- update to final 1.0.0 upstream release
This commit is contained in:
Tomáš Mráz
parent
e8799f082e
commit
b825afeee6
|
|
@ -1 +1 @@
|
|||
openssl-1.0.0-beta4-usa.tar.bz2
|
||||
openssl-1.0.0-usa.tar.bz2
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -1,45 +0,0 @@
|
|||
diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
|
||||
--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100
|
||||
@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
|
||||
}
|
||||
else ret= *a;
|
||||
|
||||
- ret->save_type=type;
|
||||
- ret->type=EVP_PKEY_type(type);
|
||||
- switch (ret->type)
|
||||
+ if (!EVP_PKEY_set_type(ret, type))
|
||||
+ {
|
||||
+ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ switch (EVP_PKEY_id(ret))
|
||||
{
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
case EVP_PKEY_RSA:
|
||||
diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
|
||||
--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100
|
||||
@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
/* If we have an ENGINE release it */
|
||||
if (pkey->engine)
|
||||
+ {
|
||||
ENGINE_finish(pkey->engine);
|
||||
+ pkey->engine = NULL;
|
||||
+ }
|
||||
#endif
|
||||
}
|
||||
if (str)
|
||||
diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100
|
||||
@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm,
|
||||
offset= -offset;
|
||||
}
|
||||
atm.type=ctm->type;
|
||||
+ atm.flags = 0;
|
||||
atm.length=sizeof(buff2);
|
||||
atm.data=(unsigned char *)buff2;
|
||||
|
||||
|
|
@ -1,56 +0,0 @@
|
|||
diff -up openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl
|
||||
--- openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl 2009-11-12 17:26:08.000000000 +0100
|
||||
@@ -19,6 +19,7 @@ my $code;
|
||||
sub round1_step
|
||||
{
|
||||
my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
|
||||
+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
|
||||
$code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1);
|
||||
$code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
|
||||
$code .= <<EOF;
|
||||
@@ -43,6 +44,7 @@ EOF
|
||||
sub round2_step
|
||||
{
|
||||
my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
|
||||
+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
|
||||
$code .= " mov 1*4(%rsi), %r10d /* (NEXT STEP) X[1] */\n" if ($pos == -1);
|
||||
$code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
|
||||
$code .= " mov %edx, %r12d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
|
||||
@@ -69,6 +71,7 @@ EOF
|
||||
sub round3_step
|
||||
{
|
||||
my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
|
||||
+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
|
||||
$code .= " mov 5*4(%rsi), %r10d /* (NEXT STEP) X[5] */\n" if ($pos == -1);
|
||||
$code .= " mov %ecx, %r11d /* (NEXT STEP) y' = %ecx */\n" if ($pos == -1);
|
||||
$code .= <<EOF;
|
||||
@@ -91,6 +94,7 @@ EOF
|
||||
sub round4_step
|
||||
{
|
||||
my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
|
||||
+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
|
||||
$code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1);
|
||||
$code .= " mov \$0xffffffff, %r11d\n" if ($pos == -1);
|
||||
$code .= " xor %edx, %r11d /* (NEXT STEP) not z' = not %edx*/\n"
|
||||
diff -up openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl
|
||||
--- openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl 2009-11-12 17:24:18.000000000 +0100
|
||||
@@ -150,7 +150,7 @@ ___
|
||||
sub BODY_20_39 {
|
||||
my ($i,$a,$b,$c,$d,$e,$f)=@_;
|
||||
my $j=$i+1;
|
||||
-my $K=($i<40)?0x6ed9eba1:0xca62c1d6;
|
||||
+my $K=($i<40)?0x6ed9eba1:-0x359d3e2a;
|
||||
$code.=<<___ if ($i<79);
|
||||
lea $K($xi,$e),$f
|
||||
mov `4*($j%16)`(%rsp),$xi
|
||||
@@ -187,7 +187,7 @@ sub BODY_40_59 {
|
||||
my ($i,$a,$b,$c,$d,$e,$f)=@_;
|
||||
my $j=$i+1;
|
||||
$code.=<<___;
|
||||
- lea 0x8f1bbcdc($xi,$e),$f
|
||||
+ lea -0x70e44324($xi,$e),$f
|
||||
mov `4*($j%16)`(%rsp),$xi
|
||||
mov $b,$t0
|
||||
mov $b,$t1
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
Do not enforce the renegotiation extension on the client - too many broken servers remain.
