rpms/openssl/devel openssl-1.0.0-beta5-cipher-change.patch, NONE, 1.1 openssl-1.0.0-beta5-enginesdir.patch, NONE, 1.1 openssl-1.0.0-beta5-fips.patch, NONE, 1.1 openssl-1.0.0-beta5-readme-warning.patch, NONE, 1.1 openssl-1.0.0-beta5-version.patch, NONE, 1.1 .cvsignore, 1.20, 1.21 openssl.spec, 1.155, 1.156 sources, 1.22, 1.23 openssl-0.9.8j-readme-warning.patch, 1.1, NONE openssl-1.0.0-beta3-cipher-change.patch, 1.1, NONE openssl-1.0.0-beta4-backports.patch, 1.1, NONE openssl-1.0.0-beta4-backports2.patch, 1.1, NONE openssl-1.0.0-beta4-binutils.patch, 1.1, NONE openssl-1.0.0-beta4-client-reneg.patch, 1.1, NONE openssl-1.0.0-beta4-cve-2009-4355.patch, 1.1, NONE openssl-1.0.0-beta4-dtls-ipv6.patch, 1.2, NONE openssl-1.0.0-beta4-dtls-reneg.patch, 1.1, NONE openssl-1.0.0-beta4-enginesdir.patch, 1.1, NONE openssl-1.0.0-beta4-fips.patch, 1.2, NONE openssl-1.0.0-beta4-reneg-err.patch, 1.1, NONE openssl-1.0.0-beta4-reneg-scsv.patch, 1.1, NONE openssl-1.0.0-beta4-reneg.patch, 1.1, NONE openssl-1.0.0-beta4-tls-comp.patch, 1.1, NONE openssl-1.0.0-beta4-tlsver.patch, 1.1, NONE openssl-1.0.0-beta4-version.patch, 1.1, NONE
Tomáš Mráz
tmraz at fedoraproject.org
Thu Jan 21 08:12:12 UTC 2010
Author: tmraz
Update of /cvs/pkgs/rpms/openssl/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24124
Modified Files:
.cvsignore openssl.spec sources
Added Files:
openssl-1.0.0-beta5-cipher-change.patch
openssl-1.0.0-beta5-enginesdir.patch
openssl-1.0.0-beta5-fips.patch
openssl-1.0.0-beta5-readme-warning.patch
openssl-1.0.0-beta5-version.patch
Removed Files:
openssl-0.9.8j-readme-warning.patch
openssl-1.0.0-beta3-cipher-change.patch
openssl-1.0.0-beta4-backports.patch
openssl-1.0.0-beta4-backports2.patch
openssl-1.0.0-beta4-binutils.patch
openssl-1.0.0-beta4-client-reneg.patch
openssl-1.0.0-beta4-cve-2009-4355.patch
openssl-1.0.0-beta4-dtls-ipv6.patch
openssl-1.0.0-beta4-dtls-reneg.patch
openssl-1.0.0-beta4-enginesdir.patch
openssl-1.0.0-beta4-fips.patch
openssl-1.0.0-beta4-reneg-err.patch
openssl-1.0.0-beta4-reneg-scsv.patch
openssl-1.0.0-beta4-reneg.patch
openssl-1.0.0-beta4-tls-comp.patch
openssl-1.0.0-beta4-tlsver.patch
openssl-1.0.0-beta4-version.patch
Log Message:
* Wed Jan 20 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.20.beta5
- new upstream release
openssl-1.0.0-beta5-cipher-change.patch:
ssl.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE openssl-1.0.0-beta5-cipher-change.patch ---
diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100
+++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100
@@ -513,7 +513,7 @@ typedef struct ssl_session_st
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
/* Allow initial connection to servers that don't support RI */
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
@@ -530,7 +530,7 @@ typedef struct ssl_session_st
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL 0x80000FFFL
