- fix CVE-2009-3245 CVE-2009-3555 CVE-2009-4355 CVE-2010-0433
This commit is contained in:
parent
72d6514f87
commit
578744ba64
|
@ -1 +1 @@
|
|||
openssl-0.9.8k-usa.tar.bz2
|
||||
openssl-0.9.8m-usa.tar.bz2
|
||||
|
|
|
@ -1,39 +0,0 @@
|
|||
--- openssl-0.9.8a/Configure.enginesdir 2005-11-04 15:06:37.000000000 +0100
|
||||
+++ openssl-0.9.8a/Configure 2005-11-07 14:15:12.000000000 +0100
|
||||
@@ -560,6 +560,7 @@
|
||||
|
||||
my $prefix="";
|
||||
my $openssldir="";
|
||||
+my $enginesdir="";
|
||||
my $exe_ext="";
|
||||
my $install_prefix="";
|
||||
my $no_threads=0;
|
||||
@@ -739,6 +740,10 @@
|
||||
{
|
||||
$openssldir=$1;
|
||||
}
|
||||
+ elsif (/^--enginesdir=(.*)$/)
|
||||
+ {
|
||||
+ $enginesdir=$1;
|
||||
+ }
|
||||
elsif (/^--install.prefix=(.*)$/)
|
||||
{
|
||||
$install_prefix=$1;
|
||||
@@ -923,7 +928,7 @@
|
||||
|
||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||
-
|
||||
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
|
||||
|
||||
print "IsMK1MF=$IsMK1MF\n";
|
||||
|
||||
@@ -1430,7 +1435,7 @@
|
||||
if (/^#define\s+OPENSSLDIR/)
|
||||
{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
|
||||
elsif (/^#define\s+ENGINESDIR/)
|
||||
- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
|
||||
+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; }
|
||||
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
|
||||
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
|
||||
if $export_var_as_fn;
|
|
@ -1,24 +0,0 @@
|
|||
|
||||
This patch fixes a violation of the C aliasing rules that can cause
|
||||
miscompilation with some compiler versions.
|
||||
|
||||
--- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100
|
||||
+++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100
|
||||
@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co
|
||||
static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
|
||||
{
|
||||
void *ptr;
|
||||
- DSO_FUNC_TYPE sym, *tsym = &sym;
|
||||
+ DSO_FUNC_TYPE sym;
|
||||
|
||||
if((dso == NULL) || (symname == NULL))
|
||||
{
|
||||
@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO
|
||||
DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
|
||||
return(NULL);
|
||||
}
|
||||
- *(void **)(tsym) = dlsym(ptr, symname);
|
||||
+ sym = dlsym(ptr, symname);
|
||||
if(sym == NULL)
|
||||
{
|
||||
DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
|
|
@ -1,27 +0,0 @@
|
|||
diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
|
||||
--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200
|
||||
+++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200
|
||||
@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
int extdatalen=0;
|
||||
unsigned char *ret = p;
|
||||
|
||||
+ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
|
||||
+ {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
ret+=2;
|
||||
|
||||
if (ret>=limit) return NULL; /* this really never occurs, but ... */
|
||||
@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex
|
||||
int extdatalen=0;
|
||||
unsigned char *ret = p;
|
||||
|
||||
+ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION)
|
||||
+ {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
ret+=2;
|
||||
if (ret>=limit) return NULL; /* this really never occurs, but ... */
|
||||
|
|
@ -1,164 +0,0 @@
|
|||
Support old DTLS version for compatibility with CISCO AnyConnect.
|
||||
Index: openssl/ssl/d1_clnt.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/d1_clnt.c,v
|
||||
rcsdiff -q -kk '-r1.3.2.15' '-r1.3.2.16' -u '/v/openssl/cvs/openssl/ssl/d1_clnt.c,v' 2>/dev/null
|
||||
--- openssl/ssl/d1_clnt.c 2009/04/14 15:20:47 1.3.2.15
|
||||
+++ openssl/ssl/d1_clnt.c 2009/04/19 18:08:11 1.3.2.16
|
||||
@@ -130,7 +130,7 @@
|
||||
|
||||
static SSL_METHOD *dtls1_get_client_method(int ver)
|
||||
{
|
||||
- if (ver == DTLS1_VERSION)
|
||||
+ if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
|
||||
return(DTLSv1_client_method());
|
||||
else
|
||||
return(NULL);
|
||||
@@ -181,7 +181,8 @@
|
||||
s->server=0;
|
||||
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
|
||||
|
||||
- if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
|
||||
+ if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
|
||||
+ (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
|
||||
{
|
||||
SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
|
||||
ret = -1;
|
||||
Index: openssl/ssl/d1_lib.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/d1_lib.c,v
|
||||
rcsdiff -q -kk '-r1.1.2.7' '-r1.1.2.8' -u '/v/openssl/cvs/openssl/ssl/d1_lib.c,v' 2>/dev/null
|
||||
--- openssl/ssl/d1_lib.c 2009/04/02 22:34:59 1.1.2.7
|
||||
+++ openssl/ssl/d1_lib.c 2009/04/19 18:08:11 1.1.2.8
|
||||
@@ -198,7 +198,10 @@
|
||||
void dtls1_clear(SSL *s)
|
||||
{
|
||||
ssl3_clear(s);
|
||||
- s->version=DTLS1_VERSION;
|
||||
+ if (s->options & SSL_OP_CISCO_ANYCONNECT)
|
||||
+ s->version=DTLS1_BAD_VER;
|
||||
+ else
|
||||
+ s->version=DTLS1_VERSION;
|
||||
}
|
||||
|
||||
/*
|
||||
Index: openssl/ssl/d1_pkt.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v
|
||||
rcsdiff -q -kk '-r1.4.2.15' '-r1.4.2.16' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null
|
||||
--- openssl/ssl/d1_pkt.c 2009/04/02 22:34:59 1.4.2.15
|
||||
+++ openssl/ssl/d1_pkt.c 2009/04/19 18:08:12 1.4.2.16
|
||||
@@ -1024,15 +1024,17 @@
|
||||
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
|
||||
{
|
||||
struct ccs_header_st ccs_hdr;
|
||||
+ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
|
||||
|
||||
dtls1_get_ccs_header(rr->data, &ccs_hdr);
|
||||
|
||||
/* 'Change Cipher Spec' is just a single byte, so we know
|
||||
* exactly what the record payload has to look like */
|
||||
/* XDTLS: check that epoch is consistent */
|
||||
- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
|
||||
- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
|
||||
- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
|
||||
+ if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
|
||||
+ ccs_hdr_len = 3;
|
||||
+
|
||||
+ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
|
||||
{
|
||||
i=SSL_AD_ILLEGAL_PARAMETER;
|
||||
SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
|
||||
@@ -1358,7 +1360,7 @@
|
||||
#if 0
|
||||
/* 'create_empty_fragment' is true only when this function calls itself */
|
||||
if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
|
||||
- && SSL_version(s) != DTLS1_VERSION)
|
||||
+ && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
|
||||
{
|
||||
/* countermeasure against known-IV weakness in CBC ciphersuites
|
||||
* (see http://www.openssl.org/~bodo/tls-cbc.txt)
|
||||
Index: openssl/ssl/s3_clnt.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v
|
||||
rcsdiff -q -kk '-r1.88.2.21' '-r1.88.2.22' -u '/v/openssl/cvs/openssl/ssl/s3_clnt.c,v' 2>/dev/null
|
||||
--- openssl/ssl/s3_clnt.c 2009/02/14 21:50:14 1.88.2.21
|
||||
+++ openssl/ssl/s3_clnt.c 2009/04/19 18:08:12 1.88.2.22
|
||||
@@ -708,7 +708,7 @@
|
||||
|
||||
if (!ok) return((int)n);
|
||||
|
||||
- if ( SSL_version(s) == DTLS1_VERSION)
|
||||
+ if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
|
||||
{
|
||||
if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
|
||||
{
|
||||
Index: openssl/ssl/ssl.h
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/ssl.h,v
|
||||
rcsdiff -q -kk '-r1.161.2.21' '-r1.161.2.22' -u '/v/openssl/cvs/openssl/ssl/ssl.h,v' 2>/dev/null
|
||||
--- openssl/ssl/ssl.h 2008/08/13 19:44:44 1.161.2.21
|
||||
+++ openssl/ssl/ssl.h 2009/04/19 18:08:12 1.161.2.22
|
||||
@@ -510,6 +510,8 @@
|
||||
#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
|
||||
/* Don't use RFC4507 ticket extension */
|
||||
#define SSL_OP_NO_TICKET 0x00004000L
|
||||
+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
|
||||
+#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
|
||||
|
||||
/* As server, disallow session resumption on renegotiation */
|
||||
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
|
||||
Index: openssl/ssl/ssl_lib.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/ssl_lib.c,v
|
||||
rcsdiff -q -kk '-r1.133.2.16' '-r1.133.2.17' -u '/v/openssl/cvs/openssl/ssl/ssl_lib.c,v' 2>/dev/null
|
||||
--- openssl/ssl/ssl_lib.c 2009/02/23 16:02:47 1.133.2.16
|
||||
+++ openssl/ssl/ssl_lib.c 2009/04/19 18:08:12 1.133.2.17
|
||||
@@ -995,7 +995,8 @@
|
||||
s->max_cert_list=larg;
|
||||
return(l);
|
||||
case SSL_CTRL_SET_MTU:
|
||||
- if (SSL_version(s) == DTLS1_VERSION)
|
||||
+ if (SSL_version(s) == DTLS1_VERSION ||
|
||||
+ SSL_version(s) == DTLS1_BAD_VER)
|
||||
{
|
||||
s->d1->mtu = larg;
|
||||
return larg;
|
||||
