rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'up/master' into master-riscv64 

Signed-off-by: David Abdurachmanov <david.abdurachmanov@gmail.com>
This commit is contained in:
David Abdurachmanov 2019-01-16 09:07:15 +01:00
parent e18afbe0a2 301c642c7f
commit 9a70c0ecce
Signed by: davidlt
GPG Key ID: 7108702C938B13C1
15 changed files with 918 additions and 571 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -40,3 +40,5 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.0h-hobbled.tar.xz
/openssl-1.1.1-pre8-hobbled.tar.xz
/openssl-1.1.1-pre9-hobbled.tar.xz
/openssl-1.1.1-hobbled.tar.xz
/openssl-1.1.1a-hobbled.tar.xz

30
openssl-1.1.0-weak-ciphers.patch
View File

@ -1,30 +0,0 @@
diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
--- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/ssl/s3_lib.c 2017-06-15 15:12:51.555142528 +0200
@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
256,
@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC12,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
256,
256,
@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
},
#endif /* OPENSSL_NO_SEED */
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+#if 0 /* No RC4 */
{
1,
SSL3_TXT_RSA_RC4_128_MD5,

14
openssl-1.1.0-defaults.patch → openssl-1.1.1-defaults.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
--- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200
+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf
--- openssl-1.1.1a/apps/openssl.cnf.defaults 2018-11-20 14:35:37.000000000 +0100
+++ openssl-1.1.1a/apps/openssl.cnf 2019-01-15 13:56:50.841719776 +0100
@@ -74,7 +74,7 @@ cert_opt = ca_default # Certificate fi
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
@ -10,7 +10,7 @@ diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/op
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@@ -104,6 +104,7 @@ emailAddress = optional
@@ -106,6 +106,7 @@ emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
@ -18,7 +18,7 @@ diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/op
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
@@ -126,17 +127,18 @@ string_mask = utf8only
@@ -128,17 +129,18 @@ string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
@ -40,7 +40,7 @@ diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/op
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
@@ -147,7 +149,7 @@ localityName = Locality Name (eg, city
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

18
openssl-1.1.1-disable-ssl3.patch
View File

@ -27,17 +27,19 @@ diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps
diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c
--- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200
+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200
@@ -3016,6 +3016,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
@@ -3016,6 +3016,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
*/
ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
+ /*
+ * Disable SSLv3 by default. Applications can
+ * re-enable it by configuring
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+ * or by using the SSL_CONF API.
+ */
+ ret->options |= SSL_OP_NO_SSLv3;
+ if (meth->version != SSL3_VERSION) {
+ /*
+ * Disable SSLv3 by default. Applications can
+ * re-enable it by configuring
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+ * or by using the SSL_CONF API.
+ */
+ ret->options |= SSL_OP_NO_SSLv3;
+ }
+
ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;

