rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

minor upstream release 1.0.2k fixing security issues 

also fix locking of RNG in FIPS mode for some obscure use-cases
This commit is contained in:
Tomas Mraz 2017-11-13 09:36:56 +01:00
parent c914702332
commit d060315de9
10 changed files with 569 additions and 585 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -32,3 +32,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.2i-hobbled.tar.xz
/openssl-1.0.2j-hobbled.tar.xz
/openssl-1.0.2k-hobbled.tar.xz
/openssl-1.0.2m-hobbled.tar.xz

115
openssl-1.0.2k-backports.patch
View File

@ -1,115 +0,0 @@
From e93f7d9c9873e8e9538c0be0b0d3b6851344dd6d Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 26 Jan 2017 17:39:48 +0000
Subject: [PATCH] Use correct signature algorithm list when sending or
checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2298)
---
ssl/s3_lib.c | 2 +-
ssl/s3_srvr.c | 2 +-
ssl/ssl_locl.h | 2 +-
ssl/t1_lib.c | 12 ++++++------
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0385e03..1014a3f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4237,7 +4237,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
return (int)s->cert->ctype_num;
}
/* get configured sigalgs */
- siglen = tls12_get_psigalgs(s, &sig);
+ siglen = tls12_get_psigalgs(s, 1, &sig);
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
nostrict = 0;
for (i = 0; i < siglen; i += 2, sig += 2) {
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index ea56f9c..e5ee384 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2084,7 +2084,7 @@ int ssl3_send_certificate_request(SSL *s)
if (SSL_USE_SIGALGS(s)) {
const unsigned char *psigs;
- nl = tls12_get_psigalgs(s, &psigs);
+ nl = tls12_get_psigalgs(s, 1, &psigs);
s2n(nl, p);
memcpy(p, psigs, nl);
p += nl;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d50edd1..f582d5f 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1430,7 +1430,7 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
long ssl_get_algorithm2(SSL *s);
int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
int tls1_process_sigalgs(SSL *s);
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
const unsigned char *sig, EVP_PKEY *pkey);
void ssl_set_client_disabled(SSL *s);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e60c88b..5355f0e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1035,7 +1035,7 @@ static unsigned char suiteb_sigalgs[] = {
tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
};
# endif
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
{
/*
* If Suite B mode use Suite B sigalgs only, ignore any other
@@ -1057,7 +1057,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
}
# endif
/* If server use client authentication sigalgs if not NULL */
- if (s->server && s->cert->client_sigalgs) {
+ if (s->server == sent && s->cert->client_sigalgs) {
*psigs = s->cert->client_sigalgs;
return s->cert->client_sigalgslen;
} else if (s->cert->conf_sigalgs) {
@@ -1121,7 +1121,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
# endif
/* Check signature matches a type we sent */
- sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
+ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
break;
@@ -1169,7 +1169,7 @@ void ssl_set_client_disabled(SSL *s)
* Now go through all signature algorithms seeing if we support any for
* RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
*/
- sigalgslen = tls12_get_psigalgs(s, &sigalgs);
+ sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
switch (sigalgs[1]) {
# ifndef OPENSSL_NO_RSA
@@ -1440,7 +1440,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (SSL_CLIENT_USE_SIGALGS(s)) {
size_t salglen;
const unsigned char *salg;
- salglen = tls12_get_psigalgs(s, &salg);
+ salglen = tls12_get_psigalgs(s, 1, &salg);
/*-
* check for enough space.
@@ -3803,7 +3803,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
conf = c->conf_sigalgs;
conflen = c->conf_sigalgslen;
} else
- conflen = tls12_get_psigalgs(s, &conf);
+ conflen = tls12_get_psigalgs(s, 0, &conf);
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
pref = conf;
preflen = conflen;
--
2.9.3

78
openssl-1.0.2k-fips-randlock.patch Normal file
View File

@ -0,0 +1,78 @@
diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k/crypto/fips/fips_drbg_lib.c
--- openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock 2017-03-09 17:59:26.249231181 +0100
+++ openssl-1.0.2k/crypto/fips/fips_drbg_lib.c 2017-11-07 10:06:11.666777108 +0100
@@ -338,6 +338,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
return drbg_reseed(dctx, adin, adinlen, 1);
}
+void FIPS_drbg_set_reseed(DRBG_CTX *dctx)
+{
+ if (dctx->status == DRBG_STATUS_READY)
+ dctx->status = DRBG_STATUS_RESEED;
+}
+
static int fips_drbg_check(DRBG_CTX *dctx)
{
if (dctx->xflags & DRBG_FLAG_TEST)
diff -up openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock openssl-1.0.2k/crypto/fips/fips_rand.h
--- openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock 2017-03-09 17:59:26.252231250 +0100
