diff --git a/openssl-1.0.1c-issuer-hash.patch b/openssl-1.0.1c-issuer-hash.patch new file mode 100644 index 0000000..f911501 --- /dev/null +++ b/openssl-1.0.1c-issuer-hash.patch @@ -0,0 +1,11 @@ +diff -up openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1c/crypto/x509/x509_cmp.c +--- openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash 2011-06-22 04:18:06.000000000 +0200 ++++ openssl-1.0.1c/crypto/x509/x509_cmp.c 2012-12-21 17:18:38.101308997 +0100 +@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has + char *f; + + EVP_MD_CTX_init(&ctx); ++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); + ret=strlen(f); + if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) diff --git a/openssl.spec b/openssl.spec index 984d1b0..78af27f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem Name: openssl Version: 1.0.1c # Do not forget to bump SHLIB_VERSION on version upgrades -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -31,6 +31,7 @@ Source: openssl-%{version}-usa.tar.xz Source1: hobble-openssl Source2: Makefile.certificate Source6: make-dummy-cert +Source7: renew-dummy-cert Source8: openssl-thread-test.c Source9: opensslconf-new.h Source10: opensslconf-new-warning.h @@ -46,6 +47,7 @@ Patch8: openssl-1.0.1c-perlfind.patch Patch9: openssl-1.0.1c-aliasing.patch # Bug fixes Patch23: openssl-1.0.1c-default-paths.patch +Patch24: openssl-1.0.1c-issuer-hash.patch # Functionality changes Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch @@ -151,6 +153,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch9 -p1 -b .aliasing %patch23 -p1 -b .default-paths +%patch24 -p1 -b .issuer-hash %patch33 -p1 -b .ca-dir %patch34 -p1 -b .x509 @@ -300,6 +303,7 @@ done mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert +install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/renew-dummy-cert # Make sure we actually include the headers we built against. for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do @@ -431,6 +435,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Fri Dec 21 2012 Tomas Mraz 1.0.1c-11 +- add script for renewal of a self-signed cert by Philip Prindeville (#871566) +- allow X509_issuer_and_serial_hash() produce correct result in + the FIPS mode (#881336) + * Thu Dec 6 2012 Tomas Mraz 1.0.1c-10 - do not load default verify paths if CApath or CAfile specified (#884305) diff --git a/renew-dummy-cert b/renew-dummy-cert new file mode 100755 index 0000000..50f9931 --- /dev/null +++ b/renew-dummy-cert @@ -0,0 +1,42 @@ +#!/bin/bash + +if [ $# -eq 0 ]; then + echo $"Usage: `basename $0` filename" 1>&2 + exit 1 +fi + +PEM=$1 +REQ=`/bin/mktemp /tmp/openssl.XXXXXX` +KEY=`/bin/mktemp /tmp/openssl.XXXXXX` +CRT=`/bin/mktemp /tmp/openssl.XXXXXX` +NEW=${PEM}_ + +trap "rm -f $REQ $KEY $CRT $NEW" SIGINT + +if [ ! -f $PEM ]; then + echo "$PEM: file not found" 1>&2 + exit 1 +fi + +let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2) +let SERIAL++ + +umask 077 + +OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'` + +openssl rsa -inform pem -in $PEM -out $KEY +openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ +openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \ + -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT + +(cat $KEY ; echo "" ; cat $CRT) > $NEW + +chown $OWNER $NEW + +mv -f $NEW $PEM + +rm -f $REQ $KEY $CRT + +exit 0 +