rpms/mingw32-openssl/devel openssl-1.0.0-beta4-aesni.patch, NONE, 1.1 openssl-1.0.0-beta5-cipher-change.patch, NONE, 1.1 openssl-1.0.0-beta5-enginesdir.patch, NONE, 1.1 openssl-1.0.0-beta5-ipv6-apps.patch, NONE, 1.1 openssl-1.0.0-beta5-readme-warning.patch, NONE, 1.1 openssl-1.0.0-name-hash.patch, NONE, 1.1 openssl-1.0.0-timezone.patch, NONE, 1.1 openssl-1.0.0a-fips.patch, NONE, 1.1 openssl-1.0.0a-fipsmode.patch, NONE, 1.1 openssl-1.0.0a-version.patch, NONE, 1.1 .cvsignore, 1.4, 1.5 mingw32-openssl.spec, 1.14, 1.15 sources, 1.4, 1.5 openssl-0.9.8j-readme-warning.patch, 1.1, NONE openssl-1.0.0-beta3-cipher-change.patch, 1.1, NONE openssl-1.0.0-beta3-fipsmode.patch, 1.2, NONE openssl-1.0.0-beta3-ipv6-apps.patch, 1.1, NONE openssl-1.0.0-beta4-backports.patch, 1.1, NONE openssl-1.0.0-beta4-binutils.patch, 1.1, NONE openssl-1.0.0-beta4-client-reneg.patch, 1.1, NONE openssl-1.0.0-beta4-dtls-ipv6.patch, 1.1, NONE openssl-1.0.0-beta4-enginesdir.patch, 1.1, NONE openssl-1.0.0-beta4-fips.patch, 1.2, NONE openssl-1.0.0-beta4-reneg-err.patch, 1.1, NONE openssl-1.0.0-beta4-reneg.patch, 1.1, NONE openssl-1.0.0-beta4-version.patch, 1.1, NONE
Kalev Lember
kalev at fedoraproject.org
Sat Jun 19 19:33:41 UTC 2010
Author: kalev
Update of /cvs/pkgs/rpms/mingw32-openssl/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv24429
Modified Files:
.cvsignore mingw32-openssl.spec sources
Added Files:
openssl-1.0.0-beta4-aesni.patch
openssl-1.0.0-beta5-cipher-change.patch
openssl-1.0.0-beta5-enginesdir.patch
openssl-1.0.0-beta5-ipv6-apps.patch
openssl-1.0.0-beta5-readme-warning.patch
openssl-1.0.0-name-hash.patch openssl-1.0.0-timezone.patch
openssl-1.0.0a-fips.patch openssl-1.0.0a-fipsmode.patch
openssl-1.0.0a-version.patch
Removed Files:
openssl-0.9.8j-readme-warning.patch
openssl-1.0.0-beta3-cipher-change.patch
openssl-1.0.0-beta3-fipsmode.patch
openssl-1.0.0-beta3-ipv6-apps.patch
openssl-1.0.0-beta4-backports.patch
openssl-1.0.0-beta4-binutils.patch
openssl-1.0.0-beta4-client-reneg.patch
openssl-1.0.0-beta4-dtls-ipv6.patch
openssl-1.0.0-beta4-enginesdir.patch
openssl-1.0.0-beta4-fips.patch
openssl-1.0.0-beta4-reneg-err.patch
openssl-1.0.0-beta4-reneg.patch
openssl-1.0.0-beta4-version.patch
Log Message:
- Updated to openssl 1.0.0a
- Synced patches with Fedora native openssl-1.0.0a-1
openssl-1.0.0-beta4-aesni.patch:
Configure | 7
crypto/aes/Makefile | 4
crypto/aes/asm/aesni-x86.pl | 765 +++++++++++++++++++++++++++++++
crypto/aes/asm/aesni-x86_64.pl | 991 +++++++++++++++++++++++++++++++++++++++++
crypto/engine/Makefile | 6
crypto/engine/eng_aesni.c | 413 +++++++++++++++++
crypto/engine/eng_all.c | 3
crypto/engine/engine.h | 1
crypto/evp/evp.h | 1
crypto/evp/evp_err.c | 5
test/test_aesni | 69 ++
11 files changed, 2258 insertions(+), 7 deletions(-)
--- NEW FILE openssl-1.0.0-beta4-aesni.patch ---
diff -up openssl-1.0.0-beta4/Configure.aesni openssl-1.0.0-beta4/Configure
--- openssl-1.0.0-beta4/Configure.aesni 2010-01-07 23:38:31.000000000 +0100
+++ openssl-1.0.0-beta4/Configure 2010-01-12 22:18:06.000000000 +0100
@@ -123,11 +123,11 @@ my $tlib="-lnsl -lsocket";
my $bits1="THIRTY_TWO_BIT ";
my $bits2="SIXTY_FOUR_BIT ";
-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes-586.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o";
+my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes-586.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o";
my $x86_elf_asm="$x86_asm:elf";
-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o";
+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o aesni-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o";
my $ia64_asm="ia64cpuid.o:bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::void";
my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::void";
my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::void";
@@ -491,7 +491,7 @@ my %table=(
#
# Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
-"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
+"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o aesni-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
# x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
# 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
"VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
@@ -1410,6 +1410,7 @@ if ($rmd160_obj =~ /\.o$/)
if ($aes_obj =~ /\.o$/)
{
$cflags.=" -DAES_ASM";
+ $aes_obj =~ s/\s*aesni\-x86\.o// if ($no_sse2);
}
else {
$aes_obj=$aes_enc;
diff -up openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl
--- openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl.aesni 2010-01-12 22:18:06.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl 2010-01-12 22:18:06.000000000 +0100
@@ -0,0 +1,765 @@
+#!/usr/bin/env perl
+
+# ====================================================================
+# Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
+# project. The module is, however, dual licensed under OpenSSL and
+# CRYPTOGAMS licenses depending on where you obtain it. For further
+# details see http://www.openssl.org/~appro/cryptogams/.
+# ====================================================================
+#
+# This module implements support for Intel AES-NI extension. In
+# OpenSSL context it's used with Intel engine, but can also be used as
+# drop-in replacement for crypto/aes/asm/aes-586.pl [see below for
+# details].
