update to the latest 1.1.1 beta version
This commit is contained in:
parent
7f74f219f1
commit
9189f03055
1
.gitignore
vendored
1
.gitignore
vendored
@ -38,3 +38,4 @@ openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.1.0f-hobbled.tar.xz
|
||||
/openssl-1.1.0g-hobbled.tar.xz
|
||||
/openssl-1.1.0h-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre8-hobbled.tar.xz
|
||||
|
23
ec_curve.c
23
ec_curve.c
@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -7,26 +8,12 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/* ====================================================================
|
||||
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
||||
*
|
||||
* Portions of the attached software ("Contribution") are developed by
|
||||
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
|
||||
*
|
||||
* The Contribution is licensed pursuant to the OpenSSL open source
|
||||
* license provided above.
|
||||
*
|
||||
* The elliptic curve binary polynomial software is originally written by
|
||||
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "ec_lcl.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include "e_os.h"
|
||||
#include "internal/nelem.h"
|
||||
|
||||
typedef struct {
|
||||
int field_type, /* either NID_X9_62_prime_field or
|
||||
@ -350,6 +337,8 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
|
||||
}
|
||||
#endif
|
||||
|
||||
EC_GROUP_set_curve_name(group, curve.nid);
|
||||
|
||||
if ((P = EC_POINT_new(group)) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
@ -415,8 +404,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
EC_GROUP_set_curve_name(ret, nid);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -1,48 +0,0 @@
|
||||
diff -up openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod
|
||||
--- openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod.algo-doc 2017-01-26 15:49:18.784947229 +0100
|
||||
+++ openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod 2017-01-26 15:52:46.458556068 +0100
|
||||
@@ -152,7 +152,7 @@ corresponding OBJECT IDENTIFIER or NID_u
|
||||
EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
|
||||
EVP_MD_CTX_block_size() return the digest or block size in bytes.
|
||||
|
||||
-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(),
|
||||
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(), EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(),
|
||||
EVP_mdc2(), EVP_ripemd160(), EVP_blake2b512(), and EVP_blake2s256() return
|
||||
pointers to the corresponding EVP_MD structures.
|
||||
|
||||
diff -up openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod
|
||||
--- openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod.algo-doc 2017-01-26 14:10:24.000000000 +0100
|
||||
+++ openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod 2017-01-26 15:49:18.784947229 +0100
|
||||
@@ -108,6 +108,32 @@ EVP_chacha20, EVP_chacha20_poly1305 - EV
|
||||
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
||||
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
||||
|
||||
+ const EVP_CIPHER *EVP_des_ede3(void);
|
||||
+ const EVP_CIPHER *EVP_des_ede3_ecb(void);
|
||||
+ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
|
||||
+ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
|
||||
+ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
|
||||
+ const EVP_CIPHER *EVP_des_ede3_ofb(void);
|
||||
+ const EVP_CIPHER *EVP_des_ede3_cbc(void);
|
||||
+ const EVP_CIPHER *EVP_aes_128_ecb(void);
|
||||
+ const EVP_CIPHER *EVP_aes_128_cbc(void);
|
||||
+ const EVP_CIPHER *EVP_aes_128_cfb1(void);
|
||||
+ const EVP_CIPHER *EVP_aes_128_cfb8(void);
|
||||
+ const EVP_CIPHER *EVP_aes_128_cfb128(void);
|
||||
+ const EVP_CIPHER *EVP_aes_128_ofb(void);
|
||||
+ const EVP_CIPHER *EVP_aes_192_ecb(void);
|
||||
+ const EVP_CIPHER *EVP_aes_192_cbc(void);
|
||||
+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
|
||||
+ const EVP_CIPHER *EVP_aes_192_cfb8(void);
|
||||
+ const EVP_CIPHER *EVP_aes_192_cfb128(void);
|
||||
+ const EVP_CIPHER *EVP_aes_192_ofb(void);
|
||||
+ const EVP_CIPHER *EVP_aes_256_ecb(void);
|
||||
+ const EVP_CIPHER *EVP_aes_256_cbc(void);
|
||||
+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
|
||||
+ const EVP_CIPHER *EVP_aes_256_cfb8(void);
|
||||
+ const EVP_CIPHER *EVP_aes_256_cfb128(void);
|
||||
+ const EVP_CIPHER *EVP_aes_256_ofb(void);
|
||||
+
|
||||
=head1 DESCRIPTION
|
||||
|
||||
The EVP cipher routines are a high level interface to certain
|
@ -1,29 +0,0 @@
|
||||
diff -up openssl-1.1.0c/crypto/bio/bss_fd.c.preserve-nl openssl-1.1.0c/crypto/bio/bss_fd.c
|
||||
--- openssl-1.1.0c/crypto/bio/bss_fd.c.preserve-nl 2016-11-10 15:03:44.000000000 +0100
|
||||
+++ openssl-1.1.0c/crypto/bio/bss_fd.c 2016-12-22 14:36:16.730740423 +0100
|
||||
@@ -202,8 +202,10 @@ static int fd_gets(BIO *bp, char *buf, i
|
||||
char *ptr = buf;
|
||||
char *end = buf + size - 1;
|
||||
|
||||
- while ((ptr < end) && (fd_read(bp, ptr, 1) > 0) && (ptr[0] != '\n'))
|
||||
- ptr++;
|
||||
+ while (ptr < end && fd_read(bp, ptr, 1) > 0) {
|
||||
+ if (*ptr++ == '\n')
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
ptr[0] = '\0';
|
||||
|
||||
diff -up openssl-1.1.0c/doc/crypto/BIO_read.pod.preserve-nl openssl-1.1.0c/doc/crypto/BIO_read.pod
|
||||
--- openssl-1.1.0c/doc/crypto/BIO_read.pod.preserve-nl 2016-11-10 15:03:45.000000000 +0100
|
||||
+++ openssl-1.1.0c/doc/crypto/BIO_read.pod 2016-12-22 14:37:22.731245197 +0100
|
||||
@@ -23,7 +23,8 @@ in B<buf>. Usually this operation will a
|
||||
from the BIO of maximum length B<len-1>. There are exceptions to this,
|
||||
however; for example, BIO_gets() on a digest BIO will calculate and
|
||||
return the digest and other BIOs may not support BIO_gets() at all.
|
||||
-The returned string is always NUL-terminated.
|
||||
+The returned string is always NUL-terminated and the '\n' is preserved
|
||||
+if present in the input data.
