diff --git a/.gitignore b/.gitignore index ded4230..80ca99a 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.0.1e-hobbled.tar.xz /openssl-1.0.1g-hobbled.tar.xz /openssl-1.0.1h-hobbled.tar.xz +/openssl-1.0.1i-hobbled.tar.xz diff --git a/openssl-1.0.0c-fips-md5-allow.patch b/openssl-1.0.0c-fips-md5-allow.patch deleted file mode 100644 index f9f5e5d..0000000 --- a/openssl-1.0.0c-fips-md5-allow.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -up openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.0c/crypto/md5/md5_dgst.c ---- openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow 2011-02-03 19:53:28.000000000 +0100 -+++ openssl-1.0.0c/crypto/md5/md5_dgst.c 2011-02-03 20:33:14.000000000 +0100 -@@ -75,7 +75,15 @@ const char MD5_version[]="MD5" OPENSSL_V - #define INIT_DATA_C (unsigned long)0x98badcfeL - #define INIT_DATA_D (unsigned long)0x10325476L - --FIPS_NON_FIPS_MD_Init(MD5) -+int MD5_Init(MD5_CTX *c) -+#ifdef OPENSSL_FIPS -+ { -+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) -+ FIPS_BAD_ALGORITHM(alg) -+ return private_MD5_Init(c); -+ } -+int private_MD5_Init(MD5_CTX *c) -+#endif - { - memset (c,0,sizeof(*c)); - c->A=INIT_DATA_A; diff --git a/openssl-1.0.0e-doc-noeof.patch b/openssl-1.0.0e-doc-noeof.patch deleted file mode 100644 index 9686575..0000000 --- a/openssl-1.0.0e-doc-noeof.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof openssl-1.0.0e/doc/apps/s_client.pod ---- openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof 2009-06-26 13:28:51.000000000 +0200 -+++ openssl-1.0.0e/doc/apps/s_client.pod 2011-11-03 08:30:35.000000000 +0100 -@@ -27,6 +27,7 @@ B B - [B<-nbio>] - [B<-crlf>] - [B<-ign_eof>] -+[B<-no_ign_eof>] - [B<-quiet>] - [B<-ssl2>] - [B<-ssl3>] -@@ -161,6 +162,11 @@ by some servers. - inhibit shutting down the connection when end of file is reached in the - input. - -+=item B<-no_ign_eof> -+ -+shut down the connection when end of file is reached in the -+input. Can be used to override the implicit B<-ign_eof> after B<-quiet>. -+ - =item B<-quiet> - - inhibit printing of session and certificate information. This implicitly diff --git a/openssl-1.0.1e-ssl2-no-ec.patch b/openssl-1.0.1e-ssl2-no-ec.patch deleted file mode 100644 index 81ad472..0000000 --- a/openssl-1.0.1e-ssl2-no-ec.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff -up openssl-1.0.1e/ssl/s23_lib.c.ssl2noec openssl-1.0.1e/ssl/s23_lib.c ---- openssl-1.0.1e/ssl/s23_lib.c.ssl2noec 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/s23_lib.c 2014-05-06 15:51:54.053293674 +0200 -@@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_C - long l; - - /* We can write SSLv2 and SSLv3 ciphers */ -+ /* but no ECC ciphers */ -+ if (c->algorithm_mkey == SSL_kECDHr || -+ c->algorithm_mkey == SSL_kECDHe || -+ c->algorithm_mkey == SSL_kEECDH || -+ c->algorithm_auth == SSL_aECDH || -+ c->algorithm_auth == SSL_aECDSA) -+ return 0; - if (p != NULL) - { - l=c->id; diff --git a/openssl-1.0.1g-3des-strength.patch b/openssl-1.0.1g-3des-strength.patch deleted file mode 100644 index aec054d..0000000 --- a/openssl-1.0.1g-3des-strength.patch +++ /dev/null @@ -1,168 +0,0 @@ -diff -up openssl-1.0.1g/ssl/s2_lib.c.3des-strength openssl-1.0.1g/ssl/s2_lib.c ---- openssl-1.0.1g/ssl/s2_lib.c.3des-strength 2014-03-17 17:14:20.000000000 +0100 -+++ openssl-1.0.1g/ssl/s2_lib.c 2014-05-06 16:33:45.646358418 +0200 -@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_SSLV2, - SSL_NOT_EXP|SSL_HIGH, - 0, -- 168, -+ 128, - 168, - }, - -diff -up openssl-1.0.1g/ssl/s3_lib.c.3des-strength openssl-1.0.1g/ssl/s3_lib.c ---- openssl-1.0.1g/ssl/s3_lib.c.3des-strength 2014-03-17 17:14:20.000000000 +0100 -+++ openssl-1.0.1g/ssl/s3_lib.c 2014-05-06 16:38:05.887374872 +0200 -@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -377,7 +377,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -474,7 +474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -687,7 +687,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -2432,7 +2432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -2448,7 +2448,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - -@@ -2464,7 +2464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, -- 168, -+ 128, - 168, - }, - diff --git a/openssl-1.0.1h-disable-sslv2v3.patch b/openssl-1.0.1h-disable-sslv2v3.patch index 83afda0..7a028aa 100644 --- a/openssl-1.0.1h-disable-sslv2v3.patch +++ b/openssl-1.0.1h-disable-sslv2v3.patch @@ -5,8 +5,8 @@ diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; -+ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */ -+ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; ++ /* Disable SSLv2 by default (affects the SSLv23_method() only) */ ++ ret->options |= SSL_OP_NO_SSLv2; + return(ret); err: diff --git a/openssl-1.0.1h-manfix.patch b/openssl-1.0.1h-manfix.patch deleted file mode 100644 index 836f58f..0000000 --- a/openssl-1.0.1h-manfix.patch +++ /dev/null @@ -1,135 +0,0 @@ -diff -up openssl-1.0.1h/doc/apps/ec.pod.manfix openssl-1.0.1h/doc/apps/ec.pod ---- openssl-1.0.1h/doc/apps/ec.pod.manfix 2014-06-05 11:41:31.000000000 +0200 -+++ openssl-1.0.1h/doc/apps/ec.pod 2014-06-05 14:41:11.501274915 +0200 -@@ -93,10 +93,6 @@ prints out the public, private key compo - - this option prevents output of the encoded version of the key. - --=item B<-modulus> -- --this option prints out the value of the public key component of the key. -- - =item B<-pubin> - - by default a private key is read from the input file: with this option a -diff -up openssl-1.0.1h/doc/apps/openssl.pod.manfix openssl-1.0.1h/doc/apps/openssl.pod ---- openssl-1.0.1h/doc/apps/openssl.pod.manfix 2014-06-05 11:41:31.000000000 +0200 -+++ openssl-1.0.1h/doc/apps/openssl.pod 2014-06-05 14:41:11.501274915 +0200 -@@ -163,7 +163,7 @@ Create or examine a netscape certificate - - Online Certificate Status Protocol utility. - --=item L|passwd(1)> -+=item L|sslpasswd(1)> - - Generation of hashed passwords. - -@@ -187,7 +187,7 @@ Public key algorithm parameter managemen - - Public key algorithm cryptographic operation utility. - --=item L|rand(1)> -+=item L|sslrand(1)> - - Generate pseudo-random bytes. - -@@ -401,9 +401,9 @@ L, L, L, L, - L, L, L, - L, L, L, --L, -+L, - L, L, L, --L, L, L, -+L, L, L, - L, L, - L, L, - L, L, -diff -up openssl-1.0.1h/doc/apps/s_client.pod.manfix openssl-1.0.1h/doc/apps/s_client.pod ---- openssl-1.0.1h/doc/apps/s_client.pod.manfix 2014-06-05 14:41:11.445273605 +0200 -+++ openssl-1.0.1h/doc/apps/s_client.pod 2014-06-05 14:41:11.501274915 +0200 -@@ -33,9 +33,14 @@ B B - [B<-ssl2>] - [B<-ssl3>] - [B<-tls1>] -+[B<-tls1_1>] -+[B<-tls1_2>] -+[B<-dtls1>] - [B<-no_ssl2>] - [B<-no_ssl3>] - [B<-no_tls1>] -+[B<-no_tls1_1>] -+[B<-no_tls1_2>] - [B<-bugs>] - [B<-cipher cipherlist>] - [B<-starttls protocol>] -@@ -45,6 +50,7 @@ B B - [B<-sess_out filename>] - [B<-sess_in filename>] - [B<-rand file(s)>] -+[B<-nextprotoneg protocols>] - - =head1 DESCRIPTION - -@@ -188,7 +194,7 @@ Use the PSK key B when using a PSK - given as a hexadecimal number without leading 0x, for example -psk - 1a2b3c4d. - --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all -@@ -249,6 +255,17 @@ Multiple files can be specified separate - The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for - all others. - -+=item B<-nextprotoneg protocols> -+ -+enable Next Protocol Negotiation TLS extension and provide a list of -+comma-separated protocol names that the client should advertise -+support for. The list should contain most wanted protocols first. -+Protocol names are printable ASCII strings, for example "http/1.1" or -+"spdy/3". -+Empty list of protocols is treated specially and will cause the client to -+advertise support for the TLS extension but disconnect just after -+reciving ServerHello with a list of server supported protocols. -+ - =back - - =head1 CONNECTED COMMANDS -diff -up openssl-1.0.1h/doc/apps/s_server.pod.manfix openssl-1.0.1h/doc/apps/s_server.pod ---- openssl-1.0.1h/doc/apps/s_server.pod.manfix 2014-06-05 11:41:31.000000000 +0200 -+++ openssl-1.0.1h/doc/apps/s_server.pod 2014-06-05 14:41:11.502274939 +0200 -@@ -55,6 +55,7 @@ B B - [B<-no_ticket>] - [B<-id_prefix arg>] - [B<-rand file(s)>] -+[B<-nextprotoneg protocols>] - - =head1 DESCRIPTION - -@@ -207,7 +208,7 @@ Use the PSK key B when using a PSK - given as a hexadecimal number without leading 0x, for example -psk - 1a2b3c4d. - --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all -@@ -282,6 +283,14 @@ Multiple files can be specified separate - The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for - all others. - -+=item B<-nextprotoneg protocols> -+ -+enable Next Protocol Negotiation TLS extension and provide a -+comma-separated list of supported protocol names. -+The list should contain most wanted protocols first. -+Protocol names are printable ASCII strings, for example "http/1.1" or -+"spdy/3". -+ - =back - - =head1 CONNECTED COMMANDS diff --git a/openssl-1.0.1h-session-resumption.patch b/openssl-1.0.1h-session-resumption.patch deleted file mode 100644 index 1d0626f..0000000 --- a/openssl-1.0.1h-session-resumption.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up openssl-1.0.1h/ssl/s3_clnt.c.resumption openssl-1.0.1h/ssl/s3_clnt.c ---- openssl-1.0.1h/ssl/s3_clnt.c.resumption 2014-06-05 11:44:33.000000000 +0200 -+++ openssl-1.0.1h/ssl/s3_clnt.c 2014-06-10 16:35:12.895096670 +0200 -@@ -901,6 +901,7 @@ int ssl3_get_server_hello(SSL *s) - { - s->session->cipher = pref_cipher ? - pref_cipher : ssl_get_cipher_by_char(s, p+j); -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - } - } - #endif /* OPENSSL_NO_TLSEXT */ diff --git a/openssl-1.0.1a-algo-doc.patch b/openssl-1.0.1i-algo-doc.patch similarity index 80% rename from openssl-1.0.1a-algo-doc.patch rename to openssl-1.0.1i-algo-doc.patch index c4aaa89..a19877d 100644 --- a/openssl-1.0.1a-algo-doc.patch +++ b/openssl-1.0.1i-algo-doc.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod ---- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc 2012-04-11 00:28:22.000000000 +0200 -+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod 2012-04-20 09:14:01.865167011 +0200 +diff -up openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod +--- openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod 2014-08-07 11:18:01.290773970 +0200 @@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ EVP_DigestInit_ex() sets up digest context B to use a digest @@ -10,9 +10,9 @@ diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/do If B is NULL then the default implementation of digest B is used. EVP_DigestUpdate() hashes B bytes of data at B into the -@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_ - EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block - size in bytes. +@@ -164,7 +164,8 @@ corresponding OBJECT IDENTIFIER or NID_u + EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and + EVP_MD_CTX_block_size() return the digest or block size in bytes. -EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(), +EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), @@ -20,9 +20,9 @@ diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/do EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the corresponding EVP_MD structures. -diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod ---- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200 -+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod 2012-04-20 09:10:59.114736465 +0200 +diff -up openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod +--- openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod 2014-08-07 10:55:25.100638252 +0200 @@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); diff --git a/openssl-1.0.1i-manfix.patch b/openssl-1.0.1i-manfix.patch new file mode 100644 index 0000000..f2f8be7 --- /dev/null +++ b/openssl-1.0.1i-manfix.patch @@ -0,0 +1,86 @@ +diff -up openssl-1.0.1i/doc/apps/ec.pod.manfix openssl-1.0.1i/doc/apps/ec.pod +--- openssl-1.0.1i/doc/apps/ec.pod.manfix 2014-07-22 21:41:23.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/ec.pod 2014-08-07 11:21:57.258887741 +0200 +@@ -93,10 +93,6 @@ prints out the public, private key compo + + this option prevents output of the encoded version of the key. + +-=item B<-modulus> +- +-this option prints out the value of the public key component of the key. +- + =item B<-pubin> + + by default a private key is read from the input file: with this option a +diff -up openssl-1.0.1i/doc/apps/openssl.pod.manfix openssl-1.0.1i/doc/apps/openssl.pod +--- openssl-1.0.1i/doc/apps/openssl.pod.manfix 2014-07-22 21:43:11.