Merge remote-tracking branch 'up/f29' into f29-riscv64
Signed-off-by: David Abdurachmanov <david.abdurachmanov@gmail.com>
This commit is contained in:
commit
1ee3891bdc
1
.gitignore
vendored
1
.gitignore
vendored
@ -40,3 +40,4 @@ openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.1.0h-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre8-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre9-hobbled.tar.xz
|
||||
/openssl-1.1.1-hobbled.tar.xz
|
||||
|
@ -1,6 +1,15 @@
|
||||
diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
|
||||
--- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200
|
||||
+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200
|
||||
@@ -10,7 +10,7 @@
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
-RANDFILE = $ENV::HOME/.rnd
|
||||
+#RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
|
@ -1,30 +0,0 @@
|
||||
diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
|
||||
--- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers 2017-05-25 14:46:20.000000000 +0200
|
||||
+++ openssl-1.1.0f/ssl/s3_lib.c 2017-06-15 15:12:51.555142528 +0200
|
||||
@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_GOST89MAC,
|
||||
TLS1_VERSION, TLS1_2_VERSION,
|
||||
0, 0,
|
||||
- SSL_HIGH,
|
||||
+ SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
|
||||
256,
|
||||
256,
|
||||
@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_GOST89MAC12,
|
||||
TLS1_VERSION, TLS1_2_VERSION,
|
||||
0, 0,
|
||||
- SSL_HIGH,
|
||||
+ SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
|
||||
256,
|
||||
256,
|
||||
@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
#endif /* OPENSSL_NO_SEED */
|
||||
|
||||
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
+#if 0 /* No RC4 */
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_RC4_128_MD5,
|
@ -27,10 +27,11 @@ diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps
|
||||
diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c
|
||||
--- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200
|
||||
@@ -3016,6 +3016,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
@@ -3016,6 +3016,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
*/
|
||||
ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
|
||||
|
||||
+ if (meth->version != SSL3_VERSION) {
|
||||
+ /*
|
||||
+ * Disable SSLv3 by default. Applications can
|
||||
+ * re-enable it by configuring
|
||||
@ -38,6 +39,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ss
|
||||
+ * or by using the SSL_CONF API.
|
||||
+ */
|
||||
+ ret->options |= SSL_OP_NO_SSLv3;
|
||||
+ }
|
||||
+
|
||||
ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
|
||||
|
||||
|
@ -1,8 +1,40 @@
|
||||
diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
|
||||
--- openssl-1.1.1-pre8/apps/speed.c.curves 2018-07-17 08:48:56.106625020 +0200
|
||||
+++ openssl-1.1.1-pre8/apps/speed.c 2018-07-17 08:50:07.526521809 +0200
|
||||
@@ -511,56 +511,20 @@ static double rsa_results[RSA_NUM][2];
|
||||
#define R_EC_X448 23
|
||||
diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
|
||||
--- openssl-1.1.1/apps/speed.c.curves 2018-09-11 14:48:20.000000000 +0200
|
||||
+++ openssl-1.1.1/apps/speed.c 2018-09-13 09:24:24.840081023 +0200
|
||||
@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
|
||||
static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
|
||||
#endif /* OPENSSL_NO_RSA */
|
||||
|
||||
-#define R_EC_P160 0
|
||||
-#define R_EC_P192 1
|
||||
-#define R_EC_P224 2
|
||||
-#define R_EC_P256 3
|
||||
-#define R_EC_P384 4
|
||||
-#define R_EC_P521 5
|
||||
-#define R_EC_K163 6
|
||||
-#define R_EC_K233 7
|
||||
-#define R_EC_K283 8
|
||||
-#define R_EC_K409 9
|
||||
-#define R_EC_K571 10
|
||||
-#define R_EC_B163 11
|
||||
-#define R_EC_B233 12
|
||||
-#define R_EC_B283 13
|
||||
-#define R_EC_B409 14
|
||||
-#define R_EC_B571 15
|
||||
-#define R_EC_BRP256R1 16
|
||||
-#define R_EC_BRP256T1 17
|
||||
-#define R_EC_BRP384R1 18
|
||||
-#define R_EC_BRP384T1 19
|
||||
-#define R_EC_BRP512R1 20
|
||||
-#define R_EC_BRP512T1 21
|
||||
-#define R_EC_X25519 22
|
||||
-#define R_EC_X448 23
|
||||
+#define R_EC_P224 0
|
||||
