rpms/openssl/devel openssl-1.0.0-fips.patch, NONE, 1.1 openssl-1.0.0-version.patch, NONE, 1.1 .cvsignore, 1.21, 1.22 openssl.spec, 1.158, 1.159 sources, 1.23, 1.24 openssl-1.0.0-beta5-cleanse.patch, 1.1, NONE openssl-1.0.0-beta5-fips.patch, 1.3, NONE openssl-1.0.0-beta5-version.patch, 1.1, NONE
Tomáš Mráz
tmraz at fedoraproject.org
Tue Mar 30 09:37:41 UTC 2010
Author: tmraz
Update of /cvs/pkgs/rpms/openssl/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv4602
Modified Files:
.cvsignore openssl.spec sources
Added Files:
openssl-1.0.0-fips.patch openssl-1.0.0-version.patch
Removed Files:
openssl-1.0.0-beta5-cleanse.patch
openssl-1.0.0-beta5-fips.patch
openssl-1.0.0-beta5-version.patch
Log Message:
* Tue Mar 30 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-1
- update to final 1.0.0 upstream release
openssl-1.0.0-fips.patch:
Configure | 14
Makefile.org | 6
crypto/Makefile | 6
crypto/bf/bf_skey.c | 7
crypto/bf/blowfish.h | 4
crypto/bn/Makefile | 4
crypto/bn/bn.h | 11
crypto/bn/bn_x931p.c | 272 ++++++++++
crypto/camellia/Makefile | 4
crypto/camellia/asm/cmll-x86.pl | 7
crypto/camellia/camellia.h | 5
crypto/camellia/cmll_fblk.c | 68 ++
crypto/camellia/cmll_misc.c | 9
crypto/cast/c_skey.c | 7
crypto/cast/cast.h | 4
crypto/crypto.h | 58 ++
crypto/dh/dh.h | 5
crypto/dh/dh_err.c | 3
crypto/dh/dh_gen.c | 18
crypto/dh/dh_key.c | 21
crypto/dsa/dsa.h | 23
crypto/dsa/dsa_gen.c | 19
crypto/dsa/dsa_key.c | 63 ++
crypto/dsa/dsa_ossl.c | 36 +
crypto/err/err_all.c | 6
crypto/evp/digest.c | 60 ++
crypto/evp/e_aes.c | 41 -
crypto/evp/e_camellia.c | 2
crypto/evp/e_des3.c | 24
crypto/evp/e_null.c | 2
crypto/evp/e_rc4.c | 1
crypto/evp/evp.h | 23
crypto/evp/evp_enc.c | 69 ++
crypto/evp/evp_err.c | 1
crypto/evp/evp_lib.c | 7
crypto/evp/evp_locl.h | 28 -
crypto/evp/m_dss.c | 2
crypto/evp/m_dss1.c | 2
crypto/evp/m_md2.c | 1
crypto/evp/m_md4.c | 1
crypto/evp/m_md5.c | 1
crypto/evp/m_mdc2.c | 1
crypto/evp/m_ripemd.c | 1
crypto/evp/m_sha1.c | 15
crypto/evp/m_wp.c | 1
crypto/evp/names.c | 8
crypto/evp/p_sign.c | 17
crypto/evp/p_verify.c | 17
crypto/fips/Makefile | 81 +++
crypto/fips/cavs/fips_aesavs.c | 939 +++++++++++++++++++++++++++++++++++++
crypto/fips/cavs/fips_desmovs.c | 702 +++++++++++++++++++++++++++
crypto/fips/cavs/fips_dssvs.c | 537 +++++++++++++++++++++
crypto/fips/cavs/fips_rngvs.c | 230 +++++++++
crypto/fips/cavs/fips_rsagtest.c | 390 +++++++++++++++
crypto/fips/cavs/fips_rsastest.c | 370 ++++++++++++++
crypto/fips/cavs/fips_rsavtest.c | 377 ++++++++++++++
crypto/fips/cavs/fips_shatest.c | 388 +++++++++++++++
crypto/fips/cavs/fips_utl.h | 343 +++++++++++++
crypto/fips/fips.c | 419 ++++++++++++++++
crypto/fips/fips.h | 163 ++++++
crypto/fips/fips_aes_selftest.c | 103 ++++
crypto/fips/fips_des_selftest.c | 139 +++++
crypto/fips/fips_dsa_selftest.c | 186 +++++++
crypto/fips/fips_hmac_selftest.c | 137 +++++
crypto/fips/fips_rand.c | 412 ++++++++++++++++
crypto/fips/fips_rand.h | 77 +++
crypto/fips/fips_rand_selftest.c | 373 ++++++++++++++
crypto/fips/fips_randtest.c | 248 +++++++++
crypto/fips/fips_rsa_selftest.c | 441 +++++++++++++++++
crypto/fips/fips_rsa_x931g.c | 281 +++++++++++
crypto/fips/fips_sha1_selftest.c | 99 +++
crypto/fips/fips_standalone_sha1.c | 173 ++++++
crypto/fips/fips_test_suite.c | 588 +++++++++++++++++++++++
crypto/fips_err.c | 7
crypto/fips_err.h | 137 +++++
crypto/fips_locl.h | 72 ++
crypto/hmac/hmac.c | 7
crypto/md2/md2.h | 3
crypto/md2/md2_dgst.c | 7
crypto/md4/md4.h | 3
crypto/md4/md4_dgst.c | 7
crypto/md5/md5.h | 3
crypto/md5/md5_dgst.c | 7
crypto/mdc2/mdc2.h | 4
crypto/mdc2/mdc2dgst.c | 7
crypto/mem.c | 2
crypto/o_init.c | 80 +++
crypto/opensslconf.h.in | 15
crypto/pkcs12/p12_crt.c | 11
crypto/rand/md_rand.c | 12
crypto/rand/rand.h | 17
crypto/rand/rand_err.c | 17
crypto/rand/rand_lib.c | 17
crypto/rc2/rc2.h | 4
crypto/rc2/rc2_skey.c | 17
crypto/rc4/Makefile | 4
crypto/rc4/asm/rc4-586.pl | 8
crypto/rc4/asm/rc4-s390x.pl | 2
crypto/rc4/asm/rc4-x86_64.pl | 2
crypto/rc4/rc4.h | 3
crypto/rc4/rc4_fblk.c | 75 ++
crypto/rc4/rc4_skey.c | 14
crypto/ripemd/ripemd.h | 3
crypto/ripemd/rmd_dgst.c | 7
crypto/rsa/rsa.h | 28 +
crypto/rsa/rsa_eay.c | 160 ++++--
crypto/rsa/rsa_err.c | 6
crypto/rsa/rsa_gen.c | 104 ++++
crypto/rsa/rsa_lib.c | 40 +
crypto/rsa/rsa_sign.c | 10
crypto/seed/seed.c | 14
crypto/seed/seed.h | 3
crypto/sha/sha.h | 3
crypto/sha/sha1dgst.c | 4
crypto/sha/sha256.c | 10
crypto/sha/sha512.c | 10
crypto/sha/sha_dgst.c | 6
crypto/sha/sha_locl.h | 7
crypto/whrlpool/whrlpool.h | 3
crypto/whrlpool/wp_dgst.c | 6
ssl/s23_clnt.c | 16
ssl/s23_srvr.c | 9
ssl/s3_clnt.c | 6
ssl/s3_enc.c | 4
ssl/s3_srvr.c | 2
ssl/ssl_ciph.c | 7
ssl/ssl_lib.c | 8
ssl/ssltest.c | 35 +
ssl/t1_enc.c | 2
129 files changed, 10143 insertions(+), 135 deletions(-)
--- NEW FILE openssl-1.0.0-fips.patch ---
diff -up openssl-1.0.0/Configure.fips openssl-1.0.0/Configure
--- openssl-1.0.0/Configure.fips 2010-03-30 10:33:46.000000000 +0200
+++ openssl-1.0.0/Configure 2010-03-30 10:33:46.000000000 +0200
@@ -660,6 +660,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml
my $processor="";
my $default_ranlib;
my $perl;
+my $fips=0;
# All of the following is disabled by default (RC5 was enabled before 0.9.8):
@@ -806,6 +807,10 @@ PROCESS_ARGS:
}
elsif (/^386$/)
{ $processor=386; }
+ elsif (/^fips$/)
+ {
+ $fips=1;
+ }
elsif (/^rsaref$/)
{
# No RSAref support any more since it's not needed.
@@ -1368,6 +1373,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no
$cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
+if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+ }
+
$cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
$des_obj=$des_enc unless ($des_obj =~ /\.o$/);
$bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
@@ -1535,6 +1545,10 @@ while (<IN>)
s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
+ if ($fips)
+ {
+ s/^FIPS=.*/FIPS=yes/;
+ }
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
diff -up openssl-1.0.0/crypto/bf/bf_skey.c.fips openssl-1.0.0/crypto/bf/bf_skey.c
--- openssl-1.0.0/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100
+++ openssl-1.0.0/crypto/bf/bf_skey.c 2010-03-30 10:33:46.000000000 +0200
@@ -59,10 +59,15 @@
#include <stdio.h>
#include <string.h>
#include <openssl/blowfish.h>
+#include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
#include "bf_locl.h"
#include "bf_pi.h"
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
{
int i;
BF_LONG *p,ri,in[2];
diff -up openssl-1.0.0/crypto/bf/blowfish.h.fips openssl-1.0.0/crypto/bf/blowfish.h
--- openssl-1.0.0/crypto/bf/blowfish.h.fips 2010-03-30 10:33:45.000000000 +0200
+++ openssl-1.0.0/crypto/bf/blowfish.h 2010-03-30 10:33:46.000000000 +0200
@@ -104,7 +104,9 @@ typedef struct bf_key_st
BF_LONG S[4*256];
} BF_KEY;
-
+#ifdef OPENSSL_FIPS
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff -up openssl-1.0.0/crypto/bn/bn.h.fips openssl-1.0.0/crypto/bn/bn.h
--- openssl-1.0.0/crypto/bn/bn.h.fips 2010-03-30 10:33:46.000000000 +0200
+++ openssl-1.0.0/crypto/bn/bn.h 2010-03-30 10:33:46.000000000 +0200
@@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n
int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
int do_trial_division, BN_GENCB *cb);
+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
+
+int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+ const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
+ const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
+int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+ BIGNUM *Xp1, BIGNUM *Xp2,
+ const BIGNUM *Xp,
+ const BIGNUM *e, BN_CTX *ctx,
+ BN_GENCB *cb);
+
BN_MONT_CTX *BN_MONT_CTX_new(void );
void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
diff -up openssl-1.0.0/crypto/bn/bn_x931p.c.fips openssl-1.0.0/crypto/bn/bn_x931p.c
--- openssl-1.0.0/crypto/bn/bn_x931p.c.fips 2010-03-30 10:33:46.000000000 +0200
+++ openssl-1.0.0/crypto/bn/bn_x931p.c 2010-03-30 10:33:46.000000000 +0200
@@ -0,0 +1,272 @@
+/* bn_x931p.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+
+/* X9.31 routines for prime derivation */
+
+/* X9.31 prime derivation. This is used to generate the primes pi
+ * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
+ * integers.
+ */
+
+static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
+ BN_GENCB *cb)
+ {
+ int i = 0;
+ if (!BN_copy(pi, Xpi))
+ return 0;
+ if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
+ return 0;
+ for(;;)
+ {
+ i++;
+ BN_GENCB_call(cb, 0, i);
+ /* NB 27 MR is specificed in X9.31 */
+ if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb))
+ break;
+ if (!BN_add_word(pi, 2))
+ return 0;
+ }
+ BN_GENCB_call(cb, 2, i);
+ return 1;
+ }
+
+/* This is the main X9.31 prime derivation function. From parameters
+ * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
+ * not NULL they will be returned too: this is needed for testing.
+ */
+
[...11765 lines suppressed...]
