[openssl] do not move libcrypto to /lib

Tomáš Mráz tmraz at fedoraproject.org
Fri Jul 13 12:23:41 UTC 2012


commit c2e3151786ff607299496e6bae712e9001f8e276
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Fri Jul 13 14:23:34 2012 +0200

    do not move libcrypto to /lib
    
    - do not use environment variables if __libc_enable_secure is on
    - fix strict aliasing problems in modes

 openssl-1.0.1c-aliasing.patch      |   12 ++
 openssl-1.0.1c-secure-getenv.patch |  206 ++++++++++++++++++++++++++++++++++++
 openssl.spec                       |   25 +++--
 3 files changed, 232 insertions(+), 11 deletions(-)
---
diff --git a/openssl-1.0.1c-aliasing.patch b/openssl-1.0.1c-aliasing.patch
new file mode 100644
index 0000000..582418c
--- /dev/null
+++ b/openssl-1.0.1c-aliasing.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1c/crypto/modes/Makefile.aliasing openssl-1.0.1c/crypto/modes/Makefile
+--- openssl-1.0.1c/crypto/modes/Makefile.aliasing	2011-08-12 00:36:17.000000000 +0200
++++ openssl-1.0.1c/crypto/modes/Makefile	2012-07-13 11:32:10.767829077 +0200
+@@ -12,7 +12,7 @@ AR=		ar r
+ 
+ MODES_ASM_OBJ=
+ 
+-CFLAGS= $(INCLUDES) $(CFLAG)
++CFLAGS= $(INCLUDES) $(CFLAG) -fno-strict-aliasing
+ ASFLAGS= $(INCLUDES) $(ASFLAG)
+ AFLAGS= $(ASFLAGS)
+ 
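Review bot: Adding `-fno-strict-aliasing` to CFLAGS hides the miscompilation rather than removing the type-punning that triggers it, and only for objects built from crypto/modes/Makefile; the aliasing violation itself stays undefined behaviour under any other compiler, flag set or directory that reuses the same code. Nothing in the hunk records why the flag is there, so a later cleanup of the Makefile is likely to drop it; a one-line comment above the assignment would prevent that, e.g. `# workaround: modes/ violates strict aliasing and miscompiles at -O2; keep until the punning is fixed upstream`. If the punning is in a known file (gcm128.c is the usual suspect, but that is not visible here), naming it in the comment would help the next maintainer find and fix the real cause.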
diff --git a/openssl-1.0.1c-secure-getenv.patch b/openssl-1.0.1c-secure-getenv.patch
new file mode 100644
index 0000000..2a0e5eb
--- /dev/null
+++ b/openssl-1.0.1c-secure-getenv.patch
@@ -0,0 +1,206 @@
+diff -up openssl-1.0.1c/Configure.secure-getenv openssl-1.0.1c/Configure
+--- openssl-1.0.1c/Configure.secure-getenv	2012-07-13 13:34:37.309433776 +0200
++++ openssl-1.0.1c/Configure	2012-07-13 13:34:37.309433776 +0200
+@@ -1437,6 +1437,10 @@ if ($target =~ /^BSD\-/)
+ 	$shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
+ 	}
+ 
++if ($target =~ /^linux/i) {
++	$cflags .= " -DLIBC_ENABLE_SECURE";
++}
++
+ if ($sys_id ne "")
+ 	{
+ 	#$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags";
+diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c
+--- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv	2011-09-02 13:20:32.000000000 +0200
++++ openssl-1.0.1c/crypto/conf/conf_api.c	2012-07-13 13:34:37.277433033 +0200
+@@ -140,7 +140,7 @@ char *_CONF_get_string(const CONF *conf,
+ 			vv.section=(char *)section;
+ 			v=lh_CONF_VALUE_retrieve(conf->data,&vv);
+ 			if (v != NULL) return(v->value);
+-			if (strcmp(section,"ENV") == 0)
++			if (!OPENSSL_issetugid() && (strcmp(section,"ENV") == 0))
+ 				{
+ 				p=getenv(name);
+ 				if (p != NULL) return(p);
+@@ -155,7 +155,7 @@ char *_CONF_get_string(const CONF *conf,
+ 			return(NULL);
+ 		}
+ 	else
+-		return(getenv(name));
++		return (OPENSSL_issetugid() ? NULL : getenv(name));
+ 	}
+ 
+ #if 0 /* There's no way to provide error checking with this function, so
+diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c
+--- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv	2008-11-05 19:38:55.000000000 +0100
++++ openssl-1.0.1c/crypto/conf/conf_mod.c	2012-07-13 13:34:37.277433033 +0200
+@@ -548,8 +548,8 @@ char *CONF_get1_default_config_file(void
+ 	char *file;
+ 	int len;
+ 
+-	file = getenv("OPENSSL_CONF");
+-	if (file) 
++	if (!OPENSSL_issetugid() && 
++	    (file = getenv("OPENSSL_CONF")) != NULL);
+ 		return BUF_strdup(file);
+ 
+ 	len = strlen(X509_get_default_cert_area());
+diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c
+--- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv	2010-03-27 19:28:13.000000000 +0100
++++ openssl-1.0.1c/crypto/engine/eng_list.c	2012-07-13 13:34:37.278433056 +0200
+@@ -399,9 +399,9 @@ ENGINE *ENGINE_by_id(const char *id)
+ 	if (strcmp(id, "dynamic"))
+ 		{
+ #ifdef OPENSSL_SYS_VMS
+-		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
++		if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
+ #else
+-		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
++		if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
+ #endif
+ 		iterator = ENGINE_by_id("dynamic");
+ 		if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
+diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c
+--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv	2012-07-13 13:34:37.000000000 +0200
++++ openssl-1.0.1c/crypto/md5/md5_dgst.c	2012-07-13 13:37:27.709392052 +0200
+@@ -74,7 +74,7 @@ const char MD5_version[]="MD5" OPENSSL_V
+ int MD5_Init(MD5_CTX *c)
+ #ifdef OPENSSL_FIPS
+ 	{
+-	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++	if (FIPS_mode() && (OPENSSL_issetugid() || getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL))
+ 		OpenSSLDie(__FILE__, __LINE__, \
+                 "Digest MD5 forbidden in FIPS mode!");
+ 	return private_MD5_Init(c);
+diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c
+--- openssl-1.0.1c/crypto/o_init.c.secure-getenv	2012-07-13 13:34:37.237432103 +0200
++++ openssl-1.0.1c/crypto/o_init.c	2012-07-13 13:34:37.278433056 +0200
+@@ -71,7 +71,7 @@ static void init_fips_mode(void)
+ 	char buf[2] = "0";
+ 	int fd;
+ 	
+-	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
++	if (!OPENSSL_issetugid() && getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+ 		{
+ 		buf[0] = '1';
+ 		}
+diff -up openssl-1.0.1c/crypto/uid.c.secure-getenv openssl-1.0.1c/crypto/uid.c
+--- openssl-1.0.1c/crypto/uid.c.secure-getenv	2003-11-28 14:10:55.000000000 +0100
++++ openssl-1.0.1c/crypto/uid.c	2012-07-13 13:34:37.278433056 +0200
+@@ -77,8 +77,26 @@ int OPENSSL_issetugid(void)
+ #include OPENSSL_UNISTD
+ #include <sys/types.h>
+ 
++#ifdef LIBC_ENABLE_SECURE
++extern int __libc_enable_secure;
++#endif
++#ifdef PRCTL_DUMPABLE
++#include <sys/prctl.h>
++#endif
++
+ int OPENSSL_issetugid(void)
+ 	{
++#ifdef LIBC_ENABLE_SECURE
++	if (__libc_enable_secure) return 1;
++#endif
++#ifdef PRCTL_DUMPABLE
++	/* 0 -> not dumpable, 2 -> dumpable by root only from
++	 * Linux kernel 2.6.13 - 2.6.17, so we require dumpable
++	 * flag to be == 1 to accept non-secure mode.
++	 */
++	if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1)
++		return 1;
++#endif
+ 	if (getuid() != geteuid()) return 1;
+ 	if (getgid() != getegid()) return 1;
+ 	return 0;
+diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c
+--- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv	2010-02-19 19:26:23.000000000 +0100
++++ openssl-1.0.1c/crypto/x509/by_dir.c	2012-07-13 13:34:37.279433079 +0200
+@@ -135,7 +135,8 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
+ 	case X509_L_ADD_DIR:
+ 		if (argl == X509_FILETYPE_DEFAULT)
+ 			{
+-			dir=(char *)getenv(X509_get_default_cert_dir_env());
++			if (!OPENSSL_issetugid())
++				dir=(char *)getenv(X509_get_default_cert_dir_env());
+ 			if (dir)
+ 				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
+ 			else
+diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c
+--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv	2012-07-13 13:34:37.187430942 +0200
++++ openssl-1.0.1c/crypto/x509/by_file.c	2012-07-13 13:34:37.279433079 +0200
+@@ -93,14 +93,15 @@ static int by_file_ctrl(X509_LOOKUP *ctx
+ 	     char **ret)
+ 	{
+ 	int ok=0;
+-	char *file;
++	char *file = NULL;
+ 
+ 	switch (cmd)
+ 		{
+ 	case X509_L_FILE_LOAD:
+ 		if (argl == X509_FILETYPE_DEFAULT)
+ 			{
+-			file = (char *)getenv(X509_get_default_cert_file_env());
++			if (!OPENSSL_issetugid())
++				file = (char *)getenv(X509_get_default_cert_file_env());
+ 			if (file)
+ 				ok = (X509_load_cert_crl_file(ctx,file,
+ 					      X509_FILETYPE_PEM) != 0);
+diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c
+--- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv	2011-09-23 15:39:35.000000000 +0200
++++ openssl-1.0.1c/crypto/x509/x509_vfy.c	2012-07-13 13:34:37.280433102 +0200
+@@ -456,7 +456,7 @@ static int check_chain_extensions(X509_S
+ 	int (*cb)(int xok,X509_STORE_CTX *xctx);
+ 	int proxy_path_length = 0;
+ 	int purpose;
+-	int allow_proxy_certs;
++	int allow_proxy_certs = 0;
+ 	cb=ctx->verify_cb;
+ 
+ 	/* must_be_ca can have 1 of 3 values:
+@@ -481,7 +481,7 @@ static int check_chain_extensions(X509_S
+ 			!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+ 		/* A hack to keep people who don't want to modify their
+ 		   software happy */
+-		if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
++		if (!OPENSSL_issetugid() && getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ 			allow_proxy_certs = 1;
+ 		purpose = ctx->param->purpose;
+ 		}
+diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c
+--- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv	2008-03-16 22:05:44.000000000 +0100
++++ openssl-1.0.1c/engines/ccgost/gost_ctl.c	2012-07-13 13:34:37.280433102 +0200
+@@ -59,13 +59,14 @@ int gost_control_func(ENGINE *e,int cmd,
+ 
+ const char *get_gost_engine_param(int param) 
+ 	{
+-	char *tmp;
++	char *tmp = NULL;
+ 	if (param <0 || param >GOST_PARAM_MAX) return NULL;
+ 	if (gost_params[param]!=NULL) 
+ 		{
+ 		return gost_params[param];
+ 		}
+-	tmp = getenv(gost_envnames[param]);
++	if (!OPENSSL_issetugid())
++		tmp = getenv(gost_envnames[param]);
+ 	if (tmp) 
+ 		{
+ 		if (gost_params[param]) OPENSSL_free(gost_params[param]);
+@@ -77,9 +78,10 @@ const char *get_gost_engine_param(int pa
+ 
+ int gost_set_default_param(int param, const char *value) 
+ 	{
+-	const char *tmp;
++	const char *tmp = NULL;
+ 	if (param <0 || param >GOST_PARAM_MAX) return 0;
+-	tmp = getenv(gost_envnames[param]);
++	if (!OPENSSL_issetugid())
++		tmp = getenv(gost_envnames[param]);
+ 	/* if there is value in the environment, use it, else -passed string * */
+ 	if (!tmp) tmp=value;
+ 	if (gost_params[param]) OPENSSL_free(gost_params[param]);
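Review bot: The conf_mod.c hunk has a stray semicolon that terminates the `if` early — `(file = getenv("OPENSSL_CONF")) != NULL);` — so the following `return BUF_strdup(file);` runs unconditionally and the default-config-path code below it is never reached; and when OPENSSL_issetugid() returns 1 the short-circuit skips the assignment, so the unconditional return reads `file`, declared as `char *file;` without an initializer. Drop the semicolon and initialize the pointer: `char *file = NULL;` and `if (!OPENSSL_issetugid() && (file = getenv("OPENSSL_CONF")) != NULL)`. The by_dir.c hunk applies the same pattern to `dir`, whose declaration is outside the hunk; by_file.c and gost_ctl.c needed `= NULL` for exactly this change, so confirm `dir` is initialized too or the setugid path tests an indeterminate pointer. In uid.c the prctl(PR_GET_DUMPABLE) branch is compiled only under PRCTL_DUMPABLE, which the Configure hunk does not define (it adds only -DLIBC_ENABLE_SECURE), so that block appears to be dead unless it is defined elsewhere; `__libc_enable_secure` is also a glibc-private symbol, which deserves a comment at the `extern` so the dependency is explicit. CONF_get1_default_config_file continues outside the hunk.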
diff --git a/openssl.spec b/openssl.spec
index ea4c8d0..1b4a5dd 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -43,6 +43,7 @@ Patch5: openssl-0.9.8a-no-rpath.patch
 Patch6: openssl-0.9.8b-test-use-localhost.patch
 Patch7: openssl-1.0.0-timezone.patch
 Patch8: openssl-1.0.1c-perlfind.patch
+Patch9: openssl-1.0.1c-aliasing.patch
 # Bug fixes
 Patch23: openssl-1.0.0-beta4-default-paths.patch
 # Functionality changes
@@ -65,6 +66,7 @@ Patch63: openssl-1.0.0d-xmpp-starttls.patch
 Patch65: openssl-1.0.0e-chil-fixes.patch
 Patch66: openssl-1.0.1-pkgconfig-krb5.patch
 Patch67: openssl-1.0.0-fips-pkcs8.patch
+Patch68: openssl-1.0.1c-secure-getenv.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.1-beta2-padlock64.patch
 Patch82: openssl-1.0.1c-backports.patch
@@ -143,6 +145,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch6 -p1 -b .use-localhost
 %patch7 -p1 -b .timezone
 %patch8 -p1 -b .perlfind
+%patch9 -p1 -b .aliasing
 
 %patch23 -p1 -b .default-paths
 
@@ -165,6 +168,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch65 -p1 -b .chil
 %patch66 -p1 -b .krb5
 %patch67 -p1 -b .pkcs8
+%patch68 -p1 -b .secure-getenv
 
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .backports
@@ -260,8 +264,8 @@ make -C test apps tests
     %{?__debug_package:%{__debug_install_post}} \
     %{__arch_install_post} \
     %{__os_install_post} \
-    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
-    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
+    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
+    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
     crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
     ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
 %{nil}
@@ -279,17 +283,11 @@ mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/
 rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
 rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
 mkdir $RPM_BUILD_ROOT/%{_lib}
-mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} $RPM_BUILD_ROOT/%{_lib}
 for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
 	chmod 755 ${lib}
 	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
 	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
 done
-for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do
-	chmod 755 ${lib}
-	ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
-	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion}
-done
 
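Review bot: `mkdir $RPM_BUILD_ROOT/%{_lib}` on the line above the removed `mv` is now dead: nothing is placed in /%{_lib} any more and the loop that populated it is deleted, so the build root is left with an empty /%{_lib} directory that no %files entry claims. Remove that `mkdir` line together with the `mv`. If the directory is intentionally kept for some other step, a short comment saying so would stop the next reader from treating it as a leftover.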
 # Install a makefile for generating keys and self-signed certs, and a script
 # for generating them on the fly.
@@ -396,11 +394,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %dir %{_sysconfdir}/pki/tls/misc
 %dir %{_sysconfdir}/pki/tls/private
 %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
-%attr(0755,root,root) /%{_lib}/libcrypto.so.%{version}
-%attr(0755,root,root) /%{_lib}/libcrypto.so.%{soversion}
+%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
+%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
 %attr(0755,root,root) %{_libdir}/libssl.so.%{version}
 %attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
-%attr(0644,root,root) /%{_lib}/.libcrypto.so.*.hmac
+%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
 %attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac
 %attr(0755,root,root) %{_libdir}/openssl
 
@@ -427,6 +425,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Jul 13 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-4
+- do not move libcrypto to /lib
+- do not use environment variables if __libc_enable_secure is on
+- fix strict aliasing problems in modes
+
 * Thu Jul 12 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-3
 - fix DSA key generation in FIPS mode (#833866)
 - allow duplicate FIPS_mode_set(1)

