New upstream release from the 1.0.1 branch, ABI compatible
- also add documentation for the -no_ign_eof option
This commit is contained in:
parent
d91aea8890
commit
ad05b50537
1
.gitignore
vendored
1
.gitignore
vendored
@ -5,3 +5,4 @@ openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.0.0e-usa.tar.bz2
|
||||
/openssl-1.0.0f-usa.tar.bz2
|
||||
/openssl-1.0.0g-usa.tar.xz
|
||||
/openssl-1.0.1-beta2-usa.tar.xz
|
||||
|
15
fixpatch
Executable file
15
fixpatch
Executable file
@ -0,0 +1,15 @@
|
||||
#!/bin/sh
|
||||
# Fixes patch from upstream tracker view
|
||||
gawk '
|
||||
BEGIN {
|
||||
dir=""
|
||||
}
|
||||
/^Index: openssl\// {
|
||||
dir = $2
|
||||
}
|
||||
/^(---|\+\+\+)/ {
|
||||
$2 = dir
|
||||
}
|
||||
{
|
||||
print
|
||||
}'
|
@ -5,31 +5,37 @@ set -e
|
||||
|
||||
# Clean out patent-or-otherwise-encumbered code.
|
||||
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
|
||||
# IDEA: 5,214,703 07/01/2012
|
||||
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
|
||||
# RC5: 5,724,428 01/11/2015
|
||||
# EC: ????????? ??/??/2020
|
||||
# SRP: ????????? ??/??/20??
|
||||
|
||||
# Remove assembler portions of IDEA, MDC2, and RC5.
|
||||
(find crypto/{idea,rc5}/asm -type f | xargs -r rm -fv)
|
||||
(find crypto/{rc5}/asm -type f | xargs -r rm -fv)
|
||||
|
||||
# IDEA, MDC2, RC5, EC.
|
||||
for a in idea rc5 ec ecdh ecdsa; do
|
||||
# RC5, EC, SRP.
|
||||
for a in rc5 ec ecdh ecdsa srp; do
|
||||
for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
done
|
||||
|
||||
for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_ecdsa.c"`; do
|
||||
for c in `find crypto/evp -name "*_rc5.c" -o -name "*_ecdsa.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for c in `find crypto/bn -name "*gf2m.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for h in `find crypto ssl apps test -name "*.h"` ; do
|
||||
echo Removing IDEA, RC5, and EC references from $h
|
||||
echo Removing RC5, SRP and EC references from $h
|
||||
cat $h | \
|
||||
awk 'BEGIN {ech=1;} \
|
||||
/^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \
|
||||
/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
|
||||
/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
|
||||
/^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
|
||||
/^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
|
||||
|
@ -1,19 +0,0 @@
|
||||
diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h
|
||||
--- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 2008-08-10 22:23:55.000000000 +0200
|
||||
+++ openssl-0.9.8g/crypto/bn/bn_lcl.h 2008-08-10 22:23:55.000000000 +0200
|
||||
@@ -279,6 +279,15 @@ extern "C" {
|
||||
# define BN_UMULT_HIGH(a,b) __umulh((a),(b))
|
||||
# define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
|
||||
# endif
|
||||
+# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
|
||||
+# if defined(__GNUC__)
|
||||
+# define BN_UMULT_HIGH(a,b) ({ \
|
||||
+ register BN_ULONG ret; \
|
||||
+ asm ("xmpy.hu %0 = %1, %2" \
|
||||
+ : "=f"(ret) \
|
||||
+ : "f"(a), "f"(b)); \
|
||||
+ ret; })
|
||||
+# endif /* compiler */
|
||||
# endif /* cpu */
|
||||
#endif /* OPENSSL_NO_ASM */
|
||||
|
@ -1,400 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c
|
||||
--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck 2009-08-10 20:11:59.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-10 20:11:59.000000000 +0200
|
||||
@@ -47,6 +47,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
+#define _GNU_SOURCE
|
||||
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/fips_rand.h>
|
||||
@@ -56,6 +57,9 @@
|
||||
#include <openssl/rsa.h>
|
||||
#include <string.h>
|
||||
#include <limits.h>
|
||||
+#include <dlfcn.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
#include "fips_locl.h"
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
@@ -165,6 +169,204 @@ int FIPS_selftest()
|
||||
&& FIPS_selftest_dsa();
|
||||
}
|
||||
|
||||
+/* we implement what libfipscheck does ourselves */
|
||||
+
|
||||
+static int
|
||||
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
|
||||
+{
|
||||
+ Dl_info info;
|
||||
+ void *dl, *sym;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ dl = dlopen(libname, RTLD_LAZY);
|
||||
+ if (dl == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ sym = dlsym(dl, symbolname);
|
||||
+
|
||||
+ if (sym != NULL && dladdr(sym, &info)) {
|
||||
+ strncpy(path, info.dli_fname, pathlen-1);
|
||||
+ path[pathlen-1] = '\0';
|
||||
+ rv = 0;
|
||||
+ }
|
||||
+
|
||||
+ dlclose(dl);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static const char conv[] = "0123456789abcdef";
|
||||
+
|
||||
+static char *
|
||||
+bin2hex(void *buf, size_t len)
|
||||
+{
|
||||
+ char *hex, *p;
|
||||
+ unsigned char *src = buf;
|
||||
+
|
||||
+ hex = malloc(len * 2 + 1);
|
||||
+ if (hex == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ p = hex;
|
||||
+
|
||||
+ while (len > 0) {
|
||||
+ unsigned c;
|
||||
+
|
||||
+ c = *src;
|
||||
+ src++;
|
||||
+
|
||||
+ *p = conv[c >> 4];
|
||||
+ ++p;
|
||||
+ *p = conv[c & 0x0f];
|
||||
+ ++p;
|
||||
+ --len;
|
||||
+ }
|
||||
+ *p = '\0';
|
||||
+ return hex;
|
||||
+}
|
||||
+
|
||||
+#define HMAC_PREFIX "."
|
||||
+#define HMAC_SUFFIX ".hmac"
|
||||
+#define READ_BUFFER_LENGTH 16384
|
||||
+
|
||||
+static char *
|
||||
+make_hmac_path(const char *origpath)
|
||||
+{
|
||||
+ char *path, *p;
|
||||
+ const char *fn;
|
||||
+
|
||||
+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
|
||||
+ if(path == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ fn = strrchr(origpath, '/');
|
||||
+ if (fn == NULL) {
|
||||
+ fn = origpath;
|
||||
+ } else {
|
||||
+ ++fn;
|
||||
+ }
|
||||
+
|
||||
+ strncpy(path, origpath, fn-origpath);
|
||||
+ p = path + (fn - origpath);
|
||||
+ p = stpcpy(p, HMAC_PREFIX);
|
||||
+ p = stpcpy(p, fn);
|
||||
+ p = stpcpy(p, HMAC_SUFFIX);
|
||||
+
|
||||
+ return path;
|
||||
+}
|
||||
+
|
||||
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
|
||||
+
|
||||
+static int
|
||||
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
|
||||
+{
|
||||
+ FILE *f = NULL;
|
||||
+ int rv = -1;
|
||||
+ unsigned char rbuf[READ_BUFFER_LENGTH];
|
||||
+ size_t len;
|
||||
+ unsigned int hlen;
|
||||
+ HMAC_CTX c;
|
||||
+
|
||||
+ HMAC_CTX_init(&c);
|
||||
+
|
||||
+ f = fopen(path, "r");
|
||||
+
|
||||
+ if (f == NULL) {
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
|
||||
+
|
||||
+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
|
||||
+ HMAC_Update(&c, rbuf, len);
|
||||
+ }
|
||||
+
|
||||
+ len = sizeof(rbuf);
|
||||
+ /* reuse rbuf for hmac */
|
||||
+ HMAC_Final(&c, rbuf, &hlen);
|
||||
+
|
||||
+ *buf = malloc(hlen);
|
||||
+ if (*buf == NULL) {
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ *hmaclen = hlen;
|
||||
+
|
||||
+ memcpy(*buf, rbuf, hlen);
|
||||
+
|
||||
+ rv = 0;
|
||||
+end:
|
||||
+ HMAC_CTX_cleanup(&c);
|
||||
+
|
||||
+ if (f)
|
||||
+ fclose(f);
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+FIPSCHECK_verify(const char *libname, const char *symbolname)
|
||||
+{
|
||||
+ char path[PATH_MAX+1];
|
||||
+ int rv;
|
||||
+ FILE *hf;
|
||||
+ char *hmacpath, *p;
|
||||
+ char *hmac = NULL;
|
||||
+ size_t n;
|
||||
+
|
||||
+ rv = get_library_path(libname, symbolname, path, sizeof(path));
|
||||
+
|
||||
+ if (rv < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ hmacpath = make_hmac_path(path);
|
||||
+
|
||||
+ hf = fopen(hmacpath, "r");
|
||||
+ if (hf == NULL) {
|
||||
+ free(hmacpath);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (getline(&hmac, &n, hf) > 0) {
|
||||
+ void *buf;
|
||||
+ size_t hmaclen;
|
||||
+ char *hex;
|
||||
+
|
||||
+ if ((p=strchr(hmac, '\n')) != NULL)
|
||||
+ *p = '\0';
|
||||
+
|
||||
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
|
||||
+ rv = -4;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
|
||||
+ free(buf);
|
||||
+ rv = -5;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if (strcmp(hex, hmac) != 0) {
|
||||
+ rv = -1;
|
||||
+ }
|
||||
+ free(buf);
|
||||
+ free(hex);
|
||||
+ }
|
||||
+
|
||||
+end:
|
||||
+ free(hmac);
|
||||
+ free(hmacpath);
|
||||
+ fclose(hf);
|
||||
+
|
||||
+ if (rv < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* check successful */
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
int FIPS_mode_set(int onoff)
|
||||
{
|
||||
int fips_set_owning_thread();
|
||||
@@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff)
|
||||
}
|
||||
#endif
|
||||
|
||||
+ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
|
||||
+ {
|
||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||
+ fips_selftest_fail = 1;
|
||||
+ ret = 0;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
|
||||
+ {
|
||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||
+ fips_selftest_fail = 1;
|
||||
+ ret = 0;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
/* Perform RNG KAT before seeding */
|
||||
if (!FIPS_selftest_rng())
|
||||
{
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
|
||||
--- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck 2009-08-10 20:11:59.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-08-10 20:11:59.000000000 +0200
|
||||
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
|
||||
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
|
||||
const char *key)
|
||||
{
|
||||
size_t len=strlen(key);
|
||||
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
||||
|
||||
if (len > SHA_CBLOCK)
|
||||
{
|
||||
- SHA1_Init(md_ctx);
|
||||
- SHA1_Update(md_ctx,key,len);
|
||||
- SHA1_Final(keymd,md_ctx);
|
||||
- len=20;
|
||||
+ SHA256_Init(md_ctx);
|
||||
+ SHA256_Update(md_ctx,key,len);
|
||||
+ SHA256_Final(keymd,md_ctx);
|
||||
+ len=SHA256_DIGEST_LENGTH;
|
||||
}
|
||||
else
|
||||
memcpy(keymd,key,len);
|
||||
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
||||
|
||||
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
||||
pad[i]=0x36^keymd[i];
|
||||
- SHA1_Init(md_ctx);
|
||||
- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
|
||||
+ SHA256_Init(md_ctx);
|
||||
+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
|
||||
|
||||
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
||||
pad[i]=0x5c^keymd[i];
|
||||
- SHA1_Init(o_ctx);
|
||||
- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
|
||||
+ SHA256_Init(o_ctx);
|
||||
+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
|
||||
}
|
||||
|
||||
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
|
||||
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
|
||||
{
|
||||
- unsigned char buf[20];
|
||||
+ unsigned char buf[SHA256_DIGEST_LENGTH];
|
||||
|
||||
- SHA1_Final(buf,md_ctx);
|
||||
- SHA1_Update(o_ctx,buf,sizeof buf);
|
||||
- SHA1_Final(md,o_ctx);
|
||||
+ SHA256_Final(buf,md_ctx);
|
||||
+ SHA256_Update(o_ctx,buf,sizeof buf);
|
||||
+ SHA256_Final(md,o_ctx);
|
||||
}
|
||||
|
||||
#endif
|
||||
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
|
||||
int main(int argc,char **argv)
|
||||
{
|
||||
#ifdef OPENSSL_FIPS
|
||||
- static char key[]="etaonrishdlcupfm";
|
||||
+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
|
||||
int n,binary=0;
|
||||
|
||||
if(argc < 2)
|
||||
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
|
||||
for(; n < argc ; ++n)
|
||||
{
|
||||
FILE *f=fopen(argv[n],"rb");
|
||||
- SHA_CTX md_ctx,o_ctx;
|
||||
- unsigned char md[20];
|
||||
+ SHA256_CTX md_ctx,o_ctx;
|
||||
+ unsigned char md[SHA256_DIGEST_LENGTH];
|
||||
int i;
|
||||
|
||||
if(!f)
|
||||
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
|
||||
else
|
||||
break;
|
||||
}
|
||||
- SHA1_Update(&md_ctx,buf,l);
|
||||
+ SHA256_Update(&md_ctx,buf,l);
|
||||
}
|
||||
hmac_final(md,&md_ctx,&o_ctx);
|
||||
|
||||
if (binary)
|
||||
{
|
||||
- fwrite(md,20,1,stdout);
|
||||
+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
|
||||
break; /* ... for single(!) file */
|
||||
}
|
||||
|
||||
- printf("HMAC-SHA1(%s)= ",argv[n]);
|
||||
- for(i=0 ; i < 20 ; ++i)
|
||||
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
|
||||
+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
|
||||
printf("%02x",md[i]);
|
||||
printf("\n");
|
||||
}
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile
|
||||
--- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck 2009-08-10 20:11:59.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-10 20:27:45.000000000 +0200
|
||||
@@ -16,6 +16,9 @@ GENERAL=Makefile
|
||||
TEST=fips_test_suite.c fips_randtest.c
|
||||
APPS=
|
||||
|
||||
+PROGRAM= fips_standalone_sha1
|
||||
+EXE= $(PROGRAM)$(EXE_EXT)
|
||||
+
|
||||
LIB=$(TOP)/libcrypto.a
|
||||
LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
|
||||
fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
|
||||
@@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self
|
||||
fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
|
||||
fips_rsa_x931g.o
|
||||
|
||||
+LIBCRYPTO=-L.. -lcrypto
|
||||
+
|
||||
SRC= $(LIBSRC) fips_standalone_sha1.c
|
||||
|
||||
EXHEADER= fips.h fips_rand.h
|
||||
@@ -35,13 +40,15 @@ ALL= $(GENERAL) $(SRC) $(HEADER)
|
||||
top:
|
||||
(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
|
||||
|
||||
-all: lib
|
||||
+all: lib exe
|
||||
|
||||
lib: $(LIBOBJ)
|
||||
$(AR) $(LIB) $(LIBOBJ)
|
||||
$(RANLIB) $(LIB) || echo Never mind.
