Deleted |
_service:download_src_package:openssl.spec
@@ -1,1886 +0,0 @@
-# For the curious:
-# 0.9.5a soversion = 0
-# 0.9.6 soversion = 1
-# 0.9.6a soversion = 2
-# 0.9.6c soversion = 3
-# 0.9.7a soversion = 4
-# 0.9.7ef soversion = 5
-# 0.9.8ab soversion = 6
-# 0.9.8g soversion = 7
-# 0.9.8jk + EAP-FAST soversion = 8
-# 1.0.0 soversion = 10
-%define soversion 10
-
-# Number of threads to spawn when testing some threading fixes.
-%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
-
-# Arches on which we need to prevent arch conflicts on opensslconf.h, must
-# also be handled in opensslconf-new.h.
-%define multilib_arches %{ix86} ia64 %{mips} ppc %{power64} s390 s390x sparcv9 sparc64 x86_64
-
-%global _performance_build 1
-
-Summary: Utilities from the general purpose cryptography library with TLS implementation
-Name: openssl
-Version: 1.0.2f
-Release: 1%{?dist}
-Epoch: 1
-# We have to remove certain patented algorithms from the openssl source
-# tarball with the hobble-openssl script which is included below.
-# The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-hobbled.tar.xz
-Source1: hobble-openssl
-Source2: Makefile.certificate
-Source6: make-dummy-cert
-Source7: renew-dummy-cert
-Source8: openssl-thread-test.c
-Source9: opensslconf-new.h
-Source10: opensslconf-new-warning.h
-Source11: README.FIPS
-Source12: ec_curve.c
-Source13: ectest.c
-# Build changes
-Patch1: openssl-1.0.2e-rpmbuild.patch
-Patch2: openssl-1.0.2a-defaults.patch
-Patch4: openssl-1.0.2a-enginesdir.patch
-Patch5: openssl-1.0.2a-no-rpath.patch
-Patch6: openssl-1.0.2a-test-use-localhost.patch
-Patch7: openssl-1.0.0-timezone.patch
-Patch8: openssl-1.0.1c-perlfind.patch
-Patch9: openssl-1.0.1c-aliasing.patch
-# Bug fixes
-Patch23: openssl-1.0.2c-default-paths.patch
-Patch24: openssl-1.0.2a-issuer-hash.patch
-# Functionality changes
-Patch33: openssl-1.0.0-beta4-ca-dir.patch
-Patch34: openssl-1.0.2a-x509.patch
-Patch35: openssl-1.0.2a-version-add-engines.patch
-Patch39: openssl-1.0.2a-ipv6-apps.patch
-Patch40: openssl-1.0.2e-fips.patch
-Patch45: openssl-1.0.2a-env-zlib.patch
-Patch47: openssl-1.0.2a-readme-warning.patch
-Patch49: openssl-1.0.1i-algo-doc.patch
-Patch50: openssl-1.0.2a-dtls1-abi.patch
-Patch51: openssl-1.0.2a-version.patch
-Patch56: openssl-1.0.2a-rsa-x931.patch
-Patch58: openssl-1.0.2a-fips-md5-allow.patch
-Patch60: openssl-1.0.2a-apps-dgst.patch
-Patch63: openssl-1.0.2a-xmpp-starttls.patch
-Patch65: openssl-1.0.2a-chil-fixes.patch
-Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
-Patch68: openssl-1.0.2a-secure-getenv.patch
-Patch70: openssl-1.0.2a-fips-ec.patch
-Patch71: openssl-1.0.2d-manfix.patch
-Patch72: openssl-1.0.2a-fips-ctor.patch
-Patch73: openssl-1.0.2c-ecc-suiteb.patch
-Patch74: openssl-1.0.2a-no-md5-verify.patch
-Patch75: openssl-1.0.2a-compat-symbols.patch
-Patch76: openssl-1.0.2f-new-fips-reqs.patch
-Patch77: openssl-1.0.2a-weak-ciphers.patch
-Patch78: openssl-1.0.2a-cc-reqs.patch
-Patch90: openssl-1.0.2a-enc-fail.patch
-Patch92: openssl-1.0.2a-system-cipherlist.patch
-Patch93: openssl-1.0.2a-disable-sslv2v3.patch
-Patch94: openssl-1.0.2d-secp256k1.patch
-Patch95: openssl-1.0.2e-remove-nistp224.patch
-Patch96: openssl-1.0.2e-speed-doc.patch
-# Backported fixes including security fixes
-Patch80: openssl-1.0.2e-wrap-pad.patch
-Patch81: openssl-1.0.2a-padlock64.patch
-Patch82: openssl-1.0.2c-trusted-first-doc.patch
-
-License: OpenSSL
-Group: System Environment/Libraries
-URL: http://www.openssl.org/
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-BuildRequires: coreutils, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp
-BuildRequires: lksctp-tools-devel
-BuildRequires: /usr/bin/rename
-BuildRequires: /usr/bin/pod2man
-Requires: coreutils, make
-Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
-
-%description
-The OpenSSL toolkit provides support for secure communications between
-machines. OpenSSL includes a certificate management tool and shared
-libraries which provide various cryptographic algorithms and
-protocols.
-
-%package libs
-Summary: A general purpose cryptography library with TLS implementation
-Group: System Environment/Libraries
-Requires: ca-certificates >= 2008-5
-Requires: crypto-policies
-# Needed obsoletes due to the base/lib subpackage split
-Obsoletes: openssl < 1:1.0.1-0.3.beta3
-Obsoletes: openssl-fips < 1:1.0.1e-28
-Provides: openssl-fips = %{epoch}:%{version}-%{release}
-
-%description libs
-OpenSSL is a toolkit for supporting cryptography. The openssl-libs
-package contains the libraries that are used by various applications which
-support cryptographic algorithms and protocols.
-
-%package devel
-Summary: Files for development of applications which will use OpenSSL
-Group: Development/Libraries
-Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
-Requires: pkgconfig
-
-%description devel
-OpenSSL is a toolkit for supporting cryptography. The openssl-devel
-package contains include files needed to develop applications which
-support various cryptographic algorithms and protocols.
-
-%package static
-Summary: Libraries for static linking of applications which will use OpenSSL
-Group: Development/Libraries
-Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
-
-%description static
-OpenSSL is a toolkit for supporting cryptography. The openssl-static
-package contains static libraries needed for static linking of
-applications which support various cryptographic algorithms and
-protocols.
-
-%package perl
-Summary: Perl scripts provided with OpenSSL
-Group: Applications/Internet
-Requires: perl
-Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
-
-%description perl
-OpenSSL is a toolkit for supporting cryptography. The openssl-perl
-package provides Perl scripts for converting certificates and keys
-from other formats to the formats used by the OpenSSL toolkit.
-
-%prep
-%setup -q -n %{name}-%{version}
-
-# The hobble_openssl is called here redundantly, just to be sure.
-# The tarball has already the sources removed.
-%{SOURCE1} > /dev/null
-
-cp %{SOURCE12} %{SOURCE13} crypto/ec/
-
-%patch1 -p1 -b .rpmbuild
-%patch2 -p1 -b .defaults
-%patch4 -p1 -b .enginesdir %{?_rawbuild}
-%patch5 -p1 -b .no-rpath
-%patch6 -p1 -b .use-localhost
-%patch7 -p1 -b .timezone
-%patch8 -p1 -b .perlfind %{?_rawbuild}
-%patch9 -p1 -b .aliasing
-
-%patch23 -p1 -b .default-paths
-%patch24 -p1 -b .issuer-hash
-
-%patch33 -p1 -b .ca-dir
-%patch34 -p1 -b .x509
-%patch35 -p1 -b .version-add-engines
-%patch39 -p1 -b .ipv6-apps
-%patch40 -p1 -b .fips
-%patch45 -p1 -b .env-zlib
-%patch47 -p1 -b .warning
-%patch49 -p1 -b .algo-doc
-%patch50 -p1 -b .dtls1-abi
-%patch51 -p1 -b .version
-%patch56 -p1 -b .x931
-%patch58 -p1 -b .md5-allow
-%patch60 -p1 -b .dgst
-%patch63 -p1 -b .starttls
-%patch65 -p1 -b .chil
-%patch66 -p1 -b .krb5
-%patch68 -p1 -b .secure-getenv
-%patch70 -p1 -b .fips-ec
-%patch71 -p1 -b .manfix
-%patch72 -p1 -b .fips-ctor
-%patch73 -p1 -b .suiteb
Deleted |
_service:download_src_package:openssl-1.0.0-beta4-ca-dir.patch
@@ -1,36 +0,0 @@
-diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
---- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir 2006-04-28 02:30:49.000000000 +0200
-+++ openssl-1.0.0-beta4/apps/CA.pl.in 2009-11-12 12:33:13.000000000 +0100
-@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
- $X509="$openssl x509";
- $PKCS12="$openssl pkcs12";
-
--$CATOP="./demoCA";
-+$CATOP="/etc/pki/CA";
- $CAKEY="cakey.pem";
- $CAREQ="careq.pem";
- $CACERT="cacert.pem";
-diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
---- openssl-1.0.0-beta4/apps/CA.sh.ca-dir 2009-10-15 19:27:47.000000000 +0200
-+++ openssl-1.0.0-beta4/apps/CA.sh 2009-11-12 12:35:14.000000000 +0100
-@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
- X509="$OPENSSL x509"
- PKCS12="openssl pkcs12"
-
--if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
-+if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
- CAKEY=./cakey.pem
- CAREQ=./careq.pem
- CACERT=./cacert.pem
-diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
---- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir 2009-11-12 12:33:13.000000000 +0100
-+++ openssl-1.0.0-beta4/apps/openssl.cnf 2009-11-12 12:33:13.000000000 +0100
-@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
- ####################################################################
- [ CA_default ]
-
--dir = ./demoCA # Where everything is kept
-+dir = /etc/pki/CA # Where everything is kept
- certs = $dir/certs # Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt # database index file.
Deleted |
_service:download_src_package:openssl-1.0.0-timezone.patch
@@ -1,21 +0,0 @@
-diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org
---- openssl-1.0.0/Makefile.org.timezone 2010-03-30 11:08:40.000000000 +0200
-+++ openssl-1.0.0/Makefile.org 2010-04-06 12:49:21.000000000 +0200
-@@ -609,7 +609,7 @@ install_docs:
- sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
- echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
- (cd `$(PERL) util/dirname.pl $$i`; \
-- sh -c "$$pod2man \
-+ sh -c "TZ=UTC $$pod2man \
- --section=$$sec --center=OpenSSL \
- --release=$(VERSION) `basename $$i`") \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-@@ -626,7 +626,7 @@ install_docs:
- sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
- echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
- (cd `$(PERL) util/dirname.pl $$i`; \
-- sh -c "$$pod2man \
-+ sh -c "TZ=UTC $$pod2man \
- --section=$$sec --center=OpenSSL \
- --release=$(VERSION) `basename $$i`") \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
Deleted |
_service:download_src_package:openssl-1.0.1c-aliasing.patch
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1c/crypto/modes/Makefile.aliasing openssl-1.0.1c/crypto/modes/Makefile
---- openssl-1.0.1c/crypto/modes/Makefile.aliasing 2011-08-12 00:36:17.000000000 +0200
-+++ openssl-1.0.1c/crypto/modes/Makefile 2012-07-13 11:32:10.767829077 +0200
-@@ -12,7 +12,7 @@ AR= ar r
-
- MODES_ASM_OBJ=
-
--CFLAGS= $(INCLUDES) $(CFLAG)
-+CFLAGS= $(INCLUDES) $(CFLAG) -fno-strict-aliasing
- ASFLAGS= $(INCLUDES) $(ASFLAG)
- AFLAGS= $(ASFLAGS)
-
Deleted |
_service:download_src_package:openssl-1.0.1c-perlfind.patch
@@ -1,16 +0,0 @@
-diff -up openssl-1.0.1c/util/perlpath.pl.perlfind openssl-1.0.1c/util/perlpath.pl
---- openssl-1.0.1c/util/perlpath.pl.perlfind 2012-07-11 22:57:33.000000000 +0200
-+++ openssl-1.0.1c/util/perlpath.pl 2012-07-12 00:31:12.102156275 +0200
-@@ -4,10 +4,10 @@
- # line in all scripts that rely on perl.
- #
-
--require "find.pl";
-+use File::Find;
-
- $#ARGV == 0 || print STDERR "usage: perlpath newpath (eg /usr/bin)\n";
--&find(".");
-+find(\&wanted, ".");
-
- sub wanted
- {
Deleted |
_service:download_src_package:openssl-1.0.1i-algo-doc.patch
@@ -1,77 +0,0 @@
-diff -up openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod
---- openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod 2014-08-07 11:18:01.290773970 +0200
-@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
-
- EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
- B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
--function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
-+function. B<type> will typically be supplied by a function such as EVP_sha1().
- If B<impl> is NULL then the default implementation of digest B<type> is used.
-
- EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-@@ -164,7 +164,8 @@ corresponding OBJECT IDENTIFIER or NID_u
- EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
- EVP_MD_CTX_block_size() return the digest or block size in bytes.
-
--EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
-+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
-+EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
- EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
- corresponding EVP_MD structures.
-
-diff -up openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod
---- openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod 2014-08-07 10:55:25.100638252 +0200
-@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
- int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
- int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
-
-+ const EVP_CIPHER *EVP_des_ede3(void);
-+ const EVP_CIPHER *EVP_des_ede3_ecb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
-+ const EVP_CIPHER *EVP_des_ede3_ofb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_ecb(void);
-+ const EVP_CIPHER *EVP_aes_128_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_128_ofb(void);
-+ const EVP_CIPHER *EVP_aes_192_ecb(void);
-+ const EVP_CIPHER *EVP_aes_192_cbc(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_192_ofb(void);
-+ const EVP_CIPHER *EVP_aes_256_ecb(void);
-+ const EVP_CIPHER *EVP_aes_256_cbc(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_256_ofb(void);
-+
- =head1 DESCRIPTION
-
- The EVP cipher routines are a high level interface to certain
-@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
-
- DESX algorithm in CBC mode.
-
-+=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
-+
-+AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
-+=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
-+
-+AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
-+=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
-+
-+AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
- =item EVP_rc4(void)
-
- RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
Deleted |
_service:download_src_package:openssl-1.0.2a-apps-dgst.patch
@@ -1,110 +0,0 @@
-diff -up openssl-1.0.2a/apps/ca.c.dgst openssl-1.0.2a/apps/ca.c
---- openssl-1.0.2a/apps/ca.c.dgst 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/ca.c 2015-04-21 17:01:38.841551616 +0200
-@@ -157,7 +157,7 @@ static const char *ca_usage[] = {
- " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
- " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
- " -days arg - number of days to certify the certificate for\n",
-- " -md arg - md to use, one of md2, md5, sha or sha1\n",
-+ " -md arg - md to use, see openssl dgst -h for list\n",
- " -policy arg - The CA 'policy' to support\n",
- " -keyfile arg - private key file\n",
- " -keyform arg - private key file format (PEM or ENGINE)\n",
-diff -up openssl-1.0.2a/apps/enc.c.dgst openssl-1.0.2a/apps/enc.c
---- openssl-1.0.2a/apps/enc.c.dgst 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/apps/enc.c 2015-04-21 17:01:38.841551616 +0200
-@@ -294,7 +294,7 @@ int MAIN(int argc, char **argv)
- "%-14s the next argument is the md to use to create a key\n",
- "-md");
- BIO_printf(bio_err,
-- "%-14s from a passphrase. One of md2, md5, sha or sha1\n",
-+ "%-14s from a passphrase. See openssl dgst -h for list.\n",
- "");
- BIO_printf(bio_err, "%-14s salt in hex is the next argument\n",
- "-S");
-diff -up openssl-1.0.2a/apps/req.c.dgst openssl-1.0.2a/apps/req.c
---- openssl-1.0.2a/apps/req.c.dgst 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/apps/req.c 2015-04-21 17:01:38.842551640 +0200
-@@ -414,7 +414,7 @@ int MAIN(int argc, char **argv)
- " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
- #endif
- BIO_printf(bio_err,
-- " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
-+ " -[digest] Digest to sign with (see openssl dgst -h for list)\n");
- BIO_printf(bio_err, " -config file request template file.\n");
- BIO_printf(bio_err,
- " -subj arg set or modify request subject\n");
-diff -up openssl-1.0.2a/apps/ts.c.dgst openssl-1.0.2a/apps/ts.c
---- openssl-1.0.2a/apps/ts.c.dgst 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/apps/ts.c 2015-04-21 17:01:38.842551640 +0200
-@@ -337,7 +337,7 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err, "usage:\n"
- "ts -query [-rand file%cfile%c...] [-config configfile] "
- "[-data file_to_hash] [-digest digest_bytes]"
-- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
-+ "[-<hashalg>] "
- "[-policy object_id] [-no_nonce] [-cert] "
- "[-in request.tsq] [-out request.tsq] [-text]\n",
- LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-diff -up openssl-1.0.2a/apps/x509.c.dgst openssl-1.0.2a/apps/x509.c
---- openssl-1.0.2a/apps/x509.c.dgst 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/x509.c 2015-04-21 17:01:38.842551640 +0200
-@@ -141,7 +141,7 @@ static const char *x509_usage[] = {
- " -set_serial - serial number to use\n",
- " -text - print the certificate in text form\n",
- " -C - print out C code forms\n",
-- " -md2/-md5/-sha1/-mdc2 - digest to use\n",
-+ " -<dgst> - digest to use, see openssl dgst -h output for list\n",
- " -extfile - configuration file with X509V3 extensions to add\n",
- " -extensions - section from config file with X509V3 extensions to add\n",
- " -clrext - delete extensions before signing and input certificate\n",
-diff -up openssl-1.0.2a/doc/apps/ca.pod.dgst openssl-1.0.2a/doc/apps/ca.pod
---- openssl-1.0.2a/doc/apps/ca.pod.dgst 2015-01-20 13:33:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/ca.pod 2015-04-21 17:01:38.842551640 +0200
-@@ -168,7 +168,8 @@ the number of days to certify the certif
- =item B<-md alg>
-
- the message digest to use. Possible values include md5, sha1 and mdc2.
--This option also applies to CRLs.
-+For full list of digests see openssl dgst -h output. This option also
-+applies to CRLs.
-
- =item B<-policy arg>
-
-diff -up openssl-1.0.2a/doc/apps/ocsp.pod.dgst openssl-1.0.2a/doc/apps/ocsp.pod
---- openssl-1.0.2a/doc/apps/ocsp.pod.dgst 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-21 17:01:38.842551640 +0200
-@@ -219,7 +219,8 @@ check is not performed.
- =item B<-md5|-sha1|-sha256|-ripemod160|...>
-
- this option sets digest algorithm to use for certificate identification
--in the OCSP request. By default SHA-1 is used.
