new upstream version
This commit is contained in:
parent
0fd0958b75
commit
dc696fdac4
1
.gitignore
vendored
1
.gitignore
vendored
@ -11,3 +11,4 @@ openssl-1.0.0a-usa.tar.bz2
|
|||||||
/openssl-1.0.1a-usa.tar.xz
|
/openssl-1.0.1a-usa.tar.xz
|
||||||
/openssl-1.0.1b-usa.tar.xz
|
/openssl-1.0.1b-usa.tar.xz
|
||||||
/openssl-1.0.1c-usa.tar.xz
|
/openssl-1.0.1c-usa.tar.xz
|
||||||
|
/openssl-1.0.1e-usa.tar.xz
|
||||||
|
@ -1,189 +0,0 @@
|
|||||||
diff -up openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 openssl-1.0.0/crypto/pem/pem_all.c
|
|
||||||
--- openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 2006-11-06 20:53:37.000000000 +0100
|
|
||||||
+++ openssl-1.0.0/crypto/pem/pem_all.c 2012-04-26 17:17:35.765317652 +0200
|
|
||||||
@@ -147,7 +147,37 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRIN
|
|
||||||
|
|
||||||
IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE,
|
|
||||||
PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE)
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
|
|
||||||
+static int fips_PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
|
|
||||||
+ unsigned char *kstr, int klen,
|
|
||||||
+ pem_password_cb *cb, void *u)
|
|
||||||
+ {
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
|
|
||||||
+ (char *)kstr, klen, cb, u);
|
|
||||||
+ else
|
|
||||||
+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
|
|
||||||
+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
|
|
||||||
+ bp,x,enc,kstr,klen,cb,u);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_FP_API
|
|
||||||
+static int fips_PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
|
|
||||||
+ unsigned char *kstr, int klen,
|
|
||||||
+ pem_password_cb *cb, void *u)
|
|
||||||
+ {
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ return PEM_write_PKCS8PrivateKey(fp, x, enc,
|
|
||||||
+ (char *)kstr, klen, cb, u);
|
|
||||||
+ else
|
|
||||||
+ return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
|
|
||||||
+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
|
|
||||||
+ fp,x,enc,kstr,klen,cb,u);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_RSA
|
|
||||||
|
|
||||||
@@ -193,7 +223,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RS
|
|
||||||
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+
|
|
||||||
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
|
|
||||||
+ unsigned char *kstr, int klen,
|
|
||||||
+ pem_password_cb *cb, void *u)
|
|
||||||
+{
|
|
||||||
+ EVP_PKEY *k;
|
|
||||||
+ int ret;
|
|
||||||
+ k = EVP_PKEY_new();
|
|
||||||
+ if (!k)
|
|
||||||
+ return 0;
|
|
||||||
+ EVP_PKEY_set1_RSA(k, x);
|
|
||||||
+
|
|
||||||
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
|
|
||||||
+ EVP_PKEY_free(k);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_FP_API
|
|
||||||
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
|
|
||||||
+ unsigned char *kstr, int klen,
|
|
||||||
+ pem_password_cb *cb, void *u)
|
|
||||||
+{
|
|
||||||
+ EVP_PKEY *k;
|
|
||||||
+ int ret;
|
|
||||||
+ k = EVP_PKEY_new();
|
|
||||||
+ if (!k)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ EVP_PKEY_set1_RSA(k, x);
|
|
||||||
+
|
|
||||||
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
|
|
||||||
+ EVP_PKEY_free(k);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#else
|
|
||||||
+
|
|
||||||
IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
|
|
||||||
IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
|
|
||||||
|
|
||||||
@@ -223,7 +295,47 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp,
|
|
||||||
return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+
|
|
||||||
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
|
|
||||||
+ unsigned char *kstr, int klen,
|
|
||||||
+ pem_password_cb *cb, void *u)
|
|
||||||
+{
|
|
||||||
+ EVP_PKEY *k;
|
|
||||||
+ int ret;
|
|
||||||
+ k = EVP_PKEY_new();
|
|
||||||
+ if (!k)
|
|
||||||
+ return 0;
|
|
||||||
+ EVP_PKEY_set1_DSA(k, x);
|
|
||||||
+
|
|
||||||
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
|
|
||||||
+ EVP_PKEY_free(k);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_FP_API
|
|
||||||
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
|
|
||||||
+ unsigned char *kstr, int klen,
|
|
||||||
+ pem_password_cb *cb, void *u)
|
|
||||||
+{
|
|
||||||
+ EVP_PKEY *k;
|
|
||||||
+ int ret;
|
|
||||||
+ k = EVP_PKEY_new();
|
|
||||||
+ if (!k)
|
|
||||||
+ return 0;
|
|
||||||
+ EVP_PKEY_set1_DSA(k, x);
|
|
||||||
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
|
|
||||||
+ EVP_PKEY_free(k);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#else
|
|
||||||
+
|
|
||||||
IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_FP_API
|
|
||||||
@@ -269,8 +381,49 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *b
|
|
||||||
|
|
||||||
IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
|
|
||||||
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+
|
|
||||||
+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
|
|
||||||
+ unsigned char *kstr, int klen,
|
|
||||||
+ pem_password_cb *cb, void *u)
|
|
||||||
+{
|
|
||||||
+ EVP_PKEY *k;
|
|
||||||
+ int ret;
|
|
||||||
+ k = EVP_PKEY_new();
|
|
||||||
+ if (!k)
|
|
||||||
+ return 0;
|
|
||||||
+ EVP_PKEY_set1_EC_KEY(k, x);
|
|
||||||
+
|
|
||||||
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
|
|
||||||
+ EVP_PKEY_free(k);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_FP_API
|
|
||||||
+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
|
|
||||||
+ unsigned char *kstr, int klen,
|
|
||||||
+ pem_password_cb *cb, void *u)
|
|
||||||
+{
|
|
||||||
+ EVP_PKEY *k;
|
|
||||||
+ int ret;
|
|
||||||
+ k = EVP_PKEY_new();
|
|
||||||
+ if (!k)
|
|
||||||
+ return 0;
|
|
||||||
+ EVP_PKEY_set1_EC_KEY(k, x);
|
|
||||||
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
|
|
||||||
+ EVP_PKEY_free(k);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#else
|
|
||||||
+
|
|
||||||
IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
|
|
||||||
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_FP_API
|
|
@ -1,106 +0,0 @@
|
|||||||
diff -up openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports openssl-1.0.1c/crypto/asn1/x_pubkey.c
|
|
||||||
--- openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports 2012-02-28 15:47:16.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/crypto/asn1/x_pubkey.c 2012-05-15 17:44:14.584128501 +0200
|
|
||||||
@@ -175,12 +175,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *k
|
|
||||||
CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
|
|
||||||
if (key->pkey)
|
|
||||||
{
|
|
||||||
+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
|
|
||||||
EVP_PKEY_free(ret);
|
|
||||||
ret = key->pkey;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
+ {
|
|
||||||
key->pkey = ret;
|
|
||||||
- CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
|
|
||||||
+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
|
|
||||||
+ }
|
|
||||||
CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
diff -up openssl-1.0.1c/ssl/s3_lib.c.backports openssl-1.0.1c/ssl/s3_lib.c
|
|
||||||
--- openssl-1.0.1c/ssl/s3_lib.c.backports 2012-04-17 17:20:17.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/ssl/s3_lib.c 2012-05-15 17:42:43.880139566 +0200
|
|
||||||
@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
|
||||||
0, /* not implemented (non-ephemeral DH) */
|
|
||||||
TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
|
|
||||||
TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
|
|
||||||
- SSL_kDHr,
|
|
||||||
+ SSL_kDHd,
|
|
||||||
SSL_aDH,
|
|
||||||
SSL_AES128,
|
|
||||||
SSL_SHA256,
|
|
||||||
@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
|
||||||
0, /* not implemented (non-ephemeral DH) */
|
|
||||||
TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
|
|
||||||
TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
|
|
||||||
- SSL_kDHr,
|
|
||||||
+ SSL_kDHd,
|
|
||||||
SSL_aDH,
|
|
||||||
SSL_AES256,
|
|
||||||
SSL_SHA256,
|
|
||||||
@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
|
||||||
0,
|
|
||||||
TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
|
