diff --git a/openssl-1.0.1e-backports.patch b/openssl-1.0.1e-backports.patch index d6b7224..5abe884 100644 --- a/openssl-1.0.1e-backports.patch +++ b/openssl-1.0.1e-backports.patch @@ -1,33 +1,84 @@ -From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001 -From: Nick Alcock -Date: Fri, 15 Feb 2013 17:44:11 +0000 -Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man - 2.5.0+ - -podlators 2.5.0 has switched to dying on POD syntax errors. This means -that a bunch of long-standing erroneous POD in the openssl documentation -now leads to fatal errors from pod2man, halting installation. - -Unfortunately POD constraints mean that you have to sort numeric lists -in ascending order if they start with 1: you cannot do 1, 0, 2 even if -you want 1 to appear first. I've reshuffled such (alas, I wish there -were a better way but I don't know of one). -(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b) ---- - doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++ - doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++---- - doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++ - doc/ssl/SSL_accept.pod | 10 +++++----- - doc/ssl/SSL_connect.pod | 10 +++++----- - doc/ssl/SSL_do_handshake.pod | 10 +++++----- - doc/ssl/SSL_shutdown.pod | 10 +++++----- - 7 files changed, 30 insertions(+), 24 deletions(-) - -diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod -index a883f6c..60e8332 100644 ---- a/doc/crypto/X509_STORE_CTX_get_error.pod -+++ b/doc/crypto/X509_STORE_CTX_get_error.pod -@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled. +diff -up openssl-1.0.1e/crypto/pem/pem_info.c.backports openssl-1.0.1e/crypto/pem/pem_info.c +--- openssl-1.0.1e/crypto/pem/pem_info.c.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/pem/pem_info.c 2013-08-16 15:31:35.726003892 +0200 +@@ -167,6 +167,7 @@ start: + #ifndef OPENSSL_NO_RSA + if (strcmp(name,PEM_STRING_RSA) == 0) + { ++ d2i=(D2I_OF(void))d2i_RSAPrivateKey; + if (xi->x_pkey != NULL) + { + if (!sk_X509_INFO_push(ret,xi)) goto err; +diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports openssl-1.0.1e/crypto/rsa/rsa_pmeth.c +--- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports 2013-08-16 15:31:35.697003256 +0200 ++++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-08-16 15:33:37.770673918 +0200 +@@ -582,6 +582,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CT + pm = RSA_NO_PADDING; + else if (!strcmp(value, "oeap")) + pm = RSA_PKCS1_OAEP_PADDING; ++ else if (!strcmp(value, "oaep")) ++ pm = RSA_PKCS1_OAEP_PADDING; + else if (!strcmp(value, "x931")) + pm = RSA_X931_PADDING; + else if (!strcmp(value, "pss")) +diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.backports openssl-1.0.1e/crypto/x509/x509_vfy.c +--- openssl-1.0.1e/crypto/x509/x509_vfy.c.backports 2013-08-16 15:31:35.721003782 +0200 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:31:35.726003892 +0200 +@@ -696,6 +696,7 @@ static int check_cert(X509_STORE_CTX *ct + X509_CRL *crl = NULL, *dcrl = NULL; + X509 *x; + int ok, cnum; ++ unsigned int last_reasons; + cnum = ctx->error_depth; + x = sk_X509_value(ctx->chain, cnum); + ctx->current_cert = x; +@@ -704,6 +705,7 @@ static int check_cert(X509_STORE_CTX *ct + ctx->current_reasons = 0; + while (ctx->current_reasons != CRLDP_ALL_REASONS) + { ++ last_reasons = ctx->current_reasons; + /* Try to retrieve relevant CRL */ + if (ctx->get_crl) + ok = ctx->get_crl(ctx, &crl, x); +@@ -747,6 +749,15 @@ static int check_cert(X509_STORE_CTX *ct + X509_CRL_free(dcrl); + crl = NULL; + dcrl = NULL; ++ /* If reasons not updated we wont get anywhere by ++ * another iteration, so exit loop. ++ */ ++ if (last_reasons == ctx->current_reasons) ++ { ++ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ++ ok = ctx->verify_cb(0, ctx); ++ goto err; ++ } + } + err: + X509_CRL_free(crl); +diff -up openssl-1.0.1e/crypto/x509/x_all.c.backports openssl-1.0.1e/crypto/x509/x_all.c +--- openssl-1.0.1e/crypto/x509/x_all.c.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/x_all.c 2013-08-16 15:33:25.247399940 +0200 +@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, c + + int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) + { ++ x->cert_info->enc.modified = 1; + return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF), + x->cert_info->signature, + x->sig_alg, x->signature, x->cert_info, ctx); +@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY + + int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) + { ++ x->crl->enc.modified = 1; + return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO), + x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx); + } +diff -up openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod +--- openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod 2013-08-16 15:31:35.727003914 +0200 +@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl an application specific error. This will never be returned unless explicitly set by an application. @@ -36,55 +87,9 @@ index a883f6c..60e8332 100644 =head1 NOTES The above functions should be used instead of directly referencing the fields -diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod -index 632b556..5e66133 100644 ---- a/doc/ssl/SSL_CTX_set_client_CA_list.pod -+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod -@@ -66,16 +66,16 @@ values: - - =over 4 - --=item 1 -- --The operation succeeded. -- - =item 0 - - A failure while manipulating the STACK_OF(X509_NAME) object occurred or - the X509_NAME could not be extracted from B. Check the error stack - to find out the reason. - -+=item 1 -+ -+The operation succeeded. -+ - =back - - =head1 EXAMPLES -diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -index b80e25b..7e60df5 100644 ---- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return - - Return values from the server callback are interpreted as follows: - -+=over 4 -+ - =item > 0 - - PSK identity was found and the server callback has provided the PSK -@@ -99,4 +101,6 @@ completely. - PSK identity was not found. An "unknown_psk_identity" alert message - will be sent and the connection setup fails. - -+=back -+ - =cut -diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod -index cc724c0..b1c34d1 100644 ---- a/doc/ssl/SSL_accept.pod -+++ b/doc/ssl/SSL_accept.pod +diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports openssl-1.0.1e/doc/ssl/SSL_accept.pod +--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-08-16 15:31:35.727003914 +0200 @@ -44,17 +44,17 @@ The following return values can occur: =over 4 @@ -108,10 +113,9 @@ index cc724c0..b1c34d1 100644 =item E0 The TLS/SSL handshake was not successful because a fatal error occurred either -diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod -index cc56ebb..946ca89 100644 ---- a/doc/ssl/SSL_connect.pod -+++ b/doc/ssl/SSL_connect.pod +diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports openssl-1.0.1e/doc/ssl/SSL_connect.pod +--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-08-16 15:31:35.727003914 +0200 @@ -41,17 +41,17 @@ The following return values can occur: =over 4 @@ -135,10 +139,52 @@ index cc56ebb..946ca89 100644 =item E0 The TLS/SSL handshake was not successful, because a fatal error occurred either -diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod -index 2435764..7f8cf24 100644 ---- a/doc/ssl/SSL_do_handshake.pod -+++ b/doc/ssl/SSL_do_handshake.pod +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod +--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-08-16 15:31:35.727003914 +0200 +@@ -66,16 +66,16 @@ values: + + =over 4 + +-=item 1 +- +-The operation succeeded. +- + =item 0 + + A failure while manipulating the STACK_OF(X509_NAME) object occurred or + the X509_NAME could not be extracted from B. Check the error stack + to find out the reason. + ++=item 1 ++ ++The operation succeeded. ++ + =back + + =head1 EXAMPLES +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod +--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-08-16 15:31:35.727003914 +0200 +@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_ + + Return values from the server callback are interpreted as follows: + ++=over 4 ++ + =item > 0 + + PSK identity was found and the server callback has provided the PSK +@@ -99,4 +101,6 @@ completely. + PSK identity was not found. An "unknown_psk_identity" alert message + will be sent and the connection setup fails. + ++=back ++ + =cut +diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod +--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-08-16 15:31:35.727003914 +0200 @@ -45,17 +45,17 @@ The following return values can occur: =over 4 @@ -162,10 +208,9 @@ index 2435764..7f8cf24 100644 =item E0 The TLS/SSL handshake was not successful because a fatal error occurred either -diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod -index 89911ac..42a89b7 100644 ---- a/doc/ssl/SSL_shutdown.pod -+++ b/doc/ssl/SSL_shutdown.pod +diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports openssl-1.0.1e/doc/ssl/SSL_shutdown.pod +--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-08-16 15:31:35.728003935 +0200 @@ -92,11 +92,6 @@ The following return values can occur: =over 4 @@ -178,7 +223,7 @@ index 89911ac..42a89b7 100644 =item 0 The shutdown is not yet finished. Call SSL_shutdown() for a second time, -@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed. +@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be per The output of L may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. @@ -190,26 +235,84 @@ index 89911ac..42a89b7 100644 =item -1 The shutdown was not successful because a fatal error occurred either --- -1.7.9.5 - -From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" -Date: Mon, 11 Feb 2013 18:24:03 +0000 -Subject: [PATCH] Fix for SSL_get_certificate - -Now we set the current certificate to the one used by a server -there is no need to call ssl_get_server_send_cert which will -fail if we haven't sent a certificate yet. ---- - ssl/ssl_lib.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 14d143d..ff5a85a 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s) +diff -up openssl-1.0.1e/ssl/d1_lib.c.backports openssl-1.0.1e/ssl/d1_lib.c +--- openssl-1.0.1e/ssl/d1_lib.c.