-+in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
-+the list of available algorithms.
-
- =back
-
-diff -up openssl-1.0.2a/doc/apps/req.pod.dgst openssl-1.0.2a/doc/apps/req.pod
---- openssl-1.0.2a/doc/apps/req.pod.dgst 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/req.pod 2015-04-21 17:01:38.843551664 +0200
-@@ -201,7 +201,8 @@ will not be encrypted.
-
- this specifies the message digest to sign the request with (such as
- B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
--the configuration file.
-+the configuration file. For full list of possible digests see openssl
-+dgst -h output.
-
- Some public key algorithms may override this choice. For instance, DSA
- signatures always use SHA1, GOST R 34.10 signatures always use
-diff -up openssl-1.0.2a/doc/apps/x509.pod.dgst openssl-1.0.2a/doc/apps/x509.pod
---- openssl-1.0.2a/doc/apps/x509.pod.dgst 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/x509.pod 2015-04-21 17:01:38.843551664 +0200
-@@ -107,6 +107,7 @@ the digest to use. This affects any sign
- digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
- specified then SHA1 is used. If the key being used to sign with is a DSA key
- then this option has no effect: SHA1 is always used with DSA keys.
-+For full list of digests see openssl dgst -h output.
-
- =item B<-engine id>
-
Deleted |
_service:download_src_package:openssl-1.0.2a-cc-reqs.patch
@@ -1,27 +0,0 @@
-diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c
---- openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs 2015-04-09 18:22:58.638448432 +0200
-+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-09 18:22:57.264416692 +0200
-@@ -474,6 +474,12 @@ static int rsa_builtin_keygen(RSA *rsa,
- if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
- goto err;
-
-+ /* prepare minimum p and q difference */
-+ if (!BN_one(r3))
-+ goto err;
-+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
-+ goto err;
-+
- BN_copy(rsa->e, e_value);
-
- /* generate p and q */
-@@ -501,7 +507,9 @@ static int rsa_builtin_keygen(RSA *rsa,
- do {
- if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
- goto err;
-- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
-+ if (!BN_sub(r2, rsa->q, rsa->p))
-+ goto err;
-+ } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
- if (degenerate == 3) {
- ok = 0; /* we set our own err */
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
Deleted |
_service:download_src_package:openssl-1.0.2a-chil-fixes.patch
@@ -1,24 +0,0 @@
-diff -up openssl-1.0.2a/engines/e_chil.c.chil openssl-1.0.2a/engines/e_chil.c
---- openssl-1.0.2a/engines/e_chil.c.chil 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/engines/e_chil.c 2015-04-21 17:06:25.480293443 +0200
-@@ -1247,6 +1247,11 @@ static int hwcrhk_insert_card(const char
- UI *ui;
- void *callback_data = NULL;
- UI_METHOD *ui_method = NULL;
-+ /* Despite what the documentation says prompt_info can be
-+ * an empty string.
-+ */
-+ if (prompt_info && !*prompt_info)
-+ prompt_info = NULL;
-
- if (cactx) {
- if (cactx->ui_method)
-@@ -1268,7 +1273,7 @@ static int hwcrhk_insert_card(const char
- ui = UI_new_method(ui_method);
-
- if (ui) {
-- char answer;
-+ char answer = '\0';
- char buf[BUFSIZ];
- /*
- * Despite what the documentation says wrong_info can be an empty
Deleted |
_service:download_src_package:openssl-1.0.2a-compat-symbols.patch
@@ -1,46 +0,0 @@
-diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.compat openssl-1.0.2a/crypto/dsa/dsa_key.c
---- openssl-1.0.2a/crypto/dsa/dsa_key.c.compat 2015-04-09 18:21:11.687977858 +0200
-+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-09 18:21:07.869889659 +0200
-@@ -68,6 +68,11 @@
- # include <openssl/fips.h>
- # include <openssl/evp.h>
-
-+/* just a compatibility symbol - no-op */
-+void FIPS_corrupt_dsa_keygen(void)
-+{
-+}
-+
- static int fips_check_dsa(DSA *dsa)
- {
- EVP_PKEY *pk;
-diff -up openssl-1.0.2a/crypto/engine/eng_all.c.compat openssl-1.0.2a/crypto/engine/eng_all.c
---- openssl-1.0.2a/crypto/engine/eng_all.c.compat 2015-04-09 18:21:11.688977881 +0200
-+++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-09 18:21:09.159919459 +0200
-@@ -63,6 +63,11 @@
- # include <openssl/fips.h>
- #endif
-
-+/* just backwards compatibility symbol - no-op */
-+void ENGINE_load_aesni(void)
-+{
-+}
-+
- void ENGINE_load_builtin_engines(void)
- {
- /* Some ENGINEs need this */
-diff -up openssl-1.0.2a/crypto/fips/fips.c.compat openssl-1.0.2a/crypto/fips/fips.c
---- openssl-1.0.2a/crypto/fips/fips.c.compat 2015-04-09 18:21:11.689977904 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-09 18:21:09.925937154 +0200
-@@ -113,6 +113,12 @@ int FIPS_module_mode(void)
- return ret;
- }
-
-+/* just a compat symbol - return NULL */
-+const void *FIPS_rand_check(void)
-+{
-+ return NULL;
-+}
-+
- int FIPS_selftest_failed(void)
- {
- int ret = 0;
Deleted |
_service:download_src_package:openssl-1.0.2a-defaults.patch
@@ -1,60 +0,0 @@
-diff -up openssl-1.0.2a/apps/openssl.cnf.defaults openssl-1.0.2a/apps/openssl.cnf
---- openssl-1.0.2a/apps/openssl.cnf.defaults 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/openssl.cnf 2015-04-20 14:37:10.112271850 +0200
-@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
-
- default_days = 365 # how long to certify for
- default_crl_days= 30 # how long before next CRL
--default_md = default # use public key default MD
-+default_md = sha256 # use SHA-256 by default
- preserve = no # keep passed DN ordering
-
- # A few difference way of specifying how similar the request should look
-@@ -104,6 +104,7 @@ emailAddress = optional
- ####################################################################
- [ req ]
- default_bits = 2048
-+default_md = sha256
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
-@@ -126,17 +127,18 @@ string_mask = utf8only
-
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
--countryName_default = AU
-+countryName_default = XX
- countryName_min = 2
- countryName_max = 2
-
- stateOrProvinceName = State or Province Name (full name)
--stateOrProvinceName_default = Some-State
-+#stateOrProvinceName_default = Default Province
-
- localityName = Locality Name (eg, city)
-+localityName_default = Default City
-
- 0.organizationName = Organization Name (eg, company)
--0.organizationName_default = Internet Widgits Pty Ltd
-+0.organizationName_default = Default Company Ltd
-
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
-@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
- organizationalUnitName = Organizational Unit Name (eg, section)
- #organizationalUnitName_default =
-
--commonName = Common Name (e.g. server FQDN or YOUR name)
-+commonName = Common Name (eg, your name or your server\'s hostname)
- commonName_max = 64
-
- emailAddress = Email Address
-@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
- default_policy = tsa_policy1 # Policy if request did not specify it
- # (optional)
- other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
--digests = md5, sha1 # Acceptable message digests (mandatory)
-+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
- accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
- clock_precision_digits = 0 # number of digits after dot. (optional)
- ordering = yes # Is ordering defined for timestamps?
Deleted |
_service:download_src_package:openssl-1.0.2a-disable-sslv2v3.patch
@@ -1,13 +0,0 @@
-diff -up openssl-1.0.2a/ssl/ssl_lib.c.v2v3 openssl-1.0.2a/ssl/ssl_lib.c
---- openssl-1.0.2a/ssl/ssl_lib.c.v2v3 2015-04-22 15:37:15.974345757 +0200
-+++ openssl-1.0.2a/ssl/ssl_lib.c 2015-04-22 15:39:39.114782365 +0200
-@@ -2048,6 +2048,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-
-+ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
-+ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-+
- return (ret);
- err:
- SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
Deleted |
_service:download_src_package:openssl-1.0.2a-dtls1-abi.patch
@@ -1,23 +0,0 @@
-diff -up openssl-1.0.2a/ssl/dtls1.h.dtls1-abi openssl-1.0.2a/ssl/dtls1.h
---- openssl-1.0.2a/ssl/dtls1.h.dtls1-abi 2015-04-21 10:49:57.984781143 +0200
-+++ openssl-1.0.2a/ssl/dtls1.h 2015-04-21 16:41:37.835164264 +0200
-@@ -214,9 +214,6 @@ typedef struct dtls1_state_st {
- * loss.
- */
- record_pqueue buffered_app_data;
-- /* Is set when listening for new connections with dtls1_listen() */
-- unsigned int listen;
-- unsigned int link_mtu; /* max on-the-wire DTLS packet size */
- unsigned int mtu; /* max DTLS packet size */
- struct hm_header_st w_msg_hdr;
- struct hm_header_st r_msg_hdr;
-@@ -241,6 +238,9 @@ typedef struct dtls1_state_st {
- * Cleared after the message has been processed.
- */
- unsigned int change_cipher_spec_ok;
-+ /* Is set when listening for new connections with dtls1_listen() */
-+ unsigned int listen;
-+ unsigned int link_mtu; /* max on-the-wire DTLS packet size */
- # ifndef OPENSSL_NO_SCTP
- /* used when SSL_ST_XX_FLUSH is entered */
- int next_state;
Deleted |
_service:download_src_package:openssl-1.0.2a-enc-fail.patch
@@ -1,61 +0,0 @@
-diff -up openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2a/crypto/evp/bio_enc.c
---- openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/bio_enc.c 2015-04-22 18:10:06.491819948 +0200
-@@ -201,10 +201,14 @@ static int enc_read(BIO *b, char *out, i
- break;
- }
- } else {
-- EVP_CipherUpdate(&(ctx->cipher),
-- (unsigned char *)ctx->buf, &ctx->buf_len,
-- (unsigned char *)&(ctx->buf[BUF_OFFSET]), i);
-- ctx->cont = 1;
-+ if (!EVP_CipherUpdate(&(ctx->cipher),
-+ (unsigned char *)ctx->buf, &ctx->buf_len,
-+ (unsigned char *)&(ctx->buf[BUF_OFFSET]),
-+ i)) {
-+ ctx->ok = 0;
-+ ctx->cont = 0;
-+ } else
-+ ctx->cont = 1;
- /*
- * Note: it is possible for EVP_CipherUpdate to decrypt zero
- * bytes because this is or looks like the final block: if this
-@@ -260,9 +264,13 @@ static int enc_write(BIO *b, const char
- ctx->buf_off = 0;
- while (inl > 0) {
- n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl;
-- EVP_CipherUpdate(&(ctx->cipher),
-- (unsigned char *)ctx->buf, &ctx->buf_len,
-- (unsigned char *)in, n);
-+ if (!EVP_CipherUpdate(&(ctx->cipher),
-+ (unsigned char *)ctx->buf, &ctx->buf_len,
-+ (unsigned char *)in, n)) {
-+ BIO_copy_next_retry(b);
-+ ctx->ok = 0;
-+ return ret - inl;
-+ }
- inl -= n;
- in += n;
-
-@@ -298,8 +306,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
- case BIO_CTRL_RESET:
- ctx->ok = 1;
- ctx->finished = 0;
-- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
-- ctx->cipher.encrypt);
-+ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
-+ ctx->cipher.encrypt))
-+ ctx->ok = 0;
- ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
- break;
- case BIO_CTRL_EOF: /* More to read */
-@@ -421,7 +430,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
-
- b->init = 1;
- ctx = (BIO_ENC_CTX *)b->ptr;
-- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
-+ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
-+ ctx->ok = 0;
-
- if (b->callback != NULL)
- b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
Deleted |
_service:download_src_package:openssl-1.0.2a-enginesdir.patch
@@ -1,52 +0,0 @@
-diff -up openssl-1.0.2a/Configure.enginesdir openssl-1.0.2a/Configure
---- openssl-1.0.2a/Configure.enginesdir 2015-04-20 14:37:58.137392222 +0200
-+++ openssl-1.0.2a/Configure 2015-04-20 14:37:58.140392292 +0200
-@@ -702,6 +702,7 @@ my $idx_multilib = $idx++;
- my $prefix="";
- my $libdir="";
- my $openssldir="";
-+my $enginesdir="";
- my $exe_ext="";
- my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
- my $cross_compile_prefix="";
-@@ -929,6 +930,10 @@ PROCESS_ARGS:
- {
- $openssldir=$1;
- }
-+ elsif (/^--enginesdir=(.*)$/)
-+ {
-+ $enginesdir=$1;
-+ }
- elsif (/^--install.prefix=(.*)$/)
- {
- $install_prefix=$1;
-@@ -1185,7 +1190,7 @@ chop $prefix if $prefix =~ /.\/$/;
-
- $openssldir=$prefix . "/ssl" if $openssldir eq "";
- $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
--
-+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
-
- print "IsMK1MF=$IsMK1MF\n";
-
-@@ -1871,7 +1876,7 @@ while (<IN>)
- }
- elsif (/^#define\s+ENGINESDIR/)
- {
-- my $foo = "$prefix/$libdir/engines";
-+ my $foo = "$enginesdir";
- $foo =~ s/\\/\\\\/g;
- print OUT "#define ENGINESDIR \"$foo\"\n";
- }
-diff -up openssl-1.0.2a/engines/Makefile.enginesdir openssl-1.0.2a/engines/Makefile
---- openssl-1.0.2a/engines/Makefile.enginesdir 2015-04-20 14:37:58.140392292 +0200
-+++ openssl-1.0.2a/engines/Makefile 2015-04-20 14:40:15.570598383 +0200
-@@ -124,7 +124,7 @@ install:
- esac; \
- cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
- fi; \
-- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
-+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- done; \
- fi
Deleted |
_service:download_src_package:openssl-1.0.2a-env-zlib.patch
@@ -1,39 +0,0 @@
-diff -up openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
---- openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2015-04-09 18:17:20.509637597 +0200
-+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-09 18:17:14.767504953 +0200
-@@ -47,6 +47,13 @@ Once the identities of the compression m
- been standardized, the compression API will most likely be changed. Using
- it in the current state is not recommended.
-
-+It is also not recommended to use compression if data transfered contain
-+untrusted parts that can be manipulated by an attacker as he could then
-+get information about the encrypted data. See the CRIME attack. For
-+that reason the default loading of the zlib compression method is
-+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
-+is present during the library initialization.
-+
- =head1 RETURN VALUES
-
- SSL_COMP_add_compression_method() may return the following values:
-diff -up openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib openssl-1.0.2a/ssl/ssl_ciph.c
---- openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib 2015-04-09 18:17:20.510637620 +0200
-+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-09 18:17:20.264631937 +0200
-@@ -140,6 +140,8 @@
- * OTHERWISE.
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <openssl/objects.h>
- #ifndef OPENSSL_NO_COMP
-@@ -450,7 +452,8 @@ static void load_builtin_compressions(vo
-
- MemCheck_off();
- ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
-- if (ssl_comp_methods != NULL) {
-+ if (ssl_comp_methods != NULL
-+ && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
- comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
- if (comp != NULL) {
- comp->method = COMP_zlib();
Deleted |
_service:download_src_package:openssl-1.0.2a-fips-ctor.patch
@@ -1,174 +0,0 @@
-diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c
---- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor 2015-04-21 17:42:18.702765856 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-21 17:42:18.742766794 +0200
-@@ -60,6 +60,8 @@
- #include <dlfcn.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <unistd.h>
-+#include <errno.h>
- #include "fips_locl.h"
-
- #ifdef OPENSSL_FIPS
-@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
- }
-
- # define HMAC_PREFIX "."
--# define HMAC_SUFFIX ".hmac"
-+# ifndef HMAC_SUFFIX
-+# define HMAC_SUFFIX ".hmac"
-+# endif
- # define READ_BUFFER_LENGTH 16384
-
- static char *make_hmac_path(const char *origpath)
-@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
- return rv;
- }
-
--static int FIPSCHECK_verify(const char *libname, const char *symbolname)
-+static int FIPSCHECK_verify(const char *path)
- {
-- char path[PATH_MAX + 1];
-- int rv;
-+ int rv = 0;
- FILE *hf;
- char *hmacpath, *p;
- char *hmac = NULL;
- size_t n;
-
-- rv = get_library_path(libname, symbolname, path, sizeof(path));
--
-- if (rv < 0)
-- return 0;
--
- hmacpath = make_hmac_path(path);
- if (hmacpath == NULL)
- return 0;
-@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
- return 1;
- }
-
-+static int verify_checksums(void)
-+{
-+ int rv;
-+ char path[PATH_MAX + 1];
-+ char *p;
-+
-+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
-+ are in the same directory */
-+
-+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
-+ "FIPS_mode_set", path, sizeof(path));
-+ if (rv < 0)
-+ return 0;
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+
-+ /* replace libcrypto with libssl */
-+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
-+ p = stpcpy(p, "libssl");
-+ memmove(p, p + 3, strlen(p + 2));
-+ }
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+ return 1;
-+}
-+
-+# ifndef FIPS_MODULE_PATH
-+# define FIPS_MODULE_PATH "/etc/system-fips"
-+# endif
-+
-+int FIPS_module_installed(void)
-+{
-+ int rv;
-+ rv = access(FIPS_MODULE_PATH, F_OK);
-+ if (rv < 0 && errno != ENOENT)
-+ rv = 0;
-+
-+ /* Installed == true */
-+ return !rv;
-+}
-+
- int FIPS_module_mode_set(int onoff, const char *auth)
- {
- int ret = 0;
-@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
- }
- # endif
-
-- if (!FIPSCHECK_verify
-- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
-- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-- fips_selftest_fail = 1;
-- ret = 0;
-- goto end;
-- }
--
-- if (!FIPSCHECK_verify
-- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
-+ if (!verify_checksums()) {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
-diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h
---- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor 2015-04-21 17:42:18.739766724 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-21 17:42:18.743766818 +0200
-@@ -74,6 +74,7 @@ extern "C" {
-
- int FIPS_module_mode_set(int onoff, const char *auth);
- int FIPS_module_mode(void);
-+ int FIPS_module_installed(void);
- const void *FIPS_rand_check(void);
- int FIPS_selftest(void);
- int FIPS_selftest_failed(void);
-diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c
---- openssl-1.0.2a/crypto/o_init.c.fips-ctor 2015-04-21 17:42:18.732766559 +0200
-+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:45:02.662613173 +0200
-@@ -74,6 +74,9 @@ static void init_fips_mode(void)
- char buf[2] = "0";
- int fd;
-
-+ /* Ensure the selftests always run */
-+ FIPS_mode_set(1);
-+
- if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
- buf[0] = '1';
- } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
-@@ -85,8 +88,12 @@ static void init_fips_mode(void)
- * otherwise..