+#define SSL_OP_ALL 0x80000FF7L
/* DTLS options */
#define SSL_OP_NO_QUERY_MTU 0x00001000L
openssl-1.0.0-beta5-enginesdir.patch:
Configure | 9 +++++++--
engines/Makefile | 2 +-
2 files changed, 8 insertions(+), 3 deletions(-)
--- NEW FILE openssl-1.0.0-beta5-enginesdir.patch ---
diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
--- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100
+++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100
@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
my $prefix="";
my $libdir="";
my $openssldir="";
+my $enginesdir="";
my $exe_ext="";
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
my $cross_compile_prefix="";
@@ -833,6 +834,10 @@ PROCESS_ARGS:
{
$openssldir=$1;
}
+ elsif (/^--enginesdir=(.*)$/)
+ {
+ $enginesdir=$1;
+ }
elsif (/^--install.prefix=(.*)$/)
{
$install_prefix=$1;
@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
-
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
print "IsMK1MF=$IsMK1MF\n";
@@ -1673,7 +1678,7 @@ while (<IN>)
}
elsif (/^#define\s+ENGINESDIR/)
{
- my $foo = "$prefix/$libdir/engines";
+ my $foo = "$enginesdir";
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}
diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
--- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100
+++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100
@@ -124,7 +124,7 @@ install:
sfx=".so"; \
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
fi; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
done; \
fi
openssl-1.0.0-beta5-fips.patch:
Configure | 14
Makefile.org | 6
crypto/Makefile | 6
crypto/bf/bf_skey.c | 7
crypto/bf/blowfish.h | 4
crypto/bn/Makefile | 4
crypto/bn/bn.h | 11
crypto/bn/bn_x931p.c | 272 ++++++++++
crypto/camellia/Makefile | 4
crypto/camellia/asm/cmll-x86.pl | 7
crypto/camellia/camellia.h | 5
crypto/camellia/cmll_fblk.c | 68 ++
crypto/camellia/cmll_misc.c | 9
crypto/cast/c_skey.c | 7
crypto/cast/cast.h | 4
crypto/crypto.h | 57 ++
crypto/dh/dh.h | 5
crypto/dh/dh_err.c | 3
crypto/dh/dh_gen.c | 18
crypto/dh/dh_key.c | 21
crypto/dsa/dsa.h | 23
crypto/dsa/dsa_gen.c | 19
crypto/dsa/dsa_key.c | 63 ++
crypto/dsa/dsa_ossl.c | 36 +
crypto/err/err_all.c | 6
crypto/evp/digest.c | 60 ++
crypto/evp/e_aes.c | 41 -
crypto/evp/e_camellia.c | 2
crypto/evp/e_des3.c | 24
crypto/evp/e_null.c | 2
crypto/evp/evp.h | 27 -
crypto/evp/evp_enc.c | 69 ++
crypto/evp/evp_err.c | 1
crypto/evp/evp_lib.c | 22
crypto/evp/evp_locl.h | 29 -
crypto/evp/m_dss.c | 2
crypto/evp/m_dss1.c | 2
crypto/evp/m_sha1.c | 15
crypto/evp/names.c | 8
crypto/evp/p_sign.c | 17
crypto/evp/p_verify.c | 17
crypto/fips/Makefile | 81 +++
crypto/fips/cavs/fips_aesavs.c | 939 +++++++++++++++++++++++++++++++++++++
crypto/fips/cavs/fips_desmovs.c | 702 +++++++++++++++++++++++++++
crypto/fips/cavs/fips_dssvs.c | 537 +++++++++++++++++++++
crypto/fips/cavs/fips_rngvs.c | 230 +++++++++
crypto/fips/cavs/fips_rsagtest.c | 390 +++++++++++++++
