- update to new major upstream release
This commit is contained in:
Tomáš Mráz
parent
58b40a384a
commit
2ccfa6b48f
|
|
@ -1 +1 @@
|
|||
openssl-0.9.8k-usa.tar.bz2
|
||||
openssl-1.0.0-beta3-usa.tar.bz2
|
||||
|
|
|
|||
|
|
@ -69,3 +69,7 @@ To query whether the module is in the error state:
|
|||
|
||||
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
|
||||
state, 0 otherwise.
|
||||
|
||||
To zeroize the FIPS RNG key and internal state the application calls:
|
||||
|
||||
- void RAND_cleanup(void)
|
||||
|
|
|
|||
|
|
@ -4,33 +4,32 @@
|
|||
set -e
|
||||
|
||||
# Clean out patent-or-otherwise-encumbered code.
|
||||
# MDC-2: 4,908,861 13/03/2007
|
||||
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
|
||||
# IDEA: 5,214,703 25/05/2010
|
||||
# RC5: 5,724,428 03/03/2015
|
||||
# EC: ????????? ??/??/2015
|
||||
|
||||
# Remove assembler portions of IDEA, MDC2, and RC5.
|
||||
(find crypto/{idea,mdc2,rc5}/asm -type f | xargs -r rm -fv)
|
||||
(find crypto/{idea,rc5}/asm -type f | xargs -r rm -fv)
|
||||
|
||||
# IDEA, MDC2, RC5, EC.
|
||||
for a in idea mdc2 rc5 ec ecdh ecdsa; do
|
||||
for a in idea rc5 ec ecdh ecdsa; do
|
||||
for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
done
|
||||
|
||||
for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_mdc2.c" -o -name "*_ecdsa.c"`; do
|
||||
for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_ecdsa.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for h in `find crypto ssl apps test -name "*.h"` ; do
|
||||
echo Removing IDEA, MDC2, RC5, and EC references from $h
|
||||
echo Removing IDEA, RC5, and EC references from $h
|
||||
cat $h | \
|
||||
awk 'BEGIN {ech=1;} \
|
||||
/^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \
|
||||
/^#[ \t]*ifndef.*NO_MDC2/ {ech--; next;} \
|
||||
/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
|
||||
/^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
|
||||
/^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
|
||||
|
|
|
|||
|
|
@ -1,39 +0,0 @@
|
|||
--- openssl-0.9.8a/Configure.enginesdir 2005-11-04 15:06:37.000000000 +0100
|
||||
+++ openssl-0.9.8a/Configure 2005-11-07 14:15:12.000000000 +0100
|
||||
@@ -560,6 +560,7 @@
|
||||
|
||||
my $prefix="";
|
||||
my $openssldir="";
|
||||
+my $enginesdir="";
|
||||
my $exe_ext="";
|
||||
my $install_prefix="";
|
||||
my $no_threads=0;
|
||||
@@ -739,6 +740,10 @@
|
||||
{
|
||||
$openssldir=$1;
|
||||
}
|
||||
+ elsif (/^--enginesdir=(.*)$/)
|
||||
+ {
|
||||
+ $enginesdir=$1;
|
||||
+ }
|
||||
elsif (/^--install.prefix=(.*)$/)
|
||||
{
|
||||
$install_prefix=$1;
|
||||
@@ -923,7 +928,7 @@
|
||||
|
||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||
-
|
||||
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
|
||||
|
||||
print "IsMK1MF=$IsMK1MF\n";
|
||||
|
||||
@@ -1430,7 +1435,7 @@
|
||||
if (/^#define\s+OPENSSLDIR/)
|
||||
{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
|
||||
elsif (/^#define\s+ENGINESDIR/)
|
||||
- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
|
||||
+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; }
|
||||
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
|
||||
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
|
||||
if $export_var_as_fn;
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
--- openssl-0.9.8a/Makefile.org.link-krb5 2005-07-05 07:14:21.000000000 +0200
|
||||
+++ openssl-0.9.8a/Makefile.org 2005-11-07 18:00:08.000000000 +0100
|
||||
@@ -266,7 +266,7 @@
|
||||
|
||||
do_$(SHLIB_TARGET):
|
||||
@ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
|
||||
- if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
||||
+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
|
||||
--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200
|
||||
+++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200
|
||||
@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
int extdatalen=0;
|
||||
unsigned char *ret = p;
|
||||
|
||||
+ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
|
||||
+ {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
ret+=2;
|
||||
|
||||
if (ret>=limit) return NULL; /* this really never occurs, but ... */
|
||||
@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex
|
||||
int extdatalen=0;
|
||||
unsigned char *ret = p;
|
||||
|
||||
+ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION)
|
||||
+ {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
ret+=2;
|
||||
if (ret>=limit) return NULL; /* this really never occurs, but ... */
|
||||
|
||||
|
|
@ -1,378 +0,0 @@
|
|||
diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c
|
||||
--- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100
|
||||
@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
|
||||
|
||||
void tls1_free(SSL *s)
|
||||
{
|
||||
+#ifndef OPENSSL_NO_TLSEXT
|
||||
+ if (s && s->tlsext_session_ticket)
|
||||
+ {
|
||||
+ OPENSSL_free(s->tlsext_session_ticket);
|
||||
+ }
|
||||
+#endif /* OPENSSL_NO_TLSEXT */
|
||||
ssl3_free(s);
|
||||
}
|
||||
|
||||
@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
int ticklen;
|
||||
if (s->session && s->session->tlsext_tick)
|
||||
ticklen = s->session->tlsext_ticklen;
|
||||
+ else if (s->session && s->tlsext_session_ticket &&
|
||||
+ s->tlsext_session_ticket->data)
|
||||
+ {
|
||||
+ ticklen = s->tlsext_session_ticket->length;
|
||||
+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
|
||||
+ if (!s->session->tlsext_tick)
|
||||
+ return NULL;
|
||||
+ memcpy(s->session->tlsext_tick,
|
||||
+ s->tlsext_session_ticket->data,
|
||||
+ ticklen);
|
||||
+ s->session->tlsext_ticklen = ticklen;
|
||||
+ }
|
||||
else
|
||||
ticklen = 0;
|
||||
+ if (ticklen == 0 && s->tlsext_session_ticket &&
|
||||
+ s->tlsext_session_ticket->data == NULL)
|
||||
+ goto skip_ext;
|
||||
/* Check for enough room 2 for extension type, 2 for len
|
||||
* rest for ticket
|
||||
*/
|
||||
@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
ret += ticklen;
|
||||
}
|
||||
}
|
||||
+ skip_ext:
|
||||
|
||||
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
|
||||
{
|
||||
@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||
}
|
||||
|
||||
}
|
||||
+ else if (type == TLSEXT_TYPE_session_ticket)
|
||||
+ {
|
||||
+ if (s->tls_session_ticket_ext_cb &&
|
||||
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
|
||||
+ {
|
||||
+ *al = TLS1_AD_INTERNAL_ERROR;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
else if (type == TLSEXT_TYPE_status_request
|
||||
&& s->ctx->tlsext_status_cb)
|
||||
{
|
||||
@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
}
|
||||
else if (type == TLSEXT_TYPE_session_ticket)
|
||||
{
|
||||
+ if (s->tls_session_ticket_ext_cb &&
|
||||
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
|
||||
+ {
|
||||
+ *al = TLS1_AD_INTERNAL_ERROR;
|
||||
+ return 0;
|
||||
+ }
|
||||
if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
|
||||
|| (size > 0))
|
||||
{
|
||||
@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned
|
||||
s->tlsext_ticket_expected = 1;
|
||||
return 0; /* Cache miss */
|
||||
}
|
||||
+ if (s->tls_session_secret_cb)
|
||||
+ {
|
||||
+ /* Indicate cache miss here and instead of
|
||||
+ * generating the session from ticket now,
|
||||
+ * trigger abbreviated handshake based on
|
||||
+ * external mechanism to calculate the master
|
||||
+ * secret later. */
|
||||
+ return 0;
|
||||
+ }
|
||||
return tls_decrypt_ticket(s, p, size, session_id, len,
|
||||
ret);
|
||||
}
|
||||
diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c
|
||||
--- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100
|
||||
@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s)
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
+#ifndef OPENSSL_NO_TLSEXT
|
||||
+ /* check if we want to resume the session based on external pre-shared secret */
|
||||
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
|
||||
+ {
|
||||
+ SSL_CIPHER *pref_cipher=NULL;
|
||||
+ s->session->master_key_length=sizeof(s->session->master_key);
|
||||
+ if (s->tls_session_secret_cb(s, s->session->master_key,
|
||||
+ &s->session->master_key_length,
|
||||
+ NULL, &pref_cipher,
|
||||
+ s->tls_session_secret_cb_arg))
|
||||
+ {
|
||||
+ s->session->cipher = pref_cipher ?
|
||||
+ pref_cipher : ssl_get_cipher_by_char(s, p+j);
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* OPENSSL_NO_TLSEXT */
|
||||
+
|
||||
if (j != 0 && j == s->session->session_id_length
|
||||
&& memcmp(p,s->session->session_id,j) == 0)
|
||||
{
|
||||
@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s)
|
||||
{
|
||||
int ok;
|
||||
long n;
|
||||
- /* If we have no ticket or session ID is non-zero length (a match of
|
||||
- * a non-zero session length would never reach here) it cannot be a
|
||||
- * resumed session.
|
||||
- */
|
||||
- if (!s->session->tlsext_tick || s->session->session_id_length)
|
||||
+ /* If we have no ticket it cannot be a resumed session. */
|
||||
+ if (!s->session->tlsext_tick)
|
||||
return 1;
|
||||
/* this function is called when we really expect a Certificate
|
||||
* message, so permit appropriate message length */
|
||||
diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c
|
||||
--- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200
|
||||
+++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100
|
||||
@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX *
|
||||
return(s->session_timeout);
|
||||
}
|
||||
|
||||
+#ifndef OPENSSL_NO_TLSEXT
|
||||
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
|
||||
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
|
||||
+ {
|
||||
+ if (s == NULL) return(0);
|
||||
+ s->tls_session_secret_cb = tls_session_secret_cb;
|
||||
+ s->tls_session_secret_cb_arg = arg;
|
||||
+ return(1);
|
||||
+ }
|
||||
+
|
||||
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
|
||||
+ void *arg)
|
||||
+ {
|
||||
+ if (s == NULL) return(0);
|
||||
+ s->tls_session_ticket_ext_cb = cb;
|
||||
+ s->tls_session_ticket_ext_cb_arg = arg;
|
||||
+ return(1);
|
||||
+ }
|
||||
+
|
||||
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
|
||||
+ {
|
||||
+ if (s->version >= TLS1_VERSION)
|
||||
+ {
|
||||
+ if (s->tlsext_session_ticket)
|
||||
+ {
|
||||
+ OPENSSL_free(s->tlsext_session_ticket);
|
||||
+ s->tlsext_session_ticket = NULL;
|
||||
+ }
|
||||
+
|
||||
+ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
|
||||
+ if (!s->tlsext_session_ticket)
|
||||
+ {
|
||||
+ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (ext_data)
|
||||
+ {
|
||||
+ s->tlsext_session_ticket->length = ext_len;
|
||||
+ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
|
||||
+ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ s->tlsext_session_ticket->length = 0;
|
||||
+ s->tlsext_session_ticket->data = NULL;
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif /* OPENSSL_NO_TLSEXT */
|
||||
+
|
||||
typedef struct timeout_param_st
|
||||
{
|
||||
SSL_CTX *ctx;
|
||||
diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
|
||||
--- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100
|
||||
@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s)
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
|
||||
goto err;
|
||||
}
|
||||
+
|
||||
+ /* Check if we want to use external pre-shared secret for this
|
||||
+ * handshake for not reused session only. We need to generate
|
||||
+ * server_random before calling tls_session_secret_cb in order to allow
|
||||
+ * SessionTicket processing to use it in key derivation. */
|
||||
+ {
|
||||
+ unsigned long Time;
|
||||
+ unsigned char *pos;
|
||||
+ Time=(unsigned long)time(NULL); /* Time */
|
||||
+ pos=s->s3->server_random;
|
||||
+ l2n(Time,pos);
|
||||
+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
|
||||
+ {
|
||||
+ al=SSL_AD_INTERNAL_ERROR;
|
||||
+ goto f_err;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
|
||||
+ {
|
||||
+ SSL_CIPHER *pref_cipher=NULL;
|
||||
+
|
||||
+ s->session->master_key_length=sizeof(s->session->master_key);
|
||||
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
|
||||
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
|
||||
+ {
|
||||
+ s->hit=1;
|
||||
+ s->session->ciphers=ciphers;
|
||||
+ s->session->verify_result=X509_V_OK;
|
||||
+
|
||||
+ ciphers=NULL;
|
||||
+
|
||||
+ /* check if some cipher was preferred by call back */
|
||||
+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
|
||||
+ if (pref_cipher == NULL)
|
||||
+ {
|
||||
+ al=SSL_AD_HANDSHAKE_FAILURE;
|
||||
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
|
||||
+ goto f_err;
|
||||
+ }
|
||||
+
|
||||
+ s->session->cipher=pref_cipher;
|
||||
+
|
||||
+ if (s->cipher_list)
|
||||
+ sk_SSL_CIPHER_free(s->cipher_list);
|
||||
+
|
||||
+ if (s->cipher_list_by_id)
|
||||
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
+
|
||||
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
|
||||
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
|
||||
+ }
|
||||
+ }
|
||||
#endif
|
||||
/* Worst case, we will use the NULL compression, but if we have other
|
||||
* options, we will now look for them. We have i-1 compression
|
||||
@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s)
|
||||
unsigned char *buf;
|
||||
unsigned char *p,*d;
|
||||
int i,sl;
|
||||
- unsigned long l,Time;
|
||||
+ unsigned long l;
|
||||
+#ifdef OPENSSL_NO_TLSEXT
|
||||
+ unsigned long Time;
|
||||
+#endif
|
||||
|
||||
if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
|
||||
{
|
||||
buf=(unsigned char *)s->init_buf->data;
|
||||
+#ifdef OPENSSL_NO_TLSEXT
|
||||
p=s->s3->server_random;
|
||||
+ /* Generate server_random if it was not needed previously */
|
||||
Time=(unsigned long)time(NULL); /* Time */
|
||||
l2n(Time,p);
|
||||
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
|
||||
return -1;
|
||||
+#endif
|
||||
/* Do the message type and length last */
|
||||
d=p= &(buf[4]);
|
||||
|
||||
diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h
|
||||
--- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100
|
||||
@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
|
||||
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