|
||||
|
||||
BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
|
||||
|
@ -1,104 +0,0 @@
|
||||
diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build 2017-06-02 13:51:39.621289504 +0200
|
||||
+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl 2017-06-02 13:54:45.298654812 +0200
|
||||
@@ -553,7 +553,7 @@ uninstall_runtime:
|
||||
install_man_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@echo "*** Installing manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
|
||||
|
||||
uninstall_man_docs:
|
||||
@@ -565,7 +565,7 @@ uninstall_man_docs:
|
||||
install_html_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@echo "*** Installing HTML manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
--destdir=$(DESTDIR)$(HTMLDIR) --type=html
|
||||
|
||||
uninstall_html_docs:
|
||||
diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf
|
||||
--- openssl-1.1.0f/Configurations/10-main.conf.build 2017-05-25 14:46:17.000000000 +0200
|
||||
+++ openssl-1.1.0f/Configurations/10-main.conf 2017-06-02 13:51:39.622289528 +0200
|
||||
@@ -662,6 +662,7 @@ sub vms_info {
|
||||
cflags => add("-m64 -DL_ENDIAN"),
|
||||
perlasm_scheme => "linux64le",
|
||||
shared_ldflag => add("-m64"),
|
||||
+ multilib => "64",
|
||||
},
|
||||
|
||||
"linux-armv4" => {
|
||||
@@ -702,6 +703,7 @@ sub vms_info {
|
||||
"linux-aarch64" => {
|
||||
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
|
||||
perlasm_scheme => "linux64",
|
||||
+ multilib => "64",
|
||||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
||||
diff -up openssl-1.1.0h/engines/afalg/e_afalg.c.build openssl-1.1.0h/engines/afalg/e_afalg.c
|
||||
--- openssl-1.1.0h/engines/afalg/e_afalg.c.build 2018-03-27 15:50:40.000000000 +0200
|
||||
+++ openssl-1.1.0h/engines/afalg/e_afalg.c 2018-06-19 16:56:20.150950529 +0200
|
||||
@@ -36,14 +36,25 @@ void engine_load_afalg_int(void)
|
||||
}
|
||||
#else
|
||||
|
||||
-# include <linux/if_alg.h>
|
||||
# include <fcntl.h>
|
||||
# include <sys/utsname.h>
|
||||
|
||||
-# include <linux/aio_abi.h>
|
||||
# include <sys/syscall.h>
|
||||
# include <errno.h>
|
||||
|
||||
+# define timespec linux_timespec
|
||||
+# define timeval linux_timeval
|
||||
+# define itimerspec linux_itimerspec
|
||||
+# define sigset_t linux_sigset_type
|
||||
+# include <linux/if_alg.h>
|
||||
+# include <linux/aio_abi.h>
|
||||
+
|
||||
+# ifndef _LINUX_TIME_H
|
||||
+# undef timespec
|
||||
+# undef timeval
|
||||
+# undef itimerspec
|
||||
+# undef sigset_t
|
||||
+# endif
|
||||
# include "e_afalg.h"
|
||||
|
||||
# define AFALG_LIB_NAME "AFALG"
|
||||
diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt
|
||||
--- openssl-1.1.0g/test/evptests.txt.build 2017-11-02 15:29:05.000000000 +0100
|
||||
+++ openssl-1.1.0g/test/evptests.txt 2017-11-03 16:37:01.253671494 +0100
|
||||
@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D
|
||||
|
||||
PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC
|
||||
|
||||
-Derive=Alice-25519
|
||||
-PeerKey=Bob-25519-PUBLIC
|
||||
-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||
-
|
||||
-Derive=Bob-25519
|
||||
-PeerKey=Alice-25519-PUBLIC
|
||||
-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||
-
|
||||
# Illegal sign/verify operations with X25519 key
|
||||
|
||||
Sign=Alice-25519
|
||||
@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR
|
||||
Function = EVP_PKEY_verify_init
|
||||
Reason = operation not supported for this keytype
|
||||
|
||||
+Derive=Alice-25519
|
||||
+PeerKey=Bob-25519-PUBLIC
|
||||
+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||
+
|
||||
+Derive=Bob-25519
|
||||
+PeerKey=Alice-25519-PUBLIC
|
||||
+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||
+
|
||||
## ECDH Tests: test with randomly generated keys for all the listed curves
|
||||
|
||||
|
@ -1,27 +0,0 @@
|
||||
diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0h/crypto/rsa/rsa_gen.c
|
||||
--- openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs 2018-03-27 15:50:39.000000000 +0200
|
||||
+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-29 14:37:53.405048562 +0200
|
||||
@@ -86,6 +86,12 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
|
||||
goto err;
|
||||
|
||||
+ /* prepare minimum p and q difference */
|
||||
+ if (!BN_one(r3))
|
||||
+ goto err;
|
||||
+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
|
||||
+ goto err;
|
||||
+
|
||||
if (BN_copy(rsa->e, e_value) == NULL)
|
||||
goto err;
|
||||
|
||||
@@ -118,7 +124,9 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
do {
|
||||
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
|
||||
goto err;
|
||||
- } while (BN_cmp(rsa->p, rsa->q) == 0);
|
||||
+ if (!BN_sub(r2, rsa->q, rsa->p))
|
||||
+ goto err;
|
||||
+ } while (BN_ucmp(r2, r3) <= 0);
|
||||
if (!BN_sub(r2, rsa->q, BN_value_one()))
|
||||
goto err;
|
||||
ERR_set_mark();
|
@ -1,15 +0,0 @@
|
||||
diff -up openssl-1.1.0-pre6/engines/e_chil.c.chil openssl-1.1.0-pre6/engines/e_chil.c
|
||||
--- openssl-1.1.0-pre6/engines/e_chil.c.chil 2016-08-04 16:00:47.000000000 +0200
|
||||
+++ openssl-1.1.0-pre6/engines/e_chil.c 2016-08-05 16:50:13.860588775 +0200
|
||||
@@ -1195,6 +1195,11 @@ static int hwcrhk_insert_card(const char
|
||||
UI *ui;
|
||||
void *callback_data = NULL;
|
||||
UI_METHOD *ui_method = NULL;
|
||||
+ /* Despite what the documentation says prompt_info can be
|
||||
+ * an empty string.
|
||||
+ */
|
||||
+ if (prompt_info && !*prompt_info)
|
||||
+ prompt_info = NULL;
|
||||
|
||||
if (cactx) {
|
||||
if (cactx->ui_method)
|
@ -1,85 +0,0 @@
|
||||
diff -up openssl-1.1.0h/apps/s_client.c.disable-ssl3 openssl-1.1.0h/apps/s_client.c
|
||||
--- openssl-1.1.0h/apps/s_client.c.disable-ssl3 2018-03-29 14:38:39.612133765 +0200
|
||||
+++ openssl-1.1.0h/apps/s_client.c 2018-03-29 14:41:51.309635904 +0200
|
||||
@@ -1489,6 +1489,9 @@ int s_client_main(int argc, char **argv)
|
||||
if (!config_ctx(cctx, ssl_args, ctx))
|
||||
goto end;
|
||||
|
||||
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
||||
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
if (ssl_config) {
|
||||
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
||||
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
||||
diff -up openssl-1.1.0h/apps/s_server.c.disable-ssl3 openssl-1.1.0h/apps/s_server.c
|
||||
--- openssl-1.1.0h/apps/s_server.c.disable-ssl3 2018-03-29 14:38:39.613133788 +0200
|
||||
+++ openssl-1.1.0h/apps/s_server.c 2018-03-29 14:42:27.313481477 +0200
|
||||
@@ -1619,6 +1619,9 @@ int s_server_main(int argc, char *argv[]
|
||||
if (!config_ctx(cctx, ssl_args, ctx))
|
||||
goto end;
|
||||
|
||||
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
||||
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
if (ssl_config) {
|
||||
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
||||
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
||||
diff -up openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0h/ssl/ssl_lib.c
|
||||
--- openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 2018-03-27 15:50:40.000000000 +0200
|
||||
+++ openssl-1.1.0h/ssl/ssl_lib.c 2018-03-29 14:38:39.614133811 +0200
|
||||
@@ -2653,6 +2653,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
* or by using the SSL_CONF library.
|
||||
*/
|
||||
ret->options |= SSL_OP_NO_COMPRESSION;
|
||||
+ /*
|
||||
+ * Disable SSLv3 by default. Applications can
|
||||
+ * re-enable it by configuring
|
||||
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+ * or by using the SSL_CONF library.
|
||||
+ */
|
||||
+ ret->options |= SSL_OP_NO_SSLv3;
|
||||
|
||||
ret->tlsext_status_type = -1;
|
||||
|
||||
diff -up openssl-1.1.0h/test/ssl_test.c.disable-ssl3 openssl-1.1.0h/test/ssl_test.c
|
||||
--- openssl-1.1.0h/test/ssl_test.c.disable-ssl3 2018-03-29 14:38:39.615133835 +0200
|
||||
+++ openssl-1.1.0h/test/ssl_test.c 2018-03-29 14:43:37.893139086 +0200
|
||||
@@ -277,6 +277,7 @@ static int execute_test(SSL_TEST_FIXTURE
|
||||
SSL_TEST_SERVERNAME_CB_NONE) {
|
||||
server2_ctx = SSL_CTX_new(TLS_server_method());
|
||||
TEST_check(server2_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
|
||||
}
|
||||
client_ctx = SSL_CTX_new(TLS_client_method());
|
||||
TEST_check(SSL_CTX_set_max_proto_version(client_ctx, TLS_MAX_VERSION));
|
||||
@@ -290,11 +291,15 @@ static int execute_test(SSL_TEST_FIXTURE
|
||||
TLS_MAX_VERSION));
|
||||
TEST_check(resume_server_ctx != NULL);
|
||||
TEST_check(resume_client_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_check(server_ctx != NULL);
|
||||
TEST_check(client_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
|
||||
|
||||
TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
|
||||
|
||||
diff -up openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 openssl-1.1.0h/test/ssltest_old.c