|
||||
@touch lib
|
||||
|
||||
+exe: $(EXE)
|
||||
+
|
||||
files:
|
||||
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
|
||||
|
||||
@@ -77,5 +84,9 @@ dclean:
|
||||
clean:
|
||||
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
|
||||
|
||||
+$(EXE): $(PROGRAM).o
|
||||
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
|
||||
+ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
|
||||
+
|
||||
# DO NOT DELETE THIS LINE -- make depend depends on it.
|
||||
|
@ -1,79 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c
|
||||
--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:14:36.000000000 +0200
|
||||
@@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff)
|
||||
goto end;
|
||||
}
|
||||
|
||||
+ /* now switch the RNG into FIPS mode */
|
||||
+ fips_set_rand_check(FIPS_rand_method());
|
||||
+ RAND_set_rand_method(FIPS_rand_method());
|
||||
+
|
||||
/* automagically seed PRNG if not already seeded */
|
||||
if(!FIPS_rand_status())
|
||||
{
|
||||
- if(RAND_bytes(buf,sizeof buf) <= 0)
|
||||
+ RAND_poll();
|
||||
+ if (!FIPS_rand_status())
|
||||
{
|
||||
fips_selftest_fail = 1;
|
||||
ret = 0;
|
||||
goto end;
|
||||
}
|
||||
- FIPS_rand_set_key(buf,32);
|
||||
- FIPS_rand_seed(buf+32,16);
|
||||
}
|
||||
|
||||
- /* now switch into FIPS mode */
|
||||
- fips_set_rand_check(FIPS_rand_method());
|
||||
- RAND_set_rand_method(FIPS_rand_method());
|
||||
if(FIPS_selftest())
|
||||
fips_set_mode(1);
|
||||
else
|
||||
diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c
|
||||
--- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:16:48.000000000 +0200
|
||||
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
|
||||
{
|
||||
int i;
|
||||
if (!ctx->keyed)
|
||||
- return 0;
|
||||
+ {
|
||||
+ FIPS_RAND_SIZE_T keylen = 16;
|
||||
+
|
||||
+ if (seedlen - keylen < AES_BLOCK_LENGTH)
|
||||
+ return 0;
|
||||
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
|
||||
+ keylen += 8;
|
||||
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
|
||||
+ keylen += 8;
|
||||
+ seedlen -= keylen;
|
||||
+ fips_set_prng_key(ctx, seed+seedlen, keylen);
|
||||
+ }
|
||||
/* In test mode seed is just supplied data */
|
||||
if (ctx->test_mode)
|
||||
{
|
||||
@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
|
||||
unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
|
||||
unsigned char tmp[AES_BLOCK_LENGTH];
|
||||
int i;
|
||||
+ FIPS_selftest_check();
|
||||
if (ctx->error)
|
||||
{
|
||||
RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
|
||||
diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h
|
||||
--- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng 2009-08-11 18:12:13.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h 2009-08-11 18:18:13.000000000 +0200
|
||||
@@ -112,8 +112,11 @@
|
||||
#ifndef HEADER_RAND_LCL_H
|
||||
#define HEADER_RAND_LCL_H
|
||||
|
||||
+#ifndef OPENSSL_FIPS
|
||||
#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
|
||||
-
|
||||
+#else
|
||||
+#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */
|
||||
+#endif
|
||||
|
||||
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
|
||||
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
@ -1,44 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/Configure.soversion openssl-1.0.0-beta3/Configure
|
||||
--- openssl-1.0.0-beta3/Configure.soversion 2009-08-04 23:06:52.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Configure 2009-08-04 23:06:52.000000000 +0200
|
||||
@@ -1514,7 +1514,7 @@ while (<IN>)
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
||||
{
|
||||
my $sotmp = $1;
|
||||
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
|
||||
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
|
||||
}
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
||||
{
|
||||
diff -up openssl-1.0.0-beta3/Makefile.org.soversion openssl-1.0.0-beta3/Makefile.org
|
||||
--- openssl-1.0.0-beta3/Makefile.org.soversion 2009-08-04 23:06:52.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:11:01.000000000 +0200
|
||||
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
||||
SHLIB_MAJOR=
|
||||
SHLIB_MINOR=
|
||||
SHLIB_EXT=
|
||||
+SHLIB_SONAMEVER=10
|
||||
PLATFORM=dist
|
||||
OPTIONS=
|
||||
CONFIGURE_ARGS=
|
||||
@@ -289,10 +290,9 @@ clean-shared:
|
||||
link-shared:
|
||||
@ set -e; for i in $(SHLIBDIRS); do \
|
||||
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
||||
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
||||
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
||||
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
||||
symlink.$(SHLIB_TARGET); \
|
||||
- libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
build-shared: do_$(SHLIB_TARGET) link-shared
|
||||
@@ -303,7 +303,7 @@ do_$(SHLIB_TARGET):
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
||||
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
||||
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
||||
LIBDEPS="$$libs $(EX_LIBS)" \
|
||||
link_a.$(SHLIB_TARGET); \
|
@ -1,25 +0,0 @@
|
||||
Adding struct member is ABI breaker however as the structure is always allocated by
|
||||
the library calls we just move it to the end and it should be reasonably safe.
|
||||
diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
|
||||
--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi 2009-11-12 14:34:37.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/ssl/dtls1.h 2009-11-12 14:47:57.000000000 +0100
|
||||
@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
|
||||
*/
|
||||
record_pqueue buffered_app_data;
|
||||
|
||||
- /* Is set when listening for new connections with dtls1_listen() */
|
||||
- unsigned int listen;
|
||||
-
|
||||
unsigned int mtu; /* max DTLS packet size */
|
||||
|
||||
struct hm_header_st w_msg_hdr;
|
||||
@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
|
||||
unsigned int retransmitting;
|
||||
unsigned int change_cipher_spec_ok;
|
||||
|
||||
+ /* Is set when listening for new connections with dtls1_listen() */
|
||||
+ unsigned int listen;
|
||||
+
|
||||
} DTLS1_STATE;
|
||||
|
||||
typedef struct dtls1_record_data_st
|
@ -1,47 +0,0 @@
|
||||
diff -up openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni openssl-1.0.0/crypto/engine/eng_aesni.c
|
||||
--- openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
|
||||
+++ openssl-1.0.0/crypto/engine/eng_aesni.c 2011-06-08 14:19:22.000000000 +0200
|
||||
@@ -323,7 +323,7 @@ static const EVP_CIPHER aesni_##ksize##_
|
||||
EVP_CIPHER_block_size_##umode, \
|
||||
ksize / 8, \
|
||||
AES_BLOCK_SIZE, \
|
||||
- 0 | EVP_CIPH_##umode##_MODE, \
|
||||
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_##umode##_MODE, \
|
||||
aesni_init_key, \
|
||||
aesni_cipher_##lmode, \
|
||||
NULL, \
|
||||
diff -up openssl-1.0.0/crypto/fips/fips.c.fips-aesni openssl-1.0.0/crypto/fips/fips.c
|
||||
--- openssl-1.0.0/crypto/fips/fips.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
|
||||
+++ openssl-1.0.0/crypto/fips/fips.c 2011-06-08 17:31:35.000000000 +0200
|
||||
@@ -55,6 +55,7 @@
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/rsa.h>
|
||||
+#include <openssl/engine.h>
|
||||
#include <string.h>
|
||||
#include <limits.h>
|
||||
#include <dlfcn.h>
|
||||
@@ -444,14 +445,17 @@ int FIPS_mode_set(int onoff)
|
||||
}
|
||||
|
||||
if(FIPS_selftest())
|
||||
- fips_set_mode(1);
|
||||
- else
|
||||
{
|
||||
- fips_selftest_fail = 1;
|
||||
- ret = 0;
|
||||
- goto end;
|
||||
+ ENGINE_load_aesni();
|
||||
+ if (FIPS_selftest_aes())
|
||||
+ {
|
||||
+ fips_set_mode(1);
|
||||
+ ret = 1;
|
||||
+ goto end;
|
||||
+ }
|
||||
}
|
||||
- ret = 1;
|
||||
+ fips_selftest_fail = 1;
|
||||
+ ret = 0;
|
||||
goto end;
|
||||
}
|
||||
fips_set_mode(0);
|
@ -1,22 +0,0 @@
|
||||
diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
|
||||
--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash 2010-01-12 18:27:10.000000000 +0100
|
||||
+++ openssl-1.0.0/crypto/x509/x509_cmp.c 2010-04-06 16:44:52.000000000 +0200
|
||||
@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
|
||||
{
|
||||
unsigned long ret=0;
|
||||
unsigned char md[16];
|
||||
+ EVP_MD_CTX ctx;
|
||||
|
||||
/* Make sure X509_NAME structure contains valid cached encoding */
|
||||
i2d_X509_NAME(x,NULL);
|
||||
- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
|
||||
+
|
||||
+ EVP_MD_CTX_init(&ctx);
|
||||
+ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
+ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
|
||||
+ && EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
|
||||
+ && EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||
+ EVP_MD_CTX_cleanup(&ctx);
|
||||
|
||||
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
|
||||
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
|
@ -1,77 +0,0 @@
|
||||
diff -up openssl-1.0.0/crypto/fips/fips.c.sha2test openssl-1.0.0/crypto/fips/fips.c
|
||||
--- openssl-1.0.0/crypto/fips/fips.c.sha2test 2011-09-12 15:07:42.000000000 +0200
|
||||
+++ openssl-1.0.0/crypto/fips/fips.c 2011-09-26 11:03:17.000000000 +0200
|
||||
@@ -163,6 +163,7 @@ int FIPS_selftest()
|
||||
{
|
||||
|
||||
return FIPS_selftest_sha1()
|
||||
+ && FIPS_selftest_sha2()
|
||||
&& FIPS_selftest_hmac()
|
||||
&& FIPS_selftest_aes()
|
||||
&& FIPS_selftest_des()
|
||||
@@ -323,6 +324,8 @@ FIPSCHECK_verify(const char *libname, co
|
||||
return 0;
|
||||
|
||||
hmacpath = make_hmac_path(path);
|
||||
+ if (hmacpath == NULL)
|
||||
+ return 0;
|
||||
|
||||
hf = fopen(hmacpath, "r");
|
||||
if (hf == NULL) {
|
||||
@@ -627,6 +630,45 @@ int fips_cipher_test(EVP_CIPHER_CTX *ctx
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static const unsigned char msg_sha256[] = { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
|
||||
+ 0xfc };
|
||||
+static const unsigned char dig_sha256[] = { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
|
||||
+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
|
||||
+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
|
||||
+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a };
|
||||
+
|
||||
+static const unsigned char msg_sha512[] = { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
|
||||
+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd };
|
||||
+static const unsigned char dig_sha512[] = { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
|
||||
+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
|
||||
+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
|
||||
+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
|
||||
+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
|
||||
+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
|
||||
+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
|
||||
+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 };
|
||||
+
|
||||
+int FIPS_selftest_sha2(void)
|
||||
+ {
|
||||
+ unsigned char md[SHA512_DIGEST_LENGTH];
|
||||
+
|
||||
+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
|
||||
+ if(memcmp(dig_sha256, md, sizeof(dig_sha256)))
|
||||
+ {
|
||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
|
||||
+ if(memcmp(dig_sha512, md, sizeof(dig_sha512)))
|
||||
+ {
|
||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
#if 0
|
||||
/* The purpose of this is to ensure the error code exists and the function
|
||||
* name is to keep the error checking script quiet
|
||||
diff -up openssl-1.0.0/crypto/fips/fips.h.sha2test openssl-1.0.0/crypto/fips/fips.h
|
||||
--- openssl-1.0.0/crypto/fips/fips.h.sha2test 2011-09-12 15:07:42.000000000 +0200
|
||||
+++ openssl-1.0.0/crypto/fips/fips.h 2011-09-26 11:00:55.000000000 +0200
|
||||
@@ -72,6 +72,7 @@ int FIPS_selftest_failed(void);
|
||||
void FIPS_selftest_check(void);
|
||||
void FIPS_corrupt_sha1(void);
|
||||
int FIPS_selftest_sha1(void);
|
||||
+int FIPS_selftest_sha2(void);
|
||||
void FIPS_corrupt_aes(void);
|
||||
int FIPS_selftest_aes(void);
|
||||
void FIPS_corrupt_des(void);
|
@ -1,272 +0,0 @@
|
||||
diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
|
||||
--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200
|
||||
+++ openssl-1.0.0a/crypto/engine/eng_all.c 2010-06-04 13:32:13.000000000 +0200
|
||||
@@ -58,9 +58,23 @@
|
||||
|
||||
#include "cryptlib.h"
|
||||
#include "eng_int.h"
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+#include <openssl/fips.h>
|
||||
+#endif
|
||||
|
||||
void ENGINE_load_builtin_engines(void)
|
||||
{
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ OPENSSL_init_library();
|
||||
+ if (FIPS_mode()) {
|
||||
+ /* We allow loading dynamic engine as a third party
|
||||
+ engine might be FIPS validated.
