update to upstream version 1.1.0e
add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
This commit is contained in:
parent
f6b0040c3e
commit
c676ac32d5
1
.gitignore
vendored
1
.gitignore
vendored
@ -34,3 +34,4 @@ openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.1.0b-hobbled.tar.xz
|
||||
/openssl-1.1.0c-hobbled.tar.xz
|
||||
/openssl-1.1.0d-hobbled.tar.xz
|
||||
/openssl-1.1.0e-hobbled.tar.xz
|
||||
|
@ -1,147 +0,0 @@
|
||||
From 3f60b8fbdc9b17572a86457fe5b11437c0d3fbc2 Mon Sep 17 00:00:00 2001
|
||||
From: "Dr. Stephen Henson" <steve@openssl.org>
|
||||
Date: Thu, 26 Jan 2017 17:11:14 +0000
|
||||
Subject: [PATCH] Use correct signature algorithm list when sending or
|
||||
checking.
|
||||
|
||||
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/2297)
|
||||
---
|
||||
ssl/ssl_locl.h | 2 +-
|
||||
ssl/statem/statem_srvr.c | 2 +-
|
||||
ssl/t1_lib.c | 12 ++++++------
|
||||
3 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
||||
index 4079b31..9a997cf 100644
|
||||
--- a/ssl/ssl_locl.h
|
||||
+++ b/ssl/ssl_locl.h
|
||||
@@ -2062,7 +2062,7 @@ __owur size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
|
||||
const unsigned char *psig, size_t psiglen);
|
||||
__owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
|
||||
__owur int tls1_process_sigalgs(SSL *s);
|
||||
-__owur size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
|
||||
+__owur size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
|
||||
__owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
|
||||
const unsigned char *sig, EVP_PKEY *pkey);
|
||||
void ssl_set_client_disabled(SSL *s);
|
||||
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
||||
index d36d194..ad89e93 100644
|
||||
--- a/ssl/statem/statem_srvr.c
|
||||
+++ b/ssl/statem/statem_srvr.c
|
||||
@@ -2002,7 +2002,7 @@ int tls_construct_certificate_request(SSL *s)
|
||||
if (SSL_USE_SIGALGS(s)) {
|
||||
const unsigned char *psigs;
|
||||
unsigned char *etmp = p;
|
||||
- nl = tls12_get_psigalgs(s, &psigs);
|
||||
+ nl = tls12_get_psigalgs(s, 1, &psigs);
|
||||
/* Skip over length for now */
|
||||
p += 2;
|
||||
nl = tls12_copy_sigalgs(s, p, psigs, nl);
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index 1205f99..b75e568 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -711,7 +711,7 @@ static const unsigned char suiteb_sigalgs[] = {
|
||||
tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
|
||||
};
|
||||
#endif
|
||||
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
|
||||
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
|
||||
{
|
||||
/*
|
||||
* If Suite B mode use Suite B sigalgs only, ignore any other
|
||||
@@ -733,7 +733,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
|
||||
}
|
||||
#endif
|
||||
/* If server use client authentication sigalgs if not NULL */
|
||||
- if (s->server && s->cert->client_sigalgs) {
|
||||
+ if (s->server == sent && s->cert->client_sigalgs) {
|
||||
*psigs = s->cert->client_sigalgs;
|
||||
return s->cert->client_sigalgslen;
|
||||
} else if (s->cert->conf_sigalgs) {
|
||||
@@ -797,7 +797,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
|
||||
#endif
|
||||
|
||||
/* Check signature matches a type we sent */
|
||||
- sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
|
||||
+ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
|
||||
for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
|
||||
if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
|
||||
break;
|
||||
@@ -1189,7 +1189,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
||||
size_t salglen;
|
||||
const unsigned char *salg;
|
||||
unsigned char *etmp;
|
||||
- salglen = tls12_get_psigalgs(s, &salg);
|
||||
+ salglen = tls12_get_psigalgs(s, 1, &salg);
|
||||
|
||||
/*-
|
||||
* check for enough space.
|
||||
@@ -3396,7 +3396,7 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
|
||||
* RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
|
||||
* down calls to security callback only check if we have to.
|
||||
*/
|
||||
- sigalgslen = tls12_get_psigalgs(s, &sigalgs);
|
||||
+ sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
|
||||
for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
|
||||
switch (sigalgs[1]) {
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
@@ -3491,7 +3491,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
|
||||
conf = c->conf_sigalgs;
|
||||
conflen = c->conf_sigalgslen;
|
||||
} else
|
||||
- conflen = tls12_get_psigalgs(s, &conf);
|
||||
+ conflen = tls12_get_psigalgs(s, 0, &conf);
|
||||
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
|
||||
pref = conf;
|
||||
preflen = conflen;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
From b431b094330da3e54805c49fb262192e34bc3864 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Levitte <levitte@openssl.org>
|
||||
Date: Sat, 28 Jan 2017 17:43:17 +0100
|
||||
Subject: [PATCH] X509_CRL_digest() - ensure precomputed sha1 hash before
|
||||
returning it
|
||||
|
||||
X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
|
||||
present. This also makes sure there's an appropriate flag to check.
|
||||
|
||||
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/2314)
|
||||
(cherry picked from commit 6195848b2eea627c47f74b63eb2ba3dc3d5b6436)
|
||||
---
|
||||
crypto/x509/x_all.c | 2 +-
|
||||
crypto/x509/x_crl.c | 2 ++
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
|
||||
index 59f96a5..124dd2d 100644
|
||||
--- a/crypto/x509/x_all.c
|
||||
+++ b/crypto/x509/x_all.c
|
||||
@@ -377,7 +377,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
|
||||
int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
|
||||
unsigned char *md, unsigned int *len)
|
||||
{
|
||||
- if (type == EVP_sha1()) {
|
||||
+ if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) {
|
||||
/* Asking for SHA1; always computed in CRL d2i. */
|
||||
if (len != NULL)
|
||||
*len = sizeof(data->sha1_hash);
|
||||
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
|
||||
index da9c6b6..dbed850 100644
|
||||
--- a/crypto/x509/x_crl.c
|
||||
+++ b/crypto/x509/x_crl.c
|
||||
@@ -226,6 +226,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
|
||||
if (crl->meth->crl_init(crl) == 0)
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ crl->flags |= EXFLAG_SET;
|
||||
break;
|
||||
|
||||
case ASN1_OP_FREE_POST:
|
||||
--
|
||||
2.9.3
|
||||
|
@ -29,99 +29,3 @@ diff -up openssl-1.1.0c/Configurations/10-main.conf.build openssl-1.1.0c/Configu
|
||||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
||||
diff -up openssl-1.1.0c/crypto/ec/ec_lib.c.build openssl-1.1.0c/crypto/ec/ec_lib.c
|
||||
--- openssl-1.1.0c/crypto/ec/ec_lib.c.build 2016-11-10 15:03:44.000000000 +0100
|
||||
+++ openssl-1.1.0c/crypto/ec/ec_lib.c 2016-11-11 13:26:36.097400901 +0100
|
||||
@@ -74,9 +74,6 @@ void EC_pre_comp_free(EC_GROUP *group)
|
||||
break;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
- case PCT_nistp224:
|
||||
- EC_nistp224_pre_comp_free(group->pre_comp.nistp224);
|
||||
- break;
|
||||
case PCT_nistp256:
|
||||
EC_nistp256_pre_comp_free(group->pre_comp.nistp256);
|
||||
break;
|
||||
@@ -152,9 +149,6 @@ int EC_GROUP_copy(EC_GROUP *dest, const
|
||||
break;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
- case PCT_nistp224:
|
||||
- dest->pre_comp.nistp224 = EC_nistp224_pre_comp_dup(src->pre_comp.nistp224);
|
||||
- break;
|
||||
case PCT_nistp256:
|
||||
dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256);
|
||||
break;
|
||||
