rpms/openssl/F-11 openssl-0.9.8k-kernel-fipsmode.patch, NONE, 1.1 openssl-0.9.8k-multi-crl.patch, NONE, 1.1 openssl.spec, 1.127, 1.128 openssl-0.9.8j-evp-nonfips.patch, 1.1, NONE openssl-0.9.8j-kernel-fipsmode.patch, 1.1, NONE

Tomáš Mráz tmraz at fedoraproject.org
Fri Apr 17 16:15:54 UTC 2009


Author: tmraz

Update of /cvs/pkgs/rpms/openssl/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5776

Modified Files:
	openssl.spec 
Added Files:
	openssl-0.9.8k-kernel-fipsmode.patch 
	openssl-0.9.8k-multi-crl.patch 
Removed Files:
	openssl-0.9.8j-evp-nonfips.patch 
	openssl-0.9.8j-kernel-fipsmode.patch 
Log Message:
- sync with devel


openssl-0.9.8k-kernel-fipsmode.patch:

--- NEW FILE openssl-0.9.8k-kernel-fipsmode.patch ---
diff -up openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode openssl-0.9.8k/crypto/engine/eng_all.c
--- openssl-0.9.8k/crypto/engine/eng_all.c.fipsmode	2008-06-04 20:01:39.000000000 +0200
+++ openssl-0.9.8k/crypto/engine/eng_all.c	2009-04-15 14:31:32.000000000 +0200
@@ -58,9 +58,23 @@
 
 #include "cryptlib.h"
 #include "eng_int.h"
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 
 void ENGINE_load_builtin_engines(void)
 	{
+#ifdef OPENSSL_FIPS
+	OPENSSL_init();
+	if (FIPS_mode()) {
+		/* We allow loading dynamic engine as a third party
+		   engine might be FIPS validated.
+		   User is disallowed to load non-validated engines
+		   by security policy. */
+		ENGINE_load_dynamic();
+		return;
+	}
+#endif
 	/* There's no longer any need for an "openssl" ENGINE unless, one day,
 	 * it is the *only* way for standard builtin implementations to be be
 	 * accessed (ie. it would be possible to statically link binaries with
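Review bot: The comment above `ENGINE_load_dynamic()` reads as though only FIPS-validated engines can be loaded in FIPS mode, but nothing in this hunk enforces that — the dynamic loader is registered unconditionally and the restriction lives in the operator's security policy. Suggest saying so explicitly: `/* In FIPS mode only the dynamic engine loader is registered; it performs no validation itself — loading only FIPS-validated third-party engines is left to the security policy. */`. ENGINE_load_builtin_engines continues past the hunk.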
diff -up openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode openssl-0.9.8k/crypto/evp/c_allc.c
--- openssl-0.9.8k/crypto/evp/c_allc.c.fipsmode	2007-04-24 01:50:04.000000000 +0200
+++ openssl-0.9.8k/crypto/evp/c_allc.c	2009-03-26 15:53:42.000000000 +0100
@@ -65,6 +65,11 @@
 void OpenSSL_add_all_ciphers(void)
 	{
 
+#ifdef OPENSSL_FIPS
+	OPENSSL_init();
+	if(!FIPS_mode()) 
+		{
+#endif
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cfb());
 	EVP_add_cipher(EVP_des_cfb1());
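Review bot: `if(!FIPS_mode()) ` on the new line lacks the space after `if` and carries trailing whitespace, while the same guard in the c_alld.c hunk is written `if (!FIPS_mode())`; `if (!FIPS_mode())` keeps the two files consistent. Neither this hunk nor the c_alld.c and ssl_algs.c hunks add `#include <openssl/fips.h>` the way the eng_all.c hunk does, so FIPS_mode() and OPENSSL_init() must already be visible through an existing header here — if they are not, the same conditional include is needed in all three files. OpenSSL_add_all_ciphers continues past the hunk.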
@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
 #endif
+#ifdef OPENSSL_FIPS
+		}
+	else
+		{
+#ifndef OPENSSL_NO_DES
+	EVP_add_cipher(EVP_des_ede_cfb());
+	EVP_add_cipher(EVP_des_ede3_cfb());
+
+	EVP_add_cipher(EVP_des_ede_ofb());
+	EVP_add_cipher(EVP_des_ede3_ofb());
+
+	EVP_add_cipher(EVP_des_ede_cbc());
+	EVP_add_cipher(EVP_des_ede3_cbc());
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
+
+	EVP_add_cipher(EVP_des_ede());
+	EVP_add_cipher(EVP_des_ede3());
+#endif
+
+#ifndef OPENSSL_NO_AES
+	EVP_add_cipher(EVP_aes_128_ecb());
+	EVP_add_cipher(EVP_aes_128_cbc());
+	EVP_add_cipher(EVP_aes_128_cfb());
+	EVP_add_cipher(EVP_aes_128_cfb1());
+	EVP_add_cipher(EVP_aes_128_cfb8());
+	EVP_add_cipher(EVP_aes_128_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_128_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
+	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
+	EVP_add_cipher(EVP_aes_192_ecb());
+	EVP_add_cipher(EVP_aes_192_cbc());
+	EVP_add_cipher(EVP_aes_192_cfb());
+	EVP_add_cipher(EVP_aes_192_cfb1());
+	EVP_add_cipher(EVP_aes_192_cfb8());
+	EVP_add_cipher(EVP_aes_192_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_192_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
+	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
+	EVP_add_cipher(EVP_aes_256_ecb());
+	EVP_add_cipher(EVP_aes_256_cbc());
+	EVP_add_cipher(EVP_aes_256_cfb());
+	EVP_add_cipher(EVP_aes_256_cfb1());
+	EVP_add_cipher(EVP_aes_256_cfb8());
+	EVP_add_cipher(EVP_aes_256_ofb());
+#if 0
+	EVP_add_cipher(EVP_aes_256_ctr());
+#endif
+	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
+	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
+#endif
+		}
+#endif
 
 	PKCS12_PBE_add();
 	PKCS5_PBE_add();
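Review bot: The FIPS `else` branch re-registers the DES-EDE and AES ciphers that the non-FIPS branch presumably already registers above, and keeps three `#if 0` blocks around the `EVP_aes_*_ctr()` calls that are dead code, so the approved-cipher list now has to be kept in sync in two places; the second c_alld.c hunk does the same for SHA-224/256/384/512. A cleaner shape is to register the FIPS-approved subset once after the `if`/`else` and keep only the non-approved algorithms under `!FIPS_mode()`, and to replace each `#if 0` block with a one-line comment such as `/* AES CTR is intentionally not registered in FIPS mode */`. The start of OpenSSL_add_all_ciphers is in the previous hunk.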
diff -up openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode openssl-0.9.8k/crypto/evp/c_alld.c
--- openssl-0.9.8k/crypto/evp/c_alld.c.fipsmode	2005-04-30 23:51:40.000000000 +0200
+++ openssl-0.9.8k/crypto/evp/c_alld.c	2009-03-26 15:53:42.000000000 +0100
@@ -64,6 +64,11 @@
 
 void OpenSSL_add_all_digests(void)
 	{
+#ifdef OPENSSL_FIPS
+	OPENSSL_init();
+	if (!FIPS_mode())
+		{
+#endif
 #ifndef OPENSSL_NO_MD2
 	EVP_add_digest(EVP_md2());
 #endif
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
 	EVP_add_digest(EVP_sha384());
 	EVP_add_digest(EVP_sha512());
 #endif
+#ifdef OPENSSL_FIPS
+		}
+	else
+		{
+#ifndef OPENSSL_NO_SHA
+	EVP_add_digest(EVP_sha1());
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#ifndef OPENSSL_NO_DSA
+	EVP_add_digest(EVP_dss1());
+	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+	EVP_add_digest(EVP_ecdsa());
+#endif
+#endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
+		}
+#endif
 	}
diff -up openssl-0.9.8k/crypto/o_init.c.fipsmode openssl-0.9.8k/crypto/o_init.c
--- openssl-0.9.8k/crypto/o_init.c.fipsmode	2008-11-05 19:36:36.000000000 +0100
+++ openssl-0.9.8k/crypto/o_init.c	2009-03-26 15:53:42.000000000 +0100
@@ -59,6 +59,45 @@
 #include <e_os.h>
 #include <openssl/err.h>
 
+#ifdef OPENSSL_FIPS
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <openssl/fips.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static void init_fips_mode(void)
+	{
+	char buf[2] = "0";
+	int fd;
+	
+	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+		{
+		buf[0] = '1';
+		}
+	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
+		{
+		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+		close(fd);
+		}
+	/* Failure reading the fips mode switch file means just not
+	 * switching into FIPS mode. We would break too many things
+	 * otherwise. 
+	 */
+	
+	if (buf[0] == '1')
+		{
+		FIPS_mode_set(1);
+		}
+	}
+#endif
+
 /* Perform any essential OpenSSL initialization operations.
  * Currently only sets FIPS callbacks
  */
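Review bot: The return value of `FIPS_mode_set(1)` is discarded, so when the kernel switch file or OPENSSL_FORCE_FIPS_MODE asks for FIPS mode and entering it fails (self-tests), the process silently keeps running in non-FIPS mode; the comment above only covers failure to read the switch file, not failure to enter the mode. At minimum record the outcome and state the policy explicitly, e.g. `if (!FIPS_mode_set(1)) { /* entering FIPS mode failed: FIPS_mode() stays 0 */ }` with a comment saying whether continuing is acceptable. The two-byte `read()` leaves `buf` without a terminator, which is harmless because only `buf[0]` is inspected, but a short comment stating that would save the next reader a check.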
@@ -73,11 +112,10 @@ void OPENSSL_init(void)
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_malloc_debug_init();
 #endif
-#ifdef OPENSSL_ENGINE
+		init_fips_mode();
 		int_EVP_MD_init_engine_callbacks();
 		int_EVP_CIPHER_init_engine_callbacks();
 		int_RAND_init_engine_callbacks();
-#endif
 		done = 1;
 		}
 #endif
diff -up openssl-0.9.8k/ssl/ssl_algs.c.fipsmode openssl-0.9.8k/ssl/ssl_algs.c
--- openssl-0.9.8k/ssl/ssl_algs.c.fipsmode	2007-04-24 01:50:21.000000000 +0200
+++ openssl-0.9.8k/ssl/ssl_algs.c	2009-04-15 14:32:13.000000000 +0200
@@ -64,6 +64,10 @@
 int SSL_library_init(void)
 	{
 
+#ifdef OPENSSL_FIPS
+	OPENSSL_init();
+#endif
+
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cbc());
 	EVP_add_cipher(EVP_des_ede3_cbc());

openssl-0.9.8k-multi-crl.patch:

--- NEW FILE openssl-0.9.8k-multi-crl.patch ---
diff -up openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl openssl-0.9.8k/crypto/x509/x509_lu.c
--- openssl-0.9.8k/crypto/x509/x509_lu.c.multi-crl	2005-05-11 05:45:35.000000000 +0200
+++ openssl-0.9.8k/crypto/x509/x509_lu.c	2009-03-26 15:47:45.000000000 +0100
@@ -453,19 +453,41 @@ X509_OBJECT *X509_OBJECT_retrieve_by_sub
 	return sk_X509_OBJECT_value(h, idx);
 }
 
+static int x509_crl_match(const X509_CRL *a, const X509_CRL *b)
+{
+	if (a->signature == NULL || b->signature == NULL)
+		return a->signature != b->signature;
+
+	if (a->signature->length != b->signature->length)
+		return 0;
+
+	return memcmp(a->signature->data, b->signature->data, a->signature->length);
+}
+
 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
 {
 	int idx, i;
 	X509_OBJECT *obj;
 	idx = sk_X509_OBJECT_find(h, x);
 	if (idx == -1) return NULL;
-	if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
+	if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
+		return sk_X509_OBJECT_value(h, idx);
 	for (i = idx; i < sk_X509_OBJECT_num(h); i++)
 		{
 		obj = sk_X509_OBJECT_value(h, i);
 		if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
 			return NULL;
-		if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
+		if (x->type == X509_LU_X509)
+			{
+			if (!X509_cmp(obj->data.x509, x->data.x509))
+				return obj;
+			}
+		else if (x->type == X509_LU_CRL)
+			{
+			if (!x509_crl_match(obj->data.crl, x->data.crl))
+				return obj;
+			}
+		else
 			return obj;
 		}
 	return NULL;
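Review bot: `x509_crl_match` returns 0 when the two signature lengths differ, and the caller in `X509_OBJECT_retrieve_match` treats 0 as a match (`if (!x509_crl_match(obj->data.crl, x->data.crl)) return obj;`), so two CRLs from the same issuer whose signatures differ only in length are reported as the same object; the NULL-signature branch and the `memcmp` both use 0 for equal, so that line should read `return 1;` (or return the length difference). A one-line comment on the helper, `/* returns 0 when both CRLs carry identical signatures, non-zero otherwise */`, would make the convention explicit and the inversion harder to reintroduce.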
diff -up openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl openssl-0.9.8k/crypto/x509/x509_vfy.c
--- openssl-0.9.8k/crypto/x509/x509_vfy.c.multi-crl	2008-07-13 16:33:15.000000000 +0200
+++ openssl-0.9.8k/crypto/x509/x509_vfy.c	2009-03-26 15:47:45.000000000 +0100
@@ -725,7 +725,38 @@ static int get_crl(X509_STORE_CTX *ctx, 
 		return 0;
 		}
 
-	*pcrl = xobj.data.crl;
+	/* If CRL times not valid look through store */
+	if (!check_crl_time(ctx, xobj.data.crl, 0))
+		{
+		int idx, i;
+		X509_OBJECT *pobj;
+		X509_OBJECT_free_contents(&xobj);
+		idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
+							X509_LU_CRL, nm);
+		if (idx == -1)
+			return 0;
+		*pcrl = NULL;
+		for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+			{
+			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+			/* Check to see if it is a CRL and issuer matches */
+			if (pobj->type != X509_LU_CRL)
+				break;
+			if (X509_NAME_cmp(nm,
+					X509_CRL_get_issuer(pobj->data.crl)))
+				break;
+			/* Set *pcrl because the CRL will either be valid or
+			 * a "best fit" CRL.
+			 */
+			*pcrl = pobj->data.crl;
+			if (check_crl_time(ctx, *pcrl, 0))
+				break;
+			}
+		if (*pcrl)
+			CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);
+		}
+	else 
+		*pcrl = xobj.data.crl;
 	if (crl)
 		X509_CRL_free(crl);
 	return 1;
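Review bot: The fallback loop reads `ctx->ctx->objs` directly, and nothing in the hunk takes `CRYPTO_LOCK_X509_STORE`, whereas the store lookup that presumably filled `xobj` above the hunk does its walk under the store lock; if get_crl can run while another thread adds to the store, the index lookup and the loop should be bracketed with `CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);` and `CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);`, released after the reference bump. The reference ownership is also asymmetric to read: the fallback path bumps the count itself while the `else` path hands over the reference already held by `xobj`, which deserves a comment such as `/* xobj's reference is transferred to *pcrl */` on the `else` line. get_crl starts before the hunk.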


Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/F-11/openssl.spec,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -r1.127 -r1.128
--- openssl.spec	17 Apr 2009 16:04:52 -0000	1.127
+++ openssl.spec	17 Apr 2009 16:15:24 -0000	1.128
@@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 0.9.8k
-Release: 2%{?dist}
+Release: 3%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -57,14 +57,14 @@
 Patch40: openssl-0.9.8j-nocanister.patch
 Patch41: openssl-0.9.8k-use-fipscheck.patch
 Patch42: openssl-0.9.8k-fipscheck-hmac.patch
-Patch43: openssl-0.9.8j-evp-nonfips.patch
-Patch44: openssl-0.9.8j-kernel-fipsmode.patch
+Patch44: openssl-0.9.8k-kernel-fipsmode.patch
 Patch45: openssl-0.9.8j-env-nozlib.patch
 Patch46: openssl-0.9.8j-eap-fast.patch
 Patch47: openssl-0.9.8j-readme-warning.patch
 Patch48: openssl-0.9.8j-bad-mime.patch
 Patch49: openssl-0.9.8j-fips-no-pairwise.patch
 Patch50: openssl-0.9.8j-fips-rng-seed.patch
+Patch51: openssl-0.9.8k-multi-crl.patch
 # Backported fixes including security fixes
 
 License: OpenSSL
@@ -142,7 +142,6 @@
 %patch40 -p1 -b .nocanister
 %patch41 -p1 -b .use-fipscheck
 %patch42 -p1 -b .fipscheck-hmac
-%patch43 -p1 -b .evp-nonfips
 %patch44 -p1 -b .fipsmode
 %patch45 -p1 -b .env-nozlib
 %patch46 -p1 -b .eap-fast
@@ -150,6 +149,7 @@
 %patch48 -p1 -b .bad-mime
 %patch49 -p1 -b .no-pairwise
 %patch50 -p1 -b .rng-seed
+%patch51 -p1 -b .multi-crl
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -408,8 +408,12 @@
 %postun -p /sbin/ldconfig
 
 %changelog
-* Fri Apr 17 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8k-2
-- update the SHLIB_VERSION to 0.9.8k
+* Fri Apr 17 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8k-3
+- correct the SHLIB_VERSION define
+
+* Wed Apr 15 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8k-2
+- add support for multiple CRLs with same subject
+- load only dynamic engine support in FIPS mode
 
 * Thu Mar 25 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8k-1
 - update to new upstream release (minor bug fixes, security


--- openssl-0.9.8j-evp-nonfips.patch DELETED ---


--- openssl-0.9.8j-kernel-fipsmode.patch DELETED ---