|
||||
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
|
||||
--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg 2009-11-12 15:17:29.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-18 14:04:19.000000000 +0100
|
||||
@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
|
||||
if (data >= (d+n-2))
|
||||
{
|
||||
+#if 0
|
||||
/* Because the client does not see any renegotiation during an
|
||||
attack, we must enforce this on all server hellos, even the
|
||||
first */
|
||||
@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
return 0;
|
||||
}
|
||||
+#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#if 0
|
||||
if (!renegotiate_seen
|
||||
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
{
|
||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
return 0;
|
||||
}
|
||||
+#endif
|
||||
|
||||
if (!s->hit && tlsext_servername == 1)
|
||||
{
|
||||
|
|
@ -1,219 +0,0 @@
|
|||
diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c
|
||||
--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 2009-11-09 15:09:53.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2009-11-23 08:50:45.000000000 +0100
|
||||
@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr)
|
||||
if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
|
||||
{
|
||||
OPENSSL_assert(sa.len.s<=sizeof(sa.from));
|
||||
- sa.len.i = (unsigned int)sa.len.s;
|
||||
+ sa.len.i = (int)sa.len.s;
|
||||
+ /* use sa.len.i from this point */
|
||||
}
|
||||
if (ret == INVALID_SOCKET)
|
||||
{
|
||||
diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c
|
||||
--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 2009-10-15 19:41:44.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2009-11-23 08:50:45.000000000 +0100
|
||||
@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp=
|
||||
|
||||
typedef struct bio_dgram_data_st
|
||||
{
|
||||
+ union {
|
||||
+ struct sockaddr sa;
|
||||
+ struct sockaddr_in sa_in;
|
||||
#if OPENSSL_USE_IPV6
|
||||
- struct sockaddr_storage peer;
|
||||
-#else
|
||||
- struct sockaddr_in peer;
|
||||
+ struct sockaddr_in6 sa_in6;
|
||||
#endif
|
||||
+ } peer;
|
||||
unsigned int connected;
|
||||
unsigned int _errno;
|
||||
unsigned int mtu;
|
||||
@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out,
|
||||
int ret=0;
|
||||
bio_dgram_data *data = (bio_dgram_data *)b->ptr;
|
||||
|
||||
+ struct {
|
||||
+ /*
|
||||
+ * See commentary in b_sock.c. <appro>
|
||||
+ */
|
||||
+ union { size_t s; int i; } len;
|
||||
+ union {
|
||||
+ struct sockaddr sa;
|
||||
+ struct sockaddr_in sa_in;
|
||||
#if OPENSSL_USE_IPV6
|
||||
- struct sockaddr_storage peer;
|
||||
-#else
|
||||
- struct sockaddr_in peer;
|
||||
+ struct sockaddr_in6 sa_in6;
|
||||
#endif
|
||||
- int peerlen = sizeof(peer);
|
||||
+ } peer;
|
||||
+ } sa;
|
||||
+
|
||||
+ sa.len.s=0;
|
||||
+ sa.len.i=sizeof(sa.peer);
|
||||
|
||||
if (out != NULL)
|
||||
{
|
||||
clear_socket_error();
|
||||
- memset(&peer, 0x00, peerlen);
|
||||
- /* Last arg in recvfrom is signed on some platforms and
|
||||
- * unsigned on others. It is of type socklen_t on some
|
||||
- * but this is not universal. Cast to (void *) to avoid
|
||||
- * compiler warnings.
|
||||
- */
|
||||
+ memset(&sa.peer, 0x00, sizeof(sa.peer));
|
||||
dgram_adjust_rcv_timeout(b);
|
||||
- ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen);
|
||||
+ ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len);
|
||||
+ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
|
||||
+ {
|
||||
+ OPENSSL_assert(sa.len.s<=sizeof(sa.peer));
|
||||
+ sa.len.i = (int)sa.len.s;
|
||||
+ }
|
||||
dgram_reset_rcv_timeout(b);
|
||||
|
||||
if ( ! data->connected && ret >= 0)
|
||||
- BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
|
||||
+ BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
|
||||
|
||||
BIO_clear_retry_flags(b);
|
||||
if (ret < 0)
|
||||
@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha
|
||||
if ( data->connected )
|
||||
ret=writesocket(b->num,in,inl);
|
||||
else
|
||||
-#if OPENSSL_USE_IPV6
|
||||
- if (data->peer.ss_family == AF_INET)
|
||||
#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
|
||||
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
|
||||
+ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer));
|
||||
#else
|
||||
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
|
||||
-#endif
|
||||
- else
|
||||
-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
|
||||
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
|
||||
-#else
|
||||
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
|
||||
-#endif
|
||||
-#else
|
||||
-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
|
||||
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
|
||||
-#else
|
||||
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
|
||||
-#endif
|
||||
+ ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer));
|
||||
#endif
|
||||
|
||||
BIO_clear_retry_flags(b);
|
||||
@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd,
|
||||
else
|
||||
{
|
||||
#endif
|
||||
+ switch (to->sa_family)
|
||||
+ {
|
||||
+ case AF_INET:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
||||
+ break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
|
||||
-#else
|
||||
- memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
|
||||
-#endif
|
||||
+ case AF_INET6:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
||||
+ break;
|
||||
+#endif
|
||||
+ default:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
|
||||
+ break;
|
||||
+ }
|
||||
#if 0
|
||||
}
|
||||
#endif
|
||||
@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd,
|
||||
if ( to != NULL)
|
||||
{
|
||||
data->connected = 1;
|
||||
+ switch (to->sa_family)
|
||||
+ {
|
||||
+ case AF_INET:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
||||
+ break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
|
||||
-#else
|
||||
- memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
|
||||
-#endif
|
||||
+ case AF_INET6:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
||||
+ break;
|
||||
+#endif
|
||||
+ default:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
else
|
||||
{
|
||||
data->connected = 0;
|
||||
-#if OPENSSL_USE_IPV6
|
||||
- memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage));
|
||||
-#else
|
||||
- memset(&(data->peer), 0x00, sizeof(struct sockaddr_in));
|
||||
-#endif
|
||||
+ memset(&(data->peer), 0x00, sizeof(data->peer));
|
||||
}
|
||||
break;
|
||||
case BIO_CTRL_DGRAM_GET_PEER:
|
||||
to = (struct sockaddr *) ptr;
|
||||
-
|
||||
+ switch (to->sa_family)
|
||||
+ {
|
||||
+ case AF_INET:
|
||||
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in)));
|
||||
+ break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
- memcpy(to, &(data->peer), sizeof(struct sockaddr_storage));
|
||||
- ret = sizeof(struct sockaddr_storage);
|
||||
-#else
|
||||
- memcpy(to, &(data->peer), sizeof(struct sockaddr_in));
|
||||
- ret = sizeof(struct sockaddr_in);
|
||||
-#endif
|
||||
+ case AF_INET6:
|
||||
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6)));
|
||||
+ break;
|
||||
+#endif
|
||||
+ default:
|
||||
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa)));
|
||||
+ break;
|
||||
+ }
|
||||
break;
|
||||
case BIO_CTRL_DGRAM_SET_PEER:
|
||||
to = (struct sockaddr *) ptr;
|
||||
-
|
||||
+ switch (to->sa_family)
|
||||
+ {
|
||||
+ case AF_INET:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
||||
+ break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
- memcpy(&(data->peer), to, sizeof(struct sockaddr_storage));
|
||||
-#else
|
||||
- memcpy(&(data->peer), to, sizeof(struct sockaddr_in));
|
||||
-#endif
|
||||
+ case AF_INET6:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
||||
+ break;
|
||||
+#endif
|
||||
+ default:
|
||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
|
||||
+ break;
|
||||
+ }
|
||||
break;
|
||||
case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
|
||||
memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));
|
||||
|
|
@ -22,7 +22,7 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
|
|||
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):\$(SHLIB_SONAMEVER)",
|
||||
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
|
|
|
|||
|
|
@ -1,93 +0,0 @@
|
|||
Better error reporting for unsafe renegotiation.
