SHA256
1
0
forked from pool/openssl

Accepting request 492985 from security:tls

- Provide pkgconfig(openssl)

- Provide basic baselibs.conf for 32bit subpackages
- Specify this package as noarch (as we just provide README files)

- Fix typo in openssl requires
- Add dependency on the branched devel package
- Provide all pkgconfig symbols to hide them in versioned subpkgs
- This allows us to propagate only the preffered version of openssl
  while allowing us to add extra openssl only as additional dependency

- Remove the ssl provides as it is applicable for only those that
  really provide it

- Prepare to split to various subpackages converting main one to
  dummy package
- Reduce to only provide main pkg and devel and depend on proper
  soversioned package
- Version in this package needs to be synced with the one provided
  by the split package
- Remove all the patches, now in the proper versioned namespace:
  * merge_from_0.9.8k.patch
  * openssl-1.0.0-c_rehash-compat.diff
  * bug610223.patch
  * openssl-ocloexec.patch
  * openssl-1.0.2a-padlock64.patch
  * openssl-fix-pod-syntax.diff
  * openssl-truststore.patch
  * compression_methods_switch.patch
  * 0005-libssl-Hide-library-private-symbols.patch

OBS-URL: https://build.opensuse.org/request/show/492985
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=138
This commit is contained in:
Dominique Leuenberger 2017-05-18 18:46:33 +00:00 committed by Git OBS Bridge
parent 491c541700
commit 9d1003ce7d
46 changed files with 110 additions and 22263 deletions

View File

@ -1,843 +0,0 @@
From fd708c2242408187cff392e8b0850275ac99376f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodriguez@opensuse.org>
Date: Sun, 4 May 2014 23:36:54 -0400
Subject: [PATCH] Axe builtin printf implementation, use glibc instead
Index: openssl-1.0.2i/crypto/bio/b_print.c
===================================================================
--- openssl-1.0.2i.orig/crypto/bio/b_print.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/bio/b_print.c 2016-09-23 10:18:39.805097010 +0200
@@ -56,17 +56,10 @@
* [including the GNU Public Licence.]
*/
-/* disable assert() unless BIO_DEBUG has been defined */
-#ifndef BIO_DEBUG
-# ifndef NDEBUG
-# define NDEBUG
-# endif
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
#endif
-/*
- * Stolen from tjh's ssl/ssl_trc.c stuff.
- */
-
#include <stdio.h>
#include <string.h>
#include <ctype.h>
@@ -79,714 +72,6 @@
#include <openssl/bn.h> /* To get BN_LLONG properly defined */
#include <openssl/bio.h>
-#if defined(BN_LLONG) || defined(SIXTY_FOUR_BIT)
-# ifndef HAVE_LONG_LONG
-# define HAVE_LONG_LONG 1
-# endif
-#endif
-
-/***************************************************************************/
-
-/*
- * Copyright Patrick Powell 1995
- * This code is based on code written by Patrick Powell <papowell@astart.com>
- * It may be used for any purpose as long as this notice remains intact
- * on all source code distributions.
- */
-
-/*-
- * This code contains numerious changes and enhancements which were
- * made by lots of contributors over the last years to Patrick Powell's
- * original code:
- *
- * o Patrick Powell <papowell@astart.com> (1995)
- * o Brandon Long <blong@fiction.net> (1996, for Mutt)
- * o Thomas Roessler <roessler@guug.de> (1998, for Mutt)
- * o Michael Elkins <me@cs.hmc.edu> (1998, for Mutt)
- * o Andrew Tridgell <tridge@samba.org> (1998, for Samba)
- * o Luke Mewburn <lukem@netbsd.org> (1999, for LukemFTP)
- * o Ralf S. Engelschall <rse@engelschall.com> (1999, for Pth)
- * o ... (for OpenSSL)
- */
-
-#ifdef HAVE_LONG_DOUBLE
-# define LDOUBLE long double
-#else
-# define LDOUBLE double
-#endif
-
-#ifdef HAVE_LONG_LONG
-# if defined(_WIN32) && !defined(__GNUC__)
-# define LLONG __int64
-# else
-# define LLONG long long
-# endif
-#else
-# define LLONG long
-#endif
-
-static int fmtstr(char **, char **, size_t *, size_t *,
- const char *, int, int, int);
-static int fmtint(char **, char **, size_t *, size_t *,
- LLONG, int, int, int, int);
-static int fmtfp(char **, char **, size_t *, size_t *,
- LDOUBLE, int, int, int);
-static int doapr_outch(char **, char **, size_t *, size_t *, int);
-static int _dopr(char **sbuffer, char **buffer,
- size_t *maxlen, size_t *retlen, int *truncated,
- const char *format, va_list args);
-
-/* format read states */
-#define DP_S_DEFAULT 0
-#define DP_S_FLAGS 1
-#define DP_S_MIN 2
-#define DP_S_DOT 3
-#define DP_S_MAX 4
-#define DP_S_MOD 5
-#define DP_S_CONV 6
-#define DP_S_DONE 7
-
-/* format flags - Bits */
-#define DP_F_MINUS (1 << 0)
-#define DP_F_PLUS (1 << 1)
-#define DP_F_SPACE (1 << 2)
-#define DP_F_NUM (1 << 3)
-#define DP_F_ZERO (1 << 4)
-#define DP_F_UP (1 << 5)
-#define DP_F_UNSIGNED (1 << 6)
-
-/* conversion flags */
-#define DP_C_SHORT 1
-#define DP_C_LONG 2
-#define DP_C_LDOUBLE 3
-#define DP_C_LLONG 4
-
-/* some handy macros */
-#define char_to_int(p) (p - '0')
-#define OSSL_MAX(p,q) ((p >= q) ? p : q)
-
-static int
-_dopr(char **sbuffer,
- char **buffer,
- size_t *maxlen,
- size_t *retlen, int *truncated, const char *format, va_list args)
-{
- char ch;
- LLONG value;
- LDOUBLE fvalue;
- char *strvalue;
- int min;
- int max;
- int state;
- int flags;
- int cflags;
- size_t currlen;
-
- state = DP_S_DEFAULT;
- flags = currlen = cflags = min = 0;
- max = -1;
- ch = *format++;
-
- while (state != DP_S_DONE) {
- if (ch == '\0' || (buffer == NULL && currlen >= *maxlen))
- state = DP_S_DONE;
-
- switch (state) {
- case DP_S_DEFAULT:
- if (ch == '%')
- state = DP_S_FLAGS;
- else
- if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
- return 0;
- ch = *format++;
- break;
- case DP_S_FLAGS:
- switch (ch) {
- case '-':
- flags |= DP_F_MINUS;
- ch = *format++;
- break;
- case '+':
- flags |= DP_F_PLUS;
- ch = *format++;
- break;
- case ' ':
- flags |= DP_F_SPACE;
- ch = *format++;
- break;
- case '#':
- flags |= DP_F_NUM;
- ch = *format++;
- break;
- case '0':
- flags |= DP_F_ZERO;
- ch = *format++;
- break;
- default:
- state = DP_S_MIN;
- break;
- }
- break;
- case DP_S_MIN:
- if (isdigit((unsigned char)ch)) {
- min = 10 * min + char_to_int(ch);
- ch = *format++;
- } else if (ch == '*') {
- min = va_arg(args, int);
- ch = *format++;
- state = DP_S_DOT;
- } else
- state = DP_S_DOT;
- break;
- case DP_S_DOT:
- if (ch == '.') {
- state = DP_S_MAX;
- ch = *format++;
- } else
- state = DP_S_MOD;
- break;
- case DP_S_MAX:
- if (isdigit((unsigned char)ch)) {
- if (max < 0)
- max = 0;
- max = 10 * max + char_to_int(ch);
- ch = *format++;
- } else if (ch == '*') {
- max = va_arg(args, int);
- ch = *format++;
- state = DP_S_MOD;
- } else
- state = DP_S_MOD;
- break;
- case DP_S_MOD:
- switch (ch) {
- case 'h':
- cflags = DP_C_SHORT;
- ch = *format++;
- break;
- case 'l':
- if (*format == 'l') {
- cflags = DP_C_LLONG;
- format++;
- } else
- cflags = DP_C_LONG;
- ch = *format++;
- break;
- case 'q':
- cflags = DP_C_LLONG;
- ch = *format++;
- break;
- case 'L':
- cflags = DP_C_LDOUBLE;
- ch = *format++;
- break;
- default:
- break;
- }
- state = DP_S_CONV;
- break;
- case DP_S_CONV:
- switch (ch) {
- case 'd':
- case 'i':
- switch (cflags) {
- case DP_C_SHORT:
- value = (short int)va_arg(args, int);
- break;
- case DP_C_LONG:
- value = va_arg(args, long int);
- break;
- case DP_C_LLONG:
- value = va_arg(args, LLONG);
- break;
- default:
- value = va_arg(args, int);
- break;
- }
- if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
- max, flags))
- return 0;
- break;
- case 'X':
- flags |= DP_F_UP;
- /* FALLTHROUGH */
- case 'x':
- case 'o':
- case 'u':
- flags |= DP_F_UNSIGNED;
- switch (cflags) {
- case DP_C_SHORT:
- value = (unsigned short int)va_arg(args, unsigned int);
- break;
- case DP_C_LONG:
- value = (LLONG) va_arg(args, unsigned long int);
- break;
- case DP_C_LLONG:
- value = va_arg(args, unsigned LLONG);
- break;
- default:
- value = (LLONG) va_arg(args, unsigned int);
- break;
- }
- if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
- ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
- min, max, flags))
- return 0;
- break;
- case 'f':
- if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, LDOUBLE);
- else
- fvalue = va_arg(args, double);
- if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
- flags))
- return 0;
- break;
- case 'E':
- flags |= DP_F_UP;
- case 'e':
- if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, LDOUBLE);
- else
- fvalue = va_arg(args, double);
- break;
- case 'G':
- flags |= DP_F_UP;
- case 'g':
- if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, LDOUBLE);
- else
- fvalue = va_arg(args, double);
- break;
- case 'c':
- if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
- va_arg(args, int)))
- return 0;
- break;
- case 's':
- strvalue = va_arg(args, char *);
- if (max < 0) {
- if (buffer)
- max = INT_MAX;
- else
- max = *maxlen;
- }
- if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
- flags, min, max))
- return 0;
- break;
- case 'p':
- value = (long)va_arg(args, void *);
- if (!fmtint(sbuffer, buffer, &currlen, maxlen,
- value, 16, min, max, flags | DP_F_NUM))
- return 0;
- break;
- case 'n': /* XXX */
- if (cflags == DP_C_SHORT) {
- short int *num;
- num = va_arg(args, short int *);
- *num = currlen;
- } else if (cflags == DP_C_LONG) { /* XXX */
- long int *num;
- num = va_arg(args, long int *);
- *num = (long int)currlen;
- } else if (cflags == DP_C_LLONG) { /* XXX */
- LLONG *num;
- num = va_arg(args, LLONG *);
- *num = (LLONG) currlen;
- } else {
- int *num;
- num = va_arg(args, int *);
- *num = currlen;
- }
- break;
- case '%':
- if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
- return 0;
- break;
- case 'w':
- /* not supported yet, treat as next char */
- ch = *format++;
- break;
- default:
- /* unknown, skip */
- break;
- }
- ch = *format++;
- state = DP_S_DEFAULT;
- flags = cflags = min = 0;
- max = -1;
- break;
- case DP_S_DONE:
- break;
- default:
- break;
- }
- }
- /*
- * We have to truncate if there is no dynamic buffer and we have filled the
- * static buffer.
- */
- if (buffer == NULL) {
- *truncated = (currlen > *maxlen - 1);
- if (*truncated)
- currlen = *maxlen - 1;
- }
- if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
- return 0;
- *retlen = currlen - 1;
- return 1;
-}
-
-static int
-fmtstr(char **sbuffer,
- char **buffer,
- size_t *currlen,
- size_t *maxlen, const char *value, int flags, int min, int max)
-{
- int padlen;
- size_t strln;
- int cnt = 0;
-
- if (value == 0)
- value = "<NULL>";
-
- strln = strlen(value);
- if (strln > INT_MAX)
- strln = INT_MAX;
-
- padlen = min - strln;
- if (min < 0 || padlen < 0)
- padlen = 0;
- if (flags & DP_F_MINUS)
- padlen = -padlen;
-
- while ((padlen > 0) && (cnt < max)) {
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- --padlen;
- ++cnt;
- }
- while (*value && (cnt < max)) {
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
- return 0;
- ++cnt;
- }
- while ((padlen < 0) && (cnt < max)) {
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- ++padlen;
- ++cnt;
- }
- return 1;
-}
-
-static int
-fmtint(char **sbuffer,
- char **buffer,
- size_t *currlen,
- size_t *maxlen, LLONG value, int base, int min, int max, int flags)
-{
- int signvalue = 0;
- const char *prefix = "";
- unsigned LLONG uvalue;
- char convert[DECIMAL_SIZE(value) + 3];
- int place = 0;
- int spadlen = 0;
- int zpadlen = 0;
- int caps = 0;
-
- if (max < 0)
- max = 0;
- uvalue = value;
- if (!(flags & DP_F_UNSIGNED)) {
- if (value < 0) {
- signvalue = '-';
- uvalue = -value;
- } else if (flags & DP_F_PLUS)
- signvalue = '+';
- else if (flags & DP_F_SPACE)
- signvalue = ' ';
- }
- if (flags & DP_F_NUM) {
- if (base == 8)
- prefix = "0";
- if (base == 16)
- prefix = "0x";
- }
- if (flags & DP_F_UP)
- caps = 1;
- do {
- convert[place++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")
- [uvalue % (unsigned)base];
- uvalue = (uvalue / (unsigned)base);
- } while (uvalue && (place < (int)sizeof(convert)));
- if (place == sizeof(convert))
- place--;
- convert[place] = 0;
-
- zpadlen = max - place;
- spadlen =
- min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix);
- if (zpadlen < 0)
- zpadlen = 0;
- if (spadlen < 0)
- spadlen = 0;
- if (flags & DP_F_ZERO) {
- zpadlen = OSSL_MAX(zpadlen, spadlen);
- spadlen = 0;
- }
- if (flags & DP_F_MINUS)
- spadlen = -spadlen;
-
- /* spaces */
- while (spadlen > 0) {
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- --spadlen;
- }
-
- /* sign */
- if (signvalue)
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
- return 0;
-
- /* prefix */
- while (*prefix) {
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
- return 0;
- prefix++;
- }
-
- /* zeros */
- if (zpadlen > 0) {
- while (zpadlen > 0) {
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
- return 0;
- --zpadlen;
- }
- }
- /* digits */
- while (place > 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
- return 0;
- }
-
- /* left justified spaces */
- while (spadlen < 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- ++spadlen;
- }
- return 1;
-}
-
-static LDOUBLE abs_val(LDOUBLE value)
-{
- LDOUBLE result = value;
- if (value < 0)
- result = -value;
- return result;
-}
-
-static LDOUBLE pow_10(int in_exp)
-{
- LDOUBLE result = 1;
- while (in_exp) {
- result *= 10;
- in_exp--;
- }
- return result;
-}
-
-static long roundv(LDOUBLE value)
-{
- long intpart;
- intpart = (long)value;
- value = value - intpart;
- if (value >= 0.5)
- intpart++;
- return intpart;
-}
-
-static int
-fmtfp(char **sbuffer,
- char **buffer,
- size_t *currlen,
- size_t *maxlen, LDOUBLE fvalue, int min, int max, int flags)
-{
- int signvalue = 0;
- LDOUBLE ufvalue;
- char iconvert[20];
- char fconvert[20];
- int iplace = 0;
- int fplace = 0;
- int padlen = 0;
- int zpadlen = 0;
- long intpart;
- long fracpart;
- long max10;
-
- if (max < 0)
- max = 6;
- ufvalue = abs_val(fvalue);
- if (fvalue < 0)
- signvalue = '-';
- else if (flags & DP_F_PLUS)
- signvalue = '+';
- else if (flags & DP_F_SPACE)
- signvalue = ' ';
-
- intpart = (long)ufvalue;
-
- /*
- * sorry, we only support 9 digits past the decimal because of our
- * conversion method
- */
- if (max > 9)
- max = 9;
-
- /*
- * we "cheat" by converting the fractional part to integer by multiplying
- * by a factor of 10
- */
- max10 = roundv(pow_10(max));
- fracpart = roundv(pow_10(max) * (ufvalue - intpart));
-
- if (fracpart >= max10) {
- intpart++;
- fracpart -= max10;
- }
-
- /* convert integer part */
- do {
- iconvert[iplace++] = "0123456789"[intpart % 10];
- intpart = (intpart / 10);
- } while (intpart && (iplace < (int)sizeof(iconvert)));
- if (iplace == sizeof iconvert)
- iplace--;
- iconvert[iplace] = 0;
-
- /* convert fractional part */
- do {
- fconvert[fplace++] = "0123456789"[fracpart % 10];
- fracpart = (fracpart / 10);
- } while (fplace < max);
- if (fplace == sizeof fconvert)
- fplace--;
- fconvert[fplace] = 0;
-
- /* -1 for decimal point, another -1 if we are printing a sign */
- padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
- zpadlen = max - fplace;
- if (zpadlen < 0)
- zpadlen = 0;
- if (padlen < 0)
- padlen = 0;
- if (flags & DP_F_MINUS)
- padlen = -padlen;
-
- if ((flags & DP_F_ZERO) && (padlen > 0)) {
- if (signvalue) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
- return 0;
- --padlen;
- signvalue = 0;
- }
- while (padlen > 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
- return 0;
- --padlen;
- }
- }
- while (padlen > 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- --padlen;
- }
- if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
- return 0;
-
- while (iplace > 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
- return 0;
- }
-
- /*
- * Decimal point. This should probably use locale to find the correct
- * char to print out.
- */
- if (max > 0 || (flags & DP_F_NUM)) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
- return 0;
-
- while (fplace > 0) {
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
- fconvert[--fplace]))
- return 0;
- }
- }
- while (zpadlen > 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
- return 0;
- --zpadlen;
- }
-
- while (padlen < 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- ++padlen;
- }
- return 1;
-}
-
-#define BUFFER_INC 1024
-
-static int
-doapr_outch(char **sbuffer,
- char **buffer, size_t *currlen, size_t *maxlen, int c)
-{
- /* If we haven't at least one buffer, someone has doe a big booboo */
- assert(*sbuffer != NULL || buffer != NULL);
-
- /* |currlen| must always be <= |*maxlen| */
- assert(*currlen <= *maxlen);
-
- if (buffer && *currlen == *maxlen) {
- if (*maxlen > INT_MAX - BUFFER_INC)
- return 0;
-
- *maxlen += BUFFER_INC;
- if (*buffer == NULL) {
- *buffer = OPENSSL_malloc(*maxlen);
- if (*buffer == NULL)
- return 0;
- if (*currlen > 0) {
- assert(*sbuffer != NULL);
- memcpy(*buffer, *sbuffer, *currlen);
- }
- *sbuffer = NULL;
- } else {
- char *tmpbuf;
- tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
- if (tmpbuf == NULL)
- return 0;
- *buffer = tmpbuf;
- }
- }
-
- if (*currlen < *maxlen) {
- if (*sbuffer)
- (*sbuffer)[(*currlen)++] = (char)c;
- else
- (*buffer)[(*currlen)++] = (char)c;
- }
-
- return 1;
-}
-
-/***************************************************************************/
-
int BIO_printf(BIO *bio, const char *format, ...)
{
va_list args;
@@ -800,32 +85,36 @@ int BIO_printf(BIO *bio, const char *for
return (ret);
}
+static ssize_t cookie_BIO_write(void *cookie, const char *buf, size_t size)
+{
+ int ret;
+ ret = BIO_write(cookie, buf, size);
+ /* BIO_write may return negative value on error,
+ * but we must return 0 on that case
+ */
+ return (ret < 0) ? 0 : ret;
+}
+
int BIO_vprintf(BIO *bio, const char *format, va_list args)
{
+ FILE *fp;
int ret;
- size_t retlen;
- char hugebuf[1024 * 2]; /* Was previously 10k, which is unreasonable
- * in small-stack environments, like threads
- * or DOS programs. */
- char *hugebufp = hugebuf;
- size_t hugebufsize = sizeof(hugebuf);
- char *dynbuf = NULL;
- int ignored;
-
- dynbuf = NULL;
- CRYPTO_push_info("doapr()");
- if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
- args)) {
- OPENSSL_free(dynbuf);
- return -1;
- }
- if (dynbuf) {
- ret = BIO_write(bio, dynbuf, (int)retlen);
- OPENSSL_free(dynbuf);
- } else {
- ret = BIO_write(bio, hugebuf, (int)retlen);
- }
- CRYPTO_pop_info();
+
+ cookie_io_functions_t bio_funcs = {
+ .read = NULL,
+ .write = cookie_BIO_write,
+ .seek = NULL,
+ .close = NULL,
+ };
+
+ fp = fopencookie(bio, "w", bio_funcs);
+
+ if (fp == NULL)
+ return -1;
+
+ ret = vfprintf(fp, format, args);
+
+ fclose(fp);
return (ret);
}
@@ -841,29 +130,21 @@ int BIO_snprintf(char *buf, size_t n, co
int ret;
va_start(args, format);
+ ret = vsnprintf(buf, n, format, args);
+ va_end(args);
- ret = BIO_vsnprintf(buf, n, format, args);
+ if (ret >= n || ret == -1) return (-1);
- va_end(args);
return (ret);
}
int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
{
- size_t retlen;
- int truncated;
+ int ret;
+ ret = vsnprintf(buf, n, format, args);
- if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
- return -1;
+ if (ret >= n || ret == -1)
+ return (-1);
- if (truncated)
- /*
- * In case of truncation, return -1 like traditional snprintf.
- * (Current drafts for ISO/IEC 9899 say snprintf should return the
- * number of characters that would have been written, had the buffer
- * been large enough.)
- */
- return -1;
- else
- return (retlen <= INT_MAX) ? (int)retlen : -1;
+ return (ret);
}

