[openssl] new upstream release fixing multiple moderate security issues
Tomáš Mráz
tmraz at fedoraproject.org
Thu Aug 7 14:00:52 UTC 2014
commit a78828f786d4146ceb375a675f9fd6ec4975b5a4
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Thu Aug 7 16:00:47 2014 +0200
new upstream release fixing multiple moderate security issues
- for now disable only SSLv2 by default
.gitignore | 1 +
openssl-1.0.0c-fips-md5-allow.patch | 20 -
openssl-1.0.0e-doc-noeof.patch | 23 -
openssl-1.0.1e-ssl2-no-ec.patch | 17 -
openssl-1.0.1g-3des-strength.patch | 168 --------
openssl-1.0.1h-disable-sslv2v3.patch | 4 +-
openssl-1.0.1h-manfix.patch | 135 ------
openssl-1.0.1h-session-resumption.patch | 11 -
...algo-doc.patch => openssl-1.0.1i-algo-doc.patch | 18 +-
openssl-1.0.1i-manfix.patch | 86 ++++
...eqs.patch => openssl-1.0.1i-new-fips-reqs.patch | 445 +++-----------------
...rst.patch => openssl-1.0.1i-trusted-first.patch | 134 +++---
openssl.spec | 24 +-
sources | 2 +-
14 files changed, 240 insertions(+), 848 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index ded4230..80ca99a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.1e-hobbled.tar.xz
/openssl-1.0.1g-hobbled.tar.xz
/openssl-1.0.1h-hobbled.tar.xz
+/openssl-1.0.1i-hobbled.tar.xz
diff --git a/openssl-1.0.1h-disable-sslv2v3.patch b/openssl-1.0.1h-disable-sslv2v3.patch
index 83afda0..7a028aa 100644
--- a/openssl-1.0.1h-disable-sslv2v3.patch
+++ b/openssl-1.0.1h-disable-sslv2v3.patch
@@ -5,8 +5,8 @@ diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
*/
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-+ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
-+ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++ /* Disable SSLv2 by default (affects the SSLv23_method() only) */
++ ret->options |= SSL_OP_NO_SSLv2;
+
return(ret);
err:
diff --git a/openssl-1.0.1a-algo-doc.patch b/openssl-1.0.1i-algo-doc.patch
similarity index 80%
rename from openssl-1.0.1a-algo-doc.patch
rename to openssl-1.0.1i-algo-doc.patch
index c4aaa89..a19877d 100644
--- a/openssl-1.0.1a-algo-doc.patch
+++ b/openssl-1.0.1i-algo-doc.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
---- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc 2012-04-11 00:28:22.000000000 +0200
-+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod 2012-04-20 09:14:01.865167011 +0200
+diff -up openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod
+--- openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod 2014-08-07 11:18:01.290773970 +0200
@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
@@ -10,9 +10,9 @@ diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/do
If B<impl> is NULL then the default implementation of digest B<type> is used.
EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
- EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
- size in bytes.
+@@ -164,7 +164,8 @@ corresponding OBJECT IDENTIFIER or NID_u
+ EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
+ EVP_MD_CTX_block_size() return the digest or block size in bytes.
-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
@@ -20,9 +20,9 @@ diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/do
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
corresponding EVP_MD structures.
-diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
---- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
-+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod 2012-04-20 09:10:59.114736465 +0200
+diff -up openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod
+--- openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod 2014-08-07 10:55:25.100638252 +0200
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
diff --git a/openssl-1.0.1i-manfix.patch b/openssl-1.0.1i-manfix.patch
new file mode 100644
index 0000000..f2f8be7
--- /dev/null
+++ b/openssl-1.0.1i-manfix.patch
@@ -0,0 +1,86 @@
+diff -up openssl-1.0.1i/doc/apps/ec.pod.manfix openssl-1.0.1i/doc/apps/ec.pod
+--- openssl-1.0.1i/doc/apps/ec.pod.manfix 2014-07-22 21:41:23.000000000 +0200
++++ openssl-1.0.1i/doc/apps/ec.pod 2014-08-07 11:21:57.258887741 +0200
+@@ -93,10 +93,6 @@ prints out the public, private key compo
+
+ this option prevents output of the encoded version of the key.
+
+-=item B<-modulus>
+-
+-this option prints out the value of the public key component of the key.
+-
+ =item B<-pubin>
+
+ by default a private key is read from the input file: with this option a
+diff -up openssl-1.0.1i/doc/apps/openssl.pod.manfix openssl-1.0.1i/doc/apps/openssl.pod
+--- openssl-1.0.1i/doc/apps/openssl.pod.manfix 2014-07-22 21:43:11.000000000 +0200
++++ openssl-1.0.1i/doc/apps/openssl.pod 2014-08-07 11:21:57.259887746 +0200
+@@ -163,7 +163,7 @@ Create or examine a netscape certificate
+
+ Online Certificate Status Protocol utility.
+
+-=item L<B<passwd>|passwd(1)>
++=item L<B<passwd>|sslpasswd(1)>
+
+ Generation of hashed passwords.
+
+@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
+
+ Public key algorithm cryptographic operation utility.
+
+-=item L<B<rand>|rand(1)>
++=item L<B<rand>|sslrand(1)>
+
+ Generate pseudo-random bytes.