|
||||
diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
|
||||
--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100
|
||||
@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
||||
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
|
||||
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
|
||||
{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
|
||||
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
|
||||
{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
|
||||
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
|
||||
{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
|
||||
{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
|
||||
{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
|
||||
@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
|
||||
{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
|
||||
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
|
||||
{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
|
||||
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
|
||||
{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
|
||||
{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
|
||||
{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
|
||||
diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
|
||||
--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100
|
||||
@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
|
||||
#define SSL_F_SSL_NEW 186
|
||||
#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
|
||||
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
|
||||
#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
|
||||
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
|
||||
#define SSL_F_SSL_PEEK 270
|
||||
#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
|
||||
#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
|
||||
@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
|
||||
#define SSL_R_UNKNOWN_SSL_VERSION 254
|
||||
#define SSL_R_UNKNOWN_STATE 255
|
||||
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
|
||||
#define SSL_R_UNSUPPORTED_CIPHER 256
|
||||
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
|
||||
#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
|
||||
diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
|
||||
--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100
|
||||
@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
|
||||
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
|
||||
goto err;
|
||||
#else
|
||||
+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
+ {
|
||||
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||
+ goto err;
|
||||
+ }
|
||||
/* we are talking sslv2 */
|
||||
/* we need to clean up the SSLv3/TLSv1 setup and put in the
|
||||
* sslv2 stuff. */
|
||||
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
|
||||
--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100
|
||||
@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||
{
|
||||
/* We should always see one extension: the renegotiate extension */
|
||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||
if (s->new_session && !renegotiate_seen
|
||||
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
{
|
||||
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
return 0;
|
||||
}
|
||||
@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
{
|
||||
/* We should always see one extension: the renegotiate extension */
|
||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
{
|
||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
|
@ -1,237 +0,0 @@
|
|||
diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c
|
||||
--- openssl-1.0.0-beta4/apps/s_cb.c.reneg 2009-10-15 20:48:47.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/apps/s_cb.c 2009-11-12 15:02:30.000000000 +0100
|
||||
@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c
|
||||
extname = "server ticket";
|
||||
break;
|
||||
|
||||
+ case TLSEXT_TYPE_renegotiate:
|
||||
+ extname = "renegotiate";
|
||||
+ break;
|
||||
+
|
||||
#ifdef TLSEXT_TYPE_opaque_prf_input
|
||||
case TLSEXT_TYPE_opaque_prf_input:
|
||||
extname = "opaque PRF input";
|
||||
diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c
|
||||
--- openssl-1.0.0-beta4/apps/s_client.c.reneg 2009-11-12 14:57:48.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 15:01:48.000000000 +0100
|
||||
@@ -343,6 +343,7 @@ static void sc_usage(void)
|
||||
BIO_printf(bio_err," -status - request certificate status from server\n");
|
||||
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
|
||||
#endif
|
||||
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv)
|
||||
#endif
|
||||
else if (strcmp(*argv,"-serverpref") == 0)
|
||||
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
|
||||
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
||||
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
||||
else if (strcmp(*argv,"-cipher") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c
|
||||
--- openssl-1.0.0-beta4/apps/s_server.c.reneg 2009-11-12 14:57:48.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 15:01:48.000000000 +0100
|
||||
@@ -491,6 +491,7 @@ static void sv_usage(void)
|
||||
BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
|
||||
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
|
||||
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
|
||||
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[])
|
||||
verify_return_error = 1;
|
||||