|
||||
#endif
|
||||
|
||||
+/* TLS Session Ticket extension struct */
|
||||
+struct tls_session_ticket_ext_st
|
||||
+ {
|
||||
+ unsigned short length;
|
||||
+ void *data;
|
||||
+ };
|
||||
+
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c
|
||||
--- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200
|
||||
+++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100
|
||||
@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
||||
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
|
||||
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
|
||||
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
|
||||
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
|
||||
{0,NULL}
|
||||
};
|
||||
|
||||
diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h
|
||||
--- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100
|
||||
@@ -344,6 +344,7 @@ extern "C" {
|
||||
* 'struct ssl_st *' function parameters used to prototype callbacks
|
||||
* in SSL_CTX. */
|
||||
typedef struct ssl_st *ssl_crock_st;
|
||||
+typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
|
||||
|
||||
/* used to hold info on the particular ciphers used */
|
||||
typedef struct ssl_cipher_st
|
||||
@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st
|
||||
|
||||
DECLARE_STACK_OF(SSL_CIPHER)
|
||||
|
||||
+typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
|
||||
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
|
||||
+
|
||||
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
|
||||
typedef struct ssl_method_st
|
||||
{
|
||||
@@ -1034,6 +1038,18 @@ struct ssl_st
|
||||
|
||||
/* RFC4507 session ticket expected to be received or sent */
|
||||
int tlsext_ticket_expected;
|
||||
+
|
||||
+ /* TLS Session Ticket extension override */
|
||||
+ TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
|
||||
+
|
||||
+ /* TLS Session Ticket extension callback */
|
||||
+ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
|
||||
+ void *tls_session_ticket_ext_cb_arg;
|
||||
+
|
||||
+ /* TLS pre-shared secret session resumption */
|
||||
+ tls_session_secret_cb_fn tls_session_secret_cb;
|
||||
+ void *tls_session_secret_cb_arg;
|
||||
+
|
||||
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
|
||||
#define session_ctx initial_ctx
|
||||
#else
|
||||
@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v
|
||||
int SSL_COMP_add_compression_method(int id,void *cm);
|
||||
#endif
|
||||
|
||||
+/* TLS extensions functions */
|
||||
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
|
||||
+
|
||||
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
|
||||
+ void *arg);
|
||||
+
|
||||
+/* Pre-shared secret session resumption functions */
|
||||
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
|
||||
+
|
||||
/* BEGIN ERROR CODES */
|
||||
/* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_TLS1_ENC 210
|
||||
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
|
||||
#define SSL_F_WRITE_PENDING 212
|
||||
+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
|
||||
|
||||
/* Reason codes. */
|
||||
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure
|
||||
--- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100
|
||||
+++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100
|
||||
@@ -577,6 +577,7 @@ my $idx_arflags = $idx++;
|
||||
|
||||
my $prefix="";
|
||||
my $openssldir="";
|
||||
+my $enginesdir="";
|
||||
my $exe_ext="";
|
||||
my $install_prefix="";
|
||||
my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
|
||||
@@ -815,6 +816,10 @@ PROCESS_ARGS:
|
||||
{
|
||||
$openssldir=$1;
|
||||
}
|
||||
+ elsif (/^--enginesdir=(.*)$/)
|
||||
+ {
|
||||
+ $enginesdir=$1;
|
||||
+ }
|
||||
elsif (/^--install.prefix=(.*)$/)
|
||||
{
|
||||
$install_prefix=$1;
|
||||
@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
||||
|
||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||
-
|
||||
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
|
||||
|
||||
print "IsMK1MF=$IsMK1MF\n";
|
||||
|
||||
@@ -1635,7 +1640,7 @@ while (<IN>)
|
||||
if (/^#define\s+OPENSSLDIR/)
|
||||
{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
|
||||
elsif (/^#define\s+ENGINESDIR/)
|
||||
- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
|
||||
+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; }
|
||||
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
|
||||
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
|
||||
if $export_var_as_fn;
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c
|
||||
--- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100
|
||||
+++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100
|
||||
@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
if (fips_rsa_pairwise_fail)
|
||||
BN_add_word(rsa->n, 1);
|
||||
|
||||
- if(!fips_check_rsa(rsa))
|
||||
+ if(FIPS_mode() && !fips_check_rsa(rsa))
|
||||
goto err;
|
||||
|
||||
ok=1;
|
||||
diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c
|
||||
--- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200
|
||||
+++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100
|
||||
@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa)
|
||||
dsa->pub_key=pub_key;
|
||||
if (fips_dsa_pairwise_fail)
|
||||
BN_add_word(dsa->pub_key, 1);
|
||||
- if(!fips_check_dsa(dsa))
|
||||
+ if(FIPS_mode() && !fips_check_dsa(dsa))
|
||||
goto err;
|
||||
ok=1;
|
||||
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
Do not create a fipscanister.o, add the objects directly.
|
||||
diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile
|
||||
--- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100
|
||||
+++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100
|
||||
@@ -142,8 +142,24 @@ lib: $(LIB)
|
||||
if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi
|
||||
@touch lib
|
||||
|
||||
-$(LIB): $(FIPSLIBDIR)fipscanister.o
|
||||
- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
|
||||
+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS)
|
||||
+ FIPS_ASM=""; \
|
||||
+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
|
||||
+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
|
||||
+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
|
||||
+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
|
||||
+ if [ -n "$(CPUID_OBJ)" ]; then \
|
||||
+ CPUID=../crypto/$(CPUID_OBJ) ; \
|
||||
+ else \
|
||||
+ CPUID="" ; \
|
||||
+ fi ; \
|
||||
+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
|
||||
+ for i in $(FIPS_OBJ_LISTS); do \
|
||||
+ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
|
||||
+ objs="$$objs `sed "$$script" $$i`"; \
|
||||
+ done; \
|
||||
+ objs="$$objs" ; \
|
||||
+ $(AR) $(LIB) $$objs
|
||||
$(RANLIB) $(LIB) || echo Never mind.
|
||||
|
||||
$(FIPSCANLIB): $(FIPSCANLOC)
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
|
||||
--- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100
|
||||
+++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100
|
||||
@@ -320,28 +320,28 @@ my %table=(
|
||||
####
|
||||
# *-generic* is endian-neutral target, but ./config is free to
|
||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
||||
-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
#### IA-32 targets...
|
||||
"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
|
||||
####
|
||||
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
+"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
#### SPARC Linux setups
|
||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||
# assisted with debugging of following two configs.
|
||||
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
||||
# -Wa,-Av8plus should do the trick no matter what.
|
||||
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
# GCC 3.1 is a requirement
|
||||
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
#### Alpha Linux with GNU C and Compaq C setups
|
||||
# Special notes:
|
||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||
@@ -355,8 +355,8 @@ my %table=(
|
||||
#
|
||||
# <appro@fy.chalmers.se>
|
||||
#
|
||||
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
|
||||
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
|
||||
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
Define and use a soname -- because we have to care about binary
|
||||
compatibility, we have to increment the soname in order to allow
|
||||
this version to co-exist with another versions and have everything
|
||||
work right.
|
||||
|
||||
diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure
|
||||
--- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100
|
||||
+++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100
|
||||
@@ -1371,7 +1371,7 @@ while (<IN>)
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
||||
{
|
||||
my $sotmp = $1;
|
||||
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
|
||||
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
|
||||
}
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
||||
{
|
||||
diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org
|
||||
--- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100
|
||||
+++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100
|
||||
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
||||
SHLIB_MAJOR=
|
||||
SHLIB_MINOR=
|
||||
SHLIB_EXT=
|
||||
+SHLIB_SONAMEVER=8
|
||||
PLATFORM=dist
|
||||
OPTIONS=
|
||||
CONFIGURE_ARGS=
|
||||
@@ -277,10 +278,9 @@ clean-shared:
|
||||
link-shared:
|
||||
@ set -e; for i in ${SHLIBDIRS}; do \
|
||||
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
||||
- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
||||
+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
|
||||
LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
|
||||
symlink.$(SHLIB_TARGET); \
|
||||
- libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
build-shared: do_$(SHLIB_TARGET) link-shared
|
||||
@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET):
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
||||
+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
|
||||
LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
|
||||
LIBDEPS="$$libs $(EX_LIBS)" \
|
||||
link_a.$(SHLIB_TARGET); \
|
||||
|
|
@ -1,164 +0,0 @@
|
|||
Support old DTLS version for compatibility with CISCO AnyConnect.
|
||||
Index: openssl/ssl/d1_clnt.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/d1_clnt.c,v
|
||||
rcsdiff -q -kk '-r1.3.2.15' '-r1.3.2.16' -u '/v/openssl/cvs/openssl/ssl/d1_clnt.c,v' 2>/dev/null
|
||||
--- openssl/ssl/d1_clnt.c 2009/04/14 15:20:47 1.3.2.15
|
||||
+++ openssl/ssl/d1_clnt.c 2009/04/19 18:08:11 1.3.2.16
|
||||
@@ -130,7 +130,7 @@
|
||||
|
||||
static SSL_METHOD *dtls1_get_client_method(int ver)
|
||||
{
|
||||
- if (ver == DTLS1_VERSION)
|
||||
+ if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
|
||||
return(DTLSv1_client_method());
|
||||
else
|
||||
return(NULL);
|
||||
@@ -181,7 +181,8 @@
|
||||
s->server=0;
|
||||
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
|
||||
|
||||
- if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
|
||||
+ if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
|
||||
+ (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
|
||||
{
|
||||
SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
|
||||
ret = -1;
|
||||
Index: openssl/ssl/d1_lib.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/d1_lib.c,v
|
||||
rcsdiff -q -kk '-r1.1.2.7' '-r1.1.2.8' -u '/v/openssl/cvs/openssl/ssl/d1_lib.c,v' 2>/dev/null
|
||||
--- openssl/ssl/d1_lib.c 2009/04/02 22:34:59 1.1.2.7
|
||||
+++ openssl/ssl/d1_lib.c 2009/04/19 18:08:11 1.1.2.8
|
||||
@@ -198,7 +198,10 @@
|
||||
void dtls1_clear(SSL *s)
|
||||
{
|
||||
ssl3_clear(s);
|
||||
- s->version=DTLS1_VERSION;
|
||||
+ if (s->options & SSL_OP_CISCO_ANYCONNECT)
|
||||
+ s->version=DTLS1_BAD_VER;
|
||||
+ else
|
||||
+ s->version=DTLS1_VERSION;
|
||||
}
|
||||
|
||||
/*
|
||||
Index: openssl/ssl/d1_pkt.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v
|
||||
rcsdiff -q -kk '-r1.4.2.15' '-r1.4.2.16' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null
|
||||
--- openssl/ssl/d1_pkt.c 2009/04/02 22:34:59 1.4.2.15
|
||||
+++ openssl/ssl/d1_pkt.c 2009/04/19 18:08:12 1.4.2.16
|
||||
@@ -1024,15 +1024,17 @@
|
||||
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
|
||||
{
|
||||
struct ccs_header_st ccs_hdr;
|
||||
+ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
|
||||
|
||||
dtls1_get_ccs_header(rr->data, &ccs_hdr);
|
||||
|
||||
/* 'Change Cipher Spec' is just a single byte, so we know
|
||||
* exactly what the record payload has to look like */
|
||||
/* XDTLS: check that epoch is consistent */
|
||||
- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
|
||||
- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
|
||||
- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
|
||||
+ if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
|
||||
+ ccs_hdr_len = 3;
|
||||
+
|
||||
+ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
|
||||
{
|
||||
i=SSL_AD_ILLEGAL_PARAMETER;
|
||||
SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
|
||||
@@ -1358,7 +1360,7 @@
|
||||
#if 0
|
||||
/* 'create_empty_fragment' is true only when this function calls itself */
|
||||
if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
|
||||
- && SSL_version(s) != DTLS1_VERSION)
|
||||
+ && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
|
||||
{
|
||||
/* countermeasure against known-IV weakness in CBC ciphersuites
|
||||
* (see http://www.openssl.org/~bodo/tls-cbc.txt)
|
||||
Index: openssl/ssl/s3_clnt.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v
|
||||
rcsdiff -q -kk '-r1.88.2.21' '-r1.88.2.22' -u '/v/openssl/cvs/openssl/ssl/s3_clnt.c,v' 2>/dev/null
|
||||
--- openssl/ssl/s3_clnt.c 2009/02/14 21:50:14 1.88.2.21
|
||||
+++ openssl/ssl/s3_clnt.c 2009/04/19 18:08:12 1.88.2.22
|
||||
@@ -708,7 +708,7 @@
|
||||
|
||||
if (!ok) return((int)n);
|
||||
|
||||
- if ( SSL_version(s) == DTLS1_VERSION)
|
||||
+ if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
|
||||
{
|
||||
if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