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/openssl.pod 2014-08-07 11:21:57.259887746 +0200 +@@ -163,7 +163,7 @@ Create or examine a netscape certificate + + Online Certificate Status Protocol utility. + +-=item L|passwd(1)> ++=item L|sslpasswd(1)> + + Generation of hashed passwords. + +@@ -187,7 +187,7 @@ Public key algorithm parameter managemen + + Public key algorithm cryptographic operation utility. + +-=item L|rand(1)> ++=item L|sslrand(1)> + + Generate pseudo-random bytes. + +@@ -401,9 +401,9 @@ L, L, L, L, + L, L, L, + L, L, L, +-L, ++L, + L, L, L, +-L, L, L, ++L, L, L, + L, L, + L, L, + L, L, +diff -up openssl-1.0.1i/doc/apps/s_client.pod.manfix openssl-1.0.1i/doc/apps/s_client.pod +--- openssl-1.0.1i/doc/apps/s_client.pod.manfix 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/s_client.pod 2014-08-07 11:24:28.736604443 +0200 +@@ -34,9 +34,14 @@ B B + [B<-ssl2>] + [B<-ssl3>] + [B<-tls1>] ++[B<-tls1_1>] ++[B<-tls1_2>] ++[B<-dtls1>] + [B<-no_ssl2>] + [B<-no_ssl3>] + [B<-no_tls1>] ++[B<-no_tls1_1>] ++[B<-no_tls1_2>] + [B<-bugs>] + [B<-cipher cipherlist>] + [B<-serverpref>] +@@ -196,7 +201,7 @@ Use the PSK key B when using a PSK + given as a hexadecimal number without leading 0x, for example -psk + 1a2b3c4d. + +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> ++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + + these options disable the use of certain SSL or TLS protocols. By default + the initial handshake uses a method which should be compatible with all +diff -up openssl-1.0.1i/doc/apps/s_server.pod.manfix openssl-1.0.1i/doc/apps/s_server.pod +--- openssl-1.0.1i/doc/apps/s_server.pod.manfix 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/s_server.pod 2014-08-07 11:21:57.259887746 +0200 +@@ -216,7 +216,7 @@ Use the PSK key B when using a PSK + given as a hexadecimal number without leading 0x, for example -psk + 1a2b3c4d. + +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> ++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + + these options disable the use of certain SSL or TLS protocols. By default + the initial handshake uses a method which should be compatible with all diff --git a/openssl-1.0.1g-new-fips-reqs.patch b/openssl-1.0.1i-new-fips-reqs.patch similarity index 82% rename from openssl-1.0.1g-new-fips-reqs.patch rename to openssl-1.0.1i-new-fips-reqs.patch index 335cf43..b577177 100644 --- a/openssl-1.0.1g-new-fips-reqs.patch +++ b/openssl-1.0.1i-new-fips-reqs.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.1g/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1g/crypto/bn/bn_rand.c ---- openssl-1.0.1g/crypto/bn/bn_rand.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100 -+++ openssl-1.0.1g/crypto/bn/bn_rand.c 2014-05-06 16:22:21.432540283 +0200 +diff -up openssl-1.0.1i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1i/crypto/bn/bn_rand.c +--- openssl-1.0.1i/crypto/bn/bn_rand.c.fips-reqs 2014-07-22 21:43:11.000000000 +0200 ++++ openssl-1.0.1i/crypto/bn/bn_rand.c 2014-08-07 11:25:28.835889145 +0200 @@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM goto err; } @@ -17,9 +17,9 @@ diff -up openssl-1.0.1g/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1g/crypto/bn/b if (pseudorand) { -diff -up openssl-1.0.1g/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1g/crypto/dh/dh_gen.c ---- openssl-1.0.1g/crypto/dh/dh_gen.c.fips-reqs 2014-05-06 16:22:21.253536145 +0200 -+++ openssl-1.0.1g/crypto/dh/dh_gen.c 2014-05-06 16:22:21.432540283 +0200 +diff -up openssl-1.0.1i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1i/crypto/dh/dh_gen.c +--- openssl-1.0.1i/crypto/dh/dh_gen.c.fips-reqs 2014-08-07 11:25:28.586887965 +0200 ++++ openssl-1.0.1i/crypto/dh/dh_gen.c 2014-08-07 11:25:28.835889145 +0200 @@ -125,7 +125,7 @@ static int dh_builtin_genparams(DH *ret, return 0; } @@ -29,9 +29,9 @@ diff -up openssl-1.0.1g/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1g/crypto/dh/dh { DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); goto err; -diff -up openssl-1.0.1g/crypto/dh/dh.h.fips-reqs openssl-1.0.1g/crypto/dh/dh.h ---- openssl-1.0.1g/crypto/dh/dh.h.fips-reqs 2014-05-06 16:22:21.253536145 +0200 -+++ openssl-1.0.1g/crypto/dh/dh.h 2014-05-06 16:22:21.432540283 +0200 +diff -up openssl-1.0.1i/crypto/dh/dh.h.fips-reqs openssl-1.0.1i/crypto/dh/dh.h +--- openssl-1.0.1i/crypto/dh/dh.h.fips-reqs 2014-08-07 11:25:28.586887965 +0200 ++++ openssl-1.0.1i/crypto/dh/dh.h 2014-08-07 11:25:28.836889150 +0200 @@ -78,6 +78,7 @@ #endif @@ -40,9 +40,9 @@ diff -up openssl-1.0.1g/crypto/dh/dh.h.fips-reqs openssl-1.0.1g/crypto/dh/dh.h #define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH -diff -up openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1g/crypto/dh/dh_check.c ---- openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100 -+++ openssl-1.0.1g/crypto/dh/dh_check.c 2014-05-06 16:22:21.432540283 +0200 +diff -up openssl-1.0.1i/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1i/crypto/dh/dh_check.c +--- openssl-1.0.1i/crypto/dh/dh_check.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/crypto/dh/dh_check.c 2014-08-07 11:25:28.836889150 +0200 @@ -134,7 +134,33 @@ int DH_check_pub_key(const DH *dh, const BN_sub_word(q,1); if (BN_cmp(pub_key,q)>=0) @@ -77,9 +77,9 @@ diff -up openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1g/crypto/dh/ ok = 1; err: if (q != NULL) BN_free(q); -diff -up openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1g/crypto/dsa/dsa_gen.c ---- openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs 2014-05-06 16:22:21.254536168 +0200 -+++ openssl-1.0.1g/crypto/dsa/dsa_gen.c 2014-05-06 16:22:21.432540283 +0200 +diff -up openssl-1.0.1i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1i/crypto/dsa/dsa_gen.c +--- openssl-1.0.1i/crypto/dsa/dsa_gen.c.fips-reqs 2014-08-07 11:25:28.587887969 +0200 ++++ openssl-1.0.1i/crypto/dsa/dsa_gen.c 2014-08-07 11:25:28.836889150 +0200 @@ -159,7 +159,7 @@ int dsa_builtin_paramgen(DSA *ret, size_ } @@ -89,9 +89,9 @@ diff -up openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1g/crypto/dsa (bits != 2048 || qbits != 224) && (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) -diff -up openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1g/crypto/dsa/dsa.h ---- openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs 2014-05-06 16:22:21.254536168 +0200 -+++ openssl-1.0.1g/crypto/dsa/dsa.h 2014-05-06 16:22:21.432540283 +0200 +diff -up