else if (strcmp(*argv,"-serverpref") == 0)
|
||||
{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
|
||||
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
||||
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
||||
else if (strcmp(*argv,"-cipher") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h
|
||||
--- openssl-1.0.0-beta4/ssl/tls1.h.reneg 2009-11-12 14:57:47.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/ssl/tls1.h 2009-11-12 15:02:30.000000000 +0100
|
||||
@@ -201,6 +201,9 @@ extern "C" {
|
||||
# define TLSEXT_TYPE_opaque_prf_input ?? */
|
||||
#endif
|
||||
|
||||
+/* Temporary extension type */
|
||||
+#define TLSEXT_TYPE_renegotiate 0xff01
|
||||
+
|
||||
/* NameType value from RFC 3546 */
|
||||
#define TLSEXT_NAMETYPE_host_name 0
|
||||
/* status request value from RFC 3546 */
|
||||
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c
|
||||
--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg 2009-11-08 15:36:32.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-12 15:02:30.000000000 +0100
|
||||
@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex
|
||||
ret+=size_str;
|
||||
}
|
||||
|
||||
+ /* Add the renegotiation option: TODOEKR switch */
|
||||
+ {
|
||||
+ int el;
|
||||
+
|
||||
+ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
|
||||
+ {
|
||||
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ if((limit - p - 4 - el) < 0) return NULL;
|
||||
+
|
||||
+ s2n(TLSEXT_TYPE_renegotiate,ret);
|
||||
+ s2n(el,ret);
|
||||
+
|
||||
+ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
|
||||
+ {
|
||||
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ret += el;
|
||||
+ }
|
||||
+
|
||||
#ifndef OPENSSL_NO_EC
|
||||
if (s->tlsext_ecpointformatlist != NULL)
|
||||
{
|
||||
@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex
|
||||
s2n(TLSEXT_TYPE_server_name,ret);
|
||||
s2n(0,ret);
|
||||
}
|
||||
+
|
||||
+ if(s->s3->send_connection_binding)
|
||||
+ {
|
||||
+ int el;
|
||||
+
|
||||
+ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
|
||||
+ {
|
||||
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ if((limit - p - 4 - el) < 0) return NULL;
|
||||
+
|
||||
+ s2n(TLSEXT_TYPE_renegotiate,ret);
|
||||
+ s2n(el,ret);
|
||||
+
|
||||
+ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
|
||||
+ {
|
||||
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ret += el;
|
||||
+ }
|
||||
+
|
||||
#ifndef OPENSSL_NO_EC
|
||||
if (s->tlsext_ecpointformatlist != NULL)
|
||||
{
|
||||
@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||
unsigned short size;
|
||||
unsigned short len;
|
||||
unsigned char *data = *p;
|
||||
+ int renegotiate_seen = 0;
|
||||
+
|
||||
s->servername_done = 0;
|
||||
s->tlsext_status_type = -1;
|
||||
+ s->s3->send_connection_binding = 0;
|
||||
|
||||
if (data >= (d+n-2))
|
||||
+ {
|
||||
+ if (s->new_session
|
||||
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
+ {
|
||||
+ /* We should always see one extension: the renegotiate extension */
|
||||
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
+ return 0;
|
||||
+ }
|
||||
return 1;
|
||||
+ }
|
||||
n2s(data,len);
|
||||
|
||||
if (data > (d+n-len))
|
||||
@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
+ else if (type == TLSEXT_TYPE_renegotiate)
|
||||
+ {
|
||||
+ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
|
||||
+ return 0;
|
||||
+ renegotiate_seen = 1;
|
||||
+ }
|
||||
else if (type == TLSEXT_TYPE_status_request
|
||||
&& s->ctx->tlsext_status_cb)
|
||||
{
|
||||
@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||
/* session ticket processed earlier */
|
||||
data+=size;
|
||||
}
|
||||
+
|
||||
+ if (s->new_session && !renegotiate_seen
|
||||
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
+ {
|
||||
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
|
||||
*p = data;
|
||||
return 1;
|
||||
@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
unsigned short size;
|
||||
unsigned short len;
|
||||
unsigned char *data = *p;
|
||||
-
|
||||
int tlsext_servername = 0;
|
||||
+ int renegotiate_seen = 0;
|
||||
|
||||
if (data >= (d+n-2))
|
||||
+ {
|
||||
+ /* Because the client does not see any renegotiation during an
|
||||
+ attack, we must enforce this on all server hellos, even the
|
||||
+ first */
|
||||
+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
+ {
|
||||
+ /* We should always see one extension: the renegotiate extension */
|
||||
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
+ return 0;
|
||||
+ }
|
||||
return 1;
|
||||
+ }
|
||||
|
||||
n2s(data,len);
|
||||
|
||||
@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
/* Set flag to expect CertificateStatus message */
|
||||
s->tlsext_status_expected = 1;
|
||||
}
|
||||
-
|
||||
+ else if (type == TLSEXT_TYPE_renegotiate)
|
||||
+ {
|
||||
+ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
|
||||
+ return 0;
|
||||
+ renegotiate_seen = 1;
|
||||
+ }
|
||||
data+=size;
|
||||
}
|
||||
|
||||
@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (!renegotiate_seen
|
||||
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
+ {
|
||||
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (!s->hit && tlsext_servername == 1)
|
||||
{
|
||||
if (s->tlsext_hostname)
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
We have to keep the beta status on 3 as some applications (OpenSSH) incorrectly insist
|
||||
on having the same beta status of OpenSSL library as they were built against.