- */
-
-- if (buf[0] == '1') {
-- FIPS_mode_set(1);
-+ if (buf[0] != '1') {
-+ /* drop down to non-FIPS mode if it is not requested */
-+ FIPS_mode_set(0);
-+ } else {
-+ /* abort if selftest failed */
-+ FIPS_selftest_check();
- }
- }
- #endif
-@@ -96,13 +103,16 @@ static void init_fips_mode(void)
- * sets FIPS callbacks
- */
-
--void OPENSSL_init_library(void)
-+void __attribute__ ((constructor)) OPENSSL_init_library(void)
- {
- static int done = 0;
- if (done)
- return;
- done = 1;
- #ifdef OPENSSL_FIPS
-+ if (!FIPS_module_installed()) {
-+ return;
-+ }
- RAND_init_fips();
- init_fips_mode();
- if (!FIPS_mode()) {
Deleted |
_service:download_src_package:openssl-1.0.2a-fips-ec.patch
@@ -1,1929 +0,0 @@
-diff -up openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.2a/crypto/ecdh/ecdhtest.c
---- openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdh/ecdhtest.c 2015-04-22 19:00:19.721884512 +0200
-@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
- goto err;
-
- /* NIST PRIME CURVES TESTS */
-+# if 0
- if (!test_ecdh_curve
- (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
- goto err;
- if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
- goto err;
-+# endif
- if (!test_ecdh_curve
- (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
- goto err;
-@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
- if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
- goto err;
- # endif
-+# if 0
- if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
- goto err;
- if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
- goto err;
- if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
- goto err;
--
-+# endif
- ret = 0;
-
- err:
-diff -up openssl-1.0.2a/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.2a/crypto/ecdh/ech_lib.c
---- openssl-1.0.2a/crypto/ecdh/ech_lib.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdh/ech_lib.c 2015-04-22 19:00:19.721884512 +0200
-@@ -93,14 +93,7 @@ void ECDH_set_default_method(const ECDH_
- const ECDH_METHOD *ECDH_get_default_method(void)
- {
- if (!default_ECDH_method) {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_ecdh_openssl();
-- else
-- return ECDH_OpenSSL();
--#else
- default_ECDH_method = ECDH_OpenSSL();
--#endif
- }
- return default_ECDH_method;
- }
-diff -up openssl-1.0.2a/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.2a/crypto/ecdh/ech_ossl.c
---- openssl-1.0.2a/crypto/ecdh/ech_ossl.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdh/ech_ossl.c 2015-04-22 19:00:19.722884536 +0200
-@@ -78,6 +78,10 @@
- #include <openssl/obj_mac.h>
- #include <openssl/bn.h>
-
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+
- static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
- EC_KEY *ecdh,
- void *(*KDF) (const void *in, size_t inlen,
-@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = {
- NULL, /* init */
- NULL, /* finish */
- #endif
-- 0, /* flags */
-+ ECDH_FLAG_FIPS_METHOD, /* flags */
- NULL /* app_data */
- };
-
-@@ -119,6 +123,13 @@ static int ecdh_compute_key(void *out, s
- size_t buflen, len;
- unsigned char *buf = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+#endif
-+
- if (outlen > INT_MAX) {
- ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of,
- * anyway */
-diff -up openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecdsatest.c
---- openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdsa/ecdsatest.c 2015-04-22 19:00:19.722884536 +0200
-@@ -138,11 +138,14 @@ int restore_rand(void)
- }
-
- static int fbytes_counter = 0;
--static const char *numbers[8] = {
-+static const char *numbers[10] = {
-+ "651056770906015076056810763456358567190100156695615665659",
- "651056770906015076056810763456358567190100156695615665659",
- "6140507067065001063065065565667405560006161556565665656654",
- "8763001015071075675010661307616710783570106710677817767166"
- "71676178726717",
-+ "8763001015071075675010661307616710783570106710677817767166"
-+ "71676178726717",
- "7000000175690566466555057817571571075705015757757057795755"
- "55657156756655",
- "1275552191113212300012030439187146164646146646466749494799",
-@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num)
- int ret;
- BIGNUM *tmp = NULL;
-
-- if (fbytes_counter >= 8)
-+ if (fbytes_counter >= 10)
- return 0;
- tmp = BN_new();
- if (!tmp)
-@@ -532,8 +535,10 @@ int main(void)
- RAND_seed(rnd_seed, sizeof(rnd_seed));
-
- /* the tests */
-+# if 0
- if (!x9_62_tests(out))
- goto err;
-+# endif
- if (!test_builtin(out))
- goto err;
-
-diff -up openssl-1.0.2a/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecs_lib.c
---- openssl-1.0.2a/crypto/ecdsa/ecs_lib.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdsa/ecs_lib.c 2015-04-22 19:00:19.722884536 +0200
-@@ -80,14 +80,7 @@ void ECDSA_set_default_method(const ECDS
- const ECDSA_METHOD *ECDSA_get_default_method(void)
- {
- if (!default_ECDSA_method) {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_ecdsa_openssl();
-- else
-- return ECDSA_OpenSSL();
--#else
- default_ECDSA_method = ECDSA_OpenSSL();
--#endif
- }
- return default_ECDSA_method;
- }
-diff -up openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c
---- openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c 2015-04-22 19:00:19.722884536 +0200
-@@ -60,6 +60,9 @@
- #include <openssl/err.h>
- #include <openssl/obj_mac.h>
- #include <openssl/bn.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
- const BIGNUM *, const BIGNUM *,
-@@ -78,7 +81,7 @@ static ECDSA_METHOD openssl_ecdsa_meth =
- NULL, /* init */
- NULL, /* finish */
- #endif
-- 0, /* flags */
-+ ECDSA_FLAG_FIPS_METHOD, /* flags */
- NULL /* app_data */
- };
-
-@@ -245,6 +248,13 @@ static ECDSA_SIG *ecdsa_do_sign(const un
- ECDSA_DATA *ecdsa;
- const BIGNUM *priv_key;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_ECDSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+#endif
-+
- ecdsa = ecdsa_check(eckey);
- group = EC_KEY_get0_group(eckey);
- priv_key = EC_KEY_get0_private_key(eckey);
-@@ -358,6 +368,13 @@ static int ecdsa_do_verify(const unsigne
- const EC_GROUP *group;
- const EC_POINT *pub_key;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_ECDSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+#endif
-+
- /* check input values */
- if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
- (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
-diff -up openssl-1.0.2a/crypto/ec/ec_cvt.c.fips-ec openssl-1.0.2a/crypto/ec/ec_cvt.c
---- openssl-1.0.2a/crypto/ec/ec_cvt.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/ec/ec_cvt.c 2015-04-22 19:01:08.703040756 +0200
-@@ -82,10 +82,6 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const B
Deleted |
_service:download_src_package:openssl-1.0.2a-fips-md5-allow.patch
@@ -1,21 +0,0 @@
-diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.2a/crypto/md5/md5_dgst.c
---- openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow 2015-04-09 18:18:36.505393113 +0200
-+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-09 18:18:32.408298469 +0200
-@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--nonfips_md_init(MD5)
-+int MD5_Init(MD5_CTX *c)
-+#ifdef OPENSSL_FIPS
-+{
-+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
-+ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
-+ return private_MD5_Init(c);
-+}
-+
-+int private_MD5_Init(MD5_CTX *c)
-+#endif
- {
- memset(c, 0, sizeof(*c));
- c->A = INIT_DATA_A;
Deleted |
_service:download_src_package:openssl-1.0.2a-ipv6-apps.patch
@@ -1,525 +0,0 @@
-diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
---- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
-+++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
-@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
- #define PORT_STR "4433"
- #define PROTOCOL "tcp"
-
--int do_server(int port, int type, int *ret,
-+int do_server(char *port, int type, int *ret,
- int (*cb) (char *hostname, int s, int stype,
- unsigned char *context), unsigned char *context,
- int naccept);
-@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
- int ssl_print_curves(BIO *out, SSL *s, int noshared);
- #endif
- int ssl_print_tmp_key(BIO *out, SSL *s);
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, char *port, int type);
- int should_retry(int i);
- int extract_port(char *str, short *port_ptr);
--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-- short *p);
-+int extract_host_port(char *str, char **host_ptr, char **port_ptr);
-
- long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
- int argi, long argl, long ret);
-diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
---- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
-+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
-@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
- int cbuf_len, cbuf_off;
- int sbuf_len, sbuf_off;
- fd_set readfds, writefds;
-- short port = PORT;
-+ char *port_str = PORT_STR;
- int full_log = 1;
- char *host = SSL_HOST_NAME;
- char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
-@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
- } else if (strcmp(*argv, "-port") == 0) {
- if (--argc < 1)
- goto bad;
-- port = atoi(*(++argv));
-- if (port == 0)
-- goto bad;
-+ port_str = *(++argv);
- } else if (strcmp(*argv, "-connect") == 0) {
- if (--argc < 1)
- goto bad;
-- if (!extract_host_port(*(++argv), &host, NULL, &port))
-+ if (!extract_host_port(*(++argv), &host, &port_str))
- goto bad;
- } else if (strcmp(*argv, "-verify") == 0) {
- verify = SSL_VERIFY_PEER;
-@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
-
- re_start:
-
-- if (init_client(&s, host, port, socket_type) == 0) {
-+ if (init_client(&s, host, port_str, socket_type) == 0) {
- BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
- SHUTDOWN(s);
- goto end;
-diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
---- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
-+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
-@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
- {
- X509_VERIFY_PARAM *vpm = NULL;
- int badarg = 0;
-- short port = PORT;
-+ char *port_str = PORT_STR;
- char *CApath = NULL, *CAfile = NULL;
- char *chCApath = NULL, *chCAfile = NULL;
- char *vfyCApath = NULL, *vfyCAfile = NULL;
-@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
- if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
- if (--argc < 1)
- goto bad;
-- if (!extract_port(*(++argv), &port))
-+ port_str = *(++argv);
-+ if (port_str == NULL || *port_str == '\0')
- goto bad;
- } else if (strcmp(*argv, "-naccept") == 0) {
- if (--argc < 1)
-@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
- BIO_printf(bio_s_out, "ACCEPT\n");
- (void)BIO_flush(bio_s_out);
- if (rev)
-- do_server(port, socket_type, &accept_socket, rev_body, context,
-+ do_server(port_str, socket_type, &accept_socket, rev_body, context,
- naccept);
- else if (www)
-- do_server(port, socket_type, &accept_socket, www_body, context,
-+ do_server(port_str, socket_type, &accept_socket, www_body, context,
- naccept);
- else
-- do_server(port, socket_type, &accept_socket, sv_body, context,
-+ do_server(port_str, socket_type, &accept_socket, sv_body, context,
- naccept);
- print_stats(bio_s_out, ctx);
- ret = 0;
-diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
---- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
-@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
- static void ssl_sock_cleanup(void);
- # endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port, char *ip, int type);
-+static int init_server(int *sock, char *port, int type);
- static int do_accept(int acc_sock, int *sock, char **host);
- static int host_ip(char *str, unsigned char ip[4]);
-
-@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
- return (1);
- }
-
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, char *port, int type)
- {
-- unsigned char ip[4];
--
-- memset(ip, '\0', sizeof ip);
-- if (!host_ip(host, &(ip[0])))
-- return 0;
-- return init_client_ip(sock, ip, port, type);
--}
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
--{
-- unsigned long addr;
-- struct sockaddr_in them;
-- int s, i;
-+ struct addrinfo *res, *res0, hints;
-+ char *failed_call = NULL;
-+ int s;
-+ int e;
-
- if (!ssl_sock_init())
- return (0);
-
-- memset((char *)&them, 0, sizeof(them));
-- them.sin_family = AF_INET;
-- them.sin_port = htons((unsigned short)port);
-- addr = (unsigned long)
-- ((unsigned long)ip[0] << 24L) |
-- ((unsigned long)ip[1] << 16L) |
-- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
-- them.sin_addr.s_addr = htonl(addr);
--
-- if (type == SOCK_STREAM)
-- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
-- else /* ( type == SOCK_DGRAM) */
-- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
--
-- if (s == INVALID_SOCKET) {
-- perror("socket");
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_ADDRCONFIG;
-+
-+ e = getaddrinfo(host, port, &hints, &res);
-+ if (e) {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
- return (0);
- }
-+
-+ res0 = res;
-+ while (res) {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET) {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
- # if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
-- if (type == SOCK_STREAM) {
-- i = 0;
-- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
-- if (i < 0) {
-- closesocket(s);
-- perror("keepalive");
-- return (0);
-+ if (type == SOCK_STREAM) {
-+ int i = 0;
-+ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
-+ (char *)&i, sizeof(i));
-+ if (i < 0) {
-+ failed_call = "keepalive";
-+ goto nextres;
-+ }
- }
-- }
- # endif
--
Deleted |
_service:download_src_package:openssl-1.0.2a-issuer-hash.patch
@@ -1,11 +0,0 @@
-diff -up openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1k/crypto/x509/x509_cmp.c
---- openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash 2015-04-09 18:16:03.349855193 +0200
-+++ openssl-1.0.1k/crypto/x509/x509_cmp.c 2015-04-09 18:16:00.616792058 +0200
-@@ -86,6 +86,7 @@ unsigned long X509_issuer_and_serial_has
- char *f;
-
- EVP_MD_CTX_init(&ctx);
-+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
- if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
- goto err;
Deleted |
_service:download_src_package:openssl-1.0.2a-no-md5-verify.patch
@@ -1,25 +0,0 @@
-diff -up openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.2a/crypto/asn1/a_verify.c
---- openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify 2015-04-09 18:20:58.829680829 +0200
-+++ openssl-1.0.2a/crypto/asn1/a_verify.c 2015-04-09 18:20:54.495580710 +0200
-@@ -56,6 +56,9 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-+
- #include <stdio.h>
- #include <time.h>
-
-@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
- if (ret != 2)
- goto err;
- ret = -1;
-+ } else if (mdnid == NID_md5
-+ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
-+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
-+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-+ goto err;
- } else {
- const EVP_MD *type;
- type = EVP_get_digestbynid(mdnid);
Deleted |
_service:download_src_package:openssl-1.0.2a-no-rpath.patch
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.2a/Makefile.shared.no-rpath openssl-1.0.2a/Makefile.shared
---- openssl-1.0.2a/Makefile.shared.no-rpath 2015-04-09 18:14:39.647921663 +0200
-+++ openssl-1.0.2a/Makefile.shared 2015-04-09 18:14:34.423800985 +0200
-@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
--DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
- #This is rather special. It's a special target with which one can link
- #applications without bothering with any features that have anything to
Deleted |
_service:download_src_package:openssl-1.0.2a-padlock64.patch
@@ -1,198 +0,0 @@
-diff -up openssl-1.0.2a/engines/e_padlock.c.padlock64 openssl-1.0.2a/engines/e_padlock.c
---- openssl-1.0.2a/engines/e_padlock.c.padlock64 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/engines/e_padlock.c 2015-04-22 16:23:44.105617468 +0200
-@@ -101,7 +101,10 @@
- */
- # undef COMPILE_HW_PADLOCK
- # if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
--# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
-+# if (defined(__GNUC__) && __GNUC__>=2 && \
-+ (defined(__i386__) || defined(__i386) || \
-+ defined(__x86_64__) || defined(__x86_64)) \
-+ ) || \
- (defined(_MSC_VER) && defined(_M_IX86))
- # define COMPILE_HW_PADLOCK
- # endif
-@@ -140,7 +143,7 @@ void ENGINE_load_padlock(void)
- # endif
- # elif defined(__GNUC__)
- # ifndef alloca
--# define alloca(s) __builtin_alloca(s)
-+# define alloca(s) __builtin_alloca((s))
- # endif
- # endif
-
-@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_da
- * =======================================================
- */
- # if defined(__GNUC__) && __GNUC__>=2
-+# if defined(__i386__) || defined(__i386)
- /*
- * As for excessive "push %ebx"/"pop %ebx" found all over.
- * When generating position-independent code GCC won't let
-@@ -379,22 +383,6 @@ static int padlock_available(void)
- return padlock_use_ace + padlock_use_rng;
- }
-
--# ifndef OPENSSL_NO_AES
--# ifndef AES_ASM
--/* Our own htonl()/ntohl() */
--static inline void padlock_bswapl(AES_KEY *ks)
--{
-- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
-- unsigned int *key = ks->rd_key;
--
-- while (i--) {
-- asm volatile ("bswapl %0":"+r" (*key));
-- key++;
-- }
--}
--# endif
--# endif
--
- /*
- * Force key reload from memory to the CPU microcode. Loading EFLAGS from the
- * stack clears EFLAGS[30] which does the trick.
-@@ -404,7 +392,7 @@ static inline void padlock_reload_key(vo
- asm volatile ("pushfl; popfl");
- }
-
--# ifndef OPENSSL_NO_AES
-+# ifndef OPENSSL_NO_AES
- /*
- * This is heuristic key context tracing. At first one
- * believes that one should use atomic swap instructions,
-@@ -448,6 +436,101 @@ static inline void *name(size_t cnt,
- : "edx", "cc", "memory"); \
- return iv; \
- }
-+# endif
-+
-+# elif defined(__x86_64__) || defined(__x86_64)
-+
-+/* Load supported features of the CPU to see if
-+ the PadLock is available. */
-+static int padlock_available(void)
-+{
-+ char vendor_string[16];
-+ unsigned int eax, edx;
-+
-+ /* Are we running on the Centaur (VIA) CPU? */
-+ eax = 0x00000000;
-+ vendor_string[12] = 0;
-+ asm volatile ("cpuid\n"
-+ "movl %%ebx,(%1)\n"
-+ "movl %%edx,4(%1)\n"
-+ "movl %%ecx,8(%1)\n":"+a" (eax):"r"(vendor_string):"rbx",
-+ "rcx", "rdx");
-+ if (strcmp(vendor_string, "CentaurHauls") != 0)
-+ return 0;
-+
-+ /* Check for Centaur Extended Feature Flags presence */
-+ eax = 0xC0000000;
-+ asm volatile ("cpuid":"+a" (eax)::"rbx", "rcx", "rdx");
-+ if (eax < 0xC0000001)
-+ return 0;
-+
-+ /* Read the Centaur Extended Feature Flags */
-+ eax = 0xC0000001;
-+ asm volatile ("cpuid":"+a" (eax), "=d"(edx)::"rbx", "rcx");
-+
-+ /* Fill up some flags */
-+ padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
-+ padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
-+
-+ return padlock_use_ace + padlock_use_rng;
-+}
-+
-+/* Force key reload from memory to the CPU microcode.
-+ Loading EFLAGS from the stack clears EFLAGS[30]
-+ which does the trick. */
-+static inline void padlock_reload_key(void)
-+{
-+ asm volatile ("pushfq; popfq");
-+}
-+
-+# ifndef OPENSSL_NO_AES
-+/*
-+ * This is heuristic key context tracing. At first one
-+ * believes that one should use atomic swap instructions,
-+ * but it's not actually necessary. Point is that if
-+ * padlock_saved_context was changed by another thread
-+ * after we've read it and before we compare it with cdata,
-+ * our key *shall* be reloaded upon thread context switch
-+ * and we are therefore set in either case...