openssl-1.0.1i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1i/crypto/dsa/dsa.h +--- openssl-1.0.1i/crypto/dsa/dsa.h.fips-reqs 2014-08-07 11:25:28.588887974 +0200 ++++ openssl-1.0.1i/crypto/dsa/dsa.h 2014-08-07 11:25:28.837889154 +0200 @@ -89,6 +89,7 @@ #endif @@ -113,9 +113,9 @@ diff -up openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1g/crypto/dsa/dsa #define DSA_is_prime(n, callback, cb_arg) \ BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) -diff -up openssl-1.0.1g/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1g/crypto/dsa/dsa_key.c ---- openssl-1.0.1g/crypto/dsa/dsa_key.c.fips-reqs 2014-05-06 16:22:21.427540169 +0200 -+++ openssl-1.0.1g/crypto/dsa/dsa_key.c 2014-05-06 16:22:21.433540307 +0200 +diff -up openssl-1.0.1i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1i/crypto/dsa/dsa_key.c +--- openssl-1.0.1i/crypto/dsa/dsa_key.c.fips-reqs 2014-08-07 11:25:28.833889135 +0200 ++++ openssl-1.0.1i/crypto/dsa/dsa_key.c 2014-08-07 11:25:28.837889154 +0200 @@ -127,7 +127,7 @@ static int dsa_builtin_keygen(DSA *dsa) #ifdef OPENSSL_FIPS @@ -125,9 +125,9 @@ diff -up openssl-1.0.1g/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1g/crypto/dsa { DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); goto err; -diff -up openssl-1.0.1g/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_dh_selftest.c ---- openssl-1.0.1g/crypto/fips/fips_dh_selftest.c.fips-reqs 2014-05-06 16:22:21.433540307 +0200 -+++ openssl-1.0.1g/crypto/fips/fips_dh_selftest.c 2014-05-06 16:22:21.433540307 +0200 +diff -up openssl-1.0.1i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_dh_selftest.c +--- openssl-1.0.1i/crypto/fips/fips_dh_selftest.c.fips-reqs 2014-08-07 11:25:28.837889154 +0200 ++++ openssl-1.0.1i/crypto/fips/fips_dh_selftest.c 2014-08-07 11:25:28.837889154 +0200 @@ -0,0 +1,162 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -291,92 +291,9 @@ diff -up openssl-1.0.1g/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1g/ + return ret; + } +#endif -diff -up openssl-1.0.1g/crypto/fips/fips_drbg_rand.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.1g/crypto/fips/fips_drbg_rand.c.fips-reqs 2014-05-06 16:22:21.263536376 +0200 -+++ openssl-1.0.1g/crypto/fips/fips_drbg_rand.c 2014-05-06 16:22:21.433540307 +0200 -@@ -77,7 +77,8 @@ static int fips_drbg_bytes(unsigned char - int rv = 0; - unsigned char *adin = NULL; - size_t adinlen = 0; -- CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ int locked; -+ locked = private_RAND_lock(1); - do - { - size_t rcnt; -@@ -109,7 +110,8 @@ static int fips_drbg_bytes(unsigned char - while (count); - rv = 1; - err: -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ if (locked) -+ private_RAND_lock(0); - return rv; - } - -@@ -124,35 +126,51 @@ static int fips_drbg_status(void) - { - DRBG_CTX *dctx = &ossl_dctx; - int rv; -- CRYPTO_r_lock(CRYPTO_LOCK_RAND); -+ int locked; -+ locked = private_RAND_lock(1); - rv = dctx->status == DRBG_STATUS_READY ? 1 : 0; -- CRYPTO_r_unlock(CRYPTO_LOCK_RAND); -+ if (locked) -+ private_RAND_lock(0); - return rv; - } - - static void fips_drbg_cleanup(void) - { - DRBG_CTX *dctx = &ossl_dctx; -- CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ int locked; -+ locked = private_RAND_lock(1); - FIPS_drbg_uninstantiate(dctx); -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ if (locked) -+ private_RAND_lock(0); - } - - static int fips_drbg_seed(const void *seed, int seedlen) - { - DRBG_CTX *dctx = &ossl_dctx; -+ int locked; -+ int ret = 1; -+ -+ locked = private_RAND_lock(1); - if (dctx->rand_seed_cb) -- return dctx->rand_seed_cb(dctx, seed, seedlen); -- return 1; -+ ret = dctx->rand_seed_cb(dctx, seed, seedlen); -+ if (locked) -+ private_RAND_lock(0); -+ return ret; - } - - static int fips_drbg_add(const void *seed, int seedlen, - double add_entropy) - { - DRBG_CTX *dctx = &ossl_dctx; -+ int locked; -+ int ret = 1; -+ -+ locked = private_RAND_lock(1); - if (dctx->rand_add_cb) -- return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy); -- return 1; -+ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy); -+ if (locked) -+ private_RAND_lock(0); -+ return ret; - } - - static const RAND_METHOD rand_drbg_meth = -diff -up openssl-1.0.1g/crypto/fips/fips.h.fips-reqs openssl-1.0.1g/crypto/fips/fips.h ---- openssl-1.0.1g/crypto/fips/fips.h.fips-reqs 2014-05-06 16:22:21.421540031 +0200 -+++ openssl-1.0.1g/crypto/fips/fips.h 2014-05-06 16:22:21.433540307 +0200 +diff -up openssl-1.0.1i/crypto/fips/fips.h.fips-reqs openssl-1.0.1i/crypto/fips/fips.h +--- openssl-1.0.1i/crypto/fips/fips.h.fips-reqs 2014-08-07 11:25:28.828889111 +0200 ++++ openssl-1.0.1i/crypto/fips/fips.h 2014-08-07 11:25:28.838889159 +0200 @@ -96,6 +96,7 @@ void FIPS_corrupt_dsa_keygen(void); int FIPS_selftest_dsa(void); int FIPS_selftest_ecdsa(void); @@ -385,9 +302,9 @@ diff -up openssl-1.0.1g/crypto/fips/fips.h.fips-reqs openssl-1.0.1g/crypto/fips/ void FIPS_corrupt_rng(void); void FIPS_rng_stick(void); void FIPS_x931_stick(int onoff); -diff -up openssl-1.0.1g/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_post.c ---- openssl-1.0.1g/crypto/fips/fips_post.c.fips-reqs 2014-05-06 16:22:21.420540008 +0200 -+++ openssl-1.0.1g/crypto/fips/fips_post.c 2014-05-06 16:22:21.433540307 +0200 +diff -up openssl-1.0.1i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_post.c +--- openssl-1.0.1i/crypto/fips/fips_post.c.fips-reqs 2014-08-07 11:25:28.822889083 +0200 ++++ openssl-1.0.1i/crypto/fips/fips_post.c 2014-08-07 11:25:28.838889159 +0200 @@ -99,6 +99,8 @@ int FIPS_selftest(void) rv = 0; if (!FIPS_selftest_dsa()) @@ -397,9 +314,9 @@ diff -up openssl-1.0.1g/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1g/crypto/ if (!FIPS_selftest_ecdh()) rv = 0; return rv; -diff -up openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips-reqs 2014-05-06 16:22:21.267536469 +0200 -+++ openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c 2014-05-06 16:22:21.434540330 +0200 +diff -up openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c.fips-reqs 2014-08-07 11:25:28.783888898 +0200 ++++ openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c 2014-08-07 11:25:28.838889159 +0200 @@ -60,69 +60,113 @@ #ifdef OPENSSL_FIPS @@ -1130,9 +1047,9 @@ diff -up openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1g RSA_free(key); return ret; } -diff -up openssl-1.0.1g/crypto/fips/Makefile.fips-reqs