+
+$PREFIX="aesni"; # if $PREFIX is set to "AES", the script
+ # generates drop-in replacement for
+ # crypto/aes/asm/aes-586.pl:-)
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+push(@INC,"${dir}","${dir}../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],$0);
+
+$movekey = eval($RREFIX eq "aseni" ? "*movaps" : "*movups");
+
+$len="eax";
+$rounds="ecx";
+$key="edx";
+$inp="esi";
+$out="edi";
+$rounds_="ebx"; # backup copy for $rounds
+$key_="ebp"; # backup copy for $key
+
+$inout0="xmm0";
+$inout1="xmm1";
+$inout2="xmm2";
+$rndkey0="xmm3";
+$rndkey1="xmm4";
+$ivec="xmm5";
+$in0="xmm6";
+$in1="xmm7"; $inout3="xmm7";
+
+# Inline version of internal aesni_[en|de]crypt1
+sub aesni_inline_generate1
+{ my $p=shift;
+
+ &$movekey ($rndkey0,&QWP(0,$key));
+ &$movekey ($rndkey1,&QWP(16,$key));
+ &lea ($key,&DWP(32,$key));
+ &pxor ($inout0,$rndkey0);
+ &set_label("${p}1_loop");
+ eval"&aes${p} ($inout0,$rndkey1)";
+ &dec ($rounds);
+ &$movekey ($rndkey1,&QWP(0,$key));
+ &lea ($key,&DWP(16,$key));
+ &jnz (&label("${p}1_loop"));
+ eval"&aes${p}last ($inout0,$rndkey1)";
+}
+
+sub aesni_generate1 # fully unrolled loop
+{ my $p=shift;
+
+ &function_begin_B("_aesni_${p}rypt1");
+ &$movekey ($rndkey0,&QWP(0,$key));
+ &$movekey ($rndkey1,&QWP(0x10,$key));
+ &cmp ($rounds,11);
+ &pxor ($inout0,$rndkey0);
+ &$movekey ($rndkey0,&QWP(0x20,$key));
+ &lea ($key,&DWP(0x30,$key));
+ &jb (&label("${p}128"));
+ &lea ($key,&DWP(0x20,$key));
+ &je (&label("${p}192"));
+ &lea ($key,&DWP(0x20,$key));
+ eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(-0x40,$key));
+ eval"&aes${p} ($inout0,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(-0x30,$key));
+ &set_label("${p}192");
+ eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(-0x20,$key));
+ eval"&aes${p} ($inout0,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(-0x10,$key));
+ &set_label("${p}128");
+ eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(0,$key));
+ eval"&aes${p} ($inout0,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(0x10,$key));
+ eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(0x20,$key));
+ eval"&aes${p} ($inout0,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(0x30,$key));
+ eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(0x40,$key));
+ eval"&aes${p} ($inout0,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(0x50,$key));
+ eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(0x60,$key));
+ eval"&aes${p} ($inout0,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(0x70,$key));
+ eval"&aes${p} ($inout0,$rndkey1)";
+ eval"&aes${p}last ($inout0,$rndkey0)";
+ &ret();
+ &function_end_B("_aesni_${p}rypt1");
+}
+
+# void $PREFIX_encrypt (const void *inp,void *out,const AES_KEY *key);
+# &aesni_generate1("dec");
+&function_begin_B("${PREFIX}_encrypt");
+ &mov ("eax",&wparam(0));
+ &mov ($key,&wparam(2));
+ &movups ($inout0,&QWP(0,"eax"));
+ &mov ($rounds,&DWP(240,$key));
+ &mov ("eax",&wparam(1));
+ &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1");
+ &movups (&QWP(0,"eax"),$inout0);
+ &ret ();
+&function_end_B("${PREFIX}_encrypt");
+
+# void $PREFIX_decrypt (const void *inp,void *out,const AES_KEY *key);
+# &aesni_generate1("dec");
+&function_begin_B("${PREFIX}_decrypt");
+ &mov ("eax",&wparam(0));
+ &mov ($key,&wparam(2));
+ &movups ($inout0,&QWP(0,"eax"));
+ &mov ($rounds,&DWP(240,$key));
+ &mov ("eax",&wparam(1));
+ &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt1");
+ &movups (&QWP(0,"eax"),$inout0);
+ &ret ();
+&function_end_B("${PREFIX}_decrypt");
+�
+# _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave
+# factor. Why 3x subroutine is used in loops? Even though aes[enc|dec]
+# latency is 6, it turned out that it can be scheduled only every
+# *second* cycle. Thus 3x interleave is the one providing optimal
+# utilization, i.e. when subroutine's throughput is virtually same as
+# of non-interleaved subroutine [for number of input blocks up to 3].
+# This is why it makes no sense to implement 2x subroutine. As soon
+# as/if Intel improves throughput by making it possible to schedule
+# the instructions in question *every* cycles I would have to
+# implement 6x interleave and use it in loop...
+sub aesni_generate3
+{ my $p=shift;
+
+ &function_begin_B("_aesni_${p}rypt3");
+ &$movekey ($rndkey0,&QWP(0,$key));
+ &shr ($rounds,1);
+ &$movekey ($rndkey1,&QWP(16,$key));
+ &lea ($key,&DWP(32,$key));
+ &pxor ($inout0,$rndkey0);
+ &pxor ($inout1,$rndkey0);
+ &pxor ($inout2,$rndkey0);
+ &jmp (&label("${p}3_loop"));
+ &set_label("${p}3_loop",16);
+ eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey0,&QWP(0,$key));
+ eval"&aes${p} ($inout1,$rndkey1)";
+ &dec ($rounds);
+ eval"&aes${p} ($inout2,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(16,$key));
[...1989 lines suppressed...]
+ case NID_aes_128_cfb:
+ *cipher = &aesni_128_cfb;
+ break;
+ case NID_aes_128_ofb:
+ *cipher = &aesni_128_ofb;
+ break;
+
+ case NID_aes_192_ecb:
+ *cipher = &aesni_192_ecb;
+ break;
+ case NID_aes_192_cbc:
+ *cipher = &aesni_192_cbc;
+ break;
+ case NID_aes_192_cfb:
+ *cipher = &aesni_192_cfb;
+ break;
+ case NID_aes_192_ofb:
+ *cipher = &aesni_192_ofb;
+ break;
+
+ case NID_aes_256_ecb:
+ *cipher = &aesni_256_ecb;
+ break;
+ case NID_aes_256_cbc:
+ *cipher = &aesni_256_cbc;
+ break;
+ case NID_aes_256_cfb:
+ *cipher = &aesni_256_cfb;
+ break;
+ case NID_aes_256_ofb:
+ *cipher = &aesni_256_ofb;
+ break;
+
+ default:
+ /* Sorry, we don't support this NID */
+ *cipher = NULL;
+ return 0;
+ }
+
+ return 1;
+}
+
+#endif /* COMPILE_HW_AESNI */
+#endif /* !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) && !defined(OPENSSL_NO_AES) */
diff -up openssl-1.0.0-beta4/crypto/engine/eng_all.c.aesni openssl-1.0.0-beta4/crypto/engine/eng_all.c
--- openssl-1.0.0-beta4/crypto/engine/eng_all.c.aesni 2010-01-07 23:38:31.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/engine/eng_all.c 2010-01-12 22:18:06.000000000 +0100
@@ -85,6 +85,9 @@ void ENGINE_load_builtin_engines(void)
#if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV))
ENGINE_load_cryptodev();
#endif
+#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI)
+ ENGINE_load_aesni();
+#endif
ENGINE_load_dynamic();
#ifndef OPENSSL_NO_STATIC_ENGINE
#ifndef OPENSSL_NO_HW
diff -up openssl-1.0.0-beta4/crypto/engine/engine.h.aesni openssl-1.0.0-beta4/crypto/engine/engine.h
--- openssl-1.0.0-beta4/crypto/engine/engine.h.aesni 2010-01-07 23:38:30.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/engine/engine.h 2010-01-12 22:18:06.000000000 +0100
@@ -342,6 +342,7 @@ void ENGINE_load_gost(void);
#endif
#endif
void ENGINE_load_cryptodev(void);
+void ENGINE_load_aesni(void);
void ENGINE_load_builtin_engines(void);
/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
diff -up openssl-1.0.0-beta4/crypto/engine/Makefile.aesni openssl-1.0.0-beta4/crypto/engine/Makefile
--- openssl-1.0.0-beta4/crypto/engine/Makefile.aesni 2008-06-04 13:01:29.000000000 +0200
+++ openssl-1.0.0-beta4/crypto/engine/Makefile 2010-01-12 22:18:06.000000000 +0100
@@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e
eng_table.c eng_pkey.c eng_fat.c eng_all.c \
tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c \
- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c
+ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c \
+ eng_aesni.c
LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
eng_table.o eng_pkey.o eng_fat.o eng_all.o \
tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
tb_cipher.o tb_digest.o tb_pkmeth.o tb_asnmth.o \
- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o
+ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o \
+ eng_aesni.o
SRC= $(LIBSRC)
diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.aesni openssl-1.0.0-beta4/crypto/evp/evp_err.c
--- openssl-1.0.0-beta4/crypto/evp/evp_err.c.aesni 2010-01-07 23:38:31.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2010-01-12 22:18:06.000000000 +0100
@@ -1,6 +1,6 @@
/* crypto/evp/evp_err.c */
/* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -70,6 +70,7 @@
static ERR_STRING_DATA EVP_str_functs[]=
{
+{ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"},
{ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"},
{ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"},
@@ -85,7 +86,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
{ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