|
||||
diff -up openssl-1.0.0-beta4/crypto/opensslv.h.version openssl-1.0.0-beta4/crypto/opensslv.h
|
||||
--- openssl-1.0.0-beta4/crypto/opensslv.h.version 2009-11-12 15:17:28.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/crypto/opensslv.h 2009-11-13 12:39:08.000000000 +0100
|
||||
@@ -25,7 +25,7 @@
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
-#define OPENSSL_VERSION_NUMBER 0x10000004L
|
||||
+#define OPENSSL_VERSION_NUMBER 0x10000003L
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips-beta4 10 Nov 2009"
|
||||
#else
|
||||
|
|
@ -1,16 +1,16 @@
|
|||
diff -up openssl-1.0.0-beta3/ssl/ssl.h.cipher-change openssl-1.0.0-beta3/ssl/ssl.h
|
||||
--- openssl-1.0.0-beta3/ssl/ssl.h.cipher-change 2009-08-05 18:22:45.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-05 18:27:32.000000000 +0200
|
||||
@@ -511,7 +511,7 @@ typedef struct ssl_session_st
|
||||
|
||||
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
|
||||
diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
|
||||
--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100
|
||||
@@ -513,7 +513,7 @@ typedef struct ssl_session_st
|
||||
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
|
||||
/* Allow initial connection to servers that don't support RI */
|
||||
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
|
||||
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
|
||||
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
|
||||
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
|
||||
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
|
||||
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
|
||||
@@ -528,7 +528,7 @@ typedef struct ssl_session_st
|
||||
@@ -530,7 +530,7 @@ typedef struct ssl_session_st
|
||||
|
||||
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
|
||||
* This used to be 0x000FFFFFL before 0.9.7. */
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
|
||||
--- openssl-1.0.0-beta4/Configure.enginesdir 2009-11-12 12:17:59.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:19:45.000000000 +0100
|
||||
diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
|
||||
--- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100
|
||||
@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
|
||||
my $prefix="";
|
||||
my $libdir="";
|
||||
|
|
@ -20,7 +20,7 @@ diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
|
|||
elsif (/^--install.prefix=(.*)$/)
|
||||
{
|
||||
$install_prefix=$1;
|
||||
@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
||||
@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
||||
|
||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||
|
|
@ -29,18 +29,18 @@ diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
|
|||
|
||||
print "IsMK1MF=$IsMK1MF\n";
|
||||
|
||||
@@ -1676,7 +1681,7 @@ while (<IN>)
|
||||
# $foo is to become "$prefix/lib$multilib/engines";
|
||||
# as Makefile.org and engines/Makefile are adapted for
|
||||
# $multilib suffix.
|
||||
- my $foo = "$prefix/lib/engines";
|
||||
@@ -1673,7 +1678,7 @@ while (<IN>)
|
||||
}
|
||||
elsif (/^#define\s+ENGINESDIR/)
|
||||
{
|
||||
- my $foo = "$prefix/$libdir/engines";
|
||||
+ my $foo = "$enginesdir";
|
||||
$foo =~ s/\\/\\\\/g;
|
||||
print OUT "#define ENGINESDIR \"$foo\"\n";
|
||||
}
|
||||
diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile
|
||||
--- openssl-1.0.0-beta4/engines/Makefile.enginesdir 2009-11-10 02:52:52.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/engines/Makefile 2009-11-12 12:23:06.000000000 +0100
|
||||
diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
|
||||
--- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100
|
||||
@@ -124,7 +124,7 @@ install:
|
||||
sfx=".so"; \
|
||||
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_apps.h
|
||||
--- openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_apps.h 2009-08-05 21:29:58.000000000 +0200
|
||||
diff -up openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta5/apps/s_apps.h
|
||||
--- openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/apps/s_apps.h 2010-02-03 09:43:49.000000000 +0100
|
||||
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
|
||||
#define PORT_STR "4433"
|
||||
#define PROTOCOL "tcp"
|
||||
|
|
@ -23,10 +23,10 @@ diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_
|
|||
|
||||
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret);
|
||||
diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/s_client.c
|
||||
--- openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 22:33:44.000000000 +0200
|
||||
@@ -388,7 +388,7 @@ int MAIN(int argc, char **argv)
|
||||
diff -up openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps openssl-1.0.0-beta5/apps/s_client.c
|
||||
--- openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/apps/s_client.c 2010-02-03 09:43:49.000000000 +0100
|
||||
@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
|
||||
int cbuf_len,cbuf_off;
|
||||
int sbuf_len,sbuf_off;
|
||||
fd_set readfds,writefds;
|
||||
|
|
@ -35,7 +35,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
int full_log=1;
|
||||
char *host=SSL_HOST_NAME;
|
||||
char *cert_file=NULL,*key_file=NULL;
|
||||
@@ -486,13 +486,12 @@ int MAIN(int argc, char **argv)
|
||||
@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
|
||||
else if (strcmp(*argv,"-port") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
|
|
@ -51,7 +51,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
goto bad;
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
@@ -956,7 +955,7 @@ bad:
|
||||
@@ -967,7 +966,7 @@ bad:
|
||||
|
||||
re_start:
|
||||
|
||||
|
|
@ -60,10 +60,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
{
|
||||
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
|
||||
SHUTDOWN(s);
|
||||
diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/s_server.c
|
||||
--- openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 21:29:58.000000000 +0200
|
||||
@@ -837,7 +837,7 @@ int MAIN(int argc, char *argv[])
|
||||
diff -up openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps openssl-1.0.0-beta5/apps/s_server.c
|
||||
--- openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/apps/s_server.c 2010-02-03 09:43:49.000000000 +0100
|
||||
@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
|
||||
{
|
||||
X509_VERIFY_PARAM *vpm = NULL;
|
||||
int badarg = 0;
|
||||
|
|
@ -72,7 +72,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
char *CApath=NULL,*CAfile=NULL;
|
||||
unsigned char *context = NULL;
|
||||
char *dhfile = NULL;
|
||||
@@ -907,8 +907,7 @@ int MAIN(int argc, char *argv[])
|
||||
@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
|
||||
(strcmp(*argv,"-accept") == 0))
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
|
|
@ -82,7 +82,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
{
|
||||
@@ -1685,9 +1684,9 @@ bad:
|
||||
@@ -1700,9 +1699,9 @@ bad:
|
||||
BIO_printf(bio_s_out,"ACCEPT\n");
|
||||
(void)BIO_flush(bio_s_out);
|
||||
if (www)
|
||||
|
|
@ -94,10 +94,10 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
print_stats(bio_s_out,ctx);
|
||||
ret=0;
|
||||
end:
|
||||
diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/s_socket.c
|
||||
--- openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps 2008-11-12 04:57:47.000000000 +0100
|
||||
+++ openssl-1.0.0-beta3/apps/s_socket.c 2009-08-05 21:29:58.000000000 +0200
|
||||
@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha
|
||||
diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/s_socket.c
|
||||
--- openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps 2009-08-26 13:21:50.000000000 +0200
|
||||
+++ openssl-1.0.0-beta5/apps/s_socket.c 2010-02-03 10:00:30.000000000 +0100
|
||||
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
|
||||
static void ssl_sock_cleanup(void);
|
||||
#endif
|
||||
static int ssl_sock_init(void);
|
||||
|
|
@ -108,7 +108,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
static int do_accept(int acc_sock, int *sock, char **host);
|
||||
static int host_ip(char *str, unsigned char ip[4]);
|
||||
|
||||
@@ -228,58 +226,70 @@ static int ssl_sock_init(void)
|
||||
@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
|
||||
return(1);
|
||||
}
|
||||
|
||||
|
|
@ -217,7 +217,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
{
|
||||
int sock;
|
||||
char *name = NULL;
|
||||
@@ -317,33 +327,38 @@ int do_server(int port, int type, int *r
|
||||
@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -277,7 +277,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
#if defined SOL_SOCKET && defined SO_REUSEADDR
|
||||
{
|
||||
int j = 1;
|
||||
@@ -351,36 +366,39 @@ static int init_server_long(int *sock, i
|
||||
@@ -357,36 +372,39 @@ static int init_server_long(int *sock, i
|
||||
(void *) &j, sizeof j);
|
||||
}
|
||||
#endif
|
||||
|
|
@ -337,11 +337,10 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
int len;
|
||||
/* struct linger ling; */
|
||||
|
||||
@@ -425,137 +443,62 @@ redoit:
|
||||
if (i < 0) { perror("keepalive"); return(0); }
|
||||
@@ -432,136 +450,58 @@ redoit:
|
||||
*/
|
||||
|
||||
- if (host == NULL) goto end;
|
||||
if (host == NULL) goto end;
|
||||
-#ifndef BIT_FIELD_LIMITS
|
||||
- /* I should use WSAAsyncGetHostByName() under windows */
|
||||
- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
|
||||
|
|
@ -351,50 +350,44 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
|||
- sizeof(struct in_addr),AF_INET);
|
||||
-#endif
|
||||
- if (h1 == NULL)
|
||||
+ if (host == NULL)
|
||||
{
|
||||
- BIO_printf(bio_err,"bad gethostbyaddr\n");
|
||||
- *host=NULL;
|
||||
- /* return(0); */
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
|
||||
- {
|
||||
- perror("OPENSSL_malloc");
|
||||
+ *sock=ret;
|
||||
return(0);
|
||||
}
|
||||
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
|
||||
|
||||
- h2=GetHostByName(*host);
|
||||
- if (h2 == NULL)
|
||||
+
|
||||
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
|
||||
+ buffer, sizeof(buffer),
|
||||
+ NULL, 0, 0))
|
||||
{
|
||||
- BIO_printf(bio_err,"gethostbyname failure\n");
|
||||
{
|
||||
- BIO_printf(bio_err,"bad gethostbyaddr\n");
|
||||
+ BIO_printf(bio_err,"getnameinfo failed\n");
|
||||
+ *host=NULL;
|
||||
*host=NULL;
|
||||
/* return(0); */
|
||||
}
|
||||
else
|
||||
{
|
||||
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
|
||||
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
|
||||
{
|
||||
perror("OPENSSL_malloc");
|
||||
return(0);
|
||||
}
|
||||
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
|
||||
-
|
||||
- h2=GetHostByName(*host);
|
||||
- if (h2 == NULL)
|
||||
- {
|
||||
- BIO_printf(bio_err,"gethostbyname failure\n");
|
||||
- return(0);
|
||||
- }
|
||||
- i=0;
|
||||
- if (h2->h_addrtype != AF_INET)
|
||||
+ else
|
||||
{
|
||||
- {
|
||||
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
|
||||
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
|
||||
+ {
|
||||
+ perror("OPENSSL_malloc");
|
||||
return(0);
|
||||
}
|
||||
- }
|
||||
-end:
|
||||
- return(0);
|
||||
- }
|
||||
+ strcpy(*host, buffer);
|
||||
}
|
||||
end:
|
||||
*sock=ret;
|
||||
return(1);
|
||||
}
|
||||
+ }
|
||||
|
||||
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
|
||||
- short *port_ptr)
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
|
||||
--- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100
|
||||
+++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100
|
||||
@@ -5,6 +5,31 @@
|
||||
diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
|
||||
--- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
|
||||
@@ -5,6 +5,35 @@
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
All rights reserved.
|
||||
|
||||
|
|
@ -15,9 +15,15 @@ diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
|
|||
+
|
||||
+ This version also contains a few differences from the upstream code
|
||||
+ some of which are:
|
||||
+ * The FIPS integrity verification check is implemented differently
|
||||
+ from the upstream FIPS validated OpenSSL module. It verifies
|
||||
+ HMAC-SHA256 checksum of the whole libcrypto shared library.
|
||||
+ * There are added changes forward ported from the upstream OpenSSL
|
||||
+ 0.9.8 FIPS branch however the FIPS integrity verification check
|
||||
+ is implemented differently from the upstream FIPS validated OpenSSL
|
||||
+ module. It verifies HMAC-SHA256 checksum of the whole shared
|
||||
+ libraries. For this reason the changes are ported to files in the
|
||||
+ crypto directory and not in a separate fips subdirectory. Also
|
||||
+ note that the FIPS integrity verification check requires unmodified
|
||||
+ libcrypto and libssl shared library files which means that it will
|
||||
+ fail if these files are modified for example by prelink.
|
||||
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
|
||||
+ tries to initialize the FIPS mode if it is set to 1 aborting if the
|
||||
+ FIPS mode could not be initialized. It is also possible to force the
|
||||
|
|
@ -27,8 +33,6 @@ diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
|
|||
+ will not automatically load the built in compression method ZLIB
|
||||
+ when initialized. Applications can still explicitely ask for ZLIB
|
||||
+ compression method.
|
||||
+ * There is added a support for EAP-FAST through TLS extension. This code
|
||||
+ is backported from OpenSSL upstream development branch.
|
||||
+
|
||||
DESCRIPTION
|
||||
-----------
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,13 @@
|
|||
diff -up openssl-1.0.0/crypto/opensslv.h.version openssl-1.0.0/crypto/opensslv.h
|
||||
--- openssl-1.0.0/crypto/opensslv.h.version 2010-03-30 10:59:26.000000000 +0200
|
||||
+++ openssl-1.0.0/crypto/opensslv.h 2010-03-30 11:00:52.000000000 +0200
|
||||
@@ -25,7 +25,8 @@
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
-#define OPENSSL_VERSION_NUMBER 0x1000000fL
|
||||
+/* we have to keep the version number to not break the abi */
|
||||
+#define OPENSSL_VERSION_NUMBER 0x10000003L
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips 29 Mar 2010"
|
||||
#else
|
||||
82
openssl.spec
82
openssl.spec
|
|
@ -11,8 +11,6 @@
|
|||
# 1.0.0 soversion = 10
|
||||
%define soversion 10
|
||||
|
||||
%define beta beta4
|
||||
|
||||
# Number of threads to spawn when testing some threading fixes.
|
||||
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
|
||||
|
||||
|
|
@ -23,10 +21,10 @@
|
|||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.0
|
||||
Release: 0.16.%{beta}%{?dist}
|
||||
Release: 1%{?dist}
|
||||
# We remove certain patented algorithms from the openssl source tarball
|
||||
# with the hobble-openssl script which is included below.
|
||||
Source: openssl-%{version}-%{beta}-usa.tar.bz2
|
||||
Source: openssl-%{version}-usa.tar.bz2
|
||||
Source1: hobble-openssl
|
||||
Source2: Makefile.certificate
|
||||
Source6: make-dummy-cert
|
||||
|
|
@ -38,36 +36,30 @@ Source11: README.FIPS
|
|||
Patch0: openssl-1.0.0-beta4-redhat.patch
|
||||
Patch1: openssl-1.0.0-beta3-defaults.patch
|
||||
Patch3: openssl-1.0.0-beta3-soversion.patch
|
||||
Patch4: openssl-1.0.0-beta4-enginesdir.patch
|
||||
Patch4: openssl-1.0.0-beta5-enginesdir.patch
|
||||
Patch5: openssl-0.9.8a-no-rpath.patch
|
||||
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
||||
# Bug fixes
|
||||
Patch23: openssl-1.0.0-beta4-default-paths.patch
|
||||
Patch24: openssl-1.0.0-beta4-binutils.patch
|
||||
Patch24: openssl-0.9.8j-bad-mime.patch
|
||||
# Functionality changes
|
||||
Patch32: openssl-0.9.8g-ia64.patch
|
||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||
Patch34: openssl-0.9.6-x509.patch
|
||||
Patch35: openssl-0.9.8j-version-add-engines.patch
|
||||
Patch38: openssl-1.0.0-beta3-cipher-change.patch
|
||||
Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.0-beta4-fips.patch
|
||||
Patch38: openssl-1.0.0-beta5-cipher-change.patch
|
||||
Patch39: openssl-1.0.0-beta5-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.0-fips.patch
|
||||
Patch41: openssl-1.0.0-beta3-fipscheck.patch
|
||||
Patch43: openssl-1.0.0-beta3-fipsmode.patch
|
||||
Patch44: openssl-1.0.0-beta3-fipsrng.patch
|
||||
Patch45: openssl-0.9.8j-env-nozlib.patch
|
||||
Patch47: openssl-0.9.8j-readme-warning.patch
|
||||
Patch48: openssl-0.9.8j-bad-mime.patch
|
||||
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
||||
Patch49: openssl-1.0.0-beta4-algo-doc.patch
|
||||
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
|
||||
Patch51: openssl-1.0.0-beta4-version.patch
|
||||
Patch51: openssl-1.0.0-version.patch
|
||||
Patch52: openssl-1.0.0-beta4-aesni.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch60: openssl-1.0.0-beta4-reneg.patch
|
||||
# This one is not backported but has to be applied after reneg patch
|
||||
Patch61: openssl-1.0.0-beta4-client-reneg.patch
|
||||
Patch62: openssl-1.0.0-beta4-backports.patch
|
||||
Patch63: openssl-1.0.0-beta4-reneg-err.patch
|
||||
Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
|
|
@ -117,7 +109,7 @@ package provides Perl scripts for converting certificates and keys
|
|||
from other formats to the formats used by the OpenSSL toolkit.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}-%{beta}
