minor upstream release 1.0.2c fixing multiple security issues
		
							parent
							
								
									18455c91c0
								
							
						
					
					
						commit
						837dd04882
					
				
							
								
								
									
										1
									
								
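--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.1j-hobbled.tar.xz
 /openssl-1.0.1k-hobbled.tar.xz
 /openssl-1.0.2a-hobbled.tar.xz
+/openssl-1.0.2c-hobbled.tar.xz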
							
								
								
									
										8
									
								
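--- a/ectest.c
+++ b/ectest.c
@@ -386,7 +386,7 @@ static void prime_field_tests(void)
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
                    "84F3B9CAC2FC632551"))
@@ -442,7 +442,7 @@ static void prime_field_tests(void)
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                    "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
@@ -501,7 +501,7 @@ static void prime_field_tests(void)
         ABORT;
     if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
                    "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
@@ -545,7 +545,7 @@ static void prime_field_tests(void)
         ABORT;
     if (!EC_POINT_dbl(group, P, P, ctx))
         ABORT;
-    if (!EC_POINT_is_on_curve(group, P, ctx))
+    if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
         ABORT;
     if (!EC_POINT_invert(group, Q, ctx))
         ABORT;                  /* P = -2Q */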
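Review bot: The four `EC_POINT_is_on_curve()` checks in `prime_field_tests` (hunks at 386, 442, 501 and 545) switch to `<= 0` with no comment saying why, so a later cleanup could fold them back to `!`. As documented upstream the function is tri-state (1 on curve, 0 off curve, -1 on error), and the `!` form would let the error case pass as a valid point. I would add one comment above the first check, e.g. `/* EC_POINT_is_on_curve() returns 1, 0 or -1 (error); only 1 means the point is valid */`. Treating 0 and -1 alike is fine for an abort-on-failure test. `prime_field_tests` starts and ends outside these hunks.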
| @ -1,527 +0,0 @@ | |||||||
| diff -up openssl-1.0.2a/apps/apps.c.alt-chains openssl-1.0.2a/apps/apps.c
 |  | ||||||
| --- openssl-1.0.2a/apps/apps.c.alt-chains	2015-03-19 14:30:36.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.2a/apps/apps.c	2015-04-28 16:49:50.124558770 +0200
 |  | ||||||
| @@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *parg
 |  | ||||||
|          flags |= X509_V_FLAG_SUITEB_192_LOS; |  | ||||||
|      else if (!strcmp(arg, "-partial_chain")) |  | ||||||
|          flags |= X509_V_FLAG_PARTIAL_CHAIN; |  | ||||||
| +    else if (!strcmp(arg, "-no_alt_chains"))
 |  | ||||||
| +        flags |= X509_V_FLAG_NO_ALT_CHAINS;
 |  | ||||||
|      else |  | ||||||
|          return 0; |  | ||||||
|   |  | ||||||
| diff -up openssl-1.0.2a/apps/cms.c.alt-chains openssl-1.0.2a/apps/cms.c
 |  | ||||||
| --- openssl-1.0.2a/apps/cms.c.alt-chains	2015-04-23 10:22:56.225685251 +0200
 |  | ||||||
| +++ openssl-1.0.2a/apps/cms.c	2015-04-28 16:49:50.125558793 +0200
 |  | ||||||
| @@ -648,6 +648,8 @@ int MAIN(int argc, char **argv)
 |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
|                     "-trusted_first use trusted certificates first when building the trust chain\n"); |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
| +                   "-no_alt_chains only ever use the first certificate chain found\n");
 |  | ||||||
| +        BIO_printf(bio_err,
 |  | ||||||
|                     "-crl_check     check revocation status of signer's certificate using CRLs\n"); |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
|                     "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); |  | ||||||
| diff -up openssl-1.0.2a/apps/ocsp.c.alt-chains openssl-1.0.2a/apps/ocsp.c
 |  | ||||||
| --- openssl-1.0.2a/apps/ocsp.c.alt-chains	2015-04-23 10:22:56.225685251 +0200
 |  | ||||||
| +++ openssl-1.0.2a/apps/ocsp.c	2015-04-28 16:49:50.125558793 +0200
 |  | ||||||
| @@ -538,6 +538,8 @@ int MAIN(int argc, char **argv)
 |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
|                     "-trusted_first       use trusted certificates first when building the trust chain\n"); |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
| +                   "-no_alt_chains       only ever use the first certificate chain found\n");
 |  | ||||||
| +        BIO_printf(bio_err,
 |  | ||||||
|                     "-VAfile file         validator certificates file\n"); |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
|                     "-validity_period n   maximum validity discrepancy in seconds\n"); |  | ||||||
| diff -up openssl-1.0.2a/apps/s_client.c.alt-chains openssl-1.0.2a/apps/s_client.c
 |  | ||||||
| --- openssl-1.0.2a/apps/s_client.c.alt-chains	2015-04-23 10:22:56.225685251 +0200
 |  | ||||||
| +++ openssl-1.0.2a/apps/s_client.c	2015-04-28 16:49:50.126558815 +0200
 |  | ||||||
| @@ -335,6 +335,8 @@ static void sc_usage(void)
 |  | ||||||
|      BIO_printf(bio_err, |  | ||||||
|                 " -trusted_first - Use trusted CA's first when building the trust chain\n"); |  | ||||||
|      BIO_printf(bio_err, |  | ||||||
| +               " -no_alt_chains - only ever use the first certificate chain found\n");
 |  | ||||||
| +    BIO_printf(bio_err,
 |  | ||||||
|                 " -reconnect    - Drop and re-make the connection with the same Session-ID\n"); |  | ||||||
|      BIO_printf(bio_err, |  | ||||||
|                 " -pause        - sleep(1) after each read(2) and write(2) system call\n"); |  | ||||||
| diff -up openssl-1.0.2a/apps/smime.c.alt-chains openssl-1.0.2a/apps/smime.c
 |  | ||||||
| --- openssl-1.0.2a/apps/smime.c.alt-chains	2015-04-23 10:22:56.226685277 +0200
 |  | ||||||
| +++ openssl-1.0.2a/apps/smime.c	2015-04-28 16:49:50.128558861 +0200
 |  | ||||||
| @@ -444,6 +444,8 @@ int MAIN(int argc, char **argv)
 |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
|                     "-trusted_first use trusted certificates first when building the trust chain\n"); |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
| +                   "-no_alt_chains only ever use the first certificate chain found\n");
 |  | ||||||
| +        BIO_printf(bio_err,
 |  | ||||||
|                     "-crl_check     check revocation status of signer's certificate using CRLs\n"); |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
|                     "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); |  | ||||||
| diff -up openssl-1.0.2a/apps/s_server.c.alt-chains openssl-1.0.2a/apps/s_server.c
 |  | ||||||
| --- openssl-1.0.2a/apps/s_server.c.alt-chains	2015-04-23 10:22:56.226685277 +0200
 |  | ||||||
| +++ openssl-1.0.2a/apps/s_server.c	2015-04-28 16:49:50.128558861 +0200
 |  | ||||||
| @@ -571,6 +571,8 @@ static void sv_usage(void)
 |  | ||||||
|      BIO_printf(bio_err, |  | ||||||
|                 " -trusted_first - Use trusted CA's first when building the trust chain\n"); |  | ||||||
|      BIO_printf(bio_err, |  | ||||||
| +               " -no_alt_chains - only ever use the first certificate chain found\n");
 |  | ||||||
| +    BIO_printf(bio_err,
 |  | ||||||
|                 " -nocert       - Don't use any certificates (Anon-DH)\n"); |  | ||||||
|      BIO_printf(bio_err, |  | ||||||
|                 " -cipher arg   - play with 'openssl ciphers' to see what goes here\n"); |  | ||||||
| diff -up openssl-1.0.2a/apps/verify.c.alt-chains openssl-1.0.2a/apps/verify.c
 |  | ||||||
| --- openssl-1.0.2a/apps/verify.c.alt-chains	2015-04-28 16:49:50.128558861 +0200
 |  | ||||||
| +++ openssl-1.0.2a/apps/verify.c	2015-04-28 16:50:52.210974346 +0200
 |  | ||||||
| @@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
 |  | ||||||
|      if (ret == 1) { |  | ||||||
|          BIO_printf(bio_err, |  | ||||||
|                     "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); |  | ||||||
| -        BIO_printf(bio_err, " [-attime timestamp]");
 |  | ||||||
| +        BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
 |  | ||||||
|  #ifndef OPENSSL_NO_ENGINE |  | ||||||
|          BIO_printf(bio_err, " [-engine e]"); |  | ||||||
|  #endif |  | ||||||
| diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.c
 |  | ||||||
| --- openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains	2015-04-23 10:22:56.188684277 +0200
 |  | ||||||
| +++ openssl-1.0.2a/crypto/x509/x509_vfy.c	2015-04-28 17:03:40.478786778 +0200
 |  | ||||||
| @@ -189,11 +189,11 @@ static X509 *lookup_cert_match(X509_STOR
 |  | ||||||
|   |  | ||||||
|  int X509_verify_cert(X509_STORE_CTX *ctx) |  | ||||||
|  { |  | ||||||
| -    X509 *x, *xtmp, *chain_ss = NULL;
 |  | ||||||
| +    X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
 |  | ||||||
|      int bad_chain = 0; |  | ||||||
|      X509_VERIFY_PARAM *param = ctx->param; |  | ||||||
|      int depth, i, ok = 0; |  | ||||||
| -    int num;
 |  | ||||||
| +    int num, j, retry;
 |  | ||||||
|      int (*cb) (int xok, X509_STORE_CTX *xctx); |  | ||||||
|      STACK_OF(X509) *sktmp = NULL; |  | ||||||
|      if (ctx->cert == NULL) { |  | ||||||
| @@ -278,91 +278,136 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 |  | ||||||
|          break; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +    /* Remember how many untrusted certs we have */
 |  | ||||||
| +    j = num;
 |  | ||||||
|      /* |  | ||||||
|       * at this point, chain should contain a list of untrusted certificates. |  | ||||||
|       * We now need to add at least one trusted one, if possible, otherwise we |  | ||||||
|       * complain. |  | ||||||
|       */ |  | ||||||
|   |  | ||||||
| -    /*
 |  | ||||||
| -     * Examine last certificate in chain and see if it is self signed.
 |  | ||||||
| -     */
 |  | ||||||
| -
 |  | ||||||
| -    i = sk_X509_num(ctx->chain);
 |  | ||||||
| -    x = sk_X509_value(ctx->chain, i - 1);
 |  | ||||||
| -    if (cert_self_signed(x)) {
 |  | ||||||
| -        /* we have a self signed certificate */
 |  | ||||||
| -        if (sk_X509_num(ctx->chain) == 1) {
 |  | ||||||
| -            /*
 |  | ||||||
| -             * We have a single self signed certificate: see if we can find
 |  | ||||||
| -             * it in the store. We must have an exact match to avoid possible
 |  | ||||||
| -             * impersonation.
 |  | ||||||
| -             */
 |  | ||||||
| -            ok = ctx->get_issuer(&xtmp, ctx, x);
 |  | ||||||
| -            if ((ok <= 0) || X509_cmp(x, xtmp)) {
 |  | ||||||
| -                ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
 |  | ||||||
| -                ctx->current_cert = x;
 |  | ||||||
| -                ctx->error_depth = i - 1;
 |  | ||||||
| -                if (ok == 1)
 |  | ||||||
| -                    X509_free(xtmp);
 |  | ||||||
| -                bad_chain = 1;
 |  | ||||||
| -                ok = cb(0, ctx);
 |  | ||||||
| -                if (!ok)
 |  | ||||||
| -                    goto end;
 |  | ||||||
| +    do {
 |  | ||||||
| +        /*
 |  | ||||||
| +         * Examine last certificate in chain and see if it is self signed.
 |  | ||||||
| +         */
 |  | ||||||
| +        i = sk_X509_num(ctx->chain);
 |  | ||||||
| +        x = sk_X509_value(ctx->chain, i - 1);
 |  | ||||||
| +        if (cert_self_signed(x)) {
 |  | ||||||
| +            /* we have a self signed certificate */
 |  | ||||||
| +            if (sk_X509_num(ctx->chain) == 1) {
 |  | ||||||
| +                /*
 |  | ||||||
| +                 * We have a single self signed certificate: see if we can
 |  | ||||||
| +                 * find it in the store. We must have an exact match to avoid
 |  | ||||||
| +                 * possible impersonation.
 |  | ||||||
| +                 */
 |  | ||||||
| +                ok = ctx->get_issuer(&xtmp, ctx, x);
 |  | ||||||
| +                if ((ok <= 0) || X509_cmp(x, xtmp)) {
 |  | ||||||
| +                    ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
 |  | ||||||
| +                    ctx->current_cert = x;
 |  | ||||||
| +                    ctx->error_depth = i - 1;
 |  | ||||||
| +                    if (ok == 1)
 |  | ||||||
| +                        X509_free(xtmp);
 |  | ||||||
| +                    bad_chain = 1;
 |  | ||||||
| +                    ok = cb(0, ctx);
 |  | ||||||
| +                    if (!ok)
 |  | ||||||
| +                        goto end;
 |  | ||||||
| +                } else {
 |  | ||||||
| +                    /*
 |  | ||||||
| +                     * We have a match: replace certificate with store
 |  | ||||||
| +                     * version so we get any trust settings.
 |  | ||||||
| +                     */
 |  | ||||||
| +                    X509_free(x);
 |  | ||||||
| +                    x = xtmp;
 |  | ||||||
| +                    (void)sk_X509_set(ctx->chain, i - 1, x);
 |  | ||||||
| +                    ctx->last_untrusted = 0;
 |  | ||||||
| +                }
 |  | ||||||
|              } else { |  | ||||||
|                  /* |  | ||||||
| -                 * We have a match: replace certificate with store version so
 |  | ||||||
| -                 * we get any trust settings.
 |  | ||||||
| +                 * extract and save self signed certificate for later use
 |  | ||||||
|                   */ |  | ||||||
| -                X509_free(x);
 |  | ||||||
| -                x = xtmp;
 |  | ||||||
| -                (void)sk_X509_set(ctx->chain, i - 1, x);
 |  | ||||||
| -                ctx->last_untrusted = 0;
 |  | ||||||
| +                chain_ss = sk_X509_pop(ctx->chain);
 |  | ||||||
| +                ctx->last_untrusted--;
 |  | ||||||
| +                num--;
 |  | ||||||
| +                j--;
 |  | ||||||
| +                x = sk_X509_value(ctx->chain, num - 1);
 |  | ||||||
|              } |  | ||||||
| -        } else {
 |  | ||||||
| -            /*
 |  | ||||||
| -             * extract and save self signed certificate for later use
 |  | ||||||
| -             */
 |  | ||||||
| -            chain_ss = sk_X509_pop(ctx->chain);
 |  | ||||||
| -            ctx->last_untrusted--;
 |  | ||||||
| -            num--;
 |  | ||||||
| -            x = sk_X509_value(ctx->chain, num - 1);
 |  | ||||||
|          } |  | ||||||
| -    }
 |  | ||||||
| -
 |  | ||||||
| -    /* We now lookup certs from the certificate store */
 |  | ||||||
| -    for (;;) {
 |  | ||||||
| -        /* If we have enough, we break */
 |  | ||||||
| -        if (depth < num)
 |  | ||||||
| -            break;
 |  | ||||||
| +        /* We now lookup certs from the certificate store */
 |  | ||||||
| +        for (;;) {
 |  | ||||||
| +            /* If we have enough, we break */
 |  | ||||||
| +            if (depth < num)
 |  | ||||||
| +                break;
 |  | ||||||
| +            /* If we are self signed, we break */
 |  | ||||||
| +            if (cert_self_signed(x))
 |  | ||||||
| +                break;
 |  | ||||||
| +            ok = ctx->get_issuer(&xtmp, ctx, x);
 |  | ||||||
|   |  | ||||||
| -        /* If we are self signed, we break */
 |  | ||||||
| -        if (cert_self_signed(x))
 |  | ||||||
| -            break;
 |  | ||||||
| +            if (ok < 0)
 |  | ||||||
| +                return ok;
 |  | ||||||
| +            if (ok == 0)
 |  | ||||||
| +                break;
 |  | ||||||
| +            x = xtmp;
 |  | ||||||
| +            if (!sk_X509_push(ctx->chain, x)) {
 |  | ||||||
| +                X509_free(xtmp);
 |  | ||||||
| +                X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
 |  | ||||||
| +                return 0;
 |  | ||||||
| +            }
 |  | ||||||
| +            num++;
 |  | ||||||
| +        }
 |  | ||||||
|   |  | ||||||
| -        ok = ctx->get_issuer(&xtmp, ctx, x);
 |  | ||||||
| +        /* we now have our chain, lets check it... */
 |  | ||||||
| +        i = check_trust(ctx);
 |  | ||||||
|   |  | ||||||
| -        if (ok < 0)
 |  | ||||||
| -            return ok;
 |  | ||||||
| -        if (ok == 0)
 |  | ||||||
| -            break;
 |  | ||||||
| +        /* If explicitly rejected error */
 |  | ||||||
| +        if (i == X509_TRUST_REJECTED)
 |  | ||||||
| +            goto end;
 |  | ||||||
| +        /*
 |  | ||||||
| +         * If it's not explicitly trusted then check if there is an alternative
 |  | ||||||
| +         * chain that could be used. We only do this if we haven't already
 |  | ||||||
| +         * checked via TRUSTED_FIRST and the user hasn't switched off alternate
 |  | ||||||
| +         * chain checking
 |  | ||||||
| +         */
 |  | ||||||
| +        retry = 0;
 |  | ||||||
| +        if (i != X509_TRUST_TRUSTED
 |  | ||||||
| +            && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
 |  | ||||||
| +            && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
 |  | ||||||
| +            while (j-- > 1) {
 |  | ||||||
| +                STACK_OF(X509) *chtmp = ctx->chain;
 |  | ||||||
| +                xtmp2 = sk_X509_value(ctx->chain, j - 1);
 |  | ||||||
| +                /*
 |  | ||||||
| +                 * Temporarily set chain to NULL so we don't discount
 |  | ||||||
| +                 * duplicates: the same certificate could be an untrusted
 |  | ||||||
| +                 * CA found in the trusted store.
 |  | ||||||
| +                 */
 |  | ||||||
| +                ctx->chain = NULL;
 |  | ||||||
| +                ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
 |  | ||||||
| +                ctx->chain = chtmp;
 |  | ||||||
| +                if (ok < 0)
 |  | ||||||
| +                    goto end;
 |  | ||||||
| +                /* Check if we found an alternate chain */
 |  | ||||||
| +                if (ok > 0) {
 |  | ||||||
| +                    /*
 |  | ||||||
| +                     * Free up the found cert we'll add it again later
 |  | ||||||
| +                     */
 |  | ||||||
| +                    X509_free(xtmp);
 |  | ||||||
|   |  | ||||||
| -        x = xtmp;
 |  | ||||||
| -        if (!sk_X509_push(ctx->chain, x)) {
 |  | ||||||
| -            X509_free(xtmp);
 |  | ||||||
| -            X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
 |  | ||||||
| -            return 0;
 |  | ||||||
| +                    /*
 |  | ||||||
| +                     * Dump all the certs above this point - we've found an
 |  | ||||||
| +                     * alternate chain
 |  | ||||||
| +                     */
 |  | ||||||
| +                    while (num > j) {
 |  | ||||||
| +                        xtmp = sk_X509_pop(ctx->chain);
 |  | ||||||
| +                        X509_free(xtmp);
 |  | ||||||
| +                        num--;
 |  | ||||||
| +                        ctx->last_untrusted--;
 |  | ||||||
| +                    }
 |  | ||||||
| +                    retry = 1;
 |  | ||||||
| +                    break;
 |  | ||||||
| +                }
 |  | ||||||
| +            }
 |  | ||||||
|          } |  | ||||||
| -        num++;
 |  | ||||||
| -    }
 |  | ||||||
| +    } while (retry);
 |  | ||||||
|   |  | ||||||
| -    /* we now have our chain, lets check it... */
 |  | ||||||
| -
 |  | ||||||
| -    i = check_trust(ctx);
 |  | ||||||
| -
 |  | ||||||
| -    /* If explicitly rejected error */
 |  | ||||||
| -    if (i == X509_TRUST_REJECTED)
 |  | ||||||
| -        goto end;
 |  | ||||||
|      /* |  | ||||||
|       * If not explicitly trusted then indicate error unless it's a single |  | ||||||
|       * self signed certificate in which case we've indicated an error already |  | ||||||
| diff -up openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.h
 |  | ||||||
| --- openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains	2015-04-23 10:22:56.016679751 +0200
 |  | ||||||
| +++ openssl-1.0.2a/crypto/x509/x509_vfy.h	2015-04-28 16:49:18.551838908 +0200
 |  | ||||||
| @@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
 |  | ||||||
|   |  | ||||||
|  /* Allow partial chains if at least one certificate is in trusted store */ |  | ||||||
|  # define X509_V_FLAG_PARTIAL_CHAIN               0x80000 |  | ||||||
| +/*
 |  | ||||||
| + * If the initial chain is not trusted, do not attempt to build an alternative
 |  | ||||||
| + * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
 |  | ||||||
| + * will force the behaviour to match that of previous versions.
 |  | ||||||
| + */
 |  | ||||||
| +# define X509_V_FLAG_NO_ALT_CHAINS               0x100000
 |  | ||||||
|   |  | ||||||
|  # define X509_VP_FLAG_DEFAULT                    0x1 |  | ||||||
|  # define X509_VP_FLAG_OVERWRITE                  0x2 |  | ||||||
| diff -up openssl-1.0.2a/doc/apps/cms.pod.alt-chains openssl-1.0.2a/doc/apps/cms.pod
 |  | ||||||
| --- openssl-1.0.2a/doc/apps/cms.pod.alt-chains	2015-04-23 10:22:56.227685303 +0200
 |  | ||||||
| +++ openssl-1.0.2a/doc/apps/cms.pod	2015-04-28 16:54:17.537682406 +0200
 |  | ||||||
| @@ -36,6 +36,7 @@ B<openssl> B<cms>
 |  | ||||||
|  [B<-CAfile file>] |  | ||||||
|  [B<-CApath dir>] |  | ||||||
|  [B<-trusted_first>] |  | ||||||
| +[B<-no_alt_chains>]
 |  | ||||||
|  [B<-md digest>] |  | ||||||
|  [B<-[cipher]>] |  | ||||||
|  [B<-nointern>] |  | ||||||
| @@ -426,7 +427,7 @@ portion of a message so they may be incl
 |  | ||||||
|  then many S/MIME mail clients check the signers certificate's email |  | ||||||
|  address matches that specified in the From: address. |  | ||||||
|   |  | ||||||
| -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
 |  | ||||||
| +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
 |  | ||||||
|   |  | ||||||
|  Set various certificate chain valiadition option. See the |  | ||||||
|  L<B<verify>|verify(1)> manual page for details. |  | ||||||
| @@ -662,4 +663,6 @@ Support for RSA-OAEP and RSA-PSS was fir
 |  | ||||||
|  The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added |  | ||||||
|  to OpenSSL 1.1.0. |  | ||||||
|   |  | ||||||
| +The -no_alt_chains options was first added to OpenSSL 1.0.2b.
 |  | ||||||
| +
 |  | ||||||
|  =cut |  | ||||||
| diff -up openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains openssl-1.0.2a/doc/apps/ocsp.pod
 |  | ||||||
| --- openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains	2015-04-23 10:22:56.227685303 +0200
 |  | ||||||
| +++ openssl-1.0.2a/doc/apps/ocsp.pod	2015-04-28 16:53:44.564914852 +0200
 |  | ||||||
| @@ -30,6 +30,7 @@ B<openssl> B<ocsp>
 |  | ||||||
|  [B<-CApath dir>] |  | ||||||
|  [B<-CAfile file>] |  | ||||||
|  [B<-trusted_first>] |  | ||||||
| +[B<-no_alt_chains>]
 |  | ||||||
|  [B<-VAfile file>] |  | ||||||
|  [B<-validity_period n>] |  | ||||||
|  [B<-status_age n>] |  | ||||||
| @@ -151,6 +152,10 @@ in the response or residing in other cer
 |  | ||||||
|  chain to verify responder certificate. |  | ||||||
|  This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |  | ||||||
|   |  | ||||||
| +=item B<-no_alt_chains>
 |  | ||||||
| +
 |  | ||||||
| +See L<B<verify>|verify(1)> manual page for details.
 |  | ||||||
| +
 |  | ||||||
|  =item B<-verify_other file> |  | ||||||
|   |  | ||||||
|  file containing additional certificates to search when attempting to locate |  | ||||||
| @@ -388,3 +393,9 @@ second file.
 |  | ||||||
|   |  | ||||||
|   openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem |  | ||||||
|       -reqin req.der -respout resp.der |  | ||||||
| +
 |  | ||||||
| +=head1 HISTORY
 |  | ||||||
| +
 |  | ||||||
| +The -no_alt_chains options was first added to OpenSSL 1.0.2b.
 |  | ||||||
| +
 |  | ||||||
| +=cut
 |  | ||||||
| diff -up openssl-1.0.2a/doc/apps/s_client.pod.alt-chains openssl-1.0.2a/doc/apps/s_client.pod
 |  | ||||||
| --- openssl-1.0.2a/doc/apps/s_client.pod.alt-chains	2015-04-23 10:22:56.227685303 +0200
 |  | ||||||
| +++ openssl-1.0.2a/doc/apps/s_client.pod	2015-04-28 16:55:24.812248450 +0200
 |  | ||||||
| @@ -20,6 +20,7 @@ B<openssl> B<s_client>
 |  | ||||||
|  [B<-CApath directory>] |  | ||||||
|  [B<-CAfile filename>] |  | ||||||
|  [B<-trusted_first>] |  | ||||||
| +[B<-no_alt_chains>]
 |  | ||||||
|  [B<-reconnect>] |  | ||||||
|  [B<-pause>] |  | ||||||
|  [B<-showcerts>] |  | ||||||
| @@ -124,7 +125,7 @@ also used when building the client certi
 |  | ||||||
|  A file containing trusted certificates to use during server authentication |  | ||||||
|  and to use when attempting to build the client certificate chain. |  | ||||||
|   |  | ||||||
| -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
 |  | ||||||
| +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
 |  | ||||||
|   |  | ||||||
|  Set various certificate chain valiadition option. See the |  | ||||||
|  L<B<verify>|verify(1)> manual page for details. |  | ||||||
| @@ -365,4 +366,8 @@ information whenever a session is renego
 |  | ||||||
|   |  | ||||||
|  L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> |  | ||||||
|   |  | ||||||
| +=head1 HISTORY
 |  | ||||||
| +
 |  | ||||||
| +The -no_alt_chains options was first added to OpenSSL 1.0.2b.
 |  | ||||||
| +
 |  | ||||||
|  =cut |  | ||||||
| diff -up openssl-1.0.2a/doc/apps/smime.pod.alt-chains openssl-1.0.2a/doc/apps/smime.pod
 |  | ||||||
| --- openssl-1.0.2a/doc/apps/smime.pod.alt-chains	2015-04-23 10:22:56.227685303 +0200
 |  | ||||||
| +++ openssl-1.0.2a/doc/apps/smime.pod	2015-04-28 16:57:33.598246384 +0200
 |  | ||||||
| @@ -18,6 +18,7 @@ B<openssl> B<smime>
 |  | ||||||
|  [B<-CAfile file>] |  | ||||||
|  [B<-CApath dir>] |  | ||||||
|  [B<-trusted_first>] |  | ||||||
| +[B<-no_alt_chains>]
 |  | ||||||
|  [B<-certfile file>] |  | ||||||
|  [B<-signer file>] |  | ||||||
|  [B<-recip  file>] |  | ||||||
| @@ -268,7 +269,7 @@ portion of a message so they may be incl
 |  | ||||||
|  then many S/MIME mail clients check the signers certificate's email |  | ||||||
|  address matches that specified in the From: address. |  | ||||||
|   |  | ||||||
| -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
 |  | ||||||
| +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
 |  | ||||||
|   |  | ||||||
|  Set various options of certificate chain verification. See |  | ||||||
|  L<B<verify>|verify(1)> manual page for details. |  | ||||||
| @@ -450,5 +451,6 @@ structures may cause parsing errors.
 |  | ||||||
|  The use of multiple B<-signer> options and the B<-resign> command were first |  | ||||||
|  added in OpenSSL 1.0.0 |  | ||||||
|   |  | ||||||
| +The -no_alt_chains options was first added to OpenSSL 1.0.2b.
 |  | ||||||
|   |  | ||||||
|  =cut |  | ||||||
| diff -up openssl-1.0.2a/doc/apps/s_server.pod.alt-chains openssl-1.0.2a/doc/apps/s_server.pod
 |  | ||||||
| --- openssl-1.0.2a/doc/apps/s_server.pod.alt-chains	2015-04-23 10:22:56.227685303 +0200
 |  | ||||||
| +++ openssl-1.0.2a/doc/apps/s_server.pod	2015-04-28 16:56:27.494707598 +0200
 |  | ||||||
| @@ -34,6 +34,7 @@ B<openssl> B<s_server>
 |  | ||||||
|  [B<-CApath directory>] |  | ||||||
|  [B<-CAfile filename>] |  | ||||||
|  [B<-trusted_first>] |  | ||||||
| +[B<-no_alt_chains>]
 |  | ||||||
|  [B<-nocert>] |  | ||||||
|  [B<-cipher cipherlist>] |  | ||||||
|  [B<-serverpref>] |  | ||||||
| @@ -181,6 +182,10 @@ Use certificates in CA file or CA direct
 |  | ||||||
|  when building the trust chain to verify client certificates. |  | ||||||
|  This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |  | ||||||
|   |  | ||||||
| +=item B<-no_alt_chains>
 |  | ||||||
| +
 |  | ||||||
| +See the L<B<verify>|verify(1)> manual page for details.
 |  | ||||||
| +
 |  | ||||||
|  =item B<-state> |  | ||||||
|   |  | ||||||
|  prints out the SSL session states. |  | ||||||
| @@ -413,4 +418,8 @@ unknown cipher suites a client says it s
 |  | ||||||
|   |  | ||||||
|  L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)> |  | ||||||
|   |  | ||||||
| +=head1 HISTORY
 |  | ||||||
| +
 |  | ||||||
| +The -no_alt_chains options was first added to OpenSSL 1.0.2b.
 |  | ||||||
| +
 |  | ||||||
|  =cut |  | ||||||
| diff -up openssl-1.0.2a/doc/apps/verify.pod.alt-chains openssl-1.0.2a/doc/apps/verify.pod
 |  | ||||||
| --- openssl-1.0.2a/doc/apps/verify.pod.alt-chains	2015-04-23 10:22:56.228685330 +0200
 |  | ||||||
| +++ openssl-1.0.2a/doc/apps/verify.pod	2015-04-28 16:52:22.544033948 +0200
 |  | ||||||
| @@ -26,6 +26,7 @@ B<openssl> B<verify>
 |  | ||||||
|  [B<-extended_crl>] |  | ||||||
|  [B<-use_deltas>] |  | ||||||
|  [B<-policy_print>] |  | ||||||
| +[B<-no_alt_chains>]
 |  | ||||||
|  [B<-untrusted file>] |  | ||||||
|  [B<-help>] |  | ||||||
|  [B<-issuer_checks>] |  | ||||||
| @@ -131,6 +132,14 @@ Set policy variable inhibit-any-policy (
 |  | ||||||
|   |  | ||||||
|  Set policy variable inhibit-policy-mapping (see RFC5280). |  | ||||||
|   |  | ||||||
| +=item B<-no_alt_chains>
 |  | ||||||
| +
 |  | ||||||
| +When building a certificate chain, if the first certificate chain found is not
 |  | ||||||
| +trusted, then OpenSSL will continue to check to see if an alternative chain can
 |  | ||||||
| +be found that is trusted. With this option that behaviour is suppressed so that
 |  | ||||||
| +only the first chain found is ever used. Using this option will force the
 |  | ||||||
| +behaviour to match that of previous OpenSSL versions.
 |  | ||||||
| +
 |  | ||||||
|  =item B<-policy_print> |  | ||||||
|   |  | ||||||
|  Print out diagnostics related to policy processing. |  | ||||||
| @@ -432,4 +441,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CER
 |  | ||||||
|   |  | ||||||
|  L<x509(1)|x509(1)> |  | ||||||
|   |  | ||||||
| +=head1 HISTORY
 |  | ||||||
| +
 |  | ||||||
| +The -no_alt_chains options was first added to OpenSSL 1.0.2b.
 |  | ||||||
| +
 |  | ||||||
|  =cut |  | ||||||
| diff -up openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
 |  | ||||||
| --- openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains	2015-03-19 14:30:36.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod	2015-04-28 16:52:22.544033948 +0200
 |  | ||||||
| @@ -197,6 +197,12 @@ verification. If this flag is set then a
 |  | ||||||
|  to the verification callback and it B<must> be prepared to handle such cases |  | ||||||
|  without assuming they are hard errors. |  | ||||||
|   |  | ||||||
| +The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
 |  | ||||||
| +chains. By default, when building a certificate chain, if the first certificate
 |  | ||||||
| +chain found is not trusted, then OpenSSL will continue to check to see if an
 |  | ||||||
| +alternative chain can be found that is trusted. With this flag set the behaviour
 |  | ||||||
| +will match that of OpenSSL versions prior to 1.0.2b.
 |  | ||||||
| +
 |  | ||||||
|  =head1 NOTES |  | ||||||
|   |  | ||||||
|  The above functions should be used to manipulate verification parameters |  | ||||||
| @@ -233,6 +239,6 @@ L<X509_check_ip(3)|X509_check_ip(3)>
 |  | ||||||
|   |  | ||||||
|  =head1 HISTORY |  | ||||||
|   |  | ||||||
| -TBA
 |  | ||||||
| +The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b
 |  | ||||||
|   |  | ||||||
|  =cut |  | ||||||
| @ -1,75 +0,0 @@ | |||||||
| diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c
 |  | ||||||
| --- openssl-1.0.2a/apps/s_server.c.dh1024	2015-04-09 18:19:55.978228949 +0200
 |  | ||||||
| +++ openssl-1.0.2a/apps/s_server.c	2015-04-09 18:19:50.842110304 +0200
 |  | ||||||
| @@ -230,29 +230,44 @@ static void s_server_init(void);
 |  | ||||||
|  #endif |  | ||||||
|   |  | ||||||
|  #ifndef OPENSSL_NO_DH |  | ||||||
| -static unsigned char dh512_p[] = {
 |  | ||||||
| -    0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
 |  | ||||||
| -    0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
 |  | ||||||
| -    0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
 |  | ||||||
| -    0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
 |  | ||||||
| -    0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
 |  | ||||||
| -    0x47, 0x74, 0xE8, 0x33,
 |  | ||||||
| -};
 |  | ||||||
| -
 |  | ||||||
| -static unsigned char dh512_g[] = {
 |  | ||||||
| -    0x02,
 |  | ||||||
| -};
 |  | ||||||
| -
 |  | ||||||
| -static DH *get_dh512(void)
 |  | ||||||
| +static DH *get_dh1024()
 |  | ||||||
|  { |  | ||||||
| -    DH *dh = NULL;
 |  | ||||||
| +    static unsigned char dh1024_p[] = {
 |  | ||||||
| +        0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54,
 |  | ||||||
| +            0x63,
 |  | ||||||
| +        0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66,
 |  | ||||||
| +            0x79,
 |  | ||||||
| +        0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0,
 |  | ||||||
| +            0x3C,
 |  | ||||||
| +        0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1,
 |  | ||||||
| +            0xEF,
 |  | ||||||
| +        0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07,
 |  | ||||||
| +            0xFB,
 |  | ||||||
| +        0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98,
 |  | ||||||
| +            0xE3,
 |  | ||||||
| +        0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A,
 |  | ||||||
| +            0xED,
 |  | ||||||
| +        0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97,
 |  | ||||||
| +            0x23,
 |  | ||||||
| +        0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB,
 |  | ||||||
| +            0x05,
 |  | ||||||
| +        0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52,
 |  | ||||||
| +            0xA4,
 |  | ||||||
| +        0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93,
 |  | ||||||
| +    };
 |  | ||||||
| +    static unsigned char dh1024_g[] = {
 |  | ||||||
| +        0x02,
 |  | ||||||
| +    };
 |  | ||||||
| +    DH *dh;
 |  | ||||||
|   |  | ||||||
|      if ((dh = DH_new()) == NULL) |  | ||||||
|          return (NULL); |  | ||||||
| -    dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
 |  | ||||||
| -    dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
 |  | ||||||
| -    if ((dh->p == NULL) || (dh->g == NULL))
 |  | ||||||
| +    dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
 |  | ||||||
| +    dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
 |  | ||||||
| +    if ((dh->p == NULL) || (dh->g == NULL)) {
 |  | ||||||
| +        DH_free(dh);
 |  | ||||||
|          return (NULL); |  | ||||||
| +    }
 |  | ||||||
|      return (dh); |  | ||||||
|  } |  | ||||||
|  #endif |  | ||||||
| @@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[])
 |  | ||||||
|              BIO_printf(bio_s_out, "Setting temp DH parameters\n"); |  | ||||||
|          } else { |  | ||||||
|              BIO_printf(bio_s_out, "Using default temp DH parameters\n"); |  | ||||||
| -            dh = get_dh512();
 |  | ||||||
| +            dh = get_dh1024();
 |  | ||||||
|          } |  | ||||||
|          (void)BIO_flush(bio_s_out); |  | ||||||
|   |  | ||||||
| @ -1,38 +1,7 @@ | |||||||
| diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c
 | diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
 | ||||||
| --- openssl-1.0.2a/apps/s_client.c.default-paths	2015-04-20 14:48:31.462166971 +0200
 | --- openssl-1.0.2c/apps/s_server.c.default-paths	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/s_client.c	2015-04-20 14:52:55.125316170 +0200
 | +++ openssl-1.0.2c/apps/s_server.c	2015-06-15 17:24:17.747446515 +0200
 | ||||||
| @@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv)
 | @@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
 | ||||||
|   |  | ||||||
|      SSL_CTX_set_verify(ctx, verify, verify_callback); |  | ||||||
|   |  | ||||||
| -    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
 |  | ||||||
| -        (!SSL_CTX_set_default_verify_paths(ctx))) {
 |  | ||||||
| -        /*
 |  | ||||||
| -         * BIO_printf(bio_err,"error setting default verify locations\n");
 |  | ||||||
| -         */
 |  | ||||||
| -        ERR_print_errors(bio_err);
 |  | ||||||
| -        /* goto end; */
 |  | ||||||
| +    if (CAfile == NULL && CApath == NULL) {
 |  | ||||||
| +        if (!SSL_CTX_set_default_verify_paths(ctx)) {
 |  | ||||||
| +            ERR_print_errors(bio_err);
 |  | ||||||
| +        }
 |  | ||||||
| +    } else {
 |  | ||||||
| +        if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
 |  | ||||||
| +            ERR_print_errors(bio_err);
 |  | ||||||
| +        }
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    ssl_ctx_add_crls(ctx, crls, crl_download);
 |  | ||||||
| -    if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
 |  | ||||||
| -        goto end;
 |  | ||||||
| -
 |  | ||||||
|  #ifndef OPENSSL_NO_TLSEXT |  | ||||||
|      if (servername != NULL) { |  | ||||||
|          tlsextcbp.biodebug = bio_err; |  | ||||||
| diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c
 |  | ||||||
| --- openssl-1.0.2a/apps/s_server.c.default-paths	2015-03-19 14:30:36.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.2a/apps/s_server.c	2015-04-20 14:48:31.462166971 +0200
 |  | ||||||
| @@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[])
 |  | ||||||
|      } |      } | ||||||
|  #endif |  #endif | ||||||
|   |   | ||||||
| @ -54,7 +23,7 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv | |||||||
|      if (vpm) |      if (vpm) | ||||||
|          SSL_CTX_set1_param(ctx, vpm); |          SSL_CTX_set1_param(ctx, vpm); | ||||||
|   |   | ||||||
| @@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[])
 | @@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
 | ||||||
|          else |          else | ||||||
|              SSL_CTX_sess_set_cache_size(ctx2, 128); |              SSL_CTX_sess_set_cache_size(ctx2, 128); | ||||||
|   |   | ||||||
| @ -67,9 +36,9 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv | |||||||
|              ERR_print_errors(bio_err); |              ERR_print_errors(bio_err); | ||||||
|          } |          } | ||||||
|          if (vpm) |          if (vpm) | ||||||
| diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c
 | diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
 | ||||||
| --- openssl-1.0.2a/apps/s_time.c.default-paths	2015-04-20 14:48:31.462166971 +0200
 | --- openssl-1.0.2c/apps/s_time.c.default-paths	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/s_time.c	2015-04-20 14:55:14.232542738 +0200
 | +++ openssl-1.0.2c/apps/s_time.c	2015-06-15 17:24:17.747446515 +0200
 | ||||||
| @@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
 | @@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
 | ||||||
|   |   | ||||||
|      SSL_load_error_strings(); |      SSL_load_error_strings(); | ||||||
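Review bot: The rebased patch no longer carries an apps/s_client.c section; only s_server.c and s_time.c are still patched. The dropped hunk was the one that made s_client call `SSL_CTX_set_default_verify_paths(ctx)` only when `CAfile == NULL && CApath == NULL`, replacing the upstream 1.0.2a code that called both loaders unconditionally. Unless 1.0.2c upstream already behaves that way (not visible on this page), s_client would consult the default trust store even when -CAfile or -CApath is given. A verification test against a private CA would then be less strict than the operator expects, and s_client would differ from s_server and s_time. Please confirm against the 1.0.2c source and record the reason for dropping the hunk in the package changelog.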
| @ -1,6 +1,6 @@ | |||||||
| diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c
 | diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
 | ||||||
| --- openssl-1.0.2a/apps/speed.c.suiteb	2015-04-21 17:46:15.452321183 +0200
 | --- openssl-1.0.2c/apps/speed.c.suiteb	2015-06-15 17:37:06.285083685 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/speed.c	2015-04-22 14:52:45.362272296 +0200
 | +++ openssl-1.0.2c/apps/speed.c	2015-06-15 17:37:06.335084836 +0200
 | ||||||
| @@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
 | @@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
 | ||||||
|          } else |          } else | ||||||
|  # endif |  # endif | ||||||
| @ -122,52 +122,48 @@ diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c | |||||||
|              ecdh_doit[i] = 1; |              ecdh_doit[i] = 1; | ||||||
|  # endif |  # endif | ||||||
|      } |      } | ||||||
| diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c
 | diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
 | ||||||
| --- openssl-1.0.2a/ssl/t1_lib.c.suiteb	2015-04-21 17:46:15.506322451 +0200
 | --- openssl-1.0.2c/ssl/t1_lib.c.suiteb	2015-06-12 16:51:27.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/ssl/t1_lib.c	2015-04-22 15:03:32.464591096 +0200
 | +++ openssl-1.0.2c/ssl/t1_lib.c	2015-06-15 17:44:03.578681271 +0200
 | ||||||
| @@ -266,41 +266,30 @@ static const unsigned char eccurves_defa
 | @@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
 | ||||||
|      0, 13,                      /* sect571k1 (13) */ |      0, 23,                      /* secp256r1 (23) */ | ||||||
|  # endif |      /* Other >= 256-bit prime curves. */ | ||||||
|      0, 25,                      /* secp521r1 (25) */ |      0, 25,                      /* secp521r1 (25) */ | ||||||
| -    0, 28,                      /* brainpool512r1 (28) */
 | -    0, 28,                      /* brainpool512r1 (28) */
 | ||||||
|  # ifndef OPENSSL_NO_EC2M |  | ||||||
|      0, 11,                      /* sect409k1 (11) */ |  | ||||||
|      0, 12,                      /* sect409r1 (12) */ |  | ||||||
|  # endif |  | ||||||
| -    0, 27,                      /* brainpoolP384r1 (27) */
 | -    0, 27,                      /* brainpoolP384r1 (27) */
 | ||||||
|      0, 24,                      /* secp384r1 (24) */ |      0, 24,                      /* secp384r1 (24) */ | ||||||
|  # ifndef OPENSSL_NO_EC2M |  | ||||||
|      0, 9,                       /* sect283k1 (9) */ |  | ||||||
|      0, 10,                      /* sect283r1 (10) */ |  | ||||||
|  # endif |  | ||||||
| -    0, 26,                      /* brainpoolP256r1 (26) */
 | -    0, 26,                      /* brainpoolP256r1 (26) */
 | ||||||
| -    0, 22,                      /* secp256k1 (22) */
 | -    0, 22,                      /* secp256k1 (22) */
 | ||||||
|      0, 23,                      /* secp256r1 (23) */ |  | ||||||
|  # ifndef OPENSSL_NO_EC2M |  # ifndef OPENSSL_NO_EC2M | ||||||
|      0, 8,                       /* sect239k1 (8) */ |      /* >= 256-bit binary curves. */ | ||||||
|      0, 6,                       /* sect233k1 (6) */ |      0, 14,                      /* sect571r1 (14) */ | ||||||
|      0, 7,                       /* sect233r1 (7) */ | @@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
 | ||||||
|  # endif |      0, 23,                      /* secp256r1 (23) */ | ||||||
|  |      /* Other >= 256-bit prime curves. */ | ||||||
|  |      0, 25,                      /* secp521r1 (25) */ | ||||||
|  | -    0, 28,                      /* brainpool512r1 (28) */
 | ||||||
|  | -    0, 27,                      /* brainpoolP384r1 (27) */
 | ||||||
|  |      0, 24,                      /* secp384r1 (24) */ | ||||||
|  | -    0, 26,                      /* brainpoolP256r1 (26) */
 | ||||||
|  | -    0, 22,                      /* secp256k1 (22) */
 | ||||||
|  |  # ifndef OPENSSL_NO_EC2M | ||||||
|  |      /* >= 256-bit binary curves. */ | ||||||
|  |      0, 14,                      /* sect571r1 (14) */ | ||||||
|  | @@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
 | ||||||
|  |       * Remaining curves disabled by default but still permitted if set | ||||||
|  |       * via an explicit callback or parameters. | ||||||
|  |       */ | ||||||
| -    0, 20,                      /* secp224k1 (20) */
 | -    0, 20,                      /* secp224k1 (20) */
 | ||||||
| -    0, 21,                      /* secp224r1 (21) */
 | -    0, 21,                      /* secp224r1 (21) */
 | ||||||
|  # ifndef OPENSSL_NO_EC2M |  | ||||||
|      0, 4,                       /* sect193r1 (4) */ |  | ||||||
|      0, 5,                       /* sect193r2 (5) */ |  | ||||||
|  # endif |  | ||||||
| -    0, 18,                      /* secp192k1 (18) */
 | -    0, 18,                      /* secp192k1 (18) */
 | ||||||
| -    0, 19,                      /* secp192r1 (19) */
 | -    0, 19,                      /* secp192r1 (19) */
 | ||||||
|  # ifndef OPENSSL_NO_EC2M |  | ||||||
|      0, 1,                       /* sect163k1 (1) */ |  | ||||||
|      0, 2,                       /* sect163r1 (2) */ |  | ||||||
|      0, 3,                       /* sect163r2 (3) */ |  | ||||||
|  # endif |  | ||||||
| -    0, 15,                      /* secp160k1 (15) */
 | -    0, 15,                      /* secp160k1 (15) */
 | ||||||
| -    0, 16,                      /* secp160r1 (16) */
 | -    0, 16,                      /* secp160r1 (16) */
 | ||||||
| -    0, 17,                      /* secp160r2 (17) */
 | -    0, 17,                      /* secp160r2 (17) */
 | ||||||
|  }; |  # ifndef OPENSSL_NO_EC2M | ||||||
|   |      0, 8,                       /* sect239k1 (8) */ | ||||||
|  static const unsigned char suiteb_curves[] = { |      0, 6,                       /* sect233k1 (6) */ | ||||||
| @@ -325,29 +314,21 @@ static const unsigned char fips_curves_d
 | @@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
 | ||||||
|      0, 9,                       /* sect283k1 (9) */ |      0, 9,                       /* sect283k1 (9) */ | ||||||
|      0, 10,                      /* sect283r1 (10) */ |      0, 10,                      /* sect283r1 (10) */ | ||||||
|  #  endif |  #  endif | ||||||
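Review bot: The rebased t1_lib.c hunks remove the same entries (the brainpool curves and secp256k1) from both `eccurves_auto` and `eccurves_all`, but nothing in the patch says why, so the next rebase has to rediscover which tables must stay in step. The hunk at `@@ -307,13 +299,6 @@` also leaves the upstream comment "Remaining curves disabled by default but still permitted if set via an explicit callback or parameters" above a list from which the secp224/192/160 entries are removed. A one-line description at the top of the patch would cover both, for example `Drop curves not provided by this build from the TLS curve tables (eccurves_auto, eccurves_all).` This assumes the intent is to match the reduced curve set of the hobbled tarball, which should be confirmed. The array definitions start and end outside the hunks.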
										
											
											
										
									
								
							| @ -1,7 +1,7 @@ | |||||||
| diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
 | diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
 | ||||||
| --- openssl-1.0.2a/Configure.rpmbuild	2015-03-19 14:30:36.000000000 +0100
 | --- openssl-1.0.2c/Configure.rpmbuild	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/Configure	2015-04-20 14:35:03.516318252 +0200
 | +++ openssl-1.0.2c/Configure	2015-06-15 17:22:52.598496680 +0200
 | ||||||
| @@ -348,8 +348,8 @@ my %table=(
 | @@ -365,8 +365,8 @@ my %table=(
 | ||||||
|  #### |  #### | ||||||
|  # *-generic* is endian-neutral target, but ./config is free to |  # *-generic* is endian-neutral target, but ./config is free to | ||||||
|  # throw in -D[BL]_ENDIAN, whichever appropriate... |  # throw in -D[BL]_ENDIAN, whichever appropriate... | ||||||
| @ -12,14 +12,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure | |||||||
|   |   | ||||||
|  ####################################################################### |  ####################################################################### | ||||||
|  # Note that -march is not among compiler options in below linux-armv4 |  # Note that -march is not among compiler options in below linux-armv4 | ||||||
| @@ -378,30 +378,30 @@ my %table=(
 | @@ -395,30 +395,30 @@ my %table=(
 | ||||||
|  # |  # | ||||||
|  #       ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 |  #       ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 | ||||||
|  # |  # | ||||||
| -"linux-armv4",	"gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | -"linux-armv4",	"gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | ||||||
| -"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | -"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | ||||||
| +"linux-armv4",	"gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | +"linux-armv4",	"gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | ||||||
| +"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | +"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | ||||||
|  # Configure script adds minimally required -march for assembly support, |  # Configure script adds minimally required -march for assembly support, | ||||||
|  # if no -march was specified at command line. mips32 and mips64 below |  # if no -march was specified at command line. mips32 and mips64 below | ||||||
|  # refer to contemporary MIPS Architecture specifications, MIPS32 and |  # refer to contemporary MIPS Architecture specifications, MIPS32 and | ||||||
| @ -40,14 +40,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure | |||||||
| -"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | -"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | ||||||
| -"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
 | -"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
 | ||||||
| -"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | -"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | ||||||
| +"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | +"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | ||||||
| +"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | +"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | ||||||
| +"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | +"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | ||||||
| +"linux-ia64",	"gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | +"linux-ia64",	"gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | ||||||
|  "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |  "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | ||||||
| -"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | -"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | ||||||
| +"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | +"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | ||||||
|  "linux-x86_64-clang",	"clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", |  "linux-x86_64-clang",	"clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", | ||||||
|  "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", |  "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", | ||||||
|  "linux-x32",	"gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", |  "linux-x32",	"gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", | ||||||
| -"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | -"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | ||||||
| @ -55,12 +55,12 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure | |||||||
|  #### So called "highgprs" target for z/Architecture CPUs |  #### So called "highgprs" target for z/Architecture CPUs | ||||||
|  # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see |  # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see | ||||||
|  # /proc/cpuinfo. The idea is to preserve most significant bits of |  # /proc/cpuinfo. The idea is to preserve most significant bits of | ||||||
| @@ -419,12 +419,12 @@ my %table=(
 | @@ -436,12 +436,12 @@ my %table=(
 | ||||||
|  #### SPARC Linux setups |  #### SPARC Linux setups | ||||||
|  # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently |  # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently | ||||||
|  # assisted with debugging of following two configs. |  # assisted with debugging of following two configs. | ||||||
| -"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | -"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | ||||||
| +"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | +"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | ||||||
|  # it's a real mess with -mcpu=ultrasparc option under Linux, but |  # it's a real mess with -mcpu=ultrasparc option under Linux, but | ||||||
|  # -Wa,-Av8plus should do the trick no matter what. |  # -Wa,-Av8plus should do the trick no matter what. | ||||||
| -"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | -"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 | ||||||
| @ -71,7 +71,7 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure | |||||||
|  #### Alpha Linux with GNU C and Compaq C setups |  #### Alpha Linux with GNU C and Compaq C setups | ||||||
|  # Special notes: |  # Special notes: | ||||||
|  # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you |  # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you | ||||||
| @@ -1737,7 +1737,7 @@ while (<IN>)
 | @@ -1764,7 +1764,7 @@ while (<IN>)
 | ||||||
|  	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) |  	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) | ||||||
|  		{ |  		{ | ||||||
|  		my $sotmp = $1; |  		my $sotmp = $1; | ||||||
| @ -80,9 +80,9 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure | |||||||
|  		} |  		} | ||||||
|  	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) |  	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) | ||||||
|  		{ |  		{ | ||||||
| diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
 | diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
 | ||||||
| --- openssl-1.0.2a/Makefile.org.rpmbuild	2015-03-19 14:30:36.000000000 +0100
 | --- openssl-1.0.2c/Makefile.org.rpmbuild	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/Makefile.org	2015-04-20 14:11:52.152847093 +0200
 | +++ openssl-1.0.2c/Makefile.org	2015-06-15 17:19:14.874510995 +0200
 | ||||||
| @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
 | @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
 | ||||||
|  SHLIB_MAJOR= |  SHLIB_MAJOR= | ||||||
|  SHLIB_MINOR= |  SHLIB_MINOR= | ||||||
| @ -91,7 +91,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org | |||||||
|  PLATFORM=dist |  PLATFORM=dist | ||||||
|  OPTIONS= |  OPTIONS= | ||||||
|  CONFIGURE_ARGS= |  CONFIGURE_ARGS= | ||||||
| @@ -335,10 +336,9 @@ clean-shared:
 | @@ -338,10 +339,9 @@ clean-shared:
 | ||||||
|  link-shared: |  link-shared: | ||||||
|  	@ set -e; for i in $(SHLIBDIRS); do \ |  	@ set -e; for i in $(SHLIBDIRS); do \ | ||||||
|  		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ |  		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ | ||||||
| @ -103,7 +103,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org | |||||||
|  	done |  	done | ||||||
|   |   | ||||||
|  build-shared: do_$(SHLIB_TARGET) link-shared |  build-shared: do_$(SHLIB_TARGET) link-shared | ||||||
| @@ -349,7 +349,7 @@ do_$(SHLIB_TARGET):
 | @@ -352,7 +352,7 @@ do_$(SHLIB_TARGET):
 | ||||||
|  			libs="$(LIBKRB5) $$libs"; \ |  			libs="$(LIBKRB5) $$libs"; \ | ||||||
|  		fi; \ |  		fi; \ | ||||||
|  		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ |  		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ | ||||||
| @ -1,66 +1,66 @@ | |||||||
| diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c
 | diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c
 | ||||||
| --- openssl-1.0.2a/apps/cms.c.trusted-first	2015-03-19 14:30:36.000000000 +0100
 | --- openssl-1.0.2c/apps/cms.c.trusted-first	2015-06-15 17:45:13.112279761 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/cms.c	2015-04-22 16:25:31.839164061 +0200
 | +++ openssl-1.0.2c/apps/cms.c	2015-06-15 17:46:11.045611575 +0200
 | ||||||
| @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
 | @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
 | ||||||
|                     "-CApath dir    trusted certificates directory\n"); |                     "-CApath dir    trusted certificates directory\n"); | ||||||
|          BIO_printf(bio_err, "-CAfile file   trusted certificates file\n"); |          BIO_printf(bio_err, "-CAfile file   trusted certificates file\n"); | ||||||
|          BIO_printf(bio_err, |          BIO_printf(bio_err, | ||||||
| +                   "-trusted_first use trusted certificates first when building the trust chain\n");
 | +                   "-trusted_first use trusted certificates first when building the trust chain\n");
 | ||||||
| +        BIO_printf(bio_err,
 | +        BIO_printf(bio_err,
 | ||||||
|                     "-crl_check     check revocation status of signer's certificate using CRLs\n"); |                     "-no_alt_chains only ever use the first certificate chain found\n"); | ||||||
|          BIO_printf(bio_err, |          BIO_printf(bio_err, | ||||||
|                     "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); |                     "-crl_check     check revocation status of signer's certificate using CRLs\n"); | ||||||
| diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c
 | diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c
 | ||||||
| --- openssl-1.0.2a/apps/ocsp.c.trusted-first	2015-03-19 14:30:36.000000000 +0100
 | --- openssl-1.0.2c/apps/ocsp.c.trusted-first	2015-06-15 17:45:13.112279761 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/ocsp.c	2015-04-22 16:25:31.840164085 +0200
 | +++ openssl-1.0.2c/apps/ocsp.c	2015-06-15 17:46:31.898090948 +0200
 | ||||||
| @@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
 | @@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
 | ||||||
|          BIO_printf(bio_err, |          BIO_printf(bio_err, | ||||||
|                     "-CAfile file         trusted certificates file\n"); |                     "-CAfile file         trusted certificates file\n"); | ||||||
|          BIO_printf(bio_err, |          BIO_printf(bio_err, | ||||||
| +                   "-trusted_first       use trusted certificates first when building the trust chain\n");
 | +                   "-trusted_first       use trusted certificates first when building the trust chain\n");
 | ||||||
| +        BIO_printf(bio_err,
 | +        BIO_printf(bio_err,
 | ||||||
|                     "-VAfile file         validator certificates file\n"); |                     "-no_alt_chains       only ever use the first certificate chain found\n"); | ||||||
|          BIO_printf(bio_err, |          BIO_printf(bio_err, | ||||||
|                     "-validity_period n   maximum validity discrepancy in seconds\n"); |                     "-VAfile file         validator certificates file\n"); | ||||||
| diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c
 | diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c
 | ||||||
| --- openssl-1.0.2a/apps/s_client.c.trusted-first	2015-04-22 16:25:31.799163115 +0200
 | --- openssl-1.0.2c/apps/s_client.c.trusted-first	2015-06-15 17:45:13.113279784 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/s_client.c	2015-04-22 16:25:31.840164085 +0200
 | +++ openssl-1.0.2c/apps/s_client.c	2015-06-15 17:47:05.645866767 +0200
 | ||||||
| @@ -333,6 +333,8 @@ static void sc_usage(void)
 | @@ -333,6 +333,8 @@ static void sc_usage(void)
 | ||||||
|      BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n"); |      BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n"); | ||||||
|      BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n"); |      BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n"); | ||||||
|      BIO_printf(bio_err, |      BIO_printf(bio_err, | ||||||
| +               " -trusted_first - Use trusted CA's first when building the trust chain\n");
 | +               " -trusted_first - Use trusted CA's first when building the trust chain\n");
 | ||||||
| +    BIO_printf(bio_err,
 | +    BIO_printf(bio_err,
 | ||||||
|                 " -reconnect    - Drop and re-make the connection with the same Session-ID\n"); |                 " -no_alt_chains - only ever use the first certificate chain found\n"); | ||||||
|      BIO_printf(bio_err, |      BIO_printf(bio_err, | ||||||
|                 " -pause        - sleep(1) after each read(2) and write(2) system call\n"); |                 " -reconnect    - Drop and re-make the connection with the same Session-ID\n"); | ||||||
| diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c
 | diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c
 | ||||||
| --- openssl-1.0.2a/apps/smime.c.trusted-first	2015-03-19 14:30:36.000000000 +0100
 | --- openssl-1.0.2c/apps/smime.c.trusted-first	2015-06-15 17:45:13.113279784 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/smime.c	2015-04-22 16:25:31.840164085 +0200
 | +++ openssl-1.0.2c/apps/smime.c	2015-06-15 17:47:39.090635621 +0200
 | ||||||
| @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
 | @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
 | ||||||
|                     "-CApath dir    trusted certificates directory\n"); |                     "-CApath dir    trusted certificates directory\n"); | ||||||
|          BIO_printf(bio_err, "-CAfile file   trusted certificates file\n"); |          BIO_printf(bio_err, "-CAfile file   trusted certificates file\n"); | ||||||
|          BIO_printf(bio_err, |          BIO_printf(bio_err, | ||||||
| +                   "-trusted_first use trusted certificates first when building the trust chain\n");
 | +                   "-trusted_first use trusted certificates first when building the trust chain\n");
 | ||||||
| +        BIO_printf(bio_err,
 | +        BIO_printf(bio_err,
 | ||||||
|                     "-crl_check     check revocation status of signer's certificate using CRLs\n"); |                     "-no_alt_chains only ever use the first certificate chain found\n"); | ||||||
|          BIO_printf(bio_err, |          BIO_printf(bio_err, | ||||||
|                     "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); |                     "-crl_check     check revocation status of signer's certificate using CRLs\n"); | ||||||
| diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c
 | diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c
 | ||||||
| --- openssl-1.0.2a/apps/s_server.c.trusted-first	2015-04-22 16:25:31.806163281 +0200
 | --- openssl-1.0.2c/apps/s_server.c.trusted-first	2015-06-15 17:45:13.114279807 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/s_server.c	2015-04-22 16:25:31.841164108 +0200
 | +++ openssl-1.0.2c/apps/s_server.c	2015-06-15 17:47:24.841308046 +0200
 | ||||||
| @@ -569,6 +569,8 @@ static void sv_usage(void)
 | @@ -572,6 +572,8 @@ static void sv_usage(void)
 | ||||||
|      BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n"); |      BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n"); | ||||||
|      BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n"); |      BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n"); | ||||||
|      BIO_printf(bio_err, |      BIO_printf(bio_err, | ||||||
| +               " -trusted_first - Use trusted CA's first when building the trust chain\n");
 | +               " -trusted_first - Use trusted CA's first when building the trust chain\n");
 | ||||||
| +    BIO_printf(bio_err,
 | +    BIO_printf(bio_err,
 | ||||||
|                 " -nocert       - Don't use any certificates (Anon-DH)\n"); |                 " -no_alt_chains - only ever use the first certificate chain found\n"); | ||||||
|      BIO_printf(bio_err, |      BIO_printf(bio_err, | ||||||
|                 " -cipher arg   - play with 'openssl ciphers' to see what goes here\n"); |                 " -nocert       - Don't use any certificates (Anon-DH)\n"); | ||||||
| diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c
 | diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c
 | ||||||
| --- openssl-1.0.2a/apps/s_time.c.trusted-first	2015-04-22 16:25:31.755162075 +0200
 | --- openssl-1.0.2c/apps/s_time.c.trusted-first	2015-06-15 17:45:13.010277416 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/s_time.c	2015-04-22 16:25:31.841164108 +0200
 | +++ openssl-1.0.2c/apps/s_time.c	2015-06-15 17:45:13.114279807 +0200
 | ||||||
| @@ -182,6 +182,7 @@ static void s_time_usage(void)
 | @@ -182,6 +182,7 @@ static void s_time_usage(void)
 | ||||||
|                  file if not specified by this option\n\ |                  file if not specified by this option\n\ | ||||||
|  -CApath arg   - PEM format directory of CA's\n\ |  -CApath arg   - PEM format directory of CA's\n\ | ||||||
| @ -69,9 +69,9 @@ diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c | |||||||
|  -cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n"; |  -cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n"; | ||||||
|   |   | ||||||
|      printf("usage: s_time <args>\n\n"); |      printf("usage: s_time <args>\n\n"); | ||||||
| diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c
 | diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c
 | ||||||
| --- openssl-1.0.2a/apps/ts.c.trusted-first	2015-04-22 16:25:31.797163068 +0200
 | --- openssl-1.0.2c/apps/ts.c.trusted-first	2015-06-15 17:45:13.065278681 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/ts.c	2015-04-22 16:25:31.841164108 +0200
 | +++ openssl-1.0.2c/apps/ts.c	2015-06-15 17:45:13.114279807 +0200
 | ||||||
| @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
 | @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
 | ||||||
|                 "ts -verify [-data file_to_hash] [-digest digest_bytes] " |                 "ts -verify [-data file_to_hash] [-digest digest_bytes] " | ||||||
|                 "[-queryfile request.tsq] " |                 "[-queryfile request.tsq] " | ||||||
| @ -81,30 +81,30 @@ diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c | |||||||
|                 "-untrusted cert_file.pem\n"); |                 "-untrusted cert_file.pem\n"); | ||||||
|   cleanup: |   cleanup: | ||||||
|      /* Clean up. */ |      /* Clean up. */ | ||||||
| diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c
 | diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c
 | ||||||
| --- openssl-1.0.2a/apps/verify.c.trusted-first	2015-03-19 14:30:36.000000000 +0100
 | --- openssl-1.0.2c/apps/verify.c.trusted-first	2015-06-15 17:45:13.114279807 +0200
 | ||||||
| +++ openssl-1.0.2a/apps/verify.c	2015-04-22 16:25:31.841164108 +0200
 | +++ openssl-1.0.2c/apps/verify.c	2015-06-15 17:48:03.979207778 +0200
 | ||||||
| @@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
 | @@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
 | ||||||
|   end: |   end: | ||||||
|      if (ret == 1) { |      if (ret == 1) { | ||||||
|          BIO_printf(bio_err, |          BIO_printf(bio_err, | ||||||
| -                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
 | -                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
 | ||||||
| +                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
 | +                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
 | ||||||
|          BIO_printf(bio_err, " [-attime timestamp]"); |          BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); | ||||||
|  #ifndef OPENSSL_NO_ENGINE |  #ifndef OPENSSL_NO_ENGINE | ||||||
|          BIO_printf(bio_err, " [-engine e]"); |          BIO_printf(bio_err, " [-engine e]"); | ||||||
| diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod
 | diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod
 | ||||||
| --- openssl-1.0.2a/doc/apps/cms.pod.trusted-first	2015-03-19 14:30:36.000000000 +0100
 | --- openssl-1.0.2c/doc/apps/cms.pod.trusted-first	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/doc/apps/cms.pod	2015-04-22 16:25:31.842164132 +0200
 | +++ openssl-1.0.2c/doc/apps/cms.pod	2015-06-15 17:48:43.615118958 +0200
 | ||||||
| @@ -35,6 +35,7 @@ B<openssl> B<cms>
 | @@ -35,6 +35,7 @@ B<openssl> B<cms>
 | ||||||
|  [B<-print>] |  [B<-print>] | ||||||
|  [B<-CAfile file>] |  [B<-CAfile file>] | ||||||
|  [B<-CApath dir>] |  [B<-CApath dir>] | ||||||
| +[B<-trusted_first>]
 | +[B<-trusted_first>]
 | ||||||
|  |  [B<-no_alt_chains>] | ||||||
|  [B<-md digest>] |  [B<-md digest>] | ||||||
|  [B<-[cipher]>] |  [B<-[cipher]>] | ||||||
|  [B<-nointern>] | @@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta
 | ||||||
| @@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta
 |  | ||||||
|  is a hash of each subject name (using B<x509 -hash>) should be linked |  is a hash of each subject name (using B<x509 -hash>) should be linked | ||||||
|  to each certificate. |  to each certificate. | ||||||
|   |   | ||||||
| @ -117,18 +117,20 @@ diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/c | |||||||
|  =item B<-md digest> |  =item B<-md digest> | ||||||
|   |   | ||||||
|  digest algorithm to use when signing or resigning. If not present then the |  digest algorithm to use when signing or resigning. If not present then the | ||||||
| diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod
 | diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod
 | ||||||
| --- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first	2015-04-22 16:25:31.798163092 +0200
 | --- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first	2015-06-15 17:45:13.115279830 +0200
 | ||||||
| +++ openssl-1.0.2a/doc/apps/ocsp.pod	2015-04-22 16:25:31.842164132 +0200
 | +++ openssl-1.0.2c/doc/apps/ocsp.pod	2015-06-15 17:49:06.337641320 +0200
 | ||||||
| @@ -29,6 +29,7 @@ B<openssl> B<ocsp>
 | @@ -29,7 +29,8 @@ B<openssl> B<ocsp>
 | ||||||
|  [B<-path>] |  [B<-path>] | ||||||
|  [B<-CApath dir>] |  [B<-CApath dir>] | ||||||
|  [B<-CAfile file>] |  [B<-CAfile file>] | ||||||
|  | -[B<-no_alt_chains>]]
 | ||||||
| +[B<-trusted_first>]
 | +[B<-trusted_first>]
 | ||||||
|  | +[B<-no_alt_chains>]
 | ||||||
|  [B<-VAfile file>] |  [B<-VAfile file>] | ||||||
|  [B<-validity_period n>] |  [B<-validity_period n>] | ||||||
|  [B<-status_age n>] |  [B<-status_age n>] | ||||||
| @@ -143,6 +144,13 @@ connection timeout to the OCSP responder
 | @@ -144,6 +145,13 @@ connection timeout to the OCSP responder
 | ||||||
|  file or pathname containing trusted CA certificates. These are used to verify |  file or pathname containing trusted CA certificates. These are used to verify | ||||||
|  the signature on the OCSP response. |  the signature on the OCSP response. | ||||||
|   |   | ||||||
| @ -139,32 +141,32 @@ diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ | |||||||
| +chain to verify responder certificate.
 | +chain to verify responder certificate.
 | ||||||
| +This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
 | +This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
 | ||||||
| +
 | +
 | ||||||
|  =item B<-verify_other file> |  =item B<-no_alt_chains> | ||||||
|   |   | ||||||
|  file containing additional certificates to search when attempting to locate |  See L<B<verify>|verify(1)> manual page for details. | ||||||
| diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod
 | diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod
 | ||||||
| --- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first	2015-04-22 16:25:31.814163470 +0200
 | --- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first	2015-06-15 17:45:13.115279830 +0200
 | ||||||
| +++ openssl-1.0.2a/doc/apps/s_client.pod	2015-04-22 16:25:31.843164156 +0200
 | +++ openssl-1.0.2c/doc/apps/s_client.pod	2015-06-15 17:49:23.984046989 +0200
 | ||||||
| @@ -19,6 +19,7 @@ B<openssl> B<s_client>
 | @@ -19,6 +19,7 @@ B<openssl> B<s_client>
 | ||||||
|  [B<-pass arg>] |  [B<-pass arg>] | ||||||
|  [B<-CApath directory>] |  [B<-CApath directory>] | ||||||
|  [B<-CAfile filename>] |  [B<-CAfile filename>] | ||||||
| +[B<-trusted_first>]
 | +[B<-trusted_first>]
 | ||||||
|  |  [B<-no_alt_chains>] | ||||||
|  [B<-reconnect>] |  [B<-reconnect>] | ||||||
|  [B<-pause>] |  [B<-pause>] | ||||||
|  [B<-showcerts>] | @@ -124,7 +125,7 @@ also used when building the client certi
 | ||||||
| @@ -123,7 +124,7 @@ also used when building the client certi
 |  | ||||||
|  A file containing trusted certificates to use during server authentication |  A file containing trusted certificates to use during server authentication | ||||||
|  and to use when attempting to build the client certificate chain. |  and to use when attempting to build the client certificate chain. | ||||||
|   |   | ||||||
| -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
 | -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
 | ||||||
| +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
 | +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
 | ||||||
|   |   | ||||||
|  Set various certificate chain valiadition option. See the |  Set various certificate chain valiadition option. See the | ||||||
|  L<B<verify>|verify(1)> manual page for details. |  L<B<verify>|verify(1)> manual page for details. | ||||||
| diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod
 | diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod
 | ||||||
| --- openssl-1.0.2a/doc/apps/smime.pod.trusted-first	2015-01-20 13:33:36.000000000 +0100
 | --- openssl-1.0.2c/doc/apps/smime.pod.trusted-first	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/doc/apps/smime.pod	2015-04-22 16:25:31.843164156 +0200
 | +++ openssl-1.0.2c/doc/apps/smime.pod	2015-06-15 17:50:00.856894648 +0200
 | ||||||
| @@ -15,6 +15,9 @@ B<openssl> B<smime>
 | @@ -15,6 +15,9 @@ B<openssl> B<smime>
 | ||||||
|  [B<-pk7out>] |  [B<-pk7out>] | ||||||
|  [B<-[cipher]>] |  [B<-[cipher]>] | ||||||
| @ -172,10 +174,10 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps | |||||||
| +[B<-CAfile file>]
 | +[B<-CAfile file>]
 | ||||||
| +[B<-CApath dir>]
 | +[B<-CApath dir>]
 | ||||||
| +[B<-trusted_first>]
 | +[B<-trusted_first>]
 | ||||||
|  |  [B<-no_alt_chains>] | ||||||
|  [B<-certfile file>] |  [B<-certfile file>] | ||||||
|  [B<-signer file>] |  [B<-signer file>] | ||||||
|  [B<-recip  file>] | @@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta
 | ||||||
| @@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
 |  | ||||||
|  is a hash of each subject name (using B<x509 -hash>) should be linked |  is a hash of each subject name (using B<x509 -hash>) should be linked | ||||||
|  to each certificate. |  to each certificate. | ||||||
|   |   | ||||||
| @ -188,18 +190,18 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps | |||||||
|  =item B<-md digest> |  =item B<-md digest> | ||||||
|   |   | ||||||
|  digest algorithm to use when signing or resigning. If not present then the |  digest algorithm to use when signing or resigning. If not present then the | ||||||
| diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod
 | diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod
 | ||||||
| --- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first	2015-04-22 16:25:31.814163470 +0200
 | --- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first	2015-06-15 17:45:13.116279853 +0200
 | ||||||
| +++ openssl-1.0.2a/doc/apps/s_server.pod	2015-04-22 16:25:31.843164156 +0200
 | +++ openssl-1.0.2c/doc/apps/s_server.pod	2015-06-15 17:49:37.420355873 +0200
 | ||||||
| @@ -33,6 +33,7 @@ B<openssl> B<s_server>
 | @@ -33,6 +33,7 @@ B<openssl> B<s_server>
 | ||||||
|  [B<-state>] |  [B<-state>] | ||||||
|  [B<-CApath directory>] |  [B<-CApath directory>] | ||||||
|  [B<-CAfile filename>] |  [B<-CAfile filename>] | ||||||
| +[B<-trusted_first>]
 | +[B<-trusted_first>]
 | ||||||
|  |  [B<-no_alt_chains>] | ||||||
|  [B<-nocert>] |  [B<-nocert>] | ||||||
|  [B<-cipher cipherlist>] |  [B<-cipher cipherlist>] | ||||||
|  [B<-serverpref>] | @@ -175,6 +176,12 @@ and to use when attempting to build the
 | ||||||
| @@ -174,6 +175,12 @@ and to use when attempting to build the
 |  | ||||||
|  is also used in the list of acceptable client CAs passed to the client when |  is also used in the list of acceptable client CAs passed to the client when | ||||||
|  a certificate is requested. |  a certificate is requested. | ||||||
|   |   | ||||||
| @ -209,12 +211,12 @@ diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/a | |||||||
| +when building the trust chain to verify client certificates.
 | +when building the trust chain to verify client certificates.
 | ||||||
| +This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
 | +This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
 | ||||||
| +
 | +
 | ||||||
|  =item B<-state> |  =item B<-no_alt_chains> | ||||||
|   |   | ||||||
|  prints out the SSL session states. |  See the L<B<verify>|verify(1)> manual page for details. | ||||||
| diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod
 | diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/apps/s_time.pod
 | ||||||
| --- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first	2015-01-15 15:43:49.000000000 +0100
 | --- openssl-1.0.2c/doc/apps/s_time.pod.trusted-first	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/doc/apps/s_time.pod	2015-04-22 16:25:31.843164156 +0200
 | +++ openssl-1.0.2c/doc/apps/s_time.pod	2015-06-15 17:45:13.116279853 +0200
 | ||||||
| @@ -14,6 +14,7 @@ B<openssl> B<s_time>
 | @@ -14,6 +14,7 @@ B<openssl> B<s_time>
 | ||||||
|  [B<-key filename>] |  [B<-key filename>] | ||||||
|  [B<-CApath directory>] |  [B<-CApath directory>] | ||||||
| @ -236,9 +238,9 @@ diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/app | |||||||
|  =item B<-new> |  =item B<-new> | ||||||
|   |   | ||||||
|  performs the timing test using a new session ID for each connection. |  performs the timing test using a new session ID for each connection. | ||||||
| diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod
 | diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts.pod
 | ||||||
| --- openssl-1.0.2a/doc/apps/ts.pod.trusted-first	2015-01-20 13:33:36.000000000 +0100
 | --- openssl-1.0.2c/doc/apps/ts.pod.trusted-first	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/doc/apps/ts.pod	2015-04-22 16:25:31.843164156 +0200
 | +++ openssl-1.0.2c/doc/apps/ts.pod	2015-06-15 17:45:13.116279853 +0200
 | ||||||
| @@ -46,6 +46,7 @@ B<-verify>
 | @@ -46,6 +46,7 @@ B<-verify>
 | ||||||
|  [B<-token_in>] |  [B<-token_in>] | ||||||
|  [B<-CApath> trusted_cert_path] |  [B<-CApath> trusted_cert_path] | ||||||
| @ -260,9 +262,9 @@ diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts | |||||||
|  =item B<-untrusted> cert_file.pem |  =item B<-untrusted> cert_file.pem | ||||||
|   |   | ||||||
|  Set of additional untrusted certificates in PEM format which may be |  Set of additional untrusted certificates in PEM format which may be | ||||||
| diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod
 | diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/apps/verify.pod
 | ||||||
| --- openssl-1.0.2a/doc/apps/verify.pod.trusted-first	2015-03-19 14:30:36.000000000 +0100
 | --- openssl-1.0.2c/doc/apps/verify.pod.trusted-first	2015-06-12 16:51:21.000000000 +0200
 | ||||||
| +++ openssl-1.0.2a/doc/apps/verify.pod	2015-04-22 16:25:31.843164156 +0200
 | +++ openssl-1.0.2c/doc/apps/verify.pod	2015-06-15 17:45:13.116279853 +0200
 | ||||||
| @@ -9,6 +9,7 @@ verify - Utility to verify certificates.
 | @@ -9,6 +9,7 @@ verify - Utility to verify certificates.
 | ||||||
|  B<openssl> B<verify> |  B<openssl> B<verify> | ||||||
|  [B<-CApath directory>] |  [B<-CApath directory>] | ||||||
| @ -271,7 +273,7 @@ diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/app | |||||||
|  [B<-purpose purpose>] |  [B<-purpose purpose>] | ||||||
|  [B<-policy arg>] |  [B<-policy arg>] | ||||||
|  [B<-ignore_critical>] |  [B<-ignore_critical>] | ||||||
| @@ -78,6 +79,12 @@ If a valid CRL cannot be found an error
 | @@ -79,6 +80,12 @@ If a valid CRL cannot be found an error
 | ||||||
|  A file of untrusted certificates. The file should contain multiple certificates |  A file of untrusted certificates. The file should contain multiple certificates | ||||||
|  in PEM format concatenated together. |  in PEM format concatenated together. | ||||||
|   |   | ||||||
							
								
								
									
										21
									
								
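--- a/openssl.spec
+++ b/openssl.spec
@@ -22,8 +22,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.0.2a
-Release: 4%{?dist}
+Version: 1.0.2c
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -40,7 +40,7 @@ Source11: README.FIPS
 Source12: ec_curve.c
 Source13: ectest.c
 # Build changes
-Patch1: openssl-1.0.2a-rpmbuild.patch
+Patch1: openssl-1.0.2c-rpmbuild.patch
 Patch2: openssl-1.0.2a-defaults.patch
 Patch4: openssl-1.0.2a-enginesdir.patch
 Patch5: openssl-1.0.2a-no-rpath.patch
@@ -49,14 +49,14 @@ Patch7: openssl-1.0.0-timezone.patch
 Patch8: openssl-1.0.1c-perlfind.patch
 Patch9: openssl-1.0.1c-aliasing.patch
 # Bug fixes
-Patch23: openssl-1.0.2a-default-paths.patch
+Patch23: openssl-1.0.2c-default-paths.patch
 Patch24: openssl-1.0.2a-issuer-hash.patch
 # Functionality changes
 Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-1.0.2a-x509.patch
 Patch35: openssl-1.0.2a-version-add-engines.patch
 Patch39: openssl-1.0.2a-ipv6-apps.patch
-Patch40: openssl-1.0.2a-fips.patch
+Patch40: openssl-1.0.2c-fips.patch
 Patch45: openssl-1.0.2a-env-zlib.patch
 Patch47: openssl-1.0.2a-readme-warning.patch
 Patch49: openssl-1.0.1i-algo-doc.patch
@@ -69,11 +69,10 @@ Patch63: openssl-1.0.2a-xmpp-starttls.patch
 Patch65: openssl-1.0.2a-chil-fixes.patch
 Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
 Patch68: openssl-1.0.2a-secure-getenv.patch
-Patch69: openssl-1.0.2a-dh-1024.patch
 Patch70: openssl-1.0.2a-fips-ec.patch
 Patch71: openssl-1.0.2a-manfix.patch
 Patch72: openssl-1.0.2a-fips-ctor.patch
-Patch73: openssl-1.0.2a-ecc-suiteb.patch
+Patch73: openssl-1.0.2c-ecc-suiteb.patch
 Patch74: openssl-1.0.2a-no-md5-verify.patch
 Patch75: openssl-1.0.2a-compat-symbols.patch
 Patch76: openssl-1.0.2a-new-fips-reqs.patch
@@ -85,8 +84,7 @@ Patch93: openssl-1.0.2a-disable-sslv2v3.patch
 # Backported fixes including security fixes
 Patch80: openssl-1.0.2a-wrap-pad.patch
 Patch81: openssl-1.0.2a-padlock64.patch
-Patch82: openssl-1.0.2a-trusted-first-doc.patch
-Patch83: openssl-1.0.2a-alt-chains.patch
+Patch82: openssl-1.0.2c-trusted-first-doc.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -190,7 +188,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch65 -p1 -b .chil
 %patch66 -p1 -b .krb5
 %patch68 -p1 -b .secure-getenv
-%patch69 -p1 -b .dh1024
 %patch70 -p1 -b .fips-ec
 %patch71 -p1 -b .manfix
 %patch72 -p1 -b .fips-ctor
@@ -207,7 +204,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch80 -p1 -b .wrap
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .trusted-first
-%patch83 -p1 -b .alt-chains
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -478,6 +474,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Jun 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2c-1
+- minor upstream release 1.0.2c fixing multiple security issues
+
 * Thu May  7 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.2a-4
 - Add aarch64 sslarch details
 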
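Review bot: The new %changelog entry does not record that Patch69 (dh-1024) and Patch83 (alt-chains) were dropped along with their `%patch69` and `%patch83` lines, so a later audit of the spec cannot tell whether those changes are still in effect. For alt-chains the rebased trusted-first-doc patch now shows `-no_alt_chains` in its context lines, which suggests the 1.0.2c sources already carry it; nothing on this page shows the same for dh-1024, so that should be confirmed against the new tarball. If both are covered upstream, add a line such as `- drop dh-1024 and alt-chains patches, included in the upstream release`. The entry would also be easier to track if it listed the CVE identifiers from the upstream advisory instead of only "multiple security issues".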