|
||||
--- openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 2018-03-27 15:50:41.000000000 +0200
|
||||
+++ openssl-1.1.0h/test/ssltest_old.c 2018-03-29 14:38:39.615133835 +0200
|
||||
@@ -1460,6 +1460,11 @@ int main(int argc, char *argv[])
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
+
|
||||
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
/*
|
||||
* Since we will use low security ciphersuites and keys for testing set
|
||||
* security level to zero by default. Tests can override this by adding
|
@ -1,80 +0,0 @@
|
||||
diff -up openssl-1.1.0e/apps/speed.c.curves openssl-1.1.0e/apps/speed.c
|
||||
--- openssl-1.1.0e/apps/speed.c.curves 2017-02-16 12:58:20.000000000 +0100
|
||||
+++ openssl-1.1.0e/apps/speed.c 2017-02-16 15:46:22.271504354 +0100
|
||||
@@ -536,42 +536,18 @@ static OPT_PAIR rsa_choices[] = {
|
||||
#define R_EC_X25519 16
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static OPT_PAIR ecdsa_choices[] = {
|
||||
- {"ecdsap160", R_EC_P160},
|
||||
- {"ecdsap192", R_EC_P192},
|
||||
{"ecdsap224", R_EC_P224},
|
||||
{"ecdsap256", R_EC_P256},
|
||||
{"ecdsap384", R_EC_P384},
|
||||
{"ecdsap521", R_EC_P521},
|
||||
- {"ecdsak163", R_EC_K163},
|
||||
- {"ecdsak233", R_EC_K233},
|
||||
- {"ecdsak283", R_EC_K283},
|
||||
- {"ecdsak409", R_EC_K409},
|
||||
- {"ecdsak571", R_EC_K571},
|
||||
- {"ecdsab163", R_EC_B163},
|
||||
- {"ecdsab233", R_EC_B233},
|
||||
- {"ecdsab283", R_EC_B283},
|
||||
- {"ecdsab409", R_EC_B409},
|
||||
- {"ecdsab571", R_EC_B571},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static OPT_PAIR ecdh_choices[] = {
|
||||
- {"ecdhp160", R_EC_P160},
|
||||
- {"ecdhp192", R_EC_P192},
|
||||
{"ecdhp224", R_EC_P224},
|
||||
{"ecdhp256", R_EC_P256},
|
||||
{"ecdhp384", R_EC_P384},
|
||||
{"ecdhp521", R_EC_P521},
|
||||
- {"ecdhk163", R_EC_K163},
|
||||
- {"ecdhk233", R_EC_K233},
|
||||
- {"ecdhk283", R_EC_K283},
|
||||
- {"ecdhk409", R_EC_K409},
|
||||
- {"ecdhk571", R_EC_K571},
|
||||
- {"ecdhb163", R_EC_B163},
|
||||
- {"ecdhb233", R_EC_B233},
|
||||
- {"ecdhb283", R_EC_B283},
|
||||
- {"ecdhb409", R_EC_B409},
|
||||
- {"ecdhb571", R_EC_B571},
|
||||
{"ecdhx25519", R_EC_X25519},
|
||||
{NULL}
|
||||
};
|
||||
diff -up openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves openssl-1.1.0e/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves 2017-02-16 12:58:21.000000000 +0100
|
||||
+++ openssl-1.1.0e/crypto/ec/ecp_smpl.c 2017-02-16 15:46:22.264504188 +0100
|
||||
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (BN_num_bits(p) < 224) {
|
||||
+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (ctx == NULL) {
|
||||
ctx = new_ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
diff -up openssl-1.1.0e/test/ecdsatest.c.curves openssl-1.1.0e/test/ecdsatest.c
|
||||
--- openssl-1.1.0e/test/ecdsatest.c.curves 2017-02-16 12:58:24.000000000 +0100
|
||||
+++ openssl-1.1.0e/test/ecdsatest.c 2017-02-16 15:46:22.250503857 +0100
|
||||
@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
|
||||
if (!change_rand())
|
||||
goto x962_err;
|
||||
|
||||
+#if 0
|
||||
if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
|
||||
"3342403536405981729393488334694600415596881826869351677613",
|
||||
"5735822328888155254683894997897571951568553642892029982342"))
|
||||
@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
|
||||
"3238135532097973577080787768312505059318910517550078427819"
|
||||
"78505179448783"))
|
||||
goto x962_err;
|
||||
+#endif
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
|
||||
"87194383164871543355722284926904419997237591535066528048",
|
@ -1,51 +0,0 @@
|
||||
diff -up openssl-1.1.0g/doc/apps/ec.pod.manfix openssl-1.1.0g/doc/apps/ec.pod
|
||||
--- openssl-1.1.0g/doc/apps/ec.pod.manfix 2017-11-02 15:29:04.000000000 +0100
|
||||
+++ openssl-1.1.0g/doc/apps/ec.pod 2017-11-03 16:09:31.714027145 +0100
|
||||
@@ -101,10 +101,6 @@ prints out the public, private key compo
|
||||
|
||||
this option prevents output of the encoded version of the key.
|
||||
|
||||
-=item B<-modulus>
|
||||
-
|
||||
-this option prints out the value of the public key component of the key.
|
||||
-
|
||||
=item B<-pubin>
|
||||
|
||||
by default a private key is read from the input file: with this option a
|
||||
diff -up openssl-1.1.0g/doc/apps/openssl.pod.manfix openssl-1.1.0g/doc/apps/openssl.pod
|
||||
--- openssl-1.1.0g/doc/apps/openssl.pod.manfix 2017-11-02 15:29:04.000000000 +0100
|
||||
+++ openssl-1.1.0g/doc/apps/openssl.pod 2017-11-03 16:11:48.478245311 +0100
|
||||
@@ -170,7 +170,7 @@ Create or examine a Netscape certificate
|
||||
|
||||
Online Certificate Status Protocol utility.
|
||||
|
||||
-=item L<B<passwd>|passwd(1)>
|
||||
+=item L<B<passwd>|sslpasswd(1)>
|
||||
|
||||
Generation of hashed passwords.
|
||||
|
||||
@@ -198,7 +198,7 @@ Public key algorithm parameter managemen
|
||||
|
||||
Public key algorithm cryptographic operation utility.
|
||||
|
||||
-=item L<B<rand>|rand(1)>
|
||||
+=item L<B<rand>|sslrand(1)>
|
||||
|
||||
Generate pseudo-random bytes.
|
||||
|
||||
@@ -432,13 +432,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
|
||||
L<ec(1)>, L<ecparam(1)>,
|
||||
L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
|
||||
L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
|
||||
-L<passwd(1)>,
|
||||
L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
|
||||
L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>,
|
||||
-L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
|
||||
+L<rehash(1)>, L<req(1)>, L<rsa(1)>,
|
||||
L<rsautl(1)>, L<s_client(1)>,
|
||||
L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
|
||||
L<smime(1)>, L<speed(1)>, L<spkac(1)>,
|
||||
+L<sslpasswd(1)>, L<sslrand(1)>,
|
||||
L<ts(1)>,
|
||||
L<verify(1)>, L<version(1)>, L<x509(1)>,
|
||||
L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
|
@ -1,15 +0,0 @@
|
||||
diff -up openssl-1.1.0h/util/dofile.pl.missing-quotes openssl-1.1.0h/util/dofile.pl
|
||||
--- openssl-1.1.0h/util/dofile.pl.missing-quotes 2018-03-27 15:50:41.000000000 +0200
|
||||
+++ openssl-1.1.0h/util/dofile.pl 2018-04-03 11:59:36.742091742 +0200
|
||||
@@ -99,9 +99,9 @@ package main;
|
||||
# This adds quotes (") around the given string, and escapes any $, @, \,
|
||||
# " and ' by prepending a \ to them.
|
||||
sub quotify1 {
|
||||
- my $s = my $orig = shift @_;
|
||||
+ my $s = shift @_;
|
||||
$s =~ s/([\$\@\\"'])/\\$1/g;
|
||||
- $s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s;
|
||||
+ '"'.$s.'"';
|
||||
}
|
||||
|
||||
# quotify_l LIST
|
@ -1,139 +0,0 @@
|
||||
diff -up openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_api.c
|
||||
--- openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv 2017-11-02 15:29:02.000000000 +0100
|
||||
+++ openssl-1.1.0g/crypto/conf/conf_api.c 2017-11-03 16:12:31.826265323 +0100
|
||||
@@ -9,6 +9,8 @@
|
||||
|
||||
/* Part of the code in here was originally in conf.c, which is now removed */
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <openssl/conf.h>
|
||||
@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
|
||||
if (v != NULL)
|
||||
return (v->value);
|
||||
if (strcmp(section, "ENV") == 0) {
|
||||
- p = getenv(name);
|
||||
+ p = secure_getenv(name);
|
||||
if (p != NULL)
|
||||
return (p);
|
||||
}
|
||||
@@ -95,7 +97,7 @@ char *_CONF_get_string(const CONF *conf,
|
||||
else
|
||||
return (NULL);
|
||||
} else
|
||||
- return (getenv(name));
|
||||
+ return (secure_getenv(name));
|
||||
}
|
||||
|
||||
static unsigned long conf_value_hash(const CONF_VALUE *v)
|
||||
diff -up openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_mod.c
|
||||
--- openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv 2017-11-02 15:29:02.000000000 +0100
|
||||
+++ openssl-1.1.0g/crypto/conf/conf_mod.c 2017-11-03 16:12:31.827265347 +0100
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <openssl/crypto.h>
|
||||
@@ -478,7 +480,7 @@ char *CONF_get1_default_config_file(void
|
||||
char *file;
|
||||
int len;
|
||||
|
||||
- file = getenv("OPENSSL_CONF");
|
||||
+ file = secure_getenv("OPENSSL_CONF");
|
||||
if (file)
|
||||
return OPENSSL_strdup(file);
|
||||
|
||||
diff -up openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv openssl-1.1.0g/crypto/engine/eng_list.c
|
||||
--- openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv 2017-11-02 15:29:03.000000000 +0100
|
||||
+++ openssl-1.1.0g/crypto/engine/eng_list.c 2017-11-03 16:12:31.827265347 +0100
|
||||
@@ -13,6 +13,8 @@
|
||||
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include "eng_int.h"
|
||||
|
||||
/*
|
||||
@@ -322,7 +324,7 @@ ENGINE *ENGINE_by_id(const char *id)
|
||||
* Prevent infinite recursion if we're looking for the dynamic engine.