-+ */
-+static inline void padlock_verify_context(struct padlock_cipher_data *cdata)
-+{
-+ asm volatile ("pushfq\n"
-+ " btl $30,(%%rsp)\n"
-+ " jnc 1f\n"
-+ " cmpq %2,%1\n"
-+ " je 1f\n"
-+ " popfq\n"
-+ " subq $8,%%rsp\n"
-+ "1: addq $8,%%rsp\n"
-+ " movq %2,%0":"+m" (padlock_saved_context)
-+ :"r"(padlock_saved_context), "r"(cdata):"cc");
-+}
-+
-+/* Template for padlock_xcrypt_* modes */
-+/* BIG FAT WARNING:
-+ * The offsets used with 'leal' instructions
-+ * describe items of the 'padlock_cipher_data'
-+ * structure.
-+ */
-+# define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
-+static inline void *name(size_t cnt, \
-+ struct padlock_cipher_data *cdata, \
-+ void *out, const void *inp) \
-+{ void *iv; \
-+ asm volatile ( "leaq 16(%0),%%rdx\n" \
-+ " leaq 32(%0),%%rbx\n" \
-+ rep_xcrypt "\n" \
-+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
-+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
-+ : "rbx", "rdx", "cc", "memory"); \
-+ return iv; \
-+}
-+# endif
-+
-+# endif /* cpu */
-+
-+# ifndef OPENSSL_NO_AES
-
- /* Generate all functions with appropriate opcodes */
- /* rep xcryptecb */
-@@ -458,6 +541,20 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, "
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
- /* rep xcryptofb */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
-+
-+# ifndef AES_ASM
-+/* Our own htonl()/ntohl() */
-+static inline void padlock_bswapl(AES_KEY *ks)
-+{
-+ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
-+ unsigned int *key = ks->rd_key;
-+
-+ while (i--) {
-+ asm volatile ("bswapl %0":"+r" (*key));
-+ key++;
-+ }
-+}
-+# endif
- # endif
- /* The RNG call itself */
- static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
-@@ -485,8 +582,8 @@ static inline unsigned int padlock_xstor
- static inline unsigned char *padlock_memcpy(void *dst, const void *src,
- size_t n)
- {
-- long *d = dst;
-- const long *s = src;
-+ size_t *d = dst;
-+ const size_t *s = src;
-
- n /= sizeof(*d);
- do {
Deleted |
_service:download_src_package:openssl-1.0.2a-pkgconfig-krb5.patch
@@ -1,21 +0,0 @@
-diff -up openssl-1.0.2a/Makefile.org.krb5 openssl-1.0.2a/Makefile.org
---- openssl-1.0.2a/Makefile.org.krb5 2015-04-21 17:08:41.157464459 +0200
-+++ openssl-1.0.2a/Makefile.org 2015-04-21 17:11:56.887039005 +0200
-@@ -372,7 +372,7 @@ libcrypto.pc: Makefile
- echo 'Requires: '; \
- echo 'Libs: -L$${libdir} -lcrypto'; \
- echo 'Libs.private: $(EX_LIBS)'; \
-- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
-+ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
-
- libssl.pc: Makefile
- @ ( echo 'prefix=$(INSTALLTOP)'; \
-@@ -385,7 +385,7 @@ libssl.pc: Makefile
- echo 'Version: '$(VERSION); \
- echo 'Requires.private: libcrypto'; \
- echo 'Libs: -L$${libdir} -lssl'; \
-- echo 'Libs.private: $(EX_LIBS)'; \
-+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
-
- openssl.pc: Makefile
Deleted |
_service:download_src_package:openssl-1.0.2a-readme-warning.patch
@@ -1,50 +0,0 @@
-diff -up openssl-1.0.2a/README.warning openssl-1.0.2a/README
---- openssl-1.0.2a/README.warning 2015-03-20 16:00:47.000000000 +0100
-+++ openssl-1.0.2a/README 2015-03-21 09:06:11.000000000 +0100
-@@ -5,6 +5,46 @@
- Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
- All rights reserved.
-
-+ WARNING
-+ -------
-+
-+ This version of OpenSSL is built in a way that supports operation in
-+ the so called FIPS mode. Note though that the library as we build it
-+ is not FIPS 140-2 validated and the FIPS mode is present for testing
-+ purposes only.
-+
-+ This version also contains a few differences from the upstream code
-+ some of which are:
-+ * The FIPS validation support is significantly different from the
-+ upstream FIPS support. For example the FIPS integrity verification
-+ check is implemented differently as the FIPS module is built inside
-+ the shared library. The HMAC-SHA256 checksums of the whole shared
-+ libraries are verified. Also note that the FIPS integrity
-+ verification check requires that the libcrypto and libssl shared
-+ library files are unmodified which means that it will fail if these
-+ files are changed for example by prelink.
-+ * If the file /etc/system-fips is present the integrity verification
-+ and selftests of the crypto algorithms are run inside the library
-+ constructor code.
-+ * With the /etc/system-fips present the module respects the kernel
-+ FIPS flag /proc/sys/crypto/fips and tries to initialize the FIPS mode
-+ if it is set to 1 aborting if the FIPS mode could not be initialized.
-+ With the /etc/system-fips present it is also possible to force the
-+ OpenSSL library to FIPS mode especially for debugging purposes by
-+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
-+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
-+ will not automatically load the built in compression method ZLIB
-+ when initialized. Applications can still explicitely ask for ZLIB
-+ compression method.
-+ * The library was patched so the certificates, CRLs and other objects
-+ signed with use of MD5 fail verification as the MD5 is too insecure
-+ to be used for signatures. If the environment variable
-+ OPENSSL_ENABLE_MD5_VERIFY is set, the verification can proceed
-+ normally.
-+ * If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set,
-+ the library will not allow generation of DSA and RSA keys with
-+ other lengths than specified in the FIPS 186-4 standard.
-+
- DESCRIPTION
- -----------
-
Deleted |
_service:download_src_package:openssl-1.0.2a-rsa-x931.patch
@@ -1,35 +0,0 @@
-diff -up openssl-1.0.2a/apps/genrsa.c.x931 openssl-1.0.2a/apps/genrsa.c
---- openssl-1.0.2a/apps/genrsa.c.x931 2015-04-09 18:18:24.132107287 +0200
-+++ openssl-1.0.2a/apps/genrsa.c 2015-04-09 18:18:18.852985339 +0200
-@@ -97,6 +97,7 @@ int MAIN(int argc, char **argv)
- int ret = 1;
- int i, num = DEFBITS;
- long l;
-+ int use_x931 = 0;
- const EVP_CIPHER *enc = NULL;
- unsigned long f4 = RSA_F4;
- char *outfile = NULL;
-@@ -139,6 +140,8 @@ int MAIN(int argc, char **argv)
- f4 = 3;
- else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
- f4 = RSA_F4;
-+ else if (strcmp(*argv, "-x931") == 0)
-+ use_x931 = 1;
- # ifndef OPENSSL_NO_ENGINE
- else if (strcmp(*argv, "-engine") == 0) {
- if (--argc < 1)
-@@ -278,7 +281,13 @@ int MAIN(int argc, char **argv)
- if (!rsa)
- goto err;
-
-- if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
-+ if (use_x931) {
-+ if (!BN_set_word(bn, f4))
-+ goto err;
-+ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
-+ goto err;
-+ } else if (!BN_set_word(bn, f4)
-+ || !RSA_generate_key_ex(rsa, num, bn, &cb))
- goto err;
-
- app_RAND_write_file(NULL, bio_err);
Deleted |
_service:download_src_package:openssl-1.0.2a-secure-getenv.patch
@@ -1,241 +0,0 @@
-diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_api.c
---- openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/conf/conf_api.c 2015-04-21 17:14:12.757214532 +0200
-@@ -63,6 +63,8 @@
- # define NDEBUG
- #endif
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <assert.h>
- #include <stdlib.h>
- #include <string.h>
-@@ -141,7 +143,7 @@ char *_CONF_get_string(const CONF *conf,
- if (v != NULL)
- return (v->value);
- if (strcmp(section, "ENV") == 0) {
-- p = getenv(name);
-+ p = secure_getenv(name);
- if (p != NULL)
- return (p);
- }
-@@ -154,7 +156,7 @@ char *_CONF_get_string(const CONF *conf,
- else
- return (NULL);
- } else
-- return (getenv(name));
-+ return (secure_getenv(name));
- }
-
- #if 0 /* There's no way to provide error checking
-diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_mod.c
---- openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/conf/conf_mod.c 2015-04-21 17:13:24.165078848 +0200
-@@ -57,6 +57,8 @@
- *
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <ctype.h>
- #include <openssl/crypto.h>
-@@ -526,7 +528,7 @@ char *CONF_get1_default_config_file(void
- char *file;
- int len;
-
-- file = getenv("OPENSSL_CONF");
-+ file = secure_getenv("OPENSSL_CONF");
- if (file)
- return BUF_strdup(file);
-
-diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/crypto/engine/eng_list.c
---- openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv 2015-04-21 17:13:24.165078848 +0200
-+++ openssl-1.0.2a/crypto/engine/eng_list.c 2015-04-21 17:15:53.180561603 +0200
-@@ -62,6 +62,8 @@
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "eng_int.h"
-
- /*
-@@ -368,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id)
- */
- if (strcmp(id, "dynamic")) {
- # ifdef OPENSSL_SYS_VMS
-- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
-+ if (OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0)
- load_dir = "SSLROOT:[ENGINES]";
- # else
-- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
-+ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
- load_dir = ENGINESDIR;
- # endif
- iterator = ENGINE_by_id("dynamic");
-diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypto/md5/md5_dgst.c
---- openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv 2015-04-21 17:13:24.156078637 +0200
-+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-21 17:13:24.165078848 +0200
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include "md5_locl.h"
- #include <openssl/opensslv.h>
-@@ -75,7 +77,8 @@ const char MD5_version[] = "MD5" OPENSSL
- int MD5_Init(MD5_CTX *c)
- #ifdef OPENSSL_FIPS
- {
-- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
-+ if (FIPS_mode()
-+ && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
- OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
- return private_MD5_Init(c);
- }
-diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_init.c
---- openssl-1.0.2a/crypto/o_init.c.secure-getenv 2015-04-21 17:13:24.142078310 +0200
-+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:13:24.165078848 +0200
-@@ -53,6 +53,8 @@
- *
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <e_os.h>
- #include <openssl/err.h>
- #ifdef OPENSSL_FIPS
-@@ -72,7 +74,7 @@ static void init_fips_mode(void)
- char buf[2] = "0";
- int fd;
-
-- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
-+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
- buf[0] = '1';
- } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
-diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/crypto/rand/randfile.c
---- openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/rand/randfile.c 2015-04-21 17:13:24.165078848 +0200
-@@ -60,6 +60,8 @@
- #if !defined(OPENSSL_SYS_VXWORKS)
- # define _XOPEN_SOURCE 500
- #endif
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-
- #include <errno.h>
- #include <stdio.h>
-@@ -292,14 +294,12 @@ const char *RAND_file_name(char *buf, si
- struct stat sb;
- #endif
-
-- if (OPENSSL_issetugid() == 0)
-- s = getenv("RANDFILE");
-+ s = secure_getenv("RANDFILE");
- if (s != NULL && *s && strlen(s) + 1 < size) {
- if (BUF_strlcpy(buf, s, size) >= size)
- return NULL;
- } else {
-- if (OPENSSL_issetugid() == 0)
-- s = getenv("HOME");
-+ s = secure_getenv("HOME");
- #ifdef DEFAULT_HOME
- if (s == NULL) {
- s = DEFAULT_HOME;
-diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto/x509/by_dir.c
---- openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/x509/by_dir.c 2015-04-21 17:13:24.165078848 +0200
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -128,7 +130,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
- switch (cmd) {
- case X509_L_ADD_DIR:
- if (argl == X509_FILETYPE_DEFAULT) {
-- dir = (char *)getenv(X509_get_default_cert_dir_env());
-+ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
- if (dir)
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
- else
-diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypto/x509/by_file.c
---- openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv 2015-04-21 17:13:24.118077749 +0200
-+++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-21 17:13:24.166078871 +0200
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -97,7 +99,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
- switch (cmd) {
- case X509_L_FILE_LOAD:
- if (argl == X509_FILETYPE_DEFAULT) {
-- file = (char *)getenv(X509_get_default_cert_file_env());
-+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
- if (file)
- ok = (X509_load_cert_crl_file(ctx, file,
- X509_FILETYPE_PEM) != 0);
-diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/crypto/x509/x509_vfy.c
---- openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-21 17:19:14.948277272 +0200
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
Deleted |
_service:download_src_package:openssl-1.0.2a-system-cipherlist.patch
@@ -1,285 +0,0 @@
-diff -up openssl-1.0.2a/Configure.system openssl-1.0.2a/Configure
---- openssl-1.0.2a/Configure.system 2015-04-22 15:23:47.970633650 +0200
-+++ openssl-1.0.2a/Configure 2015-04-22 15:23:48.042635407 +0200
-@@ -10,7 +10,7 @@ use strict;
-
- # see INSTALL for instructions.
-
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-
- # Options:
- #
-@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
- # --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
- # supported values are "MIT" and "Heimdal". A value is required.
- #
-+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
-+# cipher is specified (default).
-+#
- # --test-sanity Make a number of sanity checks on the data in this file.
- # This is a debugging tool for OpenSSL developers.
- #
-@@ -703,6 +706,7 @@ my $prefix="";
- my $libdir="";
- my $openssldir="";
- my $enginesdir="";
-+my $system_ciphers_file="";
- my $exe_ext="";
- my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
- my $cross_compile_prefix="";
-@@ -934,6 +938,10 @@ PROCESS_ARGS:
- {
- $enginesdir=$1;
- }
-+ elsif (/^--system-ciphers-file=(.*)$/)
-+ {
-+ $system_ciphers_file=$1;
-+ }
- elsif (/^--install.prefix=(.*)$/)
- {
- $install_prefix=$1;
-@@ -1096,6 +1104,7 @@ print "Configuring for $target\n";
-
- &usage if (!defined($table{$target}));
-
-+chop $system_ciphers_file if $system_ciphers_file =~ /\/$/;
-
- foreach (sort (keys %disabled))
- {
-@@ -1667,6 +1676,7 @@ while (<IN>)
- s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
- s/^MULTILIB=.*$/MULTILIB=$multilib/;
- s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
-+ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/;
- s/^LIBDIR=.*$/LIBDIR=$libdir/;
- s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
- s/^PLATFORM=.*$/PLATFORM=$target/;
-@@ -1877,6 +1887,14 @@ while (<IN>)
- $foo =~ s/\\/\\\\/g;
- print OUT "#define ENGINESDIR \"$foo\"\n";
- }
-+ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/)
-+ {
-+ my $foo = "$system_ciphers_file";
-+ if ($foo ne '') {
-+ $foo =~ s/\\/\\\\/g;
-+ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n";
-+ }
-+ }
- elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
- { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
- if $export_var_as_fn;
-diff -up openssl-1.0.2a/crypto/opensslconf.h.in.system openssl-1.0.2a/crypto/opensslconf.h.in
---- openssl-1.0.2a/crypto/opensslconf.h.in.system 2015-04-22 15:23:47.988634089 +0200
-+++ openssl-1.0.2a/crypto/opensslconf.h.in 2015-04-22 15:23:48.042635407 +0200
-@@ -25,6 +25,8 @@
- #endif
- #endif
-
-+#undef SYSTEM_CIPHERS_FILE
-+
- #undef OPENSSL_UNISTD
- #define OPENSSL_UNISTD <unistd.h>
-
-diff -up openssl-1.0.2a/ssl/ssl_ciph.c.system openssl-1.0.2a/ssl/ssl_ciph.c
---- openssl-1.0.2a/ssl/ssl_ciph.c.system 2015-04-22 15:23:47.993634211 +0200
-+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-22 15:29:30.185982356 +0200
-@@ -1463,6 +1463,50 @@ static int check_suiteb_cipher_list(cons
- }
- #endif
-
-+#ifdef SYSTEM_CIPHERS_FILE
-+static char *load_system_str(const char *suffix)
-+{
-+ FILE *fp;
-+ char buf[1024];
-+ char *new_rules;
-+ unsigned len, slen;
-+
-+ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
-+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
-+ /* cannot open or file is empty */
-+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
-+ }
-+
-+ if (fp)
-+ fclose(fp);
-+
-+ slen = strlen(suffix);
-+ len = strlen(buf);
-+
-+ if (buf[len - 1] == '\n') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+ if (buf[len - 1] == '\r') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+
-+ new_rules = OPENSSL_malloc(len + slen + 1);
-+ if (new_rules == 0)
-+ return NULL;
-+
-+ memcpy(new_rules, buf, len);
-+ if (slen > 0) {
-+ memcpy(&new_rules[len], suffix, slen);
-+ len += slen;
-+ }
-+ new_rules[len] = 0;
-+
-+ return new_rules;
-+}
-+#endif
-+
- STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
- **cipher_list, STACK_OF(SSL_CIPHER)
- **cipher_list_by_id,
-@@ -1471,19 +1515,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
- unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac,
- disabled_ssl;
-- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
-+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
- const char *rule_p;
- CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
- const SSL_CIPHER **ca_list = NULL;
-+#ifdef SYSTEM_CIPHERS_FILE
-+ char *new_rules = NULL;
-+
-+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
-+ char *p = rule_str + 14;
-+
-+ new_rules = load_system_str(p);
-+ rule_str = new_rules;
-+ }
-+#endif
-
- /*
- * Return with error if nothing to do.