Index: openssl/ssl/ssl_sess.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/ssl_sess.c,v
|
||||
rcsdiff -q -kk '-r1.51.2.9' '-r1.51.2.10' -u '/v/openssl/cvs/openssl/ssl/ssl_sess.c,v' 2>/dev/null
|
||||
--- openssl/ssl/ssl_sess.c 2008/06/04 18:35:27 1.51.2.9
|
||||
+++ openssl/ssl/ssl_sess.c 2009/04/19 18:08:12 1.51.2.10
|
||||
@@ -211,6 +211,11 @@
|
||||
ss->ssl_version=TLS1_VERSION;
|
||||
ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
|
||||
}
|
||||
+ else if (s->version == DTLS1_BAD_VER)
|
||||
+ {
|
||||
+ ss->ssl_version=DTLS1_BAD_VER;
|
||||
+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
|
||||
+ }
|
||||
else if (s->version == DTLS1_VERSION)
|
||||
{
|
||||
ss->ssl_version=DTLS1_VERSION;
|
||||
Index: openssl/ssl/t1_enc.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/t1_enc.c,v
|
||||
rcsdiff -q -kk '-r1.35.2.8' '-r1.35.2.9' -u '/v/openssl/cvs/openssl/ssl/t1_enc.c,v' 2>/dev/null
|
||||
--- openssl/ssl/t1_enc.c 2009/01/05 14:43:07 1.35.2.8
|
||||
+++ openssl/ssl/t1_enc.c 2009/04/19 18:08:12 1.35.2.9
|
||||
@@ -765,10 +765,10 @@
|
||||
HMAC_CTX_init(&hmac);
|
||||
HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
|
||||
|
||||
- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
|
||||
+ if (ssl->version == DTLS1_BAD_VER ||
|
||||
+ (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
|
||||
{
|
||||
unsigned char dtlsseq[8],*p=dtlsseq;
|
||||
-
|
||||
s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
|
||||
memcpy (p,&seq[2],6);
|
||||
|
||||
@@ -793,7 +793,7 @@
|
||||
{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
|
||||
#endif
|
||||
|
||||
- if ( SSL_version(ssl) != DTLS1_VERSION)
|
||||
+ if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
|
||||
{
|
||||
for (i=7; i>=0; i--)
|
||||
{
|
|
@ -1,83 +0,0 @@
|
|||
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c
|
||||
--- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos 2005-06-28 14:53:33.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/pqueue/pqueue.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
|
||||
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+int
|
||||
+pqueue_size(pqueue_s *pq)
|
||||
+{
|
||||
+ pitem *item = pq->items;
|
||||
+ int count = 0;
|
||||
+
|
||||
+ while(item != NULL)
|
||||
+ {
|
||||
+ count++;
|
||||
+ item = item->next;
|
||||
+ }
|
||||
+ return count;
|
||||
+}
|
||||
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h
|
||||
--- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos 2009-04-21 11:43:58.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/pqueue/pqueue.h 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
|
||||
pitem *pqueue_next(piterator *iter);
|
||||
|
||||
void pqueue_print(pqueue pq);
|
||||
+int pqueue_size(pqueue pq);
|
||||
|
||||
#endif /* ! HEADER_PQUEUE_H */
|
||||
diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c
|
||||
--- openssl-0.9.8k/ssl/d1_both.c.dtls-dos 2007-10-17 23:17:49.000000000 +0200
|
||||
+++ openssl-0.9.8k/ssl/d1_both.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
|
||||
|
||||
if ( s->d1->handshake_read_seq == frag->msg_header.seq)
|
||||
{
|
||||
+ unsigned long frag_len = frag->msg_header.frag_len;
|
||||
pqueue_pop(s->d1->buffered_messages);
|
||||
|
||||
al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
|
||||
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
|
||||
if (al==0)
|
||||
{
|
||||
*ok = 1;
|
||||
- return frag->msg_header.frag_len;
|
||||
+ return frag_len;
|
||||
}
|
||||
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||
@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
|
||||
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
|
||||
goto err;
|
||||
|
||||
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
|
||||
+ /* Try to find item in queue, to prevent duplicate entries */
|
||||
+ pq_64bit_init(&seq64);
|
||||
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
|
||||
+ item = pqueue_find(s->d1->buffered_messages, seq64);
|
||||
+ pq_64bit_free(&seq64);
|
||||
+
|
||||
+ /* Discard the message if sequence number was already there, is
|
||||
+ * too far in the future or the fragment is already in the queue */
|
||||
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
|
||||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
|
||||
{
|
||||
unsigned char devnull [256];
|
||||
|
||||
diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c
|
||||
--- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos 2009-04-21 11:44:02.000000000 +0200
|
||||
+++ openssl-0.9.8k/ssl/d1_pkt.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
|
||||
DTLS1_RECORD_DATA *rdata;
|
||||
pitem *item;
|
||||
|
||||
+ /* Limit the size of the queue to prevent DOS attacks */
|
||||
+ if (pqueue_size(queue->q) >= 100)
|
||||
+ return 0;
|
||||
+
|
||||
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
|
||||
item = pitem_new(priority, rdata);
|
||||
if (rdata == NULL || item == NULL)
|
|
@ -1,30 +1,6 @@
|
|||
diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
|
||||
--- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100
|
||||
+++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100
|
||||
@@ -34,7 +34,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = ../../CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
|
||||
--- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200
|
||||
+++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100
|
||||
@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
|
||||
VERIFY="$OPENSSL verify"
|
||||
X509="$OPENSSL x509"
|
||||
|
||||
-CATOP=./demoCA
|
||||
+CATOP=../../CA
|
||||
CAKEY=./cakey.pem
|
||||
CAREQ=./careq.pem
|
||||
CACERT=./cacert.pem
|
||||
diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
|
||||
--- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200
|
||||
+++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100
|
||||
diff -up openssl-0.9.8m/apps/CA.pl.in.ca-dir openssl-0.9.8m/apps/CA.pl.in
|
||||
--- openssl-0.9.8m/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200
|
||||
+++ openssl-0.9.8m/apps/CA.pl.in 2010-03-22 17:53:47.000000000 +0100
|
||||
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
|
||||
$X509="$openssl x509";
|
||||
$PKCS12="$openssl pkcs12";
|
||||
|
@ -34,3 +10,27 @@ diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
|
|||
$CAKEY="cakey.pem";
|
||||
$CAREQ="careq.pem";
|
||||
$CACERT="cacert.pem";
|
||||
diff -up openssl-0.9.8m/apps/CA.sh.ca-dir openssl-0.9.8m/apps/CA.sh
|
||||
--- openssl-0.9.8m/apps/CA.sh.ca-dir 2009-10-15 19:28:02.000000000 +0200
|
||||
+++ openssl-0.9.8m/apps/CA.sh 2010-03-22 17:55:06.000000000 +0100
|
||||
@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
|
||||
X509="$OPENSSL x509"
|
||||
PKCS12="openssl pkcs12"
|
||||
|
||||
-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
|
||||
+CATOP=../../CA
|
||||
CAKEY=./cakey.pem
|
||||
CAREQ=./careq.pem
|
||||
CACERT=./cacert.pem
|
||||
diff -up openssl-0.9.8m/apps/openssl.cnf.ca-dir openssl-0.9.8m/apps/openssl.cnf
|
||||
--- openssl-0.9.8m/apps/openssl.cnf.ca-dir 2010-03-22 17:53:47.000000000 +0100
|
||||
+++ openssl-0.9.8m/apps/openssl.cnf 2010-03-22 17:53:47.000000000 +0100
|
||||
@@ -34,7 +34,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = ../../CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
|
@ -0,0 +1,13 @@
|
|||
diff -up openssl-0.9.8m/ssl/kssl.c.krbdos openssl-0.9.8m/ssl/kssl.c
|
||||
--- openssl-0.9.8m/ssl/kssl.c.krbdos 2009-04-16 18:43:18.000000000 +0200
|
||||
+++ openssl-0.9.8m/ssl/kssl.c 2010-03-22 20:57:06.000000000 +0100
|
||||
@@ -1802,6 +1802,9 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
|
||||
kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
|
||||
KRB5_NT_SRV_HST, &princ);
|
||||
|
||||
+ if (krb5rc)
|
||||
+ goto exit;
|
||||
+
|
||||
krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
|
||||
princ,
|
||||
0 /* IGNORE_VNO */,
|
|
@ -1,42 +1,7 @@
|
|||
diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c
|
||||
--- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100
|
||||
+++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100
|
||||
@@ -1077,12 +1077,13 @@ bad:
|
||||
}
|
||||
#endif
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
|
||||
- (!SSL_CTX_set_default_verify_paths(ctx)))
|
||||
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
|
||||
+ {
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ }
|
||||
+ if (!SSL_CTX_set_default_verify_paths(ctx))
|
||||
{
|
||||
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
|
||||
ERR_print_errors(bio_err);
|
||||
- /* goto end; */
|
||||
}
|
||||
store = SSL_CTX_get_cert_store(ctx);
|
||||
X509_STORE_set_flags(store, vflags);