|
||||||
TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
|
|
||||||
- SSL_kDHr,
|
|
||||||
+ SSL_kDHd,
|
|
||||||
SSL_aDH,
|
|
||||||
SSL_AES128GCM,
|
|
||||||
SSL_AEAD,
|
|
||||||
@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
|
||||||
0,
|
|
||||||
TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
|
|
||||||
TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
|
|
||||||
- SSL_kDHr,
|
|
||||||
+ SSL_kDHd,
|
|
||||||
SSL_aDH,
|
|
||||||
SSL_AES256GCM,
|
|
||||||
SSL_AEAD,
|
|
||||||
@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
|
||||||
1,
|
|
||||||
TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
|
|
||||||
TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
|
|
||||||
- SSL_kECDHe,
|
|
||||||
+ SSL_kECDHr,
|
|
||||||
SSL_aECDH,
|
|
||||||
SSL_AES128,
|
|
||||||
SSL_SHA256,
|
|
||||||
@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
|
||||||
1,
|
|
||||||
TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
|
|
||||||
TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
|
|
||||||
- SSL_kECDHe,
|
|
||||||
+ SSL_kECDHr,
|
|
||||||
SSL_aECDH,
|
|
||||||
SSL_AES256,
|
|
||||||
SSL_SHA384,
|
|
||||||
@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
|
||||||
1,
|
|
||||||
TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
- SSL_kECDHe,
|
|
||||||
+ SSL_kECDHr,
|
|
||||||
SSL_aECDH,
|
|
||||||
SSL_AES128GCM,
|
|
||||||
SSL_AEAD,
|
|
||||||
@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
|
||||||
1,
|
|
||||||
TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
- SSL_kECDHe,
|
|
||||||
+ SSL_kECDHr,
|
|
||||||
SSL_aECDH,
|
|
||||||
SSL_AES256GCM,
|
|
||||||
SSL_AEAD,
|
|
||||||
diff -up openssl-1.0.1c/ssl/s3_pkt.c.backports openssl-1.0.1c/ssl/s3_pkt.c
|
|
||||||
--- openssl-1.0.1c/ssl/s3_pkt.c.backports 2012-04-17 15:20:19.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/ssl/s3_pkt.c 2012-05-15 17:43:48.470555889 +0200
|
|
||||||
@@ -744,6 +744,7 @@ static int do_ssl3_write(SSL *s, int typ
|
|
||||||
* bytes and record version number > TLS 1.0
|
|
||||||
*/
|
|
||||||
if (s->state == SSL3_ST_CW_CLNT_HELLO_B
|
|
||||||
+ && !s->renegotiate
|
|
||||||
&& TLS1_get_version(s) > TLS1_VERSION)
|
|
||||||
*(p++) = 0x1;
|
|
||||||
else
|
|
@ -1,385 +0,0 @@
|
|||||||
diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c
|
|
||||||
--- openssl-1.0.1c/apps/cms.c.backports2 2012-01-05 14:46:27.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/apps/cms.c 2012-11-14 20:27:50.240211707 +0100
|
|
||||||
@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
|
|
||||||
else if (!strcmp(*args,"-camellia256"))
|
|
||||||
cipher = EVP_camellia_256_cbc();
|
|
||||||
#endif
|
|
||||||
+ else if (!strcmp (*args, "-debug_decrypt"))
|
|
||||||
+ flags |= CMS_DEBUG_DECRYPT;
|
|
||||||
else if (!strcmp (*args, "-text"))
|
|
||||||
flags |= CMS_TEXT;
|
|
||||||
else if (!strcmp (*args, "-nointern"))
|
|
||||||
@@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv)
|
|
||||||
ret = 4;
|
|
||||||
if (operation == SMIME_DECRYPT)
|
|
||||||
{
|
|
||||||
+ if (flags & CMS_DEBUG_DECRYPT)
|
|
||||||
+ CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
|
|
||||||
|
|
||||||
if (secret_key)
|
|
||||||
{
|
|
||||||
diff -up openssl-1.0.1c/crypto/asn1/a_strex.c.backports2 openssl-1.0.1c/crypto/asn1/a_strex.c
|
|
||||||
--- openssl-1.0.1c/crypto/asn1/a_strex.c.backports2 2011-01-03 02:30:58.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/crypto/asn1/a_strex.c 2012-11-20 22:13:05.722766980 +0100
|
|
||||||
@@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **
|
|
||||||
if(mbflag == -1) return -1;
|
|
||||||
mbflag |= MBSTRING_FLAG;
|
|
||||||
stmp.data = NULL;
|
|
||||||
+ stmp.length = 0;
|
|
||||||
ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
|
|
||||||
if(ret < 0) return ret;
|
|
||||||
*out = stmp.data;
|
|
||||||
diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h
|
|
||||||
--- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 2012-11-14 20:27:49.696199811 +0100
|
|
||||||
+++ openssl-1.0.1c/crypto/bn/bn_lcl.h 2012-11-14 20:27:50.240211707 +0100
|
|
||||||
@@ -282,16 +282,23 @@ extern "C" {
|
|
||||||
# endif
|
|
||||||
# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
|
|
||||||
# if defined(__GNUC__) && __GNUC__>=2
|
|
||||||
-# define BN_UMULT_HIGH(a,b) ({ \
|
|
||||||
+# if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */
|
|
||||||
+# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
|
|
||||||
+# define BN_UMULT_LOHI(low,high,a,b) ({ \
|
|
||||||
+ __uint128_t ret=(__uint128_t)(a)*(b); \
|
|
||||||
+ (high)=ret>>64; (low)=ret; })
|
|
||||||
+# else
|
|
||||||
+# define BN_UMULT_HIGH(a,b) ({ \
|
|
||||||
register BN_ULONG ret; \
|
|
||||||
asm ("dmultu %1,%2" \
|
|
||||||
: "=h"(ret) \
|
|
||||||
: "r"(a), "r"(b) : "l"); \
|
|
||||||
ret; })
|
|
||||||
-# define BN_UMULT_LOHI(low,high,a,b) \
|
|
||||||
+# define BN_UMULT_LOHI(low,high,a,b)\
|
|
||||||
asm ("dmultu %2,%3" \
|
|
||||||
: "=l"(low),"=h"(high) \
|
|
||||||
: "r"(a), "r"(b));
|
|
||||||
+# endif
|
|
||||||
# endif
|
|
||||||
# endif /* cpu */
|
|
||||||
#endif /* OPENSSL_NO_ASM */
|
|
||||||
diff -up openssl-1.0.1c/crypto/evp/e_aes.c.backports2 openssl-1.0.1c/crypto/evp/e_aes.c
|
|
||||||
--- openssl-1.0.1c/crypto/evp/e_aes.c.backports2 2012-11-14 20:27:50.238211664 +0100
|
|
||||||
+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-11-20 22:10:06.350891703 +0100
|
|
||||||
@@ -968,8 +968,6 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
|
|
||||||
|
|
||||||
if (!gctx->iv_set)
|
|
||||||
return -1;
|
|
||||||
- if (!ctx->encrypt && gctx->taglen < 0)
|
|
||||||
- return -1;
|
|
||||||
if (in)
|
|
||||||
{
|
|
||||||
if (out == NULL)
|
|
||||||
@@ -1011,6 +1009,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
|
|
||||||
{
|
|
||||||
if (!ctx->encrypt)
|
|
||||||
{
|
|
||||||
+ if (gctx->taglen < 0)
|
|
||||||
+ return -1;
|
|
||||||
if (CRYPTO_gcm128_finish(&gctx->gcm,
|
|
||||||
ctx->buf, gctx->taglen) != 0)
|
|
||||||
return -1;
|
|
||||||
diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c
|
|
||||||
--- openssl-1.0.1c/crypto/modes/gcm128.c.backports2 2012-01-25 18:56:24.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/crypto/modes/gcm128.c 2012-11-14 20:27:50.241211729 +0100
|
|
||||||
@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT
|
|
||||||
void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if (ctx->mres)
|
|
||||||
+ if (ctx->mres || ctx->ares)
|
|
||||||
GCM_MUL(ctx,Xi);
|
|
||||||
|
|
||||||
if (is_endian.little) {
|
|
||||||
diff -up openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl.backports2 openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl
|
|
||||||
--- openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl.backports2 2012-11-14 20:27:50.293212866 +0100
|
|
||||||
+++ openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl 2012-11-20 22:20:15.015041719 +0100
|
|
||||||
@@ -177,6 +177,7 @@ for($i=0;$i<5;$i++) {
|
|
||||||
$code.=<<___;
|
|
||||||
teq $Xi,sp
|
|
||||||
bne .L_00_15 @ [((11+4)*5+2)*3]
|
|
||||||
+ sub sp,sp,#25*4
|
|
||||||
___
|
|
||||||
&BODY_00_15(@V); unshift(@V,pop(@V));
|
|
||||||
&BODY_16_19(@V); unshift(@V,pop(@V));
|
|
||||||
@@ -186,7 +187,6 @@ ___
|
|
||||||
$code.=<<___;
|
|
||||||
|
|
||||||
ldr $K,.LK_20_39 @ [+15+16*4]
|
|
||||||
- sub sp,sp,#25*4
|
|
||||||
cmn sp,#0 @ [+3], clear carry to denote 20_39
|
|
||||||
.L_20_39_or_60_79:
|
|
||||||
___
|
|
||||||
diff -up openssl-1.0.1c/ssl/s3_srvr.c.backports2 openssl-1.0.1c/ssl/s3_srvr.c
|
|
||||||
--- openssl-1.0.1c/ssl/s3_srvr.c.backports2 2012-04-15 19:23:41.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/ssl/s3_srvr.c 2012-11-20 22:23:21.684755182 +0100
|
|
||||||
@@ -1181,7 +1181,7 @@ int ssl3_get_client_hello(SSL *s)
|
|
||||||
goto f_err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- if (ssl_check_clienthello_tlsext(s) <= 0) {
|
|
||||||
+ if (ssl_check_clienthello_tlsext_early(s) <= 0) {
|
|
||||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
@@ -1403,6 +1403,16 @@ int ssl3_get_client_hello(SSL *s)
|
|
||||||
* s->tmp.new_cipher - the new cipher to use.
|
|
||||||
*/
|
|
||||||
|
|
||||||
+ /* Handles TLS extensions that we couldn't check earlier */
|
|
||||||
+ if (s->version >= SSL3_VERSION)
|
|
||||||
+ {
|
|
||||||
+ if (ssl_check_clienthello_tlsext_late(s) <= 0)
|
|
||||||
+ {
|
|
||||||
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (ret < 0) ret=1;
|
|
||||||
if (0)
|
|
||||||
{
|
|
||||||
diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c
|
|
||||||
--- openssl-1.0.1c/ssl/ssl_cert.c.backports2 2011-05-11 15:37:52.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/ssl/ssl_cert.c 2012-11-14 20:27:50.241211729 +0100
|
|
||||||
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT
|
|
||||||
{
|
|
||||||
/* Set digest values to defaults */
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
|
|
||||||
+ cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_RSA
|
|
||||||
cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
|
|
||||||
cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_ECDSA
|
|
||||||
- cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
|
|
||||||
+ cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1c/ssl/ssl_lib.c.backports2 openssl-1.0.1c/ssl/ssl_lib.c
|
|
||||||
--- openssl-1.0.1c/ssl/ssl_lib.c.backports2 2012-01-05 11:22:39.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/ssl/ssl_lib.c 2012-11-20 22:25:29.243509755 +0100
|
|
||||||
@@ -2287,7 +2287,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* THIS NEEDS CLEANING UP */
|
|
||||||
-X509 *ssl_get_server_send_cert(SSL *s)
|
|
||||||
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
|
|
||||||
{
|
|
||||||
unsigned long alg_k,alg_a;
|
|
||||||
CERT *c;
|
|
||||||
@@ -2345,9 +2345,17 @@ X509 *ssl_get_server_send_cert(SSL *s)
|
|
||||||
SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
|
|
||||||
return(NULL);
|
|
||||||
}
|
|
||||||
- if (c->pkeys[i].x509 == NULL) return(NULL);
|
|
||||||
|
|
||||||
- return(c->pkeys[i].x509);
|
|
||||||
+ return c->pkeys + i;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+X509 *ssl_get_server_send_cert(const SSL *s)
|
|
||||||
+ {
|
|
||||||
+ CERT_PKEY *cpk;
|
|
||||||
+ cpk = ssl_get_server_send_pkey(s);
|
|
||||||
+ if (!cpk)
|
|
||||||
+ return NULL;
|
|
||||||
+ return cpk->x509;
|
|
||||||
}
|
|
||||||
|
|
||||||
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
|
|
||||||
@@ -2780,7 +2788,9 @@ void ssl_clear_cipher_ctx(SSL *s)
|
|
||||||
/* Fix this function so that it takes an optional type parameter */
|
|
||||||
X509 *SSL_get_certificate(const SSL *s)
|
|
||||||
{
|
|
||||||
- if (s->cert != NULL)
|
|
||||||
+ if (s->server)
|
|
||||||
+ return(ssl_get_server_send_cert(s));
|
|
||||||
+ else if (s->cert != NULL)
|
|
||||||
return(s->cert->key->x509);
|
|
||||||
else
|
|
||||||
return(NULL);
|
|
||||||
diff -up openssl-1.0.1c/ssl/ssl_locl.h.backports2 openssl-1.0.1c/ssl/ssl_locl.h
|
|
||||||
--- openssl-1.0.1c/ssl/ssl_locl.h.backports2 2012-11-14 20:27:50.056207682 +0100
|
|
||||||
+++ openssl-1.0.1c/ssl/ssl_locl.h 2012-11-20 22:25:29.244509777 +0100
|
|
||||||
@@ -814,7 +814,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_O
|
|
||||||
int ssl_undefined_function(SSL *s);
|
|
||||||
int ssl_undefined_void_function(void);
|
|
||||||
int ssl_undefined_const_function(const SSL *s);
|
|
||||||
-X509 *ssl_get_server_send_cert(SSL *);
|
|
||||||
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
|
|
||||||
+X509 *ssl_get_server_send_cert(const SSL *);
|
|
||||||
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
|
|
||||||
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
|
|
||||||
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
|
|
||||||
@@ -1065,7 +1066,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
|
||||||
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
|
|
||||||
int ssl_prepare_clienthello_tlsext(SSL *s);
|
|
||||||
int ssl_prepare_serverhello_tlsext(SSL *s);
|
|
||||||
-int ssl_check_clienthello_tlsext(SSL *s);
|
|
||||||
+int ssl_check_clienthello_tlsext_early(SSL *s);
|
|
||||||
+int ssl_check_clienthello_tlsext_late(SSL *s);
|
|
||||||
int ssl_check_serverhello_tlsext(SSL *s);
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_HEARTBEATS
|
|
||||||
diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c
|
|
||||||
--- openssl-1.0.1c/ssl/t1_lib.c.backports2 2012-03-21 22:32:57.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/ssl/t1_lib.c 2012-11-20 22:25:29.244509777 +0100
|
|
||||||
@@ -1763,7 +1763,7 @@ int ssl_prepare_serverhello_tlsext(SSL *
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int ssl_check_clienthello_tlsext(SSL *s)
|
|
||||||
+int ssl_check_clienthello_tlsext_early(SSL *s)
|
|
||||||
{
|
|
||||||
int ret=SSL_TLSEXT_ERR_NOACK;
|
|
||||||
int al = SSL_AD_UNRECOGNIZED_NAME;
|
|
||||||
@@ -1782,42 +1782,12 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
|
||||||
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
|
|
||||||
ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
|
|
||||||
|
|
||||||
- /* If status request then ask callback what to do.
|
|
||||||
- * Note: this must be called after servername callbacks in case
|
|
||||||
- * the certificate has changed.
|
|
||||||
- */
|
|
||||||
- if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
|
|
||||||
- {
|
|
||||||
- int r;
|
|
||||||
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
|
|
||||||
- switch (r)
|
|
||||||
- {
|
|
||||||
- /* We don't want to send a status request response */
|
|
||||||
- case SSL_TLSEXT_ERR_NOACK:
|
|
||||||
- s->tlsext_status_expected = 0;
|
|
||||||
- break;
|
|
||||||
- /* status request response should be sent */
|
|
||||||
- case SSL_TLSEXT_ERR_OK:
|
|
||||||
- if (s->tlsext_ocsp_resp)
|
|
||||||
- s->tlsext_status_expected = 1;
|
|
||||||
- else
|
|
||||||
- s->tlsext_status_expected = 0;
|
|
||||||
- break;
|
|
||||||
- /* something bad happened */
|
|
||||||
- case SSL_TLSEXT_ERR_ALERT_FATAL:
|
|
||||||
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
||||||
- al = SSL_AD_INTERNAL_ERROR;
|
|
||||||
- goto err;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- else
|
|
||||||
- s->tlsext_status_expected = 0;
|
|
||||||
-
|
|
||||||
#ifdef TLSEXT_TYPE_opaque_prf_input
|
|
||||||
{
|
|
||||||
/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
|
|
||||||
* but we might be sending an alert in response to the client hello,
|
|
||||||
- * so this has to happen here in ssl_check_clienthello_tlsext(). */
|
|
||||||
+ * so this has to happen here in
|
|
||||||
+ * ssl_check_clienthello_tlsext_early(). */
|
|
||||||
|
|
||||||
int r = 1;
|
|
||||||
|
|
||||||
@@ -1869,8 +1839,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-#endif
|
|
||||||
err:
|
|
||||||
+#endif
|
|
||||||
switch (ret)
|
|
||||||
{
|
|
||||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
|
||||||
@@ -1888,6 +1858,71 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+int ssl_check_clienthello_tlsext_late(SSL *s)
|
|
||||||
+ {
|
|
||||||
+ int ret = SSL_TLSEXT_ERR_OK;
|
|
||||||
+ int al;
|
|
||||||
+
|
|
||||||
+ /* If status request then ask callback what to do.
|
|
||||||
+ * Note: this must be called after servername callbacks in case
|
|
||||||
+ * the certificate has changed, and must be called after the cipher
|
|
||||||
+ * has been chosen because this may influence which certificate is sent
|
|
||||||
+ */
|
|
||||||
+ if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
|
|
||||||
+ {
|
|
||||||
+ int r;
|
|
||||||
+ CERT_PKEY *certpkey;
|
|
||||||
+ certpkey = ssl_get_server_send_pkey(s);
|
|
||||||
+ /* If no certificate can't return certificate status */
|
|
||||||
+ if (certpkey == NULL)
|
|
||||||
+ {
|
|
||||||
+ s->tlsext_status_expected = 0;
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ /* Set current certificate to one we will use so
|
|
||||||
+ * SSL_get_certificate et al can pick it up.
|
|
||||||
+ */
|
|
||||||
+ s->cert->key = certpkey;
|
|
||||||
+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
|
|
||||||
+ switch (r)
|
|
||||||
+ {
|
|
||||||
+ /* We don't want to send a status request response */
|
|
||||||
+ case SSL_TLSEXT_ERR_NOACK:
|
|
||||||
+ s->tlsext_status_expected = 0;
|
|
||||||
+ break;
|
|
||||||
+ /* status request response should be sent */
|
|
||||||
+ case SSL_TLSEXT_ERR_OK:
|
|
||||||
+ if (s->tlsext_ocsp_resp)
|
|
||||||
+ s->tlsext_status_expected = 1;
|
|
||||||
+ else
|
|
||||||
+ s->tlsext_status_expected = 0;
|
|
||||||
+ break;
|
|
||||||
+ /* something bad happened */
|
|
||||||
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
|
|
||||||
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
||||||
+ al = SSL_AD_INTERNAL_ERROR;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ s->tlsext_status_expected = 0;
|
|
||||||
+
|
|
||||||
+ err:
|
|
||||||
+ switch (ret)
|
|
||||||
+ {
|
|
||||||
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
|
|
||||||
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
|
|
||||||
+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
int ssl_check_serverhello_tlsext(SSL *s)
|
|
||||||
{
|
|
||||||
int ret=SSL_TLSEXT_ERR_NOACK;
|
|
||||||
@@ -2414,7 +2449,7 @@ int tls1_process_sigalgs(SSL *s, const u
|
|
||||||
*/
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
|
|
||||||
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
|
|
||||||
+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_RSA
|
|
||||||
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
|
|
||||||
@@ -2425,7 +2460,7 @@ int tls1_process_sigalgs(SSL *s, const u
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_ECDSA
|
|
||||||
if (!c->pkeys[SSL_PKEY_ECC].digest)
|
|
||||||
- c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
|
|
||||||
+ c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
|
|
||||||
#endif
|
|
||||||
return 1;
|
|
||||||
}
|
|
@ -1,11 +0,0 @@
|
|||||||
diff -up openssl-1.0.1c/crypto/evp/e_aes.c.init-str openssl-1.0.1c/crypto/evp/e_aes.c
|
|
||||||
--- openssl-1.0.1c/crypto/evp/e_aes.c.init-str 2012-09-06 17:20:45.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-09-06 17:18:30.000000000 +0200
|
|
||||||
@@ -1216,6 +1216,7 @@ static int aes_ccm_init_key(EVP_CIPHER_C
|
|
||||||
vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
|
|
||||||
CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
|
|
||||||
&cctx->ks, (block128_f)vpaes_encrypt);
|
|
||||||
+ cctx->str = NULL;
|
|
||||||
cctx->key_set = 1;
|
|
||||||
break;
|
|
||||||
}
|
|
@ -1,11 +0,0 @@
|
|||||||
diff -up openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1c/crypto/x509/x509_cmp.c
|
|
||||||
--- openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash 2011-06-22 04:18:06.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/crypto/x509/x509_cmp.c 2012-12-21 17:18:38.101308997 +0100
|
|
||||||
@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
|
|
||||||
char *f;
|
|
||||||
|
|
||||||
EVP_MD_CTX_init(&ctx);
|
|
||||||
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
|
||||||
f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
|
|
||||||
ret=strlen(f);
|
|
||||||
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
|
|
@ -1,474 +0,0 @@
|
|||||||
diff -up openssl-1.0.1c/doc/apps/verify.pod.manfix openssl-1.0.1c/doc/apps/verify.pod
|
|
||||||
--- openssl-1.0.1c/doc/apps/verify.pod.manfix 2010-02-23 15:09:22.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/doc/apps/verify.pod 2013-01-30 17:36:15.277264650 +0100
|
|
||||||
@@ -54,35 +54,37 @@ in PEM format concatenated together.
|
|
||||||
=item B<-untrusted file>
|
|
||||||
|
|
||||||
A file of untrusted certificates. The file should contain multiple certificates
|
|
||||||
+in PEM format concatenated together.
|
|
||||||
|
|
||||||
=item B<-purpose purpose>
|
|
||||||
|
|
||||||
-the intended use for the certificate. Without this option no chain verification
|
|
||||||
-will be done. Currently accepted uses are B<sslclient>, B<sslserver>,
|
|
||||||
-B<nssslserver>, B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION>
|
|
||||||
-section for more information.
|
|
||||||
+The intended use for the certificate. If this option is not specified,
|
|
||||||
+B<verify> will not consider certificate purpose during chain verification.
|
|
||||||
+Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
|
|
||||||
+B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
|
|
||||||
+information.
|
|
||||||
|
|
||||||
=item B<-help>
|
|
||||||
|
|
||||||
-prints out a usage message.
|
|
||||||
+Print out a usage message.
|
|
||||||
|
|
||||||
=item B<-verbose>
|
|
||||||
|
|
||||||
-print extra information about the operations being performed.
|
|
||||||
+Print extra information about the operations being performed.
|
|
||||||
|
|
||||||
=item B<-issuer_checks>
|
|
||||||
|
|
||||||
-print out diagnostics relating to searches for the issuer certificate
|
|
||||||
-of the current certificate. This shows why each candidate issuer
|
|
||||||
-certificate was rejected. However the presence of rejection messages
|
|
||||||
-does not itself imply that anything is wrong: during the normal
|
|
||||||
-verify process several rejections may take place.
|
|
||||||
+Print out diagnostics relating to searches for the issuer certificate of the
|
|
||||||
+current certificate. This shows why each candidate issuer certificate was
|
|
||||||
+rejected. The presence of rejection messages does not itself imply that
|
|
||||||
+anything is wrong; during the normal verification process, several
|
|
||||||
+rejections may take place.
|
|
||||||
|
|
||||||
=item B<-policy arg>
|
|
||||||
|
|
||||||
-Enable policy processing and add B<arg> to the user-initial-policy-set
|
|
||||||
-(see RFC3280 et al). The policy B<arg> can be an object name an OID in numeric
|
|
||||||
-form. This argument can appear more than once.
|
|
||||||
+Enable policy processing and add B<arg> to the user-initial-policy-set (see
|
|
||||||
+RFC5280). The policy B<arg> can be an object name an OID in numeric form.
|
|
||||||
+This argument can appear more than once.
|
|
||||||
|
|
||||||
=item B<-policy_check>
|
|
||||||
|
|
||||||
@@ -90,41 +92,40 @@ Enables certificate policy processing.
|
|
||||||
|
|
||||||
=item B<-explicit_policy>
|
|
||||||
|
|
||||||
-Set policy variable require-explicit-policy (see RFC3280 et al).
|
|
||||||
+Set policy variable require-explicit-policy (see RFC5280).
|
|
||||||
|
|
||||||
=item B<-inhibit_any>
|
|
||||||
|
|
||||||
-Set policy variable inhibit-any-policy (see RFC3280 et al).
|
|
||||||
+Set policy variable inhibit-any-policy (see RFC5280).
|
|
||||||
|
|
||||||
=item B<-inhibit_map>
|
|
||||||
|
|
||||||
-Set policy variable inhibit-policy-mapping (see RFC3280 et al).
|
|
||||||
+Set policy variable inhibit-policy-mapping (see RFC5280).
|
|
||||||
|
|
||||||
=item B<-policy_print>
|
|
||||||
|
|
||||||
-Print out diagnostics, related to policy checking
|
|
||||||
+Print out diagnostics related to policy processing.
|
|
||||||
|
|
||||||
=item B<-crl_check>
|
|
||||||
|
|
||||||
-Checks end entity certificate validity by attempting to lookup a valid CRL.
|
|
||||||
+Checks end entity certificate validity by attempting to look up a valid CRL.
|
|
||||||
If a valid CRL cannot be found an error occurs.
|
|
||||||
|
|
||||||
=item B<-crl_check_all>
|
|
||||||
|
|
||||||
Checks the validity of B<all> certificates in the chain by attempting
|
|
||||||
-to lookup valid CRLs.
|
|
||||||
+to look up valid CRLs.
|
|
||||||
|
|
||||||
=item B<-ignore_critical>
|
|
||||||
|
|
||||||
Normally if an unhandled critical extension is present which is not
|
|
||||||
-supported by OpenSSL the certificate is rejected (as required by
|
|
||||||
-RFC3280 et al). If this option is set critical extensions are
|
|
||||||
-ignored.
|
|
||||||
+supported by OpenSSL the certificate is rejected (as required by RFC5280).
|
|
||||||
+If this option is set critical extensions are ignored.
|
|
||||||
|
|
||||||
=item B<-x509_strict>
|
|
||||||
|
|
||||||
-Disable workarounds for broken certificates which have to be disabled
|
|
||||||
-for strict X.509 compliance.
|
|
||||||
+For strict X.509 compliance, disable non-compliant workarounds for broken
|
|
||||||
+certificates.
|
|
||||||
|
|
||||||
=item B<-extended_crl>
|
|
||||||
|
|
||||||
@@ -142,16 +143,15 @@ because it doesn't add any security.
|
|
||||||
|
|
||||||
=item B<->
|
|
||||||
|
|
||||||
-marks the last option. All arguments following this are assumed to be
|
|
||||||
+Indicates the last option. All arguments following this are assumed to be
|
|
||||||
certificate files. This is useful if the first certificate filename begins
|
|
||||||
with a B<->.
|
|
||||||
|
|
||||||
=item B<certificates>
|
|
||||||
|
|
||||||
-one or more certificates to verify. If no certificate filenames are included
|
|
||||||
-then an attempt is made to read a certificate from standard input. They should
|
|
||||||
-all be in PEM format.
|
|
||||||
-
|
|
||||||
+One or more certificates to verify. If no certificates are given, B<verify>
|
|
||||||
+will attempt to read a certificate from standard input. Certificates must be
|
|
||||||
+in PEM format.
|
|
||||||
|
|
||||||
=back
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1c/doc/apps/x509.pod.manfix openssl-1.0.1c/doc/apps/x509.pod
|
|
||||||
--- openssl-1.0.1c/doc/apps/x509.pod.manfix 2013-01-10 10:26:11.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/doc/apps/x509.pod 2013-01-30 17:35:38.952458133 +0100
|
|
||||||
@@ -29,6 +29,7 @@ B<openssl> B<x509>
|
|
||||||
[B<-purpose>]
|
|
||||||
[B<-dates>]
|
|
||||||
[B<-modulus>]
|
|
||||||
+[B<-pubkey>]
|
|
||||||
[B<-fingerprint>]
|
|
||||||
[B<-alias>]
|
|
||||||
[B<-noout>]
|
|
||||||
@@ -136,6 +137,10 @@ section for more information.
|
|
||||||
|
|
||||||
this option prevents output of the encoded version of the request.
|
|
||||||
|
|
||||||
+=item B<-pubkey>
|
|
||||||
+
|
|
||||||
+outputs the the certificate's SubjectPublicKeyInfo block in PEM format.
|
|
||||||
+
|
|
||||||
=item B<-modulus>
|
|
||||||
|
|
||||||
this option prints out the value of the modulus of the public key
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_CTX_ctrl.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_CTX_ctrl.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_CTX_ctrl.pod.manfix 2009-10-01 01:40:47.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_CTX_ctrl.pod 2013-01-30 17:36:05.381045128 +0100
|
|
||||||
@@ -117,7 +117,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3
|
|
||||||
L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
|
|
||||||
L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
|
|
||||||
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
|
|
||||||
L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
|
|
||||||
L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_decrypt.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_decrypt.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_decrypt.pod.manfix 2009-10-01 01:40:48.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_decrypt.pod 2013-01-30 17:36:05.381045128 +0100
|
|
||||||
@@ -83,7 +83,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3
|
|
||||||
L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
|
|
||||||
L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
|
|
||||||
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
|
|
||||||
L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_derive.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_derive.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_derive.pod.manfix 2009-10-01 01:40:48.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_derive.pod 2013-01-30 17:36:05.381045128 +0100
|
|
||||||
@@ -84,7 +84,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3
|
|
||||||
L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
|
|
||||||
L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
|
|
||||||
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_encrypt.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_encrypt.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_encrypt.pod.manfix 2009-10-01 01:40:48.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_encrypt.pod 2013-01-30 17:36:05.382045143 +0100
|
|
||||||
@@ -83,7 +83,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3
|
|
||||||
L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
|
|
||||||
L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
|
|
||||||
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
|
|
||||||
L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_get_default_digest.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_get_default_digest.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_get_default_digest.pod.manfix 2009-10-01 01:40:48.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_get_default_digest.pod 2013-01-30 17:36:05.382045143 +0100
|
|
||||||
@@ -32,7 +32,7 @@ public key algorithm.
|
|
||||||
L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
|
|
||||||
L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
|
|
||||||
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_keygen.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_keygen.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_keygen.pod.manfix 2009-10-01 01:40:49.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_keygen.pod 2013-01-30 17:36:05.382045143 +0100
|
|
||||||
@@ -151,7 +151,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3
|
|
||||||
L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
|
|
||||||
L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
|
|
||||||
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
|
|
||||||
L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_sign.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_sign.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_sign.pod.manfix 2009-10-01 01:40:50.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_sign.pod 2013-01-30 17:36:05.383045149 +0100
|
|
||||||
@@ -86,7 +86,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3
|
|
||||||
L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
|
|
||||||
L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
|
|
||||||
L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
|
|
||||||
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
|
|
||||||
L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_verify.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_verify.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_verify.pod.manfix 2010-12-02 14:45:25.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_verify.pod 2013-01-30 17:36:05.383045149 +0100
|
|
||||||
@@ -81,7 +81,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3
|
|
||||||
L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
|
|
||||||
L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
|
|
||||||
L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
|
|
||||||
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
|
|
||||||
L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_verify_recover.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_verify_recover.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_verify_recover.pod.manfix 2013-01-30 17:36:05.383045149 +0100
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_verify_recover.pod 2013-01-30 17:36:05.383045149 +0100
|
|
||||||
@@ -0,0 +1,103 @@
|
|
||||||
+=pod
|
|
||||||
+
|
|
||||||
+=head1 NAME
|
|
||||||
+
|
|
||||||
+EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using a public key algorithm
|
|
||||||
+
|
|
||||||
+=head1 SYNOPSIS
|
|
||||||
+
|
|
||||||
+ #include <openssl/evp.h>
|
|
||||||
+
|
|
||||||
+ int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
|
|
||||||
+ int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
|
|
||||||
+ unsigned char *rout, size_t *routlen,
|
|
||||||
+ const unsigned char *sig, size_t siglen);
|
|
||||||
+
|
|
||||||
+=head1 DESCRIPTION
|
|
||||||
+
|
|
||||||
+The EVP_PKEY_verify_recover_init() function initializes a public key algorithm
|
|
||||||
+context using key B<pkey> for a verify recover operation.
|
|
||||||
+
|
|
||||||
+The EVP_PKEY_verify_recover() function recovers signed data
|
|
||||||
+using B<ctx>. The signature is specified using the B<sig> and
|
|
||||||
+B<siglen> parameters. If B<rout> is B<NULL> then the maximum size of the output
|
|
||||||
+buffer is written to the B<routlen> parameter. If B<rout> is not B<NULL> then
|
|
||||||
+before the call the B<routlen> parameter should contain the length of the
|
|
||||||
+B<rout> buffer, if the call is successful recovered data is written to
|
|
||||||
+B<rout> and the amount of data written to B<routlen>.
|
|
||||||
+
|
|
||||||
+=head1 NOTES
|
|
||||||
+
|
|
||||||
+Normally an application is only interested in whether a signature verification
|
|
||||||
+operation is successful in those cases the EVP_verify() function should be
|
|
||||||
+used.
|
|
||||||
+
|
|
||||||
+Sometimes however it is useful to obtain the data originally signed using a
|
|
||||||
+signing operation. Only certain public key algorithms can recover a signature
|
|
||||||
+in this way (for example RSA in PKCS padding mode).
|
|
||||||
+
|
|
||||||
+After the call to EVP_PKEY_verify_recover_init() algorithm specific control
|
|
||||||
+operations can be performed to set any appropriate parameters for the
|
|
||||||
+operation.
|
|
||||||
+
|
|
||||||
+The function EVP_PKEY_verify_recover() can be called more than once on the same
|
|
||||||
+context if several operations are performed using the same parameters.
|
|
||||||
+
|
|
||||||
+=head1 RETURN VALUES
|
|
||||||
+
|
|
||||||
+EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for success
|
|
||||||
+and 0 or a negative value for failure. In particular a return value of -2
|
|
||||||
+indicates the operation is not supported by the public key algorithm.
|
|
||||||
+
|
|
||||||
+=head1 EXAMPLE
|
|
||||||
+
|
|
||||||
+Recover digest originally signed using PKCS#1 and SHA256 digest:
|
|
||||||
+
|
|
||||||
+ #include <openssl/evp.h>
|
|
||||||
+ #include <openssl/rsa.h>
|
|
||||||
+
|
|
||||||
+ EVP_PKEY_CTX *ctx;
|
|
||||||
+ unsigned char *rout, *sig;
|
|
||||||
+ size_t routlen, siglen;
|
|
||||||
+ EVP_PKEY *verify_key;
|
|
||||||
+ /* NB: assumes verify_key, sig and siglen are already set up
|
|
||||||
+ * and that verify_key is an RSA public key
|
|
||||||
+ */
|
|
||||||
+ ctx = EVP_PKEY_CTX_new(verify_key);
|
|
||||||
+ if (!ctx)
|
|
||||||
+ /* Error occurred */
|
|
||||||
+ if (EVP_PKEY_verify_recover_init(ctx) <= 0)
|
|
||||||
+ /* Error */
|
|
||||||
+ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
|
|
||||||
+ /* Error */
|
|
||||||
+ if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
|
|
||||||
+ /* Error */
|
|
||||||
+
|
|
||||||
+ /* Determine buffer length */
|
|
||||||
+ if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0)
|
|
||||||
+ /* Error */
|
|
||||||
+
|
|
||||||
+ rout = OPENSSL_malloc(routlen);
|
|
||||||
+
|
|
||||||
+ if (!rout)
|
|
||||||
+ /* malloc failure */
|
|
||||||
+
|
|
||||||
+ if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0)
|
|
||||||
+ /* Error */
|
|
||||||
+
|
|
||||||
+ /* Recovered data is routlen bytes written to buffer rout */
|
|
||||||
+
|
|
||||||
+=head1 SEE ALSO
|
|
||||||
+
|
|
||||||
+L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
|
|
||||||
+L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
|
|
||||||
+L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
|
|
||||||
+L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
+L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
+L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
|
|
||||||
+
|
|
||||||
+=head1 HISTORY
|
|
||||||
+
|
|
||||||
+These functions were first added to OpenSSL 1.0.0.
|
|
||||||
+
|
|
||||||
+=cut
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/X509_STORE_CTX_get_error.pod.manfix openssl-1.0.1c/doc/crypto/X509_STORE_CTX_get_error.pod
|
|
||||||
--- openssl-1.0.1c/doc/crypto/X509_STORE_CTX_get_error.pod.manfix 2009-10-18 17:28:59.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/doc/crypto/X509_STORE_CTX_get_error.pod 2013-01-30 17:34:16.315630759 +0100
|
|
||||||
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl
|
|
||||||
an application specific error. This will never be returned unless explicitly
|
|
||||||
set by an application.
|
|
||||||
|
|
||||||
+=back
|
|
||||||
+
|
|
||||||
=head1 NOTES
|
|
||||||
|
|
||||||
The above functions should be used instead of directly referencing the fields
|
|
||||||
diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_verifyrecover.pod /dev/null
|
|
||||||
--- openssl-1.0.1c/doc/crypto/EVP_PKEY_verifyrecover.pod
|
|
||||||
+++ /dev/null
|
|
||||||
@@ -1,103 +0,0 @@
|
|
||||||
-=pod
|
|
||||||
-
|
|
||||||
-=head1 NAME
|
|
||||||
-
|
|
||||||
-EVP_PKEY_verifyrecover_init, EVP_PKEY_verifyrecover - recover signature using a public key algorithm
|
|
||||||
-
|
|
||||||
-=head1 SYNOPSIS
|
|
||||||
-
|
|
||||||
- #include <openssl/evp.h>
|
|
||||||
-
|
|
||||||
- int EVP_PKEY_verifyrecover_init(EVP_PKEY_CTX *ctx);
|
|
||||||
- int EVP_PKEY_verifyrecover(EVP_PKEY_CTX *ctx,
|
|
||||||
- unsigned char *rout, size_t *routlen,
|
|
||||||
- const unsigned char *sig, size_t siglen);
|
|
||||||
-
|
|
||||||
-=head1 DESCRIPTION
|
|
||||||
-
|
|
||||||
-The EVP_PKEY_verifyrecover_init() function initializes a public key algorithm
|
|
||||||
-context using key B<pkey> for a verify recover operation.
|
|
||||||
-
|
|
||||||
-The EVP_PKEY_verifyrecover() function recovers signed data
|
|
||||||
-using B<ctx>. The signature is specified using the B<sig> and
|
|
||||||
-B<siglen> parameters. If B<rout> is B<NULL> then the maximum size of the output
|
|
||||||
-buffer is written to the B<routlen> parameter. If B<rout> is not B<NULL> then
|
|
||||||
-before the call the B<routlen> parameter should contain the length of the
|
|
||||||
-B<rout> buffer, if the call is successful recovered data is written to
|
|
||||||
-B<rout> and the amount of data written to B<routlen>.
|
|
||||||
-
|
|
||||||
-=head1 NOTES
|
|
||||||
-
|
|
||||||
-Normally an application is only interested in whether a signature verification
|
|
||||||
-operation is successful in those cases the EVP_verify() function should be
|
|
||||||
-used.
|
|
||||||
-
|
|
||||||
-Sometimes however it is useful to obtain the data originally signed using a
|
|
||||||
-signing operation. Only certain public key algorithms can recover a signature
|
|
||||||
-in this way (for example RSA in PKCS padding mode).
|
|
||||||
-
|
|
||||||
-After the call to EVP_PKEY_verifyrecover_init() algorithm specific control
|
|
||||||
-operations can be performed to set any appropriate parameters for the
|
|
||||||
-operation.
|
|
||||||
-
|
|
||||||
-The function EVP_PKEY_verifyrecover() can be called more than once on the same
|
|
||||||
-context if several operations are performed using the same parameters.
|
|
||||||
-
|
|
||||||
-=head1 RETURN VALUES
|
|
||||||
-
|
|
||||||
-EVP_PKEY_verifyrecover_init() and EVP_PKEY_verifyrecover() return 1 for success
|
|
||||||
-and 0 or a negative value for failure. In particular a return value of -2
|
|
||||||
-indicates the operation is not supported by the public key algorithm.