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/d1_lib.c 2013-08-16 15:33:33.306576363 +0200 +@@ -196,6 +196,7 @@ void dtls1_free(SSL *s) + pqueue_free(s->d1->buffered_app_data.q); + + OPENSSL_free(s->d1); ++ s->d1 = NULL; + } + + void dtls1_clear(SSL *s) +diff -up openssl-1.0.1e/ssl/d1_pkt.c.backports openssl-1.0.1e/ssl/d1_pkt.c +--- openssl-1.0.1e/ssl/d1_pkt.c.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/d1_pkt.c 2013-08-16 15:31:35.728003935 +0200 +@@ -847,6 +847,12 @@ start: + } + } + ++ if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) ++ { ++ rr->length = 0; ++ goto start; ++ } ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1051,6 +1057,7 @@ start: + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + !s->s3->renegotiate) + { ++ s->d1->handshake_read_seq++; + s->new_session = 1; + ssl3_renegotiate(s); + if (ssl3_renegotiate_check(s)) +diff -up openssl-1.0.1e/ssl/d1_srvr.c.backports openssl-1.0.1e/ssl/d1_srvr.c +--- openssl-1.0.1e/ssl/d1_srvr.c.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/d1_srvr.c 2013-08-16 15:31:35.728003935 +0200 +@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s) + case SSL3_ST_SW_HELLO_REQ_B: + + s->shutdown=0; ++ dtls1_clear_record_buffer(s); + dtls1_start_timer(s); + ret=dtls1_send_hello_request(s); + if (ret <= 0) goto end; +- s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; ++ s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A; + s->state=SSL3_ST_SW_FLUSH; + s->init_num=0; + +diff -up openssl-1.0.1e/ssl/s3_cbc.c.backports openssl-1.0.1e/ssl/s3_cbc.c +--- openssl-1.0.1e/ssl/s3_cbc.c.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/s3_cbc.c 2013-08-16 15:31:35.729003956 +0200 +@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s + unsigned padding_length, good, to_check, i; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ +- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) + { + /* These lengths are all public so we can test them in + * non-constant time. +diff -up openssl-1.0.1e/ssl/ssl_lib.c.backports openssl-1.0.1e/ssl/ssl_lib.c +--- openssl-1.0.1e/ssl/ssl_lib.c.backports 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/ssl_lib.c 2013-08-16 15:31:35.729003956 +0200 +@@ -1797,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); + + ret->extra_certs=NULL; +- ret->comp_methods=SSL_COMP_get_compression_methods(); ++ /* No compression for DTLS */ ++ if (meth->version != DTLS1_VERSION) ++ ret->comp_methods=SSL_COMP_get_compression_methods(); + + ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; + +@@ -2792,9 +2794,7 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { @@ -220,37 +323,3 @@ index 14d143d..ff5a85a 100644 return(s->cert->key->x509); else return(NULL); --- -1.7.9.5 - -From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Tue, 12 Feb 2013 14:55:32 +0000 -Subject: [PATCH] Check DTLS_BAD_VER for version number. - -The version check for DTLS1_VERSION was redundant as -DTLS1_VERSION > TLS1_1_VERSION, however we do need to -check for DTLS1_BAD_VER for compatibility. - -PR:2984 -(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc) ---- - ssl/s3_cbc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c -index 02edf3f..443a31e 100644 ---- a/ssl/s3_cbc.c -+++ b/ssl/s3_cbc.c -@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; - /* Check if version requires explicit IV */ -- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) -+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) - { - /* These lengths are all public so we can test them in - * non-constant time. --- -1.7.9.5 - diff --git a/openssl-1.0.1e-fips.patch b/openssl-1.0.1e-fips.patch index 0175754..95f2147 100644 --- a/openssl-1.0.1e-fips.patch +++ b/openssl-1.0.1e-fips.patch @@ -19333,8 +19333,8 @@ diff -up openssl-1.0.1e/crypto/o_fips.c.fips openssl-1.0.1e/crypto/o_fips.c if (r) diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c --- openssl-1.0.1e/crypto/o_init.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 12:47:33.744118975 +0100 -@@ -55,28 +55,63 @@ ++++ openssl-1.0.1e/crypto/o_init.c 2013-08-15 16:14:43.069221580 +0200 +@@ -55,28 +55,68 @@ #include #include #ifdef OPENSSL_FIPS @@ -19392,6 +19392,11 @@ diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c - FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); RAND_init_fips(); + init_fips_mode(); ++ if (!FIPS_mode()) ++ { ++ /* Clean up prematurely set default rand method */ ++ RAND_set_rand_method(NULL); ++ } #endif #if 0 fprintf(stderr, "Called OPENSSL_init\n"); diff --git a/openssl-1.0.1e-manfix.patch b/openssl-1.0.1e-manfix.patch index 0c0e64d..05b0df7 100644 --- a/openssl-1.0.1e-manfix.patch +++ b/openssl-1.0.1e-manfix.patch @@ -1,6 +1,6 @@ diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod --- openssl-1.0.1e/doc/apps/cms.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/cms.pod 2013-07-25 15:04:07.149565258 +0200 ++++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 16:02:17.542089270 +0200 @@ -450,28 +450,28 @@ remains DER. =over 4 @@ -38,7 +38,7 @@ diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod the signers certificates. diff -up openssl-1.0.1e/doc/apps/ec.pod.manfix openssl-1.0.1e/doc/apps/ec.pod --- openssl-1.0.1e/doc/apps/ec.