openssl-1.0.1g/crypto/fips/Makefile ---- openssl-1.0.1g/crypto/fips/Makefile.fips-reqs 2014-05-06 16:22:21.420540008 +0200 -+++ openssl-1.0.1g/crypto/fips/Makefile 2014-05-06 16:22:21.434540330 +0200 +diff -up openssl-1.0.1i/crypto/fips/Makefile.fips-reqs openssl-1.0.1i/crypto/fips/Makefile +--- openssl-1.0.1i/crypto/fips/Makefile.fips-reqs 2014-08-07 11:25:28.823889088 +0200 ++++ openssl-1.0.1i/crypto/fips/Makefile 2014-08-07 11:25:28.838889159 +0200 @@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ @@ -1151,9 +1068,9 @@ diff -up openssl-1.0.1g/crypto/fips/Makefile.fips-reqs openssl-1.0.1g/crypto/fip LIBCRYPTO=-L.. -lcrypto -diff -up openssl-1.0.1g/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1g/crypto/modes/gcm128.c ---- openssl-1.0.1g/crypto/modes/gcm128.c.fips-reqs 2014-04-06 17:55:01.000000000 +0200 -+++ openssl-1.0.1g/crypto/modes/gcm128.c 2014-05-06 16:22:21.434540330 +0200 +diff -up openssl-1.0.1i/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1i/crypto/modes/gcm128.c +--- openssl-1.0.1i/crypto/modes/gcm128.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/crypto/modes/gcm128.c 2014-08-07 11:25:28.839889164 +0200 @@ -906,6 +906,10 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT # endif #endif @@ -1176,9 +1093,9 @@ diff -up openssl-1.0.1g/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1g/crypto/mo mlen += len; if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen 0); - -- if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ if (locked) -+ private_RAND_lock(0); - - EVP_MD_CTX_init(&m); - for (i=0; i 0) - { -@@ -524,16 +497,11 @@ static int ssleay_rand_bytes(unsigned ch - MD_Init(&m); - MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); - MD_Update(&m,local_md,MD_DIGEST_LENGTH); --#ifdef OPENSSL_FIPS -- if (!FIPS_mode()) --#endif -- CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ locked = private_RAND_lock(1); - MD_Update(&m,md,MD_DIGEST_LENGTH); - MD_Final(&m,md); --#ifdef OPENSSL_FIPS -- if (!FIPS_mode()) --#endif -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ if (locked) -+ private_RAND_lock(0); - - EVP_MD_CTX_cleanup(&m); - if (ok) -@@ -563,32 +531,10 @@ static int ssleay_rand_pseudo_bytes(unsi - - static int ssleay_rand_status(void) - { -- CRYPTO_THREADID cur; - int ret; -- int do_not_lock; -+ int locked; - -- CRYPTO_THREADID_current(&cur); -- /* check if we already have the lock -- * (could happen if a RAND_poll() implementation calls RAND_status()) */ -- if (crypto_lock_rand) -- { -- CRYPTO_r_lock(CRYPTO_LOCK_RAND2); -- do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur); -- CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); -- } -- else -- do_not_lock = 0; -- -- if (!do_not_lock) -- { -- CRYPTO_w_lock(CRYPTO_LOCK_RAND); -- -- /* prevent ssleay_rand_bytes() from trying to obtain the lock again */ -- CRYPTO_w_lock(CRYPTO_LOCK_RAND2); -- CRYPTO_THREADID_cpy(&locking_threadid, &cur); -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); -- crypto_lock_rand = 1; -- } -+ locked = private_RAND_lock(1); - - if (!initialized) - { -@@ -598,13 +544,8 @@ static int ssleay_rand_status(void) - - ret = entropy >= ENTROPY_NEEDED; - -- if (!do_not_lock) -- { -- /* before unlocking, we must clear 'crypto_lock_rand' */ -- crypto_lock_rand = 0; -- -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -- } -+ if (locked) -+ private_RAND_lock(0); - - return ret; - } -diff -up openssl-1.0.1g/crypto/rand/rand.h.fips-reqs openssl-1.0.1g/crypto/rand/rand.h ---- openssl-1.0.1g/crypto/rand/rand.h.fips-reqs 2014-05-06 16:22:21.269536515 +0200 -+++ openssl-1.0.1g/crypto/rand/rand.h 2014-05-06 16:22:21.435540353 +0200 -@@ -124,6 +124,8 @@ void RAND_set_fips_drbg_type(int type, i - int RAND_init_fips(void); - #endif - -+int private_RAND_lock(int lock); -+ - /* BEGIN ERROR CODES */ - /* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. -diff -up openssl-1.0.1g/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1g/crypto/rand/rand_lcl.h ---- openssl-1.0.1g/crypto/rand/rand_lcl.h.fips-reqs 2014-05-06 16:22:21.021530782 +0200 -+++ openssl-1.0.1g/crypto/rand/rand_lcl.h 2014-05-06 16:22:21.435540353 +0200 +diff -up openssl-1.0.1i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1i/crypto/rand/rand_lcl.h +--- openssl-1.0.1i/crypto/rand/rand_lcl.h.fips-reqs 2014-08-07 11:25:28.418887169 +0200 ++++ openssl-1.0.1i/crypto/rand/rand_lcl.h 2014-08-07 11:25:28.840889168 +0200 @@ -112,7 +112,7 @@ #ifndef HEADER_RAND_LCL_H #define HEADER_RAND_LCL_H @@ -1399,57 +1116,19 @@ diff -up openssl-1.0.1g/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1g/crypto/r #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) -diff -up openssl-1.0.1g/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1g/crypto/rand/rand_lib.c ---- openssl-1.0.1g/crypto/rand/rand_lib.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100 -+++ openssl-1.0.1g/crypto/rand/rand_lib.c 2014-05-06 16:22:21.435540353 +0200 -@@ -181,6 +181,41 @@ int RAND_status(void) - return 0; - } - -+int private_RAND_lock(int lock) -+ { -+ static int crypto_lock_rand; -+ static CRYPTO_THREADID locking_threadid; -+ int do_lock; -+ -+ if (!lock) -+ { -+ crypto_lock_rand = 0; -+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ return 0; -+ } -+ -+ /* check if we already have the lock */ -+ if (crypto_lock_rand) -+ { -+ CRYPTO_THREADID cur; -+ CRYPTO_THREADID_current(&cur); -+ CRYPTO_r_lock(CRYPTO_LOCK_RAND2); -+ do_lock = !!CRYPTO_THREADID_cmp(&locking_threadid, &cur); -+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND2); -+ } -+ else -+ do_lock = 1; -+ if (do_lock) -+ { -+ CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ crypto_lock_rand = 1; -+ CRYPTO_w_lock(CRYPTO_LOCK_RAND2); -+ CRYPTO_THREADID_current(&locking_threadid); -+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); -+ } -+ return do_lock; -+ } -+ - #ifdef OPENSSL_FIPS - - /* FIPS DRBG initialisation code. This sets up the DRBG for use by the -@@ -239,12 +274,16 @@ static int drbg_rand_add(DRBG_CTX *ctx, +diff -up openssl-1.0.1i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1i/crypto/rand/rand_lib.c +--- openssl-1.0.1i/crypto/rand/rand_lib.