|
|
||||||
-
|
|
||||||
-=head1 EXAMPLE
|
|
||||||
-
|
|
||||||
-Recover digest originally signed using PKCS#1 and SHA256 digest:
|
|
||||||
-
|
|
||||||
- #include <openssl/evp.h>
|
|
||||||
- #include <openssl/rsa.h>
|
|
||||||
-
|
|
||||||
- EVP_PKEY_CTX *ctx;
|
|
||||||
- unsigned char *rout, *sig;
|
|
||||||
- size_t routlen, siglen;
|
|
||||||
- EVP_PKEY *verify_key;
|
|
||||||
- /* NB: assumes verify_key, sig and siglen are already set up
|
|
||||||
- * and that verify_key is an RSA public key
|
|
||||||
- */
|
|
||||||
- ctx = EVP_PKEY_CTX_new(verify_key);
|
|
||||||
- if (!ctx)
|
|
||||||
- /* Error occurred */
|
|
||||||
- if (EVP_PKEY_verifyrecover_init(ctx) <= 0)
|
|
||||||
- /* Error */
|
|
||||||
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
|
|
||||||
- /* Error */
|
|
||||||
- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
|
|
||||||
- /* Error */
|
|
||||||
-
|
|
||||||
- /* Determine buffer length */
|
|
||||||
- if (EVP_PKEY_verifyrecover(ctx, NULL, &routlen, sig, siglen) <= 0)
|
|
||||||
- /* Error */
|
|
||||||
-
|
|
||||||
- rout = OPENSSL_malloc(routlen);
|
|
||||||
-
|
|
||||||
- if (!rout)
|
|
||||||
- /* malloc failure */
|
|
||||||
-
|
|
||||||
- if (EVP_PKEY_verifyrecover(ctx, rout, &routlen, sig, siglen) <= 0)
|
|
||||||
- /* Error */
|
|
||||||
-
|
|
||||||
- /* Recovered data is routlen bytes written to buffer rout */
|
|
||||||
-
|
|
||||||
-=head1 SEE ALSO
|
|
||||||
-
|
|
||||||
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
|
|
||||||
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
|
|
||||||
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
|
|
||||||
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
|
|
||||||
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
|
|
||||||
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
|
|
||||||
-
|
|
||||||
-=head1 HISTORY
|
|
||||||
-
|
|
||||||
-These functions were first added to OpenSSL 1.0.0.
|
|
||||||
-
|
|
||||||
-=cut
|
|
||||||
--
|
|
||||||
|
|
@ -1,77 +0,0 @@
|
|||||||
From 5bb6d96558ff6013826e3362f4c81513e3df23ff Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ben Laurie <ben@openssl.org>
|
|
||||||
Date: Thu, 13 Dec 2012 15:48:42 +0000
|
|
||||||
Subject: [PATCH] Make verify return errors.
|
|
||||||
|
|
||||||
---
|
|
||||||
CHANGES | 3 +++
|
|
||||||
Makefile.org | 2 +-
|
|
||||||
apps/verify.c | 16 ++++++++++++----
|
|
||||||
test/Makefile | 2 +-
|
|
||||||
4 files changed, 17 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Makefile.org b/Makefile.org
|
|
||||||
index 55273ea..43d16cb 100644
|
|
||||||
--- a/Makefile.org
|
|
||||||
+++ b/Makefile.org
|
|
||||||
@@ -444,7 +444,7 @@ rehash.time: certs apps
|
|
||||||
[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
|
|
||||||
OPENSSL_DEBUG_MEMORY=on; \
|
|
||||||
export OPENSSL OPENSSL_DEBUG_MEMORY; \
|
|
||||||
- $(PERL) tools/c_rehash certs) && \
|
|
||||||
+ $(PERL) tools/c_rehash certs/demo) && \
|
|
||||||
touch rehash.time; \
|
|
||||||
else :; fi
|
|
||||||
|
|
||||||
diff --git a/apps/verify.c b/apps/verify.c
|
|
||||||
index 0f34b86..893670f 100644
|
|
||||||
--- a/apps/verify.c
|
|
||||||
+++ b/apps/verify.c
|
|
||||||
@@ -222,11 +222,19 @@ int MAIN(int argc, char **argv)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
|
|
||||||
+ ret = 0;
|
|
||||||
+ if (argc < 1)
|
|
||||||
+ {
|
|
||||||
+ if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
|
|
||||||
+ ret = -1;
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
+ {
|
|
||||||
for (i=0; i<argc; i++)
|
|
||||||
- check(cert_ctx,argv[i], untrusted, trusted, crls, e);
|
|
||||||
- ret=0;
|
|
||||||
+ if (1 != check(cert_ctx,argv[i], untrusted, trusted, crls, e))
|
|
||||||
+ ret = -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
end:
|
|
||||||
if (ret == 1) {
|
|
||||||
BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
|
|
||||||
@@ -252,7 +260,7 @@ end:
|
|
||||||
sk_X509_pop_free(trusted, X509_free);
|
|
||||||
sk_X509_CRL_pop_free(crls, X509_CRL_free);
|
|
||||||
apps_shutdown();
|
|
||||||
- OPENSSL_EXIT(ret);
|
|
||||||
+ OPENSSL_EXIT(ret < 0 ? 2 : ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int check(X509_STORE *ctx, char *file,
|
|
||||||
diff --git a/test/Makefile b/test/Makefile
|
|
||||||
index 09e6848..4c9eabc 100644
|
|
||||||
--- a/test/Makefile
|
|
||||||
+++ b/test/Makefile
|
|
||||||
@@ -246,7 +246,7 @@ test_ecdh:
|
|
||||||
test_verify:
|
|
||||||
@echo "The following command should have some OK's and some failures"
|
|
||||||
@echo "There are definitly a few expired certificates"
|
|
||||||
- ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs ../certs/*.pem
|
|
||||||
+ ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem
|
|
||||||
|
|
||||||
test_dh:
|
|
||||||
@echo "Generate a set of DH parameters"
|
|
||||||
--
|
|
||||||
1.7.7.6
|
|
||||||
|
|
256
openssl-1.0.1e-backports.patch
Normal file
256
openssl-1.0.1e-backports.patch
Normal file
@ -0,0 +1,256 @@
|
|||||||
|
From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Alcock <nix@esperi.org.uk>
|
||||||
|
Date: Fri, 15 Feb 2013 17:44:11 +0000
|
||||||
|
Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
|
||||||
|
2.5.0+
|
||||||
|
|
||||||
|
podlators 2.5.0 has switched to dying on POD syntax errors. This means
|
||||||
|
that a bunch of long-standing erroneous POD in the openssl documentation
|
||||||
|
now leads to fatal errors from pod2man, halting installation.
|
||||||
|
|
||||||
|
Unfortunately POD constraints mean that you have to sort numeric lists
|
||||||
|
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
|
||||||
|
you want 1 to appear first. I've reshuffled such (alas, I wish there
|
||||||
|
were a better way but I don't know of one).
|
||||||
|
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
|
||||||
|
---
|
||||||
|
doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++
|
||||||
|
doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++----
|
||||||
|
doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++
|
||||||
|
doc/ssl/SSL_accept.pod | 10 +++++-----
|
||||||
|
doc/ssl/SSL_connect.pod | 10 +++++-----
|
||||||
|
doc/ssl/SSL_do_handshake.pod | 10 +++++-----
|
||||||
|
doc/ssl/SSL_shutdown.pod | 10 +++++-----
|
||||||
|
7 files changed, 30 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
|
||||||
|
index a883f6c..60e8332 100644
|
||||||
|
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
|
||||||
|
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
|
||||||
|
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
|
||||||
|
an application specific error. This will never be returned unless explicitly
|
||||||
|
set by an application.
|
||||||
|
|
||||||
|
+=back
|
||||||
|
+
|
||||||
|
=head1 NOTES
|
||||||
|
|
||||||
|
The above functions should be used instead of directly referencing the fields
|
||||||
|
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
||||||
|
index 632b556..5e66133 100644
|
||||||
|
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
||||||
|
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
||||||
|
@@ -66,16 +66,16 @@ values:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
-=item 1
|
||||||
|
-
|
||||||
|
-The operation succeeded.
|
||||||
|
-
|
||||||
|
=item 0
|
||||||
|
|
||||||
|
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
|
||||||
|
the X509_NAME could not be extracted from B<cacert>. Check the error stack
|
||||||
|
to find out the reason.
|
||||||
|
|
||||||
|
+=item 1
|
||||||
|
+
|
||||||
|
+The operation succeeded.
|
||||||
|
+
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 EXAMPLES
|
||||||
|
diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
||||||
|
index b80e25b..7e60df5 100644
|
||||||
|
--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
||||||
|
+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
||||||
|
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
|
||||||
|
|
||||||
|
Return values from the server callback are interpreted as follows:
|
||||||
|
|
||||||
|
+=over 4
|
||||||
|
+
|
||||||
|
=item > 0
|
||||||
|
|
||||||
|
PSK identity was found and the server callback has provided the PSK
|
||||||
|
@@ -99,4 +101,6 @@ completely.
|
||||||
|
PSK identity was not found. An "unknown_psk_identity" alert message
|
||||||
|
will be sent and the connection setup fails.
|
||||||
|
|
||||||
|
+=back
|
||||||
|
+
|
||||||
|
=cut
|
||||||
|
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
|
||||||
|
index cc724c0..b1c34d1 100644
|
||||||
|
--- a/doc/ssl/SSL_accept.pod
|
||||||
|
+++ b/doc/ssl/SSL_accept.pod
|
||||||
|
@@ -44,17 +44,17 @@ The following return values can occur:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
-=item 1
|
||||||
|
-
|
||||||
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
||||||
|
-established.
|
||||||
|
-
|
||||||
|
=item 0
|
||||||
|
|
||||||
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
||||||
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
||||||
|
return value B<ret> to find out the reason.
|
||||||
|
|
||||||
|
+=item 1
|
||||||
|
+
|
||||||
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
||||||
|
+established.