-{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_SIZE"},
+{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"},
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"},
diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.aesni openssl-1.0.0-beta4/crypto/evp/evp.h
--- openssl-1.0.0-beta4/crypto/evp/evp.h.aesni 2010-01-07 23:38:31.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/evp/evp.h 2010-01-12 22:18:06.000000000 +0100
@@ -1162,6 +1162,7 @@ void ERR_load_EVP_strings(void);
/* Error codes for the EVP functions. */
/* Function codes. */
+#define EVP_F_AESNI_INIT_KEY 163
#define EVP_F_AES_INIT_KEY 133
#define EVP_F_CAMELLIA_INIT_KEY 159
#define EVP_F_D2I_PKEY 100
diff -up openssl-1.0.0-beta4/test/test_aesni.aesni openssl-1.0.0-beta4/test/test_aesni
--- openssl-1.0.0-beta4/test/test_aesni.aesni 2010-01-12 22:18:06.000000000 +0100
+++ openssl-1.0.0-beta4/test/test_aesni 2010-01-12 22:18:06.000000000 +0100
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+PROG=$1
+
+if [ -x $PROG ]; then
+ if expr "x`$PROG version`" : "xOpenSSL" > /dev/null; then
+ :
+ else
+ echo "$PROG is not OpenSSL executable"
+ exit 1
+ fi
+else
+ echo "$PROG is not executable"
+ exit 1;
+fi
+
+if $PROG engine aesni | grep -v no-aesni; then
+
+ HASH=`cat $PROG | $PROG dgst -hex`
+
+ AES_ALGS=" aes-128-ecb aes-192-ecb aes-256-ecb \
+ aes-128-cbc aes-192-cbc aes-256-cbc \
+ aes-128-cfb aes-192-cfb aes-256-cfb \
+ aes-128-ofb aes-192-ofb aes-256-ofb"
+ BUFSIZE="16 32 48 64 80 96 128 144 999"
+
+ nerr=0
+
+ for alg in $AES_ALGS; do
+ echo $alg
+ for bufsize in $BUFSIZE; do
+ TEST=`( cat $PROG | \
+ $PROG enc -e -k "$HASH" -$alg -bufsize $bufsize -engine aesni | \
+ $PROG enc -d -k "$HASH" -$alg | \
+ $PROG dgst -hex ) 2>/dev/null`
+ if [ "$TEST" != "$HASH" ]; then
+ echo "-$alg/$bufsize encrypt test failed"
+ nerr=`expr $nerr + 1`
+ fi
+ done
+ for bufsize in $BUFSIZE; do
+ TEST=`( cat $PROG | \
+ $PROG enc -e -k "$HASH" -$alg | \
+ $PROG enc -d -k "$HASH" -$alg -bufsize $bufsize -engine aesni | \
+ $PROG dgst -hex ) 2>/dev/null`
+ if [ "$TEST" != "$HASH" ]; then
+ echo "-$alg/$bufsize decrypt test failed"
+ nerr=`expr $nerr + 1`
+ fi
+ done
+ TEST=`( cat $PROG | \
+ $PROG enc -e -k "$HASH" -$alg -engine aesni | \
+ $PROG enc -d -k "$HASH" -$alg -engine aesni | \
+ $PROG dgst -hex ) 2>/dev/null`
+ if [ "$TEST" != "$HASH" ]; then
+ echo "-$alg en/decrypt test failed"
+ nerr=`expr $nerr + 1`
+ fi
+ done
+
+ if [ $nerr -gt 0 ]; then
+ echo "AESNI engine test failed."
+ exit 1;
+ fi
+else
+ echo "AESNI engine is not available"
+fi
+
+exit 0
openssl-1.0.0-beta5-cipher-change.patch:
ssl.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE openssl-1.0.0-beta5-cipher-change.patch ---
diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100
+++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100
@@ -513,7 +513,7 @@ typedef struct ssl_session_st
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
/* Allow initial connection to servers that don't support RI */
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
@@ -530,7 +530,7 @@ typedef struct ssl_session_st
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL 0x80000FFFL
+#define SSL_OP_ALL 0x80000FF7L
/* DTLS options */
#define SSL_OP_NO_QUERY_MTU 0x00001000L
openssl-1.0.0-beta5-enginesdir.patch:
Configure | 9 +++++++--
engines/Makefile | 2 +-
2 files changed, 8 insertions(+), 3 deletions(-)
--- NEW FILE openssl-1.0.0-beta5-enginesdir.patch ---
diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
--- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100
+++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100
@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
my $prefix="";
my $libdir="";
my $openssldir="";
+my $enginesdir="";
my $exe_ext="";
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
my $cross_compile_prefix="";
@@ -833,6 +834,10 @@ PROCESS_ARGS:
{
$openssldir=$1;
}
+ elsif (/^--enginesdir=(.*)$/)
+ {
+ $enginesdir=$1;
+ }
elsif (/^--install.prefix=(.*)$/)
{
$install_prefix=$1;
@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
-
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
print "IsMK1MF=$IsMK1MF\n";
@@ -1673,7 +1678,7 @@ while (<IN>)
}
elsif (/^#define\s+ENGINESDIR/)
{
- my $foo = "$prefix/$libdir/engines";
+ my $foo = "$enginesdir";
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}
diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
--- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100
+++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100
@@ -124,7 +124,7 @@ install:
sfx=".so"; \
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
fi; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
done; \
fi
openssl-1.0.0-beta5-ipv6-apps.patch:
s_apps.h | 7 -
s_client.c | 9 -
s_server.c | 9 -
s_socket.c | 306 ++++++++++++++++++++++++-------------------------------------
4 files changed, 134 insertions(+), 197 deletions(-)
--- NEW FILE openssl-1.0.0-beta5-ipv6-apps.patch ---
diff -up openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta5/apps/s_apps.h
--- openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
+++ openssl-1.0.0-beta5/apps/s_apps.h 2010-02-03 09:43:49.000000000 +0100
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
#ifdef HEADER_X509_H
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
#endif
-int init_client(int *sock, char *server, int port, int type);
+int init_client(int *sock, char *server, char *port, int type);
int should_retry(int i);
-int extract_port(char *str, short *port_ptr);
-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
diff -up openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps openssl-1.0.0-beta5/apps/s_client.c
--- openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
+++ openssl-1.0.0-beta5/apps/s_client.c 2010-02-03 09:43:49.000000000 +0100
@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
fd_set readfds,writefds;
- short port=PORT;
+ char *port_str = PORT_STR;
int full_log=1;
char *host=SSL_HOST_NAME;
char *cert_file=NULL,*key_file=NULL;
@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-port") == 0)
{
if (--argc < 1) goto bad;
- port=atoi(*(++argv));
- if (port == 0) goto bad;
+ port_str= *(++argv);
}
else if (strcmp(*argv,"-connect") == 0)
{
if (--argc < 1) goto bad;
- if (!extract_host_port(*(++argv),&host,NULL,&port))
+ if (!extract_host_port(*(++argv),&host,&port_str))
goto bad;
}
else if (strcmp(*argv,"-verify") == 0)
@@ -967,7 +966,7 @@ bad:
re_start:
- if (init_client(&s,host,port,socket_type) == 0)
+ if (init_client(&s,host,port_str,socket_type) == 0)
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);
diff -up openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps openssl-1.0.0-beta5/apps/s_server.c
--- openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
+++ openssl-1.0.0-beta5/apps/s_server.c 2010-02-03 09:43:49.000000000 +0100
@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
{
X509_VERIFY_PARAM *vpm = NULL;
int badarg = 0;
- short port=PORT;
+ char *port_str = PORT_STR;
char *CApath=NULL,*CAfile=NULL;
unsigned char *context = NULL;
char *dhfile = NULL;
@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
(strcmp(*argv,"-accept") == 0))
{
if (--argc < 1) goto bad;
- if (!extract_port(*(++argv),&port))
- goto bad;
+ port_str= *(++argv);
}
else if (strcmp(*argv,"-verify") == 0)
{
@@ -1700,9 +1699,9 @@ bad:
BIO_printf(bio_s_out,"ACCEPT\n");
(void)BIO_flush(bio_s_out);
if (www)
- do_server(port,socket_type,&accept_socket,www_body, context);
+ do_server(port_str,socket_type,&accept_socket,www_body, context);
else
- do_server(port,socket_type,&accept_socket,sv_body, context);
+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
print_stats(bio_s_out,ctx);
ret=0;
end:
diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/s_socket.c
--- openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps 2009-08-26 13:21:50.000000000 +0200
+++ openssl-1.0.0-beta5/apps/s_socket.c 2010-02-03 10:00:30.000000000 +0100
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
static void ssl_sock_cleanup(void);
#endif
static int ssl_sock_init(void);
-static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
-static int init_server(int *sock, int port, int type);
-static int init_server_long(int *sock, int port,char *ip, int type);
+static int init_server(int *sock, char *port, int type);
