|
[-]
[+]
|
Added |
_service:download_src_package:openssl.spec
|
|
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.0-beta4-ca-dir.patch
^
|
| @@ -0,0 +1,36 @@
+diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
+--- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir 2006-04-28 02:30:49.000000000 +0200
++++ openssl-1.0.0-beta4/apps/CA.pl.in 2009-11-12 12:33:13.000000000 +0100
+@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
+ $X509="$openssl x509";
+ $PKCS12="$openssl pkcs12";
+
+-$CATOP="./demoCA";
++$CATOP="/etc/pki/CA";
+ $CAKEY="cakey.pem";
+ $CAREQ="careq.pem";
+ $CACERT="cacert.pem";
+diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
+--- openssl-1.0.0-beta4/apps/CA.sh.ca-dir 2009-10-15 19:27:47.000000000 +0200
++++ openssl-1.0.0-beta4/apps/CA.sh 2009-11-12 12:35:14.000000000 +0100
+@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
+ X509="$OPENSSL x509"
+ PKCS12="openssl pkcs12"
+
+-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
++if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
+ CAKEY=./cakey.pem
+ CAREQ=./careq.pem
+ CACERT=./cacert.pem
+diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
+--- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir 2009-11-12 12:33:13.000000000 +0100
++++ openssl-1.0.0-beta4/apps/openssl.cnf 2009-11-12 12:33:13.000000000 +0100
+@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
+ ####################################################################
+ [ CA_default ]
+
+-dir = ./demoCA # Where everything is kept
++dir = /etc/pki/CA # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.0-timezone.patch
^
|
| @@ -0,0 +1,21 @@
+diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org
+--- openssl-1.0.0/Makefile.org.timezone 2010-03-30 11:08:40.000000000 +0200
++++ openssl-1.0.0/Makefile.org 2010-04-06 12:49:21.000000000 +0200
+@@ -609,7 +609,7 @@ install_docs:
+ sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ (cd `$(PERL) util/dirname.pl $$i`; \
+- sh -c "$$pod2man \
++ sh -c "TZ=UTC $$pod2man \
+ --section=$$sec --center=OpenSSL \
+ --release=$(VERSION) `basename $$i`") \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+@@ -626,7 +626,7 @@ install_docs:
+ sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ (cd `$(PERL) util/dirname.pl $$i`; \
+- sh -c "$$pod2man \
++ sh -c "TZ=UTC $$pod2man \
+ --section=$$sec --center=OpenSSL \
+ --release=$(VERSION) `basename $$i`") \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.1c-aliasing.patch
^
|
| @@ -0,0 +1,12 @@
+diff -up openssl-1.0.1c/crypto/modes/Makefile.aliasing openssl-1.0.1c/crypto/modes/Makefile
+--- openssl-1.0.1c/crypto/modes/Makefile.aliasing 2011-08-12 00:36:17.000000000 +0200
++++ openssl-1.0.1c/crypto/modes/Makefile 2012-07-13 11:32:10.767829077 +0200
+@@ -12,7 +12,7 @@ AR= ar r
+
+ MODES_ASM_OBJ=
+
+-CFLAGS= $(INCLUDES) $(CFLAG)
++CFLAGS= $(INCLUDES) $(CFLAG) -fno-strict-aliasing
+ ASFLAGS= $(INCLUDES) $(ASFLAG)
+ AFLAGS= $(ASFLAGS)
+
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.1c-perlfind.patch
^
|
| @@ -0,0 +1,16 @@
+diff -up openssl-1.0.1c/util/perlpath.pl.perlfind openssl-1.0.1c/util/perlpath.pl
+--- openssl-1.0.1c/util/perlpath.pl.perlfind 2012-07-11 22:57:33.000000000 +0200
++++ openssl-1.0.1c/util/perlpath.pl 2012-07-12 00:31:12.102156275 +0200
+@@ -4,10 +4,10 @@
+ # line in all scripts that rely on perl.
+ #
+
+-require "find.pl";
++use File::Find;
+
+ $#ARGV == 0 || print STDERR "usage: perlpath newpath (eg /usr/bin)\n";
+-&find(".");
++find(\&wanted, ".");
+
+ sub wanted
+ {
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.1i-algo-doc.patch
^
|
| @@ -0,0 +1,77 @@
+diff -up openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod
+--- openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod 2014-08-07 11:18:01.290773970 +0200
+@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
+
+ EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
+ B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
+-function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
++function. B<type> will typically be supplied by a function such as EVP_sha1().
+ If B<impl> is NULL then the default implementation of digest B<type> is used.
+
+ EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
+@@ -164,7 +164,8 @@ corresponding OBJECT IDENTIFIER or NID_u
+ EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
+ EVP_MD_CTX_block_size() return the digest or block size in bytes.
+
+-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
++EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
++EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
+ EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
+ corresponding EVP_MD structures.
+
+diff -up openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod
+--- openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod 2014-08-07 10:55:25.100638252 +0200
+@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+
++ const EVP_CIPHER *EVP_des_ede3(void);
++ const EVP_CIPHER *EVP_des_ede3_ecb(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
++ const EVP_CIPHER *EVP_des_ede3_ofb(void);
++ const EVP_CIPHER *EVP_des_ede3_cbc(void);
++ const EVP_CIPHER *EVP_aes_128_ecb(void);
++ const EVP_CIPHER *EVP_aes_128_cbc(void);
++ const EVP_CIPHER *EVP_aes_128_cfb1(void);
++ const EVP_CIPHER *EVP_aes_128_cfb8(void);
++ const EVP_CIPHER *EVP_aes_128_cfb128(void);
++ const EVP_CIPHER *EVP_aes_128_ofb(void);
++ const EVP_CIPHER *EVP_aes_192_ecb(void);
++ const EVP_CIPHER *EVP_aes_192_cbc(void);
++ const EVP_CIPHER *EVP_aes_192_cfb1(void);
++ const EVP_CIPHER *EVP_aes_192_cfb8(void);
++ const EVP_CIPHER *EVP_aes_192_cfb128(void);
++ const EVP_CIPHER *EVP_aes_192_ofb(void);
++ const EVP_CIPHER *EVP_aes_256_ecb(void);
++ const EVP_CIPHER *EVP_aes_256_cbc(void);
++ const EVP_CIPHER *EVP_aes_256_cfb1(void);
++ const EVP_CIPHER *EVP_aes_256_cfb8(void);
++ const EVP_CIPHER *EVP_aes_256_cfb128(void);
++ const EVP_CIPHER *EVP_aes_256_ofb(void);
++
+ =head1 DESCRIPTION
+
+ The EVP cipher routines are a high level interface to certain
+@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
+
+ DESX algorithm in CBC mode.
+
++=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
++
++AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
++=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
++
++AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
++=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
++
++AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
+ =item EVP_rc4(void)
+
+ RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-apps-dgst.patch
^
|
| @@ -0,0 +1,110 @@
+diff -up openssl-1.0.2a/apps/ca.c.dgst openssl-1.0.2a/apps/ca.c
+--- openssl-1.0.2a/apps/ca.c.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/ca.c 2015-04-21 17:01:38.841551616 +0200
+@@ -157,7 +157,7 @@ static const char *ca_usage[] = {
+ " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
+ " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
+ " -days arg - number of days to certify the certificate for\n",
+- " -md arg - md to use, one of md2, md5, sha or sha1\n",
++ " -md arg - md to use, see openssl dgst -h for list\n",
+ " -policy arg - The CA 'policy' to support\n",
+ " -keyfile arg - private key file\n",
+ " -keyform arg - private key file format (PEM or ENGINE)\n",
+diff -up openssl-1.0.2a/apps/enc.c.dgst openssl-1.0.2a/apps/enc.c
+--- openssl-1.0.2a/apps/enc.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/enc.c 2015-04-21 17:01:38.841551616 +0200
+@@ -294,7 +294,7 @@ int MAIN(int argc, char **argv)
+ "%-14s the next argument is the md to use to create a key\n",
+ "-md");
+ BIO_printf(bio_err,
+- "%-14s from a passphrase. One of md2, md5, sha or sha1\n",
++ "%-14s from a passphrase. See openssl dgst -h for list.\n",
+ "");
+ BIO_printf(bio_err, "%-14s salt in hex is the next argument\n",
+ "-S");
+diff -up openssl-1.0.2a/apps/req.c.dgst openssl-1.0.2a/apps/req.c
+--- openssl-1.0.2a/apps/req.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/req.c 2015-04-21 17:01:38.842551640 +0200
+@@ -414,7 +414,7 @@ int MAIN(int argc, char **argv)
+ " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
+ #endif
+ BIO_printf(bio_err,
+- " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
++ " -[digest] Digest to sign with (see openssl dgst -h for list)\n");
+ BIO_printf(bio_err, " -config file request template file.\n");
+ BIO_printf(bio_err,
+ " -subj arg set or modify request subject\n");
+diff -up openssl-1.0.2a/apps/ts.c.dgst openssl-1.0.2a/apps/ts.c
+--- openssl-1.0.2a/apps/ts.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/ts.c 2015-04-21 17:01:38.842551640 +0200
+@@ -337,7 +337,7 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err, "usage:\n"
+ "ts -query [-rand file%cfile%c...] [-config configfile] "
+ "[-data file_to_hash] [-digest digest_bytes]"
+- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
++ "[-<hashalg>] "
+ "[-policy object_id] [-no_nonce] [-cert] "
+ "[-in request.tsq] [-out request.tsq] [-text]\n",
+ LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+diff -up openssl-1.0.2a/apps/x509.c.dgst openssl-1.0.2a/apps/x509.c
+--- openssl-1.0.2a/apps/x509.c.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/x509.c 2015-04-21 17:01:38.842551640 +0200
+@@ -141,7 +141,7 @@ static const char *x509_usage[] = {
+ " -set_serial - serial number to use\n",
+ " -text - print the certificate in text form\n",
+ " -C - print out C code forms\n",
+- " -md2/-md5/-sha1/-mdc2 - digest to use\n",
++ " -<dgst> - digest to use, see openssl dgst -h output for list\n",
+ " -extfile - configuration file with X509V3 extensions to add\n",
+ " -extensions - section from config file with X509V3 extensions to add\n",
+ " -clrext - delete extensions before signing and input certificate\n",
+diff -up openssl-1.0.2a/doc/apps/ca.pod.dgst openssl-1.0.2a/doc/apps/ca.pod
+--- openssl-1.0.2a/doc/apps/ca.pod.dgst 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ca.pod 2015-04-21 17:01:38.842551640 +0200
+@@ -168,7 +168,8 @@ the number of days to certify the certif
+ =item B<-md alg>
+
+ the message digest to use. Possible values include md5, sha1 and mdc2.
+-This option also applies to CRLs.
++For full list of digests see openssl dgst -h output. This option also
++applies to CRLs.
+
+ =item B<-policy arg>
+
+diff -up openssl-1.0.2a/doc/apps/ocsp.pod.dgst openssl-1.0.2a/doc/apps/ocsp.pod
+--- openssl-1.0.2a/doc/apps/ocsp.pod.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-21 17:01:38.842551640 +0200
+@@ -219,7 +219,8 @@ check is not performed.
+ =item B<-md5|-sha1|-sha256|-ripemod160|...>
+
+ this option sets digest algorithm to use for certificate identification
+-in the OCSP request. By default SHA-1 is used.
++in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
++the list of available algorithms.
+
+ =back
+
+diff -up openssl-1.0.2a/doc/apps/req.pod.dgst openssl-1.0.2a/doc/apps/req.pod
+--- openssl-1.0.2a/doc/apps/req.pod.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/req.pod 2015-04-21 17:01:38.843551664 +0200
+@@ -201,7 +201,8 @@ will not be encrypted.
+
+ this specifies the message digest to sign the request with (such as
+ B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
+-the configuration file.
++the configuration file. For full list of possible digests see openssl
++dgst -h output.
+
+ Some public key algorithms may override this choice. For instance, DSA
+ signatures always use SHA1, GOST R 34.10 signatures always use
+diff -up openssl-1.0.2a/doc/apps/x509.pod.dgst openssl-1.0.2a/doc/apps/x509.pod
+--- openssl-1.0.2a/doc/apps/x509.pod.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/x509.pod 2015-04-21 17:01:38.843551664 +0200
+@@ -107,6 +107,7 @@ the digest to use. This affects any sign
+ digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
+ specified then SHA1 is used. If the key being used to sign with is a DSA key
+ then this option has no effect: SHA1 is always used with DSA keys.
++For full list of digests see openssl dgst -h output.
+
+ =item B<-engine id>
+
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-cc-reqs.patch
^
|
| @@ -0,0 +1,27 @@
+diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs 2015-04-09 18:22:58.638448432 +0200
++++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-09 18:22:57.264416692 +0200
+@@ -474,6 +474,12 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
+ goto err;
+
++ /* prepare minimum p and q difference */
++ if (!BN_one(r3))
++ goto err;
++ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
++ goto err;
++
+ BN_copy(rsa->e, e_value);
+
+ /* generate p and q */
+@@ -501,7 +507,9 @@ static int rsa_builtin_keygen(RSA *rsa,
+ do {
+ if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+ goto err;
+- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
++ if (!BN_sub(r2, rsa->q, rsa->p))
++ goto err;
++ } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
+ if (degenerate == 3) {
+ ok = 0; /* we set our own err */
+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-chil-fixes.patch
^
|
| @@ -0,0 +1,24 @@
+diff -up openssl-1.0.2a/engines/e_chil.c.chil openssl-1.0.2a/engines/e_chil.c
+--- openssl-1.0.2a/engines/e_chil.c.chil 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/engines/e_chil.c 2015-04-21 17:06:25.480293443 +0200
+@@ -1247,6 +1247,11 @@ static int hwcrhk_insert_card(const char
+ UI *ui;
+ void *callback_data = NULL;
+ UI_METHOD *ui_method = NULL;
++ /* Despite what the documentation says prompt_info can be
++ * an empty string.
++ */
++ if (prompt_info && !*prompt_info)
++ prompt_info = NULL;
+
+ if (cactx) {
+ if (cactx->ui_method)
+@@ -1268,7 +1273,7 @@ static int hwcrhk_insert_card(const char
+ ui = UI_new_method(ui_method);
+
+ if (ui) {
+- char answer;
++ char answer = '\0';
+ char buf[BUFSIZ];
+ /*
+ * Despite what the documentation says wrong_info can be an empty
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-compat-symbols.patch
^
|
| @@ -0,0 +1,46 @@
+diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.compat openssl-1.0.2a/crypto/dsa/dsa_key.c
+--- openssl-1.0.2a/crypto/dsa/dsa_key.c.compat 2015-04-09 18:21:11.687977858 +0200
++++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-09 18:21:07.869889659 +0200
+@@ -68,6 +68,11 @@
+ # include <openssl/fips.h>
+ # include <openssl/evp.h>
+
++/* just a compatibility symbol - no-op */
++void FIPS_corrupt_dsa_keygen(void)
++{
++}
++
+ static int fips_check_dsa(DSA *dsa)
+ {
+ EVP_PKEY *pk;
+diff -up openssl-1.0.2a/crypto/engine/eng_all.c.compat openssl-1.0.2a/crypto/engine/eng_all.c
+--- openssl-1.0.2a/crypto/engine/eng_all.c.compat 2015-04-09 18:21:11.688977881 +0200
++++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-09 18:21:09.159919459 +0200
+@@ -63,6 +63,11 @@
+ # include <openssl/fips.h>
+ #endif
+
++/* just backwards compatibility symbol - no-op */
++void ENGINE_load_aesni(void)
++{
++}
++
+ void ENGINE_load_builtin_engines(void)
+ {
+ /* Some ENGINEs need this */
+diff -up openssl-1.0.2a/crypto/fips/fips.c.compat openssl-1.0.2a/crypto/fips/fips.c
+--- openssl-1.0.2a/crypto/fips/fips.c.compat 2015-04-09 18:21:11.689977904 +0200
++++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-09 18:21:09.925937154 +0200
+@@ -113,6 +113,12 @@ int FIPS_module_mode(void)
+ return ret;
+ }
+
++/* just a compat symbol - return NULL */
++const void *FIPS_rand_check(void)
++{
++ return NULL;
++}
++
+ int FIPS_selftest_failed(void)
+ {
+ int ret = 0;
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-defaults.patch
^
|
| @@ -0,0 +1,60 @@
+diff -up openssl-1.0.2a/apps/openssl.cnf.defaults openssl-1.0.2a/apps/openssl.cnf
+--- openssl-1.0.2a/apps/openssl.cnf.defaults 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/openssl.cnf 2015-04-20 14:37:10.112271850 +0200
+@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
+
+ default_days = 365 # how long to certify for
+ default_crl_days= 30 # how long before next CRL
+-default_md = default # use public key default MD
++default_md = sha256 # use SHA-256 by default
+ preserve = no # keep passed DN ordering
+
+ # A few difference way of specifying how similar the request should look
+@@ -104,6 +104,7 @@ emailAddress = optional
+ ####################################################################
+ [ req ]
+ default_bits = 2048
++default_md = sha256
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+@@ -126,17 +127,18 @@ string_mask = utf8only
+
+ [ req_distinguished_name ]
+ countryName = Country Name (2 letter code)
+-countryName_default = AU
++countryName_default = XX
+ countryName_min = 2
+ countryName_max = 2
+
+ stateOrProvinceName = State or Province Name (full name)
+-stateOrProvinceName_default = Some-State
++#stateOrProvinceName_default = Default Province
+
+ localityName = Locality Name (eg, city)
++localityName_default = Default City
+
+ 0.organizationName = Organization Name (eg, company)
+-0.organizationName_default = Internet Widgits Pty Ltd
++0.organizationName_default = Default Company Ltd
+
+ # we can do this but it is not needed normally :-)
+ #1.organizationName = Second Organization Name (eg, company)
+@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
+ organizationalUnitName = Organizational Unit Name (eg, section)
+ #organizationalUnitName_default =
+
+-commonName = Common Name (e.g. server FQDN or YOUR name)
++commonName = Common Name (eg, your name or your server\'s hostname)
+ commonName_max = 64
+
+ emailAddress = Email Address
+@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
+ default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+ other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+-digests = md5, sha1 # Acceptable message digests (mandatory)
++digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+ accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ clock_precision_digits = 0 # number of digits after dot. (optional)
+ ordering = yes # Is ordering defined for timestamps?
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-disable-sslv2v3.patch
^
|
| @@ -0,0 +1,13 @@
+diff -up openssl-1.0.2a/ssl/ssl_lib.c.v2v3 openssl-1.0.2a/ssl/ssl_lib.c
+--- openssl-1.0.2a/ssl/ssl_lib.c.v2v3 2015-04-22 15:37:15.974345757 +0200
++++ openssl-1.0.2a/ssl/ssl_lib.c 2015-04-22 15:39:39.114782365 +0200
+@@ -2048,6 +2048,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
++ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++
+ return (ret);
+ err:
+ SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-dtls1-abi.patch
^
|
| @@ -0,0 +1,23 @@
+diff -up openssl-1.0.2a/ssl/dtls1.h.dtls1-abi openssl-1.0.2a/ssl/dtls1.h
+--- openssl-1.0.2a/ssl/dtls1.h.dtls1-abi 2015-04-21 10:49:57.984781143 +0200
++++ openssl-1.0.2a/ssl/dtls1.h 2015-04-21 16:41:37.835164264 +0200
+@@ -214,9 +214,6 @@ typedef struct dtls1_state_st {
+ * loss.
+ */
+ record_pqueue buffered_app_data;
+- /* Is set when listening for new connections with dtls1_listen() */
+- unsigned int listen;
+- unsigned int link_mtu; /* max on-the-wire DTLS packet size */
+ unsigned int mtu; /* max DTLS packet size */
+ struct hm_header_st w_msg_hdr;
+ struct hm_header_st r_msg_hdr;
+@@ -241,6 +238,9 @@ typedef struct dtls1_state_st {
+ * Cleared after the message has been processed.
+ */
+ unsigned int change_cipher_spec_ok;
++ /* Is set when listening for new connections with dtls1_listen() */
++ unsigned int listen;
++ unsigned int link_mtu; /* max on-the-wire DTLS packet size */
+ # ifndef OPENSSL_NO_SCTP
+ /* used when SSL_ST_XX_FLUSH is entered */
+ int next_state;
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-enc-fail.patch
^
|
| @@ -0,0 +1,61 @@
+diff -up openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2a/crypto/evp/bio_enc.c
+--- openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/bio_enc.c 2015-04-22 18:10:06.491819948 +0200
+@@ -201,10 +201,14 @@ static int enc_read(BIO *b, char *out, i
+ break;
+ }
+ } else {
+- EVP_CipherUpdate(&(ctx->cipher),
+- (unsigned char *)ctx->buf, &ctx->buf_len,
+- (unsigned char *)&(ctx->buf[BUF_OFFSET]), i);
+- ctx->cont = 1;
++ if (!EVP_CipherUpdate(&(ctx->cipher),
++ (unsigned char *)ctx->buf, &ctx->buf_len,
++ (unsigned char *)&(ctx->buf[BUF_OFFSET]),
++ i)) {
++ ctx->ok = 0;
++ ctx->cont = 0;
++ } else
++ ctx->cont = 1;
+ /*
+ * Note: it is possible for EVP_CipherUpdate to decrypt zero
+ * bytes because this is or looks like the final block: if this
+@@ -260,9 +264,13 @@ static int enc_write(BIO *b, const char
+ ctx->buf_off = 0;
+ while (inl > 0) {
+ n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl;
+- EVP_CipherUpdate(&(ctx->cipher),
+- (unsigned char *)ctx->buf, &ctx->buf_len,
+- (unsigned char *)in, n);
++ if (!EVP_CipherUpdate(&(ctx->cipher),
++ (unsigned char *)ctx->buf, &ctx->buf_len,
++ (unsigned char *)in, n)) {
++ BIO_copy_next_retry(b);
++ ctx->ok = 0;
++ return ret - inl;
++ }
+ inl -= n;
+ in += n;
+
+@@ -298,8 +306,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
+ case BIO_CTRL_RESET:
+ ctx->ok = 1;
+ ctx->finished = 0;
+- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+- ctx->cipher.encrypt);
++ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
++ ctx->cipher.encrypt))
++ ctx->ok = 0;
+ ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
+ break;
+ case BIO_CTRL_EOF: /* More to read */
+@@ -421,7 +430,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
+
+ b->init = 1;
+ ctx = (BIO_ENC_CTX *)b->ptr;
+- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
++ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
++ ctx->ok = 0;
+
+ if (b->callback != NULL)
+ b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-enginesdir.patch
^
|
| @@ -0,0 +1,52 @@
+diff -up openssl-1.0.2a/Configure.enginesdir openssl-1.0.2a/Configure
+--- openssl-1.0.2a/Configure.enginesdir 2015-04-20 14:37:58.137392222 +0200
++++ openssl-1.0.2a/Configure 2015-04-20 14:37:58.140392292 +0200
+@@ -702,6 +702,7 @@ my $idx_multilib = $idx++;
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -929,6 +930,10 @@ PROCESS_ARGS:
+ {
+ $openssldir=$1;
+ }
++ elsif (/^--enginesdir=(.*)$/)
++ {
++ $enginesdir=$1;
++ }
+ elsif (/^--install.prefix=(.*)$/)
+ {
+ $install_prefix=$1;
+@@ -1185,7 +1190,7 @@ chop $prefix if $prefix =~ /.\/$/;
+
+ $openssldir=$prefix . "/ssl" if $openssldir eq "";
+ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+
+ print "IsMK1MF=$IsMK1MF\n";
+
+@@ -1871,7 +1876,7 @@ while (<IN>)
+ }
+ elsif (/^#define\s+ENGINESDIR/)
+ {
+- my $foo = "$prefix/$libdir/engines";
++ my $foo = "$enginesdir";
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
+diff -up openssl-1.0.2a/engines/Makefile.enginesdir openssl-1.0.2a/engines/Makefile
+--- openssl-1.0.2a/engines/Makefile.enginesdir 2015-04-20 14:37:58.140392292 +0200
++++ openssl-1.0.2a/engines/Makefile 2015-04-20 14:40:15.570598383 +0200
+@@ -124,7 +124,7 @@ install:
+ esac; \
+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ fi; \
+- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-env-zlib.patch
^
|
| @@ -0,0 +1,39 @@
+diff -up openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2015-04-09 18:17:20.509637597 +0200
++++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-09 18:17:14.767504953 +0200
+@@ -47,6 +47,13 @@ Once the identities of the compression m
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+
+ SSL_COMP_add_compression_method() may return the following values:
+diff -up openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib 2015-04-09 18:17:20.510637620 +0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-09 18:17:20.264631937 +0200
+@@ -140,6 +140,8 @@
+ * OTHERWISE.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <openssl/objects.h>
+ #ifndef OPENSSL_NO_COMP
+@@ -450,7 +452,8 @@ static void load_builtin_compressions(vo
+
+ MemCheck_off();
+ ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL) {
++ if (ssl_comp_methods != NULL
++ && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+ comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL) {
+ comp->method = COMP_zlib();
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-fips-ctor.patch
^
|
| @@ -0,0 +1,174 @@
+diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c
+--- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor 2015-04-21 17:42:18.702765856 +0200
++++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-21 17:42:18.742766794 +0200
+@@ -60,6 +60,8 @@
+ #include <dlfcn.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
+ #include "fips_locl.h"
+
+ #ifdef OPENSSL_FIPS
+@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
+ }
+
+ # define HMAC_PREFIX "."
+-# define HMAC_SUFFIX ".hmac"
++# ifndef HMAC_SUFFIX
++# define HMAC_SUFFIX ".hmac"
++# endif
+ # define READ_BUFFER_LENGTH 16384
+
+ static char *make_hmac_path(const char *origpath)
+@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
+ return rv;
+ }
+
+-static int FIPSCHECK_verify(const char *libname, const char *symbolname)
++static int FIPSCHECK_verify(const char *path)
+ {
+- char path[PATH_MAX + 1];
+- int rv;
++ int rv = 0;
+ FILE *hf;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+
+- rv = get_library_path(libname, symbolname, path, sizeof(path));
+-
+- if (rv < 0)
+- return 0;
+-
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ return 0;
+@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
+ return 1;
+ }
+
++static int verify_checksums(void)
++{
++ int rv;
++ char path[PATH_MAX + 1];
++ char *p;
++
++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++ are in the same directory */
++
++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
++ "FIPS_mode_set", path, sizeof(path));
++ if (rv < 0)
++ return 0;
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++
++ /* replace libcrypto with libssl */
++ while ((p = strstr(path, "libcrypto.so")) != NULL) {
++ p = stpcpy(p, "libssl");
++ memmove(p, p + 3, strlen(p + 2));
++ }
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++ return 1;
++}
++
++# ifndef FIPS_MODULE_PATH
++# define FIPS_MODULE_PATH "/etc/system-fips"
++# endif
++
++int FIPS_module_installed(void)
++{
++ int rv;
++ rv = access(FIPS_MODULE_PATH, F_OK);
++ if (rv < 0 && errno != ENOENT)
++ rv = 0;
++
++ /* Installed == true */
++ return !rv;
++}
++
+ int FIPS_module_mode_set(int onoff, const char *auth)
+ {
+ int ret = 0;
+@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
+ }
+ # endif
+
+- if (!FIPSCHECK_verify
+- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
+- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
+- }
+-
+- if (!FIPSCHECK_verify
+- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
++ if (!verify_checksums()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h
+--- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor 2015-04-21 17:42:18.739766724 +0200
++++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-21 17:42:18.743766818 +0200
+@@ -74,6 +74,7 @@ extern "C" {
+
+ int FIPS_module_mode_set(int onoff, const char *auth);
+ int FIPS_module_mode(void);
++ int FIPS_module_installed(void);
+ const void *FIPS_rand_check(void);
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
+diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c
+--- openssl-1.0.2a/crypto/o_init.c.fips-ctor 2015-04-21 17:42:18.732766559 +0200
++++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:45:02.662613173 +0200
+@@ -74,6 +74,9 @@ static void init_fips_mode(void)
+ char buf[2] = "0";
+ int fd;
+
++ /* Ensure the selftests always run */
++ FIPS_mode_set(1);
++
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+@@ -85,8 +88,12 @@ static void init_fips_mode(void)
+ * otherwise..
+ */
+
+- if (buf[0] == '1') {
+- FIPS_mode_set(1);
++ if (buf[0] != '1') {
++ /* drop down to non-FIPS mode if it is not requested */
++ FIPS_mode_set(0);
++ } else {
++ /* abort if selftest failed */
++ FIPS_selftest_check();
+ }
+ }
+ #endif
+@@ -96,13 +103,16 @@ static void init_fips_mode(void)
+ * sets FIPS callbacks
+ */
+
+-void OPENSSL_init_library(void)
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
+ {
+ static int done = 0;
+ if (done)
+ return;
+ done = 1;
+ #ifdef OPENSSL_FIPS
++ if (!FIPS_module_installed()) {
++ return;
++ }
+ RAND_init_fips();
+ init_fips_mode();
+ if (!FIPS_mode()) {
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-fips-ec.patch
^
|
| @@ -0,0 +1,1929 @@
+diff -up openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.2a/crypto/ecdh/ecdhtest.c
+--- openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ecdhtest.c 2015-04-22 19:00:19.721884512 +0200
+@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
+ goto err;
+
+ /* NIST PRIME CURVES TESTS */
++# if 0
+ if (!test_ecdh_curve
+ (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
+ goto err;
+ if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
+ goto err;
++# endif
+ if (!test_ecdh_curve
+ (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
+ goto err;
+@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
+ if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
+ goto err;
+ # endif
++# if 0
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
+ goto err;
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
+ goto err;
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
+ goto err;
+-
++# endif
+ ret = 0;
+
+ err:
+diff -up openssl-1.0.2a/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.2a/crypto/ecdh/ech_lib.c
+--- openssl-1.0.2a/crypto/ecdh/ech_lib.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ech_lib.c 2015-04-22 19:00:19.721884512 +0200
+@@ -93,14 +93,7 @@ void ECDH_set_default_method(const ECDH_
+ const ECDH_METHOD *ECDH_get_default_method(void)
+ {
+ if (!default_ECDH_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ecdh_openssl();
+- else
+- return ECDH_OpenSSL();
+-#else
+ default_ECDH_method = ECDH_OpenSSL();
+-#endif
+ }
+ return default_ECDH_method;
+ }
+diff -up openssl-1.0.2a/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.2a/crypto/ecdh/ech_ossl.c
+--- openssl-1.0.2a/crypto/ecdh/ech_ossl.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ech_ossl.c 2015-04-22 19:00:19.722884536 +0200
+@@ -78,6 +78,10 @@
+ #include <openssl/obj_mac.h>
+ #include <openssl/bn.h>
+
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
+ EC_KEY *ecdh,
+ void *(*KDF) (const void *in, size_t inlen,
+@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = {
+ NULL, /* init */
+ NULL, /* finish */
+ #endif
+- 0, /* flags */
++ ECDH_FLAG_FIPS_METHOD, /* flags */
+ NULL /* app_data */
+ };
+
+@@ -119,6 +123,13 @@ static int ecdh_compute_key(void *out, s
+ size_t buflen, len;
+ unsigned char *buf = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++#endif
++
+ if (outlen > INT_MAX) {
+ ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of,
+ * anyway */
+diff -up openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecdsatest.c
+--- openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecdsatest.c 2015-04-22 19:00:19.722884536 +0200
+@@ -138,11 +138,14 @@ int restore_rand(void)
+ }
+
+ static int fbytes_counter = 0;
+-static const char *numbers[8] = {
++static const char *numbers[10] = {
++ "651056770906015076056810763456358567190100156695615665659",
+ "651056770906015076056810763456358567190100156695615665659",
+ "6140507067065001063065065565667405560006161556565665656654",
+ "8763001015071075675010661307616710783570106710677817767166"
+ "71676178726717",
++ "8763001015071075675010661307616710783570106710677817767166"
++ "71676178726717",
+ "7000000175690566466555057817571571075705015757757057795755"
+ "55657156756655",
+ "1275552191113212300012030439187146164646146646466749494799",
+@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num)
+ int ret;
+ BIGNUM *tmp = NULL;
+
+- if (fbytes_counter >= 8)
++ if (fbytes_counter >= 10)
+ return 0;
+ tmp = BN_new();
+ if (!tmp)
+@@ -532,8 +535,10 @@ int main(void)
+ RAND_seed(rnd_seed, sizeof(rnd_seed));
+
+ /* the tests */
++# if 0
+ if (!x9_62_tests(out))
+ goto err;
++# endif
+ if (!test_builtin(out))
+ goto err;
+
+diff -up openssl-1.0.2a/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecs_lib.c
+--- openssl-1.0.2a/crypto/ecdsa/ecs_lib.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecs_lib.c 2015-04-22 19:00:19.722884536 +0200
+@@ -80,14 +80,7 @@ void ECDSA_set_default_method(const ECDS
+ const ECDSA_METHOD *ECDSA_get_default_method(void)
+ {
+ if (!default_ECDSA_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ecdsa_openssl();
+- else
+- return ECDSA_OpenSSL();
+-#else
+ default_ECDSA_method = ECDSA_OpenSSL();
+-#endif
+ }
+ return default_ECDSA_method;
+ }
+diff -up openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c
+--- openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c 2015-04-22 19:00:19.722884536 +0200
+@@ -60,6 +60,9 @@
+ #include <openssl/err.h>
+ #include <openssl/obj_mac.h>
+ #include <openssl/bn.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
+ const BIGNUM *, const BIGNUM *,
+@@ -78,7 +81,7 @@ static ECDSA_METHOD openssl_ecdsa_meth =
+ NULL, /* init */
+ NULL, /* finish */
+ #endif
+- 0, /* flags */
++ ECDSA_FLAG_FIPS_METHOD, /* flags */
+ NULL /* app_data */
+ };
+
+@@ -245,6 +248,13 @@ static ECDSA_SIG *ecdsa_do_sign(const un
+ ECDSA_DATA *ecdsa;
+ const BIGNUM *priv_key;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++#endif
++
+ ecdsa = ecdsa_check(eckey);
+ group = EC_KEY_get0_group(eckey);
+ priv_key = EC_KEY_get0_private_key(eckey);
+@@ -358,6 +368,13 @@ static int ecdsa_do_verify(const unsigne
+ const EC_GROUP *group;
+ const EC_POINT *pub_key;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++#endif
++
+ /* check input values */
+ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
+ (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
+diff -up openssl-1.0.2a/crypto/ec/ec_cvt.c.fips-ec openssl-1.0.2a/crypto/ec/ec_cvt.c
+--- openssl-1.0.2a/crypto/ec/ec_cvt.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ec_cvt.c 2015-04-22 19:01:08.703040756 +0200
+@@ -82,10 +82,6 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const B
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-fips-md5-allow.patch
^
|
| @@ -0,0 +1,21 @@
+diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.2a/crypto/md5/md5_dgst.c
+--- openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow 2015-04-09 18:18:36.505393113 +0200
++++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-09 18:18:32.408298469 +0200
+@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-nonfips_md_init(MD5)
++int MD5_Init(MD5_CTX *c)
++#ifdef OPENSSL_FIPS
++{
++ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
++ return private_MD5_Init(c);
++}
++
++int private_MD5_Init(MD5_CTX *c)
++#endif
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-ipv6-apps.patch
^
|
| @@ -0,0 +1,525 @@
+diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
+--- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
++++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
+@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
+ #define PORT_STR "4433"
+ #define PROTOCOL "tcp"
+
+-int do_server(int port, int type, int *ret,
++int do_server(char *port, int type, int *ret,
+ int (*cb) (char *hostname, int s, int stype,
+ unsigned char *context), unsigned char *context,
+ int naccept);
+@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
+ int ssl_print_curves(BIO *out, SSL *s, int noshared);
+ #endif
+ int ssl_print_tmp_key(BIO *out, SSL *s);
+-int init_client(int *sock, char *server, int port, int type);
++int init_client(int *sock, char *server, char *port, int type);
+ int should_retry(int i);
+ int extract_port(char *str, short *port_ptr);
+-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+- short *p);
++int extract_host_port(char *str, char **host_ptr, char **port_ptr);
+
+ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+ int argi, long argl, long ret);
+diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
+--- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
++++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
+@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
+ int cbuf_len, cbuf_off;
+ int sbuf_len, sbuf_off;
+ fd_set readfds, writefds;
+- short port = PORT;
++ char *port_str = PORT_STR;
+ int full_log = 1;
+ char *host = SSL_HOST_NAME;
+ char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
+@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
+ } else if (strcmp(*argv, "-port") == 0) {
+ if (--argc < 1)
+ goto bad;
+- port = atoi(*(++argv));
+- if (port == 0)
+- goto bad;
++ port_str = *(++argv);
+ } else if (strcmp(*argv, "-connect") == 0) {
+ if (--argc < 1)
+ goto bad;
+- if (!extract_host_port(*(++argv), &host, NULL, &port))
++ if (!extract_host_port(*(++argv), &host, &port_str))
+ goto bad;
+ } else if (strcmp(*argv, "-verify") == 0) {
+ verify = SSL_VERIFY_PEER;
+@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
+
+ re_start:
+
+- if (init_client(&s, host, port, socket_type) == 0) {
++ if (init_client(&s, host, port_str, socket_type) == 0) {
+ BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
+ SHUTDOWN(s);
+ goto end;
+diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
+--- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
++++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
+@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
+ {
+ X509_VERIFY_PARAM *vpm = NULL;
+ int badarg = 0;
+- short port = PORT;
++ char *port_str = PORT_STR;
+ char *CApath = NULL, *CAfile = NULL;
+ char *chCApath = NULL, *chCAfile = NULL;
+ char *vfyCApath = NULL, *vfyCAfile = NULL;
+@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
+ if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
+ if (--argc < 1)
+ goto bad;
+- if (!extract_port(*(++argv), &port))
++ port_str = *(++argv);
++ if (port_str == NULL || *port_str == '\0')
+ goto bad;
+ } else if (strcmp(*argv, "-naccept") == 0) {
+ if (--argc < 1)
+@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
+ BIO_printf(bio_s_out, "ACCEPT\n");
+ (void)BIO_flush(bio_s_out);
+ if (rev)
+- do_server(port, socket_type, &accept_socket, rev_body, context,
++ do_server(port_str, socket_type, &accept_socket, rev_body, context,
+ naccept);
+ else if (www)
+- do_server(port, socket_type, &accept_socket, www_body, context,
++ do_server(port_str, socket_type, &accept_socket, www_body, context,
+ naccept);
+ else
+- do_server(port, socket_type, &accept_socket, sv_body, context,
++ do_server(port_str, socket_type, &accept_socket, sv_body, context,
+ naccept);
+ print_stats(bio_s_out, ctx);
+ ret = 0;
+diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
+--- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
+@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
+ static void ssl_sock_cleanup(void);
+ # endif
+ static int ssl_sock_init(void);
+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
+-static int init_server(int *sock, int port, int type);
+-static int init_server_long(int *sock, int port, char *ip, int type);
++static int init_server(int *sock, char *port, int type);
+ static int do_accept(int acc_sock, int *sock, char **host);
+ static int host_ip(char *str, unsigned char ip[4]);
+
+@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
+ return (1);
+ }
+
+-int init_client(int *sock, char *host, int port, int type)
++int init_client(int *sock, char *host, char *port, int type)
+ {
+- unsigned char ip[4];
+-
+- memset(ip, '\0', sizeof ip);
+- if (!host_ip(host, &(ip[0])))
+- return 0;
+- return init_client_ip(sock, ip, port, type);
+-}
+-
+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
+-{
+- unsigned long addr;
+- struct sockaddr_in them;
+- int s, i;
++ struct addrinfo *res, *res0, hints;
++ char *failed_call = NULL;
++ int s;
++ int e;
+
+ if (!ssl_sock_init())
+ return (0);
+
+- memset((char *)&them, 0, sizeof(them));
+- them.sin_family = AF_INET;
+- them.sin_port = htons((unsigned short)port);
+- addr = (unsigned long)
+- ((unsigned long)ip[0] << 24L) |
+- ((unsigned long)ip[1] << 16L) |
+- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
+- them.sin_addr.s_addr = htonl(addr);
+-
+- if (type == SOCK_STREAM)
+- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+- else /* ( type == SOCK_DGRAM) */
+- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+-
+- if (s == INVALID_SOCKET) {
+- perror("socket");
++ memset(&hints, '\0', sizeof(hints));
++ hints.ai_socktype = type;
++ hints.ai_flags = AI_ADDRCONFIG;
++
++ e = getaddrinfo(host, port, &hints, &res);
++ if (e) {
++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
++ if (e == EAI_SYSTEM)
++ perror("getaddrinfo");
+ return (0);
+ }
++
++ res0 = res;
++ while (res) {
++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++ if (s == INVALID_SOCKET) {
++ failed_call = "socket";
++ goto nextres;
++ }
+ # if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+- if (type == SOCK_STREAM) {
+- i = 0;
+- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
+- if (i < 0) {
+- closesocket(s);
+- perror("keepalive");
+- return (0);
++ if (type == SOCK_STREAM) {
++ int i = 0;
++ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
++ (char *)&i, sizeof(i));
++ if (i < 0) {
++ failed_call = "keepalive";
++ goto nextres;
++ }
+ }
+- }
+ # endif
+-
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-issuer-hash.patch
^
|
| @@ -0,0 +1,11 @@
+diff -up openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1k/crypto/x509/x509_cmp.c
+--- openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash 2015-04-09 18:16:03.349855193 +0200
++++ openssl-1.0.1k/crypto/x509/x509_cmp.c 2015-04-09 18:16:00.616792058 +0200
+@@ -86,6 +86,7 @@ unsigned long X509_issuer_and_serial_has
+ char *f;
+
+ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+ goto err;
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-no-md5-verify.patch
^
|
| @@ -0,0 +1,25 @@
+diff -up openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.2a/crypto/asn1/a_verify.c
+--- openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify 2015-04-09 18:20:58.829680829 +0200
++++ openssl-1.0.2a/crypto/asn1/a_verify.c 2015-04-09 18:20:54.495580710 +0200
+@@ -56,6 +56,9 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
++
+ #include <stdio.h>
+ #include <time.h>
+
+@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
+ if (ret != 2)
+ goto err;
+ ret = -1;
++ } else if (mdnid == NID_md5
++ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
++ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
++ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++ goto err;
+ } else {
+ const EVP_MD *type;
+ type = EVP_get_digestbynid(mdnid);
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-no-rpath.patch
^
|
| @@ -0,0 +1,12 @@
+diff -up openssl-1.0.2a/Makefile.shared.no-rpath openssl-1.0.2a/Makefile.shared
+--- openssl-1.0.2a/Makefile.shared.no-rpath 2015-04-09 18:14:39.647921663 +0200
++++ openssl-1.0.2a/Makefile.shared 2015-04-09 18:14:34.423800985 +0200
+@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+ #This is rather special. It's a special target with which one can link
+ #applications without bothering with any features that have anything to
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-padlock64.patch
^
|
| @@ -0,0 +1,198 @@
+diff -up openssl-1.0.2a/engines/e_padlock.c.padlock64 openssl-1.0.2a/engines/e_padlock.c
+--- openssl-1.0.2a/engines/e_padlock.c.padlock64 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/engines/e_padlock.c 2015-04-22 16:23:44.105617468 +0200
+@@ -101,7 +101,10 @@
+ */
+ # undef COMPILE_HW_PADLOCK
+ # if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
+-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
++# if (defined(__GNUC__) && __GNUC__>=2 && \
++ (defined(__i386__) || defined(__i386) || \
++ defined(__x86_64__) || defined(__x86_64)) \
++ ) || \
+ (defined(_MSC_VER) && defined(_M_IX86))
+ # define COMPILE_HW_PADLOCK
+ # endif
+@@ -140,7 +143,7 @@ void ENGINE_load_padlock(void)
+ # endif
+ # elif defined(__GNUC__)
+ # ifndef alloca
+-# define alloca(s) __builtin_alloca(s)
++# define alloca(s) __builtin_alloca((s))
+ # endif
+ # endif
+
+@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_da
+ * =======================================================
+ */
+ # if defined(__GNUC__) && __GNUC__>=2
++# if defined(__i386__) || defined(__i386)
+ /*
+ * As for excessive "push %ebx"/"pop %ebx" found all over.
+ * When generating position-independent code GCC won't let
+@@ -379,22 +383,6 @@ static int padlock_available(void)
+ return padlock_use_ace + padlock_use_rng;
+ }
+
+-# ifndef OPENSSL_NO_AES
+-# ifndef AES_ASM
+-/* Our own htonl()/ntohl() */
+-static inline void padlock_bswapl(AES_KEY *ks)
+-{
+- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+- unsigned int *key = ks->rd_key;
+-
+- while (i--) {
+- asm volatile ("bswapl %0":"+r" (*key));
+- key++;
+- }
+-}
+-# endif
+-# endif
+-
+ /*
+ * Force key reload from memory to the CPU microcode. Loading EFLAGS from the
+ * stack clears EFLAGS[30] which does the trick.
+@@ -404,7 +392,7 @@ static inline void padlock_reload_key(vo
+ asm volatile ("pushfl; popfl");
+ }
+
+-# ifndef OPENSSL_NO_AES
++# ifndef OPENSSL_NO_AES
+ /*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+@@ -448,6 +436,101 @@ static inline void *name(size_t cnt,
+ : "edx", "cc", "memory"); \
+ return iv; \
+ }
++# endif
++
++# elif defined(__x86_64__) || defined(__x86_64)
++
++/* Load supported features of the CPU to see if
++ the PadLock is available. */
++static int padlock_available(void)
++{
++ char vendor_string[16];
++ unsigned int eax, edx;
++
++ /* Are we running on the Centaur (VIA) CPU? */
++ eax = 0x00000000;
++ vendor_string[12] = 0;
++ asm volatile ("cpuid\n"
++ "movl %%ebx,(%1)\n"
++ "movl %%edx,4(%1)\n"
++ "movl %%ecx,8(%1)\n":"+a" (eax):"r"(vendor_string):"rbx",
++ "rcx", "rdx");
++ if (strcmp(vendor_string, "CentaurHauls") != 0)
++ return 0;
++
++ /* Check for Centaur Extended Feature Flags presence */
++ eax = 0xC0000000;
++ asm volatile ("cpuid":"+a" (eax)::"rbx", "rcx", "rdx");
++ if (eax < 0xC0000001)
++ return 0;
++
++ /* Read the Centaur Extended Feature Flags */
++ eax = 0xC0000001;
++ asm volatile ("cpuid":"+a" (eax), "=d"(edx)::"rbx", "rcx");
++
++ /* Fill up some flags */
++ padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
++ padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
++
++ return padlock_use_ace + padlock_use_rng;
++}
++
++/* Force key reload from memory to the CPU microcode.
++ Loading EFLAGS from the stack clears EFLAGS[30]
++ which does the trick. */
++static inline void padlock_reload_key(void)
++{
++ asm volatile ("pushfq; popfq");
++}
++
++# ifndef OPENSSL_NO_AES
++/*
++ * This is heuristic key context tracing. At first one
++ * believes that one should use atomic swap instructions,
++ * but it's not actually necessary. Point is that if
++ * padlock_saved_context was changed by another thread
++ * after we've read it and before we compare it with cdata,
++ * our key *shall* be reloaded upon thread context switch
++ * and we are therefore set in either case...
++ */
++static inline void padlock_verify_context(struct padlock_cipher_data *cdata)
++{
++ asm volatile ("pushfq\n"
++ " btl $30,(%%rsp)\n"
++ " jnc 1f\n"
++ " cmpq %2,%1\n"
++ " je 1f\n"
++ " popfq\n"
++ " subq $8,%%rsp\n"
++ "1: addq $8,%%rsp\n"
++ " movq %2,%0":"+m" (padlock_saved_context)
++ :"r"(padlock_saved_context), "r"(cdata):"cc");
++}
++
++/* Template for padlock_xcrypt_* modes */
++/* BIG FAT WARNING:
++ * The offsets used with 'leal' instructions
++ * describe items of the 'padlock_cipher_data'
++ * structure.