|
||||
*/
|
||||
if (strcmp(id, "dynamic")) {
|
||||
- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
|
||||
+ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
|
||||
load_dir = ENGINESDIR;
|
||||
iterator = ENGINE_by_id("dynamic");
|
||||
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
|
||||
diff -up openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv openssl-1.1.0g/crypto/rand/randfile.c
|
||||
--- openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv 2017-11-02 15:29:03.000000000 +0100
|
||||
+++ openssl-1.1.0g/crypto/rand/randfile.c 2017-11-03 16:12:31.827265347 +0100
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include "internal/cryptlib.h"
|
||||
|
||||
#include <errno.h>
|
||||
@@ -317,10 +319,10 @@ const char *RAND_file_name(char *buf, si
|
||||
if (OPENSSL_issetugid() != 0) {
|
||||
use_randfile = 0;
|
||||
} else {
|
||||
- s = getenv("RANDFILE");
|
||||
+ s = secure_getenv("RANDFILE");
|
||||
if (s == NULL || *s == '\0') {
|
||||
use_randfile = 0;
|
||||
- s = getenv("HOME");
|
||||
+ s = secure_getenv("HOME");
|
||||
}
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0g/crypto/x509/by_dir.c
|
||||
--- openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv 2017-11-02 15:29:04.000000000 +0100
|
||||
+++ openssl-1.1.0g/crypto/x509/by_dir.c 2017-11-03 16:12:31.827265347 +0100
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
@@ -78,7 +80,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
|
||||
switch (cmd) {
|
||||
case X509_L_ADD_DIR:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
- dir = (char *)getenv(X509_get_default_cert_dir_env());
|
||||
+ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
|
||||
if (dir)
|
||||
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||
else
|
||||
diff -up openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv openssl-1.1.0g/crypto/x509/by_file.c
|
||||
--- openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv 2017-11-02 15:29:04.000000000 +0100
|
||||
+++ openssl-1.1.0g/crypto/x509/by_file.c 2017-11-03 16:14:13.230649686 +0100
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
@@ -47,7 +49,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
|
||||
switch (cmd) {
|
||||
case X509_L_FILE_LOAD:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
- file = getenv(X509_get_default_cert_file_env());
|
||||
+ file = secure_getenv(X509_get_default_cert_file_env());
|
||||
if (file)
|
||||
ok = (X509_load_cert_crl_file(ctx, file,
|
||||
X509_FILETYPE_PEM) != 0);
|
@ -1,24 +0,0 @@
|
||||
diff -up openssl-1.1.0h/apps/app_rand.c.silent-rnd-write openssl-1.1.0h/apps/app_rand.c
|
||||
--- openssl-1.1.0h/apps/app_rand.c.silent-rnd-write 2018-03-27 15:50:37.000000000 +0200
|
||||
+++ openssl-1.1.0h/apps/app_rand.c 2018-03-29 15:27:24.597891091 +0200
|
||||
@@ -91,6 +91,7 @@ long app_RAND_load_files(char *name)
|
||||
int app_RAND_write_file(const char *file)
|
||||
{
|
||||
char buffer[200];
|
||||
+ const char *origfile = file;
|
||||
|
||||
if (egdsocket || !seeded)
|
||||
/*
|
||||
@@ -103,8 +104,10 @@ int app_RAND_write_file(const char *file
|
||||
if (file == NULL)
|
||||
file = RAND_file_name(buffer, sizeof(buffer));
|
||||
if (file == NULL || !RAND_write_file(file)) {
|
||||
- BIO_printf(bio_err, "unable to write 'random state'\n");
|
||||
- return 0;
|
||||
+ if (origfile != NULL) {
|
||||
+ BIO_printf(bio_err, "unable to write 'random state'\n");
|
||||
+ return 0;
|
||||
+ }
|
||||
}
|
||||
return 1;
|
||||
}
|
@ -1,38 +0,0 @@
|
||||
diff -up openssl-1.1.0h/apps/version.c.version-add-engines openssl-1.1.0h/apps/version.c
|
||||
--- openssl-1.1.0h/apps/version.c.version-add-engines 2018-03-27 15:50:37.000000000 +0200
|
||||
+++ openssl-1.1.0h/apps/version.c 2018-03-29 14:33:30.732879537 +0200
|
||||
@@ -52,7 +52,7 @@ int version_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1, dirty = 0;
|
||||
int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
|
||||
- int engdir = 0;
|
||||
+ int engdir = 0, engines = 0;
|
||||
char *prog;
|
||||
OPTION_CHOICE o;
|
||||
|
||||
@@ -90,7 +90,7 @@ opthelp:
|
||||
dirty = version = 1;
|
||||
break;
|
||||
case OPT_A:
|
||||
- options = cflags = version = date = platform = dir = engdir = 1;
|
||||
+ options = cflags = version = date = platform = dir = engdir = engines = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -139,6 +139,16 @@ opthelp:
|
||||
printf("%s\n", OpenSSL_version(OPENSSL_DIR));
|
||||
if (engdir)
|
||||
printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR));
|
||||
+ if (engines) {
|
||||
+ ENGINE *e;
|
||||
+ printf("engines: ");
|
||||
+ e = ENGINE_get_first();
|
||||
+ while (e) {
|
||||
+ printf("%s ", ENGINE_get_id(e));
|
||||
+ e = ENGINE_get_next(e);
|
||||
+ }
|
||||
+ printf("\n");
|
||||
+ }
|
||||
ret = 0;
|
||||
end:
|
||||
return (ret);
|
40
openssl-1.1.1-build.patch
Normal file
40
openssl-1.1.1-build.patch
Normal file
@ -0,0 +1,40 @@
|
||||
diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200
|
||||
@@ -680,7 +680,7 @@ uninstall_runtime:
|
||||
install_man_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@$(ECHO) "*** Installing manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
|
||||
|
||||
uninstall_man_docs:
|
||||
@@ -692,7 +692,7 @@ uninstall_man_docs:
|
||||
install_html_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@$(ECHO) "*** Installing HTML manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
--destdir=$(DESTDIR)$(HTMLDIR) --type=html
|
||||
|
||||
uninstall_html_docs:
|
||||
diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
|
||||
--- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200
|
||||
@@ -693,6 +693,7 @@ my %targets = (
|
||||
cxxflags => add("-m64"),
|
||||
lib_cppflags => add("-DL_ENDIAN"),
|
||||
perlasm_scheme => "linux64le",
|
||||
+ multilib => "64",
|
||||
},
|
||||
|
||||
"linux-armv4" => {
|
||||
@@ -733,6 +734,7 @@ my %targets = (
|
||||
"linux-aarch64" => {
|
||||
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
|
||||
perlasm_scheme => "linux64",
|
||||
+ multilib => "64",
|
||||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
89
openssl-1.1.1-disable-ssl3.patch
Normal file
89
openssl-1.1.1-disable-ssl3.patch
Normal file
@ -0,0 +1,89 @@
|
||||
diff -up openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_client.c
|
||||
--- openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200
|
||||
+++ openssl-1.1.1-pre8/apps/s_client.c 2018-07-16 18:16:40.070186323 +0200
|
||||
@@ -1681,6 +1681,9 @@ int s_client_main(int argc, char **argv)
|
||||
if (sdebug)
|
||||
ssl_ctx_security_debug(ctx, sdebug);
|
||||
|
||||
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
||||
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
if (!config_ctx(cctx, ssl_args, ctx))
|
||||
goto end;
|
||||
|
||||
diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_server.c
|
||||
--- openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200
|
||||
+++ openssl-1.1.1-pre8/apps/s_server.c 2018-07-16 18:17:17.300055551 +0200
|
||||
@@ -1760,6 +1760,9 @@ int s_server_main(int argc, char *argv[]
|
||||
if (sdebug)
|
||||
ssl_ctx_security_debug(ctx, sdebug);
|
||||
|
||||
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
||||
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
if (!config_ctx(cctx, ssl_args, ctx))
|
||||
goto end;
|
||||
|
||||
diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c
|
||||
--- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200
|
||||
@@ -3016,6 +3016,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
*/
|
||||
ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
|
||||
|
||||
+ /*
|
||||
+ * Disable SSLv3 by default. Applications can
|
||||
+ * re-enable it by configuring
|
||||
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+ * or by using the SSL_CONF API.