|
||||
@@ -1132,8 +1133,11 @@ bad:
|
||||
|
||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
|
||||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
|
||||
+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
|
||||
+ {
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ }
|
||||
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
|
||||
{
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c
|
||||
--- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100
|
||||
+++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100
|
||||
@@ -673,12 +673,13 @@ bad:
|
||||
diff -up openssl-0.9.8m/apps/s_client.c.default-paths openssl-0.9.8m/apps/s_client.c
|
||||
--- openssl-0.9.8m/apps/s_client.c.default-paths 2009-12-16 21:34:19.000000000 +0100
|
||||
+++ openssl-0.9.8m/apps/s_client.c 2010-03-22 17:48:51.000000000 +0100
|
||||
@@ -741,12 +741,13 @@ bad:
|
||||
if (!set_cert_key_stuff(ctx,cert,key))
|
||||
goto end;
|
||||
|
||||
|
@ -54,9 +19,44 @@ diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_clie
|
|||
}
|
||||
|
||||
store = SSL_CTX_get_cert_store(ctx);
|
||||
diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c
|
||||
--- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100
|
||||
+++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100
|
||||
diff -up openssl-0.9.8m/apps/s_server.c.default-paths openssl-0.9.8m/apps/s_server.c
|
||||
--- openssl-0.9.8m/apps/s_server.c.default-paths 2010-01-24 14:52:38.000000000 +0100
|
||||
+++ openssl-0.9.8m/apps/s_server.c 2010-03-22 17:50:44.000000000 +0100
|
||||
@@ -1275,12 +1275,13 @@ bad:
|
||||
}
|
||||
#endif
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
|
||||
- (!SSL_CTX_set_default_verify_paths(ctx)))
|
||||
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
|
||||
+ {
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ }
|
||||
+ if (!SSL_CTX_set_default_verify_paths(ctx))
|
||||
{
|
||||
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
|
||||
ERR_print_errors(bio_err);
|
||||
- /* goto end; */
|
||||
}
|
||||
store = SSL_CTX_get_cert_store(ctx);
|
||||
X509_STORE_set_flags(store, vflags);
|
||||
@@ -1333,8 +1334,11 @@ bad:
|
||||
else
|
||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
|
||||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
|
||||
+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
|
||||
+ {
|
||||
+ ERR_print_errors(bio_err);
|
||||
+ }
|
||||
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
|
||||
{
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
diff -up openssl-0.9.8m/apps/s_time.c.default-paths openssl-0.9.8m/apps/s_time.c
|
||||
--- openssl-0.9.8m/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100
|
||||
+++ openssl-0.9.8m/apps/s_time.c 2010-03-22 17:48:51.000000000 +0100
|
||||
@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv)
|
||||
|
||||
SSL_load_error_strings();
|
|
@ -1,141 +1,82 @@
|
|||
diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c
|
||||
--- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100
|
||||
@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
|
||||
diff -up openssl-0.9.8m/ssl/ssl_err.c.eap-fast openssl-0.9.8m/ssl/ssl_err.c
|
||||
--- openssl-0.9.8m/ssl/ssl_err.c.eap-fast 2010-01-06 18:59:41.000000000 +0100
|
||||
+++ openssl-0.9.8m/ssl/ssl_err.c 2010-03-22 18:12:49.000000000 +0100
|
||||
@@ -262,6 +262,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
||||
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
|
||||
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
|
||||
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
|
||||
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
|
||||
{0,NULL}
|
||||
};
|
||||
|
||||
void tls1_free(SSL *s)
|
||||
{
|
||||
+#ifndef OPENSSL_NO_TLSEXT
|
||||
+ if (s && s->tlsext_session_ticket)
|
||||
+ {
|
||||
+ OPENSSL_free(s->tlsext_session_ticket);
|
||||
+ }
|
||||
+#endif /* OPENSSL_NO_TLSEXT */
|
||||
ssl3_free(s);
|
||||
}
|
||||
diff -up openssl-0.9.8m/ssl/ssl.h.eap-fast openssl-0.9.8m/ssl/ssl.h
|
||||
--- openssl-0.9.8m/ssl/ssl.h.eap-fast 2010-03-22 18:12:49.000000000 +0100
|
||||
+++ openssl-0.9.8m/ssl/ssl.h 2010-03-22 18:12:49.000000000 +0100
|
||||
@@ -344,6 +344,7 @@ extern "C" {
|
||||
* 'struct ssl_st *' function parameters used to prototype callbacks
|
||||
* in SSL_CTX. */
|
||||
typedef struct ssl_st *ssl_crock_st;
|
||||
+typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
|
||||
|
||||
@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
int ticklen;
|
||||
if (s->session && s->session->tlsext_tick)
|
||||
ticklen = s->session->tlsext_ticklen;
|
||||
+ else if (s->session && s->tlsext_session_ticket &&
|
||||
+ s->tlsext_session_ticket->data)
|
||||
+ {
|
||||
+ ticklen = s->tlsext_session_ticket->length;
|
||||
+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
|
||||
+ if (!s->session->tlsext_tick)
|
||||
+ return NULL;
|
||||
+ memcpy(s->session->tlsext_tick,
|
||||
+ s->tlsext_session_ticket->data,
|
||||
+ ticklen);
|
||||
+ s->session->tlsext_ticklen = ticklen;
|
||||
+ }
|
||||
else
|
||||
ticklen = 0;
|
||||
+ if (ticklen == 0 && s->tlsext_session_ticket &&
|
||||
+ s->tlsext_session_ticket->data == NULL)
|
||||
+ goto skip_ext;
|
||||
/* Check for enough room 2 for extension type, 2 for len
|
||||
* rest for ticket
|
||||
*/
|
||||
@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
ret += ticklen;
|
||||
}
|
||||
}
|
||||
+ skip_ext:
|
||||
/* used to hold info on the particular ciphers used */
|
||||
typedef struct ssl_cipher_st
|
||||
@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st
|
||||
|
||||
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
|
||||
{
|
||||
@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||
}
|
||||
DECLARE_STACK_OF(SSL_CIPHER)
|
||||
|
||||
}
|
||||
+ else if (type == TLSEXT_TYPE_session_ticket)
|
||||
+ {
|
||||
+ if (s->tls_session_ticket_ext_cb &&
|
||||
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
|
||||
+ {
|
||||
+ *al = TLS1_AD_INTERNAL_ERROR;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
else if (type == TLSEXT_TYPE_status_request
|
||||
&& s->ctx->tlsext_status_cb)
|
||||
{
|
||||
@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
}
|
||||
else if (type == TLSEXT_TYPE_session_ticket)
|
||||
{
|
||||
+ if (s->tls_session_ticket_ext_cb &&
|
||||
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
|
||||
+ {
|
||||
+ *al = TLS1_AD_INTERNAL_ERROR;
|
||||
+ return 0;
|
||||
+ }
|
||||
if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
|
||||
|| (size > 0))
|
||||
{
|
||||
@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned
|
||||
s->tlsext_ticket_expected = 1;
|
||||
return 0; /* Cache miss */
|
||||
}
|
||||
+ if (s->tls_session_secret_cb)
|
||||
+ {
|
||||
+ /* Indicate cache miss here and instead of
|
||||
+ * generating the session from ticket now,
|
||||
+ * trigger abbreviated handshake based on
|
||||
+ * external mechanism to calculate the master
|
||||
+ * secret later. */
|
||||
+ return 0;
|
||||
+ }
|
||||
return tls_decrypt_ticket(s, p, size, session_id, len,
|
||||
ret);
|
||||
}
|
||||
diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c
|
||||
--- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100
|
||||
@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s)
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
+#ifndef OPENSSL_NO_TLSEXT
|
||||
+ /* check if we want to resume the session based on external pre-shared secret */
|
||||
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
|
||||
+ {
|
||||
+ SSL_CIPHER *pref_cipher=NULL;
|
||||
+ s->session->master_key_length=sizeof(s->session->master_key);
|
||||
+ if (s->tls_session_secret_cb(s, s->session->master_key,
|
||||
+ &s->session->master_key_length,
|
||||
+ NULL, &pref_cipher,
|
||||
+ s->tls_session_secret_cb_arg))
|
||||
+ {
|
||||
+ s->session->cipher = pref_cipher ?
|
||||
+ pref_cipher : ssl_get_cipher_by_char(s, p+j);
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* OPENSSL_NO_TLSEXT */
|
||||
+typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
|
||||
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
|
||||
+
|
||||
if (j != 0 && j == s->session->session_id_length
|
||||
&& memcmp(p,s->session->session_id,j) == 0)
|
||||
{
|
||||
@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s)
|
||||
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
|
||||
typedef struct ssl_method_st
|
||||
{
|
||||
int ok;
|
||||
long n;
|
||||
- /* If we have no ticket or session ID is non-zero length (a match of
|
||||
- * a non-zero session length would never reach here) it cannot be a
|
||||
- * resumed session.
|
||||
- */
|
||||
- if (!s->session->tlsext_tick || s->session->session_id_length)
|
||||
+ /* If we have no ticket it cannot be a resumed session. */
|
||||
+ if (!s->session->tlsext_tick)
|
||||
return 1;
|
||||
/* this function is called when we really expect a Certificate
|
||||
* message, so permit appropriate message length */
|
||||
diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c
|
||||
--- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200
|
||||
+++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100
|
||||
@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX *
|
||||
@@ -1050,6 +1054,18 @@ struct ssl_st
|
||||
|
||||
/* RFC4507 session ticket expected to be received or sent */
|
||||
int tlsext_ticket_expected;
|
||||
+
|
||||
+ /* TLS Session Ticket extension override */
|
||||
+ TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
|
||||
+
|
||||
+ /* TLS Session Ticket extension callback */
|
||||
+ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
|
||||
+ void *tls_session_ticket_ext_cb_arg;
|
||||
+
|
||||
+ /* TLS pre-shared secret session resumption */
|
||||
+ tls_session_secret_cb_fn tls_session_secret_cb;
|
||||
+ void *tls_session_secret_cb_arg;
|
||||
+
|
||||
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
|
||||
#define session_ctx initial_ctx
|
||||
#else
|
||||
@@ -1655,6 +1671,15 @@ void *SSL_COMP_get_compression_methods(v
|
||||
int SSL_COMP_add_compression_method(int id,void *cm);
|
||||
#endif
|
||||
|
||||
+/* TLS extensions functions */
|
||||
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
|
||||
+
|
||||
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
|
||||
+ void *arg);
|
||||
+
|
||||
+/* Pre-shared secret session resumption functions */
|
||||
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
|
||||
+
|
||||
/* BEGIN ERROR CODES */
|
||||
/* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
@@ -1856,6 +1881,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_TLS1_ENC 210
|
||||
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
|
||||
#define SSL_F_WRITE_PENDING 212
|
||||
+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
|
||||
|
||||
/* Reason codes. */
|
||||
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
|
||||
diff -up openssl-0.9.8m/ssl/ssl_sess.c.eap-fast openssl-0.9.8m/ssl/ssl_sess.c
|
||||
--- openssl-0.9.8m/ssl/ssl_sess.c.eap-fast 2010-02-01 17:48:40.000000000 +0100
|
||||
+++ openssl-0.9.8m/ssl/ssl_sess.c 2010-03-22 18:12:49.000000000 +0100
|
||||
@@ -712,6 +712,61 @@ long SSL_CTX_get_timeout(const SSL_CTX *
|
||||
return(s->session_timeout);
|
||||
}
|
||||
|
||||
|
@ -197,10 +138,51 @@ diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c
|
|||
typedef struct timeout_param_st
|
||||
{
|
||||
SSL_CTX *ctx;
|
||||
diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
|
||||
--- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100
|
||||
@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s)
|
||||
diff -up openssl-0.9.8m/ssl/s3_clnt.c.eap-fast openssl-0.9.8m/ssl/s3_clnt.c
|
||||
--- openssl-0.9.8m/ssl/s3_clnt.c.eap-fast 2010-01-26 20:40:36.000000000 +0100
|
||||
+++ openssl-0.9.8m/ssl/s3_clnt.c 2010-03-22 18:12:49.000000000 +0100
|
||||
@@ -758,6 +758,23 @@ int ssl3_get_server_hello(SSL *s)
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
+#ifndef OPENSSL_NO_TLSEXT
|
||||
+ /* check if we want to resume the session based on external pre-shared secret */
|
||||
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
|
||||
+ {
|
||||
+ SSL_CIPHER *pref_cipher=NULL;
|
||||
+ s->session->master_key_length=sizeof(s->session->master_key);
|
||||
+ if (s->tls_session_secret_cb(s, s->session->master_key,
|
||||
+ &s->session->master_key_length,
|
||||
+ NULL, &pref_cipher,
|
||||
+ s->tls_session_secret_cb_arg))
|
||||
+ {
|
||||
+ s->session->cipher = pref_cipher ?
|
||||
+ pref_cipher : ssl_get_cipher_by_char(s, p+j);
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* OPENSSL_NO_TLSEXT */
|
||||
+
|
||||
if (j != 0 && j == s->session->session_id_length
|
||||
&& memcmp(p,s->session->session_id,j) == 0)
|
||||
{
|
||||
@@ -2722,11 +2739,8 @@ int ssl3_check_finished(SSL *s)
|
||||
{
|
||||
int ok;
|
||||
long n;
|
||||
- /* If we have no ticket or session ID is non-zero length (a match of
|
||||
- * a non-zero session length would never reach here) it cannot be a
|
||||
- * resumed session.
|
||||
- */
|
||||
- if (!s->session->tlsext_tick || s->session->session_id_length)
|
||||
+ /* If we have no ticket it cannot be a resumed session. */
|
||||
+ if (!s->session->tlsext_tick)
|
||||
return 1;
|
||||
/* this function is called when we really expect a Certificate
|
||||
* message, so permit appropriate message length */
|
||||
diff -up openssl-0.9.8m/ssl/s3_srvr.c.eap-fast openssl-0.9.8m/ssl/s3_srvr.c
|
||||
--- openssl-0.9.8m/ssl/s3_srvr.c.eap-fast 2010-01-26 20:40:36.000000000 +0100
|
||||
+++ openssl-0.9.8m/ssl/s3_srvr.c 2010-03-22 18:12:49.000000000 +0100
|
||||
@@ -990,6 +990,59 @@ int ssl3_get_client_hello(SSL *s)
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
|
||||
goto err;
|
||||
}
|
||||
|
@ -260,7 +242,7 @@ diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
|
|||
#endif
|
||||
/* Worst case, we will use the NULL compression, but if we have other
|
||||
* options, we will now look for them. We have i-1 compression
|
||||
@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s)
|
||||
@@ -1128,16 +1181,22 @@ int ssl3_send_server_hello(SSL *s)
|
||||
unsigned char *buf;
|
||||
unsigned char *p,*d;
|
||||
int i,sl;
|
||||
|
@ -284,10 +266,10 @@ diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
|
|||
/* Do the message type and length last */
|
||||
d=p= &(buf[4]);
|
||||
|
||||
diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h
|
||||
--- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100
|
||||
@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
|
||||
diff -up openssl-0.9.8m/ssl/tls1.h.eap-fast openssl-0.9.8m/ssl/tls1.h
|
||||
--- openssl-0.9.8m/ssl/tls1.h.eap-fast 2010-03-22 18:12:49.000000000 +0100
|
||||
+++ openssl-0.9.8m/ssl/tls1.h 2010-03-22 18:12:49.000000000 +0100
|
||||
@@ -401,6 +401,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
|
||||
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
|
||||
#endif
|
||||
|
||||
|
@ -301,78 +283,96 @@ diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h
|
|||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c
|
||||
--- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200
|
||||
+++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100
|
||||
@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
||||
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
|
||||
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
|
||||
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
|
||||
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
|
||||
{0,NULL}
|
||||
};
|
||||
diff -up openssl-0.9.8m/ssl/t1_lib.c.eap-fast openssl-0.9.8m/ssl/t1_lib.c
|
||||
--- openssl-0.9.8m/ssl/t1_lib.c.eap-fast 2010-02-17 19:37:47.000000000 +0100
|
||||
+++ openssl-0.9.8m/ssl/t1_lib.c 2010-03-22 18:16:50.000000000 +0100
|
||||
@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
|
||||
|
||||
diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h
|
||||
--- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
||||
+++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100
|
||||
@@ -344,6 +344,7 @@ extern "C" {
|
||||
* 'struct ssl_st *' function parameters used to prototype callbacks
|
||||
* in SSL_CTX. */
|
||||
typedef struct ssl_st *ssl_crock_st;
|
||||
+typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
|
||||
|
||||
/* used to hold info on the particular ciphers used */
|
||||
typedef struct ssl_cipher_st
|
||||
@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st
|
||||
|
||||
DECLARE_STACK_OF(SSL_CIPHER)
|
||||
|
||||
+typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
|
||||
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
|
||||
+
|
||||
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
|
||||
typedef struct ssl_method_st
|
||||
void tls1_free(SSL *s)
|
||||
{
|
||||
@@ -1034,6 +1038,18 @@ struct ssl_st
|
||||
+#ifndef OPENSSL_NO_TLSEXT
|
||||
+ if (s && s->tlsext_session_ticket)
|
||||
+ {
|
||||
+ OPENSSL_free(s->tlsext_session_ticket);
|
||||
