Compare commits
6 Commits
Author | SHA1 | Date |
---|---|---|
Tomas Mraz | 10d3d0df07 | |
Tomas Mraz | d3eb330a7e | |
Tomas Mraz | d060315de9 | |
Tomas Mraz | c914702332 | |
Tomas Mraz | e665925b65 | |
Tomas Mraz | 94c1cf7e19 |
|
@ -31,3 +31,5 @@ openssl-1.0.0a-usa.tar.bz2
|
|||
/openssl-1.0.2h-hobbled.tar.xz
|
||||
/openssl-1.0.2i-hobbled.tar.xz
|
||||
/openssl-1.0.2j-hobbled.tar.xz
|
||||
/openssl-1.0.2k-hobbled.tar.xz
|
||||
/openssl-1.0.2m-hobbled.tar.xz
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
Guide for legacy support enablement
|
||||
===================================
|
||||
|
||||
To improve security provided by use of OpenSSL especially in context of
|
||||
TLS connections we regularly review and deprecate algorithms and algorithm
|
||||
settings which are no longer viewed as secure.
|
||||
|
||||
For some of these deprecated algorithms we provide a way for the
|
||||
system administrator to reenable them.
|
||||
|
||||
Deprecated algorithms, protocols and settings in OpenSSL
|
||||
========================================================
|
||||
|
||||
Previous Red Hat Enterprise Linux 7 update releases:
|
||||
|
||||
* SSL2 protocol disabled by default.
|
||||
* Minimum DH group size accepted by SSL/TLS client 768 bits.
|
||||
* Verification of certificates and signatures using MD5 hash
|
||||
disabled.
|
||||
|
||||
Red Hat Enterprise Linux 7.4:
|
||||
|
||||
* SSL2 protocol support completely disabled (cannot be re-enabled).
|
||||
* All SSL/TLS export ciphers disabled.
|
||||
* All SSL/TLS ciphersuites with keys smaller than 128 bits disabled.
|
||||
* Minimum DH group size accepted by SSL/TLS client 1024 bits.
|
||||
* Disabled support for verification of certificates and signatures
|
||||
using MD2, MD4, MD5, and SHA0 hashes.
|
||||
|
||||
Legacy support enablement
|
||||
=========================
|
||||
|
||||
The OpenSSL now supports /etc/pki/tls/legacy-settings configuration file
|
||||
which can be created by the system administrator which contains lines with
|
||||
simple Key Value pairs.
|
||||
|
||||
The library recognizes the following possible configuration settings in
|
||||
that file:
|
||||
|
||||
LegacySigningMDs md2 md5
|
||||
MinimumDHBits 512
|
||||
|
||||
The LegacySigningMDs option allows reenabling support for verification of
|
||||
signatures with the specified hash algorithms. These can be any combination
|
||||
of md2, md4, md5 and sha. (sha represents SHA0 algorithm, not SHA1.) Any
|
||||
unrecognized algorithms are ignored.
|
||||
|
||||
The MinimumDHBits option allows setting of the minimum bit size of DH group
|
||||
accepted by SSL/TLS client. It can be any value between 512 and 10000.
|
||||
|
||||
If the configuration file is not present the built-in defaults (that is the
|
||||
secure defaults) are used. Any unrecognized lines (with other parameter
|
||||
names or comments) are ignored.
|
|
@ -1,25 +0,0 @@
|
|||
diff -up openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.2a/crypto/asn1/a_verify.c
|
||||
--- openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify 2015-04-09 18:20:58.829680829 +0200
|
||||
+++ openssl-1.0.2a/crypto/asn1/a_verify.c 2015-04-09 18:20:54.495580710 +0200
|
||||
@@ -56,6 +56,9 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
+
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
|
||||
@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
|
||||
if (ret != 2)
|
||||
goto err;
|
||||
ret = -1;
|
||||
+ } else if (mdnid == NID_md5
|
||||
+ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
|
||||
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
|
||||
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||
+ goto err;
|
||||
} else {
|
||||
const EVP_MD *type;
|
||||
type = EVP_get_digestbynid(mdnid);
|
|
@ -0,0 +1,226 @@
|
|||
diff -up openssl-1.0.2j/crypto/asn1/a_verify.c.deprecate-algos openssl-1.0.2j/crypto/asn1/a_verify.c
|
||||
--- openssl-1.0.2j/crypto/asn1/a_verify.c.deprecate-algos 2016-09-26 11:49:07.000000000 +0200
|
||||
+++ openssl-1.0.2j/crypto/asn1/a_verify.c 2017-01-09 16:47:11.666994197 +0100
|
||||
@@ -56,6 +56,9 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
+
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
|
||||
@@ -133,6 +136,30 @@ int ASN1_verify(i2d_of_void *i2d, X509_A
|
||||
|
||||
#endif
|
||||
|
||||
+static int legacy_mds[] = { NID_md5, NID_sha, NID_md4, NID_md2, 0 };
|
||||
+extern int private_ossl_allowed_legacy_mds[];
|
||||
+
|
||||
+static int is_md_legacy_disallowed(int mdnid)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") != NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ for (i = 0; legacy_mds[i] != 0; ++i) {
|
||||
+ if (mdnid == legacy_mds[i]) {
|
||||
+ int j;
|
||||
+
|
||||
+ for (j = 0; private_ossl_allowed_legacy_mds[j] != 0; ++j) {
|
||||
+ if (mdnid == private_ossl_allowed_legacy_mds[j])
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
|
||||
ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
|
||||
{
|
||||
@@ -174,6 +201,10 @@ int ASN1_item_verify(const ASN1_ITEM *it
|
||||
if (ret != 2)
|
||||
goto err;
|
||||
ret = -1;
|
||||
+ } else if (is_md_legacy_disallowed(mdnid)) {
|
||||
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
|
||||
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||
+ goto err;
|
||||
} else {
|
||||
const EVP_MD *type;
|
||||
type = EVP_get_digestbynid(mdnid);
|
||||
diff -up openssl-1.0.2j/crypto/o_init.c.deprecate-algos openssl-1.0.2j/crypto/o_init.c
|
||||
--- openssl-1.0.2j/crypto/o_init.c.deprecate-algos 2017-01-05 17:49:00.000000000 +0100
|
||||
+++ openssl-1.0.2j/crypto/o_init.c 2017-01-09 16:52:29.018298611 +0100
|
||||
@@ -64,11 +64,21 @@
|
||||
# include <unistd.h>
|
||||
# include <errno.h>
|
||||
# include <stdlib.h>
|
||||
+# include <stdio.h>
|
||||
+# include <string.h>
|
||||
+# include <strings.h>
|
||||
+# include <ctype.h>
|
||||
# include <openssl/fips.h>
|
||||
# include <openssl/rand.h>
|
||||
+# include <openssl/dh.h>
|
||||
+# include <openssl/objects.h>
|
||||
|
||||
# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||
|
||||
+# define LEGACY_SETTINGS_FILE "/etc/pki/tls/legacy-settings"
|
||||
+
|
||||
+# define NUM_MAX_LEGACY_MDS 8
|
||||
+
|
||||
static void init_fips_mode(void)
|
||||
{
|
||||
char buf[2] = "0";
|
||||
@@ -98,6 +108,115 @@ static void init_fips_mode(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
+int private_ossl_allowed_legacy_mds[NUM_MAX_LEGACY_MDS + 1]; /* zero terminated */
|
||||
+
|
||||
+int private_ossl_minimum_dh_bits;
|
||||
+
|
||||
+static void parse_legacy_mds(char *p)
|
||||
+{
|
||||
+ int idx = 0;
|
||||
+ char *e = p;
|
||||
+
|
||||
+ while (p[0] != '\0') {
|
||||
+ while (e[0] != '\0' && !isspace(e[0]) && e[0] != ',') {
|
||||
+ ++e;
|
||||
+ }
|
||||
+ if (e[0] != '\0') {
|
||||
+ e[0] = '\0';
|
||||
+ ++e;
|
||||
+ }
|
||||
+
|
||||
+ if (strcasecmp(p, "md5") == 0) {
|
||||
+ private_ossl_allowed_legacy_mds[idx++] = NID_md5;
|
||||
+ } else if (strcasecmp(p, "md4") == 0) {
|
||||
+ private_ossl_allowed_legacy_mds[idx++] = NID_md4;
|
||||
+ } else if (strcasecmp(p, "sha") == 0) {
|
||||
+ private_ossl_allowed_legacy_mds[idx++] = NID_sha;
|
||||
+ } else if (strcasecmp(p, "md2") == 0) {
|
||||
+ private_ossl_allowed_legacy_mds[idx++] = NID_md2;
|
||||
+ }
|
||||
+
|
||||
+ if (idx >=
|
||||
+ sizeof(private_ossl_allowed_legacy_mds) /
|
||||
+ sizeof(private_ossl_allowed_legacy_mds[0])) {
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ while (e[0] == ',' || isspace(e[0])) {
|
||||
+ ++e;
|
||||
+ }
|
||||
+
|
||||
+ p = e;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void parse_minimum_dh_bits(char *p)
|
||||
+{
|
||||
+ private_ossl_minimum_dh_bits = strtol(p, NULL, 10);
|
||||
+ if (private_ossl_minimum_dh_bits < 512
|
||||
+ || private_ossl_minimum_dh_bits > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ /* use default */
|
||||
+ private_ossl_minimum_dh_bits = 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void load_legacy_settings(void)
|
||||
+{
|
||||
+ FILE *f;
|
||||
+ char *line = NULL;
|
||||
+ size_t len = 0;
|
||||
+
|
||||
+ if ((f = fopen(LEGACY_SETTINGS_FILE, "r")) == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ while (getline(&line, &len, f) > 0) {
|
||||
+ char *p = line, *e, *val;
|
||||
+
|
||||
+ /* skip initial whitespace */
|
||||
+ while (isspace(p[0])) {
|
||||
+ ++p;
|
||||
+ }
|
||||
+
|
||||
+ e = p;
|
||||
+
|
||||
+ while (e[0] != '\0' && !isspace(e[0])) {
|
||||
+ ++e;
|
||||
+ }
|
||||
+
|
||||
+ /* terminate name, skip whitespace between name and value */
|
||||
+ if (e[0] != '\0') {
|
||||
+ e[0] = '\0';
|
||||
+ ++e;
|
||||
+ while (isspace(e[0])) {
|
||||
+ ++e;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ val = e;
|
||||
+
|
||||
+ e = e + strlen(val);
|
||||
+
|
||||
+ /* trim terminating whitespace */
|
||||
+ while (e > val) {
|
||||
+ --e;
|
||||
+ if (isspace(e[0])) {
|
||||
+ e[0] = '\0';
|
||||
+ } else {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (strcasecmp(p, "LegacySigningMDs") == 0) {
|
||||
+ parse_legacy_mds(val);
|
||||
+ } else if (strcasecmp(line, "MinimumDHBits") == 0) {