|
||||
{
|
||||
Index: openssl/ssl/ssl.h
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/ssl.h,v
|
||||
rcsdiff -q -kk '-r1.161.2.21' '-r1.161.2.22' -u '/v/openssl/cvs/openssl/ssl/ssl.h,v' 2>/dev/null
|
||||
--- openssl/ssl/ssl.h 2008/08/13 19:44:44 1.161.2.21
|
||||
+++ openssl/ssl/ssl.h 2009/04/19 18:08:12 1.161.2.22
|
||||
@@ -510,6 +510,8 @@
|
||||
#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
|
||||
/* Don't use RFC4507 ticket extension */
|
||||
#define SSL_OP_NO_TICKET 0x00004000L
|
||||
+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
|
||||
+#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
|
||||
|
||||
/* As server, disallow session resumption on renegotiation */
|
||||
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
|
||||
Index: openssl/ssl/ssl_lib.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/ssl_lib.c,v
|
||||
rcsdiff -q -kk '-r1.133.2.16' '-r1.133.2.17' -u '/v/openssl/cvs/openssl/ssl/ssl_lib.c,v' 2>/dev/null
|
||||
--- openssl/ssl/ssl_lib.c 2009/02/23 16:02:47 1.133.2.16
|
||||
+++ openssl/ssl/ssl_lib.c 2009/04/19 18:08:12 1.133.2.17
|
||||
@@ -995,7 +995,8 @@
|
||||
s->max_cert_list=larg;
|
||||
return(l);
|
||||
case SSL_CTRL_SET_MTU:
|
||||
- if (SSL_version(s) == DTLS1_VERSION)
|
||||
+ if (SSL_version(s) == DTLS1_VERSION ||
|
||||
+ SSL_version(s) == DTLS1_BAD_VER)
|
||||
{
|
||||
s->d1->mtu = larg;
|
||||
return larg;
|
||||
Index: openssl/ssl/ssl_sess.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/ssl_sess.c,v
|
||||
rcsdiff -q -kk '-r1.51.2.9' '-r1.51.2.10' -u '/v/openssl/cvs/openssl/ssl/ssl_sess.c,v' 2>/dev/null
|
||||
--- openssl/ssl/ssl_sess.c 2008/06/04 18:35:27 1.51.2.9
|
||||
+++ openssl/ssl/ssl_sess.c 2009/04/19 18:08:12 1.51.2.10
|
||||
@@ -211,6 +211,11 @@
|
||||
ss->ssl_version=TLS1_VERSION;
|
||||
ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
|
||||
}
|
||||
+ else if (s->version == DTLS1_BAD_VER)
|
||||
+ {
|
||||
+ ss->ssl_version=DTLS1_BAD_VER;
|
||||
+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
|
||||
+ }
|
||||
else if (s->version == DTLS1_VERSION)
|
||||
{
|
||||
ss->ssl_version=DTLS1_VERSION;
|
||||
Index: openssl/ssl/t1_enc.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/t1_enc.c,v
|
||||
rcsdiff -q -kk '-r1.35.2.8' '-r1.35.2.9' -u '/v/openssl/cvs/openssl/ssl/t1_enc.c,v' 2>/dev/null
|
||||
--- openssl/ssl/t1_enc.c 2009/01/05 14:43:07 1.35.2.8
|
||||
+++ openssl/ssl/t1_enc.c 2009/04/19 18:08:12 1.35.2.9
|
||||
@@ -765,10 +765,10 @@
|
||||
HMAC_CTX_init(&hmac);
|
||||
HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
|
||||
|
||||
- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
|
||||
+ if (ssl->version == DTLS1_BAD_VER ||
|
||||
+ (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
|
||||
{
|
||||
unsigned char dtlsseq[8],*p=dtlsseq;
|
||||
-
|
||||
s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
|
||||
memcpy (p,&seq[2],6);
|
||||
|
||||
@@ -793,7 +793,7 @@
|
||||
{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
|
||||
#endif
|
||||
|
||||
- if ( SSL_version(ssl) != DTLS1_VERSION)
|
||||
+ if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
|
||||
{
|
||||
for (i=7; i>=0; i--)
|
||||
{
|
||||
|
|
@ -1,83 +0,0 @@
|
|||
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c
|
||||
--- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos 2005-06-28 14:53:33.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/pqueue/pqueue.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
|
||||
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+int
|
||||
+pqueue_size(pqueue_s *pq)
|
||||
+{
|
||||
+ pitem *item = pq->items;
|
||||
+ int count = 0;
|
||||
+
|
||||
+ while(item != NULL)
|
||||
+ {
|
||||
+ count++;
|
||||
+ item = item->next;
|
||||
+ }
|
||||
+ return count;
|
||||
+}
|
||||
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h
|
||||
--- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos 2009-04-21 11:43:58.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/pqueue/pqueue.h 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
|
||||
pitem *pqueue_next(piterator *iter);
|
||||
|
||||
void pqueue_print(pqueue pq);
|
||||
+int pqueue_size(pqueue pq);
|
||||
|
||||
#endif /* ! HEADER_PQUEUE_H */
|
||||
diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c
|
||||
--- openssl-0.9.8k/ssl/d1_both.c.dtls-dos 2007-10-17 23:17:49.000000000 +0200
|
||||
+++ openssl-0.9.8k/ssl/d1_both.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
|
||||
|
||||
if ( s->d1->handshake_read_seq == frag->msg_header.seq)
|
||||
{
|
||||
+ unsigned long frag_len = frag->msg_header.frag_len;
|
||||
pqueue_pop(s->d1->buffered_messages);
|
||||
|
||||
al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
|
||||
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
|
||||
if (al==0)
|
||||
{
|
||||
*ok = 1;
|
||||
- return frag->msg_header.frag_len;
|
||||
+ return frag_len;
|
||||
}
|
||||
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||
@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
|
||||
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
|
||||
goto err;
|
||||
|
||||
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
|
||||
+ /* Try to find item in queue, to prevent duplicate entries */
|
||||
+ pq_64bit_init(&seq64);
|
||||
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
|
||||
+ item = pqueue_find(s->d1->buffered_messages, seq64);
|
||||
+ pq_64bit_free(&seq64);
|
||||
+
|
||||
+ /* Discard the message if sequence number was already there, is
|
||||
+ * too far in the future or the fragment is already in the queue */
|
||||
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
|
||||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
|
||||
{
|
||||
unsigned char devnull [256];
|
||||
|
||||
diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c
|
||||
--- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos 2009-04-21 11:44:02.000000000 +0200
|
||||
+++ openssl-0.9.8k/ssl/d1_pkt.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
|
||||
DTLS1_RECORD_DATA *rdata;
|
||||
pitem *item;
|
||||
|
||||
+ /* Limit the size of the queue to prevent DOS attacks */
|
||||
+ if (pqueue_size(queue->q) >= 100)
|
||||
+ return 0;
|
||||
+
|
||||
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
|
||||
item = pitem_new(priority, rdata);
|
||||
if (rdata == NULL || item == NULL)
|
||||
|
|
@ -1,114 +0,0 @@
|
|||
diff -up openssl-0.9.8k/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8k/fips/sha/Makefile
|
||||
--- openssl-0.9.8k/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100
|
||||
+++ openssl-0.9.8k/fips/sha/Makefile 2009-03-25 20:18:08.000000000 +0100
|
||||
@@ -46,7 +46,7 @@ lib: $(LIBOBJ)
|
||||
@echo $(LIBOBJ) > lib
|
||||
|
||||
../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
|
||||
- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
||||
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
||||
$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
|
||||
|
||||
files:
|
||||
diff -up openssl-0.9.8k/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8k/fips/sha/fips_standalone_sha1.c
|
||||
--- openssl-0.9.8k/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2009-01-15 13:34:54.000000000 +0100
|
||||
+++ openssl-0.9.8k/fips/sha/fips_standalone_sha1.c 2009-03-25 20:18:08.000000000 +0100
|
||||
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
|
||||
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
|
||||
const char *key)
|
||||
{
|
||||
size_t len=strlen(key);
|
||||
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
||||
|
||||
if (len > SHA_CBLOCK)
|
||||
{
|
||||
- SHA1_Init(md_ctx);
|
||||
- SHA1_Update(md_ctx,key,len);
|
||||
- SHA1_Final(keymd,md_ctx);
|
||||
- len=20;
|
||||
+ SHA256_Init(md_ctx);
|
||||
+ SHA256_Update(md_ctx,key,len);
|
||||
+ SHA256_Final(keymd,md_ctx);
|
||||
+ len=SHA256_DIGEST_LENGTH;
|
||||
}
|
||||
else
|
||||
memcpy(keymd,key,len);
|
||||
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
||||
|
||||
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
||||
pad[i]=0x36^keymd[i];
|
||||
- SHA1_Init(md_ctx);
|
||||
- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
|
||||
+ SHA256_Init(md_ctx);
|
||||
+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
|
||||
|
||||
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
||||
pad[i]=0x5c^keymd[i];
|
||||
- SHA1_Init(o_ctx);
|
||||
- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
|
||||
+ SHA256_Init(o_ctx);
|
||||
+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
|
||||
}
|
||||
|
||||
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
|
||||
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
|
||||
{
|
||||
- unsigned char buf[20];
|
||||
+ unsigned char buf[SHA256_DIGEST_LENGTH];
|
||||
|
||||
- SHA1_Final(buf,md_ctx);
|
||||
- SHA1_Update(o_ctx,buf,sizeof buf);
|
||||
- SHA1_Final(md,o_ctx);
|
||||
+ SHA256_Final(buf,md_ctx);
|
||||
+ SHA256_Update(o_ctx,buf,sizeof buf);
|
||||
+ SHA256_Final(md,o_ctx);
|
||||
}
|
||||
|
||||
#endif
|
||||
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
|
||||
int main(int argc,char **argv)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
- static char key[]="etaonrishdlcupfm";
|
||||
+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
|
||||
int n,binary=0;
|
||||
|
||||
if(argc < 2)
|
||||
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
|
||||
for(; n < argc ; ++n)
|
||||
{
|
||||
FILE *f=fopen(argv[n],"rb");
|
||||
- SHA_CTX md_ctx,o_ctx;
|
||||
- unsigned char md[20];
|
||||
+ SHA256_CTX md_ctx,o_ctx;
|
||||
+ unsigned char md[SHA256_DIGEST_LENGTH];
|
||||
int i;
|
||||
|
||||
if(!f)
|
||||
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
|
||||
else
|
||||
break;
|
||||
}
|
||||
- SHA1_Update(&md_ctx,buf,l);
|
||||
+ SHA256_Update(&md_ctx,buf,l);
|
||||
}
|
||||
hmac_final(md,&md_ctx,&o_ctx);
|
||||
|
||||
if (binary)
|
||||
{
|
||||
- fwrite(md,20,1,stdout);
|
||||
+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
|
||||
break; /* ... for single(!) file */
|
||||
}
|
||||
|
||||
- printf("HMAC-SHA1(%s)= ",argv[n]);
|
||||
- for(i=0 ; i < 20 ; ++i)
|
||||
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
|
||||
+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
|
||||
printf("%02x",md[i]);
|
||||
printf("\n");
|
||||
}
|
||||
|
|
@ -1,90 +0,0 @@
|
|||
diff -up openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8k/crypto/x509/x509_lu.c
|
||||
--- openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl 2005-05-11 05:45:35.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/x509/x509_lu.c 2009-03-26 15:47:45.000000000 +0100
|
||||
@@ -453,19 +453,41 @@ X509_OBJECT *X509_OBJECT_retrieve_by_sub
|
||||
return sk_X509_OBJECT_value(h, idx);
|
||||
}
|
||||
|
||||
+static int x509_crl_match(const X509_CRL *a, const X509_CRL *b)
|
||||
+{
|
||||
+ if (a->signature == NULL || b->signature == NULL)
|
||||
+ return a->signature != b->signature;
|
||||
+
|
||||
+ if (a->signature->length != b->signature->length)
|
||||
+ return 0;
|
||||
+
|
||||
+ return memcmp(a->signature->data, b->signature->data, a->signature->length);
|
||||
+}
|
||||
+
|
||||
X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
|
||||
{
|
||||
int idx, i;
|
||||
X509_OBJECT *obj;
|
||||
idx = sk_X509_OBJECT_find(h, x);
|
||||
if (idx == -1) return NULL;
|
||||
- if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
|
||||
+ if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
|
||||
+ return sk_X509_OBJECT_value(h, idx);
|
||||
for (i = idx; i < sk_X509_OBJECT_num(h); i++)
|
||||
{
|
||||
obj = sk_X509_OBJECT_value(h, i);
|
||||
if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
|
||||
return NULL;
|
||||
- if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
|
||||
+ if (x->type == X509_LU_X509)
|
||||
+ {
|
||||
+ if (!X509_cmp(obj->data.x509, x->data.x509))
|
||||
+ return obj;
|
||||
+ }
|
||||
+ else if (x->type == X509_LU_CRL)
|
||||
+ {
|
||||
+ if (!x509_crl_match(obj->data.crl, x->data.crl))
|
||||
+ return obj;
|
||||
+ }
|
||||
+ else
|
||||
return obj;
|
||||
}
|
||||
return NULL;
|
||||
diff -up openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl openssl-0.9.8k/crypto/x509/x509_vfy.c
|
||||
--- openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl 2008-07-13 16:33:15.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/x509/x509_vfy.c 2009-03-26 15:47:45.000000000 +0100
|
||||
@@ -725,7 +725,38 @@ static int get_crl(X509_STORE_CTX *ctx,
|
||||
return 0;
|
||||
}
|
||||
|
||||
- *pcrl = xobj.data.crl;
|
||||
+ /* If CRL times not valid look through store */
|
||||
+ if (!check_crl_time(ctx, xobj.data.crl, 0))
|
||||
+ {
|
||||
+ int idx, i;
|
||||
+ X509_OBJECT *pobj;
|
||||
+ X509_OBJECT_free_contents(&xobj);
|
||||
+ idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
|
||||
+ X509_LU_CRL, nm);
|
||||
+ if (idx == -1)
|
||||
+ return 0;
|
||||
+ *pcrl = NULL;
|
||||
+ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
|
||||
+ {
|
||||
+ pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
|
||||
+ /* Check to see if it is a CRL and issuer matches */
|
||||
+ if (pobj->type != X509_LU_CRL)
|
||||
+ break;
|
||||
+ if (X509_NAME_cmp(nm,
|
||||
+ X509_CRL_get_issuer(pobj->data.crl)))
|
||||
+ break;
|
||||
+ /* Set *pcrl because the CRL will either be valid or
|
||||
+ * a "best fit" CRL.
|
||||
+ */
|
||||
+ *pcrl = pobj->data.crl;
|
||||
+ if (check_crl_time(ctx, *pcrl, 0))
|
||||
+ break;
|
||||
+ }
|
||||
+ if (*pcrl)
|
||||
+ CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);
|
||||
+ }
|
||||
+ else
|
||||
+ *pcrl = xobj.data.crl;
|
||||
if (crl)
|
||||
X509_CRL_free(crl);
|
||||
return 1;
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
diff -up openssl-0.9.8k/crypto/opensslv.h.shlib-version openssl-0.9.8k/crypto/opensslv.h
|
||||
--- openssl-0.9.8k/crypto/opensslv.h.shlib-version 2009-04-17 16:39:45.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/opensslv.h 2009-04-17 16:39:46.000000000 +0200
|
||||
@@ -83,7 +83,7 @@
|
||||
* should only keep the versions that are binary compatible with the current.