View File

@ -1,834 +0,0 @@
From c4251c714a2fa6263e77103561b3dc4f6f5fed40 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodriguez@opensuse.org>
Date: Mon, 21 Oct 2013 01:48:05 -0300
Subject: [PATCH] libcrypto: Hide library-private symbols
---
apps/Makefile | 2 +-
crypto/asn1/asn1_locl.h | 4 ++++
crypto/bn/bn_lcl.h | 4 ++++
crypto/camellia/cmll_locl.h | 3 +++
crypto/cast/cast_lcl.h | 2 ++
crypto/cms/cms_lcl.h | 5 ++++-
crypto/des/des_locl.h | 2 ++
crypto/dsa/dsa_locl.h | 2 +-
crypto/ec/ec_lcl.h | 4 ++++
crypto/ecdh/ech_locl.h | 4 +++-
crypto/ecdsa/ecs_locl.h | 4 ++++
crypto/engine/eng_int.h | 4 +++-
crypto/engine/eng_rsax.c | 2 +-
crypto/evp/e_aes.c | 10 ++++++++++
crypto/evp/e_aes_cbc_hmac_sha1.c | 4 ++++
crypto/evp/evp_locl.h | 4 ++++
crypto/md4/md4_locl.h | 2 +-
crypto/md5/md5_locl.h | 2 +-
crypto/modes/modes_lcl.h | 4 +++-
crypto/o_str.h | 4 ++++
crypto/o_time.h | 4 ++++
crypto/ripemd/rmd_locl.h | 2 +-
crypto/rsa/rsa_locl.h | 2 +-
crypto/sha/sha256.c | 2 +-
crypto/sha/sha512.c | 2 +-
crypto/sha/sha_locl.h | 2 +-
crypto/store/str_locl.h | 4 +++-
crypto/ui/ui_locl.h | 4 +++-
crypto/whrlpool/wp_locl.h | 2 +-
crypto/x509v3/ext_dat.h | 3 +++
crypto/x509v3/pcy_int.h | 3 +++
31 files changed, 85 insertions(+), 17 deletions(-)
Index: openssl-1.0.2i/apps/Makefile
===================================================================
--- openssl-1.0.2i.orig/apps/Makefile 2016-09-22 12:24:52.000000000 +0200
+++ openssl-1.0.2i/apps/Makefile 2016-09-23 10:20:47.883004040 +0200
@@ -20,7 +20,7 @@ EXE_EXT=
SHLIB_TARGET=
-CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG)
+CFLAGS= -fvisibility=hidden -DMONOLITH $(INCLUDES) $(CFLAG)
GENERAL=Makefile makeapps.com install.com
Index: openssl-1.0.2i/crypto/asn1/asn1_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/asn1/asn1_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/asn1/asn1_locl.h 2016-09-23 10:20:47.883004040 +0200
@@ -62,6 +62,8 @@
int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d);
int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d);
+#pragma GCC visibility push(hidden)
+
/* ASN1 print context structure */
struct asn1_pctx_st {
@@ -133,3 +135,5 @@ struct x509_crl_method_st {
ASN1_INTEGER *ser, X509_NAME *issuer);
int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk);
};
+
+#pragma GCC visibility pop
Index: openssl-1.0.2i/crypto/bn/bn_lcl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/bn/bn_lcl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/bn/bn_lcl.h 2016-09-23 10:20:47.883004040 +0200
@@ -505,6 +505,8 @@ unsigned __int64 _umul128(unsigned __int
# undef bn_div_words
# endif
+#pragma GCC visibility push(hidden)
+
void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
@@ -530,6 +532,8 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r,
int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
const BN_ULONG *np, const BN_ULONG *n0, int num);
+#pragma GCC visibility pop
+
#ifdef __cplusplus
}
#endif
Index: openssl-1.0.2i/crypto/cast/cast_lcl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/cast/cast_lcl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/cast/cast_lcl.h 2016-09-23 10:20:47.883004040 +0200
@@ -217,6 +217,7 @@
}
#endif
+#pragma GCC visibility push(hidden)
extern const CAST_LONG CAST_S_table0[256];
extern const CAST_LONG CAST_S_table1[256];
extern const CAST_LONG CAST_S_table2[256];
@@ -225,3 +226,4 @@ extern const CAST_LONG CAST_S_table4[256
extern const CAST_LONG CAST_S_table5[256];
extern const CAST_LONG CAST_S_table6[256];
extern const CAST_LONG CAST_S_table7[256];
+#pragma GCC visibility pop
Index: openssl-1.0.2i/crypto/cms/cms_lcl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/cms/cms_lcl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/cms/cms_lcl.h 2016-09-23 10:20:47.883004040 +0200
@@ -410,6 +410,8 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerA
# define CMS_OIK_KEYIDENTIFIER 1
# define CMS_OIK_PUBKEY 2
+#pragma GCC visibility push(hidden)
+
BIO *cms_content_bio(CMS_ContentInfo *cms);
CMS_ContentInfo *cms_Data_create(void);
@@ -465,6 +467,8 @@ int cms_RecipientInfo_kari_encrypt(CMS_C
int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
int en_de);
+#pragma GCC visibility pop
+
#ifdef __cplusplus
}
#endif
Index: openssl-1.0.2i/crypto/des/des_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/des/des_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/des/des_locl.h 2016-09-23 10:20:47.883004040 +0200
@@ -432,10 +432,12 @@
PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
}
+#pragma GCC visibility push(hidden)
extern const DES_LONG DES_SPtrans[8][64];
void fcrypt_body(DES_LONG *out, DES_key_schedule *ks,
DES_LONG Eswap0, DES_LONG Eswap1);
+#pragma GCC visibility pop
# ifdef OPENSSL_SMALL_FOOTPRINT
# undef DES_UNROLL
Index: openssl-1.0.2i/crypto/dsa/dsa_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/dsa/dsa_locl.h 2016-09-23 10:20:47.695001240 +0200
+++ openssl-1.0.2i/crypto/dsa/dsa_locl.h 2016-09-23 10:20:47.883004040 +0200
@@ -58,7 +58,7 @@ int dsa_builtin_paramgen(DSA *ret, size_
const EVP_MD *evpmd, const unsigned char *seed_in,
size_t seed_len,
int *counter_ret, unsigned long *h_ret,
- BN_GENCB *cb);
+ BN_GENCB *cb) __attribute__ ((visibility ("hidden")));
int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
const EVP_MD *evpmd, const unsigned char *seed_in,
Index: openssl-1.0.2i/crypto/ec/ec_lcl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/ec/ec_lcl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/ec/ec_lcl.h 2016-09-23 10:20:47.887004099 +0200
@@ -89,6 +89,8 @@
* change in future versions.
*/
+#pragma GCC visibility push(hidden)
+
struct ec_method_st {
/* Various method flags */
int flags;
@@ -566,3 +568,5 @@ EC_GROUP *FIPS_ec_group_new_curve_gf2m(c
const BIGNUM *b, BN_CTX *ctx);
EC_GROUP *FIPS_ec_group_new_by_curve_name(int nid);
#endif
+
+#pragma GCC visibility pop
Index: openssl-1.0.2i/crypto/ecdh/ech_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/ecdh/ech_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/ecdh/ech_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -58,6 +58,8 @@
# include <openssl/ecdh.h>
+#pragma GCC visibility push(hidden)
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -101,4 +103,5 @@ ECDH_DATA *ecdh_check(EC_KEY *);
}
#endif
+#pragma GCC visibility pop
#endif /* HEADER_ECH_LOCL_H */
Index: openssl-1.0.2i/crypto/ecdsa/ecs_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/ecdsa/ecs_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/ecdsa/ecs_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -61,6 +61,8 @@
# include <openssl/ecdsa.h>
+#pragma GCC visibility push(hidden)
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -117,4 +119,5 @@ ECDSA_DATA *ecdsa_check(EC_KEY *eckey);
}
#endif
+#pragma GCC visibility pop
#endif /* HEADER_ECS_LOCL_H */
Index: openssl-1.0.2i/crypto/engine/eng_int.h
===================================================================
--- openssl-1.0.2i.orig/crypto/engine/eng_int.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/engine/eng_int.h 2016-09-23 10:20:47.887004099 +0200
@@ -69,6 +69,8 @@
/* Take public definitions from engine.h */
# include <openssl/engine.h>
+#pragma GCC visibility push(hidden)
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -221,4 +223,5 @@ struct engine_st {
}
#endif
+#pragma GCC visibility pop
#endif /* HEADER_ENGINE_INT_H */
Index: openssl-1.0.2i/crypto/evp/e_aes.c
===================================================================
--- openssl-1.0.2i.orig/crypto/evp/e_aes.c 2016-09-23 10:20:47.695001240 +0200
+++ openssl-1.0.2i/crypto/evp/e_aes.c 2016-09-23 10:20:47.887004099 +0200
@@ -116,6 +116,8 @@ typedef struct {
# define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
+#pragma GCC visibility push(hidden)
+
# ifdef VPAES_ASM
int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
AES_KEY *key);
@@ -146,6 +148,7 @@ void bsaes_xts_decrypt(const unsigned ch
size_t len, const AES_KEY *key1,
const AES_KEY *key2, const unsigned char iv[16]);
# endif
+#pragma GCC visibility pop
# ifdef AES_CTR_ASM
void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
size_t blocks, const AES_KEY *key,
@@ -194,6 +197,8 @@ extern unsigned int OPENSSL_ia32cap_P[];
*/
# define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
+#pragma GCC visibility push(hidden)
+
int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
AES_KEY *key);
int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
@@ -263,6 +268,8 @@ void gcm_ghash_avx(u64 Xi[2], const u128
# undef AES_GCM_ASM2 /* minor size optimization */
# endif
+#pragma GCC visibility pop
+
static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
Index: openssl-1.0.2i/crypto/evp/e_aes_cbc_hmac_sha1.c
===================================================================
--- openssl-1.0.2i.orig/crypto/evp/e_aes_cbc_hmac_sha1.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/evp/e_aes_cbc_hmac_sha1.c 2016-09-23 10:20:47.887004099 +0200
@@ -98,6 +98,8 @@ typedef struct {
extern unsigned int OPENSSL_ia32cap_P[];
# define AESNI_CAPABLE (1<<(57-32))
+#pragma GCC visibility push(hidden)
+
int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
AES_KEY *key);
int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
@@ -116,6 +118,8 @@ void aesni256_cbc_sha1_dec(const void *i
const AES_KEY *key, unsigned char iv[16],
SHA_CTX *ctx, const void *in0);
+#pragma GCC visibility pop
+
# define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
Index: openssl-1.0.2i/crypto/evp/evp_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/evp/evp_locl.h 2016-09-23 10:20:47.695001240 +0200
+++ openssl-1.0.2i/crypto/evp/evp_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -261,6 +261,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
EVP_CIPH_FLAG_DEFAULT_ASN1, \
cipher##_init_key, NULL, NULL, NULL, NULL)
+#pragma GCC visibility push(hidden)
+
struct evp_pkey_ctx_st {
/* Method associated with this operation */
const EVP_PKEY_METHOD *pmeth;
@@ -334,6 +336,8 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
const EVP_MD *evp_get_fips_md(const EVP_MD *md);
const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher);
+#pragma GCC visibility pop
+
#ifdef OPENSSL_FIPS
# ifdef OPENSSL_DOING_MAKEDEPEND
Index: openssl-1.0.2i/crypto/md4/md4_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/md4/md4_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/md4/md4_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -65,7 +65,7 @@
# define MD4_LONG_LOG2 2 /* default to 32 bits */
#endif
-void md4_block_data_order(MD4_CTX *c, const void *p, size_t num);
+void md4_block_data_order(MD4_CTX *c, const void *p, size_t num) __attribute__ ((visibility ("hidden")));
#define DATA_ORDER_IS_LITTLE_ENDIAN
Index: openssl-1.0.2i/crypto/md5/md5_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/md5/md5_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/md5/md5_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -76,7 +76,7 @@
# endif
#endif
-void md5_block_data_order(MD5_CTX *c, const void *p, size_t num);
+void md5_block_data_order(MD5_CTX *c, const void *p, size_t num) __attribute__ ((visibility ("hidden")));
#define DATA_ORDER_IS_LITTLE_ENDIAN
Index: openssl-1.0.2i/crypto/modes/modes_lcl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/modes/modes_lcl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/modes/modes_lcl.h 2016-09-23 10:20:47.887004099 +0200
@@ -89,6 +89,9 @@ _asm mov eax, val _asm bswap eax}
# define GETU32(p) ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3])
# define PUTU32(p,v) ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
#endif
+
+#pragma GCC visibility push(hidden)
+
/*- GCM definitions */ typedef struct {
u64 hi, lo;
} u128;
@@ -141,3 +144,5 @@ struct ccm128_context {
block128_f block;
void *key;
};
+
+#pragma GCC visibility pop
Index: openssl-1.0.2i/crypto/o_str.h
===================================================================
--- openssl-1.0.2i.orig/crypto/o_str.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/o_str.h 2016-09-23 10:20:47.887004099 +0200
@@ -61,9 +61,11 @@
# define HEADER_O_STR_H
# include <stddef.h> /* to get size_t */
+#pragma GCC visibility push(hidden)
int OPENSSL_strcasecmp(const char *str1, const char *str2);
int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n);
int OPENSSL_memcmp(const void *p1, const void *p2, size_t n);
+#pragma GCC visibility pop
#endif
Index: openssl-1.0.2i/crypto/o_time.h
===================================================================
--- openssl-1.0.2i.orig/crypto/o_time.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/o_time.h 2016-09-23 10:20:47.887004099 +0200
@@ -61,10 +61,12 @@
# define HEADER_O_TIME_H
# include <time.h>
+#pragma GCC visibility push(hidden)
struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, long offset_sec);
int OPENSSL_gmtime_diff(int *pday, int *psec,
const struct tm *from, const struct tm *to);
+#pragma GCC visibility pop
#endif
Index: openssl-1.0.2i/crypto/ripemd/rmd_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/ripemd/rmd_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/ripemd/rmd_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -76,7 +76,7 @@
# endif
#endif
-void ripemd160_block_data_order(RIPEMD160_CTX *c, const void *p, size_t num);
+void ripemd160_block_data_order(RIPEMD160_CTX *c, const void *p, size_t num) __attribute__ ((visibility ("hidden")));
#define DATA_ORDER_IS_LITTLE_ENDIAN
Index: openssl-1.0.2i/crypto/rsa/rsa_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/rsa/rsa_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/rsa/rsa_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -1,4 +1,4 @@
extern int int_rsa_verify(int dtype, const unsigned char *m,
unsigned int m_len, unsigned char *rm,
size_t *prm_len, const unsigned char *sigbuf,
- size_t siglen, RSA *rsa);
+ size_t siglen, RSA *rsa) __attribute__ ((visibility ("hidden")));
Index: openssl-1.0.2i/crypto/sha/sha256.c
===================================================================
--- openssl-1.0.2i.orig/crypto/sha/sha256.c 2016-09-23 10:20:47.707001419 +0200
+++ openssl-1.0.2i/crypto/sha/sha256.c 2016-09-23 10:20:47.887004099 +0200
@@ -135,7 +135,7 @@ int SHA224_Final(unsigned char *md, SHA2
# ifndef SHA256_ASM
static
# endif
-void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
+void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num) __attribute__ ((visibility ("hidden")));
# include "md32_common.h"
Index: openssl-1.0.2i/crypto/sha/sha512.c
===================================================================
--- openssl-1.0.2i.orig/crypto/sha/sha512.c 2016-09-23 10:20:47.707001419 +0200
+++ openssl-1.0.2i/crypto/sha/sha512.c 2016-09-23 10:20:47.887004099 +0200
@@ -109,7 +109,7 @@ fips_md_init(SHA512)
# ifndef SHA512_ASM
static
# endif
-void sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num);
+void sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num) __attribute__ ((visibility ("hidden")));
int SHA512_Final(unsigned char *md, SHA512_CTX *c)
{
Index: openssl-1.0.2i/crypto/sha/sha_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/sha/sha_locl.h 2016-09-23 10:20:47.707001419 +0200
+++ openssl-1.0.2i/crypto/sha/sha_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -108,7 +108,7 @@ static void sha_block_data_order(SHA_CTX
# ifndef SHA1_ASM
static
# endif
-void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
+void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num) __attribute__ ((visibility ("hidden")));
#else
# error "Either SHA_0 or SHA_1 must be defined."
Index: openssl-1.0.2i/crypto/store/str_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/store/str_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/store/str_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -63,6 +63,8 @@
# include <openssl/crypto.h>
# include <openssl/store.h>
+#pragma GCC visibility push(hidden)
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -121,5 +123,5 @@ struct store_st {
#ifdef __cplusplus
}
#endif
-
+#pragma GCC visibility pop
#endif
Index: openssl-1.0.2i/crypto/ui/ui_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/ui/ui_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/ui/ui_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -67,6 +67,8 @@
# undef _
# endif
+#pragma GCC visibility push(hidden)
+
struct ui_method_st {
char *name;
/*
@@ -142,4 +144,5 @@ struct ui_st {
int flags;
};
+#pragma GCC visibility pop
#endif
Index: openssl-1.0.2i/crypto/whrlpool/wp_locl.h
===================================================================
--- openssl-1.0.2i.orig/crypto/whrlpool/wp_locl.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/whrlpool/wp_locl.h 2016-09-23 10:20:47.887004099 +0200
@@ -1,3 +1,3 @@
#include <openssl/whrlpool.h>
-void whirlpool_block(WHIRLPOOL_CTX *, const void *, size_t);
+void whirlpool_block(WHIRLPOOL_CTX *, const void *, size_t) __attribute__ ((visibility ("hidden")));
Index: openssl-1.0.2i/crypto/x509v3/ext_dat.h
===================================================================
--- openssl-1.0.2i.orig/crypto/x509v3/ext_dat.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/x509v3/ext_dat.h 2016-09-23 10:20:47.887004099 +0200
@@ -58,6 +58,8 @@
*/
/* This file contains a table of "standard" extensions */
+#pragma GCC visibility push(hidden)
+
extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
@@ -131,6 +133,7 @@ static const X509V3_EXT_METHOD *standard
&v3_ct_scts[1],
};
+#pragma GCC visibility pop
/* Number of standard extensions */
#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
Index: openssl-1.0.2i/crypto/x509v3/pcy_int.h
===================================================================
--- openssl-1.0.2i.orig/crypto/x509v3/pcy_int.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/x509v3/pcy_int.h 2016-09-23 10:20:47.887004099 +0200
@@ -57,6 +57,8 @@
*
*/
+#pragma GCC visibility push(hidden)
+
typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
DECLARE_STACK_OF(X509_POLICY_DATA)
@@ -215,3 +217,5 @@ int policy_node_match(const X509_POLICY_
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
const X509_POLICY_CACHE *policy_cache_set(X509 *x);
+
+#pragma GCC visibility pop
Index: openssl-1.0.2i/crypto/modes/gcm128.c
===================================================================
--- openssl-1.0.2i.orig/crypto/modes/gcm128.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/modes/gcm128.c 2016-09-23 10:20:47.887004099 +0200
@@ -602,9 +602,9 @@ static void gcm_ghash_4bit(u64 Xi[2], co
}
# endif
# else
-void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]);
+void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]) __attribute__ ((visibility ("hidden")));
void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const u8 *inp,
- size_t len);
+ size_t len) __attribute__ ((visibility ("hidden")));
# endif
# define GCM_MUL(ctx,Xi) gcm_gmult_4bit(ctx->Xi.u,ctx->Htable)
@@ -696,10 +696,10 @@ static void gcm_gmult_1bit(u64 Xi[2], co
# define GCM_FUNCREF_4BIT
extern unsigned int OPENSSL_ia32cap_P[];
-void gcm_init_clmul(u128 Htable[16], const u64 Xi[2]);
-void gcm_gmult_clmul(u64 Xi[2], const u128 Htable[16]);
+void gcm_init_clmul(u128 Htable[16], const u64 Xi[2]) __attribute__ ((visibility ("hidden")));
+void gcm_gmult_clmul(u64 Xi[2], const u128 Htable[16]) __attribute__ ((visibility ("hidden")));
void gcm_ghash_clmul(u64 Xi[2], const u128 Htable[16], const u8 *inp,
- size_t len);
+ size_t len) __attribute__ ((visibility ("hidden")));
# if defined(__i386) || defined(__i386__) || defined(_M_IX86)
# define gcm_init_avx gcm_init_clmul
Index: openssl-1.0.2i/crypto/evp/e_rc4_hmac_md5.c
===================================================================
--- openssl-1.0.2i.orig/crypto/evp/e_rc4_hmac_md5.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/evp/e_rc4_hmac_md5.c 2016-09-23 10:20:47.887004099 +0200
@@ -78,7 +78,7 @@ typedef struct {
# define NO_PAYLOAD_LENGTH ((size_t)-1)
void rc4_md5_enc(RC4_KEY *key, const void *in0, void *out,
- MD5_CTX *ctx, const void *inp, size_t blocks);
+ MD5_CTX *ctx, const void *inp, size_t blocks) __attribute__ ((visibility ("hidden")));
# define data(ctx) ((EVP_RC4_HMAC_MD5 *)(ctx)->cipher_data)
Index: openssl-1.0.2i/crypto/cmac/cm_ameth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/cmac/cm_ameth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/cmac/cm_ameth.c 2016-09-23 10:20:47.887004099 +0200
@@ -73,7 +73,7 @@ static void cmac_key_free(EVP_PKEY *pkey
if (cmctx)
CMAC_CTX_free(cmctx);
}
-
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = {
EVP_PKEY_CMAC,
EVP_PKEY_CMAC,
Index: openssl-1.0.2i/crypto/evp/pmeth_lib.c
===================================================================
--- openssl-1.0.2i.orig/crypto/evp/pmeth_lib.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/evp/pmeth_lib.c 2016-09-23 10:20:47.887004099 +0200
@@ -71,7 +71,7 @@
typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
DECLARE_STACK_OF(EVP_PKEY_METHOD)
-STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
+static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth;
extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth;
Index: openssl-1.0.2i/crypto/cmac/cm_pmeth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/cmac/cm_pmeth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/cmac/cm_pmeth.c 2016-09-23 10:20:47.887004099 +0200
@@ -182,6 +182,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
return -2;
}
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_METHOD cmac_pkey_meth = {
EVP_PKEY_CMAC,
EVP_PKEY_FLAG_SIGCTX_CUSTOM,
Index: openssl-1.0.2i/crypto/rand/md_rand.c
===================================================================
--- openssl-1.0.2i.orig/crypto/rand/md_rand.c 2016-09-23 10:20:47.827003205 +0200
+++ openssl-1.0.2i/crypto/rand/md_rand.c 2016-09-23 10:20:47.887004099 +0200
@@ -164,7 +164,7 @@ static int ssleay_rand_nopseudo_bytes(un
static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
static int ssleay_rand_status(void);
-RAND_METHOD rand_ssleay_meth = {
+static RAND_METHOD rand_ssleay_meth = {
ssleay_rand_seed,
ssleay_rand_nopseudo_bytes,
ssleay_rand_cleanup,
Index: openssl-1.0.2i/crypto/dh/dh_ameth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/dh/dh_ameth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/dh/dh_ameth.c 2016-09-23 10:20:47.887004099 +0200
@@ -584,6 +584,7 @@ static int dh_pkey_ctrl(EVP_PKEY *pkey,
}
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
EVP_PKEY_DH,
EVP_PKEY_DH,
Index: openssl-1.0.2i/crypto/dh/dh_pmeth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/dh/dh_pmeth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/dh/dh_pmeth.c 2016-09-23 10:20:47.887004099 +0200
@@ -482,6 +482,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
return 1;
}
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_METHOD dh_pkey_meth = {
EVP_PKEY_DH,
0,
Index: openssl-1.0.2i/crypto/dsa/dsa_ameth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/dsa/dsa_ameth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/dsa/dsa_ameth.c 2016-09-23 10:20:47.887004099 +0200
@@ -621,6 +621,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
/* NB these are sorted in pkey_id order, lowest first */
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = {
{
Index: openssl-1.0.2i/crypto/dsa/dsa_pmeth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/dsa/dsa_pmeth.c 2016-09-23 10:20:47.695001240 +0200
+++ openssl-1.0.2i/crypto/dsa/dsa_pmeth.c 2016-09-23 10:20:47.887004099 +0200
@@ -278,6 +278,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX
return DSA_generate_key(pkey->pkey.dsa);
}
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_METHOD dsa_pkey_meth = {
EVP_PKEY_DSA,
EVP_PKEY_FLAG_AUTOARGLEN,
Index: openssl-1.0.2i/crypto/ec/ec_ameth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/ec/ec_ameth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/ec/ec_ameth.c 2016-09-23 10:20:47.891004159 +0200
@@ -608,6 +608,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey,
}
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
EVP_PKEY_EC,
EVP_PKEY_EC,
Index: openssl-1.0.2i/crypto/ec/ec_pmeth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/ec/ec_pmeth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/ec/ec_pmeth.c 2016-09-23 10:20:47.891004159 +0200
@@ -491,6 +491,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
return EC_KEY_generate_key(pkey->pkey.ec);
}
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_METHOD ec_pkey_meth = {
EVP_PKEY_EC,
0,
Index: openssl-1.0.2i/crypto/hmac/hm_ameth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/hmac/hm_ameth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/hmac/hm_ameth.c 2016-09-23 10:20:47.891004159 +0200
@@ -140,6 +140,7 @@ static int old_hmac_encode(const EVP_PKE
#endif
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = {
EVP_PKEY_HMAC,
EVP_PKEY_HMAC,
Index: openssl-1.0.2i/crypto/hmac/hm_pmeth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/hmac/hm_pmeth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/hmac/hm_pmeth.c 2016-09-23 10:20:47.891004159 +0200
@@ -228,6 +228,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
return -2;
}
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_METHOD hmac_pkey_meth = {
EVP_PKEY_HMAC,
0,
Index: openssl-1.0.2i/crypto/rsa/rsa_ameth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/rsa/rsa_ameth.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/rsa/rsa_ameth.c 2016-09-23 10:20:47.891004159 +0200
@@ -929,6 +929,7 @@ static int rsa_cms_encrypt(CMS_Recipient
}
#endif
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
{
EVP_PKEY_RSA,
Index: openssl-1.0.2i/crypto/rsa/rsa_pmeth.c
===================================================================
--- openssl-1.0.2i.orig/crypto/rsa/rsa_pmeth.c 2016-09-23 10:20:47.707001419 +0200
+++ openssl-1.0.2i/crypto/rsa/rsa_pmeth.c 2016-09-23 10:20:47.891004159 +0200
@@ -725,6 +725,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX
return ret;
}
+ __attribute__ ((visibility ("hidden")))
const EVP_PKEY_METHOD rsa_pkey_meth = {
EVP_PKEY_RSA,
EVP_PKEY_FLAG_AUTOARGLEN,
Index: openssl-1.0.2i/crypto/objects/obj_xref.c
===================================================================
--- openssl-1.0.2i.orig/crypto/objects/obj_xref.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/objects/obj_xref.c 2016-09-23 10:20:47.891004159 +0200
@@ -61,7 +61,7 @@
#include "obj_xref.h"
DECLARE_STACK_OF(nid_triple)
-STACK_OF(nid_triple) *sig_app, *sigx_app;
+static STACK_OF(nid_triple) *sig_app, *sigx_app;
static int sig_cmp(const nid_triple *a, const nid_triple *b)
{
Index: openssl-1.0.2i/crypto/pem/pem_lib.c
===================================================================
--- openssl-1.0.2i.orig/crypto/pem/pem_lib.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/pem/pem_lib.c 2016-09-23 10:20:47.891004159 +0200
@@ -80,7 +80,7 @@ const char PEM_version[] = "PEM" OPENSSL
static int load_iv(char **fromp, unsigned char *to, int num);
static int check_pem(const char *nm, const char *name);
-int pem_check_suffix(const char *pem_str, const char *suffix);
+int pem_check_suffix(const char *pem_str, const char *suffix) __attribute__ ((visibility ("hidden")));
int PEM_def_callback(char *buf, int num, int w, void *key)
{
Index: openssl-1.0.2i/crypto/asn1/tasn_prn.c
===================================================================
--- openssl-1.0.2i.orig/crypto/asn1/tasn_prn.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/asn1/tasn_prn.c 2016-09-23 10:20:47.891004159 +0200
@@ -73,7 +73,7 @@
/* ASN1_PCTX routines */
-ASN1_PCTX default_pctx = {
+static ASN1_PCTX default_pctx = {
ASN1_PCTX_FLAGS_SHOW_ABSENT, /* flags */
0, /* nm_flags */
0, /* cert_flags */
Index: openssl-1.0.2i/crypto/bn/bn_exp.c
===================================================================
--- openssl-1.0.2i.orig/crypto/bn/bn_exp.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/bn/bn_exp.c 2016-09-23 10:20:47.891004159 +0200
@@ -998,10 +998,10 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
*/
void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,
const void *table, const BN_ULONG *np,
- const BN_ULONG *n0, int num, int power);
+ const BN_ULONG *n0, int num, int power) __attribute__ ((visibility ("hidden")));
void bn_scatter5(const BN_ULONG *inp, size_t num,
- void *table, size_t power);
- void bn_gather5(BN_ULONG *out, size_t num, void *table, size_t power);
+ void *table, size_t power) __attribute__ ((visibility ("hidden")));
+ void bn_gather5(BN_ULONG *out, size_t num, void *table, size_t power) __attribute__ ((visibility ("hidden")));
void bn_power5(BN_ULONG *rp, const BN_ULONG *ap,
const void *table, const BN_ULONG *np,
const BN_ULONG *n0, int num, int power);
Index: openssl-1.0.2i/crypto/bn/bn_gf2m.c
===================================================================
--- openssl-1.0.2i.orig/crypto/bn/bn_gf2m.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/bn/bn_gf2m.c 2016-09-23 10:20:47.891004159 +0200
@@ -321,7 +321,7 @@ static void bn_GF2m_mul_2x2(BN_ULONG *r,
}
# else
void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1,
- BN_ULONG b0);
+ BN_ULONG b0) __attribute__ ((visibility ("hidden")));
# endif
/*

View File

@ -1,166 +0,0 @@
From f33b5a4cb7da3947d06b74e6f6cd2f264faca170 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodriguez@opensuse.org>
Date: Sun, 20 Apr 2014 19:39:37 -0300
Subject: [PATCH] libssl: Hide library private symbols
It hides all the library symbols that are not part of the public
API/ABI when GCC 4 or later is used.
---
ssl/d1_lib.c | 5 ++---
ssl/kssl_lcl.h | 9 +++++++++
ssl/s23_srvr.c | 4 ++--
ssl/s2_lib.c | 1 -
ssl/s3_lib.c | 1 -
ssl/ssl_lib.c | 1 -
ssl/ssl_locl.h | 8 ++++++++
ssl/t1_lib.c | 6 ++----
8 files changed, 23 insertions(+), 12 deletions(-)
Index: openssl-1.0.2a/ssl/d1_lib.c
===================================================================
--- openssl-1.0.2a.orig/ssl/d1_lib.c 2015-05-29 13:41:52.858088475 +0200
+++ openssl-1.0.2a/ssl/d1_lib.c 2015-05-29 13:47:58.764278577 +0200
@@ -69,8 +69,7 @@
static void get_current_time(struct timeval *t);
static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
static int dtls1_handshake_write(SSL *s);
-const char dtls1_version_str[] = "DTLSv1" OPENSSL_VERSION_PTEXT;
-int dtls1_listen(SSL *s, struct sockaddr *client);
+static int dtls1_listen(SSL *s, struct sockaddr *client);
SSL3_ENC_METHOD DTLSv1_enc_data = {
tls1_enc,
@@ -539,7 +538,7 @@ static void get_current_time(struct time
#endif
}
-int dtls1_listen(SSL *s, struct sockaddr *client)
+static int dtls1_listen(SSL *s, struct sockaddr *client)
{
int ret;
Index: openssl-1.0.2a/ssl/kssl_lcl.h
===================================================================
--- openssl-1.0.2a.orig/ssl/kssl_lcl.h 2015-05-29 13:41:52.858088475 +0200
+++ openssl-1.0.2a/ssl/kssl_lcl.h 2015-05-29 13:46:44.708430822 +0200
@@ -62,6 +62,10 @@
# include <openssl/kssl.h>
+#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility push(hidden)
+#endif
+
# ifndef OPENSSL_NO_KRB5
#ifdef __cplusplus
@@ -85,4 +89,9 @@ int kssl_tgt_is_available(KSSL_CTX *kssl
}
#endif
# endif /* OPENSSL_NO_KRB5 */
+
+#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility pop
+#endif
+
#endif /* KSSL_LCL_H */
Index: openssl-1.0.2a/ssl/s23_srvr.c
===================================================================
--- openssl-1.0.2a.orig/ssl/s23_srvr.c 2015-05-29 13:41:51.427072084 +0200
+++ openssl-1.0.2a/ssl/s23_srvr.c 2015-05-29 13:47:16.275792355 +0200
@@ -120,7 +120,7 @@
#endif
static const SSL_METHOD *ssl23_get_server_method(int ver);
-int ssl23_get_client_hello(SSL *s);
+static int ssl23_get_client_hello(SSL *s);
static const SSL_METHOD *ssl23_get_server_method(int ver)
{
#ifndef OPENSSL_NO_SSL2
@@ -233,7 +233,7 @@ int ssl23_accept(SSL *s)
return (ret);
}
-int ssl23_get_client_hello(SSL *s)
+static int ssl23_get_client_hello(SSL *s)
{
/*-
* Request this many bytes in initial read.
Index: openssl-1.0.2a/ssl/s2_lib.c
===================================================================
--- openssl-1.0.2a.orig/ssl/s2_lib.c 2015-05-29 13:41:52.859088486 +0200
+++ openssl-1.0.2a/ssl/s2_lib.c 2015-05-29 13:47:37.964040715 +0200
@@ -116,7 +116,6 @@
# include <openssl/evp.h>
# include <openssl/md5.h>
-const char ssl2_version_str[] = "SSLv2" OPENSSL_VERSION_PTEXT;
# define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
Index: openssl-1.0.2a/ssl/s3_lib.c
===================================================================
--- openssl-1.0.2a.orig/ssl/s3_lib.c 2015-05-29 13:41:52.859088486 +0200
+++ openssl-1.0.2a/ssl/s3_lib.c 2015-05-29 13:49:33.525363159 +0200
@@ -157,7 +157,6 @@
# include <openssl/dh.h>
#endif
-const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT;
#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
Index: openssl-1.0.2a/ssl/ssl_lib.c
===================================================================
--- openssl-1.0.2a.orig/ssl/ssl_lib.c 2015-05-29 13:41:52.860088498 +0200
+++ openssl-1.0.2a/ssl/ssl_lib.c 2015-05-29 13:49:51.821573194 +0200
@@ -160,7 +160,6 @@
# include <openssl/engine.h>
#endif
-const char *SSL_version_str = OPENSSL_VERSION_TEXT;
SSL3_ENC_METHOD ssl3_undef_enc_method = {
/*
Index: openssl-1.0.2a/ssl/ssl_locl.h
===================================================================
--- openssl-1.0.2a.orig/ssl/ssl_locl.h 2015-05-29 13:41:52.860088498 +0200
+++ openssl-1.0.2a/ssl/ssl_locl.h 2015-05-29 13:51:29.789694782 +0200
@@ -165,6 +165,10 @@
# include <openssl/ssl.h>
# include <openssl/symhacks.h>
+#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility push(hidden)
+#endif
+
# ifdef OPENSSL_BUILD_SHLIBSSL
# undef OPENSSL_EXTERN
# define OPENSSL_EXTERN OPENSSL_EXPORT
@@ -1475,5 +1479,14 @@ void custom_exts_free(custom_ext_methods
# define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat
# define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat
+int private_tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, int seed2_len,
+ const void *seed3, int seed3_len, const void *seed4, int seed4_len, const void *seed5, int seed5_len,
+ const unsigned char *sec, int slen, unsigned char *out1, unsigned char *out2, int olen);
+
# endif
+
+#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility pop
+#endif
+
#endif
Index: openssl-1.0.2a/ssl/t1_lib.c
===================================================================
--- openssl-1.0.2a.orig/ssl/t1_lib.c 2015-05-29 13:41:52.861088510 +0200
+++ openssl-1.0.2a/ssl/t1_lib.c 2015-05-29 13:51:50.181929005 +0200
@@ -120,7 +120,6 @@
#include <openssl/rand.h>
#include "ssl_locl.h"
-const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
#ifndef OPENSSL_NO_TLSEXT
static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,

View File

@ -1,241 +0,0 @@
README-FIPS.txt - Roman Drahtmueller <draht@suse.de>, June 16 2012
NOTE: Finished the adjustment of DSO path and correct the version
information for SLE 12. Still need to review about AES-NI optimization.
Shawn Chang <shchang@suse.com>, Dec 7 2013.
NOTE: Outdated currently for openSUSE Factory / SLE 12, needs review
and adjustments. But basic settings still are the same.
Marcus Meissner <meissner@suse.de>, 2013/Dec/03.
* general information
* FIPS-140-2 mode of operation
* overview: openssl subpackages on SLES12
==============================================================================
* general information
==============================================================================
Dear user of the SUSE Linux Enterprise Server,
SLES12 comes with openssl of version 1.0.1e, a version upgrade from
0.9.8j that came with earlier revisions of SLES11-SP3.
The new version has support for FIPS-140-2 mode of operation.
FIPS is short for Federal Information Processing Standard.
For more information on FIPS-140-2, please see
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
and more publications on the NIST website.
The openssl shared libraries are used by numerous packages in the
SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode,
then the binary that links against the library at runtime makes use
of FIPS-140-2 validated cryptography as defined in its cryptographic
module. By consequence, a large number of packages can make a claim
about using FIPS-140-2 validated cryptographical functions.
Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2
mode of operation.
Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are
supported and used, if the used CPU supports the AES-NI instructions. These
assembler optimizations can deliver a substantial performance benefit.
To check if your system's CPU(s) has (have) AES-NI support, have a look
into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes"
flag.
AES-NI support can be disabled by setting the environment variable
OPENSSL_DISABLE_AESNI before running binaries that link against openssl.
The "openssl speed" command can give you an idea for the performance
differences.
The cryptographic module as defined for FIPS-140-2 is contained in the files
/lib64/.libcrypto.so.1.0.0.hmac
/lib64/.libssl.so.1.0.0.hmac
/lib64/libcrypto.so.1.0.0
/lib64/libssl.so.1.0.0
for 64bit operation and
/lib/.libcrypto.so.1.0.0.hmac
/lib/.libssl.so.1.0.0.hmac
/lib/libcrypto.so.1.0.0
/lib/libssl.so.1.0.0
for 32bit.
The .hmac files contain a HMAC for the internal integrity checking. They
are contained in the package libopenssl1_0_0-hmac, seperate from the
libopenssl1_0_0 package. These hashes are produced as one of the last steps
during the RPM build process.
If the library starts up in FIPS mode, the .hmac files are read, and the
checksum is verified against a new self-measurement of the library.
Essentially, this means that the FIPS mode of operation is not possible
without the .hmac files from the corresponding -hmac package installed.
If the library starts up in non-FIPS mode, it checks if the .hmac files
exist, and if so, it runs through the self-tests as if it operates in FIPS
mode. This self-test in non-FIPS mode is formally mandatory and comes with
a heavy CPU footprint. You can avoid this overhead by un-installing the
libopenssl1_0_0-hmac package (with the consequence that FIPS mode of
operation becomes unavailable).
The openssl library operates in non-FIPS mode by default.
* FIPS-140-2 mode of operation
==============================================================================
The openssl library operates in non-FIPS mode by default.
As noted above (* general information), the .hmac files for the integrity
self-check of the openssl library are contained in their own package.
Unfortunately, the self-test is mandatory even if the library runs in
non-FIPS mode, causing a significant CPU consumption during openssl's
initialization. You can avoid this overhead by de-installing the -hmac
package if you do not need FIPS mode of operation.
If you DO need to run binaries that are linked against the openssl
cryptographic library that runs in FIPS mode, you MUST have the
libopenssl1_0_0-hmac package installed.
!!! If you enable FIPS mode of operation with the methods below, you MUST
!!! have the libopenssl1_0_0-hmac package installed. Programs that runtime-link
!!! against openssl will abort if the FIPS self-tests (including the
!!! integrity check with the .hmac hashes) fail!
There are three ways to switch the shared libraries listed above to
FIPS-140-2 compliant mode:
1) Start your system with the kernel commandline option "fips=1". To
change the configuration for your system on a permanent basis, please
add the command line option to the corresponding line in the bootloader
configuration, typically /boot/grub/menu.lst .
You can check if the kernel has accepted the commandline option at boot
by inspecting the content of the file /proc/sys/crypto/fips_enabled .
Please note that the fips=1 kernel commandline option switches
the kernel's crypto API to FIPS mode operation, too. As a consequence,
some of the in-kernel cryptographical functions may become unavailable.
As of the writing of this README-FIPS.txt, the kernel's crypto API in
the SUSE Linux Enterprise Server was NOT FIPS-140-2 validated!
2) set the environment variable OPENSSL_FORCE_FIPS_MODE to "1":
export OPENSSL_FORCE_FIPS_MODE=1
and run your application with this environment variable set.
The FIPS-140-2 mode of operation is only given in the context of
processes that have OPENSSL_FORCE_FIPS_MODE set, unless the global
switch as in 1) above is active.
3) In your program, use the exported function
int FIPS_mode_set(int onoff);
to turn on FIPS-140-2 compliant mode. The library will conduct the
mandatory self-tests and the integrity check that makes use of the
.hmac files mentioned above.
The function
int FIPS_mode(void);
can be used to check if the library operates in FIPS-140-2 compliant
mode. It returns 1 in FIPS mode, 0 otherwise.
Notes:
- An easy way to verify if your openssl cryptography subsystem operates
in FIPS-140-2 compliant mode is to look at the output of the
openssl ciphers
command. In FIPS-140-2 compliant mode, the output lists fewer
algorythms.
- The startup time of programs that initialize the openssl shared libraries
in FIPS-140-2 compliant mode is considerably longer due to the self-tests
that are being executed. On fast systems, the startup overhead can be in the
range of 0.05-0.3s. The startup time is two orders of a magnitude smaller
in non-FIPS mode.
Please note that the self-test overhead only occurs during the
initialization of the cryptographic module. There is no other
performance impact of FIPS-140-2 compliant operation of the library.
- The environment variable OPENSSL_FIPS can be set to force the
/usr/bin/openssl binary to operate in FIPS-140-2 compliant mode:
OPENSSL_FIPS=1 openssl ciphers
The variable OPENSSL_FIPS has an effect on the openssl binary only.
- Services and daemons that make use of the openssl shared libraries in
FIPS-140-2 compliant mode need to be configured to use algorythms
from the list of permissable algorythms. If an algorythm is requested
by an application that is not allowed in FIPS-140-2 compliant mode,
the application will terminate (abort(3)).
Please see the FIPS-140-2 Security Policy document for the openssl
FIPS module on the SUSE Linux Enterprise Server 11 SP1 from the
SUSE website at http://www.suse.com/ or the NIST website at
http://csrc.nist.gov/ for more details.
- If you have any questions about the FIPS-140-2 compliant mode of openssl,
please send email to security@suse.com.
* overview: openssl subpackages on SLES12
==============================================================================
The openssl package consists of the following RPM package:
openssl
- manual pages
- the /etc/ssl configuration directory
- the /usr/bin/openssl program
- /usr/bin/fips_standalone_hmac, the program used to reproduce
the integrity HMAC that is contained in the package:
libopenssl1_0_0
- files:
/lib64/libcrypto.so.1.0.0
/lib64/libssl.so.1.0.0
/lib64/engines
/lib64/engines/libcapi.so
/lib64/engines/libgmp.so
/lib64/engines/libgost.so
/lib64/engines/libpadlock.so
libopenssl1_0_0-hmac
- files:
/lib64/.libcrypto.so.1.0.0.hmac
/lib64/.libssl.so.1.0.0.hmac
libopenssl1_0_0-32bit
- files as in package libopenssl1_0_0, but in /lib/.
The .so libraries are for the 32bit compatibility mode of the
openssl library.
libopenssl1_0_0-hmac-32bit
- files as in package libopenssl1_0_0-hmac, but in /lib/.
libopenssl-devel
- header files and static libraries for compiling applications with the
openssl library. Please note that running binaries that are statically
linked against openssl libraries is not supported in terms of FIPS-140-2
compliance.
openssl-doc
- more documentation and manual pages.
openssl-debuginfo
openssl-debugsource
- packages that provide debugging symbols and debugging source code for
running binaries (dynamically) linked against libopenssl1_0_0 in a
debugger.
openssl-certs
- CA certificate collection in /etc/ssl/certs
The openssl-certs package is not a subpackage of the openssl package,
but it merely provides CA certificates where the openssl package
finds them.

View File

@ -1,9 +1,9 @@
Please note that the man pages for the openssl libraries and tools
have been placed in a package on its own right: openssl-doc Please
install the openssl-doc package if you need the man pages, HTML
documentation or sample C programs.
========
OVERVIEW
The C header files and static libraries have also been extracted, they
can now be found in the openssl-devel package.
This package is a dummy package that always depends on the
version of corresponding openssl packages that openSUSE
currently supports.
Your SUSE Team.
There can be multiple openssl versions (newer or older) present
for compatibility reasons.

View File

@ -1,8 +1,6 @@
libopenssl1_0_0
obsoletes "openssl-<targettype> <= <version>"
openssl
requires "openssl-1_0_0-<targettype> = <version>"
libopenssl-devel
requires -libopenssl-<targettype>
requires "openssl-<targettype> = <version>"
requires "libopenssl1_0_0-<targettype> = <version>"
libopenssl1_0_0-hmac
requires -libopenssl1_0_0 = <version>
requires "libopenssl1_0_0-<targettype> = <version>-%release"
requires "libopenssl-1_0_0-devel-<targettype> = <version>"

View File

@ -1,14 +0,0 @@
Index: openssl-1.0.2a/Configure
===================================================================
--- openssl-1.0.2a.orig/Configure 2015-04-03 21:33:54.286437754 +0200
+++ openssl-1.0.2a/Configure 2015-04-03 21:42:55.431975088 +0200
@@ -1889,7 +1889,8 @@ while (<IN>)
}
elsif (/^#define\s+ENGINESDIR/)
{
- my $foo = "$prefix/$libdir/engines";
+ #my $foo = "$prefix/$libdir/engines";
+ my $foo = "/$libdir/engines";
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}

View File

@ -1,51 +0,0 @@
Index: openssl-1.0.2b/doc/ssl/SSL_COMP_add_compression_method.pod
===================================================================
--- openssl-1.0.2b.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-06-11 20:11:49.353667505 +0200
+++ openssl-1.0.2b/doc/ssl/SSL_COMP_add_compression_method.pod 2015-06-11 20:11:51.183689314 +0200
@@ -47,6 +47,24 @@ of compression methods supported on a pe
If enabled during compilation, the OpenSSL library will have the
COMP_zlib() compression method available.
+And, there is an environment variable to switch the compression
+methods off and on. In default the compression is off to mitigate
+the so called CRIME attack ( CVE-2012-4929). If you want to enable
+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
+
+The variable can be switched on and off at runtime; when this variable
+is set "no" compression is enabled, otherwise no, for example:
+
+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
+or in C to call
+int setenv(const char *name, const char *value, int overwrite); and
+int unsetenv(const char *name);
+
+Note: This reverts the behavior of the variable as it was before!
+
+And pay attention that this freaure is temporary, it maybe changed by
+the following updates.
+
=head1 WARNINGS
Once the identities of the compression methods for the TLS protocol have
Index: openssl-1.0.2b/ssl/ssl_ciph.c
===================================================================
--- openssl-1.0.2b.orig/ssl/ssl_ciph.c 2015-06-11 20:11:49.353667505 +0200
+++ openssl-1.0.2b/ssl/ssl_ciph.c 2015-06-11 20:11:51.183689314 +0200
@@ -478,10 +478,16 @@ static void load_builtin_compressions(vo
if (ssl_comp_methods == NULL) {
SSL_COMP *comp = NULL;
+ const char *nodefaultzlib;
MemCheck_off();
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
- if (ssl_comp_methods != NULL) {
+ /* The default is "no" compression to avoid CRIME/BEAST */
+ nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");
+ if ( ssl_comp_methods != NULL &&
+ nodefaultzlib &&
+ strncmp( nodefaultzlib, "no", 2) == 0)
+ {
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL) {
comp->method = COMP_zlib();

View File

@ -1,82 +0,0 @@
---
Configure | 4 ++--
config | 23 +++++++++++++++--------
2 files changed, 17 insertions(+), 10 deletions(-)
Index: openssl-1.0.2a/Configure
===================================================================
--- openssl-1.0.2a.orig/Configure
+++ openssl-1.0.2a/Configure
@@ -978,7 +978,7 @@ PROCESS_ARGS:
}
else
{
- die "target already defined - $target (offending arg: $_)\n" if ($target ne "");
+ warn "target already defined - $target (offending arg: $_)\n" if ($target ne "");
$target=$_;
}
@@ -1258,7 +1258,7 @@ if ($target =~ /linux.*\-mips/ && !$no_a
my $no_shared_warn=0;
my $no_user_cflags=0;
-if ($flags ne "") { $cflags="$flags$cflags"; }
+if ($flags ne "") { $cflags="$cflags $flags"; }
else { $no_user_cflags=1; }
# Kerberos settings. The flavor must be provided from outside, either through
Index: openssl-1.0.2a/config
===================================================================
--- openssl-1.0.2a.orig/config
+++ openssl-1.0.2a/config
@@ -573,7 +573,8 @@ case "$GUESSOS" in
options="$options -arch%20${MACHINE}"
OUT="iphoneos-cross" ;;
alpha-*-linux2)
- ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
+ #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
+ ISA=EV56
case ${ISA:-generic} in
*[678]) OUT="linux-alpha+bwx-$CC" ;;
*) OUT="linux-alpha-$CC" ;;
@@ -598,8 +599,10 @@ case "$GUESSOS" in
if [ "$KERNEL_BITS" = "64" ]; then
OUT="linux-ppc64"
else
- OUT="linux-ppc"
- (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"
+# OUT="linux-ppc"
+ # we have the target and force it here
+ OUT="linux-ppc64"
+ (echo "__LP64" | gcc -E -x c - 2>/dev/null | grep "^__LP64" 2>&1 > /dev/null) || options="$options -m32"
fi
;;
ppc64le-*-linux2) OUT="linux-ppc64le" ;;
@@ -632,10 +635,10 @@ case "$GUESSOS" in
sparc-*-linux2)
KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo`
case ${KARCH:-sun4} in
- sun4u*) OUT="linux-sparcv9" ;;
- sun4m) OUT="linux-sparcv8" ;;
- sun4d) OUT="linux-sparcv8" ;;
- *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
+# sun4u*) OUT="linux-sparcv9" ;;
+# sun4m) OUT="linux-sparcv8" ;;
+# sun4d) OUT="linux-sparcv8" ;;
+ *) OUT="linux-sparcv8" ;;
esac ;;
parisc*-*-linux2)
# 64-bit builds under parisc64 linux are not supported and
@@ -654,7 +657,11 @@ case "$GUESSOS" in
# PA8500 -> 8000 (2.0)
# PA8600 -> 8000 (2.0)
- CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'`
+ # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'`
+ # lets have CPUSCHEDULE for 1.1:
+ CPUSCHEDULE=7100LC
+ # we want to support 1.1 CPUs as well:
+ CPUARCH=1.1
# Finish Model transformations
options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH"

View File

@ -1,43 +0,0 @@
From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 21 Apr 2010 15:52:10 +0200
Subject: [PATCH] also create old hash for compatibility
---
tools/c_rehash.in | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
Index: openssl-1.0.2a/tools/c_rehash.in
===================================================================
--- openssl-1.0.2a.orig/tools/c_rehash.in 2015-04-03 21:41:53.440111263 +0200
+++ openssl-1.0.2a/tools/c_rehash.in 2015-04-03 21:42:51.150916910 +0200
@@ -113,6 +113,7 @@ sub hash_dir {
next;
}
link_hash_cert($fname) if($cert);
+ link_hash_cert_old($fname) if($cert);
link_hash_crl($fname) if($crl);
}
}
@@ -146,8 +147,9 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
+ my $hashopt = $_[1] || '-subject_hash';
$fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
chomp $hash;
chomp $fprint;
$fprint =~ s/^.*=//;
@@ -177,6 +179,10 @@ sub link_hash_cert {
$hashlist{$hash} = $fprint;
}
+sub link_hash_cert_old {
+ link_hash_cert($_[0], '-subject_hash_old');
+}
+
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {

View File

@ -1,37 +0,0 @@
Index: openssl-1.0.2h/ssl/ssl_ciph.c
===================================================================
--- openssl-1.0.2h.orig/ssl/ssl_ciph.c 2016-05-03 16:36:50.482900040 +0200
+++ openssl-1.0.2h/ssl/ssl_ciph.c 2016-05-03 16:36:51.951922883 +0200
@@ -1608,7 +1608,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*/
ok = 1;
rule_p = rule_str;
- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+ &head, &tail, ca_list);
+ rule_p += 12;
+ if (*rule_p == ':')
+ rule_p++;
+ }
+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
&head, &tail, ca_list);
rule_p += 7;
Index: openssl-1.0.2h/ssl/ssl.h
===================================================================
--- openssl-1.0.2h.orig/ssl/ssl.h 2016-05-03 16:36:51.951922883 +0200
+++ openssl-1.0.2h/ssl/ssl.h 2016-05-03 16:41:00.024781841 +0200
@@ -338,7 +338,11 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
+
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is

View File

@ -1,30 +0,0 @@
Index: openssl-1.0.2b/test/testssl
===================================================================
--- openssl-1.0.2b.orig/test/testssl 2015-06-11 20:11:36.398513121 +0200
+++ openssl-1.0.2b/test/testssl 2015-06-11 20:15:40.833426946 +0200
@@ -192,6 +192,25 @@ for protocol in TLSv1.2 SSLv3; do
fi
done
+echo "Testing default ciphersuites"
+
+for cipher_suite in DEFAULT_SUSE DEFAULT; do
+ ../util/shlib_wrap.sh ../apps/openssl ciphers $cipher_suite
+ if [ $? -ne 0 ]; then
+ echo "Failed default ciphersuite $cipher_suite"
+ exit 1
+ fi
+done
+
+echo "Testing if MD5, DES and RC4 are excluded from DEFAULT_SUSE cipher suite"
+../util/shlib_wrap.sh ../apps/openssl ciphers DEFAULT_SUSE| grep "MD5\|RC4\|DES-[^CBC3]"
+
+if [ $? -ne 1 ];then
+ echo "weak ciphers are present on DEFAULT_SUSE cipher suite"
+ exit 1
+fi
+
+
#############################################################################
if ../util/shlib_wrap.sh ../apps/openssl no-dh; then

View File

@ -1,80 +0,0 @@
Index: openssl-1.0.2b/apps/s_client.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_client.c 2015-06-11 17:28:32.039203737 +0200
+++ openssl-1.0.2b/apps/s_client.c 2015-06-11 17:39:40.138741521 +0200
@@ -1346,10 +1346,6 @@ int MAIN(int argc, char **argv)
ERR_print_errors(bio_err);
}
- ssl_ctx_add_crls(ctx, crls, crl_download);
- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
- goto end;
-
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL) {
tlsextcbp.biodebug = bio_err;
Index: openssl-1.0.2b/apps/s_server.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_server.c 2015-06-11 17:28:04.879854931 +0200
+++ openssl-1.0.2b/apps/s_server.c 2015-06-11 17:28:32.040203749 +0200
@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
}
#endif
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
+
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
else
SSL_CTX_sess_set_cache_size(ctx2, 128);
- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2))) {
+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
ERR_print_errors(bio_err);
}
if (vpm)
Index: openssl-1.0.2b/apps/s_time.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_time.c 2015-06-11 17:28:04.879854931 +0200
+++ openssl-1.0.2b/apps/s_time.c 2015-06-11 17:28:32.040203749 +0200
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
if (tm_cipher == NULL)

View File

@ -1,177 +0,0 @@
Index: openssl-1.0.2a/crypto/fips/fips.c
===================================================================
--- openssl-1.0.2a.orig/crypto/fips/fips.c 2015-05-24 14:39:51.970094778 +0200
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-05-24 14:39:53.342114740 +0200
@@ -60,6 +60,8 @@
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
#include "fips_locl.h"
#ifdef OPENSSL_FIPS
@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
}
# define HMAC_PREFIX "."
-# define HMAC_SUFFIX ".hmac"
+# ifndef HMAC_SUFFIX
+# define HMAC_SUFFIX ".hmac"
+# endif
# define READ_BUFFER_LENGTH 16384
static char *make_hmac_path(const char *origpath)
@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
return rv;
}
-static int FIPSCHECK_verify(const char *libname, const char *symbolname)
+static int FIPSCHECK_verify(const char *path)
{
- char path[PATH_MAX + 1];
- int rv;
+ int rv = 0;
FILE *hf;
char *hmacpath, *p;
char *hmac = NULL;
size_t n;
- rv = get_library_path(libname, symbolname, path, sizeof(path));
-
- if (rv < 0)
- return 0;
-
hmacpath = make_hmac_path(path);
if (hmacpath == NULL)
return 0;
@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
return 1;
}
+static int verify_checksums(void)
+{
+ int rv;
+ char path[PATH_MAX + 1];
+ char *p;
+
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
+ are in the same directory */
+
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
+ "FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ return 0;
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+
+ /* replace libcrypto with libssl */
+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
+ p = stpcpy(p, "libssl");
+ memmove(p, p + 3, strlen(p + 2));
+ }
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+ return 1;
+}
+
+# ifndef FIPS_MODULE_PATH
+# define FIPS_MODULE_PATH "/etc/system-fips"
+# endif
+
+int FIPS_module_installed(void)
+{
+ int rv;
+ rv = access(FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ /* Installed == true */
+ return !rv;
+}
+
int FIPS_module_mode_set(int onoff, const char *auth)
{
int ret = 0;
@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
}
# endif
- if (!FIPSCHECK_verify
- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
- if (!FIPSCHECK_verify
- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
+ if (!verify_checksums()) {
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1;
Index: openssl-1.0.2a/crypto/fips/fips.h
===================================================================
--- openssl-1.0.2a.orig/crypto/fips/fips.h 2015-05-24 14:39:51.971094793 +0200
+++ openssl-1.0.2a/crypto/fips/fips.h 2015-05-24 14:39:53.343114755 +0200
@@ -74,6 +74,7 @@ extern "C" {
int FIPS_module_mode_set(int onoff, const char *auth);
int FIPS_module_mode(void);
+ int FIPS_module_installed(void);
const void *FIPS_rand_check(void);
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
Index: openssl-1.0.2a/crypto/o_init.c
===================================================================
--- openssl-1.0.2a.orig/crypto/o_init.c 2015-05-24 14:39:51.971094793 +0200
+++ openssl-1.0.2a/crypto/o_init.c 2015-05-24 14:40:19.351493153 +0200
@@ -72,6 +72,9 @@ static void init_fips_mode(void)
char buf[2] = "0";
int fd;
+ /* Ensure the selftests always run */
+ FIPS_mode_set(1);
+
if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
buf[0] = '1';
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
@@ -83,8 +86,12 @@ static void init_fips_mode(void)
* otherwise..
*/
- if (buf[0] == '1') {
- FIPS_mode_set(1);
+ if (buf[0] != '1') {
+ /* drop down to non-FIPS mode if it is not requested */
+ FIPS_mode_set(0);
+ } else {
+ /* abort if selftest failed */
+ FIPS_selftest_check();
}
}
#endif
@@ -94,13 +101,16 @@ static void init_fips_mode(void)
* sets FIPS callbacks
*/
-void OPENSSL_init_library(void)
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
static int done = 0;
if (done)
return;
done = 1;
#ifdef OPENSSL_FIPS
+ if (!FIPS_module_installed()) {
+ return;
+ }
RAND_init_fips();
init_fips_mode();
if (!FIPS_mode()) {

File diff suppressed because it is too large Load Diff

View File

@ -1,525 +0,0 @@
diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
--- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
+++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
-int do_server(int port, int type, int *ret,
+int do_server(char *port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype,
unsigned char *context), unsigned char *context,
int naccept);
@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
int ssl_print_curves(BIO *out, SSL *s, int noshared);
#endif
int ssl_print_tmp_key(BIO *out, SSL *s);
-int init_client(int *sock, char *server, int port, int type);
+int init_client(int *sock, char *server, char *port, int type);
int should_retry(int i);
int extract_port(char *str, short *port_ptr);
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
- short *p);
+int extract_host_port(char *str, char **host_ptr, char **port_ptr);
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
--- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
int cbuf_len, cbuf_off;
int sbuf_len, sbuf_off;
fd_set readfds, writefds;
- short port = PORT;
+ char *port_str = PORT_STR;
int full_log = 1;
char *host = SSL_HOST_NAME;
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
} else if (strcmp(*argv, "-port") == 0) {
if (--argc < 1)
goto bad;
- port = atoi(*(++argv));
- if (port == 0)
- goto bad;
+ port_str = *(++argv);
} else if (strcmp(*argv, "-connect") == 0) {
if (--argc < 1)
goto bad;
- if (!extract_host_port(*(++argv), &host, NULL, &port))
+ if (!extract_host_port(*(++argv), &host, &port_str))
goto bad;
} else if (strcmp(*argv, "-verify") == 0) {
verify = SSL_VERIFY_PEER;
@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
re_start:
- if (init_client(&s, host, port, socket_type) == 0) {
+ if (init_client(&s, host, port_str, socket_type) == 0) {
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
SHUTDOWN(s);
goto end;
diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
{
X509_VERIFY_PARAM *vpm = NULL;
int badarg = 0;
- short port = PORT;
+ char *port_str = PORT_STR;
char *CApath = NULL, *CAfile = NULL;
char *chCApath = NULL, *chCAfile = NULL;
char *vfyCApath = NULL, *vfyCAfile = NULL;
@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
if (--argc < 1)
goto bad;
- if (!extract_port(*(++argv), &port))
+ port_str = *(++argv);
+ if (port_str == NULL || *port_str == '\0')
goto bad;
} else if (strcmp(*argv, "-naccept") == 0) {
if (--argc < 1)
@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);
if (rev)
- do_server(port, socket_type, &accept_socket, rev_body, context,
+ do_server(port_str, socket_type, &accept_socket, rev_body, context,
naccept);
else if (www)
- do_server(port, socket_type, &accept_socket, www_body, context,
+ do_server(port_str, socket_type, &accept_socket, www_body, context,
naccept);
else
- do_server(port, socket_type, &accept_socket, sv_body, context,
+ do_server(port_str, socket_type, &accept_socket, sv_body, context,
naccept);
print_stats(bio_s_out, ctx);
ret = 0;
diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
--- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
static void ssl_sock_cleanup(void);
# endif
static int ssl_sock_init(void);
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
-static int init_server(int *sock, int port, int type);
-static int init_server_long(int *sock, int port, char *ip, int type);
+static int init_server(int *sock, char *port, int type);
static int do_accept(int acc_sock, int *sock, char **host);
static int host_ip(char *str, unsigned char ip[4]);
@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
return (1);
}
-int init_client(int *sock, char *host, int port, int type)
+int init_client(int *sock, char *host, char *port, int type)
{
- unsigned char ip[4];
-
- memset(ip, '\0', sizeof ip);
- if (!host_ip(host, &(ip[0])))
- return 0;
- return init_client_ip(sock, ip, port, type);
-}
-
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
-{
- unsigned long addr;
- struct sockaddr_in them;
- int s, i;
+ struct addrinfo *res, *res0, hints;
+ char *failed_call = NULL;
+ int s;
+ int e;
if (!ssl_sock_init())
return (0);
- memset((char *)&them, 0, sizeof(them));
- them.sin_family = AF_INET;
- them.sin_port = htons((unsigned short)port);
- addr = (unsigned long)
- ((unsigned long)ip[0] << 24L) |
- ((unsigned long)ip[1] << 16L) |
- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
- them.sin_addr.s_addr = htonl(addr);
-
- if (type == SOCK_STREAM)
- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* ( type == SOCK_DGRAM) */
- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-
- if (s == INVALID_SOCKET) {
- perror("socket");
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_ADDRCONFIG;
+
+ e = getaddrinfo(host, port, &hints, &res);
+ if (e) {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
return (0);
}
+
+ res0 = res;
+ while (res) {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET) {
+ failed_call = "socket";
+ goto nextres;
+ }
# if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
- if (type == SOCK_STREAM) {
- i = 0;
- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
- if (i < 0) {
- closesocket(s);
- perror("keepalive");
- return (0);
+ if (type == SOCK_STREAM) {
+ int i = 0;
+ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
+ (char *)&i, sizeof(i));
+ if (i < 0) {
+ failed_call = "keepalive";
+ goto nextres;
+ }
}
- }
# endif
-
- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
- closesocket(s);
- perror("connect");
- return (0);
+ if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {
+ freeaddrinfo(res0);
+ *sock = s;
+ return (1);
+ }
+
+ failed_call = "socket";
+ nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
}
- *sock = s;
- return (1);
+ freeaddrinfo(res0);
+ closesocket(s);
+
+ perror(failed_call);
+ return (0);
}
-int do_server(int port, int type, int *ret,
+int do_server(char *port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype,
unsigned char *context), unsigned char *context,
int naccept)
@@ -328,69 +327,89 @@ int do_server(int port, int type, int *r
}
}
-static int init_server_long(int *sock, int port, char *ip, int type)
+static int init_server(int *sock, char *port, int type)
{
- int ret = 0;
- struct sockaddr_in server;
- int s = -1;
+ struct addrinfo *res, *res0 = NULL, hints;
+ char *failed_call = NULL;
+ int s = INVALID_SOCKET;
+ int e;
if (!ssl_sock_init())
return (0);
- memset((char *)&server, 0, sizeof(server));
- server.sin_family = AF_INET;
- server.sin_port = htons((unsigned short)port);
- if (ip == NULL)
- server.sin_addr.s_addr = INADDR_ANY;
- else
-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
-# ifndef BIT_FIELD_LIMITS
- memcpy(&server.sin_addr.s_addr, ip, 4);
-# else
- memcpy(&server.sin_addr, ip, 4);
-# endif
-
- if (type == SOCK_STREAM)
- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* type == SOCK_DGRAM */
- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_family = AF_INET6;
+ tryipv4:
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE;
+
+ e = getaddrinfo(NULL, port, &hints, &res);
+ if (e) {
+ if (hints.ai_family == AF_INET) {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ } else
+ res = NULL;
+ }
- if (s == INVALID_SOCKET)
- goto err;
+ res0 = res;
+ while (res) {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET) {
+ failed_call = "socket";
+ goto nextres;
+ }
+ if (hints.ai_family == AF_INET6) {
+ int j = 0;
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&j, sizeof j);
+ }
# if defined SOL_SOCKET && defined SO_REUSEADDR
- {
- int j = 1;
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
- }
-# endif
- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
-# ifndef OPENSSL_SYS_WINDOWS
- perror("bind");
+ {
+ int j = 1;
+ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
+ }
# endif
- goto err;
+
+ if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) {
+ failed_call = "bind";
+ goto nextres;
+ }
+ if (type == SOCK_STREAM && listen(s, 128) == -1) {
+ failed_call = "listen";
+ goto nextres;
+ }
+
+ *sock = s;
+ return (1);
+
+ nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
}
- /* Make it 128 for linux */
- if (type == SOCK_STREAM && listen(s, 128) == -1)
- goto err;
- *sock = s;
- ret = 1;
- err:
- if ((ret == 0) && (s != -1)) {
- SHUTDOWN(s);
+ if (res0)
+ freeaddrinfo(res0);
+
+ if (s == INVALID_SOCKET) {
+ if (hints.ai_family == AF_INET6) {
+ hints.ai_family = AF_INET;
+ goto tryipv4;
+ }
+ perror("socket");
+ return (0);
}
- return (ret);
-}
-static int init_server(int *sock, int port, int type)
-{
- return (init_server_long(sock, port, NULL, type));
+ perror(failed_call);
+ return (0);
}
static int do_accept(int acc_sock, int *sock, char **host)
{
+ static struct sockaddr_storage from;
+ char buffer[NI_MAXHOST];
int ret;
- struct hostent *h1, *h2;
- static struct sockaddr_in from;
int len;
/* struct linger ling; */
@@ -432,134 +451,60 @@ static int do_accept(int acc_sock, int *
ling.l_onoff=1;
ling.l_linger=0;
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
- if (i < 0) { perror("linger"); return(0); }
+ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
i=0;
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
- if (i < 0) { perror("keepalive"); return(0); }
+ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
*/
if (host == NULL)
goto end;
-# ifndef BIT_FIELD_LIMITS
- /* I should use WSAAsyncGetHostByName() under windows */
- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
- sizeof(from.sin_addr.s_addr), AF_INET);
-# else
- h1 = gethostbyaddr((char *)&from.sin_addr,
- sizeof(struct in_addr), AF_INET);
-# endif
- if (h1 == NULL) {
- BIO_printf(bio_err, "bad gethostbyaddr\n");
+
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
+ buffer, sizeof(buffer), NULL, 0, 0)) {
+ BIO_printf(bio_err, "getnameinfo failed\n");
*host = NULL;
/* return(0); */
} else {
- if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
+ if ((*host = (char *)OPENSSL_malloc(strlen(buffer) + 1)) == NULL) {
perror("OPENSSL_malloc");
closesocket(ret);
return (0);
}
- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
-
- h2 = GetHostByName(*host);
- if (h2 == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- closesocket(ret);
- return (0);
- }
- if (h2->h_addrtype != AF_INET) {
- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
- closesocket(ret);
- return (0);
- }
+ strcpy(*host, buffer);
}
end:
*sock = ret;
return (1);
}
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
- short *port_ptr)
+int extract_host_port(char *str, char **host_ptr, char **port_ptr)
{
- char *h, *p;
+ char *h, *p, *x;
- h = str;
- p = strchr(str, ':');
+ x = h = str;
+ if (*h == '[') {
+ h++;
+ p = strchr(h, ']');
+ if (p == NULL) {
+ BIO_printf(bio_err, "no ending bracket for IPv6 address\n");
+ return (0);
+ }
+ *(p++) = '\0';
+ x = p;
+ }
+ p = strchr(x, ':');
if (p == NULL) {
BIO_printf(bio_err, "no port defined\n");
return (0);
}
*(p++) = '\0';
- if ((ip != NULL) && !host_ip(str, ip))
- goto err;
if (host_ptr != NULL)
*host_ptr = h;
+ if (port_ptr != NULL)
+ *port_ptr = p;
- if (!extract_port(p, port_ptr))
- goto err;
- return (1);
- err:
- return (0);
-}
-
-static int host_ip(char *str, unsigned char ip[4])
-{
- unsigned int in[4];
- int i;
-
- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
- 4) {
- for (i = 0; i < 4; i++)
- if (in[i] > 255) {
- BIO_printf(bio_err, "invalid IP address\n");
- goto err;
- }
- ip[0] = in[0];
- ip[1] = in[1];
- ip[2] = in[2];
- ip[3] = in[3];
- } else { /* do a gethostbyname */
- struct hostent *he;
-
- if (!ssl_sock_init())
- return (0);
-
- he = GetHostByName(str);
- if (he == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- goto err;
- }
- /* cast to short because of win16 winsock definition */
- if ((short)he->h_addrtype != AF_INET) {
- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
- return (0);
- }
- ip[0] = he->h_addr_list[0][0];
- ip[1] = he->h_addr_list[0][1];
- ip[2] = he->h_addr_list[0][2];
- ip[3] = he->h_addr_list[0][3];
- }
- return (1);
- err:
- return (0);
-}
-
-int extract_port(char *str, short *port_ptr)
-{
- int i;
- struct servent *s;
-
- i = atoi(str);
- if (i != 0)
- *port_ptr = (unsigned short)i;
- else {
- s = getservbyname(str, "tcp");
- if (s == NULL) {
- BIO_printf(bio_err, "getservbyname failure for %s\n", str);
- return (0);
- }
- *port_ptr = ntohs((unsigned short)s->s_port);
- }
return (1);
}

View File

@ -1,198 +0,0 @@
diff -up openssl-1.0.2a/engines/e_padlock.c.padlock64 openssl-1.0.2a/engines/e_padlock.c
--- openssl-1.0.2a/engines/e_padlock.c.padlock64 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/engines/e_padlock.c 2015-04-22 16:23:44.105617468 +0200
@@ -101,7 +101,10 @@
*/
# undef COMPILE_HW_PADLOCK
# if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+# if (defined(__GNUC__) && __GNUC__>=2 && \
+ (defined(__i386__) || defined(__i386) || \
+ defined(__x86_64__) || defined(__x86_64)) \
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
# endif
@@ -140,7 +143,7 @@ void ENGINE_load_padlock(void)
# endif
# elif defined(__GNUC__)
# ifndef alloca
-# define alloca(s) __builtin_alloca(s)
+# define alloca(s) __builtin_alloca((s))
# endif
# endif
@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_da
* =======================================================
*/
# if defined(__GNUC__) && __GNUC__>=2
+# if defined(__i386__) || defined(__i386)
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
@@ -379,22 +383,6 @@ static int padlock_available(void)
return padlock_use_ace + padlock_use_rng;
}
-# ifndef OPENSSL_NO_AES
-# ifndef AES_ASM
-/* Our own htonl()/ntohl() */
-static inline void padlock_bswapl(AES_KEY *ks)
-{
- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
- unsigned int *key = ks->rd_key;
-
- while (i--) {
- asm volatile ("bswapl %0":"+r" (*key));
- key++;
- }
-}
-# endif
-# endif
-
/*
* Force key reload from memory to the CPU microcode. Loading EFLAGS from the
* stack clears EFLAGS[30] which does the trick.
@@ -404,7 +392,7 @@ static inline void padlock_reload_key(vo
asm volatile ("pushfl; popfl");
}
-# ifndef OPENSSL_NO_AES
+# ifndef OPENSSL_NO_AES
/*
* This is heuristic key context tracing. At first one
* believes that one should use atomic swap instructions,
@@ -448,6 +436,101 @@ static inline void *name(size_t cnt,
: "edx", "cc", "memory"); \
return iv; \
}
+# endif
+
+# elif defined(__x86_64__) || defined(__x86_64)
+
+/* Load supported features of the CPU to see if
+ the PadLock is available. */
+static int padlock_available(void)
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
+
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
+ asm volatile ("cpuid\n"
+ "movl %%ebx,(%1)\n"
+ "movl %%edx,4(%1)\n"
+ "movl %%ecx,8(%1)\n":"+a" (eax):"r"(vendor_string):"rbx",
+ "rcx", "rdx");
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
+ return 0;
+
+ /* Check for Centaur Extended Feature Flags presence */
+ eax = 0xC0000000;
+ asm volatile ("cpuid":"+a" (eax)::"rbx", "rcx", "rdx");
+ if (eax < 0xC0000001)
+ return 0;
+
+ /* Read the Centaur Extended Feature Flags */
+ eax = 0xC0000001;
+ asm volatile ("cpuid":"+a" (eax), "=d"(edx)::"rbx", "rcx");
+
+ /* Fill up some flags */
+ padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
+ padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
+
+ return padlock_use_ace + padlock_use_rng;
+}
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
+static inline void padlock_reload_key(void)
+{
+ asm volatile ("pushfq; popfq");
+}
+
+# ifndef OPENSSL_NO_AES
+/*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+ * but it's not actually necessary. Point is that if
+ * padlock_saved_context was changed by another thread
+ * after we've read it and before we compare it with cdata,
+ * our key *shall* be reloaded upon thread context switch
+ * and we are therefore set in either case...
+ */
+static inline void padlock_verify_context(struct padlock_cipher_data *cdata)
+{
+ asm volatile ("pushfq\n"
+ " btl $30,(%%rsp)\n"
+ " jnc 1f\n"
+ " cmpq %2,%1\n"
+ " je 1f\n"
+ " popfq\n"
+ " subq $8,%%rsp\n"
+ "1: addq $8,%%rsp\n"
+ " movq %2,%0":"+m" (padlock_saved_context)
+ :"r"(padlock_saved_context), "r"(cdata):"cc");
+}
+
+/* Template for padlock_xcrypt_* modes */
+/* BIG FAT WARNING:
+ * The offsets used with 'leal' instructions
+ * describe items of the 'padlock_cipher_data'
+ * structure.
+ */
+# define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
+static inline void *name(size_t cnt, \
+ struct padlock_cipher_data *cdata, \
+ void *out, const void *inp) \
+{ void *iv; \
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
+ " leaq 32(%0),%%rbx\n" \
+ rep_xcrypt "\n" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
+ : "rbx", "rdx", "cc", "memory"); \
+ return iv; \
+}
+# endif
+
+# endif /* cpu */
+
+# ifndef OPENSSL_NO_AES
/* Generate all functions with appropriate opcodes */
/* rep xcryptecb */
@@ -458,6 +541,20 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, "
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
/* rep xcryptofb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
+
+# ifndef AES_ASM
+/* Our own htonl()/ntohl() */
+static inline void padlock_bswapl(AES_KEY *ks)
+{
+ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+ unsigned int *key = ks->rd_key;
+
+ while (i--) {
+ asm volatile ("bswapl %0":"+r" (*key));
+ key++;
+ }
+}
+# endif
# endif
/* The RNG call itself */
static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
@@ -485,8 +582,8 @@ static inline unsigned int padlock_xstor
static inline unsigned char *padlock_memcpy(void *dst, const void *src,
size_t n)
{
- long *d = dst;
- const long *s = src;
+ size_t *d = dst;
+ const size_t *s = src;
n /= sizeof(*d);
do {

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0
size 5309236

View File

@ -1,10 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABCAAGBQJYifggAAoJENnE0m0OYESRTAIH/RsiR+7jvmA8AZJppQZOpVgX
8N5CZNBEaRTuKcRNmQX1oHk5Ms2g4MM4TmNDOFF7+ZtByoeyv2NWnLWJmBsSxuQU
ZEbeXFIgkBnvD5qOBdi84udw0/HOP5P3GcxAOC8QE1Av7pTwAdKToheqixuE5D8+
9zzw4VgXCa5L18JDf3XdkTDUUUQitz1o2ck8BVIGyhxgIUDJXEF8t29yTGYWF/YV
b45G1igbJlZtoR4IA1pSR3hrDjJaNQtCpkxK+DKoLTm+Z9RMTe40Q8W7dBn1iwUm
N/m9CUovBoqIv1nrSJeFNXuIuuHYt/1gflJBiem7QC9fNtdZuGlKXBq5bcL1qV8=
=uQ9m
-----END PGP SIGNATURE-----

View File

@ -1,12 +0,0 @@
Index: openssl-1.0.2g/crypto/o_init.c
===================================================================
--- openssl-1.0.2g.orig/crypto/o_init.c 2016-04-14 10:54:05.763929573 +0200
+++ openssl-1.0.2g/crypto/o_init.c 2016-04-14 10:59:08.366168879 +0200
@@ -91,6 +91,7 @@ static void init_fips_mode(void)
NONFIPS_selftest_check();
/* drop down to non-FIPS mode if it is not requested */
FIPS_mode_set(0);
+ ERR_clear_error();
} else {
/* abort if selftest failed */
FIPS_selftest_check();

View File

@ -1,128 +0,0 @@
Index: openssl-1.0.2i/apps/dgst.c
===================================================================
--- openssl-1.0.2i.orig/apps/dgst.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/dgst.c 2016-09-23 10:20:02.162323196 +0200
@@ -147,7 +147,7 @@ int MAIN(int argc, char **argv)
/* first check the program name */
program_name(argv[0], pname, sizeof pname);
- md = EVP_get_digestbyname(pname);
+ md = EVP_get_digestbyname_fips_disabled(pname);
argc--;
argv++;
@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv)
macopts = sk_OPENSSL_STRING_new_null();
if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
break;
- } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+ } else if ((m = EVP_get_digestbyname_fips_disabled(&((*argv)[1]))) != NULL)
md = m;
else
break;
Index: openssl-1.0.2i/apps/apps.c
===================================================================
--- openssl-1.0.2i.orig/apps/apps.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/apps.c 2016-09-23 10:20:02.162323196 +0200
@@ -3266,3 +3266,45 @@ int raw_write_stdout(const void *buf, in
return write(fileno_stdout(), buf, siz);
}
#endif
+
+
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name)
+ {
+ int saved_fips_mode = FIPS_mode();
+ EVP_MD *md;
+
+ if (saved_fips_mode)
+ FIPS_mode_set(0);
+
+ OpenSSL_add_all_digests();
+ md=EVP_get_digestbyname(name);
+
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+
+ return md;
+ }
+
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name)
+ {
+ int saved_fips_mode = FIPS_mode();
+ EVP_CIPHER *ciph;
+
+ if (saved_fips_mode)
+ FIPS_mode_set(0);
+
+ OpenSSL_add_all_ciphers();
+ ciph=EVP_get_cipherbyname(name);
+
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+
+ return ciph;
+ }
+
Index: openssl-1.0.2i/apps/apps.h
===================================================================
--- openssl-1.0.2i.orig/apps/apps.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/apps.h 2016-09-23 10:20:02.162323196 +0200
@@ -348,6 +348,9 @@ void print_cert_checks(BIO *bio, X509 *x
void store_setup_crl_download(X509_STORE *st);
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name);
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name);
+
# define FORMAT_UNDEF 0
# define FORMAT_ASN1 1
# define FORMAT_TEXT 2
Index: openssl-1.0.2i/apps/enc.c
===================================================================
--- openssl-1.0.2i.orig/apps/enc.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/enc.c 2016-09-23 10:20:02.162323196 +0200
@@ -150,7 +150,7 @@ int MAIN(int argc, char **argv)
do_zlib = 1;
#endif
- cipher = EVP_get_cipherbyname(pname);
+ cipher = EVP_get_cipherbyname_fips_disabled(pname);
#ifdef ZLIB
if (!do_zlib && !base64 && (cipher == NULL)
&& (strcmp(pname, "enc") != 0))
@@ -269,7 +269,7 @@ int MAIN(int argc, char **argv)
} else if (strcmp(*argv, "-non-fips-allow") == 0)
non_fips_allow = 1;
else if ((argv[0][0] == '-') &&
- ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) {
+ ((c = EVP_get_cipherbyname_fips_disabled(&(argv[0][1]))) != NULL)) {
cipher = c;
} else if (strcmp(*argv, "-none") == 0)
cipher = NULL;
@@ -322,6 +322,10 @@ int MAIN(int argc, char **argv)
argv++;
}
+ /* drop out of fips mode if we should allow non-fips algos */
+ if (non_fips_allow)
+ FIPS_mode_set(0);
+
e = setup_engine(bio_err, engine, 0);
if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
@@ -338,7 +342,7 @@ int MAIN(int argc, char **argv)
goto end;
}
- if (md && (dgst = EVP_get_digestbyname(md)) == NULL) {
+ if (md && (dgst = EVP_get_digestbyname_fips_disabled(md)) == NULL) {
BIO_printf(bio_err, "%s is an unsupported message digest type\n", md);
goto end;
}

View File

@ -1,16 +0,0 @@
Index: openssl-1.0.2h/crypto/o_init.c
===================================================================
--- openssl-1.0.2h.orig/crypto/o_init.c 2016-06-01 15:26:25.026937000 +0200
+++ openssl-1.0.2h/crypto/o_init.c 2016-06-01 16:23:24.980858697 +0200
@@ -111,9 +111,9 @@ void __attribute__ ((constructor)) OPENS
return;
done = 1;
#ifdef OPENSSL_FIPS
- if (!FIPS_module_installed()) {
+ /*if (!FIPS_module_installed()) {
return;
- }
+ }*/
RAND_init_fips();
init_fips_mode();
if (!FIPS_mode()) {

View File

@ -1,14 +0,0 @@
Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-14 10:52:34.187646539 +0200
+++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-14 10:53:39.335559301 +0200
@@ -465,7 +465,8 @@ static int rsa_builtin_keygen(RSA *rsa,
goto err;
bitsp = (bits + 1) / 2;
- bitsq = bits - bitsp;
+ /* Use the same number of bits for p and q, our checks assume it. */
+ bitsq = bitsp;
/* prepare a maximum for p and q */
/* 0xB504F334 is (sqrt(2)/2)*2^32 */

View File

@ -1,32 +0,0 @@
Index: openssl-1.0.2a/crypto/fips/fips_rand_lcl.h
===================================================================
--- openssl-1.0.2a.orig/crypto/fips/fips_rand_lcl.h 2015-05-24 13:18:49.460282194 +0200
+++ openssl-1.0.2a/crypto/fips/fips_rand_lcl.h 2015-05-24 13:42:20.793812240 +0200
@@ -51,6 +51,8 @@
* ====================================================================
*/
+#pragma GCC visibility push(hidden)
+
typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
@@ -211,3 +213,5 @@ const struct evp_cipher_st *FIPS_get_cip
#define FIPS_digestupdate EVP_DigestUpdate
#define FIPS_digestfinal EVP_DigestFinal
#define M_EVP_MD_size EVP_MD_size
+
+#pragma GCC visibility pop
Index: openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c
===================================================================
--- openssl-1.0.2a.orig/crypto/fips/fips_rsa_x931g.c 2015-05-24 13:18:49.461282208 +0200
+++ openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c 2015-05-24 13:42:20.793812240 +0200
@@ -65,7 +65,7 @@
#ifdef OPENSSL_FIPS
# include <openssl/fips.h>
-extern int fips_check_rsa(RSA *rsa);
+extern int fips_check_rsa(RSA *rsa) __attribute__ ((visibility ("hidden")));
#endif
/* X9.31 RSA key derivation and generation */

View File

@ -1,39 +0,0 @@
Index: openssl-1.0.2h/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.2h.orig/crypto/rsa/rsa_gen.c 2016-07-14 15:25:28.640174922 +0200
+++ openssl-1.0.2h/crypto/rsa/rsa_gen.c 2016-07-14 15:27:41.330349764 +0200
@@ -234,6 +234,12 @@ static int FIPS_rsa_builtin_keygen(RSA *
goto err;
}
+ BN_copy(rsa->e, e_value);
+
+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
+ test = 1;
+
+retry:
/* prepare approximate minimum p and q */
if (!BN_set_word(r0, 0xB504F334))
goto err;
@@ -246,12 +252,6 @@ static int FIPS_rsa_builtin_keygen(RSA *
if (!BN_lshift(r3, r3, pbits - 100))
goto err;
- BN_copy(rsa->e, e_value);
-
- if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
- test = 1;
-
- retry:
/* generate p and q */
for (i = 0; i < 5 * pbits; i++) {
ploop:
@@ -375,6 +375,8 @@ static int FIPS_rsa_builtin_keygen(RSA *
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
goto err; /* d */
+ /* test 2^(bits/2) < d < LCM((p-1)*(q-1)) */
+ /* the LCM part is covered due to the generation by modulo above */
if (BN_num_bits(rsa->d) < pbits)
goto retry; /* d is too small */

View File

@ -1,74 +0,0 @@
Index: openssl-1.0.2g/crypto/fips/fips.c
===================================================================
--- openssl-1.0.2g.orig/crypto/fips/fips.c 2016-04-14 10:49:37.460170356 +0200
+++ openssl-1.0.2g/crypto/fips/fips.c 2016-04-14 10:49:47.270307813 +0200
@@ -448,6 +448,44 @@ int FIPS_module_mode_set(int onoff, cons
return ret;
}
+/* In non-FIPS mode, the selftests must succeed if the
+ * checksum files are present
+ */
+void NONFIPS_selftest_check(void)
+ {
+ int rv;
+ char *hmacpath;
+ char path[PATH_MAX+1];
+
+ if (fips_selftest_fail)
+ {
+ /* check if the checksum files are installed */
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
+
+ if (access(hmacpath, F_OK))
+ {
+ /* no hmac file is present, ignore the failed selftests */
+ if (errno == ENOENT)
+ {
+ free(hmacpath);
+ return;
+ }
+ /* we fail on any other error */
+ }
+ /* if the file exists, but the selftests failed
+ (eg wrong checksum), we fail too */
+ free(hmacpath);
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
+ }
+ /* otherwise ok, selftests were successful */
+ }
+
static CRYPTO_THREADID fips_thread;
static int fips_thread_set = 0;
Index: openssl-1.0.2g/crypto/fips/fips.h
===================================================================
--- openssl-1.0.2g.orig/crypto/fips/fips.h 2016-04-14 10:49:47.270307813 +0200
+++ openssl-1.0.2g/crypto/fips/fips.h 2016-04-14 10:50:45.867128848 +0200
@@ -107,6 +107,7 @@ extern "C" {
int FIPS_selftest_drbg(void);
int FIPS_selftest_drbg_all(void);
int FIPS_selftest_cmac(void);
+ void NONFIPS_selftest_check(void);
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
Index: openssl-1.0.2g/crypto/o_init.c
===================================================================
--- openssl-1.0.2g.orig/crypto/o_init.c 2016-04-14 10:49:47.270307813 +0200
+++ openssl-1.0.2g/crypto/o_init.c 2016-04-14 10:51:31.634770112 +0200
@@ -87,6 +87,8 @@ static void init_fips_mode(void)
*/
if (buf[0] != '1') {
+ /* abort if selftest failed and the module is complete */
+ NONFIPS_selftest_check();
/* drop down to non-FIPS mode if it is not requested */
FIPS_mode_set(0);
} else {

View File

@ -1,16 +0,0 @@
Index: openssl-1.0.2g/crypto/engine/eng_all.c
===================================================================
--- openssl-1.0.2g.orig/crypto/engine/eng_all.c 2016-04-13 15:04:40.644190904 +0200
+++ openssl-1.0.2g/crypto/engine/eng_all.c 2016-04-13 15:06:04.092468490 +0200
@@ -70,11 +70,6 @@ void ENGINE_load_builtin_engines(void)
#ifdef OPENSSL_FIPS
OPENSSL_init_library();
if (FIPS_mode()) {
- /* We allow loading dynamic engine as a third party
- engine might be FIPS validated.
- User is disallowed to load non-validated engines
- by security policy. */
- ENGINE_load_dynamic();
return;
}
#endif

View File

@ -1,13 +0,0 @@
Index: openssl-1.0.2g/crypto/fips/fips_rand_lib.c
===================================================================
--- openssl-1.0.2g.orig/crypto/fips/fips_rand_lib.c 2016-04-13 15:01:53.236630810 +0200
+++ openssl-1.0.2g/crypto/fips/fips_rand_lib.c 2016-04-13 15:02:48.986482927 +0200
@@ -73,8 +73,6 @@ int FIPS_rand_set_method(const RAND_METH
if (!fips_rand_bits) {
if (meth == FIPS_drbg_method())
fips_approved_rand_meth = 1;
- else if (meth == FIPS_x931_method())
- fips_approved_rand_meth = 2;
else {
fips_approved_rand_meth = 0;
if (FIPS_module_mode()) {

View File

@ -1,348 +0,0 @@
Index: openssl-1.0.2h/crypto/fips/fips_drbg_rand.c
===================================================================
--- openssl-1.0.2h.orig/crypto/fips/fips_drbg_rand.c 2016-08-03 18:09:00.212901713 +0200
+++ openssl-1.0.2h/crypto/fips/fips_drbg_rand.c 2016-08-03 18:22:15.741698211 +0200
@@ -82,7 +82,8 @@ static int fips_drbg_bytes(unsigned char
if (count > dctx->min_entropy)
RAND_load_file("/dev/urandom", count - dctx->min_entropy);
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ int locked;
+ locked = private_RAND_lock(1);
do {
size_t rcnt;
if (count > (int)dctx->max_request)
@@ -111,7 +112,8 @@ static int fips_drbg_bytes(unsigned char
while (count);
rv = 1;
err:
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (locked)
+ private_RAND_lock(0);
return rv;
}
@@ -126,34 +128,50 @@ static int fips_drbg_status(void)
{
DRBG_CTX *dctx = &ossl_dctx;
int rv;
- CRYPTO_r_lock(CRYPTO_LOCK_RAND);
+ int locked;
+ locked = private_RAND_lock(1);
rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
- CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
+ if (locked)
+ private_RAND_lock(0);
return rv;
}
static void fips_drbg_cleanup(void)
{
DRBG_CTX *dctx = &ossl_dctx;
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ int locked;
+ locked = private_RAND_lock(1);
FIPS_drbg_uninstantiate(dctx);
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (locked)
+ private_RAND_lock(0);
}
static int fips_drbg_seed(const void *seed, int seedlen)
{
DRBG_CTX *dctx = &ossl_dctx;
+ int locked;
+ int ret = 1;
+
+ locked = private_RAND_lock(1);
if (dctx->rand_seed_cb)
- return dctx->rand_seed_cb(dctx, seed, seedlen);
- return 1;
+ ret = dctx->rand_seed_cb(dctx, seed, seedlen);
+ if (locked)
+ private_RAND_lock(0);
+ return ret;
}
static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
{
DRBG_CTX *dctx = &ossl_dctx;
+ int locked;
+ int ret = 1;
+
+ locked = private_RAND_lock(1);
if (dctx->rand_add_cb)
- return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
- return 1;
+ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
+ if (locked)
+ private_RAND_lock(0);
+ return ret;
}
static const RAND_METHOD rand_drbg_meth = {
Index: openssl-1.0.2h/crypto/rand/md_rand.c
===================================================================
--- openssl-1.0.2h.orig/crypto/rand/md_rand.c 2016-08-03 18:09:00.216901777 +0200
+++ openssl-1.0.2h/crypto/rand/md_rand.c 2016-08-04 10:42:01.775958714 +0200
@@ -144,13 +144,6 @@ static long md_count[2] = { 0, 0 };
static double entropy = 0;
static int initialized = 0;
-static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
- * holds CRYPTO_LOCK_RAND (to
- * prevent double locking) */
-/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
-/* valid iff crypto_lock_rand is set */
-static CRYPTO_THREADID locking_threadid;
-
#ifdef PREDICT
int rand_predictable = 0;
#endif
@@ -196,7 +189,7 @@ static void ssleay_rand_add(const void *
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
EVP_MD_CTX m;
- int do_not_lock;
+ int locked;
if (!num)
return;
@@ -216,18 +209,8 @@ static void ssleay_rand_add(const void *
* hash function.
*/
- /* check if we already have the lock */
- if (crypto_lock_rand) {
- CRYPTO_THREADID cur;
- CRYPTO_THREADID_current(&cur);
- CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
- do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
- CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
- } else
- do_not_lock = 0;
+ locked = private_RAND_lock(1);
- if (!do_not_lock)
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
st_idx = state_index;
/*
@@ -258,8 +241,8 @@ static void ssleay_rand_add(const void *
md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
- if (!do_not_lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (locked)
+ private_RAND_lock(0);
EVP_MD_CTX_init(&m);
for (i = 0; i < num; i += MD_DIGEST_LENGTH) {
@@ -307,8 +290,7 @@ static void ssleay_rand_add(const void *
}
EVP_MD_CTX_cleanup(&m);
- if (!do_not_lock)
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ locked = private_RAND_lock(1);
/*
* Don't just copy back local_md into md -- this could mean that other
* thread's seeding remains without effect (except for the incremented
@@ -320,8 +302,8 @@ static void ssleay_rand_add(const void *
}
if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
entropy += add;
- if (!do_not_lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (locked)
+ private_RAND_lock(0);
#if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
assert(md_c[1] == md_count[1]);
@@ -346,6 +328,7 @@ int ssleay_rand_bytes(unsigned char *buf
pid_t curr_pid = getpid();
#endif
int do_stir_pool = 0;
+ int locked;
#ifdef PREDICT
if (rand_predictable) {
@@ -387,13 +370,7 @@ int ssleay_rand_bytes(unsigned char *buf
* global 'md'.
*/
if (lock)
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-
- /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
- CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
- CRYPTO_THREADID_current(&locking_threadid);
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
- crypto_lock_rand = 1;
+ locked = private_RAND_lock(1);
/* always poll for external entropy in FIPS mode, drbg provides the
* expansion
@@ -468,9 +445,8 @@ int ssleay_rand_bytes(unsigned char *buf
md_count[0] += 1;
/* before unlocking, we must clear 'crypto_lock_rand' */
- crypto_lock_rand = 0;
- if (lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (lock && locked)
+ private_RAND_lock(0);
while (num > 0) {
/* num_ceil -= MD_DIGEST_LENGTH/2 */
@@ -519,11 +495,11 @@ int ssleay_rand_bytes(unsigned char *buf
MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c));
MD_Update(&m, local_md, MD_DIGEST_LENGTH);
if (lock)
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ locked = private_RAND_lock(1);
MD_Update(&m, md, MD_DIGEST_LENGTH);
MD_Final(&m, md);
- if (lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (lock && locked)
+ private_RAND_lock(0);
EVP_MD_CTX_cleanup(&m);
if (ok)
@@ -553,33 +529,10 @@ static int ssleay_rand_pseudo_bytes(unsi
static int ssleay_rand_status(void)
{
- CRYPTO_THREADID cur;
int ret;
- int do_not_lock;
-
- CRYPTO_THREADID_current(&cur);
- /*
- * check if we already have the lock (could happen if a RAND_poll()
- * implementation calls RAND_status())
- */
- if (crypto_lock_rand) {
- CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
- do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
- CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
- } else
- do_not_lock = 0;
+ int locked;
- if (!do_not_lock) {
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-
- /*
- * prevent ssleay_rand_bytes() from trying to obtain the lock again
- */
- CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
- CRYPTO_THREADID_cpy(&locking_threadid, &cur);
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
- crypto_lock_rand = 1;
- }
+ locked = private_RAND_lock(1);
if (!initialized) {
RAND_poll();
@@ -588,12 +541,8 @@ static int ssleay_rand_status(void)
ret = entropy >= ENTROPY_NEEDED;
- if (!do_not_lock) {
- /* before unlocking, we must clear 'crypto_lock_rand' */
- crypto_lock_rand = 0;
-
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
- }
+ if (locked)
+ private_RAND_lock(0);
return ret;
}
Index: openssl-1.0.2h/crypto/rand/rand.h
===================================================================
--- openssl-1.0.2h.orig/crypto/rand/rand.h 2016-08-03 18:08:58.848879702 +0200
+++ openssl-1.0.2h/crypto/rand/rand.h 2016-08-03 18:09:00.216901777 +0200
@@ -123,6 +123,8 @@ void RAND_set_fips_drbg_type(int type, i
int RAND_init_fips(void);
# endif
+int private_RAND_lock(int lock);
+
/* BEGIN ERROR CODES */
/*
* The following lines are auto generated by the script mkerr.pl. Any changes
Index: openssl-1.0.2h/crypto/rand/rand_lib.c
===================================================================
--- openssl-1.0.2h.orig/crypto/rand/rand_lib.c 2016-08-03 18:08:58.848879702 +0200
+++ openssl-1.0.2h/crypto/rand/rand_lib.c 2016-08-04 10:45:28.691025336 +0200
@@ -176,6 +176,41 @@ int RAND_status(void)
return 0;
}
+int private_RAND_lock(int lock)
+ {
+ static int crypto_lock_rand;
+ static CRYPTO_THREADID locking_threadid;
+ int do_lock;
+
+ if (!lock)
+ {
+ crypto_lock_rand = 0;
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ return 0;
+ }
+
+ /* check if we already have the lock */
+ if (crypto_lock_rand)
+ {
+ CRYPTO_THREADID cur;
+ CRYPTO_THREADID_current(&cur);
+ CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
+ do_lock = !!CRYPTO_THREADID_cmp(&locking_threadid, &cur);
+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
+ }
+ else
+ do_lock = 1;
+ if (do_lock)
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
+ CRYPTO_THREADID_current(&locking_threadid);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+ crypto_lock_rand = 1;
+ }
+ return do_lock;
+ }
+
#ifdef OPENSSL_FIPS
/*
@@ -237,9 +272,10 @@ static int drbg_rand_add(DRBG_CTX *ctx,
{
RAND_SSLeay()->add(in, inlen, entropy);
if (FIPS_rand_status()) {
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ int locked = private_RAND_lock(1);
FIPS_drbg_reseed(ctx, in, inlen);
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (locked)
+ private_RAND_lock(0);
}
return 1;
}
@@ -248,9 +284,10 @@ static int drbg_rand_seed(DRBG_CTX *ctx,
{
RAND_SSLeay()->seed(in, inlen);
if (FIPS_rand_status()) {
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ int locked = private_RAND_lock(1);
FIPS_drbg_reseed(ctx, NULL, 0);
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ if (locked)
+ private_RAND_lock(0);
}
return 1;
}

View File

@ -1,143 +0,0 @@
From jaenicke@openssl.net Thu May 30 09:46:58 2013
CC: Jonathan Liu <net147@gmail.com>
Resent-Date: Thu, 30 May 2013 09:46:58 +0200
X-Spam-Status: No, score=-2.3 required=5.0 tests=FREEMAIL_FROM, RCVD_IN_DNSWL_MED,T_DKIM_INVALID,T_TO_NO_BRKTS_FREEMAIL autolearn=ham version=3.3.2
X-Mailer: git-send-email 1.8.3
Message-ID: <1369887573-10819-1-git-send-email-net147@gmail.com>
X-Received: by 10.68.65.134 with SMTP id x6mr5859535pbs.219.1369886755138; Wed, 29 May 2013 21:05:55 -0700 (PDT)
Resent-To: rt-i12@openssl.net
Received: by openssl.net (Postfix, from userid 29209) id 1548C1E0128; Thu, 30 May 2013 09:46:58 +0200 (CEST)
Received: by openssl.net (Postfix, from userid 65534) id 852471E12CB; Thu, 30 May 2013 06:14:07 +0200 (CEST)
Received: by openssl.net (Postfix, from userid 30009) id 6FF4D1E12CF; Thu, 30 May 2013 06:14:07 +0200 (CEST)
Received: from master.openssl.org (openssl.org [194.97.152.144]) by openssl.net (Postfix) with ESMTP id B4F491E12CB for <rt@openssl.net>; Thu, 30 May 2013 06:14:00 +0200 (CEST)
Received: by master.openssl.org (Postfix) id 53CEF1337D; Thu, 30 May 2013 06:14:00 +0200 (CEST)
Received: from mail-pd0-f180.google.com (mail-pd0-f180.google.com [209.85.192.180]) by master.openssl.org (Postfix) with ESMTP id BD43A1337C for <rt@openssl.org>; Thu, 30 May 2013 06:13:59 +0200 (CEST)
Received: by mail-pd0-f180.google.com with SMTP id 14so7525333pdc.39 for <rt@openssl.org>; Wed, 29 May 2013 21:13:58 -0700 (PDT)
Received: from 60-242-179-244.static.tpgi.com.au (60-242-179-244.static.tpgi.com.au. [60.242.179.244]) by mx.google.com with ESMTPSA id gh9sm39937623pbc.37.2013.05.29.21.05.52 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 29 May 2013 21:05:54 -0700 (PDT)
Delivered-To: rt-i12@openssl.net
Subject: [PATCH] Fix POD errors with pod2man from Perl 5.18.
Resent-From: Lutz Jaenicke <jaenicke@openssl.net>
Return-Path: <jaenicke@openssl.net>
X-Original-To: rt-i12@openssl.net
X-Original-To: jaenicke@localhost
X-Original-To: rt@openssl.net
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:x-mailer; bh=7+ASUI5nk0djFCejseoyvHdfe1CBnwkjfwtKd/NZiyk=; b=Z8nPd4yIaqDTqC2lMbn6p2B4+cFrVY1CLkKn7W9dJucX5NWdr9xJFx3uBZgzONU48L 24eHjFUMScQtRepL0UbNbWOeUlLsTFicuSlx9FaEyK7ZY7zVzmdESmGeedInheWRaaz1 A818XmhAGYTO09kxRTrt8lswyegygIMna7vvjV5vP7wdRPLBejxvtSj24xz+b6bEub51 CvG+wjG+5SZt3XYdGtE3Rff49BaZg4zjpcH92H64bPsKClFx0dOYP849mEMuMzDsrcAO /2ZtXsPfkOHXSJAgGvvxEo7KQTUJol5+VtHzNjY7rRnrpKmS7U0+U8sasp4yetFIuXSZ U+eg==
Date: Thu, 30 May 2013 14:19:33 +1000
X-Spam-Level:
X-Greylist: delayed 483 seconds by postgrey-1.33 at master.openssl.org; Thu, 30 May 2013 06:13:59 CEST
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on openssl
Resent-Message-ID: <20130530074658.GA13997@openssl.net>
To: rt@openssl.org
From: Jonathan Liu <net147@gmail.com>
X-RT-Original-Encoding: ascii
content-type: text/plain; charset="utf-8"
Content-Length: 12835
---
doc/apps/cms.pod | 12 ++++++------
doc/apps/smime.pod | 12 ++++++------
doc/apps/ts.pod | 6 +++---
doc/crypto/OPENSSL_ia32cap.pod | 4 ++++
doc/crypto/rand.pod | 14 +++++++-------
doc/ssl/SSL_COMP_add_compression_method.pod | 4 ++--
doc/ssl/SSL_CTX_add_session.pod | 4 ++--
doc/ssl/SSL_CTX_load_verify_locations.pod | 4 ++--
doc/ssl/SSL_CTX_set_client_CA_list.pod | 4 ++--
doc/ssl/SSL_CTX_set_session_id_context.pod | 4 ++--
doc/ssl/SSL_CTX_set_ssl_version.pod | 4 ++--
doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 2 +-
doc/ssl/SSL_accept.pod | 4 ++--
doc/ssl/SSL_clear.pod | 4 ++--
doc/ssl/SSL_connect.pod | 4 ++--
doc/ssl/SSL_do_handshake.pod | 4 ++--
doc/ssl/SSL_read.pod | 2 +-
doc/ssl/SSL_session_reused.pod | 4 ++--
doc/ssl/SSL_set_fd.pod | 4 ++--
doc/ssl/SSL_set_session.pod | 4 ++--
doc/ssl/SSL_set_shutdown.pod | 2 +-
doc/ssl/SSL_shutdown.pod | 6 +++---
doc/ssl/SSL_write.pod | 2 +-
23 files changed, 59 insertions(+), 55 deletions(-)
Index: openssl-1.0.2a/doc/apps/ts.pod
===================================================================
--- openssl-1.0.2a.orig/doc/apps/ts.pod 2015-04-03 22:07:02.024077520 +0200
+++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-03 22:07:04.830116325 +0200
@@ -58,19 +58,19 @@ time. Here is a brief description of the
=over 4
-=item 1.
+=item Z<>1.
The TSA client computes a one-way hash value for a data file and sends
the hash to the TSA.
-=item 2.
+=item Z<>2.
The TSA attaches the current date and time to the received hash value,
signs them and sends the time stamp token back to the client. By
creating this token the TSA certifies the existence of the original
data file at the time of response generation.
-=item 3.
+=item Z<>3.
The TSA client receives the time stamp token and verifies the
signature on it. It also checks if the token contains the same hash
Index: openssl-1.0.2a/doc/crypto/rand.pod
===================================================================
--- openssl-1.0.2a.orig/doc/crypto/rand.pod 2015-04-03 22:07:02.025077534 +0200
+++ openssl-1.0.2a/doc/crypto/rand.pod 2015-04-03 22:07:04.830116325 +0200
@@ -74,16 +74,16 @@ First up I will state the things I belie
=over 4
-=item 1
+=item Z<>1
A good hashing algorithm to mix things up and to convert the RNG 'state'
to random numbers.
-=item 2
+=item Z<>2
An initial source of random 'state'.
-=item 3
+=item Z<>3
The state should be very large. If the RNG is being used to generate
4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum).
@@ -93,13 +93,13 @@ carried away on this last point but it d
a bad idea to keep quite a lot of RNG state. It should be easier to
break a cipher than guess the RNG seed data.
-=item 4
+=item Z<>4
Any RNG seed data should influence all subsequent random numbers
generated. This implies that any random seed data entered will have
an influence on all subsequent random numbers generated.
-=item 5
+=item Z<>5
When using data to seed the RNG state, the data used should not be
extractable from the RNG state. I believe this should be a
@@ -108,12 +108,12 @@ data would be a private key or a passwor
not be disclosed by either subsequent random numbers or a
'core' dump left by a program crash.
-=item 6
+=item Z<>6
Given the same initial 'state', 2 systems should deviate in their RNG state
(and hence the random numbers generated) over time if at all possible.
-=item 7
+=item Z<>7
Given the random number output stream, it should not be possible to determine
the RNG state or the next random number.

View File

@ -1,38 +0,0 @@
Index: openssl-1.0.2a/crypto/cryptlib.h
===================================================================
--- openssl-1.0.2a.orig/crypto/cryptlib.h 2015-05-24 13:18:57.391397563 +0200
+++ openssl-1.0.2a/crypto/cryptlib.h 2015-05-24 13:21:21.703498853 +0200
@@ -100,7 +100,7 @@ extern "C" {
void OPENSSL_cpuid_setup(void);
extern unsigned int OPENSSL_ia32cap_P[];
-void OPENSSL_showfatal(const char *fmta, ...);
+void OPENSSL_showfatal(const char *fmta, ...) __attribute__ ((format (printf, 1, 2)));
void *OPENSSL_stderr(void);
extern int OPENSSL_NONPIC_relocated;
Index: openssl-1.0.2a/crypto/crypto.h
===================================================================
--- openssl-1.0.2a.orig/crypto/crypto.h 2015-05-24 13:18:57.391397563 +0200
+++ openssl-1.0.2a/crypto/crypto.h 2015-05-24 13:23:15.110150336 +0200
@@ -529,15 +529,15 @@ void CRYPTO_get_mem_debug_functions(void
void (**f) (void *, int),
void (**so) (long), long (**go) (void));
-void *CRYPTO_malloc_locked(int num, const char *file, int line);
+void *CRYPTO_malloc_locked(int num, const char *file, int line) __attribute__((alloc_size(1)));
void CRYPTO_free_locked(void *ptr);
-void *CRYPTO_malloc(int num, const char *file, int line);
+void *CRYPTO_malloc(int num, const char *file, int line) __attribute__((alloc_size(1)));
char *CRYPTO_strdup(const char *str, const char *file, int line);
void CRYPTO_free(void *ptr);
-void *CRYPTO_realloc(void *addr, int num, const char *file, int line);
+void *CRYPTO_realloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2)));
void *CRYPTO_realloc_clean(void *addr, int old_num, int num, const char *file,
- int line);
-void *CRYPTO_remalloc(void *addr, int num, const char *file, int line);
+ int line) __attribute__((alloc_size(3)));
+void *CRYPTO_remalloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2)));
void OPENSSL_cleanse(void *ptr, size_t len);

View File

@ -1,15 +0,0 @@
Index: openssl-1.0.2a/crypto/ec/ec_curve.c
===================================================================
--- openssl-1.0.2a.orig/crypto/ec/ec_curve.c 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/crypto/ec/ec_curve.c 2015-05-24 15:52:09.058151058 +0200
@@ -3162,10 +3162,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
size_t i;
EC_GROUP *ret = NULL;
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return FIPS_ec_group_new_by_curve_name(nid);
-#endif
if (nid <= 0)
return NULL;

View File

@ -1,13 +0,0 @@
Index: openssl-1.0.2a/crypto/rand/rand_egd.c
===================================================================
--- openssl-1.0.2a.orig/crypto/rand/rand_egd.c 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/rand/rand_egd.c 2015-05-24 13:42:06.277601355 +0200
@@ -95,7 +95,7 @@
* RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
*/
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS)
+#if defined(__linux__) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS)
int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
{
return (-1);

View File

@ -1,187 +0,0 @@
Index: crypto/bio/b_sock.c
===================================================================
--- crypto/bio/b_sock.c.orig 2016-04-14 11:01:01.957760118 +0200
+++ crypto/bio/b_sock.c 2016-04-14 11:01:04.759799369 +0200
@@ -723,7 +723,7 @@ int BIO_get_accept_socket(char *host, in
}
again:
- s = socket(server.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+ s = socket(server.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
if (s == INVALID_SOCKET) {
SYSerr(SYS_F_SOCKET, get_last_socket_error());
ERR_add_error_data(3, "port='", host, "'");
@@ -765,7 +765,7 @@ int BIO_get_accept_socket(char *host, in
} else
goto err;
}
- cs = socket(client.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+ cs = socket(client.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
if (cs != INVALID_SOCKET) {
int ii;
ii = connect(cs, &client.sa, addrlen);
@@ -847,7 +847,7 @@ int BIO_accept(int sock, char **addr)
sa.len.s = 0;
sa.len.i = sizeof(sa.from);
memset(&sa.from, 0, sizeof(sa.from));
- ret = accept(sock, &sa.from.sa, (void *)&sa.len);
+ ret = accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC);
if (sizeof(sa.len.i) != sizeof(sa.len.s) && sa.len.i == 0) {
OPENSSL_assert(sa.len.s <= sizeof(sa.from));
sa.len.i = (int)sa.len.s;
Index: crypto/bio/bss_conn.c
===================================================================
--- crypto/bio/bss_conn.c.orig 2016-04-14 11:01:01.957760118 +0200
+++ crypto/bio/bss_conn.c 2016-04-14 11:01:04.759799369 +0200
@@ -195,7 +195,7 @@ static int conn_state(BIO *b, BIO_CONNEC
c->them.sin_addr.s_addr = htonl(l);
c->state = BIO_CONN_S_CREATE_SOCKET;
- ret = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+ ret = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
if (ret == INVALID_SOCKET) {
SYSerr(SYS_F_SOCKET, get_last_socket_error());
ERR_add_error_data(4, "host=", c->param_hostname,
Index: crypto/bio/bss_dgram.c
===================================================================
--- crypto/bio/bss_dgram.c.orig 2016-04-14 11:01:01.958760132 +0200
+++ crypto/bio/bss_dgram.c 2016-04-14 11:01:04.760799384 +0200
@@ -1175,7 +1175,7 @@ static int dgram_sctp_read(BIO *b, char
msg.msg_control = cmsgbuf;
msg.msg_controllen = 512;
msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (n <= 0) {
if (n < 0)
@@ -1800,7 +1800,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
msg.msg_controllen = 0;
msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
if (n <= 0) {
if ((n < 0) && (get_last_socket_error() != EAGAIN)
&& (get_last_socket_error() != EWOULDBLOCK))
@@ -1822,7 +1822,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
msg.msg_controllen = 0;
msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (n <= 0) {
if ((n < 0) && (get_last_socket_error() != EAGAIN)
&& (get_last_socket_error() != EWOULDBLOCK))
@@ -1887,7 +1887,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
fcntl(b->num, F_SETFL, O_NONBLOCK);
}
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
if (is_dry) {
fcntl(b->num, F_SETFL, sockflags);
@@ -1929,7 +1929,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
sockflags = fcntl(b->num, F_GETFL, 0);
fcntl(b->num, F_SETFL, O_NONBLOCK);
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
fcntl(b->num, F_SETFL, sockflags);
/* if notification, process and try again */
@@ -1949,7 +1949,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
msg.msg_control = NULL;
msg.msg_controllen = 0;
msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (data->handle_notifications != NULL)
data->handle_notifications(b, data->notification_context,
Index: crypto/bio/bss_file.c
===================================================================
--- crypto/bio/bss_file.c.orig 2016-04-14 11:01:01.958760132 +0200
+++ crypto/bio/bss_file.c 2016-04-14 11:01:04.760799384 +0200
@@ -118,6 +118,10 @@ static BIO_METHOD methods_filep = {
static FILE *file_fopen(const char *filename, const char *mode)
{
FILE *file = NULL;
+ size_t modelen = strlen (mode);
+ char newmode[modelen + 2];
+
+ memcpy (mempcpy (newmode, mode, modelen), "e", 2);
# if defined(_WIN32) && defined(CP_UTF8)
int sz, len_0 = (int)strlen(filename) + 1;
@@ -161,7 +165,7 @@ static FILE *file_fopen(const char *file
file = fopen(filename, mode);
}
# else
- file = fopen(filename, mode);
+ file = fopen(filename, newmode);
# endif
return (file);
}
@@ -282,7 +286,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
long ret = 1;
FILE *fp = (FILE *)b->ptr;
FILE **fpp;
- char p[4];
+ char p[5];
switch (cmd) {
case BIO_C_FILE_SEEK:
@@ -393,6 +397,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
else
strcat(p, "t");
# endif
+ strcat(p, "e");
fp = file_fopen(ptr, p);
if (fp == NULL) {
SYSerr(SYS_F_FOPEN, get_last_sys_error());
Index: crypto/rand/rand_unix.c
===================================================================
--- crypto/rand/rand_unix.c.orig 2016-04-14 11:01:04.761799398 +0200
+++ crypto/rand/rand_unix.c 2016-04-14 11:02:13.950768594 +0200
@@ -270,7 +270,7 @@ int RAND_poll(void)
for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
(n < sizeof(tmpbuf)); i++) {
- if ((fd = open(randomfiles[i], O_RDONLY
+ if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
# ifdef O_NONBLOCK
| O_NONBLOCK
# endif
Index: crypto/rand/randfile.c
===================================================================
--- crypto/rand/randfile.c.orig 2016-04-14 11:01:01.959760146 +0200
+++ crypto/rand/randfile.c 2016-04-14 11:01:04.761799398 +0200
@@ -147,7 +147,7 @@ int RAND_load_file(const char *file, lon
#ifdef OPENSSL_SYS_VMS
in = vms_fopen(file, "rb", VMS_OPEN_ATTRS);
#else
- in = fopen(file, "rb");
+ in = fopen(file, "rbe");
#endif
if (in == NULL)
goto err;
@@ -225,7 +225,7 @@ int RAND_write_file(const char *file)
* chmod(..., 0600) is too late to protect the file, permissions
* should be restrictive from the start
*/
- int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600);
+ int fd = open(file, O_WRONLY | O_CREAT | O_BINARY | O_CLOEXEC, 0600);
if (fd != -1)
out = fdopen(fd, "wb");
}
@@ -255,7 +255,7 @@ int RAND_write_file(const char *file)
out = vms_fopen(file, "wb", VMS_OPEN_ATTRS);
#else
if (out == NULL)
- out = fopen(file, "wb");
+ out = fopen(file, "wbe");
#endif
if (out == NULL)
goto err;

View File

@ -1,22 +0,0 @@
Index: openssl-1.0.2a/Makefile.org
===================================================================
--- openssl-1.0.2a.orig/Makefile.org 2015-04-04 11:17:01.000155196 +0200
+++ openssl-1.0.2a/Makefile.org 2015-04-04 11:17:03.379188598 +0200
@@ -368,7 +368,7 @@ libcrypto.pc: Makefile
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
libssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -382,7 +382,7 @@ libssl.pc: Makefile
echo 'Requires.private: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
openssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \

View File

@ -1,13 +0,0 @@
Index: openssl-1.0.2i/crypto/x509v3/v3_cpols.c
===================================================================
--- openssl-1.0.2i.orig/crypto/x509v3/v3_cpols.c 2016-09-23 11:35:30.509972948 +0200
+++ openssl-1.0.2i/crypto/x509v3/v3_cpols.c 2016-09-23 11:36:16.742667963 +0200
@@ -459,6 +459,8 @@ static void print_notice(BIO *out, USERN
if (i)
BIO_puts(out, ", ");
tmp = i2s_ASN1_INTEGER(NULL, num);
+ if (tmp == NULL)
+ return;
BIO_puts(out, tmp);
OPENSSL_free(tmp);
}

View File

@ -1,16 +0,0 @@
Index: openssl-1.0.2j/crypto/rand/randfile.c
===================================================================
--- openssl-1.0.2j.orig/crypto/rand/randfile.c 2016-09-27 13:52:29.265425064 +0200
+++ openssl-1.0.2j/crypto/rand/randfile.c 2016-09-27 13:53:34.162468100 +0200
@@ -205,6 +205,11 @@ int RAND_load_file(const char *file, lon
else
n = BUFSIZE;
i = fread(buf, 1, n, in);
+ if (i <= 0 && ferror(in) && errno == EINTR) {
+ clearerr(in);
+ continue;
+ }
+
if (i <= 0)
break;
#ifdef PURIFY