|
||||
+ parse_minimum_dh_bits(val);
|
||||
+ }
|
||||
+ /* simply skip other unrecognized lines */
|
||||
+ }
|
||||
+ (void)fclose(f);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Perform any essential OpenSSL initialization operations. Currently only
|
||||
* sets FIPS callbacks
|
||||
@@ -109,6 +228,7 @@ void __attribute__ ((constructor)) OPENS
|
||||
if (done)
|
||||
return;
|
||||
done = 1;
|
||||
+ load_legacy_settings();
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (!FIPS_module_installed()) {
|
||||
return;
|
||||
diff -up openssl-1.0.2j/ssl/s3_clnt.c.deprecate-algos openssl-1.0.2j/ssl/s3_clnt.c
|
||||
--- openssl-1.0.2j/ssl/s3_clnt.c.deprecate-algos 2016-09-26 11:49:07.000000000 +0200
|
||||
+++ openssl-1.0.2j/ssl/s3_clnt.c 2017-01-09 17:01:19.428506961 +0100
|
||||
@@ -3478,6 +3478,8 @@ int ssl3_send_client_certificate(SSL *s)
|
||||
|
||||
#define has_bits(i,m) (((i)&(m)) == (m))
|
||||
|
||||
+extern int private_ossl_minimum_dh_bits;
|
||||
+
|
||||
int ssl3_check_cert_and_algorithm(SSL *s)
|
||||
{
|
||||
int i, idx;
|
||||
@@ -3608,8 +3610,7 @@ int ssl3_check_cert_and_algorithm(SSL *s
|
||||
DH_free(dh_srvr);
|
||||
}
|
||||
|
||||
- if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024)
|
||||
- || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
|
||||
+ if (dh_size < (private_ossl_minimum_dh_bits ? private_ossl_minimum_dh_bits : 1024)) {
|
||||
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
|
||||
goto f_err;
|
||||
}
|
|
@ -0,0 +1,138 @@
|
|||
diff -up openssl-1.0.2j/ssl/s3_lib.c.downgrade-strength openssl-1.0.2j/ssl/s3_lib.c
|
||||
--- openssl-1.0.2j/ssl/s3_lib.c.downgrade-strength 2017-01-05 17:23:21.091203023 +0100
|
||||
+++ openssl-1.0.2j/ssl/s3_lib.c 2017-01-05 17:36:37.250194225 +0100
|
||||
@@ -227,7 +227,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_SSLV3,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -243,7 +243,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_SSLV3,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -278,7 +278,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_SSLV3,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
#endif
|
||||
@@ -575,7 +575,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_SSLV3,
|
||||
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -730,7 +730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_SSLV3,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -746,7 +746,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_SSLV3,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -796,7 +796,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_SSLV3,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_SSLV3,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -1429,7 +1429,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_TLSV1,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
#endif
|
||||
@@ -1714,7 +1714,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_TLSV1,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -2106,7 +2106,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_TLSV1,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -2186,7 +2186,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_TLSV1,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -2266,7 +2266,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_TLSV1,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -2346,7 +2346,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_TLSV1,
|
||||
SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
||||
@@ -2426,7 +2426,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
|
||||
SSL_TLSV1,
|
||||
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
- 128,
|
||||
+ 112,
|
||||
128,
|
||||
},
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2i/crypto/bn/bn_rand.c
|
||||
--- openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs 2016-09-22 13:54:26.533848449 +0200
|
||||
+++ openssl-1.0.2i/crypto/bn/bn_rand.c 2016-09-22 13:56:52.169233060 +0200
|
||||
diff -up openssl-1.0.2j/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2j/crypto/bn/bn_rand.c
|
||||
--- openssl-1.0.2j/crypto/bn/bn_rand.c.fips-reqs 2016-09-26 11:49:07.000000000 +0200
|
||||
+++ openssl-1.0.2j/crypto/bn/bn_rand.c 2017-01-10 16:25:11.142340595 +0100
|
||||
@@ -141,8 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
|
||||
}
|
||||
|
||||
|
@ -15,9 +15,9 @@ diff -up openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2i/crypto/bn/b
|
|||
|
||||
/* We ignore the value of pseudorand and always call RAND_bytes */
|
||||
if (RAND_bytes(buf, bytes) <= 0)
|
||||
diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2i/crypto/dh/dh_gen.c
|
||||
--- openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs 2016-09-22 13:54:26.489847426 +0200
|
||||
+++ openssl-1.0.2i/crypto/dh/dh_gen.c 2016-09-22 13:54:26.533848449 +0200
|
||||
diff -up openssl-1.0.2j/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2j/crypto/dh/dh_gen.c
|
||||
--- openssl-1.0.2j/crypto/dh/dh_gen.c.fips-reqs 2017-01-10 16:25:11.099339627 +0100
|
||||
+++ openssl-1.0.2j/crypto/dh/dh_gen.c 2017-01-10 16:25:11.142340595 +0100
|
||||
@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
|
||||
return 0;
|
||||
}
|
||||
|
@ -27,9 +27,9 @@ diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2i/crypto/dh/dh
|
|||
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
|
||||
goto err;
|
||||
}
|
||||
diff -up openssl-1.0.2i/crypto/dh/dh.h.fips-reqs openssl-1.0.2i/crypto/dh/dh.h
|
||||
--- openssl-1.0.2i/crypto/dh/dh.h.fips-reqs 2016-09-22 13:54:26.489847426 +0200
|
||||
+++ openssl-1.0.2i/crypto/dh/dh.h 2016-09-22 13:54:26.534848472 +0200
|
||||
diff -up openssl-1.0.2j/crypto/dh/dh.h.fips-reqs openssl-1.0.2j/crypto/dh/dh.h
|
||||
--- openssl-1.0.2j/crypto/dh/dh.h.fips-reqs 2017-01-10 16:25:11.099339627 +0100
|
||||
+++ openssl-1.0.2j/crypto/dh/dh.h 2017-01-10 16:25:11.142340595 +0100
|
||||
@@ -78,6 +78,7 @@
|
||||
# endif
|
||||
|
||||
|
@ -38,9 +38,9 @@ diff -up openssl-1.0.2i/crypto/dh/dh.h.fips-reqs openssl-1.0.2i/crypto/dh/dh.h
|
|||
|
||||
# define DH_FLAG_CACHE_MONT_P 0x01
|
||||
|
||||
diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_gen.c
|
||||
--- openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs 2016-09-22 13:54:26.490847450 +0200
|
||||
+++ openssl-1.0.2i/crypto/dsa/dsa_gen.c 2016-09-22 13:54:26.534848472 +0200
|
||||
diff -up openssl-1.0.2j/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2j/crypto/dsa/dsa_gen.c
|
||||
--- openssl-1.0.2j/crypto/dsa/dsa_gen.c.fips-reqs 2017-01-10 16:25:11.100339650 +0100
|
||||
+++ openssl-1.0.2j/crypto/dsa/dsa_gen.c 2017-01-10 16:25:11.143340618 +0100
|
||||
@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
|
||||
}
|
||||
|
||||
|
@ -56,9 +56,9 @@ diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2i/crypto/dsa
|
|||
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
|
||||
goto err;
|
||||
}
|
||||
diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2i/crypto/dsa/dsa.h
|
||||
--- openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs 2016-09-22 13:54:26.490847450 +0200
|
||||
+++ openssl-1.0.2i/crypto/dsa/dsa.h 2016-09-22 13:54:26.534848472 +0200
|
||||
diff -up openssl-1.0.2j/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2j/crypto/dsa/dsa.h
|
||||
--- openssl-1.0.2j/crypto/dsa/dsa.h.fips-reqs 2017-01-10 16:25:11.100339650 +0100
|
||||
+++ openssl-1.0.2j/crypto/dsa/dsa.h 2017-01-10 16:25:11.143340618 +0100
|
||||
@@ -89,6 +89,7 @@
|
||||
# endif
|
||||
|
||||
|
@ -79,9 +79,9 @@ diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2i/crypto/dsa/dsa
|
|||
* Rabin-Miller
|
||||
*/
|
||||
# define DSA_is_prime(n, callback, cb_arg) \
|
||||
diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_key.c
|
||||
--- openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs 2016-09-22 13:54:26.532848426 +0200
|
||||
+++ openssl-1.0.2i/crypto/dsa/dsa_key.c 2016-09-22 13:54:26.534848472 +0200
|
||||
diff -up openssl-1.0.2j/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2j/crypto/dsa/dsa_key.c
|
||||
--- openssl-1.0.2j/crypto/dsa/dsa_key.c.fips-reqs 2017-01-10 16:25:11.141340573 +0100
|
||||
+++ openssl-1.0.2j/crypto/dsa/dsa_key.c 2017-01-10 16:25:11.143340618 +0100
|
||||
@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
|
||||
|
||||
# ifdef OPENSSL_FIPS
|
||||
|
@ -91,9 +91,40 @@ diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2i/crypto/dsa
|
|||
DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
|
||||
goto err;
|
||||
}
|
||||
diff -up openssl-1.0.2i/crypto/fips/fips.c.fips-reqs openssl-1.0.2i/crypto/fips/fips.c
|
||||
--- openssl-1.0.2i/crypto/fips/fips.c.fips-reqs 2016-09-22 13:54:26.532848426 +0200
|
||||
+++ openssl-1.0.2i/crypto/fips/fips.c 2016-09-22 13:54:26.534848472 +0200
|
||||
diff -up openssl-1.0.2j/crypto/evp/e_aes.c.fips-reqs openssl-1.0.2j/crypto/evp/e_aes.c
|
||||
--- openssl-1.0.2j/crypto/evp/e_aes.c.fips-reqs 2017-01-10 16:25:11.102339695 +0100
|
||||
+++ openssl-1.0.2j/crypto/evp/e_aes.c 2017-01-10 16:25:11.143340618 +0100
|
||||
@@ -381,6 +381,8 @@ static int aesni_xts_init_key(EVP_CIPHER