diff -up openssl-1.1.0c/test/ecdhtest_cavs.h.build openssl-1.1.0c/test/ecdhtest_cavs.h
|
||||
--- openssl-1.1.0c/test/ecdhtest_cavs.h.build 2016-11-11 13:26:36.079400491 +0100
|
||||
+++ openssl-1.1.0c/test/ecdhtest_cavs.h 2016-11-11 13:26:36.097400901 +0100
|
||||
@@ -29,6 +29,7 @@ typedef struct {
|
||||
|
||||
static const ecdh_cavs_kat_t ecdh_cavs_kats[] = {
|
||||
/* curves over prime fields go here */
|
||||
+#if 0
|
||||
{ NID_X9_62_prime192v1,
|
||||
"42ea6dd9969dd2a61fea1aac7f8e98edcc896c6e55857cc0",
|
||||
"dfbe5d7c61fac88b11811bde328e8a0d12bf01a9d204b523",
|
||||
@@ -379,6 +380,7 @@ static const ecdh_cavs_kat_t ecdh_cavs_k
|
||||
"a6b29632db94da2125dc1cf80e03702687b2acc1122022fa2174765a",
|
||||
"61723edd73e10daed73775278f1958ba56f1fc9d085ebc2b64c84fe5",
|
||||
"71954e2261e8510be1a060733671d2e9d0a2d012eb4e09556d697d2a" },
|
||||
+#endif
|
||||
{ NID_X9_62_prime256v1,
|
||||
"700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287",
|
||||
"db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
|
||||
diff -up openssl-1.1.0c/test/ecdhtest.c.build openssl-1.1.0c/test/ecdhtest.c
|
||||
--- openssl-1.1.0c/test/ecdhtest.c.build 2016-11-10 15:03:47.000000000 +0100
|
||||
+++ openssl-1.1.0c/test/ecdhtest.c 2016-11-11 13:26:36.097400901 +0100
|
||||
@@ -252,6 +252,7 @@ typedef struct {
|
||||
|
||||
static const ecdh_kat_t ecdh_kats[] = {
|
||||
/* Keys and shared secrets from RFC 5114 */
|
||||
+#if 0
|
||||
{ NID_X9_62_prime192v1,
|
||||
"323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426",
|
||||
"631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62",
|
||||
@@ -260,6 +261,7 @@ static const ecdh_kat_t ecdh_kats[] = {
|
||||
"B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F",
|
||||
"AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18",
|
||||
"52272F50F46F4EDC9151569092F46DF2D96ECC3B6DC1714A4EA949FA" },
|
||||
+#endif
|
||||
{ NID_X9_62_prime256v1,
|
||||
"814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF",
|
||||
"2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41",
|
||||
@@ -303,6 +305,7 @@ static const ecdh_kat_t ecdh_kats[] = {
|
||||
"01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04"
|
||||
"D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3"
|
||||
"DDEA" },
|
||||
+#if 0
|
||||
/* Keys and shared secrets from RFC 7027 */
|
||||
{ NID_brainpoolP256r1,
|
||||
"81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D",
|
||||
@@ -322,6 +325,7 @@ static const ecdh_kat_t ecdh_kats[] = {
|
||||
"ABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429",
|
||||
"A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76"
|
||||
"D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F" }
|
||||
+#endif
|
||||
};
|
||||
|
||||
/* Given private value and NID, create EC_KEY structure */
|
||||
diff -up openssl-1.1.0c/test/ecdsatest.c.build openssl-1.1.0c/test/ecdsatest.c
|
||||
--- openssl-1.1.0c/test/ecdsatest.c.build 2016-11-10 15:03:47.000000000 +0100
|
||||
+++ openssl-1.1.0c/test/ecdsatest.c 2016-11-11 13:26:36.097400901 +0100
|
||||
@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
|
||||
if (!change_rand())
|
||||
goto x962_err;
|
||||
|
||||
+#if 0
|
||||
if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
|
||||
"3342403536405981729393488334694600415596881826869351677613",
|
||||
"5735822328888155254683894997897571951568553642892029982342"))
|
||||
@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
|
||||
"3238135532097973577080787768312505059318910517550078427819"
|
||||
"78505179448783"))
|
||||
goto x962_err;
|
||||
+#endif
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
|
||||
"87194383164871543355722284926904419997237591535066528048",
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssl-1.1.0d/apps/speed.c.curves openssl-1.1.0d/apps/speed.c
|
||||
--- openssl-1.1.0d/apps/speed.c.curves 2017-01-26 14:10:21.000000000 +0100
|
||||
+++ openssl-1.1.0d/apps/speed.c 2017-01-26 15:53:33.913324153 +0100
|
||||
diff -up openssl-1.1.0e/apps/speed.c.curves openssl-1.1.0e/apps/speed.c
|
||||
--- openssl-1.1.0e/apps/speed.c.curves 2017-02-16 12:58:20.000000000 +0100
|
||||
+++ openssl-1.1.0e/apps/speed.c 2017-02-16 15:46:22.271504354 +0100
|
||||
@@ -536,42 +536,18 @@ static OPT_PAIR rsa_choices[] = {
|
||||
#define R_EC_X25519 16
|
||||
#ifndef OPENSSL_NO_EC
|
||||
@ -44,9 +44,9 @@ diff -up openssl-1.1.0d/apps/speed.c.curves openssl-1.1.0d/apps/speed.c
|
||||
{"ecdhx25519", R_EC_X25519},
|
||||
{NULL}
|
||||
};
|
||||
diff -up openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves openssl-1.1.0d/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves 2017-01-26 14:10:22.000000000 +0100
|
||||
+++ openssl-1.1.0d/crypto/ec/ecp_smpl.c 2017-01-26 15:53:33.913324153 +0100
|
||||
diff -up openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves openssl-1.1.0e/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves 2017-02-16 12:58:21.000000000 +0100
|
||||
+++ openssl-1.1.0e/crypto/ec/ecp_smpl.c 2017-02-16 15:46:22.264504188 +0100
|
||||
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||
return 0;
|
||||
}
|
||||
@ -59,3 +59,73 @@ diff -up openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves openssl-1.1.0d/crypto/ec/ecp
|
||||
if (ctx == NULL) {
|
||||
ctx = new_ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
diff -up openssl-1.1.0e/test/ecdhtest_cavs.h.curves openssl-1.1.0e/test/ecdhtest_cavs.h
|
||||
--- openssl-1.1.0e/test/ecdhtest_cavs.h.curves 2017-02-16 15:46:22.237503550 +0100
|
||||
+++ openssl-1.1.0e/test/ecdhtest_cavs.h 2017-02-16 16:08:16.091687111 +0100
|
||||
@@ -29,6 +29,7 @@ typedef struct {
|
||||
|
||||
static const ecdh_cavs_kat_t ecdh_cavs_kats[] = {
|
||||
/* curves over prime fields go here */
|
||||
+#if 0
|
||||
{ NID_X9_62_prime192v1,
|
||||
"42ea6dd9969dd2a61fea1aac7f8e98edcc896c6e55857cc0",
|
||||
"dfbe5d7c61fac88b11811bde328e8a0d12bf01a9d204b523",
|
||||
@@ -204,6 +205,7 @@ static const ecdh_cavs_kat_t ecdh_cavs_k
|
||||
"fcd345a976c720caaa97de6697226825615e1287a9eff67e",
|
||||
"58ea42edbeeafca9ff44cfd7f29abd2cbde7626d79e422c9",
|
||||
"72e88f3ea67d46d46dbf83926e7e2a6b85b54536741e6d2c" },
|
||||
+#endif
|
||||
{ NID_secp224r1,
|
||||
"af33cd0629bc7e996320a3f40368f74de8704fa37b8fab69abaae280",
|
||||
"882092ccbba7930f419a8a4f9bb16978bbc3838729992559a6f2e2d7",
|
||||
diff -up openssl-1.1.0e/test/ecdhtest.c.curves openssl-1.1.0e/test/ecdhtest.c
|
||||
--- openssl-1.1.0e/test/ecdhtest.c.curves 2017-02-16 12:58:24.000000000 +0100
|
||||
+++ openssl-1.1.0e/test/ecdhtest.c 2017-02-16 16:07:30.412629758 +0100
|
||||
@@ -252,10 +252,12 @@ typedef struct {
|
||||
|
||||
static const ecdh_kat_t ecdh_kats[] = {
|
||||
/* Keys and shared secrets from RFC 5114 */
|
||||
+#if 0
|
||||
{ NID_X9_62_prime192v1,
|
||||
"323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426",
|
||||
"631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62",
|
||||
"AD420182633F8526BFE954ACDA376F05E5FF4F837F54FEBE" },
|
||||
+#endif
|
||||
{ NID_secp224r1,
|
||||
"B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F",
|
||||
"AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18",
|
||||
@@ -303,6 +305,7 @@ static const ecdh_kat_t ecdh_kats[] = {
|
||||
"01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04"
|
||||
"D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3"
|
||||
"DDEA" },
|
||||
+#if 0
|
||||
/* Keys and shared secrets from RFC 7027 */
|
||||
{ NID_brainpoolP256r1,
|
||||
"81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D",
|
||||
@@ -322,6 +325,7 @@ static const ecdh_kat_t ecdh_kats[] = {
|
||||
"ABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429",
|
||||
"A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76"
|
||||
"D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F" }
|
||||
+#endif
|
||||
};
|
||||
|
||||
/* Given private value and NID, create EC_KEY structure */
|
||||
diff -up openssl-1.1.0e/test/ecdsatest.c.curves openssl-1.1.0e/test/ecdsatest.c
|
||||
--- openssl-1.1.0e/test/ecdsatest.c.curves 2017-02-16 12:58:24.000000000 +0100
|
||||
+++ openssl-1.1.0e/test/ecdsatest.c 2017-02-16 15:46:22.250503857 +0100
|
||||
@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
|
||||
if (!change_rand())
|
||||
goto x962_err;
|
||||
|
||||
+#if 0
|
||||
if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
|
||||
"3342403536405981729393488334694600415596881826869351677613",
|
||||
"5735822328888155254683894997897571951568553642892029982342"))
|
||||
@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
|
||||
"3238135532097973577080787768312505059318910517550078427819"
|
||||
"78505179448783"))
|
||||
goto x962_err;
|
||||
+#endif
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
|
||||
"87194383164871543355722284926904419997237591535066528048",
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
||||
diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0b/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist 2016-09-26 15:57:34.000000000 +0200
|
||||
+++ openssl-1.1.0b/Configurations/unix-Makefile.tmpl 2016-09-26 16:41:17.796148764 +0200
|
||||
@@ -157,6 +157,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
diff -up openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0e/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist 2017-02-16 16:15:38.658931413 +0100
|
||||
+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl 2017-02-16 16:15:38.675931806 +0100
|
||||
@@ -161,6 +161,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
|
||||
@ -12,7 +12,7 @@ diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist open
|
||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||
# appended after the manpage file section number. "ssl" is popular,
|
||||
# resulting in files such as config.5ssl rather than config.5.
|
||||
@@ -167,7 +171,7 @@ HTMLSUFFIX=html
|
||||
@@ -171,7 +175,7 @@ HTMLSUFFIX=html
|
||||
|
||||
CROSS_COMPILE= {- $config{cross_compile_prefix} -}
|
||||
CC= $(CROSS_COMPILE){- $target{cc} -}
|
||||
@ -21,9 +21,9 @@ diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist open
|
||||
CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
|
||||
LDFLAGS= {- $target{lflags} -}
|
||||
PLIB_LDFLAGS= {- $target{plib_lflags} -}
|
||||
diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
|
||||
--- openssl-1.1.0b/Configure.system-cipherlist 2016-09-26 15:57:34.000000000 +0200
|
||||
+++ openssl-1.1.0b/Configure 2016-09-26 16:41:45.002787753 +0200
|
||||
diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
|
||||
--- openssl-1.1.0e/Configure.system-cipherlist 2017-02-16 12:58:20.000000000 +0100
|
||||
+++ openssl-1.1.0e/Configure 2017-02-16 16:15:38.679931899 +0100
|
||||
@@ -18,7 +18,7 @@ use if $^O ne "VMS", 'File::Glob' => qw/
|
||||
|
||||
# see INSTALL for instructions.
|
||||
@ -43,7 +43,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
|
||||
# --cross-compile-prefix Add specified prefix to binutils components.
|
||||
#
|
||||
# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
|
||||
@@ -292,6 +295,7 @@ $config{openssldir}="";
|
||||
@@ -293,6 +296,7 @@ $config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
$config{cross_compile_prefix}="";
|
||||
@ -51,7 +51,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
|
||||
$config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/";
|
||||
my $nofipscanistercheck=0;
|
||||
$config{baseaddr}="0xFB00000";
|
||||
@@ -716,6 +720,10 @@ foreach (@argvcopy)
|
||||
@@ -718,6 +722,10 @@ while (@argvcopy)
|
||||
{
|
||||
$config{baseaddr}="$1";
|
||||
}
|
||||
@ -62,7 +62,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
|
||||
elsif (/^--cross-compile-prefix=(.*)$/)
|
||||
{
|
||||
$config{cross_compile_prefix}=$1;
|
||||
@@ -841,6 +849,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
|
||||
@@ -851,6 +859,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
|
||||
$target = "Cygwin".$1;
|
||||
}
|
||||
|
||||
@ -71,9 +71,28 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
|
||||
foreach (sort (keys %disabled))
|
||||
{
|
||||
$config{options} .= " no-$_";
|
||||
diff -up openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist openssl-1.1.0b/include/openssl/ssl.h
|
||||
--- openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist 2016-09-26 11:46:07.000000000 +0200
|
||||
+++ openssl-1.1.0b/include/openssl/ssl.h 2016-09-26 16:58:03.752760070 +0200
|
||||
diff -up openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist openssl-1.1.0e/doc/apps/ciphers.pod
|
||||
--- openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist 2017-02-16 12:58:22.000000000 +0100
|
||||
+++ openssl-1.1.0e/doc/apps/ciphers.pod 2017-02-16 16:37:14.043219953 +0100
|
||||
@@ -181,6 +181,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
|
||||
+=item B<PROFILE=SYSTEM>
|
||||
+
|
||||
+The list of enabled cipher suites will be loaded from the system crypto policy
|
||||
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
|
||||
+See also L<update-crypto-policies(8)>.
|
||||
+This is the default behavior unless an application explicitly sets a cipher
|
||||
+list. If used in a cipher list configuration value this string must be at the
|
||||
+beginning of the cipher list, otherwise it will not be recognized.
|
||||
+
|
||||
=item B<HIGH>
|
||||
|
||||
"high" encryption cipher suites. This currently means those with key lengths
|
||||
diff -up openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist openssl-1.1.0e/include/openssl/ssl.h
|
||||
--- openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
|
||||
+++ openssl-1.1.0e/include/openssl/ssl.h 2017-02-16 16:15:38.676931830 +0100
|
||||
@@ -201,6 +201,11 @@ extern "C" {
|
||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||
@ -86,9 +105,9 @@ diff -up openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist openssl-1.1.0b/i
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
# define SSL_SENT_SHUTDOWN 1
|
||||
diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_ciph.c
|
||||
--- openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist 2016-09-26 11:46:07.000000000 +0200
|
||||
+++ openssl-1.1.0b/ssl/ssl_ciph.c 2016-09-26 16:51:33.056591689 +0200
|
||||
diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_ciph.c
|
||||
--- openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
|
||||
+++ openssl-1.1.0e/ssl/ssl_ciph.c 2017-02-16 16:15:38.691932177 +0100
|
||||
@@ -1289,6 +1289,50 @@ static int check_suiteb_cipher_list(cons
|
||||
}
|
||||
#endif
|
||||
@ -140,7 +159,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
|
||||
**cipher_list, STACK_OF(SSL_CIPHER)
|
||||
**cipher_list_by_id,
|
||||
@@ -1296,19 +1340,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1296,19 +1341,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
{
|
||||
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
|
||||
uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
|
||||
@ -173,7 +192,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
#endif
|
||||
|
||||
/*
|
||||
@@ -1331,7 +1385,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1331,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||
if (co_list == NULL) {
|
||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
||||
@ -182,7 +201,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
}
|
||||
|
||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||
@@ -1401,8 +1455,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1401,8 +1456,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* in force within each class
|
||||
*/
|
||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||
@ -192,7 +211,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1447,9 +1500,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1447,9 +1501,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
@ -203,7 +222,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1475,8 +1527,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1475,8 +1528,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
if (!ok) { /* Rule processing failure */
|
||||
@ -213,7 +232,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1484,8 +1535,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1484,8 +1536,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* if we cannot get one.