|
||||
+ */
|
||||
+ ret->options |= SSL_OP_NO_SSLv3;
|
||||
+
|
||||
ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
|
||||
|
||||
/*
|
||||
diff -up openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 openssl-1.1.1-pre8/test/ssl_test.c
|
||||
--- openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/test/ssl_test.c 2018-07-16 18:18:34.806865121 +0200
|
||||
@@ -443,6 +443,7 @@ static int test_handshake(int idx)
|
||||
SSL_TEST_SERVERNAME_CB_NONE) {
|
||||
if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
|
||||
goto err;
|
||||
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
|
||||
if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
|
||||
TLS_MAX_VERSION)))
|
||||
goto err;
|
||||
@@ -464,6 +465,8 @@ static int test_handshake(int idx)
|
||||
if (!TEST_ptr(resume_server_ctx)
|
||||
|| !TEST_ptr(resume_client_ctx))
|
||||
goto err;
|
||||
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -477,6 +480,9 @@ static int test_handshake(int idx)
|
||||
|| !TEST_int_gt(CONF_modules_load(conf, test_app, 0), 0))
|
||||
goto err;
|
||||
|
||||
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
if (!SSL_CTX_config(server_ctx, "server")
|
||||
|| !SSL_CTX_config(client_ctx, "client")) {
|
||||
goto err;
|
||||
diff -up openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 openssl-1.1.1-pre8/test/ssltest_old.c
|
||||
--- openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/test/ssltest_old.c 2018-07-16 18:08:20.002487676 +0200
|
||||
@@ -1358,6 +1358,11 @@ int main(int argc, char *argv[])
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
+
|
||||
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
/*
|
||||
* Since we will use low security ciphersuites and keys for testing set
|
||||
* security level to zero by default. Tests can override this by adding
|
94
openssl-1.1.1-ec-curves.patch
Normal file
94
openssl-1.1.1-ec-curves.patch
Normal file
@ -0,0 +1,94 @@
|
||||
diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
|
||||
--- openssl-1.1.1-pre8/apps/speed.c.curves 2018-07-17 08:48:56.106625020 +0200
|
||||
+++ openssl-1.1.1-pre8/apps/speed.c 2018-07-17 08:50:07.526521809 +0200
|
||||
@@ -511,56 +511,20 @@ static double rsa_results[RSA_NUM][2];
|
||||
#define R_EC_X448 23
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static OPT_PAIR ecdsa_choices[] = {
|
||||
- {"ecdsap160", R_EC_P160},
|
||||
- {"ecdsap192", R_EC_P192},
|
||||
{"ecdsap224", R_EC_P224},
|
||||
{"ecdsap256", R_EC_P256},
|
||||
{"ecdsap384", R_EC_P384},
|
||||
{"ecdsap521", R_EC_P521},
|
||||
- {"ecdsak163", R_EC_K163},
|
||||
- {"ecdsak233", R_EC_K233},
|
||||
- {"ecdsak283", R_EC_K283},
|
||||
- {"ecdsak409", R_EC_K409},
|
||||
- {"ecdsak571", R_EC_K571},
|
||||
- {"ecdsab163", R_EC_B163},
|
||||
- {"ecdsab233", R_EC_B233},
|
||||
- {"ecdsab283", R_EC_B283},
|
||||
- {"ecdsab409", R_EC_B409},
|
||||
- {"ecdsab571", R_EC_B571},
|
||||
- {"ecdsabrp256r1", R_EC_BRP256R1},
|
||||
- {"ecdsabrp256t1", R_EC_BRP256T1},
|
||||
- {"ecdsabrp384r1", R_EC_BRP384R1},
|
||||
- {"ecdsabrp384t1", R_EC_BRP384T1},
|
||||
- {"ecdsabrp512r1", R_EC_BRP512R1},
|
||||
- {"ecdsabrp512t1", R_EC_BRP512T1}
|
||||
};
|
||||
# define ECDSA_NUM OSSL_NELEM(ecdsa_choices)
|
||||
|
||||
static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */
|
||||
|
||||
static const OPT_PAIR ecdh_choices[] = {
|
||||
- {"ecdhp160", R_EC_P160},
|
||||
- {"ecdhp192", R_EC_P192},
|
||||
{"ecdhp224", R_EC_P224},
|
||||
{"ecdhp256", R_EC_P256},
|
||||
{"ecdhp384", R_EC_P384},
|
||||
{"ecdhp521", R_EC_P521},
|
||||
- {"ecdhk163", R_EC_K163},
|
||||
- {"ecdhk233", R_EC_K233},
|
||||
- {"ecdhk283", R_EC_K283},
|
||||
- {"ecdhk409", R_EC_K409},
|
||||
- {"ecdhk571", R_EC_K571},
|
||||
- {"ecdhb163", R_EC_B163},
|
||||
- {"ecdhb233", R_EC_B233},
|
||||
- {"ecdhb283", R_EC_B283},
|
||||
- {"ecdhb409", R_EC_B409},
|
||||
- {"ecdhb571", R_EC_B571},
|
||||
- {"ecdhbrp256r1", R_EC_BRP256R1},
|
||||
- {"ecdhbrp256t1", R_EC_BRP256T1},
|
||||
- {"ecdhbrp384r1", R_EC_BRP384R1},
|
||||
- {"ecdhbrp384t1", R_EC_BRP384T1},
|
||||
- {"ecdhbrp512r1", R_EC_BRP512R1},
|
||||
- {"ecdhbrp512t1", R_EC_BRP512T1},
|
||||
{"ecdhx25519", R_EC_X25519},
|
||||
{"ecdhx448", R_EC_X448}
|
||||
};
|
||||
diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves 2018-06-20 16:48:10.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c 2018-07-17 08:48:56.107625044 +0200
|
||||
@@ -141,6 +141,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (BN_num_bits(p) < 224) {
|
||||
+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (ctx == NULL) {
|
||||
ctx = new_ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
diff -up openssl-1.1.1-pre8/test/ecdsatest.c.curves openssl-1.1.1-pre8/test/ecdsatest.c
|
||||
--- openssl-1.1.1-pre8/test/ecdsatest.c.curves 2018-06-20 16:48:14.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/test/ecdsatest.c 2018-07-17 08:48:56.107625044 +0200
|
||||
@@ -173,6 +173,7 @@ static int x9_62_tests(void)
|
||||
if (!change_rand())
|
||||
goto x962_err;
|
||||
|
||||
+#if 0
|
||||
if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1,
|
||||
"3342403536405981729393488334694600415596881826869351677613",
|
||||
"5735822328888155254683894997897571951568553642892029982342")))
|
||||
@@ -183,6 +184,7 @@ static int x9_62_tests(void)
|
||||
"3238135532097973577080787768312505059318910517550078427819"
|
||||
"78505179448783")))
|
||||
goto x962_err;
|
||||
+#endif
|
||||
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1,
|
File diff suppressed because it is too large
Load Diff
37
openssl-1.1.1-man-rename.patch
Normal file
37
openssl-1.1.1-man-rename.patch
Normal file
@ -0,0 +1,37 @@
|
||||
diff -up openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre2/doc/man1/openssl.pod
|
||||
--- openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename 2018-02-27 14:40:43.000000000 +0100
|
||||
+++ openssl-1.1.1-pre2/doc/man1/openssl.pod 2018-03-06 15:32:44.737652939 +0100
|
||||
@@ -170,7 +170,7 @@ Create or examine a Netscape certificate
|
||||
|
||||
Online Certificate Status Protocol utility.
|
||||
|
||||
-=item L<B<passwd>|passwd(1)>
|
||||
+=item L<B<passwd>|sslpasswd(1)>
|
||||
|
||||
Generation of hashed passwords.
|
||||
|
||||
@@ -202,7 +202,7 @@ Public key algorithm cryptographic opera
|
||||
|
||||
Compute prime numbers.
|
||||
|
||||
-=item L<B<rand>|rand(1)>
|
||||
+=item L<B<rand>|sslrand(1)>
|
||||
|
||||
Generate pseudo-random bytes.