136
openssl-1.1.1-ec-curves.patch
View File

@ -1,8 +1,40 @@
diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
--- openssl-1.1.1-pre8/apps/speed.c.curves 2018-07-17 08:48:56.106625020 +0200
+++ openssl-1.1.1-pre8/apps/speed.c 2018-07-17 08:50:07.526521809 +0200
@@ -511,56 +511,20 @@ static double rsa_results[RSA_NUM][2];
#define R_EC_X448 23
diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
--- openssl-1.1.1/apps/speed.c.curves 2018-09-11 14:48:20.000000000 +0200
+++ openssl-1.1.1/apps/speed.c 2018-09-13 09:24:24.840081023 +0200
@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
#endif /* OPENSSL_NO_RSA */
-#define R_EC_P160 0
-#define R_EC_P192 1
-#define R_EC_P224 2
-#define R_EC_P256 3
-#define R_EC_P384 4
-#define R_EC_P521 5
-#define R_EC_K163 6
-#define R_EC_K233 7
-#define R_EC_K283 8
-#define R_EC_K409 9
-#define R_EC_K571 10
-#define R_EC_B163 11
-#define R_EC_B233 12
-#define R_EC_B283 13
-#define R_EC_B409 14
-#define R_EC_B571 15
-#define R_EC_BRP256R1 16
-#define R_EC_BRP256T1 17
-#define R_EC_BRP384R1 18
-#define R_EC_BRP384T1 19
-#define R_EC_BRP512R1 20
-#define R_EC_BRP512T1 21
-#define R_EC_X25519 22
-#define R_EC_X448 23
+#define R_EC_P224 0
+#define R_EC_P256 1
+#define R_EC_P384 2
+#define R_EC_P521 3
+#define R_EC_X25519 4
+#define R_EC_X448 5
#ifndef OPENSSL_NO_EC
static OPT_PAIR ecdsa_choices[] = {
- {"ecdsap160", R_EC_P160},
@ -58,10 +90,90 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
{"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448}
};
diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c
--- openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves 2018-06-20 16:48:10.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c 2018-07-17 08:48:56.107625044 +0200
@@ -141,6 +141,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
unsigned int bits;
} test_curves[] = {
/* Prime Curves */
- {"secp160r1", NID_secp160r1, 160},
- {"nistp192", NID_X9_62_prime192v1, 192},
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
{"nistp521", NID_secp521r1, 521},
- /* Binary Curves */
- {"nistk163", NID_sect163k1, 163},
- {"nistk233", NID_sect233k1, 233},
- {"nistk283", NID_sect283k1, 283},
- {"nistk409", NID_sect409k1, 409},
- {"nistk571", NID_sect571k1, 571},
- {"nistb163", NID_sect163r2, 163},
- {"nistb233", NID_sect233r1, 233},
- {"nistb283", NID_sect283r1, 283},
- {"nistb409", NID_sect409r1, 409},
- {"nistb571", NID_sect571r1, 571},
- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
- {"brainpoolP384t1", NID_brainpoolP384t1, 384},
- {"brainpoolP512r1", NID_brainpoolP512r1, 512},
- {"brainpoolP512t1", NID_brainpoolP512t1, 512},
/* Other and ECDH only ones */
{"X25519", NID_X25519, 253},
{"X448", NID_X448, 448}
@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
# endif
# ifndef OPENSSL_NO_EC
- ecdsa_c[R_EC_P160][0] = count / 1000;
- ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
+ ecdsa_c[R_EC_P224][0] = count / 1000;
+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#if 0
ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
}
}
}
-
- ecdh_c[R_EC_P160][0] = count / 1000;
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
+#endif
+ ecdh_c[R_EC_P224][0] = count / 1000;
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0;
@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#if 0
ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#endif
/* default iteration count for the last two EC Curves */
ecdh_c[R_EC_X25519][0] = count / 1800;
ecdh_c[R_EC_X448][0] = count / 7200;
diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_smpl.c
--- openssl-1.1.1/crypto/ec/ecp_smpl.c.curves 2018-09-11 14:48:21.000000000 +0200
+++ openssl-1.1.1/crypto/ec/ecp_smpl.c 2018-09-13 09:09:26.841792619 +0200
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0;
}
@ -73,9 +185,9 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypt
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
diff -up openssl-1.1.1-pre8/test/ecdsatest.c.curves openssl-1.1.1-pre8/test/ecdsatest.c
--- openssl-1.1.1-pre8/test/ecdsatest.c.curves 2018-06-20 16:48:14.000000000 +0200
+++ openssl-1.1.1-pre8/test/ecdsatest.c 2018-07-17 08:48:56.107625044 +0200
diff -up openssl-1.1.1/test/ecdsatest.c.curves openssl-1.1.1/test/ecdsatest.c
--- openssl-1.1.1/test/ecdsatest.c.curves 2018-09-11 14:48:24.000000000 +0200
+++ openssl-1.1.1/test/ecdsatest.c 2018-09-13 09:09:26.841792619 +0200
@@ -173,6 +173,7 @@ static int x9_62_tests(void)
if (!change_rand())
goto x962_err;