+++ openssl-1.0.2k/crypto/fips/fips_rand.h 2017-11-07 10:06:40.241450151 +0100
@@ -86,6 +86,7 @@ extern "C" {
const unsigned char *pers, size_t perslen);
int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
size_t adinlen);
+ void FIPS_drbg_set_reseed(DRBG_CTX *dctx);
int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
int prediction_resistance,
const unsigned char *adin, size_t adinlen);
diff -up openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock openssl-1.0.2k/crypto/rand/md_rand.c
--- openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock 2017-03-09 17:59:26.255231320 +0100
+++ openssl-1.0.2k/crypto/rand/md_rand.c 2017-10-23 17:28:00.999638475 +0200
@@ -365,6 +365,14 @@ int ssleay_rand_bytes(unsigned char *buf
num_ceil =
(1 + (num - 1) / (MD_DIGEST_LENGTH / 2)) * (MD_DIGEST_LENGTH / 2);
+ /* always poll for external entropy in FIPS mode, drbg provides the
+ * expansion
+ */
+ if (FIPS_module_mode()) {
+ RAND_poll();
+ initialized = 1;
+ }
+
/*
* (Based on the rand(3) manpage:)
*
@@ -391,10 +399,7 @@ int ssleay_rand_bytes(unsigned char *buf
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
crypto_lock_rand = 1;
- /* always poll for external entropy in FIPS mode, drbg provides the
- * expansion
- */
- if (!initialized || FIPS_module_mode()) {
+ if (!initialized) {
RAND_poll();
initialized = 1;
}
diff -up openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock openssl-1.0.2k/crypto/rand/rand_lib.c
--- openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock 2017-03-09 17:59:26.292232183 +0100
+++ openssl-1.0.2k/crypto/rand/rand_lib.c 2017-11-07 10:20:08.050403861 +0100
@@ -238,7 +238,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
RAND_SSLeay()->add(in, inlen, entropy);
if (FIPS_rand_status()) {
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- FIPS_drbg_reseed(ctx, NULL, 0);
+ FIPS_drbg_set_reseed(ctx);
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
}
return 1;
@@ -249,7 +249,7 @@ static int drbg_rand_seed(DRBG_CTX *ctx,
RAND_SSLeay()->seed(in, inlen);
if (FIPS_rand_status()) {
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- FIPS_drbg_reseed(ctx, NULL, 0);
+ FIPS_drbg_set_reseed(ctx);
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
}
return 1;

650
openssl-1.0.2i-fips.patch → openssl-1.0.2m-fips.patch
View File

File diff suppressed because it is too large Load Diff

46
openssl-1.0.2j-krb5keytab.patch → openssl-1.0.2m-krb5keytab.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2j/apps/s_client.c.krb5keytab openssl-1.0.2j/apps/s_client.c
--- openssl-1.0.2j/apps/s_client.c.krb5keytab 2017-01-05 17:02:05.481441088 +0100
+++ openssl-1.0.2j/apps/s_client.c 2017-01-05 17:08:28.311073180 +0100
diff -up openssl-1.0.2m/apps/s_client.c.krb5keytab openssl-1.0.2m/apps/s_client.c
--- openssl-1.0.2m/apps/s_client.c.krb5keytab 2017-11-13 09:02:11.741337880 +0100
+++ openssl-1.0.2m/apps/s_client.c 2017-11-13 09:02:11.764338368 +0100
@@ -171,6 +171,10 @@ typedef unsigned int u_int;
#include "s_apps.h"
#include "timeouts.h"
@ -45,9 +45,9 @@ diff -up openssl-1.0.2j/apps/s_client.c.krb5keytab openssl-1.0.2j/apps/s_client.
}
#endif /* OPENSSL_NO_KRB5 */
/* SSL_set_cipher_list(con,"RC4-MD5"); */
diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.c
--- openssl-1.0.2j/apps/s_server.c.krb5keytab 2017-01-05 17:02:05.482441111 +0100
+++ openssl-1.0.2j/apps/s_server.c 2017-01-05 17:16:36.458078609 +0100
diff -up openssl-1.0.2m/apps/s_server.c.krb5keytab openssl-1.0.2m/apps/s_server.c
--- openssl-1.0.2m/apps/s_server.c.krb5keytab 2017-11-13 09:02:11.742337901 +0100
+++ openssl-1.0.2m/apps/s_server.c 2017-11-13 09:02:11.764338368 +0100
@@ -206,6 +206,11 @@ typedef unsigned int u_int;
# include <fcntl.h>
#endif
@ -60,7 +60,7 @@ diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.
#ifndef OPENSSL_NO_RSA
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
#endif
@@ -579,6 +584,10 @@ static void sv_usage(void)
@@ -575,6 +580,10 @@ static void sv_usage(void)
BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
BIO_printf(bio_err, " -quiet - No server output\n");
BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
@ -71,7 +71,7 @@ diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.
#ifndef OPENSSL_NO_PSK
BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n");
BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n");
@@ -1326,6 +1335,17 @@ int MAIN(int argc, char *argv[])
@@ -1322,6 +1331,17 @@ int MAIN(int argc, char *argv[])
goto bad;
vfyCAfile = *(++argv);
}
@ -89,7 +89,7 @@ diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.
#ifdef FIONBIO
else if (strcmp(*argv, "-nbio") == 0) {
s_nbio = 1;
@@ -2226,8 +2246,10 @@ static int sv_body(char *hostname, int s
@@ -2222,8 +2242,10 @@ static int sv_body(char *hostname, int s
#ifndef OPENSSL_NO_KRB5
if ((kctx = kssl_ctx_new()) != NULL) {
SSL_set0_kssl_ctx(con, kctx);
@ -102,7 +102,7 @@ diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.
}
#endif /* OPENSSL_NO_KRB5 */
if (context)
@@ -2836,8 +2858,11 @@ static int www_body(char *hostname, int
@@ -2832,8 +2854,11 @@ static int www_body(char *hostname, int
#endif
#ifndef OPENSSL_NO_KRB5
if ((kctx = kssl_ctx_new()) != NULL) {
@ -116,18 +116,18 @@ diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.
}
#endif /* OPENSSL_NO_KRB5 */
if (context)
diff -up openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab openssl-1.0.2j/doc/apps/s_client.pod
--- openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab 2016-09-26 11:49:07.000000000 +0200
+++ openssl-1.0.2j/doc/apps/s_client.pod 2017-01-05 17:21:30.562709291 +0100
@@ -43,6 +43,7 @@ B<openssl> B<s_client>
[B<-fallback_scsv>]
[B<-bugs>]
diff -up openssl-1.0.2m/doc/apps/s_client.pod.krb5keytab openssl-1.0.2m/doc/apps/s_client.pod
--- openssl-1.0.2m/doc/apps/s_client.pod.krb5keytab 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/s_client.pod 2017-11-13 09:03:07.388519323 +0100
@@ -46,6 +46,7 @@ B<openssl> B<s_client>
[B<-sigalgs sigalglist>]
[B<-curves curvelist>]
[B<-cipher cipherlist>]
+[B<-krb5svc service>]
[B<-serverpref>]
[B<-starttls protocol>]
[B<-engine id>]
@@ -228,6 +229,12 @@ command for more information.
@@ -246,6 +247,12 @@ command for more information.
use the server's cipher preferences; only used for SSLV2.
@ -140,11 +140,11 @@ diff -up openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab openssl-1.0.2j/doc/apps
=item B<-starttls protocol>
send the protocol-specific message(s) to switch to TLS for communication.
diff -up openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab openssl-1.0.2j/doc/apps/s_server.pod
--- openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab 2017-01-05 17:02:05.482441111 +0100
+++ openssl-1.0.2j/doc/apps/s_server.pod 2017-01-05 17:20:54.769902331 +0100
@@ -37,6 +37,8 @@ B<openssl> B<s_server>
[B<-nocert>]
diff -up openssl-1.0.2m/doc/apps/s_server.pod.krb5keytab openssl-1.0.2m/doc/apps/s_server.pod
--- openssl-1.0.2m/doc/apps/s_server.pod.krb5keytab 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/s_server.pod 2017-11-13 09:03:19.316772571 +0100
@@ -40,6 +40,8 @@ B<openssl> B<s_server>
[B<-named_curve curve>]
[B<-cipher cipherlist>]
[B<-serverpref>]
+[B<-krb5svc service>]
@ -152,7 +152,7 @@ diff -up openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab openssl-1.0.2j/doc/apps
[B<-quiet>]
[B<-no_tmp_rsa>]
[B<-ssl2>]
@@ -246,6 +248,17 @@ the B<ciphers> command for more informat
@@ -262,6 +264,17 @@ the B<ciphers> command for more informat
use the server's cipher preferences, rather than the client's preferences.

38
openssl-1.0.2g-manfix.patch → openssl-1.0.2m-manfix.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.2g/doc/apps/ec.pod.manfix openssl-1.0.2g/doc/apps/ec.pod
--- openssl-1.0.2g/doc/apps/ec.pod.manfix 2016-03-01 14:35:05.000000000 +0100
+++ openssl-1.0.2g/doc/apps/ec.pod 2016-03-01 16:47:35.331568290 +0100
@@ -93,10 +93,6 @@ prints out the public, private key compo
diff -up openssl-1.0.2m/doc/apps/ec.pod.manfix openssl-1.0.2m/doc/apps/ec.pod
--- openssl-1.0.2m/doc/apps/ec.pod.manfix 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/ec.pod 2017-11-13 09:06:06.372591988 +0100
@@ -94,10 +94,6 @@ prints out the public, private key compo
this option prevents output of the encoded version of the key.
@ -12,9 +12,9 @@ diff -up openssl-1.0.2g/doc/apps/ec.pod.manfix openssl-1.0.2g/doc/apps/ec.pod
=item B<-pubin>
by default a private key is read from the input file: with this option a
diff -up openssl-1.0.2g/doc/apps/openssl.pod.manfix openssl-1.0.2g/doc/apps/openssl.pod
--- openssl-1.0.2g/doc/apps/openssl.pod.manfix 2016-03-01 14:35:05.000000000 +0100
+++ openssl-1.0.2g/doc/apps/openssl.pod 2016-03-01 16:47:35.331568290 +0100
diff -up openssl-1.0.2m/doc/apps/openssl.pod.manfix openssl-1.0.2m/doc/apps/openssl.pod
--- openssl-1.0.2m/doc/apps/openssl.pod.manfix 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/openssl.pod 2017-11-13 09:06:06.372591988 +0100
@@ -163,7 +163,7 @@ Create or examine a netscape certificate
Online Certificate Status Protocol utility.