|
||||
|
||||
@@ -444,13 +444,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
|
||||
L<ec(1)>, L<ecparam(1)>,
|
||||
L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
|
||||
L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
|
||||
-L<passwd(1)>,
|
||||
L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
|
||||
L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
|
||||
-L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
|
||||
+L<rehash(1)>, L<req(1)>, L<rsa(1)>,
|
||||
L<rsautl(1)>, L<s_client(1)>,
|
||||
L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
|
||||
L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
|
||||
+L<sslpasswd(1)>, L<sslrand(1)>,
|
||||
L<ts(1)>,
|
||||
L<verify(1)>, L<version(1)>, L<x509(1)>,
|
||||
L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
|
173
openssl-1.1.1-secure-getenv.patch
Normal file
173
openssl-1.1.1-secure-getenv.patch
Normal file
@ -0,0 +1,173 @@
|
||||
diff -up openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_api.c
|
||||
--- openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/conf/conf_api.c 2018-07-16 18:01:11.708359766 +0200
|
||||
@@ -9,6 +9,8 @@
|
||||
|
||||
/* Part of the code in here was originally in conf.c, which is now removed */
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include "e_os.h"
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
|
||||
if (v != NULL)
|
||||
return v->value;
|
||||
if (strcmp(section, "ENV") == 0) {
|
||||
- p = getenv(name);
|
||||
+ p = secure_getenv(name);
|
||||
if (p != NULL)
|
||||
return p;
|
||||
}
|
||||
diff -up openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_mod.c
|
||||
--- openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/conf/conf_mod.c 2018-07-16 18:02:37.308383955 +0200
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include "internal/cryptlib.h"
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
@@ -481,7 +483,7 @@ char *CONF_get1_default_config_file(void
|
||||
int len;
|
||||
|
||||
if (!OPENSSL_issetugid()) {
|
||||
- file = getenv("OPENSSL_CONF");
|
||||
+ file = secure_getenv("OPENSSL_CONF");
|
||||
if (file)
|
||||
return OPENSSL_strdup(file);
|
||||
}
|
||||
diff -up openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv openssl-1.1.1-pre8/crypto/ct/ct_log.c
|
||||
--- openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/ct/ct_log.c 2018-07-16 18:01:11.708359766 +0200
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
@@ -137,7 +139,7 @@ static int ctlog_new_from_conf(CTLOG **c
|
||||
|
||||
int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
|
||||
{
|
||||
- const char *fpath = getenv(CTLOG_FILE_EVP);
|
||||
+ const char *fpath = secure_getenv(CTLOG_FILE_EVP);
|
||||
|
||||
if (fpath == NULL)
|
||||
fpath = CTLOG_FILE;
|
||||
diff -up openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv openssl-1.1.1-pre8/crypto/engine/eng_list.c
|
||||
--- openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/engine/eng_list.c 2018-07-16 18:03:03.190996004 +0200
|
||||
@@ -8,6 +8,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include "eng_int.h"
|
||||
|
||||
/*
|
||||
@@ -318,7 +320,7 @@ ENGINE *ENGINE_by_id(const char *id)
|
||||
*/
|
||||
if (strcmp(id, "dynamic")) {
|
||||
if (OPENSSL_issetugid()
|
||||
- || (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
|
||||
+ || (load_dir = secure_getenv("OPENSSL_ENGINES")) == NULL)
|
||||
load_dir = ENGINESDIR;
|
||||
iterator = ENGINE_by_id("dynamic");
|
||||
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
|
||||
diff -up openssl-1.1.1-pre8/crypto/mem.c.secure-getenv openssl-1.1.1-pre8/crypto/mem.c
|
||||
--- openssl-1.1.1-pre8/crypto/mem.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/mem.c 2018-07-16 18:01:11.709359790 +0200
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include "e_os.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/cryptlib_int.h"
|
||||
@@ -180,11 +182,11 @@ static int shouldfail(void)
|
||||
|
||||
void ossl_malloc_setup_failures(void)
|
||||
{
|
||||
- const char *cp = getenv("OPENSSL_MALLOC_FAILURES");
|
||||
+ const char *cp = secure_getenv("OPENSSL_MALLOC_FAILURES");
|
||||
|
||||
if (cp != NULL && (md_failstring = strdup(cp)) != NULL)
|
||||
parseit();
|
||||
- if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL)
|
||||
+ if ((cp = secure_getenv("OPENSSL_MALLOC_FD")) != NULL)
|
||||
md_tracefd = atoi(cp);
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv openssl-1.1.1-pre8/crypto/rand/randfile.c
|
||||
--- openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/rand/randfile.c 2018-07-16 18:01:11.709359790 +0200
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include "internal/cryptlib.h"
|
||||
|
||||
#include <errno.h>
|
||||
@@ -264,7 +266,7 @@ const char *RAND_file_name(char *buf, si
|
||||
#else
|
||||
if (OPENSSL_issetugid() != 0) {
|
||||
use_randfile = 0;
|
||||
- } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') {
|
||||
+ } else if ((s = secure_getenv("RANDFILE")) == NULL || *s == '\0') {
|
||||
use_randfile = 0;
|
||||
s = getenv("HOME");
|
||||
}
|
||||
diff -up openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_dir.c
|
||||
--- openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/x509/by_dir.c 2018-07-16 18:03:43.355945786 +0200
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include "e_os.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include <stdio.h>
|
||||
@@ -73,7 +75,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
|
||||
switch (cmd) {
|
||||
case X509_L_ADD_DIR:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
- const char *dir = getenv(X509_get_default_cert_dir_env());
|
||||
+ const char *dir = secure_getenv(X509_get_default_cert_dir_env());
|
||||
|
||||
if (dir)
|
||||
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||
diff -up openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_file.c
|
||||
--- openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/x509/by_file.c 2018-07-16 18:01:11.709359790 +0200
|
||||
@@ -7,6 +7,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
@@ -46,7 +48,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
|
||||
switch (cmd) {
|
||||
case X509_L_FILE_LOAD:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
- file = getenv(X509_get_default_cert_file_env());
|
||||
+ file = secure_getenv(X509_get_default_cert_file_env());
|
||||
if (file)
|
||||
ok = (X509_load_cert_crl_file(ctx, file,
|
||||
X509_FILETYPE_PEM) != 0);
|
@ -1,7 +1,7 @@
|
||||
diff -up openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0e/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist 2017-02-16 16:15:38.658931413 +0100
|
||||
+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl 2017-02-16 16:15:38.675931806 +0100
|
||||
@@ -161,6 +161,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-07-25 10:13:06.325232356 +0200
|
||||
+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-25 10:18:27.067863251 +0200
|
||||
@@ -176,6 +176,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
|
||||
@ -12,19 +12,18 @@ diff -up openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist open
|
||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||
# appended after the manpage file section number. "ssl" is popular,
|
||||
# resulting in files such as config.5ssl rather than config.5.
|
||||
@@ -171,7 +175,7 @@ HTMLSUFFIX=html
|
||||
|
||||
CROSS_COMPILE= {- $config{cross_compile_prefix} -}
|
||||
CC= $(CROSS_COMPILE){- $target{cc} -}
|
||||
-CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
|
||||
+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"\$(SYSTEM_CIPHERS_FILE_DEFINE)","-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
|
||||
CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
|
||||
LDFLAGS= {- $target{lflags} -}
|
||||
PLIB_LDFLAGS= {- $target{plib_lflags} -}
|
||||
diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
|
||||
--- openssl-1.1.0e/Configure.system-cipherlist 2017-02-16 12:58:20.000000000 +0100
|
||||
+++ openssl-1.1.0e/Configure 2017-02-16 16:15:38.679931899 +0100
|
||||
@@ -18,7 +18,7 @@ use if $^O ne "VMS", 'File::Glob' => qw/
|
||||
@@ -199,6 +203,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
|
||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||
@{$config{CPPFLAGS}}) -}
|
||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||
diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Configure
|
||||
--- openssl-1.1.1-pre8/Configure.system-cipherlist 2018-06-20 16:48:09.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/Configure 2018-07-25 10:13:06.346232856 +0200
|
||||
@@ -21,7 +21,7 @@ use OpenSSL::Glob;