+#define R_EC_P256 1
|
||||
+#define R_EC_P384 2
|
||||
+#define R_EC_P521 3
|
||||
+#define R_EC_X25519 4
|
||||
+#define R_EC_X448 5
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static OPT_PAIR ecdsa_choices[] = {
|
||||
- {"ecdsap160", R_EC_P160},
|
||||
@ -58,10 +90,90 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
|
||||
{"ecdhx25519", R_EC_X25519},
|
||||
{"ecdhx448", R_EC_X448}
|
||||
};
|
||||
diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves 2018-06-20 16:48:10.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c 2018-07-17 08:48:56.107625044 +0200
|
||||
@@ -141,6 +141,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||
@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
|
||||
unsigned int bits;
|
||||
} test_curves[] = {
|
||||
/* Prime Curves */
|
||||
- {"secp160r1", NID_secp160r1, 160},
|
||||
- {"nistp192", NID_X9_62_prime192v1, 192},
|
||||
{"nistp224", NID_secp224r1, 224},
|
||||
{"nistp256", NID_X9_62_prime256v1, 256},
|
||||
{"nistp384", NID_secp384r1, 384},
|
||||
{"nistp521", NID_secp521r1, 521},
|
||||
- /* Binary Curves */
|
||||
- {"nistk163", NID_sect163k1, 163},
|
||||
- {"nistk233", NID_sect233k1, 233},
|
||||
- {"nistk283", NID_sect283k1, 283},
|
||||
- {"nistk409", NID_sect409k1, 409},
|
||||
- {"nistk571", NID_sect571k1, 571},
|
||||
- {"nistb163", NID_sect163r2, 163},
|
||||
- {"nistb233", NID_sect233r1, 233},
|
||||
- {"nistb283", NID_sect283r1, 283},
|
||||
- {"nistb409", NID_sect409r1, 409},
|
||||
- {"nistb571", NID_sect571r1, 571},
|
||||
- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
|
||||
- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
|
||||
- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
|
||||
- {"brainpoolP384t1", NID_brainpoolP384t1, 384},
|
||||
- {"brainpoolP512r1", NID_brainpoolP512r1, 512},
|
||||
- {"brainpoolP512t1", NID_brainpoolP512t1, 512},
|
||||
/* Other and ECDH only ones */
|
||||
{"X25519", NID_X25519, 253},
|
||||
{"X448", NID_X448, 448}
|
||||
@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
|
||||
# endif
|
||||
|
||||
# ifndef OPENSSL_NO_EC
|
||||
- ecdsa_c[R_EC_P160][0] = count / 1000;
|
||||
- ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
|
||||
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
|
||||
+ ecdsa_c[R_EC_P224][0] = count / 1000;
|
||||
+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
|
||||
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
|
||||
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
|
||||
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
|
||||
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
|
||||
@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
+#if 0
|
||||
ecdsa_c[R_EC_K163][0] = count / 1000;
|
||||
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
|
||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||
@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
-
|
||||
- ecdh_c[R_EC_P160][0] = count / 1000;
|
||||
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
|
||||
+#endif
|
||||
+ ecdh_c[R_EC_P224][0] = count / 1000;
|
||||
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
|
||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
|
||||
ecdh_doit[i] = 0;
|
||||
@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
+#if 0
|
||||
ecdh_c[R_EC_K163][0] = count / 1000;
|
||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||
@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
/* default iteration count for the last two EC Curves */
|
||||
ecdh_c[R_EC_X25519][0] = count / 1800;
|
||||
ecdh_c[R_EC_X448][0] = count / 7200;
|
||||
diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.1/crypto/ec/ecp_smpl.c.curves 2018-09-11 14:48:21.000000000 +0200
|
||||
+++ openssl-1.1.1/crypto/ec/ecp_smpl.c 2018-09-13 09:09:26.841792619 +0200
|
||||
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -73,9 +185,9 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypt
|
||||
if (ctx == NULL) {
|
||||
ctx = new_ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
diff -up openssl-1.1.1-pre8/test/ecdsatest.c.curves openssl-1.1.1-pre8/test/ecdsatest.c
|
||||