crypto/fips/cavs/fips_rsastest.c | 370 ++++++++++++++
crypto/fips/cavs/fips_rsavtest.c | 377 ++++++++++++++
crypto/fips/cavs/fips_shatest.c | 388 +++++++++++++++
crypto/fips/cavs/fips_utl.h | 343 +++++++++++++
crypto/fips/fips.c | 419 ++++++++++++++++
crypto/fips/fips.h | 163 ++++++
crypto/fips/fips_aes_selftest.c | 103 ++++
crypto/fips/fips_des_selftest.c | 139 +++++
crypto/fips/fips_dsa_selftest.c | 186 +++++++
crypto/fips/fips_hmac_selftest.c | 137 +++++
crypto/fips/fips_rand.c | 412 ++++++++++++++++
crypto/fips/fips_rand.h | 77 +++
crypto/fips/fips_rand_selftest.c | 373 ++++++++++++++
crypto/fips/fips_randtest.c | 248 +++++++++
crypto/fips/fips_rsa_selftest.c | 441 +++++++++++++++++
crypto/fips/fips_rsa_x931g.c | 281 +++++++++++
crypto/fips/fips_sha1_selftest.c | 99 +++
crypto/fips/fips_standalone_sha1.c | 173 ++++++
crypto/fips/fips_test_suite.c | 588 +++++++++++++++++++++++
crypto/fips_err.c | 7
crypto/fips_err.h | 137 +++++
crypto/fips_locl.h | 72 ++
crypto/hmac/hmac.c | 14
crypto/hmac/hmac.h | 1
crypto/md2/md2.h | 3
crypto/md2/md2_dgst.c | 7
crypto/md4/md4.h | 3
crypto/md4/md4_dgst.c | 7
crypto/md5/md5.h | 3
crypto/md5/md5_dgst.c | 7
crypto/mdc2/mdc2.h | 4
crypto/mdc2/mdc2dgst.c | 7
crypto/mem.c | 2
crypto/o_init.c | 80 +++
crypto/opensslconf.h.in | 15
crypto/pkcs12/p12_crt.c | 11
crypto/rand/md_rand.c | 12
crypto/rand/rand.h | 17
crypto/rand/rand_err.c | 17
crypto/rand/rand_lib.c | 17
crypto/rc2/rc2.h | 4
crypto/rc2/rc2_skey.c | 17
crypto/rc4/Makefile | 4
crypto/rc4/asm/rc4-586.pl | 8
crypto/rc4/asm/rc4-s390x.pl | 2
crypto/rc4/asm/rc4-x86_64.pl | 2
crypto/rc4/rc4.h | 3
crypto/rc4/rc4_fblk.c | 75 ++
crypto/rc4/rc4_skey.c | 14
crypto/ripemd/ripemd.h | 3
crypto/ripemd/rmd_dgst.c | 7
crypto/rsa/rsa.h | 28 +
crypto/rsa/rsa_eay.c | 160 ++++--
crypto/rsa/rsa_err.c | 6
crypto/rsa/rsa_gen.c | 104 ++++
crypto/rsa/rsa_lib.c | 40 +
crypto/rsa/rsa_sign.c | 10
crypto/sha/sha.h | 3
crypto/sha/sha1dgst.c | 4
crypto/sha/sha256.c | 10
crypto/sha/sha512.c | 10
crypto/sha/sha_dgst.c | 6
crypto/sha/sha_locl.h | 7
ssl/s23_clnt.c | 16
ssl/s23_srvr.c | 9
ssl/s3_clnt.c | 6
ssl/s3_enc.c | 4
ssl/s3_srvr.c | 2
ssl/ssl_ciph.c | 7
ssl/ssl_lib.c | 8
ssl/ssltest.c | 35 +
ssl/t1_enc.c | 2
119 files changed, 10138 insertions(+), 134 deletions(-)
--- NEW FILE openssl-1.0.0-beta5-fips.patch ---
diff -up openssl-1.0.0-beta5/Configure.fips openssl-1.0.0-beta5/Configure
--- openssl-1.0.0-beta5/Configure.fips 2010-01-20 18:13:45.000000000 +0100
+++ openssl-1.0.0-beta5/Configure 2010-01-20 18:13:46.000000000 +0100
@@ -660,6 +660,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml
my $processor="";
my $default_ranlib;
my $perl;
+my $fips=0;
# All of the following is disabled by default (RC5 was enabled before 0.9.8):
@@ -806,6 +807,10 @@ PROCESS_ARGS:
}
elsif (/^386$/)
{ $processor=386; }
+ elsif (/^fips$/)
+ {
+ $fips=1;
+ }
elsif (/^rsaref$/)
{
# No RSAref support any more since it's not needed.
@@ -1368,6 +1373,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no
$cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
+if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+ }
+
$cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
$des_obj=$des_enc unless ($des_obj =~ /\.o$/);
$bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
@@ -1535,6 +1545,10 @@ while (<IN>)
s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
+ if ($fips)
+ {
+ s/^FIPS=.*/FIPS=yes/;
+ }
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
diff -up openssl-1.0.0-beta5/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta5/crypto/bf/bf_skey.c
--- openssl-1.0.0-beta5/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100
+++ openssl-1.0.0-beta5/crypto/bf/bf_skey.c 2010-01-20 18:13:46.000000000 +0100
@@ -59,10 +59,15 @@
#include <stdio.h>
#include <string.h>
#include <openssl/blowfish.h>
+#include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
#include "bf_locl.h"
#include "bf_pi.h"
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
{
int i;
BF_LONG *p,ri,in[2];
diff -up openssl-1.0.0-beta5/crypto/bf/blowfish.h.fips openssl-1.0.0-beta5/crypto/bf/blowfish.h
--- openssl-1.0.0-beta5/crypto/bf/blowfish.h.fips 2010-01-20 18:13:45.000000000 +0100
+++ openssl-1.0.0-beta5/crypto/bf/blowfish.h 2010-01-20 18:13:46.000000000 +0100
@@ -104,7 +104,9 @@ typedef struct bf_key_st
BF_LONG S[4*256];
} BF_KEY;
-
+#ifdef OPENSSL_FIPS
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff -up openssl-1.0.0-beta5/crypto/bn/bn.h.fips openssl-1.0.0-beta5/crypto/bn/bn.h
--- openssl-1.0.0-beta5/crypto/bn/bn.h.fips 2010-01-20 18:13:45.000000000 +0100
+++ openssl-1.0.0-beta5/crypto/bn/bn.h 2010-01-20 18:13:46.000000000 +0100
@@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n
int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
int do_trial_division, BN_GENCB *cb);
+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
+
+int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+ const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
+ const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
+int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+ BIGNUM *Xp1, BIGNUM *Xp2,
+ const BIGNUM *Xp,
+ const BIGNUM *e, BN_CTX *ctx,
+ BN_GENCB *cb);
+
BN_MONT_CTX *BN_MONT_CTX_new(void );
void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
diff -up openssl-1.0.0-beta5/crypto/bn/bn_x931p.c.fips openssl-1.0.0-beta5/crypto/bn/bn_x931p.c
--- openssl-1.0.0-beta5/crypto/bn/bn_x931p.c.fips 2010-01-20 18:13:46.000000000 +0100
+++ openssl-1.0.0-beta5/crypto/bn/bn_x931p.c 2010-01-20 18:13:46.000000000 +0100
@@ -0,0 +1,272 @@
+/* bn_x931p.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+
+/* X9.31 routines for prime derivation */
+
+/* X9.31 prime derivation. This is used to generate the primes pi
+ * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
+ * integers.
+ */
+
+static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
+ BN_GENCB *cb)
+ {
+ int i = 0;
+ if (!BN_copy(pi, Xpi))
+ return 0;
+ if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
+ return 0;
+ for(;;)
+ {
+ i++;
+ BN_GENCB_call(cb, 0, i);
+ /* NB 27 MR is specificed in X9.31 */
+ if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb))
+ break;
+ if (!BN_add_word(pi, 2))
+ return 0;
+ }
+ BN_GENCB_call(cb, 2, i);
+ return 1;
+ }
+
+/* This is the main X9.31 prime derivation function. From parameters
+ * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
+ * not NULL they will be returned too: this is needed for testing.
+ */
+
[...11671 lines suppressed...]
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -485,6 +488,9 @@ int main(int argc, char *argv[])
#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
verbose = 0;
debug = 0;
@@ -516,7 +522,16 @@ int main(int argc, char *argv[])
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
@@ -712,6 +727,20 @@ bad:
EXIT(1);
}
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
if (print_time)
{
if (!bio_pair)
@@ -2154,12 +2183,12 @@ static int MS_CALLBACK app_verify_callba
}
#ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
+# if 0
if(s->version == TLS1_VERSION)
FIPS_allow_md5(1);
# endif
ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
+# if 0
if(s->version == TLS1_VERSION)
FIPS_allow_md5(0);
# endif
diff -up openssl-1.0.0-beta5/ssl/s23_clnt.c.fips openssl-1.0.0-beta5/ssl/s23_clnt.c
--- openssl-1.0.0-beta5/ssl/s23_clnt.c.fips 2009-11-18 15:45:32.000000000 +0100
+++ openssl-1.0.0-beta5/ssl/s23_clnt.c 2010-01-20 18:13:46.000000000 +0100
@@ -337,6 +337,14 @@ static int ssl23_client_hello(SSL *s)