|
||||
+ User is disallowed to load non-validated engines
|
||||
+ by security policy. */
|
||||
+ ENGINE_load_dynamic();
|
||||
+ return;
|
||||
+ }
|
||||
+#endif
|
||||
#if 0
|
||||
/* There's no longer any need for an "openssl" ENGINE unless, one day,
|
||||
* it is the *only* way for standard builtin implementations to be be
|
||||
diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
|
||||
--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode 2009-12-25 15:12:24.000000000 +0100
|
||||
+++ openssl-1.0.0a/crypto/evp/c_allc.c 2010-06-04 13:32:13.000000000 +0200
|
||||
@@ -65,6 +65,11 @@
|
||||
void OpenSSL_add_all_ciphers(void)
|
||||
{
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ OPENSSL_init_library();
|
||||
+ if(!FIPS_mode())
|
||||
+ {
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_DES
|
||||
EVP_add_cipher(EVP_des_cfb());
|
||||
EVP_add_cipher(EVP_des_cfb1());
|
||||
@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
|
||||
EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
|
||||
EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
|
||||
#endif
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+#ifndef OPENSSL_NO_DES
|
||||
+ EVP_add_cipher(EVP_des_ede_cfb());
|
||||
+ EVP_add_cipher(EVP_des_ede3_cfb());
|
||||
+
|
||||
+ EVP_add_cipher(EVP_des_ede_ofb());
|
||||
+ EVP_add_cipher(EVP_des_ede3_ofb());
|
||||
+
|
||||
+ EVP_add_cipher(EVP_des_ede_cbc());
|
||||
+ EVP_add_cipher(EVP_des_ede3_cbc());
|
||||
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
|
||||
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
|
||||
+
|
||||
+ EVP_add_cipher(EVP_des_ede());
|
||||
+ EVP_add_cipher(EVP_des_ede3());
|
||||
+#endif
|
||||
+
|
||||
+#ifndef OPENSSL_NO_AES
|
||||
+ EVP_add_cipher(EVP_aes_128_ecb());
|
||||
+ EVP_add_cipher(EVP_aes_128_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_128_cfb());
|
||||
+ EVP_add_cipher(EVP_aes_128_cfb1());
|
||||
+ EVP_add_cipher(EVP_aes_128_cfb8());
|
||||
+ EVP_add_cipher(EVP_aes_128_ofb());
|
||||
+#if 0
|
||||
+ EVP_add_cipher(EVP_aes_128_ctr());
|
||||
+#endif
|
||||
+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
|
||||
+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
|
||||
+ EVP_add_cipher(EVP_aes_192_ecb());
|
||||
+ EVP_add_cipher(EVP_aes_192_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_192_cfb());
|
||||
+ EVP_add_cipher(EVP_aes_192_cfb1());
|
||||
+ EVP_add_cipher(EVP_aes_192_cfb8());
|
||||
+ EVP_add_cipher(EVP_aes_192_ofb());
|
||||
+#if 0
|
||||
+ EVP_add_cipher(EVP_aes_192_ctr());
|
||||
+#endif
|
||||
+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
|
||||
+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
|
||||
+ EVP_add_cipher(EVP_aes_256_ecb());
|
||||
+ EVP_add_cipher(EVP_aes_256_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_256_cfb());
|
||||
+ EVP_add_cipher(EVP_aes_256_cfb1());
|
||||
+ EVP_add_cipher(EVP_aes_256_cfb8());
|
||||
+ EVP_add_cipher(EVP_aes_256_ofb());
|
||||
+#if 0
|
||||
+ EVP_add_cipher(EVP_aes_256_ctr());
|
||||
+#endif
|
||||
+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
|
||||
+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
|
||||
--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200
|
||||
+++ openssl-1.0.0a/crypto/evp/c_alld.c 2010-06-04 13:32:13.000000000 +0200
|
||||
@@ -64,6 +64,11 @@
|
||||
|
||||
void OpenSSL_add_all_digests(void)
|
||||
{
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ OPENSSL_init_library();
|
||||
+ if (!FIPS_mode())
|
||||
+ {
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
EVP_add_digest(EVP_md4());
|
||||
#endif
|
||||
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
|
||||
#ifndef OPENSSL_NO_WHIRLPOOL
|
||||
EVP_add_digest(EVP_whirlpool());
|
||||
#endif
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
||||
+ EVP_add_digest(EVP_sha1());
|
||||
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
||||
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
||||
+#ifndef OPENSSL_NO_DSA
|
||||
+ EVP_add_digest(EVP_dss1());
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_ECDSA
|
||||
+ EVP_add_digest(EVP_ecdsa());
|
||||
+#endif
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_SHA256
|
||||
+ EVP_add_digest(EVP_sha224());
|
||||
+ EVP_add_digest(EVP_sha256());
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_SHA512
|
||||
+ EVP_add_digest(EVP_sha384());
|
||||
+ EVP_add_digest(EVP_sha512());
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
|
||||
--- openssl-1.0.0a/crypto/o_init.c.fipsmode 2010-06-04 13:32:13.000000000 +0200
|
||||
+++ openssl-1.0.0a/crypto/o_init.c 2010-06-04 13:32:13.000000000 +0200
|
||||
@@ -59,6 +59,43 @@
|
||||
#include <e_os.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <unistd.h>
|
||||
+#include <errno.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
+static void init_fips_mode(void)
|
||||
+ {
|
||||
+ char buf[2] = "0";
|
||||
+ int fd;
|
||||
+
|
||||
+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
|
||||
+ {
|
||||
+ buf[0] = '1';
|
||||
+ }
|
||||
+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
|
||||
+ {
|
||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
|
||||
+ close(fd);
|
||||
+ }
|
||||
+ /* Failure reading the fips mode switch file means just not
|
||||
+ * switching into FIPS mode. We would break too many things
|
||||
+ * otherwise.
|
||||
+ */
|
||||
+
|
||||
+ if (buf[0] == '1')
|
||||
+ {
|
||||
+ FIPS_mode_set(1);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* Perform any essential OpenSSL initialization operations.
|
||||
* Currently only sets FIPS callbacks
|
||||
*/
|
||||
@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
|
||||
#ifdef CRYPTO_MDEBUG
|
||||
CRYPTO_malloc_debug_init();
|
||||
#endif
|
||||
+ init_fips_mode();
|
||||
done = 1;
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
|
||||
--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode 2010-04-07 15:18:30.000000000 +0200
|
||||
+++ openssl-1.0.0a/ssl/ssl_algs.c 2010-06-04 13:32:48.000000000 +0200
|
||||
@@ -64,6 +64,12 @@
|
||||
int SSL_library_init(void)
|
||||
{
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ OPENSSL_init_library();
|
||||
+ if (!FIPS_mode())
|
||||
+ {
|
||||
+#endif
|
||||
+
|
||||
#ifndef OPENSSL_NO_DES
|
||||
EVP_add_cipher(EVP_des_cbc());
|
||||
EVP_add_cipher(EVP_des_ede3_cbc());
|
||||
@@ -127,6 +133,48 @@ int SSL_library_init(void)
|
||||
EVP_add_digest(EVP_sha());
|
||||
EVP_add_digest(EVP_dss());
|
||||
#endif
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+#ifndef OPENSSL_NO_DES
|
||||
+ EVP_add_cipher(EVP_des_ede3_cbc());
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_AES
|
||||
+ EVP_add_cipher(EVP_aes_128_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_192_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_256_cbc());
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_MD5
|
||||
+ /* needed even in the FIPS mode for TLS MAC */
|
||||
+ EVP_add_digest(EVP_md5());
|
||||
+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
|
||||
+ EVP_add_digest_alias(SN_md5,"ssl3-md5");
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_SHA
|
||||
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
|
||||
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
||||
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_SHA256
|
||||
+ EVP_add_digest(EVP_sha224());
|
||||
+ EVP_add_digest(EVP_sha256());
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_SHA512
|
||||
+ EVP_add_digest(EVP_sha384());
|
||||
+ EVP_add_digest(EVP_sha512());
|
||||
+#endif
|
||||
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
|
||||
+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
|
||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_ECDSA
|
||||
+ EVP_add_digest(EVP_ecdsa());
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
/* This will initialise the built-in compression algorithms.