|
||||
%setup -q -n %{name}-%{version}
|
||||
|
||||
%{SOURCE1} > /dev/null
|
||||
%patch0 -p1 -b .redhat
|
||||
|
|
@ -128,7 +120,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||
%patch6 -p1 -b .use-localhost
|
||||
|
||||
%patch23 -p1 -b .default-paths
|
||||
%patch24 -p1 -b .binutils
|
||||
%patch24 -p1 -b .bad-mime
|
||||
|
||||
%patch32 -p1 -b .ia64
|
||||
%patch33 -p1 -b .ca-dir
|
||||
|
|
@ -142,16 +134,10 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||
%patch44 -p1 -b .fipsrng
|
||||
%patch45 -p1 -b .env-nozlib
|
||||
%patch47 -p1 -b .warning
|
||||
%patch48 -p1 -b .bad-mime
|
||||
%patch49 -p1 -b .algo-doc
|
||||
%patch50 -p1 -b .dtls1-abi
|
||||
%patch51 -p1 -b .version
|
||||
|
||||
%patch60 -p1 -b .reneg
|
||||
%patch61 -p1 -b .client-reneg
|
||||
%patch62 -p1 -b .backports
|
||||
%patch63 -p1 -b .reneg-err
|
||||
%patch64 -p1 -b .dtls-ipv6
|
||||
%patch52 -p1 -b .aesni
|
||||
|
||||
# Modify the various perl scripts to reference perl in the right location.
|
||||
perl util/perlpath.pl `dirname %{__perl}`
|
||||
|
|
@ -160,7 +146,7 @@ perl util/perlpath.pl `dirname %{__perl}`
|
|||
touch Makefile
|
||||
make TABLE PERL=%{__perl}
|
||||
|
||||
%build
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
# default
|
||||
sslarch=%{_os}-%{_arch}
|
||||
|
|
@ -250,12 +236,9 @@ make -C test apps tests
|
|||
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}
|
||||
make INSTALL_PREFIX=$RPM_BUILD_ROOT install
|
||||
make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs
|
||||
# OpenSSL install doesn't use correct _libdir on 64 bit archs
|
||||
[ "%{_libdir}" != /usr/lib ] && mv $RPM_BUILD_ROOT/usr/lib/lib*.so.%{soversion} $RPM_BUILD_ROOT%{_libdir}/
|
||||
mv $RPM_BUILD_ROOT/usr/lib/engines $RPM_BUILD_ROOT%{_libdir}/openssl
|
||||
mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl
|
||||
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/
|
||||
rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
|
||||
mv $RPM_BUILD_ROOT/usr/lib/* $RPM_BUILD_ROOT%{_libdir}/ || :
|
||||
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
||||
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
||||
chmod 755 ${lib}
|
||||
|
|
@ -347,7 +330,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%clean
|
||||
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%files
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc FAQ LICENSE CHANGES NEWS INSTALL README
|
||||
%doc doc/c-indentation.el doc/openssl.txt
|
||||
|
|
@ -400,6 +383,33 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Tue Mar 30 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-1
|
||||
- update to final 1.0.0 upstream release
|
||||
|
||||
* Tue Feb 16 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.22.beta5
|
||||
- make TLS work in the FIPS mode
|
||||
|
||||
* Fri Feb 12 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.21.beta5
|
||||
- gracefully handle zero length in assembler implementations of
|
||||
OPENSSL_cleanse (#564029)
|
||||
- do not fail in s_server if client hostname not resolvable (#561260)
|
||||
|
||||
* Wed Jan 20 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.20.beta5
|
||||
- new upstream release
|
||||
|
||||
* Thu Jan 14 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.19.beta4
|
||||
- fix CVE-2009-4355 - leak in applications incorrectly calling
|
||||
CRYPTO_free_all_ex_data() before application exit (#546707)
|
||||
- upstream fix for future TLS protocol version handling
|
||||
|
||||
* Wed Jan 13 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.18.beta4
|
||||
- add support for Intel AES-NI
|
||||
|
||||
* Thu Jan 7 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.17.beta4
|
||||
- upstream fix compression handling on session resumption
|
||||
- various null checks and other small fixes from upstream
|
||||
- upstream changes for the renegotiation info according to the latest draft
|
||||
|
||||
* Mon Nov 23 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.16.beta4
|
||||
- fix non-fips mingw build (patch by Kalev Lember)
|
||||
- add IPV6 fix for DTLS
|
||||
|
|
@ -419,7 +429,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
openssh and possibly other dependencies with too strict version check
|
||||
|
||||
* Thu Nov 12 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.11.beta4
|
||||
- update to new upstream version, no soname bump needed
|
||||
- update to new upstream version, no soname bump needed
|
||||
- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
|
||||
so the compatibility with unfixed clients is not broken. The
|
||||
protocol extension is also not final.
|
||||
|
|
@ -525,7 +535,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
- temporarily provide symlink to old soname to make it possible to rebuild
|
||||
the dependent packages in rawhide
|
||||
- add eap-fast support (#428181)
|
||||
- add possibility to disable zlib by setting
|
||||
- add possibility to disable zlib by setting
|
||||
- add fips mode support for testing purposes
|
||||
- do not null dereference on some invalid smime files
|
||||
- add buildrequires pkgconfig (#479493)
|
||||
|
|
@ -732,7 +742,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
- upgrade to new upstream version (no soname bump needed)
|
||||
- disable thread test - it was testing the backport of the
|
||||
RSA blinding - no longer needed
|
||||
- added support for changing serial number to
|
||||
- added support for changing serial number to
|
||||
Makefile.certificate (#151188)
|
||||
- make ca-bundle.crt a config file (#118903)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue