pool/openssl
SHA256
4
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 310849 from Base:System

Browse Source 
- update to 1.0.2a
  * Major changes since 1.0.1:
    - Suite B support for TLS 1.2 and DTLS 1.2
    - Support for DTLS 1.2
    - TLS automatic EC curve selection.
    - API to set TLS supported signature algorithms and curves
    - SSL_CONF configuration API.
    - TLS Brainpool support.
    - ALPN support.
    - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
- packaging changes:
  * merged patches modifying CIPHER_LIST into one, dropping:
    - openssl-1.0.1e-add-suse-default-cipher-header.patch
    - openssl-libssl-noweakciphers.patch
  * fix a manpage with invalid name
    - added openssl-fix_invalid_manpage_name.patch
  * remove a missing fips function
    - openssl-missing_FIPS_ec_group_new_by_curve_name.patch
  * reimported patches from Fedora
    dropped patches:
    - openssl-1.0.1c-default-paths.patch
    - openssl-1.0.1c-ipv6-apps.patch
    - openssl-1.0.1e-fips-ctor.patch
    - openssl-1.0.1e-fips-ec.patch
    - openssl-1.0.1e-fips.patch
    - openssl-1.0.1e-new-fips-reqs.patch
    - VIA_padlock_support_on_64systems.patch
    added patches:
    - openssl-1.0.2a-default-paths.patch
    - openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/310849
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127
This commit is contained in:
Dominique Leuenberger 2015-06-08 06:25:56 +00:00 committed by Git OBS Bridge
parent 42aa3a9eb7
commit bdf3209e96
46 changed files with 19319 additions and 26318 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

385
0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
View File

@ -4,11 +4,11 @@ Date: Sun, 4 May 2014 23:36:54 -0400
Subject: [PATCH] Axe builtin printf implementation, use glibc instead Subject: [PATCH] Axe builtin printf implementation, use glibc instead
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c Index: openssl-1.0.2a/crypto/bio/b_print.c
index 143a7cf..657beb7 100644 ===================================================================
--- a/crypto/bio/b_print.c --- openssl-1.0.2a.orig/crypto/bio/b_print.c 2015-05-24 13:30:38.744606756 +0200
+++ b/crypto/bio/b_print.c +++ openssl-1.0.2a/crypto/bio/b_print.c 2015-05-24 13:41:38.708200825 +0200
@@ -56,17 +56,9 @@ @@ -56,17 +56,10 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
@ -20,15 +20,15 @@ index 143a7cf..657beb7 100644
+#ifndef _GNU_SOURCE +#ifndef _GNU_SOURCE
+#define _GNU_SOURCE +#define _GNU_SOURCE
#endif #endif
-
-/* -/*
- * Stolen from tjh's ssl/ssl_trc.c stuff. - * Stolen from tjh's ssl/ssl_trc.c stuff.
- */ - */
- -
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <ctype.h> #include <ctype.h>
@@ -79,690 +71,6 @@ @@ -79,671 +72,6 @@
#include <openssl/bn.h> /* To get BN_LLONG properly defined */ #include <openssl/bn.h> /* To get BN_LLONG properly defined */
#include <openssl/bio.h> #include <openssl/bio.h>
@ -47,7 +47,7 @@ index 143a7cf..657beb7 100644
- * on all source code distributions. - * on all source code distributions.
- */ - */
- -
-/* -/*-
- * This code contains numerious changes and enhancements which were - * This code contains numerious changes and enhancements which were
- * made by lots of contributors over the last years to Patrick Powell's - * made by lots of contributors over the last years to Patrick Powell's
- * original code: - * original code:
@ -63,31 +63,31 @@ index 143a7cf..657beb7 100644
- */ - */
- -
-#ifdef HAVE_LONG_DOUBLE -#ifdef HAVE_LONG_DOUBLE
-#define LDOUBLE long double -# define LDOUBLE long double
-#else -#else
-#define LDOUBLE double -# define LDOUBLE double
-#endif -#endif
- -
-#ifdef HAVE_LONG_LONG -#ifdef HAVE_LONG_LONG
-# if defined(_WIN32) && !defined(__GNUC__) -# if defined(_WIN32) && !defined(__GNUC__)
-# define LLONG __int64 -# define LLONG __int64
-# else -# else
-# define LLONG long long -# define LLONG long long
-# endif -# endif
-#else -#else
-#define LLONG long -# define LLONG long
-#endif -#endif
- -
-static void fmtstr (char **, char **, size_t *, size_t *, -static void fmtstr(char **, char **, size_t *, size_t *,
- const char *, int, int, int); - const char *, int, int, int);
-static void fmtint (char **, char **, size_t *, size_t *, -static void fmtint(char **, char **, size_t *, size_t *,
- LLONG, int, int, int, int); - LLONG, int, int, int, int);
-static void fmtfp (char **, char **, size_t *, size_t *, -static void fmtfp(char **, char **, size_t *, size_t *,
- LDOUBLE, int, int, int); - LDOUBLE, int, int, int);
-static void doapr_outch (char **, char **, size_t *, size_t *, int); -static void doapr_outch(char **, char **, size_t *, size_t *, int);
-static void _dopr(char **sbuffer, char **buffer, -static void _dopr(char **sbuffer, char **buffer,
- size_t *maxlen, size_t *retlen, int *truncated, - size_t *maxlen, size_t *retlen, int *truncated,
- const char *format, va_list args); - const char *format, va_list args);
- -
-/* format read states */ -/* format read states */
-#define DP_S_DEFAULT 0 -#define DP_S_DEFAULT 0
@ -119,14 +119,10 @@ index 143a7cf..657beb7 100644
-#define OSSL_MAX(p,q) ((p >= q) ? p : q) -#define OSSL_MAX(p,q) ((p >= q) ? p : q)
- -
-static void -static void
-_dopr( -_dopr(char **sbuffer,
- char **sbuffer, - char **buffer,
- char **buffer, - size_t *maxlen,
- size_t *maxlen, - size_t *retlen, int *truncated, const char *format, va_list args)
- size_t *retlen,
- int *truncated,
- const char *format,
- va_list args)
-{ -{
- char ch; - char ch;
- LLONG value; - LLONG value;
@ -153,7 +149,7 @@ index 143a7cf..657beb7 100644
- if (ch == '%') - if (ch == '%')
- state = DP_S_FLAGS; - state = DP_S_FLAGS;
- else - else
- doapr_outch(sbuffer,buffer, &currlen, maxlen, ch); - doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
- ch = *format++; - ch = *format++;
- break; - break;
- case DP_S_FLAGS: - case DP_S_FLAGS:
@ -274,15 +270,13 @@ index 143a7cf..657beb7 100644
- value = (unsigned short int)va_arg(args, unsigned int); - value = (unsigned short int)va_arg(args, unsigned int);
- break; - break;
- case DP_C_LONG: - case DP_C_LONG:
- value = (LLONG) va_arg(args, - value = (LLONG) va_arg(args, unsigned long int);
- unsigned long int);
- break; - break;
- case DP_C_LLONG: - case DP_C_LLONG:
- value = va_arg(args, unsigned LLONG); - value = va_arg(args, unsigned LLONG);
- break; - break;
- default: - default:
- value = (LLONG) va_arg(args, - value = (LLONG) va_arg(args, unsigned int);
- unsigned int);
- break; - break;
- } - }
- fmtint(sbuffer, buffer, &currlen, maxlen, value, - fmtint(sbuffer, buffer, &currlen, maxlen, value,
@ -315,25 +309,25 @@ index 143a7cf..657beb7 100644
- break; - break;
- case 'c': - case 'c':
- doapr_outch(sbuffer, buffer, &currlen, maxlen, - doapr_outch(sbuffer, buffer, &currlen, maxlen,
- va_arg(args, int)); - va_arg(args, int));
- break; - break;
- case 's': - case 's':
- strvalue = va_arg(args, char *); - strvalue = va_arg(args, char *);
- if (max < 0) { - if (max < 0) {
- if (buffer) - if (buffer)
- max = INT_MAX; - max = INT_MAX;
- else - else
- max = *maxlen; - max = *maxlen;
- } - }
- fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue, - fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
- flags, min, max); - flags, min, max);
- break; - break;
- case 'p': - case 'p':
- value = (long)va_arg(args, void *); - value = (long)va_arg(args, void *);
- fmtint(sbuffer, buffer, &currlen, maxlen, - fmtint(sbuffer, buffer, &currlen, maxlen,
- value, 16, min, max, flags|DP_F_NUM); - value, 16, min, max, flags | DP_F_NUM);
- break; - break;
- case 'n': /* XXX */ - case 'n': /* XXX */
- if (cflags == DP_C_SHORT) { - if (cflags == DP_C_SHORT) {
- short int *num; - short int *num;
- num = va_arg(args, short int *); - num = va_arg(args, short int *);
@ -341,13 +335,13 @@ index 143a7cf..657beb7 100644
- } else if (cflags == DP_C_LONG) { /* XXX */ - } else if (cflags == DP_C_LONG) { /* XXX */
- long int *num; - long int *num;
- num = va_arg(args, long int *); - num = va_arg(args, long int *);
- *num = (long int) currlen; - *num = (long int)currlen;
- } else if (cflags == DP_C_LLONG) { /* XXX */ - } else if (cflags == DP_C_LLONG) { /* XXX */
- LLONG *num; - LLONG *num;
- num = va_arg(args, LLONG *); - num = va_arg(args, LLONG *);
- *num = (LLONG) currlen; - *num = (LLONG) currlen;
- } else { - } else {
- int *num; - int *num;
- num = va_arg(args, int *); - num = va_arg(args, int *);
- *num = currlen; - *num = currlen;
- } - }
@ -383,23 +377,17 @@ index 143a7cf..657beb7 100644
-} -}
- -
-static void -static void
-fmtstr( -fmtstr(char **sbuffer,
- char **sbuffer, - char **buffer,
- char **buffer, - size_t *currlen,
- size_t *currlen, - size_t *maxlen, const char *value, int flags, int min, int max)
- size_t *maxlen,
- const char *value,
- int flags,
- int min,
- int max)
-{ -{
- int padlen, strln; - int padlen, strln;
- int cnt = 0; - int cnt = 0;
- -
- if (value == 0) - if (value == 0)
- value = "<NULL>"; - value = "<NULL>";
- for (strln = 0; value[strln]; ++strln) - for (strln = 0; value[strln]; ++strln) ;
- ;
- padlen = min - strln; - padlen = min - strln;
- if (padlen < 0) - if (padlen < 0)
- padlen = 0; - padlen = 0;
@ -423,21 +411,15 @@ index 143a7cf..657beb7 100644
-} -}
- -
-static void -static void
-fmtint( -fmtint(char **sbuffer,
- char **sbuffer, - char **buffer,
- char **buffer, - size_t *currlen,
- size_t *currlen, - size_t *maxlen, LLONG value, int base, int min, int max, int flags)
- size_t *maxlen,
- LLONG value,
- int base,
- int min,
- int max,
- int flags)
-{ -{
- int signvalue = 0; - int signvalue = 0;
- const char *prefix = ""; - const char *prefix = "";
- unsigned LLONG uvalue; - unsigned LLONG uvalue;
- char convert[DECIMAL_SIZE(value)+3]; - char convert[DECIMAL_SIZE(value) + 3];
- int place = 0; - int place = 0;
- int spadlen = 0; - int spadlen = 0;
- int zpadlen = 0; - int zpadlen = 0;
@ -456,23 +438,25 @@ index 143a7cf..657beb7 100644
- signvalue = ' '; - signvalue = ' ';
- } - }
- if (flags & DP_F_NUM) { - if (flags & DP_F_NUM) {
- if (base == 8) prefix = "0"; - if (base == 8)
- if (base == 16) prefix = "0x"; - prefix = "0";
- if (base == 16)
- prefix = "0x";
- } - }
- if (flags & DP_F_UP) - if (flags & DP_F_UP)
- caps = 1; - caps = 1;
- do { - do {
- convert[place++] = - convert[place++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")
- (caps ? "0123456789ABCDEF" : "0123456789abcdef") - [uvalue % (unsigned)base];
- [uvalue % (unsigned) base]; - uvalue = (uvalue / (unsigned)base);
- uvalue = (uvalue / (unsigned) base);
- } while (uvalue && (place < (int)sizeof(convert))); - } while (uvalue && (place < (int)sizeof(convert)));
- if (place == sizeof(convert)) - if (place == sizeof(convert))
- place--; - place--;
- convert[place] = 0; - convert[place] = 0;
- -
- zpadlen = max - place; - zpadlen = max - place;
- spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix); - spadlen =
- min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix);
- if (zpadlen < 0) - if (zpadlen < 0)
- zpadlen = 0; - zpadlen = 0;
- if (spadlen < 0) - if (spadlen < 0)
@ -496,8 +480,8 @@ index 143a7cf..657beb7 100644
- -
- /* prefix */ - /* prefix */
- while (*prefix) { - while (*prefix) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix); - doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
- prefix++; - prefix++;
- } - }
- -
- /* zeros */ - /* zeros */
@ -519,8 +503,7 @@ index 143a7cf..657beb7 100644
- return; - return;
-} -}
- -
-static LDOUBLE -static LDOUBLE abs_val(LDOUBLE value)
-abs_val(LDOUBLE value)
-{ -{
- LDOUBLE result = value; - LDOUBLE result = value;
- if (value < 0) - if (value < 0)
@ -528,8 +511,7 @@ index 143a7cf..657beb7 100644
- return result; - return result;
-} -}
- -
-static LDOUBLE -static LDOUBLE pow_10(int in_exp)
-pow_10(int in_exp)
-{ -{
- LDOUBLE result = 1; - LDOUBLE result = 1;
- while (in_exp) { - while (in_exp) {
@ -539,11 +521,10 @@ index 143a7cf..657beb7 100644
- return result; - return result;
-} -}
- -
-static long -static long roundv(LDOUBLE value)
-roundv(LDOUBLE value)
-{ -{
- long intpart; - long intpart;
- intpart = (long) value; - intpart = (long)value;
- value = value - intpart; - value = value - intpart;
- if (value >= 0.5) - if (value >= 0.5)
- intpart++; - intpart++;
@ -551,15 +532,10 @@ index 143a7cf..657beb7 100644
-} -}
- -
-static void -static void
-fmtfp( -fmtfp(char **sbuffer,
- char **sbuffer, - char **buffer,
- char **buffer, - size_t *currlen,
- size_t *currlen, - size_t *maxlen, LDOUBLE fvalue, int min, int max, int flags)
- size_t *maxlen,
- LDOUBLE fvalue,
- int min,
- int max,
- int flags)
-{ -{
- int signvalue = 0; - int signvalue = 0;
- LDOUBLE ufvalue; - LDOUBLE ufvalue;
@ -569,7 +545,6 @@ index 143a7cf..657beb7 100644
- int fplace = 0; - int fplace = 0;
- int padlen = 0; - int padlen = 0;
- int zpadlen = 0; - int zpadlen = 0;
- int caps = 0;
- long intpart; - long intpart;
- long fracpart; - long fracpart;
- long max10; - long max10;
@ -586,13 +561,17 @@ index 143a7cf..657beb7 100644
- -
- intpart = (long)ufvalue; - intpart = (long)ufvalue;
- -
- /* sorry, we only support 9 digits past the decimal because of our - /*
- conversion method */ - * sorry, we only support 9 digits past the decimal because of our
- * conversion method
- */
- if (max > 9) - if (max > 9)
- max = 9; - max = 9;
- -
- /* we "cheat" by converting the fractional part to integer by - /*
- multiplying by a factor of 10 */ - * we "cheat" by converting the fractional part to integer by multiplying
- * by a factor of 10
- */
- max10 = roundv(pow_10(max)); - max10 = roundv(pow_10(max));
- fracpart = roundv(pow_10(max) * (ufvalue - intpart)); - fracpart = roundv(pow_10(max) * (ufvalue - intpart));
- -
@ -603,9 +582,7 @@ index 143a7cf..657beb7 100644
- -
- /* convert integer part */ - /* convert integer part */
- do { - do {
- iconvert[iplace++] = - iconvert[iplace++] = "0123456789"[intpart % 10];
- (caps ? "0123456789ABCDEF"
- : "0123456789abcdef")[intpart % 10];
- intpart = (intpart / 10); - intpart = (intpart / 10);
- } while (intpart && (iplace < (int)sizeof(iconvert))); - } while (intpart && (iplace < (int)sizeof(iconvert)));
- if (iplace == sizeof iconvert) - if (iplace == sizeof iconvert)
@ -614,9 +591,7 @@ index 143a7cf..657beb7 100644
- -
- /* convert fractional part */ - /* convert fractional part */
- do { - do {
- fconvert[fplace++] = - fconvert[fplace++] = "0123456789"[fracpart % 10];
- (caps ? "0123456789ABCDEF"
- : "0123456789abcdef")[fracpart % 10];
- fracpart = (fracpart / 10); - fracpart = (fracpart / 10);
- } while (fplace < max); - } while (fplace < max);
- if (fplace == sizeof fconvert) - if (fplace == sizeof fconvert)
@ -676,52 +651,58 @@ index 143a7cf..657beb7 100644
-} -}
- -
-static void -static void
-doapr_outch( -doapr_outch(char **sbuffer,
- char **sbuffer, - char **buffer, size_t *currlen, size_t *maxlen, int c)
- char **buffer,
- size_t *currlen,
- size_t *maxlen,
- int c)
-{ -{
- /* If we haven't at least one buffer, someone has doe a big booboo */ - /* If we haven't at least one buffer, someone has doe a big booboo */
- assert(*sbuffer != NULL || buffer != NULL); - assert(*sbuffer != NULL || buffer != NULL);
- -
- if (buffer) { - if (buffer) {
- while (*currlen >= *maxlen) { - while (*currlen >= *maxlen) {
- if (*buffer == NULL) { - if (*buffer == NULL) {
- if (*maxlen == 0) - if (*maxlen == 0)
- *maxlen = 1024; - *maxlen = 1024;
- *buffer = OPENSSL_malloc(*maxlen); - *buffer = OPENSSL_malloc(*maxlen);
- if (*currlen > 0) { - if(!*buffer) {
- assert(*sbuffer != NULL); - /* Panic! Can't really do anything sensible. Just return */
- memcpy(*buffer, *sbuffer, *currlen); - return;
- } - }
- *sbuffer = NULL; - if (*currlen > 0) {
- } else { - assert(*sbuffer != NULL);
- *maxlen += 1024; - memcpy(*buffer, *sbuffer, *currlen);
- *buffer = OPENSSL_realloc(*buffer, *maxlen); - }
- } - *sbuffer = NULL;
- } - } else {
- /* What to do if *buffer is NULL? */ - *maxlen += 1024;
- assert(*sbuffer != NULL || *buffer != NULL); - *buffer = OPENSSL_realloc(*buffer, *maxlen);
- if(!*buffer) {
- /* Panic! Can't really do anything sensible. Just return */
- return;
- }
- }
- }
- /* What to do if *buffer is NULL? */
- assert(*sbuffer != NULL || *buffer != NULL);
- } - }
- -
- if (*currlen < *maxlen) { - if (*currlen < *maxlen) {
- if (*sbuffer) - if (*sbuffer)
- (*sbuffer)[(*currlen)++] = (char)c; - (*sbuffer)[(*currlen)++] = (char)c;
- else - else
- (*buffer)[(*currlen)++] = (char)c; - (*buffer)[(*currlen)++] = (char)c;
- } - }
- -
- return; - return;
-} -}
- -
/***************************************************************************/ -/***************************************************************************/
-
int BIO_printf (BIO *bio, const char *format, ...) int BIO_printf(BIO *bio, const char *format, ...)
@@ -778,65 +86,70 @@ int BIO_printf (BIO *bio, const char *format, ...) {
return(ret); va_list args;
} @@ -757,28 +85,36 @@ int BIO_printf(BIO *bio, const char *for
return (ret);
}
+static ssize_t cookie_BIO_write(void *cookie, const char *buf, size_t size) +static ssize_t cookie_BIO_write(void *cookie, const char *buf, size_t size)
+{ +{
@ -733,20 +714,30 @@ index 143a7cf..657beb7 100644
+ return (ret < 0) ? 0 : ret; + return (ret < 0) ? 0 : ret;
+} +}
+ +
int BIO_vprintf (BIO *bio, const char *format, va_list args) int BIO_vprintf(BIO *bio, const char *format, va_list args)
- { {
+{
+ FILE *fp; + FILE *fp;
int ret; int ret;
- size_t retlen; - size_t retlen;
- char hugebuf[1024*2]; /* Was previously 10k, which is unreasonable - char hugebuf[1024 * 2]; /* Was previously 10k, which is unreasonable
- in small-stack environments, like threads - * in small-stack environments, like threads
- or DOS programs. */ - * or DOS programs. */
- char *hugebufp = hugebuf; - char *hugebufp = hugebuf;
- size_t hugebufsize = sizeof(hugebuf); - size_t hugebufsize = sizeof(hugebuf);
- char *dynbuf = NULL; - char *dynbuf = NULL;
- int ignored; - int ignored;
+ -
- dynbuf = NULL;
- CRYPTO_push_info("doapr()");
- _dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, args);
- if (dynbuf) {
- ret = BIO_write(bio, dynbuf, (int)retlen);
- OPENSSL_free(dynbuf);
- } else {
- ret = BIO_write(bio, hugebuf, (int)retlen);
- }
- CRYPTO_pop_info();
+
+ cookie_io_functions_t bio_funcs = { + cookie_io_functions_t bio_funcs = {
+ .read = NULL, + .read = NULL,
+ .write = cookie_BIO_write, + .write = cookie_BIO_write,
@ -762,74 +753,44 @@ index 143a7cf..657beb7 100644
+ ret = vfprintf(fp, format, args); + ret = vfprintf(fp, format, args);
+ +
+ fclose(fp); + fclose(fp);
return (ret);
}
- dynbuf = NULL; @@ -794,28 +130,22 @@ int BIO_snprintf(char *buf, size_t n, co
- CRYPTO_push_info("doapr()"); int ret;
- _dopr(&hugebufp, &dynbuf, &hugebufsize,
- &retlen, &ignored, format, args);
- if (dynbuf)
- {
- ret=BIO_write(bio, dynbuf, (int)retlen);
- OPENSSL_free(dynbuf);
- }
- else
- {
- ret=BIO_write(bio, hugebuf, (int)retlen);
- }
- CRYPTO_pop_info();
return(ret);
- }
+}
/* As snprintf is not available everywhere, we provide our own implementation. va_start(args, format);
* This function has nothing to do with BIOs, but it's closely related + ret = vsnprintf(buf, n, format, args);
* to BIO_printf, and we need *some* name prefix ... + va_end(args);
* (XXX the function should be renamed, but to what?) */
int BIO_snprintf(char *buf, size_t n, const char *format, ...)
- {
+{
va_list args;
int ret;
va_start(args, format); - ret = BIO_vsnprintf(buf, n, format, args);
+ if (ret >= n || ret == -1) return (-1);
- ret = BIO_vsnprintf(buf, n, format, args); - va_end(args);
+ ret = vsnprintf(buf, n, format, args); return (ret);
}
va_end(args);
+
+ if (ret >= n || ret == -1) return (-1);
+
return(ret);
- }
+}
int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
- { {
- size_t retlen; - size_t retlen;
- int truncated; - int truncated;
+{ + int ret;
+
+ int ret;
+
+ ret = vsnprintf(buf, n, format, args);
- _dopr(&buf, NULL, &n, &retlen, &truncated, format, args); - _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
+ if (ret >= n || ret == -1) + ret = vsnprintf(buf, n, format, args);
+ return (-1);
- if (truncated) - if (truncated)
- /* In case of truncation, return -1 like traditional snprintf. - /*
- * (Current drafts for ISO/IEC 9899 say snprintf should return - * In case of truncation, return -1 like traditional snprintf.
- * the number of characters that would have been written, - * (Current drafts for ISO/IEC 9899 say snprintf should return the
- * had the buffer been large enough.) */ - * number of characters that would have been written, had the buffer
- return -1; - * been large enough.)
- else - */
- return (retlen <= INT_MAX) ? (int)retlen : -1; - return -1;
- } - else
+ return (ret); - return (retlen <= INT_MAX) ? (int)retlen : -1;
+ if (ret >= n || ret == -1)
+ return (-1);
+ +
+} + return (ret);
-- }
1.8.4.5