|
||||
The value returned is a STACK_OF(SSL_COMP), but that can
|
@ -1,21 +0,0 @@
|
||||
diff -up openssl-1.0.0a/doc/apps/openssl.pod.manfix openssl-1.0.0a/doc/apps/openssl.pod
|
||||
--- openssl-1.0.0a/doc/apps/openssl.pod.manfix 2010-01-21 19:46:28.000000000 +0100
|
||||
+++ openssl-1.0.0a/doc/apps/openssl.pod 2010-06-30 14:24:50.000000000 +0200
|
||||
@@ -287,8 +287,6 @@ SHA Digest
|
||||
|
||||
SHA-1 Digest
|
||||
|
||||
-=back
|
||||
-
|
||||
=item B<sha224>
|
||||
|
||||
SHA-224 Digest
|
||||
@@ -305,6 +303,8 @@ SHA-384 Digest
|
||||
|
||||
SHA-512 Digest
|
||||
|
||||
+=back
|
||||
+
|
||||
=head2 ENCODING AND CIPHER COMMANDS
|
||||
|
||||
=over 10
|
File diff suppressed because it is too large
Load Diff
@ -1,57 +0,0 @@
|
||||
diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
|
||||
--- openssl-1.0.0c/apps/s_socket.c.ipv6listen 2011-01-24 16:44:18.000000000 +0100
|
||||
+++ openssl-1.0.0c/apps/s_socket.c 2011-01-24 16:56:25.000000000 +0100
|
||||
@@ -335,15 +335,16 @@ int do_server(char *port, int type, int
|
||||
|
||||
static int init_server(int *sock, char *port, int type)
|
||||
{
|
||||
- struct addrinfo *res, *res0, hints;
|
||||
+ struct addrinfo *res, *res0 = NULL, hints;
|
||||
char * failed_call = NULL;
|
||||
- char port_name[8];
|
||||
int s;
|
||||
int e;
|
||||
|
||||
if (!ssl_sock_init()) return(0);
|
||||
|
||||
memset(&hints, '\0', sizeof(hints));
|
||||
+ hints.ai_family = AF_INET6;
|
||||
+tryipv4:
|
||||
hints.ai_socktype = type;
|
||||
hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
|
||||
|
||||
@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
|
||||
failed_call = "socket";
|
||||
goto nextres;
|
||||
}
|
||||
+ if (hints.ai_family == AF_INET6)
|
||||
+ {
|
||||
+ int j = 0;
|
||||
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
||||
+ (void *) &j, sizeof j);
|
||||
+ }
|
||||
#if defined SOL_SOCKET && defined SO_REUSEADDR
|
||||
{
|
||||
int j = 1;
|
||||
@@ -392,9 +399,19 @@ nextres:
|
||||
close(s);
|
||||
res = res->ai_next;
|
||||
}
|
||||
- freeaddrinfo(res0);
|
||||
+ if (res0)
|
||||
+ freeaddrinfo(res0);
|
||||
|
||||
- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
|
||||
+ if (s == INVALID_SOCKET)
|
||||
+ {
|
||||
+ if (hints.ai_family == AF_INET6)
|
||||
+ {
|
||||
+ hints.ai_family = AF_INET;
|
||||
+ goto tryipv4;
|
||||
+ }
|
||||
+ perror("socket");
|
||||
+ return(0);
|
||||
+ }
|
||||
|
||||
perror(failed_call);
|
||||
return(0);
|
@ -1,384 +0,0 @@
|
||||
diff -up openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsa_gen.c
|
||||
--- openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 2011-02-03 21:04:14.000000000 +0100
|
||||
+++ openssl-1.0.0c/crypto/dsa/dsa_gen.c 2011-02-04 08:54:42.000000000 +0100
|
||||
@@ -120,11 +120,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
int ok=0;
|
||||
unsigned char seed[SHA256_DIGEST_LENGTH];
|
||||
unsigned char md[SHA256_DIGEST_LENGTH];
|
||||
- unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
|
||||
+ unsigned char buf[SHA256_DIGEST_LENGTH];
|
||||
BIGNUM *r0,*W,*X,*c,*test;
|
||||
BIGNUM *g=NULL,*q=NULL,*p=NULL;
|
||||
BN_MONT_CTX *mont=NULL;
|
||||
- int i, k, n=0, m=0, qsize = qbits >> 3;
|
||||
+ int i, k, b, n=0, m=0, qsize = qbits >> 3;
|
||||
int counter=0;
|
||||
int r=0;
|
||||
BN_CTX *ctx=NULL;
|
||||
@@ -138,9 +138,13 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
goto err;
|
||||
}
|
||||
|
||||
- if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
|
||||
+ if (FIPS_mode() &&
|
||||
+ (bits != 1024 || qbits != 160) &&
|
||||
+ (bits != 2048 || qbits != 224) &&
|
||||
+ (bits != 2048 || qbits != 256) &&
|
||||
+ (bits != 3072 || qbits != 256))
|
||||
{
|
||||
- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
|
||||
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
|
||||
goto err;
|
||||
}
|
||||
#endif
|
||||
@@ -151,22 +155,25 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
return 0;
|
||||
|
||||
if (evpmd == NULL)
|
||||
- /* use SHA1 as default */
|
||||
- evpmd = EVP_sha1();
|
||||
+ {
|
||||
+ if (qbits <= 160)
|
||||
+ evpmd = EVP_sha1();
|
||||
+ else if (qbits <= 224)
|
||||
+ evpmd = EVP_sha224();
|
||||
+ else
|
||||
+ evpmd = EVP_sha256();
|
||||
+ }
|
||||
|
||||
if (bits < 512)
|
||||
bits = 512;
|
||||
|
||||
bits = (bits+63)/64*64;
|
||||
|
||||
- /* NB: seed_len == 0 is special case: copy generated seed to
|
||||
- * seed_in if it is not NULL.
|
||||
- */
|
||||
if (seed_len && (seed_len < (size_t)qsize))
|
||||
seed_in = NULL; /* seed buffer too small -- ignore */
|
||||
if (seed_len > (size_t)qsize)
|
||||
seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
|
||||
- * but our internal buffers are restricted to 160 bits*/
|
||||
+ * but our internal buffers are restricted to 256 bits*/
|
||||
if (seed_in != NULL)
|
||||
memcpy(seed, seed_in, seed_len);
|
||||
|
||||
@@ -189,13 +196,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
if (!BN_lshift(test,BN_value_one(),bits-1))
|
||||
goto err;
|
||||
|
||||
+ /* step 3 n = \lceil bits / qbits \rceil - 1 */
|
||||
+ n = (bits+qbits-1)/qbits - 1;
|
||||
+ /* step 4 b = bits - 1 - n * qbits */
|
||||
+ b = bits - 1 - n*qbits;
|
||||
+
|
||||
for (;;)
|
||||
{
|
||||
for (;;) /* find q */
|
||||
{
|
||||
int seed_is_random;
|
||||
|
||||
- /* step 1 */
|
||||
+ /* step 5 generate seed */
|
||||
if(!BN_GENCB_call(cb, 0, m++))
|
||||
goto err;
|
||||
|
||||
@@ -210,28 +222,17 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
|
||||
}
|
||||
memcpy(buf , seed, qsize);
|
||||
- memcpy(buf2, seed, qsize);
|
||||
- /* precompute "SEED + 1" for step 7: */
|
||||
- for (i = qsize-1; i >= 0; i--)
|
||||
- {
|
||||
- buf[i]++;
|
||||
- if (buf[i] != 0)
|
||||
- break;
|
||||
- }
|
||||
|
||||
- /* step 2 */
|
||||
+ /* step 6 U = hash(seed) */
|
||||
EVP_Digest(seed, qsize, md, NULL, evpmd, NULL);
|
||||
- EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL);
|
||||
- for (i = 0; i < qsize; i++)
|
||||
- md[i]^=buf2[i];
|
||||
|
||||
- /* step 3 */
|
||||
+ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
|
||||
md[0] |= 0x80;
|
||||
md[qsize-1] |= 0x01;
|
||||
if (!BN_bin2bn(md, qsize, q))
|
||||
goto err;
|
||||
|
||||
- /* step 4 */
|
||||
+ /* step 8 test for prime (64 round of Rabin-Miller) */
|
||||
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
|
||||
seed_is_random, cb);
|
||||
if (r > 0)
|
||||
@@ -239,27 +240,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
if (r != 0)
|
||||
goto err;
|
||||
|
||||
- /* do a callback call */
|
||||
- /* step 5 */
|
||||
}
|
||||
|
||||
if(!BN_GENCB_call(cb, 2, 0)) goto err;
|
||||
if(!BN_GENCB_call(cb, 3, 0)) goto err;
|
||||
|
||||
- /* step 6 */
|
||||
+ /* step 11 */
|
||||
counter=0;
|
||||
- /* "offset = 2" */
|
||||
-
|
||||
- n=(bits-1)/160;
|
||||
+ /* "offset = 1" */
|
||||
|
||||
for (;;)
|
||||
{
|
||||
if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
|
||||
goto err;
|
||||
|
||||
- /* step 7 */
|
||||
+ /* step 11.1, 11.2 obtain W */
|
||||
BN_zero(W);
|
||||
- /* now 'buf' contains "SEED + offset - 1" */
|
||||
for (k=0; k<=n; k++)
|
||||
{
|
||||
/* obtain "SEED + offset + k" by incrementing: */
|
||||
@@ -272,28 +268,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
|
||||
EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
|
||||
|
||||
- /* step 8 */
|
||||
if (!BN_bin2bn(md, qsize, r0))
|
||||
goto err;
|
||||
- if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
|
||||
+ if (k == n)
|
||||
+ BN_mask_bits(r0,b);
|
||||
+ if (!BN_lshift(r0,r0,qbits*k)) goto err;
|
||||
if (!BN_add(W,W,r0)) goto err;
|
||||
}
|
||||
|
||||
- /* more of step 8 */
|
||||
- if (!BN_mask_bits(W,bits-1)) goto err;
|
||||
+ /* step 11.3 X = W + 2^(L-1) */
|
||||
if (!BN_copy(X,W)) goto err;
|
||||
if (!BN_add(X,X,test)) goto err;
|
||||
|
||||
- /* step 9 */
|
||||
+ /* step 11.4 c = X mod 2*q */
|
||||
if (!BN_lshift1(r0,q)) goto err;
|
||||
if (!BN_mod(c,X,r0,ctx)) goto err;
|
||||
+
|
||||
+ /* step 11.5 p = X - (c - 1) */
|
||||
if (!BN_sub(r0,c,BN_value_one())) goto err;
|
||||
if (!BN_sub(p,X,r0)) goto err;
|
||||
|
||||
- /* step 10 */
|
||||
+ /* step 11.6 */
|
||||
if (BN_cmp(p,test) >= 0)
|
||||
{
|
||||
- /* step 11 */
|
||||
+ /* step 11.7 */
|
||||
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
|
||||
ctx, 1, cb);
|
||||
if (r > 0)
|
||||
@@ -302,12 +300,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
goto err;
|
||||
}
|
||||
|
||||
- /* step 13 */
|
||||
+ /* step 11.9 */
|
||||
counter++;
|
||||
/* "offset = offset + n + 1" */
|
||||
|
||||
- /* step 14 */
|
||||
- if (counter >= 4096) break;
|
||||
+ /* step 12 */
|
||||
+ if (counter >= 4*bits) break;
|
||||
}
|
||||
}
|
||||
end:
|
||||
diff -up openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 openssl-1.0.0c/crypto/dsa/dsa.h
|
||||
--- openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 2011-02-03 21:04:14.000000000 +0100
|
||||
+++ openssl-1.0.0c/crypto/dsa/dsa.h 2011-02-03 21:04:14.000000000 +0100
|
||||
@@ -316,6 +316,7 @@ void ERR_load_DSA_strings(void);
|
||||
#define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
|
||||
#define DSA_R_DECODE_ERROR 104
|
||||
#define DSA_R_INVALID_DIGEST_TYPE 106
|
||||
+#define DSA_R_KEY_SIZE_INVALID 113
|
||||
#define DSA_R_KEY_SIZE_TOO_SMALL 110
|
||||
#define DSA_R_MISSING_PARAMETERS 101
|
||||
#define DSA_R_MODULUS_TOO_LARGE 103
|
||||
diff -up openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsatest.c
|
||||
--- openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 2011-02-03 21:14:07.000000000 +0100
|
||||
+++ openssl-1.0.0c/crypto/dsa/dsatest.c 2011-02-04 08:40:24.000000000 +0100
|
||||
@@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
|
||||
/* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
|
||||
* FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
|
||||
static unsigned char seed[20]={
|
||||
- 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
|
||||
- 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
|
||||
+ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
|
||||
+ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
|
||||
};
|
||||
|
||||
static unsigned char out_p[]={
|
||||
- 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
|
||||
- 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
|
||||
- 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
|
||||
- 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
|
||||
- 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
|
||||
- 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
|
||||
- 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
|
||||
- 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
|
||||
+ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
|
||||
+ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
|
||||
+ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
|
||||
+ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
|
||||
+ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
|
||||
+ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
|
||||
+ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
|
||||
+ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
|
||||
+ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
|
||||
+ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
|
||||
+ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
|
||||
};
|
||||
|
||||
static unsigned char out_q[]={
|
||||
- 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
|
||||
- 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
|
||||
- 0xda,0xce,0x91,0x5f,
|
||||
+ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
|
||||
+ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
|
||||
};
|
||||
|
||||
static unsigned char out_g[]={
|
||||
- 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
|
||||
- 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
|
||||
- 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
|
||||
- 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
|
||||
- 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
|
||||
- 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
|
||||
- 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
|
||||
- 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
|
||||
+ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
|
||||
+ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
|
||||
+ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
|
||||
+ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
|
||||
+ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
|
||||
+ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
|
||||
+ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
|
||||
+ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
|
||||
+ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
|
||||
+ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
|
||||
+ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
|
||||
};
|
||||
|
||||
static const unsigned char str1[]="12345678901234567890";
|
||||
@@ -157,7 +162,7 @@ int main(int argc, char **argv)
|
||||
BIO_printf(bio_err,"test generation of DSA parameters\n");
|
||||
|
||||
BN_GENCB_set(&cb, dsa_cb, bio_err);
|
||||
- if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
|
||||
+ if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
|
||||
seed, 20, &counter, &h, &cb))
|
||||
goto end;
|
||||
|
||||
@@ -170,9 +175,9 @@ int main(int argc, char **argv)
|
||||
BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
|
||||
|
||||
DSA_print(bio_err,dsa,0);
|
||||
- if (counter != 105)
|
||||
+ if (counter != 239)
|
||||
{
|
||||
- BIO_printf(bio_err,"counter should be 105\n");
|
||||
+ BIO_printf(bio_err,"counter should be 239\n");
|
||||
goto end;
|
||||
}
|
||||
if (h != 2)
|
||||
diff -up openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c
|
||||
--- openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 2011-02-03 21:04:14.000000000 +0100
|
||||
+++ openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c 2011-02-04 09:03:03.000000000 +0100
|
||||
@@ -68,44 +68,42 @@
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
-/* seed, out_p, out_q, out_g are taken the NIST test vectors */
|
||||
-
|
||||
static unsigned char seed[20] = {
|
||||
- 0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34,
|
||||
- 0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a
|
||||
- };
|
||||
+ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
|
||||
+ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
|
||||
+ };
|
||||
|
||||
static unsigned char out_p[] = {
|
||||
- 0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57,
|
||||
- 0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b,
|
||||
- 0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43,
|
||||
- 0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69,
|
||||
- 0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12,
|
||||
