rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'up/f29' into f29-riscv64 

Signed-off-by: David Abdurachmanov <david.abdurachmanov@gmail.com>
This commit is contained in:
David Abdurachmanov 2018-10-17 12:09:11 +02:00
parent e18afbe0a2 33bd389ea8
commit 1ee3891bdc
Signed by: davidlt
GPG Key ID: 7108702C938B13C1
12 changed files with 586 additions and 361 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -40,3 +40,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.0h-hobbled.tar.xz /openssl-1.1.0h-hobbled.tar.xz
/openssl-1.1.1-pre8-hobbled.tar.xz /openssl-1.1.1-pre8-hobbled.tar.xz
/openssl-1.1.1-pre9-hobbled.tar.xz /openssl-1.1.1-pre9-hobbled.tar.xz
/openssl-1.1.1-hobbled.tar.xz

9
openssl-1.1.0-defaults.patch
View File

@ -1,6 +1,15 @@
diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
--- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200 --- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200
+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200 +++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200
@@ -10,7 +10,7 @@
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
-RANDFILE = $ENV::HOME/.rnd
+#RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi @@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
default_days = 365 # how long to certify for default_days = 365 # how long to certify for

30
openssl-1.1.0-weak-ciphers.patch
View File

@ -1,30 +0,0 @@
diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
--- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/ssl/s3_lib.c 2017-06-15 15:12:51.555142528 +0200
@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
256,
@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC12,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
256,
256,
@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
},
#endif /* OPENSSL_NO_SEED */
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+#if 0 /* No RC4 */
{
1,
SSL3_TXT_RSA_RC4_128_MD5,

18
openssl-1.1.1-disable-ssl3.patch
View File

@ -27,17 +27,19 @@ diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps
diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c
--- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200 --- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200
+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200 +++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200
@@ -3016,6 +3016,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m @@ -3016,6 +3016,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
*/ */
ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
+ /* + if (meth->version != SSL3_VERSION) {
+ * Disable SSLv3 by default. Applications can + /*
+ * re-enable it by configuring + * Disable SSLv3 by default. Applications can
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); + * re-enable it by configuring
+ * or by using the SSL_CONF API. + * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+ */ + * or by using the SSL_CONF API.
+ ret->options |= SSL_OP_NO_SSLv3; + */
+ ret->options |= SSL_OP_NO_SSLv3;
+ }
+ +
ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;