155
openssl-1.1.1-fips-post-rand.patch Normal file
View File

@ -0,0 +1,155 @@
diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/fips/fips.c
--- openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand 2019-01-15 14:14:07.813360637 +0100
+++ openssl-1.1.1a/crypto/fips/fips.c 2019-01-15 14:14:07.838360173 +0100
@@ -68,6 +68,7 @@
# include <openssl/fips.h>
# include "internal/thread_once.h"
+# include "internal/rand_int.h"
# ifndef PATH_MAX
# define PATH_MAX 1024
@@ -76,6 +77,7 @@
static int fips_selftest_fail = 0;
static int fips_mode = 0;
static int fips_started = 0;
+static int fips_post = 0;
static int fips_is_owning_thread(void);
static int fips_set_owning_thread(void);
@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
fips_selftest_fail = 1;
}
+int fips_in_post(void)
+{
+ return fips_post;
+}
+
/* we implement what libfipscheck does ourselves */
static int
@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
}
# endif
+ fips_post = 1;
+
if (!FIPS_selftest()) {
fips_selftest_fail = 1;
ret = 0;
@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
goto end;
}
+ fips_post = 0;
+
fips_set_mode(onoff);
+ /* force RNG reseed with entropy from getrandom() on next call */
+ rand_fork();
+
ret = 1;
goto end;
}
diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1a/crypto/include/internal/fips_int.h
--- openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand 2019-01-15 14:14:07.821360489 +0100
+++ openssl-1.1.1a/crypto/include/internal/fips_int.h 2019-01-15 14:14:07.838360173 +0100
@@ -76,6 +76,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void);
+int fips_in_post(void);
+
int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen,
const unsigned char *kat,
diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/crypto/rand/rand_unix.c
--- openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand 2018-11-20 14:35:38.000000000 +0100
+++ openssl-1.1.1a/crypto/rand/rand_unix.c 2019-01-15 14:17:22.416748544 +0100
@@ -16,10 +16,12 @@
#include <openssl/rand.h>
#include "rand_lcl.h"
#include "internal/rand_int.h"
+#include "internal/fips_int.h"
#include <stdio.h>
#include "internal/dso.h"
#if defined(__linux)
# include <sys/syscall.h>
+# include <sys/random.h>
#endif
#if defined(__FreeBSD__)
# include <sys/types.h>
@@ -258,7 +260,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error.
*/
-static ssize_t syscall_random(void *buf, size_t buflen)
+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
{
/*
* Note: 'buflen' equals the size of the buffer which is used by the
@@ -280,6 +282,7 @@ static ssize_t syscall_random(void *buf,
* - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061)
*/
+# if 0
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
@@ -301,10 +304,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif
-
+# endif
/* Linux supports this since version 3.17 */
# if defined(__linux) && defined(SYS_getrandom)
- return syscall(SYS_getrandom, buf, buflen, 0);
+ return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen);
# else
@@ -454,8 +457,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t bytes_needed;
size_t entropy_available = 0;
unsigned char *buffer;
-
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
+ int in_post;
+
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
{
ssize_t bytes;
/* Maximum allowed number of consecutive unsuccessful attempts */
@@ -464,7 +469,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
- bytes = syscall_random(buffer, bytes_needed);
+ bytes = syscall_random(buffer, bytes_needed, in_post);
if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes;
@@ -496,8 +501,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3;
const int fd = get_random_device(i);
- if (fd == -1)
+ if (fd == -1) {
+ OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]);
continue;
+ }
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -557,7 +564,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
}
}
# endif
-
+# ifdef OPENSSL_RAND_SEED_GETRANDOM
+ }
+# endif
return rand_pool_entropy_available(pool);
# endif
}