- 0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47,
|
||||
- 0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4,
|
||||
- 0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8,
|
||||
- 0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef,
|
||||
- 0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8,
|
||||
- 0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef
|
||||
+ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
|
||||
+ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
|
||||
+ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
|
||||
+ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
|
||||
+ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
|
||||
+ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
|
||||
+ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
|
||||
+ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
|
||||
+ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
|
||||
+ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
|
||||
+ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
|
||||
};
|
||||
|
||||
static unsigned char out_q[] = {
|
||||
- 0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c,
|
||||
- 0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3
|
||||
+ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
|
||||
+ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
|
||||
};
|
||||
|
||||
static unsigned char out_g[] = {
|
||||
- 0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb,
|
||||
- 0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e,
|
||||
- 0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63,
|
||||
- 0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35,
|
||||
- 0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf,
|
||||
- 0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a,
|
||||
- 0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed,
|
||||
- 0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf,
|
||||
- 0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2,
|
||||
- 0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36,
|
||||
- 0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec
|
||||
+ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
|
||||
+ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
|
||||
+ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
|
||||
+ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
|
||||
+ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
|
||||
+ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
|
||||
+ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
|
||||
+ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
|
||||
+ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
|
||||
+ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
|
||||
+ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
|
||||
};
|
||||
|
||||
static const unsigned char str1[]="12345678901234567890";
|
||||
@@ -133,7 +131,7 @@ int FIPS_selftest_dsa()
|
||||
goto err;
|
||||
if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL))
|
||||
goto err;
|
||||
- if (counter != 378)
|
||||
+ if (counter != 239)
|
||||
goto err;
|
||||
if (h != 2)
|
||||
goto err;
|
@ -1,25 +0,0 @@
|
||||
diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
|
||||
--- openssl-1.0.0c/apps/pkcs12.c.fips-default 2009-07-27 23:08:45.000000000 +0200
|
||||
+++ openssl-1.0.0c/apps/pkcs12.c 2011-02-04 15:25:38.000000000 +0100
|
||||
@@ -67,6 +67,9 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/pkcs12.h>
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+#include <openssl/fips.h>
|
||||
+#endif
|
||||
|
||||
#define PROG pkcs12_main
|
||||
|
||||
@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
|
||||
|
||||
apps_startup();
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ if (FIPS_mode())
|
||||
+ cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
|
||||
+#endif
|
||||
+
|
||||
enc = EVP_des_ede3_cbc();
|
||||
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
|
||||
|
@ -1,94 +0,0 @@
|
||||
diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
|
||||
--- openssl-1.0.0c/apps/speed.c.spfips 2010-11-18 14:22:26.000000000 +0100
|
||||
+++ openssl-1.0.0c/apps/speed.c 2011-01-24 17:25:32.000000000 +0100
|
||||
@@ -100,6 +100,9 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+#include <openssl/fips.h>
|
||||
+#endif
|
||||
#if !defined(OPENSSL_SYS_MSDOS)
|
||||
#include OPENSSL_UNISTD
|
||||
#endif
|
||||
@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
if (strcmp(*argv,"rsa") == 0)
|
||||
{
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ if (!FIPS_mode())
|
||||
+#endif
|
||||
+ {
|
||||
rsa_doit[R_RSA_512]=1;
|
||||
+ }
|
||||
rsa_doit[R_RSA_1024]=1;
|
||||
rsa_doit[R_RSA_2048]=1;
|
||||
rsa_doit[R_RSA_4096]=1;
|
||||
@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
if (strcmp(*argv,"dsa") == 0)
|
||||
{
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ if (!FIPS_mode())
|
||||
+#endif
|
||||
+ {
|
||||
dsa_doit[R_DSA_512]=1;
|
||||
+ }
|
||||
dsa_doit[R_DSA_1024]=1;
|
||||
dsa_doit[R_DSA_2048]=1;
|
||||
}
|
||||
@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
|
||||
AES_set_encrypt_key(key32,256,&aes_ks3);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_CAMELLIA
|
||||
+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
|
||||
+ {
|
||||
Camellia_set_key(key16,128,&camellia_ks1);
|
||||
Camellia_set_key(ckey24,192,&camellia_ks2);
|
||||
Camellia_set_key(ckey32,256,&camellia_ks3);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_IDEA
|
||||
+ if (doit[D_CBC_IDEA])
|
||||
+ {
|
||||
idea_set_encrypt_key(key16,&idea_ks);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SEED
|
||||
+ if (doit[D_CBC_SEED])
|
||||
+ {
|
||||
SEED_set_key(key16,&seed_ks);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_RC4
|
||||
+ if (doit[D_RC4])
|
||||
+ {
|
||||
RC4_set_key(&rc4_ks,16,key16);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_RC2
|
||||
+ if (doit[D_CBC_RC2])
|
||||
+ {
|
||||
RC2_set_key(&rc2_ks,16,key16,128);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_RC5
|
||||
+ if (doit[D_CBC_RC5])
|
||||
+ {
|
||||
RC5_32_set_key(&rc5_ks,16,key16,12);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_BF
|
||||
+ if (doit[D_CBC_BF])
|
||||
+ {
|
||||
BF_set_key(&bf_ks,16,key16);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_CAST
|
||||
+ if (doit[D_CBC_CAST])
|
||||
+ {
|
||||
CAST_set_key(&cast_ks,16,key16);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
memset(rsa_c,0,sizeof(rsa_c));
|
@ -1,232 +0,0 @@
|
||||
diff -up openssl-1.0.0d/crypto/dsa/dsa_gen.c.cavs openssl-1.0.0d/crypto/dsa/dsa_gen.c
|
||||
--- openssl-1.0.0d/crypto/dsa/dsa_gen.c.cavs 2011-05-23 19:59:56.000000000 +0200
|
||||
+++ openssl-1.0.0d/crypto/dsa/dsa_gen.c 2011-05-23 22:32:45.000000000 +0200
|
||||
@@ -85,6 +85,14 @@
|
||||
#endif
|
||||
#include "dsa_locl.h"
|
||||
|
||||
+#ifndef OPENSSL_FIPS
|
||||
+static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
|
||||
+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
|
||||
+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
|
||||
+static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
|
||||
+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
|
||||
+#endif
|
||||
+
|
||||
int DSA_generate_parameters_ex(DSA *ret, int bits,
|
||||
const unsigned char *seed_in, int seed_len,
|
||||
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
|
||||
@@ -113,22 +121,26 @@ int DSA_generate_parameters_ex(DSA *ret,
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
|
||||
+ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
|
||||
+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
|
||||
+ {
|
||||
+ return dsa_builtin_paramgen(ret, bits, qbits,
|
||||
+ evpmd, seed_in, seed_len,
|
||||
+ counter_ret, h_ret, cb);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
|
||||
const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
|
||||
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
|
||||
{
|
||||
int ok=0;
|
||||
unsigned char seed[SHA256_DIGEST_LENGTH];
|
||||
- unsigned char md[SHA256_DIGEST_LENGTH];
|
||||
- unsigned char buf[SHA256_DIGEST_LENGTH];
|
||||
- BIGNUM *r0,*W,*X,*c,*test;
|
||||
BIGNUM *g=NULL,*q=NULL,*p=NULL;
|
||||
- BN_MONT_CTX *mont=NULL;
|
||||
- int i, k, b, n=0, m=0, qsize = qbits >> 3;
|
||||
- int counter=0;
|
||||
- int r=0;
|
||||
+ size_t qsize = qbits >> 3;
|
||||
BN_CTX *ctx=NULL;
|
||||
- unsigned int h=2;
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
if(FIPS_selftest_failed())
|
||||
@@ -148,6 +160,65 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
goto err;
|
||||
}
|
||||
#endif
|
||||
+ if (seed_len && (seed_len < (size_t)qsize))
|
||||
+ seed_in = NULL; /* seed buffer too small -- ignore */
|
||||
+ if (seed_len > sizeof(seed))
|
||||
+ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
|
||||
+ * but our internal buffers are restricted to 256 bits*/
|
||||
+ if (seed_in != NULL)
|
||||
+ memcpy(seed, seed_in, seed_len);
|
||||
+ else
|
||||
+ seed_len = 0;
|
||||
+
|
||||
+ if ((ctx=BN_CTX_new()) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ BN_CTX_start(ctx);
|
||||
+
|
||||
+ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
|
||||
+ seed, seed_len, &p, &q, counter_ret, cb))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
|
||||
+ goto err;
|
||||
+
|
||||
+ ok=1;
|
||||
+err:
|
||||
+ if (ok)
|
||||
+ {
|
||||
+ if(ret->p) BN_free(ret->p);
|
||||
+ if(ret->q) BN_free(ret->q);
|
||||
+ if(ret->g) BN_free(ret->g);
|
||||
+ ret->p=BN_dup(p);
|
||||
+ ret->q=BN_dup(q);
|
||||
+ ret->g=BN_dup(g);
|
||||
+ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
|
||||
+ ok=0;
|
||||
+ }
|
||||
+ if(ctx)
|
||||
+ {
|
||||
+ BN_CTX_end(ctx);
|
||||
+ BN_CTX_free(ctx);
|
||||
+ }
|
||||
+ return ok;
|
||||
+ }
|
||||
+
|
||||
+#ifndef OPENSSL_FIPS
|
||||
+static
|
||||
+#endif
|
||||
+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
|
||||
+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
|
||||
+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb)
|
||||
+ {
|
||||
+ int ok=0;
|
||||
+ unsigned char md[SHA256_DIGEST_LENGTH];
|
||||
+ unsigned char buf[SHA256_DIGEST_LENGTH];
|
||||
+ BIGNUM *r0,*W,*X,*c,*test;
|
||||
+ BIGNUM *g=NULL,*q=NULL,*p=NULL;
|
||||
+ BN_MONT_CTX *mont=NULL;
|
||||
+ int i, k, b, n=0, m=0, qsize = qbits >> 3;
|
||||
+ int counter=0;
|
||||
+ int r=0;
|
||||
|
||||
if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
|
||||
qsize != SHA256_DIGEST_LENGTH)
|
||||
@@ -169,28 +240,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
|
||||
bits = (bits+63)/64*64;
|
||||
|
||||
- if (seed_len && (seed_len < (size_t)qsize))
|
||||
- seed_in = NULL; /* seed buffer too small -- ignore */
|
||||
- if (seed_len > (size_t)qsize)
|
||||
- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
|
||||
- * but our internal buffers are restricted to 256 bits*/
|
||||
- if (seed_in != NULL)
|
||||
- memcpy(seed, seed_in, seed_len);
|
||||
-
|
||||
- if ((ctx=BN_CTX_new()) == NULL)
|
||||
- goto err;
|
||||
-
|
||||
- if ((mont=BN_MONT_CTX_new()) == NULL)
|
||||
- goto err;
|
||||
-
|
||||
- BN_CTX_start(ctx);
|
||||
r0 = BN_CTX_get(ctx);
|
||||
- g = BN_CTX_get(ctx);
|
||||
W = BN_CTX_get(ctx);
|
||||
- q = BN_CTX_get(ctx);
|
||||
+ *q_ret = q = BN_CTX_get(ctx);
|
||||
X = BN_CTX_get(ctx);
|
||||
c = BN_CTX_get(ctx);
|
||||
- p = BN_CTX_get(ctx);
|
||||
+ *p_ret = p = BN_CTX_get(ctx);
|
||||
test = BN_CTX_get(ctx);
|
||||
|
||||
if (!BN_lshift(test,BN_value_one(),bits-1))
|
||||
@@ -312,7 +367,33 @@ end:
|
||||
if(!BN_GENCB_call(cb, 2, 1))
|
||||
goto err;
|
||||
|
||||
- /* We now need to generate g */
|
||||
+ ok=1;
|
||||
+err:
|
||||
+ if (ok)
|
||||
+ {
|
||||
+ if (counter_ret != NULL) *counter_ret=counter;
|
||||
+ }
|
||||
+ return ok;
|
||||
+ }
|
||||
+
|
||||
+#ifndef OPENSSL_FIPS
|
||||
+static
|
||||
+#endif
|
||||
+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
|
||||
+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
|
||||
+ {
|
||||
+ int ok=0;
|
||||
+ BIGNUM *r0, *test, *g = NULL;
|
||||
+ BN_MONT_CTX *mont;
|
||||
+ unsigned int h=2;
|
||||
+
|
||||
+ if ((mont=BN_MONT_CTX_new()) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ r0 = BN_CTX_get(ctx);
|
||||
+ *g_ret = g = BN_CTX_get(ctx);
|
||||
+ test = BN_CTX_get(ctx);
|
||||
+
|
||||
/* Set r0=(p-1)/q */
|
||||
if (!BN_sub(test,p,BN_value_one())) goto err;
|
||||
if (!BN_div(r0,NULL,test,q,ctx)) goto err;
|
||||
@@ -336,25 +417,8 @@ end:
|
||||
err:
|
||||
if (ok)
|
||||
{
|
||||
- if(ret->p) BN_free(ret->p);
|
||||
- if(ret->q) BN_free(ret->q);
|
||||
- if(ret->g) BN_free(ret->g);
|
||||
- ret->p=BN_dup(p);
|
||||
- ret->q=BN_dup(q);
|
||||
- ret->g=BN_dup(g);
|
||||
- if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
|
||||
- {
|
||||
- ok=0;
|
||||
- goto err;
|
||||
- }
|
||||
- if (counter_ret != NULL) *counter_ret=counter;
|
||||
if (h_ret != NULL) *h_ret=h;
|
||||
}
|
||||
- if(ctx)
|
||||
- {
|
||||
- BN_CTX_end(ctx);
|
||||
- BN_CTX_free(ctx);
|
||||
- }
|
||||
if (mont != NULL) BN_MONT_CTX_free(mont);
|
||||
return ok;
|
||||
}
|
||||
diff -up openssl-1.0.0d/crypto/dsa/dsa.h.cavs openssl-1.0.0d/crypto/dsa/dsa.h
|
||||
--- openssl-1.0.0d/crypto/dsa/dsa.h.cavs 2011-05-23 19:59:56.000000000 +0200
|
||||
+++ openssl-1.0.0d/crypto/dsa/dsa.h 2011-05-23 22:33:33.000000000 +0200
|
||||
@@ -266,6 +266,17 @@ int DSA_print_fp(FILE *bp, const DSA *x,
|
||||
DH *DSA_dup_DH(const DSA *r);
|
||||
#endif
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
|
||||
+ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
|
||||
+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
|
||||
+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
|
||||
+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
|
||||
+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
|
||||
+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
|
||||
+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
|
||||
+#endif
|
||||
+
|
||||
#define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
|
||||
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
|
||||
EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
|
File diff suppressed because it is too large
Load Diff
23
openssl-1.0.0e-doc-noeof.patch
Normal file
23
openssl-1.0.0e-doc-noeof.patch
Normal file
@ -0,0 +1,23 @@
|
||||
diff -up openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof openssl-1.0.0e/doc/apps/s_client.pod
|
||||
--- openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof 2009-06-26 13:28:51.000000000 +0200
|
||||
+++ openssl-1.0.0e/doc/apps/s_client.pod 2011-11-03 08:30:35.000000000 +0100
|
||||
@@ -27,6 +27,7 @@ B<openssl> B<s_client>
|
||||
[B<-nbio>]
|
||||
[B<-crlf>]
|
||||
[B<-ign_eof>]
|
||||
+[B<-no_ign_eof>]
|
||||
[B<-quiet>]
|
||||
[B<-ssl2>]
|
||||
[B<-ssl3>]
|
||||
@@ -161,6 +162,11 @@ by some servers.