+
+@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
+ L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
+ L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
+ L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
+-L<passwd(1)|passwd(1)>,
++L<sslpasswd(1)|sslpasswd(1)>,
+ L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
+-L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
++L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
+ L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
+ L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
+ L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
+diff -up openssl-1.0.1i/doc/apps/s_client.pod.manfix openssl-1.0.1i/doc/apps/s_client.pod
+--- openssl-1.0.1i/doc/apps/s_client.pod.manfix 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/apps/s_client.pod 2014-08-07 11:24:28.736604443 +0200
+@@ -34,9 +34,14 @@ B<openssl> B<s_client>
+ [B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
++[B<-tls1_1>]
++[B<-tls1_2>]
++[B<-dtls1>]
+ [B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
++[B<-no_tls1_1>]
++[B<-no_tls1_2>]
+ [B<-bugs>]
+ [B<-cipher cipherlist>]
+ [B<-serverpref>]
+@@ -196,7 +201,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+diff -up openssl-1.0.1i/doc/apps/s_server.pod.manfix openssl-1.0.1i/doc/apps/s_server.pod
+--- openssl-1.0.1i/doc/apps/s_server.pod.manfix 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/apps/s_server.pod 2014-08-07 11:21:57.259887746 +0200
+@@ -216,7 +216,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
diff --git a/openssl-1.0.1g-new-fips-reqs.patch b/openssl-1.0.1i-new-fips-reqs.patch
similarity index 82%
rename from openssl-1.0.1g-new-fips-reqs.patch
rename to openssl-1.0.1i-new-fips-reqs.patch
index 335cf43..b577177 100644
--- a/openssl-1.0.1g-new-fips-reqs.patch
+++ b/openssl-1.0.1i-new-fips-reqs.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.0.1g/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1g/crypto/bn/bn_rand.c
---- openssl-1.0.1g/crypto/bn/bn_rand.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100
-+++ openssl-1.0.1g/crypto/bn/bn_rand.c 2014-05-06 16:22:21.432540283 +0200
+diff -up openssl-1.0.1i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1i/crypto/bn/bn_rand.c
+--- openssl-1.0.1i/crypto/bn/bn_rand.c.fips-reqs 2014-07-22 21:43:11.000000000 +0200
++++ openssl-1.0.1i/crypto/bn/bn_rand.c 2014-08-07 11:25:28.835889145 +0200
@@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM
goto err;
}
@@ -17,9 +17,9 @@ diff -up openssl-1.0.1g/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1g/crypto/bn/b
if (pseudorand)
{
-diff -up openssl-1.0.1g/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1g/crypto/dh/dh_gen.c
---- openssl-1.0.1g/crypto/dh/dh_gen.c.fips-reqs 2014-05-06 16:22:21.253536145 +0200
-+++ openssl-1.0.1g/crypto/dh/dh_gen.c 2014-05-06 16:22:21.432540283 +0200
+diff -up openssl-1.0.1i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1i/crypto/dh/dh_gen.c
+--- openssl-1.0.1i/crypto/dh/dh_gen.c.fips-reqs 2014-08-07 11:25:28.586887965 +0200
++++ openssl-1.0.1i/crypto/dh/dh_gen.c 2014-08-07 11:25:28.835889145 +0200
@@ -125,7 +125,7 @@ static int dh_builtin_genparams(DH *ret,
return 0;
}
@@ -29,9 +29,9 @@ diff -up openssl-1.0.1g/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1g/crypto/dh/dh
{
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
goto err;
-diff -up openssl-1.0.1g/crypto/dh/dh.h.fips-reqs openssl-1.0.1g/crypto/dh/dh.h
---- openssl-1.0.1g/crypto/dh/dh.h.fips-reqs 2014-05-06 16:22:21.253536145 +0200
-+++ openssl-1.0.1g/crypto/dh/dh.h 2014-05-06 16:22:21.432540283 +0200
+diff -up openssl-1.0.1i/crypto/dh/dh.h.fips-reqs openssl-1.0.1i/crypto/dh/dh.h
+--- openssl-1.0.1i/crypto/dh/dh.h.fips-reqs 2014-08-07 11:25:28.586887965 +0200
++++ openssl-1.0.1i/crypto/dh/dh.h 2014-08-07 11:25:28.836889150 +0200
@@ -78,6 +78,7 @@
#endif
@@ -40,9 +40,9 @@ diff -up openssl-1.0.1g/crypto/dh/dh.h.fips-reqs openssl-1.0.1g/crypto/dh/dh.h
#define DH_FLAG_CACHE_MONT_P 0x01
#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-diff -up openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1g/crypto/dh/dh_check.c
---- openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100
-+++ openssl-1.0.1g/crypto/dh/dh_check.c 2014-05-06 16:22:21.432540283 +0200
+diff -up openssl-1.0.1i/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1i/crypto/dh/dh_check.c
+--- openssl-1.0.1i/crypto/dh/dh_check.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/crypto/dh/dh_check.c 2014-08-07 11:25:28.836889150 +0200
@@ -134,7 +134,33 @@ int DH_check_pub_key(const DH *dh, const
BN_sub_word(q,1);
if (BN_cmp(pub_key,q)>=0)
@@ -77,9 +77,9 @@ diff -up openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1g/crypto/dh/
ok = 1;
err:
if (q != NULL) BN_free(q);
-diff -up openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1g/crypto/dsa/dsa_gen.c
---- openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs 2014-05-06 16:22:21.254536168 +0200
-+++ openssl-1.0.1g/crypto/dsa/dsa_gen.c 2014-05-06 16:22:21.432540283 +0200
+diff -up openssl-1.0.1i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1i/crypto/dsa/dsa_gen.c
+--- openssl-1.0.1i/crypto/dsa/dsa_gen.c.fips-reqs 2014-08-07 11:25:28.587887969 +0200
++++ openssl-1.0.1i/crypto/dsa/dsa_gen.c 2014-08-07 11:25:28.836889150 +0200
@@ -159,7 +159,7 @@ int dsa_builtin_paramgen(DSA *ret, size_
}
@@ -89,9 +89,9 @@ diff -up openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1g/crypto/dsa
(bits != 2048 || qbits != 224) &&
(bits != 2048 || qbits != 256) &&
(bits != 3072 || qbits != 256))
-diff -up openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1g/crypto/dsa/dsa.h
---- openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs 2014-05-06 16:22:21.254536168 +0200
-+++ openssl-1.0.1g/crypto/dsa/dsa.h 2014-05-06 16:22:21.432540283 +0200
+diff -up openssl-1.0.1i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1i/crypto/dsa/dsa.h
+--- openssl-1.0.1i/crypto/dsa/dsa.h.fips-reqs 2014-08-07 11:25:28.588887974 +0200
++++ openssl-1.0.1i/crypto/dsa/dsa.h 2014-08-07 11:25:28.837889154 +0200
@@ -89,6 +89,7 @@
#endif
@@ -113,9 +113,9 @@ diff -up openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1g/crypto/dsa/dsa
#define DSA_is_prime(n, callback, cb_arg) \
BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
-diff -up openssl-1.0.1g/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1g/crypto/dsa/dsa_key.c
---- openssl-1.0.1g/crypto/dsa/dsa_key.c.fips-reqs 2014-05-06 16:22:21.427540169 +0200
-+++ openssl-1.0.1g/crypto/dsa/dsa_key.c 2014-05-06 16:22:21.433540307 +0200
+diff -up openssl-1.0.1i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1i/crypto/dsa/dsa_key.c
+--- openssl-1.0.1i/crypto/dsa/dsa_key.c.fips-reqs 2014-08-07 11:25:28.833889135 +0200
++++ openssl-1.0.1i/crypto/dsa/dsa_key.c 2014-08-07 11:25:28.837889154 +0200
@@ -127,7 +127,7 @@ static int dsa_builtin_keygen(DSA *dsa)
#ifdef OPENSSL_FIPS
@@ -125,9 +125,9 @@ diff -up openssl-1.0.1g/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1g/crypto/dsa
{
DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
goto err;
-diff -up openssl-1.0.1g/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_dh_selftest.c
---- openssl-1.0.1g/crypto/fips/fips_dh_selftest.c.fips-reqs 2014-05-06 16:22:21.433540307 +0200
-+++ openssl-1.0.1g/crypto/fips/fips_dh_selftest.c 2014-05-06 16:22:21.433540307 +0200
+diff -up openssl-1.0.1i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_dh_selftest.c
+--- openssl-1.0.1i/crypto/fips/fips_dh_selftest.c.fips-reqs 2014-08-07 11:25:28.837889154 +0200
++++ openssl-1.0.1i/crypto/fips/fips_dh_selftest.c 2014-08-07 11:25:28.837889154 +0200
@@ -0,0 +1,162 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -291,92 +291,9 @@ diff -up openssl-1.0.1g/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1g/
+ return ret;
+ }
+#endif
-diff -up openssl-1.0.1g/crypto/fips/fips_drbg_rand.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_drbg_rand.c
---- openssl-1.0.1g/crypto/fips/fips_drbg_rand.c.fips-reqs 2014-05-06 16:22:21.263536376 +0200
-+++ openssl-1.0.1g/crypto/fips/fips_drbg_rand.c 2014-05-06 16:22:21.433540307 +0200
-@@ -77,7 +77,8 @@ static int fips_drbg_bytes(unsigned char
- int rv = 0;
- unsigned char *adin = NULL;
- size_t adinlen = 0;
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ int locked;
-+ locked = private_RAND_lock(1);
- do
- {
- size_t rcnt;
-@@ -109,7 +110,8 @@ static int fips_drbg_bytes(unsigned char
- while (count);
- rv = 1;
- err:
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
- return rv;
- }
-
-@@ -124,35 +126,51 @@ static int fips_drbg_status(void)
- {
- DRBG_CTX *dctx = &ossl_dctx;
- int rv;
-- CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ int locked;
-+ locked = private_RAND_lock(1);
- rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
-- CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
- return rv;
- }
-
- static void fips_drbg_cleanup(void)
- {
- DRBG_CTX *dctx = &ossl_dctx;
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ int locked;
-+ locked = private_RAND_lock(1);
- FIPS_drbg_uninstantiate(dctx);
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
- }
-
- static int fips_drbg_seed(const void *seed, int seedlen)
- {
- DRBG_CTX *dctx = &ossl_dctx;
-+ int locked;
-+ int ret = 1;
-+
-+ locked = private_RAND_lock(1);
- if (dctx->rand_seed_cb)
-- return dctx->rand_seed_cb(dctx, seed, seedlen);
-- return 1;
-+ ret = dctx->rand_seed_cb(dctx, seed, seedlen);
-+ if (locked)
-+ private_RAND_lock(0);
-+ return ret;
- }
-
- static int fips_drbg_add(const void *seed, int seedlen,
- double add_entropy)
- {
- DRBG_CTX *dctx = &ossl_dctx;
-+ int locked;
-+ int ret = 1;
-+
-+ locked = private_RAND_lock(1);
- if (dctx->rand_add_cb)
-- return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-- return 1;
-+ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-+ if (locked)
-+ private_RAND_lock(0);
-+ return ret;
- }
-
- static const RAND_METHOD rand_drbg_meth =
-diff -up openssl-1.0.1g/crypto/fips/fips.h.fips-reqs openssl-1.0.1g/crypto/fips/fips.h
---- openssl-1.0.1g/crypto/fips/fips.h.fips-reqs 2014-05-06 16:22:21.421540031 +0200
-+++ openssl-1.0.1g/crypto/fips/fips.h 2014-05-06 16:22:21.433540307 +0200
+diff -up openssl-1.0.1i/crypto/fips/fips.h.fips-reqs openssl-1.0.1i/crypto/fips/fips.h
+--- openssl-1.0.1i/crypto/fips/fips.h.fips-reqs 2014-08-07 11:25:28.828889111 +0200
++++ openssl-1.0.1i/crypto/fips/fips.h 2014-08-07 11:25:28.838889159 +0200
@@ -96,6 +96,7 @@ void FIPS_corrupt_dsa_keygen(void);
int FIPS_selftest_dsa(void);
int FIPS_selftest_ecdsa(void);
@@ -385,9 +302,9 @@ diff -up openssl-1.0.1g/crypto/fips/fips.h.fips-reqs openssl-1.0.1g/crypto/fips/
void FIPS_corrupt_rng(void);
void FIPS_rng_stick(void);
void FIPS_x931_stick(int onoff);
-diff -up openssl-1.0.1g/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_post.c
---- openssl-1.0.1g/crypto/fips/fips_post.c.fips-reqs 2014-05-06 16:22:21.420540008 +0200
-+++ openssl-1.0.1g/crypto/fips/fips_post.c 2014-05-06 16:22:21.433540307 +0200
+diff -up openssl-1.0.1i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_post.c
+--- openssl-1.0.1i/crypto/fips/fips_post.c.fips-reqs 2014-08-07 11:25:28.822889083 +0200
++++ openssl-1.0.1i/crypto/fips/fips_post.c 2014-08-07 11:25:28.838889159 +0200
@@ -99,6 +99,8 @@ int FIPS_selftest(void)
rv = 0;
if (!FIPS_selftest_dsa())
@@ -397,9 +314,9 @@ diff -up openssl-1.0.1g/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1g/crypto/
if (!FIPS_selftest_ecdh())
rv = 0;
return rv;
-diff -up openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips-reqs 2014-05-06 16:22:21.267536469 +0200
-+++ openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c 2014-05-06 16:22:21.434540330 +0200
+diff -up openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c.fips-reqs 2014-08-07 11:25:28.783888898 +0200
++++ openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c 2014-08-07 11:25:28.838889159 +0200
@@ -60,69 +60,113 @@
#ifdef OPENSSL_FIPS
@@ -1130,9 +1047,9 @@ diff -up openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1g
RSA_free(key);
return ret;
}
-diff -up openssl-1.0.1g/crypto/fips/Makefile.fips-reqs openssl-1.0.1g/crypto/fips/Makefile
---- openssl-1.0.1g/crypto/fips/Makefile.fips-reqs 2014-05-06 16:22:21.420540008 +0200
-+++ openssl-1.0.1g/crypto/fips/Makefile 2014-05-06 16:22:21.434540330 +0200
+diff -up openssl-1.0.1i/crypto/fips/Makefile.fips-reqs openssl-1.0.1i/crypto/fips/Makefile
+--- openssl-1.0.1i/crypto/fips/Makefile.fips-reqs 2014-08-07 11:25:28.823889088 +0200
++++ openssl-1.0.1i/crypto/fips/Makefile 2014-08-07 11:25:28.838889159 +0200
@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
@@ -1151,9 +1068,9 @@ diff -up openssl-1.0.1g/crypto/fips/Makefile.fips-reqs openssl-1.0.1g/crypto/fip
LIBCRYPTO=-L.. -lcrypto
-diff -up openssl-1.0.1g/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1g/crypto/modes/gcm128.c
---- openssl-1.0.1g/crypto/modes/gcm128.c.fips-reqs 2014-04-06 17:55:01.000000000 +0200
-+++ openssl-1.0.1g/crypto/modes/gcm128.c 2014-05-06 16:22:21.434540330 +0200
+diff -up openssl-1.0.1i/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1i/crypto/modes/gcm128.c
+--- openssl-1.0.1i/crypto/modes/gcm128.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/crypto/modes/gcm128.c 2014-08-07 11:25:28.839889164 +0200
@@ -906,6 +906,10 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT
# endif
#endif
@@ -1176,9 +1093,9 @@ diff -up openssl-1.0.1g/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1g/crypto/mo
mlen += len;
if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen<len))
return -1;
-diff -up openssl-1.0.1g/crypto/modes/modes_lcl.h.fips-reqs openssl-1.0.1g/crypto/modes/modes_lcl.h
---- openssl-1.0.1g/crypto/modes/modes_lcl.h.fips-reqs 2014-05-06 16:22:20.903528054 +0200
-+++ openssl-1.0.1g/crypto/modes/modes_lcl.h 2014-05-06 16:22:21.435540353 +0200
+diff -up openssl-1.0.1i/crypto/modes/modes_lcl.h.fips-reqs openssl-1.0.1i/crypto/modes/modes_lcl.h
+--- openssl-1.0.1i/crypto/modes/modes_lcl.h.fips-reqs 2014-08-07 11:25:28.365886918 +0200
++++ openssl-1.0.1i/crypto/modes/modes_lcl.h 2014-08-07 11:25:28.839889164 +0200
@@ -112,6 +112,7 @@ struct gcm128_context {
unsigned int mres, ares;
block128_f block;
@@ -1187,209 +1104,9 @@ diff -up openssl-1.0.1g/crypto/modes/modes_lcl.h.fips-reqs openssl-1.0.1g/crypto
};
struct xts128_context {
-diff -up openssl-1.0.1g/crypto/rand/md_rand.c.fips-reqs openssl-1.0.1g/crypto/rand/md_rand.c
---- openssl-1.0.1g/crypto/rand/md_rand.c.fips-reqs 2014-05-06 16:22:21.269536515 +0200
-+++ openssl-1.0.1g/crypto/rand/md_rand.c 2014-05-06 16:26:53.776836535 +0200
-@@ -143,12 +143,6 @@ static long md_count[2]={0,0};
- static double entropy=0;
- static int initialized=0;
-
--static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
-- * holds CRYPTO_LOCK_RAND
-- * (to prevent double locking) */
--/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
--static CRYPTO_THREADID locking_threadid; /* valid iff crypto_lock_rand is set */
--
-
- #ifdef PREDICT
- int rand_predictable=0;
-@@ -196,7 +190,7 @@ static void ssleay_rand_add(const void *
- long md_c[2];
- unsigned char local_md[MD_DIGEST_LENGTH];
- EVP_MD_CTX m;
-- int do_not_lock;
-+ int locked;
-
- if (!num)
- return;
-@@ -216,19 +210,8 @@ static void ssleay_rand_add(const void *
- * hash function.
- */
-
-- /* check if we already have the lock */
-- if (crypto_lock_rand)
-- {
-- CRYPTO_THREADID cur;
-- CRYPTO_THREADID_current(&cur);
-- CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-- do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
-- CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
-- }
-- else
-- do_not_lock = 0;
-+ locked = private_RAND_lock(1);
-
-- if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- st_idx=state_index;
-
- /* use our own copies of the counters so that even
-@@ -260,7 +243,8 @@ static void ssleay_rand_add(const void *
-
- md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
-
-- if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
-
- EVP_MD_CTX_init(&m);
- for (i=0; i<num; i+=MD_DIGEST_LENGTH)
-@@ -311,7 +295,7 @@ static void ssleay_rand_add(const void *
- }
- EVP_MD_CTX_cleanup(&m);
-
-- if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ locked = private_RAND_lock(1);
- /* Don't just copy back local_md into md -- this could mean that
- * other thread's seeding remains without effect (except for
- * the incremented counter). By XORing it we keep at least as
-@@ -322,7 +306,8 @@ static void ssleay_rand_add(const void *
- }
- if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
- entropy += add;
-- if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
-
- #if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
- assert(md_c[1] == md_count[1]);
-@@ -347,6 +332,7 @@ static int ssleay_rand_bytes(unsigned ch
- pid_t curr_pid = getpid();
- #endif
- int do_stir_pool = 0;
-+ int locked;
-
- #ifdef PREDICT
- if (rand_predictable)
-@@ -383,17 +369,8 @@ static int ssleay_rand_bytes(unsigned ch
- * are fed into the hash function and the results are kept in the
- * global 'md'.
- */
--#ifdef OPENSSL_FIPS
-- /* NB: in FIPS mode we are already under a lock */
-- if (!FIPS_mode())
--#endif
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-
-- /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-- CRYPTO_THREADID_current(&locking_threadid);
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
-- crypto_lock_rand = 1;
-+ locked = private_RAND_lock(1);
-
- /* always poll for external entropy in FIPS mode, drbg provides the
- * expansion
-@@ -467,12 +444,8 @@ static int ssleay_rand_bytes(unsigned ch
-
- md_count[0] += 1;
-
-- /* before unlocking, we must clear 'crypto_lock_rand' */
-- crypto_lock_rand = 0;
--#ifdef OPENSSL_FIPS
-- if (!FIPS_mode())
--#endif
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
-
- while (num > 0)
- {
-@@ -524,16 +497,11 @@ static int ssleay_rand_bytes(unsigned ch
- MD_Init(&m);
- MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
- MD_Update(&m,local_md,MD_DIGEST_LENGTH);
--#ifdef OPENSSL_FIPS
-- if (!FIPS_mode())
--#endif
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ locked = private_RAND_lock(1);
- MD_Update(&m,md,MD_DIGEST_LENGTH);
- MD_Final(&m,md);
--#ifdef OPENSSL_FIPS
-- if (!FIPS_mode())
--#endif
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
-
- EVP_MD_CTX_cleanup(&m);
- if (ok)
-@@ -563,32 +531,10 @@ static int ssleay_rand_pseudo_bytes(unsi
-
- static int ssleay_rand_status(void)
- {
-- CRYPTO_THREADID cur;
- int ret;
-- int do_not_lock;
-+ int locked;
-
-- CRYPTO_THREADID_current(&cur);
-- /* check if we already have the lock
-- * (could happen if a RAND_poll() implementation calls RAND_status()) */
-- if (crypto_lock_rand)
-- {
-- CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-- do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
-- CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
-- }
-- else
-- do_not_lock = 0;
--
-- if (!do_not_lock)
-- {
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
--
-- /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-- CRYPTO_THREADID_cpy(&locking_threadid, &cur);
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
-- crypto_lock_rand = 1;
-- }
-+ locked = private_RAND_lock(1);
-
- if (!initialized)
- {
-@@ -598,13 +544,8 @@ static int ssleay_rand_status(void)
-
- ret = entropy >= ENTROPY_NEEDED;
-
-- if (!do_not_lock)
-- {
-- /* before unlocking, we must clear 'crypto_lock_rand' */
-- crypto_lock_rand = 0;
--
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-- }
-+ if (locked)
-+ private_RAND_lock(0);
-
- return ret;
- }
-diff -up openssl-1.0.1g/crypto/rand/rand.h.fips-reqs openssl-1.0.1g/crypto/rand/rand.h
---- openssl-1.0.1g/crypto/rand/rand.h.fips-reqs 2014-05-06 16:22:21.269536515 +0200
-+++ openssl-1.0.1g/crypto/rand/rand.h 2014-05-06 16:22:21.435540353 +0200
-@@ -124,6 +124,8 @@ void RAND_set_fips_drbg_type(int type, i
- int RAND_init_fips(void);
- #endif
-
-+int private_RAND_lock(int lock);
-+
- /* BEGIN ERROR CODES */
- /* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
-diff -up openssl-1.0.1g/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1g/crypto/rand/rand_lcl.h
---- openssl-1.0.1g/crypto/rand/rand_lcl.h.fips-reqs 2014-05-06 16:22:21.021530782 +0200
-+++ openssl-1.0.1g/crypto/rand/rand_lcl.h 2014-05-06 16:22:21.435540353 +0200
+diff -up openssl-1.0.1i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1i/crypto/rand/rand_lcl.h
+--- openssl-1.0.1i/crypto/rand/rand_lcl.h.fips-reqs 2014-08-07 11:25:28.418887169 +0200
++++ openssl-1.0.1i/crypto/rand/rand_lcl.h 2014-08-07 11:25:28.840889168 +0200
@@ -112,7 +112,7 @@
#ifndef HEADER_RAND_LCL_H
#define HEADER_RAND_LCL_H
@@ -1399,57 +1116,19 @@ diff -up openssl-1.0.1g/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1g/crypto/r
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
-diff -up openssl-1.0.1g/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1g/crypto/rand/rand_lib.c
---- openssl-1.0.1g/crypto/rand/rand_lib.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100
-+++ openssl-1.0.1g/crypto/rand/rand_lib.c 2014-05-06 16:22:21.435540353 +0200
-@@ -181,6 +181,41 @@ int RAND_status(void)
- return 0;
- }
-
-+int private_RAND_lock(int lock)
-+ {
-+ static int crypto_lock_rand;
-+ static CRYPTO_THREADID locking_threadid;
-+ int do_lock;
-+
-+ if (!lock)
-+ {
-+ crypto_lock_rand = 0;
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return 0;
-+ }
-+
-+ /* check if we already have the lock */
-+ if (crypto_lock_rand)
-+ {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-+ do_lock = !!CRYPTO_THREADID_cmp(&locking_threadid, &cur);
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
-+ }
-+ else
-+ do_lock = 1;
-+ if (do_lock)
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ crypto_lock_rand = 1;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-+ CRYPTO_THREADID_current(&locking_threadid);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
-+ }
-+ return do_lock;
-+ }
-+
- #ifdef OPENSSL_FIPS
-
- /* FIPS DRBG initialisation code. This sets up the DRBG for use by the
-@@ -239,12 +274,16 @@ static int drbg_rand_add(DRBG_CTX *ctx,
+diff -up openssl-1.0.1i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1i/crypto/rand/rand_lib.c
+--- openssl-1.0.1i/crypto/rand/rand_lib.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/crypto/rand/rand_lib.c 2014-08-07 13:45:51.240535446 +0200
+@@ -240,12 +240,24 @@ static int drbg_rand_add(DRBG_CTX *ctx,
double entropy)
{
RAND_SSLeay()->add(in, inlen, entropy);
+ if (FIPS_rand_status())
++ {
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ FIPS_drbg_reseed(ctx, NULL, 0);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ }
return 1;
}
@@ -1457,13 +1136,17 @@ diff -up openssl-1.0.1g/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1g/crypto/r
{
RAND_SSLeay()->seed(in, inlen);
+ if (FIPS_rand_status())
++ {
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ FIPS_drbg_reseed(ctx, NULL, 0);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ }
return 1;
}
-diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa/rsa_gen.c
---- openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs 2014-05-06 16:22:21.270536538 +0200
-+++ openssl-1.0.1g/crypto/rsa/rsa_gen.c 2014-05-06 16:22:21.436540376 +0200
+diff -up openssl-1.0.1i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1i/crypto/rsa/rsa_gen.c
+--- openssl-1.0.1i/crypto/rsa/rsa_gen.c.fips-reqs 2014-08-07 11:25:28.788888922 +0200
++++ openssl-1.0.1i/crypto/rsa/rsa_gen.c 2014-08-07 11:25:28.840889168 +0200
@@ -1,5 +1,6 @@
/* crypto/rsa/rsa_gen.c */
/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
@@ -1713,7 +1396,7 @@ diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa
}
#endif
-@@ -301,17 +520,6 @@ static int rsa_builtin_keygen(RSA *rsa,
+@@ -301,17 +513,6 @@ static int rsa_builtin_keygen(RSA *rsa,
p = rsa->p;
if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
@@ -1731,9 +1414,9 @@ diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa
ok=1;
err:
if (ok == -1)
-diff -up openssl-1.0.1g/ssl/t1_enc.c.fips-reqs openssl-1.0.1g/ssl/t1_enc.c
---- openssl-1.0.1g/ssl/t1_enc.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100
-+++ openssl-1.0.1g/ssl/t1_enc.c 2014-05-06 16:22:21.436540376 +0200
+diff -up openssl-1.0.1i/ssl/t1_enc.c.fips-reqs openssl-1.0.1i/ssl/t1_enc.c
+--- openssl-1.0.1i/ssl/t1_enc.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/ssl/t1_enc.c 2014-08-07 11:25:28.841889173 +0200
@@ -291,6 +291,27 @@ static int tls1_PRF(long digest_mask,
err:
return ret;
diff --git a/openssl-1.0.1e-trusted-first.patch b/openssl-1.0.1i-trusted-first.patch
similarity index 67%
rename from openssl-1.0.1e-trusted-first.patch
rename to openssl-1.0.1i-trusted-first.patch
index 08ab639..f11f36d 100644
--- a/openssl-1.0.1e-trusted-first.patch
+++ b/openssl-1.0.1i-trusted-first.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
---- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/apps.c 2013-08-16 15:42:39.920534769 +0200
-@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg
+diff -up openssl-1.0.1i/apps/apps.c.trusted-first openssl-1.0.1i/apps/apps.c
+--- openssl-1.0.1i/apps/apps.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/apps/apps.c 2014-08-07 13:54:27.751103405 +0200
+@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg
flags |= X509_V_FLAG_NOTIFY_POLICY;
else if (!strcmp(arg, "-check_ss_sig"))
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
@@ -10,9 +10,9 @@ diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
else
return 0;
-diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c
---- openssl-1.0.1e/apps/cms.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/cms.c 2013-08-16 15:43:56.671213879 +0200
+diff -up openssl-1.0.1i/apps/cms.c.trusted-first openssl-1.0.1i/apps/cms.c
+--- openssl-1.0.1i/apps/cms.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/apps/cms.c 2014-08-07 13:54:27.751103405 +0200
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
@@ -21,10 +21,10 @@ diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
#ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c
---- openssl-1.0.1e/apps/ocsp.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/ocsp.c 2013-08-16 15:49:47.477572414 +0200
-@@ -595,6 +595,7 @@ int MAIN(int argc, char **argv)
+diff -up openssl-1.0.1i/apps/ocsp.c.trusted-first openssl-1.0.1i/apps/ocsp.c
+--- openssl-1.0.1i/apps/ocsp.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/apps/ocsp.c 2014-08-07 13:54:27.752103409 +0200
+@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-path path to use in OCSP request\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
@@ -32,20 +32,20 @@ diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c
BIO_printf (bio_err, "-VAfile file validator certificates file\n");
BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
-diff -up openssl-1.0.1e/apps/s_client.c.trusted-first openssl-1.0.1e/apps/s_client.c
---- openssl-1.0.1e/apps/s_client.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/apps/s_client.c 2013-08-16 15:49:00.727542994 +0200
-@@ -298,6 +298,7 @@ static void sc_usage(void)
+diff -up openssl-1.0.1i/apps/s_client.c.trusted-first openssl-1.0.1i/apps/s_client.c
+--- openssl-1.0.1i/apps/s_client.c.trusted-first 2014-08-07 13:54:27.752103409 +0200
++++ openssl-1.0.1i/apps/s_client.c 2014-08-07 15:06:28.443918055 +0200
+@@ -299,6 +299,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
- BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
-diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c
---- openssl-1.0.1e/apps/smime.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/smime.c 2013-08-16 15:46:44.024875150 +0200
+ BIO_printf(bio_err," -prexit - print session information even on connection failure\n");
+diff -up openssl-1.0.1i/apps/smime.c.trusted-first openssl-1.0.1i/apps/smime.c
+--- openssl-1.0.1i/apps/smime.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/apps/smime.c 2014-08-07 13:54:27.753103414 +0200
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
@@ -54,10 +54,10 @@ diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
#ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_server.c
---- openssl-1.0.1e/apps/s_server.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/apps/s_server.c 2013-08-16 15:48:19.469634430 +0200
-@@ -501,6 +501,7 @@ static void sv_usage(void)
+diff -up openssl-1.0.1i/apps/s_server.c.trusted-first openssl-1.0.1i/apps/s_server.c
+--- openssl-1.0.1i/apps/s_server.c.trusted-first 2014-08-07 13:54:27.718103241 +0200
++++ openssl-1.0.1i/apps/s_server.c 2014-08-07 13:54:27.753103414 +0200
+@@ -502,6 +502,7 @@ static void sv_usage(void)
BIO_printf(bio_err," -state - Print the SSL states\n");
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
@@ -65,9 +65,9 @@ diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_serv
BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
-diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c
---- openssl-1.0.1e/apps/s_time.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/apps/s_time.c 2013-08-16 15:47:35.862674188 +0200
+diff -up openssl-1.0.1i/apps/s_time.c.trusted-first openssl-1.0.1i/apps/s_time.c
+--- openssl-1.0.1i/apps/s_time.c.trusted-first 2014-08-07 13:54:27.432101823 +0200
++++ openssl-1.0.1i/apps/s_time.c 2014-08-07 13:54:27.753103414 +0200
@@ -179,6 +179,7 @@ static void s_time_usage(void)
file if not specified by this option\n\
-CApath arg - PEM format directory of CA's\n\
@@ -76,9 +76,9 @@ diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
printf( "usage: s_time <args>\n\n" );
-diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c
---- openssl-1.0.1e/apps/ts.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/apps/ts.c 2013-08-16 15:45:27.766206812 +0200
+diff -up openssl-1.0.1i/apps/ts.c.trusted-first openssl-1.0.1i/apps/ts.c
+--- openssl-1.0.1i/apps/ts.c.trusted-first 2014-08-07 13:54:27.707103186 +0200