1031
0001-libcrypto-Hide-library-private-symbols.patch
View File

File diff suppressed because it is too large Load Diff

138
0005-libssl-Hide-library-private-symbols.patch
View File

@ -16,58 +16,58 @@ API/ABI when GCC 4 or later is used.
ssl/t1_lib.c | 6 ++---- ssl/t1_lib.c | 6 ++----
8 files changed, 23 insertions(+), 12 deletions(-) 8 files changed, 23 insertions(+), 12 deletions(-)
Index: openssl-1.0.1i/ssl/d1_lib.c Index: openssl-1.0.2a/ssl/d1_lib.c
=================================================================== ===================================================================
--- openssl-1.0.1i.orig/ssl/d1_lib.c --- openssl-1.0.2a.orig/ssl/d1_lib.c 2015-05-29 13:41:52.858088475 +0200
+++ openssl-1.0.1i/ssl/d1_lib.c +++ openssl-1.0.2a/ssl/d1_lib.c 2015-05-29 13:47:58.764278577 +0200
@@ -67,8 +67,7 @@ @@ -69,8 +69,7 @@
#endif
static void get_current_time(struct timeval *t); static void get_current_time(struct timeval *t);
-const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT; static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
static int dtls1_handshake_write(SSL *s);
-const char dtls1_version_str[] = "DTLSv1" OPENSSL_VERSION_PTEXT;
-int dtls1_listen(SSL *s, struct sockaddr *client); -int dtls1_listen(SSL *s, struct sockaddr *client);
+static int dtls1_listen(SSL *s, struct sockaddr *client); +static int dtls1_listen(SSL *s, struct sockaddr *client);
SSL3_ENC_METHOD DTLSv1_enc_data={ SSL3_ENC_METHOD DTLSv1_enc_data = {
dtls1_enc, tls1_enc,
@@ -471,7 +470,7 @@ static void get_current_time(struct time @@ -539,7 +538,7 @@ static void get_current_time(struct time
#endif #endif
} }
-int dtls1_listen(SSL *s, struct sockaddr *client) -int dtls1_listen(SSL *s, struct sockaddr *client)
+static int dtls1_listen(SSL *s, struct sockaddr *client) +static int dtls1_listen(SSL *s, struct sockaddr *client)
{ {
int ret; int ret;
Index: openssl-1.0.1i/ssl/kssl_lcl.h Index: openssl-1.0.2a/ssl/kssl_lcl.h
=================================================================== ===================================================================
--- openssl-1.0.1i.orig/ssl/kssl_lcl.h --- openssl-1.0.2a.orig/ssl/kssl_lcl.h 2015-05-29 13:41:52.858088475 +0200
+++ openssl-1.0.1i/ssl/kssl_lcl.h +++ openssl-1.0.2a/ssl/kssl_lcl.h 2015-05-29 13:46:44.708430822 +0200
@@ -61,6 +61,10 @@ @@ -62,6 +62,10 @@
#include <openssl/kssl.h> # include <openssl/kssl.h>
+#if defined(__GNUC__) && __GNUC__ >= 4 +#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility push(hidden) +#pragma GCC visibility push(hidden)
+#endif +#endif
+ +
#ifndef OPENSSL_NO_KRB5 # ifndef OPENSSL_NO_KRB5
#ifdef __cplusplus #ifdef __cplusplus
@@ -84,4 +88,9 @@ int kssl_tgt_is_available(KSSL_CTX *kssl @@ -85,4 +89,9 @@ int kssl_tgt_is_available(KSSL_CTX *kssl
} }
#endif #endif
#endif /* OPENSSL_NO_KRB5 */ # endif /* OPENSSL_NO_KRB5 */
+ +
+#if defined(__GNUC__) && __GNUC__ >= 4 +#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility pop +#pragma GCC visibility pop
+#endif +#endif
+ +
#endif /* KSSL_LCL_H */ #endif /* KSSL_LCL_H */
Index: openssl-1.0.1i/ssl/s23_srvr.c Index: openssl-1.0.2a/ssl/s23_srvr.c
=================================================================== ===================================================================
--- openssl-1.0.1i.orig/ssl/s23_srvr.c --- openssl-1.0.2a.orig/ssl/s23_srvr.c 2015-05-29 13:41:51.427072084 +0200
+++ openssl-1.0.1i/ssl/s23_srvr.c +++ openssl-1.0.2a/ssl/s23_srvr.c 2015-05-29 13:47:16.275792355 +0200
@@ -120,7 +120,7 @@ @@ -120,7 +120,7 @@
#endif #endif
@ -75,92 +75,92 @@ Index: openssl-1.0.1i/ssl/s23_srvr.c
-int ssl23_get_client_hello(SSL *s); -int ssl23_get_client_hello(SSL *s);
+static int ssl23_get_client_hello(SSL *s); +static int ssl23_get_client_hello(SSL *s);
static const SSL_METHOD *ssl23_get_server_method(int ver) static const SSL_METHOD *ssl23_get_server_method(int ver)
{ {
#ifndef OPENSSL_NO_SSL2 #ifndef OPENSSL_NO_SSL2
@@ -235,7 +235,7 @@ end: @@ -233,7 +233,7 @@ int ssl23_accept(SSL *s)
} return (ret);
}
-int ssl23_get_client_hello(SSL *s) -int ssl23_get_client_hello(SSL *s)
+static int ssl23_get_client_hello(SSL *s) +static int ssl23_get_client_hello(SSL *s)
{ {
char buf_space[11]; /* Request this many bytes in initial read. /*-
* We can detect SSL 3.0/TLS 1.0 Client Hellos * Request this many bytes in initial read.
Index: openssl-1.0.1i/ssl/s2_lib.c Index: openssl-1.0.2a/ssl/s2_lib.c
=================================================================== ===================================================================
--- openssl-1.0.1i.orig/ssl/s2_lib.c --- openssl-1.0.2a.orig/ssl/s2_lib.c 2015-05-29 13:41:52.859088486 +0200
+++ openssl-1.0.1i/ssl/s2_lib.c +++ openssl-1.0.2a/ssl/s2_lib.c 2015-05-29 13:47:37.964040715 +0200
@@ -116,7 +116,6 @@ @@ -116,7 +116,6 @@
#include <openssl/evp.h> # include <openssl/evp.h>
#include <openssl/md5.h> # include <openssl/md5.h>
-const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT; -const char ssl2_version_str[] = "SSLv2" OPENSSL_VERSION_PTEXT;
#define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) # define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
Index: openssl-1.0.1i/ssl/s3_lib.c Index: openssl-1.0.2a/ssl/s3_lib.c
=================================================================== ===================================================================
--- openssl-1.0.1i.orig/ssl/s3_lib.c --- openssl-1.0.2a.orig/ssl/s3_lib.c 2015-05-29 13:41:52.859088486 +0200
+++ openssl-1.0.1i/ssl/s3_lib.c +++ openssl-1.0.2a/ssl/s3_lib.c 2015-05-29 13:49:33.525363159 +0200
@@ -162,7 +162,6 @@ @@ -157,7 +157,6 @@
#include <openssl/dh.h> # include <openssl/dh.h>
#endif #endif
-const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; -const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT;
#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
Index: openssl-1.0.1i/ssl/ssl_lib.c Index: openssl-1.0.2a/ssl/ssl_lib.c
=================================================================== ===================================================================
--- openssl-1.0.1i.orig/ssl/ssl_lib.c --- openssl-1.0.2a.orig/ssl/ssl_lib.c 2015-05-29 13:41:52.860088498 +0200
+++ openssl-1.0.1i/ssl/ssl_lib.c +++ openssl-1.0.2a/ssl/ssl_lib.c 2015-05-29 13:49:51.821573194 +0200
@@ -160,7 +160,6 @@ @@ -160,7 +160,6 @@
#include <openssl/engine.h> # include <openssl/engine.h>
#endif #endif
-const char *SSL_version_str=OPENSSL_VERSION_TEXT; -const char *SSL_version_str = OPENSSL_VERSION_TEXT;
SSL3_ENC_METHOD ssl3_undef_enc_method={ SSL3_ENC_METHOD ssl3_undef_enc_method = {
/* evil casts, but these functions are only called if there's a library bug */ /*
Index: openssl-1.0.1i/ssl/ssl_locl.h Index: openssl-1.0.2a/ssl/ssl_locl.h
=================================================================== ===================================================================
--- openssl-1.0.1i.orig/ssl/ssl_locl.h --- openssl-1.0.2a.orig/ssl/ssl_locl.h 2015-05-29 13:41:52.860088498 +0200
+++ openssl-1.0.1i/ssl/ssl_locl.h +++ openssl-1.0.2a/ssl/ssl_locl.h 2015-05-29 13:51:29.789694782 +0200
@@ -165,6 +165,10 @@ @@ -165,6 +165,10 @@
#include <openssl/ssl.h> # include <openssl/ssl.h>
#include <openssl/symhacks.h> # include <openssl/symhacks.h>
+#if defined(__GNUC__) && __GNUC__ >= 4 +#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility push(hidden) +#pragma GCC visibility push(hidden)
+#endif +#endif
+ +
#ifdef OPENSSL_BUILD_SHLIBSSL # ifdef OPENSSL_BUILD_SHLIBSSL
# undef OPENSSL_EXTERN # undef OPENSSL_EXTERN
# define OPENSSL_EXTERN OPENSSL_EXPORT # define OPENSSL_EXTERN OPENSSL_EXPORT
@@ -1194,5 +1198,14 @@ int srp_verify_server_param(SSL *s, int @@ -1475,5 +1479,14 @@ void custom_exts_free(custom_ext_methods
#define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat # define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat
#define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat # define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat
+int private_tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, int seed2_len, +int private_tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, int seed2_len,
+ const void *seed3, int seed3_len, const void *seed4, int seed4_len, const void *seed5, int seed5_len, + const void *seed3, int seed3_len, const void *seed4, int seed4_len, const void *seed5, int seed5_len,
+ const unsigned char *sec, int slen, unsigned char *out1, unsigned char *out2, int olen); + const unsigned char *sec, int slen, unsigned char *out1, unsigned char *out2, int olen);
+ +
#endif # endif
+ +
+#if defined(__GNUC__) && __GNUC__ >= 4 +#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility pop +#pragma GCC visibility pop
+#endif +#endif
+ +
#endif #endif
Index: openssl-1.0.1i/ssl/t1_lib.c Index: openssl-1.0.2a/ssl/t1_lib.c
=================================================================== ===================================================================
--- openssl-1.0.1i.orig/ssl/t1_lib.c --- openssl-1.0.2a.orig/ssl/t1_lib.c 2015-05-29 13:41:52.861088510 +0200
+++ openssl-1.0.1i/ssl/t1_lib.c +++ openssl-1.0.2a/ssl/t1_lib.c 2015-05-29 13:51:50.181929005 +0200
@@ -117,7 +117,6 @@ @@ -120,7 +120,6 @@
#include <openssl/rand.h> #include <openssl/rand.h>
#include "ssl_locl.h" #include "ssl_locl.h"
-const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; -const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,