+ }
|
||||
+#endif /* OPENSSL_NO_TLSEXT */
|
||||
ssl3_free(s);
|
||||
}
|
||||
|
||||
/* RFC4507 session ticket expected to be received or sent */
|
||||
int tlsext_ticket_expected;
|
||||
+
|
||||
+ /* TLS Session Ticket extension override */
|
||||
+ TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
|
||||
+
|
||||
+ /* TLS Session Ticket extension callback */
|
||||
+ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
|
||||
+ void *tls_session_ticket_ext_cb_arg;
|
||||
+
|
||||
+ /* TLS pre-shared secret session resumption */
|
||||
+ tls_session_secret_cb_fn tls_session_secret_cb;
|
||||
+ void *tls_session_secret_cb_arg;
|
||||
+
|
||||
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
|
||||
#define session_ctx initial_ctx
|
||||
#else
|
||||
@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v
|
||||
int SSL_COMP_add_compression_method(int id,void *cm);
|
||||
#endif
|
||||
@@ -206,8 +212,23 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
int ticklen;
|
||||
if (!s->new_session && s->session && s->session->tlsext_tick)
|
||||
ticklen = s->session->tlsext_ticklen;
|
||||
+ else if (s->session && s->tlsext_session_ticket &&
|
||||
+ s->tlsext_session_ticket->data)
|
||||
+ {
|
||||
+ ticklen = s->tlsext_session_ticket->length;
|
||||
+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
|
||||
+ if (!s->session->tlsext_tick)
|
||||
+ return NULL;
|
||||
+ memcpy(s->session->tlsext_tick,
|
||||
+ s->tlsext_session_ticket->data,
|
||||
+ ticklen);
|
||||
+ s->session->tlsext_ticklen = ticklen;
|
||||
+ }
|
||||
else
|
||||
ticklen = 0;
|
||||
+ if (ticklen == 0 && s->tlsext_session_ticket &&
|
||||
+ s->tlsext_session_ticket->data == NULL)
|
||||
+ goto skip_ext;
|
||||
/* Check for enough room 2 for extension type, 2 for len
|
||||
* rest for ticket
|
||||
*/
|
||||
@@ -221,6 +242,7 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
ret += ticklen;
|
||||
}
|
||||
}
|
||||
+ skip_ext:
|
||||
|
||||
+/* TLS extensions functions */
|
||||
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
|
||||
+
|
||||
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
|
||||
+ void *arg);
|
||||
+
|
||||
+/* Pre-shared secret session resumption functions */
|
||||
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
|
||||
+
|
||||
/* BEGIN ERROR CODES */
|
||||
/* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_TLS1_ENC 210
|
||||
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
|
||||
#define SSL_F_WRITE_PENDING 212
|
||||
+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
|
||||
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
|
||||
s->version != DTLS1_VERSION)
|
||||
@@ -470,6 +492,15 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||
}
|
||||
|
||||
/* Reason codes. */
|
||||
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
|
||||
}
|
||||
+ else if (type == TLSEXT_TYPE_session_ticket)
|
||||
+ {
|
||||
+ if (s->tls_session_ticket_ext_cb &&
|
||||
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
|
||||
+ {
|
||||
+ *al = TLS1_AD_INTERNAL_ERROR;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
else if (type == TLSEXT_TYPE_renegotiate)
|
||||
{
|
||||
if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
|
||||
@@ -636,6 +667,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
}
|
||||
else if (type == TLSEXT_TYPE_session_ticket)
|
||||
{
|
||||
+ if (s->tls_session_ticket_ext_cb &&
|
||||
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
|
||||
+ {
|
||||
+ *al = TLS1_AD_INTERNAL_ERROR;
|
||||
+ return 0;
|
||||
+ }
|
||||
if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
|
||||
|| (size > 0))
|
||||
{
|
||||
@@ -893,6 +930,15 @@ int tls1_process_ticket(SSL *s, unsigned
|
||||
s->tlsext_ticket_expected = 1;
|
||||
return 0; /* Cache miss */
|
||||
}
|
||||
+ if (s->tls_session_secret_cb)
|
||||
+ {
|
||||
+ /* Indicate cache miss here and instead of
|
||||
+ * generating the session from ticket now,
|
||||
+ * trigger abbreviated handshake based on
|
||||
+ * external mechanism to calculate the master
|
||||
+ * secret later. */
|
||||
+ return 0;
|
||||
+ }
|
||||
return tls_decrypt_ticket(s, p, size, session_id, len,
|
||||
ret);
|
||||
}
|
|
@ -0,0 +1,47 @@
|
|||
diff -up openssl-0.9.8m/Configure.enginesdir openssl-0.9.8m/Configure
|
||||
--- openssl-0.9.8m/Configure.enginesdir 2010-03-22 17:36:34.000000000 +0100
|
||||
+++ openssl-0.9.8m/Configure 2010-03-22 17:39:03.000000000 +0100
|
||||
@@ -590,6 +590,7 @@ my $idx_arflags = $idx++;
|
||||
my $prefix="";
|
||||
my $libdir="";
|
||||
my $openssldir="";
|
||||
+my $enginesdir="";
|
||||
my $exe_ext="";
|
||||
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
|
||||
my $cross_compile_prefix="";
|
||||
@@ -837,6 +838,10 @@ PROCESS_ARGS:
|
||||
{
|
||||
$openssldir=$1;
|
||||
}
|
||||
+ elsif (/^--enginesdir=(.*)$/)
|
||||
+ {
|
||||
+ $enginesdir=$1;
|
||||
+ }
|
||||
elsif (/^--install.prefix=(.*)$/)
|
||||
{
|
||||
$install_prefix=$1;
|
||||
@@ -1111,7 +1116,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
||||
|
||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||
-
|
||||
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
|
||||
|
||||
print "IsMK1MF=$IsMK1MF\n";
|
||||
|
||||
@@ -1692,14 +1697,7 @@ while (<IN>)
|
||||
print OUT "#define OPENSSLDIR \"$foo\"\n";
|
||||
}
|
||||
elsif (/^#define\s+ENGINESDIR/)
|
||||
- {
|
||||
- # $foo is to become "$prefix/lib$multilib/engines";
|
||||
- # as Makefile.org and engines/Makefile are adapted for
|
||||
- # $multilib suffix.
|
||||
- my $foo = "$prefix/lib/engines";
|
||||
- $foo =~ s/\\/\\\\/g;
|
||||
- print OUT "#define ENGINESDIR \"$foo\"\n";
|
||||
- }
|
||||
+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; }
|
||||
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
|
||||
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
|
||||
if $export_var_as_fn;
|
|
@ -1,18 +1,6 @@
|
|||
diff -up openssl-0.9.8k/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8k/fips/sha/Makefile
|
||||
--- openssl-0.9.8k/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100
|
||||
+++ openssl-0.9.8k/fips/sha/Makefile 2009-03-25 20:18:08.000000000 +0100
|
||||
@@ -46,7 +46,7 @@ lib: $(LIBOBJ)
|
||||
@echo $(LIBOBJ) > lib
|
||||
|
||||
../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
|
||||
- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
||||
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
||||
$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
|
||||
|
||||
files:
|
||||
diff -up openssl-0.9.8k/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8k/fips/sha/fips_standalone_sha1.c
|
||||
--- openssl-0.9.8k/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2009-01-15 13:34:54.000000000 +0100
|
||||
+++ openssl-0.9.8k/fips/sha/fips_standalone_sha1.c 2009-03-25 20:18:08.000000000 +0100
|
||||
diff -up openssl-0.9.8m/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8m/fips/sha/fips_standalone_sha1.c
|
||||
--- openssl-0.9.8m/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2009-01-15 13:34:54.000000000 +0100
|
||||
+++ openssl-0.9.8m/fips/sha/fips_standalone_sha1.c 2010-03-22 18:05:47.000000000 +0100
|
||||
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
@ -112,3 +100,19 @@ diff -up openssl-0.9.8k/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0
|
|||
printf("%02x",md[i]);
|
||||
printf("\n");
|
||||
}
|
||||
diff -up openssl-0.9.8m/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8m/fips/sha/Makefile
|
||||
--- openssl-0.9.8m/fips/sha/Makefile.fipscheck-hmac 2009-10-15 16:14:35.000000000 +0200
|
||||
+++ openssl-0.9.8m/fips/sha/Makefile 2010-03-22 18:07:36.000000000 +0100
|
||||
@@ -47,10 +47,10 @@ lib: $(LIBOBJ)
|
||||
|
||||
../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
|
||||
if [ -z "$(HOSTCC)" ] ; then \
|
||||
- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
||||
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
||||
$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM ; \
|
||||
else \
|
||||
- $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../../include -I../../crypto fips_standalone_sha1.c ../../crypto/sha/sha1dgst.c ; \
|
||||
+ $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../../include -I../../crypto fips_standalone_sha1.c ../../crypto/sha/sha256.c ; \
|
||||
fi
|
||||
|
||||
files:
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode openssl-0.9.8k/crypto/engine/eng_all.c
|
||||
--- openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode 2008-06-04 20:01:39.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/engine/eng_all.c 2009-04-15 14:31:32.000000000 +0200
|
||||
diff -up openssl-0.9.8m/crypto/engine/eng_all.c.fipsmode openssl-0.9.8m/crypto/engine/eng_all.c
|
||||
--- openssl-0.9.8m/crypto/engine/eng_all.c.fipsmode 2008-06-04 20:01:39.000000000 +0200
|
||||
+++ openssl-0.9.8m/crypto/engine/eng_all.c 2010-03-22 18:08:24.000000000 +0100
|
||||
@@ -58,9 +58,23 @@
|
||||
|
||||
#include "cryptlib.h"
|
||||
|
@ -25,9 +25,9 @@ diff -up openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode openssl-0.9.8k/crypto/e
|
|||
/* There's no longer any need for an "openssl" ENGINE unless, one day,
|
||||
* it is the *only* way for standard builtin implementations to be be
|
||||
* accessed (ie. it would be possible to statically link binaries with
|
||||
diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c_allc.c
|
||||
--- openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode 2007-04-24 01:50:04.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/evp/c_allc.c 2009-03-26 15:53:42.000000000 +0100
|
||||
diff -up openssl-0.9.8m/crypto/evp/c_allc.c.fipsmode openssl-0.9.8m/crypto/evp/c_allc.c
|
||||
--- openssl-0.9.8m/crypto/evp/c_allc.c.fipsmode 2009-12-25 15:11:18.000000000 +0100
|
||||
+++ openssl-0.9.8m/crypto/evp/c_allc.c 2010-03-22 18:10:11.000000000 +0100
|
||||
@@ -65,6 +65,11 @@
|
||||
void OpenSSL_add_all_ciphers(void)
|
||||
{
|
||||
|
@ -40,7 +40,7 @@ diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c
|
|||
#ifndef OPENSSL_NO_DES
|
||||
EVP_add_cipher(EVP_des_cfb());
|
||||
EVP_add_cipher(EVP_des_cfb1());
|
||||
@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
|
||||
@@ -221,6 +226,65 @@ void OpenSSL_add_all_ciphers(void)
|
||||
EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
|
||||
EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
|
||||
#endif
|
||||
|
@ -51,6 +51,8 @@ diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c
|
|||
+#ifndef OPENSSL_NO_DES
|
||||
+ EVP_add_cipher(EVP_des_ede_cfb());
|
||||
+ EVP_add_cipher(EVP_des_ede3_cfb());
|
||||
+ EVP_add_cipher(EVP_des_ede3_cfb1());
|
||||
+ EVP_add_cipher(EVP_des_ede3_cfb8());
|
||||
+
|
||||
+ EVP_add_cipher(EVP_des_ede_ofb());
|
||||
+ EVP_add_cipher(EVP_des_ede3_ofb());
|
||||
|
@ -104,9 +106,9 @@ diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c
|
|||
|
||||
PKCS12_PBE_add();
|
||||
PKCS5_PBE_add();
|
||||
diff -up openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode openssl-0.9.8k/crypto/evp/c_alld.c
|
||||
--- openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode 2005-04-30 23:51:40.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/evp/c_alld.c 2009-03-26 15:53:42.000000000 +0100
|
||||
diff -up openssl-0.9.8m/crypto/evp/c_alld.c.fipsmode openssl-0.9.8m/crypto/evp/c_alld.c
|
||||
--- openssl-0.9.8m/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:33:26.000000000 +0200
|
||||
+++ openssl-0.9.8m/crypto/evp/c_alld.c 2010-03-22 18:10:43.000000000 +0100
|
||||
@@ -64,6 +64,11 @@
|
||||
|
||||
void OpenSSL_add_all_digests(void)
|
||||
|
@ -116,10 +118,10 @@ diff -up openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode openssl-0.9.8k/crypto/evp/c
|
|||
+ if (!FIPS_mode())
|
||||
+ {
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_MD2
|
||||
EVP_add_digest(EVP_md2());
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
EVP_add_digest(EVP_md4());
|
||||
#endif
|
||||
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
|
||||
@@ -108,4 +113,32 @@ void OpenSSL_add_all_digests(void)
|
||||
EVP_add_digest(EVP_sha384());
|
||||
EVP_add_digest(EVP_sha512());
|
||||
#endif
|
||||
|
@ -152,13 +154,14 @@ diff -up openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode openssl-0.9.8k/crypto/evp/c
|
|||
+ }
|
||||
+#endif
|
||||
}
|
||||
diff -up openssl-0.9.8k/crypto/o_init.c.fipsmode openssl-0.9.8k/crypto/o_init.c
|
||||
--- openssl-0.9.8k/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100
|
||||
+++ openssl-0.9.8k/crypto/o_init.c 2009-03-26 15:53:42.000000000 +0100
|
||||
@@ -59,6 +59,45 @@
|
||||
#include <e_os.h>
|
||||
#include <openssl/err.h>
|
||||
diff -up openssl-0.9.8m/crypto/o_init.c.fipsmode openssl-0.9.8m/crypto/o_init.c
|
||||
--- openssl-0.9.8m/crypto/o_init.c.fipsmode 2010-01-27 14:21:34.000000000 +0100
|
||||
+++ openssl-0.9.8m/crypto/o_init.c 2010-03-22 18:11:53.000000000 +0100
|
||||
@@ -64,6 +64,46 @@ extern void int_EVP_MD_init_engine_callb
|
||||
extern void int_EVP_CIPHER_init_engine_callbacks(void );
|
||||
extern void int_RAND_init_engine_callbacks(void );
|
||||
|
||||
+
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
|
@ -201,22 +204,9 @@ diff -up openssl-0.9.8k/crypto/o_init.c.fipsmode openssl-0.9.8k/crypto/o_init.c
|
|||
/* Perform any essential OpenSSL initialization operations.
|
||||
* Currently only sets FIPS callbacks
|
||||
*/
|
||||
@@ -73,11 +112,10 @@ void OPENSSL_init(void)
|
||||
#ifdef CRYPTO_MDEBUG
|
||||
CRYPTO_malloc_debug_init();
|
||||
#endif
|
||||
-#ifdef OPENSSL_ENGINE
|
||||
+ init_fips_mode();
|
||||
int_EVP_MD_init_engine_callbacks();
|
||||
int_EVP_CIPHER_init_engine_callbacks();
|
||||
int_RAND_init_engine_callbacks();
|
||||
-#endif
|
||||
done = 1;
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-0.9.8k/ssl/ssl_algs.c.fipsmode openssl-0.9.8k/ssl/ssl_algs.c
|
||||
--- openssl-0.9.8k/ssl/ssl_algs.c.fipsmode 2007-04-24 01:50:21.000000000 +0200
|
||||
+++ openssl-0.9.8k/ssl/ssl_algs.c 2009-04-15 14:32:13.000000000 +0200
|
||||
diff -up openssl-0.9.8m/ssl/ssl_algs.c.fipsmode openssl-0.9.8m/ssl/ssl_algs.c
|
||||
--- openssl-0.9.8m/ssl/ssl_algs.c.fipsmode 2009-07-08 10:33:27.000000000 +0200
|
||||
+++ openssl-0.9.8m/ssl/ssl_algs.c 2010-03-22 18:08:24.000000000 +0100
|
||||
@@ -64,6 +64,10 @@
|
||||
int SSL_library_init(void)
|
||||
{
|
|
@ -1,10 +1,13 @@
|
|||
diff -up openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8k/crypto/x509/x509_lu.c
|
||||
--- openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl 2005-05-11 05:45:35.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/x509/x509_lu.c 2009-03-26 15:47:45.000000000 +0100
|
||||
@@ -453,19 +453,41 @@ X509_OBJECT *X509_OBJECT_retrieve_by_sub
|
||||
diff -up openssl-0.9.8m/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8m/crypto/x509/x509_lu.c
|
||||
--- openssl-0.9.8m/crypto/x509/x509_lu.c.multi-crl 2010-02-19 19:25:39.000000000 +0100
|
||||
+++ openssl-0.9.8m/crypto/x509/x509_lu.c 2010-03-22 18:21:20.000000000 +0100
|
||||
@@ -458,7 +458,18 @@ X509_OBJECT *X509_OBJECT_retrieve_by_sub
|
||||
idx = X509_OBJECT_idx_by_subject(h, type, name);
|
||||
if (idx==-1) return NULL;
|
||||
return sk_X509_OBJECT_value(h, idx);
|
||||
}
|
||||
|
||||
- }
|
||||
+}
|
||||
+
|
||||
+static int x509_crl_match(const X509_CRL *a, const X509_CRL *b)
|
||||
+{
|
||||
+ if (a->signature == NULL || b->signature == NULL)
|
||||
|
@ -15,10 +18,10 @@ diff -up openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8k/crypto/x5
|
|||
+
|
||||
+ return memcmp(a->signature->data, b->signature->data, a->signature->length);
|
||||
+}
|
||||
+
|
||||
|
||||
X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
|
||||
{
|
||||
int idx, i;
|
||||
{
|
||||
@@ -466,13 +477,24 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
|
||||
X509_OBJECT *obj;
|
||||
idx = sk_X509_OBJECT_find(h, x);
|
||||
if (idx == -1) return NULL;
|
||||
|
@ -45,9 +48,9 @@ diff -up openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8k/crypto/x5
|
|||
return obj;
|
||||
}
|
||||
return NULL;
|
||||
diff -up openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl openssl-0.9.8k/crypto/x509/x509_vfy.c
|
||||
--- openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl 2008-07-13 16:33:15.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/x509/x509_vfy.c 2009-03-26 15:47:45.000000000 +0100
|
||||
diff -up openssl-0.9.8m/crypto/x509/x509_vfy.c.multi-crl openssl-0.9.8m/crypto/x509/x509_vfy.c
|
||||
--- openssl-0.9.8m/crypto/x509/x509_vfy.c.multi-crl 2009-06-26 13:34:21.000000000 +0200
|
||||
+++ openssl-0.9.8m/crypto/x509/x509_vfy.c 2010-03-22 18:17:30.000000000 +0100
|
||||
@@ -725,7 +725,38 @@ static int get_crl(X509_STORE_CTX *ctx,
|
||||
return 0;