++++ openssl-1.0.1i/apps/ts.c 2014-08-07 13:54:27.753103414 +0200
@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
"[-queryfile request.tsq] "
@@ -88,9 +88,9 @@ diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c
"-untrusted cert_file.pem\n");
cleanup:
/* Clean up. */
-diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c
---- openssl-1.0.1e/apps/verify.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/verify.c 2013-08-16 15:46:09.720124654 +0200
+diff -up openssl-1.0.1i/apps/verify.c.trusted-first openssl-1.0.1i/apps/verify.c
+--- openssl-1.0.1i/apps/verify.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/apps/verify.c 2014-08-07 13:54:27.754103419 +0200
@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
end:
@@ -100,9 +100,9 @@ diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c
BIO_printf(bio_err," [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," [-engine e]");
-diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c
---- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-08-16 15:42:39.864533545 +0200
-+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:42:39.921534791 +0200
+diff -up openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.c
+--- openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first 2014-08-07 13:54:27.716103231 +0200
++++ openssl-1.0.1i/crypto/x509/x509_vfy.c 2014-08-07 13:54:27.754103419 +0200
@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
/* If we are self signed, we break */
@@ -125,9 +125,9 @@ diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/cryp
/* If we were passed a cert chain, use it first */
if (ctx->untrusted != NULL)
-diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h
---- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-08-16 15:42:39.356522432 +0200
-+++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-08-16 15:42:39.922534813 +0200
+diff -up openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.h
+--- openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first 2014-08-07 13:54:27.360101466 +0200
++++ openssl-1.0.1i/crypto/x509/x509_vfy.h 2014-08-07 13:54:27.754103419 +0200
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
#define X509_V_FLAG_USE_DELTAS 0x2000
/* Check selfsigned CA signature */
@@ -137,9 +137,9 @@ diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/cryp
#define X509_VP_FLAG_DEFAULT 0x1
-diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/cms.pod
---- openssl-1.0.1e/doc/apps/cms.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 15:50:48.723921117 +0200
+diff -up openssl-1.0.1i/doc/apps/cms.pod.trusted-first openssl-1.0.1i/doc/apps/cms.pod
+--- openssl-1.0.1i/doc/apps/cms.pod.trusted-first 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/apps/cms.pod 2014-08-07 13:54:27.754103419 +0200
@@ -35,6 +35,7 @@ B<openssl> B<cms>
[B<-print>]
[B<-CAfile file>]
@@ -148,7 +148,7 @@ diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/c
[B<-md digest>]
[B<-[cipher]>]
[B<-nointern>]
-@@ -238,6 +239,12 @@ B<-verify>. This directory must be a sta
+@@ -243,6 +244,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
@@ -161,9 +161,9 @@ diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/c
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ocsp.pod
---- openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/ocsp.pod 2013-08-16 15:52:20.106933403 +0200
+diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/ocsp.pod
+--- openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first 2014-08-07 13:54:27.708103191 +0200
++++ openssl-1.0.1i/doc/apps/ocsp.pod 2014-08-07 13:54:27.755103424 +0200
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
[B<-path>]
[B<-CApath dir>]
@@ -186,10 +186,10 @@ diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/
=item B<-verify_other file>
file containing additional certificates to search when attempting to locate
-diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/apps/s_client.pod
---- openssl-1.0.1e/doc/apps/s_client.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 15:53:17.364194159 +0200
-@@ -17,6 +17,7 @@ B<openssl> B<s_client>
+diff -up openssl-1.0.1i/doc/apps/s_client.pod.trusted-first openssl-1.0.1i/doc/apps/s_client.pod
+--- openssl-1.0.1i/doc/apps/s_client.pod.trusted-first 2014-08-07 13:54:27.726103281 +0200
++++ openssl-1.0.1i/doc/apps/s_client.pod 2014-08-07 13:54:27.755103424 +0200
+@@ -19,6 +19,7 @@ B<openssl> B<s_client>
[B<-pass arg>]
[B<-CApath directory>]
[B<-CAfile filename>]
@@ -197,7 +197,7 @@ diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/a
[B<-reconnect>]
[B<-pause>]
[B<-showcerts>]
-@@ -107,7 +108,7 @@ also used when building the client certi
+@@ -121,7 +122,7 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
@@ -206,9 +206,9 @@ diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/a
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
-diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps/smime.pod
---- openssl-1.0.1e/doc/apps/smime.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 15:56:12.497050767 +0200
+diff -up openssl-1.0.1i/doc/apps/smime.pod.trusted-first openssl-1.0.1i/doc/apps/smime.pod
+--- openssl-1.0.1i/doc/apps/smime.pod.trusted-first 2014-07-22 21:43:11.000000000 +0200
++++ openssl-1.0.1i/doc/apps/smime.pod 2014-08-07 13:54:27.755103424 +0200
@@ -15,6 +15,9 @@ B<openssl> B<smime>
[B<-pk7out>]
[B<-[cipher]>]
@@ -232,9 +232,9 @@ diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/apps/s_server.pod
---- openssl-1.0.1e/doc/apps/s_server.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 15:54:33.609873214 +0200
+diff -up openssl-1.0.1i/doc/apps/s_server.pod.trusted-first openssl-1.0.1i/doc/apps/s_server.pod
+--- openssl-1.0.1i/doc/apps/s_server.pod.trusted-first 2014-08-07 13:54:27.726103281 +0200
++++ openssl-1.0.1i/doc/apps/s_server.pod 2014-08-07 15:07:12.315099577 +0200
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
[B<-state>]
[B<-CApath directory>]
@@ -242,8 +242,8 @@ diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/a
+[B<-trusted_first>]
[B<-nocert>]
[B<-cipher cipherlist>]
- [B<-quiet>]
-@@ -168,6 +169,12 @@ and to use when attempting to build the
+ [B<-serverpref>]
+@@ -178,6 +179,12 @@ and to use when attempting to build the
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
@@ -256,9 +256,9 @@ diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/a
=item B<-state>
prints out the SSL session states.
-diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/apps/s_time.pod
---- openssl-1.0.1e/doc/apps/s_time.pod.trusted-first 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/s_time.pod 2013-08-16 15:55:12.651732938 +0200
+diff -up openssl-1.0.1i/doc/apps/s_time.pod.trusted-first openssl-1.0.1i/doc/apps/s_time.pod
+--- openssl-1.0.1i/doc/apps/s_time.pod.trusted-first 2014-07-22 21:41:23.000000000 +0200
++++ openssl-1.0.1i/doc/apps/s_time.pod 2014-08-07 13:54:27.755103424 +0200
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
[B<-key filename>]
[B<-CApath directory>]
@@ -280,9 +280,9 @@ diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/app
=item B<-new>
performs the timing test using a new session ID for each connection.
-diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts.pod
---- openssl-1.0.1e/doc/apps/ts.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/ts.pod 2013-08-16 15:57:17.399479957 +0200
+diff -up openssl-1.0.1i/doc/apps/ts.pod.trusted-first openssl-1.0.1i/doc/apps/ts.pod
+--- openssl-1.0.1i/doc/apps/ts.pod.trusted-first 2014-07-22 21:41:23.000000000 +0200
++++ openssl-1.0.1i/doc/apps/ts.pod 2014-08-07 13:54:27.756103429 +0200
@@ -46,6 +46,7 @@ B<-verify>
[B<-token_in>]
[B<-CApath> trusted_cert_path]
@@ -304,9 +304,9 @@ diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts
=item B<-untrusted> cert_file.pem
Set of additional untrusted certificates in PEM format which may be
-diff -up openssl-1.0.1e/doc/apps/verify.pod.trusted-first openssl-1.0.1e/doc/apps/verify.pod
---- openssl-1.0.1e/doc/apps/verify.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/verify.pod 2013-08-16 15:58:00.267423925 +0200
+diff -up openssl-1.0.1i/doc/apps/verify.pod.trusted-first openssl-1.0.1i/doc/apps/verify.pod
+--- openssl-1.0.1i/doc/apps/verify.pod.trusted-first 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/apps/verify.pod 2014-08-07 13:54:27.756103429 +0200
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
B<openssl> B<verify>
[B<-CApath directory>]
diff --git a/openssl.spec b/openssl.spec
index 88fca31..e58b9a7 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,8 +22,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.0.1h
-Release: 6%{?dist}
+Version: 1.0.1i
+Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -56,12 +56,11 @@ Patch24: openssl-1.0.1e-issuer-hash.patch
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch
-Patch36: openssl-1.0.0e-doc-noeof.patch
Patch39: openssl-1.0.1h-ipv6-apps.patch
Patch40: openssl-1.0.1g-fips.patch
Patch45: openssl-1.0.1e-env-zlib.patch
Patch47: openssl-1.0.0-beta5-readme-warning.patch
-Patch49: openssl-1.0.1a-algo-doc.patch
+Patch49: openssl-1.0.1i-algo-doc.patch
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
Patch51: openssl-1.0.1e-version.patch
Patch56: openssl-1.0.0c-rsa-x931.patch
@@ -73,22 +72,19 @@ Patch66: openssl-1.0.1-pkgconfig-krb5.patch
Patch68: openssl-1.0.1e-secure-getenv.patch
Patch69: openssl-1.0.1c-dh-1024.patch
Patch70: openssl-1.0.1e-fips-ec.patch
-Patch71: openssl-1.0.1h-manfix.patch
+Patch71: openssl-1.0.1i-manfix.patch
Patch72: openssl-1.0.1e-fips-ctor.patch
Patch73: openssl-1.0.1e-ecc-suiteb.patch
Patch74: openssl-1.0.1e-no-md5-verify.patch
Patch75: openssl-1.0.1e-compat-symbols.patch
-Patch76: openssl-1.0.1g-new-fips-reqs.patch
+Patch76: openssl-1.0.1i-new-fips-reqs.patch
Patch77: openssl-1.0.1e-weak-ciphers.patch
-Patch78: openssl-1.0.1g-3des-strength.patch
Patch90: openssl-1.0.1e-enc-fail.patch
-Patch91: openssl-1.0.1e-ssl2-no-ec.patch
Patch92: openssl-1.0.1h-system-cipherlist.patch
Patch93: openssl-1.0.1h-disable-sslv2v3.patch
# Backported fixes including security fixes
Patch81: openssl-1.0.1-beta2-padlock64.patch
-Patch82: openssl-1.0.1h-session-resumption.patch
-Patch84: openssl-1.0.1e-trusted-first.patch
+Patch84: openssl-1.0.1i-trusted-first.patch
Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
Patch89: openssl-1.0.1e-ephemeral-key-size.patch
@@ -181,7 +177,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509
%patch35 -p1 -b .version-add-engines
-%patch36 -p1 -b .doc-noeof
%patch39 -p1 -b .ipv6-apps
%patch40 -p1 -b .fips
%patch45 -p1 -b .env-zlib
@@ -205,14 +200,11 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch75 -p1 -b .compat
%patch76 -p1 -b .fips-reqs
%patch77 -p1 -b .weak-ciphers
-%patch78 -p1 -b .3des-strength
%patch90 -p1 -b .enc-fail
-%patch91 -p1 -b .ssl2noec
%patch92 -p1 -b .system
%patch93 -p1 -b .v2v3
%patch81 -p1 -b .padlock64
-%patch82 -p1 -b .resumption
%patch84 -p1 -b .trusted-first
%patch85 -p1 -b .armcap
%patch89 -p1 -b .ephemeral
@@ -483,6 +475,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Thu Aug 7 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1i-1
+- new upstream release fixing multiple moderate security issues
+- for now disable only SSLv2 by default
+
* Fri Jul 18 2014 Tom Callaway <spot at fedoraproject.org> 1.0.1h-6
- fix license handling
diff --git a/sources b/sources
index 5c377fa..b97a288 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-4ea0f231c61b9c66642176cdc033b386 openssl-1.0.1h-hobbled.tar.xz
+c152e5284765c3325301a62b01a48fc0 openssl-1.0.1i-hobbled.tar.xz
More information about the scm-commits
mailing list