172
VIA_padlock_support_on_64systems.patch
View File

@ -1,172 +0,0 @@
Index: openssl-1.0.1k/engines/e_padlock.c
===================================================================
--- openssl-1.0.1k.orig/engines/e_padlock.c
+++ openssl-1.0.1k/engines/e_padlock.c
@@ -101,7 +101,10 @@
compiler choice is limited to GCC and Microsoft C. */
#undef COMPILE_HW_PADLOCK
#if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+# if (defined(__GNUC__) && __GNUC__>=2 && \
+ (defined(__i386__) || defined(__i386) || \
+ defined(__x86_64__) || defined(__x86_64)) \
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
# endif
@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
* =======================================================
*/
#if defined(__GNUC__) && __GNUC__>=2
+#if defined(__i386__) || defined(__i386)
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
@@ -458,11 +462,136 @@ static inline void *name(size_t cnt, \
return iv; \
}
+
+#endif
+
+#elif defined(__x86_64__) || defined(__x86_64)
+
+/* Load supported features of the CPU to see if
+ the PadLock is available. */
+ static int
+padlock_available(void)
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
+ size_t scratch;
+
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
+ asm volatile (
+ "movq %%rbx,%1\n"
+ "cpuid\n"
+ "movl %%ebx,(%2)\n"
+ "movl %%edx,4(%2)\n"
+ "movl %%ecx,8(%2)\n"
+ "movq %1,%%rbx"
+ : "+a"(eax), "=&r"(scratch) : "r"(vendor_string) : "rcx", "rdx");
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
+ return 0;
+
+ /* Check for Centaur Extended Feature Flags presence */
+ eax = 0xC0000000;
+ asm volatile ("movq %%rbx,%1; cpuid; movq %1,%%rbx"
+ : "+a"(eax), "=&r"(scratch) : : "rcx", "rdx");
+ if (eax < 0xC0000001)
+ return 0;
+
+ /* Read the Centaur Extended Feature Flags */
+ eax = 0xC0000001;
+ asm volatile ("movq %%rbx,%2; cpuid; movq %2,%%rbx"
+ : "+a"(eax), "=d"(edx), "=&r"(scratch) : : "rcx");
+
+ /* Fill up some flags */
+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
+
+ return padlock_use_ace + padlock_use_rng;
+}
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
+ static inline void
+padlock_reload_key(void)
+{
+ asm volatile ("pushfq; popfq");
+}
+
+#ifndef OPENSSL_NO_AES
+/*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+ * but it's not actually necessary. Point is that if
+ * padlock_saved_context was changed by another thread
+ * after we've read it and before we compare it with cdata,
+ * our key *shall* be reloaded upon thread context switch
+ * and we are therefore set in either case...
+ */
+ static inline void
+padlock_verify_context(struct padlock_cipher_data *cdata)
+{
+ asm volatile (
+ "pushfq\n"
+ " btl $30,(%%rsp)\n"
+ " jnc 1f\n"
+ " cmpq %2,%1\n"
+ " je 1f\n"
+ " popfq\n"
+ " subq $8,%%rsp\n"
+ "1: addq $8,%%rsp\n"
+ " movq %2,%0"
+ :"+m"(padlock_saved_context)
+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
+}
+
+/* Template for padlock_xcrypt_* modes */
+/* BIG FAT WARNING:
+ * The offsets used with 'leal' instructions
+ * describe items of the 'padlock_cipher_data'
+ * structure.
+ */
+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
+ static inline void *name(size_t cnt, \
+ struct padlock_cipher_data *cdata, \
+ void *out, const void *inp) \
+{ void *iv; \
+ size_t scratch; \
+ asm volatile ( "movq %%rbx,%4\n" \
+ " leaq 16(%0),%%rdx\n" \
+ " leaq 32(%0),%%rbx\n" \
+ rep_xcrypt "\n" \
+ " movq %4,%%rbx" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp), "=&r"(scratch) \
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
+ : "rdx", "cc", "memory"); \
+ return iv; \
+}
+#endif
+
+#endif /* cpu */
+
+#ifndef OPENSSL_NO_AES
+
+
/* Generate all functions with appropriate opcodes */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
+
+/* Our own htonl()/ntohl() */
+static inline void
+padlock_bswapl(AES_KEY *ks)
+{
+ size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
+ unsigned int *key = ks->rd_key;
+
+ while (i--) {
+ asm volatile ("bswapl %0" : "+r"(*key));
+ key++;
+ }
+}
#endif
/* The RNG call itself */
@@ -493,8 +622,8 @@ padlock_xstore(void *addr, unsigned int
static inline unsigned char *
padlock_memcpy(void *dst,const void *src,size_t n)
{
- long *d=dst;
- const long *s=src;
+ size_t *d=dst;
+ const size_t *s=src;
n /= sizeof(*d);
do { *d++ = *s++; } while (--n);

8
bug610223.patch
View File

@ -1,8 +1,8 @@
Index: openssl-1.0.1g/Configure Index: openssl-1.0.2a/Configure
=================================================================== ===================================================================
--- openssl-1.0.1g.orig/Configure --- openssl-1.0.2a.orig/Configure 2015-04-03 21:33:54.286437754 +0200
+++ openssl-1.0.1g/Configure +++ openssl-1.0.2a/Configure 2015-04-03 21:42:55.431975088 +0200
@@ -1804,7 +1804,8 @@ while (<IN>) @@ -1889,7 +1889,8 @@ while (<IN>)
} }
elsif (/^#define\s+ENGINESDIR/) elsif (/^#define\s+ENGINESDIR/)
{ {

46
compression_methods_switch.patch
View File

@ -1,7 +1,7 @@
Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod Index: openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
=================================================================== ===================================================================
--- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod --- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-03 22:10:19.262805732 +0200
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod +++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-03 22:10:28.958939879 +0200
@@ -41,6 +41,24 @@ of compression methods supported on a pe @@ -41,6 +41,24 @@ of compression methods supported on a pe
The OpenSSL library has the compression methods B<COMP_rle()> and (when The OpenSSL library has the compression methods B<COMP_rle()> and (when
especially enabled during compilation) B<COMP_zlib()> available. especially enabled during compilation) B<COMP_zlib()> available.
@ -27,25 +27,25 @@ Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
=head1 WARNINGS =head1 WARNINGS
Once the identities of the compression methods for the TLS protocol have Once the identities of the compression methods for the TLS protocol have
Index: openssl-1.0.1e/ssl/ssl_ciph.c Index: openssl-1.0.2a/ssl/ssl_ciph.c
=================================================================== ===================================================================
--- openssl-1.0.1e.orig/ssl/ssl_ciph.c --- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-04-03 22:10:28.959939893 +0200
+++ openssl-1.0.1e/ssl/ssl_ciph.c +++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-03 22:12:33.425662139 +0200
@@ -452,10 +452,16 @@ static void load_builtin_compressions(vo @@ -478,10 +478,16 @@ static void load_builtin_compressions(vo
if (ssl_comp_methods == NULL)
{
SSL_COMP *comp = NULL;
+ const char *nodefaultzlib;
MemCheck_off(); if (ssl_comp_methods == NULL) {
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); SSL_COMP *comp = NULL;
- if (ssl_comp_methods != NULL) + const char *nodefaultzlib;
+
+ /* The default is "no" compression to avoid CRIME/BEAST */ MemCheck_off();
+ nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB"); ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+ if ( ssl_comp_methods != NULL && - if (ssl_comp_methods != NULL) {
+ nodefaultzlib && + /* The default is "no" compression to avoid CRIME/BEAST */
+ strncmp( nodefaultzlib, "no", 2) == 0) + nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");
{ + if ( ssl_comp_methods != NULL &&
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + nodefaultzlib &&
if (comp != NULL) + strncmp( nodefaultzlib, "no", 2) == 0)
+ {
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL) {
comp->method = COMP_zlib();

35
merge_from_0.9.8k.patch
View File

@ -1,8 +1,8 @@
Index: openssl-1.0.1g/Configure Index: openssl-1.0.2a/Configure
=================================================================== ===================================================================
--- openssl-1.0.1g.orig/Configure --- openssl-1.0.2a.orig/Configure 2015-05-30 21:58:49.358278076 +0200
+++ openssl-1.0.1g/Configure +++ openssl-1.0.2a/Configure 2015-05-30 21:58:52.830317683 +0200
@@ -933,7 +933,7 @@ PROCESS_ARGS: @@ -996,7 +996,7 @@ PROCESS_ARGS:
} }
else else
{ {
@ -11,7 +11,7 @@ Index: openssl-1.0.1g/Configure
$target=$_; $target=$_;
} }
@@ -1206,7 +1206,7 @@ if ($target =~ /^mingw/ && `$cc --target @@ -1276,7 +1276,7 @@ if ($target =~ /linux.*\-mips/ && !$no_a
my $no_shared_warn=0; my $no_shared_warn=0;
my $no_user_cflags=0; my $no_user_cflags=0;
@ -20,10 +20,10 @@ Index: openssl-1.0.1g/Configure
else { $no_user_cflags=1; } else { $no_user_cflags=1; }
# Kerberos settings. The flavor must be provided from outside, either through # Kerberos settings. The flavor must be provided from outside, either through
Index: openssl-1.0.1g/config Index: openssl-1.0.2a/config
=================================================================== ===================================================================
--- openssl-1.0.1g.orig/config --- openssl-1.0.2a.orig/config 2015-05-30 21:58:49.358278076 +0200
+++ openssl-1.0.1g/config +++ openssl-1.0.2a/config 2015-05-30 21:58:52.830317683 +0200
@@ -573,7 +573,8 @@ case "$GUESSOS" in @@ -573,7 +573,8 @@ case "$GUESSOS" in
options="$options -arch%20${MACHINE}" options="$options -arch%20${MACHINE}"
OUT="iphoneos-cross" ;; OUT="iphoneos-cross" ;;
@ -34,17 +34,18 @@ Index: openssl-1.0.1g/config
case ${ISA:-generic} in case ${ISA:-generic} in
*[678]) OUT="linux-alpha+bwx-$CC" ;; *[678]) OUT="linux-alpha+bwx-$CC" ;;
*) OUT="linux-alpha-$CC" ;; *) OUT="linux-alpha-$CC" ;;
@@ -593,7 +594,8 @@ case "$GUESSOS" in @@ -598,7 +599,9 @@ case "$GUESSOS" in
echo " You have about 5 seconds to press Ctrl-C to abort." if [ "$KERNEL_BITS" = "64" ]; then
(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1 OUT="linux-ppc64"
fi else
- OUT="linux-ppc" - OUT="linux-ppc"
+# OUT="linux-ppc"
+ # we have the target and force it here + # we have the target and force it here
+ OUT="linux-ppc64" + OUT="linux-ppc64"
(echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"
fi
;; ;;
ppc-*-linux2) OUT="linux-ppc" ;; @@ -632,10 +635,10 @@ case "$GUESSOS" in
ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
@@ -614,10 +616,10 @@ case "$GUESSOS" in
sparc-*-linux2) sparc-*-linux2)
KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo` KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo`
case ${KARCH:-sun4} in case ${KARCH:-sun4} in
@ -59,7 +60,7 @@ Index: openssl-1.0.1g/config
esac ;; esac ;;
parisc*-*-linux2) parisc*-*-linux2)
# 64-bit builds under parisc64 linux are not supported and # 64-bit builds under parisc64 linux are not supported and
@@ -636,7 +638,11 @@ case "$GUESSOS" in @@ -654,7 +657,11 @@ case "$GUESSOS" in
# PA8500 -> 8000 (2.0) # PA8500 -> 8000 (2.0)
# PA8600 -> 8000 (2.0) # PA8600 -> 8000 (2.0)

19
openssl-1.0.0-c_rehash-compat.diff
View File

@ -7,11 +7,11 @@ Subject: [PATCH] also create old hash for compatibility
tools/c_rehash.in | 8 +++++++- tools/c_rehash.in | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-) 1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/tools/c_rehash.in b/tools/c_rehash.in Index: openssl-1.0.2a/tools/c_rehash.in
index bfc4a69..f8d0ce1 100644 ===================================================================
--- a/tools/c_rehash.in --- openssl-1.0.2a.orig/tools/c_rehash.in 2015-04-03 21:41:53.440111263 +0200
+++ b/tools/c_rehash.in +++ openssl-1.0.2a/tools/c_rehash.in 2015-04-03 21:42:51.150916910 +0200
@@ -83,6 +83,7 @@ sub hash_dir { @@ -113,6 +113,7 @@ sub hash_dir {
next; next;
} }
link_hash_cert($fname) if($cert); link_hash_cert($fname) if($cert);
@ -19,18 +19,18 @@ index bfc4a69..f8d0ce1 100644
link_hash_crl($fname) if($crl); link_hash_crl($fname) if($crl);
} }
} }
@@ -116,8 +117,9 @@ sub check_file { @@ -146,8 +147,9 @@ sub check_file {
sub link_hash_cert { sub link_hash_cert {
my $fname = $_[0]; my $fname = $_[0];
+ my $hashopt = $_[1] || '-subject_hash'; + my $hashopt = $_[1] || '-subject_hash';
$fname =~ s/'/'\\''/g; $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`; + my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
chomp $hash; chomp $hash;
chomp $fprint; chomp $fprint;
$fprint =~ s/^.*=//; $fprint =~ s/^.*=//;
@@ -147,6 +149,10 @@ sub link_hash_cert { @@ -177,6 +179,10 @@ sub link_hash_cert {
$hashlist{$hash} = $fprint; $hashlist{$hash} = $fprint;
} }
@ -41,6 +41,3 @@ index bfc4a69..f8d0ce1 100644
# Same as above except for a CRL. CRL links are of the form <hash>.r<n> # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl { sub link_hash_crl {
--
1.6.4.2

103
openssl-1.0.1c-default-paths.patch
View File

@ -1,103 +0,0 @@
Index: openssl-1.0.1g/apps/s_client.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_client.c
+++ openssl-1.0.1g/apps/s_client.c
@@ -1174,12 +1174,19 @@ bad:
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx)))
+ if (CAfile == NULL && CApath == NULL)
{
- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (!SSL_CTX_set_default_verify_paths(ctx))
+ {
+ ERR_print_errors(bio_err);
+ }
+ }
+ else
+ {
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+ {
+ ERR_print_errors(bio_err);
+ }
}
#ifndef OPENSSL_NO_TLSEXT
Index: openssl-1.0.1g/apps/s_server.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_server.c
+++ openssl-1.0.1g/apps/s_server.c
@@ -1572,13 +1572,21 @@ bad:
}
#endif
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx)))
+ if (CAfile == NULL && CApath == NULL)
{
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (!SSL_CTX_set_default_verify_paths(ctx))
+ {
+ ERR_print_errors(bio_err);
+ }
+ }
+ else
+ {
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+ {
+ ERR_print_errors(bio_err);
+ }
}
+
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1629,8 +1637,11 @@ bad:
else
SSL_CTX_sess_set_cache_size(ctx2,128);
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
+ {
+ ERR_print_errors(bio_err);
+ }
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
{
ERR_print_errors(bio_err);
}
Index: openssl-1.0.1g/apps/s_time.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_time.c
+++ openssl-1.0.1g/apps/s_time.c
@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
+ if (CAfile == NULL && CApath == NULL)
{
- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+ {
+ ERR_print_errors(bio_err);
+ }
+ }
+ else
+ {
+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
+ {
+ ERR_print_errors(bio_err);
+ }
}
if (tm_cipher == NULL)