136
openssl-1.1.1-ec-curves.patch
View File

@ -1,8 +1,40 @@
diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
--- openssl-1.1.1-pre8/apps/speed.c.curves 2018-07-17 08:48:56.106625020 +0200 --- openssl-1.1.1/apps/speed.c.curves 2018-09-11 14:48:20.000000000 +0200
+++ openssl-1.1.1-pre8/apps/speed.c 2018-07-17 08:50:07.526521809 +0200 +++ openssl-1.1.1/apps/speed.c 2018-09-13 09:24:24.840081023 +0200
@@ -511,56 +511,20 @@ static double rsa_results[RSA_NUM][2]; @@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
#define R_EC_X448 23 static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
#endif /* OPENSSL_NO_RSA */
-#define R_EC_P160 0
-#define R_EC_P192 1
-#define R_EC_P224 2
-#define R_EC_P256 3
-#define R_EC_P384 4
-#define R_EC_P521 5
-#define R_EC_K163 6
-#define R_EC_K233 7
-#define R_EC_K283 8
-#define R_EC_K409 9
-#define R_EC_K571 10
-#define R_EC_B163 11
-#define R_EC_B233 12
-#define R_EC_B283 13
-#define R_EC_B409 14
-#define R_EC_B571 15
-#define R_EC_BRP256R1 16
-#define R_EC_BRP256T1 17
-#define R_EC_BRP384R1 18
-#define R_EC_BRP384T1 19
-#define R_EC_BRP512R1 20
-#define R_EC_BRP512T1 21
-#define R_EC_X25519 22
-#define R_EC_X448 23
+#define R_EC_P224 0
+#define R_EC_P256 1
+#define R_EC_P384 2
+#define R_EC_P521 3
+#define R_EC_X25519 4
+#define R_EC_X448 5
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
static OPT_PAIR ecdsa_choices[] = { static OPT_PAIR ecdsa_choices[] = {
- {"ecdsap160", R_EC_P160}, - {"ecdsap160", R_EC_P160},
@ -58,10 +90,90 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
{"ecdhx25519", R_EC_X25519}, {"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448} {"ecdhx448", R_EC_X448}
}; };
diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c @@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
--- openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves 2018-06-20 16:48:10.000000000 +0200 unsigned int bits;
+++ openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c 2018-07-17 08:48:56.107625044 +0200 } test_curves[] = {
@@ -141,6 +141,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO /* Prime Curves */
- {"secp160r1", NID_secp160r1, 160},
- {"nistp192", NID_X9_62_prime192v1, 192},
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
{"nistp521", NID_secp521r1, 521},
- /* Binary Curves */
- {"nistk163", NID_sect163k1, 163},
- {"nistk233", NID_sect233k1, 233},
- {"nistk283", NID_sect283k1, 283},
- {"nistk409", NID_sect409k1, 409},
- {"nistk571", NID_sect571k1, 571},
- {"nistb163", NID_sect163r2, 163},
- {"nistb233", NID_sect233r1, 233},
- {"nistb283", NID_sect283r1, 283},
- {"nistb409", NID_sect409r1, 409},
- {"nistb571", NID_sect571r1, 571},
- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
- {"brainpoolP384t1", NID_brainpoolP384t1, 384},
- {"brainpoolP512r1", NID_brainpoolP512r1, 512},
- {"brainpoolP512t1", NID_brainpoolP512t1, 512},
/* Other and ECDH only ones */
{"X25519", NID_X25519, 253},
{"X448", NID_X448, 448}
@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
# endif
# ifndef OPENSSL_NO_EC
- ecdsa_c[R_EC_P160][0] = count / 1000;
- ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
+ ecdsa_c[R_EC_P224][0] = count / 1000;
+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#if 0
ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
}
}
}
-
- ecdh_c[R_EC_P160][0] = count / 1000;
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
+#endif
+ ecdh_c[R_EC_P224][0] = count / 1000;
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0;
@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#if 0
ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#endif
/* default iteration count for the last two EC Curves */
ecdh_c[R_EC_X25519][0] = count / 1800;
ecdh_c[R_EC_X448][0] = count / 7200;
diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_smpl.c
--- openssl-1.1.1/crypto/ec/ecp_smpl.c.curves 2018-09-11 14:48:21.000000000 +0200
+++ openssl-1.1.1/crypto/ec/ecp_smpl.c 2018-09-13 09:09:26.841792619 +0200
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0; return 0;
} }
@ -73,9 +185,9 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypt
if (ctx == NULL) { if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new(); ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
diff -up openssl-1.1.1-pre8/test/ecdsatest.c.curves openssl-1.1.1-pre8/test/ecdsatest.c diff -up openssl-1.1.1/test/ecdsatest.c.curves openssl-1.1.1/test/ecdsatest.c
--- openssl-1.1.1-pre8/test/ecdsatest.c.curves 2018-06-20 16:48:14.000000000 +0200 --- openssl-1.1.1/test/ecdsatest.c.curves 2018-09-11 14:48:24.000000000 +0200
+++ openssl-1.1.1-pre8/test/ecdsatest.c 2018-07-17 08:48:56.107625044 +0200 +++ openssl-1.1.1/test/ecdsatest.c 2018-09-13 09:09:26.841792619 +0200
@@ -173,6 +173,7 @@ static int x9_62_tests(void) @@ -173,6 +173,7 @@ static int x9_62_tests(void)
if (!change_rand()) if (!change_rand())
goto x962_err; goto x962_err;

552
openssl-1.1.1-fips.patch
View File

File diff suppressed because it is too large Load Diff

14
openssl-1.1.1-seclevel-check.patch
View File

@ -1,14 +0,0 @@
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index df5cff79c9..e740a8c25d 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
if (level >= 2 && c->algorithm_enc == SSL_RC4)
return 0;
/* Level 3: forward secure ciphersuites only */
- if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+ if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
+ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
return 0;
break;
}