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/ec.pod 2013-07-25 15:12:40.782194199 +0200 ++++ openssl-1.0.1e/doc/apps/ec.pod 2013-08-16 16:02:17.542089270 +0200 @@ -93,10 +93,6 @@ prints out the public, private key compo this option prevents output of the encoded version of the key. @@ -52,7 +52,7 @@ diff -up openssl-1.0.1e/doc/apps/ec.pod.manfix openssl-1.0.1e/doc/apps/ec.pod by default a private key is read from the input file: with this option a diff -up openssl-1.0.1e/doc/apps/openssl.pod.manfix openssl-1.0.1e/doc/apps/openssl.pod --- openssl-1.0.1e/doc/apps/openssl.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/openssl.pod 2013-07-25 15:04:07.149565258 +0200 ++++ openssl-1.0.1e/doc/apps/openssl.pod 2013-08-16 16:02:17.542089270 +0200 @@ -163,7 +163,7 @@ Create or examine a netscape certificate Online Certificate Status Protocol utility. @@ -84,8 +84,8 @@ diff -up openssl-1.0.1e/doc/apps/openssl.pod.manfix openssl-1.0.1e/doc/apps/open L, L, L, L, diff -up openssl-1.0.1e/doc/apps/s_client.pod.manfix openssl-1.0.1e/doc/apps/s_client.pod ---- openssl-1.0.1e/doc/apps/s_client.pod.manfix 2013-07-25 15:04:07.000000000 +0200 -+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-07-25 15:08:37.912168333 +0200 +--- openssl-1.0.1e/doc/apps/s_client.pod.manfix 2013-08-16 16:02:17.434086891 +0200 ++++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 16:02:17.543089292 +0200 @@ -32,9 +32,14 @@ B B [B<-ssl2>] [B<-ssl3>] @@ -112,7 +112,7 @@ diff -up openssl-1.0.1e/doc/apps/s_client.pod.manfix openssl-1.0.1e/doc/apps/s_c the initial handshake uses a method which should be compatible with all diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.pod --- openssl-1.0.1e/doc/apps/smime.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/smime.pod 2013-07-25 15:04:07.149565258 +0200 ++++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 16:02:17.543089292 +0200 @@ -308,28 +308,28 @@ remains DER. =over 4 @@ -150,8 +150,8 @@ diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime. the signers certificates. diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_server.pod --- openssl-1.0.1e/doc/apps/s_server.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-07-25 15:10:57.653060081 +0200 -@@ -40,9 +40,14 @@ B B ++++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 16:03:56.711273036 +0200 +@@ -40,10 +40,16 @@ B B [B<-ssl2>] [B<-ssl3>] [B<-tls1>] @@ -164,9 +164,22 @@ diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_s +[B<-no_tls1_1>] +[B<-no_tls1_2>] [B<-no_dhe>] ++[B<-no_ecdhe>] [B<-bugs>] [B<-hack>] -@@ -201,7 +206,7 @@ Use the PSK key B when using a PSK + [B<-www>] +@@ -131,6 +137,10 @@ a static set of parameters hard coded in + if this option is set then no DH parameters will be loaded effectively + disabling the ephemeral DH cipher suites. + ++=item B<-no_ecdhe> ++ ++if this option is set then ephemeral ECDH cipher suites will be disabled. ++ + =item B<-no_tmp_rsa> + + certain export cipher suites sometimes use a temporary RSA key, this option +@@ -201,7 +211,7 @@ Use the PSK key B when using a PSK given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. @@ -176,8 +189,8 @@ diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_s these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL_accept.pod ---- openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix 2013-07-25 15:04:07.146565198 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-07-25 15:04:07.149565258 +0200 +--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix 2013-08-16 16:02:17.534089094 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-08-16 16:02:17.544089314 +0200 @@ -44,13 +44,13 @@ The following return values can occur: =over 4 @@ -196,7 +209,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL established. diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_clear.pod --- openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-07-25 15:04:07.150565279 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-08-16 16:02:17.544089314 +0200 @@ -56,12 +56,12 @@ The following return values can occur: =over 4 @@ -213,8 +226,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_ The SSL_clear() operation was successful. diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod ---- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix 2013-07-25 15:04:07.115564555 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-07-25 15:04:07.150565279 +0200 +--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix 2013-08-16 16:02:17.486088037 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-08-16 16:02:17.544089314 +0200 @@ -60,11 +60,11 @@ SSL_COMP_add_compression_method() may re =over 4 @@ -230,8 +243,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix opens The operation failed. Check the error queue to find out the reason. diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SSL_connect.pod ---- openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix 2013-07-25 15:04:07.146565198 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-07-25 15:04:07.150565279 +0200 +--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix 2013-08-16 16:02:17.535089116 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-08-16 16:02:17.545089336 +0200 @@ -41,13 +41,13 @@ The following return values can occur: =over 4 @@ -250,7 +263,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SS established. diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod --- openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-07-25 15:04:07.150565279 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-08-16 16:02:17.545089336 +0200 @@ -52,13 +52,13 @@ The following values are returned by all =over 4 @@ -269,7 +282,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/do diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod --- openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-07-25 15:04:07.150565279 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-08-16 16:02:17.545089336 +0200 @@ -100,13 +100,13 @@ The following return values can occur: =over 4 @@ -287,8 +300,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl The operation succeeded. diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix 2013-07-25 15:04:07.146565198 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-07-25 15:04:07.150565279 +0200 +--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix 2013-08-16 16:02:17.535089116 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-08-16 16:02:17.545089336 +0200 @@ -66,13 +66,13 @@ values: =over 4 @@ -307,7 +320,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1. diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod --- openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-07-25 15:04:07.150565279 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-08-16 16:02:17.546089358 +0200 @@ -64,13 +64,13 @@ return the following values: =over 4 @@ -326,7 +339,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openss diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod --- openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-07-25 15:04:07.151565300 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-08-16 16:02:17.546089358 +0200 @@ -42,11 +42,11 @@ and SSL_set_ssl_method(): =over 4 @@ -342,8 +355,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1 The operation succeeded. diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix 2013-07-25 15:04:07.146565198 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-07-25 15:04:07.151565300 +0200 +--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix 2013-08-16 16:02:17.535089116 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-08-16 16:02:17.546089358 +0200 @@ -96,7 +96,7 @@ data to B and return the length of connection will fail with decryption_error before it will be finished completely. @@ -354,8 +367,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl PSK identity was not found. An "unknown_psk_identity" alert message will be sent and the connection setup fails. diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod ---- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix 2013-07-25 15:04:07.147565218 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-07-25 15:04:07.151565300 +0200 +--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix 2013-08-16 16:02:17.536089138 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-08-16 16:02:17.546089358 +0200 @@ -45,13 +45,13 @@ The following return values can occur: =over 4 @@ -374,7 +387,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/s established. diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_read.pod --- openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-07-25 15:04:07.151565300 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-08-16 16:02:17.547089380 +0200 @@ -86,7 +86,7 @@ The following return values can occur: The read operation was successful; the return value is the number of bytes actually read from the TLS/SSL connection. @@ -386,7 +399,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_r shutdown due to a "close notify" alert sent by the peer (in which case diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc/ssl/SSL_session_reused.pod --- openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-07-25 15:04:07.151565300 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-08-16 16:02:17.547089380 +0200 @@ -27,11 +27,11 @@ The following return values can occur: =over 4 @@ -403,7 +416,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_fd.pod --- openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-07-25 15:04:07.151565300 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-08-16 16:02:17.547089380 +0200 @@ -35,11 +35,11 @@ The following return values can occur: =over 4 @@ -420,7 +433,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_session.pod --- openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-07-25 15:04:07.151565300 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-08-16 16:02:17.547089380 +0200 @@ -37,11 +37,11 @@ The following return values can occur: =over 4 @@ -436,8 +449,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ss The operation succeeded. diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/SSL_shutdown.pod ---- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix 2013-07-25 15:04:07.147565218 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-07-25 15:04:07.151565300 +0200 +--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix 2013-08-16 16:02:17.536089138 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-08-16 16:02:17.548089402 +0200 @@ -92,14 +92,14 @@ The following return values can occur: =over 4 @@ -457,7 +470,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/S and the peer's "close notify" alert was received. diff -up openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix openssl-1.0.1e/doc/ssl/SSL_write.pod --- openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-07-25 15:04:07.152565321 +0200 ++++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-08-16 16:02:17.548089402 +0200 @@ -79,7 +79,7 @@ The following return values can occur: The write operation was successful, the return value is the number of bytes actually written to the TLS/SSL connection. diff --git a/openssl-1.0.1e-trusted-first.patch b/openssl-1.0.1e-trusted-first.patch index 9cf2457..08ab639 100644 --- a/openssl-1.0.1e-trusted-first.patch +++ b/openssl-1.0.1e-trusted-first.patch @@ -1,6 +1,6 @@ diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c --- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/apps/apps.c 2013-07-10 10:42:42.242706279 +0200 ++++ openssl-1.0.1e/apps/apps.c 2013-08-16 15:42:39.920534769 +0200 @@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) @@ -10,11 +10,100 @@ diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c else return 0; -diff -up openssl-1.0.1e/CHANGES.trusted-first openssl-1.0.1e/CHANGES +diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c +--- openssl-1.0.1e/apps/cms.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/cms.c 2013-08-16 15:43:56.671213879 +0200 +@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv) + BIO_printf (bio_err, "-text include or delete text MIME headers\n"); + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); ++ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); + BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); + #ifndef OPENSSL_NO_ENGINE +diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c +--- openssl-1.0.1e/apps/ocsp.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/ocsp.c 2013-08-16 15:49:47.477572414 +0200 +@@ -595,6 +595,7 @@ int MAIN(int argc, char **argv) + BIO_printf (bio_err, "-path path to use in OCSP request\n"); + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); ++ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf (bio_err, "-VAfile file validator certificates file\n"); + BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); + BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); +diff -up openssl-1.0.1e/apps/s_client.c.trusted-first openssl-1.0.1e/apps/s_client.c +--- openssl-1.0.1e/apps/s_client.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/apps/s_client.c 2013-08-16 15:49:00.727542994 +0200 +@@ -298,6 +298,7 @@ static void sc_usage(void) + BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); + BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); + BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); ++ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n"); + BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); + BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); + BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); +diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c +--- openssl-1.0.1e/apps/smime.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/smime.c 2013-08-16 15:46:44.024875150 +0200 +@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv) + BIO_printf (bio_err, "-text include or delete text MIME headers\n"); + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); ++ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); + BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); + #ifndef OPENSSL_NO_ENGINE +diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_server.c +--- openssl-1.0.1e/apps/s_server.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/apps/s_server.c 2013-08-16 15:48:19.469634430 +0200 +@@ -501,6 +501,7 @@ static void sv_usage(void) + BIO_printf(bio_err," -state - Print the SSL states\n"); + BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); + BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); ++ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n"); + BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); + BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); + BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); +diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c +--- openssl-1.0.1e/apps/s_time.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/apps/s_time.c 2013-08-16 15:47:35.862674188 +0200 +@@ -179,6 +179,7 @@ static void s_time_usage(void) + file if not specified by this option\n\ + -CApath arg - PEM format directory of CA's\n\ + -CAfile arg - PEM format file of CA's\n\ ++-trusted_first - Use trusted CA's first when building the trust chain\n\ + -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; + + printf( "usage: s_time \n\n" ); +diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c +--- openssl-1.0.1e/apps/ts.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/apps/ts.c 2013-08-16 15:45:27.766206812 +0200 +@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv) + "ts -verify [-data file_to_hash] [-digest digest_bytes] " + "[-queryfile request.tsq] " + "-in response.tsr [-token_in] " +- "-CApath ca_path -CAfile ca_file.pem " ++ "-CApath ca_path -CAfile ca_file.pem -trusted_first" + "-untrusted cert_file.pem\n"); + cleanup: + /* Clean up. */ +diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c +--- openssl-1.0.1e/apps/verify.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/verify.c 2013-08-16 15:46:09.720124654 +0200 +@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv) + + end: + if (ret == 1) { +- BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); ++ BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); + BIO_printf(bio_err," [-attime timestamp]"); + #ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err," [-engine e]"); diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c ---- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-05-31 13:40:52.000000000 +0200 -+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-07-10 10:45:49.473638295 +0200 -@@ -205,6 +205,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx +--- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-08-16 15:42:39.864533545 +0200 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:42:39.921534791 +0200 +@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx /* If we are self signed, we break */ if (ctx->check_issued(ctx, x,x)) break; @@ -37,8 +126,8 @@ diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/cryp /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h ---- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-05-31 13:40:51.890277515 +0200 -+++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-07-10 10:42:42.247706379 +0200 +--- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-08-16 15:42:39.356522432 +0200 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-08-16 15:42:39.922534813 +0200 @@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE #define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ @@ -48,3 +137,194 @@ diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/cryp #define X509_VP_FLAG_DEFAULT 0x1 +diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/cms.pod +--- openssl-1.0.1e/doc/apps/cms.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 15:50:48.723921117 +0200 +@@ -35,6 +35,7 @@ B B + [B<-print>] + [B<-CAfile file>] + [B<-CApath dir>] ++[B<-trusted_first>] + [B<-md digest>] + [B<-[cipher]>] + [B<-nointern>] +@@ -238,6 +239,12 @@ B<-verify>. This directory must be a sta + is a hash of each subject name (using B) should be linked + to each certificate. + ++=item B<-trusted_first> ++ ++Use certificates in CA file or CA directory before untrusted certificates ++from the message when building the trust chain to verify certificates. ++This is mainly useful in environments with Bridge CA or Cross-Certified CAs. ++ + =item B<-md digest> + + digest algorithm to use when signing or resigning. If not present then the +diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ocsp.pod +--- openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/doc/apps/ocsp.pod 2013-08-16 15:52:20.106933403 +0200 +@@ -29,6 +29,7 @@ B B + [B<-path>] + [B<-CApath dir>] + [B<-CAfile file>] ++[B<-trusted_first>] + [B<-VAfile file>] + [B<-validity_period n>] + [B<-status_age n>] +@@ -138,6 +139,13 @@ or "/" by default. + file or pathname containing trusted CA certificates. These are used to verify + the signature on the OCSP response. + ++=item B<-trusted_first> ++ ++Use certificates in CA file or CA directory over certificates provided ++in the response or residing in other certificates file when building the trust ++chain to verify responder certificate. ++This is mainly useful in environments with Bridge CA or Cross-Certified CAs. ++ + =item B<-verify_other file> + + file containing additional certificates to search when attempting to locate +diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/apps/s_client.pod +--- openssl-1.0.1e/doc/apps/s_client.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 15:53:17.364194159 +0200 +@@ -17,6 +17,7 @@ B B + [B<-pass arg>] + [B<-CApath directory>] + [B<-CAfile filename>] ++[B<-trusted_first>] + [B<-reconnect>] + [B<-pause>] + [B<-showcerts>] +@@ -107,7 +108,7 @@ also used when building the client certi + A file containing trusted certificates to use during server authentication + and to use when attempting to build the client certificate chain. + +-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> ++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> + + Set various certificate chain valiadition option. See the + L|verify(1)> manual page for details. +diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps/smime.pod +--- openssl-1.0.1e/doc/apps/smime.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 15:56:12.497050767 +0200 +@@ -15,6 +15,9 @@ B B + [B<-pk7out>] + [B<-[cipher]>] + [B<-in file>] ++[B<-CAfile file>] ++[B<-CApath dir>] ++[B<-trusted_first>] + [B<-certfile file>] + [B<-signer file>] + [B<-recip file>] +@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta + is a hash of each subject name (using B) should be linked + to each certificate. + ++=item B<-trusted_first> ++ ++Use certificates in CA file or CA directory over certificates provided ++in the message when building the trust chain to verify a certificate. ++This is mainly useful in environments with Bridge CA or Cross-Certified CAs. ++ + =item B<-md digest> + + digest algorithm to use when signing or resigning. If not present then the +diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/apps/s_server.pod +--- openssl-1.0.1e/doc/apps/s_server.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 ++++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 15:54:33.609873214 +0200 +@@ -33,6 +33,7 @@ B B + [B<-state>] + [B<-CApath directory>] + [B<-CAfile filename>] ++[B<-trusted_first>] + [B<-nocert>] + [B<-cipher cipherlist>] + [B<-quiet>] +@@ -168,6 +169,12 @@ and to use when attempting to build the + is also used in the list of acceptable client CAs passed to the client when + a certificate is requested. + ++=item B<-trusted_first> ++ ++Use certificates in CA file or CA directory before other certificates ++when building the trust chain to verify client certificates. ++This is mainly useful in environments with Bridge CA or Cross-Certified CAs. ++ + =item B<-state> + + prints out the SSL session states. +diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/apps/s_time.pod +--- openssl-1.0.1e/doc/apps/s_time.pod.trusted-first 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/apps/s_time.pod 2013-08-16 15:55:12.651732938 +0200 +@@ -14,6 +14,7 @@ B B + [B<-key filename>] + [B<-CApath directory>] + [B<-CAfile filename>] ++[B<-trusted_first>] + [B<-reuse>] + [B<-new>] + [B<-verify depth>] +@@ -76,6 +77,12 @@ also used when building the client certi + A file containing trusted certificates to use during server authentication + and to use when attempting to build the client certificate chain. + ++=item B<-trusted_first> ++ ++Use certificates in CA file or CA directory over the certificates provided ++by the server when building the trust chain to verify server certificate. ++This is mainly useful in environments with Bridge CA or Cross-Certified CAs. ++ + =item B<-new> + + performs the timing test using a new session ID for each connection. +diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts.pod +--- openssl-1.0.1e/doc/apps/ts.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/doc/apps/ts.pod 2013-08-16 15:57:17.399479957 +0200 +@@ -46,6 +46,7 @@ B<-verify> + [B<-token_in>] + [B<-CApath> trusted_cert_path] + [B<-CAfile> trusted_certs.pem] ++[B<-trusted_first>] + [B<-untrusted> cert_file.pem] + + =head1 DESCRIPTION +@@ -324,6 +325,12 @@ L for additional de + or B<-CApath> must be specified. + (Optional) + ++=item B<-trusted_first> ++ ++Use certificates in CA file or CA directory before other certificates ++when building the trust chain to verify certificates. ++This is mainly useful in environments with Bridge CA or Cross-Certified CAs. ++ + =item B<-untrusted> cert_file.pem + + Set of additional untrusted certificates in PEM format which may be +diff -up openssl-1.0.1e/doc/apps/verify.pod.trusted-first openssl-1.0.1e/doc/apps/verify.pod +--- openssl-1.0.1e/doc/apps/verify.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/doc/apps/verify.pod 2013-08-16 15:58:00.267423925 +0200 +@@ -9,6 +9,7 @@ verify - Utility to verify certificates. + B B + [B<-CApath directory>] + [B<-CAfile file>] ++[B<-trusted_first>] + [B<-purpose purpose>] + [B<-policy arg>] + [B<-ignore_critical>] +@@ -56,6 +57,12 @@ in PEM format concatenated together. + A file of untrusted certificates. The file should contain multiple certificates + in PEM format concatenated together. + ++=item B<-trusted_first> ++ ++Use certificates in CA file or CA directory before the certificates in the untrusted ++file when building the trust chain to verify certificates. ++This is mainly useful in environments with Bridge CA or Cross-Certified CAs. ++ + =item B<-purpose purpose> + + The intended use for the certificate. If this option is not specified, diff --git a/openssl.spec b/openssl.spec index 2ef5091..1d524be 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,7 +21,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1e -Release: 14%{?dist} +Release: 15%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -441,6 +441,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Fri Aug 16 2013 Tomas Mraz 1.0.1e-15 +- fix use of rdrand if available +- more commits cherry picked from upstream +- documentation fixes + * Sat Aug 03 2013 Petr Pisar - 1:1.0.1e-14 - Perl 5.18 rebuild