|
||||
*/
|
||||
#define SHLIB_VERSION_HISTORY ""
|
||||
-#define SHLIB_VERSION_NUMBER "0.9.8"
|
||||
+#define SHLIB_VERSION_NUMBER "0.9.8k"
|
||||
|
||||
|
||||
#endif /* HEADER_OPENSSLV_H */
|
||||
|
|
@ -1,391 +0,0 @@
|
|||
diff -up openssl-0.9.8k/test/Makefile.use-fipscheck openssl-0.9.8k/test/Makefile
|
||||
--- openssl-0.9.8k/test/Makefile.use-fipscheck 2009-03-25 11:59:22.000000000 +0100
|
||||
+++ openssl-0.9.8k/test/Makefile 2009-03-25 20:14:10.000000000 +0100
|
||||
@@ -401,9 +401,6 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
|
||||
fi; \
|
||||
if [ "$(FIPSCANLIB)" = "libfips" ]; then \
|
||||
LIBRARIES="-L$(TOP) -lfips"; \
|
||||
- elif [ -n "$(FIPSCANLIB)" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
||||
- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
|
||||
else \
|
||||
LIBRARIES="$(LIBCRYPTO)"; \
|
||||
fi; \
|
||||
@@ -416,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
|
||||
shlib_target="$(SHLIB_TARGET)"; \
|
||||
fi; \
|
||||
LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
|
||||
- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
|
||||
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
||||
- fi; \
|
||||
[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
|
||||
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
||||
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
|
||||
diff -up openssl-0.9.8k/Makefile.org.use-fipscheck openssl-0.9.8k/Makefile.org
|
||||
--- openssl-0.9.8k/Makefile.org.use-fipscheck 2009-03-25 20:10:37.000000000 +0100
|
||||
+++ openssl-0.9.8k/Makefile.org 2009-03-25 20:10:37.000000000 +0100
|
||||
@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
|
||||
$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
|
||||
$(AR) libcrypto.a fips/fipscanister.o ; \
|
||||
else \
|
||||
- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=fips/fipsld; \
|
||||
- export CC FIPSLD_CC; \
|
||||
- fi; \
|
||||
$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
|
||||
fi \
|
||||
else \
|
||||
@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
|
||||
fips/fipscanister.o: build_fips
|
||||
libfips$(SHLIB_EXT): fips/fipscanister.o
|
||||
@if [ "$(SHLIB_TARGET)" != "" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
|
||||
$(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
- CC=$${CC} LIBNAME=fips THIS=$@ \
|
||||
+ CC=$(CC) LIBNAME=fips THIS=$@ \
|
||||
LIBEXTRAS=fips/fipscanister.o \
|
||||
LIBDEPS="$(EX_LIBS)" \
|
||||
LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
||||
@@ -469,7 +464,7 @@ openssl.pc: Makefile
|
||||
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
|
||||
echo 'Version: '$(VERSION); \
|
||||
echo 'Requires: '; \
|
||||
- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
|
||||
+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
|
||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
|
||||
|
||||
Makefile: Makefile.org Configure config
|
||||
diff -up openssl-0.9.8k/fips/fips.c.use-fipscheck openssl-0.9.8k/fips/fips.c
|
||||
--- openssl-0.9.8k/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
|
||||
+++ openssl-0.9.8k/fips/fips.c 2009-03-25 20:10:37.000000000 +0100
|
||||
@@ -47,6 +47,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
+#define _GNU_SOURCE
|
||||
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/fips_rand.h>
|
||||
@@ -56,6 +57,9 @@
|
||||
#include <openssl/rsa.h>
|
||||
#include <string.h>
|
||||
#include <limits.h>
|
||||
+#include <dlfcn.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
#include "fips_locl.h"
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
@@ -165,6 +169,7 @@ int FIPS_selftest()
|
||||
&& FIPS_selftest_dsa();
|
||||
}
|
||||
|
||||
+#if 0
|
||||
extern const void *FIPS_text_start(), *FIPS_text_end();
|
||||
extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
|
||||
unsigned char FIPS_signature [20] = { 0 };
|
||||
@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void)
|
||||
|
||||
return 1;
|
||||
}
|
||||
+#else
|
||||
+/* we implement what libfipscheck does ourselves */
|
||||
+
|
||||
+static int
|
||||
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
|
||||
+{
|
||||
+ Dl_info info;
|
||||
+ void *dl, *sym;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ dl = dlopen(libname, RTLD_LAZY);
|
||||
+ if (dl == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ sym = dlsym(dl, symbolname);
|
||||
+
|
||||
+ if (sym != NULL && dladdr(sym, &info)) {
|
||||
+ strncpy(path, info.dli_fname, pathlen-1);
|
||||
+ path[pathlen-1] = '\0';
|
||||
+ rv = 0;
|
||||
+ }
|
||||
+
|
||||
+ dlclose(dl);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static const char conv[] = "0123456789abcdef";
|
||||
+
|
||||
+static char *
|
||||
+bin2hex(void *buf, size_t len)
|
||||
+{
|
||||
+ char *hex, *p;
|
||||
+ unsigned char *src = buf;
|
||||
+
|
||||
+ hex = malloc(len * 2 + 1);
|
||||
+ if (hex == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ p = hex;
|
||||
+
|
||||
+ while (len > 0) {
|
||||
+ unsigned c;
|
||||
+
|
||||
+ c = *src;
|
||||
+ src++;
|
||||
+
|
||||
+ *p = conv[c >> 4];
|
||||
+ ++p;
|
||||
+ *p = conv[c & 0x0f];
|
||||
+ ++p;
|
||||
+ --len;
|
||||
+ }
|
||||
+ *p = '\0';
|
||||
+ return hex;
|
||||
+}
|
||||
+
|
||||
+#define HMAC_PREFIX "."
|
||||
+#define HMAC_SUFFIX ".hmac"
|
||||
+#define READ_BUFFER_LENGTH 16384
|
||||
+
|
||||
+static char *
|
||||
+make_hmac_path(const char *origpath)
|
||||
+{
|
||||
+ char *path, *p;
|
||||
+ const char *fn;
|
||||
+
|
||||
+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
|
||||
+ if(path == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ fn = strrchr(origpath, '/');
|
||||
+ if (fn == NULL) {
|
||||
+ fn = origpath;
|
||||
+ } else {
|
||||
+ ++fn;
|
||||
+ }
|
||||
+
|
||||
+ strncpy(path, origpath, fn-origpath);
|
||||
+ p = path + (fn - origpath);
|
||||
+ p = stpcpy(p, HMAC_PREFIX);
|
||||
+ p = stpcpy(p, fn);
|
||||
+ p = stpcpy(p, HMAC_SUFFIX);
|
||||
+
|
||||
+ return path;
|
||||
+}
|
||||
+
|
||||
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
|
||||
+
|
||||
+static int
|
||||
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
|
||||
+{
|
||||
+ FILE *f = NULL;
|
||||
+ int rv = -1;
|
||||
+ unsigned char rbuf[READ_BUFFER_LENGTH];
|
||||
+ size_t len;
|
||||
+ unsigned int hlen;
|
||||
+ HMAC_CTX c;
|
||||
+
|
||||
+ HMAC_CTX_init(&c);
|
||||
+
|
||||
+ f = fopen(path, "r");
|
||||
+
|
||||
+ if (f == NULL) {
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
|
||||
+
|
||||
+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
|
||||
+ HMAC_Update(&c, rbuf, len);
|
||||
+ }
|
||||
+
|
||||
+ len = sizeof(rbuf);
|
||||
+ /* reuse rbuf for hmac */
|
||||
+ HMAC_Final(&c, rbuf, &hlen);
|
||||
+
|
||||
+ *buf = malloc(hlen);
|
||||
+ if (*buf == NULL) {
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ *hmaclen = hlen;
|
||||
+
|
||||
+ memcpy(*buf, rbuf, hlen);
|
||||
+
|
||||
+ rv = 0;
|
||||
+end:
|
||||
+ HMAC_CTX_cleanup(&c);
|
||||
+
|
||||
+ if (f)
|
||||
+ fclose(f);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+FIPSCHECK_verify(const char *libname, const char *symbolname)
|
||||
+{
|
||||
+ char path[PATH_MAX+1];
|
||||
+ int rv;
|
||||
+ FILE *hf;
|
||||
+ char *hmacpath, *p;
|
||||
+ char *hmac = NULL;
|
||||
+ size_t n;
|
||||
+
|
||||
+ rv = get_library_path(libname, symbolname, path, sizeof(path));
|
||||
+
|
||||
+ if (rv < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ hmacpath = make_hmac_path(path);
|
||||
+
|
||||
+ hf = fopen(hmacpath, "r");
|
||||
+ if (hf == NULL) {
|
||||
+ free(hmacpath);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (getline(&hmac, &n, hf) > 0) {
|
||||
+ void *buf;
|
||||
+ size_t hmaclen;
|
||||
+ char *hex;
|
||||
+
|
||||
+ if ((p=strchr(hmac, '\n')) != NULL)
|
||||
+ *p = '\0';
|
||||
+
|
||||
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
|
||||
+ rv = -4;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
|
||||
+ free(buf);
|
||||
+ rv = -5;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if (strcmp(hex, hmac) != 0) {
|
||||
+ rv = -1;
|
||||
+ }
|
||||
+ free(buf);
|
||||
+ free(hex);
|
||||
+ }
|
||||
+
|
||||
+end:
|
||||
+ free(hmac);
|
||||
+ free(hmacpath);
|
||||
+ fclose(hf);
|
||||
+
|
||||
+ if (rv < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* check successful */
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
|
||||
int FIPS_mode_set(int onoff)
|
||||
{
|
||||
@@ -280,16 +485,17 @@ int FIPS_mode_set(int onoff)
|
||||
}
|
||||
#endif
|
||||
|
||||
- if(fips_signature_witness() != FIPS_signature)
|
||||
+ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
|
||||
{
|
||||
- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
|
||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||
fips_selftest_fail = 1;
|
||||
ret = 0;
|
||||
goto end;
|
||||
}
|
||||
|
||||
- if(!FIPS_check_incore_fingerprint())
|
||||
+ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
|
||||
{
|
||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||
fips_selftest_fail = 1;
|
||||
ret = 0;
|
||||
goto end;
|
||||
@@ -405,11 +611,13 @@ int fips_clear_owning_thread(void)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#if 0
|
||||
unsigned char *fips_signature_witness(void)
|
||||
{
|
||||
extern unsigned char FIPS_signature[];
|
||||
return FIPS_signature;
|
||||
}
|
||||
+#endif
|
||||
|
||||
/* Generalized public key test routine. Signs and verifies the data
|
||||
* supplied in tbs using mesage digest md and setting option digest
|
||||
diff -up openssl-0.9.8k/fips/Makefile.use-fipscheck openssl-0.9.8k/fips/Makefile
|
||||
--- openssl-0.9.8k/fips/Makefile.use-fipscheck 2009-03-25 20:10:37.000000000 +0100
|
||||
+++ openssl-0.9.8k/fips/Makefile 2009-03-25 20:16:09.000000000 +0100
|
||||
@@ -62,9 +62,9 @@ testapps:
|
||||
|
||||
all:
|
||||
@if [ -z "$(FIPSLIBDIR)" ]; then \
|
||||
- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
|
||||
+ $(MAKE) -e subdirs lib; \
|
||||
else \
|
||||
- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
|
||||
+ $(MAKE) -e lib; \
|
||||
fi
|
||||
|
||||
# Idea behind fipscanister.o is to "seize" the sequestered code between
|
||||
@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
|
||||
HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
|
||||
*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
|
||||
esac fi
|
||||
- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
|
||||
|
||||
# If another exception is immediately required, assign approprite
|
||||
# site-specific ld command to FIPS_SITE_LD environment variable.
|
||||
@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
|
||||
$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
|
||||
@touch lib
|
||||
|
||||
-shared: lib subdirs fips_premain_dso$(EXE_EXT)
|
||||
+shared: lib subdirs
|
||||
|
||||
libs:
|
||||
@target=lib; $(RECURSIVE_MAKE)
|
||||
@@ -195,17 +194,6 @@ install:
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
|
||||
done;
|
||||
@target=install; $(RECURSIVE_MAKE)
|
||||
- for i in $(EXE) ; \
|
||||
- do \
|
||||
- echo "installing $$i"; \
|
||||
- cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
|
||||
- chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
|
||||
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
|
||||
- done
|
||||
- cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \
|
||||
- $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \
|
||||
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
|
||||
- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
|
||||
|
||||
lint:
|
||||
@target=lint; $(RECURSIVE_MAKE)
|
||||
diff -up openssl-0.9.8k/fips/fips_locl.h.use-fipscheck openssl-0.9.8k/fips/fips_locl.h
|
||||
--- openssl-0.9.8k/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200
|
||||
+++ openssl-0.9.8k/fips/fips_locl.h 2009-03-25 20:10:37.000000000 +0100
|
||||
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
|
||||
int fips_set_owning_thread(void);
|
||||
void fips_set_selftest_fail(void);
|
||||
int fips_clear_owning_thread(void);
|
||||
+#if 0
|
||||
unsigned char *fips_signature_witness(void);
|
||||
+#endif
|
||||
|
||||
#define FIPS_MAX_CIPHER_TEST_SIZE 16
|
||||
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
diff -up openssl-0.9.8k/crypto/x509/x509_cmp.c.name-cmp openssl-0.9.8k/crypto/x509/x509_cmp.c
|
||||
--- openssl-0.9.8k/crypto/x509/x509_cmp.c.name-cmp 2009-02-15 13:10:39.000000000 +0100
|
||||
+++ openssl-0.9.8k/crypto/x509/x509_cmp.c 2009-03-25 20:04:41.000000000 +0100
|
||||
@@ -282,15 +282,7 @@ int X509_NAME_cmp(const X509_NAME *a, co
|
||||
nb=sk_X509_NAME_ENTRY_value(b->entries,i);
|
||||
j=na->value->type-nb->value->type;
|
||||
if (j)
|
||||
- {
|
||||
- nabit = ASN1_tag2bit(na->value->type);
|
||||
- nbbit = ASN1_tag2bit(nb->value->type);
|
||||
- if (!(nabit & STR_TYPE_CMP) ||
|
||||
- !(nbbit & STR_TYPE_CMP))
|
||||
- return j;
|
||||
- if (!asn1_string_memcmp(na->value, nb->value))
|
||||
- j = 0;
|
||||
- }
|
||||
+ return j;
|
||||
else if (na->value->type == V_ASN1_PRINTABLESTRING)
|
||||
j=nocase_spacenorm_cmp(na->value, nb->value);
|
||||
else if (na->value->type == V_ASN1_IA5STRING
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
--- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100
|
||||
+++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100
|
||||
@@ -477,7 +477,7 @@
|
||||
diff -up openssl-1.0.0-beta3/ssl/ssl.h.cipher-change openssl-1.0.0-beta3/ssl/ssl.h
|
||||
--- openssl-1.0.0-beta3/ssl/ssl.h.cipher-change 2009-08-05 18:22:45.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-05 18:27:32.000000000 +0200
|
||||
@@ -511,7 +511,7 @@ typedef struct ssl_session_st
|
||||
|
||||
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
|
||||
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
|
||||
|
|
@ -9,12 +10,12 @@
|
|||
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
|
||||
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
|
||||
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
|
||||
@@ -494,7 +494,7 @@
|
||||
@@ -528,7 +528,7 @@ typedef struct ssl_session_st
|
||||
|
||||
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
|
||||
* This used to be 0x000FFFFFL before 0.9.7. */
|
||||
-#define SSL_OP_ALL 0x00000FFFL
|
||||
+#define SSL_OP_ALL 0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */
|
||||
-#define SSL_OP_ALL 0x80000FFFL
|
||||
+#define SSL_OP_ALL 0x80000FF7L
|
||||
|
||||
/* DTLS options */
|
||||
#define SSL_OP_NO_QUERY_MTU 0x00001000L
|
||||
|
|
@ -1,42 +1,7 @@
|
|||
diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c
|
||||
--- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100
|
||||
+++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100
|
||||
@@ -1077,12 +1077,13 @@ bad:
|
||||
}
|
||||
#endif
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
|
||||
- (!SSL_CTX_set_default_verify_paths(ctx)))
|
||||
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
|
||||
+ {
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ }
|
||||
+ if (!SSL_CTX_set_default_verify_paths(ctx))
|
||||
{
|
||||
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
|
||||
ERR_print_errors(bio_err);
|
||||
- /* goto end; */
|
||||
}
|
||||
store = SSL_CTX_get_cert_store(ctx);
|
||||
X509_STORE_set_flags(store, vflags);
|
||||
@@ -1132,8 +1133,11 @@ bad:
|
||||
|
||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
|
||||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
|
||||
+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
|
||||
+ {
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ }
|
||||
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
|
||||
{
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c
|
||||
--- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100
|
||||
+++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100
|
||||
@@ -673,12 +673,13 @@ bad:
|
||||
diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/apps/s_client.c
|
||||
--- openssl-1.0.0-beta3/apps/s_client.c.default-paths 2009-06-30 18:10:24.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 18:17:52.000000000 +0200
|
||||
@@ -888,12 +888,13 @@ bad:
|
||||
if (!set_cert_key_stuff(ctx,cert,key))
|
||||
goto end;
|
||||
|
||||
|
|
@ -53,11 +18,46 @@ diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_clie
|
|||
- /* goto end; */
|
||||
}
|
||||
|
||||
store = SSL_CTX_get_cert_store(ctx);
|
||||
diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c
|
||||
--- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100
|
||||
+++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100
|
||||
@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv)
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/apps/s_server.c
|
||||
--- openssl-1.0.0-beta3/apps/s_server.c.default-paths 2009-06-30 18:10:24.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 18:18:40.000000000 +0200
|
||||
@@ -1403,12 +1403,13 @@ bad:
|
||||
}
|
||||
#endif
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
|
||||
- (!SSL_CTX_set_default_verify_paths(ctx)))
|
||||
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
|
||||
+ {
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ }
|
||||
+ if (!SSL_CTX_set_default_verify_paths(ctx))
|
||||
{
|
||||
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
|
||||
ERR_print_errors(bio_err);
|
||||
- /* goto end; */
|
||||
}
|
||||
if (vpm)
|
||||
SSL_CTX_set1_param(ctx, vpm);
|
||||
@@ -1457,8 +1458,11 @@ bad:
|
||||
|
||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
|
||||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
|
||||
+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
|
||||
+ {
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ }
|
||||
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
|
||||
{
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
diff -up openssl-1.0.0-beta3/apps/s_time.c.default-paths openssl-1.0.0-beta3/apps/s_time.c
|
||||
--- openssl-1.0.0-beta3/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_time.c 2009-08-05 18:00:35.000000000 +0200
|
||||
@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
|
||||
|
||||
SSL_load_error_strings();
|
||||
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
--- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200
|
||||
+++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100
|
||||
@@ -98,7 +98,8 @@
|
||||
diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/openssl.cnf
|
||||
--- openssl-1.0.0-beta3/apps/openssl.cnf.defaults 2009-04-04 20:09:43.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/openssl.cnf 2009-08-04 22:57:16.000000000 +0200