65
openssl-1.1.1-seclevel.patch Normal file
View File

@ -0,0 +1,65 @@
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-09-14 11:47:39.715317617 +0200
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
}
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
+static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
/*
@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
return 0;
-
- return secbits >= minbits_table[level - 1];
+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
+ if (FIPS_mode())
+ return secbits >= minbits_table[level - 1];
+ return secbits >= minbits_digest_table[level - 1];
}
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-09-14 11:47:39.715317617 +0200
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
=item B<Level 2>
-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
+Security level set to 112 bits of security with the exception of SHA1 allowed
+for signatures.
+As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
+shorter than 224 bits are prohibited.
In addition to the level 1 exclusions any cipher suite using RC4 is also
prohibited. SSL version 3 is also not allowed. Compression is disabled.
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-09-14 11:47:39.716317598 +0200
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
return 0;
break;
default:
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
+ break;
if (bits < minbits)
return 0;
}
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-09-14 12:36:40.021812399 +0200
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
- "Reject PSS signature using SHA1 and auth level 2");
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
+ "Reject PSS signature using SHA1 and auth level 3");
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");

16
openssl-1.1.1-version-override.patch
View File

@ -1,14 +1,12 @@
diff -up openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override openssl-1.1.1-pre9/include/openssl/opensslv.h diff -up openssl-1.1.1/include/openssl/opensslv.h.version-override openssl-1.1.1/include/openssl/opensslv.h
--- openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override 2018-08-22 12:25:31.959886929 +0200 --- openssl-1.1.1/include/openssl/opensslv.h.version-override 2018-09-13 08:54:38.247940128 +0200
+++ openssl-1.1.1-pre9/include/openssl/opensslv.h 2018-08-22 12:26:17.997014595 +0200 +++ openssl-1.1.1/include/openssl/opensslv.h 2018-09-13 08:56:10.757779555 +0200
@@ -39,8 +39,8 @@ extern "C" { @@ -40,7 +40,7 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
-# define OPENSSL_VERSION_NUMBER 0x10101009L # define OPENSSL_VERSION_NUMBER 0x1010100fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018" -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 11 Sep 2018"
+# define OPENSSL_VERSION_NUMBER 0x1010100fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 FIPS 11 Sep 2018"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018"
/*- /*-
* The macros below are to be used for shared library (.so, .dll, ...) * The macros below are to be used for shared library (.so, .dll, ...)

57
openssl-1.1.1-weak-ciphers.patch Normal file
View File

@ -0,0 +1,57 @@
diff -up openssl-1.1.1/ssl/s3_lib.c.weak-ciphers openssl-1.1.1/ssl/s3_lib.c
--- openssl-1.1.1/ssl/s3_lib.c.weak-ciphers 2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/ssl/s3_lib.c 2018-09-17 12:53:33.850637181 +0200
@@ -2612,7 +2612,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
256,
@@ -2644,7 +2644,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC12,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
256,
256,
@@ -2753,7 +2753,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
},
#endif /* OPENSSL_NO_SEED */
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+#if 0 /* No MD5 ciphersuites */
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
@@ -2770,6 +2770,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_RSA_RC4_128_SHA,
@@ -2786,6 +2788,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
+#if 0
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
@@ -2802,6 +2806,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,