593
openssl-1.1.1-fips.patch
View File

File diff suppressed because it is too large Load Diff

124
openssl-1.1.1-no-brainpool.patch Normal file
View File

@ -0,0 +1,124 @@
diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in
--- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2018-11-20 14:35:42.000000000 +0100
+++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in 2019-01-15 14:55:03.898065698 +0100
@@ -141,22 +141,23 @@ our @tests = (
{
name => "ECDSA with brainpool",
server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+# "Groups" => "brainpoolP256r1",
+ "CipherString" => "aNULL",
},
client => {
#We don't restrict this to TLSv1.2, although use of brainpool
#should force this anyway so that this should succeed
"CipherString" => "aECDSA",
"RequestCAFile" => test_pem("root-cert.pem"),
- "Groups" => "brainpoolP256r1",
+# "Groups" => "brainpoolP256r1",
},
test => {
- "ExpectedServerCertType" =>, "brainpoolP256r1",
- "ExpectedServerSignType" =>, "EC",
+# "ExpectedServerCertType" =>, "brainpoolP256r1",
+# "ExpectedServerSignType" =>, "EC",
# Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
+# "ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
@@ -787,18 +788,19 @@ my @tests_tls_1_3 = (
{
name => "TLS 1.3 ECDSA with brainpool",
server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+# "Groups" => "brainpoolP256r1",
+ "CipherString" => "aNULL",
},
client => {
"RequestCAFile" => test_pem("root-cert.pem"),
- "Groups" => "brainpoolP256r1",
+# "Groups" => "brainpoolP256r1",
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
},
test => {
- "ExpectedResult" => "ServerFail"
+ "ExpectedResult" => "Success"
},
},
);
diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf
--- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool 2018-11-20 14:35:42.000000000 +0100
+++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf 2019-01-15 14:58:24.420416659 +0100
@@ -233,23 +233,23 @@ server = 5-ECDSA with brainpool-server
client = 5-ECDSA with brainpool-client
[5-ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
+CipherString = aNULL
+#Groups = brainpoolP256r1
+#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
[5-ECDSA with brainpool-client]
CipherString = aECDSA
-Groups = brainpoolP256r1
+#Groups = brainpoolP256r1
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
-ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = brainpoolP256r1
-ExpectedServerSignType = EC
+ExpectedResult = ServerFail
+#ExpectedServerCANames = empty
+#ExpectedServerCertType = brainpoolP256r1
+#ExpectedServerSignType = EC
# ===========================================================
@@ -1577,14 +1577,14 @@ server = 47-TLS 1.3 ECDSA with brainpool
client = 47-TLS 1.3 ECDSA with brainpool-client
[47-TLS 1.3 ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
+CipherString = aNULL
+#Groups = brainpoolP256r1
+#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
[47-TLS 1.3 ECDSA with brainpool-client]
CipherString = DEFAULT
-Groups = brainpoolP256r1
+#Groups = brainpoolP256r1
MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
@@ -1592,7 +1592,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
VerifyMode = Peer
[test-47]
-ExpectedResult = ServerFail
+ExpectedResult = Success
# ===========================================================

14
openssl-1.1.1-seclevel-check.patch
View File

@ -1,14 +0,0 @@
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index df5cff79c9..e740a8c25d 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
if (level >= 2 && c->algorithm_enc == SSL_RC4)
return 0;
/* Level 3: forward secure ciphersuites only */
- if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+ if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
+ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
return 0;
break;
}

65
openssl-1.1.1-seclevel.patch Normal file
View File

@ -0,0 +1,65 @@
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 09:52:23.535298908 +0200
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
}
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
+static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
/*
@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
return 0;
-
- return secbits >= minbits_table[level - 1];
+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
+ if (FIPS_mode())
+ return secbits >= minbits_table[level - 1];
+ return secbits >= minbits_digest_table[level - 1];
}
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 09:52:23.535298908 +0200
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
=item B<Level 2>
-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
+Security level set to 112 bits of security with the exception of SHA1 allowed
+for signatures.
+As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
+shorter than 224 bits are prohibited.
In addition to the level 1 exclusions any cipher suite using RC4 is also
prohibited. SSL version 3 is also not allowed. Compression is disabled.
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
return 0;
break;
default:
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
+ break;
if (bits < minbits)
return 0;
}
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 09:52:23.535298908 +0200
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
- "Reject PSS signature using SHA1 and auth level 2");
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
+ "Reject PSS signature using SHA1 and auth level 3");
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");

173
openssl-1.1.1-secure-getenv.patch
View File

@ -1,173 +0,0 @@
diff -up openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_api.c
--- openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/conf/conf_api.c 2018-07-16 18:01:11.708359766 +0200
@@ -9,6 +9,8 @@
/* Part of the code in here was originally in conf.c, which is now removed */
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "e_os.h"
#include <stdlib.h>
#include <string.h>
@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
if (v != NULL)
return v->value;
if (strcmp(section, "ENV") == 0) {
- p = getenv(name);
+ p = secure_getenv(name);
if (p != NULL)
return p;
}
diff -up openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_mod.c
--- openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/conf/conf_mod.c 2018-07-16 18:02:37.308383955 +0200
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "internal/cryptlib.h"
#include <stdio.h>
#include <ctype.h>
@@ -481,7 +483,7 @@ char *CONF_get1_default_config_file(void
int len;
if (!OPENSSL_issetugid()) {
- file = getenv("OPENSSL_CONF");
+ file = secure_getenv("OPENSSL_CONF");
if (file)
return OPENSSL_strdup(file);
}
diff -up openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv openssl-1.1.1-pre8/crypto/ct/ct_log.c
--- openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/ct/ct_log.c 2018-07-16 18:01:11.708359766 +0200
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
@@ -137,7 +139,7 @@ static int ctlog_new_from_conf(CTLOG **c
int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
{
- const char *fpath = getenv(CTLOG_FILE_EVP);
+ const char *fpath = secure_getenv(CTLOG_FILE_EVP);
if (fpath == NULL)
fpath = CTLOG_FILE;
diff -up openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv openssl-1.1.1-pre8/crypto/engine/eng_list.c
--- openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/engine/eng_list.c 2018-07-16 18:03:03.190996004 +0200
@@ -8,6 +8,8 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "eng_int.h"
/*
@@ -318,7 +320,7 @@ ENGINE *ENGINE_by_id(const char *id)
*/
if (strcmp(id, "dynamic")) {
if (OPENSSL_issetugid()
- || (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
+ || (load_dir = secure_getenv("OPENSSL_ENGINES")) == NULL)
load_dir = ENGINESDIR;
iterator = ENGINE_by_id("dynamic");
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
diff -up openssl-1.1.1-pre8/crypto/mem.c.secure-getenv openssl-1.1.1-pre8/crypto/mem.c
--- openssl-1.1.1-pre8/crypto/mem.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/mem.c 2018-07-16 18:01:11.709359790 +0200
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "e_os.h"
#include "internal/cryptlib.h"
#include "internal/cryptlib_int.h"
@@ -180,11 +182,11 @@ static int shouldfail(void)
void ossl_malloc_setup_failures(void)
{
- const char *cp = getenv("OPENSSL_MALLOC_FAILURES");
+ const char *cp = secure_getenv("OPENSSL_MALLOC_FAILURES");
if (cp != NULL && (md_failstring = strdup(cp)) != NULL)
parseit();
- if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL)
+ if ((cp = secure_getenv("OPENSSL_MALLOC_FD")) != NULL)
md_tracefd = atoi(cp);
}
#endif
diff -up openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv openssl-1.1.1-pre8/crypto/rand/randfile.c
--- openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/rand/randfile.c 2018-07-16 18:01:11.709359790 +0200
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "internal/cryptlib.h"
#include <errno.h>
@@ -264,7 +266,7 @@ const char *RAND_file_name(char *buf, si
#else
if (OPENSSL_issetugid() != 0) {
use_randfile = 0;
- } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') {
+ } else if ((s = secure_getenv("RANDFILE")) == NULL || *s == '\0') {
use_randfile = 0;
s = getenv("HOME");
}
diff -up openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_dir.c
--- openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/x509/by_dir.c 2018-07-16 18:03:43.355945786 +0200
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "e_os.h"
#include "internal/cryptlib.h"
#include <stdio.h>
@@ -73,7 +75,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
switch (cmd) {
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) {
- const char *dir = getenv(X509_get_default_cert_dir_env());
+ const char *dir = secure_getenv(X509_get_default_cert_dir_env());
if (dir)
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
diff -up openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_file.c
--- openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
+++ openssl-1.1.1-pre8/crypto/x509/by_file.c 2018-07-16 18:01:11.709359790 +0200
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <errno.h>
@@ -46,7 +48,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
switch (cmd) {
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT) {
- file = getenv(X509_get_default_cert_file_env());
+ file = secure_getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0);

16
openssl-1.1.1-version-override.patch
View File

@ -1,14 +1,12 @@
diff -up openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override openssl-1.1.1-pre9/include/openssl/opensslv.h
--- openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override 2018-08-22 12:25:31.959886929 +0200
+++ openssl-1.1.1-pre9/include/openssl/opensslv.h 2018-08-22 12:26:17.997014595 +0200
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
diff -up openssl-1.1.1a/include/openssl/opensslv.h.version-override openssl-1.1.1a/include/openssl/opensslv.h
--- openssl-1.1.1a/include/openssl/opensslv.h.version-override 2019-01-15 14:09:04.591995174 +0100
+++ openssl-1.1.1a/include/openssl/opensslv.h 2019-01-15 14:11:31.976256442 +0100
@@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x10101009L
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018"
+# define OPENSSL_VERSION_NUMBER 0x1010100fL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018"
# define OPENSSL_VERSION_NUMBER 0x1010101fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1a 20 Nov 2018"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1a FIPS 20 Nov 2018"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)

57
openssl-1.1.1-weak-ciphers.patch Normal file
View File

@ -0,0 +1,57 @@
diff -up openssl-1.1.1/ssl/s3_lib.c.weak-ciphers openssl-1.1.1/ssl/s3_lib.c
--- openssl-1.1.1/ssl/s3_lib.c.weak-ciphers 2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/ssl/s3_lib.c 2018-09-17 12:53:33.850637181 +0200
@@ -2612,7 +2612,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
256,
@@ -2644,7 +2644,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC12,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
256,
256,
@@ -2753,7 +2753,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
},
#endif /* OPENSSL_NO_SEED */
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+#if 0 /* No MD5 ciphersuites */
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
@@ -2770,6 +2770,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_RSA_RC4_128_SHA,
@@ -2786,6 +2788,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
+#if 0
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
@@ -2802,6 +2806,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
+#endif
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,

90
openssl.spec
View File

@ -19,17 +19,15 @@
%global _performance_build 1
%global prerelease pre9
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1
Release: 0.%{prerelease}.1.0.riscv64%{?dist}
Version: 1.1.1a
Release: 1.0.riscv64%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: openssl-%{version}-%{prerelease}-hobbled.tar.xz
Source: openssl-%{version}-hobbled.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
@ -41,7 +39,7 @@ Source12: ec_curve.c
Source13: ectest.c
# Build changes
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.0-defaults.patch
Patch2: openssl-1.1.1-defaults.patch
Patch3: openssl-1.1.0-no-html.patch
Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes
@ -50,7 +48,7 @@ Patch21: openssl-1.1.0-issuer-hash.patch
Patch31: openssl-1.1.1-conf-paths.patch
Patch32: openssl-1.1.1-version-add-engines.patch
Patch33: openssl-1.1.0-apps-dgst.patch
Patch36: openssl-1.1.1-secure-getenv.patch
Patch36: openssl-1.1.1-no-brainpool.patch
Patch37: openssl-1.1.1-ec-curves.patch
Patch38: openssl-1.1.0-no-weak-verify.patch
Patch40: openssl-1.1.1-disable-ssl3.patch
@ -58,9 +56,10 @@ Patch41: openssl-1.1.1-system-cipherlist.patch
Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.0-weak-ciphers.patch
Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
# Backported fixes including security fixes
Patch70: openssl-1.1.1-seclevel-check.patch
License: OpenSSL
Group: System Environment/Libraries
@ -134,7 +133,7 @@ package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.
%prep
%setup -q -n %{name}-%{version}-%{prerelease}
%setup -q -n %{name}-%{version}
# The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed.
@ -153,7 +152,7 @@ cp %{SOURCE13} test/
%patch31 -p1 -b .conf-paths
%patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst
%patch36 -p1 -b .secure-getenv
%patch36 -p1 -b .no-brainpool
%patch37 -p1 -b .curves
%patch38 -p1 -b .no-weak-verify
%patch40 -p1 -b .disable-ssl3
@ -162,8 +161,9 @@ cp %{SOURCE13} test/
%patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
%patch48 -p1 -b .fips-post-rand
%patch70 -p1 -b .seclevel-check
%build
# Figure out which flags we want to use.
@ -229,7 +229,7 @@ sslarch=linux-generic64
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
export HASHBANGPERL=/usr/bin/perl
@ -246,8 +246,8 @@ export HASHBANGPERL=/usr/bin/perl
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
enable-weak-ssl-ciphers \
no-mdc2 no-ec2m no-sm2 \
shared ${sslarch} $RPM_OPT_FLAGS
no-mdc2 no-ec2m no-sm2 no-sm4 \
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update
@ -323,13 +323,6 @@ install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
# Make sure we actually include the headers we built against.
for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
if [ -f ${header} -a -f include/openssl/$(basename ${header}) ] ; then
install -m644 include/openssl/`basename ${header}` ${header}
fi
done
# Rename man pages so that they don't conflict with other system man pages.
pushd $RPM_BUILD_ROOT%{_mandir}
ln -s -f config.5 man5/openssl.cnf.5
@ -344,6 +337,11 @@ for manpage in man*/* ; do
done
for conflict in passwd rand ; do
rename ${conflict} ssl${conflict} man*/${conflict}*
# Fix dangling symlinks
manpage=man1/openssl-${conflict}.*
if [ -L ${manpage} ] ; then
ln -snf ssl${conflict}.1ssl ${manpage}
fi
done
popd
@ -373,6 +371,13 @@ basearch=sparc
basearch=sparc64
%endif
# Next step of gradual disablement of SSL3.
# Make SSL3 disappear to newly built dependencies.
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
%ifarch %{multilib_arches}
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
@ -401,6 +406,7 @@ export LD_LIBRARY_PATH
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/c_rehash*
%exclude %{_mandir}/man1*/tsget*
%exclude %{_mandir}/man1*/openssl-tsget*
%files libs
%{!?_licensedir:%global license %%doc}
@ -436,6 +442,7 @@ export LD_LIBRARY_PATH
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/c_rehash*
%{_mandir}/man1*/tsget*
%{_mandir}/man1*/openssl-tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
@ -447,9 +454,46 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
* Sun Aug 26 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> 1.1.1-0.pre9.1.0.riscv64
* Wed Jan 16 2019 David Abdurachmanov <david.abdurachmanov@gmail.com> 1.1.1a-1.0.riscv64
- Add --libdir=%{_lib} for riscv64 (uses linux-generic64)
* Tue Jan 15 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1a-1
- update to the 1.1.1a release
* Fri Nov 9 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-7
- use /dev/urandom for seeding the RNG in FIPS POST
* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-6
- fix SECLEVEL 3 support
- fix some issues found in Coverity scan
* Thu Sep 27 2018 Charalampos Stratakis <cstratak@redhat.com> - 1:1.1.1-5
- Correctly invoke sed for defining OPENSSL_NO_SSL3
* Thu Sep 27 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-4
- define OPENSSL_NO_SSL3 so the newly built dependencies do not
have access to SSL3 API calls anymore
* Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
- reinstate accidentally dropped patch for weak ciphersuites
* Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
- for consistent support of security policies we build
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
- update to the final 1.1.1 version
* Thu Sep 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3
- do not try to initialize RNG in cleanup if it was not initialized
before (#1624554)
- use only /dev/urandom if getrandom() is not available
- disable SM4
* Wed Aug 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.2
- fix dangling symlinks to manual pages
- make SSLv3_method work
* Wed Aug 22 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1
- update to the latest 1.1.1 beta version

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-1.1.1-pre9-hobbled.tar.xz) = 0f723cdb1789a8ea893bb6f194321e586d70ce1d19b9832072ab90c02805f4ab11fd762b5d7b4433063432c91a1904f9fac202e64f22b89f3df6cd6e2ef25401
SHA512 (openssl-1.1.1a-hobbled.tar.xz) = 17d2703b2169f36b2ecd50d014103f31e22bbd42807b4688a3cd6140911e0aa9a2fa2bb1d4dda4eae000913a1551d85ac9c441a69c053a8ad10b593ec2a588b5