From 6a3418284aa8eb4648cb560c6fd9295fa4447e2e7fc18690ce6155a4498a38a3 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Wed, 14 May 2014 08:26:07 +0000 Subject: [PATCH] Accepting request 233553 from Base:System - Add upstream patches fixing coverity scan issues: * 0018-fix-coverity-issues-966593-966596.patch * 0020-Initialize-num-properly.patch * 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch * 0023-evp-prevent-underflow-in-base64-decoding.patch * 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch * 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch - Update 0001-libcrypto-Hide-library-private-symbols.patch to cover more private symbols, now 98% complete and probably not much more can be done to fix the rest of the ill-defined API. - openssl-fips-hidden.patch new, hides private symbols added by the FIPS patches. - openssl-no-egd.patch disable the EGD (entropy gathering daemon) interface, we have no EGD in the distro and obtaining entropy from a place other than /dev/*random, the hardware rng or the openSSL internal PRNG is an extremely bad & dangerous idea. - use secure_getenv instead of getenv everywhere. 
(forwarded request 233217 from elvigia) OBS-URL: https://build.opensuse.org/request/show/233553 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=117 --- ...bcrypto-Hide-library-private-symbols.patch | 281 ++++++++++++++---- 0018-fix-coverity-issues-966593-966596.patch | 26 ++ 0020-Initialize-num-properly.patch | 27 ++ ...ow-concurrent-BN_MONT_CTX_set_locked.patch | 85 ++++++ ...prevent-underflow-in-base64-decoding.patch | 30 ++ ...er-dereference-in-PKCS7_dataDecode-r.patch | 63 ++++ ...ue-966597-error-line-is-not-always-i.patch | 49 +++ openssl-fips-hidden.patch | 28 ++ openssl-no-egd.patch | 11 + openssl.changes | 25 ++ openssl.spec | 23 +- 11 files changed, 581 insertions(+), 67 deletions(-) create mode 100644 0018-fix-coverity-issues-966593-966596.patch create mode 100644 0020-Initialize-num-properly.patch create mode 100644 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch create mode 100644 0023-evp-prevent-underflow-in-base64-decoding.patch create mode 100644 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch create mode 100644 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch create mode 100644 openssl-fips-hidden.patch create mode 100644 openssl-no-egd.patch diff --git a/0001-libcrypto-Hide-library-private-symbols.patch b/0001-libcrypto-Hide-library-private-symbols.patch index c25529d..edec3f4 100644 --- a/0001-libcrypto-Hide-library-private-symbols.patch +++ b/0001-libcrypto-Hide-library-private-symbols.patch @@ -37,8 +37,6 @@ Subject: [PATCH] libcrypto: Hide library-private symbols crypto/x509v3/pcy_int.h | 3 +++ 31 files changed, 85 insertions(+), 17 deletions(-) -Index: openssl-1.0.1g/apps/Makefile -=================================================================== --- openssl-1.0.1g.orig/apps/Makefile +++ openssl-1.0.1g/apps/Makefile @@ -20,7 +20,7 @@ EXE_EXT= 
@@ -50,8 +48,6 @@ Index: openssl-1.0.1g/apps/Makefile GENERAL=Makefile makeapps.com install.com -Index: openssl-1.0.1g/crypto/asn1/asn1_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/asn1/asn1_locl.h +++ openssl-1.0.1g/crypto/asn1/asn1_locl.h @@ -58,6 +58,8 @@ @@ -69,8 +65,6 @@ Index: openssl-1.0.1g/crypto/asn1/asn1_locl.h }; + +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/bn/bn_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/bn/bn_lcl.h +++ openssl-1.0.1g/crypto/bn/bn_lcl.h @@ -483,6 +483,8 @@ extern "C" { @@ -91,8 +85,6 @@ Index: openssl-1.0.1g/crypto/bn/bn_lcl.h #ifdef __cplusplus } #endif -Index: openssl-1.0.1g/crypto/camellia/cmll_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/camellia/cmll_locl.h +++ openssl-1.0.1g/crypto/camellia/cmll_locl.h @@ -68,6 +68,8 @@ @@ -110,8 +102,6 @@ Index: openssl-1.0.1g/crypto/camellia/cmll_locl.h CAMELLIA_KEY *key); +#pragma GCC visibility pop #endif /* #ifndef HEADER_CAMELLIA_LOCL_H */ -Index: openssl-1.0.1g/crypto/cast/cast_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/cast/cast_lcl.h +++ openssl-1.0.1g/crypto/cast/cast_lcl.h @@ -217,6 +217,7 @@ @@ -127,8 +117,6 @@ Index: openssl-1.0.1g/crypto/cast/cast_lcl.h extern const CAST_LONG CAST_S_table6[256]; extern const CAST_LONG CAST_S_table7[256]; +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/cms/cms_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/cms/cms_lcl.h +++ openssl-1.0.1g/crypto/cms/cms_lcl.h @@ -426,6 +426,8 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerA 
@@ -150,8 +138,6 @@ Index: openssl-1.0.1g/crypto/cms/cms_lcl.h #ifdef __cplusplus } #endif -Index: openssl-1.0.1g/crypto/des/des_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/des/des_locl.h +++ openssl-1.0.1g/crypto/des/des_locl.h @@ -421,10 +421,12 @@ @@ -167,8 +153,6 @@ Index: openssl-1.0.1g/crypto/des/des_locl.h #ifdef OPENSSL_SMALL_FOOTPRINT #undef DES_UNROLL -Index: openssl-1.0.1g/crypto/dsa/dsa_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/dsa/dsa_locl.h +++ openssl-1.0.1g/crypto/dsa/dsa_locl.h @@ -57,4 +57,4 @@ @@ -177,8 +161,6 @@ Index: openssl-1.0.1g/crypto/dsa/dsa_locl.h unsigned char *seed_out, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); + int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) __attribute__ ((visibility ("hidden"))); -Index: openssl-1.0.1g/crypto/ec/ec_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ec/ec_lcl.h +++ openssl-1.0.1g/crypto/ec/ec_lcl.h @@ -88,6 +88,8 @@ @@ -196,8 +178,6 @@ Index: openssl-1.0.1g/crypto/ec/ec_lcl.h #endif + +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/ecdh/ech_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ecdh/ech_locl.h +++ openssl-1.0.1g/crypto/ecdh/ech_locl.h @@ -58,6 +58,8 @@ @@ -216,8 +196,6 @@ Index: openssl-1.0.1g/crypto/ecdh/ech_locl.h - +#pragma GCC visibility pop #endif /* HEADER_ECH_LOCL_H */ -Index: openssl-1.0.1g/crypto/ecdsa/ecs_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ecdsa/ecs_locl.h +++ openssl-1.0.1g/crypto/ecdsa/ecs_locl.h @@ -61,6 +61,8 @@ 
@@ -236,8 +214,6 @@ Index: openssl-1.0.1g/crypto/ecdsa/ecs_locl.h +#pragma GCC visibility pop + #endif /* HEADER_ECS_LOCL_H */ -Index: openssl-1.0.1g/crypto/engine/eng_int.h -=================================================================== --- openssl-1.0.1g.orig/crypto/engine/eng_int.h +++ openssl-1.0.1g/crypto/engine/eng_int.h @@ -68,6 +68,8 @@ @@ -256,8 +232,6 @@ Index: openssl-1.0.1g/crypto/engine/eng_int.h - +#pragma GCC visibility pop #endif /* HEADER_ENGINE_INT_H */ -Index: openssl-1.0.1g/crypto/engine/eng_rsax.c -=================================================================== --- openssl-1.0.1g.orig/crypto/engine/eng_rsax.c +++ openssl-1.0.1g/crypto/engine/eng_rsax.c @@ -262,7 +262,7 @@ static int mod_exp_pre_compute_data_512( @@ -269,8 +243,6 @@ Index: openssl-1.0.1g/crypto/engine/eng_rsax.c typedef struct st_e_rsax_mod_ctx { -Index: openssl-1.0.1g/crypto/evp/e_aes.c -=================================================================== --- openssl-1.0.1g.orig/crypto/evp/e_aes.c +++ openssl-1.0.1g/crypto/evp/e_aes.c @@ -108,6 +108,8 @@ typedef struct @@ -318,8 +290,6 @@ Index: openssl-1.0.1g/crypto/evp/e_aes.c static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { -Index: openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c -=================================================================== --- openssl-1.0.1g.orig/crypto/evp/e_aes_cbc_hmac_sha1.c +++ openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -97,6 +97,8 @@ typedef struct @@ -340,8 +310,6 @@ Index: openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, -Index: openssl-1.0.1g/crypto/evp/evp_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/evp/evp_locl.h +++ openssl-1.0.1g/crypto/evp/evp_locl.h @@ -263,6 +263,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void 
@@ -362,8 +330,6 @@ Index: openssl-1.0.1g/crypto/evp/evp_locl.h #ifdef OPENSSL_FIPS #ifdef OPENSSL_DOING_MAKEDEPEND -Index: openssl-1.0.1g/crypto/md4/md4_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/md4/md4_locl.h +++ openssl-1.0.1g/crypto/md4/md4_locl.h @@ -65,7 +65,7 @@ @@ -375,8 +341,6 @@ Index: openssl-1.0.1g/crypto/md4/md4_locl.h #define DATA_ORDER_IS_LITTLE_ENDIAN -Index: openssl-1.0.1g/crypto/md5/md5_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/md5/md5_locl.h +++ openssl-1.0.1g/crypto/md5/md5_locl.h @@ -74,7 +74,7 @@ @@ -388,8 +352,6 @@ Index: openssl-1.0.1g/crypto/md5/md5_locl.h #define DATA_ORDER_IS_LITTLE_ENDIAN -Index: openssl-1.0.1g/crypto/modes/modes_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/modes/modes_lcl.h +++ openssl-1.0.1g/crypto/modes/modes_lcl.h @@ -83,6 +83,8 @@ typedef unsigned char u8; @@ -407,8 +369,6 @@ Index: openssl-1.0.1g/crypto/modes/modes_lcl.h }; - +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/o_str.h -=================================================================== --- openssl-1.0.1g.orig/crypto/o_str.h +++ openssl-1.0.1g/crypto/o_str.h @@ -61,8 +61,12 @@ @@ -424,8 +384,6 @@ Index: openssl-1.0.1g/crypto/o_str.h +#pragma GCC visibility pop + #endif -Index: openssl-1.0.1g/crypto/o_time.h -=================================================================== --- openssl-1.0.1g.orig/crypto/o_time.h +++ openssl-1.0.1g/crypto/o_time.h @@ -61,7 +61,11 @@ @@ -440,8 +398,6 @@ Index: openssl-1.0.1g/crypto/o_time.h +#pragma GCC visibility pop + #endif -Index: openssl-1.0.1g/crypto/ripemd/rmd_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ripemd/rmd_locl.h +++ openssl-1.0.1g/crypto/ripemd/rmd_locl.h @@ -76,7 +76,7 @@ 
@@ -453,8 +409,6 @@ Index: openssl-1.0.1g/crypto/ripemd/rmd_locl.h #define DATA_ORDER_IS_LITTLE_ENDIAN -Index: openssl-1.0.1g/crypto/rsa/rsa_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/rsa/rsa_locl.h +++ openssl-1.0.1g/crypto/rsa/rsa_locl.h @@ -1,4 +1,4 @@ @@ -463,8 +417,6 @@ Index: openssl-1.0.1g/crypto/rsa/rsa_locl.h const unsigned char *sigbuf, size_t siglen, - RSA *rsa); + RSA *rsa) __attribute__ ((visibility ("hidden"))); -Index: openssl-1.0.1g/crypto/sha/sha256.c -=================================================================== --- openssl-1.0.1g.orig/crypto/sha/sha256.c +++ openssl-1.0.1g/crypto/sha/sha256.c @@ -110,7 +110,7 @@ int SHA224_Final (unsigned char *md, SHA @@ -476,8 +428,6 @@ Index: openssl-1.0.1g/crypto/sha/sha256.c #include "md32_common.h" -Index: openssl-1.0.1g/crypto/sha/sha512.c -=================================================================== --- openssl-1.0.1g.orig/crypto/sha/sha512.c +++ openssl-1.0.1g/crypto/sha/sha512.c @@ -94,7 +94,7 @@ fips_md_init(SHA512) @@ -489,8 +439,6 @@ Index: openssl-1.0.1g/crypto/sha/sha512.c int SHA512_Final (unsigned char *md, SHA512_CTX *c) { -Index: openssl-1.0.1g/crypto/sha/sha_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/sha/sha_locl.h +++ openssl-1.0.1g/crypto/sha/sha_locl.h @@ -108,7 +108,7 @@ static void sha_block_data_order (SHA_CT @@ -502,8 +450,6 @@ Index: openssl-1.0.1g/crypto/sha/sha_locl.h #else # error "Either SHA_0 or SHA_1 must be defined." -Index: openssl-1.0.1g/crypto/store/str_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/store/str_locl.h +++ openssl-1.0.1g/crypto/store/str_locl.h @@ -62,6 +62,8 @@ 
@@ -522,8 +468,6 @@ Index: openssl-1.0.1g/crypto/store/str_locl.h - +#pragma GCC visibility pop #endif -Index: openssl-1.0.1g/crypto/ui/ui_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ui/ui_locl.h +++ openssl-1.0.1g/crypto/ui/ui_locl.h @@ -66,6 +66,8 @@ @@ -542,8 +486,6 @@ Index: openssl-1.0.1g/crypto/ui/ui_locl.h - +#pragma GCC visibility pop #endif -Index: openssl-1.0.1g/crypto/whrlpool/wp_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/whrlpool/wp_locl.h +++ openssl-1.0.1g/crypto/whrlpool/wp_locl.h @@ -1,3 +1,3 @@ @@ -551,8 +493,6 @@ Index: openssl-1.0.1g/crypto/whrlpool/wp_locl.h -void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t); +void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t) __attribute__ ((visibility ("hidden"))); -Index: openssl-1.0.1g/crypto/x509v3/ext_dat.h -=================================================================== --- openssl-1.0.1g.orig/crypto/x509v3/ext_dat.h +++ openssl-1.0.1g/crypto/x509v3/ext_dat.h @@ -57,6 +57,8 @@ @@ -572,8 +512,6 @@ Index: openssl-1.0.1g/crypto/x509v3/ext_dat.h /* Number of standard extensions */ #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *)) -Index: openssl-1.0.1g/crypto/x509v3/pcy_int.h -=================================================================== --- openssl-1.0.1g.orig/crypto/x509v3/pcy_int.h +++ openssl-1.0.1g/crypto/x509v3/pcy_int.h @@ -56,6 +56,7 @@ 
@@ -590,10 +528,19 @@ Index: openssl-1.0.1g/crypto/x509v3/pcy_int.h const X509_POLICY_CACHE *policy_cache_set(X509 *x); + +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/modes/gcm128.c -=================================================================== --- openssl-1.0.1g.orig/crypto/modes/gcm128.c +++ openssl-1.0.1g/crypto/modes/gcm128.c +@@ -567,8 +567,8 @@ static void gcm_ghash_4bit(u64 Xi[2],con + } + #endif + #else +-void gcm_gmult_4bit(u64 Xi[2],const u128 Htable[16]); +-void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len); ++void gcm_gmult_4bit(u64 Xi[2],const u128 Htable[16]) __attribute__ ((visibility ("hidden"))); ++void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len) __attribute__ ((visibility ("hidden"))); + #endif + + #define GCM_MUL(ctx,Xi) gcm_gmult_4bit(ctx->Xi.u,ctx->Htable) @@ -651,9 +651,9 @@ static void gcm_gmult_1bit(u64 Xi[2],con # define GCM_FUNCREF_4BIT extern unsigned int OPENSSL_ia32cap_P[2]; @@ -607,8 +554,6 @@ Index: openssl-1.0.1g/crypto/modes/gcm128.c # if defined(__i386) || defined(__i386__) || defined(_M_IX86) # define GHASH_ASM_X86 -Index: openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c -=================================================================== --- openssl-1.0.1g.orig/crypto/evp/e_rc4_hmac_md5.c +++ openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c @@ -78,7 +78,7 @@ typedef struct 
@@ -620,3 +565,207 @@ Index: openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c #define data(ctx) ((EVP_RC4_HMAC_MD5 *)(ctx)->cipher_data) +--- openssl-1.0.1g.orig/crypto/cmac/cm_ameth.c ++++ openssl-1.0.1g/crypto/cmac/cm_ameth.c +@@ -73,6 +73,7 @@ static void cmac_key_free(EVP_PKEY *pkey + CMAC_CTX_free(cmctx); + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = + { + EVP_PKEY_CMAC, +--- openssl-1.0.1g.orig/crypto/evp/pmeth_lib.c ++++ openssl-1.0.1g/crypto/evp/pmeth_lib.c +@@ -70,7 +70,7 @@ + typedef int sk_cmp_fn_type(const char * const *a, const char * const *b); + + DECLARE_STACK_OF(EVP_PKEY_METHOD) +-STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; ++static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; + + extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth; + extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth; +--- openssl-1.0.1g.orig/crypto/cmac/cm_pmeth.c ++++ openssl-1.0.1g/crypto/cmac/cm_pmeth.c +@@ -188,6 +188,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C + return -2; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD cmac_pkey_meth = + { + EVP_PKEY_CMAC, +--- openssl-1.0.1g.orig/crypto/rand/md_rand.c ++++ openssl-1.0.1g/crypto/rand/md_rand.c +@@ -164,7 +164,7 @@ static int ssleay_rand_nopseudo_bytes(un + static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); + static int ssleay_rand_status(void); + +-RAND_METHOD rand_ssleay_meth={ ++static RAND_METHOD rand_ssleay_meth={ + ssleay_rand_seed, + ssleay_rand_nopseudo_bytes, + ssleay_rand_cleanup, +--- openssl-1.0.1g.orig/crypto/dh/dh_ameth.c ++++ openssl-1.0.1g/crypto/dh/dh_ameth.c +@@ -466,6 +466,7 @@ int DHparams_print(BIO *bp, const DH *x) + return do_dh_print(bp, x, 4, NULL, 0); + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD dh_asn1_meth = + { + EVP_PKEY_DH, +--- openssl-1.0.1g.orig/crypto/dh/dh_pmeth.c ++++ openssl-1.0.1g/crypto/dh/dh_pmeth.c +@@ -217,6 
+217,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + return 1; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD dh_pkey_meth = + { + EVP_PKEY_DH, +--- openssl-1.0.1g.orig/crypto/dsa/dsa_ameth.c ++++ openssl-1.0.1g/crypto/dsa/dsa_ameth.c +@@ -639,7 +639,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, + } + + /* NB these are sorted in pkey_id order, lowest first */ +- ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = + { + +--- openssl-1.0.1g.orig/crypto/dsa/dsa_pmeth.c ++++ openssl-1.0.1g/crypto/dsa/dsa_pmeth.c +@@ -281,6 +281,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX + return DSA_generate_key(pkey->pkey.dsa); + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD dsa_pkey_meth = + { + EVP_PKEY_DSA, +--- openssl-1.0.1g.orig/crypto/ec/ec_ameth.c ++++ openssl-1.0.1g/crypto/ec/ec_ameth.c +@@ -625,6 +625,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, + + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = + { + EVP_PKEY_EC, +--- openssl-1.0.1g.orig/crypto/ec/ec_pmeth.c ++++ openssl-1.0.1g/crypto/ec/ec_pmeth.c +@@ -304,6 +304,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * + return EC_KEY_generate_key(pkey->pkey.ec); + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD ec_pkey_meth = + { + EVP_PKEY_EC, +--- openssl-1.0.1g.orig/crypto/hmac/hm_ameth.c ++++ openssl-1.0.1g/crypto/hmac/hm_ameth.c +@@ -138,6 +138,7 @@ static int old_hmac_encode(const EVP_PKE + + #endif + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = + { + EVP_PKEY_HMAC, +--- openssl-1.0.1g.orig/crypto/hmac/hm_pmeth.c ++++ openssl-1.0.1g/crypto/hmac/hm_pmeth.c +@@ -235,6 +235,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C + return -2; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD hmac_pkey_meth = + { + EVP_PKEY_HMAC, +--- openssl-1.0.1g.orig/crypto/rsa/rsa_ameth.c ++++ openssl-1.0.1g/crypto/rsa/rsa_ameth.c +@@ 
-657,6 +657,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx + return 2; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = + { + { +--- openssl-1.0.1g.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.0.1g/crypto/rsa/rsa_pmeth.c +@@ -685,6 +685,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX + return ret; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD rsa_pkey_meth = + { + EVP_PKEY_RSA, +--- openssl-1.0.1g.orig/crypto/objects/obj_xref.c ++++ openssl-1.0.1g/crypto/objects/obj_xref.c +@@ -60,7 +60,7 @@ + #include "obj_xref.h" + + DECLARE_STACK_OF(nid_triple) +-STACK_OF(nid_triple) *sig_app, *sigx_app; ++static STACK_OF(nid_triple) *sig_app, *sigx_app; + + static int sig_cmp(const nid_triple *a, const nid_triple *b) + { +--- openssl-1.0.1g.orig/crypto/pem/pem_lib.c ++++ openssl-1.0.1g/crypto/pem/pem_lib.c +@@ -80,7 +80,7 @@ const char PEM_version[]="PEM" OPENSSL_V + + static int load_iv(char **fromp,unsigned char *to, int num); + static int check_pem(const char *nm, const char *name); +-int pem_check_suffix(const char *pem_str, const char *suffix); ++int pem_check_suffix(const char *pem_str, const char *suffix) __attribute__ ((visibility ("hidden"))); + + int PEM_def_callback(char *buf, int num, int w, void *key) + { +--- openssl-1.0.1g.orig/crypto/asn1/tasn_prn.c ++++ openssl-1.0.1g/crypto/asn1/tasn_prn.c +@@ -72,7 +72,7 @@ + + /* ASN1_PCTX routines */ + +-ASN1_PCTX default_pctx = ++static ASN1_PCTX default_pctx = + { + ASN1_PCTX_FLAGS_SHOW_ABSENT, /* flags */ + 0, /* nm_flags */ +--- openssl-1.0.1g.orig/crypto/bn/bn_exp.c ++++ openssl-1.0.1g/crypto/bn/bn_exp.c +@@ -684,11 +684,11 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr + { + void bn_mul_mont_gather5(BN_ULONG *rp,const BN_ULONG *ap, + const void *table,const BN_ULONG *np, +- const BN_ULONG *n0,int num,int power); ++ const BN_ULONG *n0,int num,int power) __attribute__ ((visibility ("hidden"))); + void bn_scatter5(const BN_ULONG *inp,size_t num, +- void 
*table,size_t power); ++ void *table,size_t power) __attribute__ ((visibility ("hidden"))); + void bn_gather5(BN_ULONG *out,size_t num, +- void *table,size_t power); ++ void *table,size_t power) __attribute__ ((visibility ("hidden"))); + + BN_ULONG *np=mont->N.d, *n0=mont->n0; + +--- openssl-1.0.1g.orig/crypto/bn/bn_gf2m.c ++++ openssl-1.0.1g/crypto/bn/bn_gf2m.c +@@ -220,7 +220,7 @@ static void bn_GF2m_mul_2x2(BN_ULONG *r, + r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */ + } + #else +-void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, BN_ULONG b0); ++void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, BN_ULONG b0) __attribute__ ((visibility ("hidden"))); + #endif + + /* Add polynomials a and b and store result in r; r could be a or b, a and b diff --git a/0018-fix-coverity-issues-966593-966596.patch b/0018-fix-coverity-issues-966593-966596.patch new file mode 100644 index 0000000..b069b17 --- /dev/null +++ b/0018-fix-coverity-issues-966593-966596.patch @@ -0,0 +1,26 @@ +From 7b7b18c57e899201338d91083bc49cc8c5a915fc Mon Sep 17 00:00:00 2001 +From: Tim Hudson +Date: Mon, 5 May 2014 06:41:22 +1000 +Subject: [PATCH 18/23] - fix coverity issues 966593-966596 + +--- + crypto/srp/srp_vfy.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c +index 4a3d13e..fdca19f 100644 +--- a/crypto/srp/srp_vfy.c ++++ b/crypto/srp/srp_vfy.c +@@ -93,6 +93,9 @@ static int t_fromb64(unsigned char *a, const char *src) + else a[i] = loc - b64table; + ++i; + } ++ /* if nothing valid to process we have a zero length response */ ++ if (i == 0) ++ return 0; + size = i; + i = size - 1; + j = size; +-- +1.8.4.5 + diff --git a/0020-Initialize-num-properly.patch b/0020-Initialize-num-properly.patch new file mode 100644 index 0000000..ca5e94a --- /dev/null +++ b/0020-Initialize-num-properly.patch 
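Review bot: In the `t_fromb64` hunk of 0018-fix-coverity-issues-966593-966596.patch, the new `if (i == 0) return 0;` reports an input with no valid base64 characters as length 0, which only helps if callers test for zero. The callers are outside the hunk, so each one should be confirmed to reject a zero length rather than build an empty value from it. The loop that writes `a[i]` also starts above the hunk, and nothing visible here bounds `i` against the size of `a`; if no such bound exists, that is the more important check to add. I would extend the comment to state the contract, e.g. `/* no valid input characters: return 0 so callers can reject the value */`.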
@@ -0,0 +1,27 @@ +From a41d5174e27c99d1caefd76a8e927c814ede509e Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Tue, 6 May 2014 14:07:37 +0100 +Subject: [PATCH 20/23] Initialize num properly. + +PR#3289 +PR#3345 +(cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155) +--- + crypto/evp/bio_b64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c +index ac6d441..16863fe 100644 +--- a/crypto/evp/bio_b64.c ++++ b/crypto/evp/bio_b64.c +@@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl) + else if (ctx->start) + { + q=p=(unsigned char *)ctx->tmp; ++ num = 0; + for (j=0; j +Date: Sun, 4 May 2014 16:19:22 -0400 +Subject: [PATCH 22/23] bignum: allow concurrent BN_MONT_CTX_set_locked() + +The lazy-initialisation of BN_MONT_CTX was serialising all threads, as +noted by Daniel Sands and co at Sandia. This was to handle the case that +2 or more threads race to lazy-init the same context, but stunted all +scalability in the case where 2 or more threads are doing unrelated +things! We favour the latter case by punishing the former. The init work +gets done by each thread that finds the context to be uninitialised, and +we then lock the "set" logic after that work is done - the winning +thread's work gets used, the losing threads throw away what they've done. 
+ +Signed-off-by: Geoff Thorpe +--- + crypto/bn/bn_mont.c | 46 ++++++++++++++++++++++++++-------------------- + 1 file changed, 26 insertions(+), 20 deletions(-) + +diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c +index 427b5cf..ee8532c 100644 +--- a/crypto/bn/bn_mont.c ++++ b/crypto/bn/bn_mont.c +@@ -478,32 +478,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) + BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, + const BIGNUM *mod, BN_CTX *ctx) + { +- int got_write_lock = 0; + BN_MONT_CTX *ret; + + CRYPTO_r_lock(lock); +- if (!*pmont) ++ ret = *pmont; ++ CRYPTO_r_unlock(lock); ++ if (ret) ++ return ret; ++ ++ /* We don't want to serialise globally while doing our lazy-init math in ++ * BN_MONT_CTX_set. That punishes threads that are doing independent ++ * things. Instead, punish the case where more than one thread tries to ++ * lazy-init the same 'pmont', by having each do the lazy-init math work ++ * independently and only use the one from the thread that wins the race ++ * (the losers throw away the work they've done). */ ++ ret = BN_MONT_CTX_new(); ++ if (!ret) ++ return NULL; ++ if (!BN_MONT_CTX_set(ret, mod, ctx)) + { +- CRYPTO_r_unlock(lock); +- CRYPTO_w_lock(lock); +- got_write_lock = 1; ++ BN_MONT_CTX_free(ret); ++ return NULL; ++ } + +- if (!*pmont) +- { +- ret = BN_MONT_CTX_new(); +- if (ret && !BN_MONT_CTX_set(ret, mod, ctx)) +- BN_MONT_CTX_free(ret); +- else +- *pmont = ret; +- } ++ /* The locked compare-and-set, after the local work is done. */ ++ CRYPTO_w_lock(lock); ++ if (*pmont) ++ { ++ BN_MONT_CTX_free(ret); ++ ret = *pmont; + } +- +- ret = *pmont; +- +- if (got_write_lock) +- CRYPTO_w_unlock(lock); + else +- CRYPTO_r_unlock(lock); +- ++ *pmont = ret; ++ CRYPTO_w_unlock(lock); + return ret; + } +-- +1.8.4.5 + diff --git a/0023-evp-prevent-underflow-in-base64-decoding.patch b/0023-evp-prevent-underflow-in-base64-decoding.patch new file mode 100644 index 0000000..f33cd74 --- /dev/null 
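Review bot: In the rewritten `BN_MONT_CTX_set_locked`, every thread that finds `*pmont` unset now builds its own context from `mod`, and each loser releases its copy with `BN_MONT_CTX_free(ret)` under the write lock. When `mod` is a private value, such as an RSA prime, that leaves several freed heap copies of values derived from it where the old code made one. Whether `BN_MONT_CTX_free` wipes its BIGNUMs is not visible in this hunk and should be checked. The comment above the function should also say that NULL is returned on allocation or setup failure and that `*pmont` is left untouched in that case, which is what the two new `return NULL` paths do.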
+++ b/0023-evp-prevent-underflow-in-base64-decoding.patch @@ -0,0 +1,30 @@ +From d0666f289ac013094bbbf547bfbcd616199b7d2d Mon Sep 17 00:00:00 2001 +From: Geoff Thorpe +Date: Sun, 4 May 2014 18:44:14 -0400 +Subject: [PATCH 23/23] evp: prevent underflow in base64 decoding + +This patch resolves RT ticket #2608. + +Thanks to Robert Dugal for originally spotting this, and to David +Ramos for noticing that the ball had been dropped. + +Signed-off-by: Geoff Thorpe +--- + crypto/evp/encode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c +index 28546a8..4654bdc 100644 +--- a/crypto/evp/encode.c ++++ b/crypto/evp/encode.c +@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, + v=EVP_DecodeBlock(out,d,n); + n=0; + if (v < 0) { rv=0; goto end; } ++ if (eof > v) { rv=-1; goto end; } + ret+=(v-eof); + } + else +-- +1.8.4.5 + diff --git a/0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch b/0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch new file mode 100644 index 0000000..388bed4 --- /dev/null +++ b/0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch 
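Review bot: The new `if (eof > v) { rv=-1; goto end; }` in `EVP_DecodeUpdate` reports malformed padding as -1, while the context line directly above it reports a failed `EVP_DecodeBlock` as `rv=0`. If 0 is the end-of-data return (the function's return contract is outside the hunk), a corrupt block still cannot be told apart from a clean finish. It is worth confirming whether that line should read `if (v < 0) { rv=-1; goto end; }` as well. The added check also has no comment; something like `/* more '=' padding than decoded bytes: malformed input, v-eof would go negative */` would record why it exists.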
@@ -0,0 +1,63 @@ +From c6a47f988c19093e4716d58dbed92938c18e1640 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 7 May 2014 23:21:02 +0100 +Subject: [PATCH 24/25] Fixed NULL pointer dereference in PKCS7_dataDecode + reported by David Ramos in PR#3339 + +--- + crypto/pkcs7/pk7_doit.c | 5 +++++ + crypto/pkcs7/pkcs7.h | 1 + + crypto/pkcs7/pkcs7err.c | 3 ++- + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c +index 4c12a9d..d91aa11 100644 +--- a/crypto/pkcs7/pk7_doit.c ++++ b/crypto/pkcs7/pk7_doit.c +@@ -440,6 +440,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) + { + case NID_pkcs7_signed: + data_body=PKCS7_get_octet_string(p7->d.sign->contents); ++ if (!PKCS7_is_detached(p7) && data_body == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE); ++ goto err; ++ } + md_sk=p7->d.sign->md_algs; + break; + case NID_pkcs7_signedAndEnveloped: +diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h +index e4d4431..04f6037 100644 +--- a/crypto/pkcs7/pkcs7.h ++++ b/crypto/pkcs7/pkcs7.h +@@ -453,6 +453,7 @@ void ERR_load_PKCS7_strings(void); + #define PKCS7_R_ERROR_SETTING_CIPHER 121 + #define PKCS7_R_INVALID_MIME_TYPE 131 + #define PKCS7_R_INVALID_NULL_POINTER 143 ++#define PKCS7_R_INVALID_SIGNED_DATA_TYPE 155 + #define PKCS7_R_MIME_NO_CONTENT_TYPE 132 + #define PKCS7_R_MIME_PARSE_ERROR 133 + #define PKCS7_R_MIME_SIG_PARSE_ERROR 134 +diff --git a/crypto/pkcs7/pkcs7err.c b/crypto/pkcs7/pkcs7err.c +index d0af32a..f3db08e 100644 +--- a/crypto/pkcs7/pkcs7err.c ++++ b/crypto/pkcs7/pkcs7err.c +@@ -1,6 +1,6 @@ + /* crypto/pkcs7/pkcs7err.c */ + /* ==================================================================== +- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -130,6 +130,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[]= + {ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"}, + {ERR_REASON(PKCS7_R_INVALID_MIME_TYPE) ,"invalid mime type"}, + {ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"}, ++{ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),"invalid signed data type"}, + {ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"}, + {ERR_REASON(PKCS7_R_MIME_PARSE_ERROR) ,"mime parse error"}, + {ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"}, +-- +1.8.4.5 + diff --git a/0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch b/0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch new file mode 100644 index 0000000..60fba81 --- /dev/null +++ b/0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch 
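Review bot: The new NULL check in the `NID_pkcs7_signed` case of `PKCS7_dataDecode` runs after `p7->d.sign->contents` has already been dereferenced on the line above it, and nothing in the hunk shows `p7->d.sign` being tested first. If a parsed structure can reach this switch with an absent `sign` member, the same class of crash remains. A guard before the call, e.g. `if (p7->d.sign == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_NULL_POINTER); goto err; }`, would close it. The `NID_pkcs7_signedAndEnveloped` case that follows is cut off by the hunk, so whether its `data_body` gets an equivalent check cannot be confirmed from here.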
@@ -0,0 +1,49 @@ +From 6a60b414318ec4315ee016c3e15777c448603115 Mon Sep 17 00:00:00 2001 +From: Tim Hudson +Date: Mon, 5 May 2014 08:22:42 +1000 +Subject: [PATCH 25/25] fix coverity issue 966597 - error line is not always + initialised + +--- + ssl/ssl_asn1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c +index 38540be..4775003 100644 +--- a/ssl/ssl_asn1.c ++++ b/ssl/ssl_asn1.c +@@ -408,6 +408,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, + if (os.length != 3) + { + c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH; ++ c.line=__LINE__; + goto err; + } + id=0x02000000L| +@@ -420,6 +421,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, + if (os.length != 2) + { + c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH; ++ c.line=__LINE__; + goto err; + } + id=0x03000000L| +@@ -429,6 +431,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, + else + { + c.error=SSL_R_UNKNOWN_SSL_VERSION; ++ c.line=__LINE__; + goto err; + } + +@@ -521,6 +524,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, + if (os.length > SSL_MAX_SID_CTX_LENGTH) + { + c.error=SSL_R_BAD_LENGTH; ++ c.line=__LINE__; + goto err; + } + else +-- +1.8.4.5 + diff --git a/openssl-fips-hidden.patch b/openssl-fips-hidden.patch new file mode 100644 index 0000000..b874b6b --- /dev/null +++ b/openssl-fips-hidden.patch 
@@ -0,0 +1,28 @@ +--- openssl-1.0.1g.orig/crypto/fips/fips_rand_lcl.h ++++ openssl-1.0.1g/crypto/fips/fips_rand_lcl.h +@@ -51,6 +51,8 @@ + * ==================================================================== + */ + ++#pragma GCC visibility push(hidden) ++ + typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; + typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; + typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; +@@ -217,3 +219,5 @@ const struct evp_cipher_st *FIPS_get_cip + #define FIPS_digestupdate EVP_DigestUpdate + #define FIPS_digestfinal EVP_DigestFinal + #define M_EVP_MD_size EVP_MD_size ++ ++#pragma GCC visibility pop +--- openssl-1.0.1g.orig/crypto/fips/fips_rsa_x931g.c ++++ openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c +@@ -65,7 +65,7 @@ + #ifdef OPENSSL_FIPS + #include + +-extern int fips_check_rsa(RSA *rsa); ++extern int fips_check_rsa(RSA *rsa) __attribute__ ((visibility ("hidden"))); + #endif + + /* X9.31 RSA key derivation and generation */ diff --git a/openssl-no-egd.patch b/openssl-no-egd.patch new file mode 100644 index 0000000..c1ddb08 --- /dev/null +++ b/openssl-no-egd.patch @@ -0,0 +1,11 @@ +--- openssl-1.0.1g.orig/crypto/rand/rand_egd.c ++++ openssl-1.0.1g/crypto/rand/rand_egd.c +@@ -95,7 +95,7 @@ + * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. + */ + +-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS) ++#if defined(__linux__) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS) + int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) + { + return(-1); diff --git a/openssl.changes b/openssl.changes index 2d81aeb..e6b8654 100644 --- a/openssl.changes +++ b/openssl.changes 
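Review bot: In openssl-no-egd.patch the stub condition gains `defined(__linux__)`, a raw compiler macro, while every other term in that condition is an `OPENSSL_SYS_*` macro; `defined(OPENSSL_SYS_LINUX)` would match the surrounding style. The comment block above the `#if` still documents working EGD behaviour although `RAND_query_egd_bytes` now returns -1 on every Linux build. A short comment at the condition, e.g. `/* EGD support is compiled out on Linux: entropy comes from the kernel and the internal PRNG only */`, would explain why the stub branch is taken. The remaining functions of the stub branch are outside the hunk, so their return values on this path should be confirmed, since an application that treats a failed EGD call as fatal will now stop at start-up.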
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Fri May 9 04:42:46 UTC 2014 - crrodriguez@opensuse.org
+
+- Add upstream patches fixing coverity scan issues:
+* 0018-fix-coverity-issues-966593-966596.patch
+* 0020-Initialize-num-properly.patch
+* 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
+* 0023-evp-prevent-underflow-in-base64-decoding.patch
+* 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
+* 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
+
+- Update 0001-libcrypto-Hide-library-private-symbols.patch
+ to cover more private symbols, now 98% complete and probably
+ not much more can be done to fix the rest of the ill-defined API.
+
+- openssl-fips-hidden.patch new, hides private symbols added by the
+ FIPS patches.
+
+- openssl-no-egd.patch disable the EGD (entropy gathering daemon)
+ interface, we have no EGD in the distro and obtaining entropy from
+ a place other than /dev/*random, the hardware rng or the openSSL
+ internal PRNG is an extremely bad & dangerous idea.
+
+- use secure_getenv instead of getenv everywhere.
+
 -------------------------------------------------------------------
 Mon May 5 16:25:17 UTC 2014 - crrodriguez@opensuse.org
 
diff --git a/openssl.spec b/openssl.spec
index 22cdfc2..8c24008 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -72,6 +72,14 @@ Patch23: 0009-Fix-double-frees.patch Patch24: 0012-Fix-eckey_priv_encode.patch Patch25: 0017-Double-free-in-i2o_ECPublicKey.patch Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch +Patch27: 0018-fix-coverity-issues-966593-966596.patch +Patch28: 0020-Initialize-num-properly.patch +Patch29: 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch +Patch30: 0023-evp-prevent-underflow-in-base64-decoding.patch +Patch31: 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch +Patch32: 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch +Patch33: openssl-no-egd.patch +Patch34: openssl-fips-hidden.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -185,6 +193,14 @@ this package's base documentation. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 cp -p %{S:10} . cp -p %{S:11} . echo "adding/overwriting some entries in the 'table' hash in Configure" @@ -222,6 +238,11 @@ CHANGES=`stat --format="%y" %SOURCE1` sed -i -e "s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES|" crypto/Makefile %build + +%if 0%{suse_version} >= 1230 +find -type f -name "*.c" -exec sed -i -e "s@getenv@secure_getenv@g" {} + +%endif + %ifarch armv5el armv5tel export MACHINE=armv5el %endif @@ -236,7 +257,7 @@ fips \ no-ssl2 \ enable-rfc3779 \ %endif -%ifarch x86_64 +%ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \
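Review bot: The `sed` added under `%build` replaces every occurrence of the string `getenv` in all `*.c` files, not only calls to the function, so any identifier that merely contains it (including an existing `secure_getenv`) is rewritten as well. Anchoring on word boundaries, e.g. `sed -i -e "s@\bgetenv\b@secure_getenv@g"`, limits the change to the bare name. glibc declares `secure_getenv` only when `_GNU_SOURCE` is defined; whether the build flags set it is not visible in this hunk, and without it the call is implicitly declared and its pointer result can be truncated on 64-bit targets. Running the rewrite in `%prep`, next to the patch list, would also keep source changes out of the build stage.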