++ */
++# define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
++static inline void *name(size_t cnt, \
++ struct padlock_cipher_data *cdata, \
++ void *out, const void *inp) \
++{ void *iv; \
++ asm volatile ( "leaq 16(%0),%%rdx\n" \
++ " leaq 32(%0),%%rbx\n" \
++ rep_xcrypt "\n" \
++ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
++ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
++ : "rbx", "rdx", "cc", "memory"); \
++ return iv; \
++}
++# endif
++
++# endif /* cpu */
++
++# ifndef OPENSSL_NO_AES
+
+ /* Generate all functions with appropriate opcodes */
+ /* rep xcryptecb */
+@@ -458,6 +541,20 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, "
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
+ /* rep xcryptofb */
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
++
++# ifndef AES_ASM
++/* Our own htonl()/ntohl() */
++static inline void padlock_bswapl(AES_KEY *ks)
++{
++ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
++ unsigned int *key = ks->rd_key;
++
++ while (i--) {
++ asm volatile ("bswapl %0":"+r" (*key));
++ key++;
++ }
++}
++# endif
+ # endif
+ /* The RNG call itself */
+ static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
+@@ -485,8 +582,8 @@ static inline unsigned int padlock_xstor
+ static inline unsigned char *padlock_memcpy(void *dst, const void *src,
+ size_t n)
+ {
+- long *d = dst;
+- const long *s = src;
++ size_t *d = dst;
++ const size_t *s = src;
+
+ n /= sizeof(*d);
+ do {
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-pkgconfig-krb5.patch
^
|
| @@ -0,0 +1,21 @@
+diff -up openssl-1.0.2a/Makefile.org.krb5 openssl-1.0.2a/Makefile.org
+--- openssl-1.0.2a/Makefile.org.krb5 2015-04-21 17:08:41.157464459 +0200
++++ openssl-1.0.2a/Makefile.org 2015-04-21 17:11:56.887039005 +0200
+@@ -372,7 +372,7 @@ libcrypto.pc: Makefile
+ echo 'Requires: '; \
+ echo 'Libs: -L$${libdir} -lcrypto'; \
+ echo 'Libs.private: $(EX_LIBS)'; \
+- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
++ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
+
+ libssl.pc: Makefile
+ @ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -385,7 +385,7 @@ libssl.pc: Makefile
+ echo 'Version: '$(VERSION); \
+ echo 'Requires.private: libcrypto'; \
+ echo 'Libs: -L$${libdir} -lssl'; \
+- echo 'Libs.private: $(EX_LIBS)'; \
++ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
+ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+
+ openssl.pc: Makefile
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-readme-warning.patch
^
|
| @@ -0,0 +1,50 @@
+diff -up openssl-1.0.2a/README.warning openssl-1.0.2a/README
+--- openssl-1.0.2a/README.warning 2015-03-20 16:00:47.000000000 +0100
++++ openssl-1.0.2a/README 2015-03-21 09:06:11.000000000 +0100
+@@ -5,6 +5,46 @@
+ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+ All rights reserved.
+
++ WARNING
++ -------
++
++ This version of OpenSSL is built in a way that supports operation in
++ the so called FIPS mode. Note though that the library as we build it
++ is not FIPS 140-2 validated and the FIPS mode is present for testing
++ purposes only.
++
++ This version also contains a few differences from the upstream code
++ some of which are:
++ * The FIPS validation support is significantly different from the
++ upstream FIPS support. For example the FIPS integrity verification
++ check is implemented differently as the FIPS module is built inside
++ the shared library. The HMAC-SHA256 checksums of the whole shared
++ libraries are verified. Also note that the FIPS integrity
++ verification check requires that the libcrypto and libssl shared
++ library files are unmodified which means that it will fail if these
++ files are changed for example by prelink.
++ * If the file /etc/system-fips is present the integrity verification
++ and selftests of the crypto algorithms are run inside the library
++ constructor code.
++ * With the /etc/system-fips present the module respects the kernel
++ FIPS flag /proc/sys/crypto/fips and tries to initialize the FIPS mode
++ if it is set to 1 aborting if the FIPS mode could not be initialized.
++ With the /etc/system-fips present it is also possible to force the
++ OpenSSL library to FIPS mode especially for debugging purposes by
++ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
++ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
++ will not automatically load the built in compression method ZLIB
++ when initialized. Applications can still explicitely ask for ZLIB
++ compression method.
++ * The library was patched so the certificates, CRLs and other objects
++ signed with use of MD5 fail verification as the MD5 is too insecure
++ to be used for signatures. If the environment variable
++ OPENSSL_ENABLE_MD5_VERIFY is set, the verification can proceed
++ normally.
++ * If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set,
++ the library will not allow generation of DSA and RSA keys with
++ other lengths than specified in the FIPS 186-4 standard.
++
+ DESCRIPTION
+ -----------
+
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-rsa-x931.patch
^
|
| @@ -0,0 +1,35 @@
+diff -up openssl-1.0.2a/apps/genrsa.c.x931 openssl-1.0.2a/apps/genrsa.c
+--- openssl-1.0.2a/apps/genrsa.c.x931 2015-04-09 18:18:24.132107287 +0200
++++ openssl-1.0.2a/apps/genrsa.c 2015-04-09 18:18:18.852985339 +0200
+@@ -97,6 +97,7 @@ int MAIN(int argc, char **argv)
+ int ret = 1;
+ int i, num = DEFBITS;
+ long l;
++ int use_x931 = 0;
+ const EVP_CIPHER *enc = NULL;
+ unsigned long f4 = RSA_F4;
+ char *outfile = NULL;
+@@ -139,6 +140,8 @@ int MAIN(int argc, char **argv)
+ f4 = 3;
+ else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
+ f4 = RSA_F4;
++ else if (strcmp(*argv, "-x931") == 0)
++ use_x931 = 1;
+ # ifndef OPENSSL_NO_ENGINE
+ else if (strcmp(*argv, "-engine") == 0) {
+ if (--argc < 1)
+@@ -278,7 +281,13 @@ int MAIN(int argc, char **argv)
+ if (!rsa)
+ goto err;
+
+- if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
++ if (use_x931) {
++ if (!BN_set_word(bn, f4))
++ goto err;
++ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
++ goto err;
++ } else if (!BN_set_word(bn, f4)
++ || !RSA_generate_key_ex(rsa, num, bn, &cb))
+ goto err;
+
+ app_RAND_write_file(NULL, bio_err);
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-secure-getenv.patch
^
|
| @@ -0,0 +1,241 @@
+diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_api.c
+--- openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/conf/conf_api.c 2015-04-21 17:14:12.757214532 +0200
+@@ -63,6 +63,8 @@
+ # define NDEBUG
+ #endif
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -141,7 +143,7 @@ char *_CONF_get_string(const CONF *conf,
+ if (v != NULL)
+ return (v->value);
+ if (strcmp(section, "ENV") == 0) {
+- p = getenv(name);
++ p = secure_getenv(name);
+ if (p != NULL)
+ return (p);
+ }
+@@ -154,7 +156,7 @@ char *_CONF_get_string(const CONF *conf,
+ else
+ return (NULL);
+ } else
+- return (getenv(name));
++ return (secure_getenv(name));
+ }
+
+ #if 0 /* There's no way to provide error checking
+diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_mod.c
+--- openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/conf/conf_mod.c 2015-04-21 17:13:24.165078848 +0200
+@@ -57,6 +57,8 @@
+ *
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <openssl/crypto.h>
+@@ -526,7 +528,7 @@ char *CONF_get1_default_config_file(void
+ char *file;
+ int len;
+
+- file = getenv("OPENSSL_CONF");
++ file = secure_getenv("OPENSSL_CONF");
+ if (file)
+ return BUF_strdup(file);
+
+diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/crypto/engine/eng_list.c
+--- openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv 2015-04-21 17:13:24.165078848 +0200
++++ openssl-1.0.2a/crypto/engine/eng_list.c 2015-04-21 17:15:53.180561603 +0200
+@@ -62,6 +62,8 @@
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "eng_int.h"
+
+ /*
+@@ -368,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id)
+ */
+ if (strcmp(id, "dynamic")) {
+ # ifdef OPENSSL_SYS_VMS
+- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
++ if (OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0)
+ load_dir = "SSLROOT:[ENGINES]";
+ # else
+- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
++ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
+ load_dir = ENGINESDIR;
+ # endif
+ iterator = ENGINE_by_id("dynamic");
+diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypto/md5/md5_dgst.c
+--- openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv 2015-04-21 17:13:24.156078637 +0200
++++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-21 17:13:24.165078848 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include "md5_locl.h"
+ #include <openssl/opensslv.h>
+@@ -75,7 +77,8 @@ const char MD5_version[] = "MD5" OPENSSL
+ int MD5_Init(MD5_CTX *c)
+ #ifdef OPENSSL_FIPS
+ {
+- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++ if (FIPS_mode()
++ && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
+ return private_MD5_Init(c);
+ }
+diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_init.c
+--- openssl-1.0.2a/crypto/o_init.c.secure-getenv 2015-04-21 17:13:24.142078310 +0200
++++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:13:24.165078848 +0200
+@@ -53,6 +53,8 @@
+ *
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <e_os.h>
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
+@@ -72,7 +74,7 @@ static void init_fips_mode(void)
+ char buf[2] = "0";
+ int fd;
+
+- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/crypto/rand/randfile.c
+--- openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/rand/randfile.c 2015-04-21 17:13:24.165078848 +0200
+@@ -60,6 +60,8 @@
+ #if !defined(OPENSSL_SYS_VXWORKS)
+ # define _XOPEN_SOURCE 500
+ #endif
++/* for secure_getenv */
++#define _GNU_SOURCE
+
+ #include <errno.h>
+ #include <stdio.h>
+@@ -292,14 +294,12 @@ const char *RAND_file_name(char *buf, si
+ struct stat sb;
+ #endif
+
+- if (OPENSSL_issetugid() == 0)
+- s = getenv("RANDFILE");
++ s = secure_getenv("RANDFILE");
+ if (s != NULL && *s && strlen(s) + 1 < size) {
+ if (BUF_strlcpy(buf, s, size) >= size)
+ return NULL;
+ } else {
+- if (OPENSSL_issetugid() == 0)
+- s = getenv("HOME");
++ s = secure_getenv("HOME");
+ #ifdef DEFAULT_HOME
+ if (s == NULL) {
+ s = DEFAULT_HOME;
+diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto/x509/by_dir.c
+--- openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/x509/by_dir.c 2015-04-21 17:13:24.165078848 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -128,7 +130,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
+ switch (cmd) {
+ case X509_L_ADD_DIR:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- dir = (char *)getenv(X509_get_default_cert_dir_env());
++ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
+ if (dir)
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
+ else
+diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypto/x509/by_file.c
+--- openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv 2015-04-21 17:13:24.118077749 +0200
++++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-21 17:13:24.166078871 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -97,7 +99,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
+ switch (cmd) {
+ case X509_L_FILE_LOAD:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- file = (char *)getenv(X509_get_default_cert_file_env());
++ file = (char *)secure_getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file(ctx, file,
+ X509_FILETYPE_PEM) != 0);
+diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/crypto/x509/x509_vfy.c
+--- openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-21 17:19:14.948277272 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-system-cipherlist.patch
^
|
| @@ -0,0 +1,285 @@
+diff -up openssl-1.0.2a/Configure.system openssl-1.0.2a/Configure
+--- openssl-1.0.2a/Configure.system 2015-04-22 15:23:47.970633650 +0200
++++ openssl-1.0.2a/Configure 2015-04-22 15:23:48.042635407 +0200
+@@ -10,7 +10,7 @@ use strict;
+
+ # see INSTALL for instructions.
+
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+
+ # Options:
+ #
+@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
+ # --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
+ # supported values are "MIT" and "Heimdal". A value is required.
+ #
++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
++# cipher is specified (default).
++#
+ # --test-sanity Make a number of sanity checks on the data in this file.
+ # This is a debugging tool for OpenSSL developers.
+ #
+@@ -703,6 +706,7 @@ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
+ my $enginesdir="";
++my $system_ciphers_file="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -934,6 +938,10 @@ PROCESS_ARGS:
+ {
+ $enginesdir=$1;
+ }
++ elsif (/^--system-ciphers-file=(.*)$/)
++ {
++ $system_ciphers_file=$1;
++ }
+ elsif (/^--install.prefix=(.*)$/)
+ {
+ $install_prefix=$1;
+@@ -1096,6 +1104,7 @@ print "Configuring for $target\n";
+
+ &usage if (!defined($table{$target}));
+
++chop $system_ciphers_file if $system_ciphers_file =~ /\/$/;
+
+ foreach (sort (keys %disabled))
+ {
+@@ -1667,6 +1676,7 @@ while (<IN>)
+ s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
+ s/^MULTILIB=.*$/MULTILIB=$multilib/;
+ s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
++ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/;
+ s/^LIBDIR=.*$/LIBDIR=$libdir/;
+ s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
+ s/^PLATFORM=.*$/PLATFORM=$target/;
+@@ -1877,6 +1887,14 @@ while (<IN>)
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
++ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/)
++ {
++ my $foo = "$system_ciphers_file";
++ if ($foo ne '') {
++ $foo =~ s/\\/\\\\/g;
++ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n";
++ }
++ }
+ elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
+ { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
+ if $export_var_as_fn;
+diff -up openssl-1.0.2a/crypto/opensslconf.h.in.system openssl-1.0.2a/crypto/opensslconf.h.in
+--- openssl-1.0.2a/crypto/opensslconf.h.in.system 2015-04-22 15:23:47.988634089 +0200
++++ openssl-1.0.2a/crypto/opensslconf.h.in 2015-04-22 15:23:48.042635407 +0200
+@@ -25,6 +25,8 @@
+ #endif
+ #endif
+
++#undef SYSTEM_CIPHERS_FILE
++
+ #undef OPENSSL_UNISTD
+ #define OPENSSL_UNISTD <unistd.h>
+
+diff -up openssl-1.0.2a/ssl/ssl_ciph.c.system openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a/ssl/ssl_ciph.c.system 2015-04-22 15:23:47.993634211 +0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-22 15:29:30.185982356 +0200
+@@ -1463,6 +1463,50 @@ static int check_suiteb_cipher_list(cons
+ }
+ #endif
+
++#ifdef SYSTEM_CIPHERS_FILE
++static char *load_system_str(const char *suffix)
++{
++ FILE *fp;
++ char buf[1024];
++ char *new_rules;
++ unsigned len, slen;
++
++ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
++ /* cannot open or file is empty */
++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
++ }
++
++ if (fp)
++ fclose(fp);
++
++ slen = strlen(suffix);
++ len = strlen(buf);
++
++ if (buf[len - 1] == '\n') {
++ len--;
++ buf[len] = 0;
++ }
++ if (buf[len - 1] == '\r') {
++ len--;
++ buf[len] = 0;
++ }
++
++ new_rules = OPENSSL_malloc(len + slen + 1);
++ if (new_rules == 0)
++ return NULL;
++
++ memcpy(new_rules, buf, len);
++ if (slen > 0) {
++ memcpy(&new_rules[len], suffix, slen);
++ len += slen;
++ }
++ new_rules[len] = 0;
++
++ return new_rules;
++}
++#endif
++
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
+ **cipher_list, STACK_OF(SSL_CIPHER)
+ **cipher_list_by_id,
+@@ -1471,19 +1515,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
+ unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac,
+ disabled_ssl;
+- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
++ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
+ const char *rule_p;
+ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
+ const SSL_CIPHER **ca_list = NULL;
++#ifdef SYSTEM_CIPHERS_FILE
++ char *new_rules = NULL;
++
++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
++ char *p = rule_str + 14;
++
++ new_rules = load_system_str(p);
++ rule_str = new_rules;
++ }
++#endif
+
+ /*
+ * Return with error if nothing to do.
+ */
+ if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+- return NULL;
++ goto end;
+ #ifndef OPENSSL_NO_EC
+ if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+- return NULL;
++ goto end;
+ #endif
+
+ /*
+@@ -1507,7 +1561,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
+ if (co_list == NULL) {
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+- return (NULL); /* Failure */
++ goto end;
+ }
+
+ ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
+@@ -1568,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ * in force within each class
+ */
+ if (!ssl_cipher_strength_sort(&head, &tail)) {
+- OPENSSL_free(co_list);
+- return NULL;
++ goto end;
+ }
+
+ /* Now disable everything (maintaining the ordering!) */
+@@ -1587,9 +1640,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+ ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
+ if (ca_list == NULL) {
+- OPENSSL_free(co_list);
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+- return (NULL); /* Failure */
++ goto end;
+ }
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-test-use-localhost.patch
^
|
| @@ -0,0 +1,21 @@
+diff -up openssl-1.0.2a/ssl/ssltest.c.use-localhost openssl-1.0.2a/ssl/ssltest.c
+--- openssl-1.0.2a/ssl/ssltest.c.use-localhost 2015-04-20 14:43:07.172601663 +0200
++++ openssl-1.0.2a/ssl/ssltest.c 2015-04-20 14:45:02.831299849 +0200
+@@ -1516,16 +1516,7 @@ int main(int argc, char *argv[])
+
+ #ifndef OPENSSL_NO_KRB5
+ if (c_ssl && c_ssl->kssl_ctx) {
+- char localhost[MAXHOSTNAMELEN + 2];
+-
+- if (gethostname(localhost, sizeof localhost - 1) == 0) {
+- localhost[sizeof localhost - 1] = '\0';
+- if (strlen(localhost) == sizeof localhost - 1) {
+- BIO_printf(bio_err, "localhost name too long\n");
+- goto end;
+- }
+- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost);
+- }
++ kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, "localhost");
+ }
+ #endif /* OPENSSL_NO_KRB5 */
+
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-version-add-engines.patch
^
|
| @@ -0,0 +1,47 @@
+diff -up openssl-1.0.2a/apps/version.c.version-add-engines openssl-1.0.2a/apps/version.c
+--- openssl-1.0.2a/apps/version.c.version-add-engines 2015-04-09 18:16:42.345756005 +0200
++++ openssl-1.0.2a/apps/version.c 2015-04-09 18:16:36.573622667 +0200
+@@ -131,6 +131,7 @@
+ #ifndef OPENSSL_NO_BF
+ # include <openssl/blowfish.h>
+ #endif
++#include <openssl/engine.h>
+
+ #undef PROG
+ #define PROG version_main
+@@ -140,7 +141,8 @@ int MAIN(int, char **);
+ int MAIN(int argc, char **argv)
+ {
+ int i, ret = 0;
+- int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
++ int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir =
++ 0, engines = 0;
+
+ apps_startup();
+
+@@ -164,7 +166,7 @@ int MAIN(int argc, char **argv)
+ else if (strcmp(argv[i], "-d") == 0)
+ dir = 1;
+ else if (strcmp(argv[i], "-a") == 0)
+- date = version = cflags = options = platform = dir = 1;
++ date = version = cflags = options = platform = dir = engines = 1;
+ else {
+ BIO_printf(bio_err, "usage:version -[avbofpd]\n");
+ ret = 1;
+@@ -208,6 +210,16 @@ int MAIN(int argc, char **argv)
+ printf("%s\n", SSLeay_version(SSLEAY_CFLAGS));
+ if (dir)
+ printf("%s\n", SSLeay_version(SSLEAY_DIR));
++ if (engines) {
++ ENGINE *e;
++ printf("engines: ");
++ e = ENGINE_get_first();
++ while (e) {
++ printf("%s ", ENGINE_get_id(e));
++ e = ENGINE_get_next(e);
++ }
++ printf("\n");
++ }
+ end:
+ apps_shutdown();
+ OPENSSL_EXIT(ret);
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-version.patch
^
|
| @@ -0,0 +1,83 @@
+diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
+--- openssl-1.0.2a/crypto/cversion.c.version 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/cversion.c 2015-04-21 16:48:56.285535316 +0200
+@@ -62,7 +62,7 @@
+ # include "buildinf.h"
+ #endif
+
+-const char *SSLeay_version(int t)
++const char *_current_SSLeay_version(int t)
+ {
+ if (t == SSLEAY_VERSION)
+ return OPENSSL_VERSION_TEXT;
+@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
+ return ("not available");
+ }
+
+-unsigned long SSLeay(void)
++const char *_original_SSLeay_version(int t)
++{
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.0-fips 29 Mar 2010";
++ else
++ return _current_SSLeay_version(t);
++}
++
++const char *_original101_SSLeay_version(int t)
++{
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.1e-fips 11 Feb 2013";
++ else
++ return _current_SSLeay_version(t);
++}
++
++unsigned long _original_SSLeay(void)
++{
++ return (0x10000003L);
++}
++
++unsigned long _original101_SSLeay(void)
++{
++ return (0x1000105fL);
++}
++
++unsigned long _current_SSLeay(void)
+ {
+ return (SSLEAY_VERSION_NUMBER);
+ }
++
++__asm__(".symver _original_SSLeay,SSLeay@");
++__asm__(".symver _original_SSLeay_version,SSLeay_version@");
++__asm__(".symver _original101_SSLeay,SSLeay@OPENSSL_1.0.1");
++__asm__(".symver _original101_SSLeay_version,SSLeay_version@OPENSSL_1.0.1");
++__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
++__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
+diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
+--- openssl-1.0.2a/Makefile.shared.version 2015-04-21 16:43:02.624170648 +0200
++++ openssl-1.0.2a/Makefile.shared 2015-04-21 16:43:02.676171879 +0200
+@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
+--- openssl-1.0.2a/version.map.version 2015-04-21 16:43:02.676171879 +0200
++++ openssl-1.0.2a/version.map 2015-04-21 16:51:49.621630589 +0200
+@@ -0,0 +1,13 @@
++OPENSSL_1.0.1 {
++ global:
++ SSLeay;
++ SSLeay_version;
++ local:
++ _original*;
++ _current*;
++};
++OPENSSL_1.0.2 {
++ global:
++ SSLeay;
++ SSLeay_version;
++} OPENSSL_1.0.1;
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-weak-ciphers.patch
^
|
| @@ -0,0 +1,12 @@
+diff -up openssl-1.0.2a/ssl/ssl.h.weak-ciphers openssl-1.0.2a/ssl/ssl.h
+--- openssl-1.0.2a/ssl/ssl.h.weak-ciphers 2015-04-22 15:11:14.026574414 +0200
++++ openssl-1.0.2a/ssl/ssl.h 2015-04-22 15:14:51.302744713 +0200
+@@ -338,7 +338,7 @@ extern "C" {
+ * The following cipher list is used by default. It also is substituted when
+ * an application-defined cipher list string starts with 'DEFAULT'.
+ */
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
++# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!DES"
+ /*
+ * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-x509.patch
^
|
| @@ -0,0 +1,28 @@
+diff -up openssl-1.0.2a/crypto/x509/by_file.c.x509 openssl-1.0.2a/crypto/x509/by_file.c
+--- openssl-1.0.2a/crypto/x509/by_file.c.x509 2015-04-09 18:16:29.365456157 +0200
++++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-09 18:16:26.398387618 +0200
+@@ -152,9 +152,12 @@ int X509_load_cert_file(X509_LOOKUP *ctx
+ }
+ }
+ i = X509_STORE_add_cert(ctx->store_ctx, x);
+- if (!i)
+- goto err;
+- count++;
++ /* ignore any problems with current certificate
++ and continue with the next one */
++ if (i)
++ count++;
++ else
++ ERR_clear_error();
+ X509_free(x);
+ x = NULL;
+ }
+@@ -167,7 +170,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx
+ }
+ i = X509_STORE_add_cert(ctx->store_ctx, x);
+ if (!i)
+- goto err;
++ ERR_clear_error();
+ ret = i;
+ } else {
+ X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2a-xmpp-starttls.patch
^
|
| @@ -0,0 +1,27 @@
+diff -up openssl-1.0.2a/apps/s_client.c.starttls openssl-1.0.2a/apps/s_client.c
+--- openssl-1.0.2a/apps/s_client.c.starttls 2015-04-22 18:23:12.964387157 +0200
++++ openssl-1.0.2a/apps/s_client.c 2015-04-22 18:23:56.496414820 +0200
+@@ -134,7 +134,8 @@
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
+-
++/* for strcasestr */
++#define _GNU_SOURCE
+ #include <assert.h>
+ #include <ctype.h>
+ #include <stdio.h>
+@@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv)
+ "xmlns='jabber:client' to='%s' version='1.0'>", host);
+ seen = BIO_read(sbio, mbuf, BUFSIZZ);
+ mbuf[seen] = 0;
+- while (!strstr
+- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
++ while (!strcasestr
++ (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
++ && !strcasestr(mbuf,
++ "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
++ {
+ if (strstr(mbuf, "/stream:features>"))
+ goto shut;
+ seen = BIO_read(sbio, mbuf, BUFSIZZ);
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2c-default-paths.patch
^
|
| @@ -0,0 +1,63 @@
+diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
+--- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200
+@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
+ }
+ #endif
+
+- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx))) {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx, vpm);
+
+@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
+ else
+ SSL_CTX_sess_set_cache_size(ctx2, 128);
+
+- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2))) {
++ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
+ ERR_print_errors(bio_err);
+ }
+ if (vpm)
+diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
+--- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200
+@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
+
+ SSL_load_error_strings();
+
+- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
+- /*
+- * BIO_printf(bio_err,"error setting default verify locations\n");
+- */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+ if (tm_cipher == NULL)
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2c-ecc-suiteb.patch
^
|
| @@ -0,0 +1,195 @@
+diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
+--- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200
++++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200
+@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- if (strcmp(*argv, "ecdsap160") == 0)
+- ecdsa_doit[R_EC_P160] = 2;
+- else if (strcmp(*argv, "ecdsap192") == 0)
+- ecdsa_doit[R_EC_P192] = 2;
+- else if (strcmp(*argv, "ecdsap224") == 0)
+- ecdsa_doit[R_EC_P224] = 2;
+- else if (strcmp(*argv, "ecdsap256") == 0)
++ if (strcmp(*argv, "ecdsap256") == 0)
+ ecdsa_doit[R_EC_P256] = 2;
+ else if (strcmp(*argv, "ecdsap384") == 0)
+ ecdsa_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdsap521") == 0)
+ ecdsa_doit[R_EC_P521] = 2;
+- else if (strcmp(*argv, "ecdsak163") == 0)
+- ecdsa_doit[R_EC_K163] = 2;
+- else if (strcmp(*argv, "ecdsak233") == 0)
+- ecdsa_doit[R_EC_K233] = 2;
+- else if (strcmp(*argv, "ecdsak283") == 0)
+- ecdsa_doit[R_EC_K283] = 2;
+- else if (strcmp(*argv, "ecdsak409") == 0)
+- ecdsa_doit[R_EC_K409] = 2;
+- else if (strcmp(*argv, "ecdsak571") == 0)
+- ecdsa_doit[R_EC_K571] = 2;
+- else if (strcmp(*argv, "ecdsab163") == 0)
+- ecdsa_doit[R_EC_B163] = 2;
+- else if (strcmp(*argv, "ecdsab233") == 0)
+- ecdsa_doit[R_EC_B233] = 2;
+- else if (strcmp(*argv, "ecdsab283") == 0)
+- ecdsa_doit[R_EC_B283] = 2;
+- else if (strcmp(*argv, "ecdsab409") == 0)
+- ecdsa_doit[R_EC_B409] = 2;
+- else if (strcmp(*argv, "ecdsab571") == 0)
+- ecdsa_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdsa") == 0) {
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- if (strcmp(*argv, "ecdhp160") == 0)
+- ecdh_doit[R_EC_P160] = 2;
+- else if (strcmp(*argv, "ecdhp192") == 0)
+- ecdh_doit[R_EC_P192] = 2;
+- else if (strcmp(*argv, "ecdhp224") == 0)
+- ecdh_doit[R_EC_P224] = 2;
+- else if (strcmp(*argv, "ecdhp256") == 0)
++ if (strcmp(*argv, "ecdhp256") == 0)
+ ecdh_doit[R_EC_P256] = 2;
+ else if (strcmp(*argv, "ecdhp384") == 0)
+ ecdh_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdhp521") == 0)
+ ecdh_doit[R_EC_P521] = 2;
+- else if (strcmp(*argv, "ecdhk163") == 0)
+- ecdh_doit[R_EC_K163] = 2;
+- else if (strcmp(*argv, "ecdhk233") == 0)
+- ecdh_doit[R_EC_K233] = 2;
+- else if (strcmp(*argv, "ecdhk283") == 0)
+- ecdh_doit[R_EC_K283] = 2;
+- else if (strcmp(*argv, "ecdhk409") == 0)
+- ecdh_doit[R_EC_K409] = 2;
+- else if (strcmp(*argv, "ecdhk571") == 0)
+- ecdh_doit[R_EC_K571] = 2;
+- else if (strcmp(*argv, "ecdhb163") == 0)
+- ecdh_doit[R_EC_B163] = 2;
+- else if (strcmp(*argv, "ecdhb233") == 0)
+- ecdh_doit[R_EC_B233] = 2;
+- else if (strcmp(*argv, "ecdhb283") == 0)
+- ecdh_doit[R_EC_B283] = 2;
+- else if (strcmp(*argv, "ecdhb409") == 0)
+- ecdh_doit[R_EC_B409] = 2;
+- else if (strcmp(*argv, "ecdhb571") == 0)
+- ecdh_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdh") == 0) {
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ } else
+ # endif
+@@ -1156,21 +1104,11 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
+- "ecdsap256 ecdsap384 ecdsap521\n");
+- BIO_printf(bio_err,
+- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+- BIO_printf(bio_err,
+- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
++ BIO_printf(bio_err, "ecdsap256 ecdsap384 ecdsap521\n");
+ BIO_printf(bio_err, "ecdsa\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 "
+- "ecdhp256 ecdhp384 ecdhp521\n");
+- BIO_printf(bio_err,
+- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
+- BIO_printf(bio_err,
+- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
++ BIO_printf(bio_err, "ecdhp256 ecdhp384 ecdhp521\n");
+ BIO_printf(bio_err, "ecdh\n");
+ # endif
+
+@@ -1255,11 +1193,11 @@ int MAIN(int argc, char **argv)
+ if (!FIPS_mode() || i != R_DSA_512)
+ dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ # endif
+ }
+diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
+--- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200
++++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200
+@@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
+ 0, 23, /* secp256r1 (23) */
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+- 0, 28, /* brainpool512r1 (28) */
+- 0, 27, /* brainpoolP384r1 (27) */
+ 0, 24, /* secp384r1 (24) */
+- 0, 26, /* brainpoolP256r1 (26) */
+- 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
+ 0, 23, /* secp256r1 (23) */
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+- 0, 28, /* brainpool512r1 (28) */
+- 0, 27, /* brainpoolP384r1 (27) */
+ 0, 24, /* secp384r1 (24) */
+- 0, 26, /* brainpoolP256r1 (26) */
+- 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
+ * Remaining curves disabled by default but still permitted if set
+ * via an explicit callback or parameters.
+ */
+- 0, 20, /* secp224k1 (20) */
+- 0, 21, /* secp224r1 (21) */
+- 0, 18, /* secp192k1 (18) */
+- 0, 19, /* secp192r1 (19) */
+- 0, 15, /* secp160k1 (15) */
+- 0, 16, /* secp160r1 (16) */
+- 0, 17, /* secp160r2 (17) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
+ 0, 6, /* sect233k1 (6) */
+@@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
+ 0, 9, /* sect283k1 (9) */
+ 0, 10, /* sect283r1 (10) */
+ # endif
+- 0, 22, /* secp256k1 (22) */
+ 0, 23, /* secp256r1 (23) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
+ 0, 6, /* sect233k1 (6) */
+ 0, 7, /* sect233r1 (7) */
+ # endif
+- 0, 20, /* secp224k1 (20) */
+- 0, 21, /* secp224r1 (21) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 4, /* sect193r1 (4) */
+ 0, 5, /* sect193r2 (5) */
+ # endif
+- 0, 18, /* secp192k1 (18) */
+- 0, 19, /* secp192r1 (19) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 1, /* sect163k1 (1) */
+ 0, 2, /* sect163r1 (2) */
+ 0, 3, /* sect163r2 (3) */
+ # endif
+- 0, 15, /* secp160k1 (15) */
+- 0, 16, /* secp160r1 (16) */
+- 0, 17, /* secp160r2 (17) */
+ };
+ # endif
+
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2c-trusted-first-doc.patch
^
|
| @@ -0,0 +1,288 @@
+diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c
+--- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
++++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200
+@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
+ "-CApath dir trusted certificates directory\n");
+ BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c
+--- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
++++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200
+@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err,
+ "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-VAfile file validator certificates file\n");
+diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c
+--- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
++++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200
+@@ -333,6 +333,8 @@ static void sc_usage(void)
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
++ " -trusted_first - Use trusted CA's first when building the trust chain\n");
++ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ " -reconnect - Drop and re-make the connection with the same Session-ID\n");
+diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c
+--- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
++++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200
+@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
+ "-CApath dir trusted certificates directory\n");
+ BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c
+--- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200
+@@ -572,6 +572,8 @@ static void sv_usage(void)
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
++ " -trusted_first - Use trusted CA's first when building the trust chain\n");
++ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ " -nocert - Don't use any certificates (Anon-DH)\n");
+diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c
+--- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200
++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200
+@@ -182,6 +182,7 @@ static void s_time_usage(void)
+ file if not specified by this option\n\
+ -CApath arg - PEM format directory of CA's\n\
+ -CAfile arg - PEM format file of CA's\n\
++-trusted_first - Use trusted CA's first when building the trust chain\n\
+ -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
+
+ printf("usage: s_time <args>\n\n");
+diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c
+--- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200
++++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200
+@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
+ "ts -verify [-data file_to_hash] [-digest digest_bytes] "
+ "[-queryfile request.tsq] "
+ "-in response.tsr [-token_in] "
+- "-CApath ca_path -CAfile ca_file.pem "
++ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
+ "-untrusted cert_file.pem\n");
+ cleanup:
+ /* Clean up. */
+diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c
+--- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
++++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200
+@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
+ end:
+ if (ret == 1) {
+ BIO_printf(bio_err,
+- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
++ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
+ #ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, " [-engine e]");
+diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod
+--- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200
+@@ -35,6 +35,7 @@ B<openssl> B<cms>
+ [B<-print>]
+ [B<-CAfile file>]
+ [B<-CApath dir>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-md digest>]
+ [B<-[cipher]>]
+@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta
+ is a hash of each subject name (using B<x509 -hash>) should be linked
+ to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before untrusted certificates
++from the message when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-md digest>
+
+ digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod
+--- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
++++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200
+@@ -29,7 +29,8 @@ B<openssl> B<ocsp>
+ [B<-path>]
+ [B<-CApath dir>]
+ [B<-CAfile file>]
+-[B<-no_alt_chains>]]
++[B<-trusted_first>]
++[B<-no_alt_chains>]
+ [B<-VAfile file>]
+ [B<-validity_period n>]
+ [B<-status_age n>]
+@@ -144,6 +145,13 @@ connection timeout to the OCSP responder
+ file or pathname containing trusted CA certificates. These are used to verify
+ the signature on the OCSP response.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the response or residing in other certificates file when building the trust
++chain to verify responder certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-no_alt_chains>
+
+ See L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod
+--- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
++++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200
+@@ -19,6 +19,7 @@ B<openssl> B<s_client>
+ [B<-pass arg>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-reconnect>]
+ [B<-pause>]
+@@ -124,7 +125,7 @@ also used when building the client certi
+ A file containing trusted certificates to use during server authentication
+ and to use when attempting to build the client certificate chain.
+
+-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
+
+ Set various certificate chain valiadition option. See the
+ L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod
+--- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200
+@@ -15,6 +15,9 @@ B<openssl> B<smime>
+ [B<-pk7out>]
+ [B<-[cipher]>]
+ [B<-in file>]
++[B<-CAfile file>]
++[B<-CApath dir>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-certfile file>]
+ [B<-signer file>]
+@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta
+ is a hash of each subject name (using B<x509 -hash>) should be linked
+ to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the message when building the trust chain to verify a certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-md digest>
+
+ digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod
+--- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200
++++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200
+@@ -33,6 +33,7 @@ B<openssl> B<s_server>
+ [B<-state>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2d-manfix.patch
^
|
| @@ -0,0 +1,81 @@
+diff -up openssl-1.0.2a/doc/apps/ec.pod.manfix openssl-1.0.2a/doc/apps/ec.pod
+--- openssl-1.0.2a/doc/apps/ec.pod.manfix 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ec.pod 2015-04-21 17:39:20.084574580 +0200
+@@ -93,10 +93,6 @@ prints out the public, private key compo
+
+ this option prevents output of the encoded version of the key.
+
+-=item B<-modulus>
+-
+-this option prints out the value of the public key component of the key.
+-
+ =item B<-pubin>
+
+ by default a private key is read from the input file: with this option a
+diff -up openssl-1.0.2a/doc/apps/openssl.pod.manfix openssl-1.0.2a/doc/apps/openssl.pod
+--- openssl-1.0.2a/doc/apps/openssl.pod.manfix 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/openssl.pod 2015-04-21 17:39:20.084574580 +0200
+@@ -163,7 +163,7 @@ Create or examine a netscape certificate
+
+ Online Certificate Status Protocol utility.
+
+-=item L<B<passwd>|passwd(1)>
++=item L<B<passwd>|sslpasswd(1)>
+
+ Generation of hashed passwords.
+
+@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
+
+ Public key algorithm cryptographic operation utility.
+
+-=item L<B<rand>|rand(1)>
++=item L<B<rand>|sslrand(1)>
+
+ Generate pseudo-random bytes.
+
+@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
+ L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
+ L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
+ L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
+-L<passwd(1)|passwd(1)>,
++L<sslpasswd(1)|sslpasswd(1)>,
+ L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
+-L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
++L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
+ L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
+ L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
+ L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
+diff -up openssl-1.0.2a/doc/apps/s_client.pod.manfix openssl-1.0.2a/doc/apps/s_client.pod
+--- openssl-1.0.2a/doc/apps/s_client.pod.manfix 2015-04-21 17:39:20.085574603 +0200
++++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-21 17:41:00.215924162 +0200
+@@ -34,6 +34,9 @@ B<openssl> B<s_client>
+ [B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
++[B<-tls1_1>]
++[B<-tls1_2>]
++[B<-dtls1>]
+ [B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+@@ -200,7 +203,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+diff -up openssl-1.0.2a/doc/apps/s_server.pod.manfix openssl-1.0.2a/doc/apps/s_server.pod
+--- openssl-1.0.2a/doc/apps/s_server.pod.manfix 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-21 17:39:20.085574603 +0200
+@@ -212,7 +212,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2d-secp256k1.patch
^
|
| @@ -0,0 +1,82 @@
+diff -up openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 openssl-1.0.2d/crypto/ec/ec_curve.c
+--- openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 2015-08-12 14:55:15.203415420 -0400
++++ openssl-1.0.2d/crypto/ec/ec_curve.c 2015-08-12 15:07:12.659113262 -0400
+@@ -86,6 +86,42 @@ typedef struct {
+ unsigned int cofactor; /* promoted to BN_ULONG */
+ } EC_CURVE_DATA;
+
++static const struct {
++ EC_CURVE_DATA h;
++ unsigned char data[0 + 32 * 6];
++} _EC_SECG_PRIME_256K1 = {
++ {
++ NID_X9_62_prime_field, 0, 32, 1
++ },
++ {
++ /* no seed */
++ /* p */
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
++ /* a */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ /* b */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
++ /* x */
++ 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
++ 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
++ 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
++ /* y */
++ 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
++ 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
++ 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
++ /* order */
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
++ 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
++ }
++};
++
+ /* the nist prime curves */
+ static const struct {
+ EC_CURVE_DATA h;
+@@ -235,6 +271,8 @@ typedef struct _ec_list_element_st {
+ static const ec_list_element curve_list[] = {
+ /* prime field curves */
+ /* secg curves */
++ {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
++ "SECG curve over a 256 bit prime field"},
+ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+ {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
+ "NIST/SECG curve over a 384 bit prime field"},
+diff -up openssl-1.0.2d/ssl/t1_lib.c.secp256k1 openssl-1.0.2d/ssl/t1_lib.c
+--- openssl-1.0.2d/ssl/t1_lib.c.secp256k1 2015-08-12 15:04:42.876925441 -0400
++++ openssl-1.0.2d/ssl/t1_lib.c 2015-08-12 15:04:47.837699822 -0400
+@@ -269,6 +269,7 @@ static const unsigned char eccurves_auto
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+ 0, 24, /* secp384r1 (24) */
++ 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -286,6 +287,7 @@ static const unsigned char eccurves_all[
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+ 0, 24, /* secp384r1 (24) */
++ 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -333,6 +335,7 @@ static const unsigned char fips_curves_d
+ 0, 9, /* sect283k1 (9) */
+ 0, 10, /* sect283r1 (10) */
+ # endif
++ 0, 22, /* secp256k1 (22) */
+ 0, 23, /* secp256r1 (23) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2e-fips.patch
^
|
| @@ -0,0 +1,13704 @@
+diff -up openssl-1.0.2e/apps/speed.c.fips openssl-1.0.2e/apps/speed.c
+--- openssl-1.0.2e/apps/speed.c.fips 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/apps/speed.c 2015-12-04 13:55:51.956562389 +0100
+@@ -197,7 +197,6 @@
+ # ifdef OPENSSL_DOING_MAKEDEPEND
+ # undef AES_set_encrypt_key
+ # undef AES_set_decrypt_key
+-# undef DES_set_key_unchecked
+ # endif
+ # define BF_set_key private_BF_set_key
+ # define CAST_set_key private_CAST_set_key
+@@ -205,7 +204,6 @@
+ # define SEED_set_key private_SEED_set_key
+ # define RC2_set_key private_RC2_set_key
+ # define RC4_set_key private_RC4_set_key
+-# define DES_set_key_unchecked private_DES_set_key_unchecked
+ # define AES_set_encrypt_key private_AES_set_encrypt_key
+ # define AES_set_decrypt_key private_AES_set_decrypt_key
+ # define Camellia_set_key private_Camellia_set_key
+@@ -974,7 +972,12 @@ int MAIN(int argc, char **argv)
+ # endif
+ # ifndef OPENSSL_NO_RSA
+ if (strcmp(*argv, "rsa") == 0) {
+- rsa_doit[R_RSA_512] = 1;
++# ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++# endif
++ {
++ rsa_doit[R_RSA_512] = 1;
++ }
+ rsa_doit[R_RSA_1024] = 1;
+ rsa_doit[R_RSA_2048] = 1;
+ rsa_doit[R_RSA_4096] = 1;
+@@ -982,7 +985,12 @@ int MAIN(int argc, char **argv)
+ # endif
+ # ifndef OPENSSL_NO_DSA
+ if (strcmp(*argv, "dsa") == 0) {
+- dsa_doit[R_DSA_512] = 1;
++# ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++# endif
++ {
++ dsa_doit[R_DSA_512] = 1;
++ }
+ dsa_doit[R_DSA_1024] = 1;
+ dsa_doit[R_DSA_2048] = 1;
+ } else
+@@ -1233,13 +1241,19 @@ int MAIN(int argc, char **argv)
+
+ if (j == 0) {
+ for (i = 0; i < ALGOR_NUM; i++) {
+- if (i != D_EVP)
++ if (i != D_EVP &&
++ (!FIPS_mode() || (i != D_WHIRLPOOL &&
++ i != D_MD2 && i != D_MD4 &&
++ i != D_MD5 && i != D_MDC2 &&
++ i != D_RMD160)))
+ doit[i] = 1;
+ }
+ for (i = 0; i < RSA_NUM; i++)
+- rsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_RSA_512)
++ rsa_doit[i] = 1;
+ for (i = 0; i < DSA_NUM; i++)
+- dsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_DSA_512)
++ dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+ for (i = 0; i < EC_NUM; i++)
+ ecdsa_doit[i] = 1;
+@@ -1299,30 +1313,46 @@ int MAIN(int argc, char **argv)
+ AES_set_encrypt_key(key32, 256, &aes_ks3);
+ # endif
+ # ifndef OPENSSL_NO_CAMELLIA
+- Camellia_set_key(key16, 128, &camellia_ks1);
+- Camellia_set_key(ckey24, 192, &camellia_ks2);
+- Camellia_set_key(ckey32, 256, &camellia_ks3);
++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
++ Camellia_set_key(key16, 128, &camellia_ks1);
++ Camellia_set_key(ckey24, 192, &camellia_ks2);
++ Camellia_set_key(ckey32, 256, &camellia_ks3);
++ }
+ # endif
+ # ifndef OPENSSL_NO_IDEA
+- idea_set_encrypt_key(key16, &idea_ks);
++ if (doit[D_CBC_IDEA]) {
++ idea_set_encrypt_key(key16, &idea_ks);
++ }
+ # endif
+ # ifndef OPENSSL_NO_SEED
+- SEED_set_key(key16, &seed_ks);
++ if (doit[D_CBC_SEED]) {
++ SEED_set_key(key16, &seed_ks);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC4
+- RC4_set_key(&rc4_ks, 16, key16);
++ if (doit[D_RC4]) {
++ RC4_set_key(&rc4_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC2
+- RC2_set_key(&rc2_ks, 16, key16, 128);
++ if (doit[D_CBC_RC2]) {
++ RC2_set_key(&rc2_ks, 16, key16, 128);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC5
+- RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ if (doit[D_CBC_RC5]) {
++ RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ }
+ # endif
+ # ifndef OPENSSL_NO_BF
+- BF_set_key(&bf_ks, 16, key16);
++ if (doit[D_CBC_BF]) {
++ BF_set_key(&bf_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_CAST
+- CAST_set_key(&cast_ks, 16, key16);
++ if (doit[D_CBC_CAST]) {
++ CAST_set_key(&cast_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RSA
+ memset(rsa_c, 0, sizeof(rsa_c));
+@@ -1605,6 +1635,7 @@ int MAIN(int argc, char **argv)
+ HMAC_CTX hctx;
+
+ HMAC_CTX_init(&hctx);
++ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...",
+ 16, EVP_md5(), NULL);
+
+diff -up openssl-1.0.2e/Configure.fips openssl-1.0.2e/Configure
+--- openssl-1.0.2e/Configure.fips 2015-12-04 13:55:51.939561992 +0100
++++ openssl-1.0.2e/Configure 2015-12-04 13:55:51.956562389 +0100
+@@ -1058,11 +1058,6 @@ if (defined($disabled{"md5"}) || defined
+ $disabled{"ssl2"} = "forced";
+ }
+
+-if ($fips && $fipslibdir eq "")
+- {
+- $fipslibdir = $fipsdir . "/lib/";
+- }
+-
+ # RSAX ENGINE sets default non-FIPS RSA method.
+ if ($fips)
+ {
+@@ -1551,7 +1546,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
+ if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+- $cflags .= " -I\$(FIPSDIR)/include";
+ }
+
+ $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
+@@ -1754,9 +1748,12 @@ while (<IN>)
+
+ s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
+ s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
+ s/^BASEADDR=.*/BASEADDR=$baseaddr/;
+
++ if ($fips)
++ {
++ s/^FIPS=.*/FIPS=yes/;
++ }
+ s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
+ s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
+ s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
+diff -up openssl-1.0.2e/crypto/aes/aes_misc.c.fips openssl-1.0.2e/crypto/aes/aes_misc.c
+--- openssl-1.0.2e/crypto/aes/aes_misc.c.fips 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/crypto/aes/aes_misc.c 2015-12-04 13:55:51.956562389 +0100
+@@ -70,17 +70,11 @@ const char *AES_options(void)
+ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+ {
+-#ifdef OPENSSL_FIPS
+- fips_cipher_abort(AES);
+-#endif
+ return private_AES_set_encrypt_key(userKey, bits, key);
+ }
+
+ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+ {
+-#ifdef OPENSSL_FIPS
+- fips_cipher_abort(AES);
+-#endif
+ return private_AES_set_decrypt_key(userKey, bits, key);
+ }
+diff -up openssl-1.0.2e/crypto/cmac/cmac.c.fips openssl-1.0.2e/crypto/cmac/cmac.c
+--- openssl-1.0.2e/crypto/cmac/cmac.c.fips 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/crypto/cmac/cmac.c 2015-12-04 13:55:51.957562412 +0100
+@@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void)
+
+ void CMAC_CTX_cleanup(CMAC_CTX *ctx)
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2e-remove-nistp224.patch
^
|
| @@ -0,0 +1,15 @@
+diff -up openssl-1.0.2e/crypto/ec/ec.h.nistp224 openssl-1.0.2e/crypto/ec/ec.h
+--- openssl-1.0.2e/crypto/ec/ec.h.nistp224 2015-12-04 14:00:57.000000000 +0100
++++ openssl-1.0.2e/crypto/ec/ec.h 2015-12-08 15:51:37.046747916 +0100
+@@ -149,11 +149,6 @@ const EC_METHOD *EC_GFp_mont_method(void
+ const EC_METHOD *EC_GFp_nist_method(void);
+
+ # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+-/** Returns 64-bit optimized methods for nistp224
+- * \return EC_METHOD object
+- */
+-const EC_METHOD *EC_GFp_nistp224_method(void);
+-
+ /** Returns 64-bit optimized methods for nistp256
+ * \return EC_METHOD object
+ */
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2e-rpmbuild.patch
^
|
| @@ -0,0 +1,115 @@
+diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
+--- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100
+@@ -365,8 +365,8 @@ my %table=(
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+
+ #######################################################################
+ # Note that -march is not among compiler options in below linux-armv4
+@@ -395,31 +395,31 @@ my %table=(
+ #
+ # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
+ #
+-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ # Configure script adds minimally required -march for assembly support,
+ # if no -march was specified at command line. mips32 and mips64 below
+ # refer to contemporary MIPS Architecture specifications, MIPS32 and
+ # MIPS64, rather than to kernel bitness.
+-"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
+-"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
++"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+-"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
+-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
+-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### So called "highgprs" target for z/Architecture CPUs
+ # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
+ # /proc/cpuinfo. The idea is to preserve most significant bits of
+@@ -437,12 +437,12 @@ my %table=(
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+-"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # it's a real mess with -mcpu=ultrasparc option under Linux, but
+ # -Wa,-Av8plus should do the trick no matter what.
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # GCC 3.1 is a requirement
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### Alpha Linux with GNU C and Compaq C setups
+ # Special notes:
+ # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+@@ -1767,7 +1767,7 @@ while (<IN>)
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ {
+ my $sotmp = $1;
+- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
+ }
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ {
+diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
+--- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100
+@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=
+ SHLIB_MINOR=
+ SHLIB_EXT=
++SHLIB_SONAMEVER=10
+ PLATFORM=dist
+ OPTIONS=
+ CONFIGURE_ARGS=
+@@ -341,10 +342,9 @@ clean-shared:
+ link-shared:
+ @ set -e; for i in $(SHLIBDIRS); do \
+ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ symlink.$(SHLIB_TARGET); \
+- libs="$$libs -l$$i"; \
+ done
+
+ build-shared: do_$(SHLIB_TARGET) link-shared
+@@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
+ libs="$(LIBKRB5) $$libs"; \
+ fi; \
+ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ LIBDEPS="$$libs $(EX_LIBS)" \
+ link_a.$(SHLIB_TARGET); \
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2e-speed-doc.patch
^
|
| @@ -0,0 +1,58 @@
+diff -up openssl-1.0.2e/apps/speed.c.speed-doc openssl-1.0.2e/apps/speed.c
+--- openssl-1.0.2e/apps/speed.c.speed-doc 2015-12-04 14:00:58.000000000 +0100
++++ openssl-1.0.2e/apps/speed.c 2016-01-15 14:15:56.482343557 +0100
+@@ -648,10 +648,6 @@ int MAIN(int argc, char **argv)
+ # endif
+ int multiblock = 0;
+
+-# ifndef TIMES
+- usertime = -1;
+-# endif
+-
+ apps_startup();
+ memset(results, 0, sizeof(results));
+ # ifndef OPENSSL_NO_DSA
+@@ -1145,10 +1141,8 @@ int MAIN(int argc, char **argv)
+
+ BIO_printf(bio_err, "\n");
+ BIO_printf(bio_err, "Available options:\n");
+-# if defined(TIMES) || defined(USE_TOD)
+ BIO_printf(bio_err, "-elapsed "
+ "measure time in real time instead of CPU user time.\n");
+-# endif
+ # ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err,
+ "-engine e "
+diff -up openssl-1.0.2e/doc/apps/speed.pod.speed-doc openssl-1.0.2e/doc/apps/speed.pod
+--- openssl-1.0.2e/doc/apps/speed.pod.speed-doc 2015-12-03 14:42:07.000000000 +0100
++++ openssl-1.0.2e/doc/apps/speed.pod 2016-01-15 14:05:23.044222376 +0100
+@@ -8,6 +8,9 @@ speed - test library performance
+
+ B<openssl speed>
+ [B<-engine id>]
++[B<-elapsed>]
++[B<-evp algo>]
++[B<-decrypt>]
+ [B<md2>]
+ [B<mdc2>]
+ [B<md5>]
+@@ -49,6 +52,19 @@ to attempt to obtain a functional refere
+ thus initialising it if needed. The engine will then be set as the default
+ for all available algorithms.
+
++=item B<-elapsed>
++
++Measure time in real time instead of CPU time. It can be useful when testing
++speed of hardware engines.
++
++=item B<-evp algo>
++
++Use the specified cipher or message digest algorithm via the EVP interface.
++
++=item B<-decrypt>
++
++Time the decryption instead of encryption. Affects only the EVP testing.
++
+ =item B<[zero or more test algorithms]>
+
+ If any options are given, B<speed> tests those algorithms, otherwise all of
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2e-wrap-pad.patch
^
|
| @@ -0,0 +1,541 @@
+diff -up openssl-1.0.2e/crypto/evp/c_allc.c.wrap openssl-1.0.2e/crypto/evp/c_allc.c
+--- openssl-1.0.2e/crypto/evp/c_allc.c.wrap 2015-12-04 13:33:42.118550036 +0100
++++ openssl-1.0.2e/crypto/evp/c_allc.c 2015-12-04 13:33:42.190551722 +0100
+@@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+@@ -191,6 +192,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+@@ -204,6 +206,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+@@ -258,6 +261,7 @@ void OpenSSL_add_all_ciphers(void)
+
+ EVP_add_cipher(EVP_des_ede());
+ EVP_add_cipher(EVP_des_ede3());
++ EVP_add_cipher(EVP_des_ede3_wrap());
+ # endif
+
+ # ifndef OPENSSL_NO_AES
+@@ -272,6 +276,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+@@ -284,6 +289,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+@@ -297,6 +303,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+ # endif
+diff -up openssl-1.0.2e/crypto/evp/e_aes.c.wrap openssl-1.0.2e/crypto/evp/e_aes.c
+--- openssl-1.0.2e/crypto/evp/e_aes.c.wrap 2015-12-04 13:33:42.119550059 +0100
++++ openssl-1.0.2e/crypto/evp/e_aes.c 2015-12-04 13:33:42.190551722 +0100
+@@ -1,5 +1,5 @@
+ /* ====================================================================
+- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -1953,7 +1953,7 @@ static int aes_wrap_init_key(EVP_CIPHER_
+ wctx->iv = NULL;
+ }
+ if (iv) {
+- memcpy(ctx->iv, iv, 8);
++ memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
+ wctx->iv = ctx->iv;
+ }
+ return 1;
+@@ -1964,30 +1964,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
+ {
+ EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
+ size_t rv;
++ /* AES wrap with padding has IV length of 4, without padding 8 */
++ int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
++ /* No final operation so always return zero length */
+ if (!in)
+ return 0;
+- if (inlen % 8)
++ /* Input length must always be non-zero */
++ if (!inlen)
+ return -1;
+- if (ctx->encrypt && inlen < 8)
++ /* If decrypting need at least 16 bytes and multiple of 8 */
++ if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
+ return -1;
+- if (!ctx->encrypt && inlen < 16)
++ /* If not padding input must be multiple of 8 */
++ if (!pad && inlen & 0x7)
+ return -1;
+ if (!out) {
+- if (ctx->encrypt)
++ if (ctx->encrypt) {
++ /* If padding round up to multiple of 8 */
++ if (pad)
++ inlen = (inlen + 7) / 8 * 8;
++ /* 8 byte prefix */
+ return inlen + 8;
+- else
++ } else {
++ /* If not padding output will be exactly 8 bytes
++ * smaller than input. If padding it will be at
++ * least 8 bytes smaller but we don't know how
++ * much.
++ */
+ return inlen - 8;
+ }
++ }
++ if (pad) {
+ if (ctx->encrypt)
+- rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
++ rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
++ out, in, inlen,
+ (block128_f) AES_encrypt);
+ else
+- rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
++ rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
++ out, in, inlen,
+ (block128_f) AES_decrypt);
++ } else {
++ if (ctx->encrypt)
++ rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
++ out, in, inlen, (block128_f) AES_encrypt);
++ else
++ rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
++ out, in, inlen, (block128_f) AES_decrypt);
++ }
+ return rv ? (int)rv : -1;
+ }
+
+-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
++# define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
+ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
+
+@@ -2032,3 +2059,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
+ {
+ return &aes_256_wrap;
+ }
++
++static const EVP_CIPHER aes_128_wrap_pad = {
++ NID_id_aes128_wrap_pad,
++ 8, 16, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
++{
++ return &aes_128_wrap_pad;
++}
++
++static const EVP_CIPHER aes_192_wrap_pad = {
++ NID_id_aes192_wrap_pad,
++ 8, 24, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
++{
++ return &aes_192_wrap_pad;
++}
++
++static const EVP_CIPHER aes_256_wrap_pad = {
++ NID_id_aes256_wrap_pad,
++ 8, 32, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
++{
++ return &aes_256_wrap_pad;
++}
+diff -up openssl-1.0.2e/crypto/evp/e_des3.c.wrap openssl-1.0.2e/crypto/evp/e_des3.c
+--- openssl-1.0.2e/crypto/evp/e_des3.c.wrap 2015-12-04 13:33:42.119550059 +0100
++++ openssl-1.0.2e/crypto/evp/e_des3.c 2015-12-04 13:33:42.191551745 +0100
+@@ -474,7 +474,7 @@ static const EVP_CIPHER des3_wrap = {
+ NID_id_smime_alg_CMS3DESwrap,
+ 8, 24, 0,
+ EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
+- | EVP_CIPH_FLAG_DEFAULT_ASN1,
++ | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_FIPS,
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-1.0.2f-new-fips-reqs.patch
^
|
| @@ -0,0 +1,1366 @@
+diff -up openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2f/crypto/bn/bn_rand.c
+--- openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs 2016-01-28 14:38:30.000000000 +0100
++++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 16:36:22.811387420 +0100
+@@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
+ goto err;
+ }
+
+- /* make a random number and set the top and bottom bits */
+- time(&tim);
+- RAND_add(&tim, sizeof(tim), 0.0);
++ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */
++ /* make a random number and set the top and bottom bits */
++ time(&tim);
++ RAND_add(&tim, sizeof(tim), 0.0);
++ }
+
+ if (pseudorand) {
+ if (RAND_pseudo_bytes(buf, bytes) == -1)
+diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh_gen.c
+--- openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs 2016-01-28 16:36:22.767386408 +0100
++++ openssl-1.0.2f/crypto/dh/dh_gen.c 2016-01-28 16:36:22.811387420 +0100
+@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
+ return 0;
+ }
+
+- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h
+--- openssl-1.0.2f/crypto/dh/dh.h.fips-reqs 2016-01-28 16:36:22.767386408 +0100
++++ openssl-1.0.2f/crypto/dh/dh.h 2016-01-28 16:36:22.812387443 +0100
+@@ -78,6 +78,7 @@
+ # endif
+
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
+
+ # define DH_FLAG_CACHE_MONT_P 0x01
+
+diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_gen.c
+--- openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs 2016-01-28 16:36:22.768386431 +0100
++++ openssl-1.0.2f/crypto/dsa/dsa_gen.c 2016-01-28 16:36:22.812387443 +0100
+@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ }
+
+ if (FIPS_module_mode() &&
+- (bits != 1024 || qbits != 160) &&
+- (bits != 2048 || qbits != 224) &&
+- (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
++ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024
++ || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048
++ || qbits !=
++ 256)
++ && (bits != 3072 || qbits != 256)) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
+ goto err;
+ }
+diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa.h
+--- openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs 2016-01-28 16:36:22.768386431 +0100
++++ openssl-1.0.2f/crypto/dsa/dsa.h 2016-01-28 16:36:22.812387443 +0100
+@@ -89,6 +89,7 @@
+ # endif
+
+ # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024)
+
+ # define DSA_FLAG_CACHE_MONT_P 0x01
+ /*
+@@ -251,9 +252,9 @@ int DSAparams_print_fp(FILE *fp, const D
+ int DSA_print_fp(FILE *bp, const DSA *x, int off);
+ # endif
+
+-# define DSS_prime_checks 50
++# define DSS_prime_checks 64
+ /*
+- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
++ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
+ * Rabin-Miller
+ */
+ # define DSA_is_prime(n, callback, cb_arg) \
+diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_key.c
+--- openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100
++++ openssl-1.0.2f/crypto/dsa/dsa_key.c 2016-01-28 16:36:22.812387443 +0100
+@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
+
+ # ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/fips.c
+--- openssl-1.0.2f/crypto/fips/fips.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100
++++ openssl-1.0.2f/crypto/fips/fips.c 2016-01-28 16:36:22.813387467 +0100
+@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
+ ret = 0;
+ goto end;
+ }
+- OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
+- OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
+ }
+ # endif
+
+- if (!verify_checksums()) {
+- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ if (!FIPS_selftest()) {
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
+- if (FIPS_selftest())
+- fips_set_mode(onoff);
+- else {
++ if (!verify_checksums()) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
++
++ fips_set_mode(onoff);
+ ret = 1;
+ goto end;
+ }
+diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_dh_selftest.c
+--- openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-01-28 16:36:22.813387467 +0100
++++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c 2016-01-28 16:36:22.813387467 +0100
+@@ -0,0 +1,162 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 2013 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dh_test_2048_p[] = {
++ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
++ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
++ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
|
|
[-]
[+]
|
Added |
_service
^
|
| @@ -0,0 +1,7 @@
+<services>
+ <service name="download_src_package">
+ <param name="host">kojipkgs.fedoraproject.org</param>
+ <param name="protocol">https</param>
+ <param name="path">//packages/openssl/1.0.2f/1.fc24/src/openssl-1.0.2f-1.fc24.src.rpm</param>
+ </service>
+</services>
\ No newline at end of file
|
|
[-]
[+]
|
Added |
_service:download_src_package:Makefile.certificate
^
|
| @@ -0,0 +1,82 @@
+UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
+DAYS=365
+KEYLEN=2048
+TYPE=rsa:$(KEYLEN)
+EXTRA_FLAGS=
+ifdef SERIAL
+ EXTRA_FLAGS+=-set_serial $(SERIAL)
+endif
+
+.PHONY: usage
+.SUFFIXES: .key .csr .crt .pem
+.PRECIOUS: %.key %.csr %.crt %.pem
+
+usage:
+ @echo "This makefile allows you to create:"
+ @echo " o public/private key pairs"
+ @echo " o SSL certificate signing requests (CSRs)"
+ @echo " o self-signed SSL test certificates"
+ @echo
+ @echo "To create a key pair, run \"make SOMETHING.key\"."
+ @echo "To create a CSR, run \"make SOMETHING.csr\"."
+ @echo "To create a test certificate, run \"make SOMETHING.crt\"."
+ @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
+ @echo
+ @echo "To create a key for use with Apache, run \"make genkey\"."
+ @echo "To create a CSR for use with Apache, run \"make certreq\"."
+ @echo "To create a test certificate for use with Apache, run \"make testcert\"."
+ @echo
+ @echo "To create a test certificate with serial number other than random, add SERIAL=num"
+ @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
+ @echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
+ @echo
+ @echo Examples:
+ @echo " make server.key"
+ @echo " make server.csr"
+ @echo " make server.crt"
+ @echo " make stunnel.pem"
+ @echo " make genkey"
+ @echo " make certreq"
+ @echo " make testcert"
+ @echo " make server.crt SERIAL=1"
+ @echo " make stunnel.pem EXTRA_FLAGS=-sha384"
+ @echo " make testcert DAYS=600"
+
+%.pem:
+ umask 77 ; \
+ PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+ PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+ /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
+ cat $$PEM1 > $@ ; \
+ echo "" >> $@ ; \
+ cat $$PEM2 >> $@ ; \
+ $(RM) $$PEM1 $$PEM2
+
+%.key:
+ umask 77 ; \
+ /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
+
+%.csr: %.key
+ umask 77 ; \
+ /usr/bin/openssl req $(UTF8) -new -key $^ -out $@
+
+%.crt: %.key
+ umask 77 ; \
+ /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
+
+TLSROOT=/etc/pki/tls
+KEY=$(TLSROOT)/private/localhost.key
+CSR=$(TLSROOT)/certs/localhost.csr
+CRT=$(TLSROOT)/certs/localhost.crt
+
+genkey: $(KEY)
+certreq: $(CSR)
+testcert: $(CRT)
+
+$(CSR): $(KEY)
+ umask 77 ; \
+ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
+
+$(CRT): $(KEY)
+ umask 77 ; \
+ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
|
|
[-]
[+]
|
Added |
_service:download_src_package:README.FIPS
^
|
| @@ -0,0 +1,75 @@
+User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
+=================================================================
+
+This package contains libraries which comprise the FIPS 140-2
+Red Hat Enterprise Linux - OPENSSL Module.
+
+The module files
+================
+/usr/lib[64]/libcrypto.so.1.0.1e
+/usr/lib[64]/libssl.so.1.0.1e
+/usr/lib[64]/.libcrypto.so.1.0.1e.hmac
+/usr/lib[64]/.libssl.so.1.0.1e.hmac
+
+Dependencies
+============
+
+The approved mode of operation requires kernel with /dev/urandom RNG running
+with properties as defined in the security policy of the module. This is
+provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
+Crytographic Module.
+
+Installation
+============
+
+The RPM package of the module can be installed by standard tools recommended
+for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
+rpm, RHN remote management tool).
+
+For proper operation of the in-module integrity verification the prelink has to
+be disabled. This can be done with setting PRELINKING=no in the
+/etc/sysconfig/prelink configuration file. If the libraries were already
+prelinked the prelink should be undone on all the system files with the
+'prelink -u -a' command.
+
+Usage and API
+=============
+
+The module respects kernel command line FIPS setting. If the kernel command
+line contains option fips=1 the module will initialize in the FIPS approved
+mode of operation automatically. To allow for the automatic initialization the
+application using the module has to call one of the following API calls:
+
+- void OPENSSL_init_library(void) - this will do only a basic initialization
+of the library and does initialization of the FIPS approved mode without setting
+up EVP API with supported algorithms.
+
+- void OPENSSL_add_all_algorithms(void) - this API function calls
+OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
+in the approved mode
+
+- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
+adds algorithms which are necessary for TLS protocol support and initializes
+the SSL library.
+
+To explicitely put the library to the approved mode the application can call
+the following function:
+
+- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
+the library from the non-approved to the approved mode. If any of the selftests
+and integrity verification tests fail, the library is put into the error state
+and 0 is returned. If they succeed the return value is 1.
+
+To query the module whether it is in the approved mode or not:
+
+- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
+0 otherwise.
+
+To query whether the module is in the error state:
+
+- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
+state, 0 otherwise.
+
+To zeroize the FIPS RNG key and internal state the application calls:
+
+- void RAND_cleanup(void)
|
|
[-]
[+]
|
Added |
_service:download_src_package:ec_curve.c
^
|
| @@ -0,0 +1,455 @@
+/* crypto/ec/ec_curve.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+#include <string.h>
+#include "ec_lcl.h"
+#include <openssl/err.h>
+#include <openssl/obj_mac.h>
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
+typedef struct {
+ int field_type, /* either NID_X9_62_prime_field or
+ * NID_X9_62_characteristic_two_field */
+ seed_len, param_len;
+ unsigned int cofactor; /* promoted to BN_ULONG */
+} EC_CURVE_DATA;
+
+/* the nist prime curves */
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 48 * 6];
+} _EC_NIST_PRIME_384 = {
+ {
+ NID_X9_62_prime_field, 20, 48, 1
+ },
+ {
+ /* seed */
+ 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
+ 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
+ /* p */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ /* a */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
+ /* b */
+ 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
+ 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
+ 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
+ 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
+ /* x */
+ 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
+ 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
+ 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
+ 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
+ /* y */
+ 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
+ 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
+ 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
+ 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
+ /* order */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
+ 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
+ }
+};
+
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 66 * 6];
+} _EC_NIST_PRIME_521 = {
+ {
+ NID_X9_62_prime_field, 20, 66, 1
+ },
+ {
+ /* seed */
+ 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
+ 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
+ /* p */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ /* a */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+ /* b */
+ 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
+ 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
+ 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
+ 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
+ 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
+ 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
+ /* x */
+ 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
+ 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
+ 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
+ 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
+ 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
+ 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
+ /* y */
+ 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
+ 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
+ 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
+ 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
+ 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
+ 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
+ /* order */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
+ 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
+ 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
+ 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
+ }
+};
+
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 32 * 6];
+} _EC_X9_62_PRIME_256V1 = {
+ {
+ NID_X9_62_prime_field, 20, 32, 1
+ },
+ {
+ /* seed */
+ 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
|
[-]
[+]
|
Added |
_service:download_src_package:ectest.c
^
|
| @@ -0,0 +1,985 @@
+/* crypto/ec/ectest.c */
+/*
+ * Originally written by Bodo Moeller for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef FLAT_INC
+# include "e_os.h"
+#else
+# include "../e_os.h"
+#endif
+#include <string.h>
+#include <time.h>
+
+#ifdef OPENSSL_NO_EC
+int main(int argc, char *argv[])
+{
+ puts("Elliptic curves are disabled.");
+ return 0;
+}
+#else
+
+# include <openssl/ec.h>
+# ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+# endif
+# include <openssl/err.h>
+# include <openssl/obj_mac.h>
+# include <openssl/objects.h>
+# include <openssl/rand.h>
+# include <openssl/bn.h>
+# include <openssl/opensslconf.h>
+
+# if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
+/* suppress "too big too optimize" warning */
+# pragma warning(disable:4959)
+# endif
+
+# define ABORT do { \
+ fflush(stdout); \
+ fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
+ ERR_print_errors_fp(stderr); \
+ EXIT(1); \
+} while (0)
+
+# define TIMING_BASE_PT 0
+# define TIMING_RAND_PT 1
+# define TIMING_SIMUL 2
+
+# if 0
+static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
+{
+ clock_t clck;
+ int i, j;
+ BIGNUM *s;
+ BIGNUM *r[10], *r0[10];
+ EC_POINT *P;
+
+ s = BN_new();
+ if (s == NULL)
+ ABORT;
+
+ fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
+ if (!EC_GROUP_get_order(group, s, ctx))
+ ABORT;
+ fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
+ fflush(stdout);
+
+ P = EC_POINT_new(group);
+ if (P == NULL)
+ ABORT;
+ EC_POINT_copy(P, EC_GROUP_get0_generator(group));
+
+ for (i = 0; i < 10; i++) {
+ if ((r[i] = BN_new()) == NULL)
+ ABORT;
+ if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0))
+ ABORT;
+ if (type != TIMING_BASE_PT) {
+ if ((r0[i] = BN_new()) == NULL)
+ ABORT;
+ if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0))
+ ABORT;
+ }
+ }
+
+ clck = clock();
+ for (i = 0; i < 10; i++) {
+ for (j = 0; j < 10; j++) {
+ if (!EC_POINT_mul
+ (group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
+ (type != TIMING_BASE_PT) ? P : NULL,
+ (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx))
+ ABORT;
+ }
+ }
+ clck = clock() - clck;
+
+ fprintf(stdout, "\n");
+
+# ifdef CLOCKS_PER_SEC
+ /*
+ * "To determine the time in seconds, the value returned by the clock
+ * function should be divided by the value of the macro CLOCKS_PER_SEC."
+ * -- ISO/IEC 9899
+ */
+# define UNIT "s"
+# else
+ /*
+ * "`CLOCKS_PER_SEC' undeclared (first use this function)" -- cc on
+ * NeXTstep/OpenStep
+ */
+# define UNIT "units"
+# define CLOCKS_PER_SEC 1
+# endif
+
+ if (type == TIMING_BASE_PT) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "base point multiplications", (double)clck / CLOCKS_PER_SEC);
+ } else if (type == TIMING_RAND_PT) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "random point multiplications",
+ (double)clck / CLOCKS_PER_SEC);
+ } else if (type == TIMING_SIMUL) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "s*P+t*Q operations", (double)clck / CLOCKS_PER_SEC);
+ }
+ fprintf(stdout, "average: %.4f " UNIT "\n",
+ (double)clck / (CLOCKS_PER_SEC * i * j));
+
+ EC_POINT_free(P);
+ BN_free(s);
|
|
[-]
[+]
|
Added |
_service:download_src_package:hobble-openssl
^
|
| @@ -0,0 +1,53 @@
+#!/bin/sh
+
+# Quit out if anything fails.
+set -e
+
+# Clean out patent-or-otherwise-encumbered code.
+# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
+# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
+# RC5: 5,724,428 01/11/2015
+# EC: ????????? ??/??/2020
+# SRP: ????????? ??/??/20??
+
+# Remove assembler portions of IDEA, MDC2, and RC5.
+(find crypto/rc5/asm -type f | xargs -r rm -fv)
+
+# RC5, SRP.
+for a in rc5 srp; do
+ for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
+ echo Destroying $c
+ > $c
+ done
+done
+
+for c in `find crypto/evp -name "*_rc5.c"`; do
+ echo Destroying $c
+ > $c
+done
+
+for c in `find crypto/bn -name "*gf2m.c"`; do
+ echo Destroying $c
+ > $c
+done
+
+for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp22?.c" -o -name "ectest.c"`; do
+ echo Destroying $c
+ > $c
+done
+
+for h in `find crypto ssl apps test -name "*.h"` ; do
+ echo Removing RC5, SRP and EC2M references from $h
+ cat $h | \
+ awk 'BEGIN {ech=1;} \
+ /^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
+ /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
+ /^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
+ /^#[ \t]*if/ {if(ech < 1) ech--;} \
+ {if(ech>0) {;print $0};} \
+ /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
+ mv $h.hobbled $h
+done
+
+# Make the makefiles happy.
+touch crypto/rc5/asm/rc5-586.pl
|
|
[-]
[+]
|
Added |
_service:download_src_package:make-dummy-cert
^
|
| @@ -0,0 +1,28 @@
+#!/bin/sh
+umask 077
+
+answers() {
+ echo --
+ echo SomeState
+ echo SomeCity
+ echo SomeOrganization
+ echo SomeOrganizationalUnit
+ echo localhost.localdomain
+ echo root@localhost.localdomain
+}
+
+if [ $# -eq 0 ] ; then
+ echo $"Usage: `basename $0` filename [...]"
+ exit 0
+fi
+
+for target in $@ ; do
+ PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
+ PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
+ trap "rm -f $PEM1 $PEM2" SIGINT
+ answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+ cat $PEM1 > ${target}
+ echo "" >> ${target}
+ cat $PEM2 >> ${target}
+ rm -f $PEM1 $PEM2
+done
|
|
|
Added |
_service:download_src_package:openssl-1.0.2f-hobbled.tar.xz
^
|
|
[-]
[+]
|
Added |
_service:download_src_package:openssl-thread-test.c
^
|
| @@ -0,0 +1,400 @@
+/* Test program to verify that RSA signing is thread-safe in OpenSSL. */
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+#include <openssl/md5.h>
+#include <openssl/ssl.h>
+
+/* Just assume we want to do engine stuff if we're using 0.9.6b or
+ * higher. This assumption is only valid for versions bundled with RHL. */
+#if OPENSSL_VERSION_NUMBER >= 0x0090602fL
+#include <openssl/engine.h>
+#define USE_ENGINE
+#endif
+
+#define MAX_THREAD_COUNT 10000
+#define ITERATION_COUNT 10
+#define MAIN_COUNT 100
+
+/* OpenSSL requires us to provide thread ID and locking primitives. */
+pthread_mutex_t *mutex_locks = NULL;
+static unsigned long
+thread_id_cb(void)
+{
+ return (unsigned long) pthread_self();
+}
+static void
+lock_cb(int mode, int n, const char *file, int line)
+{
+ if (mode & CRYPTO_LOCK) {
+ pthread_mutex_lock(&mutex_locks[n]);
+ } else {
+ pthread_mutex_unlock(&mutex_locks[n]);
+ }
+}
+
+struct thread_args {
+ RSA *rsa;
+ int digest_type;
+ unsigned char *digest;
+ unsigned int digest_len;
+ unsigned char *signature;
+ unsigned int signature_len;
+ pthread_t main_thread;
+};
+
+static int print = 0;
+
+pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER;
+static int locked_sign = 0;
+static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);}
+static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);}
+
+pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER;
+static int locked_verify = 0;
+static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);}
+static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);}
+
+pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER;
+long failure_count = 0;
+static void
+failure()
+{
+ pthread_mutex_lock(&failure_count_lock);
+ failure_count++;
+ pthread_mutex_unlock(&failure_count_lock);
+}
+
+static void *
+thread_main(void *argp)
+{
+ struct thread_args *args = argp;
+ unsigned char *signature;
+ unsigned int signature_len, signature_alloc_len;
+ int ret, i;
+
+ signature_alloc_len = args->signature_len;
+ if (RSA_size(args->rsa) > signature_alloc_len) {
+ signature_alloc_len = RSA_size(args->rsa);
+ }
+ signature = malloc(signature_alloc_len);
+ if (signature == NULL) {
+ fprintf(stderr, "Skipping checks in thread %lu -- %s.\n",
+ (unsigned long) pthread_self(), strerror(errno));
+ pthread_exit(0);
+ return NULL;
+ }
+ for (i = 0; i < ITERATION_COUNT; i++) {
+ signature_len = signature_alloc_len;
+ SIGN_LOCK();
+ ret = RSA_check_key(args->rsa);
+ ERR_print_errors_fp(stdout);
+ if (ret != 1) {
+ failure();
+ break;
+ }
+ ret = RSA_sign(args->digest_type,
+ args->digest,
+ args->digest_len,
+ signature, &signature_len,
+ args->rsa);
+ SIGN_UNLOCK();
+ ERR_print_errors_fp(stdout);
+ if (ret != 1) {
+ failure();
+ break;
+ }
+
+ VERIFY_LOCK();
+ ret = RSA_verify(args->digest_type,
+ args->digest,
+ args->digest_len,
+ signature, signature_len,
+ args->rsa);
+ VERIFY_UNLOCK();
+ if (ret != 1) {
+ fprintf(stderr,
+ "Signature from thread %lu(%d) fails "
+ "verification (passed in thread #%lu)!\n",
+ (long) pthread_self(), i,
+ (long) args->main_thread);
+ ERR_print_errors_fp(stdout);
+ failure();
+ continue;
+ }
+ if (print) {
+ fprintf(stderr, ">%d\n", i);
+ }
+ }
+ free(signature);
+
+ pthread_exit(0);
+
+ return NULL;
+}
+
+unsigned char *
+xmemdup(unsigned char *s, size_t len)
+{
+ unsigned char *r;
+ r = malloc(len);
+ if (r == NULL) {
+ fprintf(stderr, "Out of memory.\n");
+ ERR_print_errors_fp(stdout);
+ assert(r != NULL);
+ }
+ memcpy(r, s, len);
+ return r;
+}
+
+int
+main(int argc, char **argv)
+{
+ RSA *rsa;
+ MD5_CTX md5;
+ int fd, i;
+ pthread_t threads[MAX_THREAD_COUNT];
+ int thread_count = 1000;
+ unsigned char *message, *digest;
+ unsigned int message_len, digest_len;
+ unsigned char *correct_signature;
+ unsigned int correct_siglen, ret;
+ struct thread_args master_args, *args;
+ int sync = 0, seed = 0;
+ int again = 1;
+#ifdef USE_ENGINE
+ char *engine = NULL;
+ ENGINE *e = NULL;
+#endif
+
+ pthread_mutex_init(&failure_count_lock, NULL);
+
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--seed") == 0) {
+ printf("Seeding PRNG.\n");
+ seed++;
+ } else
+ if (strcmp(argv[i], "--sync") == 0) {
+ printf("Running synchronized.\n");
+ sync++;
+ } else
+ if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) {
+ i++;
+ thread_count = atol(argv[i]);
+ if (thread_count > MAX_THREAD_COUNT) {
+ thread_count = MAX_THREAD_COUNT;
+ }
+ printf("Starting %d threads.\n", thread_count);
|
|
[-]
[+]
|
Added |
_service:download_src_package:opensslconf-new-warning.h
^
|
| @@ -0,0 +1,7 @@
+/* Prepended at openssl package build-time. Don't include this file directly,
+ * use <openssl/opensslconf.h> instead. */
+
+#ifndef openssl_opensslconf_multilib_redirection_h
+#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
+#endif
+
|
|
[-]
[+]
|
Added |
_service:download_src_package:opensslconf-new.h
^
|
| @@ -0,0 +1,47 @@
+/* This file is here to prevent a file conflict on multiarch systems. A
+ * conflict will frequently occur because arch-specific build-time
+ * configuration options are stored (and used, so they can't just be stripped
+ * out) in opensslconf.h. The original opensslconf.h has been renamed.
+ * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
+
+#ifdef openssl_opensslconf_multilib_redirection_h
+#error "Do not define openssl_opensslconf_multilib_redirection_h!"
+#endif
+#define openssl_opensslconf_multilib_redirection_h
+
+#if defined(__i386__)
+#include "opensslconf-i386.h"
+#elif defined(__ia64__)
+#include "opensslconf-ia64.h"
+#elif defined(__mips64) && defined(__MIPSEL__)
+#include "opensslconf-mips64el.h"
+#elif defined(__mips64)
+#include "opensslconf-mips64.h"
+#elif defined(__mips) && defined(__MIPSEL__)
+#include "opensslconf-mipsel.h"
+#elif defined(__mips)
+#include "opensslconf-mips.h"
+#elif defined(__powerpc64__)
+#include <endian.h>
+#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+#include "opensslconf-ppc64.h"
+#else
+#include "opensslconf-ppc64le.h"
+#endif
+#elif defined(__powerpc__)
+#include "opensslconf-ppc.h"
+#elif defined(__s390x__)
+#include "opensslconf-s390x.h"
+#elif defined(__s390__)
+#include "opensslconf-s390.h"
+#elif defined(__sparc__) && defined(__arch64__)
+#include "opensslconf-sparc64.h"
+#elif defined(__sparc__)
+#include "opensslconf-sparc.h"
+#elif defined(__x86_64__)
+#include "opensslconf-x86_64.h"
+#else
+#error "This openssl-devel package does not work your architecture?"
+#endif
+
+#undef openssl_opensslconf_multilib_redirection_h
|
|
[-]
[+]
|
Added |
_service:download_src_package:renew-dummy-cert
^
|
| @@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+ echo $"Usage: `basename $0` filename" 1>&2
+ exit 1
+fi
+
+PEM=$1
+REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
+KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
+CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
+NEW=${PEM}_
+
+trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
+
+if [ ! -f $PEM ]; then
+ echo "$PEM: file not found" 1>&2
+ exit 1
+fi
+
+let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
+let SERIAL++
+
+umask 077
+
+OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
+
+openssl rsa -inform pem -in $PEM -out $KEY
+openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
+openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
+ -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
+
+(cat $KEY ; echo "" ; cat $CRT) > $NEW
+
+chown $OWNER $NEW
+
+mv -f $NEW $PEM
+
+rm -f $REQ $KEY $CRT
+
+exit 0
+
|