|
||||
*/
|
||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||
@ -223,7 +242,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1496,21 +1546,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1496,21 +1547,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
if (curr->active
|
||||
&& (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
|
||||
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
|
||||
@ -249,7 +268,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
}
|
||||
sk_SSL_CIPHER_free(*cipher_list);
|
||||
*cipher_list = cipherstack;
|
||||
@@ -1520,6 +1570,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1520,6 +1571,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
|
||||
|
||||
sk_SSL_CIPHER_sort(*cipher_list_by_id);
|
||||
@ -262,9 +281,9 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
|
||||
return (cipherstack);
|
||||
}
|
||||
|
||||
diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_lib.c
|
||||
--- openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist 2016-09-26 15:57:34.000000000 +0200
|
||||
+++ openssl-1.1.0b/ssl/ssl_lib.c 2016-09-26 16:55:23.668003396 +0200
|
||||
diff -up openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0e/ssl/ssl_lib.c
|
||||
--- openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist 2017-02-16 16:15:38.673931760 +0100
|
||||
+++ openssl-1.1.0e/ssl/ssl_lib.c 2017-02-16 16:15:38.692932200 +0100
|
||||
@@ -509,7 +509,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||
|
||||
sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
|
||||
@ -274,7 +293,7 @@ diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_l
|
||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
return (0);
|
||||
@@ -2395,7 +2395,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
@@ -2403,7 +2403,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
#endif
|
||||
if (!ssl_create_cipher_list(ret->method,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
@ -283,9 +302,9 @@ diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_l
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
diff -up openssl-1.1.0b/test/cipherlist_test.c.system-cipherlist openssl-1.1.0b/test/cipherlist_test.c
|
||||
--- openssl-1.1.0b/test/cipherlist_test.c.system-cipherlist 2016-09-26 11:46:08.000000000 +0200
|
||||
+++ openssl-1.1.0b/test/cipherlist_test.c 2016-09-26 17:18:29.380513853 +0200
|
||||
diff -up openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist openssl-1.1.0e/test/cipherlist_test.c
|
||||
--- openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist 2017-02-16 12:58:24.000000000 +0100
|
||||
+++ openssl-1.1.0e/test/cipherlist_test.c 2017-02-16 16:15:38.677931853 +0100
|
||||
@@ -190,7 +190,9 @@ int main(int argc, char **argv)
|
||||
{
|
||||
int result = 0;
|
||||
|
11
openssl.spec
11
openssl.spec
@ -21,8 +21,8 @@
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.0d
|
||||
Release: 3%{?dist}
|
||||
Version: 1.1.0e
|
||||
Release: 1%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -61,7 +61,6 @@ Patch42: openssl-1.1.0-fips.patch
|
||||
Patch43: openssl-1.1.0-afalg-eventfd2.patch
|
||||
Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch60: openssl-1.1.0-backports.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -162,8 +161,6 @@ cp %{SOURCE13} test/
|
||||
%patch43 -p1 -b .eventfd2
|
||||
%patch44 -p1 -b .preserve-nl
|
||||
|
||||
%patch60 -p1 -b .backports
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
# default
|
||||
@ -430,6 +427,10 @@ export LD_LIBRARY_PATH
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Feb 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0e-1
|
||||
- update to upstream version 1.1.0e
|
||||
- add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
|
||||
|
||||
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0d-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (openssl-1.1.0d-hobbled.tar.xz) = 375cecff07762593606d5e3ea145cf3dfad8ab5ce2fa2b696ffa2fbff9b45b929259f481c44d1db475183030e70eb443ae8c73ee9257fb766597032b27654349
|
||||
SHA512 (openssl-1.1.0e-hobbled.tar.xz) = 7db753907c211427ed494d92915c255d05faf9b47f22febfffbfe2be602777b6b82d7c71793003c2ebbbf7f67708c80a72aacde2582501ae63761b1090523974
|
||||
|
Loading…
Reference in New Issue
Block a user