@ -45,10 +45,10 @@ diff -up openssl-1.0.2g/doc/apps/openssl.pod.manfix openssl-1.0.2g/doc/apps/open
L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
diff -up openssl-1.0.2g/doc/apps/s_client.pod.manfix openssl-1.0.2g/doc/apps/s_client.pod
--- openssl-1.0.2g/doc/apps/s_client.pod.manfix 2016-03-01 14:35:53.000000000 +0100
+++ openssl-1.0.2g/doc/apps/s_client.pod 2016-03-01 16:47:35.358568902 +0100
@@ -35,6 +35,9 @@ B<openssl> B<s_client>
diff -up openssl-1.0.2m/doc/apps/s_client.pod.manfix openssl-1.0.2m/doc/apps/s_client.pod
--- openssl-1.0.2m/doc/apps/s_client.pod.manfix 2017-11-13 09:06:06.346591381 +0100
+++ openssl-1.0.2m/doc/apps/s_client.pod 2017-11-13 09:07:05.273965939 +0100
@@ -36,6 +36,9 @@ B<openssl> B<s_client>
[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
@ -58,19 +58,19 @@ diff -up openssl-1.0.2g/doc/apps/s_client.pod.manfix openssl-1.0.2g/doc/apps/s_c
[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
@@ -201,7 +204,7 @@ Use the PSK key B<key> when using a PSK
given as a hexadecimal number without leading 0x, for example -psk
@@ -208,7 +211,7 @@ given as a hexadecimal number without le
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
These options require or disable the use of the specified SSL or TLS protocols.
By default the initial handshake uses a I<version-flexible> method which will
diff -up openssl-1.0.2g/doc/apps/s_server.pod.manfix openssl-1.0.2g/doc/apps/s_server.pod
--- openssl-1.0.2g/doc/apps/s_server.pod.manfix 2016-03-01 14:35:53.000000000 +0100
+++ openssl-1.0.2g/doc/apps/s_server.pod 2016-03-01 16:47:35.359568925 +0100
@@ -42,6 +42,8 @@ B<openssl> B<s_server>
diff -up openssl-1.0.2m/doc/apps/s_server.pod.manfix openssl-1.0.2m/doc/apps/s_server.pod
--- openssl-1.0.2m/doc/apps/s_server.pod.manfix 2017-11-13 09:06:06.346591381 +0100
+++ openssl-1.0.2m/doc/apps/s_server.pod 2017-11-13 09:07:24.481413978 +0100
@@ -47,6 +47,8 @@ B<openssl> B<s_server>
[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
@ -79,9 +79,9 @@ diff -up openssl-1.0.2g/doc/apps/s_server.pod.manfix openssl-1.0.2g/doc/apps/s_s
[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
@@ -217,7 +219,7 @@ Use the PSK key B<key> when using a PSK
given as a hexadecimal number without leading 0x, for example -psk
@@ -224,7 +226,7 @@ given as a hexadecimal number without le
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>

64
openssl-1.0.2i-secure-getenv.patch → openssl-1.0.2m-secure-getenv.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_api.c
--- openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/conf/conf_api.c 2016-09-22 13:51:29.847742209 +0200
diff -up openssl-1.0.2m/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2m/crypto/conf/conf_api.c
--- openssl-1.0.2m/crypto/conf/conf_api.c.secure-getenv 2017-11-02 15:32:57.000000000 +0100
+++ openssl-1.0.2m/crypto/conf/conf_api.c 2017-11-13 09:04:24.456214656 +0100
@@ -63,6 +63,8 @@
# define NDEBUG
#endif
@ -28,9 +28,9 @@ diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/cryp
}
#if 0 /* There's no way to provide error checking
diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_mod.c
--- openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/conf/conf_mod.c 2016-09-22 13:51:29.847742209 +0200
diff -up openssl-1.0.2m/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2m/crypto/conf/conf_mod.c
--- openssl-1.0.2m/crypto/conf/conf_mod.c.secure-getenv 2017-11-02 15:32:57.000000000 +0100
+++ openssl-1.0.2m/crypto/conf/conf_mod.c 2017-11-13 09:04:24.456214656 +0100
@@ -57,6 +57,8 @@
*
*/
@ -49,9 +49,9 @@ diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/cryp
if (file)
return BUF_strdup(file);
diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/crypto/engine/eng_list.c
--- openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/engine/eng_list.c 2016-09-22 13:51:29.847742209 +0200
diff -up openssl-1.0.2m/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2m/crypto/engine/eng_list.c
--- openssl-1.0.2m/crypto/engine/eng_list.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/crypto/engine/eng_list.c 2017-11-13 09:04:24.456214656 +0100
@@ -62,6 +62,8 @@
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
@ -74,9 +74,9 @@ diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/cr
load_dir = ENGINESDIR;
# endif
iterator = ENGINE_by_id("dynamic");
diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypto/md5/md5_dgst.c
--- openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv 2016-09-22 13:51:29.840742047 +0200
+++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:51:29.847742209 +0200
diff -up openssl-1.0.2m/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2m/crypto/md5/md5_dgst.c
--- openssl-1.0.2m/crypto/md5/md5_dgst.c.secure-getenv 2017-11-13 09:04:24.446214423 +0100
+++ openssl-1.0.2m/crypto/md5/md5_dgst.c 2017-11-13 09:04:24.456214656 +0100
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
@ -96,9 +96,9 @@ diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypt
OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
return private_MD5_Init(c);
}
diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_init.c
--- openssl-1.0.2i/crypto/o_init.c.secure-getenv 2016-09-22 13:51:29.830741814 +0200
+++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:51:30.046746834 +0200
diff -up openssl-1.0.2m/crypto/o_init.c.secure-getenv openssl-1.0.2m/crypto/o_init.c
--- openssl-1.0.2m/crypto/o_init.c.secure-getenv 2017-11-13 09:04:24.431214072 +0100
+++ openssl-1.0.2m/crypto/o_init.c 2017-11-13 09:04:24.456214656 +0100
@@ -53,6 +53,8 @@
*
*/
@ -117,9 +117,9 @@ diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_in
buf[0] = '1';
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/crypto/rand/randfile.c
--- openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/rand/randfile.c 2016-09-22 13:53:17.222237626 +0200
diff -up openssl-1.0.2m/crypto/rand/randfile.c.secure-getenv openssl-1.0.2m/crypto/rand/randfile.c
--- openssl-1.0.2m/crypto/rand/randfile.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/crypto/rand/randfile.c 2017-11-13 09:04:24.457214679 +0100
@@ -55,6 +55,8 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
@ -146,9 +146,9 @@ diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/cryp
#ifdef DEFAULT_HOME
if (s == NULL) {
s = DEFAULT_HOME;
diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto/x509/by_dir.c
--- openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/x509/by_dir.c 2016-09-22 13:51:30.047746858 +0200
diff -up openssl-1.0.2m/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2m/crypto/x509/by_dir.c
--- openssl-1.0.2m/crypto/x509/by_dir.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/crypto/x509/by_dir.c 2017-11-13 09:04:24.457214679 +0100
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
@ -167,9 +167,9 @@ diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto
if (dir)
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
else
diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypto/x509/by_file.c
--- openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv 2016-09-22 13:51:29.812741396 +0200
+++ openssl-1.0.2i/crypto/x509/by_file.c 2016-09-22 13:51:30.047746858 +0200
diff -up openssl-1.0.2m/crypto/x509/by_file.c.secure-getenv openssl-1.0.2m/crypto/x509/by_file.c
--- openssl-1.0.2m/crypto/x509/by_file.c.secure-getenv 2017-11-13 09:04:24.405213466 +0100
+++ openssl-1.0.2m/crypto/x509/by_file.c 2017-11-13 09:05:04.115139752 +0100
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
@ -183,14 +183,14 @@ diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypt
switch (cmd) {
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT) {
- file = (char *)getenv(X509_get_default_cert_file_env());
+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
- file = getenv(X509_get_default_cert_file_env());
+ file = secure_getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0);
diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/crypto/x509/x509_vfy.c
--- openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/x509/x509_vfy.c 2016-09-22 13:51:30.048746881 +0200
diff -up openssl-1.0.2m/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2m/crypto/x509/x509_vfy.c
--- openssl-1.0.2m/crypto/x509/x509_vfy.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/crypto/x509/x509_vfy.c 2017-11-13 09:04:24.458214702 +0100
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
@ -209,9 +209,9 @@ diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/cryp
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}
diff -up openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2i/engines/ccgost/gost_ctl.c
--- openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/engines/ccgost/gost_ctl.c 2016-09-22 13:51:30.048746881 +0200
diff -up openssl-1.0.2m/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2m/engines/ccgost/gost_ctl.c
--- openssl-1.0.2m/engines/ccgost/gost_ctl.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/engines/ccgost/gost_ctl.c 2017-11-13 09:04:24.458214702 +0100
@@ -6,6 +6,8 @@
* Implementation of control commands for GOST engine *
* OpenSSL 0.9.9 libraries required *

140
openssl-1.0.2i-trusted-first-doc.patch → openssl-1.0.2m-trusted-first-doc.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c
--- openssl-1.0.2i/apps/cms.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/cms.c 2016-09-22 14:01:27.436630359 +0200
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
diff -up openssl-1.0.2m/apps/cms.c.trusted-first openssl-1.0.2m/apps/cms.c
--- openssl-1.0.2m/apps/cms.c.trusted-first 2017-11-02 15:32:57.000000000 +0100
+++ openssl-1.0.2m/apps/cms.c 2017-11-13 09:08:18.613672265 +0100
@@ -644,6 +644,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err,
@ -10,9 +10,9 @@ diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c
--- openssl-1.0.2i/apps/ocsp.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/ocsp.c 2016-09-22 14:01:27.436630359 +0200
diff -up openssl-1.0.2m/apps/ocsp.c.trusted-first openssl-1.0.2m/apps/ocsp.c
--- openssl-1.0.2m/apps/ocsp.c.trusted-first 2017-11-02 15:32:57.000000000 +0100
+++ openssl-1.0.2m/apps/ocsp.c 2017-11-13 09:08:18.613672265 +0100
@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-CAfile file trusted certificates file\n");
@ -22,10 +22,10 @@ diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-VAfile file validator certificates file\n");
diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_client.c
--- openssl-1.0.2i/apps/s_client.c.trusted-first 2016-09-22 14:01:27.402629569 +0200
+++ openssl-1.0.2i/apps/s_client.c 2016-09-22 14:01:27.436630359 +0200
@@ -330,6 +330,8 @@ static void sc_usage(void)
diff -up openssl-1.0.2m/apps/s_client.c.trusted-first openssl-1.0.2m/apps/s_client.c
--- openssl-1.0.2m/apps/s_client.c.trusted-first 2017-11-13 09:08:18.571671320 +0100