|
||||
inhibit shutting down the connection when end of file is reached in the
|
||||
input.
|
||||
|
||||
+=item B<-no_ign_eof>
|
||||
+
|
||||
+shut down the connection when end of file is reached in the
|
||||
+input. Can be used to override the implicit B<-ign_eof> after B<-quiet>.
|
||||
+
|
||||
=item B<-quiet>
|
||||
|
||||
inhibit printing of session and certificate information. This implicitly
|
File diff suppressed because it is too large
Load Diff
@ -1,22 +0,0 @@
|
||||
diff -up openssl-1.0.0g/crypto/opensslv.h.version openssl-1.0.0g/crypto/opensslv.h
|
||||
--- openssl-1.0.0g/crypto/opensslv.h.version 2012-01-19 14:50:50.094028047 +0100
|
||||
+++ openssl-1.0.0g/crypto/opensslv.h 2012-01-19 14:51:48.655529671 +0100
|
||||
@@ -25,7 +25,8 @@
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
-#define OPENSSL_VERSION_NUMBER 0x1000007fL
|
||||
+/* we have to keep the version number to not break the abi */
|
||||
+#define OPENSSL_VERSION_NUMBER 0x10000003
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0g-fips 18 Jan 2012"
|
||||
#else
|
||||
@@ -83,7 +84,7 @@
|
||||
* should only keep the versions that are binary compatible with the current.
|
||||
*/
|
||||
#define SHLIB_VERSION_HISTORY ""
|
||||
-#define SHLIB_VERSION_NUMBER "1.0.0"
|
||||
+#define SHLIB_VERSION_NUMBER "1.0.0g"
|
||||
|
||||
|
||||
#endif /* HEADER_OPENSSLV_H */
|
23
openssl-1.0.1-beta2-dtls1-abi.patch
Normal file
23
openssl-1.0.1-beta2-dtls1-abi.patch
Normal file
@ -0,0 +1,23 @@
|
||||
diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
|
||||
--- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi 2012-02-06 17:07:34.630336118 +0100
|
||||
+++ openssl-1.0.1-beta2/ssl/dtls1.h 2012-02-06 17:10:08.956623707 +0100
|
||||
@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
|
||||
*/
|
||||
record_pqueue buffered_app_data;
|
||||
|
||||
- /* Is set when listening for new connections with dtls1_listen() */
|
||||
- unsigned int listen;
|
||||
-
|
||||
unsigned int mtu; /* max DTLS packet size */
|
||||
|
||||
struct hm_header_st w_msg_hdr;
|
||||
@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
|
||||
unsigned int retransmitting;
|
||||
unsigned int change_cipher_spec_ok;
|
||||
|
||||
+ /* Is set when listening for new connections with dtls1_listen() */
|
||||
+ unsigned int listen;
|
||||
+
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
/* used when SSL_ST_XX_FLUSH is entered */
|
||||
int next_state;
|
21
openssl-1.0.1-beta2-fips-md5-allow.patch
Normal file
21
openssl-1.0.1-beta2-fips-md5-allow.patch
Normal file
@ -0,0 +1,21 @@
|
||||
diff -up openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.1-beta2/crypto/md5/md5_dgst.c
|
||||
--- openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow 2012-02-06 20:09:56.000000000 +0100
|
||||
+++ openssl-1.0.1-beta2/crypto/md5/md5_dgst.c 2012-02-06 20:14:02.332117603 +0100
|
||||
@@ -71,7 +71,16 @@ const char MD5_version[]="MD5" OPENSSL_V
|
||||
#define INIT_DATA_C (unsigned long)0x98badcfeL
|
||||
#define INIT_DATA_D (unsigned long)0x10325476L
|
||||
|
||||
-nonfips_md_init(MD5)
|
||||
+int MD5_Init(MD5_CTX *c)
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ {
|
||||
+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
|
||||
+ OpenSSLDie(__FILE__, __LINE__, \
|
||||
+ "Digest MD5 forbidden in FIPS mode!");
|
||||
+ return private_MD5_Init(c);
|
||||
+ }
|
||||
+int private_MD5_Init(MD5_CTX *c)
|
||||
+#endif
|
||||
{
|
||||
memset (c,0,sizeof(*c));
|
||||
c->A=INIT_DATA_A;
|
21143
openssl-1.0.1-beta2-fips.patch
Normal file
21143
openssl-1.0.1-beta2-fips.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,6 +1,6 @@
|
||||
diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
|
||||
--- openssl-1.0.0b/apps/s_apps.h.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
|
||||
+++ openssl-1.0.0b/apps/s_apps.h 2010-11-16 17:19:29.000000000 +0100
|
||||
diff -up openssl-1.0.1-beta2/apps/s_apps.h.ipv6-apps openssl-1.0.1-beta2/apps/s_apps.h
|
||||
--- openssl-1.0.1-beta2/apps/s_apps.h.ipv6-apps 2012-02-02 12:56:27.216889198 +0100
|
||||
+++ openssl-1.0.1-beta2/apps/s_apps.h 2012-02-02 12:56:27.257889552 +0100
|
||||
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
|
||||
#define PORT_STR "4433"
|
||||
#define PROTOCOL "tcp"
|
||||
@ -23,10 +23,10 @@ diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
|
||||
|
||||
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret);
|
||||
diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
|
||||
--- openssl-1.0.0b/apps/s_client.c.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
|
||||
+++ openssl-1.0.0b/apps/s_client.c 2010-11-16 17:19:29.000000000 +0100
|
||||
@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
|
||||
diff -up openssl-1.0.1-beta2/apps/s_client.c.ipv6-apps openssl-1.0.1-beta2/apps/s_client.c
|
||||
--- openssl-1.0.1-beta2/apps/s_client.c.ipv6-apps 2012-02-02 12:56:27.238889388 +0100
|
||||
+++ openssl-1.0.1-beta2/apps/s_client.c 2012-02-02 12:56:27.258889561 +0100
|
||||
@@ -563,7 +563,7 @@ int MAIN(int argc, char **argv)
|
||||
int cbuf_len,cbuf_off;
|
||||
int sbuf_len,sbuf_off;
|
||||
fd_set readfds,writefds;
|
||||
@ -35,7 +35,7 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
|
||||
int full_log=1;
|
||||
char *host=SSL_HOST_NAME;
|
||||
char *cert_file=NULL,*key_file=NULL;
|
||||
@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
|
||||
@@ -670,13 +670,12 @@ int MAIN(int argc, char **argv)
|
||||
else if (strcmp(*argv,"-port") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
@ -51,7 +51,7 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
|
||||
goto bad;
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
@@ -967,7 +966,7 @@ bad:
|
||||
@@ -1260,7 +1259,7 @@ bad:
|
||||
|
||||
re_start:
|
||||
|
||||
@ -60,10 +60,10 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
|
||||
{
|
||||
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
|
||||
SHUTDOWN(s);
|
||||
diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
|
||||
--- openssl-1.0.0b/apps/s_server.c.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
|
||||
+++ openssl-1.0.0b/apps/s_server.c 2010-11-16 17:19:29.000000000 +0100
|
||||
@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
|
||||
diff -up openssl-1.0.1-beta2/apps/s_server.c.ipv6-apps openssl-1.0.1-beta2/apps/s_server.c
|
||||
--- openssl-1.0.1-beta2/apps/s_server.c.ipv6-apps 2012-02-02 12:56:27.239889397 +0100
|
||||
+++ openssl-1.0.1-beta2/apps/s_server.c 2012-02-02 12:56:27.259889570 +0100
|
||||
@@ -929,7 +929,7 @@ int MAIN(int argc, char *argv[])
|
||||
{
|
||||
X509_VERIFY_PARAM *vpm = NULL;
|
||||
int badarg = 0;
|
||||
@ -72,7 +72,7 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
|
||||
char *CApath=NULL,*CAfile=NULL;
|
||||
unsigned char *context = NULL;
|
||||
char *dhfile = NULL;
|
||||
@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
|
||||
@@ -1010,8 +1010,7 @@ int MAIN(int argc, char *argv[])
|
||||
(strcmp(*argv,"-accept") == 0))
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
@ -82,7 +82,7 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
{
|
||||
@@ -1700,9 +1699,9 @@ bad:
|
||||
@@ -1888,9 +1887,9 @@ bad:
|
||||
BIO_printf(bio_s_out,"ACCEPT\n");
|
||||
(void)BIO_flush(bio_s_out);
|
||||
if (www)
|
||||
@ -94,9 +94,9 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
|
||||
print_stats(bio_s_out,ctx);
|
||||
ret=0;
|
||||
end:
|
||||
diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
--- openssl-1.0.0b/apps/s_socket.c.ipv6-apps 2010-07-05 13:03:22.000000000 +0200
|
||||
+++ openssl-1.0.0b/apps/s_socket.c 2010-11-16 17:27:18.000000000 +0100
|
||||
diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/s_socket.c
|
||||
--- openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps 2011-12-02 15:39:40.000000000 +0100
|
||||
+++ openssl-1.0.1-beta2/apps/s_socket.c 2012-01-19 14:53:30.000000000 +0100
|
||||
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
|
||||
static void ssl_sock_cleanup(void);
|
||||
#endif
|
||||
@ -108,7 +108,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
static int do_accept(int acc_sock, int *sock, char **host);
|
||||
static int host_ip(char *str, unsigned char ip[4]);
|
||||
|
||||
@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
|
||||
@@ -234,57 +232,70 @@ static int ssl_sock_init(void)
|
||||
return(1);
|
||||
}
|
||||
|
||||
@ -117,11 +117,10 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
{
|
||||
- unsigned char ip[4];
|
||||
-
|
||||
- memset(ip, '\0', sizeof ip);
|
||||
- if (!host_ip(host,&(ip[0])))
|
||||
- {
|
||||
- return(0);
|
||||
- }
|
||||
- return(init_client_ip(sock,ip,port,type));
|
||||
- return 0;
|
||||
- return init_client_ip(sock,ip,port,type);
|
||||
- }
|
||||
-
|
||||
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
|
||||
@ -217,7 +216,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
{
|
||||
int sock;
|
||||
char *name = NULL;
|
||||