- */
- if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
-- return NULL;
-+ goto end;
- #ifndef OPENSSL_NO_EC
- if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
-- return NULL;
-+ goto end;
- #endif
-
- /*
-@@ -1507,7 +1561,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
- if (co_list == NULL) {
- SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-- return (NULL); /* Failure */
-+ goto end;
- }
-
- ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1568,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- * in force within each class
- */
- if (!ssl_cipher_strength_sort(&head, &tail)) {
-- OPENSSL_free(co_list);
-- return NULL;
-+ goto end;
- }
-
- /* Now disable everything (maintaining the ordering!) */
-@@ -1587,9 +1640,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
- ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
- if (ca_list == NULL) {
-- OPENSSL_free(co_list);
- SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-- return (NULL); /* Failure */
-+ goto end;
- }
Deleted |
_service:download_src_package:openssl-1.0.2a-test-use-localhost.patch
@@ -1,21 +0,0 @@
-diff -up openssl-1.0.2a/ssl/ssltest.c.use-localhost openssl-1.0.2a/ssl/ssltest.c
---- openssl-1.0.2a/ssl/ssltest.c.use-localhost 2015-04-20 14:43:07.172601663 +0200
-+++ openssl-1.0.2a/ssl/ssltest.c 2015-04-20 14:45:02.831299849 +0200
-@@ -1516,16 +1516,7 @@ int main(int argc, char *argv[])
-
- #ifndef OPENSSL_NO_KRB5
- if (c_ssl && c_ssl->kssl_ctx) {
-- char localhost[MAXHOSTNAMELEN + 2];
--
-- if (gethostname(localhost, sizeof localhost - 1) == 0) {
-- localhost[sizeof localhost - 1] = '\0';
-- if (strlen(localhost) == sizeof localhost - 1) {
-- BIO_printf(bio_err, "localhost name too long\n");
-- goto end;
-- }
-- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost);
-- }
-+ kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, "localhost");
- }
- #endif /* OPENSSL_NO_KRB5 */
-
Deleted |
_service:download_src_package:openssl-1.0.2a-version-add-engines.patch
@@ -1,47 +0,0 @@
-diff -up openssl-1.0.2a/apps/version.c.version-add-engines openssl-1.0.2a/apps/version.c
---- openssl-1.0.2a/apps/version.c.version-add-engines 2015-04-09 18:16:42.345756005 +0200
-+++ openssl-1.0.2a/apps/version.c 2015-04-09 18:16:36.573622667 +0200
-@@ -131,6 +131,7 @@
- #ifndef OPENSSL_NO_BF
- # include <openssl/blowfish.h>
- #endif
-+#include <openssl/engine.h>
-
- #undef PROG
- #define PROG version_main
-@@ -140,7 +141,8 @@ int MAIN(int, char **);
- int MAIN(int argc, char **argv)
- {
- int i, ret = 0;
-- int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
-+ int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir =
-+ 0, engines = 0;
-
- apps_startup();
-
-@@ -164,7 +166,7 @@ int MAIN(int argc, char **argv)
- else if (strcmp(argv[i], "-d") == 0)
- dir = 1;
- else if (strcmp(argv[i], "-a") == 0)
-- date = version = cflags = options = platform = dir = 1;
-+ date = version = cflags = options = platform = dir = engines = 1;
- else {
- BIO_printf(bio_err, "usage:version -[avbofpd]\n");
- ret = 1;
-@@ -208,6 +210,16 @@ int MAIN(int argc, char **argv)
- printf("%s\n", SSLeay_version(SSLEAY_CFLAGS));
- if (dir)
- printf("%s\n", SSLeay_version(SSLEAY_DIR));
-+ if (engines) {
-+ ENGINE *e;
-+ printf("engines: ");
-+ e = ENGINE_get_first();
-+ while (e) {
-+ printf("%s ", ENGINE_get_id(e));
-+ e = ENGINE_get_next(e);
-+ }
-+ printf("\n");
-+ }
- end:
- apps_shutdown();
- OPENSSL_EXIT(ret);
Deleted |
_service:download_src_package:openssl-1.0.2a-version.patch
@@ -1,83 +0,0 @@
-diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
---- openssl-1.0.2a/crypto/cversion.c.version 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/cversion.c 2015-04-21 16:48:56.285535316 +0200
-@@ -62,7 +62,7 @@
- # include "buildinf.h"
- #endif
-
--const char *SSLeay_version(int t)
-+const char *_current_SSLeay_version(int t)
- {
- if (t == SSLEAY_VERSION)
- return OPENSSL_VERSION_TEXT;
-@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
- return ("not available");
- }
-
--unsigned long SSLeay(void)
-+const char *_original_SSLeay_version(int t)
-+{
-+ if (t == SSLEAY_VERSION)
-+ return "OpenSSL 1.0.0-fips 29 Mar 2010";
-+ else
-+ return _current_SSLeay_version(t);
-+}
-+
-+const char *_original101_SSLeay_version(int t)
-+{
-+ if (t == SSLEAY_VERSION)
-+ return "OpenSSL 1.0.1e-fips 11 Feb 2013";
-+ else
-+ return _current_SSLeay_version(t);
-+}
-+
-+unsigned long _original_SSLeay(void)
-+{
-+ return (0x10000003L);
-+}
-+
-+unsigned long _original101_SSLeay(void)
-+{
-+ return (0x1000105fL);
-+}
-+
-+unsigned long _current_SSLeay(void)
- {
- return (SSLEAY_VERSION_NUMBER);
- }
-+
-+__asm__(".symver _original_SSLeay,SSLeay@");
-+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
-+__asm__(".symver _original101_SSLeay,SSLeay@OPENSSL_1.0.1");
-+__asm__(".symver _original101_SSLeay_version,SSLeay_version@OPENSSL_1.0.1");
-+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
-+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
-diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
---- openssl-1.0.2a/Makefile.shared.version 2015-04-21 16:43:02.624170648 +0200
-+++ openssl-1.0.2a/Makefile.shared 2015-04-21 16:43:02.676171879 +0200
-@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
- SHLIB_SUFFIX=; \
- ALLSYMSFLAGS='-Wl,--whole-archive'; \
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
- DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
-diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
---- openssl-1.0.2a/version.map.version 2015-04-21 16:43:02.676171879 +0200
-+++ openssl-1.0.2a/version.map 2015-04-21 16:51:49.621630589 +0200
-@@ -0,0 +1,13 @@
-+OPENSSL_1.0.1 {
-+ global:
-+ SSLeay;
-+ SSLeay_version;
-+ local:
-+ _original*;
-+ _current*;
-+};
-+OPENSSL_1.0.2 {
-+ global:
-+ SSLeay;
-+ SSLeay_version;
-+} OPENSSL_1.0.1;
Deleted |
_service:download_src_package:openssl-1.0.2a-weak-ciphers.patch
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.2a/ssl/ssl.h.weak-ciphers openssl-1.0.2a/ssl/ssl.h
---- openssl-1.0.2a/ssl/ssl.h.weak-ciphers 2015-04-22 15:11:14.026574414 +0200
-+++ openssl-1.0.2a/ssl/ssl.h 2015-04-22 15:14:51.302744713 +0200
-@@ -338,7 +338,7 @@ extern "C" {
- * The following cipher list is used by default. It also is substituted when
- * an application-defined cipher list string starts with 'DEFAULT'.
- */
--# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
-+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!DES"
- /*
- * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
- * starts with a reasonable order, and all we have to do for DEFAULT is
Deleted |
_service:download_src_package:openssl-1.0.2a-x509.patch
@@ -1,28 +0,0 @@
-diff -up openssl-1.0.2a/crypto/x509/by_file.c.x509 openssl-1.0.2a/crypto/x509/by_file.c
---- openssl-1.0.2a/crypto/x509/by_file.c.x509 2015-04-09 18:16:29.365456157 +0200
-+++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-09 18:16:26.398387618 +0200
-@@ -152,9 +152,12 @@ int X509_load_cert_file(X509_LOOKUP *ctx
- }
- }
- i = X509_STORE_add_cert(ctx->store_ctx, x);
-- if (!i)
-- goto err;
-- count++;
-+ /* ignore any problems with current certificate
-+ and continue with the next one */
-+ if (i)
-+ count++;
-+ else
-+ ERR_clear_error();
- X509_free(x);
- x = NULL;
- }
-@@ -167,7 +170,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx
- }
- i = X509_STORE_add_cert(ctx->store_ctx, x);
- if (!i)
-- goto err;
-+ ERR_clear_error();
- ret = i;
- } else {
- X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
Deleted |
_service:download_src_package:openssl-1.0.2a-xmpp-starttls.patch
@@ -1,27 +0,0 @@
-diff -up openssl-1.0.2a/apps/s_client.c.starttls openssl-1.0.2a/apps/s_client.c
---- openssl-1.0.2a/apps/s_client.c.starttls 2015-04-22 18:23:12.964387157 +0200
-+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 18:23:56.496414820 +0200
-@@ -134,7 +134,8 @@
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
--
-+/* for strcasestr */
-+#define _GNU_SOURCE
- #include <assert.h>
- #include <ctype.h>
- #include <stdio.h>
-@@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv)
- "xmlns='jabber:client' to='%s' version='1.0'>", host);
- seen = BIO_read(sbio, mbuf, BUFSIZZ);
- mbuf[seen] = 0;
-- while (!strstr
-- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
-+ while (!strcasestr
-+ (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
-+ && !strcasestr(mbuf,
-+ "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
-+ {
- if (strstr(mbuf, "/stream:features>"))
- goto shut;
- seen = BIO_read(sbio, mbuf, BUFSIZZ);
Deleted |
_service:download_src_package:openssl-1.0.2c-default-paths.patch
@@ -1,63 +0,0 @@
-diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
---- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200
-+++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200
-@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
- }
- #endif
-
-- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx))) {
-- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (CAfile == NULL && CApath == NULL) {
-+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
-+ ERR_print_errors(bio_err);
-+ }
-+ } else {
-+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
-+ ERR_print_errors(bio_err);
-+ }
- }
-+
- if (vpm)
- SSL_CTX_set1_param(ctx, vpm);
-
-@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
- else
- SSL_CTX_sess_set_cache_size(ctx2, 128);
-
-- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx2))) {
-+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
- ERR_print_errors(bio_err);
- }
- if (vpm)
-diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
---- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200
-+++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200
-@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
-
- SSL_load_error_strings();
-
-- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
-- /*
-- * BIO_printf(bio_err,"error setting default verify locations\n");
-- */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (CAfile == NULL && CApath == NULL) {
-+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
-+ ERR_print_errors(bio_err);
-+ }
-+ } else {
-+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
-+ ERR_print_errors(bio_err);
-+ }
- }
-
- if (tm_cipher == NULL)
Deleted |
_service:download_src_package:openssl-1.0.2c-ecc-suiteb.patch
@@ -1,195 +0,0 @@
-diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
---- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200
-+++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200
-@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
- } else
- # endif
- # ifndef OPENSSL_NO_ECDSA
-- if (strcmp(*argv, "ecdsap160") == 0)
-- ecdsa_doit[R_EC_P160] = 2;
-- else if (strcmp(*argv, "ecdsap192") == 0)
-- ecdsa_doit[R_EC_P192] = 2;
-- else if (strcmp(*argv, "ecdsap224") == 0)
-- ecdsa_doit[R_EC_P224] = 2;
-- else if (strcmp(*argv, "ecdsap256") == 0)
-+ if (strcmp(*argv, "ecdsap256") == 0)
- ecdsa_doit[R_EC_P256] = 2;
- else if (strcmp(*argv, "ecdsap384") == 0)
- ecdsa_doit[R_EC_P384] = 2;
- else if (strcmp(*argv, "ecdsap521") == 0)
- ecdsa_doit[R_EC_P521] = 2;
-- else if (strcmp(*argv, "ecdsak163") == 0)
-- ecdsa_doit[R_EC_K163] = 2;
-- else if (strcmp(*argv, "ecdsak233") == 0)
-- ecdsa_doit[R_EC_K233] = 2;
-- else if (strcmp(*argv, "ecdsak283") == 0)
-- ecdsa_doit[R_EC_K283] = 2;
-- else if (strcmp(*argv, "ecdsak409") == 0)
-- ecdsa_doit[R_EC_K409] = 2;
-- else if (strcmp(*argv, "ecdsak571") == 0)
-- ecdsa_doit[R_EC_K571] = 2;
-- else if (strcmp(*argv, "ecdsab163") == 0)
-- ecdsa_doit[R_EC_B163] = 2;
-- else if (strcmp(*argv, "ecdsab233") == 0)
-- ecdsa_doit[R_EC_B233] = 2;
-- else if (strcmp(*argv, "ecdsab283") == 0)
-- ecdsa_doit[R_EC_B283] = 2;
-- else if (strcmp(*argv, "ecdsab409") == 0)
-- ecdsa_doit[R_EC_B409] = 2;
-- else if (strcmp(*argv, "ecdsab571") == 0)
-- ecdsa_doit[R_EC_B571] = 2;
- else if (strcmp(*argv, "ecdsa") == 0) {
-- for (i = 0; i < EC_NUM; i++)
-+ for (i = R_EC_P256; i <= R_EC_P521; i++)
- ecdsa_doit[i] = 1;
- } else
- # endif
- # ifndef OPENSSL_NO_ECDH
-- if (strcmp(*argv, "ecdhp160") == 0)
-- ecdh_doit[R_EC_P160] = 2;
-- else if (strcmp(*argv, "ecdhp192") == 0)
-- ecdh_doit[R_EC_P192] = 2;
-- else if (strcmp(*argv, "ecdhp224") == 0)
-- ecdh_doit[R_EC_P224] = 2;
-- else if (strcmp(*argv, "ecdhp256") == 0)
-+ if (strcmp(*argv, "ecdhp256") == 0)
- ecdh_doit[R_EC_P256] = 2;
- else if (strcmp(*argv, "ecdhp384") == 0)
- ecdh_doit[R_EC_P384] = 2;
- else if (strcmp(*argv, "ecdhp521") == 0)
- ecdh_doit[R_EC_P521] = 2;
-- else if (strcmp(*argv, "ecdhk163") == 0)
-- ecdh_doit[R_EC_K163] = 2;
-- else if (strcmp(*argv, "ecdhk233") == 0)
-- ecdh_doit[R_EC_K233] = 2;
-- else if (strcmp(*argv, "ecdhk283") == 0)
-- ecdh_doit[R_EC_K283] = 2;
-- else if (strcmp(*argv, "ecdhk409") == 0)
-- ecdh_doit[R_EC_K409] = 2;
-- else if (strcmp(*argv, "ecdhk571") == 0)
-- ecdh_doit[R_EC_K571] = 2;
-- else if (strcmp(*argv, "ecdhb163") == 0)
-- ecdh_doit[R_EC_B163] = 2;
-- else if (strcmp(*argv, "ecdhb233") == 0)
-- ecdh_doit[R_EC_B233] = 2;
-- else if (strcmp(*argv, "ecdhb283") == 0)
-- ecdh_doit[R_EC_B283] = 2;
-- else if (strcmp(*argv, "ecdhb409") == 0)
-- ecdh_doit[R_EC_B409] = 2;
-- else if (strcmp(*argv, "ecdhb571") == 0)
-- ecdh_doit[R_EC_B571] = 2;
- else if (strcmp(*argv, "ecdh") == 0) {
-- for (i = 0; i < EC_NUM; i++)
-+ for (i = R_EC_P256; i <= R_EC_P521; i++)
- ecdh_doit[i] = 1;
- } else
- # endif
-@@ -1156,21 +1104,11 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
- # endif
- # ifndef OPENSSL_NO_ECDSA
-- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
-- "ecdsap256 ecdsap384 ecdsap521\n");
-- BIO_printf(bio_err,
-- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
-- BIO_printf(bio_err,
-- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
-+ BIO_printf(bio_err, "ecdsap256 ecdsap384 ecdsap521\n");
- BIO_printf(bio_err, "ecdsa\n");
- # endif
- # ifndef OPENSSL_NO_ECDH
-- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 "
-- "ecdhp256 ecdhp384 ecdhp521\n");
-- BIO_printf(bio_err,
-- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
-- BIO_printf(bio_err,
-- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
-+ BIO_printf(bio_err, "ecdhp256 ecdhp384 ecdhp521\n");
- BIO_printf(bio_err, "ecdh\n");
- # endif
-
-@@ -1255,11 +1193,11 @@ int MAIN(int argc, char **argv)
- if (!FIPS_mode() || i != R_DSA_512)
- dsa_doit[i] = 1;
- # ifndef OPENSSL_NO_ECDSA
-- for (i = 0; i < EC_NUM; i++)
-+ for (i = R_EC_P256; i <= R_EC_P521; i++)
- ecdsa_doit[i] = 1;
- # endif
- # ifndef OPENSSL_NO_ECDH
-- for (i = 0; i < EC_NUM; i++)
-+ for (i = R_EC_P256; i <= R_EC_P521; i++)
- ecdh_doit[i] = 1;
- # endif
- }
-diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
---- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200
-+++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200
-@@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
- 0, 23, /* secp256r1 (23) */
- /* Other >= 256-bit prime curves. */
- 0, 25, /* secp521r1 (25) */
-- 0, 28, /* brainpool512r1 (28) */
-- 0, 27, /* brainpoolP384r1 (27) */
- 0, 24, /* secp384r1 (24) */
-- 0, 26, /* brainpoolP256r1 (26) */
-- 0, 22, /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
- /* >= 256-bit binary curves. */
- 0, 14, /* sect571r1 (14) */
-@@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
- 0, 23, /* secp256r1 (23) */
- /* Other >= 256-bit prime curves. */
- 0, 25, /* secp521r1 (25) */
-- 0, 28, /* brainpool512r1 (28) */
-- 0, 27, /* brainpoolP384r1 (27) */
- 0, 24, /* secp384r1 (24) */
-- 0, 26, /* brainpoolP256r1 (26) */
-- 0, 22, /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
- /* >= 256-bit binary curves. */
- 0, 14, /* sect571r1 (14) */
-@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
- * Remaining curves disabled by default but still permitted if set
- * via an explicit callback or parameters.