523
openssl-1.0.1c-ipv6-apps.patch
View File

@ -1,523 +0,0 @@
Index: openssl-1.0.1h/apps/s_apps.h
===================================================================
--- openssl-1.0.1h.orig/apps/s_apps.h
+++ openssl-1.0.1h/apps/s_apps.h
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
#ifdef HEADER_X509_H
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
#endif
-int init_client(int *sock, char *server, int port, int type);
+int init_client(int *sock, char *server, char *port, int type);
int should_retry(int i);
-int extract_port(char *str, short *port_ptr);
-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
Index: openssl-1.0.1h/apps/s_client.c
===================================================================
--- openssl-1.0.1h.orig/apps/s_client.c
+++ openssl-1.0.1h/apps/s_client.c
@@ -567,7 +567,7 @@ int MAIN(int argc, char **argv)
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
fd_set readfds,writefds;
- short port=PORT;
+ char *port_str = PORT_STR;
int full_log=1;
char *host=SSL_HOST_NAME;
char *cert_file=NULL,*key_file=NULL;
@@ -668,13 +668,12 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-port") == 0)
{
if (--argc < 1) goto bad;
- port=atoi(*(++argv));
- if (port == 0) goto bad;
+ port_str= *(++argv);
}
else if (strcmp(*argv,"-connect") == 0)
{
if (--argc < 1) goto bad;
- if (!extract_host_port(*(++argv),&host,NULL,&port))
+ if (!extract_host_port(*(++argv),&host,&port_str))
goto bad;
}
else if (strcmp(*argv,"-verify") == 0)
@@ -1267,7 +1266,7 @@ bad:
re_start:
- if (init_client(&s,host,port,socket_type) == 0)
+ if (init_client(&s,host,port_str,socket_type) == 0)
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);
Index: openssl-1.0.1h/apps/s_server.c
===================================================================
--- openssl-1.0.1h.orig/apps/s_server.c
+++ openssl-1.0.1h/apps/s_server.c
@@ -933,7 +933,7 @@ int MAIN(int argc, char *argv[])
{
X509_VERIFY_PARAM *vpm = NULL;
int badarg = 0;
- short port=PORT;
+ char *port_str = PORT_STR;
char *CApath=NULL,*CAfile=NULL;
unsigned char *context = NULL;
char *dhfile = NULL;
@@ -1004,8 +1004,7 @@ int MAIN(int argc, char *argv[])
(strcmp(*argv,"-accept") == 0))
{
if (--argc < 1) goto bad;
- if (!extract_port(*(++argv),&port))
- goto bad;
+ port_str= *(++argv);
}
else if (strcmp(*argv,"-verify") == 0)
{
@@ -1892,9 +1891,9 @@ bad:
BIO_printf(bio_s_out,"ACCEPT\n");
(void)BIO_flush(bio_s_out);
if (www)
- do_server(port,socket_type,&accept_socket,www_body, context);
+ do_server(port_str,socket_type,&accept_socket,www_body, context);
else
- do_server(port,socket_type,&accept_socket,sv_body, context);
+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
print_stats(bio_s_out,ctx);
ret=0;
end:
Index: openssl-1.0.1h/apps/s_socket.c
===================================================================
--- openssl-1.0.1h.orig/apps/s_socket.c
+++ openssl-1.0.1h/apps/s_socket.c
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
static void ssl_sock_cleanup(void);
#endif
static int ssl_sock_init(void);
-static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
-static int init_server(int *sock, int port, int type);
-static int init_server_long(int *sock, int port,char *ip, int type);
+static int init_server(int *sock, char *port, int type);
static int do_accept(int acc_sock, int *sock, char **host);
static int host_ip(char *str, unsigned char ip[4]);
@@ -234,57 +232,70 @@ static int ssl_sock_init(void)
return(1);
}
-int init_client(int *sock, char *host, int port, int type)
+int init_client(int *sock, char *host, char *port, int type)
{
- unsigned char ip[4];
-
- memset(ip, '\0', sizeof ip);
- if (!host_ip(host,&(ip[0])))
- return 0;
- return init_client_ip(sock,ip,port,type);
- }
-
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
- {
- unsigned long addr;
- struct sockaddr_in them;
- int s,i;
+ struct addrinfo *res, *res0, hints;
+ char * failed_call = NULL;
+ int s;
+ int e;
if (!ssl_sock_init()) return(0);
- memset((char *)&them,0,sizeof(them));
- them.sin_family=AF_INET;
- them.sin_port=htons((unsigned short)port);
- addr=(unsigned long)
- ((unsigned long)ip[0]<<24L)|
- ((unsigned long)ip[1]<<16L)|
- ((unsigned long)ip[2]<< 8L)|
- ((unsigned long)ip[3]);
- them.sin_addr.s_addr=htonl(addr);
-
- if (type == SOCK_STREAM)
- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
- else /* ( type == SOCK_DGRAM) */
- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
-
- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_ADDRCONFIG;
+
+ e = getaddrinfo(host, port, &hints, &res);
+ if (e)
+ {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ }
+ res0 = res;
+ while (res)
+ {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET)
+ {
+ failed_call = "socket";
+ goto nextres;
+ }
#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
if (type == SOCK_STREAM)
{
- i=0;
- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
- if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
+ int i=0;
+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
+ (char *)&i,sizeof(i));
+ if (i < 0) {
+ failed_call = "keepalive";
+ goto nextres;
+ }
}
#endif
-
- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
- { closesocket(s); perror("connect"); return(0); }
+ if (connect(s,(struct sockaddr *)res->ai_addr,
+ res->ai_addrlen) == 0)
+ {
+ freeaddrinfo(res0);
*sock=s;
return(1);
}
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
+ failed_call = "socket";
+nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
+ }
+ freeaddrinfo(res0);
+
+ perror(failed_call);
+ return(0);
+ }
+
+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
{
int sock;
char *name = NULL;
@@ -322,33 +333,50 @@ int do_server(int port, int type, int *r
}
}
-static int init_server_long(int *sock, int port, char *ip, int type)
+static int init_server(int *sock, char *port, int type)
{
- int ret=0;
- struct sockaddr_in server;
- int s= -1;
+ struct addrinfo *res, *res0 = NULL, hints;
+ char * failed_call = NULL;
+ int s = INVALID_SOCKET;
+ int e;
if (!ssl_sock_init()) return(0);
- memset((char *)&server,0,sizeof(server));
- server.sin_family=AF_INET;
- server.sin_port=htons((unsigned short)port);
- if (ip == NULL)
- server.sin_addr.s_addr=INADDR_ANY;
- else
-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
-#ifndef BIT_FIELD_LIMITS
- memcpy(&server.sin_addr.s_addr,ip,4);
-#else
- memcpy(&server.sin_addr,ip,4);
-#endif
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_family = AF_INET6;
+tryipv4:
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE;
- if (type == SOCK_STREAM)
- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
- else /* type == SOCK_DGRAM */
- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
+ e = getaddrinfo(NULL, port, &hints, &res);
+ if (e)
+ {
+ if (hints.ai_family == AF_INET)
+ {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ }
+ else
+ res = NULL;
+ }
- if (s == INVALID_SOCKET) goto err;
+ res0 = res;
+ while (res)
+ {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET)
+ {
+ failed_call = "socket";
+ goto nextres;
+ }
+ if (hints.ai_family == AF_INET6)
+ {
+ int j = 0;
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
+ (void *) &j, sizeof j);
+ }
#if defined SOL_SOCKET && defined SO_REUSEADDR
{
int j = 1;
@@ -356,35 +384,49 @@ static int init_server_long(int *sock, i
(void *) &j, sizeof j);
}
#endif
- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
+
+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
{
-#ifndef OPENSSL_SYS_WINDOWS
- perror("bind");
-#endif
- goto err;
+ failed_call = "bind";
+ goto nextres;
}
- /* Make it 128 for linux */
- if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
- *sock=s;
- ret=1;
-err:
- if ((ret == 0) && (s != -1))
+ if (type==SOCK_STREAM && listen(s,128) == -1)
{
- SHUTDOWN(s);
+ failed_call = "listen";
+ goto nextres;
}
- return(ret);
+
+ *sock=s;
+ return(1);
+
+nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
}
+ if (res0)
+ freeaddrinfo(res0);
-static int init_server(int *sock, int port, int type)
+ if (s == INVALID_SOCKET)
{
- return(init_server_long(sock, port, NULL, type));
+ if (hints.ai_family == AF_INET6)
+ {
+ hints.ai_family = AF_INET;
+ goto tryipv4;
+ }
+ perror("socket");
+ return(0);
+ }
+
+ perror(failed_call);
+ return(0);
}
static int do_accept(int acc_sock, int *sock, char **host)
{
+ static struct sockaddr_storage from;
+ char buffer[NI_MAXHOST];
int ret;
- struct hostent *h1,*h2;
- static struct sockaddr_in from;
int len;
/* struct linger ling; */
@@ -431,138 +473,59 @@ redoit:
*/
if (host == NULL) goto end;
-#ifndef BIT_FIELD_LIMITS
- /* I should use WSAAsyncGetHostByName() under windows */
- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
- sizeof(from.sin_addr.s_addr),AF_INET);
-#else
- h1=gethostbyaddr((char *)&from.sin_addr,
- sizeof(struct in_addr),AF_INET);
-#endif
- if (h1 == NULL)
+
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
+ buffer, sizeof(buffer),
+ NULL, 0, 0))
{
- BIO_printf(bio_err,"bad gethostbyaddr\n");
+ BIO_printf(bio_err,"getnameinfo failed\n");
*host=NULL;
/* return(0); */
}
else
{
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
{
perror("OPENSSL_malloc");
closesocket(ret);
return(0);
}
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
-
- h2=GetHostByName(*host);
- if (h2 == NULL)
- {
- BIO_printf(bio_err,"gethostbyname failure\n");
- closesocket(ret);
- return(0);
- }
- if (h2->h_addrtype != AF_INET)
- {
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
- closesocket(ret);
- return(0);
- }
+ strcpy(*host, buffer);
}
end:
*sock=ret;
return(1);
}
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
- short *port_ptr)
+int extract_host_port(char *str, char **host_ptr,
+ char **port_ptr)
{
- char *h,*p;
+ char *h,*p,*x;
- h=str;
- p=strchr(str,':');
+ x=h=str;
+ if (*h == '[')
+ {
+ h++;
+ p=strchr(h,']');
if (p == NULL)
{
- BIO_printf(bio_err,"no port defined\n");
+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
return(0);
}
*(p++)='\0';
-
- if ((ip != NULL) && !host_ip(str,ip))
- goto err;
- if (host_ptr != NULL) *host_ptr=h;
-
- if (!extract_port(p,port_ptr))
- goto err;
- return(1);
-err:
- return(0);
+ x = p;
}
-
-static int host_ip(char *str, unsigned char ip[4])
- {
- unsigned int in[4];
- int i;
-
- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
- {
- for (i=0; i<4; i++)
- if (in[i] > 255)
- {
- BIO_printf(bio_err,"invalid IP address\n");
- goto err;
- }
- ip[0]=in[0];
- ip[1]=in[1];
- ip[2]=in[2];
- ip[3]=in[3];
- }
- else
- { /* do a gethostbyname */
- struct hostent *he;
-
- if (!ssl_sock_init()) return(0);
-
- he=GetHostByName(str);
- if (he == NULL)
- {
- BIO_printf(bio_err,"gethostbyname failure\n");
- goto err;
- }
- /* cast to short because of win16 winsock definition */
- if ((short)he->h_addrtype != AF_INET)
+ p=strchr(x,':');
+ if (p == NULL)
{
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
- return(0);
- }
- ip[0]=he->h_addr_list[0][0];
- ip[1]=he->h_addr_list[0][1];
- ip[2]=he->h_addr_list[0][2];
- ip[3]=he->h_addr_list[0][3];
- }
- return(1);
-err:
+ BIO_printf(bio_err,"no port defined\n");
return(0);
}
+ *(p++)='\0';
-int extract_port(char *str, short *port_ptr)
- {
- int i;
- struct servent *s;
+ if (host_ptr != NULL) *host_ptr=h;
+ if (port_ptr != NULL) *port_ptr=p;
- i=atoi(str);
- if (i != 0)
- *port_ptr=(unsigned short)i;
- else
- {
- s=getservbyname(str,"tcp");
- if (s == NULL)
- {
- BIO_printf(bio_err,"getservbyname failure for %s\n",str);
- return(0);
- }
- *port_ptr=ntohs((unsigned short)s->s_port);
- }
return(1);
}

16
openssl-1.0.1e-add-suse-default-cipher-header.patch
View File

@ -1,16 +0,0 @@
Index: openssl-1.0.1g/ssl/ssl.h
===================================================================
--- openssl-1.0.1g.orig/ssl/ssl.h
+++ openssl-1.0.1g/ssl/ssl.h
@@ -332,9 +332,11 @@ extern "C" {
* It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */
#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
+
#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
"DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
"AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
+
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
* throwing out anonymous and unencrypted ciphersuites!

67
openssl-1.0.1e-add-suse-default-cipher.patch
View File

@ -1,39 +1,38 @@
Index: openssl-1.0.1g/ssl/ssl_ciph.c Index: openssl-1.0.2a/ssl/ssl_ciph.c
=================================================================== ===================================================================
--- openssl-1.0.1g.orig/ssl/ssl_ciph.c --- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-05-24 14:26:18.132243785 +0200
+++ openssl-1.0.1g/ssl/ssl_ciph.c +++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-05-24 14:26:18.229245199 +0200
@@ -1470,7 +1470,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1604,7 +1604,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*/ */
ok = 1; ok = 1;
rule_p = rule_str; rule_p = rule_str;
- if (strncmp(rule_str,"DEFAULT",7) == 0) - if (strncmp(rule_str, "DEFAULT", 7) == 0) {
+ + if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
+ if (strncmp(rule_str,"DEFAULT_SUSE",12) == 0) + ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+ { + &head, &tail, ca_list);
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, + rule_p += 12;
+ &head, &tail, ca_list); + if (*rule_p == ':')
+ rule_p += 12; + rule_p++;
+ if (*rule_p == ':') + }
+ rule_p++; + else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
+ } ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+ &head, &tail, ca_list);
+ else if (strncmp(rule_str,"DEFAULT",7) == 0) rule_p += 7;
{ Index: openssl-1.0.2a/ssl/ssl.h
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
&head, &tail, ca_list);
Index: openssl-1.0.1g/ssl/ssl.h
=================================================================== ===================================================================
--- openssl-1.0.1g.orig/ssl/ssl.h --- openssl-1.0.2a.orig/ssl/ssl.h 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.1g/ssl/ssl.h +++ openssl-1.0.2a/ssl/ssl.h 2015-05-24 14:31:25.801726491 +0200
@@ -331,7 +331,10 @@ extern "C" { @@ -338,7 +338,12 @@ extern "C" {
/* The following cipher list is used by default. * The following cipher list is used by default. It also is substituted when
* It also is substituted when an application-defined cipher list string * an application-defined cipher list string starts with 'DEFAULT'.
* starts with 'DEFAULT'. */ */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW" -# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES" +# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
+#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ +
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ + "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA" + "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always +
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is * starts with a reasonable order, and all we have to do for DEFAULT is
* throwing out anonymous and unencrypted ciphersuites!

8
openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
View File

@ -1,8 +1,8 @@
Index: openssl-1.0.1f/test/testssl Index: openssl-1.0.2a/test/testssl
=================================================================== ===================================================================
--- openssl-1.0.1f.orig/test/testssl --- openssl-1.0.2a.orig/test/testssl 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.1f/test/testssl +++ openssl-1.0.2a/test/testssl 2015-05-24 14:06:02.038506053 +0200
@@ -136,6 +136,25 @@ for protocol in TLSv1.2 SSLv3; do @@ -138,6 +138,25 @@ for protocol in TLSv1.2 SSLv3; do
done done
done done

184
openssl-1.0.1e-fips-ctor.patch
View File

@ -1,184 +0,0 @@
Index: openssl-1.0.1e/crypto/fips/fips.c
===================================================================
--- openssl-1.0.1e.orig/crypto/fips/fips.c
+++ openssl-1.0.1e/crypto/fips/fips.c
@@ -60,6 +60,8 @@
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
#include "fips_locl.h"
#ifdef OPENSSL_FIPS
@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
return hex;
}
-#define HMAC_PREFIX "."
-#define HMAC_SUFFIX ".hmac"
+#define HMAC_PREFIX "."
+#ifndef HMAC_SUFFIX
+#define HMAC_SUFFIX ".hmac"
+#endif
#define READ_BUFFER_LENGTH 16384
static char *
@@ -279,19 +283,13 @@ end:
}
static int
-FIPSCHECK_verify(const char *libname, const char *symbolname)
+FIPSCHECK_verify(const char *path)
{
- char path[PATH_MAX+1];
- int rv;
+ int rv = 0;
FILE *hf;
char *hmacpath, *p;
char *hmac = NULL;
size_t n;
-
- rv = get_library_path(libname, symbolname, path, sizeof(path));
-
- if (rv < 0)
- return 0;
hmacpath = make_hmac_path(path);
if (hmacpath == NULL)
@@ -341,6 +339,53 @@ end:
return 1;
}
+static int
+verify_checksums(void)
+ {
+ int rv;
+ char path[PATH_MAX+1];
+ char *p;
+
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
+ are in the same directory */
+
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ return 0;
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+
+ /* replace libcrypto with libssl */
+ while ((p = strstr(path, "libcrypto.so")) != NULL)
+ {
+ p = stpcpy(p, "libssl");
+ memmove(p, p+3, strlen(p+2));
+ }
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+ return 1;
+ }
+
+#ifndef FIPS_MODULE_PATH
+#define FIPS_MODULE_PATH "/etc/system-fips"
+#endif
+
+int
+FIPS_module_installed(void)
+ {
+ int rv;
+ rv = access(FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ /* Installed == true */
+ return !rv;
+ }
+
int FIPS_module_mode_set(int onoff, const char *auth)
{
int ret = 0;
@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
}
#endif
- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
- {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
+ if(!verify_checksums())
{
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1;
Index: openssl-1.0.1e/crypto/fips/fips.h
===================================================================
--- openssl-1.0.1e.orig/crypto/fips/fips.h
+++ openssl-1.0.1e/crypto/fips/fips.h
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
int FIPS_module_mode_set(int onoff, const char *auth);
int FIPS_module_mode(void);
+int FIPS_module_installed(void);
const void *FIPS_rand_check(void);
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
Index: openssl-1.0.1e/crypto/o_init.c
===================================================================
--- openssl-1.0.1e.orig/crypto/o_init.c
+++ openssl-1.0.1e/crypto/o_init.c
@@ -70,6 +70,9 @@ static void init_fips_mode(void)
{
char buf[2] = "0";
int fd;
+
+ /* Ensure the selftests always run */
+ FIPS_mode_set(1);
if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
{
@@ -85,9 +88,15 @@ static void init_fips_mode(void)
* otherwise.
*/
- if (buf[0] == '1')
+ if (buf[0] != '1')
+ {
+ /* drop down to non-FIPS mode if it is not requested */
+ FIPS_mode_set(0);
+ }
+ else
{
- FIPS_mode_set(1);
+ /* abort if selftest failed */
+ FIPS_selftest_check();
}
}
#endif
@@ -96,13 +105,19 @@ static void init_fips_mode(void)
* Currently only sets FIPS callbacks
*/
-void OPENSSL_init_library(void)
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
static int done = 0;
if (done)
return;
done = 1;
#ifdef OPENSSL_FIPS
+ /* this should be an option, comment it, temporarily */
+ /* if (!FIPS_module_installed())
+ {
+ return;
+ }
+ */
RAND_init_fips();
init_fips_mode();
if (!FIPS_mode())