|
||||
@@ -103,7 +103,8 @@ emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
|
|
@ -10,38 +11,29 @@
|
|||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
@@ -116,23 +117,26 @@
|
||||
# MASK:XXXX a literal mask value.
|
||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||
# so use this option with caution!
|
||||
-string_mask = nombstr
|
||||
+# we use PrintableString+UTF8String mask so if pure ASCII texts are used
|
||||
+# the resulting certificates are compatible with Netscape
|
||||
+string_mask = MASK:0x2002
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
@@ -126,17 +127,18 @@ string_mask = utf8only
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
-countryName_default = AU
|
||||
+countryName_default = GB
|
||||
+countryName_default = XX
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
-stateOrProvinceName_default = Some-State
|
||||
+stateOrProvinceName_default = Berkshire
|
||||
+#stateOrProvinceName_default = Default Province
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
+localityName_default = Newbury
|
||||
+localityName_default = Default City
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
-0.organizationName_default = Internet Widgits Pty Ltd
|
||||
+0.organizationName_default = My Company Ltd
|
||||
+0.organizationName_default = Default Company Ltd
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
@@ -141,7 +145,7 @@
|
||||
@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
|
|
@ -0,0 +1,52 @@
|
|||
diff -up openssl-1.0.0-beta3/Configure.enginesdir openssl-1.0.0-beta3/Configure
|
||||
--- openssl-1.0.0-beta3/Configure.enginesdir 2009-08-10 19:46:32.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Configure 2009-08-10 19:46:32.000000000 +0200
|
||||
@@ -616,6 +616,7 @@ my $idx_multilib = $idx++;
|
||||
|
||||
my $prefix="";
|
||||
my $openssldir="";
|
||||
+my $enginesdir="";
|
||||
my $exe_ext="";
|
||||
my $install_prefix="";
|
||||
my $cross_compile_prefix="";
|
||||
@@ -820,6 +821,10 @@ PROCESS_ARGS:
|
||||
{
|
||||
$openssldir=$1;
|
||||
}
|
||||
+ elsif (/^--enginesdir=(.*)$/)
|
||||
+ {
|
||||
+ $enginesdir=$1;
|
||||
+ }
|
||||
elsif (/^--install.prefix=(.*)$/)
|
||||
{
|
||||
$install_prefix=$1;
|
||||
@@ -1037,7 +1042,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
||||
|
||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||
-
|
||||
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
|
||||
|
||||
print "IsMK1MF=$IsMK1MF\n";
|
||||
|
||||
@@ -1645,7 +1650,7 @@ while (<IN>)
|
||||
# $foo is to become "$prefix/lib$multilib/engines";
|
||||
# as Makefile.org and engines/Makefile are adapted for
|
||||
# $multilib suffix.
|
||||
- my $foo = "$prefix/lib/engines";
|
||||
+ my $foo = "$enginesdir";
|
||||
$foo =~ s/\\/\\\\/g;
|
||||
print OUT "#define ENGINESDIR \"$foo\"\n";
|
||||
}
|
||||
diff -up openssl-1.0.0-beta3/engines/Makefile.enginesdir openssl-1.0.0-beta3/engines/Makefile
|
||||
--- openssl-1.0.0-beta3/engines/Makefile.enginesdir 2009-06-14 04:37:22.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/engines/Makefile 2009-08-10 19:46:48.000000000 +0200
|
||||
@@ -123,7 +123,7 @@ install:
|
||||
sfx=".so"; \
|
||||
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
||||
fi; \
|
||||
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
||||
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx ); \
|
||||
done; \
|
||||
fi
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,400 @@
|
|||
diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c
|
||||
--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck 2009-08-10 20:11:59.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-10 20:11:59.000000000 +0200
|
||||
@@ -47,6 +47,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
+#define _GNU_SOURCE
|
||||
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/fips_rand.h>
|
||||
@@ -56,6 +57,9 @@
|
||||
#include <openssl/rsa.h>
|
||||
#include <string.h>
|
||||
#include <limits.h>
|
||||
+#include <dlfcn.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
#include "fips_locl.h"
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
@@ -165,6 +169,204 @@ int FIPS_selftest()
|
||||
&& FIPS_selftest_dsa();
|
||||
}
|
||||
|
||||
+/* we implement what libfipscheck does ourselves */
|
||||
+
|
||||
+static int
|
||||
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
|
||||
+{
|
||||
+ Dl_info info;
|
||||
+ void *dl, *sym;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ dl = dlopen(libname, RTLD_LAZY);
|
||||
+ if (dl == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ sym = dlsym(dl, symbolname);
|
||||
+
|
||||
+ if (sym != NULL && dladdr(sym, &info)) {
|
||||
+ strncpy(path, info.dli_fname, pathlen-1);
|
||||
+ path[pathlen-1] = '\0';
|
||||
+ rv = 0;
|
||||
+ }
|
||||
+
|
||||
+ dlclose(dl);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static const char conv[] = "0123456789abcdef";
|
||||
+
|
||||
+static char *
|
||||
+bin2hex(void *buf, size_t len)
|
||||
+{
|
||||
+ char *hex, *p;
|
||||
+ unsigned char *src = buf;
|
||||
+
|
||||
+ hex = malloc(len * 2 + 1);
|
||||
+ if (hex == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ p = hex;
|
||||
+
|
||||
+ while (len > 0) {
|
||||
+ unsigned c;
|
||||
+
|
||||
+ c = *src;
|
||||
+ src++;
|
||||
+
|
||||
+ *p = conv[c >> 4];
|
||||
+ ++p;
|
||||
+ *p = conv[c & 0x0f];
|
||||
+ ++p;
|
||||
+ --len;
|
||||
+ }
|
||||
+ *p = '\0';
|
||||
+ return hex;
|
||||
+}
|
||||
+
|
||||
+#define HMAC_PREFIX "."
|
||||
+#define HMAC_SUFFIX ".hmac"
|
||||
+#define READ_BUFFER_LENGTH 16384
|
||||
+
|
||||
+static char *
|
||||
+make_hmac_path(const char *origpath)
|
||||
+{
|
||||
+ char *path, *p;
|
||||
+ const char *fn;
|
||||
+
|
||||
+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
|
||||
+ if(path == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ fn = strrchr(origpath, '/');
|
||||
+ if (fn == NULL) {
|
||||
+ fn = origpath;
|
||||
+ } else {
|
||||
+ ++fn;
|
||||
+ }
|
||||
+
|
||||
+ strncpy(path, origpath, fn-origpath);
|
||||
+ p = path + (fn - origpath);
|
||||
+ p = stpcpy(p, HMAC_PREFIX);
|
||||
+ p = stpcpy(p, fn);
|
||||
+ p = stpcpy(p, HMAC_SUFFIX);
|
||||
+
|
||||
+ return path;
|
||||
+}
|
||||
+
|
||||
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
|
||||
+
|
||||
+static int
|
||||
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
|
||||
+{
|
||||
+ FILE *f = NULL;
|
||||
+ int rv = -1;
|
||||
+ unsigned char rbuf[READ_BUFFER_LENGTH];
|
||||
+ size_t len;
|
||||
+ unsigned int hlen;
|
||||
+ HMAC_CTX c;
|
||||
+
|
||||
+ HMAC_CTX_init(&c);
|
||||
+
|
||||
+ f = fopen(path, "r");
|
||||
+
|
||||
+ if (f == NULL) {
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
|
||||
+
|
||||
+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
|
||||
+ HMAC_Update(&c, rbuf, len);
|
||||
+ }
|
||||
+
|
||||
+ len = sizeof(rbuf);
|
||||
+ /* reuse rbuf for hmac */
|
||||
+ HMAC_Final(&c, rbuf, &hlen);
|
||||
+
|
||||
+ *buf = malloc(hlen);
|
||||
+ if (*buf == NULL) {
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ *hmaclen = hlen;
|
||||
+
|
||||
+ memcpy(*buf, rbuf, hlen);
|
||||
+
|
||||
+ rv = 0;
|
||||
+end:
|
||||
+ HMAC_CTX_cleanup(&c);
|
||||
+
|
||||
+ if (f)
|
||||
+ fclose(f);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+FIPSCHECK_verify(const char *libname, const char *symbolname)
|
||||
+{
|
||||
+ char path[PATH_MAX+1];
|
||||
+ int rv;
|
||||
+ FILE *hf;
|
||||
+ char *hmacpath, *p;
|
||||
+ char *hmac = NULL;
|
||||
+ size_t n;
|
||||
+
|
||||
+ rv = get_library_path(libname, symbolname, path, sizeof(path));
|
||||
+
|
||||
+ if (rv < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ hmacpath = make_hmac_path(path);
|
||||
+
|
||||
+ hf = fopen(hmacpath, "r");
|
||||
+ if (hf == NULL) {
|
||||
+ free(hmacpath);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (getline(&hmac, &n, hf) > 0) {
|
||||
+ void *buf;
|
||||
+ size_t hmaclen;
|
||||
+ char *hex;
|
||||
+
|
||||
+ if ((p=strchr(hmac, '\n')) != NULL)
|
||||
+ *p = '\0';
|
||||
+
|
||||
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
|
||||
+ rv = -4;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
|
||||
+ free(buf);
|
||||
+ rv = -5;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if (strcmp(hex, hmac) != 0) {
|
||||
+ rv = -1;
|
||||
+ }
|
||||
+ free(buf);
|
||||
+ free(hex);
|
||||
+ }
|
||||
+
|
||||
+end:
|
||||
+ free(hmac);
|
||||
+ free(hmacpath);
|
||||
+ fclose(hf);
|
||||
+
|
||||
+ if (rv < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* check successful */
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
int FIPS_mode_set(int onoff)
|
||||
{
|
||||
int fips_set_owning_thread();
|
||||
@@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff)
|
||||
}
|
||||
#endif
|
||||
|
||||
+ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
|
||||
+ {
|
||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||
+ fips_selftest_fail = 1;
|
||||
+ ret = 0;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
|
||||
+ {
|
||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||
+ fips_selftest_fail = 1;
|
||||
+ ret = 0;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
/* Perform RNG KAT before seeding */
|
||||
if (!FIPS_selftest_rng())
|
||||
{
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
|
||||
--- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck 2009-08-10 20:11:59.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-08-10 20:11:59.000000000 +0200
|
||||
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
|
||||
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
|
||||
const char *key)
|
||||
{
|
||||
size_t len=strlen(key);
|
||||
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
||||
|
||||
if (len > SHA_CBLOCK)
|
||||
{
|
||||
- SHA1_Init(md_ctx);
|
||||
- SHA1_Update(md_ctx,key,len);
|
||||
- SHA1_Final(keymd,md_ctx);
|
||||
- len=20;
|
||||
+ SHA256_Init(md_ctx);
|
||||
+ SHA256_Update(md_ctx,key,len);
|
||||
+ SHA256_Final(keymd,md_ctx);
|
||||
+ len=SHA256_DIGEST_LENGTH;
|
||||
}
|
||||
else
|
||||
memcpy(keymd,key,len);
|
||||
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
||||
|
||||
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
||||
pad[i]=0x36^keymd[i];
|
||||
- SHA1_Init(md_ctx);
|
||||
- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
|
||||
+ SHA256_Init(md_ctx);
|
||||
+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
|
||||
|
||||
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
||||
pad[i]=0x5c^keymd[i];
|
||||
- SHA1_Init(o_ctx);
|
||||
- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
|
||||
+ SHA256_Init(o_ctx);
|
||||
+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
|
||||
}
|
||||
|
||||
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
|
||||
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
|
||||
{
|
||||
- unsigned char buf[20];
|
||||
+ unsigned char buf[SHA256_DIGEST_LENGTH];
|
||||
|
||||
- SHA1_Final(buf,md_ctx);
|
||||
- SHA1_Update(o_ctx,buf,sizeof buf);
|
||||
- SHA1_Final(md,o_ctx);
|
||||
+ SHA256_Final(buf,md_ctx);
|
||||
+ SHA256_Update(o_ctx,buf,sizeof buf);
|
||||
+ SHA256_Final(md,o_ctx);
|
||||
}
|
||||
|
||||
#endif
|
||||
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
|
||||
int main(int argc,char **argv)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
- static char key[]="etaonrishdlcupfm";
|
||||
+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
|
||||
int n,binary=0;
|
||||
|
||||
if(argc < 2)
|
||||
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
|
||||
for(; n < argc ; ++n)
|
||||
{
|
||||
FILE *f=fopen(argv[n],"rb");
|
||||
- SHA_CTX md_ctx,o_ctx;
|
||||
- unsigned char md[20];
|
||||
+ SHA256_CTX md_ctx,o_ctx;
|
||||
+ unsigned char md[SHA256_DIGEST_LENGTH];
|
||||
int i;
|
||||
|
||||
if(!f)
|
||||
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
|
||||
else
|
||||
break;
|
||||
}
|
||||
- SHA1_Update(&md_ctx,buf,l);
|
||||
+ SHA256_Update(&md_ctx,buf,l);
|
||||
}
|
||||
hmac_final(md,&md_ctx,&o_ctx);
|
||||
|
||||
if (binary)
|
||||
{
|
||||
- fwrite(md,20,1,stdout);
|
||||
+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
|
||||
break; /* ... for single(!) file */
|
||||
}
|
||||
|
||||
- printf("HMAC-SHA1(%s)= ",argv[n]);
|
||||
- for(i=0 ; i < 20 ; ++i)
|
||||
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
|
||||
+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
|
||||
printf("%02x",md[i]);
|
||||
printf("\n");
|
||||
}
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile
|
||||
--- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck 2009-08-10 20:11:59.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-10 20:27:45.000000000 +0200
|
||||
@@ -16,6 +16,9 @@ GENERAL=Makefile
|
||||
TEST=fips_test_suite.c fips_randtest.c
|
||||
APPS=
|
||||
|
||||
+PROGRAM= fips_standalone_sha1
|
||||
+EXE= $(PROGRAM)$(EXE_EXT)
|
||||
+
|
||||
LIB=$(TOP)/libcrypto.a
|
||||
LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
|
||||
fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
|
||||
@@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self
|
||||
fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
|
||||
fips_rsa_x931g.o
|
||||
|
||||
+LIBCRYPTO=-L.. -lcrypto
|
||||
+
|
||||
SRC= $(LIBSRC) fips_standalone_sha1.c
|
||||
|
||||
EXHEADER= fips.h fips_rand.h
|
||||
@@ -35,13 +40,15 @@ ALL= $(GENERAL) $(SRC) $(HEADER)
|
||||
top:
|
||||
(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
|
||||
|
||||
-all: lib
|
||||
+all: lib exe
|
||||
|
||||
lib: $(LIBOBJ)
|
||||
$(AR) $(LIB) $(LIBOBJ)
|
||||
$(RANLIB) $(LIB) || echo Never mind.