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
}
+#ifdef OPENSSL_FIPS
+ else if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
else if (version == SSL3_VERSION)
{
version_major = SSL3_VERSION_MAJOR;
@@ -620,6 +628,14 @@ static int ssl23_get_server_hello(SSL *s
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
diff -up openssl-1.0.0-beta5/ssl/s23_srvr.c.fips openssl-1.0.0-beta5/ssl/s23_srvr.c
--- openssl-1.0.0-beta5/ssl/s23_srvr.c.fips 2010-01-13 20:08:29.000000000 +0100
+++ openssl-1.0.0-beta5/ssl/s23_srvr.c 2010-01-20 18:13:46.000000000 +0100
@@ -393,6 +393,15 @@ int ssl23_get_client_hello(SSL *s)
}
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (s->version < TLS1_VERSION))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
+
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
diff -up openssl-1.0.0-beta5/ssl/s3_clnt.c.fips openssl-1.0.0-beta5/ssl/s3_clnt.c
--- openssl-1.0.0-beta5/ssl/s3_clnt.c.fips 2010-01-05 17:46:39.000000000 +0100
+++ openssl-1.0.0-beta5/ssl/s3_clnt.c 2010-01-20 18:13:46.000000000 +0100
@@ -156,6 +156,10 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
@@ -1548,6 +1552,8 @@ int ssl3_get_key_exchange(SSL *s)
q=md_buf;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
diff -up openssl-1.0.0-beta5/ssl/s3_enc.c.fips openssl-1.0.0-beta5/ssl/s3_enc.c
--- openssl-1.0.0-beta5/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200
+++ openssl-1.0.0-beta5/ssl/s3_enc.c 2010-01-20 18:13:46.000000000 +0100
@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *
#endif
k=0;
EVP_MD_CTX_init(&m5);
+ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_MD_CTX_init(&s1);
for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
{
@@ -614,6 +615,8 @@ int ssl3_digest_cached_records(SSL *s)
if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
{
s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
+ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
}
@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in
return 0;
}
EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_MD_CTX_copy_ex(&ctx,d);
n=EVP_MD_CTX_size(&ctx);
if (n < 0)
diff -up openssl-1.0.0-beta5/ssl/s3_srvr.c.fips openssl-1.0.0-beta5/ssl/s3_srvr.c
--- openssl-1.0.0-beta5/ssl/s3_srvr.c.fips 2010-01-01 15:39:51.000000000 +0100
+++ openssl-1.0.0-beta5/ssl/s3_srvr.c 2010-01-20 18:13:46.000000000 +0100
@@ -1732,6 +1732,8 @@ int ssl3_send_server_key_exchange(SSL *s
j=0;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
diff -up openssl-1.0.0-beta5/ssl/t1_enc.c.fips openssl-1.0.0-beta5/ssl/t1_enc.c
--- openssl-1.0.0-beta5/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200
+++ openssl-1.0.0-beta5/ssl/t1_enc.c 2010-01-20 18:13:46.000000000 +0100
@@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md
HMAC_CTX_init(&ctx);
HMAC_CTX_init(&ctx_tmp);
+ HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len);
openssl-1.0.0-beta5-readme-warning.patch:
README | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
--- NEW FILE openssl-1.0.0-beta5-readme-warning.patch ---
diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
--- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
@@ -5,6 +5,35 @@
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
+ WARNING
+ -------
+
+ This version of OpenSSL is built in a way that supports operation in
+ the so called FIPS mode. Note though that the library as we build it
+ is not FIPS validated and the FIPS mode is present for testing purposes
+ only.
+
+ This version also contains a few differences from the upstream code
+ some of which are:
+ * There are added changes forward ported from the upstream OpenSSL
+ 0.9.8 FIPS branch however the FIPS integrity verification check
+ is implemented differently from the upstream FIPS validated OpenSSL
+ module. It verifies HMAC-SHA256 checksum of the whole shared
+ libraries. For this reason the changes are ported to files in the
+ crypto directory and not in a separate fips subdirectory. Also
+ note that the FIPS integrity verification check requires unmodified
+ libcrypto and libssl shared library files which means that it will
+ fail if these files are modified for example by prelink.
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
+ tries to initialize the FIPS mode if it is set to 1 aborting if the
+ FIPS mode could not be initialized. It is also possible to force the
+ OpenSSL library to FIPS mode especially for debugging purposes by
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
+ will not automatically load the built in compression method ZLIB
+ when initialized. Applications can still explicitely ask for ZLIB
+ compression method.