1960
openssl-1.0.1e-fips-ec.patch
View File

File diff suppressed because it is too large Load Diff

20595
openssl-1.0.1e-fips.patch
View File

File diff suppressed because it is too large Load Diff

1115
openssl-1.0.1e-new-fips-reqs.patch
View File

File diff suppressed because it is too large Load Diff

20
openssl-1.0.1e-truststore.diff
View File

@ -1,15 +1,15 @@
Don't use the legacy /etc/ssl/certs directory anymore but rather the Don't use the legacy /etc/ssl/certs directory anymore but rather the
p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
Index: openssl-1.0.1e/crypto/cryptlib.h Index: openssl-1.0.2a/crypto/cryptlib.h
=================================================================== ===================================================================
--- openssl-1.0.1e.orig/crypto/cryptlib.h --- openssl-1.0.2a.orig/crypto/cryptlib.h 2015-04-03 22:09:06.993805968 +0200
+++ openssl-1.0.1e/crypto/cryptlib.h +++ openssl-1.0.2a/crypto/cryptlib.h 2015-04-03 22:10:12.867717257 +0200
@@ -81,7 +81,7 @@ extern "C" { @@ -81,7 +81,7 @@ extern "C" {
#ifndef OPENSSL_SYS_VMS # ifndef OPENSSL_SYS_VMS
#define X509_CERT_AREA OPENSSLDIR # define X509_CERT_AREA OPENSSLDIR
-#define X509_CERT_DIR OPENSSLDIR "/certs" -# define X509_CERT_DIR OPENSSLDIR "/certs"
+#define X509_CERT_DIR "/var/lib/ca-certificates/openssl" +# define X509_CERT_DIR "/var/lib/ca-certificates/openssl"
#define X509_CERT_FILE OPENSSLDIR "/cert.pem" # define X509_CERT_FILE OPENSSLDIR "/cert.pem"
#define X509_PRIVATE_DIR OPENSSLDIR "/private" # define X509_PRIVATE_DIR OPENSSLDIR "/private"
#else # else

3
openssl-1.0.1k.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c
size 4434910

11
openssl-1.0.1k.tar.gz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJUro4+AAoJENnE0m0OYESRdWQH/0h7DRno0VcesRBkHE0S8zyt
DNbIyJ2QwyhFw3yKvUcau2qP6DCAi+6Fcs/MONRI6uRAN7NWxsROBstkjIVEWLq/
fvhF27QWGCEUB9iYIk00dOtISGpUBuB0e5goOH5Gyb89c10wPkDa5ZLpAavZxzne
BFdfXQU624nt8D4k2Can9JIme3QCr6LgxVQhbU7pmXQN+dFOv8Bza9Fnm5sfo2fP
MDZNOIJusCpu15lSyJdoKpkCFy2OaQrDw6h/VAWfHENdklbkWJtCsJIV5zL6OlWn
2+6hABhE0ErmS3ax9uhWbDW9/Z0fz6WLSRGuWOVHb1ighzOj7K4WgTdMILcINQg=
=kQEU
-----END PGP SIGNATURE-----

94
openssl-1.0.2a-default-paths.patch Normal file
View File

@ -0,0 +1,94 @@
diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c
--- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200
@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv)
SSL_CTX_set_verify(ctx, verify, verify_callback);
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
- ssl_ctx_add_crls(ctx, crls, crl_download);
- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
- goto end;
-
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL) {
tlsextcbp.biodebug = bio_err;
diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200
@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[])
}
#endif
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
+
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[])
else
SSL_CTX_sess_set_cache_size(ctx2, 128);
- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2))) {
+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
ERR_print_errors(bio_err);
}
if (vpm)
diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c
--- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200
+++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
if (tm_cipher == NULL)

177
openssl-1.0.2a-fips-ctor.patch Normal file
View File

@ -0,0 +1,177 @@
Index: openssl-1.0.2a/crypto/fips/fips.c
===================================================================
--- openssl-1.0.2a.orig/crypto/fips/fips.c 2015-05-24 14:39:51.970094778 +0200
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-05-24 14:39:53.342114740 +0200
@@ -60,6 +60,8 @@
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
#include "fips_locl.h"
#ifdef OPENSSL_FIPS
@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
}
# define HMAC_PREFIX "."
-# define HMAC_SUFFIX ".hmac"
+# ifndef HMAC_SUFFIX
+# define HMAC_SUFFIX ".hmac"
+# endif
# define READ_BUFFER_LENGTH 16384
static char *make_hmac_path(const char *origpath)
@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
return rv;
}
-static int FIPSCHECK_verify(const char *libname, const char *symbolname)
+static int FIPSCHECK_verify(const char *path)
{
- char path[PATH_MAX + 1];
- int rv;
+ int rv = 0;
FILE *hf;
char *hmacpath, *p;
char *hmac = NULL;
size_t n;
- rv = get_library_path(libname, symbolname, path, sizeof(path));
-
- if (rv < 0)
- return 0;
-
hmacpath = make_hmac_path(path);
if (hmacpath == NULL)
return 0;
@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
return 1;
}
+static int verify_checksums(void)
+{
+ int rv;
+ char path[PATH_MAX + 1];
+ char *p;
+
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
+ are in the same directory */
+
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
+ "FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ return 0;
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+
+ /* replace libcrypto with libssl */
+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
+ p = stpcpy(p, "libssl");
+ memmove(p, p + 3, strlen(p + 2));
+ }
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+ return 1;
+}
+
+# ifndef FIPS_MODULE_PATH
+# define FIPS_MODULE_PATH "/etc/system-fips"
+# endif
+
+int FIPS_module_installed(void)
+{
+ int rv;
+ rv = access(FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ /* Installed == true */
+ return !rv;
+}
+
int FIPS_module_mode_set(int onoff, const char *auth)
{
int ret = 0;
@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
}
# endif
- if (!FIPSCHECK_verify
- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
- if (!FIPSCHECK_verify
- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
+ if (!verify_checksums()) {
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1;
Index: openssl-1.0.2a/crypto/fips/fips.h
===================================================================
--- openssl-1.0.2a.orig/crypto/fips/fips.h 2015-05-24 14:39:51.971094793 +0200
+++ openssl-1.0.2a/crypto/fips/fips.h 2015-05-24 14:39:53.343114755 +0200
@@ -74,6 +74,7 @@ extern "C" {
int FIPS_module_mode_set(int onoff, const char *auth);
int FIPS_module_mode(void);
+ int FIPS_module_installed(void);
const void *FIPS_rand_check(void);
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
Index: openssl-1.0.2a/crypto/o_init.c
===================================================================
--- openssl-1.0.2a.orig/crypto/o_init.c 2015-05-24 14:39:51.971094793 +0200
+++ openssl-1.0.2a/crypto/o_init.c 2015-05-24 14:40:19.351493153 +0200
@@ -72,6 +72,9 @@ static void init_fips_mode(void)
char buf[2] = "0";
int fd;
+ /* Ensure the selftests always run */
+ FIPS_mode_set(1);
+
if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
buf[0] = '1';
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
@@ -83,8 +86,12 @@ static void init_fips_mode(void)
* otherwise..
*/
- if (buf[0] == '1') {
- FIPS_mode_set(1);
+ if (buf[0] != '1') {
+ /* drop down to non-FIPS mode if it is not requested */
+ FIPS_mode_set(0);
+ } else {
+ /* abort if selftest failed */
+ FIPS_selftest_check();
}
}
#endif
@@ -94,13 +101,16 @@ static void init_fips_mode(void)
* sets FIPS callbacks
*/
-void OPENSSL_init_library(void)
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
static int done = 0;
if (done)
return;
done = 1;
#ifdef OPENSSL_FIPS
+ if (!FIPS_module_installed()) {
+ return;
+ }
RAND_init_fips();
init_fips_mode();
if (!FIPS_mode()) {

1936
openssl-1.0.2a-fips-ec.patch Normal file
View File

File diff suppressed because it is too large Load Diff

13792
openssl-1.0.2a-fips.patch Normal file
View File

File diff suppressed because it is too large Load Diff

525
openssl-1.0.2a-ipv6-apps.patch Normal file
View File

@ -0,0 +1,525 @@
diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
--- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
+++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
-int do_server(int port, int type, int *ret,
+int do_server(char *port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype,
unsigned char *context), unsigned char *context,
int naccept);
@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
int ssl_print_curves(BIO *out, SSL *s, int noshared);
#endif
int ssl_print_tmp_key(BIO *out, SSL *s);
-int init_client(int *sock, char *server, int port, int type);
+int init_client(int *sock, char *server, char *port, int type);
int should_retry(int i);
int extract_port(char *str, short *port_ptr);
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
- short *p);
+int extract_host_port(char *str, char **host_ptr, char **port_ptr);
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
--- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
int cbuf_len, cbuf_off;
int sbuf_len, sbuf_off;
fd_set readfds, writefds;
- short port = PORT;
+ char *port_str = PORT_STR;
int full_log = 1;
char *host = SSL_HOST_NAME;
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
} else if (strcmp(*argv, "-port") == 0) {
if (--argc < 1)
goto bad;
- port = atoi(*(++argv));
- if (port == 0)
- goto bad;
+ port_str = *(++argv);
} else if (strcmp(*argv, "-connect") == 0) {
if (--argc < 1)
goto bad;
- if (!extract_host_port(*(++argv), &host, NULL, &port))
+ if (!extract_host_port(*(++argv), &host, &port_str))
goto bad;
} else if (strcmp(*argv, "-verify") == 0) {
verify = SSL_VERIFY_PEER;
@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
re_start:
- if (init_client(&s, host, port, socket_type) == 0) {
+ if (init_client(&s, host, port_str, socket_type) == 0) {
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
SHUTDOWN(s);
goto end;
diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
{
X509_VERIFY_PARAM *vpm = NULL;
int badarg = 0;
- short port = PORT;
+ char *port_str = PORT_STR;
char *CApath = NULL, *CAfile = NULL;
char *chCApath = NULL, *chCAfile = NULL;
char *vfyCApath = NULL, *vfyCAfile = NULL;
@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
if (--argc < 1)
goto bad;
- if (!extract_port(*(++argv), &port))
+ port_str = *(++argv);
+ if (port_str == NULL || *port_str == '\0')
goto bad;
} else if (strcmp(*argv, "-naccept") == 0) {
if (--argc < 1)
@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);
if (rev)
- do_server(port, socket_type, &accept_socket, rev_body, context,
+ do_server(port_str, socket_type, &accept_socket, rev_body, context,
naccept);
else if (www)
- do_server(port, socket_type, &accept_socket, www_body, context,
+ do_server(port_str, socket_type, &accept_socket, www_body, context,
naccept);
else
- do_server(port, socket_type, &accept_socket, sv_body, context,
+ do_server(port_str, socket_type, &accept_socket, sv_body, context,
naccept);
print_stats(bio_s_out, ctx);
ret = 0;
diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
--- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
static void ssl_sock_cleanup(void);
# endif
static int ssl_sock_init(void);
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
-static int init_server(int *sock, int port, int type);
-static int init_server_long(int *sock, int port, char *ip, int type);
+static int init_server(int *sock, char *port, int type);
static int do_accept(int acc_sock, int *sock, char **host);
static int host_ip(char *str, unsigned char ip[4]);
@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
return (1);
}
-int init_client(int *sock, char *host, int port, int type)
+int init_client(int *sock, char *host, char *port, int type)
{
- unsigned char ip[4];
-
- memset(ip, '\0', sizeof ip);
- if (!host_ip(host, &(ip[0])))
- return 0;
- return init_client_ip(sock, ip, port, type);
-}
-
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
-{
- unsigned long addr;
- struct sockaddr_in them;
- int s, i;
+ struct addrinfo *res, *res0, hints;
+ char *failed_call = NULL;
+ int s;
+ int e;
if (!ssl_sock_init())
return (0);
- memset((char *)&them, 0, sizeof(them));
- them.sin_family = AF_INET;
- them.sin_port = htons((unsigned short)port);
- addr = (unsigned long)
- ((unsigned long)ip[0] << 24L) |
- ((unsigned long)ip[1] << 16L) |
- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
- them.sin_addr.s_addr = htonl(addr);
-
- if (type == SOCK_STREAM)
- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* ( type == SOCK_DGRAM) */
- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-
- if (s == INVALID_SOCKET) {
- perror("socket");
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_ADDRCONFIG;
+
+ e = getaddrinfo(host, port, &hints, &res);
+ if (e) {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
return (0);
}
+
+ res0 = res;
+ while (res) {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET) {
+ failed_call = "socket";
+ goto nextres;
+ }
# if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
- if (type == SOCK_STREAM) {
- i = 0;
- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
- if (i < 0) {
- closesocket(s);
- perror("keepalive");
- return (0);
+ if (type == SOCK_STREAM) {
+ int i = 0;
+ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
+ (char *)&i, sizeof(i));
+ if (i < 0) {
+ failed_call = "keepalive";
+ goto nextres;
+ }
}
- }
# endif
-
- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
- closesocket(s);
- perror("connect");
- return (0);
+ if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {
+ freeaddrinfo(res0);
+ *sock = s;
+ return (1);
+ }
+
+ failed_call = "socket";
+ nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
}
- *sock = s;
- return (1);
+ freeaddrinfo(res0);
+ closesocket(s);
+
+ perror(failed_call);
+ return (0);
}
-int do_server(int port, int type, int *ret,
+int do_server(char *port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype,
unsigned char *context), unsigned char *context,
int naccept)
@@ -328,69 +327,89 @@ int do_server(int port, int type, int *r
}
}
-static int init_server_long(int *sock, int port, char *ip, int type)
+static int init_server(int *sock, char *port, int type)
{
- int ret = 0;
- struct sockaddr_in server;
- int s = -1;
+ struct addrinfo *res, *res0 = NULL, hints;
+ char *failed_call = NULL;
+ int s = INVALID_SOCKET;
+ int e;
if (!ssl_sock_init())
return (0);
- memset((char *)&server, 0, sizeof(server));
- server.sin_family = AF_INET;
- server.sin_port = htons((unsigned short)port);
- if (ip == NULL)
- server.sin_addr.s_addr = INADDR_ANY;
- else
-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
-# ifndef BIT_FIELD_LIMITS
- memcpy(&server.sin_addr.s_addr, ip, 4);
-# else
- memcpy(&server.sin_addr, ip, 4);
-# endif
-
- if (type == SOCK_STREAM)
- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* type == SOCK_DGRAM */
- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_family = AF_INET6;
+ tryipv4:
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE;
+
+ e = getaddrinfo(NULL, port, &hints, &res);
+ if (e) {
+ if (hints.ai_family == AF_INET) {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ } else
+ res = NULL;
+ }
- if (s == INVALID_SOCKET)
- goto err;
+ res0 = res;
+ while (res) {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET) {
+ failed_call = "socket";
+ goto nextres;
+ }
+ if (hints.ai_family == AF_INET6) {
+ int j = 0;
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&j, sizeof j);
+ }
# if defined SOL_SOCKET && defined SO_REUSEADDR
- {
- int j = 1;
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
- }
-# endif
- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
-# ifndef OPENSSL_SYS_WINDOWS
- perror("bind");
+ {
+ int j = 1;
+ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
+ }
# endif
- goto err;
+
+ if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) {
+ failed_call = "bind";
+ goto nextres;
+ }
+ if (type == SOCK_STREAM && listen(s, 128) == -1) {
+ failed_call = "listen";
+ goto nextres;
+ }
+
+ *sock = s;
+ return (1);
+
+ nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
}
- /* Make it 128 for linux */
- if (type == SOCK_STREAM && listen(s, 128) == -1)
- goto err;
- *sock = s;
- ret = 1;
- err:
- if ((ret == 0) && (s != -1)) {
- SHUTDOWN(s);
+ if (res0)
+ freeaddrinfo(res0);
+
+ if (s == INVALID_SOCKET) {
+ if (hints.ai_family == AF_INET6) {
+ hints.ai_family = AF_INET;
+ goto tryipv4;
+ }
+ perror("socket");
+ return (0);
}
- return (ret);
-}
-static int init_server(int *sock, int port, int type)
-{
- return (init_server_long(sock, port, NULL, type));
+ perror(failed_call);
+ return (0);
}
static int do_accept(int acc_sock, int *sock, char **host)
{
+ static struct sockaddr_storage from;
+ char buffer[NI_MAXHOST];
int ret;
- struct hostent *h1, *h2;
- static struct sockaddr_in from;
int len;
/* struct linger ling; */
@@ -432,134 +451,60 @@ static int do_accept(int acc_sock, int *
ling.l_onoff=1;
ling.l_linger=0;
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
- if (i < 0) { perror("linger"); return(0); }
+ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
i=0;
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
- if (i < 0) { perror("keepalive"); return(0); }
+ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
*/
if (host == NULL)
goto end;
-# ifndef BIT_FIELD_LIMITS
- /* I should use WSAAsyncGetHostByName() under windows */
- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
- sizeof(from.sin_addr.s_addr), AF_INET);
-# else
- h1 = gethostbyaddr((char *)&from.sin_addr,
- sizeof(struct in_addr), AF_INET);
-# endif
- if (h1 == NULL) {
- BIO_printf(bio_err, "bad gethostbyaddr\n");
+
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
+ buffer, sizeof(buffer), NULL, 0, 0)) {
+ BIO_printf(bio_err, "getnameinfo failed\n");
*host = NULL;
/* return(0); */
} else {
- if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
+ if ((*host = (char *)OPENSSL_malloc(strlen(buffer) + 1)) == NULL) {
perror("OPENSSL_malloc");
closesocket(ret);
return (0);
}
- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
-
- h2 = GetHostByName(*host);
- if (h2 == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- closesocket(ret);
- return (0);
- }
- if (h2->h_addrtype != AF_INET) {
- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
- closesocket(ret);
- return (0);
- }
+ strcpy(*host, buffer);
}
end:
*sock = ret;
return (1);
}
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
- short *port_ptr)
+int extract_host_port(char *str, char **host_ptr, char **port_ptr)
{
- char *h, *p;
+ char *h, *p, *x;
- h = str;
- p = strchr(str, ':');
+ x = h = str;
+ if (*h == '[') {
+ h++;
+ p = strchr(h, ']');
+ if (p == NULL) {
+ BIO_printf(bio_err, "no ending bracket for IPv6 address\n");
+ return (0);
+ }
+ *(p++) = '\0';
+ x = p;
+ }
+ p = strchr(x, ':');
if (p == NULL) {
BIO_printf(bio_err, "no port defined\n");
return (0);
}
*(p++) = '\0';
- if ((ip != NULL) && !host_ip(str, ip))
- goto err;
if (host_ptr != NULL)
*host_ptr = h;
+ if (port_ptr != NULL)
+ *port_ptr = p;
- if (!extract_port(p, port_ptr))
- goto err;
- return (1);
- err:
- return (0);
-}
-
-static int host_ip(char *str, unsigned char ip[4])
-{
- unsigned int in[4];
- int i;
-
- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
- 4) {
- for (i = 0; i < 4; i++)
- if (in[i] > 255) {
- BIO_printf(bio_err, "invalid IP address\n");
- goto err;
- }
- ip[0] = in[0];
- ip[1] = in[1];
- ip[2] = in[2];
- ip[3] = in[3];
- } else { /* do a gethostbyname */
- struct hostent *he;
-
- if (!ssl_sock_init())
- return (0);
-
- he = GetHostByName(str);
- if (he == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- goto err;
- }
- /* cast to short because of win16 winsock definition */
- if ((short)he->h_addrtype != AF_INET) {
- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
- return (0);
- }
- ip[0] = he->h_addr_list[0][0];
- ip[1] = he->h_addr_list[0][1];
- ip[2] = he->h_addr_list[0][2];
- ip[3] = he->h_addr_list[0][3];
- }
- return (1);
- err:
- return (0);
-}
-
-int extract_port(char *str, short *port_ptr)
-{
- int i;
- struct servent *s;
-
- i = atoi(str);
- if (i != 0)
- *port_ptr = (unsigned short)i;
- else {
- s = getservbyname(str, "tcp");
- if (s == NULL) {
- BIO_printf(bio_err, "getservbyname failure for %s\n", str);
- return (0);
- }
- *port_ptr = ntohs((unsigned short)s->s_port);
- }
return (1);
}

1400
openssl-1.0.2a-new-fips-reqs.patch Normal file
View File

File diff suppressed because it is too large Load Diff

198
openssl-1.0.2a-padlock64.patch Normal file
View File

@ -0,0 +1,198 @@
diff -up openssl-1.0.2a/engines/e_padlock.c.padlock64 openssl-1.0.2a/engines/e_padlock.c
--- openssl-1.0.2a/engines/e_padlock.c.padlock64 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/engines/e_padlock.c 2015-04-22 16:23:44.105617468 +0200
@@ -101,7 +101,10 @@
*/
# undef COMPILE_HW_PADLOCK
# if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+# if (defined(__GNUC__) && __GNUC__>=2 && \
+ (defined(__i386__) || defined(__i386) || \
+ defined(__x86_64__) || defined(__x86_64)) \
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
# endif
@@ -140,7 +143,7 @@ void ENGINE_load_padlock(void)
# endif
# elif defined(__GNUC__)
# ifndef alloca
-# define alloca(s) __builtin_alloca(s)
+# define alloca(s) __builtin_alloca((s))
# endif
# endif
@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_da
* =======================================================
*/
# if defined(__GNUC__) && __GNUC__>=2
+# if defined(__i386__) || defined(__i386)
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
@@ -379,22 +383,6 @@ static int padlock_available(void)
return padlock_use_ace + padlock_use_rng;
}
-# ifndef OPENSSL_NO_AES
-# ifndef AES_ASM
-/* Our own htonl()/ntohl() */
-static inline void padlock_bswapl(AES_KEY *ks)
-{
- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
- unsigned int *key = ks->rd_key;
-
- while (i--) {
- asm volatile ("bswapl %0":"+r" (*key));
- key++;
- }
-}
-# endif
-# endif
-
/*
* Force key reload from memory to the CPU microcode. Loading EFLAGS from the
* stack clears EFLAGS[30] which does the trick.
@@ -404,7 +392,7 @@ static inline void padlock_reload_key(vo
asm volatile ("pushfl; popfl");
}
-# ifndef OPENSSL_NO_AES
+# ifndef OPENSSL_NO_AES
/*
* This is heuristic key context tracing. At first one
* believes that one should use atomic swap instructions,
@@ -448,6 +436,101 @@ static inline void *name(size_t cnt,
: "edx", "cc", "memory"); \
return iv; \
}
+# endif
+
+# elif defined(__x86_64__) || defined(__x86_64)
+
+/* Load supported features of the CPU to see if
+ the PadLock is available. */
+static int padlock_available(void)
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
+
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
+ asm volatile ("cpuid\n"
+ "movl %%ebx,(%1)\n"
+ "movl %%edx,4(%1)\n"
+ "movl %%ecx,8(%1)\n":"+a" (eax):"r"(vendor_string):"rbx",
+ "rcx", "rdx");
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
+ return 0;
+
+ /* Check for Centaur Extended Feature Flags presence */
+ eax = 0xC0000000;
+ asm volatile ("cpuid":"+a" (eax)::"rbx", "rcx", "rdx");
+ if (eax < 0xC0000001)
+ return 0;
+
+ /* Read the Centaur Extended Feature Flags */
+ eax = 0xC0000001;
+ asm volatile ("cpuid":"+a" (eax), "=d"(edx)::"rbx", "rcx");
+
+ /* Fill up some flags */
+ padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
+ padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
+
+ return padlock_use_ace + padlock_use_rng;
+}
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
+static inline void padlock_reload_key(void)
+{
+ asm volatile ("pushfq; popfq");
+}
+
+# ifndef OPENSSL_NO_AES
+/*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+ * but it's not actually necessary. Point is that if
+ * padlock_saved_context was changed by another thread
+ * after we've read it and before we compare it with cdata,
+ * our key *shall* be reloaded upon thread context switch
+ * and we are therefore set in either case...
+ */
+static inline void padlock_verify_context(struct padlock_cipher_data *cdata)
+{
+ asm volatile ("pushfq\n"
+ " btl $30,(%%rsp)\n"
+ " jnc 1f\n"
+ " cmpq %2,%1\n"
+ " je 1f\n"
+ " popfq\n"
+ " subq $8,%%rsp\n"
+ "1: addq $8,%%rsp\n"
+ " movq %2,%0":"+m" (padlock_saved_context)
+ :"r"(padlock_saved_context), "r"(cdata):"cc");
+}
+
+/* Template for padlock_xcrypt_* modes */
+/* BIG FAT WARNING:
+ * The offsets used with 'leal' instructions
+ * describe items of the 'padlock_cipher_data'
+ * structure.
+ */
+# define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
+static inline void *name(size_t cnt, \
+ struct padlock_cipher_data *cdata, \
+ void *out, const void *inp) \
+{ void *iv; \
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
+ " leaq 32(%0),%%rbx\n" \
+ rep_xcrypt "\n" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
+ : "rbx", "rdx", "cc", "memory"); \
+ return iv; \
+}
+# endif
+
+# endif /* cpu */
+
+# ifndef OPENSSL_NO_AES
/* Generate all functions with appropriate opcodes */
/* rep xcryptecb */
@@ -458,6 +541,20 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, "
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
/* rep xcryptofb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
+
+# ifndef AES_ASM
+/* Our own htonl()/ntohl() */
+static inline void padlock_bswapl(AES_KEY *ks)
+{
+ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+ unsigned int *key = ks->rd_key;
+
+ while (i--) {
+ asm volatile ("bswapl %0":"+r" (*key));
+ key++;
+ }
+}
+# endif
# endif
/* The RNG call itself */
static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
@@ -485,8 +582,8 @@ static inline unsigned int padlock_xstor
static inline unsigned char *padlock_memcpy(void *dst, const void *src,
size_t n)
{
- long *d = dst;
- const long *s = src;
+ size_t *d = dst;
+ const size_t *s = src;
n /= sizeof(*d);
do {

3
openssl-1.0.2a.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a
size 5262089

11
openssl-1.0.2a.tar.gz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJVCs+pAAoJENnE0m0OYESRFCAH+gLn6G4l1HY1R6agC3WYf8Xj
iTUFCJnwHN1jSgF9edLxASDS5DJ9kstEu1xyswdJT4jumFusxgnrDkqorN0K50Xe
PlflZyRdr8Fkg9M3pYkRZ7hxvZszmdx53hnuYTZ5m4C/8EUd12icAHhho8M0ks+E
rT1VfVKfX7iD9MIgLJ+9ZVGWUdUH/1RsQPPEWPWed5TCQUmilvm6Ygz2LsTKYQSQ
TOvhCMCnWl6gVrc3o0AlrgHRL01dq6kMwNSnvC09Iby/C3N+b7VbOG3sZU/xTO/M
YhqFJOjGYk5W1SFJ4PNpM504sPo2N6uJ8pCgSa3chcqfvzSjFgKzAqI9CHv8BD4=
=mSK1
-----END PGP SIGNATURE-----

40
openssl-CVE-2015-0209.patch
View File

@ -1,40 +0,0 @@
commit 89117535f1bb3ea72a17933b703271587d7aaf0b
Author: Matt Caswell <matt@openssl.org>
Date: Mon Feb 9 11:38:41 2015 +0000
Fix a failure to NULL a pointer freed on error.
Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>
CVE-2015-0209
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Index: openssl-1.0.1k/crypto/ec/ec_asn1.c
===================================================================
--- openssl-1.0.1k.orig/crypto/ec/ec_asn1.c 2015-03-19 15:58:22.021039425 +0100
+++ openssl-1.0.1k/crypto/ec/ec_asn1.c 2015-03-19 15:58:26.431103852 +0100
@@ -1142,8 +1142,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
ERR_R_MALLOC_FAILURE);
goto err;
}
- if (a)
- *a = ret;
}
else
ret = *a;
@@ -1225,11 +1223,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
ret->enc_flag |= EC_PKEY_NO_PUBKEY;
}
+ if (a)
+ *a = ret;
ok = 1;
err:
if (!ok)
{
- if (ret)
+ if (ret && (a == NULL || *a != ret))
EC_KEY_free(ret);
ret = NULL;
}

28
openssl-CVE-2015-0286.patch
View File

@ -1,28 +0,0 @@
commit ee5a1253285e5c9f406c8b57b0686319b70c07d8
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Mon Mar 9 23:11:45 2015 +0000
Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.
CVE-2015-0286
Reviewed-by: Richard Levitte <levitte@openssl.org>
Index: openssl-1.0.1i/crypto/asn1/a_type.c
===================================================================
--- openssl-1.0.1i.orig/crypto/asn1/a_type.c 2015-03-17 14:15:18.832332902 +0100
+++ openssl-1.0.1i/crypto/asn1/a_type.c 2015-03-17 14:15:19.738346161 +0100
@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
case V_ASN1_OBJECT:
result = OBJ_cmp(a->value.object, b->value.object);
break;
+ case V_ASN1_BOOLEAN:
+ result = a->value.boolean - b->value.boolean;
+ break;
case V_ASN1_NULL:
result = 0; /* They do not have content. */
break;

85
openssl-CVE-2015-0287.patch
View File

@ -1,85 +0,0 @@
commit 1a87b757b9f755f687492f6b9f685be8e0cd82b0
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Mon Feb 23 12:57:50 2015 +0000
Free up passed ASN.1 structure if reused.
Change the "reuse" behaviour in ASN1_item_d2i: if successful the old
structure is freed and a pointer to the new one used. If it is not
successful then the passed structure is untouched.
Exception made for primitive types so ssl_asn1.c still works.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
commit a9f34a7aac5fd89f33a34fb71e954b85fbf35875
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Mon Feb 23 02:32:44 2015 +0000
Free up ADB and CHOICE if already initialised.
CVE-2015-0287
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Index: openssl-1.0.1i/crypto/asn1/tasn_dec.c
===================================================================
--- openssl-1.0.1i.orig/crypto/asn1/tasn_dec.c 2015-03-17 13:18:26.732161376 +0100
+++ openssl-1.0.1i/crypto/asn1/tasn_dec.c 2015-03-17 13:22:20.424576154 +0100
@@ -311,9 +317,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
- /* Allocate structure */
- if (!*pval && !ASN1_item_ex_new(pval, it))
- {
+ if (*pval) {
+ /* Free up and zero CHOICE value if initialised */
+ i = asn1_get_choice_selector(pval, it);
+ if ((i >= 0) && (i < it->tcount)) {
+ tt = it->templates + i;
+ pchptr = asn1_get_field_ptr(pval, tt);
+ ASN1_template_free(pchptr, tt);
+ asn1_set_choice_selector(pval, -1, it);
+ }
+ } else if (!ASN1_item_ex_new(pval, it)) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
@@ -407,6 +420,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
+ /* Free up and zero any ADB found */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+ if (tt->flags & ASN1_TFLG_ADB_MASK) {
+ const ASN1_TEMPLATE *seqtt;
+ ASN1_VALUE **pseqval;
+ seqtt = asn1_do_adb(pval, tt, 1);
+ pseqval = asn1_get_field_ptr(pval, seqtt);
+ ASN1_template_free(pseqval, seqtt);
+ }
+ }
+
/* Get each field entry */
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
{
Index: openssl-1.0.1i/doc/crypto/d2i_X509.pod
===================================================================
--- openssl-1.0.1i.orig/doc/crypto/d2i_X509.pod 2015-03-17 13:18:26.731161362 +0100
+++ openssl-1.0.1i/doc/crypto/d2i_X509.pod 2015-03-17 13:18:52.046531518 +0100
@@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts
persist if they are not present in the new one. As a result the use
of this "reuse" behaviour is strongly discouraged.
+Current versions of OpenSSL will not modify B<*px> if an error occurs.
+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
+set to the value of the newly decoded structure. As a result B<*px>
+B<must not> be allocated on the stack or an attempt will be made to
+free an invalid pointer.
+
i2d_X509() will not return an error in many versions of OpenSSL,
if mandatory fields are not initialized due to a programming error
then the encoded structure may contain invalid data or omit the

25
openssl-CVE-2015-0288.patch
View File

@ -1,25 +0,0 @@
commit 51527f1e3564f210e984fe5b654c45d34e4f03d7
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Wed Feb 18 00:34:59 2015 +0000
Check public key is not NULL.
CVE-2015-0288
PR#3708
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 28a00bcd8e318da18031b2ac8778c64147cd54f9)
Index: openssl-1.0.1i/crypto/x509/x509_req.c
===================================================================
--- openssl-1.0.1i.orig/crypto/x509/x509_req.c 2015-03-17 13:22:30.712726374 +0100
+++ openssl-1.0.1i/crypto/x509/x509_req.c 2015-03-17 13:23:20.486453016 +0100
@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_
goto err;
pktmp = X509_get_pubkey(x);
+ if (pktmp == NULL)
+ goto err;
i=X509_REQ_set_pubkey(ret,pktmp);
EVP_PKEY_free(pktmp);
if (!i) goto err;

191
openssl-CVE-2015-0289.patch
View File

@ -1,191 +0,0 @@
commit d3d52c73544bba800c2a8f5ef3376358158cf2ca
Author: Emilia Kasper <emilia@openssl.org>
Date: Fri Feb 27 16:52:23 2015 +0100
PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.
This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.
Correcting all low-level API calls requires further work.
CVE-2015-0289
Thanks to Michal Zalewski (Google) for reporting this issue.
Reviewed-by: Steve Henson <steve@openssl.org>
Index: openssl-1.0.1i/crypto/pkcs7/pk7_doit.c
===================================================================
--- openssl-1.0.1i.orig/crypto/pkcs7/pk7_doit.c 2015-03-17 13:23:33.961649688 +0100
+++ openssl-1.0.1i/crypto/pkcs7/pk7_doit.c 2015-03-17 13:34:34.445347342 +0100
@@ -272,6 +272,25 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
PKCS7_RECIP_INFO *ri=NULL;
ASN1_OCTET_STRING *os=NULL;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+ /*
+ * The content field in the PKCS7 ContentInfo is optional, but that really
+ * only applies to inner content (precisely, detached signatures).
+ *
+ * When reading content, missing outer content is therefore treated as an
+ * error.
+ *
+ * When creating content, PKCS7_content_new() must be called before
+ * calling this method, so a NULL p7->d is always an error.
+ */
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
@@ -433,6 +452,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
unsigned char *ek = NULL, *tkey = NULL;
int eklen = 0, tkeylen = 0;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
@@ -752,6 +781,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
ASN1_OCTET_STRING *os=NULL;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
EVP_MD_CTX_init(&ctx_tmp);
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
@@ -796,6 +835,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
/* If detached data then the content is excluded */
if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
p7->d.sign->contents->d.data = NULL;
}
break;
@@ -806,6 +846,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
{
M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
p7->d.digest->contents->d.data = NULL;
}
break;
@@ -878,24 +919,31 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
}
- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
- {
- char *cont;
- long contlen;
- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
- if (btmp == NULL)
- {
- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
- goto err;
- }
- contlen = BIO_get_mem_data(btmp, &cont);
- /* Mark the BIO read only then we can use its copy of the data
- * instead of making an extra copy.
- */
- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
- BIO_set_mem_eof_return(btmp, 0);
- ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
- }
+ if (!PKCS7_is_detached(p7)) {
+ /*
+ * NOTE(emilia): I think we only reach os == NULL here because detached
+ * digested data support is broken.
+ */
+ if (os == NULL)
+ goto err;
+ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
+ char *cont;
+ long contlen;
+ btmp = BIO_find_type(bio, BIO_TYPE_MEM);
+ if (btmp == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+ goto err;
+ }
+ contlen = BIO_get_mem_data(btmp, &cont);
+ /*
+ * Mark the BIO read only then we can use its copy of the data
+ * instead of making an extra copy.
+ */
+ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
+ BIO_set_mem_eof_return(btmp, 0);
+ ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
+ }
+ }
ret=1;
err:
EVP_MD_CTX_cleanup(&ctx_tmp);
@@ -971,6 +1019,16 @@ int PKCS7_dataVerify(X509_STORE *cert_st
STACK_OF(X509) *cert;
X509 *x509;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
if (PKCS7_type_is_signed(p7))
{
cert=p7->d.sign->cert;
Index: openssl-1.0.1i/crypto/pkcs7/pk7_lib.c
===================================================================
--- openssl-1.0.1i.orig/crypto/pkcs7/pk7_lib.c 2015-03-17 13:23:37.451700626 +0100
+++ openssl-1.0.1i/crypto/pkcs7/pk7_lib.c 2015-03-17 13:36:01.708627632 +0100
@@ -71,6 +71,7 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long
switch (cmd)
{
+ /* NOTE(emilia): does not support detached digested data. */
case PKCS7_OP_SET_DETACHED_SIGNATURE:
if (nid == NID_pkcs7_signed)
{
@@ -459,6 +460,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
{
+ if (p7 == NULL || p7->d.ptr == NULL)
+ return NULL;
if (PKCS7_type_is_signed(p7))
{
return(p7->d.sign->signer_info);

124
openssl-CVE-2015-0293.patch
View File

@ -1,124 +0,0 @@
commit a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2
Author: Emilia Kasper <emilia@openssl.org>
Date: Wed Mar 4 09:05:02 2015 -0800
Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.
Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.
CVE-2015-0293
This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Index: openssl-1.0.1i/ssl/s2_lib.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s2_lib.c 2015-03-17 14:05:13.745459798 +0100
+++ openssl-1.0.1i/ssl/s2_lib.c 2015-03-17 14:05:14.763474757 +0100
@@ -487,7 +487,7 @@ int ssl2_generate_key_material(SSL *s)
OPENSSL_assert(s->session->master_key_length >= 0
&& s->session->master_key_length
- < (int)sizeof(s->session->master_key));
+ <= (int)sizeof(s->session->master_key));
EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
EVP_DigestUpdate(&ctx,&c,1);
c++;
Index: openssl-1.0.1i/ssl/s2_srvr.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s2_srvr.c 2015-03-17 14:05:13.721459445 +0100
+++ openssl-1.0.1i/ssl/s2_srvr.c 2015-03-17 14:07:43.262655766 +0100
@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s)
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
return(-1);
}
- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
is_export=SSL_C_IS_EXPORT(s->session->cipher);
@@ -467,21 +464,59 @@ static int get_client_master_key(SSL *s)
else
ek=5;
+ /*
+ * The format of the CLIENT-MASTER-KEY message is
+ * 1 byte message type
+ * 3 bytes cipher
+ * 2-byte clear key length (stored in s->s2->tmp.clear)
+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
+ * 2-byte key args length (IV etc)
+ * clear key
+ * encrypted key
+ * key args
+ *
+ * If the cipher is an export cipher, then the encrypted key bytes
+ * are a fixed portion of the total key (5 or 8 bytes). The size of
+ * this portion is in |ek|. If the cipher is not an export cipher,
+ * then the entire key material is encrypted (i.e., clear key length
+ * must be zero).
+ */
+ if ((!is_export && s->s2->tmp.clear != 0) ||
+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+ return -1;
+ }
+ /*
+ * The encrypted blob must decrypt to the encrypted portion of the key.
+ * Decryption can't be expanding, so if we don't have enough encrypted
+ * bytes to fit the key in the buffer, stop now.
+ */
+ if ((is_export && s->s2->tmp.enc < ek) ||
+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+ return -1;
+ }
+
+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+ &(p[s->s2->tmp.clear]),
+ &(p[s->s2->tmp.clear]),
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
+ RSA_PKCS1_PADDING);
+
/* bad decrypt */
#if 1
/* If a bad decrypt, continue with protocol but with a
* random master secret (Bleichenbacher attack) */
- if ((i < 0) ||
- ((!is_export && (i != EVP_CIPHER_key_length(c)))
- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
- (unsigned int)EVP_CIPHER_key_length(c))))))
- {
+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+ || (is_export && i != ek))) {
ERR_clear_error();
if (is_export)
i=ek;
else
i=EVP_CIPHER_key_length(c);
- if (RAND_pseudo_bytes(p,i) <= 0)
+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
return 0;
}
#else
@@ -505,7 +540,8 @@ static int get_client_master_key(SSL *s)
}
#endif
- if (is_export) i+=s->s2->tmp.clear;
+ if (is_export)
+ i = EVP_CIPHER_key_length(c);
if (i > SSL_MAX_MASTER_KEY_LENGTH)
{

16
openssl-fips-hidden.patch
View File

@ -1,5 +1,7 @@
--- openssl-1.0.1g.orig/crypto/fips/fips_rand_lcl.h Index: openssl-1.0.2a/crypto/fips/fips_rand_lcl.h
+++ openssl-1.0.1g/crypto/fips/fips_rand_lcl.h ===================================================================
--- openssl-1.0.2a.orig/crypto/fips/fips_rand_lcl.h 2015-05-24 13:18:49.460282194 +0200
+++ openssl-1.0.2a/crypto/fips/fips_rand_lcl.h 2015-05-24 13:42:20.793812240 +0200
@@ -51,6 +51,8 @@ @@ -51,6 +51,8 @@
* ==================================================================== * ====================================================================
*/ */
@ -9,17 +11,19 @@
typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
@@ -217,3 +219,5 @@ const struct evp_cipher_st *FIPS_get_cip @@ -211,3 +213,5 @@ const struct evp_cipher_st *FIPS_get_cip
#define FIPS_digestupdate EVP_DigestUpdate #define FIPS_digestupdate EVP_DigestUpdate
#define FIPS_digestfinal EVP_DigestFinal #define FIPS_digestfinal EVP_DigestFinal
#define M_EVP_MD_size EVP_MD_size #define M_EVP_MD_size EVP_MD_size
+ +
+#pragma GCC visibility pop +#pragma GCC visibility pop
--- openssl-1.0.1g.orig/crypto/fips/fips_rsa_x931g.c Index: openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c
+++ openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c ===================================================================
--- openssl-1.0.2a.orig/crypto/fips/fips_rsa_x931g.c 2015-05-24 13:18:49.461282208 +0200
+++ openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c 2015-05-24 13:42:20.793812240 +0200
@@ -65,7 +65,7 @@ @@ -65,7 +65,7 @@
#ifdef OPENSSL_FIPS #ifdef OPENSSL_FIPS
#include <openssl/fips.h> # include <openssl/fips.h>
-extern int fips_check_rsa(RSA *rsa); -extern int fips_check_rsa(RSA *rsa);
+extern int fips_check_rsa(RSA *rsa) __attribute__ ((visibility ("hidden"))); +extern int fips_check_rsa(RSA *rsa) __attribute__ ((visibility ("hidden")));

34
openssl-fix-pod-syntax.diff
View File

@ -59,10 +59,10 @@ Content-Length: 12835
doc/ssl/SSL_write.pod | 2 +- doc/ssl/SSL_write.pod | 2 +-
23 files changed, 59 insertions(+), 55 deletions(-) 23 files changed, 59 insertions(+), 55 deletions(-)
Index: openssl-1.0.1h/doc/apps/ts.pod Index: openssl-1.0.2a/doc/apps/ts.pod
=================================================================== ===================================================================
--- openssl-1.0.1h.orig/doc/apps/ts.pod --- openssl-1.0.2a.orig/doc/apps/ts.pod 2015-04-03 22:07:02.024077520 +0200
+++ openssl-1.0.1h/doc/apps/ts.pod +++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-03 22:07:04.830116325 +0200
@@ -58,19 +58,19 @@ time. Here is a brief description of the @@ -58,19 +58,19 @@ time. Here is a brief description of the
=over 4 =over 4
@ -86,32 +86,10 @@ Index: openssl-1.0.1h/doc/apps/ts.pod
The TSA client receives the time stamp token and verifies the The TSA client receives the time stamp token and verifies the
signature on it. It also checks if the token contains the same hash signature on it. It also checks if the token contains the same hash
Index: openssl-1.0.1h/doc/crypto/OPENSSL_ia32cap.pod Index: openssl-1.0.2a/doc/crypto/rand.pod
=================================================================== ===================================================================
--- openssl-1.0.1h.orig/doc/crypto/OPENSSL_ia32cap.pod --- openssl-1.0.2a.orig/doc/crypto/rand.pod 2015-04-03 22:07:02.025077534 +0200
+++ openssl-1.0.1h/doc/crypto/OPENSSL_ia32cap.pod +++ openssl-1.0.2a/doc/crypto/rand.pod 2015-04-03 22:07:04.830116325 +0200
@@ -20,6 +20,8 @@ toolkit initialization, but can be manip
crypto library behaviour. For the moment of this writing six bits are
significant, namely:
+=over 4
+
1. bit #28 denoting Hyperthreading, which is used to distiguish
cores with shared cache;
2. bit #26 denoting SSE2 support;
@@ -29,6 +31,8 @@ significant, namely:
pathes;
6. bit #4 denoting presence of Time-Stamp Counter.
+=back
+
For example, clearing bit #26 at run-time disables high-performance
SSE2 code present in the crypto library. You might have to do this if
target OpenSSL application is executed on SSE2 capable CPU, but under
Index: openssl-1.0.1h/doc/crypto/rand.pod
===================================================================
--- openssl-1.0.1h.orig/doc/crypto/rand.pod
+++ openssl-1.0.1h/doc/crypto/rand.pod
@@ -74,16 +74,16 @@ First up I will state the things I belie @@ -74,16 +74,16 @@ First up I will state the things I belie
=over 4 =over 4

13
openssl-fix_invalid_manpage_name.patch Normal file
View File

@ -0,0 +1,13 @@
Index: openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod
===================================================================
--- openssl-1.0.2a.orig/doc/ssl/SSL_CTX_use_serverinfo.pod 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod 2015-05-29 11:33:45.390463069 +0200
@@ -2,7 +2,7 @@
=head1 NAME
-SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file
+SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - load serverinfo
=head1 SYNOPSIS

41
openssl-gcc-attributes.patch
View File

@ -1,19 +1,23 @@
--- openssl-1.0.1g.orig/crypto/cryptlib.h Index: openssl-1.0.2a/crypto/cryptlib.h
+++ openssl-1.0.1g/crypto/cryptlib.h ===================================================================
--- openssl-1.0.2a.orig/crypto/cryptlib.h 2015-05-24 13:18:57.391397563 +0200
+++ openssl-1.0.2a/crypto/cryptlib.h 2015-05-24 13:21:21.703498853 +0200
@@ -100,7 +100,7 @@ extern "C" { @@ -100,7 +100,7 @@ extern "C" {
void OPENSSL_cpuid_setup(void); void OPENSSL_cpuid_setup(void);
extern unsigned int OPENSSL_ia32cap_P[]; extern unsigned int OPENSSL_ia32cap_P[];
-void OPENSSL_showfatal(const char *fmta,...); -void OPENSSL_showfatal(const char *fmta, ...);
+void OPENSSL_showfatal(const char *fmta,...) __attribute__ ((format (printf, 1, 2))); +void OPENSSL_showfatal(const char *fmta, ...) __attribute__ ((format (printf, 1, 2)));
void *OPENSSL_stderr(void); void *OPENSSL_stderr(void);
extern int OPENSSL_NONPIC_relocated; extern int OPENSSL_NONPIC_relocated;
--- openssl-1.0.1g.orig/crypto/crypto.h Index: openssl-1.0.2a/crypto/crypto.h
+++ openssl-1.0.1g/crypto/crypto.h ===================================================================
@@ -487,15 +487,15 @@ void CRYPTO_get_mem_debug_functions(void --- openssl-1.0.2a.orig/crypto/crypto.h 2015-05-24 13:18:57.391397563 +0200
void (**so)(long), +++ openssl-1.0.2a/crypto/crypto.h 2015-05-24 13:23:15.110150336 +0200
long (**go)(void)); @@ -529,15 +529,15 @@ void CRYPTO_get_mem_debug_functions(void
void (**f) (void *, int),
void (**so) (long), long (**go) (void));
-void *CRYPTO_malloc_locked(int num, const char *file, int line); -void *CRYPTO_malloc_locked(int num, const char *file, int line);
+void *CRYPTO_malloc_locked(int num, const char *file, int line) __attribute__((alloc_size(1))); +void *CRYPTO_malloc_locked(int num, const char *file, int line) __attribute__((alloc_size(1)));
@ -22,24 +26,13 @@
+void *CRYPTO_malloc(int num, const char *file, int line) __attribute__((alloc_size(1))); +void *CRYPTO_malloc(int num, const char *file, int line) __attribute__((alloc_size(1)));
char *CRYPTO_strdup(const char *str, const char *file, int line); char *CRYPTO_strdup(const char *str, const char *file, int line);
void CRYPTO_free(void *ptr); void CRYPTO_free(void *ptr);
-void *CRYPTO_realloc(void *addr,int num, const char *file, int line); -void *CRYPTO_realloc(void *addr, int num, const char *file, int line);
+void *CRYPTO_realloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2))); +void *CRYPTO_realloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2)));
void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, void *CRYPTO_realloc_clean(void *addr, int old_num, int num, const char *file,
- int line); - int line);
-void *CRYPTO_remalloc(void *addr,int num, const char *file, int line); -void *CRYPTO_remalloc(void *addr, int num, const char *file, int line);
+ int line) __attribute__((alloc_size(3))); + int line) __attribute__((alloc_size(3)));
+void *CRYPTO_remalloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2))); +void *CRYPTO_remalloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2)));
void OPENSSL_cleanse(void *ptr, size_t len); void OPENSSL_cleanse(void *ptr, size_t len);
--- openssl-1.0.1g.orig/crypto/buffer/buffer.h
+++ openssl-1.0.1g/crypto/buffer/buffer.h
@@ -87,7 +87,7 @@ int BUF_MEM_grow(BUF_MEM *str, size_t le
int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
char * BUF_strdup(const char *str);
char * BUF_strndup(const char *str, size_t siz);
-void * BUF_memdup(const void *data, size_t siz);
+void * BUF_memdup(const void *data, size_t siz) __attribute__((alloc_size(2)));
void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
/* safe string functions */

11
openssl-libssl-noweakciphers.patch
View File

@ -1,11 +0,0 @@
--- openssl-1.0.1g.orig/ssl/ssl.h
+++ openssl-1.0.1g/ssl/ssl.h
@@ -331,7 +331,7 @@ extern "C" {
/* The following cipher list is used by default.
* It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
* throwing out anonymous and unencrypted ciphersuites!

15
openssl-missing_FIPS_ec_group_new_by_curve_name.patch Normal file
View File

@ -0,0 +1,15 @@
Index: openssl-1.0.2a/crypto/ec/ec_curve.c
===================================================================
--- openssl-1.0.2a.orig/crypto/ec/ec_curve.c 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/crypto/ec/ec_curve.c 2015-05-24 15:52:09.058151058 +0200
@@ -3162,10 +3162,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
size_t i;
EC_GROUP *ret = NULL;
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return FIPS_ec_group_new_by_curve_name(nid);
-#endif
if (nid <= 0)
return NULL;

10
openssl-no-egd.patch
View File

@ -1,5 +1,7 @@
--- openssl-1.0.1g.orig/crypto/rand/rand_egd.c Index: openssl-1.0.2a/crypto/rand/rand_egd.c
+++ openssl-1.0.1g/crypto/rand/rand_egd.c ===================================================================
--- openssl-1.0.2a.orig/crypto/rand/rand_egd.c 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/rand/rand_egd.c 2015-05-24 13:42:06.277601355 +0200
@@ -95,7 +95,7 @@ @@ -95,7 +95,7 @@
* RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
*/ */
@ -7,5 +9,5 @@
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS) -#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS)
+#if defined(__linux__) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS) +#if defined(__linux__) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS)
int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
{ {
return(-1); return (-1);

305
openssl-ocloexec.patch
View File

@ -1,188 +1,187 @@
Index: crypto/bio/b_sock.c Index: crypto/bio/b_sock.c
=================================================================== ===================================================================
--- crypto/bio/b_sock.c.orig --- crypto/bio/b_sock.c.orig 2015-05-29 11:54:57.219659682 +0200
+++ crypto/bio/b_sock.c +++ crypto/bio/b_sock.c 2015-05-29 11:56:47.059884761 +0200
@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in @@ -723,7 +723,7 @@ int BIO_get_accept_socket(char *host, in
} }
again: again:
- s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); - s = socket(server.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+ s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); + s = socket(server.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
if (s == INVALID_SOCKET) if (s == INVALID_SOCKET) {
{ SYSerr(SYS_F_SOCKET, get_last_socket_error());
SYSerr(SYS_F_SOCKET,get_last_socket_error()); ERR_add_error_data(3, "port='", host, "'");
@@ -784,7 +784,7 @@ again: @@ -765,7 +765,7 @@ int BIO_get_accept_socket(char *host, in
} } else
else goto err; goto err;
} }
- cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); - cs = socket(client.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+ cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); + cs = socket(client.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
if (cs != INVALID_SOCKET) if (cs != INVALID_SOCKET) {
{ int ii;
int ii; ii = connect(cs, &client.sa, addrlen);
@@ -866,7 +866,7 @@ int BIO_accept(int sock, char **addr) @@ -847,7 +847,7 @@ int BIO_accept(int sock, char **addr)
sa.len.s=0; sa.len.s = 0;
sa.len.i=sizeof(sa.from); sa.len.i = sizeof(sa.from);
memset(&sa.from,0,sizeof(sa.from)); memset(&sa.from, 0, sizeof(sa.from));
- ret=accept(sock,&sa.from.sa,(void *)&sa.len); - ret = accept(sock, &sa.from.sa, (void *)&sa.len);
+ ret=accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC); + ret = accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC);
if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) if (sizeof(sa.len.i) != sizeof(sa.len.s) && sa.len.i == 0) {
{ OPENSSL_assert(sa.len.s <= sizeof(sa.from));
OPENSSL_assert(sa.len.s<=sizeof(sa.from)); sa.len.i = (int)sa.len.s;
Index: crypto/bio/bss_conn.c Index: crypto/bio/bss_conn.c
=================================================================== ===================================================================
--- crypto/bio/bss_conn.c.orig --- crypto/bio/bss_conn.c.orig 2015-05-29 11:54:57.219659682 +0200
+++ crypto/bio/bss_conn.c +++ crypto/bio/bss_conn.c 2015-05-29 11:57:45.668538446 +0200
@@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC @@ -195,7 +195,7 @@ static int conn_state(BIO *b, BIO_CONNEC
c->them.sin_addr.s_addr=htonl(l); c->them.sin_addr.s_addr = htonl(l);
c->state=BIO_CONN_S_CREATE_SOCKET; c->state = BIO_CONN_S_CREATE_SOCKET;
- ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); - ret = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+ ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); + ret = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
if (ret == INVALID_SOCKET) if (ret == INVALID_SOCKET) {
{ SYSerr(SYS_F_SOCKET, get_last_socket_error());
SYSerr(SYS_F_SOCKET,get_last_socket_error()); ERR_add_error_data(4, "host=", c->param_hostname,
Index: crypto/bio/bss_dgram.c Index: crypto/bio/bss_dgram.c
=================================================================== ===================================================================
--- crypto/bio/bss_dgram.c.orig --- crypto/bio/bss_dgram.c.orig 2015-05-29 11:54:57.221659705 +0200
+++ crypto/bio/bss_dgram.c +++ crypto/bio/bss_dgram.c 2015-05-29 13:29:42.463696425 +0200
@@ -1101,7 +1101,7 @@ static int dgram_sctp_read(BIO *b, char @@ -1176,7 +1176,7 @@ static int dgram_sctp_read(BIO *b, char
msg.msg_control = cmsgbuf; msg.msg_control = cmsgbuf;
msg.msg_controllen = 512; msg.msg_controllen = 512;
msg.msg_flags = 0; msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0); - n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (n <= 0) if (n <= 0) {
{ if (n < 0)
@@ -1688,7 +1688,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) @@ -1801,7 +1801,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
msg.msg_controllen = 0; msg.msg_controllen = 0;
msg.msg_flags = 0; msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, MSG_PEEK); - n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC); + n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
if (n <= 0) if (n <= 0) {
{ if ((n < 0) && (get_last_socket_error() != EAGAIN)
if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) && (get_last_socket_error() != EWOULDBLOCK))
@@ -1711,7 +1711,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) @@ -1823,7 +1823,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
msg.msg_controllen = 0; msg.msg_controllen = 0;
msg.msg_flags = 0; msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0); - n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (n <= 0) if (n <= 0) {
{ if ((n < 0) && (get_last_socket_error() != EAGAIN)
if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) && (get_last_socket_error() != EWOULDBLOCK))
@@ -1772,7 +1772,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) @@ -1888,7 +1888,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
fcntl(b->num, F_SETFL, O_NONBLOCK); fcntl(b->num, F_SETFL, O_NONBLOCK);
} }
- n = recvmsg(b->num, &msg, MSG_PEEK); - n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC); + n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
if (is_dry) if (is_dry) {
{ fcntl(b->num, F_SETFL, sockflags);
@@ -1816,7 +1816,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) @@ -1930,7 +1930,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
sockflags = fcntl(b->num, F_GETFL, 0); sockflags = fcntl(b->num, F_GETFL, 0);
fcntl(b->num, F_SETFL, O_NONBLOCK); fcntl(b->num, F_SETFL, O_NONBLOCK);
- n = recvmsg(b->num, &msg, MSG_PEEK); - n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC); + n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
fcntl(b->num, F_SETFL, sockflags); fcntl(b->num, F_SETFL, sockflags);
/* if notification, process and try again */ /* if notification, process and try again */
@@ -1837,7 +1837,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) @@ -1950,7 +1950,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
msg.msg_control = NULL; msg.msg_control = NULL;
msg.msg_controllen = 0; msg.msg_controllen = 0;
msg.msg_flags = 0; msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0); - n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (data->handle_notifications != NULL) if (data->handle_notifications != NULL)
data->handle_notifications(b, data->notification_context, (void*) &snp); data->handle_notifications(b, data->notification_context,
Index: crypto/bio/bss_file.c Index: crypto/bio/bss_file.c
=================================================================== ===================================================================
--- crypto/bio/bss_file.c.orig --- crypto/bio/bss_file.c.orig 2015-05-29 11:54:57.221659705 +0200
+++ crypto/bio/bss_file.c +++ crypto/bio/bss_file.c 2015-05-29 13:33:08.553070567 +0200
@@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename, @@ -119,6 +119,10 @@ BIO *BIO_new_file(const char *filename,
{ {
BIO *ret; BIO *ret;
FILE *file=NULL; FILE *file = NULL;
+ size_t modelen = strlen (mode); + size_t modelen = strlen (mode);
+ char newmode[modelen + 2]; + char newmode[modelen + 2];
+ +
+ memcpy (mempcpy (newmode, mode, modelen), "e", 2); + memcpy (mempcpy (newmode, mode, modelen), "e", 2);
#if defined(_WIN32) && defined(CP_UTF8) # if defined(_WIN32) && defined(CP_UTF8)
int sz, len_0 = (int)strlen(filename)+1; int sz, len_0 = (int)strlen(filename) + 1;
@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename, @@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename,
file = fopen(filename,mode); file = fopen(filename, mode);
} }
#else # else
- file=fopen(filename,mode); - file = fopen(filename, mode);
+ file=fopen(filename,newmode); + file = fopen(filename, newmode);
#endif # endif
if (file == NULL) if (file == NULL) {
{ SYSerr(SYS_F_FOPEN, get_last_sys_error());
@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b @@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
long ret=1; long ret = 1;
FILE *fp=(FILE *)b->ptr; FILE *fp = (FILE *)b->ptr;
FILE **fpp; FILE **fpp;
- char p[4]; - char p[4];
+ char p[5]; + char p[5];
switch (cmd) switch (cmd) {
{ case BIO_C_FILE_SEEK:
@@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b @@ -386,6 +390,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
else else
strcat(p,"t"); strcat(p, "t");
#endif # endif
+ strcat(p, "e"); + strcat(p, "e");
+ fp = fopen(ptr, p);
fp=fopen(ptr,p); if (fp == NULL) {
if (fp == NULL) SYSerr(SYS_F_FOPEN, get_last_sys_error());
{
Index: crypto/rand/rand_unix.c Index: crypto/rand/rand_unix.c
=================================================================== ===================================================================
--- crypto/rand/rand_unix.c.orig --- crypto/rand/rand_unix.c.orig 2015-05-29 11:54:57.222659716 +0200
+++ crypto/rand/rand_unix.c +++ crypto/rand/rand_unix.c 2015-05-29 13:36:11.270174218 +0200
@@ -262,7 +262,7 @@ int RAND_poll(void) @@ -269,7 +269,7 @@ int RAND_poll(void)
for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) &&
(n < ENTROPY_NEEDED); i++) for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
{ (n < ENTROPY_NEEDED); i++) {
- if ((fd = open(randomfiles[i], O_RDONLY - if ((fd = open(randomfiles[i], O_RDONLY
+ if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC + if ((fd = open(randomfiles[i], O_RDONLY|O_CLOEXEC
#ifdef O_NONBLOCK # ifdef O_NONBLOCK
|O_NONBLOCK | O_NONBLOCK
#endif # endif
Index: crypto/rand/randfile.c Index: crypto/rand/randfile.c
=================================================================== ===================================================================
--- crypto/rand/randfile.c.orig --- crypto/rand/randfile.c.orig 2015-05-29 11:54:57.222659716 +0200
+++ crypto/rand/randfile.c +++ crypto/rand/randfile.c 2015-05-29 13:37:38.156170674 +0200
@@ -137,7 +137,7 @@ int RAND_load_file(const char *file, lon @@ -147,7 +147,7 @@ int RAND_load_file(const char *file, lon
#ifdef OPENSSL_SYS_VMS #ifdef OPENSSL_SYS_VMS
in=vms_fopen(file,"rb",VMS_OPEN_ATTRS); in = vms_fopen(file, "rb", VMS_OPEN_ATTRS);
#else #else
- in=fopen(file,"rb"); - in = fopen(file, "rb");
+ in=fopen(file,"rbe"); + in = fopen(file, "rbe");
#endif #endif
if (in == NULL) goto err; if (in == NULL)
#if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO) goto err;
@@ -210,7 +210,7 @@ int RAND_write_file(const char *file) @@ -225,7 +225,7 @@ int RAND_write_file(const char *file)
#endif * chmod(..., 0600) is too late to protect the file, permissions
/* chmod(..., 0600) is too late to protect the file, * should be restrictive from the start
* permissions should be restrictive from the start */ */
- int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600); - int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600);
+ int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600); + int fd = open(file, O_WRONLY | O_CREAT | O_BINARY | O_CLOEXEC, 0600);
if (fd != -1) if (fd != -1)
out = fdopen(fd, "wb"); out = fdopen(fd, "wb");
} }
@@ -241,7 +241,7 @@ int RAND_write_file(const char *file) @@ -255,7 +255,7 @@ int RAND_write_file(const char *file)
out = vms_fopen(file,"wb",VMS_OPEN_ATTRS); out = vms_fopen(file, "wb", VMS_OPEN_ATTRS);
#else #else
if (out == NULL) if (out == NULL)
- out = fopen(file,"wb"); - out = fopen(file, "wb");
+ out = fopen(file,"wbe"); + out = fopen(file, "wbe");
#endif #endif
if (out == NULL) goto err; if (out == NULL)
goto err;

23
openssl-pkgconfig.patch
View File

@ -1,8 +1,8 @@
Index: openssl-1.0.1g/Makefile.org Index: openssl-1.0.2a/Makefile.org
=================================================================== ===================================================================
--- openssl-1.0.1g.orig/Makefile.org --- openssl-1.0.2a.orig/Makefile.org 2015-04-04 11:17:01.000155196 +0200
+++ openssl-1.0.1g/Makefile.org +++ openssl-1.0.2a/Makefile.org 2015-04-04 11:17:03.379188598 +0200
@@ -367,7 +367,7 @@ libcrypto.pc: Makefile @@ -368,7 +368,7 @@ libcrypto.pc: Makefile
echo 'Requires: '; \ echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lcrypto'; \ echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \ echo 'Libs.private: $(EX_LIBS)'; \
@ -11,21 +11,12 @@ Index: openssl-1.0.1g/Makefile.org
libssl.pc: Makefile libssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \ @ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -381,7 +381,7 @@ libssl.pc: Makefile @@ -382,7 +382,7 @@ libssl.pc: Makefile
echo 'Requires: '; \ echo 'Requires.private: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \ echo 'Libs: -L$${libdir} -lssl'; \
echo 'Libs.private: $(EX_LIBS)'; \ echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc - echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc + echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
openssl.pc: Makefile openssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \ @ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -395,7 +395,7 @@ openssl.pc: Makefile
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
Makefile: Makefile.org Configure config
@echo "Makefile is older than Makefile.org, Configure or config."

48
openssl.changes
View File

@ -1,3 +1,51 @@
-------------------------------------------------------------------
Sun May 24 12:13:14 UTC 2015 - vcizek@suse.com
- update to 1.0.2a
* Major changes since 1.0.1:
- Suite B support for TLS 1.2 and DTLS 1.2
- Support for DTLS 1.2
- TLS automatic EC curve selection.
- API to set TLS supported signature algorithms and curves
- SSL_CONF configuration API.
- TLS Brainpool support.
- ALPN support.
- CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
- packaging changes:
* merged patches modifying CIPHER_LIST into one, dropping:
- openssl-1.0.1e-add-suse-default-cipher-header.patch
- openssl-libssl-noweakciphers.patch
* fix a manpage with invalid name
- added openssl-fix_invalid_manpage_name.patch
* remove a missing fips function
- openssl-missing_FIPS_ec_group_new_by_curve_name.patch
* reimported patches from Fedora
dropped patches:
- openssl-1.0.1c-default-paths.patch
- openssl-1.0.1c-ipv6-apps.patch
- openssl-1.0.1e-fips-ctor.patch
- openssl-1.0.1e-fips-ec.patch
- openssl-1.0.1e-fips.patch
- openssl-1.0.1e-new-fips-reqs.patch
- VIA_padlock_support_on_64systems.patch
added patches:
- openssl-1.0.2a-default-paths.patch
- openssl-1.0.2a-fips-ctor.patch
- openssl-1.0.2a-fips-ec.patch
- openssl-1.0.2a-fips.patch
- openssl-1.0.2a-ipv6-apps.patch
- openssl-1.0.2a-new-fips-reqs.patch
- openssl-1.0.2a-padlock64.patch
* dropped security fixes (upstream)
- openssl-CVE-2015-0209.patch
- openssl-CVE-2015-0286.patch
- openssl-CVE-2015-0287.patch
- openssl-CVE-2015-0288.patch
- openssl-CVE-2015-0289.patch
- openssl-CVE-2015-0293.patch
* upstream reformatted the sources, so all the patches have to
be refreshed
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 19 14:26:01 UTC 2015 - vcizek@suse.com Thu Mar 19 14:26:01 UTC 2015 - vcizek@suse.com

53
openssl.spec
View File

@ -29,7 +29,7 @@ Provides: ssl
%ifarch ppc64 %ifarch ppc64
Obsoletes: openssl-64bit Obsoletes: openssl-64bit
%endif %endif
Version: 1.0.1k Version: 1.0.2a
Release: 0 Release: 0
Summary: Secure Sockets and Transport Layer Security Summary: Secure Sockets and Transport Layer Security
License: OpenSSL License: OpenSSL
@ -51,36 +51,29 @@ Patch2: bug610223.patch
%if 0%{?suse_version} >= 1120 %if 0%{?suse_version} >= 1120
Patch3: openssl-ocloexec.patch Patch3: openssl-ocloexec.patch
%endif %endif
Patch4: VIA_padlock_support_on_64systems.patch Patch4: openssl-1.0.2a-padlock64.patch
# PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049
Patch5: openssl-fix-pod-syntax.diff Patch5: openssl-fix-pod-syntax.diff
Patch6: openssl-1.0.1e-truststore.diff Patch6: openssl-1.0.1e-truststore.diff
Patch7: compression_methods_switch.patch Patch7: compression_methods_switch.patch
Patch8: 0005-libssl-Hide-library-private-symbols.patch Patch8: 0005-libssl-Hide-library-private-symbols.patch
Patch9: openssl-1.0.1c-default-paths.patch Patch9: openssl-1.0.2a-default-paths.patch
Patch10: openssl-pkgconfig.patch Patch10: openssl-pkgconfig.patch
# From Fedora openssl. Patch13: openssl-1.0.2a-ipv6-apps.patch
Patch13: openssl-1.0.1c-ipv6-apps.patch
Patch14: 0001-libcrypto-Hide-library-private-symbols.patch Patch14: 0001-libcrypto-Hide-library-private-symbols.patch
# FIPS patches: # FIPS patches:
Patch15: openssl-1.0.1e-fips.patch Patch15: openssl-1.0.2a-fips.patch
Patch16: openssl-1.0.1e-fips-ec.patch Patch16: openssl-1.0.2a-fips-ec.patch
Patch17: openssl-1.0.1e-fips-ctor.patch Patch17: openssl-1.0.2a-fips-ctor.patch
Patch18: openssl-1.0.1e-new-fips-reqs.patch Patch18: openssl-1.0.2a-new-fips-reqs.patch
Patch19: openssl-gcc-attributes.patch Patch19: openssl-gcc-attributes.patch
Patch21: openssl-libssl-noweakciphers.patch
Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
Patch33: openssl-no-egd.patch Patch33: openssl-no-egd.patch
Patch34: openssl-fips-hidden.patch Patch34: openssl-fips-hidden.patch
Patch35: openssl-1.0.1e-add-suse-default-cipher.patch Patch35: openssl-1.0.1e-add-suse-default-cipher.patch
Patch36: openssl-1.0.1e-add-suse-default-cipher-header.patch
Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
Patch52: openssl-CVE-2015-0209.patch Patch38: openssl-missing_FIPS_ec_group_new_by_curve_name.patch
Patch53: openssl-CVE-2015-0286.patch Patch39: openssl-fix_invalid_manpage_name.patch
Patch54: openssl-CVE-2015-0287.patch
Patch55: openssl-CVE-2015-0288.patch
Patch56: openssl-CVE-2015-0289.patch
Patch57: openssl-CVE-2015-0293.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -173,36 +166,30 @@ this package's base documentation.
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%if 0%{?suse_version} >= 1120
%patch3
%endif
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch13 -p1 %patch13 -p1
%patch14 -p1
%patch15 -p1 %patch15 -p1
%patch16 -p1 %patch16 -p1
%patch17 -p1 %patch17 -p1
%patch18 -p1 %patch18 -p1
%patch19 -p1 %patch19 -p1
%patch21 -p1
%patch26 -p1 %patch26 -p1
%patch33 -p1 %patch33 -p1
%patch34 -p1 %patch34 -p1
%patch35 -p1 %patch35 -p1
%patch36 -p1
%patch37 -p1 %patch37 -p1
%patch52 -p1 %patch38 -p1
%patch53 -p1 %patch39 -p1
%patch54 -p1 %if 0%{?suse_version} >= 1120
%patch55 -p1 %patch3
%patch56 -p1 %endif
%patch57 -p1 %patch8 -p1
%patch14 -p1
cp -p %{S:10} . cp -p %{S:10} .
cp -p %{S:11} . cp -p %{S:11} .
echo "adding/overwriting some entries in the 'table' hash in Configure" echo "adding/overwriting some entries in the 'table' hash in Configure"
@ -248,7 +235,7 @@ export MACHINE=armv5el
%ifarch armv6l armv6hl %ifarch armv6l armv6hl
export MACHINE=armv6l export MACHINE=armv6l
%endif %endif
./config --test-sanity ./config --test-sanity
# #
config_flags="threads shared no-rc5 no-idea \ config_flags="threads shared no-rc5 no-idea \
fips \ fips \
@ -486,7 +473,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
%files doc -f filelist.doc %files doc -f filelist.doc
%defattr(-, root, root) %defattr(-, root, root)
%doc doc/* demos %doc doc/* demos
%doc showciphers.c %doc showciphers.c
%files -f filelist %files -f filelist
%defattr(-, root, root) %defattr(-, root, root)