|
||||
@touch lib
|
||||
|
||||
+exe: $(EXE)
|
||||
+
|
||||
files:
|
||||
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
|
||||
|
||||
@@ -77,5 +84,9 @@ dclean:
|
||||
clean:
|
||||
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
|
||||
|
||||
+$(EXE): $(PROGRAM).o
|
||||
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
|
||||
+ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
|
||||
+
|
||||
# DO NOT DELETE THIS LINE -- make depend depends on it.
|
||||
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode openssl-0.9.8k/crypto/engine/eng_all.c
|
||||
--- openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode 2008-06-04 20:01:39.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/engine/eng_all.c 2009-04-15 14:31:32.000000000 +0200
|
||||
diff -up openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode openssl-1.0.0-beta3/crypto/engine/eng_all.c
|
||||
--- openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/engine/eng_all.c 2009-08-11 17:37:16.000000000 +0200
|
||||
@@ -58,9 +58,23 @@
|
||||
|
||||
#include "cryptlib.h"
|
||||
|
|
@ -12,7 +12,7 @@ diff -up openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode openssl-0.9.8k/crypto/e
|
|||
void ENGINE_load_builtin_engines(void)
|
||||
{
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ OPENSSL_init();
|
||||
+ OPENSSL_init_library();
|
||||
+ if (FIPS_mode()) {
|
||||
+ /* We allow loading dynamic engine as a third party
|
||||
+ engine might be FIPS validated.
|
||||
|
|
@ -22,25 +22,25 @@ diff -up openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode openssl-0.9.8k/crypto/e
|
|||
+ return;
|
||||
+ }
|
||||
+#endif
|
||||
#if 0
|
||||
/* There's no longer any need for an "openssl" ENGINE unless, one day,
|
||||
* it is the *only* way for standard builtin implementations to be be
|
||||
* accessed (ie. it would be possible to statically link binaries with
|
||||
diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c_allc.c
|
||||
--- openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode 2007-04-24 01:50:04.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/evp/c_allc.c 2009-03-26 15:53:42.000000000 +0100
|
||||
diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_allc.c
|
||||
--- openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode 2007-04-24 01:48:28.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/evp/c_allc.c 2009-08-11 17:42:34.000000000 +0200
|
||||
@@ -65,6 +65,11 @@
|
||||
void OpenSSL_add_all_ciphers(void)
|
||||
{
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ OPENSSL_init();
|
||||
+ OPENSSL_init_library();
|
||||
+ if(!FIPS_mode())
|
||||
+ {
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_DES
|
||||
EVP_add_cipher(EVP_des_cfb());
|
||||
EVP_add_cipher(EVP_des_cfb1());
|
||||
@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
|
||||
@@ -219,4 +224,61 @@ void OpenSSL_add_all_ciphers(void)
|
||||
EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
|
||||
EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
|
||||
#endif
|
||||
|
|
@ -101,33 +101,32 @@ diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c
|
|||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
PKCS12_PBE_add();
|
||||
PKCS5_PBE_add();
|
||||
diff -up openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode openssl-0.9.8k/crypto/evp/c_alld.c
|
||||
--- openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode 2005-04-30 23:51:40.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/evp/c_alld.c 2009-03-26 15:53:42.000000000 +0100
|
||||
}
|
||||
diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_alld.c
|
||||
--- openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/evp/c_alld.c 2009-08-11 17:54:08.000000000 +0200
|
||||
@@ -64,6 +64,11 @@
|
||||
|
||||
void OpenSSL_add_all_digests(void)
|
||||
{
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ OPENSSL_init();
|
||||
+ OPENSSL_init_library();
|
||||
+ if (!FIPS_mode())
|
||||
+ {
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_MD2
|
||||
EVP_add_digest(EVP_md2());
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
EVP_add_digest(EVP_md4());
|
||||
#endif
|
||||
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
|
||||
EVP_add_digest(EVP_sha384());
|
||||
EVP_add_digest(EVP_sha512());
|
||||
@@ -110,5 +115,33 @@ void OpenSSL_add_all_digests(void)
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_WHIRLPOOL
|
||||
EVP_add_digest(EVP_whirlpool());
|
||||
+#endif
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+#ifndef OPENSSL_NO_SHA
|
||||
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
||||
+ EVP_add_digest(EVP_sha1());
|
||||
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
||||
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
||||
|
|
@ -150,12 +149,12 @@ diff -up openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode openssl-0.9.8k/crypto/evp/c
|
|||
+ EVP_add_digest(EVP_sha512());
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
#endif
|
||||
}
|
||||
diff -up openssl-0.9.8k/crypto/o_init.c.fipsmode openssl-0.9.8k/crypto/o_init.c
|
||||
--- openssl-0.9.8k/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100
|
||||
+++ openssl-0.9.8k/crypto/o_init.c 2009-03-26 15:53:42.000000000 +0100
|
||||
@@ -59,6 +59,45 @@
|
||||
diff -up openssl-1.0.0-beta3/crypto/o_init.c.fipsmode openssl-1.0.0-beta3/crypto/o_init.c
|
||||
--- openssl-1.0.0-beta3/crypto/o_init.c.fipsmode 2009-08-11 17:28:25.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/o_init.c 2009-08-11 17:39:06.000000000 +0200
|
||||
@@ -59,6 +59,43 @@
|
||||
#include <e_os.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
|
|
@ -167,8 +166,6 @@ diff -up openssl-0.9.8k/crypto/o_init.c.fipsmode openssl-0.9.8k/crypto/o_init.c
|
|||
+#include <errno.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <openssl/fips.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
|
|
@ -201,30 +198,66 @@ diff -up openssl-0.9.8k/crypto/o_init.c.fipsmode openssl-0.9.8k/crypto/o_init.c
|
|||
/* Perform any essential OpenSSL initialization operations.
|
||||
* Currently only sets FIPS callbacks
|
||||
*/
|
||||
@@ -73,11 +112,10 @@ void OPENSSL_init(void)
|
||||
@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
|
||||
#ifdef CRYPTO_MDEBUG
|
||||
CRYPTO_malloc_debug_init();
|
||||
#endif
|
||||
-#ifdef OPENSSL_ENGINE
|
||||
+ init_fips_mode();
|
||||
int_EVP_MD_init_engine_callbacks();
|
||||
int_EVP_CIPHER_init_engine_callbacks();
|
||||
int_RAND_init_engine_callbacks();
|
||||
-#endif
|
||||
done = 1;
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-0.9.8k/ssl/ssl_algs.c.fipsmode openssl-0.9.8k/ssl/ssl_algs.c
|
||||
--- openssl-0.9.8k/ssl/ssl_algs.c.fipsmode 2007-04-24 01:50:21.000000000 +0200
|
||||
+++ openssl-0.9.8k/ssl/ssl_algs.c 2009-04-15 14:32:13.000000000 +0200
|
||||
@@ -64,6 +64,10 @@
|
||||
diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl_algs.c
|
||||
--- openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode 2009-07-08 10:50:53.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/ssl/ssl_algs.c 2009-08-11 18:01:13.000000000 +0200
|
||||
@@ -64,6 +64,12 @@
|
||||
int SSL_library_init(void)
|
||||
{
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ OPENSSL_init();
|
||||
+ OPENSSL_init_library();
|
||||
+ if (!FIPS_mode())
|
||||
+ {
|
||||
+#endif
|
||||
+
|
||||
#ifndef OPENSSL_NO_DES
|
||||
EVP_add_cipher(EVP_des_cbc());
|
||||
EVP_add_cipher(EVP_des_ede3_cbc());
|
||||
@@ -115,6 +121,38 @@ int SSL_library_init(void)
|
||||
EVP_add_digest(EVP_sha());
|
||||
EVP_add_digest(EVP_dss());
|
||||
#endif
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+#ifndef OPENSSL_NO_DES
|
||||
+ EVP_add_cipher(EVP_des_ede3_cbc());
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_AES
|
||||
+ EVP_add_cipher(EVP_aes_128_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_192_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_256_cbc());
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_MD5
|
||||
+ /* needed even in the FIPS mode for TLS MAC */
|
||||
+ EVP_add_digest(EVP_md5());
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_SHA
|
||||
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
|
||||
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
||||
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
||||
+#endif
|
||||
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
|
||||
+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_ECDSA
|
||||
+ EVP_add_digest(EVP_ecdsa());
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
/* This will initialise the built-in compression algorithms.
|
||||
The value returned is a STACK_OF(SSL_COMP), but that can
|
||||
|
|
@ -1,23 +1,11 @@
|
|||
diff -up openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8k/crypto/rand/rand_lcl.h
|
||||
--- openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed 2009-04-21 11:43:58.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/rand/rand_lcl.h 2009-04-21 11:44:01.000000000 +0200
|
||||
@@ -112,7 +112,7 @@
|
||||
#ifndef HEADER_RAND_LCL_H
|
||||
#define HEADER_RAND_LCL_H
|
||||
|
||||
-#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
|
||||
+#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */
|
||||
|
||||
|
||||
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
|
||||
diff -up openssl-0.9.8k/fips/fips.c.rng-seed openssl-0.9.8k/fips/fips.c
|
||||
--- openssl-0.9.8k/fips/fips.c.rng-seed 2009-04-21 11:44:01.000000000 +0200
|
||||
+++ openssl-0.9.8k/fips/fips.c 2009-04-21 11:44:02.000000000 +0200
|
||||
@@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c
|
||||
--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:14:36.000000000 +0200
|
||||
@@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff)
|
||||
goto end;
|
||||
}
|
||||
|
||||
+ /* now switch into FIPS mode */
|
||||
+ /* now switch the RNG into FIPS mode */
|
||||
+ fips_set_rand_check(FIPS_rand_method());
|
||||
+ RAND_set_rand_method(FIPS_rand_method());
|
||||
+
|
||||
|
|
@ -42,9 +30,9 @@ diff -up openssl-0.9.8k/fips/fips.c.rng-seed openssl-0.9.8k/fips/fips.c
|
|||
if(FIPS_selftest())
|
||||
fips_set_mode(1);
|
||||
else
|
||||
diff -up openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed openssl-0.9.8k/fips/rand/fips_rand.c
|
||||
--- openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed 2008-09-16 12:12:18.000000000 +0200
|
||||
+++ openssl-0.9.8k/fips/rand/fips_rand.c 2009-06-30 12:00:53.000000000 +0200
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c
|
||||
--- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:16:48.000000000 +0200
|
||||
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
|
||||
{
|
||||
int i;
|
||||
|
|
@ -73,3 +61,19 @@ diff -up openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed openssl-0.9.8k/fips/rand/
|
|||
if (ctx->error)
|
||||
{
|
||||
RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
|
||||
diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h
|
||||
--- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng 2009-08-11 18:12:13.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h 2009-08-11 18:18:13.000000000 +0200
|
||||
@@ -112,8 +112,11 @@
|
||||
#ifndef HEADER_RAND_LCL_H
|
||||
#define HEADER_RAND_LCL_H
|
||||
|
||||
+#ifndef OPENSSL_FIPS
|
||||
#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
|
||||
-
|
||||
+#else
|
||||
+#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */
|
||||
+#endif
|
||||
|
||||
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
|
||||
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
||||
|
|
@ -1,6 +1,102 @@
|
|||
diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
||||
--- openssl-0.9.8g/apps/s_socket.c.ipv6-apps 2005-06-13 05:21:00.000000000 +0200
|
||||
+++ openssl-0.9.8g/apps/s_socket.c 2007-12-03 13:28:42.000000000 +0100
|
||||
diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_apps.h
|
||||
--- openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_apps.h 2009-08-05 21:29:58.000000000 +0200
|
||||
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
|
||||
#define PORT_STR "4433"
|
||||
#define PROTOCOL "tcp"
|
||||
|
||||
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
|
||||
+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
|
||||
#ifdef HEADER_X509_H
|
||||
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
|
||||
#endif
|
||||
@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
|
||||
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
|
||||
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
|
||||
#endif
|
||||
-int init_client(int *sock, char *server, int port, int type);
|
||||
+int init_client(int *sock, char *server, char *port, int type);
|
||||
int should_retry(int i);
|
||||
-int extract_port(char *str, short *port_ptr);
|
||||
-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
|
||||
+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
|
||||
|
||||
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret);
|
||||
diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/s_client.c
|
||||
--- openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 22:33:44.000000000 +0200
|
||||
@@ -388,7 +388,7 @@ int MAIN(int argc, char **argv)
|
||||
int cbuf_len,cbuf_off;
|
||||
int sbuf_len,sbuf_off;
|
||||
fd_set readfds,writefds;
|
||||
- short port=PORT;
|
||||
+ char *port_str = PORT_STR;
|
||||
int full_log=1;
|
||||
char *host=SSL_HOST_NAME;
|
||||
char *cert_file=NULL,*key_file=NULL;
|
||||
@@ -486,13 +486,12 @@ int MAIN(int argc, char **argv)
|
||||
else if (strcmp(*argv,"-port") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
- port=atoi(*(++argv));
|
||||
- if (port == 0) goto bad;
|
||||
+ port_str= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-connect") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
- if (!extract_host_port(*(++argv),&host,NULL,&port))
|
||||
+ if (!extract_host_port(*(++argv),&host,&port_str))
|
||||
goto bad;
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
@@ -956,7 +955,7 @@ bad:
|
||||
|
||||
re_start:
|
||||
|
||||
- if (init_client(&s,host,port,socket_type) == 0)
|
||||
+ if (init_client(&s,host,port_str,socket_type) == 0)
|
||||
{
|
||||
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
|
||||
SHUTDOWN(s);
|
||||
diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/s_server.c
|
||||
--- openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 21:29:58.000000000 +0200
|
||||
@@ -837,7 +837,7 @@ int MAIN(int argc, char *argv[])
|
||||
{
|
||||
X509_VERIFY_PARAM *vpm = NULL;
|
||||
int badarg = 0;
|
||||
- short port=PORT;
|
||||
+ char *port_str = PORT_STR;
|
||||
char *CApath=NULL,*CAfile=NULL;
|
||||
unsigned char *context = NULL;
|
||||
char *dhfile = NULL;
|
||||
@@ -907,8 +907,7 @@ int MAIN(int argc, char *argv[])
|
||||
(strcmp(*argv,"-accept") == 0))
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
- if (!extract_port(*(++argv),&port))
|
||||
- goto bad;
|
||||
+ port_str= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
{
|
||||
@@ -1685,9 +1684,9 @@ bad:
|
||||
BIO_printf(bio_s_out,"ACCEPT\n");
|
||||
(void)BIO_flush(bio_s_out);
|
||||
if (www)
|
||||
- do_server(port,socket_type,&accept_socket,www_body, context);
|
||||
+ do_server(port_str,socket_type,&accept_socket,www_body, context);
|
||||
else
|
||||
- do_server(port,socket_type,&accept_socket,sv_body, context);
|
||||
+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
|
||||
print_stats(bio_s_out,ctx);
|
||||
ret=0;
|
||||
end:
|
||||
diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/s_socket.c
|
||||
--- openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps 2008-11-12 04:57:47.000000000 +0100
|
||||
+++ openssl-1.0.0-beta3/apps/s_socket.c 2009-08-05 21:29:58.000000000 +0200
|
||||
@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha
|
||||
static void ssl_sock_cleanup(void);
|
||||
#endif
|
||||
|
|
@ -12,7 +108,7 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
static int do_accept(int acc_sock, int *sock, char **host);
|
||||
static int host_ip(char *str, unsigned char ip[4]);
|
||||
|
||||
@@ -228,60 +226,69 @@ static int ssl_sock_init(void)
|
||||
@@ -228,58 +226,70 @@ static int ssl_sock_init(void)
|
||||
return(1);
|
||||
}
|
||||
|
||||
|
|
@ -20,13 +116,11 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
+int init_client(int *sock, char *host, char *port, int type)
|
||||
{
|
||||
- unsigned char ip[4];
|
||||
- short p=0;
|
||||
-
|
||||
- if (!host_ip(host,&(ip[0])))
|
||||
- {
|
||||
- return(0);
|
||||
- }
|
||||
- if (p != 0) port=p;
|
||||
- return(init_client_ip(sock,ip,port,type));
|
||||
- }
|
||||
-
|
||||
|
|
@ -80,7 +174,7 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
+ failed_call = "socket";
|
||||
+ goto nextres;
|
||||
+ }
|
||||
#ifndef OPENSSL_SYS_MPE
|
||||
#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
|
||||
if (type == SOCK_STREAM)
|
||||
{
|
||||
- i=0;
|
||||
|
|
@ -97,7 +191,7 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
#endif
|
||||
-
|
||||
- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
|
||||
- { close(s); perror("connect"); return(0); }
|
||||
- { closesocket(s); perror("connect"); return(0); }
|
||||
+ if (connect(s,(struct sockaddr *)res->ai_addr,
|
||||
+ res->ai_addrlen) == 0)
|
||||
+ {
|
||||
|
|
@ -105,6 +199,8 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
*sock=s;
|
||||
return(1);
|
||||
}
|
||||
|
||||
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
|
||||
+ failed_call = "socket";
|
||||
+nextres:
|
||||
+ if (s != INVALID_SOCKET)
|
||||
|
|
@ -112,8 +208,7 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
+ res = res->ai_next;
|
||||
+ }
|
||||
+ freeaddrinfo(res0);
|
||||
|
||||
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
|
||||
+
|
||||
+ perror(failed_call);
|
||||
+ return(0);
|
||||
+ }
|
||||
|
|
@ -122,7 +217,7 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
{
|
||||
int sock;
|
||||
char *name = NULL;
|
||||
@@ -319,33 +326,38 @@ int do_server(int port, int type, int *r
|
||||
@@ -317,33 +327,38 @@ int do_server(int port, int type, int *r
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -182,7 +277,7 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
#if defined SOL_SOCKET && defined SO_REUSEADDR
|
||||
{
|
||||
int j = 1;
|
||||
@@ -353,36 +365,39 @@ static int init_server_long(int *sock, i
|
||||
@@ -351,36 +366,39 @@ static int init_server_long(int *sock, i
|
||||
(void *) &j, sizeof j);
|
||||
}
|
||||
#endif
|
||||
|
|
@ -242,7 +337,7 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
int len;
|
||||
/* struct linger ling; */
|
||||
|
||||
@@ -427,137 +442,62 @@ redoit:
|
||||
@@ -425,137 +443,62 @@ redoit:
|
||||
if (i < 0) { perror("keepalive"); return(0); }
|
||||
*/
|
||||
|
||||
|
|
@ -256,14 +351,14 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
- sizeof(struct in_addr),AF_INET);
|
||||
-#endif
|
||||
- if (h1 == NULL)
|
||||
- {
|
||||
+ if (host == NULL)
|
||||
{
|
||||
- BIO_printf(bio_err,"bad gethostbyaddr\n");
|
||||
- *host=NULL;
|
||||
- /* return(0); */
|
||||
- }
|
||||
- else
|
||||
+ if (host == NULL)
|
||||
{
|
||||
- {
|
||||
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
|
||||
- {
|
||||
- perror("OPENSSL_malloc");
|
||||
|
|
@ -409,99 +504,3 @@ diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
|
|||
return(1);
|
||||
}
|
||||
|
||||
diff -up openssl-0.9.8g/apps/s_server.c.ipv6-apps openssl-0.9.8g/apps/s_server.c
|
||||
--- openssl-0.9.8g/apps/s_server.c.ipv6-apps 2007-08-23 14:16:02.000000000 +0200
|
||||
+++ openssl-0.9.8g/apps/s_server.c 2007-12-03 13:31:14.000000000 +0100
|
||||
@@ -592,7 +592,7 @@ int MAIN(int argc, char *argv[])
|
||||
{
|
||||
X509_STORE *store = NULL;
|
||||
int vflags = 0;
|
||||
- short port=PORT;
|
||||
+ char *port_str = PORT_STR;
|
||||
char *CApath=NULL,*CAfile=NULL;
|
||||
unsigned char *context = NULL;
|
||||
char *dhfile = NULL;
|
||||
@@ -662,8 +662,7 @@ int MAIN(int argc, char *argv[])
|
||||
(strcmp(*argv,"-accept") == 0))
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
- if (!extract_port(*(++argv),&port))
|
||||
- goto bad;
|
||||
+ port_str= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
{
|
||||
@@ -1332,9 +1331,9 @@ bad:
|
||||
}
|
||||
BIO_printf(bio_s_out,"ACCEPT\n");
|
||||
if (www)
|
||||
- do_server(port,socket_type,&accept_socket,www_body, context);
|
||||
+ do_server(port_str,socket_type,&accept_socket,www_body, context);
|
||||
else
|
||||
- do_server(port,socket_type,&accept_socket,sv_body, context);
|
||||
+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
|
||||
print_stats(bio_s_out,ctx);
|
||||
ret=0;
|
||||
end:
|
||||
diff -up openssl-0.9.8g/apps/s_client.c.ipv6-apps openssl-0.9.8g/apps/s_client.c
|
||||
--- openssl-0.9.8g/apps/s_client.c.ipv6-apps 2007-08-23 14:20:56.000000000 +0200
|
||||
+++ openssl-0.9.8g/apps/s_client.c 2007-12-03 13:28:42.000000000 +0100
|
||||
@@ -285,7 +285,7 @@ int MAIN(int argc, char **argv)
|
||||
int cbuf_len,cbuf_off;
|
||||
int sbuf_len,sbuf_off;
|
||||
fd_set readfds,writefds;
|
||||
- short port=PORT;
|
||||
+ char *port_str = PORT_STR;
|
||||
int full_log=1;
|
||||
char *host=SSL_HOST_NAME;
|
||||
char *cert_file=NULL,*key_file=NULL;
|
||||
@@ -377,13 +377,12 @@ int MAIN(int argc, char **argv)
|
||||
else if (strcmp(*argv,"-port") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
- port=atoi(*(++argv));
|
||||
- if (port == 0) goto bad;
|
||||
+ port_str= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-connect") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
- if (!extract_host_port(*(++argv),&host,NULL,&port))
|
||||
+ if (!extract_host_port(*(++argv),&host,&port_str))
|
||||
goto bad;
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
@@ -739,7 +738,7 @@ bad:
|
||||
|
||||
re_start:
|
||||
|
||||
- if (init_client(&s,host,port,sock_type) == 0)
|
||||
+ if (init_client(&s,host,port_str,sock_type) == 0)
|
||||
{
|
||||
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
|
||||
SHUTDOWN(s);
|
||||
diff -up openssl-0.9.8g/apps/s_apps.h.ipv6-apps openssl-0.9.8g/apps/s_apps.h
|
||||
--- openssl-0.9.8g/apps/s_apps.h.ipv6-apps 2007-12-03 13:28:42.000000000 +0100
|
||||
+++ openssl-0.9.8g/apps/s_apps.h 2007-12-03 13:28:42.000000000 +0100
|
||||
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
|
||||
#define PORT_STR "4433"
|
||||
#define PROTOCOL "tcp"
|
||||
|
||||
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
|
||||
+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
|
||||
#ifdef HEADER_X509_H
|
||||
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
|
||||
#endif
|
||||
@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
|
||||
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
|
||||
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
|
||||
#endif
|
||||
-int init_client(int *sock, char *server, int port, int type);
|
||||
+int init_client(int *sock, char *server, char *port, int type);
|
||||
int should_retry(int i);
|
||||
-int extract_port(char *str, short *port_ptr);
|
||||
-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
|
||||
+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
|
||||
|
||||
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret);
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
diff -up openssl-1.0.0-beta3/Makefile.org.krb5 openssl-1.0.0-beta3/Makefile.org
|
||||
--- openssl-1.0.0-beta3/Makefile.org.krb5 2009-04-23 18:12:09.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:01:16.000000000 +0200
|
||||
@@ -299,7 +299,7 @@ build-shared: do_$(SHLIB_TARGET) link-sh
|
||||
|
||||
do_$(SHLIB_TARGET):
|
||||
@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
|
||||
- if [ "$(SHLIBDIRS)" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
||||
+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
|
|
@ -0,0 +1,253 @@
|
|||
Index: openssl/crypto/asn1/a_set.c
|
||||
RCS File: /v/openssl/cvs/openssl/crypto/asn1/a_set.c,v
|
||||
rcsdiff -q -kk '-r1.20' '-r1.20.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/a_set.c,v' 2>/dev/null
|
||||
--- openssl/crypto/asn1/a_set.c 2009/01/01 18:30:50 1.20
|
||||
+++ openssl/crypto/asn1/a_set.c 2009/07/27 21:21:25 1.20.2.1
|
||||
@@ -85,7 +85,7 @@
|
||||
}
|
||||
|
||||
/* int is_set: if TRUE, then sort the contents (i.e. it isn't a SEQUENCE) */
|
||||
-int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
|
||||
+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
|
||||
i2d_of_void *i2d, int ex_tag, int ex_class,
|
||||
int is_set)
|
||||
{
|
||||
@@ -97,8 +97,8 @@
|
||||
int totSize;
|
||||
|
||||
if (a == NULL) return(0);
|
||||
- for (i=sk_BLOCK_num(a)-1; i>=0; i--)
|
||||
- ret+=i2d(sk_BLOCK_value(a,i),NULL);
|
||||
+ for (i=sk_OPENSSL_BLOCK_num(a)-1; i>=0; i--)
|
||||
+ ret+=i2d(sk_OPENSSL_BLOCK_value(a,i),NULL);
|
||||
r=ASN1_object_size(1,ret,ex_tag);
|
||||
if (pp == NULL) return(r);
|
||||
|
||||
@@ -109,10 +109,10 @@
|
||||
/* And then again by Ben */
|
||||
/* And again by Steve */
|
||||
|
||||
- if(!is_set || (sk_BLOCK_num(a) < 2))
|
||||
+ if(!is_set || (sk_OPENSSL_BLOCK_num(a) < 2))
|
||||
{
|
||||
- for (i=0; i<sk_BLOCK_num(a); i++)
|
||||
- i2d(sk_BLOCK_value(a,i),&p);
|
||||
+ for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
|
||||
+ i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
|
||||
|
||||
*pp=p;
|
||||
return(r);
|
||||
@@ -120,17 +120,17 @@
|
||||
|
||||
pStart = p; /* Catch the beg of Setblobs*/
|
||||
/* In this array we will store the SET blobs */
|
||||
- rgSetBlob = OPENSSL_malloc(sk_BLOCK_num(a) * sizeof(MYBLOB));
|
||||
+ rgSetBlob = OPENSSL_malloc(sk_OPENSSL_BLOCK_num(a) * sizeof(MYBLOB));
|
||||
if (rgSetBlob == NULL)
|
||||
{
|
||||
ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
|
||||
return(0);
|
||||
}
|
||||
|
||||
- for (i=0; i<sk_BLOCK_num(a); i++)
|
||||
+ for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
|
||||
{
|
||||
rgSetBlob[i].pbData = p; /* catch each set encode blob */
|
||||
- i2d(sk_BLOCK_value(a,i),&p);
|
||||
+ i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
|
||||
rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; /* Length of this
|
||||
SetBlob
|
||||
*/
|
||||
@@ -140,7 +140,7 @@
|
||||
|
||||
/* Now we have to sort the blobs. I am using a simple algo.