- */
-- 0, 20, /* secp224k1 (20) */
-- 0, 21, /* secp224r1 (21) */
-- 0, 18, /* secp192k1 (18) */
-- 0, 19, /* secp192r1 (19) */
-- 0, 15, /* secp160k1 (15) */
-- 0, 16, /* secp160r1 (16) */
-- 0, 17, /* secp160r2 (17) */
- # ifndef OPENSSL_NO_EC2M
- 0, 8, /* sect239k1 (8) */
- 0, 6, /* sect233k1 (6) */
-@@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
- 0, 9, /* sect283k1 (9) */
- 0, 10, /* sect283r1 (10) */
- # endif
-- 0, 22, /* secp256k1 (22) */
- 0, 23, /* secp256r1 (23) */
- # ifndef OPENSSL_NO_EC2M
- 0, 8, /* sect239k1 (8) */
- 0, 6, /* sect233k1 (6) */
- 0, 7, /* sect233r1 (7) */
- # endif
-- 0, 20, /* secp224k1 (20) */
-- 0, 21, /* secp224r1 (21) */
- # ifndef OPENSSL_NO_EC2M
- 0, 4, /* sect193r1 (4) */
- 0, 5, /* sect193r2 (5) */
- # endif
-- 0, 18, /* secp192k1 (18) */
-- 0, 19, /* secp192r1 (19) */
- # ifndef OPENSSL_NO_EC2M
- 0, 1, /* sect163k1 (1) */
- 0, 2, /* sect163r1 (2) */
- 0, 3, /* sect163r2 (3) */
- # endif
-- 0, 15, /* secp160k1 (15) */
-- 0, 16, /* secp160r1 (16) */
-- 0, 17, /* secp160r2 (17) */
- };
- # endif
-
Deleted |
_service:download_src_package:openssl-1.0.2c-trusted-first-doc.patch
@@ -1,288 +0,0 @@
-diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c
---- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
-+++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200
-@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
- "-CApath dir trusted certificates directory\n");
- BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
- BIO_printf(bio_err,
-+ "-trusted_first use trusted certificates first when building the trust chain\n");
-+ BIO_printf(bio_err,
- "-no_alt_chains only ever use the first certificate chain found\n");
- BIO_printf(bio_err,
- "-crl_check check revocation status of signer's certificate using CRLs\n");
-diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c
---- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
-+++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200
-@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err,
- "-CAfile file trusted certificates file\n");
- BIO_printf(bio_err,
-+ "-trusted_first use trusted certificates first when building the trust chain\n");
-+ BIO_printf(bio_err,
- "-no_alt_chains only ever use the first certificate chain found\n");
- BIO_printf(bio_err,
- "-VAfile file validator certificates file\n");
-diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c
---- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
-+++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200
-@@ -333,6 +333,8 @@ static void sc_usage(void)
- BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
- BIO_printf(bio_err,
-+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
-+ BIO_printf(bio_err,
- " -no_alt_chains - only ever use the first certificate chain found\n");
- BIO_printf(bio_err,
- " -reconnect - Drop and re-make the connection with the same Session-ID\n");
-diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c
---- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
-+++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200
-@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
- "-CApath dir trusted certificates directory\n");
- BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
- BIO_printf(bio_err,
-+ "-trusted_first use trusted certificates first when building the trust chain\n");
-+ BIO_printf(bio_err,
- "-no_alt_chains only ever use the first certificate chain found\n");
- BIO_printf(bio_err,
- "-crl_check check revocation status of signer's certificate using CRLs\n");
-diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c
---- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
-+++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200
-@@ -572,6 +572,8 @@ static void sv_usage(void)
- BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
- BIO_printf(bio_err,
-+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
-+ BIO_printf(bio_err,
- " -no_alt_chains - only ever use the first certificate chain found\n");
- BIO_printf(bio_err,
- " -nocert - Don't use any certificates (Anon-DH)\n");
-diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c
---- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200
-+++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200
-@@ -182,6 +182,7 @@ static void s_time_usage(void)
- file if not specified by this option\n\
- -CApath arg - PEM format directory of CA's\n\
- -CAfile arg - PEM format file of CA's\n\
-+-trusted_first - Use trusted CA's first when building the trust chain\n\
- -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
-
- printf("usage: s_time <args>\n\n");
-diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c
---- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200
-+++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200
-@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
- "ts -verify [-data file_to_hash] [-digest digest_bytes] "
- "[-queryfile request.tsq] "
- "-in response.tsr [-token_in] "
-- "-CApath ca_path -CAfile ca_file.pem "
-+ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
- "-untrusted cert_file.pem\n");
- cleanup:
- /* Clean up. */
-diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c
---- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
-+++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200
-@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
- end:
- if (ret == 1) {
- BIO_printf(bio_err,
-- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
-+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
- BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
- #ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err, " [-engine e]");
-diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod
---- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
-+++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200
-@@ -35,6 +35,7 @@ B<openssl> B<cms>
- [B<-print>]
- [B<-CAfile file>]
- [B<-CApath dir>]
-+[B<-trusted_first>]
- [B<-no_alt_chains>]
- [B<-md digest>]
- [B<-[cipher]>]
-@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta
- is a hash of each subject name (using B<x509 -hash>) should be linked
- to each certificate.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before untrusted certificates
-+from the message when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-md digest>
-
- digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod
---- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
-+++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200
-@@ -29,7 +29,8 @@ B<openssl> B<ocsp>
- [B<-path>]
- [B<-CApath dir>]
- [B<-CAfile file>]
--[B<-no_alt_chains>]]
-+[B<-trusted_first>]
-+[B<-no_alt_chains>]
- [B<-VAfile file>]
- [B<-validity_period n>]
- [B<-status_age n>]
-@@ -144,6 +145,13 @@ connection timeout to the OCSP responder
- file or pathname containing trusted CA certificates. These are used to verify
- the signature on the OCSP response.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over certificates provided
-+in the response or residing in other certificates file when building the trust
-+chain to verify responder certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-no_alt_chains>
-
- See L<B<verify>|verify(1)> manual page for details.
-diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod
---- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
-+++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200
-@@ -19,6 +19,7 @@ B<openssl> B<s_client>
- [B<-pass arg>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-no_alt_chains>]
- [B<-reconnect>]
- [B<-pause>]
-@@ -124,7 +125,7 @@ also used when building the client certi
- A file containing trusted certificates to use during server authentication
- and to use when attempting to build the client certificate chain.
-
--=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
-+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
-
- Set various certificate chain valiadition option. See the
- L<B<verify>|verify(1)> manual page for details.
-diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod
---- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
-+++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200
-@@ -15,6 +15,9 @@ B<openssl> B<smime>
- [B<-pk7out>]
- [B<-[cipher]>]
- [B<-in file>]
-+[B<-CAfile file>]
-+[B<-CApath dir>]
-+[B<-trusted_first>]
- [B<-no_alt_chains>]
- [B<-certfile file>]
- [B<-signer file>]
-@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta
- is a hash of each subject name (using B<x509 -hash>) should be linked
- to each certificate.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over certificates provided
-+in the message when building the trust chain to verify a certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-md digest>
-
- digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod
---- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200
-+++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200
-@@ -33,6 +33,7 @@ B<openssl> B<s_server>
- [B<-state>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
Deleted |
_service:download_src_package:openssl-1.0.2d-manfix.patch
@@ -1,81 +0,0 @@
-diff -up openssl-1.0.2a/doc/apps/ec.pod.manfix openssl-1.0.2a/doc/apps/ec.pod
---- openssl-1.0.2a/doc/apps/ec.pod.manfix 2015-01-20 13:33:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/ec.pod 2015-04-21 17:39:20.084574580 +0200
-@@ -93,10 +93,6 @@ prints out the public, private key compo
-
- this option prevents output of the encoded version of the key.
-
--=item B<-modulus>
--
--this option prints out the value of the public key component of the key.
--
- =item B<-pubin>
-
- by default a private key is read from the input file: with this option a
-diff -up openssl-1.0.2a/doc/apps/openssl.pod.manfix openssl-1.0.2a/doc/apps/openssl.pod
---- openssl-1.0.2a/doc/apps/openssl.pod.manfix 2015-01-20 13:33:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/openssl.pod 2015-04-21 17:39:20.084574580 +0200
-@@ -163,7 +163,7 @@ Create or examine a netscape certificate
-
- Online Certificate Status Protocol utility.
-
--=item L<B<passwd>|passwd(1)>
-+=item L<B<passwd>|sslpasswd(1)>
-
- Generation of hashed passwords.
-
-@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
-
- Public key algorithm cryptographic operation utility.
-
--=item L<B<rand>|rand(1)>
-+=item L<B<rand>|sslrand(1)>
-
- Generate pseudo-random bytes.
-
-@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
- L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
- L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
- L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
--L<passwd(1)|passwd(1)>,
-+L<sslpasswd(1)|sslpasswd(1)>,
- L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
--L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
-+L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
- L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
- L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
- L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
-diff -up openssl-1.0.2a/doc/apps/s_client.pod.manfix openssl-1.0.2a/doc/apps/s_client.pod
---- openssl-1.0.2a/doc/apps/s_client.pod.manfix 2015-04-21 17:39:20.085574603 +0200
-+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-21 17:41:00.215924162 +0200
-@@ -34,6 +34,9 @@ B<openssl> B<s_client>
- [B<-ssl2>]
- [B<-ssl3>]
- [B<-tls1>]
-+[B<-tls1_1>]
-+[B<-tls1_2>]
-+[B<-dtls1>]
- [B<-no_ssl2>]
- [B<-no_ssl3>]
- [B<-no_tls1>]
-@@ -200,7 +203,7 @@ Use the PSK key B<key> when using a PSK
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
-diff -up openssl-1.0.2a/doc/apps/s_server.pod.manfix openssl-1.0.2a/doc/apps/s_server.pod
---- openssl-1.0.2a/doc/apps/s_server.pod.manfix 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-21 17:39:20.085574603 +0200
-@@ -212,7 +212,7 @@ Use the PSK key B<key> when using a PSK
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
Deleted |
_service:download_src_package:openssl-1.0.2d-secp256k1.patch
@@ -1,82 +0,0 @@
-diff -up openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 openssl-1.0.2d/crypto/ec/ec_curve.c
---- openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 2015-08-12 14:55:15.203415420 -0400
-+++ openssl-1.0.2d/crypto/ec/ec_curve.c 2015-08-12 15:07:12.659113262 -0400
-@@ -86,6 +86,42 @@ typedef struct {
- unsigned int cofactor; /* promoted to BN_ULONG */
- } EC_CURVE_DATA;
-
-+static const struct {
-+ EC_CURVE_DATA h;
-+ unsigned char data[0 + 32 * 6];
-+} _EC_SECG_PRIME_256K1 = {
-+ {
-+ NID_X9_62_prime_field, 0, 32, 1
-+ },
-+ {
-+ /* no seed */
-+ /* p */
-+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-+ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
-+ /* a */
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ /* b */
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
-+ /* x */
-+ 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
-+ 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
-+ 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
-+ /* y */
-+ 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
-+ 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
-+ 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
-+ /* order */
-+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-+ 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
-+ 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
-+ }
-+};
-+
- /* the nist prime curves */
- static const struct {
- EC_CURVE_DATA h;
-@@ -235,6 +271,8 @@ typedef struct _ec_list_element_st {
- static const ec_list_element curve_list[] = {
- /* prime field curves */
- /* secg curves */
-+ {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
-+ "SECG curve over a 256 bit prime field"},
- /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
- {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
- "NIST/SECG curve over a 384 bit prime field"},
-diff -up openssl-1.0.2d/ssl/t1_lib.c.secp256k1 openssl-1.0.2d/ssl/t1_lib.c
---- openssl-1.0.2d/ssl/t1_lib.c.secp256k1 2015-08-12 15:04:42.876925441 -0400
-+++ openssl-1.0.2d/ssl/t1_lib.c 2015-08-12 15:04:47.837699822 -0400
-@@ -269,6 +269,7 @@ static const unsigned char eccurves_auto
- /* Other >= 256-bit prime curves. */
- 0, 25, /* secp521r1 (25) */
- 0, 24, /* secp384r1 (24) */
-+ 0, 22, /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
- /* >= 256-bit binary curves. */
- 0, 14, /* sect571r1 (14) */
-@@ -286,6 +287,7 @@ static const unsigned char eccurves_all[
- /* Other >= 256-bit prime curves. */
- 0, 25, /* secp521r1 (25) */
- 0, 24, /* secp384r1 (24) */
-+ 0, 22, /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
- /* >= 256-bit binary curves. */
- 0, 14, /* sect571r1 (14) */
-@@ -333,6 +335,7 @@ static const unsigned char fips_curves_d
- 0, 9, /* sect283k1 (9) */
- 0, 10, /* sect283r1 (10) */
- # endif
-+ 0, 22, /* secp256k1 (22) */
- 0, 23, /* secp256r1 (23) */
- # ifndef OPENSSL_NO_EC2M
- 0, 8, /* sect239k1 (8) */
Deleted |
_service:download_src_package:openssl-1.0.2e-fips.patch
@@ -1,13704 +0,0 @@
-diff -up openssl-1.0.2e/apps/speed.c.fips openssl-1.0.2e/apps/speed.c
---- openssl-1.0.2e/apps/speed.c.fips 2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e/apps/speed.c 2015-12-04 13:55:51.956562389 +0100
-@@ -197,7 +197,6 @@
- # ifdef OPENSSL_DOING_MAKEDEPEND
- # undef AES_set_encrypt_key
- # undef AES_set_decrypt_key
--# undef DES_set_key_unchecked
- # endif
- # define BF_set_key private_BF_set_key
- # define CAST_set_key private_CAST_set_key
-@@ -205,7 +204,6 @@
- # define SEED_set_key private_SEED_set_key
- # define RC2_set_key private_RC2_set_key
- # define RC4_set_key private_RC4_set_key
--# define DES_set_key_unchecked private_DES_set_key_unchecked
- # define AES_set_encrypt_key private_AES_set_encrypt_key
- # define AES_set_decrypt_key private_AES_set_decrypt_key
- # define Camellia_set_key private_Camellia_set_key
-@@ -974,7 +972,12 @@ int MAIN(int argc, char **argv)
- # endif
- # ifndef OPENSSL_NO_RSA
- if (strcmp(*argv, "rsa") == 0) {
-- rsa_doit[R_RSA_512] = 1;
-+# ifdef OPENSSL_FIPS
-+ if (!FIPS_mode())
-+# endif
-+ {
-+ rsa_doit[R_RSA_512] = 1;
-+ }
- rsa_doit[R_RSA_1024] = 1;
- rsa_doit[R_RSA_2048] = 1;
- rsa_doit[R_RSA_4096] = 1;
-@@ -982,7 +985,12 @@ int MAIN(int argc, char **argv)
- # endif
- # ifndef OPENSSL_NO_DSA
- if (strcmp(*argv, "dsa") == 0) {
-- dsa_doit[R_DSA_512] = 1;
-+# ifdef OPENSSL_FIPS
-+ if (!FIPS_mode())
-+# endif
-+ {
-+ dsa_doit[R_DSA_512] = 1;
-+ }
- dsa_doit[R_DSA_1024] = 1;
- dsa_doit[R_DSA_2048] = 1;
- } else
-@@ -1233,13 +1241,19 @@ int MAIN(int argc, char **argv)
-
- if (j == 0) {
- for (i = 0; i < ALGOR_NUM; i++) {
-- if (i != D_EVP)
-+ if (i != D_EVP &&
-+ (!FIPS_mode() || (i != D_WHIRLPOOL &&
-+ i != D_MD2 && i != D_MD4 &&
-+ i != D_MD5 && i != D_MDC2 &&
-+ i != D_RMD160)))
- doit[i] = 1;
- }
- for (i = 0; i < RSA_NUM; i++)
-- rsa_doit[i] = 1;
-+ if (!FIPS_mode() || i != R_RSA_512)
-+ rsa_doit[i] = 1;
- for (i = 0; i < DSA_NUM; i++)
-- dsa_doit[i] = 1;
-+ if (!FIPS_mode() || i != R_DSA_512)
-+ dsa_doit[i] = 1;
- # ifndef OPENSSL_NO_ECDSA
- for (i = 0; i < EC_NUM; i++)
- ecdsa_doit[i] = 1;
-@@ -1299,30 +1313,46 @@ int MAIN(int argc, char **argv)
- AES_set_encrypt_key(key32, 256, &aes_ks3);
- # endif
- # ifndef OPENSSL_NO_CAMELLIA
-- Camellia_set_key(key16, 128, &camellia_ks1);
-- Camellia_set_key(ckey24, 192, &camellia_ks2);
-- Camellia_set_key(ckey32, 256, &camellia_ks3);
-+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
-+ Camellia_set_key(key16, 128, &camellia_ks1);
-+ Camellia_set_key(ckey24, 192, &camellia_ks2);
-+ Camellia_set_key(ckey32, 256, &camellia_ks3);
-+ }
- # endif
- # ifndef OPENSSL_NO_IDEA
-- idea_set_encrypt_key(key16, &idea_ks);
-+ if (doit[D_CBC_IDEA]) {
-+ idea_set_encrypt_key(key16, &idea_ks);
-+ }
- # endif
- # ifndef OPENSSL_NO_SEED
-- SEED_set_key(key16, &seed_ks);
-+ if (doit[D_CBC_SEED]) {
-+ SEED_set_key(key16, &seed_ks);
-+ }
- # endif
- # ifndef OPENSSL_NO_RC4
-- RC4_set_key(&rc4_ks, 16, key16);
-+ if (doit[D_RC4]) {
-+ RC4_set_key(&rc4_ks, 16, key16);
-+ }
- # endif
- # ifndef OPENSSL_NO_RC2
-- RC2_set_key(&rc2_ks, 16, key16, 128);
-+ if (doit[D_CBC_RC2]) {
-+ RC2_set_key(&rc2_ks, 16, key16, 128);
-+ }
- # endif
- # ifndef OPENSSL_NO_RC5
-- RC5_32_set_key(&rc5_ks, 16, key16, 12);
-+ if (doit[D_CBC_RC5]) {
-+ RC5_32_set_key(&rc5_ks, 16, key16, 12);
-+ }
- # endif
- # ifndef OPENSSL_NO_BF
-- BF_set_key(&bf_ks, 16, key16);
-+ if (doit[D_CBC_BF]) {
-+ BF_set_key(&bf_ks, 16, key16);
-+ }
- # endif
- # ifndef OPENSSL_NO_CAST
-- CAST_set_key(&cast_ks, 16, key16);
-+ if (doit[D_CBC_CAST]) {
-+ CAST_set_key(&cast_ks, 16, key16);
-+ }
- # endif
- # ifndef OPENSSL_NO_RSA
- memset(rsa_c, 0, sizeof(rsa_c));
-@@ -1605,6 +1635,7 @@ int MAIN(int argc, char **argv)
- HMAC_CTX hctx;
-
- HMAC_CTX_init(&hctx);
-+ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...",
- 16, EVP_md5(), NULL);
-
-diff -up openssl-1.0.2e/Configure.fips openssl-1.0.2e/Configure
---- openssl-1.0.2e/Configure.fips 2015-12-04 13:55:51.939561992 +0100
-+++ openssl-1.0.2e/Configure 2015-12-04 13:55:51.956562389 +0100
-@@ -1058,11 +1058,6 @@ if (defined($disabled{"md5"}) || defined
- $disabled{"ssl2"} = "forced";
- }
-
--if ($fips && $fipslibdir eq "")
-- {
-- $fipslibdir = $fipsdir . "/lib/";
-- }
--
- # RSAX ENGINE sets default non-FIPS RSA method.
- if ($fips)
- {
-@@ -1551,7 +1546,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
- if ($fips)
- {
- $openssl_other_defines.="#define OPENSSL_FIPS\n";
-- $cflags .= " -I\$(FIPSDIR)/include";
- }
-
- $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
-@@ -1754,9 +1748,12 @@ while (<IN>)
-
- s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
- s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
-- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
- s/^BASEADDR=.*/BASEADDR=$baseaddr/;
-
-+ if ($fips)
-+ {
-+ s/^FIPS=.*/FIPS=yes/;
-+ }
- s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
- s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
- s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
-diff -up openssl-1.0.2e/crypto/aes/aes_misc.c.fips openssl-1.0.2e/crypto/aes/aes_misc.c
---- openssl-1.0.2e/crypto/aes/aes_misc.c.fips 2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e/crypto/aes/aes_misc.c 2015-12-04 13:55:51.956562389 +0100
-@@ -70,17 +70,11 @@ const char *AES_options(void)
- int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key)
- {
--#ifdef OPENSSL_FIPS
-- fips_cipher_abort(AES);
--#endif
- return private_AES_set_encrypt_key(userKey, bits, key);
- }
-
- int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key)
- {
--#ifdef OPENSSL_FIPS
-- fips_cipher_abort(AES);
--#endif
- return private_AES_set_decrypt_key(userKey, bits, key);
- }
-diff -up openssl-1.0.2e/crypto/cmac/cmac.c.fips openssl-1.0.2e/crypto/cmac/cmac.c
---- openssl-1.0.2e/crypto/cmac/cmac.c.fips 2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e/crypto/cmac/cmac.c 2015-12-04 13:55:51.957562412 +0100
-@@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void)
-
- void CMAC_CTX_cleanup(CMAC_CTX *ctx)
Deleted |
_service:download_src_package:openssl-1.0.2e-remove-nistp224.patch
@@ -1,15 +0,0 @@
-diff -up openssl-1.0.2e/crypto/ec/ec.h.nistp224 openssl-1.0.2e/crypto/ec/ec.h
---- openssl-1.0.2e/crypto/ec/ec.h.nistp224 2015-12-04 14:00:57.000000000 +0100
-+++ openssl-1.0.2e/crypto/ec/ec.h 2015-12-08 15:51:37.046747916 +0100
-@@ -149,11 +149,6 @@ const EC_METHOD *EC_GFp_mont_method(void
- const EC_METHOD *EC_GFp_nist_method(void);
-
- # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
--/** Returns 64-bit optimized methods for nistp224
-- * \return EC_METHOD object
-- */
--const EC_METHOD *EC_GFp_nistp224_method(void);
--
- /** Returns 64-bit optimized methods for nistp256
- * \return EC_METHOD object
- */
Deleted |
_service:download_src_package:openssl-1.0.2e-rpmbuild.patch
@@ -1,115 +0,0 @@
-diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
---- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100
-@@ -365,8 +365,8 @@ my %table=(
- ####
- # *-generic* is endian-neutral target, but ./config is free to
- # throw in -D[BL]_ENDIAN, whichever appropriate...
--"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-
- #######################################################################
- # Note that -march is not among compiler options in below linux-armv4
-@@ -395,31 +395,31 @@ my %table=(
- #
- # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
- #
--"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- # Configure script adds minimally required -march for assembly support,
- # if no -march was specified at command line. mips32 and mips64 below
- # refer to contemporary MIPS Architecture specifications, MIPS32 and
- # MIPS64, rather than to kernel bitness.
--"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
--"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
-+"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### IA-32 targets...
- "linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
- ####
--"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
--"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- "debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
--"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
- # /proc/cpuinfo. The idea is to preserve most significant bits of
-@@ -437,12 +437,12 @@ my %table=(
- #### SPARC Linux setups
- # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
--"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # it's a real mess with -mcpu=ultrasparc option under Linux, but
- # -Wa,-Av8plus should do the trick no matter what.
--"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # GCC 3.1 is a requirement
--"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### Alpha Linux with GNU C and Compaq C setups
- # Special notes:
- # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -1767,7 +1767,7 @@ while (<IN>)
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- {
- my $sotmp = $1;
-- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
- }
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- {
-diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
---- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100
-+++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100
-@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
- SHLIB_MAJOR=
- SHLIB_MINOR=
- SHLIB_EXT=
-+SHLIB_SONAMEVER=10
- PLATFORM=dist
- OPTIONS=
- CONFIGURE_ARGS=
-@@ -341,10 +342,9 @@ clean-shared:
- link-shared:
- @ set -e; for i in $(SHLIBDIRS); do \
- $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- symlink.$(SHLIB_TARGET); \
-- libs="$$libs -l$$i"; \
- done
-
- build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
- libs="$(LIBKRB5) $$libs"; \
- fi; \
- $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- LIBDEPS="$$libs $(EX_LIBS)" \
- link_a.$(SHLIB_TARGET); \
|
|
Deleted |
_service:download_src_package:openssl-1.0.2e-speed-doc.patch
|
@@ -1,58 +0,0 @@
-diff -up openssl-1.0.2e/apps/speed.c.speed-doc openssl-1.0.2e/apps/speed.c
---- openssl-1.0.2e/apps/speed.c.speed-doc 2015-12-04 14:00:58.000000000 +0100
-+++ openssl-1.0.2e/apps/speed.c 2016-01-15 14:15:56.482343557 +0100
-@@ -648,10 +648,6 @@ int MAIN(int argc, char **argv)
- # endif
- int multiblock = 0;
-
--# ifndef TIMES
-- usertime = -1;
--# endif
--
- apps_startup();
- memset(results, 0, sizeof(results));
- # ifndef OPENSSL_NO_DSA
-@@ -1145,10 +1141,8 @@ int MAIN(int argc, char **argv)
-
- BIO_printf(bio_err, "\n");
- BIO_printf(bio_err, "Available options:\n");
--# if defined(TIMES) || defined(USE_TOD)
- BIO_printf(bio_err, "-elapsed "
- "measure time in real time instead of CPU user time.\n");
--# endif
- # ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err,
- "-engine e "
-diff -up openssl-1.0.2e/doc/apps/speed.pod.speed-doc openssl-1.0.2e/doc/apps/speed.pod
---- openssl-1.0.2e/doc/apps/speed.pod.speed-doc 2015-12-03 14:42:07.000000000 +0100
-+++ openssl-1.0.2e/doc/apps/speed.pod 2016-01-15 14:05:23.044222376 +0100
-@@ -8,6 +8,9 @@ speed - test library performance
-
- B<openssl speed>
- [B<-engine id>]
-+[B<-elapsed>]
-+[B<-evp algo>]
-+[B<-decrypt>]
- [B<md2>]
- [B<mdc2>]
- [B<md5>]
-@@ -49,6 +52,19 @@ to attempt to obtain a functional refere
- thus initialising it if needed. The engine will then be set as the default
- for all available algorithms.
-
-+=item B<-elapsed>
-+
-+Measure time in real time instead of CPU time. It can be useful when testing
-+speed of hardware engines.
-+
-+=item B<-evp algo>
-+
-+Use the specified cipher or message digest algorithm via the EVP interface.
-+
-+=item B<-decrypt>
-+
-+Time the decryption instead of encryption. Affects only the EVP testing.
-+
- =item B<[zero or more test algorithms]>
-
- If any options are given, B<speed> tests those algorithms, otherwise all of
|
|
Deleted |
_service:download_src_package:openssl-1.0.2e-wrap-pad.patch
|
@@ -1,541 +0,0 @@
-diff -up openssl-1.0.2e/crypto/evp/c_allc.c.wrap openssl-1.0.2e/crypto/evp/c_allc.c
---- openssl-1.0.2e/crypto/evp/c_allc.c.wrap 2015-12-04 13:33:42.118550036 +0100
-+++ openssl-1.0.2e/crypto/evp/c_allc.c 2015-12-04 13:33:42.190551722 +0100
-@@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_128_xts());
- EVP_add_cipher(EVP_aes_128_ccm());
- EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher(EVP_aes_128_wrap_pad());
- EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
- EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
- EVP_add_cipher(EVP_aes_192_ecb());
-@@ -191,6 +192,7 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_192_gcm());
- EVP_add_cipher(EVP_aes_192_ccm());
- EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher(EVP_aes_192_wrap_pad());
- EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
- EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
- EVP_add_cipher(EVP_aes_256_ecb());
-@@ -204,6 +206,7 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_256_xts());
- EVP_add_cipher(EVP_aes_256_ccm());
- EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher(EVP_aes_256_wrap_pad());
- EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
- EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
- # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-@@ -258,6 +261,7 @@ void OpenSSL_add_all_ciphers(void)
-
- EVP_add_cipher(EVP_des_ede());
- EVP_add_cipher(EVP_des_ede3());
-+ EVP_add_cipher(EVP_des_ede3_wrap());
- # endif
-
- # ifndef OPENSSL_NO_AES
-@@ -272,6 +276,7 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_128_xts());
- EVP_add_cipher(EVP_aes_128_ccm());
- EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher(EVP_aes_128_wrap_pad());
- EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
- EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
- EVP_add_cipher(EVP_aes_192_ecb());
-@@ -284,6 +289,7 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_192_gcm());
- EVP_add_cipher(EVP_aes_192_ccm());
- EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher(EVP_aes_192_wrap_pad());
- EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
- EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
- EVP_add_cipher(EVP_aes_256_ecb());
-@@ -297,6 +303,7 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_256_xts());
- EVP_add_cipher(EVP_aes_256_ccm());
- EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher(EVP_aes_256_wrap_pad());
- EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
- EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
- # endif
-diff -up openssl-1.0.2e/crypto/evp/e_aes.c.wrap openssl-1.0.2e/crypto/evp/e_aes.c
---- openssl-1.0.2e/crypto/evp/e_aes.c.wrap 2015-12-04 13:33:42.119550059 +0100
-+++ openssl-1.0.2e/crypto/evp/e_aes.c 2015-12-04 13:33:42.190551722 +0100
-@@ -1,5 +1,5 @@
- /* ====================================================================
-- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -1953,7 +1953,7 @@ static int aes_wrap_init_key(EVP_CIPHER_
- wctx->iv = NULL;
- }
- if (iv) {
-- memcpy(ctx->iv, iv, 8);
-+ memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
- wctx->iv = ctx->iv;
- }
- return 1;
-@@ -1964,30 +1964,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
- {
- EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
- size_t rv;
-+ /* AES wrap with padding has IV length of 4, without padding 8 */
-+ int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
-+ /* No final operation so always return zero length */
- if (!in)
- return 0;
-- if (inlen % 8)
-+ /* Input length must always be non-zero */
-+ if (!inlen)
- return -1;
-- if (ctx->encrypt && inlen < 8)
-+ /* If decrypting need at least 16 bytes and multiple of 8 */
-+ if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
- return -1;
-- if (!ctx->encrypt && inlen < 16)
-+ /* If not padding input must be multiple of 8 */
-+ if (!pad && inlen & 0x7)
- return -1;
- if (!out) {
-- if (ctx->encrypt)
-+ if (ctx->encrypt) {
-+ /* If padding round up to multiple of 8 */
-+ if (pad)
-+ inlen = (inlen + 7) / 8 * 8;
-+ /* 8 byte prefix */
- return inlen + 8;
-- else
-+ } else {
-+ /* If not padding output will be exactly 8 bytes
-+ * smaller than input. If padding it will be at
-+ * least 8 bytes smaller but we don't know how
-+ * much.
-+ */
- return inlen - 8;
- }
-+ }
-+ if (pad) {
- if (ctx->encrypt)
-- rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
-+ rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
- (block128_f) AES_encrypt);
- else
-- rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
-+ rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
- (block128_f) AES_decrypt);
-+ } else {
-+ if (ctx->encrypt)
-+ rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen, (block128_f) AES_encrypt);
-+ else
-+ rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen, (block128_f) AES_decrypt);
-+ }
- return rv ? (int)rv : -1;
- }
-
--#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
-+# define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
- | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
- | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
-
-@@ -2032,3 +2059,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
- {
- return &aes_256_wrap;
- }
-+
-+static const EVP_CIPHER aes_128_wrap_pad = {
-+ NID_id_aes128_wrap_pad,
-+ 8, 16, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL, NULL, NULL, NULL
-+};
-+
-+const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
-+{
-+ return &aes_128_wrap_pad;
-+}
-+
-+static const EVP_CIPHER aes_192_wrap_pad = {
-+ NID_id_aes192_wrap_pad,
-+ 8, 24, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL, NULL, NULL, NULL
-+};
-+
-+const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
-+{
-+ return &aes_192_wrap_pad;
-+}
-+
-+static const EVP_CIPHER aes_256_wrap_pad = {
-+ NID_id_aes256_wrap_pad,
-+ 8, 32, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL, NULL, NULL, NULL
-+};
-+
-+const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
-+{
-+ return &aes_256_wrap_pad;
-+}
-diff -up openssl-1.0.2e/crypto/evp/e_des3.c.wrap openssl-1.0.2e/crypto/evp/e_des3.c
---- openssl-1.0.2e/crypto/evp/e_des3.c.wrap 2015-12-04 13:33:42.119550059 +0100
-+++ openssl-1.0.2e/crypto/evp/e_des3.c 2015-12-04 13:33:42.191551745 +0100
-@@ -474,7 +474,7 @@ static const EVP_CIPHER des3_wrap = {
- NID_id_smime_alg_CMS3DESwrap,
- 8, 24, 0,
- EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
-- | EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_FIPS,
|
|
Deleted |
_service:download_src_package:openssl-1.0.2f-new-fips-reqs.patch
|
@@ -1,1366 +0,0 @@
-diff -up openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2f/crypto/bn/bn_rand.c
---- openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs 2016-01-28 14:38:30.000000000 +0100
-+++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 16:36:22.811387420 +0100
-@@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
- goto err;
- }
-
-- /* make a random number and set the top and bottom bits */
-- time(&tim);
-- RAND_add(&tim, sizeof(tim), 0.0);
-+ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */
-+ /* make a random number and set the top and bottom bits */
-+ time(&tim);
-+ RAND_add(&tim, sizeof(tim), 0.0);
-+ }
-
- if (pseudorand) {
- if (RAND_pseudo_bytes(buf, bytes) == -1)
-diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh_gen.c
---- openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs 2016-01-28 16:36:22.767386408 +0100
-+++ openssl-1.0.2f/crypto/dh/dh_gen.c 2016-01-28 16:36:22.811387420 +0100
-@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
- return 0;
- }
-
-- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
-diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h
---- openssl-1.0.2f/crypto/dh/dh.h.fips-reqs 2016-01-28 16:36:22.767386408 +0100
-+++ openssl-1.0.2f/crypto/dh/dh.h 2016-01-28 16:36:22.812387443 +0100
-@@ -78,6 +78,7 @@
- # endif
-
- # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
-
- # define DH_FLAG_CACHE_MONT_P 0x01
-
-diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_gen.c
---- openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs 2016-01-28 16:36:22.768386431 +0100
-+++ openssl-1.0.2f/crypto/dsa/dsa_gen.c 2016-01-28 16:36:22.812387443 +0100
-@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
- }
-
- if (FIPS_module_mode() &&
-- (bits != 1024 || qbits != 160) &&
-- (bits != 2048 || qbits != 224) &&
-- (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
-+ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024
-+ || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048
-+ || qbits !=
-+ 256)
-+ && (bits != 3072 || qbits != 256)) {
- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
- goto err;
- }
-diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa.h
---- openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs 2016-01-28 16:36:22.768386431 +0100
-+++ openssl-1.0.2f/crypto/dsa/dsa.h 2016-01-28 16:36:22.812387443 +0100
-@@ -89,6 +89,7 @@
- # endif
-
- # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024)
-
- # define DSA_FLAG_CACHE_MONT_P 0x01
- /*
-@@ -251,9 +252,9 @@ int DSAparams_print_fp(FILE *fp, const D
- int DSA_print_fp(FILE *bp, const DSA *x, int off);
- # endif
-
--# define DSS_prime_checks 50
-+# define DSS_prime_checks 64
- /*
-- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
-+ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
- * Rabin-Miller
- */
- # define DSA_is_prime(n, callback, cb_arg) \
-diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_key.c
---- openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100
-+++ openssl-1.0.2f/crypto/dsa/dsa_key.c 2016-01-28 16:36:22.812387443 +0100
-@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
-
- # ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
- DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
-diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/fips.c
---- openssl-1.0.2f/crypto/fips/fips.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100
-+++ openssl-1.0.2f/crypto/fips/fips.c 2016-01-28 16:36:22.813387467 +0100
-@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
- ret = 0;
- goto end;
- }
-- OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
-- OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
- }
- # endif
-
-- if (!verify_checksums()) {
-- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ if (!FIPS_selftest()) {
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
-- if (FIPS_selftest())
-- fips_set_mode(onoff);
-- else {
-+ if (!verify_checksums()) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-+
-+ fips_set_mode(onoff);
- ret = 1;
- goto end;
- }
-diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_dh_selftest.c
---- openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-01-28 16:36:22.813387467 +0100
-+++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c 2016-01-28 16:36:22.813387467 +0100
-@@ -0,0 +1,162 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2013 Red Hat, Inc.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char dh_test_2048_p[] = {
-+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
-+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
-+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
|
|
Deleted |
_service
|
@@ -1,7 +0,0 @@
-<services>
- <service name="download_src_package">
- <param name="host">kojipkgs.fedoraproject.org</param>
- <param name="protocol">https</param>
- <param name="path">//packages/openssl/1.0.2f/1.fc24/src/openssl-1.0.2f-1.fc24.src.rpm</param>
- </service>
-</services>
\ No newline at end of file
|
|
Deleted |
_service:download_src_package:Makefile.certificate
|
@@ -1,82 +0,0 @@
-UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
-DAYS=365
-KEYLEN=2048
-TYPE=rsa:$(KEYLEN)
-EXTRA_FLAGS=
-ifdef SERIAL
- EXTRA_FLAGS+=-set_serial $(SERIAL)
-endif
-
-.PHONY: usage
-.SUFFIXES: .key .csr .crt .pem
-.PRECIOUS: %.key %.csr %.crt %.pem
-
-usage:
- @echo "This makefile allows you to create:"
- @echo " o public/private key pairs"
- @echo " o SSL certificate signing requests (CSRs)"
- @echo " o self-signed SSL test certificates"
- @echo
- @echo "To create a key pair, run \"make SOMETHING.key\"."
- @echo "To create a CSR, run \"make SOMETHING.csr\"."
- @echo "To create a test certificate, run \"make SOMETHING.crt\"."
- @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
- @echo
- @echo "To create a key for use with Apache, run \"make genkey\"."
- @echo "To create a CSR for use with Apache, run \"make certreq\"."
- @echo "To create a test certificate for use with Apache, run \"make testcert\"."
- @echo
- @echo "To create a test certificate with serial number other than random, add SERIAL=num"
- @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
- @echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
- @echo
- @echo Examples:
- @echo " make server.key"
- @echo " make server.csr"
- @echo " make server.crt"
- @echo " make stunnel.pem"
- @echo " make genkey"
- @echo " make certreq"
- @echo " make testcert"
- @echo " make server.crt SERIAL=1"
- @echo " make stunnel.pem EXTRA_FLAGS=-sha384"
- @echo " make testcert DAYS=600"
-
-%.pem:
- umask 77 ; \
- PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
- cat $$PEM1 > $@ ; \
- echo "" >> $@ ; \
- cat $$PEM2 >> $@ ; \
- $(RM) $$PEM1 $$PEM2
-
-%.key:
- umask 77 ; \
- /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
-
-%.csr: %.key
- umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $^ -out $@
-
-%.crt: %.key
- umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
-
-TLSROOT=/etc/pki/tls
-KEY=$(TLSROOT)/private/localhost.key
-CSR=$(TLSROOT)/certs/localhost.csr
-CRT=$(TLSROOT)/certs/localhost.crt
-
-genkey: $(KEY)
-certreq: $(CSR)
-testcert: $(CRT)
-
-$(CSR): $(KEY)
- umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
-
-$(CRT): $(KEY)
- umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
|
|
Deleted |
_service:download_src_package:README.FIPS
|
@@ -1,75 +0,0 @@
-User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
-=================================================================
-
-This package contains libraries which comprise the FIPS 140-2
-Red Hat Enterprise Linux - OPENSSL Module.