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -487,6 +490,9 @@ int main(int argc, char *argv[])
#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
verbose = 0;
debug = 0;
@@ -518,7 +524,16 @@ int main(int argc, char *argv[])
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
@@ -714,6 +729,20 @@ bad:
EXIT(1);
}
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
if (print_time)
{
if (!bio_pair)
@@ -2156,12 +2185,12 @@ static int MS_CALLBACK app_verify_callba
}
#ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
+# if 0
if(s->version == TLS1_VERSION)
FIPS_allow_md5(1);
# endif
ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
+# if 0
if(s->version == TLS1_VERSION)
FIPS_allow_md5(0);
# endif
diff -up openssl-1.0.0/ssl/s23_clnt.c.fips openssl-1.0.0/ssl/s23_clnt.c
--- openssl-1.0.0/ssl/s23_clnt.c.fips 2010-02-16 15:20:40.000000000 +0100
+++ openssl-1.0.0/ssl/s23_clnt.c 2010-03-30 10:34:41.000000000 +0200
@@ -334,6 +334,14 @@ static int ssl23_client_hello(SSL *s)
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
}
+#ifdef OPENSSL_FIPS
+ else if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
else if (version == SSL3_VERSION)
{
version_major = SSL3_VERSION_MAJOR;
@@ -617,6 +625,14 @@ static int ssl23_get_server_hello(SSL *s
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
diff -up openssl-1.0.0/ssl/s23_srvr.c.fips openssl-1.0.0/ssl/s23_srvr.c
--- openssl-1.0.0/ssl/s23_srvr.c.fips 2010-02-16 15:20:40.000000000 +0100
+++ openssl-1.0.0/ssl/s23_srvr.c 2010-03-30 10:34:41.000000000 +0200
@@ -393,6 +393,15 @@ int ssl23_get_client_hello(SSL *s)
}
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (s->version < TLS1_VERSION))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
+
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
diff -up openssl-1.0.0/ssl/s3_clnt.c.fips openssl-1.0.0/ssl/s3_clnt.c
--- openssl-1.0.0/ssl/s3_clnt.c.fips 2010-02-28 01:24:24.000000000 +0100
+++ openssl-1.0.0/ssl/s3_clnt.c 2010-03-30 10:34:41.000000000 +0200
@@ -156,6 +156,10 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
@@ -1546,6 +1550,8 @@ int ssl3_get_key_exchange(SSL *s)
q=md_buf;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
diff -up openssl-1.0.0/ssl/s3_enc.c.fips openssl-1.0.0/ssl/s3_enc.c
--- openssl-1.0.0/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200
+++ openssl-1.0.0/ssl/s3_enc.c 2010-03-30 10:34:41.000000000 +0200
@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *
#endif
k=0;
EVP_MD_CTX_init(&m5);
+ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_MD_CTX_init(&s1);
for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
{
@@ -614,6 +615,8 @@ int ssl3_digest_cached_records(SSL *s)
if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
{
s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
+ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
}
@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in
return 0;
}
EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_MD_CTX_copy_ex(&ctx,d);
n=EVP_MD_CTX_size(&ctx);
if (n < 0)
diff -up openssl-1.0.0/ssl/s3_srvr.c.fips openssl-1.0.0/ssl/s3_srvr.c
--- openssl-1.0.0/ssl/s3_srvr.c.fips 2010-02-28 00:04:10.000000000 +0100
+++ openssl-1.0.0/ssl/s3_srvr.c 2010-03-30 10:34:41.000000000 +0200
@@ -1752,6 +1752,8 @@ int ssl3_send_server_key_exchange(SSL *s
j=0;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
diff -up openssl-1.0.0/ssl/t1_enc.c.fips openssl-1.0.0/ssl/t1_enc.c
--- openssl-1.0.0/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200
+++ openssl-1.0.0/ssl/t1_enc.c 2010-03-30 10:34:41.000000000 +0200
@@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md
HMAC_CTX_init(&ctx);
HMAC_CTX_init(&ctx_tmp);
+ HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len);
openssl-1.0.0-version.patch:
opensslv.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- NEW FILE openssl-1.0.0-version.patch ---
diff -up openssl-1.0.0/crypto/opensslv.h.version openssl-1.0.0/crypto/opensslv.h
--- openssl-1.0.0/crypto/opensslv.h.version 2010-03-30 10:59:26.000000000 +0200
+++ openssl-1.0.0/crypto/opensslv.h 2010-03-30 11:00:52.000000000 +0200
@@ -25,7 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000000fL
+/* we have to keep the version number to not break the abi */
+#define OPENSSL_VERSION_NUMBER 0x10000003L
#ifdef OPENSSL_FIPS
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips 29 Mar 2010"
#else
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/.cvsignore,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -p -r1.21 -r1.22
--- .cvsignore 21 Jan 2010 08:12:11 -0000 1.21
+++ .cvsignore 30 Mar 2010 09:37:40 -0000 1.22
@@ -1 +1 @@
-openssl-1.0.0-beta5-usa.tar.bz2
+openssl-1.0.0-usa.tar.bz2
Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.158
retrieving revision 1.159
diff -u -p -r1.158 -r1.159
--- openssl.spec 16 Feb 2010 22:54:12 -0000 1.158
+++ openssl.spec 30 Mar 2010 09:37:41 -0000 1.159
@@ -11,8 +11,6 @@
# 1.0.0 soversion = 10
%define soversion 10
-%define beta beta5
-
# Number of threads to spawn when testing some threading fixes.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
@@ -23,10 +21,10 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
-Release: 0.22.%{beta}%{?dist}
+Release: 1%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
-Source: openssl-%{version}-%{beta}-usa.tar.bz2
+Source: openssl-%{version}-usa.tar.bz2
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
@@ -51,7 +49,7 @@ Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch
Patch38: openssl-1.0.0-beta5-cipher-change.patch
Patch39: openssl-1.0.0-beta5-ipv6-apps.patch
-Patch40: openssl-1.0.0-beta5-fips.patch
+Patch40: openssl-1.0.0-fips.patch
Patch41: openssl-1.0.0-beta3-fipscheck.patch
Patch43: openssl-1.0.0-beta3-fipsmode.patch
Patch44: openssl-1.0.0-beta3-fipsrng.patch
@@ -59,10 +57,9 @@ Patch45: openssl-0.9.8j-env-nozlib.patch
Patch47: openssl-1.0.0-beta5-readme-warning.patch
Patch49: openssl-1.0.0-beta4-algo-doc.patch
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
-Patch51: openssl-1.0.0-beta5-version.patch
+Patch51: openssl-1.0.0-version.patch
Patch52: openssl-1.0.0-beta4-aesni.patch
# Backported fixes including security fixes
-Patch53: openssl-1.0.0-beta5-cleanse.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -112,7 +109,7 @@ package provides Perl scripts for conver
from other formats to the formats used by the OpenSSL toolkit.
%prep
-%setup -q -n %{name}-%{version}-%{beta}
+%setup -q -n %{name}-%{version}
%{SOURCE1} > /dev/null
%patch0 -p1 -b .redhat
@@ -141,7 +138,6 @@ from other formats to the formats used b
%patch50 -p1 -b .dtls1-abi
%patch51 -p1 -b .version
%patch52 -p1 -b .aesni
-%patch53 -p1 -b .cleanse
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -387,6 +383,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
%postun -p /sbin/ldconfig
%changelog
+* Tue Mar 30 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-1
+- update to final 1.0.0 upstream release
+
* Tue Feb 16 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.22.beta5
- make TLS work in the FIPS mode
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/sources,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- sources 21 Jan 2010 08:12:12 -0000 1.23
+++ sources 30 Mar 2010 09:37:41 -0000 1.24
@@ -1 +1 @@
-531160d84017cb52e3c23b52cca0d5cf openssl-1.0.0-beta5-usa.tar.bz2
+f1d0d73327d74b302f503763bddf1cf8 openssl-1.0.0-usa.tar.bz2
--- openssl-1.0.0-beta5-cleanse.patch DELETED ---
--- openssl-1.0.0-beta5-fips.patch DELETED ---
--- openssl-1.0.0-beta5-version.patch DELETED ---
More information about the scm-commits
mailing list