47
openssl.spec
View File

@ -19,17 +19,15 @@
%global _performance_build 1 %global _performance_build 1
%global prerelease pre9
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1 Version: 1.1.1
Release: 0.%{prerelease}.1.0.riscv64%{?dist} Release: 3.0.riscv64%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm. # The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: openssl-%{version}-%{prerelease}-hobbled.tar.xz Source: openssl-%{version}-hobbled.tar.xz
Source1: hobble-openssl Source1: hobble-openssl
Source2: Makefile.certificate Source2: Makefile.certificate
Source6: make-dummy-cert Source6: make-dummy-cert
@ -58,9 +56,9 @@ Patch41: openssl-1.1.1-system-cipherlist.patch
Patch42: openssl-1.1.1-fips.patch Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.0-weak-ciphers.patch Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch70: openssl-1.1.1-seclevel-check.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -134,7 +132,7 @@ package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit. from other formats to the formats used by the OpenSSL toolkit.
%prep %prep
%setup -q -n %{name}-%{version}-%{prerelease} %setup -q -n %{name}-%{version}
# The hobble_openssl is called here redundantly, just to be sure. # The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed. # The tarball has already the sources removed.
@ -162,8 +160,8 @@ cp %{SOURCE13} test/
%patch43 -p1 -b .ignore-bound %patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override %patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers %patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
%patch70 -p1 -b .seclevel-check
%build %build
# Figure out which flags we want to use. # Figure out which flags we want to use.
@ -246,8 +244,8 @@ export HASHBANGPERL=/usr/bin/perl
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \ enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
enable-weak-ssl-ciphers \ enable-weak-ssl-ciphers \
no-mdc2 no-ec2m no-sm2 \ no-mdc2 no-ec2m no-sm2 no-sm4 \
shared ${sslarch} $RPM_OPT_FLAGS shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
# Do not run this in a production package the FIPS symbols must be patched-in # Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update #util/mkdef.pl crypto update
@ -344,6 +342,11 @@ for manpage in man*/* ; do
done done
for conflict in passwd rand ; do for conflict in passwd rand ; do
rename ${conflict} ssl${conflict} man*/${conflict}* rename ${conflict} ssl${conflict} man*/${conflict}*
# Fix dangling symlinks
manpage=man1/openssl-${conflict}.*
if [ -L ${manpage} ] ; then
ln -snf ssl${conflict}.1ssl ${manpage}
fi
done done
popd popd
@ -401,6 +404,7 @@ export LD_LIBRARY_PATH
%exclude %{_mandir}/man1*/*.pl* %exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/c_rehash* %exclude %{_mandir}/man1*/c_rehash*
%exclude %{_mandir}/man1*/tsget* %exclude %{_mandir}/man1*/tsget*
%exclude %{_mandir}/man1*/openssl-tsget*
%files libs %files libs
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
@ -436,6 +440,7 @@ export LD_LIBRARY_PATH
%{_mandir}/man1*/*.pl* %{_mandir}/man1*/*.pl*
%{_mandir}/man1*/c_rehash* %{_mandir}/man1*/c_rehash*
%{_mandir}/man1*/tsget* %{_mandir}/man1*/tsget*
%{_mandir}/man1*/openssl-tsget*
%dir %{_sysconfdir}/pki/CA %dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private %dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs %dir %{_sysconfdir}/pki/CA/certs
@ -447,9 +452,29 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Sun Aug 26 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> 1.1.1-0.pre9.1.0.riscv64 * Wed Oct 17 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> 1.1.1-3.0.riscv64
- Add --libdir=%{_lib} for riscv64 (uses linux-generic64) - Add --libdir=%{_lib} for riscv64 (uses linux-generic64)
* Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
- reinstate accidentally dropped patch for weak ciphersuites
* Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
- for consistent support of security policies we build
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
- update to the final 1.1.1 version
* Thu Sep 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3
- do not try to initialize RNG in cleanup if it was not initialized
before (#1624554)
- use only /dev/urandom if getrandom() is not available
- disable SM4
* Wed Aug 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.2
- fix dangling symlinks to manual pages
- make SSLv3_method work
* Wed Aug 22 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1 * Wed Aug 22 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1
- update to the latest 1.1.1 beta version - update to the latest 1.1.1 beta version

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-1.1.1-pre9-hobbled.tar.xz) = 0f723cdb1789a8ea893bb6f194321e586d70ce1d19b9832072ab90c02805f4ab11fd762b5d7b4433063432c91a1904f9fac202e64f22b89f3df6cd6e2ef25401 SHA512 (openssl-1.1.1-hobbled.tar.xz) = a593ea9b4b11745e1a4fa8be91c0dbb5ee7c4c1089410ad6e6501212e838573bcf7e78e843444de3f9ba0beccc7db138deef243a22cafe480c040c696e80b0b3