new upstream version

Tomas Mraz 2012-04-26 18:10:52 +02:00
parent 6a4bd67710
commit 5eb4589d83
8 changed files with 533 additions and 1194 deletions

1
.gitignore vendored

@ -9,3 +9,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.1-beta3-usa.tar.xz
/openssl-1.0.1-usa.tar.xz
/openssl-1.0.1a-usa.tar.xz
/openssl-1.0.1b-usa.tar.xz


@ -0,0 +1,189 @@
diff -up openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 openssl-1.0.0/crypto/pem/pem_all.c
--- openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 2006-11-06 20:53:37.000000000 +0100
+++ openssl-1.0.0/crypto/pem/pem_all.c 2012-04-26 17:17:35.765317652 +0200
@@ -147,7 +147,37 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRIN
IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE,
PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE)
+#ifdef OPENSSL_FIPS
+static int fips_PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+ {
+ if (FIPS_mode())
+ return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
+ (char *)kstr, klen, cb, u);
+ else
+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
+ bp,x,enc,kstr,klen,cb,u);
+ }
+
+#ifndef OPENSSL_NO_FP_API
+static int fips_PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+ {
+ if (FIPS_mode())
+ return PEM_write_PKCS8PrivateKey(fp, x, enc,
+ (char *)kstr, klen, cb, u);
+ else
+ return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
+ fp,x,enc,kstr,klen,cb,u);
+ }
+#endif
+
+#endif
#ifndef OPENSSL_NO_RSA
@@ -193,7 +223,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RS
#endif
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_RSA(k, x);
+
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+
+ EVP_PKEY_set1_RSA(k, x);
+
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+
+#endif
+
IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
@@ -223,7 +295,47 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp,
return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
}
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_DSA(k, x);
+
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_DSA(k, x);
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+
+#endif
+
IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
#ifndef OPENSSL_NO_FP_API
@@ -269,8 +381,49 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *b
IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
+
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_EC_KEY(k, x);
+
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_EC_KEY(k, x);
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
+#endif
+
IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
#ifndef OPENSSL_NO_FP_API
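Review bot: The six new `PEM_write_*PrivateKey` / `PEM_write_bio_*PrivateKey` wrappers for RSA, DSA and EC ignore the return value of `EVP_PKEY_set1_RSA`, `EVP_PKEY_set1_DSA` and `EVP_PKEY_set1_EC_KEY`. A failed assignment (for example a NULL `x`) therefore still reaches `fips_PEM_write_bio_PrivateKey` or `fips_PEM_write_PrivateKey` with an `EVP_PKEY` that may hold no usable key. Each call should be checked, e.g. `if (!EVP_PKEY_set1_RSA(k, x)) { EVP_PKEY_free(k); return 0; }`, and likewise in the DSA and EC variants. The two static helpers would also benefit from a short comment stating that in FIPS mode the key is written through the PKCS#8 writer instead of the traditional per-algorithm PEM form. Callers of the unchanged public names get a different output format depending on `FIPS_mode()`, so consumers that parse the traditional form should be checked against that.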


@ -15,7 +15,7 @@ diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL 0x80000BFFL
+#define SSL_OP_ALL 0x80000FF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
+#define SSL_OP_ALL 0x80000BF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
/* DTLS options */
#define SSL_OP_NO_QUERY_MTU 0x00001000L
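Review bot: The comment on the new `SSL_OP_ALL` value explains only the bit that is kept, not the bit that is deliberately removed from the upstream mask shown on the `-` line. `0x80000BF7L` differs from upstream's `0x80000BFFL` by `0x00000008L`, and a maintainer rebasing this patch has to rediscover that by hand, as apparently happened here when `0x00000400L` had to be cleared to follow upstream. Because `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` turns off the empty-fragment countermeasure for CBC ciphers in SSL 3.0/TLS 1.0, the reason it must stay in `SSL_OP_ALL` deserves stating as well. Something like `/* upstream mask without 0x00000008L; SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (0x00000800L) kept because <reason> */` would do.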


@ -26,7 +26,7 @@ diff -up openssl-1.0.1/crypto/opensslv.h.version openssl-1.0.1/crypto/opensslv.h
*/
#define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "1.0.0"
+#define SHLIB_VERSION_NUMBER "1.0.1a"
+#define SHLIB_VERSION_NUMBER "1.0.1b"
#endif /* HEADER_OPENSSLV_H */


@ -1,41 +0,0 @@
diff -up openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c.backport openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c
--- openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c.backport 2012-04-18 19:51:33.000000000 +0200
+++ openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c 2012-04-20 09:20:29.411861130 +0200
@@ -121,6 +121,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
md5_off = MD5_CBLOCK-key->md.num,
blocks;
unsigned int l;
+ extern unsigned int OPENSSL_ia32cap_P[];
#endif
size_t plen = key->payload_length;
@@ -132,7 +133,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
/* cipher has to "fall behind" */
if (rc4_off>md5_off) md5_off+=MD5_CBLOCK;
- if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK)) {
+ if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK) &&
+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
MD5_Update(&key->md,in,md5_off);
RC4(&key->ks,rc4_off,in,out);
@@ -172,7 +174,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
if (md5_off>rc4_off) rc4_off += 2*MD5_CBLOCK;
else rc4_off += MD5_CBLOCK;
- if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK)) {
+ if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK) &&
+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
RC4(&key->ks,rc4_off,in,out);
MD5_Update(&key->md,out,md5_off);
@@ -289,8 +292,6 @@ static EVP_CIPHER r4_hmac_md5_cipher=
const EVP_CIPHER *EVP_rc4_hmac_md5(void)
{
- extern unsigned int OPENSSL_ia32cap_P[];
- /* RC4_CHAR flag ------------vvvvv */
- return(OPENSSL_ia32cap_P[0]&(1<<20) ? NULL : &r4_hmac_md5_cipher);
+ return(&r4_hmac_md5_cipher);
}
#endif

File diff suppressed because it is too large Load Diff


@ -20,7 +20,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1a
Version: 1.0.1b
# Do not forget to bump SHLIB_VERSION on version upgrades
Release: 1%{?dist}
Epoch: 1
@ -51,7 +51,7 @@ Patch35: openssl-0.9.8j-version-add-engines.patch
Patch36: openssl-1.0.0e-doc-noeof.patch
Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
Patch39: openssl-1.0.1-beta2-ipv6-apps.patch
Patch40: openssl-1.0.1a-fips.patch
Patch40: openssl-1.0.1b-fips.patch
Patch45: openssl-0.9.8j-env-nozlib.patch
Patch47: openssl-1.0.0-beta5-readme-warning.patch
Patch49: openssl-1.0.1a-algo-doc.patch
@ -63,9 +63,9 @@ Patch60: openssl-1.0.0d-apps-dgst.patch
Patch63: openssl-1.0.0d-xmpp-starttls.patch
Patch65: openssl-1.0.0e-chil-fixes.patch
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
Patch67: openssl-1.0.0-fips-pkcs8.patch
# Backported fixes including security fixes
Patch81: openssl-1.0.1-beta2-padlock64.patch
Patch82: openssl-1.0.1a-backport.patch
License: OpenSSL
Group: System Environment/Libraries
@ -161,9 +161,9 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch63 -p1 -b .starttls
%patch65 -p1 -b .chil
%patch66 -p1 -b .krb5
%patch67 -p1 -b .pkcs8
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .backport
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@ -419,6 +419,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
* Thu Apr 26 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1b-1
- new upstream version
* Fri Apr 20 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1a-1
- new upstream version fixing CVE-2012-2110
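Review bot: The new `%changelog` entry says only `- new upstream version`, but the same commit also adds `Patch67: openssl-1.0.0-fips-pkcs8.patch` and drops `Patch82: openssl-1.0.1a-backport.patch`. The added patch changes the format in which private keys are written in FIPS mode, which is a behaviour change that users of the package would look for in the changelog. I would add a line such as `- write private keys in PKCS#8 format in FIPS mode` and, if the backported fix is now part of the upstream tarball, `- drop backport patch included upstream`.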


@ -1 +1 @@
21a3b8bee1fdb7e60ca2e4aa50529f81 openssl-1.0.1a-usa.tar.xz
c8778627718f332f91c0041eb23fa251 openssl-1.0.1b-usa.tar.xz