|
||||
|
||||
# see INSTALL for instructions.
|
||||
|
||||
@ -33,7 +32,7 @@ diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
|
||||
|
||||
# Options:
|
||||
#
|
||||
@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
|
||||
@@ -38,6 +38,9 @@ my $usage="Usage: Configure [no-<cipher>
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
#
|
||||
@ -43,17 +42,17 @@ diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
|
||||
# --cross-compile-prefix Add specified prefix to binutils components.
|
||||
#
|
||||
# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
|
||||
@@ -293,6 +296,7 @@ $config{openssldir}="";
|
||||
@@ -291,6 +294,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
$config{cross_compile_prefix}="";
|
||||
+$config{system_ciphers_file}="";
|
||||
$config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/";
|
||||
my $nofipscanistercheck=0;
|
||||
$config{baseaddr}="0xFB00000";
|
||||
@@ -718,6 +722,10 @@ while (@argvcopy)
|
||||
{
|
||||
$config{baseaddr}="$1";
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -814,6 +818,10 @@ while (@argvcopy)
|
||||
push @seed_sources, $x;
|
||||
}
|
||||
}
|
||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||
+ {
|
||||
@ -61,20 +60,20 @@ diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
|
||||
+ }
|
||||
elsif (/^--cross-compile-prefix=(.*)$/)
|
||||
{
|
||||
$config{cross_compile_prefix}=$1;
|
||||
@@ -851,6 +859,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
|
||||
$target = "Cygwin".$1;
|
||||
$user{CROSS_COMPILE}=$1;
|
||||
@@ -1000,6 +1008,8 @@ if ($target eq "HASH") {
|
||||
exit 0;
|
||||
}
|
||||
|
||||
+chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
|
||||
+
|
||||
foreach (sort (keys %disabled))
|
||||
{
|
||||
$config{options} .= " no-$_";
|
||||
diff -up openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist openssl-1.1.0e/doc/apps/ciphers.pod
|
||||
--- openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist 2017-02-16 12:58:22.000000000 +0100
|
||||
+++ openssl-1.1.0e/doc/apps/ciphers.pod 2017-02-16 16:37:14.043219953 +0100
|
||||
@@ -181,6 +181,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||
print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
|
||||
print "for $target\n";
|
||||
|
||||
diff -up openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre8/doc/man1/ciphers.pod
|
||||
--- openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist 2018-06-20 16:48:12.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/doc/man1/ciphers.pod 2018-07-25 10:13:06.346232856 +0200
|
||||
@@ -200,6 +200,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
|
||||
@ -89,11 +88,11 @@ diff -up openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist openssl-1.1.0e/do
|
||||
+
|
||||
=item B<HIGH>
|
||||
|
||||
"high" encryption cipher suites. This currently means those with key lengths
|
||||
diff -up openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist openssl-1.1.0e/include/openssl/ssl.h
|
||||
--- openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
|
||||
+++ openssl-1.1.0e/include/openssl/ssl.h 2017-02-16 16:15:38.676931830 +0100
|
||||
@@ -201,6 +201,11 @@ extern "C" {
|
||||
"High" encryption cipher suites. This currently means those with key lengths
|
||||
diff -up openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre8/include/openssl/ssl.h
|
||||
--- openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/include/openssl/ssl.h 2018-07-25 10:13:06.346232856 +0200
|
||||
@@ -186,6 +186,11 @@ extern "C" {
|
||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||
*/
|
||||
@ -105,12 +104,21 @@ diff -up openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist openssl-1.1.0e/i
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
# define SSL_SENT_SHUTDOWN 1
|
||||
diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_ciph.c
|
||||
--- openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
|
||||
+++ openssl-1.1.0e/ssl/ssl_ciph.c 2017-02-16 16:15:38.691932177 +0100
|
||||
@@ -1289,6 +1289,50 @@ static int check_suiteb_cipher_list(cons
|
||||
diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_ciph.c
|
||||
--- openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/ssl_ciph.c 2018-07-25 10:36:36.475896866 +0200
|
||||
@@ -9,6 +9,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <openssl/objects.h>
|
||||
@@ -1400,6 +1402,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+static char *load_system_str(const char *suffix)
|
||||
@ -118,9 +126,12 @@ diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_
|
||||
+ FILE *fp;
|
||||
+ char buf[1024];
|
||||
+ char *new_rules;
|
||||
+ const char *ciphers_path;
|
||||
+ unsigned len, slen;
|
||||
+
|
||||
+ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
|
||||
+ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
||||
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
||||
+ fp = fopen(ciphers_path, "r");
|
||||
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
+ /* cannot open or file is empty */
|
||||
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
||||
@ -156,15 +167,10 @@ diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
|
||||
**cipher_list, STACK_OF(SSL_CIPHER)
|
||||
**cipher_list_by_id,
|
||||
@@ -1296,19 +1341,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
{
|
||||
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
|
||||
uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
|
||||
- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
|
||||
+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||
@@ -1413,15 +1462,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
const char *rule_p;
|
||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||
const SSL_CIPHER **ca_list = NULL;
|
||||
@ -184,134 +190,121 @@ diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_
|
||||
*/
|
||||
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
||||
- return NULL;
|
||||
+ goto end;
|
||||
+ goto err;
|
||||
#ifndef OPENSSL_NO_EC
|
||||
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
||||
- return NULL;
|
||||
+ goto end;
|
||||
+ goto err;
|
||||
#endif
|
||||
|
||||
/*
|
||||
@@ -1331,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1444,7 +1503,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||
if (co_list == NULL) {
|
||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
||||
- return (NULL); /* Failure */
|
||||
+ goto end;
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||
@@ -1401,8 +1456,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1510,8 +1569,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* in force within each class
|
||||
*/
|
||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto end;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1447,9 +1501,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1556,9 +1614,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
||||
- return (NULL); /* Failure */
|
||||
+ goto end;
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1475,8 +1528,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1584,8 +1641,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
if (!ok) { /* Rule processing failure */
|
||||
- OPENSSL_free(co_list);
|
||||
- return (NULL);
|
||||
+ goto end;
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1484,8 +1536,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1593,14 +1649,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* if we cannot get one.
|
||||
*/
|
||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
- return (NULL);
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1496,21 +1547,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
if (curr->active
|
||||
&& (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
|
||||
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
|
||||
- OPENSSL_free(co_list);
|
||||
sk_SSL_CIPHER_free(cipherstack);
|
||||
- return NULL;
|
||||
+ cipherstack = NULL;
|
||||
+ goto end;
|
||||
+ goto err;
|
||||
}
|
||||
#ifdef CIPHER_DEBUG
|
||||
fprintf(stderr, "<%s>\n", curr->cipher->name);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
- OPENSSL_free(co_list); /* Not needed any longer */
|
||||
|
||||
tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
|
||||
if (tmp_cipher_list == NULL) {
|
||||
sk_SSL_CIPHER_free(cipherstack);
|
||||
- return NULL;
|
||||
+ cipherstack = NULL;
|
||||
+ goto end;
|
||||
}
|
||||
sk_SSL_CIPHER_free(*cipher_list);
|
||||
*cipher_list = cipherstack;
|
||||
@@ -1520,6 +1571,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
|
||||
|
||||
sk_SSL_CIPHER_sort(*cipher_list_by_id);
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ OPENSSL_free(new_rules); /* Not needed anymore */
|
||||
+#endif
|
||||
+
|
||||
+ end:
|
||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||
if (!sk_SSL_CIPHER_push(cipherstack,
|
||||
sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
|
||||
+ OPENSSL_free(co_list);
|
||||
sk_SSL_CIPHER_free(cipherstack);
|
||||
return NULL;
|
||||
}
|
||||
@@ -1632,6 +1692,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
*cipher_list = cipherstack;
|
||||
|
||||
return cipherstack;
|
||||
+
|
||||
+err:
|
||||
+ OPENSSL_free(co_list);
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ OPENSSL_free(new_rules);
|
||||
+#endif
|
||||
return (cipherstack);
|
||||
+ return NULL;
|
||||
+
|
||||
}
|
||||
|
||||
diff -up openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0e/ssl/ssl_lib.c
|
||||
--- openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist 2017-02-16 16:15:38.673931760 +0100
|
||||
+++ openssl-1.1.0e/ssl/ssl_lib.c 2017-02-16 16:15:38.692932200 +0100
|
||||
@@ -509,7 +509,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||
|
||||
sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_lib.c
|
||||
--- openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist 2018-07-25 10:13:06.347232880 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-25 10:37:38.715394989 +0200
|
||||
@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||
ctx->tls13_ciphersuites,
|
||||
&(ctx->cipher_list),
|
||||
&(ctx->cipher_list_by_id),
|
||||
- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
return (0);
|
||||
@@ -2403,7 +2403,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
#endif
|
||||
return 0;
|
||||
@@ -2931,7 +2931,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