+
DESCRIPTION
-----------
openssl-1.0.0-beta5-version.patch:
opensslv.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE openssl-1.0.0-beta5-version.patch ---
We have to keep the beta status on 3 as some applications (OpenSSH) incorrectly insist
on having the same beta status of OpenSSL library as they were built against.
diff -up openssl-1.0.0-beta5/crypto/opensslv.h.version openssl-1.0.0-beta5/crypto/opensslv.h
--- openssl-1.0.0-beta5/crypto/opensslv.h.version 2010-01-20 18:16:43.000000000 +0100
+++ openssl-1.0.0-beta5/crypto/opensslv.h 2010-01-20 20:20:23.000000000 +0100
@@ -25,7 +25,7 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x10000005L
+#define OPENSSL_VERSION_NUMBER 0x10000003L
#ifdef OPENSSL_FIPS
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips-beta5 20 Jan 2010"
#else
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/.cvsignore,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -p -r1.20 -r1.21
--- .cvsignore 12 Nov 2009 15:51:39 -0000 1.20
+++ .cvsignore 21 Jan 2010 08:12:11 -0000 1.21
@@ -1 +1 @@
-openssl-1.0.0-beta4-usa.tar.bz2
+openssl-1.0.0-beta5-usa.tar.bz2
Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.155
retrieving revision 1.156
diff -u -p -r1.155 -r1.156
--- openssl.spec 14 Jan 2010 08:52:42 -0000 1.155
+++ openssl.spec 21 Jan 2010 08:12:12 -0000 1.156
@@ -11,7 +11,7 @@
# 1.0.0 soversion = 10
%define soversion 10
-%define beta beta4
+%define beta beta5
# Number of threads to spawn when testing some threading fixes.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
@@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
-Release: 0.19.%{beta}%{?dist}
+Release: 0.20.%{beta}%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -38,43 +38,30 @@ Source11: README.FIPS
Patch0: openssl-1.0.0-beta4-redhat.patch
Patch1: openssl-1.0.0-beta3-defaults.patch
Patch3: openssl-1.0.0-beta3-soversion.patch
-Patch4: openssl-1.0.0-beta4-enginesdir.patch
+Patch4: openssl-1.0.0-beta5-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
# Bug fixes
Patch23: openssl-1.0.0-beta4-default-paths.patch
-Patch24: openssl-1.0.0-beta4-binutils.patch
+Patch24: openssl-0.9.8j-bad-mime.patch
# Functionality changes
Patch32: openssl-0.9.8g-ia64.patch
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch
-Patch38: openssl-1.0.0-beta3-cipher-change.patch
+Patch38: openssl-1.0.0-beta5-cipher-change.patch
Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
-Patch40: openssl-1.0.0-beta4-fips.patch
+Patch40: openssl-1.0.0-beta5-fips.patch
Patch41: openssl-1.0.0-beta3-fipscheck.patch
Patch43: openssl-1.0.0-beta3-fipsmode.patch
Patch44: openssl-1.0.0-beta3-fipsrng.patch
Patch45: openssl-0.9.8j-env-nozlib.patch
-Patch47: openssl-0.9.8j-readme-warning.patch
-Patch48: openssl-0.9.8j-bad-mime.patch
+Patch47: openssl-1.0.0-beta5-readme-warning.patch
Patch49: openssl-1.0.0-beta4-algo-doc.patch
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
-Patch51: openssl-1.0.0-beta4-version.patch
+Patch51: openssl-1.0.0-beta5-version.patch
+Patch52: openssl-1.0.0-beta4-aesni.patch
# Backported fixes including security fixes
-Patch60: openssl-1.0.0-beta4-reneg.patch
-# This one is not backported but has to be applied after reneg patch
-Patch61: openssl-1.0.0-beta4-client-reneg.patch
-Patch62: openssl-1.0.0-beta4-backports.patch
-Patch63: openssl-1.0.0-beta4-reneg-err.patch
-Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch
-Patch65: openssl-1.0.0-beta4-dtls-reneg.patch
-Patch66: openssl-1.0.0-beta4-backports2.patch
-Patch67: openssl-1.0.0-beta4-reneg-scsv.patch
-Patch68: openssl-1.0.0-beta4-tls-comp.patch
-Patch69: openssl-1.0.0-beta4-aesni.patch
-Patch70: openssl-1.0.0-beta4-tlsver.patch
-Patch71: openssl-1.0.0-beta4-cve-2009-4355.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -135,7 +122,7 @@ from other formats to the formats used b
%patch6 -p1 -b .use-localhost
%patch23 -p1 -b .default-paths
-%patch24 -p1 -b .binutils
+%patch24 -p1 -b .bad-mime
%patch32 -p1 -b .ia64
%patch33 -p1 -b .ca-dir
@@ -149,23 +136,10 @@ from other formats to the formats used b
%patch44 -p1 -b .fipsrng
%patch45 -p1 -b .env-nozlib
%patch47 -p1 -b .warning
-%patch48 -p1 -b .bad-mime
%patch49 -p1 -b .algo-doc
%patch50 -p1 -b .dtls1-abi
%patch51 -p1 -b .version
-
-%patch60 -p1 -b .reneg
-%patch61 -p1 -b .client-reneg
-%patch62 -p1 -b .backports
-%patch63 -p1 -b .reneg-err
-%patch64 -p1 -b .dtls-ipv6
-%patch65 -p1 -b .dtls-reneg
-%patch66 -p1 -b .backports2
-%patch67 -p1 -b .scsv
-%patch68 -p1 -b .tls-comp
-%patch69 -p1 -b .aesni
-%patch70 -p1 -b .tlsver
-%patch71 -p1 -b .compleak
+%patch52 -p1 -b .aesni
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -264,12 +238,9 @@ make -C test apps tests
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}
make INSTALL_PREFIX=$RPM_BUILD_ROOT install
make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs
-# OpenSSL install doesn't use correct _libdir on 64 bit archs
-[ "%{_libdir}" != /usr/lib ] && mv $RPM_BUILD_ROOT/usr/lib/lib*.so.%{soversion} $RPM_BUILD_ROOT%{_libdir}/
-mv $RPM_BUILD_ROOT/usr/lib/engines $RPM_BUILD_ROOT%{_libdir}/openssl
+mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/
rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
-mv $RPM_BUILD_ROOT/usr/lib/* $RPM_BUILD_ROOT%{_libdir}/ || :
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
chmod 755 ${lib}
@@ -414,6 +385,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
%postun -p /sbin/ldconfig
%changelog
+* Wed Jan 20 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.20.beta5
+- new upstream release
+
* Thu Jan 14 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.19.beta4
- fix CVE-2009-4355 - leak in applications incorrectly calling
CRYPTO_free_all_ex_data() before application exit (#546707)
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/sources,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -p -r1.22 -r1.23
--- sources 12 Nov 2009 15:51:40 -0000 1.22
+++ sources 21 Jan 2010 08:12:12 -0000 1.23
@@ -1 +1 @@
-1fc0e41c230d0698f834413dfba864ad openssl-1.0.0-beta4-usa.tar.bz2
+531160d84017cb52e3c23b52cca0d5cf openssl-1.0.0-beta5-usa.tar.bz2
--- openssl-0.9.8j-readme-warning.patch DELETED ---
--- openssl-1.0.0-beta3-cipher-change.patch DELETED ---
--- openssl-1.0.0-beta4-backports.patch DELETED ---
--- openssl-1.0.0-beta4-backports2.patch DELETED ---
--- openssl-1.0.0-beta4-binutils.patch DELETED ---
--- openssl-1.0.0-beta4-client-reneg.patch DELETED ---
--- openssl-1.0.0-beta4-cve-2009-4355.patch DELETED ---
--- openssl-1.0.0-beta4-dtls-ipv6.patch DELETED ---
--- openssl-1.0.0-beta4-dtls-reneg.patch DELETED ---
--- openssl-1.0.0-beta4-enginesdir.patch DELETED ---
--- openssl-1.0.0-beta4-fips.patch DELETED ---
--- openssl-1.0.0-beta4-reneg-err.patch DELETED ---
--- openssl-1.0.0-beta4-reneg-scsv.patch DELETED ---
--- openssl-1.0.0-beta4-reneg.patch DELETED ---
--- openssl-1.0.0-beta4-tls-comp.patch DELETED ---
--- openssl-1.0.0-beta4-tlsver.patch DELETED ---
--- openssl-1.0.0-beta4-version.patch DELETED ---
More information about the scm-commits
mailing list