|
||||
}
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
|
||||
--- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100
|
||||
+++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100
|
||||
@@ -320,28 +320,28 @@ my %table=(
|
||||
diff -up openssl-0.9.8m/Configure.redhat openssl-0.9.8m/Configure
|
||||
--- openssl-0.9.8m/Configure.redhat 2009-11-09 15:14:26.000000000 +0100
|
||||
+++ openssl-0.9.8m/Configure 2010-03-22 17:32:27.000000000 +0100
|
||||
@@ -331,28 +331,28 @@ my %table=(
|
||||
####
|
||||
# *-generic* is endian-neutral target, but ./config is free to
|
||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
||||
|
@ -23,8 +23,8 @@ diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
|
|||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
#### SPARC Linux setups
|
||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||
# assisted with debugging of following two configs.
|
||||
|
@ -40,7 +40,7 @@ diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
|
|||
#### Alpha Linux with GNU C and Compaq C setups
|
||||
# Special notes:
|
||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||
@@ -355,8 +355,8 @@ my %table=(
|
||||
@@ -366,8 +366,8 @@ my %table=(
|
||||
#
|
||||
# <appro@fy.chalmers.se>
|
||||
#
|
|
@ -1,15 +1,16 @@
|
|||
--- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100
|
||||
+++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100
|
||||
@@ -477,7 +477,7 @@
|
||||
|
||||
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
|
||||
diff -up openssl-0.9.8m/ssl/ssl.h.cipher-change openssl-0.9.8m/ssl/ssl.h
|
||||
--- openssl-0.9.8m/ssl/ssl.h.cipher-change 2010-03-22 17:55:54.000000000 +0100
|
||||
+++ openssl-0.9.8m/ssl/ssl.h 2010-03-22 17:57:38.000000000 +0100
|
||||
@@ -487,7 +487,7 @@ typedef struct ssl_session_st
|
||||
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
|
||||
/* Allow initial connection to servers that don't support RI */
|
||||
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
|
||||
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
|
||||
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
|
||||
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
|
||||
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
|
||||
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
|
||||
@@ -494,7 +494,7 @@
|
||||
@@ -504,7 +504,7 @@ typedef struct ssl_session_st
|
||||
|
||||
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
|
||||
* This used to be 0x000FFFFFL before 0.9.7. */
|
|
@ -1,63 +1,6 @@
|
|||
diff -up openssl-0.9.8k/test/Makefile.use-fipscheck openssl-0.9.8k/test/Makefile
|
||||
--- openssl-0.9.8k/test/Makefile.use-fipscheck 2009-03-25 11:59:22.000000000 +0100
|
||||
+++ openssl-0.9.8k/test/Makefile 2009-03-25 20:14:10.000000000 +0100
|
||||
@@ -401,9 +401,6 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
|
||||
fi; \
|
||||
if [ "$(FIPSCANLIB)" = "libfips" ]; then \
|
||||
LIBRARIES="-L$(TOP) -lfips"; \
|
||||
- elif [ -n "$(FIPSCANLIB)" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
||||
- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
|
||||
else \
|
||||
LIBRARIES="$(LIBCRYPTO)"; \
|
||||
fi; \
|
||||
@@ -416,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
|
||||
shlib_target="$(SHLIB_TARGET)"; \
|
||||
fi; \
|
||||
LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
|
||||
- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
|
||||
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
||||
- fi; \
|
||||
[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
|
||||
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
||||
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
|
||||
diff -up openssl-0.9.8k/Makefile.org.use-fipscheck openssl-0.9.8k/Makefile.org
|
||||
--- openssl-0.9.8k/Makefile.org.use-fipscheck 2009-03-25 20:10:37.000000000 +0100
|
||||
+++ openssl-0.9.8k/Makefile.org 2009-03-25 20:10:37.000000000 +0100
|
||||
@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
|
||||
$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
|
||||
$(AR) libcrypto.a fips/fipscanister.o ; \
|
||||
else \
|
||||
- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=fips/fipsld; \
|
||||
- export CC FIPSLD_CC; \
|
||||
- fi; \
|
||||
$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
|
||||
fi \
|
||||
else \
|
||||
@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
|
||||
fips/fipscanister.o: build_fips
|
||||
libfips$(SHLIB_EXT): fips/fipscanister.o
|
||||
@if [ "$(SHLIB_TARGET)" != "" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
|
||||
$(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
- CC=$${CC} LIBNAME=fips THIS=$@ \
|
||||
+ CC=$(CC) LIBNAME=fips THIS=$@ \
|
||||
LIBEXTRAS=fips/fipscanister.o \
|
||||
LIBDEPS="$(EX_LIBS)" \
|
||||
LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
||||
@@ -469,7 +464,7 @@ openssl.pc: Makefile
|
||||
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
|
||||
echo 'Version: '$(VERSION); \
|
||||
echo 'Requires: '; \
|
||||
- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
|
||||
+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
|
||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
|
||||
|
||||
Makefile: Makefile.org Configure config
|
||||
diff -up openssl-0.9.8k/fips/fips.c.use-fipscheck openssl-0.9.8k/fips/fips.c
|
||||
--- openssl-0.9.8k/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
|
||||
+++ openssl-0.9.8k/fips/fips.c 2009-03-25 20:10:37.000000000 +0100
|
||||
diff -up openssl-0.9.8m/fips/fips.c.use-fipscheck openssl-0.9.8m/fips/fips.c
|
||||
--- openssl-0.9.8m/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
|
||||
+++ openssl-0.9.8m/fips/fips.c 2010-03-22 17:58:22.000000000 +0100
|
||||
@@ -47,6 +47,7 @@
|
||||
*
|
||||
*/
|
||||
|
@ -326,17 +269,31 @@ diff -up openssl-0.9.8k/fips/fips.c.use-fipscheck openssl-0.9.8k/fips/fips.c
|
|||
|
||||
/* Generalized public key test routine. Signs and verifies the data
|
||||
* supplied in tbs using mesage digest md and setting option digest
|
||||
diff -up openssl-0.9.8k/fips/Makefile.use-fipscheck openssl-0.9.8k/fips/Makefile
|
||||
--- openssl-0.9.8k/fips/Makefile.use-fipscheck 2009-03-25 20:10:37.000000000 +0100
|
||||
+++ openssl-0.9.8k/fips/Makefile 2009-03-25 20:16:09.000000000 +0100
|
||||
diff -up openssl-0.9.8m/fips/fips_locl.h.use-fipscheck openssl-0.9.8m/fips/fips_locl.h
|
||||
--- openssl-0.9.8m/fips/fips_locl.h.use-fipscheck 2009-08-09 18:42:55.000000000 +0200
|
||||
+++ openssl-0.9.8m/fips/fips_locl.h 2010-03-22 18:05:09.000000000 +0100
|
||||
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
|
||||
int fips_set_owning_thread(void);
|
||||
void fips_set_selftest_fail(void);
|
||||
int fips_clear_owning_thread(void);
|
||||
+#if 0
|
||||
unsigned char *fips_signature_witness(void);
|
||||
+#endif
|
||||
int fips_check_rsa(RSA *rsa);
|
||||
|
||||
#define FIPS_MAX_CIPHER_TEST_SIZE 16
|
||||
diff -up openssl-0.9.8m/fips/Makefile.use-fipscheck openssl-0.9.8m/fips/Makefile
|
||||
--- openssl-0.9.8m/fips/Makefile.use-fipscheck 2010-03-22 17:58:21.000000000 +0100
|
||||
+++ openssl-0.9.8m/fips/Makefile 2010-03-22 18:04:08.000000000 +0100
|
||||
@@ -62,9 +62,9 @@ testapps:
|
||||
|
||||
all:
|
||||
@if [ -z "$(FIPSLIBDIR)" ]; then \
|
||||
- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
|
||||
+ $(MAKE) -e subdirs lib; \
|
||||
else \
|
||||
- else \
|
||||
- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
|
||||
+ $(MAKE) -e subdirs lib; \
|
||||
+ else \
|
||||
+ $(MAKE) -e lib; \
|
||||
fi
|
||||
|
||||
|
@ -345,11 +302,11 @@ diff -up openssl-0.9.8k/fips/Makefile.use-fipscheck openssl-0.9.8k/fips/Makefile
|
|||
HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
|
||||
*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
|
||||
esac fi
|
||||
- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
|
||||
- ./fips_standalone_sha1$(EXE_EXT) fipscanister.o > fipscanister.o.sha1
|
||||
|
||||
# If another exception is immediately required, assign approprite
|
||||
# site-specific ld command to FIPS_SITE_LD environment variable.
|
||||
@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
|
||||
@@ -175,7 +174,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
|
||||
$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
|
||||
@touch lib
|
||||
|
||||
|
@ -358,7 +315,7 @@ diff -up openssl-0.9.8k/fips/Makefile.use-fipscheck openssl-0.9.8k/fips/Makefile
|
|||
|
||||
libs:
|
||||
@target=lib; $(RECURSIVE_MAKE)
|
||||
@@ -195,17 +194,6 @@ install:
|
||||
@@ -199,17 +198,6 @@ install:
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
|
||||
done;
|
||||
@target=install; $(RECURSIVE_MAKE)
|
||||
|
@ -371,21 +328,62 @@ diff -up openssl-0.9.8k/fips/Makefile.use-fipscheck openssl-0.9.8k/fips/Makefile
|
|||
- done
|
||||
- cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \
|
||||
- $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \
|
||||
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
|
||||
- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
|
||||
- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/; \
|
||||
- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/fips*
|
||||
|
||||
lint:
|
||||
@target=lint; $(RECURSIVE_MAKE)
|
||||
diff -up openssl-0.9.8k/fips/fips_locl.h.use-fipscheck openssl-0.9.8k/fips/fips_locl.h
|
||||
--- openssl-0.9.8k/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200
|
||||
+++ openssl-0.9.8k/fips/fips_locl.h 2009-03-25 20:10:37.000000000 +0100
|
||||
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
|
||||
int fips_set_owning_thread(void);
|
||||
void fips_set_selftest_fail(void);
|
||||
int fips_clear_owning_thread(void);
|
||||
+#if 0
|
||||
unsigned char *fips_signature_witness(void);
|
||||
+#endif
|
||||
|
||||
#define FIPS_MAX_CIPHER_TEST_SIZE 16
|
||||
diff -up openssl-0.9.8m/Makefile.org.use-fipscheck openssl-0.9.8m/Makefile.org
|
||||
--- openssl-0.9.8m/Makefile.org.use-fipscheck 2010-03-22 17:58:21.000000000 +0100
|
||||
+++ openssl-0.9.8m/Makefile.org 2010-03-22 18:00:46.000000000 +0100
|
||||
@@ -359,10 +359,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
|
||||
$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
|
||||
$(AR) libcrypto.a fips/fipscanister.o ; \
|
||||
else \
|
||||
- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
|
||||
- FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
|
||||
- export CC FIPSLD_CC; \
|
||||
- fi; \
|
||||
$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
|
||||
fi \
|
||||
else \
|
||||
@@ -383,7 +379,6 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
|
||||
fips/fipscanister.o: build_fips
|
||||
libfips$(SHLIB_EXT): fips/fipscanister.o
|
||||
@if [ "$(SHLIB_TARGET)" != "" ]; then \
|
||||
- FIPSLD_CC="$(CC)"; CC=fips/fipsld; export CC FIPSLD_CC; \
|
||||
$(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
CC=$${CC} LIBNAME=fips THIS=$@ \
|
||||
LIBEXTRAS=fips/fipscanister.o \
|
||||
@@ -471,7 +466,7 @@ openssl.pc: Makefile
|
||||
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
|
||||
echo 'Version: '$(VERSION); \
|
||||
echo 'Requires: '; \
|
||||
- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
|
||||
+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
|
||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
|
||||
|
||||
Makefile: Makefile.org Configure config
|
||||
diff -up openssl-0.9.8m/test/Makefile.use-fipscheck openssl-0.9.8m/test/Makefile
|
||||
--- openssl-0.9.8m/test/Makefile.use-fipscheck 2009-08-10 13:52:15.000000000 +0200
|
||||
+++ openssl-0.9.8m/test/Makefile 2010-03-22 17:59:44.000000000 +0100
|
||||
@@ -401,9 +401,6 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
|
||||
fi; \
|
||||
if [ "$(FIPSCANLIB)" = "libfips" ]; then \
|
||||
LIBRARIES="-L$(TOP) -lfips"; \
|
||||
- elif [ -n "$(FIPSCANLIB)" ]; then \
|
||||
- FIPSLD_CC="$(CC)"; CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
||||
- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
|
||||
else \
|
||||
LIBRARIES="$(LIBCRYPTO)"; \
|
||||
fi; \
|
||||
@@ -416,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
|
||||
shlib_target="$(SHLIB_TARGET)"; \
|
||||
fi; \
|
||||
LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
|
||||
- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
|
||||
- FIPSLD_CC="$(CC)"; CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
||||
- fi; \
|
||||
[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
|
||||
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
||||
CC="$${CC}" APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
|
38
openssl.spec
38
openssl.spec
|
@ -22,8 +22,8 @@
|
|||
|
||||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 0.9.8k
|
||||
Release: 5%{?dist}
|
||||
Version: 0.9.8m
|
||||
Release: 1%{?dist}
|
||||
# We remove certain patented algorithms from the openssl source tarball
|
||||
# with the hobble-openssl script which is included below.
|
||||
Source: openssl-%{version}-usa.tar.bz2
|
||||
|
@ -34,40 +34,37 @@ Source8: openssl-thread-test.c
|
|||
Source9: opensslconf-new.h
|
||||
Source10: opensslconf-new-warning.h
|
||||
# Build changes
|
||||
Patch0: openssl-0.9.8j-redhat.patch
|
||||
Patch0: openssl-0.9.8m-redhat.patch
|
||||
Patch1: openssl-0.9.8a-defaults.patch
|
||||
Patch2: openssl-0.9.8a-link-krb5.patch
|
||||
Patch3: openssl-0.9.8j-soversion.patch
|
||||
Patch4: openssl-0.9.8j-enginesdir.patch
|
||||
Patch4: openssl-0.9.8m-enginesdir.patch
|
||||
Patch5: openssl-0.9.8a-no-rpath.patch
|
||||
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
||||
Patch7: openssl-0.9.8k-shlib-version.patch
|
||||
# Bug fixes
|
||||
Patch21: openssl-0.9.8b-aliasing-bug.patch
|
||||
Patch22: openssl-0.9.8k-x509-name-cmp.patch
|
||||
Patch23: openssl-0.9.8g-default-paths.patch
|
||||
Patch24: openssl-0.9.8g-no-extssl.patch
|
||||
Patch23: openssl-0.9.8m-default-paths.patch
|
||||
# Functionality changes
|
||||
Patch32: openssl-0.9.8g-ia64.patch
|
||||
Patch33: openssl-0.9.8j-ca-dir.patch
|
||||
Patch33: openssl-0.9.8m-ca-dir.patch
|
||||
Patch34: openssl-0.9.6-x509.patch
|
||||
Patch35: openssl-0.9.8j-version-add-engines.patch
|
||||
Patch38: openssl-0.9.8a-reuse-cipher-change.patch
|
||||
Patch38: openssl-0.9.8m-reuse-cipher-change.patch
|
||||
Patch39: openssl-0.9.8g-ipv6-apps.patch
|
||||
Patch40: openssl-0.9.8j-nocanister.patch
|
||||
Patch41: openssl-0.9.8k-use-fipscheck.patch
|
||||
Patch42: openssl-0.9.8k-fipscheck-hmac.patch
|
||||
Patch44: openssl-0.9.8k-kernel-fipsmode.patch
|
||||
Patch41: openssl-0.9.8m-use-fipscheck.patch
|
||||
Patch42: openssl-0.9.8m-fipscheck-hmac.patch
|
||||
Patch44: openssl-0.9.8m-kernel-fipsmode.patch
|
||||
Patch45: openssl-0.9.8j-env-nozlib.patch
|
||||
Patch46: openssl-0.9.8j-eap-fast.patch
|
||||
Patch46: openssl-0.9.8m-eap-fast.patch
|
||||
Patch47: openssl-0.9.8j-readme-warning.patch
|
||||
Patch48: openssl-0.9.8j-bad-mime.patch
|
||||
Patch49: openssl-0.9.8j-fips-no-pairwise.patch
|
||||
Patch50: openssl-0.9.8j-fips-rng-seed.patch
|
||||
Patch51: openssl-0.9.8k-multi-crl.patch
|
||||
Patch52: openssl-0.9.8k-dtls-compat.patch
|
||||
Patch53: openssl-0.9.8k-dtls-dos.patch
|
||||
Patch51: openssl-0.9.8m-multi-crl.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch60: openssl-0.9.8m-cve-2010-0433.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
|
@ -130,10 +127,8 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||
%patch6 -p1 -b .use-localhost
|
||||
%patch7 -p1 -b .shlib-version
|
||||
|
||||
%patch21 -p1 -b .aliasing-bug
|
||||
%patch22 -p1 -b .name-cmp
|
||||
%patch23 -p1 -b .default-paths
|
||||
%patch24 -p1 -b .no-extssl
|
||||
|
||||
%patch32 -p1 -b .ia64
|
||||
%patch33 -p1 -b .ca-dir
|
||||
|
@ -152,8 +147,8 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||
%patch49 -p1 -b .no-pairwise
|
||||
%patch50 -p1 -b .rng-seed
|
||||
%patch51 -p1 -b .multi-crl
|
||||
%patch52 -p1 -b .dtls-compat
|
||||
%patch53 -p1 -b .dtls-dos
|
||||
|
||||
%patch60 -p1 -b .krbdos
|
||||
|
||||
# Modify the various perl scripts to reference perl in the right location.
|
||||
perl util/perlpath.pl `dirname %{__perl}`
|
||||
|
@ -412,6 +407,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Mon Mar 22 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8m-1
|
||||
- fix CVE-2009-3245 CVE-2009-3555 CVE-2009-4355 CVE-2010-0433
|
||||
|
||||
* Thu May 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-5
|
||||
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
|
||||
(DTLS DoS problems) (#501253, #501254, #501572)
|
||||
|
|
Loading…
Reference in New Issue