rpms/openssl/devel openssl-0.9.8j-bad-mime.patch, NONE, 1.1 openssl-0.9.8j-ca-dir.patch, NONE, 1.1 openssl-0.9.8j-eap-fast.patch, NONE, 1.1 openssl-0.9.8j-enginesdir.patch, NONE, 1.1 openssl-0.9.8j-env-nozlib.patch, NONE, 1.1 openssl-0.9.8j-evp-nonfips.patch, NONE, 1.1 openssl-0.9.8j-fipscheck-hmac.patch, NONE, 1.1 openssl-0.9.8j-kernel-fipsmode.patch, NONE, 1.1 openssl-0.9.8j-nocanister.patch, NONE, 1.1 openssl-0.9.8j-readme-warning.patch, NONE, 1.1 openssl-0.9.8j-redhat.patch, NONE, 1.1 openssl-0.9.8j-shlib-version.patch, NONE, 1.1 openssl-0.9.8j-soversion.patch, NONE, 1.1 openssl-0.9.8j-use-fipscheck.patch, NONE, 1.1 openssl-0.9.8j-version-add-engines.patch, NONE, 1.1 .cvsignore, 1.16, 1.17 openssl.spec, 1.113, 1.114 sources, 1.18, 1.19 openssl-0.9.7-beta5-version-add-engines.patch, 1.1, NONE openssl-0.9.7f-ca-dir.patch, 1.1, NONE openssl-0.9.8g-bn-mul-bug.patch, 1.1, NONE openssl-0.9.8g-cve-2008-0891.patch, 1.1, NONE openssl-0.9.8g-cve-2008-1671.patch, 1.1, NONE openssl-0.9.8g-redhat.patch, 1.1, NONE openssl-0.9.8g-shlib-version.patch, 1.1, NONE openssl-0.9.8g-soversion.patch, 1.1, NONE openssl-0.9.8g-speed-bug.patch, 1.1, NONE
Tomáš Mráz
tmraz at fedoraproject.org
Thu Jan 15 09:10:25 UTC 2009
Author: tmraz
Update of /cvs/pkgs/rpms/openssl/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv750
Modified Files:
.cvsignore openssl.spec sources
Added Files:
openssl-0.9.8j-bad-mime.patch openssl-0.9.8j-ca-dir.patch
openssl-0.9.8j-eap-fast.patch openssl-0.9.8j-enginesdir.patch
openssl-0.9.8j-env-nozlib.patch
openssl-0.9.8j-evp-nonfips.patch
openssl-0.9.8j-fipscheck-hmac.patch
openssl-0.9.8j-kernel-fipsmode.patch
openssl-0.9.8j-nocanister.patch
openssl-0.9.8j-readme-warning.patch
openssl-0.9.8j-redhat.patch openssl-0.9.8j-shlib-version.patch
openssl-0.9.8j-soversion.patch
openssl-0.9.8j-use-fipscheck.patch
openssl-0.9.8j-version-add-engines.patch
Removed Files:
openssl-0.9.7-beta5-version-add-engines.patch
openssl-0.9.7f-ca-dir.patch openssl-0.9.8g-bn-mul-bug.patch
openssl-0.9.8g-cve-2008-0891.patch
openssl-0.9.8g-cve-2008-1671.patch openssl-0.9.8g-redhat.patch
openssl-0.9.8g-shlib-version.patch
openssl-0.9.8g-soversion.patch openssl-0.9.8g-speed-bug.patch
Log Message:
* Thu Jan 15 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8j-1
- new upstream version with necessary soname bump (#455753)
- temporarily provide symlink to old soname to make it possible to rebuild
the dependent packages in rawhide
- add eap-fast support (#428181)
- add possibility to disable zlib by setting
- add fips mode support for testing purposes
- do not null dereference on some invalid smime files
- add buildrequires pkgconfig (#479493)
openssl-0.9.8j-bad-mime.patch:
--- NEW FILE openssl-0.9.8j-bad-mime.patch ---
diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
--- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime 2008-08-05 17:56:11.000000000 +0200
+++ openssl-0.9.8j/crypto/asn1/asn_mime.c 2009-01-14 22:08:34.000000000 +0100
@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
static int mime_hdr_cmp(const MIME_HEADER * const *a,
const MIME_HEADER * const *b)
{
+ if ((*a)->name == NULL || (*b)->name == NULL)
+ return (*a)->name - (*b)->name < 0 ? -1 :
+ (*a)->name - (*b)->name > 0 ? 1 : 0;
+
return(strcmp((*a)->name, (*b)->name));
}
openssl-0.9.8j-ca-dir.patch:
--- NEW FILE openssl-0.9.8j-ca-dir.patch ---
diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
--- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100
+++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100
@@ -34,7 +34,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = ../../CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
--- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200
+++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100
@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
-CATOP=./demoCA
+CATOP=../../CA
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
--- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200
+++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
$X509="$openssl x509";
$PKCS12="$openssl pkcs12";
-$CATOP="./demoCA";
+$CATOP="../../CA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";
openssl-0.9.8j-eap-fast.patch:
--- NEW FILE openssl-0.9.8j-eap-fast.patch ---
diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c
--- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100
+++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100
@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
void tls1_free(SSL *s)
{
+#ifndef OPENSSL_NO_TLSEXT
+ if (s && s->tlsext_session_ticket)
+ {
+ OPENSSL_free(s->tlsext_session_ticket);
+ }
+#endif /* OPENSSL_NO_TLSEXT */
ssl3_free(s);
}
@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex
int ticklen;
if (s->session && s->session->tlsext_tick)
ticklen = s->session->tlsext_ticklen;
+ else if (s->session && s->tlsext_session_ticket &&
+ s->tlsext_session_ticket->data)
+ {
+ ticklen = s->tlsext_session_ticket->length;
+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
+ if (!s->session->tlsext_tick)
+ return NULL;
+ memcpy(s->session->tlsext_tick,
+ s->tlsext_session_ticket->data,
+ ticklen);
+ s->session->tlsext_ticklen = ticklen;
+ }
else
ticklen = 0;
+ if (ticklen == 0 && s->tlsext_session_ticket &&
+ s->tlsext_session_ticket->data == NULL)
+ goto skip_ext;
/* Check for enough room 2 for extension type, 2 for len
* rest for ticket
*/
@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex
ret += ticklen;
}
}
+ skip_ext:
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
{
@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
}
+ else if (type == TLSEXT_TYPE_session_ticket)
+ {
+ if (s->tls_session_ticket_ext_cb &&
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ }
else if (type == TLSEXT_TYPE_status_request
&& s->ctx->tlsext_status_cb)
{
@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
}
else if (type == TLSEXT_TYPE_session_ticket)
{
+ if (s->tls_session_ticket_ext_cb &&
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
|| (size > 0))
{
@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned
s->tlsext_ticket_expected = 1;
return 0; /* Cache miss */
}
+ if (s->tls_session_secret_cb)
+ {
+ /* Indicate cache miss here and instead of
+ * generating the session from ticket now,
+ * trigger abbreviated handshake based on
+ * external mechanism to calculate the master
+ * secret later. */
+ return 0;
+ }
return tls_decrypt_ticket(s, p, size, session_id, len,
ret);
}
diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c
--- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
+++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100
@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
+#ifndef OPENSSL_NO_TLSEXT
+ /* check if we want to resume the session based on external pre-shared secret */
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if (s->tls_session_secret_cb(s, s->session->master_key,
+ &s->session->master_key_length,
+ NULL, &pref_cipher,
+ s->tls_session_secret_cb_arg))
+ {
+ s->session->cipher = pref_cipher ?
+ pref_cipher : ssl_get_cipher_by_char(s, p+j);
+ }
+ }
+#endif /* OPENSSL_NO_TLSEXT */
+
if (j != 0 && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s)
{
int ok;
long n;
- /* If we have no ticket or session ID is non-zero length (a match of
- * a non-zero session length would never reach here) it cannot be a
- * resumed session.
- */
- if (!s->session->tlsext_tick || s->session->session_id_length)
+ /* If we have no ticket it cannot be a resumed session. */
+ if (!s->session->tlsext_tick)
return 1;
/* this function is called when we really expect a Certificate
* message, so permit appropriate message length */
diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c
--- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200
+++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100
@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX *
return(s->session_timeout);
}
+#ifndef OPENSSL_NO_TLSEXT
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+ {
+ if (s == NULL) return(0);
+ s->tls_session_secret_cb = tls_session_secret_cb;
+ s->tls_session_secret_cb_arg = arg;
+ return(1);
+ }
+
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
+ void *arg)
+ {
+ if (s == NULL) return(0);
+ s->tls_session_ticket_ext_cb = cb;
+ s->tls_session_ticket_ext_cb_arg = arg;
+ return(1);
+ }
+
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
+ {
+ if (s->version >= TLS1_VERSION)
+ {
+ if (s->tlsext_session_ticket)
+ {
+ OPENSSL_free(s->tlsext_session_ticket);
+ s->tlsext_session_ticket = NULL;
+ }
+
+ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
+ if (!s->tlsext_session_ticket)
+ {
+ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (ext_data)
+ {
+ s->tlsext_session_ticket->length = ext_len;
+ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
+ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
+ }
+ else
+ {
+ s->tlsext_session_ticket->length = 0;
+ s->tlsext_session_ticket->data = NULL;
+ }
+
+ return 1;
+ }
+
+ return 0;
+ }
+#endif /* OPENSSL_NO_TLSEXT */
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
--- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
+++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100
@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
+
+ /* Check if we want to use external pre-shared secret for this
+ * handshake for not reused session only. We need to generate
+ * server_random before calling tls_session_secret_cb in order to allow
+ * SessionTicket processing to use it in key derivation. */
+ {
+ unsigned long Time;
+ unsigned char *pos;
+ Time=(unsigned long)time(NULL); /* Time */
+ pos=s->s3->server_random;
+ l2n(Time,pos);
+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
+ {
+ al=SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
+ }
+
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->ciphers=ciphers;
+ s->session->verify_result=X509_V_OK;
+
+ ciphers=NULL;
+
+ /* check if some cipher was preferred by call back */
+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ if (pref_cipher == NULL)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
+ goto f_err;
+ }
+
+ s->session->cipher=pref_cipher;
+
+ if (s->cipher_list)
+ sk_SSL_CIPHER_free(s->cipher_list);
+
+ if (s->cipher_list_by_id)
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
+
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
+ }
+ }
#endif
/* Worst case, we will use the NULL compression, but if we have other
* options, we will now look for them. We have i-1 compression
@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s)
unsigned char *buf;
unsigned char *p,*d;
int i,sl;
- unsigned long l,Time;
+ unsigned long l;
+#ifdef OPENSSL_NO_TLSEXT
+ unsigned long Time;
+#endif
if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
{
buf=(unsigned char *)s->init_buf->data;
+#ifdef OPENSSL_NO_TLSEXT
p=s->s3->server_random;
+ /* Generate server_random if it was not needed previously */
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
return -1;
+#endif
/* Do the message type and length last */
d=p= &(buf[4]);
diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h
--- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
+++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100
@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
+/* TLS Session Ticket extension struct */
+struct tls_session_ticket_ext_st
+ {
+ unsigned short length;
+ void *data;
+ };
+
#ifdef __cplusplus
}
#endif
diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c
--- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200
+++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100
@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
{0,NULL}
};
diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h
--- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
+++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100
@@ -344,6 +344,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
+typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st
DECLARE_STACK_OF(SSL_CIPHER)
+typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
@@ -1034,6 +1038,18 @@ struct ssl_st
/* RFC4507 session ticket expected to be received or sent */
int tlsext_ticket_expected;
+
+ /* TLS Session Ticket extension override */
+ TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
+
+ /* TLS Session Ticket extension callback */
+ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
+ void *tls_session_ticket_ext_cb_arg;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
+ void *tls_session_secret_cb_arg;
+
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
#define session_ctx initial_ctx
#else
@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+/* TLS extensions functions */
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
+
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
+ void *arg);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_ENC 210
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
openssl-0.9.8j-enginesdir.patch:
--- NEW FILE openssl-0.9.8j-enginesdir.patch ---
diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure
--- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100
+++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100
@@ -577,6 +577,7 @@ my $idx_arflags = $idx++;
my $prefix="";
my $openssldir="";
+my $enginesdir="";
my $exe_ext="";
my $install_prefix="";
my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
@@ -815,6 +816,10 @@ PROCESS_ARGS:
{
$openssldir=$1;
}
+ elsif (/^--enginesdir=(.*)$/)
+ {
+ $enginesdir=$1;
+ }
elsif (/^--install.prefix=(.*)$/)
{
$install_prefix=$1;
@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
-
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
print "IsMK1MF=$IsMK1MF\n";
@@ -1635,7 +1640,7 @@ while (<IN>)
if (/^#define\s+OPENSSLDIR/)
{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
elsif (/^#define\s+ENGINESDIR/)
- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; }
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
if $export_var_as_fn;
openssl-0.9.8j-env-nozlib.patch:
--- NEW FILE openssl-0.9.8j-env-nozlib.patch ---
Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set.
diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c
--- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib 2009-01-05 15:43:07.000000000 +0100
+++ openssl-0.9.8j/ssl/ssl_ciph.c 2009-01-14 17:47:46.000000000 +0100
@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo
MemCheck_off();
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
- if (ssl_comp_methods != NULL)
+ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
{
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL)
openssl-0.9.8j-evp-nonfips.patch:
--- NEW FILE openssl-0.9.8j-evp-nonfips.patch ---
diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c
--- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200
+++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100
@@ -64,6 +64,11 @@
void OpenSSL_add_all_digests(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init();
+ if (!FIPS_mode())
+ {
+#endif
#ifndef OPENSSL_NO_MD2
EVP_add_digest(EVP_md2());
#endif
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
EVP_add_digest(EVP_sha384());
EVP_add_digest(EVP_sha512());
#endif
+#ifdef OPENSSL_FIPS
+ }
+ else
+ {
+#ifndef OPENSSL_NO_SHA
+ EVP_add_digest(EVP_sha1());
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#ifndef OPENSSL_NO_DSA
+ EVP_add_digest(EVP_dss1());
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ EVP_add_digest(EVP_ecdsa());
+#endif
+#endif
+#ifndef OPENSSL_NO_SHA256
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+#endif
+ }
+#endif
}
diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c
--- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200
+++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100
@@ -65,6 +65,11 @@
void OpenSSL_add_all_ciphers(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init();
+ if(!FIPS_mode())
+ {
+#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cfb());
EVP_add_cipher(EVP_des_cfb1());
@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
#endif
+#ifdef OPENSSL_FIPS
+ }
+ else
+ {
+#ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede_cfb());
+ EVP_add_cipher(EVP_des_ede3_cfb());
+
+ EVP_add_cipher(EVP_des_ede_ofb());
+ EVP_add_cipher(EVP_des_ede3_ofb());
+
+ EVP_add_cipher(EVP_des_ede_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
+
+ EVP_add_cipher(EVP_des_ede());
+ EVP_add_cipher(EVP_des_ede3());
+#endif
+
+#ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_ecb());
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_128_cfb());
+ EVP_add_cipher(EVP_aes_128_cfb1());
+ EVP_add_cipher(EVP_aes_128_cfb8());
+ EVP_add_cipher(EVP_aes_128_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_128_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_192_cfb());
+ EVP_add_cipher(EVP_aes_192_cfb1());
+ EVP_add_cipher(EVP_aes_192_cfb8());
+ EVP_add_cipher(EVP_aes_192_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_192_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+ EVP_add_cipher(EVP_aes_256_cbc());
+ EVP_add_cipher(EVP_aes_256_cfb());
+ EVP_add_cipher(EVP_aes_256_cfb1());
+ EVP_add_cipher(EVP_aes_256_cfb8());
+ EVP_add_cipher(EVP_aes_256_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_256_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
+#endif
+ }
+#endif
PKCS12_PBE_add();
PKCS5_PBE_add();
openssl-0.9.8j-fipscheck-hmac.patch:
--- NEW FILE openssl-0.9.8j-fipscheck-hmac.patch ---
Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary.
We use the binary just during the OpenSSL build to checksum the libcrypto.
diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile
--- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100
+++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100
@@ -46,7 +46,7 @@ lib: $(LIBOBJ)
@echo $(LIBOBJ) > lib
../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
files:
diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c
--- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200
+++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
#ifdef OPENSSL_FIPS
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
const char *key)
{
int len=strlen(key);
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
if (len > SHA_CBLOCK)
{
- SHA1_Init(md_ctx);
- SHA1_Update(md_ctx,key,len);
- SHA1_Final(keymd,md_ctx);
- len=20;
+ SHA256_Init(md_ctx);
+ SHA256_Update(md_ctx,key,len);
+ SHA256_Final(keymd,md_ctx);
+ len=SHA256_DIGEST_LENGTH;
}
else
memcpy(keymd,key,len);
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
pad[i]=0x36^keymd[i];
- SHA1_Init(md_ctx);
- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
+ SHA256_Init(md_ctx);
+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
pad[i]=0x5c^keymd[i];
- SHA1_Init(o_ctx);
- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
+ SHA256_Init(o_ctx);
+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
}
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
{
- unsigned char buf[20];
+ unsigned char buf[SHA256_DIGEST_LENGTH];
- SHA1_Final(buf,md_ctx);
- SHA1_Update(o_ctx,buf,sizeof buf);
- SHA1_Final(md,o_ctx);
+ SHA256_Final(buf,md_ctx);
+ SHA256_Update(o_ctx,buf,sizeof buf);
+ SHA256_Final(md,o_ctx);
}
#endif
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
int main(int argc,char **argv)
{
#ifdef OPENSSL_FIPS
- static char key[]="etaonrishdlcupfm";
+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
int n,binary=0;
if(argc < 2)
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
for(; n < argc ; ++n)
{
FILE *f=fopen(argv[n],"rb");
- SHA_CTX md_ctx,o_ctx;
- unsigned char md[20];
+ SHA256_CTX md_ctx,o_ctx;
+ unsigned char md[SHA256_DIGEST_LENGTH];
int i;
if(!f)
@@ -139,7 +139,7 @@ int main(int argc,char **argv)
for( ; ; )
{
char buf[1024];
- int l=fread(buf,1,sizeof buf,f);
+ size_t l=fread(buf,1,sizeof buf,f);
if(l == 0)
{
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
else
break;
}
- SHA1_Update(&md_ctx,buf,l);
+ SHA256_Update(&md_ctx,buf,l);
}
hmac_final(md,&md_ctx,&o_ctx);
if (binary)
{
- fwrite(md,20,1,stdout);
+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
break; /* ... for single(!) file */
}
- printf("HMAC-SHA1(%s)= ",argv[n]);
- for(i=0 ; i < 20 ; ++i)
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
printf("%02x",md[i]);
printf("\n");
}
openssl-0.9.8j-kernel-fipsmode.patch:
--- NEW FILE openssl-0.9.8j-kernel-fipsmode.patch ---
diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c
--- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100
+++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100
@@ -59,6 +59,45 @@
#include <e_os.h>
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <openssl/fips.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static void init_fips_mode(void)
+ {
+ char buf[2] = "0";
+ int fd;
+
+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+ {
+ buf[0] = '1';
+ }
+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
+ {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+ close(fd);
+ }
+ /* Failure reading the fips mode switch file means just not
+ * switching into FIPS mode. We would break too many things
+ * otherwise.
+ */
+
+ if (buf[0] == '1')
+ {
+ FIPS_mode_set(1);
+ }
+ }
+#endif
+
/* Perform any essential OpenSSL initialization operations.
* Currently only sets FIPS callbacks
*/
@@ -73,11 +112,10 @@ void OPENSSL_init(void)
#ifdef CRYPTO_MDEBUG
CRYPTO_malloc_debug_init();
#endif
-#ifdef OPENSSL_ENGINE
+ init_fips_mode();
int_EVP_MD_init_engine_callbacks();
int_EVP_CIPHER_init_engine_callbacks();
int_RAND_init_engine_callbacks();
-#endif
done = 1;
}
#endif
openssl-0.9.8j-nocanister.patch:
--- NEW FILE openssl-0.9.8j-nocanister.patch ---
Do not create a fipscanister.o, add the objects directly.
diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile
--- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100
+++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100
@@ -142,8 +142,24 @@ lib: $(LIB)
if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi
@touch lib
-$(LIB): $(FIPSLIBDIR)fipscanister.o
- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS)
+ FIPS_ASM=""; \
+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
+ if [ -n "$(CPUID_OBJ)" ]; then \
+ CPUID=../crypto/$(CPUID_OBJ) ; \
+ else \
+ CPUID="" ; \
+ fi ; \
+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
+ for i in $(FIPS_OBJ_LISTS); do \
+ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
+ objs="$$objs `sed "$$script" $$i`"; \
+ done; \
+ objs="$$objs" ; \
+ $(AR) $(LIB) $$objs
$(RANLIB) $(LIB) || echo Never mind.
$(FIPSCANLIB): $(FIPSCANLOC)
openssl-0.9.8j-readme-warning.patch:
--- NEW FILE openssl-0.9.8j-readme-warning.patch ---
diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
--- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100
+++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100
@@ -5,6 +5,31 @@
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
+ WARNING
+ -------
+
+ This version of OpenSSL is built in a way that supports operation in
+ the so called FIPS mode. Note though that the library as we build it
+ is not FIPS validated and the FIPS mode is present for testing purposes
+ only.
+
+ This version also contains a few differences from the upstream code
+ some of which are:
+ * The FIPS integrity verification check is implemented differently
+ from the upstream FIPS validated OpenSSL module. It verifies
+ HMAC-SHA256 checksum of the whole libcrypto shared library.
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
+ tries to initialize the FIPS mode if it is set to 1 aborting if the
+ FIPS mode could not be initialized. It is also possible to force the
+ OpenSSL library to FIPS mode especially for debugging purposes by
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
+ will not automatically load the built in compression method ZLIB
+ when initialized. Applications can still explicitely ask for ZLIB
+ compression method.
+ * There is added a support for EAP-FAST through TLS extension. This code
+ is backported from OpenSSL upstream development branch.
+
DESCRIPTION
-----------
openssl-0.9.8j-redhat.patch:
--- NEW FILE openssl-0.9.8j-redhat.patch ---
diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
--- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100
+++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100
@@ -320,28 +320,28 @@ my %table=(
####
# *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate...
-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
#### IA-32 targets...
"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
####
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
#### SPARC Linux setups
# Ray Miller <ray.miller at computing-services.oxford.ac.uk> has patiently
# assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# it's a real mess with -mcpu=ultrasparc option under Linux, but
# -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# GCC 3.1 is a requirement
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -355,8 +355,8 @@ my %table=(
#
# <appro at fy.chalmers.se>
#
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
openssl-0.9.8j-shlib-version.patch:
--- NEW FILE openssl-0.9.8j-shlib-version.patch ---
diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h
--- openssl-0.9.8j/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100
+++ openssl-0.9.8j/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100
@@ -83,7 +83,7 @@
* should only keep the versions that are binary compatible with the current.
*/
#define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "0.9.8"
+#define SHLIB_VERSION_NUMBER "0.9.8j"
#endif /* HEADER_OPENSSLV_H */
openssl-0.9.8j-soversion.patch:
--- NEW FILE openssl-0.9.8j-soversion.patch ---
Define and use a soname -- because we have to care about binary
compatibility, we have to increment the soname in order to allow
this version to co-exist with another versions and have everything
work right.
diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure
--- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100
+++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100
@@ -1371,7 +1371,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
}
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{
diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org
--- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100
+++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=
SHLIB_MINOR=
SHLIB_EXT=
+SHLIB_SONAMEVER=8
PLATFORM=dist
OPTIONS=
CONFIGURE_ARGS=
@@ -277,10 +278,9 @@ clean-shared:
link-shared:
@ set -e; for i in ${SHLIBDIRS}; do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
symlink.$(SHLIB_TARGET); \
- libs="$$libs -l$$i"; \
done
build-shared: do_$(SHLIB_TARGET) link-shared
@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET):
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
LIBDEPS="$$libs $(EX_LIBS)" \
link_a.$(SHLIB_TARGET); \
openssl-0.9.8j-use-fipscheck.patch:
--- NEW FILE openssl-0.9.8j-use-fipscheck.patch ---
Use fipscheck compatible way of verification of the integrity of the libcrypto
shared library.
diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
--- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100
+++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100
@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
if [ "$(FIPSCANLIB)" = "libfips" ]; then \
LIBRARIES="-L$(TOP) -lfips"; \
elif [ -n "$(FIPSCANLIB)" ]; then \
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
+ LIBRARIES="$(LIBCRYPTO)"; \
fi; \
$(MAKE) -f $(TOP)/Makefile.shared -e \
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
shlib_target="$(SHLIB_TARGET)"; \
fi; \
LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
- fi; \
[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
$(MAKE) -f $(TOP)/Makefile.shared -e \
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
--- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100
+++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100
@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
$(AR) libcrypto.a fips/fipscanister.o ; \
else \
- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
- FIPSLD_CC=$(CC); CC=fips/fipsld; \
- export CC FIPSLD_CC; \
- fi; \
$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
fi \
else \
@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
fips/fipscanister.o: build_fips
libfips$(SHLIB_EXT): fips/fipscanister.o
@if [ "$(SHLIB_TARGET)" != "" ]; then \
- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
$(MAKE) -f Makefile.shared -e $(BUILDENV) \
- CC=$${CC} LIBNAME=fips THIS=$@ \
+ CC=$(CC) LIBNAME=fips THIS=$@ \
LIBEXTRAS=fips/fipscanister.o \
LIBDEPS="$(EX_LIBS)" \
LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -469,7 +464,7 @@ openssl.pc: Makefile
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
echo 'Version: '$(VERSION); \
echo 'Requires: '; \
- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
Makefile: Makefile.org Configure config
diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
--- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
+++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100
@@ -47,6 +47,7 @@
*
*/
+#define _GNU_SOURCE
#include <openssl/rand.h>
#include <openssl/fips_rand.h>
@@ -56,6 +57,9 @@
#include <openssl/rsa.h>
#include <string.h>
#include <limits.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
#include "fips_locl.h"
#ifdef OPENSSL_FIPS
@@ -165,6 +169,7 @@ int FIPS_selftest()
&& FIPS_selftest_dsa();
}
+#if 0
extern const void *FIPS_text_start(), *FIPS_text_end();
extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
unsigned char FIPS_signature [20] = { 0 };
@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void)
return 1;
}
+#else
+/* we implement what libfipscheck does ourselves */
+
+static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rv = -1;
+
+ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
+ if (dl == NULL) {
+ return -1;
+ }
+
+ sym = dlsym(dl, symbolname);
+
+ if (sym != NULL && dladdr(sym, &info)) {
+ strncpy(path, info.dli_fname, pathlen-1);
+ path[pathlen-1] = '\0';
+ rv = 0;
+ }
+
+ dlclose(dl);
+
+ return rv;
+}
+
+static const char conv[] = "0123456789abcdef";
+
+static char *
+bin2hex(void *buf, size_t len)
+{
+ char *hex, *p;
+ unsigned char *src = buf;
+
+ hex = malloc(len * 2 + 1);
+ if (hex == NULL)
+ return NULL;
+
+ p = hex;
+
+ while (len > 0) {
+ unsigned c;
+
+ c = *src;
+ src++;
+
+ *p = conv[c >> 4];
+ ++p;
+ *p = conv[c & 0x0f];
+ ++p;
+ --len;
+ }
+ *p = '\0';
+ return hex;
+}
+
+#define HMAC_PREFIX "."
+#define HMAC_SUFFIX ".hmac"
+#define READ_BUFFER_LENGTH 16384
+
+static char *
+make_hmac_path(const char *origpath)
+{
+ char *path, *p;
+ const char *fn;
+
+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
+ if(path == NULL) {
+ return NULL;
+ }
+
+ fn = strrchr(origpath, '/');
+ if (fn == NULL) {
+ fn = origpath;
+ } else {
+ ++fn;
+ }
+
+ strncpy(path, origpath, fn-origpath);
+ p = path + (fn - origpath);
+ p = stpcpy(p, HMAC_PREFIX);
+ p = stpcpy(p, fn);
+ p = stpcpy(p, HMAC_SUFFIX);
+
+ return path;
+}
+
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+static int
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+{
+ FILE *f = NULL;
+ int rv = -1;
+ unsigned char rbuf[READ_BUFFER_LENGTH];
+ size_t len;
+ unsigned int hlen;
+ HMAC_CTX c;
+
+ HMAC_CTX_init(&c);
+
+ f = fopen(path, "r");
+
+ if (f == NULL) {
+ goto end;
+ }
+
+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
+
+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
+ HMAC_Update(&c, rbuf, len);
+ }
+
+ len = sizeof(rbuf);
+ /* reuse rbuf for hmac */
+ HMAC_Final(&c, rbuf, &hlen);
+
+ *buf = malloc(hlen);
+ if (*buf == NULL) {
+ goto end;
+ }
+
+ *hmaclen = hlen;
+
+ memcpy(*buf, rbuf, hlen);
+
+ rv = 0;
+end:
+ HMAC_CTX_cleanup(&c);
+
+ if (f)
+ fclose(f);
+
+ return rv;
+}
+
+static int
+FIPSCHECK_verify(const char *libname, const char *symbolname)
+{
+ char path[PATH_MAX+1];
+ int rv;
+ FILE *hf;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+
+ rv = get_library_path(libname, symbolname, path, sizeof(path));
+
+ if (rv < 0)
+ return 0;
+
+ hmacpath = make_hmac_path(path);
+
+ hf = fopen(hmacpath, "r");
+ if (hf == NULL) {
+ free(hmacpath);
+ return 0;
+ }
+
+ if (getline(&hmac, &n, hf) > 0) {
+ void *buf;
+ size_t hmaclen;
+ char *hex;
+
+ if ((p=strchr(hmac, '\n')) != NULL)
+ *p = '\0';
+
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
+ rv = -4;
+ goto end;
+ }
+
+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
+ free(buf);
+ rv = -5;
+ goto end;
+ }
+
+ if (strcmp(hex, hmac) != 0) {
+ rv = -1;
+ }
+ free(buf);
+ free(hex);
+ }
+
+end:
+ free(hmac);
+ free(hmacpath);
+ fclose(hf);
+
+ if (rv < 0)
+ return 0;
+
+ /* check successful */
+ return 1;
+}
+
+#endif
int FIPS_mode_set(int onoff)
{
@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff)
}
#endif
- if(fips_signature_witness() != FIPS_signature)
- {
- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
- if(!FIPS_check_incore_fingerprint())
+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
{
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1;
ret = 0;
goto end;
@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void)
return ret;
}
+#if 0
unsigned char *fips_signature_witness(void)
{
extern unsigned char FIPS_signature[];
return FIPS_signature;
}
+#endif
/* Generalized public key test routine. Signs and verifies the data
* supplied in tbs using mesage digest md and setting option digest
diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
--- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100
+++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100
@@ -62,9 +62,9 @@ testapps:
all:
@if [ -z "$(FIPSLIBDIR)" ]; then \
- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
+ $(MAKE) -e subdirs lib; \
else \
- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
+ $(MAKE) -e lib; \
fi
# Idea behind fipscanister.o is to "seize" the sequestered code between
@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
esac fi
- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
# If another exception is immediately required, assign approprite
# site-specific ld command to FIPS_SITE_LD environment variable.
@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
@touch lib
-shared: lib subdirs fips_premain_dso$(EXE_EXT)
+shared: lib subdirs
libs:
@target=lib; $(RECURSIVE_MAKE)
@@ -195,10 +194,6 @@ install:
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
@target=install; $(RECURSIVE_MAKE)
- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
- fips_premain.c.sha1 \
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
lint:
@target=lint; $(RECURSIVE_MAKE)
diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h
--- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200
+++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
int fips_set_owning_thread(void);
void fips_set_selftest_fail(void);
int fips_clear_owning_thread(void);
+#if 0
unsigned char *fips_signature_witness(void);
+#endif
#define FIPS_MAX_CIPHER_TEST_SIZE 16
openssl-0.9.8j-version-add-engines.patch:
--- NEW FILE openssl-0.9.8j-version-add-engines.patch ---
diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
--- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200
+++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100
@@ -131,6 +131,7 @@
#ifndef OPENSSL_NO_BF
# include <openssl/blowfish.h>
#endif
+#include <openssl/engine.h>
#undef PROG
#define PROG version_main
@@ -140,7 +141,7 @@ int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
int i,ret=0;
- int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
+ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
apps_startup();
@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
else if (strcmp(argv[i],"-d") == 0)
dir=1;
else if (strcmp(argv[i],"-a") == 0)
- date=version=cflags=options=platform=dir=1;
+ date=version=cflags=options=platform=dir=engines=1;
else
{
BIO_printf(bio_err,"usage:version -[avbofpd]\n");
@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
}
if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR));
+ if (engines)
+ {
+ ENGINE *e;
+ printf("engines: ");
+ e = ENGINE_get_first();
+ while (e)
+ {
+ printf("%s ", ENGINE_get_id(e));
+ e = ENGINE_get_next(e);
+ }
+ printf("\n");
+ }
end:
apps_shutdown();
OPENSSL_EXIT(ret);
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/.cvsignore,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- .cvsignore 3 Dec 2007 14:24:08 -0000 1.16
+++ .cvsignore 15 Jan 2009 09:10:25 -0000 1.17
@@ -1 +1 @@
-openssl-0.9.8g-usa.tar.bz2
+openssl-0.9.8j-usa.tar.bz2
Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.113
retrieving revision 1.114
diff -u -r1.113 -r1.114
--- openssl.spec 10 Aug 2008 20:36:12 -0000 1.113
+++ openssl.spec 15 Jan 2009 09:10:25 -0000 1.114
@@ -7,7 +7,8 @@
# 0.9.7ef soversion = 5
# 0.9.8ab soversion = 6
# 0.9.8g soversion = 7
-%define soversion 7
+# 0.9.8j + EAP-FAST soversion = 8
+%define soversion 8
# Number of threads to spawn when testing some threading fixes.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
@@ -19,10 +20,10 @@
# Arches for which we don't build subpackages.
%define optimize_arches i686
-Summary: The OpenSSL toolkit
+Summary: A general purpose cryptography library with TLS implementation
Name: openssl
-Version: 0.9.8g
-Release: 11%{?dist}
+Version: 0.9.8j
+Release: 1%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-usa.tar.bz2
@@ -33,14 +34,14 @@
Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
# Build changes
-Patch0: openssl-0.9.8g-redhat.patch
+Patch0: openssl-0.9.8j-redhat.patch
Patch1: openssl-0.9.8a-defaults.patch
Patch2: openssl-0.9.8a-link-krb5.patch
-Patch3: openssl-0.9.8g-soversion.patch
-Patch4: openssl-0.9.8a-enginesdir.patch
+Patch3: openssl-0.9.8j-soversion.patch
+Patch4: openssl-0.9.8j-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
-Patch7: openssl-0.9.8g-shlib-version.patch
+Patch7: openssl-0.9.8j-shlib-version.patch
# Bug fixes
Patch21: openssl-0.9.8b-aliasing-bug.patch
Patch22: openssl-0.9.8b-x509-name-cmp.patch
@@ -48,16 +49,21 @@
Patch24: openssl-0.9.8g-no-extssl.patch
# Functionality changes
Patch32: openssl-0.9.8g-ia64.patch
-Patch33: openssl-0.9.7f-ca-dir.patch
+Patch33: openssl-0.9.8j-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
-Patch35: openssl-0.9.7-beta5-version-add-engines.patch
+Patch35: openssl-0.9.8j-version-add-engines.patch
Patch38: openssl-0.9.8a-reuse-cipher-change.patch
Patch39: openssl-0.9.8g-ipv6-apps.patch
+Patch40: openssl-0.9.8j-nocanister.patch
+Patch41: openssl-0.9.8j-use-fipscheck.patch
+Patch42: openssl-0.9.8j-fipscheck-hmac.patch
+Patch43: openssl-0.9.8j-evp-nonfips.patch
+Patch44: openssl-0.9.8j-kernel-fipsmode.patch
+Patch45: openssl-0.9.8j-env-nozlib.patch
+Patch46: openssl-0.9.8j-eap-fast.patch
+Patch47: openssl-0.9.8j-readme-warning.patch
+Patch48: openssl-0.9.8j-bad-mime.patch
# Backported fixes including security fixes
-Patch50: openssl-0.9.8g-speed-bug.patch
-Patch51: openssl-0.9.8g-bn-mul-bug.patch
-Patch52: openssl-0.9.8g-cve-2008-0891.patch
-Patch53: openssl-0.9.8g-cve-2008-1671.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -65,8 +71,18 @@
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: mktemp, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp
BuildRequires: /usr/bin/rename
+BuildRequires: pkgconfig
Requires: mktemp, ca-certificates >= 2008-5
+# Temporary hack
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+%ifarch ppc64 s390x sparc64 x86_64
+Provides: libcrypto.so.7()(64bit) libssl.so.7()(64bit)
+%else
+Provides: libcrypto.so.7 libssl.so.7
+%endif
+
%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
@@ -116,15 +132,20 @@
%patch24 -p1 -b .no-extssl
%patch32 -p1 -b .ia64
-#patch33 is applied after make test
+%patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509
%patch35 -p1 -b .version-add-engines
%patch38 -p1 -b .cipher-change
%patch39 -p1 -b .ipv6-apps
-%patch50 -p1 -b .speed-bug
-%patch51 -p1 -b .bn-mul-bug
-%patch52 -p0 -b .srvname-crash
-%patch53 -p0 -b .srv-kex-crash
+%patch40 -p1 -b .nocanister
+%patch41 -p1 -b .use-fipscheck
+%patch42 -p1 -b .fipscheck-hmac
+%patch43 -p1 -b .evp-nonfips
+%patch44 -p1 -b .fipsmode
+%patch45 -p1 -b .env-nozlib
+%patch46 -p1 -b .eap-fast
+%patch47 -p1 -b .warning
+%patch48 -p1 -b .bad-mime
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -170,21 +191,26 @@
./Configure \
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
- no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa shared \
+ enable-cms no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa shared \
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
-I%{_prefix}/kerberos/include -L%{_prefix}/kerberos/%{_lib} \
- ${sslarch}
+ ${sslarch} fipscanisterbuild
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack"
make depend
-make all build-shared
+make all
# Generate hashes for the included certs.
-make rehash build-shared
+make rehash
+%check
# Verify that what was compiled actually works.
+
+# We must revert patch33 before tests otherwise they will fail
+patch -p1 -R < %{PATCH33}
+
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH
make -C test apps tests
@@ -199,18 +225,21 @@
-lpthread -lz -ldl
./openssl-thread-test --threads %{thread_test_threads}
-# Patch33 must be patched after tests otherwise they will fail
-patch -p1 -b -z .ca-dir < %{PATCH33}
+# Add generation of HMAC checksum of the final stripped library
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
+ ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
+%{nil}
-if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then
- iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \
- mv -f CHANGES.utf8 CHANGES
-fi
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT/{%{_lib},%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}
-make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared
+make INSTALL_PREFIX=$RPM_BUILD_ROOT install
+make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs
# OpenSSL install doesn't use correct _libdir
mv $RPM_BUILD_ROOT/usr/lib/lib*.so.%{soversion} $RPM_BUILD_ROOT/%{_lib}/
mv $RPM_BUILD_ROOT/usr/lib/engines $RPM_BUILD_ROOT/%{_libdir}/openssl
@@ -222,6 +251,8 @@
chmod 755 ${lib}
ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion}
+# temporary hack
+ ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.7
rm -f $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done
@@ -313,8 +344,10 @@
rm -rf $RPM_BUILD_ROOT/%{_sysconfdir}/pki/tls/misc/*.pl
%endif
-# Remove fips fingerprint script
+# Remove unused files from upstream fips support
rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
+rm -rf $RPM_BUILD_ROOT/%{_libdir}/fips_premain.*
+rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
@@ -322,7 +355,7 @@
%files
%defattr(-,root,root)
%doc FAQ LICENSE CHANGES NEWS INSTALL README
-%doc doc/README doc/c-indentation.el doc/openssl.txt
+%doc doc/c-indentation.el doc/openssl.txt
%doc doc/openssl_button.html doc/openssl_button.gif
%doc doc/ssleay.txt
%dir %{_sysconfdir}/pki/tls
@@ -341,6 +374,9 @@
%attr(0755,root,root) %{_bindir}/openssl
%attr(0755,root,root) /%{_lib}/*.so.%{version}
%attr(0755,root,root) /%{_lib}/*.so.%{soversion}
+%attr(0644,root,root) /%{_lib}/.libcrypto.so.*.hmac
+# temporary hack
+%attr(0755,root,root) /%{_lib}/*.so.7
%attr(0755,root,root) %{_libdir}/openssl
%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*
%attr(0644,root,root) %{_mandir}/man5*/*
@@ -363,11 +399,23 @@
%{_sysconfdir}/pki/tls/misc/*.pl
%endif
-%post -p /sbin/ldconfig
+%post
+/sbin/ldconfig -X
-%postun -p /sbin/ldconfig
+%postun
+/sbin/ldconfig -X
%changelog
+* Thu Jan 15 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8j-1
+- new upstream version with necessary soname bump (#455753)
+- temporarily provide symlink to old soname to make it possible to rebuild
+ the dependent packages in rawhide
+- add eap-fast support (#428181)
+- add possibility to disable zlib by setting
+- add fips mode support for testing purposes
+- do not null dereference on some invalid smime files
+- add buildrequires pkgconfig (#479493)
+
* Sun Aug 10 2008 Tomas Mraz <tmraz at redhat.com> 0.9.8g-11
- do not add tls extensions to server hello for SSLv3 either
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/sources,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- sources 3 Dec 2007 14:24:08 -0000 1.18
+++ sources 15 Jan 2009 09:10:25 -0000 1.19
@@ -1 +1 @@
-3208630e1965e9b801a21831995ad537 openssl-0.9.8g-usa.tar.bz2
+573353d8cb4330b71e9985cea4785d61 openssl-0.9.8j-usa.tar.bz2
--- openssl-0.9.7-beta5-version-add-engines.patch DELETED ---
--- openssl-0.9.7f-ca-dir.patch DELETED ---
--- openssl-0.9.8g-bn-mul-bug.patch DELETED ---
--- openssl-0.9.8g-cve-2008-0891.patch DELETED ---
--- openssl-0.9.8g-cve-2008-1671.patch DELETED ---
--- openssl-0.9.8g-redhat.patch DELETED ---
--- openssl-0.9.8g-shlib-version.patch DELETED ---
--- openssl-0.9.8g-soversion.patch DELETED ---
--- openssl-0.9.8g-speed-bug.patch DELETED ---
More information about the fedora-extras-commits
mailing list