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/crypto/rand/rand_lib.c 2014-08-07 13:45:51.240535446 +0200 +@@ -240,12 +240,24 @@ static int drbg_rand_add(DRBG_CTX *ctx, double entropy) { RAND_SSLeay()->add(in, inlen, entropy); + if (FIPS_rand_status()) ++ { ++ CRYPTO_w_lock(CRYPTO_LOCK_RAND); + FIPS_drbg_reseed(ctx, NULL, 0); ++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); ++ } return 1; } @@ -1457,13 +1136,17 @@ diff -up openssl-1.0.1g/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1g/crypto/r { RAND_SSLeay()->seed(in, inlen); + if (FIPS_rand_status()) ++ { ++ CRYPTO_w_lock(CRYPTO_LOCK_RAND); + FIPS_drbg_reseed(ctx, NULL, 0); ++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); ++ } return 1; } -diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa/rsa_gen.c ---- openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs 2014-05-06 16:22:21.270536538 +0200 -+++ openssl-1.0.1g/crypto/rsa/rsa_gen.c 2014-05-06 16:22:21.436540376 +0200 +diff -up openssl-1.0.1i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1i/crypto/rsa/rsa_gen.c +--- openssl-1.0.1i/crypto/rsa/rsa_gen.c.fips-reqs 2014-08-07 11:25:28.788888922 +0200 ++++ openssl-1.0.1i/crypto/rsa/rsa_gen.c 2014-08-07 11:25:28.840889168 +0200 @@ -1,5 +1,6 @@ /* crypto/rsa/rsa_gen.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -1713,7 +1396,7 @@ diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa } #endif -@@ -301,17 +520,6 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -301,17 +513,6 @@ static int rsa_builtin_keygen(RSA *rsa, p = rsa->p; if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; @@ -1731,9 +1414,9 @@ diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa ok=1; err: if (ok == -1) -diff -up openssl-1.0.1g/ssl/t1_enc.c.fips-reqs openssl-1.0.1g/ssl/t1_enc.c ---- openssl-1.0.1g/ssl/t1_enc.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100 -+++ openssl-1.0.1g/ssl/t1_enc.c 2014-05-06 16:22:21.436540376 +0200 +diff -up openssl-1.0.1i/ssl/t1_enc.c.fips-reqs openssl-1.0.1i/ssl/t1_enc.c +--- openssl-1.0.1i/ssl/t1_enc.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/ssl/t1_enc.c 2014-08-07 11:25:28.841889173 +0200 @@ -291,6 +291,27 @@ static int tls1_PRF(long digest_mask, err: return ret; diff --git a/openssl-1.0.1e-trusted-first.patch b/openssl-1.0.1i-trusted-first.patch similarity index 67% rename from openssl-1.0.1e-trusted-first.patch rename to openssl-1.0.1i-trusted-first.patch index 08ab639..f11f36d 100644 --- a/openssl-1.0.1e-trusted-first.patch +++ b/openssl-1.0.1i-trusted-first.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c ---- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/apps/apps.c 2013-08-16 15:42:39.920534769 +0200 -@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg +diff -up openssl-1.0.1i/apps/apps.c.trusted-first openssl-1.0.1i/apps/apps.c +--- openssl-1.0.1i/apps/apps.c.trusted-first 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/apps/apps.c 2014-08-07 13:54:27.751103405 +0200 +@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; @@ -10,9 +10,9 @@ diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c else return 0; -diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c ---- openssl-1.0.1e/apps/cms.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/apps/cms.c 2013-08-16 15:43:56.671213879 +0200 +diff -up openssl-1.0.1i/apps/cms.c.trusted-first openssl-1.0.1i/apps/cms.c +--- openssl-1.0.1i/apps/cms.c.trusted-first 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/apps/cms.c 2014-08-07 13:54:27.751103405 +0200 @@ -642,6 +642,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); @@ -21,10 +21,10 @@ diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c ---- openssl-1.0.1e/apps/ocsp.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/apps/ocsp.c 2013-08-16 15:49:47.477572414 +0200 -@@ -595,6 +595,7 @@ int MAIN(int argc, char **argv) +diff -up openssl-1.0.1i/apps/ocsp.c.trusted-first openssl-1.0.1i/apps/ocsp.c +--- openssl-1.0.1i/apps/ocsp.c.trusted-first 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/apps/ocsp.c 2014-08-07 13:54:27.752103409 +0200 +@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-path path to use in OCSP request\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); @@ -32,20 +32,20 @@ diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c BIO_printf (bio_err, "-VAfile file validator certificates file\n"); BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); -diff -up openssl-1.0.1e/apps/s_client.c.trusted-first openssl-1.0.1e/apps/s_client.c ---- openssl-1.0.1e/apps/s_client.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/apps/s_client.c 2013-08-16 15:49:00.727542994 +0200 -@@ -298,6 +298,7 @@ static void sc_usage(void) +diff -up openssl-1.0.1i/apps/s_client.c.trusted-first openssl-1.0.1i/apps/s_client.c +--- openssl-1.0.1i/apps/s_client.c.trusted-first 2014-08-07 13:54:27.752103409 +0200 ++++ openssl-1.0.1i/apps/s_client.c 2014-08-07 15:06:28.443918055 +0200 +@@ -299,6 +299,7 @@ static void sc_usage(void) BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n"); BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); - BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); -diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c ---- openssl-1.0.1e/apps/smime.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/apps/smime.c 2013-08-16 15:46:44.024875150 +0200 + BIO_printf(bio_err," -prexit - print session information even on connection failure\n"); +diff -up openssl-1.0.1i/apps/smime.c.trusted-first openssl-1.0.1i/apps/smime.c +--- openssl-1.0.1i/apps/smime.c.trusted-first 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/apps/smime.c 2014-08-07 13:54:27.753103414 +0200 @@ -479,6 +479,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); @@ -54,10 +54,10 @@ diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_server.c ---- openssl-1.0.1e/apps/s_server.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/apps/s_server.c 2013-08-16 15:48:19.469634430 +0200 -@@ -501,6 +501,7 @@ static void sv_usage(void) +diff -up openssl-1.0.1i/apps/s_server.c.trusted-first openssl-1.0.1i/apps/s_server.c +--- openssl-1.0.1i/apps/s_server.c.trusted-first 2014-08-07 13:54:27.718103241 +0200 ++++ openssl-1.0.1i/apps/s_server.c 2014-08-07 13:54:27.753103414 +0200 +@@ -502,6 +502,7 @@ static void sv_usage(void) BIO_printf(bio_err," -state - Print the SSL states\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); @@ -65,9 +65,9 @@ diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_serv BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); -diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c ---- openssl-1.0.1e/apps/s_time.