if (!ssl_create_cipher_list(ret->method,
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
- SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
diff -up openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist openssl-1.1.0e/test/cipherlist_test.c
|
||||
--- openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist 2017-02-16 12:58:24.000000000 +0100
|
||||
+++ openssl-1.1.0e/test/cipherlist_test.c 2017-02-16 16:15:38.677931853 +0100
|
||||
@@ -190,7 +190,9 @@ int main(int argc, char **argv)
|
||||
{
|
||||
int result = 0;
|
||||
diff -up openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre8/test/cipherlist_test.c
|
||||
--- openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist 2018-07-25 10:13:06.348232903 +0200
|
||||
+++ openssl-1.1.1-pre8/test/cipherlist_test.c 2018-07-25 10:39:08.887552814 +0200
|
||||
@@ -217,7 +217,9 @@ static int test_default_cipherlist_expli
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
+#ifndef SYSTEM_CIPHERS_FILE
|
||||
ADD_TEST(test_default_cipherlist_implicit);
|
||||
+#endif
|
||||
ADD_TEST(test_default_cipherlist_explicit);
|
||||
|
||||
result = run_tests(argv[0]);
|
||||
return 1;
|
||||
}
|
38
openssl-1.1.1-version-add-engines.patch
Normal file
38
openssl-1.1.1-version-add-engines.patch
Normal file
@ -0,0 +1,38 @@
|
||||
diff -up openssl-1.1.1-pre8/apps/version.c.version-add-engines openssl-1.1.1-pre8/apps/version.c
|
||||
--- openssl-1.1.1-pre8/apps/version.c.version-add-engines 2018-06-20 16:48:09.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/apps/version.c 2018-07-16 18:00:40.608624346 +0200
|
||||
@@ -64,7 +64,7 @@ int version_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1, dirty = 0, seed = 0;
|
||||
int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
|
||||
- int engdir = 0;
|
||||
+ int engdir = 0, engines = 0;
|
||||
char *prog;
|
||||
OPTION_CHOICE o;
|
||||
|
||||
@@ -106,7 +106,7 @@ opthelp:
|
||||
break;
|
||||
case OPT_A:
|
||||
seed = options = cflags = version = date = platform = dir = engdir
|
||||
- = 1;
|
||||
+ = engines = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -188,6 +188,16 @@ opthelp:
|
||||
#endif
|
||||
printf("\n");
|
||||
}
|
||||
+ if (engines) {
|
||||
+ ENGINE *e;
|
||||
+ printf("engines: ");
|
||||
+ e = ENGINE_get_first();
|
||||
+ while (e) {
|
||||
+ printf("%s ", ENGINE_get_id(e));
|
||||
+ e = ENGINE_get_next(e);
|
||||
+ }
|
||||
+ printf("\n");
|
||||
+ }
|
||||
ret = 0;
|
||||
end:
|
||||
return ret;
|
14
openssl-1.1.1-version-override.patch
Normal file
14
openssl-1.1.1-version-override.patch
Normal file
@ -0,0 +1,14 @@
|
||||
diff -up openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override openssl-1.1.1-pre8/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/include/openssl/opensslv.h 2018-07-25 11:03:29.297543392 +0200
|
||||
@@ -39,8 +39,8 @@ extern "C" {
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
-# define OPENSSL_VERSION_NUMBER 0x10101008L
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018"
|
||||
+# define OPENSSL_VERSION_NUMBER 0x1010100fL
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018"
|
||||
|
||||
/*-
|
||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
62
openssl.spec
62
openssl.spec
@ -19,15 +19,17 @@
|
||||
|
||||
%global _performance_build 1
|
||||
|
||||
%global prerelease pre8
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.0h
|
||||
Release: 6%{?dist}
|
||||
Version: 1.1.1
|
||||
Release: 0.%{prerelease}%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
|
||||
Source: openssl-%{version}-hobbled.tar.xz
|
||||
Source: openssl-%{version}-%{prerelease}-hobbled.tar.xz
|
||||
Source1: hobble-openssl
|
||||
Source2: Makefile.certificate
|
||||
Source6: make-dummy-cert
|
||||
@ -38,30 +40,25 @@ Source11: README.FIPS
|
||||
Source12: ec_curve.c
|
||||
Source13: ectest.c
|
||||
# Build changes
|
||||
Patch1: openssl-1.1.0-build.patch
|
||||
Patch1: openssl-1.1.1-build.patch
|
||||
Patch2: openssl-1.1.0-defaults.patch
|
||||
Patch3: openssl-1.1.0-no-html.patch
|
||||
Patch4: openssl-1.1.1-man-rename.patch
|
||||
# Bug fixes
|
||||
Patch21: openssl-1.1.0-issuer-hash.patch
|
||||
Patch22: openssl-1.1.0-algo-doc.patch
|
||||
Patch23: openssl-1.1.0-manfix.patch
|
||||
# Functionality changes
|
||||
Patch31: openssl-1.1.0-ca-dir.patch
|
||||
Patch32: openssl-1.1.0-version-add-engines.patch
|
||||
Patch32: openssl-1.1.1-version-add-engines.patch
|
||||
Patch33: openssl-1.1.0-apps-dgst.patch
|
||||
Patch35: openssl-1.1.0-chil-fixes.patch
|
||||
Patch36: openssl-1.1.0-secure-getenv.patch
|
||||
Patch37: openssl-1.1.0-ec-curves.patch
|
||||
Patch36: openssl-1.1.1-secure-getenv.patch
|
||||
Patch37: openssl-1.1.1-ec-curves.patch
|
||||
Patch38: openssl-1.1.0-no-weak-verify.patch
|
||||
Patch39: openssl-1.1.0-cc-reqs.patch
|
||||
Patch40: openssl-1.1.0-disable-ssl3.patch
|
||||
Patch41: openssl-1.1.0-system-cipherlist.patch
|
||||
Patch42: openssl-1.1.0-fips.patch
|
||||
Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
|
||||
Patch40: openssl-1.1.1-disable-ssl3.patch
|
||||
Patch41: openssl-1.1.1-system-cipherlist.patch
|
||||
Patch42: openssl-1.1.1-fips.patch
|
||||
Patch44: openssl-1.1.1-version-override.patch
|
||||
Patch45: openssl-1.1.0-weak-ciphers.patch
|
||||
Patch46: openssl-1.1.0-silent-rnd-write.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch70: openssl-1.1.0-missing-quotes.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -71,6 +68,7 @@ BuildRequires: coreutils, krb5-devel, perl-interpreter, sed, zlib-devel, /usr/bi
|
||||
BuildRequires: lksctp-tools-devel
|
||||
BuildRequires: /usr/bin/rename
|
||||
BuildRequires: /usr/bin/pod2man
|
||||
BuildRequires: /usr/sbin/sysctl
|
||||
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
|
||||
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
|
||||
BuildRequires: perl(Time::HiRes)
|
||||
@ -134,7 +132,7 @@ package provides Perl scripts for converting certificates and keys
|
||||
from other formats to the formats used by the OpenSSL toolkit.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%setup -q -n %{name}-%{version}-%{prerelease}
|
||||
|
||||
# The hobble_openssl is called here redundantly, just to be sure.
|
||||
# The tarball has already the sources removed.
|
||||
@ -146,27 +144,22 @@ cp %{SOURCE13} test/
|
||||
%patch1 -p1 -b .build %{?_rawbuild}
|
||||
%patch2 -p1 -b .defaults
|
||||
%patch3 -p1 -b .no-html %{?_rawbuild}
|
||||
%patch4 -p1 -b .man-rename
|
||||
|
||||
%patch21 -p1 -b .issuer-hash
|
||||
%patch22 -p1 -b .algo-doc
|
||||
%patch23 -p1 -b .manfix
|
||||
|
||||
%patch31 -p1 -b .ca-dir
|
||||
%patch32 -p1 -b .version-add-engines
|
||||
%patch33 -p1 -b .dgst
|
||||
%patch35 -p1 -b .chil
|
||||
%patch36 -p1 -b .secure-getenv
|
||||
%patch37 -p1 -b .curves
|
||||
%patch38 -p1 -b .no-weak-verify
|
||||
%patch39 -p1 -b .cc-reqs
|
||||
%patch40 -p1 -b .disable-ssl3
|
||||
%patch41 -p1 -b .system-cipherlist
|
||||
%patch42 -p1 -b .fips
|
||||
%patch44 -p1 -b .preserve-nl
|
||||
%patch44 -p1 -b .version-override
|
||||
%patch45 -p1 -b .weak-ciphers
|
||||
%patch46 -p1 -b .silent-rnd-write
|
||||
|
||||
%patch70 -p1 -b .missing-quotes
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
@ -246,7 +239,7 @@ export HASHBANGPERL=/usr/bin/perl
|
||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
|
||||
enable-weak-ssl-ciphers \
|
||||
no-mdc2 no-ec2m \
|
||||
no-mdc2 no-ec2m no-sm2 \
|
||||
shared ${sslarch} $RPM_OPT_FLAGS
|
||||
|
||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||
@ -265,6 +258,13 @@ done
|
||||
%check
|
||||
# Verify that what was compiled actually works.
|
||||
|
||||
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
|
||||
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
|
||||
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
|
||||
sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
|
||||
touch -r configdata.pm configdata.pm.new && \
|
||||
mv -f configdata.pm.new configdata.pm)
|
||||
|
||||
# We must revert patch31 before tests otherwise they will fail
|
||||
patch -p1 -R < %{PATCH31}
|
||||
|
||||
@ -276,6 +276,8 @@ crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}
|
||||
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
|
||||
OPENSSL_ENABLE_MD5_VERIFY=
|
||||
export OPENSSL_ENABLE_MD5_VERIFY
|
||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||
make test
|
||||
|
||||
# Add generation of HMAC checksum of the final stripped library
|
||||
@ -344,11 +346,13 @@ mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
|
||||
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
|
||||
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
|
||||
|
||||
# Ensure the openssl.cnf timestamp is identical across builds to avoid
|
||||
# Ensure the config file timestamps are identical across builds to avoid
|
||||
# mulitlib conflicts and unnecessary renames on upgrade
|
||||
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
|
||||
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
|
||||
|
||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
|
||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
|
||||
|
||||
# Determine which arch opensslconf.h is going to try to #include.
|
||||
basearch=%{_arch}
|
||||
@ -399,6 +403,7 @@ export LD_LIBRARY_PATH
|
||||
%dir %{_sysconfdir}/pki/tls/misc
|
||||
%dir %{_sysconfdir}/pki/tls/private
|
||||
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
|
||||
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
|
||||
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
|
||||
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
|
||||
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
||||
@ -435,6 +440,9 @@ export LD_LIBRARY_PATH
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Wed Jul 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.1
|
||||
- update to the latest 1.1.1 beta version
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0h-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (openssl-1.1.0h-hobbled.tar.xz) = cba4641956d6593f5cf5164bed12fb3acfaa9c24a69d5642cc0267d0918555450a12ddeac6e02b246afa64e7019f35baa0d9302d1f06e3be5555d8340319c5e4
|
||||
SHA512 (openssl-1.1.1-pre8-hobbled.tar.xz) = eca0c8843c69fc3dcd1a27d56107368548f5674a64decc62ff48196d30485f287550bb671ca8bc48aeef482a8419462638bf152850c741e4554219230f4c4582
|
||||
|
Loading…
Reference in New Issue
Block a user