|
||||||
|
+
|
||||||
|
=item E<lt>0
|
||||||
|
|
||||||
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
||||||
|
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
|
||||||
|
index cc56ebb..946ca89 100644
|
||||||
|
--- a/doc/ssl/SSL_connect.pod
|
||||||
|
+++ b/doc/ssl/SSL_connect.pod
|
||||||
|
@@ -41,17 +41,17 @@ The following return values can occur:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
-=item 1
|
||||||
|
-
|
||||||
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
||||||
|
-established.
|
||||||
|
-
|
||||||
|
=item 0
|
||||||
|
|
||||||
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
||||||
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
||||||
|
return value B<ret> to find out the reason.
|
||||||
|
|
||||||
|
+=item 1
|
||||||
|
+
|
||||||
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
||||||
|
+established.
|
||||||
|
+
|
||||||
|
=item E<lt>0
|
||||||
|
|
||||||
|
The TLS/SSL handshake was not successful, because a fatal error occurred either
|
||||||
|
diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
|
||||||
|
index 2435764..7f8cf24 100644
|
||||||
|
--- a/doc/ssl/SSL_do_handshake.pod
|
||||||
|
+++ b/doc/ssl/SSL_do_handshake.pod
|
||||||
|
@@ -45,17 +45,17 @@ The following return values can occur:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
-=item 1
|
||||||
|
-
|
||||||
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
||||||
|
-established.
|
||||||
|
-
|
||||||
|
=item 0
|
||||||
|
|
||||||
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
||||||
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
||||||
|
return value B<ret> to find out the reason.
|
||||||
|
|
||||||
|
+=item 1
|
||||||
|
+
|
||||||
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
||||||
|
+established.
|
||||||
|
+
|
||||||
|
=item E<lt>0
|
||||||
|
|
||||||
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
||||||
|
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
|
||||||
|
index 89911ac..42a89b7 100644
|
||||||
|
--- a/doc/ssl/SSL_shutdown.pod
|
||||||
|
+++ b/doc/ssl/SSL_shutdown.pod
|
||||||
|
@@ -92,11 +92,6 @@ The following return values can occur:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
-=item 1
|
||||||
|
-
|
||||||
|
-The shutdown was successfully completed. The "close notify" alert was sent
|
||||||
|
-and the peer's "close notify" alert was received.
|
||||||
|
-
|
||||||
|
=item 0
|
||||||
|
|
||||||
|
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
|
||||||
|
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
|
||||||
|
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
|
||||||
|
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
|
||||||
|
|
||||||
|
+=item 1
|
||||||
|
+
|
||||||
|
+The shutdown was successfully completed. The "close notify" alert was sent
|
||||||
|
+and the peer's "close notify" alert was received.
|
||||||
|
+
|
||||||
|
=item -1
|
||||||
|
|
||||||
|
The shutdown was not successful because a fatal error occurred either
|
||||||
|
--
|
||||||
|
1.7.9.5
|
||||||
|
|
||||||
|
From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Dr. Stephen Henson" <steve@openssl.org>
|
||||||
|
Date: Mon, 11 Feb 2013 18:24:03 +0000
|
||||||
|
Subject: [PATCH] Fix for SSL_get_certificate
|
||||||
|
|
||||||
|
Now we set the current certificate to the one used by a server
|
||||||
|
there is no need to call ssl_get_server_send_cert which will
|
||||||
|
fail if we haven't sent a certificate yet.
|
||||||
|
---
|
||||||
|
ssl/ssl_lib.c | 4 +---
|
||||||
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||||
|
index 14d143d..ff5a85a 100644
|
||||||
|
--- a/ssl/ssl_lib.c
|
||||||
|
+++ b/ssl/ssl_lib.c
|
||||||
|
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
|
||||||
|
/* Fix this function so that it takes an optional type parameter */
|
||||||
|
X509 *SSL_get_certificate(const SSL *s)
|
||||||
|
{
|
||||||
|
- if (s->server)
|
||||||
|
- return(ssl_get_server_send_cert(s));
|
||||||
|
- else if (s->cert != NULL)
|
||||||
|
+ if (s->cert != NULL)
|
||||||
|
return(s->cert->key->x509);
|
||||||
|
else
|
||||||
|
return(NULL);
|
||||||
|
--
|
||||||
|
1.7.9.5
|
||||||
|
|
||||||
|
From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
|
||||||
|
From: David Woodhouse <dwmw2@infradead.org>
|
||||||
|
Date: Tue, 12 Feb 2013 14:55:32 +0000
|
||||||
|
Subject: [PATCH] Check DTLS_BAD_VER for version number.
|
||||||
|
|
||||||
|
The version check for DTLS1_VERSION was redundant as
|
||||||
|
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
|
||||||
|
check for DTLS1_BAD_VER for compatibility.
|
||||||
|
|
||||||
|
PR:2984
|
||||||
|
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
|
||||||
|
---
|
||||||
|
ssl/s3_cbc.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
|
||||||
|
index 02edf3f..443a31e 100644
|
||||||
|
--- a/ssl/s3_cbc.c
|
||||||
|
+++ b/ssl/s3_cbc.c
|
||||||
|
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
|
||||||
|
unsigned padding_length, good, to_check, i;
|
||||||
|
const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
||||||
|
/* Check if version requires explicit IV */
|
||||||
|
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
|
||||||
|
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
|
||||||
|
{
|
||||||
|
/* These lengths are all public so we can test them in
|
||||||
|
* non-constant time.
|
||||||
|
--
|
||||||
|
1.7.9.5
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
11
openssl-1.0.1e-issuer-hash.patch
Normal file
11
openssl-1.0.1e-issuer-hash.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
diff -up openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1e/crypto/x509/x509_cmp.c
|
||||||
|
--- openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/x509/x509_cmp.c 2013-02-19 12:46:11.315788592 +0100
|
||||||
|
@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
|
||||||
|
char *f;
|
||||||
|
|
||||||
|
EVP_MD_CTX_init(&ctx);
|
||||||
|
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
|
f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
|
||||||
|
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
|
||||||
|
goto err;
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c
|
diff -up openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_api.c
|
||||||
--- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv 2011-09-02 13:20:32.000000000 +0200
|
--- openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-09-10 20:20:24.803968961 +0200
|
+++ openssl-1.0.1e/crypto/conf/conf_api.c 2013-02-19 13:02:02.531188124 +0100
|
||||||
@@ -63,6 +63,8 @@
|
@@ -63,6 +63,8 @@
|
||||||
# define NDEBUG
|
# define NDEBUG
|
||||||
#endif
|
#endif
|
||||||
@ -28,9 +28,9 @@ diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/cryp
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if 0 /* There's no way to provide error checking with this function, so
|
#if 0 /* There's no way to provide error checking with this function, so
|
||||||
diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c
|
diff -up openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_mod.c
|
||||||
--- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv 2008-11-05 19:38:55.000000000 +0100
|
--- openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-09-10 20:22:46.228970661 +0200
|
+++ openssl-1.0.1e/crypto/conf/conf_mod.c 2013-02-19 13:02:02.531188124 +0100
|
||||||
@@ -56,6 +56,8 @@
|
@@ -56,6 +56,8 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
@ -51,9 +51,9 @@ diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/cryp
|
|||||||
return BUF_strdup(file);
|
return BUF_strdup(file);
|
||||||
|
|
||||||
len = strlen(X509_get_default_cert_area());
|
len = strlen(X509_get_default_cert_area());
|
||||||
diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c
|
diff -up openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1e/crypto/engine/eng_list.c
|
||||||
--- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv 2010-03-27 19:28:13.000000000 +0100
|
--- openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-09-10 20:20:46.106452027 +0200
|
+++ openssl-1.0.1e/crypto/engine/eng_list.c 2013-02-19 13:02:02.536188233 +0100
|
||||||
@@ -61,6 +61,8 @@
|
@@ -61,6 +61,8 @@
|
||||||
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
||||||
*/
|
*/
|
||||||
@ -75,9 +75,9 @@ diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/cr
|
|||||||
#endif
|
#endif
|
||||||
iterator = ENGINE_by_id("dynamic");
|
iterator = ENGINE_by_id("dynamic");
|
||||||
if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
|
if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
|
||||||
diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c
|
diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1e/crypto/md5/md5_dgst.c
|
||||||
--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-09-10 20:10:26.079391932 +0200
|
--- openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv 2013-02-19 13:02:02.492187275 +0100
|
||||||
+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-09-10 20:20:31.383118153 +0200
|
+++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 13:02:02.537188254 +0100
|
||||||
@@ -56,6 +56,8 @@
|
@@ -56,6 +56,8 @@
|
||||||
* [including the GNU Public Licence.]
|
* [including the GNU Public Licence.]