static int do_accept(int acc_sock, int *sock, char **host);
static int host_ip(char *str, unsigned char ip[4]);
@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
return(1);
}
-int init_client(int *sock, char *host, int port, int type)
+int init_client(int *sock, char *host, char *port, int type)
{
- unsigned char ip[4];
-
- if (!host_ip(host,&(ip[0])))
- {
- return(0);
- }
- return(init_client_ip(sock,ip,port,type));
- }
-
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
- {
- unsigned long addr;
- struct sockaddr_in them;
- int s,i;
+ struct addrinfo *res, *res0, hints;
+ char * failed_call = NULL;
+ int s;
+ int e;
if (!ssl_sock_init()) return(0);
- memset((char *)&them,0,sizeof(them));
- them.sin_family=AF_INET;
- them.sin_port=htons((unsigned short)port);
- addr=(unsigned long)
- ((unsigned long)ip[0]<<24L)|
- ((unsigned long)ip[1]<<16L)|
- ((unsigned long)ip[2]<< 8L)|
- ((unsigned long)ip[3]);
- them.sin_addr.s_addr=htonl(addr);
-
- if (type == SOCK_STREAM)
- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
- else /* ( type == SOCK_DGRAM) */
- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
-
- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_ADDRCONFIG;
+
+ e = getaddrinfo(host, port, &hints, &res);
+ if (e)
+ {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ }
+ res0 = res;
+ while (res)
+ {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET)
+ {
+ failed_call = "socket";
+ goto nextres;
+ }
#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
if (type == SOCK_STREAM)
{
- i=0;
- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
- if (i < 0) { perror("keepalive"); return(0); }
+ int i=0;
+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
+ (char *)&i,sizeof(i));
+ if (i < 0) {
+ failed_call = "keepalive";
+ goto nextres;
+ }
}
#endif
-
- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
- { closesocket(s); perror("connect"); return(0); }
+ if (connect(s,(struct sockaddr *)res->ai_addr,
+ res->ai_addrlen) == 0)
+ {
+ freeaddrinfo(res0);
*sock=s;
return(1);
}
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
+ failed_call = "socket";
+nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
+ }
+ freeaddrinfo(res0);
+
+ perror(failed_call);
+ return(0);
+ }
+
+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
{
int sock;
char *name = NULL;
@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
}
}
-static int init_server_long(int *sock, int port, char *ip, int type)
+static int init_server(int *sock, char *port, int type)
{
- int ret=0;
- struct sockaddr_in server;
- int s= -1,i;
+ struct addrinfo *res, *res0, hints;
+ char * failed_call = NULL;
+ char port_name[8];
+ int s;
+ int e;
if (!ssl_sock_init()) return(0);
- memset((char *)&server,0,sizeof(server));
- server.sin_family=AF_INET;
- server.sin_port=htons((unsigned short)port);
- if (ip == NULL)
- server.sin_addr.s_addr=INADDR_ANY;
- else
-/* Added for T3E, address-of fails on bit field (beckman at acl.lanl.gov) */
-#ifndef BIT_FIELD_LIMITS
- memcpy(&server.sin_addr.s_addr,ip,4);
-#else
- memcpy(&server.sin_addr,ip,4);
-#endif
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
- if (type == SOCK_STREAM)
- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
- else /* type == SOCK_DGRAM */
- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
+ e = getaddrinfo(NULL, port, &hints, &res);
+ if (e)
+ {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ }
- if (s == INVALID_SOCKET) goto err;
+ res0 = res;
+ while (res)
+ {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET)
+ {
+ failed_call = "socket";
+ goto nextres;
+ }
#if defined SOL_SOCKET && defined SO_REUSEADDR
{
int j = 1;
@@ -357,36 +372,39 @@ static int init_server_long(int *sock, i
(void *) &j, sizeof j);
}
#endif
- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
+
+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
{
-#ifndef OPENSSL_SYS_WINDOWS
- perror("bind");
-#endif
- goto err;
+ failed_call = "bind";
+ goto nextres;
}
- /* Make it 128 for linux */
- if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
- i=0;
- *sock=s;
- ret=1;
-err:
- if ((ret == 0) && (s != -1))
+ if (type==SOCK_STREAM && listen(s,128) == -1)
{
- SHUTDOWN(s);
+ failed_call = "listen";
+ goto nextres;
}
- return(ret);
+
+ *sock=s;
+ return(1);
+
+nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
}
+ freeaddrinfo(res0);
-static int init_server(int *sock, int port, int type)
- {
- return(init_server_long(sock, port, NULL, type));
+ if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+
+ perror(failed_call);
+ return(0);
}
static int do_accept(int acc_sock, int *sock, char **host)
{
- int ret,i;
- struct hostent *h1,*h2;
- static struct sockaddr_in from;
+ static struct sockaddr_storage from;
+ char buffer[NI_MAXHOST];
+ int ret;
int len;
/* struct linger ling; */
@@ -432,136 +450,58 @@ redoit:
*/
if (host == NULL) goto end;
-#ifndef BIT_FIELD_LIMITS
- /* I should use WSAAsyncGetHostByName() under windows */
- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
- sizeof(from.sin_addr.s_addr),AF_INET);
-#else
- h1=gethostbyaddr((char *)&from.sin_addr,
- sizeof(struct in_addr),AF_INET);
-#endif
- if (h1 == NULL)
+
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
+ buffer, sizeof(buffer),
+ NULL, 0, 0))
{
- BIO_printf(bio_err,"bad gethostbyaddr\n");
+ BIO_printf(bio_err,"getnameinfo failed\n");
*host=NULL;
/* return(0); */
}
else
{
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
{
perror("OPENSSL_malloc");
return(0);
}
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
-
- h2=GetHostByName(*host);
- if (h2 == NULL)
- {
- BIO_printf(bio_err,"gethostbyname failure\n");
- return(0);
- }
- i=0;
- if (h2->h_addrtype != AF_INET)
- {
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
- return(0);
- }
+ strcpy(*host, buffer);
}
end:
*sock=ret;
return(1);
}
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
- short *port_ptr)
+int extract_host_port(char *str, char **host_ptr,
+ char **port_ptr)
{
- char *h,*p;
+ char *h,*p,*x;
- h=str;
- p=strchr(str,':');
+ x=h=str;
+ if (*h == '[')
+ {
+ h++;
+ p=strchr(h,']');
if (p == NULL)
{
- BIO_printf(bio_err,"no port defined\n");
+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
return(0);
}
*(p++)='\0';
-
- if ((ip != NULL) && !host_ip(str,ip))
- goto err;
- if (host_ptr != NULL) *host_ptr=h;
-
- if (!extract_port(p,port_ptr))
- goto err;
- return(1);
-err:
- return(0);
+ x = p;
}
-
-static int host_ip(char *str, unsigned char ip[4])
- {
- unsigned int in[4];
- int i;
-
- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
- {
- for (i=0; i<4; i++)
- if (in[i] > 255)
- {
- BIO_printf(bio_err,"invalid IP address\n");
- goto err;
- }
- ip[0]=in[0];
- ip[1]=in[1];
- ip[2]=in[2];
- ip[3]=in[3];
- }
- else
- { /* do a gethostbyname */
- struct hostent *he;
-
- if (!ssl_sock_init()) return(0);
-
- he=GetHostByName(str);
- if (he == NULL)
- {
- BIO_printf(bio_err,"gethostbyname failure\n");
- goto err;
- }
- /* cast to short because of win16 winsock definition */
- if ((short)he->h_addrtype != AF_INET)
+ p=strchr(x,':');
+ if (p == NULL)
{
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
- return(0);
- }
- ip[0]=he->h_addr_list[0][0];
- ip[1]=he->h_addr_list[0][1];
- ip[2]=he->h_addr_list[0][2];
- ip[3]=he->h_addr_list[0][3];
- }
- return(1);
-err:
+ BIO_printf(bio_err,"no port defined\n");
return(0);
}
+ *(p++)='\0';
-int extract_port(char *str, short *port_ptr)
- {
- int i;
- struct servent *s;
+ if (host_ptr != NULL) *host_ptr=h;
+ if (port_ptr != NULL) *port_ptr=p;
- i=atoi(str);
- if (i != 0)
- *port_ptr=(unsigned short)i;
- else
- {
- s=getservbyname(str,"tcp");
- if (s == NULL)
- {
- BIO_printf(bio_err,"getservbyname failure for %s\n",str);
- return(0);
- }
- *port_ptr=ntohs((unsigned short)s->s_port);
- }
return(1);
}
openssl-1.0.0-beta5-readme-warning.patch:
README | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
--- NEW FILE openssl-1.0.0-beta5-readme-warning.patch ---
diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
--- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
@@ -5,6 +5,35 @@
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
+ WARNING
+ -------
+
+ This version of OpenSSL is built in a way that supports operation in
+ the so called FIPS mode. Note though that the library as we build it
+ is not FIPS validated and the FIPS mode is present for testing purposes
+ only.
+
+ This version also contains a few differences from the upstream code
+ some of which are:
+ * There are added changes forward ported from the upstream OpenSSL
+ 0.9.8 FIPS branch however the FIPS integrity verification check
+ is implemented differently from the upstream FIPS validated OpenSSL
+ module. It verifies HMAC-SHA256 checksum of the whole shared
+ libraries. For this reason the changes are ported to files in the
+ crypto directory and not in a separate fips subdirectory. Also
+ note that the FIPS integrity verification check requires unmodified
+ libcrypto and libssl shared library files which means that it will
+ fail if these files are modified for example by prelink.
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
+ tries to initialize the FIPS mode if it is set to 1 aborting if the
+ FIPS mode could not be initialized. It is also possible to force the
+ OpenSSL library to FIPS mode especially for debugging purposes by
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
+ will not automatically load the built in compression method ZLIB
+ when initialized. Applications can still explicitely ask for ZLIB
+ compression method.
+
DESCRIPTION
-----------
openssl-1.0.0-name-hash.patch:
x509_cmp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- NEW FILE openssl-1.0.0-name-hash.patch ---
diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash 2010-01-12 18:27:10.000000000 +0100
+++ openssl-1.0.0/crypto/x509/x509_cmp.c 2010-04-06 16:44:52.000000000 +0200
@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
{
unsigned long ret=0;
unsigned char md[16];
+ EVP_MD_CTX ctx;
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x,NULL);
- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+
+ EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
+ && EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
+ && EVP_DigestFinal_ex(&ctx, md, NULL);
+ EVP_MD_CTX_cleanup(&ctx);
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
openssl-1.0.0-timezone.patch:
Makefile.org | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE openssl-1.0.0-timezone.patch ---
diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org
--- openssl-1.0.0/Makefile.org.timezone 2010-03-30 11:08:40.000000000 +0200
+++ openssl-1.0.0/Makefile.org 2010-04-06 12:49:21.000000000 +0200
@@ -609,7 +609,7 @@ install_docs:
sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$$pod2man \
+ sh -c "TZ=UTC $$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
@@ -626,7 +626,7 @@ install_docs:
sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$$pod2man \
+ sh -c "TZ=UTC $$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
openssl-1.0.0a-fips.patch:
Configure | 14
Makefile.org | 6
crypto/Makefile | 6
crypto/bf/bf_skey.c | 7
crypto/bf/blowfish.h | 4
crypto/bn/Makefile | 4
crypto/bn/bn.h | 11
crypto/bn/bn_x931p.c | 272 ++++++++++
crypto/camellia/Makefile | 4
crypto/camellia/asm/cmll-x86.pl | 7
crypto/camellia/camellia.h | 5
crypto/camellia/cmll_fblk.c | 68 ++
crypto/camellia/cmll_misc.c | 9
crypto/cast/c_skey.c | 7
crypto/cast/cast.h | 4
crypto/crypto.h | 58 ++
crypto/dh/dh.h | 5
crypto/dh/dh_err.c | 3
crypto/dh/dh_gen.c | 18
crypto/dh/dh_key.c | 21
crypto/dsa/dsa.h | 23
crypto/dsa/dsa_gen.c | 19
crypto/dsa/dsa_key.c | 63 ++
crypto/dsa/dsa_ossl.c | 36 +
crypto/err/err_all.c | 6
crypto/evp/digest.c | 60 ++
crypto/evp/e_aes.c | 41 -
crypto/evp/e_camellia.c | 2
crypto/evp/e_des3.c | 24
crypto/evp/e_null.c | 2
crypto/evp/e_rc4.c | 1
crypto/evp/evp.h | 23
crypto/evp/evp_enc.c | 69 ++
crypto/evp/evp_err.c | 1
crypto/evp/evp_lib.c | 7
crypto/evp/evp_locl.h | 28 -
crypto/evp/m_dss.c | 2
crypto/evp/m_dss1.c | 2
crypto/evp/m_md2.c | 1
crypto/evp/m_md4.c | 1
crypto/evp/m_md5.c | 1
crypto/evp/m_mdc2.c | 1
crypto/evp/m_ripemd.c | 1
crypto/evp/m_sha1.c | 15
crypto/evp/m_wp.c | 1
crypto/evp/names.c | 8
crypto/evp/p_sign.c | 17
crypto/evp/p_verify.c | 17
crypto/fips/Makefile | 81 +++
crypto/fips/cavs/fips_aesavs.c | 939 +++++++++++++++++++++++++++++++++++++
crypto/fips/cavs/fips_desmovs.c | 702 +++++++++++++++++++++++++++
crypto/fips/cavs/fips_dssvs.c | 537 +++++++++++++++++++++
crypto/fips/cavs/fips_rngvs.c | 230 +++++++++
crypto/fips/cavs/fips_rsagtest.c | 390 +++++++++++++++
crypto/fips/cavs/fips_rsastest.c | 370 ++++++++++++++
crypto/fips/cavs/fips_rsavtest.c | 377 ++++++++++++++
crypto/fips/cavs/fips_shatest.c | 388 +++++++++++++++
crypto/fips/cavs/fips_utl.h | 343 +++++++++++++
crypto/fips/fips.c | 419 ++++++++++++++++
crypto/fips/fips.h | 163 ++++++
crypto/fips/fips_aes_selftest.c | 103 ++++
crypto/fips/fips_des_selftest.c | 139 +++++
crypto/fips/fips_dsa_selftest.c | 186 +++++++
crypto/fips/fips_hmac_selftest.c | 137 +++++
crypto/fips/fips_rand.c | 412 ++++++++++++++++
crypto/fips/fips_rand.h | 77 +++
crypto/fips/fips_rand_selftest.c | 373 ++++++++++++++
crypto/fips/fips_randtest.c | 248 +++++++++
crypto/fips/fips_rsa_selftest.c | 441 +++++++++++++++++
crypto/fips/fips_rsa_x931g.c | 281 +++++++++++
crypto/fips/fips_sha1_selftest.c | 99 +++
crypto/fips/fips_standalone_sha1.c | 173 ++++++
crypto/fips/fips_test_suite.c | 588 +++++++++++++++++++++++
crypto/fips_err.c | 7
crypto/fips_err.h | 137 +++++
crypto/fips_locl.h | 72 ++
crypto/hmac/hmac.c | 7
crypto/md2/md2.h | 3
crypto/md2/md2_dgst.c | 7
crypto/md4/md4.h | 3
crypto/md4/md4_dgst.c | 7
crypto/md5/md5.h | 3
crypto/md5/md5_dgst.c | 7
crypto/mdc2/mdc2.h | 4
crypto/mdc2/mdc2dgst.c | 7
crypto/mem.c | 2
crypto/o_init.c | 80 +++
crypto/opensslconf.h.in | 15
crypto/pkcs12/p12_crt.c | 11
crypto/rand/md_rand.c | 12
crypto/rand/rand.h | 17
crypto/rand/rand_err.c | 17
crypto/rand/rand_lib.c | 17
crypto/rc2/rc2.h | 4
crypto/rc2/rc2_skey.c | 17
crypto/rc4/Makefile | 4
crypto/rc4/asm/rc4-586.pl | 8
crypto/rc4/asm/rc4-s390x.pl | 2
crypto/rc4/asm/rc4-x86_64.pl | 2
crypto/rc4/rc4.h | 3
crypto/rc4/rc4_fblk.c | 75 ++
crypto/rc4/rc4_skey.c | 14
crypto/ripemd/ripemd.h | 3
crypto/ripemd/rmd_dgst.c | 7
crypto/rsa/rsa.h | 28 +
crypto/rsa/rsa_eay.c | 160 ++++--
crypto/rsa/rsa_err.c | 6
crypto/rsa/rsa_gen.c | 104 ++++
crypto/rsa/rsa_lib.c | 40 +
crypto/rsa/rsa_sign.c | 10
crypto/seed/seed.c | 14
crypto/seed/seed.h | 3
crypto/sha/sha.h | 3
crypto/sha/sha1dgst.c | 4
crypto/sha/sha256.c | 10
crypto/sha/sha512.c | 10
crypto/sha/sha_dgst.c | 6
crypto/sha/sha_locl.h | 7
crypto/whrlpool/whrlpool.h | 3
crypto/whrlpool/wp_dgst.c | 6
ssl/s23_clnt.c | 16
ssl/s23_srvr.c | 9
ssl/s3_clnt.c | 6
ssl/s3_enc.c | 4
ssl/s3_srvr.c | 2
ssl/ssl_ciph.c | 7
ssl/ssl_lib.c | 8
ssl/ssltest.c | 35 +
ssl/t1_enc.c | 2
129 files changed, 10143 insertions(+), 135 deletions(-)
--- NEW FILE openssl-1.0.0a-fips.patch ---
diff -up openssl-1.0.0a/Configure.fips openssl-1.0.0a/Configure
--- openssl-1.0.0a/Configure.fips 2010-06-04 12:25:15.000000000 +0200
+++ openssl-1.0.0a/Configure 2010-06-04 12:25:15.000000000 +0200
@@ -660,6 +660,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml
my $processor="";
my $default_ranlib;
my $perl;
+my $fips=0;
# All of the following is disabled by default (RC5 was enabled before 0.9.8):
@@ -806,6 +807,10 @@ PROCESS_ARGS:
}
elsif (/^386$/)
{ $processor=386; }
+ elsif (/^fips$/)
+ {
+ $fips=1;
+ }
elsif (/^rsaref$/)
{
# No RSAref support any more since it's not needed.
@@ -1368,6 +1373,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no
$cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
+if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+ }
+
$cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
$des_obj=$des_enc unless ($des_obj =~ /\.o$/);
$bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
@@ -1535,6 +1545,10 @@ while (<IN>)
s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
+ if ($fips)
+ {
+ s/^FIPS=.*/FIPS=yes/;
+ }
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
diff -up openssl-1.0.0a/crypto/bf/bf_skey.c.fips openssl-1.0.0a/crypto/bf/bf_skey.c
--- openssl-1.0.0a/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100
+++ openssl-1.0.0a/crypto/bf/bf_skey.c 2010-06-04 12:25:15.000000000 +0200
@@ -59,10 +59,15 @@
#include <stdio.h>
#include <string.h>
#include <openssl/blowfish.h>
+#include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
#include "bf_locl.h"
#include "bf_pi.h"
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
{
int i;
BF_LONG *p,ri,in[2];
diff -up openssl-1.0.0a/crypto/bf/blowfish.h.fips openssl-1.0.0a/crypto/bf/blowfish.h
--- openssl-1.0.0a/crypto/bf/blowfish.h.fips 2010-06-04 12:25:14.000000000 +0200
+++ openssl-1.0.0a/crypto/bf/blowfish.h 2010-06-04 12:25:15.000000000 +0200
@@ -104,7 +104,9 @@ typedef struct bf_key_st
BF_LONG S[4*256];
} BF_KEY;
-
+#ifdef OPENSSL_FIPS
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff -up openssl-1.0.0a/crypto/bn/bn.h.fips openssl-1.0.0a/crypto/bn/bn.h
--- openssl-1.0.0a/crypto/bn/bn.h.fips 2010-06-04 12:25:15.000000000 +0200
+++ openssl-1.0.0a/crypto/bn/bn.h 2010-06-04 12:25:15.000000000 +0200
@@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n
int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
int do_trial_division, BN_GENCB *cb);
+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
+
+int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+ const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
+ const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
+int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+ BIGNUM *Xp1, BIGNUM *Xp2,
+ const BIGNUM *Xp,
+ const BIGNUM *e, BN_CTX *ctx,
+ BN_GENCB *cb);
+
BN_MONT_CTX *BN_MONT_CTX_new(void );
void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
diff -up openssl-1.0.0a/crypto/bn/bn_x931p.c.fips openssl-1.0.0a/crypto/bn/bn_x931p.c
--- openssl-1.0.0a/crypto/bn/bn_x931p.c.fips 2010-06-04 12:25:15.000000000 +0200
+++ openssl-1.0.0a/crypto/bn/bn_x931p.c 2010-06-04 12:25:15.000000000 +0200
@@ -0,0 +1,272 @@
+/* bn_x931p.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+
+/* X9.31 routines for prime derivation */
+
+/* X9.31 prime derivation. This is used to generate the primes pi
+ * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
+ * integers.
+ */
+
+static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
+ BN_GENCB *cb)
+ {
+ int i = 0;
+ if (!BN_copy(pi, Xpi))
+ return 0;
+ if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
+ return 0;
+ for(;;)
+ {
+ i++;
+ BN_GENCB_call(cb, 0, i);
+ /* NB 27 MR is specificed in X9.31 */
+ if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb))
+ break;
+ if (!BN_add_word(pi, 2))
+ return 0;
+ }
+ BN_GENCB_call(cb, 2, i);
+ return 1;
+ }
+
+/* This is the main X9.31 prime derivation function. From parameters
+ * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
+ * not NULL they will be returned too: this is needed for testing.
+ */
+
[...11765 lines suppressed...]
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -487,6 +490,9 @@ int main(int argc, char *argv[])
#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
verbose = 0;
debug = 0;
@@ -518,7 +524,16 @@ int main(int argc, char *argv[])
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
@@ -714,6 +729,20 @@ bad:
EXIT(1);
}
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
if (print_time)
{
if (!bio_pair)
@@ -2156,12 +2185,12 @@ static int MS_CALLBACK app_verify_callba
}
#ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
+# if 0
if(s->version == TLS1_VERSION)
FIPS_allow_md5(1);
# endif
ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
+# if 0
if(s->version == TLS1_VERSION)
FIPS_allow_md5(0);
# endif
diff -up openssl-1.0.0a/ssl/s23_clnt.c.fips openssl-1.0.0a/ssl/s23_clnt.c
--- openssl-1.0.0a/ssl/s23_clnt.c.fips 2010-02-16 15:20:40.000000000 +0100
+++ openssl-1.0.0a/ssl/s23_clnt.c 2010-06-04 12:25:15.000000000 +0200
@@ -334,6 +334,14 @@ static int ssl23_client_hello(SSL *s)
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
}
+#ifdef OPENSSL_FIPS
+ else if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
else if (version == SSL3_VERSION)
{
version_major = SSL3_VERSION_MAJOR;
@@ -617,6 +625,14 @@ static int ssl23_get_server_hello(SSL *s
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
diff -up openssl-1.0.0a/ssl/s23_srvr.c.fips openssl-1.0.0a/ssl/s23_srvr.c
--- openssl-1.0.0a/ssl/s23_srvr.c.fips 2010-02-16 15:20:40.000000000 +0100
+++ openssl-1.0.0a/ssl/s23_srvr.c 2010-06-04 12:25:15.000000000 +0200
@@ -393,6 +393,15 @@ int ssl23_get_client_hello(SSL *s)
}
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (s->version < TLS1_VERSION))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
+
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
diff -up openssl-1.0.0a/ssl/s3_clnt.c.fips openssl-1.0.0a/ssl/s3_clnt.c
--- openssl-1.0.0a/ssl/s3_clnt.c.fips 2010-02-28 01:24:24.000000000 +0100
+++ openssl-1.0.0a/ssl/s3_clnt.c 2010-06-04 12:25:15.000000000 +0200
@@ -156,6 +156,10 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
@@ -1546,6 +1550,8 @@ int ssl3_get_key_exchange(SSL *s)
q=md_buf;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
diff -up openssl-1.0.0a/ssl/s3_enc.c.fips openssl-1.0.0a/ssl/s3_enc.c
--- openssl-1.0.0a/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200
+++ openssl-1.0.0a/ssl/s3_enc.c 2010-06-04 12:25:15.000000000 +0200
@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *
#endif
k=0;
EVP_MD_CTX_init(&m5);
+ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_MD_CTX_init(&s1);
for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
{
@@ -614,6 +615,8 @@ int ssl3_digest_cached_records(SSL *s)
if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
{
s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
+ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
}
@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in
return 0;
}
EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_MD_CTX_copy_ex(&ctx,d);
n=EVP_MD_CTX_size(&ctx);
if (n < 0)
diff -up openssl-1.0.0a/ssl/s3_srvr.c.fips openssl-1.0.0a/ssl/s3_srvr.c
--- openssl-1.0.0a/ssl/s3_srvr.c.fips 2010-02-28 00:04:10.000000000 +0100
+++ openssl-1.0.0a/ssl/s3_srvr.c 2010-06-04 12:25:15.000000000 +0200
@@ -1752,6 +1752,8 @@ int ssl3_send_server_key_exchange(SSL *s
j=0;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
diff -up openssl-1.0.0a/ssl/t1_enc.c.fips openssl-1.0.0a/ssl/t1_enc.c
--- openssl-1.0.0a/ssl/t1_enc.c.fips 2010-05-17 13:26:56.000000000 +0200
+++ openssl-1.0.0a/ssl/t1_enc.c 2010-06-04 13:28:01.000000000 +0200
@@ -170,6 +170,8 @@ static int tls1_P_hash(const EVP_MD *md,
HMAC_CTX_init(&ctx);
HMAC_CTX_init(&ctx_tmp);
+ HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
if (!HMAC_Init_ex(&ctx,sec,sec_len,md, NULL))
goto err;
if (!HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL))
openssl-1.0.0a-fipsmode.patch:
crypto/engine/eng_all.c | 14 ++++++++++
crypto/evp/c_allc.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
crypto/evp/c_alld.c | 33 +++++++++++++++++++++++++
crypto/o_init.c | 38 +++++++++++++++++++++++++++++
ssl/ssl_algs.c | 48 +++++++++++++++++++++++++++++++++++++
5 files changed, 195 insertions(+)
--- NEW FILE openssl-1.0.0a-fipsmode.patch ---
diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200
+++ openssl-1.0.0a/crypto/engine/eng_all.c 2010-06-04 13:32:13.000000000 +0200
@@ -58,9 +58,23 @@
#include "cryptlib.h"
#include "eng_int.h"
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
void ENGINE_load_builtin_engines(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init_library();
+ if (FIPS_mode()) {
+ /* We allow loading dynamic engine as a third party
+ engine might be FIPS validated.
+ User is disallowed to load non-validated engines
+ by security policy. */
+ ENGINE_load_dynamic();
+ return;
+ }
+#endif
#if 0
/* There's no longer any need for an "openssl" ENGINE unless, one day,
* it is the *only* way for standard builtin implementations to be be
diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode 2009-12-25 15:12:24.000000000 +0100
+++ openssl-1.0.0a/crypto/evp/c_allc.c 2010-06-04 13:32:13.000000000 +0200
@@ -65,6 +65,11 @@
void OpenSSL_add_all_ciphers(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init_library();
+ if(!FIPS_mode())
+ {
+#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cfb());
EVP_add_cipher(EVP_des_cfb1());
@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
#endif
+#ifdef OPENSSL_FIPS
+ }
+ else
+ {
+#ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede_cfb());
+ EVP_add_cipher(EVP_des_ede3_cfb());
+
+ EVP_add_cipher(EVP_des_ede_ofb());
+ EVP_add_cipher(EVP_des_ede3_ofb());
+
+ EVP_add_cipher(EVP_des_ede_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
+
+ EVP_add_cipher(EVP_des_ede());
+ EVP_add_cipher(EVP_des_ede3());
+#endif
+
+#ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_ecb());
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_128_cfb());
+ EVP_add_cipher(EVP_aes_128_cfb1());
+ EVP_add_cipher(EVP_aes_128_cfb8());
+ EVP_add_cipher(EVP_aes_128_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_128_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_192_cfb());
+ EVP_add_cipher(EVP_aes_192_cfb1());
+ EVP_add_cipher(EVP_aes_192_cfb8());
+ EVP_add_cipher(EVP_aes_192_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_192_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+ EVP_add_cipher(EVP_aes_256_cbc());
+ EVP_add_cipher(EVP_aes_256_cfb());
+ EVP_add_cipher(EVP_aes_256_cfb1());
+ EVP_add_cipher(EVP_aes_256_cfb8());
+ EVP_add_cipher(EVP_aes_256_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_256_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
+#endif
+ }
+#endif
}
diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200
+++ openssl-1.0.0a/crypto/evp/c_alld.c 2010-06-04 13:32:13.000000000 +0200
@@ -64,6 +64,11 @@
void OpenSSL_add_all_digests(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init_library();
+ if (!FIPS_mode())
+ {
+#endif
#ifndef OPENSSL_NO_MD4
EVP_add_digest(EVP_md4());
#endif
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
#ifndef OPENSSL_NO_WHIRLPOOL
EVP_add_digest(EVP_whirlpool());
#endif
+#ifdef OPENSSL_FIPS
+ }
+ else
+ {
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+ EVP_add_digest(EVP_sha1());
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#ifndef OPENSSL_NO_DSA
+ EVP_add_digest(EVP_dss1());
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ EVP_add_digest(EVP_ecdsa());
+#endif
+#endif
+#ifndef OPENSSL_NO_SHA256
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+#endif
+ }
+#endif
}
diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
--- openssl-1.0.0a/crypto/o_init.c.fipsmode 2010-06-04 13:32:13.000000000 +0200
+++ openssl-1.0.0a/crypto/o_init.c 2010-06-04 13:32:13.000000000 +0200
@@ -59,6 +59,43 @@
#include <e_os.h>
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <openssl/fips.h>
+
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static void init_fips_mode(void)
+ {
+ char buf[2] = "0";
+ int fd;
+
+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+ {
+ buf[0] = '1';
+ }
+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
+ {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+ close(fd);
+ }
+ /* Failure reading the fips mode switch file means just not
+ * switching into FIPS mode. We would break too many things
+ * otherwise.
+ */
+
+ if (buf[0] == '1')
+ {
+ FIPS_mode_set(1);
+ }
+ }
+#endif
+
/* Perform any essential OpenSSL initialization operations.
* Currently only sets FIPS callbacks
*/
@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
#ifdef CRYPTO_MDEBUG
CRYPTO_malloc_debug_init();
#endif
+ init_fips_mode();
done = 1;
}
#endif
diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode 2010-04-07 15:18:30.000000000 +0200
+++ openssl-1.0.0a/ssl/ssl_algs.c 2010-06-04 13:32:48.000000000 +0200
@@ -64,6 +64,12 @@
int SSL_library_init(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init_library();
+ if (!FIPS_mode())
+ {
+#endif
+
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
@@ -127,6 +133,48 @@ int SSL_library_init(void)
EVP_add_digest(EVP_sha());
EVP_add_digest(EVP_dss());
#endif
+#ifdef OPENSSL_FIPS
+ }
+ else
+ {
+#ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede3_cbc());
+#endif
+#ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_256_cbc());
+#endif
+#ifndef OPENSSL_NO_MD5
+ /* needed even in the FIPS mode for TLS MAC */
+ EVP_add_digest(EVP_md5());
+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
+ EVP_add_digest_alias(SN_md5,"ssl3-md5");
+#endif
+#ifndef OPENSSL_NO_SHA
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#endif
+#ifndef OPENSSL_NO_SHA256
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+#endif
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ EVP_add_digest(EVP_ecdsa());
+#endif
+ }
+#endif
#ifndef OPENSSL_NO_COMP
/* This will initialise the built-in compression algorithms.
The value returned is a STACK_OF(SSL_COMP), but that can
openssl-1.0.0a-version.patch:
opensslv.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- NEW FILE openssl-1.0.0a-version.patch ---
diff -up openssl-1.0.0a/crypto/opensslv.h.version openssl-1.0.0a/crypto/opensslv.h
--- openssl-1.0.0a/crypto/opensslv.h.version 2010-06-04 13:28:52.000000000 +0200
+++ openssl-1.0.0a/crypto/opensslv.h 2010-06-04 13:29:42.000000000 +0200
@@ -25,7 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000001fL
+/* we have to keep the version number to not break the abi */
+#define OPENSSL_VERSION_NUMBER 0x10000003L
#ifdef OPENSSL_FIPS
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0a-fips 1 Jun 2010"
#else
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/mingw32-openssl/devel/.cvsignore,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- .cvsignore 22 Nov 2009 17:44:33 -0000 1.4
+++ .cvsignore 19 Jun 2010 19:33:40 -0000 1.5
@@ -1 +1 @@
-openssl-1.0.0-beta4-usa.tar.bz2
+openssl-1.0.0a-usa.tar.bz2
Index: mingw32-openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mingw32-openssl/devel/mingw32-openssl.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -p -r1.14 -r1.15
--- mingw32-openssl.spec 26 Nov 2009 07:00:46 -0000 1.14
+++ mingw32-openssl.spec 19 Jun 2010 19:33:40 -0000 1.15
@@ -18,8 +18,6 @@
# 1.0.0 soversion = 10
%global soversion 10
-%global beta beta4
-
# Enable the tests.
# These only work some of the time, but fail randomly at other times
# (although I have had them complete a few times, so I don't think
@@ -30,16 +28,17 @@
%global thread_test_threads %{?threads:%{threads}}%{!?threads:1}
Name: mingw32-openssl
-Version: 1.0.0
-Release: 0.6.%{beta}%{?dist}
+Version: 1.0.0a
+Release: 1%{?dist}
Summary: MinGW port of the OpenSSL toolkit
License: OpenSSL
Group: Development/Libraries
URL: http://www.openssl.org/
-# Use the hobble-openssl script to create the source file.
-Source0: openssl-%{version}-%{beta}-usa.tar.bz2
+# We remove certain patented algorithms from the openssl source tarball
+# with the hobble-openssl script which is included below.
+Source0: openssl-%{version}-usa.tar.bz2
Source1: hobble-openssl
Source2: Makefile.certificate
@@ -53,37 +52,33 @@ Source10: opensslconf-new-warning.
Patch0: openssl-1.0.0-beta4-redhat.patch
Patch1: openssl-1.0.0-beta3-defaults.patch
Patch3: openssl-1.0.0-beta3-soversion.patch
-Patch4: openssl-1.0.0-beta4-enginesdir.patch
+Patch4: openssl-1.0.0-beta5-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
+Patch7: openssl-1.0.0-timezone.patch
# Bug fixes
Patch23: openssl-1.0.0-beta4-default-paths.patch
-Patch24: openssl-1.0.0-beta4-binutils.patch
+Patch24: openssl-0.9.8j-bad-mime.patch
# Functionality changes
Patch32: openssl-0.9.8g-ia64.patch
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch
-Patch38: openssl-1.0.0-beta3-cipher-change.patch
+Patch38: openssl-1.0.0-beta5-cipher-change.patch
# Disabled this because it uses getaddrinfo which is lacking on Windows.
-#Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
-Patch40: openssl-1.0.0-beta4-fips.patch
+#Patch39: openssl-1.0.0-beta5-ipv6-apps.patch
+Patch40: openssl-1.0.0a-fips.patch
Patch41: openssl-1.0.0-beta3-fipscheck.patch
-Patch43: openssl-1.0.0-beta3-fipsmode.patch
+Patch43: openssl-1.0.0a-fipsmode.patch
Patch44: openssl-1.0.0-beta3-fipsrng.patch
Patch45: openssl-0.9.8j-env-nozlib.patch
-Patch47: openssl-0.9.8j-readme-warning.patch
-Patch48: openssl-0.9.8j-bad-mime.patch
+Patch47: openssl-1.0.0-beta5-readme-warning.patch
Patch49: openssl-1.0.0-beta4-algo-doc.patch
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
-Patch51: openssl-1.0.0-beta4-version.patch
+Patch51: openssl-1.0.0a-version.patch
+Patch52: openssl-1.0.0-beta4-aesni.patch
+Patch53: openssl-1.0.0-name-hash.patch
# Backported fixes including security fixes
-Patch60: openssl-1.0.0-beta4-reneg.patch
-# This one is not backported but has to be applied after reneg patch
-Patch61: openssl-1.0.0-beta4-client-reneg.patch
-Patch62: openssl-1.0.0-beta4-backports.patch
-Patch63: openssl-1.0.0-beta4-reneg-err.patch
-Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch
# MinGW-specific patches.
# Use MINGW32_CFLAGS (set below) in Configure script
@@ -154,7 +149,7 @@ Static version of the MinGW port of the
%prep
-%setup -q -n openssl-%{version}-%{beta}
+%setup -q -n openssl-%{version}
%{SOURCE1} > /dev/null
%patch0 -p1 -b .redhat
@@ -163,9 +158,10 @@ Static version of the MinGW port of the
%patch4 -p1 -b .enginesdir
%patch5 -p1 -b .no-rpath
%patch6 -p1 -b .use-localhost
+%patch7 -p1 -b .timezone
%patch23 -p1 -b .default-paths
-%patch24 -p1 -b .binutils
+%patch24 -p1 -b .bad-mime
%patch32 -p1 -b .ia64
#patch33 is applied after make test
@@ -179,16 +175,11 @@ Static version of the MinGW port of the
%patch44 -p1 -b .fipsrng
%patch45 -p1 -b .env-nozlib
%patch47 -p1 -b .warning
-%patch48 -p1 -b .bad-mime
%patch49 -p1 -b .algo-doc
%patch50 -p1 -b .dtls1-abi
%patch51 -p1 -b .version
-
-%patch60 -p1 -b .reneg
-%patch61 -p1 -b .client-reneg
-%patch62 -p1 -b .backports
-%patch63 -p1 -b .reneg-err
-%patch64 -p1 -b .dtls-ipv6
+%patch52 -p1 -b .aesni
+%patch53 -p1 -b .name-hash
%patch100 -p1 -b .mingw-configure
%patch101 -p1 -b .mingw-libversion
@@ -352,6 +343,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Sat Jun 19 2010 Kalev Lember <kalev at smartlink.ee> - 1.0.0a-1
+- Updated to openssl 1.0.0a
+- Synced patches with Fedora native openssl-1.0.0a-1
+
* Thu Nov 26 2009 Kalev Lember <kalev at smartlink.ee> - 1.0.0-0.6.beta4
- Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4)
- Dropped the patch to fix non-fips mingw build,
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/mingw32-openssl/devel/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- sources 22 Nov 2009 17:44:35 -0000 1.4
+++ sources 19 Jun 2010 19:33:41 -0000 1.5
@@ -1 +1 @@
-1fc0e41c230d0698f834413dfba864ad openssl-1.0.0-beta4-usa.tar.bz2
+36a9936e1791566b205daa7cb4bea074 openssl-1.0.0a-usa.tar.bz2
--- openssl-0.9.8j-readme-warning.patch DELETED ---
--- openssl-1.0.0-beta3-cipher-change.patch DELETED ---
--- openssl-1.0.0-beta3-fipsmode.patch DELETED ---
--- openssl-1.0.0-beta3-ipv6-apps.patch DELETED ---
--- openssl-1.0.0-beta4-backports.patch DELETED ---
--- openssl-1.0.0-beta4-binutils.patch DELETED ---
--- openssl-1.0.0-beta4-client-reneg.patch DELETED ---
--- openssl-1.0.0-beta4-dtls-ipv6.patch DELETED ---
--- openssl-1.0.0-beta4-enginesdir.patch DELETED ---
--- openssl-1.0.0-beta4-fips.patch DELETED ---
--- openssl-1.0.0-beta4-reneg-err.patch DELETED ---
--- openssl-1.0.0-beta4-reneg.patch DELETED ---
--- openssl-1.0.0-beta4-version.patch DELETED ---
More information about the scm-commits
mailing list