+++ openssl-1.0.2m/apps/s_client.c 2017-11-13 09:08:18.613672265 +0100
@@ -334,6 +334,8 @@ static void sc_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err,
@ -34,10 +34,10 @@ diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_clie
" -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c
--- openssl-1.0.2i/apps/smime.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/smime.c 2016-09-22 14:01:27.436630359 +0200
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
diff -up openssl-1.0.2m/apps/smime.c.trusted-first openssl-1.0.2m/apps/smime.c
--- openssl-1.0.2m/apps/smime.c.trusted-first 2017-11-02 15:32:57.000000000 +0100
+++ openssl-1.0.2m/apps/smime.c 2017-11-13 09:08:18.614672288 +0100
@@ -440,6 +440,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err,
@ -46,10 +46,10 @@ diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_server.c
--- openssl-1.0.2i/apps/s_server.c.trusted-first 2016-09-22 14:01:27.374628918 +0200
+++ openssl-1.0.2i/apps/s_server.c 2016-09-22 14:01:27.437630382 +0200
@@ -571,6 +571,8 @@ static void sv_usage(void)
diff -up openssl-1.0.2m/apps/s_server.c.trusted-first openssl-1.0.2m/apps/s_server.c
--- openssl-1.0.2m/apps/s_server.c.trusted-first 2017-11-13 09:08:18.560671072 +0100
+++ openssl-1.0.2m/apps/s_server.c 2017-11-13 09:08:18.614672288 +0100
@@ -572,6 +572,8 @@ static void sv_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err,
@ -58,9 +58,9 @@ diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_serv
" -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n");
diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c
--- openssl-1.0.2i/apps/s_time.c.trusted-first 2016-09-22 14:01:27.368628779 +0200
+++ openssl-1.0.2i/apps/s_time.c 2016-09-22 14:01:27.437630382 +0200
diff -up openssl-1.0.2m/apps/s_time.c.trusted-first openssl-1.0.2m/apps/s_time.c
--- openssl-1.0.2m/apps/s_time.c.trusted-first 2017-11-13 09:08:18.526670306 +0100
+++ openssl-1.0.2m/apps/s_time.c 2017-11-13 09:08:18.614672288 +0100
@@ -182,6 +182,7 @@ static void s_time_usage(void)
file if not specified by this option\n\
-CApath arg - PEM format directory of CA's\n\
@ -69,9 +69,9 @@ diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
printf("usage: s_time <args>\n\n");
diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c
--- openssl-1.0.2i/apps/ts.c.trusted-first 2016-09-22 14:01:27.400629522 +0200
+++ openssl-1.0.2i/apps/ts.c 2016-09-22 14:01:27.437630382 +0200
diff -up openssl-1.0.2m/apps/ts.c.trusted-first openssl-1.0.2m/apps/ts.c
--- openssl-1.0.2m/apps/ts.c.trusted-first 2017-11-13 09:08:18.569671275 +0100
+++ openssl-1.0.2m/apps/ts.c 2017-11-13 09:08:18.614672288 +0100
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
"[-queryfile request.tsq] "
@ -81,10 +81,10 @@ diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c
"-untrusted cert_file.pem\n");
cleanup:
/* Clean up. */
diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c
--- openssl-1.0.2i/apps/verify.c.trusted-first 2016-09-22 14:01:27.438630405 +0200
+++ openssl-1.0.2i/apps/verify.c 2016-09-22 14:02:37.951269140 +0200
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
diff -up openssl-1.0.2m/apps/verify.c.trusted-first openssl-1.0.2m/apps/verify.c
--- openssl-1.0.2m/apps/verify.c.trusted-first 2017-11-02 15:32:57.000000000 +0100
+++ openssl-1.0.2m/apps/verify.c 2017-11-13 09:08:18.615672310 +0100
@@ -227,7 +227,7 @@ int MAIN(int argc, char **argv)
usage:
if (ret == 1) {
BIO_printf(bio_err,
@ -93,10 +93,10 @@ diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c
BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]");
diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/cms.pod
--- openssl-1.0.2i/doc/apps/cms.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/cms.pod 2016-09-22 14:01:27.438630405 +0200
@@ -35,6 +35,7 @@ B<openssl> B<cms>
diff -up openssl-1.0.2m/doc/apps/cms.pod.trusted-first openssl-1.0.2m/doc/apps/cms.pod
--- openssl-1.0.2m/doc/apps/cms.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/cms.pod 2017-11-13 09:08:18.615672310 +0100
@@ -36,6 +36,7 @@ B<openssl> B<cms>
[B<-print>]
[B<-CAfile file>]
[B<-CApath dir>]
@ -104,7 +104,7 @@ diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/c
[B<-no_alt_chains>]
[B<-md digest>]
[B<-[cipher]>]
@@ -248,6 +249,12 @@ B<-verify>. This directory must be a sta
@@ -249,6 +250,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
@ -117,10 +117,10 @@ diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/c
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/ocsp.pod
--- openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first 2016-09-22 14:01:27.401629545 +0200
+++ openssl-1.0.2i/doc/apps/ocsp.pod 2016-09-22 14:01:27.438630405 +0200
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
diff -up openssl-1.0.2m/doc/apps/ocsp.pod.trusted-first openssl-1.0.2m/doc/apps/ocsp.pod
--- openssl-1.0.2m/doc/apps/ocsp.pod.trusted-first 2017-11-13 09:08:18.569671275 +0100
+++ openssl-1.0.2m/doc/apps/ocsp.pod 2017-11-13 09:08:18.615672310 +0100
@@ -31,6 +31,7 @@ B<openssl> B<ocsp>
[B<-path>]
[B<-CApath dir>]
[B<-CAfile file>]
@ -128,7 +128,7 @@ diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/
[B<-no_alt_chains>]
[B<-VAfile file>]
[B<-validity_period n>]
@@ -144,6 +145,13 @@ connection timeout to the OCSP responder
@@ -154,6 +155,13 @@ connection timeout to the OCSP responder
file or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.
@ -142,10 +142,10 @@ diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/
=item B<-no_alt_chains>
See L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/apps/s_client.pod
--- openssl-1.0.2i/doc/apps/s_client.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
+++ openssl-1.0.2i/doc/apps/s_client.pod 2016-09-22 14:01:27.438630405 +0200
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
diff -up openssl-1.0.2m/doc/apps/s_client.pod.trusted-first openssl-1.0.2m/doc/apps/s_client.pod
--- openssl-1.0.2m/doc/apps/s_client.pod.trusted-first 2017-11-13 09:08:18.582671567 +0100
+++ openssl-1.0.2m/doc/apps/s_client.pod 2017-11-13 09:08:18.615672310 +0100
@@ -20,6 +20,7 @@ B<openssl> B<s_client>
[B<-pass arg>]
[B<-CApath directory>]
[B<-CAfile filename>]
@ -153,7 +153,7 @@ diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/a
[B<-no_alt_chains>]
[B<-reconnect>]
[B<-pause>]
@@ -125,7 +126,7 @@ also used when building the client certi
@@ -129,7 +130,7 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
@ -162,10 +162,10 @@ diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/a
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps/smime.pod
--- openssl-1.0.2i/doc/apps/smime.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/smime.pod 2016-09-22 14:01:27.438630405 +0200
@@ -15,6 +15,9 @@ B<openssl> B<smime>
diff -up openssl-1.0.2m/doc/apps/smime.pod.trusted-first openssl-1.0.2m/doc/apps/smime.pod
--- openssl-1.0.2m/doc/apps/smime.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/smime.pod 2017-11-13 09:08:18.615672310 +0100
@@ -16,6 +16,9 @@ B<openssl> B<smime>
[B<-pk7out>]
[B<-[cipher]>]
[B<-in file>]
@ -175,7 +175,7 @@ diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps
[B<-no_alt_chains>]
[B<-certfile file>]
[B<-signer file>]
@@ -150,6 +153,12 @@ B<-verify>. This directory must be a sta
@@ -151,6 +154,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
@ -188,18 +188,18 @@ diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/apps/s_server.pod
--- openssl-1.0.2i/doc/apps/s_server.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
+++ openssl-1.0.2i/doc/apps/s_server.pod 2016-09-22 14:01:27.438630405 +0200
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
diff -up openssl-1.0.2m/doc/apps/s_server.pod.trusted-first openssl-1.0.2m/doc/apps/s_server.pod
--- openssl-1.0.2m/doc/apps/s_server.pod.trusted-first 2017-11-13 09:08:18.583671590 +0100
+++ openssl-1.0.2m/doc/apps/s_server.pod 2017-11-13 09:09:04.706710088 +0100
@@ -34,6 +34,7 @@ B<openssl> B<s_server>
[B<-state>]
[B<-CApath directory>]
[B<-CAfile filename>]
+[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-nocert>]
[B<-cipher cipherlist>]
@@ -178,6 +179,12 @@ and to use when attempting to build the
[B<-client_sigalgs sigalglist>]
@@ -183,6 +184,12 @@ and to use when attempting to build the
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
@ -212,10 +212,10 @@ diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/a
=item B<-no_alt_chains>
See the L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/apps/s_time.pod
--- openssl-1.0.2i/doc/apps/s_time.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/s_time.pod 2016-09-22 14:01:27.439630429 +0200
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
diff -up openssl-1.0.2m/doc/apps/s_time.pod.trusted-first openssl-1.0.2m/doc/apps/s_time.pod
--- openssl-1.0.2m/doc/apps/s_time.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/s_time.pod 2017-11-13 09:08:18.616672333 +0100
@@ -15,6 +15,7 @@ B<openssl> B<s_time>
[B<-key filename>]
[B<-CApath directory>]
[B<-CAfile filename>]
@ -223,7 +223,7 @@ diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/app
[B<-reuse>]
[B<-new>]
[B<-verify depth>]
@@ -76,6 +77,12 @@ also used when building the client certi
@@ -77,6 +78,12 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
@ -236,10 +236,10 @@ diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/app
=item B<-new>
performs the timing test using a new session ID for each connection.
diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts.pod
--- openssl-1.0.2i/doc/apps/ts.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/ts.pod 2016-09-22 14:01:27.439630429 +0200
@@ -46,6 +46,7 @@ B<-verify>
diff -up openssl-1.0.2m/doc/apps/ts.pod.trusted-first openssl-1.0.2m/doc/apps/ts.pod
--- openssl-1.0.2m/doc/apps/ts.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/ts.pod 2017-11-13 09:08:18.616672333 +0100
@@ -47,6 +47,7 @@ B<-verify>
[B<-token_in>]
[B<-CApath> trusted_cert_path]
[B<-CAfile> trusted_certs.pem]
@ -247,7 +247,7 @@ diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts
[B<-untrusted> cert_file.pem]
=head1 DESCRIPTION
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
@@ -325,6 +326,12 @@ L<verify(1)|verify(1)> for additional de
or B<-CApath> must be specified.
(Optional)
@ -260,10 +260,10 @@ diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts
=item B<-untrusted> cert_file.pem
Set of additional untrusted certificates in PEM format which may be
diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/apps/verify.pod
--- openssl-1.0.2i/doc/apps/verify.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/verify.pod 2016-09-22 14:01:27.439630429 +0200
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
diff -up openssl-1.0.2m/doc/apps/verify.pod.trusted-first openssl-1.0.2m/doc/apps/verify.pod
--- openssl-1.0.2m/doc/apps/verify.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
+++ openssl-1.0.2m/doc/apps/verify.pod 2017-11-13 09:08:18.616672333 +0100
@@ -10,6 +10,7 @@ verify - Utility to verify certificates.
B<openssl> B<verify>
[B<-CApath directory>]
[B<-CAfile file>]
@ -271,7 +271,7 @@ diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/app
[B<-purpose purpose>]
[B<-policy arg>]
[B<-ignore_critical>]
@@ -86,6 +87,12 @@ If a valid CRL cannot be found an error
@@ -87,6 +88,12 @@ If a valid CRL cannot be found an error
A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together.

20
openssl.spec
View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.2k
Version: 1.0.2m
Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
@ -57,8 +57,8 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch
Patch39: openssl-1.0.2a-ipv6-apps.patch
Patch40: openssl-1.0.2i-fips.patch
Patch43: openssl-1.0.2j-krb5keytab.patch
Patch40: openssl-1.0.2m-fips.patch
Patch43: openssl-1.0.2m-krb5keytab.patch
Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch
@ -70,9 +70,9 @@ Patch60: openssl-1.0.2a-apps-dgst.patch
Patch63: openssl-1.0.2a-xmpp-starttls.patch
Patch65: openssl-1.0.2i-chil-fixes.patch
Patch66: openssl-1.0.2h-pkgconfig.patch
Patch68: openssl-1.0.2i-secure-getenv.patch
Patch68: openssl-1.0.2m-secure-getenv.patch
Patch70: openssl-1.0.2a-fips-ec.patch
Patch71: openssl-1.0.2g-manfix.patch
Patch71: openssl-1.0.2m-manfix.patch
Patch72: openssl-1.0.2a-fips-ctor.patch
Patch73: openssl-1.0.2c-ecc-suiteb.patch
Patch74: openssl-1.0.2j-deprecate-algos.patch
@ -86,11 +86,11 @@ Patch93: openssl-1.0.2g-disable-sslv2v3.patch
Patch94: openssl-1.0.2d-secp256k1.patch
Patch95: openssl-1.0.2e-remove-nistp224.patch
Patch96: openssl-1.0.2e-speed-doc.patch
Patch99: openssl-1.0.2k-fips-randlock.patch
# Backported fixes including security fixes
Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch
Patch82: openssl-1.0.2i-trusted-first-doc.patch
Patch83: openssl-1.0.2k-backports.patch
Patch82: openssl-1.0.2m-trusted-first-doc.patch
License: OpenSSL
Group: System Environment/Libraries
@ -212,11 +212,11 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch94 -p1 -b .secp256k1
%patch95 -p1 -b .nistp224
%patch96 -p1 -b .speed-doc
%patch99 -p1 -b .randlock
%patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .trusted-first
%patch83 -p1 -b .backports
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -517,6 +517,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
* Mon Nov 13 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2m-1
- minor upstream release 1.0.2k fixing security issues
- fix locking of RNG in FIPS mode for some obscure use-cases
* Mon Feb 6 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-1
- minor upstream release 1.0.2k fixing security issues
- deprecate and disable verification of insecure hash algorithms

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-1.0.2k-hobbled.tar.xz) = f702b9a18f4500f0263e0c1fc09985a8caf72c8bcb744b8d3683a49ec889120b1b595db42f2a66cae722312736b09236a0911548590d318382a2981f35fed533
SHA512 (openssl-1.0.2m-hobbled.tar.xz) = 6f12a3da610e6824dac5a9eee1384038aaf91b11f9c720cadef5a103d763e8816af1d3d472ca325868a6442311541013fb2eca65334297e14a241c91092fd589