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/apps/s_time.c 2013-08-16 15:47:35.862674188 +0200 +diff -up openssl-1.0.1i/apps/s_time.c.trusted-first openssl-1.0.1i/apps/s_time.c +--- openssl-1.0.1i/apps/s_time.c.trusted-first 2014-08-07 13:54:27.432101823 +0200 ++++ openssl-1.0.1i/apps/s_time.c 2014-08-07 13:54:27.753103414 +0200 @@ -179,6 +179,7 @@ static void s_time_usage(void) file if not specified by this option\n\ -CApath arg - PEM format directory of CA's\n\ @@ -76,9 +76,9 @@ diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; printf( "usage: s_time \n\n" ); -diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c ---- openssl-1.0.1e/apps/ts.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/apps/ts.c 2013-08-16 15:45:27.766206812 +0200 +diff -up openssl-1.0.1i/apps/ts.c.trusted-first openssl-1.0.1i/apps/ts.c +--- openssl-1.0.1i/apps/ts.c.trusted-first 2014-08-07 13:54:27.707103186 +0200 ++++ openssl-1.0.1i/apps/ts.c 2014-08-07 13:54:27.753103414 +0200 @@ -383,7 +383,7 @@ int MAIN(int argc, char **argv) "ts -verify [-data file_to_hash] [-digest digest_bytes] " "[-queryfile request.tsq] " @@ -88,9 +88,9 @@ diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c "-untrusted cert_file.pem\n"); cleanup: /* Clean up. */ -diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c ---- openssl-1.0.1e/apps/verify.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/apps/verify.c 2013-08-16 15:46:09.720124654 +0200 +diff -up openssl-1.0.1i/apps/verify.c.trusted-first openssl-1.0.1i/apps/verify.c +--- openssl-1.0.1i/apps/verify.c.trusted-first 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/apps/verify.c 2014-08-07 13:54:27.754103419 +0200 @@ -237,7 +237,7 @@ int MAIN(int argc, char **argv) end: @@ -100,9 +100,9 @@ diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c BIO_printf(bio_err," [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," [-engine e]"); -diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c ---- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-08-16 15:42:39.864533545 +0200 -+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:42:39.921534791 +0200 +diff -up openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.c +--- openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first 2014-08-07 13:54:27.716103231 +0200 ++++ openssl-1.0.1i/crypto/x509/x509_vfy.c 2014-08-07 13:54:27.754103419 +0200 @@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx /* If we are self signed, we break */ @@ -125,9 +125,9 @@ diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/cryp /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) -diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h ---- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-08-16 15:42:39.356522432 +0200 -+++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-08-16 15:42:39.922534813 +0200 +diff -up openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.h +--- openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first 2014-08-07 13:54:27.360101466 +0200 ++++ openssl-1.0.1i/crypto/x509/x509_vfy.h 2014-08-07 13:54:27.754103419 +0200 @@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE #define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ @@ -137,9 +137,9 @@ diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/cryp #define X509_VP_FLAG_DEFAULT 0x1 -diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/cms.pod ---- openssl-1.0.1e/doc/apps/cms.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 15:50:48.723921117 +0200 +diff -up openssl-1.0.1i/doc/apps/cms.pod.trusted-first openssl-1.0.1i/doc/apps/cms.pod +--- openssl-1.0.1i/doc/apps/cms.pod.trusted-first 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/cms.pod 2014-08-07 13:54:27.754103419 +0200 @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] @@ -148,7 +148,7 @@ diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/c [B<-md digest>] [B<-[cipher]>] [B<-nointern>] -@@ -238,6 +239,12 @@ B<-verify>. This directory must be a sta +@@ -243,6 +244,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B) should be linked to each certificate. @@ -161,9 +161,9 @@ diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/c =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ocsp.pod ---- openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/doc/apps/ocsp.pod 2013-08-16 15:52:20.106933403 +0200 +diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/ocsp.pod +--- openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first 2014-08-07 13:54:27.708103191 +0200 ++++ openssl-1.0.1i/doc/apps/ocsp.pod 2014-08-07 13:54:27.755103424 +0200 @@ -29,6 +29,7 @@ B B [B<-path>] [B<-CApath dir>] @@ -186,10 +186,10 @@ diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ =item B<-verify_other file> file containing additional certificates to search when attempting to locate -diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/apps/s_client.pod ---- openssl-1.0.1e/doc/apps/s_client.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 15:53:17.364194159 +0200 -@@ -17,6 +17,7 @@ B B +diff -up openssl-1.0.1i/doc/apps/s_client.pod.trusted-first openssl-1.0.1i/doc/apps/s_client.pod +--- openssl-1.0.1i/doc/apps/s_client.pod.trusted-first 2014-08-07 13:54:27.726103281 +0200 ++++ openssl-1.0.1i/doc/apps/s_client.pod 2014-08-07 13:54:27.755103424 +0200 +@@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] @@ -197,7 +197,7 @@ diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/a [B<-reconnect>] [B<-pause>] [B<-showcerts>] -@@ -107,7 +108,7 @@ also used when building the client certi +@@ -121,7 +122,7 @@ also used when building the client certi A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. @@ -206,9 +206,9 @@ diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/a Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. -diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps/smime.pod ---- openssl-1.0.1e/doc/apps/smime.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 15:56:12.497050767 +0200 +diff -up openssl-1.0.1i/doc/apps/smime.pod.trusted-first openssl-1.0.1i/doc/apps/smime.pod +--- openssl-1.0.1i/doc/apps/smime.pod.trusted-first 2014-07-22 21:43:11.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/smime.pod 2014-08-07 13:54:27.755103424 +0200 @@ -15,6 +15,9 @@ B B [B<-pk7out>] [B<-[cipher]>] @@ -232,9 +232,9 @@ diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/apps/s_server.pod ---- openssl-1.0.1e/doc/apps/s_server.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 -+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 15:54:33.609873214 +0200 +diff -up openssl-1.0.1i/doc/apps/s_server.pod.trusted-first openssl-1.0.1i/doc/apps/s_server.pod +--- openssl-1.0.1i/doc/apps/s_server.pod.trusted-first 2014-08-07 13:54:27.726103281 +0200 ++++ openssl-1.0.1i/doc/apps/s_server.pod 2014-08-07 15:07:12.315099577 +0200 @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] @@ -242,8 +242,8 @@ diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/a +[B<-trusted_first>] [B<-nocert>] [B<-cipher cipherlist>] - [B<-quiet>] -@@ -168,6 +169,12 @@ and to use when attempting to build the + [B<-serverpref>] +@@ -178,6 +179,12 @@ and to use when attempting to build the is also used in the list of acceptable client CAs passed to the client when a certificate is requested. @@ -256,9 +256,9 @@ diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/a =item B<-state> prints out the SSL session states. -diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/apps/s_time.pod ---- openssl-1.0.1e/doc/apps/s_time.pod.trusted-first 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/s_time.pod 2013-08-16 15:55:12.651732938 +0200 +diff -up openssl-1.0.1i/doc/apps/s_time.pod.trusted-first openssl-1.0.1i/doc/apps/s_time.pod +--- openssl-1.0.1i/doc/apps/s_time.pod.trusted-first 2014-07-22 21:41:23.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/s_time.pod 2014-08-07 13:54:27.755103424 +0200 @@ -14,6 +14,7 @@ B B [B<-key filename>] [B<-CApath directory>] @@ -280,9 +280,9 @@ diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/app =item B<-new> performs the timing test using a new session ID for each connection. -diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts.pod ---- openssl-1.0.1e/doc/apps/ts.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/ts.pod 2013-08-16 15:57:17.399479957 +0200 +diff -up openssl-1.0.1i/doc/apps/ts.pod.trusted-first openssl-1.0.1i/doc/apps/ts.pod +--- openssl-1.0.1i/doc/apps/ts.pod.trusted-first 2014-07-22 21:41:23.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/ts.pod 2014-08-07 13:54:27.756103429 +0200 @@ -46,6 +46,7 @@ B<-verify> [B<-token_in>] [B<-CApath> trusted_cert_path] @@ -304,9 +304,9 @@ diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts =item B<-untrusted> cert_file.pem Set of additional untrusted certificates in PEM format which may be -diff -up openssl-1.0.1e/doc/apps/verify.pod.trusted-first openssl-1.0.1e/doc/apps/verify.pod ---- openssl-1.0.1e/doc/apps/verify.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/verify.pod 2013-08-16 15:58:00.267423925 +0200 +diff -up openssl-1.0.1i/doc/apps/verify.pod.trusted-first openssl-1.0.1i/doc/apps/verify.pod +--- openssl-1.0.1i/doc/apps/verify.pod.trusted-first 2014-08-06 23:10:56.000000000 +0200 ++++ openssl-1.0.1i/doc/apps/verify.pod 2014-08-07 13:54:27.756103429 +0200 @@ -9,6 +9,7 @@ verify - Utility to verify certificates. B B [B<-CApath directory>] diff --git a/openssl.spec b/openssl.spec index 88fca31..e58b9a7 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,8 +22,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.1h -Release: 6%{?dist} +Version: 1.0.1i +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -56,12 +56,11 @@ Patch24: openssl-1.0.1e-issuer-hash.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch -Patch36: openssl-1.0.0e-doc-noeof.patch Patch39: openssl-1.0.1h-ipv6-apps.patch Patch40: openssl-1.0.1g-fips.patch Patch45: openssl-1.0.1e-env-zlib.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch -Patch49: openssl-1.0.1a-algo-doc.patch +Patch49: openssl-1.0.1i-algo-doc.patch Patch50: openssl-1.0.1-beta2-dtls1-abi.patch Patch51: openssl-1.0.1e-version.patch Patch56: openssl-1.0.0c-rsa-x931.patch @@ -73,22 +72,19 @@ Patch66: openssl-1.0.1-pkgconfig-krb5.patch Patch68: openssl-1.0.1e-secure-getenv.patch Patch69: openssl-1.0.1c-dh-1024.patch Patch70: openssl-1.0.1e-fips-ec.patch -Patch71: openssl-1.0.1h-manfix.patch +Patch71: openssl-1.0.1i-manfix.patch Patch72: openssl-1.0.1e-fips-ctor.patch Patch73: openssl-1.0.1e-ecc-suiteb.patch Patch74: openssl-1.0.1e-no-md5-verify.patch Patch75: openssl-1.0.1e-compat-symbols.patch -Patch76: openssl-1.0.1g-new-fips-reqs.patch +Patch76: openssl-1.0.1i-new-fips-reqs.patch Patch77: openssl-1.0.1e-weak-ciphers.patch -Patch78: openssl-1.0.1g-3des-strength.patch Patch90: openssl-1.0.1e-enc-fail.patch -Patch91: openssl-1.0.1e-ssl2-no-ec.patch Patch92: openssl-1.0.1h-system-cipherlist.patch Patch93: openssl-1.0.1h-disable-sslv2v3.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch -Patch82: openssl-1.0.1h-session-resumption.patch -Patch84: openssl-1.0.1e-trusted-first.patch +Patch84: openssl-1.0.1i-trusted-first.patch Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch Patch89: openssl-1.0.1e-ephemeral-key-size.patch @@ -181,7 +177,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch33 -p1 -b .ca-dir %patch34 -p1 -b .x509 %patch35 -p1 -b .version-add-engines -%patch36 -p1 -b .doc-noeof %patch39 -p1 -b .ipv6-apps %patch40 -p1 -b .fips %patch45 -p1 -b .env-zlib @@ -205,14 +200,11 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch75 -p1 -b .compat %patch76 -p1 -b .fips-reqs %patch77 -p1 -b .weak-ciphers -%patch78 -p1 -b .3des-strength %patch90 -p1 -b .enc-fail -%patch91 -p1 -b .ssl2noec %patch92 -p1 -b .system %patch93 -p1 -b .v2v3 %patch81 -p1 -b .padlock64 -%patch82 -p1 -b .resumption %patch84 -p1 -b .trusted-first %patch85 -p1 -b .armcap %patch89 -p1 -b .ephemeral @@ -483,6 +475,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Thu Aug 7 2014 Tomáš Mráz 1.0.1i-1 +- new upstream release fixing multiple moderate security issues +- for now disable only SSLv2 by default + * Fri Jul 18 2014 Tom Callaway 1.0.1h-6 - fix license handling diff --git a/sources b/sources index 5c377fa..b97a288 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -4ea0f231c61b9c66642176cdc033b386 openssl-1.0.1h-hobbled.tar.xz +c152e5284765c3325301a62b01a48fc0 openssl-1.0.1i-hobbled.tar.xz