|
||||
*Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
|
||||
- qsort( rgSetBlob, sk_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
|
||||
+ qsort( rgSetBlob, sk_OPENSSL_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
|
||||
if (!(pTempMem = OPENSSL_malloc(totSize)))
|
||||
{
|
||||
ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
|
||||
@@ -149,7 +149,7 @@
|
||||
|
||||
/* Copy to temp mem */
|
||||
p = pTempMem;
|
||||
- for(i=0; i<sk_BLOCK_num(a); ++i)
|
||||
+ for(i=0; i<sk_OPENSSL_BLOCK_num(a); ++i)
|
||||
{
|
||||
memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData);
|
||||
p += rgSetBlob[i].cbData;
|
||||
@@ -163,17 +163,18 @@
|
||||
return(r);
|
||||
}
|
||||
|
||||
-STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
|
||||
+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
|
||||
+ const unsigned char **pp,
|
||||
long length, d2i_of_void *d2i,
|
||||
- void (*free_func)(BLOCK), int ex_tag,
|
||||
+ void (*free_func)(OPENSSL_BLOCK), int ex_tag,
|
||||
int ex_class)
|
||||
{
|
||||
ASN1_const_CTX c;
|
||||
- STACK_OF(BLOCK) *ret=NULL;
|
||||
+ STACK_OF(OPENSSL_BLOCK) *ret=NULL;
|
||||
|
||||
if ((a == NULL) || ((*a) == NULL))
|
||||
{
|
||||
- if ((ret=sk_BLOCK_new_null()) == NULL)
|
||||
+ if ((ret=sk_OPENSSL_BLOCK_new_null()) == NULL)
|
||||
{
|
||||
ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
@@ -221,7 +222,7 @@
|
||||
asn1_add_error(*pp,(int)(c.p- *pp));
|
||||
goto err;
|
||||
}
|
||||
- if (!sk_BLOCK_push(ret,s)) goto err;
|
||||
+ if (!sk_OPENSSL_BLOCK_push(ret,s)) goto err;
|
||||
}
|
||||
if (a != NULL) (*a)=ret;
|
||||
*pp=c.p;
|
||||
@@ -230,9 +231,9 @@
|
||||
if ((ret != NULL) && ((a == NULL) || (*a != ret)))
|
||||
{
|
||||
if (free_func != NULL)
|
||||
- sk_BLOCK_pop_free(ret,free_func);
|
||||
+ sk_OPENSSL_BLOCK_pop_free(ret,free_func);
|
||||
else
|
||||
- sk_BLOCK_free(ret);
|
||||
+ sk_OPENSSL_BLOCK_free(ret);
|
||||
}
|
||||
return(NULL);
|
||||
}
|
||||
Index: openssl/crypto/asn1/asn1.h
|
||||
RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn1.h,v
|
||||
rcsdiff -q -kk '-r1.166.2.3' '-r1.166.2.4' -u '/v/openssl/cvs/openssl/crypto/asn1/asn1.h,v' 2>/dev/null
|
||||
--- openssl/crypto/asn1/asn1.h 2009/07/24 11:15:55 1.166.2.3
|
||||
+++ openssl/crypto/asn1/asn1.h 2009/07/27 21:21:25 1.166.2.4
|
||||
@@ -887,12 +887,13 @@
|
||||
ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
|
||||
int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
|
||||
|
||||
-int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
|
||||
+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
|
||||
i2d_of_void *i2d, int ex_tag, int ex_class,
|
||||
int is_set);
|
||||
-STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
|
||||
+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
|
||||
+ const unsigned char **pp,
|
||||
long length, d2i_of_void *d2i,
|
||||
- void (*free_func)(BLOCK), int ex_tag,
|
||||
+ void (*free_func)(OPENSSL_BLOCK), int ex_tag,
|
||||
int ex_class);
|
||||
|
||||
#ifndef OPENSSL_NO_BIO
|
||||
@@ -1045,9 +1046,9 @@
|
||||
int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
|
||||
unsigned char *data, int max_len);
|
||||
|
||||
-STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
|
||||
- d2i_of_void *d2i, void (*free_func)(BLOCK));
|
||||
-unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
|
||||
+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
|
||||
+ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK));
|
||||
+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
|
||||
unsigned char **buf, int *len );
|
||||
void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i);
|
||||
void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it);
|
||||
Index: openssl/crypto/asn1/asn_pack.c
|
||||
RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v
|
||||
rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v' 2>/dev/null
|
||||
--- openssl/crypto/asn1/asn_pack.c 2008/11/12 03:57:49 1.19
|
||||
+++ openssl/crypto/asn1/asn_pack.c 2009/07/27 21:21:25 1.19.2.1
|
||||
@@ -66,10 +66,10 @@
|
||||
|
||||
/* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
|
||||
|
||||
-STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
|
||||
- d2i_of_void *d2i, void (*free_func)(BLOCK))
|
||||
+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
|
||||
+ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK))
|
||||
{
|
||||
- STACK_OF(BLOCK) *sk;
|
||||
+ STACK_OF(OPENSSL_BLOCK) *sk;
|
||||
const unsigned char *pbuf;
|
||||
pbuf = buf;
|
||||
if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
|
||||
@@ -82,7 +82,7 @@
|
||||
* OPENSSL_malloc'ed buffer
|
||||
*/
|
||||
|
||||
-unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
|
||||
+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
|
||||
unsigned char **buf, int *len)
|
||||
{
|
||||
int safelen;
|
||||
Index: openssl/crypto/stack/safestack.h
|
||||
RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v
|
||||
rcsdiff -q -kk '-r1.72.2.4' '-r1.72.2.5' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null
|
||||
--- openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4
|
||||
+++ openssl/crypto/stack/safestack.h 2009/07/27 21:21:25 1.72.2.5
|
||||
@@ -128,8 +128,8 @@
|
||||
* nul-terminated. These should also be distinguished from "normal"
|
||||
* stacks. */
|
||||
|
||||
-typedef void *BLOCK;
|
||||
-DECLARE_SPECIAL_STACK_OF(BLOCK, void)
|
||||
+typedef void *OPENSSL_BLOCK;
|
||||
+DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
|
||||
|
||||
/* SKM_sk_... stack macros are internal to safestack.h:
|
||||
* never use them directly, use sk_<type>_... instead */
|
||||
@@ -2055,29 +2055,29 @@
|
||||
#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
|
||||
|
||||
|
||||
-#define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
|
||||
-#define sk_BLOCK_new_null() ((STACK_OF(BLOCK) *)sk_new_null())
|
||||
-#define sk_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_value(st, i) ((BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(BLOCK), st), i))
|
||||
-#define sk_BLOCK_num(st) SKM_sk_num(BLOCK, st)
|
||||
-#define sk_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_FREE_FUNC2(BLOCK, free_func))
|
||||
-#define sk_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val), i)
|
||||
-#define sk_BLOCK_free(st) SKM_sk_free(BLOCK, st)
|
||||
-#define sk_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), i, CHECKED_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_zero(st) SKM_sk_zero(BLOCK, (st))
|
||||
-#define sk_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_delete(st, i) SKM_sk_delete(BLOCK, (st), (i))
|
||||
-#define sk_BLOCK_delete_ptr(st, ptr) (BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, ptr))
|
||||
-#define sk_BLOCK_set_cmp_func(st, cmp) \
|
||||
+#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
|
||||
+#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
|
||||
+#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i))
|
||||
+#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
|
||||
+#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
|
||||
+#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i)
|
||||
+#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
|
||||
+#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
|
||||
+#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
|
||||
+#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr))
|
||||
+#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp) \
|
||||
((int (*)(const void * const *,const void * const *)) \
|
||||
- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
|
||||
-#define sk_BLOCK_dup(st) SKM_sk_dup(BLOCK, st)
|
||||
-#define sk_BLOCK_shift(st) SKM_sk_shift(BLOCK, (st))
|
||||
-#define sk_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st))
|
||||
-#define sk_BLOCK_sort(st) SKM_sk_sort(BLOCK, (st))
|
||||
-#define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st))
|
||||
+ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
|
||||
+#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
|
||||
+#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
|
||||
+#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st))
|
||||
+#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
|
||||
+#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
|
||||
|
||||
|
||||
#define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,59 @@
|
|||
diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
|
||||
--- openssl-1.0.0-beta3/Configure.redhat 2009-07-08 10:50:52.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Configure 2009-08-04 22:46:59.000000000 +0200
|
||||
@@ -331,32 +331,32 @@ my %table=(
|
||||
####
|
||||
# *-generic* is endian-neutral target, but ./config is free to
|
||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
||||
-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
# It's believed that majority of ARM toolchains predefine appropriate -march.
|
||||
# If you compiler does not, do complement config command line with one!
|
||||
-"linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-armv4", "gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
#### IA-32 targets...
|
||||
"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
|
||||
####
|
||||
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):\$(SHLIB_SONAMEVER)",
|
||||
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
-"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
#### SPARC Linux setups
|
||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||
# assisted with debugging of following two configs.
|
||||
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
||||
# -Wa,-Av8plus should do the trick no matter what.
|
||||
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
# GCC 3.1 is a requirement
|
||||
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
#### Alpha Linux with GNU C and Compaq C setups
|
||||
# Special notes:
|
||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||
@@ -370,8 +370,8 @@ my %table=(
|
||||
#
|
||||
# <appro@fy.chalmers.se>
|
||||
#
|
||||
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
||||
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
||||
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
diff -up openssl-1.0.0-beta3/Configure.soversion openssl-1.0.0-beta3/Configure
|
||||
--- openssl-1.0.0-beta3/Configure.soversion 2009-08-04 23:06:52.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Configure 2009-08-04 23:06:52.000000000 +0200
|
||||
@@ -1514,7 +1514,7 @@ while (<IN>)
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
||||
{
|
||||
my $sotmp = $1;
|
||||
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
|
||||
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
|
||||
}
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
||||
{
|
||||
diff -up openssl-1.0.0-beta3/Makefile.org.soversion openssl-1.0.0-beta3/Makefile.org
|
||||
--- openssl-1.0.0-beta3/Makefile.org.soversion 2009-08-04 23:06:52.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:11:01.000000000 +0200
|
||||
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
||||
SHLIB_MAJOR=
|
||||
SHLIB_MINOR=
|
||||
SHLIB_EXT=
|
||||
+SHLIB_SONAMEVER=10
|
||||
PLATFORM=dist
|
||||
OPTIONS=
|
||||
CONFIGURE_ARGS=
|
||||
@@ -289,10 +290,9 @@ clean-shared:
|
||||
link-shared:
|
||||
@ set -e; for i in $(SHLIBDIRS); do \
|
||||
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
||||
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
||||
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
||||
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
||||
symlink.$(SHLIB_TARGET); \
|
||||
- libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
build-shared: do_$(SHLIB_TARGET) link-shared
|
||||
@@ -303,7 +303,7 @@ do_$(SHLIB_TARGET):
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
||||
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
||||
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
||||
LIBDEPS="$$libs $(EX_LIBS)" \
|
||||
link_a.$(SHLIB_TARGET); \
|
||||
10
openssl.spec
10
openssl.spec
|
|
@ -379,7 +379,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%attr(0644,root,root) %{_mandir}/man7*/*
|
||||
|
||||
# Temporary hack
|
||||
%attr(0755,root,root) /%{_lib}/*.so.8
|
||||
%attr(0755,root,root) %{_libdir}/*.so.8
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root)
|
||||
|
|
@ -406,11 +406,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%triggerpostun -- openssl < 1.0.0
|
||||
# Temporary hack
|
||||
[ $1 != 0 ] || exit 0
|
||||
if [ "$(readlink /%{_lib}/libcrypto.so.8)" != libcrypto.so.%{version} ] ; then
|
||||
ln -sf libcrypto.so.%{version} /%{_lib}/libcrypto.so.8 || :
|
||||
if [ "$(readlink %{_libdir}/libcrypto.so.8)" != libcrypto.so.%{version} ] ; then
|
||||
ln -sf libcrypto.so.%{version} %{_libdir}/libcrypto.so.8 || :
|
||||
fi
|
||||
if [ "$(readlink /%{_lib}/libssl.so.8)" != libssl.so.%{version} ] ; then
|
||||
ln -sf libssl.so.%{version} /%{_lib}/libssl.so.8 || :
|
||||
if [ "$(readlink %{_libdir}/libssl.so.8)" != libssl.so.%{version} ] ; then
|
||||
ln -sf libssl.so.%{version} %{_libdir}/libssl.so.8 || :
|
||||
fi
|
||||
/sbin/ldconfig -X
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue