- listen on ipv6 wildcard in s_server so we accept connections

from both ipv4 and ipv6 (#601612) - fix openssl speed command so it can be used in the FIPS mode with FIPS allowed ciphers
2011-01-24 17:41:43 +01:00 · 2011-01-24 17:41:43 +01:00 · 09127ac54a
parent 540056f0e0
commit 09127ac54a
3 changed files with 162 additions and 1 deletions
--- a/openssl-1.0.0c-apps-ipv6listen.patch
+++ b/openssl-1.0.0c-apps-ipv6listen.patch
@ -0,0 +1,57 @@
+diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
+--- openssl-1.0.0c/apps/s_socket.c.ipv6listen	2011-01-24 16:44:18.000000000 +0100
+++ openssl-1.0.0c/apps/s_socket.c	2011-01-24 16:56:25.000000000 +0100
+@@ -335,15 +335,16 @@ int do_server(char *port, int type, int 
+ 
+ static int init_server(int *sock, char *port, int type)
+ 	{
+-	struct addrinfo *res, *res0, hints;
+	struct addrinfo *res, *res0 = NULL, hints;
+ 	char * failed_call = NULL;
+-	char port_name[8];
+ 	int s;
+ 	int e;
+ 
+ 	if (!ssl_sock_init()) return(0);
+ 
+ 	memset(&hints, '\0', sizeof(hints));
+        hints.ai_family = AF_INET6;
+tryipv4:
+ 	hints.ai_socktype = type;
+ 	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+ 	
+@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
+ 			failed_call = "socket";
+ 			goto nextres;
+ 			}
+		if (hints.ai_family == AF_INET6)
+			{
+			int j = 0;
+			setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
+				   (void *) &j, sizeof j);
+			}
+ #if defined SOL_SOCKET && defined SO_REUSEADDR
+ 		{
+ 		int j = 1;
+@@ -392,9 +399,19 @@ nextres:
+ 			close(s);
+ 		res = res->ai_next;
+ 	}
+-	freeaddrinfo(res0);
+	if (res0)
+		freeaddrinfo(res0);
+ 
+-	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+	if (s == INVALID_SOCKET)
+	{
+		if (hints.ai_family == AF_INET6)
+		{
+			hints.ai_family = AF_INET;
+			goto tryipv4;
+		}
+		perror("socket");
+		return(0);
+	}
+ 
+ 	perror(failed_call);
+ 	return(0);
--- a/openssl-1.0.0c-speed-fips.patch
+++ b/openssl-1.0.0c-speed-fips.patch
@ -0,0 +1,94 @@
+diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
+--- openssl-1.0.0c/apps/speed.c.spfips	2010-11-18 14:22:26.000000000 +0100
+++ openssl-1.0.0c/apps/speed.c	2011-01-24 17:25:32.000000000 +0100
+@@ -100,6 +100,9 @@
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+ #if !defined(OPENSSL_SYS_MSDOS)
+ #include OPENSSL_UNISTD
+ #endif
+@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
+ #ifndef OPENSSL_NO_RSA
+ 			if (strcmp(*argv,"rsa") == 0)
+ 			{
+#ifdef OPENSSL_FIPS
+				if (!FIPS_mode())
+#endif
+				{
+ 			rsa_doit[R_RSA_512]=1;
+				}
+ 			rsa_doit[R_RSA_1024]=1;
+ 			rsa_doit[R_RSA_2048]=1;
+ 			rsa_doit[R_RSA_4096]=1;
+@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
+ #ifndef OPENSSL_NO_DSA
+ 			if (strcmp(*argv,"dsa") == 0)
+ 			{
+#ifdef OPENSSL_FIPS
+				if (!FIPS_mode())
+#endif
+				{
+ 			dsa_doit[R_DSA_512]=1;
+				}
+ 			dsa_doit[R_DSA_1024]=1;
+ 			dsa_doit[R_DSA_2048]=1;
+ 			}
+@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
+ 	AES_set_encrypt_key(key32,256,&aes_ks3);
+ #endif
+ #ifndef OPENSSL_NO_CAMELLIA
+	if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
+	    {
+ 	Camellia_set_key(key16,128,&camellia_ks1);
+ 	Camellia_set_key(ckey24,192,&camellia_ks2);
+ 	Camellia_set_key(ckey32,256,&camellia_ks3);
+	    }
+ #endif
+ #ifndef OPENSSL_NO_IDEA
+	if (doit[D_CBC_IDEA])
+	    {
+ 	idea_set_encrypt_key(key16,&idea_ks);
+	    }
+ #endif
+ #ifndef OPENSSL_NO_SEED
+	if (doit[D_CBC_SEED])
+	    {
+ 	SEED_set_key(key16,&seed_ks);
+	    }
+ #endif
+ #ifndef OPENSSL_NO_RC4
+	if (doit[D_RC4])
+	    {
+ 	RC4_set_key(&rc4_ks,16,key16);
+	    }
+ #endif
+ #ifndef OPENSSL_NO_RC2
+	if (doit[D_CBC_RC2])
+	    {
+ 	RC2_set_key(&rc2_ks,16,key16,128);
+	    }
+ #endif
+ #ifndef OPENSSL_NO_RC5
+	if (doit[D_CBC_RC5])
+	    {
+ 	RC5_32_set_key(&rc5_ks,16,key16,12);
+	    }
+ #endif
+ #ifndef OPENSSL_NO_BF
+	if (doit[D_CBC_BF])
+	    {
+ 	BF_set_key(&bf_ks,16,key16);
+	    }
+ #endif
+ #ifndef OPENSSL_NO_CAST
+	if (doit[D_CBC_CAST])
+	    {
+ 	CAST_set_key(&cast_ks,16,key16);
+	    }
+ #endif
+ #ifndef OPENSSL_NO_RSA
+ 	memset(rsa_c,0,sizeof(rsa_c));
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0c
-Release: 1%{?dist}
+Release: 2%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@ -62,6 +62,8 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
 Patch51: openssl-1.0.0c-version.patch
 Patch52: openssl-1.0.0b-aesni.patch
 Patch53: openssl-1.0.0-name-hash.patch
+Patch54: openssl-1.0.0c-speed-fips.patch
+Patch55: openssl-1.0.0c-apps-ipv6listen.patch
 # Backported fixes including security fixes

 License: OpenSSL
@ -144,6 +146,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch51 -p1 -b .version
 %patch52 -p1 -b .aesni
 %patch53 -p1 -b .name-hash
+%patch54 -p1 -b .spfips
+%patch55 -p1 -b .ipv6listen

 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@ -393,6 +397,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig

 %changelog
+* Mon Jan 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0c-2
+- listen on ipv6 wildcard in s_server so we accept connections
+  from both ipv4 and ipv6 (#601612)
+- fix openssl speed command so it can be used in the FIPS mode
+  with FIPS allowed ciphers
+
 * Fri Dec  3 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0c-1
 - new upstream version fixing CVE-2010-4180