@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
|
||||
@@ -322,33 +333,45 @@ int do_server(int port, int type, int *r
|
||||
}
|
||||
}
|
||||
|
||||
@ -227,9 +226,8 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
- int ret=0;
|
||||
- struct sockaddr_in server;
|
||||
- int s= -1;
|
||||
+ struct addrinfo *res, *res0, hints;
|
||||
+ struct addrinfo *res, *res0 = NULL, hints;
|
||||
+ char * failed_call = NULL;
|
||||
+ char port_name[8];
|
||||
+ int s;
|
||||
+ int e;
|
||||
|
||||
@ -248,6 +246,8 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
- memcpy(&server.sin_addr,ip,4);
|
||||
-#endif
|
||||
+ memset(&hints, '\0', sizeof(hints));
|
||||
+ hints.ai_family = AF_INET6;
|
||||
+tryipv4:
|
||||
+ hints.ai_socktype = type;
|
||||
+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
|
||||
|
||||
@ -273,11 +273,17 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
+ {
|
||||
+ failed_call = "socket";
|
||||
+ goto nextres;
|
||||
+ }
|
||||
+ if (hints.ai_family == AF_INET6)
|
||||
+ {
|
||||
+ int j = 0;
|
||||
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
||||
+ (void *) &j, sizeof j);
|
||||
+ }
|
||||
#if defined SOL_SOCKET && defined SO_REUSEADDR
|
||||
{
|
||||
int j = 1;
|
||||
@@ -357,35 +372,39 @@ static int init_server_long(int *sock, i
|
||||
@@ -356,35 +379,49 @@ static int init_server_long(int *sock, i
|
||||
(void *) &j, sizeof j);
|
||||
}
|
||||
#endif
|
||||
@ -314,12 +320,21 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
+ close(s);
|
||||
+ res = res->ai_next;
|
||||
}
|
||||
+ freeaddrinfo(res0);
|
||||
+ if (res0)
|
||||
+ freeaddrinfo(res0);
|
||||
|
||||
-static int init_server(int *sock, int port, int type)
|
||||
- {
|
||||
+ if (s == INVALID_SOCKET)
|
||||
{
|
||||
- return(init_server_long(sock, port, NULL, type));
|
||||
+ if (s == INVALID_SOCKET) { perror("socket"); return(0); }
|
||||
+ if (hints.ai_family == AF_INET6)
|
||||
+ {
|
||||
+ hints.ai_family = AF_INET;
|
||||
+ goto tryipv4;
|
||||
+ }
|
||||
+ perror("socket");
|
||||
+ return(0);
|
||||
+ }
|
||||
+
|
||||
+ perror(failed_call);
|
||||
+ return(0);
|
||||
@ -335,7 +350,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
|
||||
int len;
|
||||
/* struct linger ling; */
|
||||
|
||||
@@ -432,135 +451,58 @@ redoit:
|
||||
@@ -431,135 +468,58 @@ redoit:
|
||||
*/
|
||||
|
||||
if (host == NULL) goto end;
|
80
openssl-1.0.1-beta2-no-srp.patch
Normal file
80
openssl-1.0.1-beta2-no-srp.patch
Normal file
@ -0,0 +1,80 @@
|
||||
diff -up openssl-1.0.1-beta2/apps/progs.pl.no-srp openssl-1.0.1-beta2/apps/progs.pl
|
||||
--- openssl-1.0.1-beta2/apps/progs.pl.no-srp 2009-06-30 17:08:38.000000000 +0200
|
||||
+++ openssl-1.0.1-beta2/apps/progs.pl 2012-02-07 01:14:08.979758307 +0100
|
||||
@@ -51,6 +51,8 @@ foreach (@ARGV)
|
||||
{ print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; }
|
||||
elsif ( ($_ =~ /^ocsp$/))
|
||||
{ print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; }
|
||||
+ elsif ( ($_ =~ /^srp$/))
|
||||
+ { print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n"; }
|
||||
else
|
||||
{ print $str; }
|
||||
}
|
||||
diff -up openssl-1.0.1-beta2/apps/s_server.c.no-srp openssl-1.0.1-beta2/apps/s_server.c
|
||||
--- openssl-1.0.1-beta2/apps/s_server.c.no-srp 2012-02-07 01:04:12.000000000 +0100
|
||||
+++ openssl-1.0.1-beta2/apps/s_server.c 2012-02-07 01:13:21.573362310 +0100
|
||||
@@ -2248,6 +2248,7 @@ static int sv_body(char *hostname, int s
|
||||
{ static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
|
||||
#endif
|
||||
k=SSL_write(con,&(buf[l]),(unsigned int)i);
|
||||
+#ifndef OPENSSL_NO_SRP
|
||||
while (SSL_get_error(con,k) == SSL_ERROR_WANT_X509_LOOKUP)
|
||||
{
|
||||
BIO_printf(bio_s_out,"LOOKUP renego during write\n");
|
||||
@@ -2258,6 +2259,7 @@ static int sv_body(char *hostname, int s
|
||||
BIO_printf(bio_s_out,"LOOKUP not successful\n");
|
||||
k=SSL_write(con,&(buf[l]),(unsigned int)i);
|
||||
}
|
||||
+#endif
|
||||
switch (SSL_get_error(con,k))
|
||||
{
|
||||
case SSL_ERROR_NONE:
|
||||
@@ -2305,6 +2307,7 @@ static int sv_body(char *hostname, int s
|
||||
{
|
||||
again:
|
||||
i=SSL_read(con,(char *)buf,bufsize);
|
||||
+#ifndef OPENSSL_NO_SRP
|
||||
while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
|
||||
{
|
||||
BIO_printf(bio_s_out,"LOOKUP renego during read\n");
|
||||
@@ -2315,6 +2318,7 @@ again:
|
||||
BIO_printf(bio_s_out,"LOOKUP not successful\n");
|
||||
i=SSL_read(con,(char *)buf,bufsize);
|
||||
}
|
||||
+#endif
|
||||
switch (SSL_get_error(con,i))
|
||||
{
|
||||
case SSL_ERROR_NONE:
|
||||
@@ -2392,6 +2396,7 @@ static int init_ssl_connection(SSL *con)
|
||||
|
||||
|
||||
i=SSL_accept(con);
|
||||
+#ifndef OPENSSL_NO_SRP
|
||||
while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
|
||||
{
|
||||
BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
|
||||
@@ -2402,6 +2407,7 @@ static int init_ssl_connection(SSL *con)
|
||||
BIO_printf(bio_s_out,"LOOKUP not successful\n");
|
||||
i=SSL_accept(con);
|
||||
}
|
||||
+#endif
|
||||
if (i <= 0)
|
||||
{
|
||||
if (BIO_sock_should_retry(i))
|
||||
@@ -2626,6 +2632,7 @@ static int www_body(char *hostname, int
|
||||
if (hack)
|
||||
{
|
||||
i=SSL_accept(con);
|
||||
+#ifndef OPENSSL_NO_SRP
|
||||
while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
|
||||
{
|
||||
BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
|
||||
@@ -2636,7 +2643,7 @@ static int www_body(char *hostname, int
|
||||
BIO_printf(bio_s_out,"LOOKUP not successful\n");
|
||||
i=SSL_accept(con);
|
||||
}
|
||||
-
|
||||
+#endif
|
||||
switch (SSL_get_error(con,i))
|
||||
{
|
||||
case SSL_ERROR_NONE:
|
@ -1,7 +1,7 @@
|
||||
diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_padlock.c
|
||||
--- openssl-1.0.0d/engines/e_padlock.c.padlock64 2011-01-30 02:05:38.000000000 +0100
|
||||
+++ openssl-1.0.0d/engines/e_padlock.c 2011-04-28 21:03:26.000000000 +0200
|
||||
@@ -101,10 +101,15 @@
|
||||
diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
|
||||
--- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 2011-06-21 18:42:15.000000000 +0200
|
||||
+++ openssl-1.0.1-beta2/engines/e_padlock.c 2012-02-06 20:18:52.039537799 +0100
|
||||
@@ -101,7 +101,10 @@
|
||||
compiler choice is limited to GCC and Microsoft C. */
|
||||
#undef COMPILE_HW_PADLOCK
|
||||
#if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
|
||||
@ -12,13 +12,8 @@ diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_p
|
||||
+ ) || \
|
||||
(defined(_MSC_VER) && defined(_M_IX86))
|
||||
# define COMPILE_HW_PADLOCK
|
||||
+# ifdef OPENSSL_NO_DYNAMIC_ENGINE
|
||||
static ENGINE *ENGINE_padlock (void);
|
||||
+# endif
|
||||
# endif
|
||||
#endif
|
||||
|
||||
@@ -135,7 +140,7 @@ void ENGINE_load_padlock (void)
|
||||
@@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
|
||||
# endif
|
||||
#elif defined(__GNUC__)
|
||||
# ifndef alloca
|
||||
@ -27,23 +22,7 @@ diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_p
|
||||
# endif
|
||||
#endif
|
||||
|
||||
@@ -197,6 +202,7 @@ padlock_bind_helper(ENGINE *e)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
|
||||
/* Constructor */
|
||||
static ENGINE *
|
||||
ENGINE_padlock(void)
|
||||
@@ -214,6 +220,7 @@ ENGINE_padlock(void)
|
||||
|
||||
return eng;
|
||||
}
|
||||
+#endif
|
||||
|
||||
/* Check availability of the engine */
|
||||
static int
|
||||
@@ -298,6 +305,7 @@ static volatile struct padlock_cipher_da
|
||||
@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
|
||||
* =======================================================
|
||||
*/
|
||||
#if defined(__GNUC__) && __GNUC__>=2
|
||||
@ -51,7 +30,7 @@ diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_p
|
||||
/*
|
||||
* As for excessive "push %ebx"/"pop %ebx" found all over.
|
||||
* When generating position-independent code GCC won't let
|
||||
@@ -377,21 +385,6 @@ padlock_available(void)
|
||||
@@ -383,21 +387,6 @@ padlock_available(void)
|
||||
return padlock_use_ace + padlock_use_rng;
|
||||
}
|
||||
|
||||
@ -73,7 +52,7 @@ diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_p
|
||||
/* Force key reload from memory to the CPU microcode.
|
||||
Loading EFLAGS from the stack clears EFLAGS[30]
|
||||
which does the trick. */
|
||||
@@ -449,12 +442,127 @@ static inline void *name(size_t cnt, \
|
||||
@@ -455,12 +444,127 @@ static inline void *name(size_t cnt, \
|
||||
: "edx", "cc", "memory"); \
|
||||
return iv; \
|
||||
}
|
||||
@ -88,7 +67,7 @@ diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_p
|
||||
+{
|
||||
+ char vendor_string[16];
|
||||
+ unsigned int eax, edx;
|
||||
+
|
||||
|
||||
+ /* Are we running on the Centaur (VIA) CPU? */
|
||||
+ eax = 0x00000000;
|
||||
+ vendor_string[12] = 0;
|
||||
@ -119,7 +98,7 @@ diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_p
|
||||
+
|
||||
+ return padlock_use_ace + padlock_use_rng;
|
||||
+}
|
||||
|
||||
+
|
||||
+/* Force key reload from memory to the CPU microcode.