-
-The module files
-================
-/usr/lib[64]/libcrypto.so.1.0.1e
-/usr/lib[64]/libssl.so.1.0.1e
-/usr/lib[64]/.libcrypto.so.1.0.1e.hmac
-/usr/lib[64]/.libssl.so.1.0.1e.hmac
-
-Dependencies
-============
-
-The approved mode of operation requires kernel with /dev/urandom RNG running
-with properties as defined in the security policy of the module. This is
-provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
-Crytographic Module.
-
-Installation
-============
-
-The RPM package of the module can be installed by standard tools recommended
-for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
-rpm, RHN remote management tool).
-
-For proper operation of the in-module integrity verification the prelink has to
-be disabled. This can be done with setting PRELINKING=no in the
-/etc/sysconfig/prelink configuration file. If the libraries were already
-prelinked the prelink should be undone on all the system files with the
-'prelink -u -a' command.
-
-Usage and API
-=============
-
-The module respects kernel command line FIPS setting. If the kernel command
-line contains option fips=1 the module will initialize in the FIPS approved
-mode of operation automatically. To allow for the automatic initialization the
-application using the module has to call one of the following API calls:
-
-- void OPENSSL_init_library(void) - this will do only a basic initialization
-of the library and does initialization of the FIPS approved mode without setting
-up EVP API with supported algorithms.
-
-- void OPENSSL_add_all_algorithms(void) - this API function calls
-OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
-in the approved mode
-
-- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
-adds algorithms which are necessary for TLS protocol support and initializes
-the SSL library.
-
-To explicitely put the library to the approved mode the application can call
-the following function:
-
-- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
-the library from the non-approved to the approved mode. If any of the selftests
-and integrity verification tests fail, the library is put into the error state
-and 0 is returned. If they succeed the return value is 1.
-
-To query the module whether it is in the approved mode or not:
-
-- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
-0 otherwise.
-
-To query whether the module is in the error state:
-
-- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
-state, 0 otherwise.
-
-To zeroize the FIPS RNG key and internal state the application calls:
-
-- void RAND_cleanup(void)
Deleted |
_service:download_src_package:ec_curve.c
@@ -1,455 +0,0 @@
-/* crypto/ec/ec_curve.c */
-/*
- * Written by Nils Larsch for the OpenSSL project.
- */
-/* ====================================================================
- * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- *
- * Portions of the attached software ("Contribution") are developed by
- * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
- *
- * The Contribution is licensed pursuant to the OpenSSL open source
- * license provided above.
- *
- * The elliptic curve binary polynomial software is originally written by
- * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
- *
- */
-
-#include <string.h>
-#include "ec_lcl.h"
-#include <openssl/err.h>
-#include <openssl/obj_mac.h>
-#include <openssl/opensslconf.h>
-
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
-
-typedef struct {
- int field_type, /* either NID_X9_62_prime_field or
- * NID_X9_62_characteristic_two_field */
- seed_len, param_len;
- unsigned int cofactor; /* promoted to BN_ULONG */
-} EC_CURVE_DATA;
-
-/* the nist prime curves */
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 48 * 6];
-} _EC_NIST_PRIME_384 = {
- {
- NID_X9_62_prime_field, 20, 48, 1
- },
- {
- /* seed */
- 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
- 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
- /* p */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
- /* a */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
- /* b */
- 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
- 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
- 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
- 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
- /* x */
- 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
- 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
- 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
- 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
- /* y */
- 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
- 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
- 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
- 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
- /* order */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
- 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
- }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 66 * 6];
-} _EC_NIST_PRIME_521 = {
- {
- NID_X9_62_prime_field, 20, 66, 1
- },
- {
- /* seed */
- 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
- 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
- /* p */
- 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- /* a */
- 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
- /* b */
- 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
- 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
- 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
- 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
- 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
- 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
- /* x */
- 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
- 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
- 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
- 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
- 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
- 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
- /* y */
- 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
- 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
- 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
- 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
- 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
- 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
- /* order */
- 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
- 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
- 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
- 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
- }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 32 * 6];
-} _EC_X9_62_PRIME_256V1 = {
- {
- NID_X9_62_prime_field, 20, 32, 1
- },
- {
- /* seed */
- 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
Deleted |
_service:download_src_package:ectest.c
@@ -1,985 +0,0 @@
-/* crypto/ec/ectest.c */
-/*
- * Originally written by Bodo Moeller for the OpenSSL project.
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- *
- * Portions of the attached software ("Contribution") are developed by
- * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
- *
- * The Contribution is licensed pursuant to the OpenSSL open source
- * license provided above.
- *
- * The elliptic curve binary polynomial software is originally written by
- * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#ifdef FLAT_INC
-# include "e_os.h"
-#else
-# include "../e_os.h"
-#endif
-#include <string.h>
-#include <time.h>
-
-#ifdef OPENSSL_NO_EC
-int main(int argc, char *argv[])
-{
- puts("Elliptic curves are disabled.");
- return 0;
-}
-#else
-
-# include <openssl/ec.h>
-# ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
-# endif
-# include <openssl/err.h>
-# include <openssl/obj_mac.h>
-# include <openssl/objects.h>
-# include <openssl/rand.h>
-# include <openssl/bn.h>
-# include <openssl/opensslconf.h>
-
-# if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
-/* suppress "too big too optimize" warning */
-# pragma warning(disable:4959)
-# endif
-
-# define ABORT do { \
- fflush(stdout); \
- fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
- ERR_print_errors_fp(stderr); \
- EXIT(1); \
-} while (0)
-
-# define TIMING_BASE_PT 0
-# define TIMING_RAND_PT 1
-# define TIMING_SIMUL 2
-
-# if 0
-static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
-{
- clock_t clck;
- int i, j;
- BIGNUM *s;
- BIGNUM *r[10], *r0[10];
- EC_POINT *P;
-
- s = BN_new();
- if (s == NULL)
- ABORT;
-
- fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
- if (!EC_GROUP_get_order(group, s, ctx))
- ABORT;
- fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
- fflush(stdout);
-
- P = EC_POINT_new(group);
- if (P == NULL)
- ABORT;
- EC_POINT_copy(P, EC_GROUP_get0_generator(group));
-
- for (i = 0; i < 10; i++) {
- if ((r[i] = BN_new()) == NULL)
- ABORT;
- if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0))
- ABORT;
- if (type != TIMING_BASE_PT) {
- if ((r0[i] = BN_new()) == NULL)
- ABORT;
- if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0))
- ABORT;
- }
- }
-
- clck = clock();
- for (i = 0; i < 10; i++) {
- for (j = 0; j < 10; j++) {
- if (!EC_POINT_mul
- (group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
- (type != TIMING_BASE_PT) ? P : NULL,
- (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx))
- ABORT;
- }
- }
- clck = clock() - clck;
-
- fprintf(stdout, "\n");
-
-# ifdef CLOCKS_PER_SEC
- /*
- * "To determine the time in seconds, the value returned by the clock
- * function should be divided by the value of the macro CLOCKS_PER_SEC."
- * -- ISO/IEC 9899
- */
-# define UNIT "s"
-# else
- /*
- * "`CLOCKS_PER_SEC' undeclared (first use this function)" -- cc on
- * NeXTstep/OpenStep
- */
-# define UNIT "units"
-# define CLOCKS_PER_SEC 1
-# endif
-
- if (type == TIMING_BASE_PT) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
- "base point multiplications", (double)clck / CLOCKS_PER_SEC);
- } else if (type == TIMING_RAND_PT) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
- "random point multiplications",
- (double)clck / CLOCKS_PER_SEC);
- } else if (type == TIMING_SIMUL) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
- "s*P+t*Q operations", (double)clck / CLOCKS_PER_SEC);
- }
- fprintf(stdout, "average: %.4f " UNIT "\n",
- (double)clck / (CLOCKS_PER_SEC * i * j));
-
- EC_POINT_free(P);
- BN_free(s);
Deleted |
_service:download_src_package:hobble-openssl
@@ -1,53 +0,0 @@
-#!/bin/sh
-
-# Quit out if anything fails.
-set -e
-
-# Clean out patent-or-otherwise-encumbered code.
-# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
-# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
-# RC5: 5,724,428 01/11/2015
-# EC: ????????? ??/??/2020
-# SRP: ????????? ??/??/20??
-
-# Remove assembler portions of IDEA, MDC2, and RC5.
-(find crypto/rc5/asm -type f | xargs -r rm -fv)
-
-# RC5, SRP.
-for a in rc5 srp; do
- for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
- echo Destroying $c
- > $c
- done
-done
-
-for c in `find crypto/evp -name "*_rc5.c"`; do
- echo Destroying $c
- > $c
-done
-
-for c in `find crypto/bn -name "*gf2m.c"`; do
- echo Destroying $c
- > $c
-done
-
-for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp22?.c" -o -name "ectest.c"`; do
- echo Destroying $c
- > $c
-done
-
-for h in `find crypto ssl apps test -name "*.h"` ; do
- echo Removing RC5, SRP and EC2M references from $h
- cat $h | \
- awk 'BEGIN {ech=1;} \
- /^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
- /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
- /^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
- /^#[ \t]*if/ {if(ech < 1) ech--;} \
- {if(ech>0) {;print $0};} \
- /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
- mv $h.hobbled $h
-done
-
-# Make the makefiles happy.
-touch crypto/rc5/asm/rc5-586.pl
Deleted |
_service:download_src_package:make-dummy-cert
@@ -1,28 +0,0 @@
-#!/bin/sh
-umask 077
-
-answers() {
- echo --
- echo SomeState
- echo SomeCity
- echo SomeOrganization
- echo SomeOrganizationalUnit
- echo localhost.localdomain
- echo root@localhost.localdomain
-}
-
-if [ $# -eq 0 ] ; then
- echo $"Usage: `basename $0` filename [...]"
- exit 0
-fi
-
-for target in $@ ; do
- PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
- PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
- trap "rm -f $PEM1 $PEM2" SIGINT
- answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
- cat $PEM1 > ${target}
- echo "" >> ${target}
- cat $PEM2 >> ${target}
- rm -f $PEM1 $PEM2
-done
Deleted |
_service:download_src_package:openssl-1.0.2f-hobbled.tar.xz
Deleted |
_service:download_src_package:openssl-thread-test.c
@@ -1,400 +0,0 @@
-/* Test program to verify that RSA signing is thread-safe in OpenSSL. */
-
-#include <assert.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <pthread.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/md5.h>
-#include <openssl/ssl.h>
-
-/* Just assume we want to do engine stuff if we're using 0.9.6b or
- * higher. This assumption is only valid for versions bundled with RHL. */
-#if OPENSSL_VERSION_NUMBER >= 0x0090602fL
-#include <openssl/engine.h>
-#define USE_ENGINE
-#endif
-
-#define MAX_THREAD_COUNT 10000
-#define ITERATION_COUNT 10
-#define MAIN_COUNT 100
-
-/* OpenSSL requires us to provide thread ID and locking primitives. */
-pthread_mutex_t *mutex_locks = NULL;
-static unsigned long
-thread_id_cb(void)
-{
- return (unsigned long) pthread_self();
-}
-static void
-lock_cb(int mode, int n, const char *file, int line)
-{
- if (mode & CRYPTO_LOCK) {
- pthread_mutex_lock(&mutex_locks[n]);
- } else {
- pthread_mutex_unlock(&mutex_locks[n]);
- }
-}
-
-struct thread_args {
- RSA *rsa;
- int digest_type;
- unsigned char *digest;
- unsigned int digest_len;
- unsigned char *signature;
- unsigned int signature_len;
- pthread_t main_thread;
-};
-
-static int print = 0;
-
-pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER;
-static int locked_sign = 0;
-static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);}
-static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);}
-
-pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER;
-static int locked_verify = 0;
-static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);}
-static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);}
-
-pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER;
-long failure_count = 0;
-static void
-failure()
-{
- pthread_mutex_lock(&failure_count_lock);
- failure_count++;
- pthread_mutex_unlock(&failure_count_lock);
-}
-
-static void *
-thread_main(void *argp)
-{
- struct thread_args *args = argp;
- unsigned char *signature;
- unsigned int signature_len, signature_alloc_len;
- int ret, i;
-
- signature_alloc_len = args->signature_len;
- if (RSA_size(args->rsa) > signature_alloc_len) {
- signature_alloc_len = RSA_size(args->rsa);
- }
- signature = malloc(signature_alloc_len);
- if (signature == NULL) {
- fprintf(stderr, "Skipping checks in thread %lu -- %s.\n",
- (unsigned long) pthread_self(), strerror(errno));
- pthread_exit(0);
- return NULL;
- }
- for (i = 0; i < ITERATION_COUNT; i++) {
- signature_len = signature_alloc_len;
- SIGN_LOCK();
- ret = RSA_check_key(args->rsa);
- ERR_print_errors_fp(stdout);
- if (ret != 1) {
- failure();
- break;
- }
- ret = RSA_sign(args->digest_type,
- args->digest,
- args->digest_len,
- signature, &signature_len,
- args->rsa);
- SIGN_UNLOCK();
- ERR_print_errors_fp(stdout);
- if (ret != 1) {
- failure();
- break;
- }
-
- VERIFY_LOCK();
- ret = RSA_verify(args->digest_type,
- args->digest,
- args->digest_len,
- signature, signature_len,
- args->rsa);
- VERIFY_UNLOCK();
- if (ret != 1) {
- fprintf(stderr,
- "Signature from thread %lu(%d) fails "
- "verification (passed in thread #%lu)!\n",
- (long) pthread_self(), i,
- (long) args->main_thread);
- ERR_print_errors_fp(stdout);
- failure();
- continue;
- }
- if (print) {
- fprintf(stderr, ">%d\n", i);
- }
- }
- free(signature);
-
- pthread_exit(0);
-
- return NULL;
-}
-
-unsigned char *
-xmemdup(unsigned char *s, size_t len)
-{
- unsigned char *r;
- r = malloc(len);
- if (r == NULL) {
- fprintf(stderr, "Out of memory.\n");
- ERR_print_errors_fp(stdout);
- assert(r != NULL);
- }
- memcpy(r, s, len);
- return r;
-}
-
-int
-main(int argc, char **argv)
-{
- RSA *rsa;
- MD5_CTX md5;
- int fd, i;
- pthread_t threads[MAX_THREAD_COUNT];
- int thread_count = 1000;
- unsigned char *message, *digest;
- unsigned int message_len, digest_len;
- unsigned char *correct_signature;
- unsigned int correct_siglen, ret;
- struct thread_args master_args, *args;
- int sync = 0, seed = 0;
- int again = 1;
-#ifdef USE_ENGINE
- char *engine = NULL;
- ENGINE *e = NULL;
-#endif
-
- pthread_mutex_init(&failure_count_lock, NULL);
-
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--seed") == 0) {
- printf("Seeding PRNG.\n");
- seed++;
- } else
- if (strcmp(argv[i], "--sync") == 0) {
- printf("Running synchronized.\n");
- sync++;
- } else
- if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) {
- i++;
- thread_count = atol(argv[i]);
- if (thread_count > MAX_THREAD_COUNT) {
- thread_count = MAX_THREAD_COUNT;
- }
- printf("Starting %d threads.\n", thread_count);
Deleted |
_service:download_src_package:opensslconf-new-warning.h
@@ -1,7 +0,0 @@
-/* Prepended at openssl package build-time. Don't include this file directly,
- * use <openssl/opensslconf.h> instead. */
-
-#ifndef openssl_opensslconf_multilib_redirection_h
-#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
-#endif
-
Deleted |
_service:download_src_package:opensslconf-new.h
@@ -1,47 +0,0 @@
-/* This file is here to prevent a file conflict on multiarch systems. A
- * conflict will frequently occur because arch-specific build-time
- * configuration options are stored (and used, so they can't just be stripped
- * out) in opensslconf.h. The original opensslconf.h has been renamed.
- * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
-
-#ifdef openssl_opensslconf_multilib_redirection_h
-#error "Do not define openssl_opensslconf_multilib_redirection_h!"
-#endif
-#define openssl_opensslconf_multilib_redirection_h
-
-#if defined(__i386__)
-#include "opensslconf-i386.h"
-#elif defined(__ia64__)
-#include "opensslconf-ia64.h"
-#elif defined(__mips64) && defined(__MIPSEL__)
-#include "opensslconf-mips64el.h"
-#elif defined(__mips64)
-#include "opensslconf-mips64.h"
-#elif defined(__mips) && defined(__MIPSEL__)
-#include "opensslconf-mipsel.h"
-#elif defined(__mips)
-#include "opensslconf-mips.h"
-#elif defined(__powerpc64__)
-#include <endian.h>
-#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
-#include "opensslconf-ppc64.h"
-#else
-#include "opensslconf-ppc64le.h"
-#endif
-#elif defined(__powerpc__)
-#include "opensslconf-ppc.h"
-#elif defined(__s390x__)
-#include "opensslconf-s390x.h"
-#elif defined(__s390__)
-#include "opensslconf-s390.h"
-#elif defined(__sparc__) && defined(__arch64__)
-#include "opensslconf-sparc64.h"
-#elif defined(__sparc__)
-#include "opensslconf-sparc.h"
-#elif defined(__x86_64__)
-#include "opensslconf-x86_64.h"
-#else
-#error "This openssl-devel package does not work your architecture?"
-#endif
-
-#undef openssl_opensslconf_multilib_redirection_h
Deleted |
_service:download_src_package:renew-dummy-cert
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-if [ $# -eq 0 ]; then
- echo $"Usage: `basename $0` filename" 1>&2
- exit 1
-fi
-
-PEM=$1
-REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
-KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
-CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
-NEW=${PEM}_
-
-trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
-
-if [ ! -f $PEM ]; then
- echo "$PEM: file not found" 1>&2
- exit 1
-fi
-
-let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
-let SERIAL++
-
-umask 077
-
-OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
-
-openssl rsa -inform pem -in $PEM -out $KEY
-openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
-openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
- -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
-
-(cat $KEY ; echo "" ; cat $CRT) > $NEW
-
-chown $OWNER $NEW
-
-mv -f $NEW $PEM
-
-rm -f $REQ $KEY $CRT
-
-exit 0
-