|
||||
|
||||
if (key) {
|
||||
/* key_len is two AES keys */
|
||||
+ if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
|
||||
+ return 0;
|
||||
if (enc) {
|
||||
aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
|
||||
xctx->xts.block1 = (block128_f) aesni_encrypt;
|
||||
@@ -701,6 +703,9 @@ static int aes_t4_xts_init_key(EVP_CIPHE
|
||||
|
||||
if (key) {
|
||||
int bits = ctx->key_len * 4;
|
||||
+
|
||||
+ if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
|
||||
+ return 0;
|
||||
xctx->stream = NULL;
|
||||
/* key_len is two AES keys */
|
||||
if (enc) {
|
||||
@@ -1645,6 +1650,8 @@ static int aes_xts_init_key(EVP_CIPHER_C
|
||||
|
||||
if (key)
|
||||
do {
|
||||
+ if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
|
||||
+ return 0;
|
||||
# ifdef AES_XTS_ASM
|
||||
xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
|
||||
# else
|
||||
diff -up openssl-1.0.2j/crypto/fips/fips.c.fips-reqs openssl-1.0.2j/crypto/fips/fips.c
|
||||
--- openssl-1.0.2j/crypto/fips/fips.c.fips-reqs 2017-01-10 16:25:11.141340573 +0100
|
||||
+++ openssl-1.0.2j/crypto/fips/fips.c 2017-01-10 16:25:11.143340618 +0100
|
||||
@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
|
||||
ret = 0;
|
||||
goto end;
|
||||
|
@ -127,9 +158,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips.c.fips-reqs openssl-1.0.2i/crypto/fips/
|
|||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
diff -up openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_dh_selftest.c
|
||||
--- openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-09-22 13:54:26.535848495 +0200
|
||||
+++ openssl-1.0.2i/crypto/fips/fips_dh_selftest.c 2016-09-22 13:54:26.535848495 +0200
|
||||
diff -up openssl-1.0.2j/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_dh_selftest.c
|
||||
--- openssl-1.0.2j/crypto/fips/fips_dh_selftest.c.fips-reqs 2017-01-10 16:25:11.143340618 +0100
|
||||
+++ openssl-1.0.2j/crypto/fips/fips_dh_selftest.c 2017-01-10 16:25:11.143340618 +0100
|
||||
@@ -0,0 +1,162 @@
|
||||
+/* ====================================================================
|
||||
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
|
||||
|
@ -293,9 +324,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2i/
|
|||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
diff -up openssl-1.0.2i/crypto/fips/fips.h.fips-reqs openssl-1.0.2i/crypto/fips/fips.h
|
||||
--- openssl-1.0.2i/crypto/fips/fips.h.fips-reqs 2016-09-22 13:54:26.527848309 +0200
|
||||
+++ openssl-1.0.2i/crypto/fips/fips.h 2016-09-22 13:54:26.535848495 +0200
|
||||
diff -up openssl-1.0.2j/crypto/fips/fips.h.fips-reqs openssl-1.0.2j/crypto/fips/fips.h
|
||||
--- openssl-1.0.2j/crypto/fips/fips.h.fips-reqs 2017-01-10 16:25:11.137340483 +0100
|
||||
+++ openssl-1.0.2j/crypto/fips/fips.h 2017-01-10 16:25:11.144340641 +0100
|
||||
@@ -96,6 +96,7 @@ extern "C" {
|
||||
int FIPS_selftest_dsa(void);
|
||||
int FIPS_selftest_ecdsa(void);
|
||||
|
@ -304,9 +335,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips.h.fips-reqs openssl-1.0.2i/crypto/fips/
|
|||
void FIPS_corrupt_rng(void);
|
||||
void FIPS_rng_stick(void);
|
||||
void FIPS_x931_stick(int onoff);
|
||||
diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_post.c
|
||||
--- openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs 2016-09-22 13:54:26.524848240 +0200
|
||||
+++ openssl-1.0.2i/crypto/fips/fips_post.c 2016-09-22 13:54:26.535848495 +0200
|
||||
diff -up openssl-1.0.2j/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_post.c
|
||||
--- openssl-1.0.2j/crypto/fips/fips_post.c.fips-reqs 2017-01-10 16:25:11.134340415 +0100
|
||||
+++ openssl-1.0.2j/crypto/fips/fips_post.c 2017-01-10 16:25:11.144340641 +0100
|
||||
@@ -99,6 +99,8 @@ int FIPS_selftest(void)
|
||||
rv = 0;
|
||||
if (!FIPS_selftest_dsa())
|
||||
|
@ -316,9 +347,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2i/crypto/
|
|||
if (!FIPS_selftest_ecdh())
|
||||
rv = 0;
|
||||
return rv;
|
||||
diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c
|
||||
--- openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-09-22 13:54:26.499847659 +0200
|
||||
+++ openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c 2016-09-22 13:54:26.537848542 +0200
|
||||
diff -up openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c
|
||||
--- openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c.fips-reqs 2017-01-10 16:25:11.109339852 +0100
|
||||
+++ openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c 2017-01-10 16:25:11.144340641 +0100
|
||||
@@ -60,68 +60,107 @@
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
|
@ -973,9 +1004,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2i
|
|||
RSA_free(key);
|
||||
return ret;
|
||||
}
|
||||
diff -up openssl-1.0.2i/crypto/fips/Makefile.fips-reqs openssl-1.0.2i/crypto/fips/Makefile
|
||||
--- openssl-1.0.2i/crypto/fips/Makefile.fips-reqs 2016-09-22 13:54:26.524848240 +0200
|
||||
+++ openssl-1.0.2i/crypto/fips/Makefile 2016-09-22 13:54:26.537848542 +0200
|
||||
diff -up openssl-1.0.2j/crypto/fips/Makefile.fips-reqs openssl-1.0.2j/crypto/fips/Makefile
|
||||
--- openssl-1.0.2j/crypto/fips/Makefile.fips-reqs 2017-01-10 16:25:11.134340415 +0100
|
||||
+++ openssl-1.0.2j/crypto/fips/Makefile 2017-01-10 16:25:11.144340641 +0100
|
||||
@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
|
||||
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
|
||||
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
|
||||
|
@ -994,9 +1025,9 @@ diff -up openssl-1.0.2i/crypto/fips/Makefile.fips-reqs openssl-1.0.2i/crypto/fip
|
|||
|
||||
LIBCRYPTO=-L.. -lcrypto
|
||||
|
||||
diff -up openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2i/crypto/rand/rand_lcl.h
|
||||
--- openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs 2016-09-22 13:54:26.261842127 +0200
|
||||
+++ openssl-1.0.2i/crypto/rand/rand_lcl.h 2016-09-22 13:54:26.537848542 +0200
|
||||
diff -up openssl-1.0.2j/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2j/crypto/rand/rand_lcl.h
|
||||
--- openssl-1.0.2j/crypto/rand/rand_lcl.h.fips-reqs 2017-01-10 16:25:10.830333571 +0100
|
||||
+++ openssl-1.0.2j/crypto/rand/rand_lcl.h 2017-01-10 16:25:11.144340641 +0100
|
||||
@@ -112,7 +112,7 @@
|
||||
#ifndef HEADER_RAND_LCL_H
|
||||
# define HEADER_RAND_LCL_H
|
||||
|
@ -1006,9 +1037,9 @@ diff -up openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2i/crypto/r
|
|||
|
||||
# if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
|
||||
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
||||
diff -up openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2i/crypto/rand/rand_lib.c
|
||||
--- openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/rand/rand_lib.c 2016-09-22 13:54:26.537848542 +0200
|
||||
diff -up openssl-1.0.2j/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2j/crypto/rand/rand_lib.c
|
||||
--- openssl-1.0.2j/crypto/rand/rand_lib.c.fips-reqs 2016-09-26 11:49:07.000000000 +0200
|
||||
+++ openssl-1.0.2j/crypto/rand/rand_lib.c 2017-01-10 16:25:11.145340663 +0100
|
||||
@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
|
||||
double entropy)
|
||||
{
|
||||
|
@ -1032,9 +1063,9 @@ diff -up openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2i/crypto/r
|
|||
return 1;
|
||||
}
|
||||
|
||||
diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2i/crypto/rsa/rsa_gen.c
|
||||
--- openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs 2016-09-22 13:54:26.502847728 +0200
|
||||
+++ openssl-1.0.2i/crypto/rsa/rsa_gen.c 2016-09-22 13:54:26.538848565 +0200
|
||||
diff -up openssl-1.0.2j/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2j/crypto/rsa/rsa_gen.c
|
||||
--- openssl-1.0.2j/crypto/rsa/rsa_gen.c.fips-reqs 2017-01-10 16:25:11.112339920 +0100
|
||||
+++ openssl-1.0.2j/crypto/rsa/rsa_gen.c 2017-01-10 16:25:11.145340663 +0100
|
||||
@@ -1,5 +1,6 @@
|
||||
/* crypto/rsa/rsa_gen.c */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
|
@ -1336,9 +1367,9 @@ diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2i/crypto/rsa
|
|||
ok = 1;
|
||||
err:
|
||||
if (ok == -1) {
|
||||
diff -up openssl-1.0.2i/ssl/t1_enc.c.fips-reqs openssl-1.0.2i/ssl/t1_enc.c
|
||||
--- openssl-1.0.2i/ssl/t1_enc.c.fips-reqs 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/ssl/t1_enc.c 2016-09-22 13:54:26.538848565 +0200
|
||||
diff -up openssl-1.0.2j/ssl/t1_enc.c.fips-reqs openssl-1.0.2j/ssl/t1_enc.c
|
||||
--- openssl-1.0.2j/ssl/t1_enc.c.fips-reqs 2016-09-26 11:49:07.000000000 +0200
|
||||
+++ openssl-1.0.2j/ssl/t1_enc.c 2017-01-10 16:25:11.145340663 +0100
|
||||
@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
|
||||
return ret;
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c
|
||||
--- openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs 2015-04-09 18:22:58.638448432 +0200
|
||||
+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-09 18:22:57.264416692 +0200
|
||||
diff -up openssl-1.0.2k/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2k/crypto/rsa/rsa_gen.c
|
||||
--- openssl-1.0.2k/crypto/rsa/rsa_gen.c.cc-reqs 2017-02-06 16:42:47.313963001 +0100
|
||||
+++ openssl-1.0.2k/crypto/rsa/rsa_gen.c 2017-02-06 16:46:54.453628783 +0100
|
||||
@@ -474,6 +474,12 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
|
||||
goto err;
|
||||
|
@ -11,10 +11,10 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2a/crypto/rsa/r
|
|||
+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
|
||||
+ goto err;
|
||||
+
|
||||
BN_copy(rsa->e, e_value);
|
||||
if (BN_copy(rsa->e, e_value) == NULL)
|
||||
goto err;
|
||||
|
||||
/* generate p and q */
|
||||
@@ -501,7 +507,9 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
@@ -502,7 +508,9 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
do {
|
||||
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
|
||||
goto err;
|
|
@ -0,0 +1,65 @@
|
|||
diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k/crypto/fips/fips_drbg_lib.c
|
||||
--- openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock 2017-03-09 17:59:26.249231181 +0100
|
||||
+++ openssl-1.0.2k/crypto/fips/fips_drbg_lib.c 2017-11-16 09:16:06.188098078 +0100
|
||||
@@ -338,6 +338,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
|
||||
return drbg_reseed(dctx, adin, adinlen, 1);
|
||||
}
|
||||
|
||||
+void FIPS_drbg_set_reseed(DRBG_CTX *dctx)
|
||||
+{
|
||||
+ if (dctx->status == DRBG_STATUS_READY)
|
||||
+ dctx->reseed_counter = dctx->reseed_interval;
|
||||
+}
|
||||
+
|
||||
static int fips_drbg_check(DRBG_CTX *dctx)
|
||||
{
|
||||
if (dctx->xflags & DRBG_FLAG_TEST)
|
||||
diff -up openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock openssl-1.0.2k/crypto/fips/fips_rand.h
|
||||
--- openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock 2017-03-09 17:59:26.252231250 +0100
|
||||
+++ openssl-1.0.2k/crypto/fips/fips_rand.h 2017-11-07 10:06:40.241450151 +0100
|
||||
@@ -86,6 +86,7 @@ extern "C" {
|
||||
const unsigned char *pers, size_t perslen);
|
||||
int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
|
||||
size_t adinlen);
|
||||
+ void FIPS_drbg_set_reseed(DRBG_CTX *dctx);
|
||||
int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
|
||||
int prediction_resistance,
|
||||
const unsigned char *adin, size_t adinlen);
|
||||
diff -up openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock openssl-1.0.2k/crypto/rand/md_rand.c
|
||||
--- openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock 2017-03-09 17:59:26.255231320 +0100
|
||||
+++ openssl-1.0.2k/crypto/rand/md_rand.c 2017-12-06 09:20:23.615879425 +0100
|
||||
@@ -391,10 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
|
||||
crypto_lock_rand = 1;
|
||||
|
||||
- /* always poll for external entropy in FIPS mode, drbg provides the
|
||||
- * expansion
|
||||
+ /* always poll for external entropy in FIPS mode, if run as seed
|
||||
+ * source, drbg provides the expansion
|
||||
*/
|
||||
- if (!initialized || FIPS_module_mode()) {
|
||||
+ if (!initialized || (!lock && FIPS_module_mode())) {
|
||||
RAND_poll();
|
||||
initialized = 1;
|
||||
}
|
||||
diff -up openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock openssl-1.0.2k/crypto/rand/rand_lib.c
|
||||
--- openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock 2017-03-09 17:59:26.292232183 +0100
|
||||
+++ openssl-1.0.2k/crypto/rand/rand_lib.c 2017-11-07 10:20:08.050403861 +0100
|
||||
@@ -238,7 +238,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
|
||||
RAND_SSLeay()->add(in, inlen, entropy);
|
||||
if (FIPS_rand_status()) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
||||
- FIPS_drbg_reseed(ctx, NULL, 0);
|
||||
+ FIPS_drbg_set_reseed(ctx);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
||||
}
|
||||
return 1;
|
||||
@@ -249,7 +249,7 @@ static int drbg_rand_seed(DRBG_CTX *ctx,
|
||||
RAND_SSLeay()->seed(in, inlen);
|
||||
if (FIPS_rand_status()) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
||||
- FIPS_drbg_reseed(ctx, NULL, 0);
|
||||
+ FIPS_drbg_set_reseed(ctx);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
||||
}
|
||||
return 1;
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,172 @@
|
|||
diff -up openssl-1.0.2m/apps/s_client.c.krb5keytab openssl-1.0.2m/apps/s_client.c
|
||||
--- openssl-1.0.2m/apps/s_client.c.krb5keytab 2017-11-13 09:02:11.741337880 +0100
|
||||
+++ openssl-1.0.2m/apps/s_client.c 2017-11-13 09:02:11.764338368 +0100
|
||||
@@ -171,6 +171,10 @@ typedef unsigned int u_int;
|
||||
#include "s_apps.h"
|
||||
#include "timeouts.h"
|
||||
|
||||
+#ifndef OPENSSL_NO_KRB5
|
||||
+static char *krb5svc = NULL;
|
||||
+#endif
|
||||
+
|
||||
#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
|
||||
/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
|
||||
# undef FIONBIO
|
||||
@@ -400,6 +404,9 @@ static void sc_usage(void)
|
||||
BIO_printf(bio_err,
|
||||
" only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
|
||||
BIO_printf(bio_err, " are supported.\n");
|
||||
+#ifndef OPENSSL_NO_KRB5
|
||||
+ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
BIO_printf(bio_err,
|
||||
" -engine id - Initialise and use the specified engine\n");
|
||||
@@ -1069,6 +1076,13 @@ int MAIN(int argc, char **argv)
|
||||
c_nbio = 1;
|
||||
}
|
||||
#endif
|
||||
+#ifndef OPENSSL_NO_KRB5
|
||||
+ else if (strcmp(*argv, "-krb5svc") == 0) {
|
||||
+ if (--argc < 1)
|
||||
+ goto bad;
|
||||
+ krb5svc= *(++argv);
|
||||
+ }
|
||||
+#endif
|
||||
else if (strcmp(*argv, "-starttls") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
@@ -1435,6 +1449,8 @@ int MAIN(int argc, char **argv)
|
||||
if (con && (kctx = kssl_ctx_new()) != NULL) {
|
||||
SSL_set0_kssl_ctx(con, kctx);
|
||||
kssl_ctx_setstring(kctx, KSSL_SERVER, host);
|
||||
+ if (krb5svc != NULL)
|
||||
+ kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
|
||||
}
|
||||
#endif /* OPENSSL_NO_KRB5 */
|
||||
/* SSL_set_cipher_list(con,"RC4-MD5"); */
|
||||
diff -up openssl-1.0.2m/apps/s_server.c.krb5keytab openssl-1.0.2m/apps/s_server.c
|
||||
--- openssl-1.0.2m/apps/s_server.c.krb5keytab 2017-11-13 09:02:11.742337901 +0100
|
||||
+++ openssl-1.0.2m/apps/s_server.c 2017-11-13 09:02:11.764338368 +0100
|
||||
@@ -206,6 +206,11 @@ typedef unsigned int u_int;
|
||||
# include <fcntl.h>
|
||||
#endif
|
||||
|
||||
+#ifndef OPENSSL_NO_KRB5
|
||||
+static char *krb5svc = NULL;
|
||||
+static char *keytab = NULL;
|
||||
+#endif
|
||||
+
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
|
||||
#endif
|
||||
@@ -575,6 +580,10 @@ static void sv_usage(void)
|
||||
BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
|
||||
BIO_printf(bio_err, " -quiet - No server output\n");
|
||||
BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
|
||||
+#ifndef OPENSSL_NO_KRB5
|
||||
+ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
|
||||
+ BIO_printf(bio_err, " -keytab arg - Kerberos keytab filename\n");
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n");
|
||||
BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n");
|
||||
@@ -1322,6 +1331,17 @@ int MAIN(int argc, char *argv[])
|
||||
goto bad;
|
||||
vfyCAfile = *(++argv);
|
||||
}
|
||||
+#ifndef OPENSSL_NO_KRB5
|
||||
+ else if (strcmp(*argv, "-krb5svc") == 0) {
|
||||
+ if (--argc < 1)
|
||||
+ goto bad;
|
||||
+ krb5svc = *(++argv);
|
||||
+ } else if (strcmp(*argv, "-keytab") == 0) {
|
||||
+ if (--argc < 1)
|
||||
+ goto bad;
|
||||
+ keytab = *(++argv);
|
||||
+ }
|
||||
+#endif
|
||||
#ifdef FIONBIO
|
||||
else if (strcmp(*argv, "-nbio") == 0) {
|
||||
s_nbio = 1;
|
||||
@@ -2222,8 +2242,10 @@ static int sv_body(char *hostname, int s
|
||||
#ifndef OPENSSL_NO_KRB5
|
||||
if ((kctx = kssl_ctx_new()) != NULL) {
|
||||
SSL_set0_kssl_ctx(con, kctx);
|
||||
- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
|
||||
- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
|
||||
+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
|
||||
+ krb5svc == NULL ? KRB5SVC : krb5svc);
|
||||
+ if (keytab != NULL)
|
||||
+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
|
||||
}
|
||||
#endif /* OPENSSL_NO_KRB5 */
|
||||
if (context)
|
||||
@@ -2832,8 +2854,11 @@ static int www_body(char *hostname, int
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_KRB5
|
||||
if ((kctx = kssl_ctx_new()) != NULL) {
|
||||
- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
|
||||
- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
|
||||
+ SSL_set0_kssl_ctx(con, kctx);
|
||||
+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
|
||||
+ krb5svc == NULL ? KRB5SVC : krb5svc);
|
||||
+ if (keytab != NULL)
|
||||
+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
|
||||
}
|
||||
#endif /* OPENSSL_NO_KRB5 */
|
||||
if (context)
|
||||
diff -up openssl-1.0.2m/doc/apps/s_client.pod.krb5keytab openssl-1.0.2m/doc/apps/s_client.pod
|
||||
--- openssl-1.0.2m/doc/apps/s_client.pod.krb5keytab 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/s_client.pod 2017-11-13 09:03:07.388519323 +0100
|
||||
@@ -46,6 +46,7 @@ B<openssl> B<s_client>
|
||||
[B<-sigalgs sigalglist>]
|
||||
[B<-curves curvelist>]
|
||||
[B<-cipher cipherlist>]
|
||||
+[B<-krb5svc service>]
|
||||
[B<-serverpref>]
|
||||
[B<-starttls protocol>]
|
||||
[B<-engine id>]
|
||||
@@ -246,6 +247,12 @@ command for more information.