|
||||
+ Loading EFLAGS from the stack clears EFLAGS[30]
|
||||
+ which does the trick. */
|
||||
@ -201,7 +180,7 @@ diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_p
|
||||
#endif
|
||||
|
||||
/* The RNG call itself */
|
||||
@@ -485,8 +593,8 @@ padlock_xstore(void *addr, unsigned int
|
||||
@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
|
||||
static inline unsigned char *
|
||||
padlock_memcpy(void *dst,const void *src,size_t n)
|
||||
{
|
@ -1,7 +1,7 @@
|
||||
diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
|
||||
--- openssl-1.0.0-beta4/Configure.redhat 2009-11-09 15:11:13.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:15:27.000000000 +0100
|
||||
@@ -336,32 +336,32 @@ my %table=(
|
||||
diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
|
||||
--- openssl-1.0.1-beta2/Configure.rpmbuild 2012-01-05 01:07:34.000000000 +0100
|
||||
+++ openssl-1.0.1-beta2/Configure 2012-02-02 12:43:56.547409325 +0100
|
||||
@@ -343,23 +343,23 @@ my %table=(
|
||||
####
|
||||
# *-generic* is endian-neutral target, but ./config is free to
|
||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
||||
@ -27,10 +27,19 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
|
||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
-"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
#### So called "highgprs" target for z/Architecture CPUs
|
||||
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
|
||||
# /proc/cpuinfo. The idea is to preserve most significant bits of
|
||||
@@ -373,16 +373,16 @@ my %table=(
|
||||
# ldconfig and run-time linker to autodiscover. Unfortunately it
|
||||
# doesn't work just yet, because of couple of bugs in glibc
|
||||
# sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
|
||||
-"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
|
||||
+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
|
||||
#### SPARC Linux setups
|
||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||
# assisted with debugging of following two configs.
|
||||
@ -46,7 +55,7 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
|
||||
#### Alpha Linux with GNU C and Compaq C setups
|
||||
# Special notes:
|
||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||
@@ -375,8 +375,8 @@ my %table=(
|
||||
@@ -396,8 +396,8 @@ my %table=(
|
||||
#
|
||||
# <appro@fy.chalmers.se>
|
||||
#
|
||||
@ -57,3 +66,44 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
|
||||
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
||||
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
||||
|
||||
@@ -1678,7 +1678,7 @@ while (<IN>)
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
||||
{
|
||||
my $sotmp = $1;
|
||||
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
|
||||
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
|
||||
}
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
||||
{
|
||||
diff -up openssl-1.0.1-beta2/Makefile.org.rpmbuild openssl-1.0.1-beta2/Makefile.org
|
||||
--- openssl-1.0.1-beta2/Makefile.org.rpmbuild 2011-12-27 16:17:50.000000000 +0100
|
||||
+++ openssl-1.0.1-beta2/Makefile.org 2012-02-02 12:30:23.652495435 +0100
|
||||
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
||||
SHLIB_MAJOR=
|
||||
SHLIB_MINOR=
|
||||
SHLIB_EXT=
|
||||
+SHLIB_SONAMEVER=10
|
||||
PLATFORM=dist
|
||||
OPTIONS=
|
||||
CONFIGURE_ARGS=
|
||||
@@ -333,10 +334,9 @@ clean-shared:
|
||||
link-shared:
|
||||
@ set -e; for i in $(SHLIBDIRS); do \
|
||||
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
||||
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
||||
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
||||
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
||||
symlink.$(SHLIB_TARGET); \
|
||||
- libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
build-shared: do_$(SHLIB_TARGET) link-shared
|
||||
@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
||||
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
||||
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
||||
LIBDEPS="$$libs $(EX_LIBS)" \
|
||||
link_a.$(SHLIB_TARGET); \
|
@ -1,7 +1,7 @@
|
||||
diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
|
||||
--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100
|
||||
@@ -513,7 +513,7 @@ typedef struct ssl_session_st
|
||||
diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h
|
||||
--- openssl-1.0.1-beta2/ssl/ssl.h.op-all 2012-02-02 12:49:00.828035916 +0100
|
||||
+++ openssl-1.0.1-beta2/ssl/ssl.h 2012-02-02 12:52:27.297818182 +0100
|
||||
@@ -540,7 +540,7 @@ struct ssl_session_st
|
||||
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
|
||||
/* Allow initial connection to servers that don't support RI */
|
||||
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
|
||||
@ -10,12 +10,12 @@ diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl
|
||||
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
|
||||
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
|
||||
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
|
||||
@@ -530,7 +530,7 @@ typedef struct ssl_session_st
|
||||
@@ -558,7 +558,7 @@ struct ssl_session_st
|
||||
|
||||
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
|
||||
* This used to be 0x000FFFFFL before 0.9.7. */
|
||||
-#define SSL_OP_ALL 0x80000FFFL
|
||||
+#define SSL_OP_ALL 0x80000FF7L
|
||||
-#define SSL_OP_ALL 0x80000BFFL
|
||||
+#define SSL_OP_ALL 0x80000FF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
|
||||
|
||||
/* DTLS options */
|
||||
#define SSL_OP_NO_QUERY_MTU 0x00001000L
|
21
openssl-1.0.1-beta2-version.patch
Normal file
21
openssl-1.0.1-beta2-version.patch
Normal file
@ -0,0 +1,21 @@
|
||||
diff -up openssl-1.0.1-beta2/crypto/opensslv.h.version openssl-1.0.1-beta2/crypto/opensslv.h
|
||||
--- openssl-1.0.1-beta2/crypto/opensslv.h.version 2012-02-06 17:16:55.529944485 +0100
|
||||
+++ openssl-1.0.1-beta2/crypto/opensslv.h 2012-02-06 17:16:53.161924733 +0100
|
||||
@@ -25,7 +25,7 @@
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
-#define OPENSSL_VERSION_NUMBER 0x10001002L
|
||||
+#define OPENSSL_VERSION_NUMBER 0x10000003L
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1-fips-beta2 19 Jan 2012"
|
||||
#else
|
||||
@@ -83,7 +83,7 @@
|
||||
* should only keep the versions that are binary compatible with the current.
|
||||
*/
|
||||
#define SHLIB_VERSION_HISTORY ""
|
||||
-#define SHLIB_VERSION_NUMBER "1.0.0"
|
||||
+#define SHLIB_VERSION_NUMBER "1.0.1"
|
||||
|
||||
|
||||
#endif /* HEADER_OPENSSLV_H */
|
79
openssl.spec
79
openssl.spec
@ -20,12 +20,12 @@
|
||||
|
||||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.0g
|
||||
Release: 1%{?dist}
|
||||
Version: 1.0.1
|
||||
Release: 0.1.beta2%{?dist}
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
|
||||
Source: openssl-%{version}-usa.tar.xz
|
||||
Source: openssl-%{version}-beta2-usa.tar.xz
|
||||
Source1: hobble-openssl
|
||||
Source2: Makefile.certificate
|
||||
Source6: make-dummy-cert
|
||||
@ -34,9 +34,8 @@ Source9: opensslconf-new.h
|
||||
Source10: opensslconf-new-warning.h
|
||||
Source11: README.FIPS
|
||||
# Build changes
|
||||
Patch0: openssl-1.0.0-beta4-redhat.patch
|
||||
Patch1: openssl-1.0.0f-defaults.patch
|
||||
Patch3: openssl-1.0.0-beta3-soversion.patch
|
||||
Patch1: openssl-1.0.1-beta2-rpmbuild.patch
|
||||
Patch2: openssl-1.0.0f-defaults.patch
|
||||
Patch4: openssl-1.0.0-beta5-enginesdir.patch
|
||||
Patch5: openssl-0.9.8a-no-rpath.patch
|
||||
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
||||
@ -44,42 +43,29 @@ Patch7: openssl-1.0.0-timezone.patch
|
||||
# Bug fixes
|
||||
Patch23: openssl-1.0.0-beta4-default-paths.patch
|
||||
Patch24: openssl-0.9.8j-bad-mime.patch
|
||||
Patch25: openssl-1.0.0a-manfix.patch
|
||||
Patch26: openssl-1.0.0a-load-certs.patch
|
||||
# Functionality changes
|
||||
Patch32: openssl-0.9.8g-ia64.patch
|
||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||
Patch34: openssl-0.9.6-x509.patch
|
||||
Patch35: openssl-0.9.8j-version-add-engines.patch
|
||||
Patch38: openssl-1.0.0-beta5-cipher-change.patch
|
||||
Patch39: openssl-1.0.0b-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.0f-fips.patch
|
||||
Patch41: openssl-1.0.0-beta3-fipscheck.patch
|
||||
Patch43: openssl-1.0.0a-fipsmode.patch
|
||||
Patch44: openssl-1.0.0-beta3-fipsrng.patch
|
||||
Patch36: openssl-1.0.0e-doc-noeof.patch
|
||||
Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
|
||||
Patch39: openssl-1.0.1-beta2-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.1-beta2-fips.patch
|
||||
Patch42: openssl-1.0.1-beta2-no-srp.patch
|
||||
Patch45: openssl-0.9.8j-env-nozlib.patch
|
||||
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
||||
Patch49: openssl-1.0.0-beta4-algo-doc.patch
|
||||
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
|
||||
Patch51: openssl-1.0.0g-version.patch
|
||||
Patch52: openssl-1.0.0b-aesni.patch
|
||||
Patch53: openssl-1.0.0-name-hash.patch
|
||||
Patch54: openssl-1.0.0c-speed-fips.patch
|
||||
Patch55: openssl-1.0.0c-apps-ipv6listen.patch
|
||||
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
|
||||
Patch51: openssl-1.0.1-beta2-version.patch
|
||||
Patch56: openssl-1.0.0c-rsa-x931.patch
|
||||
Patch57: openssl-1.0.0c-fips186-3.patch
|
||||
Patch58: openssl-1.0.0c-fips-md5-allow.patch
|
||||
Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
|
||||
Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
|
||||
Patch60: openssl-1.0.0d-apps-dgst.patch
|
||||
Patch61: openssl-1.0.0d-cavs.patch
|
||||
Patch62: openssl-1.0.0-fips-aesni.patch
|
||||
Patch63: openssl-1.0.0d-xmpp-starttls.patch
|
||||
Patch64: openssl-1.0.0d-intelopts.patch
|
||||
Patch65: openssl-1.0.0e-chil-fixes.patch
|
||||
Patch66: openssl-1.0.0-sha2test.patch
|
||||
Patch67: openssl-1.0.0e-pkgconfig-private.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch81: openssl-1.0.0d-padlock64.patch
|
||||
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -129,14 +115,13 @@ package provides Perl scripts for converting certificates and keys
|
||||
from other formats to the formats used by the OpenSSL toolkit.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%setup -q -n %{name}-%{version}-beta2
|
||||
|
||||
# The hobble_openssl is called here redundantly, just to be sure.
|
||||
# The tarball has already the sources removed.
|
||||
%{SOURCE1} > /dev/null
|
||||
%patch0 -p1 -b .redhat
|
||||
%patch1 -p1 -b .defaults
|
||||
%patch3 -p1 -b .soversion
|
||||
%patch1 -p1 -b .rpmbuild
|
||||
%patch2 -p1 -b .defaults
|
||||
%patch4 -p1 -b .enginesdir %{?_rawbuild}
|
||||
%patch5 -p1 -b .no-rpath
|
||||
%patch6 -p1 -b .use-localhost
|
||||
@ -144,43 +129,29 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||
|
||||
%patch23 -p1 -b .default-paths
|
||||
%patch24 -p1 -b .bad-mime
|
||||
%patch25 -p1 -b .manfix
|
||||
%patch26 -p1 -b .load-certs
|
||||
|
||||
%patch32 -p1 -b .ia64
|
||||
%patch33 -p1 -b .ca-dir
|
||||
%patch34 -p1 -b .x509
|
||||
%patch35 -p1 -b .version-add-engines
|
||||
%patch38 -p1 -b .cipher-change
|
||||
%patch36 -p1 -b .doc-noeof
|
||||
%patch38 -p1 -b .op-all
|
||||
%patch39 -p1 -b .ipv6-apps
|
||||
%patch40 -p1 -b .fips
|
||||
%patch41 -p1 -b .fipscheck
|
||||
%patch43 -p1 -b .fipsmode
|
||||
%patch44 -p1 -b .fipsrng
|
||||
%patch42 -p1 -b .no-srp
|
||||
%patch45 -p1 -b .env-nozlib
|
||||
%patch47 -p1 -b .warning
|
||||
%patch49 -p1 -b .algo-doc
|
||||
%patch50 -p1 -b .dtls1-abi
|
||||
%patch51 -p1 -b .version
|
||||
%patch52 -p1 -b .aesni
|
||||
%patch53 -p1 -b .name-hash
|
||||
%patch54 -p1 -b .spfips
|
||||
%patch55 -p1 -b .ipv6listen
|
||||
%patch56 -p1 -b .x931
|
||||
%patch57 -p1 -b .fips186-3
|
||||
%patch58 -p1 -b .md5-allow
|
||||
%patch59 -p1 -b .fips-default
|
||||
%patch60 -p1 -b .dgst
|
||||
%patch61 -p1 -b .cavs
|
||||
%patch62 -p1 -b .fips-aesni
|
||||
%patch63 -p1 -b .starttls
|
||||
%patch64 -p1 -b .intelopts
|
||||
%patch65 -p1 -b .chil
|
||||
%patch66 -p1 -b .sha2test
|
||||
%patch67 -p1 -b .private
|
||||
|
||||
%patch81 -p1 -b .padlock64
|
||||
|
||||
# Modify the various perl scripts to reference perl in the right location.
|
||||
perl util/perlpath.pl `dirname %{__perl}`
|
||||
|
||||
@ -225,7 +196,7 @@ sslarch=linux-generic32
|
||||
./Configure \
|
||||
--prefix=/usr --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
||||
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
|
||||
enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \
|
||||
enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa no-srp \
|
||||
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
|
||||
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
|
||||
|
||||
@ -266,9 +237,9 @@ make -C test apps tests
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
%{__arch_install_post} \
|
||||
%{__os_install_post} \
|
||||
crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
|
||||
crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
|
||||
ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
|
||||
crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
|
||||
crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
|
||||
ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
|
||||
%{nil}
|
||||
|
||||
@ -429,6 +400,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Tue Feb 7 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-0.1.beta2
|
||||
- new upstream release from the 1.0.1 branch, ABI compatible
|
||||
- add documentation for the -no_ign_eof option
|
||||
|
||||
* Thu Jan 19 2012 Tomas Mraz <tmraz@redhat.com> 1.0.0g-1
|
||||
- new upstream release fixing CVE-2012-0050 - DoS regression in
|
||||
DTLS support introduced by the previous release (#782795)
|
||||
|
Loading…
Reference in New Issue
Block a user