View File

@ -1,65 +0,0 @@
Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-13 15:18:47.520016582 +0200
+++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-13 15:36:32.309233030 +0200
@@ -465,6 +465,19 @@ static int rsa_builtin_keygen(RSA *rsa,
bitsp = (bits + 1) / 2;
bitsq = bits - bitsp;
+ /* prepare a maximum for p and q */
+ /* 0xB504F334 is (sqrt(2)/2)*2^32 */
+ if (!BN_set_word(r0, 0xB504F334))
+ goto err;
+ if (!BN_lshift(r0, r0, bitsp - 32))
+ goto err;
+
+ /* prepare minimum p and q difference */
+ if (!BN_one(r3))
+ goto err;
+ if (!BN_lshift(r3, r3, bitsp - 100))
+ goto err;
+
/* We need the RSA components non-NULL */
if (!rsa->n && ((rsa->n = BN_new()) == NULL))
goto err;
@@ -489,6 +502,8 @@ static int rsa_builtin_keygen(RSA *rsa,
for (;;) {
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
+ if (BN_cmp(rsa->p, r0) < 0)
+ continue;
if (!BN_sub(r2, rsa->p, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
@@ -501,21 +516,17 @@ static int rsa_builtin_keygen(RSA *rsa,
if (!BN_GENCB_call(cb, 3, 0))
goto err;
for (;;) {
- /*
- * When generating ridiculously small keys, we can get stuck
- * continually regenerating the same prime values. Check for this and
- * bail if it happens 3 times.
- */
- unsigned int degenerate = 0;
- do {
- if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
- goto err;
- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
- if (degenerate == 3) {
- ok = 0; /* we set our own err */
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
+ /* This function will take care of setting the topmost bit via BN_rand(..,1,1), so
+ * the maximum distance between p and q is less than 2^bitsq */
+ if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+ goto err;
+ if (BN_cmp(rsa->q, r0) < 0)
+ continue;
+ /* check for minimum distance between p and q, 2^(bitsp-100) */
+ if (!BN_sub(r2, rsa->q, rsa->p))
goto err;
- }
+ if (BN_ucmp(r2, r3) <= 0)
+ continue;
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))

View File

@ -1,17 +0,0 @@
Don't use the legacy /etc/ssl/certs directory anymore but rather the
p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
Index: openssl-1.0.2j/crypto/cryptlib.h
===================================================================
--- openssl-1.0.2j.orig/crypto/cryptlib.h 2017-02-01 16:50:51.103706760 +0100
+++ openssl-1.0.2j/crypto/cryptlib.h 2017-02-01 16:52:10.517058963 +0100
@@ -81,8 +81,8 @@ extern "C" {
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
-# define X509_CERT_DIR OPENSSLDIR "/certs"
-# define X509_CERT_FILE OPENSSLDIR "/cert.pem"
+# define X509_CERT_DIR "/var/lib/ca-certificates/openssl"
+# define X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem"
# define X509_PRIVATE_DIR OPENSSLDIR "/private"
# else
# define X509_CERT_AREA "SSLROOT:[000000]"

View File

@ -1,100 +0,0 @@
Index: openssl-1.0.2g/crypto/rand/rand_unix.c
===================================================================
--- openssl-1.0.2g.orig/crypto/rand/rand_unix.c 2016-04-15 14:27:32.058784436 +0200
+++ openssl-1.0.2g/crypto/rand/rand_unix.c 2016-04-15 14:27:32.711794567 +0200
@@ -245,7 +245,8 @@ int RAND_poll(void)
unsigned long l;
pid_t curr_pid = getpid();
# if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
- unsigned char tmpbuf[ENTROPY_NEEDED];
+ /* STATE_SIZE is 1023 ... but it was suggested to seed with 1024 bytes */
+ unsigned char tmpbuf[1024];
int n = 0;
# endif
# ifdef DEVRANDOM
@@ -268,7 +269,7 @@ int RAND_poll(void)
*/
for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
- (n < ENTROPY_NEEDED); i++) {
+ (n < sizeof(tmpbuf)); i++) {
if ((fd = open(randomfiles[i], O_RDONLY
# ifdef O_NONBLOCK
| O_NONBLOCK
@@ -355,7 +356,7 @@ int RAND_poll(void)
if (try_read) {
r = read(fd, (unsigned char *)tmpbuf + n,
- ENTROPY_NEEDED - n);
+ sizeof(tmpbuf) - n);
if (r > 0)
n += r;
# if defined(OPENSSL_SYS_BEOS_R5)
@@ -376,7 +377,7 @@ int RAND_poll(void)
}
while ((r > 0 ||
(errno == EINTR || errno == EAGAIN)) && usec != 0
- && n < ENTROPY_NEEDED);
+ && n < sizeof(tmpbuf));
close(fd);
}
@@ -389,12 +390,12 @@ int RAND_poll(void)
* collecting daemon.
*/
- for (egdsocket = egdsockets; *egdsocket && n < ENTROPY_NEEDED;
+ for (egdsocket = egdsockets; *egdsocket && n < sizeof(tmpbuf);
egdsocket++) {
int r;
r = RAND_query_egd_bytes(*egdsocket, (unsigned char *)tmpbuf + n,
- ENTROPY_NEEDED - n);
+ sizeof(tmpbuf) - n);
if (r > 0)
n += r;
}
Index: openssl-1.0.2g/crypto/rand/md_rand.c
===================================================================
--- openssl-1.0.2g.orig/crypto/rand/md_rand.c 2016-04-15 14:27:32.711794567 +0200
+++ openssl-1.0.2g/crypto/rand/md_rand.c 2016-04-15 14:28:18.865510438 +0200
@@ -360,6 +360,10 @@ int ssleay_rand_bytes(unsigned char *buf
if (num <= 0)
return 1;
+ /* special rule for /dev/urandom seeding ... seed with as much bytes
+ * from /dev/urandom as you get out */
+ RAND_load_file("/dev/urandom", num);
+
EVP_MD_CTX_init(&m);
/* round upwards to multiple of MD_DIGEST_LENGTH/2 */
num_ceil =
Index: openssl-1.0.2g/crypto/fips/fips_drbg_rand.c
===================================================================
--- openssl-1.0.2g.orig/crypto/fips/fips_drbg_rand.c 2016-04-15 14:27:32.712794583 +0200
+++ openssl-1.0.2g/crypto/fips/fips_drbg_rand.c 2016-04-15 14:29:30.192616518 +0200
@@ -77,6 +77,11 @@ static int fips_drbg_bytes(unsigned char
int rv = 0;
unsigned char *adin = NULL;
size_t adinlen = 0;
+
+ /* add entropy in 1:1 relation (number pulled bytes / number pushed from /dev/urandom) */
+ if (count > dctx->min_entropy)
+ RAND_load_file("/dev/urandom", count - dctx->min_entropy);
+
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
do {
size_t rcnt;
Index: openssl-1.0.2g/crypto/rand/rand_lib.c
===================================================================
--- openssl-1.0.2g.orig/crypto/rand/rand_lib.c 2016-04-15 14:27:32.712794583 +0200
+++ openssl-1.0.2g/crypto/rand/rand_lib.c 2016-04-15 14:30:45.074777402 +0200
@@ -238,7 +238,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
RAND_SSLeay()->add(in, inlen, entropy);
if (FIPS_rand_status()) {
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- FIPS_drbg_reseed(ctx, NULL, 0);
+ FIPS_drbg_reseed(ctx, in, inlen);
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
}
return 1;

View File

@ -1,3 +1,78 @@
-------------------------------------------------------------------
Fri May 5 09:21:04 UTC 2017 - tchvatal@suse.com
- Provide pkgconfig(openssl)
-------------------------------------------------------------------
Tue May 2 10:34:51 UTC 2017 - tchvatal@suse.com
- Provide basic baselibs.conf for 32bit subpackages
- Specify this package as noarch (as we just provide README files)
-------------------------------------------------------------------
Wed Apr 26 12:51:45 UTC 2017 - tchvatal@suse.com
- Fix typo in openssl requires
- Add dependency on the branched devel package
- Provide all pkgconfig symbols to hide them in versioned subpkgs
- This allows us to propagate only the preffered version of openssl
while allowing us to add extra openssl only as additional dependency
-------------------------------------------------------------------
Wed Apr 12 12:25:26 UTC 2017 - tchvatal@suse.com
- Remove the ssl provides as it is applicable for only those that
really provide it
-------------------------------------------------------------------
Wed Apr 12 11:51:36 UTC 2017 - tchvatal@suse.com
- Prepare to split to various subpackages converting main one to
dummy package
- Reduce to only provide main pkg and devel and depend on proper
soversioned package
- Version in this package needs to be synced with the one provided
by the split package
- Remove all the patches, now in the proper versioned namespace:
* merge_from_0.9.8k.patch
* openssl-1.0.0-c_rehash-compat.diff
* bug610223.patch
* openssl-ocloexec.patch
* openssl-1.0.2a-padlock64.patch
* openssl-fix-pod-syntax.diff
* openssl-truststore.patch
* compression_methods_switch.patch
* 0005-libssl-Hide-library-private-symbols.patch
* openssl-1.0.2a-default-paths.patch
* openssl-pkgconfig.patch
* openssl-1.0.2a-ipv6-apps.patch
* 0001-libcrypto-Hide-library-private-symbols.patch
* openssl-1.0.2i-fips.patch
* openssl-1.0.2a-fips-ec.patch
* openssl-1.0.2a-fips-ctor.patch
* openssl-1.0.2i-new-fips-reqs.patch
* openssl-gcc-attributes.patch
* 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
* openssl-no-egd.patch
* openssl-fips-hidden.patch
* openssl-1.0.1e-add-suse-default-cipher.patch
* openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
* openssl-missing_FIPS_ec_group_new_by_curve_name.patch
* openssl-fips-dont_run_FIPS_module_installed.patch
* openssl-fips_disallow_x931_rand_method.patch
* openssl-fips_disallow_ENGINE_loading.patch
* openssl-rsakeygen-minimum-distance.patch
* openssl-urandom-reseeding.patch
* openssl-fips-rsagen-d-bits.patch
* openssl-fips-selftests_in_nonfips_mode.patch
* openssl-fips-fix-odd-rsakeybits.patch
* openssl-fips-clearerror.patch
* openssl-fips-dont-fall-back-to-default-digest.patch
* openssl-fipslocking.patch
* openssl-print_notice-NULL_crash.patch
* openssl-randfile_fread_interrupt.patch
-------------------------------------------------------------------
Tue Apr 4 11:41:40 UTC 2017 - tchvatal@suse.com

View File

@ -1,158 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0IE1hdHQgQ2Fzd2VsbCA8
ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsDBgsJCAcDAgYVCAIJ
CgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+viob8935Uirei4Fv
nzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeARGwWTQYGmFmrNRWZ
2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAjeU8uSarmeZgGVMAI
nsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE5Q7wnnoRXdLyNet0
AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R4gYFS/xGfTgocPUD
Z4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO5vISJkZvqE5UiQEc
BBABAgAGBQJUV6uPAAoJEPI0eUVcUbJ8A/4H/2h9ONzArTOEl5y/eN6jJrZc1Af3
sC/CKxOVBJzpfVnda9O9Ldc4IFJG40ksNWuetDvShQTQtTy7dgne1lkfhud/uUG0
uo5W2ZoYaHIXOqoC0uxCR3ctOQg5hiVsL5XPjR7YQT+0c/bDK4HWr2GgX7Fo03dt
8LETRSjovUO2xPb8MFUNc9eZNokLPq9CbOMvmEdbZIt2EEXBOnhktdT0SvXu5E0t
AC6HqZXAo+my1vSqDxxF9MlpDHysLKIM9G2mvLDbG583pYB3+DEYyr0F/vQIVEb+
O8qUFaYCFaZKmEhIb3NC4SqLXV24+QKVu2NWtKY7wrg/rsmSI5/DmHVejXeJARwE
EwECAAYFAlRX/6sACgkQumzaRh/o4CMu2AgAl1Th443nVuobOv3tKlC89l0m048J
LG7fg8uMV0ejogQ7MAHkzQt/9uq5pQfDEtuIdLaoKqz93RtPECXfj/cBUT5iEkWl
PmOOR4UXfKUahU3qHED9+niOmlip3vZII/92oGSHv4KXPHZHOFUPn+nvaNypnIWG
TUJODueW9neoa+D8y3CC0KlZ9jTbwxSHVWTZjo8pezpJ1Fr4tE9bDibkWEm3pIcp
demSodBatNliSFcj/VeOF2AV4ABSKH0PGSrZazrefdTKPGiz01ZHmPAb6qsbLd66
94/brzuVz9YhoSRJCTqSmXmEowPbs8TsjfMeSQkkx4STSr86+DNYmG3Kc4kCHAQQ
AQIABgUCVDuigAAKCRDfq1kqvdUvHHktD/9je36p4LXhLda0+NqWsh1Vm9dC9RxM
023LqwoMNw6khLiLzzhmXKyazvV/q/lidPYCr3rWR3tCrmEkULogHf60unBghxYH
xva5XvObFDVXDmMBTP2M3XvKIAQXhNk9I22HtfgYTIhI2Bs/D7HDFgszoBurLLQK
l+rjDevDbeWbdXJZ7J4Z63kb0GaIIHnNXnvxWo7muomXfdKJEL8LIlmeUOh/ZYcI
u8HMoGvDKYMeRZ9ph7f2Z7iJDCUmtMauLM/qPP9wiyzZKZE/wwapWkWL1KgAC+vt
hwrFzcirkhvI2rnWUOeec+nEjmnnnPzA5tDtpyOQYqkcIf9hewkfA6l9js3fbf1i
jCluP+nZjsbYb7MO9IT+bBQ1Jm0tjwu8MiX3HJZGl8CNBzk0UXImIl+0kSzSAnQg
MK6EweTzDkCMIjVLRQAmpNw/8smvzu4JF3bX+w1S1MWZ5NNebCT5hs4kVhXT8Uvw
TLmdt+afRpxtlKFxhJ05v6lNgV1o8CaOm1tmmgyqWM53/nGUi1XqtXu1+0uoO65f
JMoJOjCoK+tHzNUvyoPmU/qhyCC0yftZHA0k1BRaI7Kf0ll+i+8laJceFlFr+k6/
Be2Mzp/C/3KyK04nU3/jY9oyUKAjq5D1mb/Ht5TWEOPoSuUtlqzgWWpNxJWTq0xe
jsLg/e/q5z7mR4kCHAQQAQIABgUCVDumsQAKCRDV6eQ/ffnujDUSD/9ar/zoYKhJ
/SsEuhEZ+taED4YRgKy0eeaT7YPqtmGVcs4meww06Og9L9FeK/8Qn/pa3xnFtTvX
K6XriSLly4DtmAZnwmtARidgXeXp+hfjEoeIXoAUpY88Af4FQhIkmJwcWRZYtM6x
/Gno8+LyzQGrGNmeoNNLJ5t7RsvBHYRR44LQNbGpv8dN0LTOAWKCmnGmNn5cN9Uq
BvrgJRsJvvBRtF/V53Y5giHX4N9C4VT21odQ4sEq3HrsofwEWDHnl0hEoWOpu3zu
AcxsAdm4A113z2+WnTLcQnCRjmG7mGpDStLTiBcw45MsGOLnR2CgtNXEQOYp97/C
wkgNF5rUyx/Owr63uw0EWOFkaqDWd8KPt4ZTmOcOUChVnEyFCXu9F3oD2ypbaM5O
ielMwj3Uq8Br5c21g0qCeDAIUaNQLl6cFfPtD6jDiYNhVBgOGrlvHyGP3+mm+Ix3
w2CpKmHv6z0ed2XWqQElBuOr2I8vcSos8SAK5oJz50t1joLP5PQ4T/FlbBBfXYgW
PtEGsae9K/cXVSV6NSxcfXDtNggfDG1S4AkwH1Ka96AtrGutJCPm1xSMpMJ7m3+G
5EfEqHnF5lnn/By+gZTvC+nnqGM4UolcAyz6FFVha/CtfoYBiXekUXnz6dDEgxm5
fA7CVeo+TDg4LgvvHh+P+EuJKQ4lQqGQl4kCHAQQAQIABgUCVEJylwAKCRBDFxH3
bRiS9VfrD/9yo5fWTBHdCMAVRsLa/rKSk0oB2jKXg+5Jo1m/FM3UF4JibDor8VLo
TgKUXTn2eyqX3Dr6/3UiGFzU43kg+IG9ZdCLx8FwGAEo0MA7Tef7W0Drq00kAdVy
dhS+1gi4NZc4Hj+rSYcYkto2/e+zlSmD5CB3X3kgTK3+qv7bQbGlLMxZfP1sWsUd
jI2gWpxIeqqUZXM1CwIzqXWFEktKTov2CRLftk3pSQ6pS4sw60dpq2+e7EeARZfp
WIHAG8PXCgbq2M8mhAZ1NADWgXRPHCN3MeDV3qM5Lj6ov2/i3Crmy1IV5Bxt6QLD
A04Sbv5TpJ1tecriW2wTWUU3b/QWzFuCS+FUNSKWJe7tbQJyWQY+BtVZsMeFdjiY
B8QrUY5WOc97tgBVXZG7+5ustM5d0VDk83sHnQrGxPVqQq57Pwi1JFTxM7YDzePX
3KZVNXi5NR+EI69+Ej3cBRKpOUdAsq7ywKzlqiYtpcZD/uzJKi0F+AyOKLPFG4Ny
f8eGqr75tDAXqdoE4fu6IKSybc3MKlX9+LiDyTlQmgoZIRmczHPfbCBQQln7NNk/
6BegL87/yJYSZuR10SLzRNdYa2E1wliPZezrUxu6Y4OeYEIxL0/w6j7I1YFGqwR4
83B2SdTXC1NKQVDUR6tbm/oDhNVo7mZ4VjUFJ7oS8en5+rbNv30svokCHAQQAQoA
BgUCVD7PygAKCRAgZMU2QcJeXYG/D/9KUEi7mN50xURhILUp7KKJnS3WbGP32N+/
/XXr1QIEiOuRhbCBp49Y9/Q9TGYFYGm42ClkMyGLW9Dp7zcyejjVrVRO5srQ5e9g
q5IPgfeoa6Wu301YzsvO3RBa10dg9thA6HJsDlU+vyCnU8fKThdSS1aaYtBqEAUJ
IzdFK0KIShqHyjKB31iVg2NL8AziBKHWIqr5Tyh84DFRuT+PAwwSYW5sy5j9wsyX
FK1ZAfkmS9fJsrr3n0l9KsUYW8dJzLcdEmtS+dbJLAPrqbhssK1wk/NE1/N+8+Y6
ocegn2lFfMheA6s+d1ejBnk0angY8ZGgLIvCuB/iTfivDefqM2KtbQBOqbw6rf3B
TLlVVfiCbFo/RJgxoAQTKs4D+OH8RnWoNANoIOitpIpieBD2I0pFmVDob9sh0toV
Hk8aDO6s6lNoEiLEJVWoh/6+qxsRX/rDAGyWO+4Oz6ctyS/laQjT2FxLGODZBMxj
XrdyRXrC/nIcwYUlFfB3xX54xAo1j38OIauO9u93338LFLYAcpHhkW78nmkRxNa5
SjiribecDj5/bzOI7G7gfTCKmEkUuZltCrG5MwSHorhGP/v8M+TeLsjkvzgm1Hd6
0pf1+NXOPbZpiCq1S/yIs1zBEj1Q1t1PuJT+BYkOzlR/RhSJFSY/B4dBA+HxN/cY
KzwNZN88HLQfTWF0dCBDYXN3ZWxsIDxtYXR0QG9wZW5zc2wub3JnPokBOAQTAQIA
IgUCU96+vAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ2cTSbQ5gRJGg
PQf/WUQld+vrqt2+yTI6LTNTQBG9RceNuaZiRnsROR1eHtVr9OOfzVPenCavcXgh
wsY0sPPgSDrvFur9PyuuwQ87HmdX+ZGdRP3tSaxC4udHbAsZtEG7bgUozuhfcpC+
Ah0lZ3EccmyOkYJWITWYgUBEDOU37qne09udDMA2NHLuL89hT+eIZ2pVwyFydkJf
kXtgfrDq3RmZgfebVB5ESdap/G7t7Iewi95syApMj9swbxnsqUtmFr0fCsVdAA8h
JPqx9zVuUon0g1QMz2IroNH+6WTDt7SGYcuqNapizk/PJd6g2ew9cm3r3CIANiqP
go0Mh02nVGgX2p9vWcT4MzquBokCHAQQAQoABgUCVD7PygAKCRAgZMU2QcJeXSx6
EACM2ZWwnTz0FwLaQfqcAUEUee2rX03GwXgZsw00fIv+IRtCGvZ+c5OyP6Blujb+
gylHK6sohL/JBqPO6y49HlQ+VOjo2iFzeFdoC8No936fKxfvM1NeocsXShb1rXak
LDtiUj3UEqFbfdwrt7s6xqpNF6cEcci8sE8vGTSazNePui0C9NqV5Gh924MCNTwC
EasEhXvyurKB8Sgo2X5lH3OutDlHnUuiNtJ10n8rRNe87ZKgKcPahjpsMKC87rqK
55/sGLdqAndyXmnasHUKEd7bwQzq396SZgdKxlEruwQPyrecjaqf0CpHhGVsTpCi
78IQ7jR6xZWdBBAAn6SeFKfxnDypx5thqXsWDRrzH5gTXAqN3BNUluTn0gQgqGVx
dU5/uY0fHXlXjjyS/CcEBQlhMeMbXvnWCQ+IGOToRedpUwTENB1+TkdUz/RuQm/U
EP2Lmkfx4XDj+R+lgbftQ6cfJtZccmvh+euWRcbJUlPXIeM6DJVRaL700R1VHrSi
2oPXQi9YcMlyzh4BZ9fe3DIBiIDBDOURMGB75ULlCxi39H1H2Anf0/E11aPOOkr7
oavD6AVziihQJ8LqNI2obdX+UwivoU35NXZMCifmTOcCbrCxw+Xih+X6EPC0qwhR
pDevf7mqWxWVyu30hLv3YJOgmHEh+++GRzS7SL9iovev+4kBHAQQAQIABgUCU/p2
2gAKCRA1IssGdHjPYDuZB/9arXoSdE0WGasdEfG+Qup0lL2rsfAYYXyCP08wVsZ0
pBVmoby+hpIHEkcVH47Au+lYW9UTrvK3yMKEhSrxTzA9LIjC9Q0Mfms1CEo9oRa8
2p2jM9Yy9thCMR21Xhq/GmCkaKuR3oK5ofMXngTf4eyMwCQYPcYhL69OVx+/60w0
DbG6/nJ553Rd0qDTGxjk/gzji4VYe0rJcATZSIO5TjJdd2VATkDDvRWa2asvMMN+
CcPL6U2iZi8g4s413CmImz5W8/u7R2v7dkRJ0FLbP3+OAiHFD6n7uD0WAhZKT4+H
HSKbOnh6mMnyGMnyn2N5IvrEL3FM0cflUrKfqnbFa/KyiQEcBBABAgAGBQJUV6uP
AAoJEPI0eUVcUbJ8OaoIALRdJKgFzcsDqtX4SeJpefJ4796u8O5B7w/16nXwOw7i
2lDUpmz9+bwEliVOc8etFCRvB6nl/NSq8OUCdha5MIIJVoJn3EWz4LNHCcplxE0g
zHfVMBaV8eB/+AEyvJ6QlaeN+PKBW3VPPGHxnBQBDdXmfIh2ceAkB9pCU6zN/lHV
95fs+E3X028OAaN/uwbyaJYCmWxRYOA0nIA7A9C2UWugrnka1qISR6XtiOhjTe9u
G9/K9FclJueW0FnFVXXwl+/O0epy4oOq199UoJvF0FEDChNvnAjjrS1iUOxGcvJ7
/sSgCV3t8sYyNm+euCCXbKTdF5iPkpRvpSKauPjO5nmJARwEEwECAAYFAlRX/6sA
CgkQumzaRh/o4CM5egf+J/+ia/Iqes82Gd5Q5I+I9yrNy+itjtEpBHNX3XrT+iJH
BrRfVUN2MGW/ovElEOkxo7ZuA6c5zSnPBqsrzuLdacFR5LNMVrE2i5B7H5bcMGJ9
AZPXud1YBTzbGaKCzdVnvW9EnrYSQK5eiDTQkPPJiHjrvz1QLrng7AJUFfWm4/xh
RchpPT8cVHBRP7qAInkP1IYJ7dVDKOJRFsEM7J1Jx5M6vmSi1du1IvNsSeD19+8a
fyWc5q88fJRx/DlRZ+y/R4OH8wj4fbwRwuMTqWLXAlY4A8r0AGXYhR5BN4jKZAyx
pyq7hY64D9WNhojqYRYwxOADWn9GqxMfSesSCr1gzokCHAQQAQIABgUCVDuigAAK
CRDfq1kqvdUvHGVQD/9WuFZgc24DIw3mAJKk2dNG+zIEmJx+EKRTqhwrs97y48xP
0KWKGtmuEwx6fHDhBnHiOB41pixk2GD7K0XGy9sqTL3PBINgECgEPEhkmSLATqrp
bYFA6IiAGlDtc7ySZ3qlajUgLGoUTuen5HfMxrF8waldv1IUm2MarkCYShz7/RD8
Zq6VpnkqNAlUch9f3hnZgRI2MpuTRl2aij/vtPVzg01t5KFvfZLYI8OkJx57A1L+
/8w6BEmKyC5WhNEEaH9uF5qhnZjZHsien7BZS7Tvkgb+6OMowS3ShNqUH3A2YVbW
AupaLq1nRwvs7rTWDuoRMVZGGUm0SM08TUKkl16hWxsAJEzCCdVxO+8l5Ul26LkC
KJLdeFPrJmutgQnPJOQ6Q/EsYYua3iNAbJp+hZ9quw0R0oiyO5b7Cn8P9KffpiY0
01GQ4SqYrll80WJn1kUWp+QqvIvZC595aVmF9Fplqp24qXdXt2OMhzZF6FdSB0GS
xplHgjR866XD2EjH6RgHZ/PTUYI9zjEEro2gk/BG5dshSa42nBkD+aJfmvjQ4CDI
sccsHdYlLdtvujsN0F/rFRRKdIAPZhnbVB45AqNL81AUDEaXXWa93GyW58GjZy0i
l29i0Zg/hMn7vhqt3pZY8GL9ND3J90rJuvls/zmeITIUR3wDH20ZdTw07P62RIkC
HAQQAQIABgUCVDumsQAKCRDV6eQ/ffnujPWzD/43HZVkH0GTm9LpXlEvXGNGTmce
y5majqUTmEOmqD2j3wJZZatW8uOCDCclKdjcwiL3B1DOZbrtVZqit4mK6uhxN/MW
lgPnH3lO8o3xtmLNED3POZXkTUD1+VkOJRFiekg9Y9tVAn5CfUlu8/V/1p0smBvI
HArJmhgpOy4ZzGtMTrlJHxNCuxlj+IAGL48xw+3zIrgpjuUoGHZwiLO0+bTls3Tt
/xUvPH192OQlbBWIrby2uGfjaoM+iiRuuvztYzd/BpxLlbU61E7yYe9T/9Or35jh
40T20KC9Ugv9etHER5QdtoNxrXJhkBGfGz9av/apTTgEuG2WeSlyFlom2scfuEsV
XwXIHHewv9Hqpr9yIEi5vwSwEtn5/FFoAUl5cY3hN+6BMUTn7DEOIrKjuzyOwPTM
mrS+BL8nUg/FgiO6KvdNBHMwW2cB97DTCo3ThL0Hr87i3J8bg0mB7jUIWcldAox2
5vsKdGo9UBygEtHIHPojc5n3ludmeMpkMdM7pI8WvWfHqiOstaJhyyfWw+0RWr/c
n5e2RaK9Ieef5PwCn6yrFmzR/KOnSV34XkBgfzMBf8J3OJzDZXDuZzw9ns/3fU25
om3OsiCDLuXkRESLBCYBbYnenWiaUacDOkS+DqLw9P9SsPWIKOaz0cVnbPmZFIzu
67KxPiPHmY9DZ0xuFYkCHAQQAQIABgUCVEJylwAKCRBDFxH3bRiS9VzQEACuEjJC
doXPGk+e8orcS1Xq7/Y4FbtChfuYaqjreccV1fmTmY7EPMj6YARyVslM39TcwDwN
gYhZ52pn7BtAGUVoz+p+A+kEerwUE2Id7J3yViH0kFk2ar3FZTUXA8rp3HhBKOZj
P+d0FBEzTCEhS44s3SyoD+ByY7jZeTg0F9f2p4HBoEeEbTBcOR1fJv0NG/A+5lsc
zfD6YDgJsT9C3TCLKV4AMRy/wDZjkHMoXYB0ttXASlFzjsMGsy0FwbgyAdg9XIIt
7jrDuWHy9M9eVHCp8JBW+gEMq116Jmq1FT7/5VMBdK+o1fiU5zRRAPdYGfr9PWy5
ygH7g6nl/jFV5XmRnnrgL7etWI07pjpoPWqHqjUTGg5UbnzMfRk9TnPBAJGXFJIw
S2QszDEU3ApESc14NHrUUYVH4GvyeG5DYKZlz7HCpwtdpoYJ4DL2adE8U8qUmQkc
izaoE8x8rf0h6qrQcOOw4H1vX/RdhDtxbcK/fOgaHeQYOa5+lcNAlE7lU3z/bl6f
iB2hWlQdyzajceEoFJpxMm+QvRV/Z3wmwWeVPjZexFChbQVtaGagPJxXhid7rc2T
o8egQq5gAAfUOPwB5YWnvmFnmq3o1zCy5wZGUcm9aU0/sNZjBa9J7Fisv6uCQblQ
HA90wVUJ351GEm5Nh+j8oOpNafAgVim/zTaYS7kBDQRRgC7CAQgAz2dQkASmxUFj
Ar3Y8/0yWjX961enomAEjryw4InFPDMGttPMiV69VBepb3N04MPo5spyAY24b4bo
3Cfng/oxxGl3Z3Giv1gD7JojTJPoJWeHGxePBz++5Di0EAvq1+4wBdFUh4RWTbZw
qTgckHrwiZcIJF3JGL0cgTmJOtkewcLiyMCyKuGVzSjyFTeCqQqHYSHBrr5TyXM3
HTqGgURnEhVG16jPWPMIciYXsRfO0RwMhqY7y5yRUoC4psmAUaRTduS82BaVzw+D
Hi1FQ0kYLUsTidippITB57VKkD9V7CIM5uP3s+jMJMXNEJQEKdK9oCVOekD3ROc4
Mftqv4vloQARAQABiQEfBBgBAgAJBQJRgC7CAhsMAAoJENnE0m0OYESRCzYH/3pc
H2HIWlf9uG7jVg2vudIDrl0OL134+Qyq8ummJyQbdVHjFdbLDMQlPDpbYM0zIU7q
Y611daA12AMXscpli8cGvqnK20sAw/sF9YG9Tthjn24qZRJzm+XQ3OxpJvHk8NJA
SRIgIsj7+EjC4Rc5vpnuA6tfsXW7LzdOYcU46MPaYuXmKxTMWFotWTR9lJj6YKCD
f+KdvBvyDfX3VhuTYt9ead1oSx0TMwutPSDrAiCbJvPpR1W5U99I8aXLRVZUAbWw
084KkC4mk1Xr5XGt1WIDHe9A9vHdfOoMVLUhKWd3SpL/tFfAy4UOlUf8EO/NByiK
RaelFj+Wg8aRKDhMHto=
=m5FY
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -16,72 +16,20 @@
#
%define ssletcdir %{_sysconfdir}/ssl
#%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
%define num_version 1.0.0
%define _sonum 1_0_0
Name: openssl
Version: 1.0.2k
Release: 0
Summary: Secure Sockets and Transport Layer Security
# Yes there is no license but to not confuse people keep it aligned to the pkg
License: OpenSSL
Group: Productivity/Networking/Security
Url: https://www.openssl.org/
Source: https://www.%{name}.org/source/%{name}-%{version}.tar.gz
# to get mtime of file:
Source1: openssl.changes
Source2: baselibs.conf
Source10: README.SUSE
Source11: README-FIPS.txt
Source42: https://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc
# https://www.openssl.org/about/
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/%name.keyring
Source43: %{name}.keyring
Patch0: merge_from_0.9.8k.patch
Patch1: openssl-1.0.0-c_rehash-compat.diff
Patch2: bug610223.patch
Patch3: openssl-ocloexec.patch
Patch4: openssl-1.0.2a-padlock64.patch
# PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049
Patch5: openssl-fix-pod-syntax.diff
Patch6: openssl-truststore.patch
Patch7: compression_methods_switch.patch
Patch8: 0005-libssl-Hide-library-private-symbols.patch
Patch9: openssl-1.0.2a-default-paths.patch
Patch10: openssl-pkgconfig.patch
Patch13: openssl-1.0.2a-ipv6-apps.patch
Patch14: 0001-libcrypto-Hide-library-private-symbols.patch
# FIPS patches:
Patch15: openssl-1.0.2i-fips.patch
Patch16: openssl-1.0.2a-fips-ec.patch
Patch17: openssl-1.0.2a-fips-ctor.patch
Patch18: openssl-1.0.2i-new-fips-reqs.patch
Patch19: openssl-gcc-attributes.patch
Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
Patch33: openssl-no-egd.patch
Patch34: openssl-fips-hidden.patch
Patch35: openssl-1.0.1e-add-suse-default-cipher.patch
Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
Patch38: openssl-missing_FIPS_ec_group_new_by_curve_name.patch
# FIPS patches from SLE-12
Patch41: openssl-fips-dont_run_FIPS_module_installed.patch
Patch50: openssl-fips_disallow_x931_rand_method.patch
Patch51: openssl-fips_disallow_ENGINE_loading.patch
Patch53: openssl-rsakeygen-minimum-distance.patch
Patch54: openssl-urandom-reseeding.patch
Patch55: openssl-fips-rsagen-d-bits.patch
Patch56: openssl-fips-selftests_in_nonfips_mode.patch
Patch57: openssl-fips-fix-odd-rsakeybits.patch
Patch58: openssl-fips-clearerror.patch
Patch59: openssl-fips-dont-fall-back-to-default-digest.patch
Patch61: openssl-fipslocking.patch
Patch62: openssl-print_notice-NULL_crash.patch
Patch63: openssl-randfile_fread_interrupt.patch
BuildRequires: bc
BuildRequires: ed
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Provides: ssl
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Source0: README.SUSE
Source99: baselibs.conf
BuildRequires: libopenssl%{_sonum} = %{version}
Requires: openssl-%{_sonum} = %{version}
BuildArch: noarch
%description
The OpenSSL Project is a collaborative effort to develop a robust,
@ -92,395 +40,43 @@ by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related
documentation.
Derivation and License
OpenSSL is based on the excellent SSLeay library developed by Eric A.
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
Apache-style license, which basically means that you are free to get it
and to use it for commercial and noncommercial purposes.
%package -n libopenssl1_0_0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
Group: Productivity/Networking/Security
Recommends: ca-certificates-mozilla
%description -n libopenssl1_0_0
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and open source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with full-strength cryptography. The project is managed
by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related
documentation.
Derivation and License
OpenSSL is based on the excellent SSLeay library developed by Eric A.
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
Apache-style license, which basically means that you are free to get it
and to use it for commercial and noncommercial purposes.
%package -n libopenssl-devel
Summary: Include Files and Libraries mandatory for Development
License: OpenSSL
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}
Requires: libopenssl1_0_0 = %{version}
Requires: pkgconfig(zlib)
Requires: libopenssl%{_sonum} = %{version}
Requires: libopenssl-%{_sonum}-devel = %{version}
Requires: pkgconfig
Obsoletes: openssl-devel < %{version}
Provides: openssl-devel = %{version}
Provides: pkgconfig(libssl) = %{version}
Obsoletes: pkgconfig(libssl) < %{version}
Provides: pkgconfig(libopenssl) = %{version}
Obsoletes: pkgconfig(libopenssl) < %{version}
Provides: pkgconfig(libcrypto) = %{version}
Obsoletes: pkgconfig(libcrypto) < %{version}
Provides: pkgconfig(openssl) = %{version}
Obsoletes: pkgconfig(openssl) < %{version}
%description -n libopenssl-devel
This package contains all necessary include files and libraries needed
to develop applications that require these.
%package -n libopenssl1_0_0-hmac
Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries
License: BSD-3-Clause
Group: Productivity/Networking/Security
Requires: libopenssl1_0_0 = %{version}-%{release}
%description -n libopenssl1_0_0-hmac
The FIPS compliant operation of the openssl shared libraries is NOT
possible without the HMAC hashes contained in this package!
%package doc
Summary: Additional Package Documentation
License: OpenSSL
Group: Productivity/Networking/Security
BuildArch: noarch
%description doc
This package contains optional documentation provided in addition to
this package's base documentation.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch9 -p1
%patch10 -p1
%patch13 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch26 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch37 -p1
%patch38 -p1
%patch41 -p1
%patch50 -p1
%patch51 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch3
%patch8 -p1
%patch14 -p1
cp -p %{SOURCE10} .
cp -p %{SOURCE11} .
echo "adding/overwriting some entries in the 'table' hash in Configure"
# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::'
cat <<EOF_ED | ed -s Configure
/^);
-
i
#
# local configuration added from specfile
# ... MOST of those are now correct in openssl's Configure already,
# so only add them for new ports!
#
#config-string, $cc:$cflags:$unistd:$thread_cflag:$sys_id:$lflags:$bn_ops:$cpuid_obj:$bn_obj:$des_obj:$aes_obj:$bf_obj:$md5_obj:$sha1_obj:$cast_obj:$rc4_obj:$rmd160_obj:$rc5_obj:$wp_obj:$cmll_obj:$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags:$multilib
#"linux-elf", "gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG \${x86_gcc_des} \${x86_gcc_opts}:\${x86_elf_asm}:$DSO_SCHEME:",
#"linux-ia64", "gcc:-DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:\${ia64_asm}: $DSO_SCHEME:",
#"linux-ppc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:",
#"linux-ppc64", "gcc:-DB_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
"linux-elf-arm","gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:",
"linux-mips", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:",
"linux-sparcv7","gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:\${no_asm}: $DSO_SCHEME:",
#"linux-sparcv8","gcc:-DB_ENDIAN -DBN_DIV2W -mv8 ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::asm/sparcv8.o::::::::::::: $DSO_SCHEME:",
#"linux-x86_64", "gcc:-DL_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
#"linux-s390", "gcc:-DB_ENDIAN ::(unknown): :-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:",
#"linux-s390x", "gcc:-DB_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
"linux-parisc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL DES_RISC1:\${no_asm}: $DSO_SCHEME:",
.
wq
EOF_ED
# fix ENGINESDIR path
sed -i 's,/lib/engines,/%{_lib}/engines,' Configure
cp %{SOURCE0} .
%build
%if 0%{?suse_version} >= 1230
find -type f -name "*.c" -exec sed -i -e "s@getenv@secure_getenv@g" {} +
%endif
%ifarch armv5el armv5tel
export MACHINE=armv5el
%endif
%ifarch armv6l armv6hl
export MACHINE=armv6l
%endif
./config --test-sanity
#
config_flags="threads shared no-rc5 no-idea \
fips \
no-ssl2 \
no-ssl3 \
enable-rfc3779 \
%ifarch x86_64 aarch64 ppc64le
enable-ec_nistp_64_gcc_128 \
%endif
enable-camellia \
zlib \
no-ec2m \
--prefix=%{_prefix} \
--libdir=%{_lib} \
--openssldir=%{ssletcdir} \
%{optflags} -std=gnu99 \
-Wa,--noexecstack \
-Wl,-z,relro,-z,now \
-fno-common \
-DTERMIO \
-DPURIFY \
-D_GNU_SOURCE \
-DOPENSSL_NO_BUF_FREELISTS \
$(getconf LFS_CFLAGS) \
-Wall "
#
#%{!?do_profiling:%define do_profiling 0}
#%if %do_profiling
# # generate feedback
# ./config $config_flags
# make depend CC="gcc %cflags_profile_generate"
# make CC="gcc %cflags_profile_generate"
# LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate"
# LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate"
# LD_LIBRARY_PATH=`pwd` apps/openssl speed
# make clean
# # compile with feedback
# # but not if it makes a cipher slower:
# #find crypto/aes -name '*.da' | xargs -r rm
# ./config $config_flags %cflags_profile_feedback
# make depend
# make
# LD_LIBRARY_PATH=`pwd` make rehash
# LD_LIBRARY_PATH=`pwd` make test
#%else
# OpenSSL relies on uname -m (not good). Thus that little sparc line.
./config \
%ifarch sparc64
linux64-sparcv9 \
%endif
$config_flags
# Record mtime of changes file instead of build time to make build-compare work
make PERL=perl -C crypto buildinf.h
CHANGES=`stat --format="%{y}" %{SOURCE1}`
cat crypto/buildinf.h
sed -i -e "s|#define DATE .*|#define DATE \"built on: $CHANGES\"|" crypto/buildinf.h
cat crypto/buildinf.h
make depend
make
LD_LIBRARY_PATH=`pwd` make rehash
# for FIPS mode testing; the same hashes are being created later just before
# the wrap-up of the files into the package.
# These files are just there for the make test below...
crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
%ifnarch armv4l
LD_LIBRARY_PATH=`pwd` make test
%endif
#%endif
# show settings
make %{?_smp_mflags} TABLE
echo %{optflags}
eval $(egrep PLATFORM='[[:alnum:]]' Makefile)
grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE
:
%install
make MANDIR=%{_mandir} INSTALL_PREFIX=%{buildroot} install
cp -a crypto/fips/fips_standalone_hmac %{buildroot}%{_bindir}/fips_standalone_hmac
ln -sf ./%{name} %{buildroot}/%{_includedir}/ssl
mkdir %{buildroot}/%{_datadir}/ssl
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
# ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private
# ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
#
:
# avoid file conflicts with man pages from other packages
#
pushd %{buildroot}/%{_mandir}
# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
# replace spaces by underscores
#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
for i in man?/*; do
if test -L $i ; then
LDEST=`readlink $i`
rm -f $i ${i}ssl
ln -sf ${LDEST}ssl ${i}ssl
else
mv $i ${i}ssl
fi
case "$i" in
*.1)
# these are the pages mentioned in openssl(1). They go into the main package.
echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;;
*)
# the rest goes into the openssl-doc package.
echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;;
esac
done
popd
#
# check wether some shared library has been installed
#
ls -l %{buildroot}%{_libdir}
test -f %{buildroot}%{_libdir}/libssl.so.%{num_version}
test -f %{buildroot}%{_libdir}/libcrypto.so.%{num_version}
test -L %{buildroot}%{_libdir}/libssl.so
test -L %{buildroot}%{_libdir}/libcrypto.so
#
# see what we've got
#
cat > showciphers.c <<EOF
#include <openssl/err.h>
#include <openssl/ssl.h>
int main(){
unsigned int i;
SSL_CTX *ctx;
SSL *ssl;
SSL_METHOD *meth;
meth = SSLv23_client_method();
SSLeay_add_ssl_algorithms();
ctx = SSL_CTX_new(meth);
if (ctx == NULL) return 0;
ssl = SSL_new(ctx);
if (!ssl) return 0;
for (i=0; ; i++) {
int j, k;
SSL_CIPHER *sc;
sc = (meth->get_cipher)(i);
if (!sc) break;
k = SSL_CIPHER_get_bits(sc, &j);
printf("%{s}\n", sc->name);
}
return 0;
};
EOF
gcc %{optflags} -I%{buildroot}%{_includedir} -c showciphers.c
gcc -o showciphers showciphers.o -L%{buildroot}%{_libdir} -lssl -lcrypto
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true
cat AVAILABLE_CIPHERS
# Do not install demo scripts executable under /usr/share/doc
find demos -type f -perm /111 -exec chmod 644 {} \;
# the hmac hashes:
#
# this is a hack that re-defines the __os_install_post macro
# for a simple reason: the macro strips the binaries and thereby
# invalidates a HMAC that may have been created earlier.
# solution: create the hashes _after_ the macro runs.
#
# this shows up earlier because otherwise the %expand of
# the macro is too late.
# remark: This is the same as running
# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
%{expand:%%global __os_install_post {%__os_install_post
%{buildroot}%{_bindir}/fips_standalone_hmac \
%{buildroot}/%{_lib}/libssl.so.%{num_version} > \
%{buildroot}/%{_lib}/.libssl.so.%{num_version}.hmac
%{buildroot}%{_bindir}/fips_standalone_hmac \
%{buildroot}/%{_lib}/libcrypto.so.%{num_version} > \
%{buildroot}/%{_lib}/.libcrypto.so.%{num_version}.hmac
}}
#process openssllib
mkdir %{buildroot}/%{_lib}
mv %{buildroot}%{_libdir}/libssl.so.%{num_version} %{buildroot}/%{_lib}/
mv %{buildroot}%{_libdir}/libcrypto.so.%{num_version} %{buildroot}/%{_lib}/
mv %{buildroot}%{_libdir}/engines %{buildroot}/%{_lib}/
cd %{buildroot}%{_libdir}/
ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
for engine in 4758cca atalla nuron sureware ubsec cswift chil aep gmp capi; do
rm %{buildroot}/%{_lib}/engines/lib$engine.so
done
%ifnarch %{ix86} x86_64
rm %{buildroot}/%{_lib}/engines/libpadlock.so
%endif
%post -n libopenssl1_0_0 -p /sbin/ldconfig
%postun -n libopenssl1_0_0 -p /sbin/ldconfig
%files -n libopenssl1_0_0
%files
%defattr(-, root, root)
/%{_lib}/libssl.so.%{num_version}
/%{_lib}/libcrypto.so.%{num_version}
/%{_lib}/engines
%files -n libopenssl1_0_0-hmac
%defattr(-, root, root)
/%{_lib}/.libssl.so.%{num_version}.hmac
/%{_lib}/.libcrypto.so.%{num_version}.hmac
%doc README.SUSE
%files -n libopenssl-devel
%defattr(-, root, root)
%{_includedir}/%{name}/
%{_includedir}/ssl
%exclude %{_libdir}/libcrypto.a
%exclude %{_libdir}/libssl.a
%{_libdir}/libssl.so
%{_libdir}/libcrypto.so
%{_libdir}/pkgconfig/libcrypto.pc
%{_libdir}/pkgconfig/libssl.pc
%{_libdir}/pkgconfig/openssl.pc
%files doc -f filelist.doc
%defattr(-, root, root)
%doc doc/* demos
%doc showciphers.c
%files -f filelist
%defattr(-, root, root)
%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
%doc LICENSE NEWS README README.SUSE README-FIPS.txt
%dir %{ssletcdir}
%config (noreplace) %{ssletcdir}/openssl.cnf
%attr(700,root,root) %{ssletcdir}/private
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%{_bindir}/c_rehash
%{_bindir}/fips_standalone_hmac
%{_bindir}/%{name}
%doc README.SUSE
%changelog

View File

@ -1,3 +0,0 @@
openssl autmatically tests iteslf, no further testing needed