|
||||
|
||||
use the server's cipher preferences; only used for SSLV2.
|
||||
|
||||
+=item B<-krb5svc service>
|
||||
+
|
||||
+the Kerberos service name to use (default "host"). This means s_server
|
||||
+will expect a ticket for the principal I<service>/hostname@REALM, and will
|
||||
+need keys for that principal in its keytab.
|
||||
+
|
||||
=item B<-starttls protocol>
|
||||
|
||||
send the protocol-specific message(s) to switch to TLS for communication.
|
||||
diff -up openssl-1.0.2m/doc/apps/s_server.pod.krb5keytab openssl-1.0.2m/doc/apps/s_server.pod
|
||||
--- openssl-1.0.2m/doc/apps/s_server.pod.krb5keytab 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/s_server.pod 2017-11-13 09:03:19.316772571 +0100
|
||||
@@ -40,6 +40,8 @@ B<openssl> B<s_server>
|
||||
[B<-named_curve curve>]
|
||||
[B<-cipher cipherlist>]
|
||||
[B<-serverpref>]
|
||||
+[B<-krb5svc service>]
|
||||
+[B<-keytab filename>]
|
||||
[B<-quiet>]
|
||||
[B<-no_tmp_rsa>]
|
||||
[B<-ssl2>]
|
||||
@@ -262,6 +264,17 @@ the B<ciphers> command for more informat
|
||||
|
||||
use the server's cipher preferences, rather than the client's preferences.
|
||||
|
||||
+=item B<-krb5svc service>
|
||||
+
|
||||
+the Kerberos service name to use (default "host"). This means s_server
|
||||
+will expect a ticket for the principal I<service>/hostname@REALM, and will
|
||||
+need keys for that principal in its keytab.
|
||||
+
|
||||
+=item B<-keytab filename>
|
||||
+
|
||||
+the Kerberos "keytab" (key table) file, containing keys for the s_server
|
||||
+service principal (Kerberos identity; see -krb5svc).
|
||||
+
|
||||
=item B<-tlsextdebug>
|
||||
|
||||
print out a hex dump of any TLS extensions received from the server.
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssl-1.0.2g/doc/apps/ec.pod.manfix openssl-1.0.2g/doc/apps/ec.pod
|
||||
--- openssl-1.0.2g/doc/apps/ec.pod.manfix 2016-03-01 14:35:05.000000000 +0100
|
||||
+++ openssl-1.0.2g/doc/apps/ec.pod 2016-03-01 16:47:35.331568290 +0100
|
||||
@@ -93,10 +93,6 @@ prints out the public, private key compo
|
||||
diff -up openssl-1.0.2m/doc/apps/ec.pod.manfix openssl-1.0.2m/doc/apps/ec.pod
|
||||
--- openssl-1.0.2m/doc/apps/ec.pod.manfix 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/ec.pod 2017-11-13 09:06:06.372591988 +0100
|
||||
@@ -94,10 +94,6 @@ prints out the public, private key compo
|
||||
|
||||
this option prevents output of the encoded version of the key.
|
||||
|
||||
|
@ -12,9 +12,9 @@ diff -up openssl-1.0.2g/doc/apps/ec.pod.manfix openssl-1.0.2g/doc/apps/ec.pod
|
|||
=item B<-pubin>
|
||||
|
||||
by default a private key is read from the input file: with this option a
|
||||
diff -up openssl-1.0.2g/doc/apps/openssl.pod.manfix openssl-1.0.2g/doc/apps/openssl.pod
|
||||
--- openssl-1.0.2g/doc/apps/openssl.pod.manfix 2016-03-01 14:35:05.000000000 +0100
|
||||
+++ openssl-1.0.2g/doc/apps/openssl.pod 2016-03-01 16:47:35.331568290 +0100
|
||||
diff -up openssl-1.0.2m/doc/apps/openssl.pod.manfix openssl-1.0.2m/doc/apps/openssl.pod
|
||||
--- openssl-1.0.2m/doc/apps/openssl.pod.manfix 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/openssl.pod 2017-11-13 09:06:06.372591988 +0100
|
||||
@@ -163,7 +163,7 @@ Create or examine a netscape certificate
|
||||
|
||||
Online Certificate Status Protocol utility.
|
||||
|
@ -45,10 +45,10 @@ diff -up openssl-1.0.2g/doc/apps/openssl.pod.manfix openssl-1.0.2g/doc/apps/open
|
|||
L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
|
||||
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
|
||||
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
|
||||
diff -up openssl-1.0.2g/doc/apps/s_client.pod.manfix openssl-1.0.2g/doc/apps/s_client.pod
|
||||
--- openssl-1.0.2g/doc/apps/s_client.pod.manfix 2016-03-01 14:35:53.000000000 +0100
|
||||
+++ openssl-1.0.2g/doc/apps/s_client.pod 2016-03-01 16:47:35.358568902 +0100
|
||||
@@ -35,6 +35,9 @@ B<openssl> B<s_client>
|
||||
diff -up openssl-1.0.2m/doc/apps/s_client.pod.manfix openssl-1.0.2m/doc/apps/s_client.pod
|
||||
--- openssl-1.0.2m/doc/apps/s_client.pod.manfix 2017-11-13 09:06:06.346591381 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/s_client.pod 2017-11-13 09:07:05.273965939 +0100
|
||||
@@ -36,6 +36,9 @@ B<openssl> B<s_client>
|
||||
[B<-ssl2>]
|
||||
[B<-ssl3>]
|
||||
[B<-tls1>]
|
||||
|
@ -58,19 +58,19 @@ diff -up openssl-1.0.2g/doc/apps/s_client.pod.manfix openssl-1.0.2g/doc/apps/s_c
|
|||
[B<-no_ssl2>]
|
||||
[B<-no_ssl3>]
|
||||
[B<-no_tls1>]
|
||||
@@ -201,7 +204,7 @@ Use the PSK key B<key> when using a PSK
|
||||
given as a hexadecimal number without leading 0x, for example -psk
|
||||
@@ -208,7 +211,7 @@ given as a hexadecimal number without le
|
||||
1a2b3c4d.
|
||||
This option must be provided in order to use a PSK cipher.
|
||||
|
||||
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
||||
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
||||
|
||||
These options require or disable the use of the specified SSL or TLS protocols.
|
||||
By default the initial handshake uses a I<version-flexible> method which will
|
||||
diff -up openssl-1.0.2g/doc/apps/s_server.pod.manfix openssl-1.0.2g/doc/apps/s_server.pod
|
||||
--- openssl-1.0.2g/doc/apps/s_server.pod.manfix 2016-03-01 14:35:53.000000000 +0100
|
||||
+++ openssl-1.0.2g/doc/apps/s_server.pod 2016-03-01 16:47:35.359568925 +0100
|
||||
@@ -42,6 +42,8 @@ B<openssl> B<s_server>
|
||||
diff -up openssl-1.0.2m/doc/apps/s_server.pod.manfix openssl-1.0.2m/doc/apps/s_server.pod
|
||||
--- openssl-1.0.2m/doc/apps/s_server.pod.manfix 2017-11-13 09:06:06.346591381 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/s_server.pod 2017-11-13 09:07:24.481413978 +0100
|
||||
@@ -47,6 +47,8 @@ B<openssl> B<s_server>
|
||||
[B<-ssl2>]
|
||||
[B<-ssl3>]
|
||||
[B<-tls1>]
|
||||
|
@ -79,9 +79,9 @@ diff -up openssl-1.0.2g/doc/apps/s_server.pod.manfix openssl-1.0.2g/doc/apps/s_s
|
|||
[B<-no_ssl2>]
|
||||
[B<-no_ssl3>]
|
||||
[B<-no_tls1>]
|
||||
@@ -217,7 +219,7 @@ Use the PSK key B<key> when using a PSK
|
||||
given as a hexadecimal number without leading 0x, for example -psk
|
||||
@@ -224,7 +226,7 @@ given as a hexadecimal number without le
|
||||
1a2b3c4d.
|
||||
This option must be provided in order to use a PSK cipher.
|
||||
|
||||
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
||||
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_api.c
|
||||
--- openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/conf/conf_api.c 2016-09-22 13:51:29.847742209 +0200
|
||||
diff -up openssl-1.0.2m/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2m/crypto/conf/conf_api.c
|
||||
--- openssl-1.0.2m/crypto/conf/conf_api.c.secure-getenv 2017-11-02 15:32:57.000000000 +0100
|
||||
+++ openssl-1.0.2m/crypto/conf/conf_api.c 2017-11-13 09:04:24.456214656 +0100
|
||||
@@ -63,6 +63,8 @@
|
||||
# define NDEBUG
|
||||
#endif
|
||||
|
@ -28,9 +28,9 @@ diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/cryp
|
|||
}
|
||||
|
||||
#if 0 /* There's no way to provide error checking
|
||||
diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_mod.c
|
||||
--- openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/conf/conf_mod.c 2016-09-22 13:51:29.847742209 +0200
|
||||
diff -up openssl-1.0.2m/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2m/crypto/conf/conf_mod.c
|
||||
--- openssl-1.0.2m/crypto/conf/conf_mod.c.secure-getenv 2017-11-02 15:32:57.000000000 +0100
|
||||
+++ openssl-1.0.2m/crypto/conf/conf_mod.c 2017-11-13 09:04:24.456214656 +0100
|
||||
@@ -57,6 +57,8 @@
|
||||
*
|
||||
*/
|
||||
|
@ -49,9 +49,9 @@ diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/cryp
|
|||
if (file)
|
||||
return BUF_strdup(file);
|
||||
|
||||
diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/crypto/engine/eng_list.c
|
||||
--- openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/engine/eng_list.c 2016-09-22 13:51:29.847742209 +0200
|
||||
diff -up openssl-1.0.2m/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2m/crypto/engine/eng_list.c
|
||||
--- openssl-1.0.2m/crypto/engine/eng_list.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/crypto/engine/eng_list.c 2017-11-13 09:04:24.456214656 +0100
|
||||
@@ -62,6 +62,8 @@
|
||||
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
||||
*/
|
||||
|
@ -74,9 +74,9 @@ diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/cr
|
|||
load_dir = ENGINESDIR;
|
||||
# endif
|
||||
iterator = ENGINE_by_id("dynamic");
|
||||
diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypto/md5/md5_dgst.c
|
||||
--- openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv 2016-09-22 13:51:29.840742047 +0200
|
||||
+++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:51:29.847742209 +0200
|
||||
diff -up openssl-1.0.2m/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2m/crypto/md5/md5_dgst.c
|
||||
--- openssl-1.0.2m/crypto/md5/md5_dgst.c.secure-getenv 2017-11-13 09:04:24.446214423 +0100
|
||||
+++ openssl-1.0.2m/crypto/md5/md5_dgst.c 2017-11-13 09:04:24.456214656 +0100
|
||||
@@ -56,6 +56,8 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
@ -96,9 +96,9 @@ diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypt
|
|||
OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
|
||||
return private_MD5_Init(c);
|
||||
}
|
||||
diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_init.c
|
||||
--- openssl-1.0.2i/crypto/o_init.c.secure-getenv 2016-09-22 13:51:29.830741814 +0200
|
||||
+++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:51:30.046746834 +0200
|
||||
diff -up openssl-1.0.2m/crypto/o_init.c.secure-getenv openssl-1.0.2m/crypto/o_init.c
|
||||
--- openssl-1.0.2m/crypto/o_init.c.secure-getenv 2017-11-13 09:04:24.431214072 +0100
|
||||
+++ openssl-1.0.2m/crypto/o_init.c 2017-11-13 09:04:24.456214656 +0100
|
||||
@@ -53,6 +53,8 @@
|
||||
*
|
||||
*/
|
||||
|
@ -117,9 +117,9 @@ diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_in
|
|||
buf[0] = '1';
|
||||
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/crypto/rand/randfile.c
|
||||
--- openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/rand/randfile.c 2016-09-22 13:53:17.222237626 +0200
|
||||
diff -up openssl-1.0.2m/crypto/rand/randfile.c.secure-getenv openssl-1.0.2m/crypto/rand/randfile.c
|
||||
--- openssl-1.0.2m/crypto/rand/randfile.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/crypto/rand/randfile.c 2017-11-13 09:04:24.457214679 +0100
|
||||
@@ -55,6 +55,8 @@
|
||||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
|
@ -146,9 +146,9 @@ diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/cryp
|
|||
#ifdef DEFAULT_HOME
|
||||
if (s == NULL) {
|
||||
s = DEFAULT_HOME;
|
||||
diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto/x509/by_dir.c
|
||||
--- openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/x509/by_dir.c 2016-09-22 13:51:30.047746858 +0200
|
||||
diff -up openssl-1.0.2m/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2m/crypto/x509/by_dir.c
|
||||
--- openssl-1.0.2m/crypto/x509/by_dir.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/crypto/x509/by_dir.c 2017-11-13 09:04:24.457214679 +0100
|
||||
@@ -56,6 +56,8 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
@ -167,9 +167,9 @@ diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto
|
|||
if (dir)
|
||||
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||
else
|
||||
diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypto/x509/by_file.c
|
||||
--- openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv 2016-09-22 13:51:29.812741396 +0200
|
||||
+++ openssl-1.0.2i/crypto/x509/by_file.c 2016-09-22 13:51:30.047746858 +0200
|
||||
diff -up openssl-1.0.2m/crypto/x509/by_file.c.secure-getenv openssl-1.0.2m/crypto/x509/by_file.c
|
||||
--- openssl-1.0.2m/crypto/x509/by_file.c.secure-getenv 2017-11-13 09:04:24.405213466 +0100
|
||||
+++ openssl-1.0.2m/crypto/x509/by_file.c 2017-11-13 09:05:04.115139752 +0100
|
||||
@@ -56,6 +56,8 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
@ -183,14 +183,14 @@ diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypt
|
|||
switch (cmd) {
|
||||
case X509_L_FILE_LOAD:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
- file = (char *)getenv(X509_get_default_cert_file_env());
|
||||
+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
|
||||
- file = getenv(X509_get_default_cert_file_env());
|
||||
+ file = secure_getenv(X509_get_default_cert_file_env());
|
||||
if (file)
|
||||
ok = (X509_load_cert_crl_file(ctx, file,
|
||||
X509_FILETYPE_PEM) != 0);
|
||||
diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/crypto/x509/x509_vfy.c 2016-09-22 13:51:30.048746881 +0200
|
||||
diff -up openssl-1.0.2m/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2m/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.0.2m/crypto/x509/x509_vfy.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/crypto/x509/x509_vfy.c 2017-11-13 09:04:24.458214702 +0100
|
||||
@@ -56,6 +56,8 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
@ -209,9 +209,9 @@ diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/cryp
|
|||
allow_proxy_certs = 1;
|
||||
purpose = ctx->param->purpose;
|
||||
}
|
||||
diff -up openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2i/engines/ccgost/gost_ctl.c
|
||||
--- openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/engines/ccgost/gost_ctl.c 2016-09-22 13:51:30.048746881 +0200
|
||||
diff -up openssl-1.0.2m/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2m/engines/ccgost/gost_ctl.c
|
||||
--- openssl-1.0.2m/engines/ccgost/gost_ctl.c.secure-getenv 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/engines/ccgost/gost_ctl.c 2017-11-13 09:04:24.458214702 +0100
|
||||
@@ -6,6 +6,8 @@
|
||||
* Implementation of control commands for GOST engine *
|
||||
* OpenSSL 0.9.9 libraries required *
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c
|
||||
--- openssl-1.0.2i/apps/cms.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/apps/cms.c 2016-09-22 14:01:27.436630359 +0200
|
||||
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
|
||||
diff -up openssl-1.0.2m/apps/cms.c.trusted-first openssl-1.0.2m/apps/cms.c
|
||||
--- openssl-1.0.2m/apps/cms.c.trusted-first 2017-11-02 15:32:57.000000000 +0100
|
||||
+++ openssl-1.0.2m/apps/cms.c 2017-11-13 09:08:18.613672265 +0100
|
||||
@@ -644,6 +644,8 @@ int MAIN(int argc, char **argv)
|
||||
"-CApath dir trusted certificates directory\n");
|
||||
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
||||
BIO_printf(bio_err,
|
||||
|
@ -10,9 +10,9 @@ diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c
|
|||
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||
diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c
|
||||
--- openssl-1.0.2i/apps/ocsp.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/apps/ocsp.c 2016-09-22 14:01:27.436630359 +0200
|
||||
diff -up openssl-1.0.2m/apps/ocsp.c.trusted-first openssl-1.0.2m/apps/ocsp.c
|
||||
--- openssl-1.0.2m/apps/ocsp.c.trusted-first 2017-11-02 15:32:57.000000000 +0100
|
||||
+++ openssl-1.0.2m/apps/ocsp.c 2017-11-13 09:08:18.613672265 +0100
|
||||
@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf(bio_err,
|
||||
"-CAfile file trusted certificates file\n");
|
||||
|
@ -22,10 +22,10 @@ diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c
|
|||
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
"-VAfile file validator certificates file\n");
|
||||
diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_client.c
|
||||
--- openssl-1.0.2i/apps/s_client.c.trusted-first 2016-09-22 14:01:27.402629569 +0200
|
||||
+++ openssl-1.0.2i/apps/s_client.c 2016-09-22 14:01:27.436630359 +0200
|
||||
@@ -330,6 +330,8 @@ static void sc_usage(void)
|
||||
diff -up openssl-1.0.2m/apps/s_client.c.trusted-first openssl-1.0.2m/apps/s_client.c
|
||||
--- openssl-1.0.2m/apps/s_client.c.trusted-first 2017-11-13 09:08:18.571671320 +0100
|
||||
+++ openssl-1.0.2m/apps/s_client.c 2017-11-13 09:08:18.613672265 +0100
|
||||
@@ -334,6 +334,8 @@ static void sc_usage(void)
|
||||
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
||||
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
||||
BIO_printf(bio_err,
|
||||
|
@ -34,10 +34,10 @@ diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_clie
|
|||
" -no_alt_chains - only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
||||
diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c
|
||||
--- openssl-1.0.2i/apps/smime.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/apps/smime.c 2016-09-22 14:01:27.436630359 +0200
|
||||
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
|
||||
diff -up openssl-1.0.2m/apps/smime.c.trusted-first openssl-1.0.2m/apps/smime.c
|
||||
--- openssl-1.0.2m/apps/smime.c.trusted-first 2017-11-02 15:32:57.000000000 +0100
|
||||
+++ openssl-1.0.2m/apps/smime.c 2017-11-13 09:08:18.614672288 +0100
|
||||
@@ -440,6 +440,8 @@ int MAIN(int argc, char **argv)
|
||||
"-CApath dir trusted certificates directory\n");
|
||||
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
||||
BIO_printf(bio_err,
|
||||
|
@ -46,10 +46,10 @@ diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c
|
|||
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||
diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_server.c
|
||||
--- openssl-1.0.2i/apps/s_server.c.trusted-first 2016-09-22 14:01:27.374628918 +0200
|
||||
+++ openssl-1.0.2i/apps/s_server.c 2016-09-22 14:01:27.437630382 +0200
|
||||
@@ -571,6 +571,8 @@ static void sv_usage(void)
|
||||
diff -up openssl-1.0.2m/apps/s_server.c.trusted-first openssl-1.0.2m/apps/s_server.c
|
||||
--- openssl-1.0.2m/apps/s_server.c.trusted-first 2017-11-13 09:08:18.560671072 +0100
|
||||
+++ openssl-1.0.2m/apps/s_server.c 2017-11-13 09:08:18.614672288 +0100
|
||||
@@ -572,6 +572,8 @@ static void sv_usage(void)
|
||||
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
||||
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
||||
BIO_printf(bio_err,
|
||||
|
@ -58,9 +58,9 @@ diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_serv
|
|||
" -no_alt_chains - only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
" -nocert - Don't use any certificates (Anon-DH)\n");
|
||||
diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c
|
||||
--- openssl-1.0.2i/apps/s_time.c.trusted-first 2016-09-22 14:01:27.368628779 +0200
|
||||
+++ openssl-1.0.2i/apps/s_time.c 2016-09-22 14:01:27.437630382 +0200
|
||||
diff -up openssl-1.0.2m/apps/s_time.c.trusted-first openssl-1.0.2m/apps/s_time.c
|
||||
--- openssl-1.0.2m/apps/s_time.c.trusted-first 2017-11-13 09:08:18.526670306 +0100
|
||||
+++ openssl-1.0.2m/apps/s_time.c 2017-11-13 09:08:18.614672288 +0100
|
||||
@@ -182,6 +182,7 @@ static void s_time_usage(void)
|
||||
file if not specified by this option\n\
|
||||
-CApath arg - PEM format directory of CA's\n\
|
||||
|
@ -69,9 +69,9 @@ diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c
|
|||
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
|
||||
|
||||
printf("usage: s_time <args>\n\n");
|
||||
diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c
|
||||
--- openssl-1.0.2i/apps/ts.c.trusted-first 2016-09-22 14:01:27.400629522 +0200
|
||||
+++ openssl-1.0.2i/apps/ts.c 2016-09-22 14:01:27.437630382 +0200
|
||||
diff -up openssl-1.0.2m/apps/ts.c.trusted-first openssl-1.0.2m/apps/ts.c
|
||||
--- openssl-1.0.2m/apps/ts.c.trusted-first 2017-11-13 09:08:18.569671275 +0100
|
||||
+++ openssl-1.0.2m/apps/ts.c 2017-11-13 09:08:18.614672288 +0100
|
||||
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
|
||||
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
|
||||
"[-queryfile request.tsq] "
|
||||
|
@ -81,10 +81,10 @@ diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c
|
|||
"-untrusted cert_file.pem\n");
|
||||
cleanup:
|
||||
/* Clean up. */
|
||||
diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c
|
||||
--- openssl-1.0.2i/apps/verify.c.trusted-first 2016-09-22 14:01:27.438630405 +0200
|
||||
+++ openssl-1.0.2i/apps/verify.c 2016-09-22 14:02:37.951269140 +0200
|
||||
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
|
||||
diff -up openssl-1.0.2m/apps/verify.c.trusted-first openssl-1.0.2m/apps/verify.c
|
||||
--- openssl-1.0.2m/apps/verify.c.trusted-first 2017-11-02 15:32:57.000000000 +0100
|
||||
+++ openssl-1.0.2m/apps/verify.c 2017-11-13 09:08:18.615672310 +0100
|
||||
@@ -227,7 +227,7 @@ int MAIN(int argc, char **argv)
|
||||
usage:
|
||||
if (ret == 1) {
|
||||
BIO_printf(bio_err,
|
||||
|
@ -93,10 +93,10 @@ diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c
|
|||
BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
BIO_printf(bio_err, " [-engine e]");
|
||||
diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/cms.pod
|
||||
--- openssl-1.0.2i/doc/apps/cms.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/doc/apps/cms.pod 2016-09-22 14:01:27.438630405 +0200
|
||||
@@ -35,6 +35,7 @@ B<openssl> B<cms>
|
||||
diff -up openssl-1.0.2m/doc/apps/cms.pod.trusted-first openssl-1.0.2m/doc/apps/cms.pod
|
||||
--- openssl-1.0.2m/doc/apps/cms.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/cms.pod 2017-11-13 09:08:18.615672310 +0100
|
||||
@@ -36,6 +36,7 @@ B<openssl> B<cms>
|
||||
[B<-print>]
|
||||
[B<-CAfile file>]
|
||||
[B<-CApath dir>]
|
||||
|
@ -104,7 +104,7 @@ diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/c
|
|||
[B<-no_alt_chains>]
|
||||
[B<-md digest>]
|
||||
[B<-[cipher]>]
|
||||
@@ -248,6 +249,12 @@ B<-verify>. This directory must be a sta
|
||||
@@ -249,6 +250,12 @@ B<-verify>. This directory must be a sta
|
||||
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||||
to each certificate.
|
||||
|
||||
|
@ -117,10 +117,10 @@ diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/c
|
|||
=item B<-md digest>
|
||||
|
||||
digest algorithm to use when signing or resigning. If not present then the
|
||||
diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/ocsp.pod
|
||||
--- openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first 2016-09-22 14:01:27.401629545 +0200
|
||||
+++ openssl-1.0.2i/doc/apps/ocsp.pod 2016-09-22 14:01:27.438630405 +0200
|
||||
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
|
||||
diff -up openssl-1.0.2m/doc/apps/ocsp.pod.trusted-first openssl-1.0.2m/doc/apps/ocsp.pod
|
||||
--- openssl-1.0.2m/doc/apps/ocsp.pod.trusted-first 2017-11-13 09:08:18.569671275 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/ocsp.pod 2017-11-13 09:08:18.615672310 +0100
|
||||
@@ -31,6 +31,7 @@ B<openssl> B<ocsp>
|
||||
[B<-path>]
|
||||
[B<-CApath dir>]
|
||||
[B<-CAfile file>]
|
||||
|
@ -128,7 +128,7 @@ diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/
|
|||
[B<-no_alt_chains>]
|
||||
[B<-VAfile file>]
|
||||
[B<-validity_period n>]
|
||||
@@ -144,6 +145,13 @@ connection timeout to the OCSP responder
|
||||
@@ -154,6 +155,13 @@ connection timeout to the OCSP responder
|
||||
file or pathname containing trusted CA certificates. These are used to verify
|
||||
the signature on the OCSP response.
|
||||
|
||||
|
@ -142,10 +142,10 @@ diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/
|
|||
=item B<-no_alt_chains>
|
||||
|
||||
See L<B<verify>|verify(1)> manual page for details.
|
||||
diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/apps/s_client.pod
|
||||
--- openssl-1.0.2i/doc/apps/s_client.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
|
||||
+++ openssl-1.0.2i/doc/apps/s_client.pod 2016-09-22 14:01:27.438630405 +0200
|
||||
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
|
||||
diff -up openssl-1.0.2m/doc/apps/s_client.pod.trusted-first openssl-1.0.2m/doc/apps/s_client.pod
|
||||
--- openssl-1.0.2m/doc/apps/s_client.pod.trusted-first 2017-11-13 09:08:18.582671567 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/s_client.pod 2017-11-13 09:08:18.615672310 +0100
|
||||
@@ -20,6 +20,7 @@ B<openssl> B<s_client>
|
||||
[B<-pass arg>]
|
||||
[B<-CApath directory>]
|
||||
[B<-CAfile filename>]
|
||||
|
@ -153,7 +153,7 @@ diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/a
|
|||
[B<-no_alt_chains>]
|
||||
[B<-reconnect>]
|
||||
[B<-pause>]
|
||||
@@ -125,7 +126,7 @@ also used when building the client certi
|
||||
@@ -129,7 +130,7 @@ also used when building the client certi
|
||||
A file containing trusted certificates to use during server authentication
|
||||
and to use when attempting to build the client certificate chain.
|
||||
|
||||
|
@ -162,10 +162,10 @@ diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/a
|
|||
|
||||
Set various certificate chain valiadition option. See the
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps/smime.pod
|
||||
--- openssl-1.0.2i/doc/apps/smime.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/doc/apps/smime.pod 2016-09-22 14:01:27.438630405 +0200
|
||||
@@ -15,6 +15,9 @@ B<openssl> B<smime>
|
||||
diff -up openssl-1.0.2m/doc/apps/smime.pod.trusted-first openssl-1.0.2m/doc/apps/smime.pod
|
||||
--- openssl-1.0.2m/doc/apps/smime.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/smime.pod 2017-11-13 09:08:18.615672310 +0100
|
||||
@@ -16,6 +16,9 @@ B<openssl> B<smime>
|
||||
[B<-pk7out>]
|
||||
[B<-[cipher]>]
|
||||
[B<-in file>]
|
||||
|
@ -175,7 +175,7 @@ diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps
|
|||
[B<-no_alt_chains>]
|
||||
[B<-certfile file>]
|
||||
[B<-signer file>]
|
||||
@@ -150,6 +153,12 @@ B<-verify>. This directory must be a sta
|
||||
@@ -151,6 +154,12 @@ B<-verify>. This directory must be a sta
|
||||
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||||
to each certificate.
|
||||
|
||||
|
@ -188,18 +188,18 @@ diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps
|
|||
=item B<-md digest>
|
||||
|
||||
digest algorithm to use when signing or resigning. If not present then the
|
||||
diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/apps/s_server.pod
|
||||
--- openssl-1.0.2i/doc/apps/s_server.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
|
||||
+++ openssl-1.0.2i/doc/apps/s_server.pod 2016-09-22 14:01:27.438630405 +0200
|
||||
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
|
||||
diff -up openssl-1.0.2m/doc/apps/s_server.pod.trusted-first openssl-1.0.2m/doc/apps/s_server.pod
|
||||
--- openssl-1.0.2m/doc/apps/s_server.pod.trusted-first 2017-11-13 09:08:18.583671590 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/s_server.pod 2017-11-13 09:09:04.706710088 +0100
|
||||
@@ -34,6 +34,7 @@ B<openssl> B<s_server>
|
||||
[B<-state>]
|
||||
[B<-CApath directory>]
|
||||
[B<-CAfile filename>]
|
||||
+[B<-trusted_first>]
|
||||
[B<-no_alt_chains>]
|
||||
[B<-nocert>]
|
||||
[B<-cipher cipherlist>]
|
||||
@@ -178,6 +179,12 @@ and to use when attempting to build the
|
||||
[B<-client_sigalgs sigalglist>]
|
||||
@@ -183,6 +184,12 @@ and to use when attempting to build the
|
||||
is also used in the list of acceptable client CAs passed to the client when
|
||||
a certificate is requested.
|
||||
|
||||
|
@ -212,10 +212,10 @@ diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/a
|
|||
=item B<-no_alt_chains>
|
||||
|
||||
See the L<B<verify>|verify(1)> manual page for details.
|
||||
diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/apps/s_time.pod
|
||||
--- openssl-1.0.2i/doc/apps/s_time.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/doc/apps/s_time.pod 2016-09-22 14:01:27.439630429 +0200
|
||||
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
|
||||
diff -up openssl-1.0.2m/doc/apps/s_time.pod.trusted-first openssl-1.0.2m/doc/apps/s_time.pod
|
||||
--- openssl-1.0.2m/doc/apps/s_time.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/s_time.pod 2017-11-13 09:08:18.616672333 +0100
|
||||
@@ -15,6 +15,7 @@ B<openssl> B<s_time>
|
||||
[B<-key filename>]
|
||||
[B<-CApath directory>]
|
||||
[B<-CAfile filename>]
|
||||
|
@ -223,7 +223,7 @@ diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/app
|
|||
[B<-reuse>]
|
||||
[B<-new>]
|
||||
[B<-verify depth>]
|
||||
@@ -76,6 +77,12 @@ also used when building the client certi
|
||||
@@ -77,6 +78,12 @@ also used when building the client certi
|
||||
A file containing trusted certificates to use during server authentication
|
||||
and to use when attempting to build the client certificate chain.
|
||||
|
||||
|
@ -236,10 +236,10 @@ diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/app
|
|||
=item B<-new>
|
||||
|
||||
performs the timing test using a new session ID for each connection.
|
||||
diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts.pod
|
||||
--- openssl-1.0.2i/doc/apps/ts.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/doc/apps/ts.pod 2016-09-22 14:01:27.439630429 +0200
|
||||
@@ -46,6 +46,7 @@ B<-verify>
|
||||
diff -up openssl-1.0.2m/doc/apps/ts.pod.trusted-first openssl-1.0.2m/doc/apps/ts.pod
|
||||
--- openssl-1.0.2m/doc/apps/ts.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/ts.pod 2017-11-13 09:08:18.616672333 +0100
|
||||
@@ -47,6 +47,7 @@ B<-verify>
|
||||
[B<-token_in>]
|
||||
[B<-CApath> trusted_cert_path]
|
||||
[B<-CAfile> trusted_certs.pem]
|
||||
|
@ -247,7 +247,7 @@ diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts
|
|||
[B<-untrusted> cert_file.pem]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
|
||||
@@ -325,6 +326,12 @@ L<verify(1)|verify(1)> for additional de
|
||||
or B<-CApath> must be specified.
|
||||
(Optional)
|
||||
|
||||
|
@ -260,10 +260,10 @@ diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts
|
|||
=item B<-untrusted> cert_file.pem
|
||||
|
||||
Set of additional untrusted certificates in PEM format which may be
|
||||
diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/apps/verify.pod
|
||||
--- openssl-1.0.2i/doc/apps/verify.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
|
||||
+++ openssl-1.0.2i/doc/apps/verify.pod 2016-09-22 14:01:27.439630429 +0200
|
||||
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
|
||||
diff -up openssl-1.0.2m/doc/apps/verify.pod.trusted-first openssl-1.0.2m/doc/apps/verify.pod
|
||||
--- openssl-1.0.2m/doc/apps/verify.pod.trusted-first 2017-11-02 15:32:58.000000000 +0100
|
||||
+++ openssl-1.0.2m/doc/apps/verify.pod 2017-11-13 09:08:18.616672333 +0100
|
||||
@@ -10,6 +10,7 @@ verify - Utility to verify certificates.
|
||||
B<openssl> B<verify>
|
||||
[B<-CApath directory>]
|
||||
[B<-CAfile file>]
|
||||
|
@ -271,7 +271,7 @@ diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/app
|
|||
[B<-purpose purpose>]
|
||||
[B<-policy arg>]
|
||||
[B<-ignore_critical>]
|
||||
@@ -86,6 +87,12 @@ If a valid CRL cannot be found an error
|
||||
@@ -87,6 +88,12 @@ If a valid CRL cannot be found an error
|
||||
A file of untrusted certificates. The file should contain multiple certificates
|
||||
in PEM format concatenated together.
|
||||
|
50
openssl.spec
50
openssl.spec
|
@ -22,8 +22,8 @@
|
|||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.2j
|
||||
Release: 2%{?dist}
|
||||
Version: 1.0.2m
|
||||
Release: 1%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
|
@ -31,6 +31,7 @@ Epoch: 1
|
|||
Source: openssl-%{version}-hobbled.tar.xz
|
||||
Source1: hobble-openssl
|
||||
Source2: Makefile.certificate
|
||||
Source5: README.legacy-settings
|
||||
Source6: make-dummy-cert
|
||||
Source7: renew-dummy-cert
|
||||
Source8: openssl-thread-test.c
|
||||
|
@ -56,7 +57,8 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
|||
Patch34: openssl-1.0.2a-x509.patch
|
||||
Patch35: openssl-1.0.2a-version-add-engines.patch
|
||||
Patch39: openssl-1.0.2a-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.2i-fips.patch
|
||||
Patch40: openssl-1.0.2m-fips.patch
|
||||
Patch43: openssl-1.0.2m-krb5keytab.patch
|
||||
Patch45: openssl-1.0.2a-env-zlib.patch
|
||||
Patch47: openssl-1.0.2a-readme-warning.patch
|
||||
Patch49: openssl-1.0.1i-algo-doc.patch
|
||||
|
@ -68,25 +70,27 @@ Patch60: openssl-1.0.2a-apps-dgst.patch
|
|||
Patch63: openssl-1.0.2a-xmpp-starttls.patch
|
||||
Patch65: openssl-1.0.2i-chil-fixes.patch
|
||||
Patch66: openssl-1.0.2h-pkgconfig.patch
|
||||
Patch68: openssl-1.0.2i-secure-getenv.patch
|
||||
Patch68: openssl-1.0.2m-secure-getenv.patch
|
||||
Patch70: openssl-1.0.2a-fips-ec.patch
|
||||
Patch71: openssl-1.0.2g-manfix.patch
|
||||
Patch71: openssl-1.0.2m-manfix.patch
|
||||
Patch72: openssl-1.0.2a-fips-ctor.patch
|
||||
Patch73: openssl-1.0.2c-ecc-suiteb.patch
|
||||
Patch74: openssl-1.0.2a-no-md5-verify.patch
|
||||
Patch74: openssl-1.0.2j-deprecate-algos.patch
|
||||
Patch75: openssl-1.0.2a-compat-symbols.patch
|
||||
Patch76: openssl-1.0.2i-new-fips-reqs.patch
|
||||
Patch78: openssl-1.0.2a-cc-reqs.patch
|
||||
Patch76: openssl-1.0.2j-new-fips-reqs.patch
|
||||
Patch77: openssl-1.0.2j-downgrade-strength.patch
|
||||
Patch78: openssl-1.0.2k-cc-reqs.patch
|
||||
Patch90: openssl-1.0.2i-enc-fail.patch
|
||||
Patch92: openssl-1.0.2a-system-cipherlist.patch
|
||||
Patch93: openssl-1.0.2g-disable-sslv2v3.patch
|
||||
Patch94: openssl-1.0.2d-secp256k1.patch
|
||||
Patch95: openssl-1.0.2e-remove-nistp224.patch
|
||||
Patch96: openssl-1.0.2e-speed-doc.patch
|
||||
Patch99: openssl-1.0.2k-fips-randlock.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch80: openssl-1.0.2e-wrap-pad.patch
|
||||
Patch81: openssl-1.0.2a-padlock64.patch
|
||||
Patch82: openssl-1.0.2i-trusted-first-doc.patch
|
||||
Patch82: openssl-1.0.2m-trusted-first-doc.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
|
@ -180,6 +184,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||
%patch35 -p1 -b .version-add-engines
|
||||
%patch39 -p1 -b .ipv6-apps
|
||||
%patch40 -p1 -b .fips
|
||||
%patch43 -p1 -b .krb5keytab
|
||||
%patch45 -p1 -b .env-zlib
|
||||
%patch47 -p1 -b .warning
|
||||
%patch49 -p1 -b .algo-doc
|
||||
|
@ -196,9 +201,10 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||
%patch71 -p1 -b .manfix
|
||||
%patch72 -p1 -b .fips-ctor
|
||||
%patch73 -p1 -b .suiteb
|
||||
%patch74 -p1 -b .no-md5-verify
|
||||
%patch74 -p1 -b .deprecate-algos
|
||||
%patch75 -p1 -b .compat
|
||||
%patch76 -p1 -b .fips-reqs
|
||||
%patch77 -p1 -b .strength
|
||||
%patch78 -p1 -b .cc-reqs
|
||||
%patch90 -p1 -b .enc-fail
|
||||
%patch92 -p1 -b .system
|
||||
|
@ -206,6 +212,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||
%patch94 -p1 -b .secp256k1
|
||||
%patch95 -p1 -b .nistp224
|
||||
%patch96 -p1 -b .speed-doc
|
||||
%patch99 -p1 -b .randlock
|
||||
|
||||
%patch80 -p1 -b .wrap
|
||||
%patch81 -p1 -b .padlock64
|
||||
|
@ -304,8 +311,8 @@ make all
|
|||
# Generate hashes for the included certs.
|
||||
make rehash
|
||||
|
||||
# Overwrite FIPS README
|
||||
cp -f %{SOURCE11} .
|
||||
# Overwrite FIPS README and copy README.legacy-settings
|
||||
cp -f %{SOURCE5} %{SOURCE11} .
|
||||
|
||||
# Clean up the .pc files
|
||||
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
||||
|
@ -446,7 +453,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%defattr(-,root,root)
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license LICENSE
|
||||
%doc FAQ NEWS README README.FIPS
|
||||
%doc FAQ NEWS README
|
||||
%doc README.FIPS
|
||||
%doc README.legacy-settings
|
||||
%{_sysconfdir}/pki/tls/certs/make-dummy-cert
|
||||
%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
|
||||
%{_sysconfdir}/pki/tls/certs/Makefile
|
||||
|
@ -508,6 +517,21 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Mon Nov 13 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2m-1
|
||||
- minor upstream release 1.0.2m fixing security issues
|
||||
- fix locking of RNG in FIPS mode for some obscure use-cases
|
||||
|
||||
* Mon Feb 6 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-1
|
||||
- minor upstream release 1.0.2k fixing security issues
|
||||
- deprecate and disable verification of insecure hash algorithms
|
||||
- add support for /etc/pki/tls/legacy-settings also for minimum DH length
|
||||
accepted by SSL client
|
||||
- compare the encrypt and tweak key in XTS as required by FIPS
|
||||
|
||||
* Fri Dec 2 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2j-2
|
||||
- drop read lock in fips_drbg_status that is unnecessary
|
||||
and causes deadlock when reseeding (#1400922)
|
||||
|
||||
* Fri Oct 07 2016 Richard W.M. Jones <rjones@redhat.com> - 1:1.0.2j-2
|
||||
- Add flags for riscv64.
|
||||
|
||||
|
|
Loading…
Reference in New Issue