|
||||||
*/
|
*/
|
||||||
@ -96,9 +96,9 @@ diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypt
|
|||||||
OpenSSLDie(__FILE__, __LINE__, \
|
OpenSSLDie(__FILE__, __LINE__, \
|
||||||
"Digest MD5 forbidden in FIPS mode!");
|
"Digest MD5 forbidden in FIPS mode!");
|
||||||
return private_MD5_Init(c);
|
return private_MD5_Init(c);
|
||||||
diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c
|
diff -up openssl-1.0.1e/crypto/o_init.c.secure-getenv openssl-1.0.1e/crypto/o_init.c
|
||||||
--- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-09-10 20:10:26.066391638 +0200
|
--- openssl-1.0.1e/crypto/o_init.c.secure-getenv 2013-02-19 13:02:02.428185882 +0100
|
||||||
+++ openssl-1.0.1c/crypto/o_init.c 2012-09-10 20:23:27.634908822 +0200
|
+++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 13:02:02.538188276 +0100
|
||||||
@@ -52,6 +52,8 @@
|
@@ -52,6 +52,8 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
@ -117,19 +117,19 @@ diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_in
|
|||||||
{
|
{
|
||||||
buf[0] = '1';
|
buf[0] = '1';
|
||||||
}
|
}
|
||||||
diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c
|
diff -up openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv openssl-1.0.1e/crypto/rand/randfile.c
|
||||||
--- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv 2012-01-15 14:40:21.000000000 +0100
|
--- openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1c/crypto/rand/randfile.c 2012-09-10 20:20:40.708329617 +0200
|
+++ openssl-1.0.1e/crypto/rand/randfile.c 2013-02-19 13:03:06.971591052 +0100
|
||||||
@@ -58,6 +58,8 @@
|
@@ -60,6 +60,8 @@
|
||||||
|
#if !defined(OPENSSL_SYS_VXWORKS)
|
||||||
/* We need to define this to get macros like S_IFBLK and S_IFCHR */
|
|
||||||
#define _XOPEN_SOURCE 500
|
#define _XOPEN_SOURCE 500
|
||||||
|
#endif
|
||||||
+/* for secure_getenv */
|
+/* for secure_getenv */
|
||||||
+#define _GNU_SOURCE
|
+#define _GNU_SOURCE
|
||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@@ -275,8 +277,7 @@ const char *RAND_file_name(char *buf, si
|
@@ -277,8 +279,7 @@ const char *RAND_file_name(char *buf, si
|
||||||
struct stat sb;
|
struct stat sb;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -139,7 +139,7 @@ diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/cryp
|
|||||||
if (s != NULL && *s && strlen(s) + 1 < size)
|
if (s != NULL && *s && strlen(s) + 1 < size)
|
||||||
{
|
{
|
||||||
if (BUF_strlcpy(buf,s,size) >= size)
|
if (BUF_strlcpy(buf,s,size) >= size)
|
||||||
@@ -284,8 +285,7 @@ const char *RAND_file_name(char *buf, si
|
@@ -286,8 +287,7 @@ const char *RAND_file_name(char *buf, si
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@ -149,9 +149,9 @@ diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/cryp
|
|||||||
#ifdef DEFAULT_HOME
|
#ifdef DEFAULT_HOME
|
||||||
if (s == NULL)
|
if (s == NULL)
|
||||||
{
|
{
|
||||||
diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c
|
diff -up openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1e/crypto/x509/by_dir.c
|
||||||
--- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv 2010-02-19 19:26:23.000000000 +0100
|
--- openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-09-10 20:21:16.641144451 +0200
|
+++ openssl-1.0.1e/crypto/x509/by_dir.c 2013-02-19 13:02:02.539188298 +0100
|
||||||
@@ -56,6 +56,8 @@
|
@@ -56,6 +56,8 @@
|
||||||
* [including the GNU Public Licence.]
|
* [including the GNU Public Licence.]
|
||||||
*/
|
*/
|
||||||
@ -170,9 +170,9 @@ diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto
|
|||||||
if (dir)
|
if (dir)
|
||||||
ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
|
ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
|
||||||
else
|
else
|
||||||
diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c
|
diff -up openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv openssl-1.0.1e/crypto/x509/by_file.c
|
||||||
--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-09-10 20:10:26.016390503 +0200
|
--- openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv 2013-02-19 13:02:02.236181701 +0100
|
||||||
+++ openssl-1.0.1c/crypto/x509/by_file.c 2012-09-10 20:21:07.748942806 +0200
|
+++ openssl-1.0.1e/crypto/x509/by_file.c 2013-02-19 13:02:02.554188624 +0100
|
||||||
@@ -56,6 +56,8 @@
|
@@ -56,6 +56,8 @@
|
||||||
* [including the GNU Public Licence.]
|
* [including the GNU Public Licence.]
|
||||||
*/
|
*/
|
||||||
@ -191,9 +191,9 @@ diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypt
|
|||||||
if (file)
|
if (file)
|
||||||
ok = (X509_load_cert_crl_file(ctx,file,
|
ok = (X509_load_cert_crl_file(ctx,file,
|
||||||
X509_FILETYPE_PEM) != 0);
|
X509_FILETYPE_PEM) != 0);
|
||||||
diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1e/crypto/x509/x509_vfy.c
|
||||||
--- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv 2011-09-23 15:39:35.000000000 +0200
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-09-10 20:20:55.951675283 +0200
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-02-19 13:02:02.556188668 +0100
|
||||||
@@ -56,6 +56,8 @@
|
@@ -56,6 +56,8 @@
|
||||||
* [including the GNU Public Licence.]
|
* [including the GNU Public Licence.]
|
||||||
*/
|
*/
|
||||||
@ -212,9 +212,9 @@ diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/cryp
|
|||||||
allow_proxy_certs = 1;
|
allow_proxy_certs = 1;
|
||||||
purpose = ctx->param->purpose;
|
purpose = ctx->param->purpose;
|
||||||
}
|
}
|
||||||
diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c
|
diff -up openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1e/engines/ccgost/gost_ctl.c
|
||||||
--- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv 2008-03-16 22:05:44.000000000 +0100
|
--- openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-09-10 20:21:26.759373897 +0200
|
+++ openssl-1.0.1e/engines/ccgost/gost_ctl.c 2013-02-19 13:02:02.557188690 +0100
|
||||||
@@ -6,6 +6,8 @@
|
@@ -6,6 +6,8 @@
|
||||||
* Implementation of control commands for GOST engine *
|
* Implementation of control commands for GOST engine *
|
||||||
* OpenSSL 0.9.9 libraries required *
|
* OpenSSL 0.9.9 libraries required *
|
25
openssl.spec
25
openssl.spec
@ -20,9 +20,9 @@
|
|||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1c
|
Version: 1.0.1e
|
||||||
# Do not forget to bump SHLIB_VERSION on version upgrades
|
# Do not forget to bump SHLIB_VERSION on version upgrades
|
||||||
Release: 12%{?dist}
|
Release: 1%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -47,7 +47,7 @@ Patch8: openssl-1.0.1c-perlfind.patch
|
|||||||
Patch9: openssl-1.0.1c-aliasing.patch
|
Patch9: openssl-1.0.1c-aliasing.patch
|
||||||
# Bug fixes
|
# Bug fixes
|
||||||
Patch23: openssl-1.0.1c-default-paths.patch
|
Patch23: openssl-1.0.1c-default-paths.patch
|
||||||
Patch24: openssl-1.0.1c-issuer-hash.patch
|
Patch24: openssl-1.0.1e-issuer-hash.patch
|
||||||
# Functionality changes
|
# Functionality changes
|
||||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||||
Patch34: openssl-0.9.6-x509.patch
|
Patch34: openssl-0.9.6-x509.patch
|
||||||
@ -55,7 +55,7 @@ Patch35: openssl-0.9.8j-version-add-engines.patch
|
|||||||
Patch36: openssl-1.0.0e-doc-noeof.patch
|
Patch36: openssl-1.0.0e-doc-noeof.patch
|
||||||
Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
|
Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
|
||||||
Patch39: openssl-1.0.1c-ipv6-apps.patch
|
Patch39: openssl-1.0.1c-ipv6-apps.patch
|
||||||
Patch40: openssl-1.0.1c-fips.patch
|
Patch40: openssl-1.0.1e-fips.patch
|
||||||
Patch45: openssl-0.9.8j-env-nozlib.patch
|
Patch45: openssl-0.9.8j-env-nozlib.patch
|
||||||
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
||||||
Patch49: openssl-1.0.1a-algo-doc.patch
|
Patch49: openssl-1.0.1a-algo-doc.patch
|
||||||
@ -67,16 +67,11 @@ Patch60: openssl-1.0.0d-apps-dgst.patch
|
|||||||
Patch63: openssl-1.0.0d-xmpp-starttls.patch
|
Patch63: openssl-1.0.0d-xmpp-starttls.patch
|
||||||
Patch65: openssl-1.0.0e-chil-fixes.patch
|
Patch65: openssl-1.0.0e-chil-fixes.patch
|
||||||
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
||||||
Patch67: openssl-1.0.0-fips-pkcs8.patch
|
Patch68: openssl-1.0.1e-secure-getenv.patch
|
||||||
Patch68: openssl-1.0.1c-secure-getenv.patch
|
|
||||||
Patch69: openssl-1.0.1c-dh-1024.patch
|
Patch69: openssl-1.0.1c-dh-1024.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
||||||
Patch82: openssl-1.0.1c-backports.patch
|
Patch82: openssl-1.0.1e-backports.patch
|
||||||
Patch83: openssl-1.0.1c-ccm-init-str.patch
|
|
||||||
Patch84: openssl-1.0.1c-backports2.patch
|
|
||||||
Patch85: openssl-1.0.1c-manfix.patch
|
|
||||||
Patch86: openssl-1.0.1c-verify-error.patch
|
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -175,16 +170,11 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||||||
%patch63 -p1 -b .starttls
|
%patch63 -p1 -b .starttls
|
||||||
%patch65 -p1 -b .chil
|
%patch65 -p1 -b .chil
|
||||||
%patch66 -p1 -b .krb5
|
%patch66 -p1 -b .krb5
|
||||||
%patch67 -p1 -b .pkcs8
|
|
||||||
%patch68 -p1 -b .secure-getenv
|
%patch68 -p1 -b .secure-getenv
|
||||||
%patch69 -p1 -b .dh1024
|
%patch69 -p1 -b .dh1024
|
||||||
|
|
||||||
%patch81 -p1 -b .padlock64
|
%patch81 -p1 -b .padlock64
|
||||||
%patch82 -p1 -b .backports
|
%patch82 -p1 -b .backports
|
||||||
%patch83 -p1 -b .init-str
|
|
||||||
%patch84 -p1 -b .backports2
|
|
||||||
%patch85 -p1 -b .manfix
|
|
||||||
%patch86 -p1 -b .verify
|
|
||||||
|
|
||||||
# Modify the various perl scripts to reference perl in the right location.
|
# Modify the various perl scripts to reference perl in the right location.
|
||||||
perl util/perlpath.pl `dirname %{__perl}`
|
perl util/perlpath.pl `dirname %{__perl}`
|
||||||
@ -440,6 +430,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
* Wed Jan 30 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1c-12
|
* Wed Jan 30 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1c-12
|
||||||
- more fixes from upstream
|
- more fixes from upstream
|
||||||
- fix errors in manual causing build failure (#904777)
|
- fix errors in manual causing build failure (#904777)
|
||||||
|
Loading…
Reference in New Issue
Block a user