--- openssl-1.1.1-pre8/test/ecdsatest.c.curves 2018-06-20 16:48:14.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/test/ecdsatest.c 2018-07-17 08:48:56.107625044 +0200
|
||||
diff -up openssl-1.1.1/test/ecdsatest.c.curves openssl-1.1.1/test/ecdsatest.c
|
||||
--- openssl-1.1.1/test/ecdsatest.c.curves 2018-09-11 14:48:24.000000000 +0200
|
||||
+++ openssl-1.1.1/test/ecdsatest.c 2018-09-13 09:09:26.841792619 +0200
|
||||
@@ -173,6 +173,7 @@ static int x9_62_tests(void)
|
||||
if (!change_rand())
|
||||
goto x962_err;
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,14 +0,0 @@
|
||||
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
|
||||
index df5cff79c9..e740a8c25d 100644
|
||||
--- a/ssl/ssl_cert.c
|
||||
+++ b/ssl/ssl_cert.c
|
||||
@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
|
||||
if (level >= 2 && c->algorithm_enc == SSL_RC4)
|
||||
return 0;
|
||||
/* Level 3: forward secure ciphersuites only */
|
||||
- if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
|
||||
+ if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
|
||||
+ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
|
||||
return 0;
|
||||
break;
|
||||
}
|
65
openssl-1.1.1-seclevel.patch
Normal file
65
openssl-1.1.1-seclevel.patch
Normal file
@ -0,0 +1,65 @@
|
||||
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-09-14 11:47:39.715317617 +0200
|
||||
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
|
||||
}
|
||||
|
||||
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
|
||||
+static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
|
||||
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
|
||||
|
||||
/*
|
||||
@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
|
||||
|
||||
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
|
||||
return 0;
|
||||
-
|
||||
- return secbits >= minbits_table[level - 1];
|
||||
+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
|
||||
+ if (FIPS_mode())
|
||||
+ return secbits >= minbits_table[level - 1];
|
||||
+ return secbits >= minbits_digest_table[level - 1];
|
||||
}
|
||||
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
|
||||
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-09-14 11:47:39.715317617 +0200
|
||||
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
|
||||
|
||||
=item B<Level 2>
|
||||
|
||||
-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
|
||||
-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
|
||||
+Security level set to 112 bits of security with the exception of SHA1 allowed
|
||||
+for signatures.
|
||||
+As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
|
||||
+shorter than 224 bits are prohibited.
|
||||
In addition to the level 1 exclusions any cipher suite using RC4 is also
|
||||
prohibited. SSL version 3 is also not allowed. Compression is disabled.
|
||||
|
||||
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
|
||||
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
|
||||
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-09-14 11:47:39.716317598 +0200
|
||||
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
|
||||
return 0;
|
||||
break;
|
||||
default:
|
||||
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
|
||||
+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
|
||||
+ break;
|
||||
if (bits < minbits)
|
||||
return 0;
|
||||
}
|
||||
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
|
||||
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
|
||||
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-09-14 12:36:40.021812399 +0200
|
||||
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
|
||||
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
|
||||
"CA with PSS signature using SHA256");
|
||||
|
||||
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
|
||||
- "Reject PSS signature using SHA1 and auth level 2");
|
||||
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
|
||||
+ "Reject PSS signature using SHA1 and auth level 3");
|
||||
|
||||
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
|
||||
"PSS signature using SHA256 and auth level 2");
|
@ -1,14 +1,12 @@
|
||||
diff -up openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override openssl-1.1.1-pre9/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override 2018-08-22 12:25:31.959886929 +0200
|
||||
+++ openssl-1.1.1-pre9/include/openssl/opensslv.h 2018-08-22 12:26:17.997014595 +0200
|
||||
@@ -39,8 +39,8 @@ extern "C" {
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
diff -up openssl-1.1.1/include/openssl/opensslv.h.version-override openssl-1.1.1/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1/include/openssl/opensslv.h.version-override 2018-09-13 08:54:38.247940128 +0200
|
||||
+++ openssl-1.1.1/include/openssl/opensslv.h 2018-09-13 08:56:10.757779555 +0200
|
||||
@@ -40,7 +40,7 @@ extern "C" {
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
-# define OPENSSL_VERSION_NUMBER 0x10101009L
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018"
|
||||
+# define OPENSSL_VERSION_NUMBER 0x1010100fL
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018"
|
||||
# define OPENSSL_VERSION_NUMBER 0x1010100fL
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 11 Sep 2018"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 FIPS 11 Sep 2018"
|
||||
|
||||
/*-
|
||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
||||
|
57
openssl-1.1.1-weak-ciphers.patch
Normal file
57
openssl-1.1.1-weak-ciphers.patch
Normal file
@ -0,0 +1,57 @@
|
||||
diff -up openssl-1.1.1/ssl/s3_lib.c.weak-ciphers openssl-1.1.1/ssl/s3_lib.c
|
||||
--- openssl-1.1.1/ssl/s3_lib.c.weak-ciphers 2018-09-11 14:48:23.000000000 +0200
|
||||
+++ openssl-1.1.1/ssl/s3_lib.c 2018-09-17 12:53:33.850637181 +0200
|
||||
@@ -2612,7 +2612,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_GOST89MAC,
|
||||
TLS1_VERSION, TLS1_2_VERSION,
|
||||
0, 0,
|
||||
- SSL_HIGH,
|
||||
+ SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
|
||||
256,
|
||||
256,
|
||||
@@ -2644,7 +2644,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_GOST89MAC12,
|
||||
TLS1_VERSION, TLS1_2_VERSION,
|
||||
0, 0,
|
||||
- SSL_HIGH,
|
||||
+ SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
|
||||
256,
|
||||
256,
|
||||
@@ -2753,7 +2753,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
#endif /* OPENSSL_NO_SEED */
|
||||
|
||||
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
+#if 0 /* No MD5 ciphersuites */
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_RC4_128_MD5,
|
||||
@@ -2770,6 +2770,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
128,
|
||||
128,
|
||||
},
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_RC4_128_SHA,
|
||||
@@ -2786,6 +2788,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
128,
|
||||
128,
|
||||
},
|
||||
+#endif
|
||||
+#if 0
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_ADH_RC4_128_MD5,
|
||||
@@ -2802,6 +2806,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
128,
|
||||
128,
|
||||
},
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
|
47
openssl.spec
47
openssl.spec
@ -19,17 +19,15 @@
|
||||
|
||||
%global _performance_build 1
|
||||
|
||||
%global prerelease pre9
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1
|
||||
Release: 0.%{prerelease}.1.0.riscv64%{?dist}
|
||||
Release: 3.0.riscv64%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
|
||||
Source: openssl-%{version}-%{prerelease}-hobbled.tar.xz
|
||||
Source: openssl-%{version}-hobbled.tar.xz
|
||||
Source1: hobble-openssl
|
||||
Source2: Makefile.certificate
|
||||
Source6: make-dummy-cert
|
||||
@ -58,9 +56,9 @@ Patch41: openssl-1.1.1-system-cipherlist.patch
|
||||
Patch42: openssl-1.1.1-fips.patch
|
||||
Patch43: openssl-1.1.1-ignore-bound.patch
|
||||
Patch44: openssl-1.1.1-version-override.patch
|
||||
Patch45: openssl-1.1.0-weak-ciphers.patch
|
||||
Patch45: openssl-1.1.1-weak-ciphers.patch
|
||||
Patch46: openssl-1.1.1-seclevel.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch70: openssl-1.1.1-seclevel-check.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -134,7 +132,7 @@ package provides Perl scripts for converting certificates and keys
|
||||
from other formats to the formats used by the OpenSSL toolkit.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}-%{prerelease}
|
||||
%setup -q -n %{name}-%{version}
|
||||
|
||||
# The hobble_openssl is called here redundantly, just to be sure.
|
||||
# The tarball has already the sources removed.
|
||||
@ -162,8 +160,8 @@ cp %{SOURCE13} test/
|
||||
%patch43 -p1 -b .ignore-bound
|
||||
%patch44 -p1 -b .version-override
|
||||
%patch45 -p1 -b .weak-ciphers
|
||||
%patch46 -p1 -b .seclevel
|
||||
|
||||
%patch70 -p1 -b .seclevel-check
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
@ -246,8 +244,8 @@ export HASHBANGPERL=/usr/bin/perl
|
||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
|
||||
enable-weak-ssl-ciphers \
|
||||
no-mdc2 no-ec2m no-sm2 \
|
||||
shared ${sslarch} $RPM_OPT_FLAGS
|
||||
no-mdc2 no-ec2m no-sm2 no-sm4 \
|
||||
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
|
||||
|
||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||
#util/mkdef.pl crypto update
|
||||
@ -344,6 +342,11 @@ for manpage in man*/* ; do
|
||||
done
|
||||
for conflict in passwd rand ; do
|
||||
rename ${conflict} ssl${conflict} man*/${conflict}*
|
||||
# Fix dangling symlinks
|
||||
manpage=man1/openssl-${conflict}.*
|
||||
if [ -L ${manpage} ] ; then
|
||||
ln -snf ssl${conflict}.1ssl ${manpage}
|
||||
fi
|
||||
done
|
||||
popd
|
||||
|
||||
@ -401,6 +404,7 @@ export LD_LIBRARY_PATH
|
||||
%exclude %{_mandir}/man1*/*.pl*
|
||||
%exclude %{_mandir}/man1*/c_rehash*
|
||||
%exclude %{_mandir}/man1*/tsget*
|
||||
%exclude %{_mandir}/man1*/openssl-tsget*
|
||||
|
||||
%files libs
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
@ -436,6 +440,7 @@ export LD_LIBRARY_PATH
|
||||
%{_mandir}/man1*/*.pl*
|
||||
%{_mandir}/man1*/c_rehash*
|
||||
%{_mandir}/man1*/tsget*
|
||||
%{_mandir}/man1*/openssl-tsget*
|
||||
%dir %{_sysconfdir}/pki/CA
|
||||
%dir %{_sysconfdir}/pki/CA/private
|
||||
%dir %{_sysconfdir}/pki/CA/certs
|
||||
@ -447,9 +452,29 @@ export LD_LIBRARY_PATH
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Sun Aug 26 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> 1.1.1-0.pre9.1.0.riscv64
|
||||
* Wed Oct 17 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> 1.1.1-3.0.riscv64
|
||||
- Add --libdir=%{_lib} for riscv64 (uses linux-generic64)
|
||||
|
||||
* Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
|
||||
- reinstate accidentally dropped patch for weak ciphersuites
|
||||
|
||||
* Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
|
||||
- for consistent support of security policies we build
|
||||
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
|
||||
|
||||
* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
|
||||
- update to the final 1.1.1 version
|
||||
|
||||
* Thu Sep 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3
|
||||
- do not try to initialize RNG in cleanup if it was not initialized
|
||||
before (#1624554)
|
||||
- use only /dev/urandom if getrandom() is not available
|
||||
- disable SM4
|
||||
|
||||
* Wed Aug 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.2
|
||||
- fix dangling symlinks to manual pages
|
||||
- make SSLv3_method work
|
||||
|
||||
* Wed Aug 22 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1
|
||||
- update to the latest 1.1.1 beta version
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (openssl-1.1.1-pre9-hobbled.tar.xz) = 0f723cdb1789a8ea893bb6f194321e586d70ce1d19b9832072ab90c02805f4ab11fd762b5d7b4433063432c91a1904f9fac202e64f22b89f3df6cd6e2ef25401
|
||||
SHA512 (openssl-1.1.1-hobbled.tar.xz) = a593ea9b4b11745e1a4fa8be91c0dbb5ee7c4c1089410ad6e6501212e838573bcf7e78e843444de3f9ba0beccc7db138deef243a22cafe480c040c696e80b0b3
|
||||
|
Loading…
Reference in New Issue
Block a user