import mingw-openssl-1.0.2k-2.el8

c8 imports/c8/mingw-openssl-1.0.2k-2.el8
CentOS Sources 5 years ago committed by MSVSphere Packaging Team
commit afa1dad01a

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/openssl-1.0.2k-hobbled.tar.xz

@ -0,0 +1 @@
06ae179d01fcde6a4594bf4023f863290a7f050c SOURCES/openssl-1.0.2k-hobbled.tar.xz

@ -0,0 +1,82 @@
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
EXTRA_FLAGS+=-set_serial $(SERIAL)
endif
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
@echo "To create a test certificate with serial number other than random, add SERIAL=num"
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"
@echo " make server.crt SERIAL=1"
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
@echo " make testcert DAYS=600"
%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
$(RM) $$PEM1 $$PEM2
%.key:
umask 77 ; \
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
%.csr: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
%.crt: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)
$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)

@ -0,0 +1,75 @@
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
=================================================================
This package contains libraries which comprise the FIPS 140-2
Red Hat Enterprise Linux - OPENSSL Module.
The module files
================
/usr/lib[64]/libcrypto.so.1.0.2j
/usr/lib[64]/libssl.so.1.0.2j
/usr/lib[64]/.libcrypto.so.1.0.2j.hmac
/usr/lib[64]/.libssl.so.1.0.2j.hmac
Dependencies
============
The approved mode of operation requires kernel with /dev/urandom RNG running
with properties as defined in the security policy of the module. This is
provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
Crytographic Module.
Installation
============
The RPM package of the module can be installed by standard tools recommended
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
rpm, RHN remote management tool).
For proper operation of the in-module integrity verification the prelink has to
be disabled. This can be done with setting PRELINKING=no in the
/etc/sysconfig/prelink configuration file. If the libraries were already
prelinked the prelink should be undone on all the system files with the
'prelink -u -a' command.
Usage and API
=============
The module respects kernel command line FIPS setting. If the kernel command
line contains option fips=1 the module will initialize in the FIPS approved
mode of operation automatically. To allow for the automatic initialization the
application using the module has to call one of the following API calls:
- void OPENSSL_init_library(void) - this will do only a basic initialization
of the library and does initialization of the FIPS approved mode without setting
up EVP API with supported algorithms.
- void OPENSSL_add_all_algorithms(void) - this API function calls
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
in the approved mode
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
adds algorithms which are necessary for TLS protocol support and initializes
the SSL library.
To explicitely put the library to the approved mode the application can call
the following function:
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
the library from the non-approved to the approved mode. If any of the selftests
and integrity verification tests fail, the library is put into the error state
and 0 is returned. If they succeed the return value is 1.
To query the module whether it is in the approved mode or not:
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
0 otherwise.
To query whether the module is in the error state:
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
state, 0 otherwise.
To zeroize the FIPS RNG key and internal state the application calls:
- void RAND_cleanup(void)

@ -0,0 +1,455 @@
/* crypto/ec/ec_curve.c */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
/* ====================================================================
* Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
* Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
* license provided above.
*
* The elliptic curve binary polynomial software is originally written by
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
*
*/
#include <string.h>
#include "ec_lcl.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
#ifdef OPENSSL_FIPS
# include <openssl/fips.h>
#endif
typedef struct {
int field_type, /* either NID_X9_62_prime_field or
* NID_X9_62_characteristic_two_field */
seed_len, param_len;
unsigned int cofactor; /* promoted to BN_ULONG */
} EC_CURVE_DATA;
/* the nist prime curves */
static const struct {
EC_CURVE_DATA h;
unsigned char data[20 + 48 * 6];
} _EC_NIST_PRIME_384 = {
{
NID_X9_62_prime_field, 20, 48, 1
},
{
/* seed */
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
/* p */
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
/* a */
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
/* b */
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
/* x */
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
/* y */
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
/* order */
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
}
};
static const struct {
EC_CURVE_DATA h;
unsigned char data[20 + 66 * 6];
} _EC_NIST_PRIME_521 = {
{
NID_X9_62_prime_field, 20, 66, 1
},
{
/* seed */
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
/* p */
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
/* a */
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
/* b */
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
/* x */
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
/* y */
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
/* order */
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
}
};
static const struct {
EC_CURVE_DATA h;
unsigned char data[20 + 32 * 6];
} _EC_X9_62_PRIME_256V1 = {
{
NID_X9_62_prime_field, 20, 32, 1
},
{
/* seed */
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
/* p */
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
/* a */
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
/* b */
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
/* x */
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
/* y */
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
/* order */
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
}
};
typedef struct _ec_list_element_st {
int nid;
const EC_CURVE_DATA *data;
const EC_METHOD *(*meth) (void);
const char *comment;
} ec_list_element;
static const ec_list_element curve_list[] = {
/* prime field curves */
/* secg curves */
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
{NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
"NIST/SECG curve over a 384 bit prime field"},
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
{NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
"NIST/SECG curve over a 521 bit prime field"},
#else
{NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
"NIST/SECG curve over a 521 bit prime field"},
#endif
/* X9.62 curves */
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
#if defined(ECP_NISTZ256_ASM)
EC_GFp_nistz256_method,
#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
EC_GFp_nistp256_method,
#else
0,
#endif
"X9.62/SECG curve over a 256 bit prime field"},
};
#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element))
static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
{
EC_GROUP *group = NULL;
EC_POINT *P = NULL;
BN_CTX *ctx = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
NULL;
int ok = 0;
int seed_len, param_len;
const EC_METHOD *meth;
const EC_CURVE_DATA *data;
const unsigned char *params;
if ((ctx = BN_CTX_new()) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
goto err;
}
data = curve.data;
seed_len = data->seed_len;
param_len = data->param_len;
params = (const unsigned char *)(data + 1); /* skip header */
params += seed_len; /* skip seed */
if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL))
|| !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL))
|| !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
goto err;
}
if (curve.meth != 0) {
meth = curve.meth();
if (((group = EC_GROUP_new(meth)) == NULL) ||
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
}
} else if (data->field_type == NID_X9_62_prime_field) {
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else { /* field_type ==
* NID_X9_62_characteristic_two_field */
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
}
}
#endif
if ((P = EC_POINT_new(group)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
}
if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL))
|| !(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
goto err;
}
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
}
if (!(order = BN_bin2bn(params + 5 * param_len, param_len, NULL))
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
goto err;
}
if (!EC_GROUP_set_generator(group, P, order, x)) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
}
if (seed_len) {
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
}
}
ok = 1;
err:
if (!ok) {
EC_GROUP_free(group);
group = NULL;
}
if (P)
EC_POINT_free(P);
if (ctx)
BN_CTX_free(ctx);
if (p)
BN_free(p);
if (a)
BN_free(a);
if (b)
BN_free(b);
if (order)
BN_free(order);
if (x)
BN_free(x);
if (y)
BN_free(y);
return group;
}
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
{
size_t i;
EC_GROUP *ret = NULL;
if (nid <= 0)
return NULL;
for (i = 0; i < curve_list_length; i++)
if (curve_list[i].nid == nid) {
ret = ec_group_new_from_data(curve_list[i]);
break;
}
if (ret == NULL) {
ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
return NULL;
}
EC_GROUP_set_curve_name(ret, nid);
return ret;
}
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
{
size_t i, min;
if (r == NULL || nitems == 0)
return curve_list_length;
min = nitems < curve_list_length ? nitems : curve_list_length;
for (i = 0; i < min; i++) {
r[i].nid = curve_list[i].nid;
r[i].comment = curve_list[i].comment;
}
return curve_list_length;
}
/* Functions to translate between common NIST curve names and NIDs */
typedef struct {
const char *name; /* NIST Name of curve */
int nid; /* Curve NID */
} EC_NIST_NAME;
static EC_NIST_NAME nist_curves[] = {
{"B-163", NID_sect163r2},
{"B-233", NID_sect233r1},
{"B-283", NID_sect283r1},
{"B-409", NID_sect409r1},
{"B-571", NID_sect571r1},
{"K-163", NID_sect163k1},
{"K-233", NID_sect233k1},
{"K-283", NID_sect283k1},
{"K-409", NID_sect409k1},
{"K-571", NID_sect571k1},
{"P-192", NID_X9_62_prime192v1},
{"P-224", NID_secp224r1},
{"P-256", NID_X9_62_prime256v1},
{"P-384", NID_secp384r1},
{"P-521", NID_secp521r1}
};
const char *EC_curve_nid2nist(int nid)
{
size_t i;
for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) {
if (nist_curves[i].nid == nid)
return nist_curves[i].name;
}
return NULL;
}
int EC_curve_nist2nid(const char *name)
{
size_t i;
for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) {
if (!strcmp(nist_curves[i].name, name))
return nist_curves[i].nid;
}
return NID_undef;
}

@ -0,0 +1,994 @@
/* crypto/ec/ectest.c */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
* Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
* license provided above.
*
* The elliptic curve binary polynomial software is originally written by
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
*
*/
#include <stdio.h>
#include <stdlib.h>
#ifdef FLAT_INC
# include "e_os.h"
#else
# include "../e_os.h"
#endif
#include <string.h>
#include <time.h>
#ifdef OPENSSL_NO_EC
int main(int argc, char *argv[])
{
puts("Elliptic curves are disabled.");
return 0;
}
#else
# include <openssl/ec.h>
# ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
# endif
# include <openssl/err.h>
# include <openssl/obj_mac.h>
# include <openssl/objects.h>
# include <openssl/rand.h>
# include <openssl/bn.h>
# include <openssl/opensslconf.h>
# if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
/* suppress "too big too optimize" warning */
# pragma warning(disable:4959)
# endif
# define ABORT do { \
fflush(stdout); \
fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
ERR_print_errors_fp(stderr); \
EXIT(1); \
} while (0)
# define TIMING_BASE_PT 0
# define TIMING_RAND_PT 1
# define TIMING_SIMUL 2
# if 0
static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
{
clock_t clck;
int i, j;
BIGNUM *s;
BIGNUM *r[10], *r0[10];
EC_POINT *P;
s = BN_new();
if (s == NULL)
ABORT;
fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
if (!EC_GROUP_get_order(group, s, ctx))
ABORT;
fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
fflush(stdout);
P = EC_POINT_new(group);
if (P == NULL)
ABORT;
EC_POINT_copy(P, EC_GROUP_get0_generator(group));
for (i = 0; i < 10; i++) {
if ((r[i] = BN_new()) == NULL)
ABORT;
if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0))
ABORT;
if (type != TIMING_BASE_PT) {
if ((r0[i] = BN_new()) == NULL)
ABORT;
if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0))
ABORT;
}
}
clck = clock();
for (i = 0; i < 10; i++) {
for (j = 0; j < 10; j++) {
if (!EC_POINT_mul
(group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
(type != TIMING_BASE_PT) ? P : NULL,
(type != TIMING_BASE_PT) ? r0[i] : NULL, ctx))
ABORT;
}
}
clck = clock() - clck;
fprintf(stdout, "\n");
# ifdef CLOCKS_PER_SEC
/*
* "To determine the time in seconds, the value returned by the clock
* function should be divided by the value of the macro CLOCKS_PER_SEC."
* -- ISO/IEC 9899
*/
# define UNIT "s"
# else
/*
* "`CLOCKS_PER_SEC' undeclared (first use this function)" -- cc on
* NeXTstep/OpenStep
*/
# define UNIT "units"
# define CLOCKS_PER_SEC 1
# endif
if (type == TIMING_BASE_PT) {
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
"base point multiplications", (double)clck / CLOCKS_PER_SEC);
} else if (type == TIMING_RAND_PT) {
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
"random point multiplications",
(double)clck / CLOCKS_PER_SEC);
} else if (type == TIMING_SIMUL) {
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
"s*P+t*Q operations", (double)clck / CLOCKS_PER_SEC);
}
fprintf(stdout, "average: %.4f " UNIT "\n",
(double)clck / (CLOCKS_PER_SEC * i * j));
EC_POINT_free(P);
BN_free(s);
for (i = 0; i < 10; i++) {
BN_free(r[i]);
if (type != TIMING_BASE_PT)
BN_free(r0[i]);
}
}
# endif
/* test multiplication with group order, long and negative scalars */
static void group_order_tests(EC_GROUP *group)
{
BIGNUM *n1, *n2, *order;
EC_POINT *P = EC_POINT_new(group);
EC_POINT *Q = EC_POINT_new(group);
BN_CTX *ctx = BN_CTX_new();
int i;
n1 = BN_new();
n2 = BN_new();
order = BN_new();
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, order, ctx))
ABORT;
if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
ABORT;
if (!EC_POINT_is_at_infinity(group, Q))
ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!EC_GROUP_precompute_mult(group, ctx))
ABORT;
if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
ABORT;
if (!EC_POINT_is_at_infinity(group, Q))
ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "long/negative scalar tests ");
for (i = 1; i <= 2; i++) {
const BIGNUM *scalars[6];
const EC_POINT *points[6];
fprintf(stdout, i == 1 ?
"allowing precomputation ... " :
"without precomputation ... ");
if (!BN_set_word(n1, i))
ABORT;
/*
* If i == 1, P will be the predefined generator for which
* EC_GROUP_precompute_mult has set up precomputation.
*/
if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
ABORT;
if (!BN_one(n1))
ABORT;
/* n1 = 1 - order */
if (!BN_sub(n1, n1, order))
ABORT;
if (!EC_POINT_mul(group, Q, NULL, P, n1, ctx))
ABORT;
if (0 != EC_POINT_cmp(group, Q, P, ctx))
ABORT;
/* n2 = 1 + order */
if (!BN_add(n2, order, BN_value_one()))
ABORT;
if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
ABORT;
if (0 != EC_POINT_cmp(group, Q, P, ctx))
ABORT;
/* n2 = (1 - order) * (1 + order) = 1 - order^2 */
if (!BN_mul(n2, n1, n2, ctx))
ABORT;
if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
ABORT;
if (0 != EC_POINT_cmp(group, Q, P, ctx))
ABORT;
/* n2 = order^2 - 1 */
BN_set_negative(n2, 0);
if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
ABORT;
/* Add P to verify the result. */
if (!EC_POINT_add(group, Q, Q, P, ctx))
ABORT;
if (!EC_POINT_is_at_infinity(group, Q))
ABORT;
/* Exercise EC_POINTs_mul, including corner cases. */
if (EC_POINT_is_at_infinity(group, P))
ABORT;
scalars[0] = n1;
points[0] = Q; /* => infinity */
scalars[1] = n2;
points[1] = P; /* => -P */
scalars[2] = n1;
points[2] = Q; /* => infinity */
scalars[3] = n2;
points[3] = Q; /* => infinity */
scalars[4] = n1;
points[4] = P; /* => P */
scalars[5] = n2;
points[5] = Q; /* => infinity */
if (!EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
ABORT;
if (!EC_POINT_is_at_infinity(group, P))
ABORT;
}
fprintf(stdout, "ok\n");
EC_POINT_free(P);
EC_POINT_free(Q);
BN_free(n1);
BN_free(n2);
BN_free(order);
BN_CTX_free(ctx);
}
static void prime_field_tests(void)
{
BN_CTX *ctx = NULL;
BIGNUM *p, *a, *b;
EC_GROUP *group;
EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 =
NULL, *P_384 = NULL, *P_521 = NULL;
EC_POINT *P, *Q, *R;
BIGNUM *x, *y, *z;
unsigned char buf[100];
size_t i, len;
int k;
# if 1 /* optional */
ctx = BN_CTX_new();
if (!ctx)
ABORT;
# endif
p = BN_new();
a = BN_new();
b = BN_new();
if (!p || !a || !b)
ABORT;
group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use
* EC_GROUP_new_curve_GFp so
* that the library gets to
* choose the EC_METHOD */
if (!group)
ABORT;
P = EC_POINT_new(group);
Q = EC_POINT_new(group);
R = EC_POINT_new(group);
if (!P || !Q || !R)
ABORT;
x = BN_new();
y = BN_new();
z = BN_new();
if (!x || !y || !z)
ABORT;
/* Curve P-256 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn
(&p,
"FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"))
ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
ABORT;
if (!BN_hex2bn
(&a,
"FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC"))
ABORT;
if (!BN_hex2bn
(&b,
"5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B"))
ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
ABORT;
if (!BN_hex2bn
(&x,
"6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"))
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT;
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
"84F3B9CAC2FC632551"))
ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
ABORT;
fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn
(&z,
"4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"))
ABORT;
if (0 != BN_cmp(y, z))
ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 256)
ABORT;
fprintf(stdout, " ok\n");
group_order_tests(group);
if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group))))
ABORT;
if (!EC_GROUP_copy(P_256, group))
ABORT;
/* Curve P-384 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF"))
ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC"))
ABORT;
if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
"120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF"))
ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
ABORT;
if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
"9859F741E082542A385502F25DBF55296C3A545E3872760AB7"))
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT;
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
ABORT;
fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
"7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"))
ABORT;
if (0 != BN_cmp(y, z))
ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 384)
ABORT;
fprintf(stdout, " ok\n");
group_order_tests(group);
if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group))))
ABORT;
if (!EC_GROUP_copy(P_384, group))
ABORT;
/* Curve P-521 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
ABORT;
if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
ABORT;
if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
"315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
"DF883D2C34F1EF451FD46B503F00"))
ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
ABORT;
if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
"B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
"3C1856A429BF97E7E31C2E5BD66"))
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
ABORT;
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
"C9B8899C47AEBB6FB71E91386409"))
ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
ABORT;
fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
"B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
"7086A272C24088BE94769FD16650"))
ABORT;
if (0 != BN_cmp(y, z))
ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 521)
ABORT;
fprintf(stdout, " ok\n");
group_order_tests(group);
if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group))))
ABORT;
if (!EC_GROUP_copy(P_521, group))
ABORT;
/* more tests using the last curve */
if (!EC_POINT_copy(Q, P))
ABORT;
if (EC_POINT_is_at_infinity(group, Q))
ABORT;
if (!EC_POINT_dbl(group, P, P, ctx))
ABORT;
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!EC_POINT_invert(group, Q, ctx))
ABORT; /* P = -2Q */
if (!EC_POINT_add(group, R, P, Q, ctx))
ABORT;
if (!EC_POINT_add(group, R, R, Q, ctx))
ABORT;
if (!EC_POINT_is_at_infinity(group, R))
ABORT; /* R = P + 2Q */
{
const EC_POINT *points[4];
const BIGNUM *scalars[4];
BIGNUM scalar3;
if (EC_POINT_is_at_infinity(group, Q))
ABORT;
points[0] = Q;
points[1] = Q;
points[2] = Q;
points[3] = Q;
if (!EC_GROUP_get_order(group, z, ctx))
ABORT;
if (!BN_add(y, z, BN_value_one()))
ABORT;
if (BN_is_odd(y))
ABORT;
if (!BN_rshift1(y, y))
ABORT;
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
scalars[1] = y;
fprintf(stdout, "combined multiplication ...");
fflush(stdout);
/* z is still the group order */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
ABORT;
if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx))
ABORT;
if (0 != EC_POINT_cmp(group, R, Q, ctx))
ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0))
ABORT;
if (!BN_add(z, z, y))
ABORT;
BN_set_negative(z, 1);
scalars[0] = y;
scalars[1] = z; /* z = -(order + y) */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
ABORT;
if (!EC_POINT_is_at_infinity(group, P))
ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0))
ABORT;
if (!BN_add(z, x, y))
ABORT;
BN_set_negative(z, 1);
scalars[0] = x;
scalars[1] = y;
scalars[2] = z; /* z = -(x+y) */
BN_init(&scalar3);
BN_zero(&scalar3);
scalars[3] = &scalar3;
if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
ABORT;
if (!EC_POINT_is_at_infinity(group, P))
ABORT;
fprintf(stdout, " ok\n\n");
BN_free(&scalar3);
}
# if 0
timings(P_256, TIMING_BASE_PT, ctx);
timings(P_256, TIMING_RAND_PT, ctx);
timings(P_256, TIMING_SIMUL, ctx);
timings(P_384, TIMING_BASE_PT, ctx);
timings(P_384, TIMING_RAND_PT, ctx);
timings(P_384, TIMING_SIMUL, ctx);
timings(P_521, TIMING_BASE_PT, ctx);
timings(P_521, TIMING_RAND_PT, ctx);
timings(P_521, TIMING_SIMUL, ctx);
# endif
if (ctx)
BN_CTX_free(ctx);
BN_free(p);
BN_free(a);
BN_free(b);
EC_GROUP_free(group);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
BN_free(x);
BN_free(y);
BN_free(z);
if (P_160)
EC_GROUP_free(P_160);
if (P_192)
EC_GROUP_free(P_192);
if (P_224)
EC_GROUP_free(P_224);
if (P_256)
EC_GROUP_free(P_256);
if (P_384)
EC_GROUP_free(P_384);
if (P_521)
EC_GROUP_free(P_521);
}
static void internal_curve_test(void)
{
EC_builtin_curve *curves = NULL;
size_t crv_len = 0, n = 0;
int ok = 1;
crv_len = EC_get_builtin_curves(NULL, 0);
curves = OPENSSL_malloc(sizeof(EC_builtin_curve) * crv_len);
if (curves == NULL)
return;
if (!EC_get_builtin_curves(curves, crv_len)) {
OPENSSL_free(curves);
return;
}
fprintf(stdout, "testing internal curves: ");
for (n = 0; n < crv_len; n++) {
EC_GROUP *group = NULL;
int nid = curves[n].nid;
if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
ok = 0;
fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
" curve %s\n", OBJ_nid2sn(nid));
/* try next curve */
continue;
}
if (!EC_GROUP_check(group, NULL)) {
ok = 0;
fprintf(stdout, "\nEC_GROUP_check() failed with"
" curve %s\n", OBJ_nid2sn(nid));
EC_GROUP_free(group);
/* try the next curve */
continue;
}
fprintf(stdout, ".");
fflush(stdout);
EC_GROUP_free(group);
}
if (ok)
fprintf(stdout, " ok\n\n");
else {
fprintf(stdout, " failed\n\n");
ABORT;
}
OPENSSL_free(curves);
return;
}
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
/*
* nistp_test_params contains magic numbers for testing our optimized
* implementations of several NIST curves with characteristic > 3.
*/
struct nistp_test_params {
const EC_METHOD *(*meth) ();
int degree;
/*
* Qx, Qy and D are taken from
* http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
* Otherwise, values are standard curve parameters from FIPS 180-3
*/
const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
};
static const struct nistp_test_params nistp_tests_params[] = {
{
/* P-256 */
EC_GFp_nistp256_method,
256,
/* p */
"ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
/* a */
"ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
/* b */
"5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
/* Qx */
"b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
/* Qy */
"3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
/* Gx */
"6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
/* Gy */
"4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
/* order */
"ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
/* d */
"c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
},
{
/* P-521 */
EC_GFp_nistp521_method,
521,
/* p */
"1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
/* a */
"1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
/* b */
"051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
/* Qx */
"0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
/* Qy */
"0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
/* Gx */
"c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
/* Gy */
"11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
/* order */
"1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
/* d */
"0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
},
};
static void nistp_single_test(const struct nistp_test_params *test)
{
BN_CTX *ctx;
BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
EC_GROUP *NISTP;
EC_POINT *G, *P, *Q, *Q_CHECK;
fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n",
test->degree);
ctx = BN_CTX_new();
p = BN_new();
a = BN_new();
b = BN_new();
x = BN_new();
y = BN_new();
m = BN_new();
n = BN_new();
order = BN_new();
NISTP = EC_GROUP_new(test->meth());
if (!NISTP)
ABORT;
if (!BN_hex2bn(&p, test->p))
ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
ABORT;
if (!BN_hex2bn(&a, test->a))
ABORT;
if (!BN_hex2bn(&b, test->b))
ABORT;
if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx))
ABORT;
G = EC_POINT_new(NISTP);
P = EC_POINT_new(NISTP);
Q = EC_POINT_new(NISTP);
Q_CHECK = EC_POINT_new(NISTP);
if (!BN_hex2bn(&x, test->Qx))
ABORT;
if (!BN_hex2bn(&y, test->Qy))
ABORT;
if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx))
ABORT;
if (!BN_hex2bn(&x, test->Gx))
ABORT;
if (!BN_hex2bn(&y, test->Gy))
ABORT;
if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx))
ABORT;
if (!BN_hex2bn(&order, test->order))
ABORT;
if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
ABORT;
fprintf(stdout, "verify degree ... ");
if (EC_GROUP_get_degree(NISTP) != test->degree)
ABORT;
fprintf(stdout, "ok\n");
fprintf(stdout, "NIST test vectors ... ");
if (!BN_hex2bn(&n, test->d))
ABORT;
/* fixed point multiplication */
EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
ABORT;
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
ABORT;
/* set generator to P = 2*G, where G is the standard generator */
if (!EC_POINT_dbl(NISTP, P, G, ctx))
ABORT;
if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
ABORT;
/* set the scalar to m=n/2, where n is the NIST test scalar */
if (!BN_rshift(m, n, 1))
ABORT;
/* test the non-standard generator */
/* fixed point multiplication */
EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
ABORT;
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
ABORT;
/*
* We have not performed precomputation so have_precompute mult should be
* false
*/
if (EC_GROUP_have_precompute_mult(NISTP))
ABORT;
/* now repeat all tests with precomputation */
if (!EC_GROUP_precompute_mult(NISTP, ctx))
ABORT;
if (!EC_GROUP_have_precompute_mult(NISTP))
ABORT;
/* fixed point multiplication */
EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
ABORT;
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
ABORT;
/* reset generator */
if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
ABORT;
/* fixed point multiplication */
EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
ABORT;
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
ABORT;
fprintf(stdout, "ok\n");
group_order_tests(NISTP);
# if 0
timings(NISTP, TIMING_BASE_PT, ctx);
timings(NISTP, TIMING_RAND_PT, ctx);
# endif
EC_GROUP_free(NISTP);
EC_POINT_free(G);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(Q_CHECK);
BN_free(n);
BN_free(m);
BN_free(p);
BN_free(a);
BN_free(b);
BN_free(x);
BN_free(y);
BN_free(order);
BN_CTX_free(ctx);
}
static void nistp_tests()
{
unsigned i;
for (i = 0;
i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params);
i++) {
nistp_single_test(&nistp_tests_params[i]);
}
}
# endif
static const char rnd_seed[] =
"string to make the random number generator think it has entropy";
int main(int argc, char *argv[])
{
/* enable memory leak checking unless explicitly disabled */
if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL)
&& (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) {
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
} else {
/* OPENSSL_DEBUG_MEMORY=off */
CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
}
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
ERR_load_crypto_strings();
RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
prime_field_tests();
puts("");
# ifndef OPENSSL_NO_EC2M
char2_field_tests();
# endif
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
nistp_tests();
# endif
/* test the internal curves */
internal_curve_test();
# ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
# endif
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_thread_state(NULL);
CRYPTO_mem_leaks_fp(stderr);
return 0;
}
#endif

@ -0,0 +1,47 @@
#!/bin/sh
# Quit out if anything fails.
set -e
# Clean out patent-or-otherwise-encumbered code.
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
# EC: ????????? ??/??/2020
# SRP: ????????? ??/??/20??
# Remove assembler portions of IDEA, MDC2, and RC5.
# (find crypto/rc5/asm -type f | xargs -r rm -fv)
# SRP.
for a in srp; do
for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
echo Destroying $c
> $c
done
done
for c in `find crypto/bn -name "*gf2m.c"`; do
echo Destroying $c
> $c
done
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp22?.c" -o -name "ectest.c"`; do
echo Destroying $c
> $c
done
for h in `find crypto ssl apps test -name "*.h"` ; do
echo Removing SRP and EC2M references from $h
cat $h | \
awk 'BEGIN {ech=1;} \
/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
/^#[ \t]*if/ {if(ech < 1) ech--;} \
{if(ech>0) {;print $0};} \
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
mv $h.hobbled $h
done
# Make the makefiles happy.
# touch crypto/rc5/asm/rc5-586.pl

@ -0,0 +1,28 @@
#!/bin/sh
umask 077
answers() {
echo --
echo SomeState
echo SomeCity
echo SomeOrganization
echo SomeOrganizationalUnit
echo localhost.localdomain
echo root@localhost.localdomain
}
if [ $# -eq 0 ] ; then
echo $"Usage: `basename $0` filename [...]"
exit 0
fi
for target in $@ ; do
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
trap "rm -f $PEM1 $PEM2" SIGINT
answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
cat $PEM1 > ${target}
echo "" >> ${target}
cat $PEM2 >> ${target}
rm -f $PEM1 $PEM2
done

@ -0,0 +1,10 @@
--- crypto/fips/fips.c.orig 2010-10-07 23:33:08.293664062 +0200
+++ crypto/fips/fips.c 2010-10-07 23:33:20.723360688 +0200
@@ -57,7 +57,6 @@
#include <openssl/rsa.h>
#include <string.h>
#include <limits.h>
-#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include "fips_locl.h"

@ -0,0 +1,97 @@
--- openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.orig 2012-11-03 18:59:03.620066556 +0100
+++ openssl-1.0.1c/crypto/fips/fips_rand_selftest.c 2012-11-03 19:57:33.156686682 +0100
@@ -47,6 +47,8 @@
*
*/
+#ifdef OPENSSL_FIPS
+
#include <string.h>
#include <openssl/err.h>
#include <openssl/fips.h>
@@ -54,8 +56,6 @@
#include <openssl/fips_rand.h>
#include "fips_locl.h"
-#ifdef OPENSSL_FIPS
-
typedef struct {
unsigned char DT[16];
unsigned char V[16];
--- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.orig 2012-11-03 20:03:20.546180631 +0100
+++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c 2012-11-03 20:03:46.069328396 +0100
@@ -47,6 +47,8 @@
*
*/
+#ifdef OPENSSL_FIPS
+
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/dsa.h>
@@ -56,8 +58,6 @@
#include <openssl/bn.h>
#include "fips_locl.h"
-#ifdef OPENSSL_FIPS
-
static const unsigned char dsa_test_2048_p[] = {
0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
--- openssl-1.0.1c/crypto/fips/fips_rand.c.orig 2012-11-03 20:07:49.956891942 +0100
+++ openssl-1.0.1c/crypto/fips/fips_rand.c 2012-11-03 20:08:14.260048118 +0100
@@ -47,6 +47,8 @@
*
*/
+#ifdef OPENSSL_FIPS
+
/*
* This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
*/
@@ -82,8 +84,6 @@
#include <openssl/fips.h>
#include "fips_locl.h"
-#ifdef OPENSSL_FIPS
-
void *OPENSSL_stderr(void);
# define AES_BLOCK_LENGTH 16
--- openssl-1.0.1c/crypto/rand/md_rand.c.orig 2012-11-03 20:19:31.461754618 +0100
+++ openssl-1.0.1c/crypto/rand/md_rand.c 2012-11-03 20:20:58.294282662 +0100
@@ -394,7 +394,11 @@
/* always poll for external entropy in FIPS mode, drbg provides the
* expansion
*/
+#ifdef OPENSSL_FIPS
if (!initialized || FIPS_module_mode()) {
+#else
+ if (!initialized) {
+#endif
RAND_poll();
initialized = 1;
}
--- openssl-1.0.1c/crypto/opensslconf.h.in 2012-11-09 20:34:03.434391630 +0100
+++ openssl-1.0.1c/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100
@@ -1,20 +1,5 @@
/* crypto/opensslconf.h.in */
-#ifdef OPENSSL_DOING_MAKEDEPEND
-
-/* Include any symbols here that have to be explicitly set to enable a feature
- * that should be visible to makedepend.
- *
- * [Our "make depend" doesn't actually look at this, we use actual build settings
- * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
- */
-
-#ifndef OPENSSL_FIPS
-#define OPENSSL_FIPS
-#endif
-
-#endif
-
/* Generate 80386 code? */
#undef I386_ONLY

@ -0,0 +1,50 @@
diff -up openssl-1.0.0-beta3/Makefile.org.mingw-libversion openssl-1.0.0-beta3/Makefile.org
--- openssl-1.0.0-beta3/Makefile.org.mingw-libversion 2009-08-29 22:44:10.000000000 +0300
+++ openssl-1.0.0-beta3/Makefile.org 2009-08-29 22:45:42.000000000 +0300
@@ -542,8 +542,8 @@ install_sw:
fi ); \
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
( case $$i in \
- *crypto*) i=libeay32.dll;; \
- *ssl*) i=ssleay32.dll;; \
+ *crypto*) i=libcrypto-$(SHLIB_SONAMEVER).dll;; \
+ *ssl*) i=libssl-$(SHLIB_SONAMEVER).dll;; \
esac; \
echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
diff -up openssl-1.0.0-beta3/Makefile.shared.mingw-libversion openssl-1.0.0-beta3/Makefile.shared
--- openssl-1.0.0-beta3/Makefile.shared.mingw-libversion 2009-08-29 22:33:22.000000000 +0300
+++ openssl-1.0.0-beta3/Makefile.shared 2009-08-29 22:33:22.000000000 +0300
@@ -47,7 +47,7 @@ LIBEXTRAS=
# LIBVERSION contains the current version of the library.
# For example, to build libfoo.so.1.2, you need to do the following:
#LIBVERSION=1.2
-LIBVERSION=
+LIBVERSION=10
# LIBCOMPATVERSIONS contains the compatibility versions (a list) of
# the library. They MUST be in decreasing order.
@@ -250,7 +250,7 @@ link_o.cygwin:
base=-Wl,--enable-auto-image-base; \
deffile=; \
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
- SHLIB=$(LIBNAME)eay32; base=; \
+ SHLIB=lib$(LIBNAME); base=; \
if test -f $(LIBNAME)eay32.def; then \
deffile=$(LIBNAME)eay32.def; \
fi; \
@@ -282,13 +282,7 @@
dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; extras=; \
base=-Wl,--enable-auto-image-base; \
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
- case $(LIBNAME) in \
- crypto) SHLIB=libeay;; \
- ssl) SHLIB=ssleay;; \
- esac; \
- SHLIB_SOVER=32; \
- extras="$(LIBNAME).def"; \
- $(PERL) util/mkdef.pl 32 $$SHLIB > $$extras; \
+ SHLIB=lib$(LIBNAME); \
base=; [ $(LIBNAME) = "crypto" -a -n "$(FIPSCANLIB)" ] && base=-Wl,--image-base,0x63000000; \
fi; \
dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \

@ -0,0 +1,14 @@
--- openssl-1.0.2a/engines/Makefile.enginesdir 2015-03-19 14:31:14.000000000 +0100
+++ openssl-1.0.2a/engines/Makefile 2015-04-24 18:27:12.875788913 +0200
@@ -111,7 +111,10 @@
for l in $(LIBNAMES); do \
( echo installing $$l; \
pfx=lib; \
- if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
+ if [ "$(PLATFORM)" = "mingw" ]; then \
+ sfx=.dll; \
+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
+ elif expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
sfx=".so"; \
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
else \

@ -0,0 +1,36 @@
diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
--- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir 2006-04-28 02:30:49.000000000 +0200
+++ openssl-1.0.0-beta4/apps/CA.pl.in 2009-11-12 12:33:13.000000000 +0100
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
$X509="$openssl x509";
$PKCS12="$openssl pkcs12";
-$CATOP="./demoCA";
+$CATOP="/etc/pki/CA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";
diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
--- openssl-1.0.0-beta4/apps/CA.sh.ca-dir 2009-10-15 19:27:47.000000000 +0200
+++ openssl-1.0.0-beta4/apps/CA.sh 2009-11-12 12:35:14.000000000 +0100
@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
+if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
--- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir 2009-11-12 12:33:13.000000000 +0100
+++ openssl-1.0.0-beta4/apps/openssl.cnf 2009-11-12 12:33:13.000000000 +0100
@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.

@ -0,0 +1,21 @@
diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org
--- openssl-1.0.0/Makefile.org.timezone 2010-03-30 11:08:40.000000000 +0200
+++ openssl-1.0.0/Makefile.org 2010-04-06 12:49:21.000000000 +0200
@@ -609,7 +609,7 @@ install_docs:
sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$$pod2man \
+ sh -c "TZ=UTC $$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
@@ -626,7 +626,7 @@ install_docs:
sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$$pod2man \
+ sh -c "TZ=UTC $$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \

@ -0,0 +1,12 @@
diff -up openssl-1.0.1c/crypto/modes/Makefile.aliasing openssl-1.0.1c/crypto/modes/Makefile
--- openssl-1.0.1c/crypto/modes/Makefile.aliasing 2011-08-12 00:36:17.000000000 +0200
+++ openssl-1.0.1c/crypto/modes/Makefile 2012-07-13 11:32:10.767829077 +0200
@@ -12,7 +12,7 @@ AR= ar r
MODES_ASM_OBJ=
-CFLAGS= $(INCLUDES) $(CFLAG)
+CFLAGS= $(INCLUDES) $(CFLAG) -fno-strict-aliasing
ASFLAGS= $(INCLUDES) $(ASFLAG)
AFLAGS= $(ASFLAGS)

@ -0,0 +1,16 @@
diff -up openssl-1.0.1c/util/perlpath.pl.perlfind openssl-1.0.1c/util/perlpath.pl
--- openssl-1.0.1c/util/perlpath.pl.perlfind 2012-07-11 22:57:33.000000000 +0200
+++ openssl-1.0.1c/util/perlpath.pl 2012-07-12 00:31:12.102156275 +0200
@@ -4,10 +4,10 @@
# line in all scripts that rely on perl.
#
-require "find.pl";
+use File::Find;
$#ARGV == 0 || print STDERR "usage: perlpath newpath (eg /usr/bin)\n";
-&find(".");
+find(\&wanted, ".");
sub wanted
{

@ -0,0 +1,77 @@
diff -up openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod
--- openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
+++ openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod 2014-08-07 11:18:01.290773970 +0200
@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
-function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
+function. B<type> will typically be supplied by a function such as EVP_sha1().
If B<impl> is NULL then the default implementation of digest B<type> is used.
EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
@@ -164,7 +164,8 @@ corresponding OBJECT IDENTIFIER or NID_u
EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
EVP_MD_CTX_block_size() return the digest or block size in bytes.
-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
+EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
corresponding EVP_MD structures.
diff -up openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod
--- openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
+++ openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod 2014-08-07 10:55:25.100638252 +0200
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+ const EVP_CIPHER *EVP_des_ede3(void);
+ const EVP_CIPHER *EVP_des_ede3_ecb(void);
+ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
+ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
+ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
+ const EVP_CIPHER *EVP_des_ede3_ofb(void);
+ const EVP_CIPHER *EVP_des_ede3_cbc(void);
+ const EVP_CIPHER *EVP_aes_128_ecb(void);
+ const EVP_CIPHER *EVP_aes_128_cbc(void);
+ const EVP_CIPHER *EVP_aes_128_cfb1(void);
+ const EVP_CIPHER *EVP_aes_128_cfb8(void);
+ const EVP_CIPHER *EVP_aes_128_cfb128(void);
+ const EVP_CIPHER *EVP_aes_128_ofb(void);
+ const EVP_CIPHER *EVP_aes_192_ecb(void);
+ const EVP_CIPHER *EVP_aes_192_cbc(void);
+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
+ const EVP_CIPHER *EVP_aes_192_cfb8(void);
+ const EVP_CIPHER *EVP_aes_192_cfb128(void);
+ const EVP_CIPHER *EVP_aes_192_ofb(void);
+ const EVP_CIPHER *EVP_aes_256_ecb(void);
+ const EVP_CIPHER *EVP_aes_256_cbc(void);
+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
+ const EVP_CIPHER *EVP_aes_256_cfb8(void);
+ const EVP_CIPHER *EVP_aes_256_cfb128(void);
+ const EVP_CIPHER *EVP_aes_256_ofb(void);
+
=head1 DESCRIPTION
The EVP cipher routines are a high level interface to certain
@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
DESX algorithm in CBC mode.
+=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
+
+AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
+
+=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
+
+AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
+
+=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
+
+AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
+
=item EVP_rc4(void)
RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.

@ -0,0 +1,110 @@
diff -up openssl-1.0.2a/apps/ca.c.dgst openssl-1.0.2a/apps/ca.c
--- openssl-1.0.2a/apps/ca.c.dgst 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/ca.c 2015-04-21 17:01:38.841551616 +0200
@@ -157,7 +157,7 @@ static const char *ca_usage[] = {
" -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
" -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
" -days arg - number of days to certify the certificate for\n",
- " -md arg - md to use, one of md2, md5, sha or sha1\n",
+ " -md arg - md to use, see openssl dgst -h for list\n",
" -policy arg - The CA 'policy' to support\n",
" -keyfile arg - private key file\n",
" -keyform arg - private key file format (PEM or ENGINE)\n",
diff -up openssl-1.0.2a/apps/enc.c.dgst openssl-1.0.2a/apps/enc.c
--- openssl-1.0.2a/apps/enc.c.dgst 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/apps/enc.c 2015-04-21 17:01:38.841551616 +0200
@@ -294,7 +294,7 @@ int MAIN(int argc, char **argv)
"%-14s the next argument is the md to use to create a key\n",
"-md");
BIO_printf(bio_err,
- "%-14s from a passphrase. One of md2, md5, sha or sha1\n",
+ "%-14s from a passphrase. See openssl dgst -h for list.\n",
"");
BIO_printf(bio_err, "%-14s salt in hex is the next argument\n",
"-S");
diff -up openssl-1.0.2a/apps/req.c.dgst openssl-1.0.2a/apps/req.c
--- openssl-1.0.2a/apps/req.c.dgst 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/apps/req.c 2015-04-21 17:01:38.842551640 +0200
@@ -414,7 +414,7 @@ int MAIN(int argc, char **argv)
" -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
#endif
BIO_printf(bio_err,
- " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
+ " -[digest] Digest to sign with (see openssl dgst -h for list)\n");
BIO_printf(bio_err, " -config file request template file.\n");
BIO_printf(bio_err,
" -subj arg set or modify request subject\n");
diff -up openssl-1.0.2a/apps/ts.c.dgst openssl-1.0.2a/apps/ts.c
--- openssl-1.0.2a/apps/ts.c.dgst 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/apps/ts.c 2015-04-21 17:01:38.842551640 +0200
@@ -337,7 +337,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "usage:\n"
"ts -query [-rand file%cfile%c...] [-config configfile] "
"[-data file_to_hash] [-digest digest_bytes]"
- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
+ "[-<hashalg>] "
"[-policy object_id] [-no_nonce] [-cert] "
"[-in request.tsq] [-out request.tsq] [-text]\n",
LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
diff -up openssl-1.0.2a/apps/x509.c.dgst openssl-1.0.2a/apps/x509.c
--- openssl-1.0.2a/apps/x509.c.dgst 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/x509.c 2015-04-21 17:01:38.842551640 +0200
@@ -141,7 +141,7 @@ static const char *x509_usage[] = {
" -set_serial - serial number to use\n",
" -text - print the certificate in text form\n",
" -C - print out C code forms\n",
- " -md2/-md5/-sha1/-mdc2 - digest to use\n",
+ " -<dgst> - digest to use, see openssl dgst -h output for list\n",
" -extfile - configuration file with X509V3 extensions to add\n",
" -extensions - section from config file with X509V3 extensions to add\n",
" -clrext - delete extensions before signing and input certificate\n",
diff -up openssl-1.0.2a/doc/apps/ca.pod.dgst openssl-1.0.2a/doc/apps/ca.pod
--- openssl-1.0.2a/doc/apps/ca.pod.dgst 2015-01-20 13:33:36.000000000 +0100
+++ openssl-1.0.2a/doc/apps/ca.pod 2015-04-21 17:01:38.842551640 +0200
@@ -168,7 +168,8 @@ the number of days to certify the certif
=item B<-md alg>
the message digest to use. Possible values include md5, sha1 and mdc2.
-This option also applies to CRLs.
+For full list of digests see openssl dgst -h output. This option also
+applies to CRLs.
=item B<-policy arg>
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.dgst openssl-1.0.2a/doc/apps/ocsp.pod
--- openssl-1.0.2a/doc/apps/ocsp.pod.dgst 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-21 17:01:38.842551640 +0200
@@ -219,7 +219,8 @@ check is not performed.
=item B<-md5|-sha1|-sha256|-ripemod160|...>
this option sets digest algorithm to use for certificate identification
-in the OCSP request. By default SHA-1 is used.
+in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
+the list of available algorithms.
=back
diff -up openssl-1.0.2a/doc/apps/req.pod.dgst openssl-1.0.2a/doc/apps/req.pod
--- openssl-1.0.2a/doc/apps/req.pod.dgst 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/doc/apps/req.pod 2015-04-21 17:01:38.843551664 +0200
@@ -201,7 +201,8 @@ will not be encrypted.
this specifies the message digest to sign the request with (such as
B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
-the configuration file.
+the configuration file. For full list of possible digests see openssl
+dgst -h output.
Some public key algorithms may override this choice. For instance, DSA
signatures always use SHA1, GOST R 34.10 signatures always use
diff -up openssl-1.0.2a/doc/apps/x509.pod.dgst openssl-1.0.2a/doc/apps/x509.pod
--- openssl-1.0.2a/doc/apps/x509.pod.dgst 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/doc/apps/x509.pod 2015-04-21 17:01:38.843551664 +0200
@@ -107,6 +107,7 @@ the digest to use. This affects any sign
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
specified then SHA1 is used. If the key being used to sign with is a DSA key
then this option has no effect: SHA1 is always used with DSA keys.
+For full list of digests see openssl dgst -h output.
=item B<-engine id>

@ -0,0 +1,46 @@
diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.compat openssl-1.0.2a/crypto/dsa/dsa_key.c
--- openssl-1.0.2a/crypto/dsa/dsa_key.c.compat 2015-04-09 18:21:11.687977858 +0200
+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-09 18:21:07.869889659 +0200
@@ -68,6 +68,11 @@
# include <openssl/fips.h>
# include <openssl/evp.h>
+/* just a compatibility symbol - no-op */
+void FIPS_corrupt_dsa_keygen(void)
+{
+}
+
static int fips_check_dsa(DSA *dsa)
{
EVP_PKEY *pk;
diff -up openssl-1.0.2a/crypto/engine/eng_all.c.compat openssl-1.0.2a/crypto/engine/eng_all.c
--- openssl-1.0.2a/crypto/engine/eng_all.c.compat 2015-04-09 18:21:11.688977881 +0200
+++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-09 18:21:09.159919459 +0200
@@ -63,6 +63,11 @@
# include <openssl/fips.h>
#endif
+/* just backwards compatibility symbol - no-op */
+void ENGINE_load_aesni(void)
+{
+}
+
void ENGINE_load_builtin_engines(void)
{
/* Some ENGINEs need this */
diff -up openssl-1.0.2a/crypto/fips/fips.c.compat openssl-1.0.2a/crypto/fips/fips.c
--- openssl-1.0.2a/crypto/fips/fips.c.compat 2015-04-09 18:21:11.689977904 +0200
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-09 18:21:09.925937154 +0200
@@ -113,6 +113,12 @@ int FIPS_module_mode(void)
return ret;
}
+/* just a compat symbol - return NULL */
+const void *FIPS_rand_check(void)
+{
+ return NULL;
+}
+
int FIPS_selftest_failed(void)
{
int ret = 0;

@ -0,0 +1,60 @@
diff -up openssl-1.0.2a/apps/openssl.cnf.defaults openssl-1.0.2a/apps/openssl.cnf
--- openssl-1.0.2a/apps/openssl.cnf.defaults 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/openssl.cnf 2015-04-20 14:37:10.112271850 +0200
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
+default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@@ -104,6 +104,7 @@ emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
+default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
@@ -126,17 +127,18 @@ string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+#stateOrProvinceName_default = Default Province
localityName = Locality Name (eg, city)
+localityName_default = Default City
0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = Default Company Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
-commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = md5, sha1 # Acceptable message digests (mandatory)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?

@ -0,0 +1,23 @@
diff -up openssl-1.0.2a/ssl/dtls1.h.dtls1-abi openssl-1.0.2a/ssl/dtls1.h
--- openssl-1.0.2a/ssl/dtls1.h.dtls1-abi 2015-04-21 10:49:57.984781143 +0200
+++ openssl-1.0.2a/ssl/dtls1.h 2015-04-21 16:41:37.835164264 +0200
@@ -214,9 +214,6 @@ typedef struct dtls1_state_st {
* loss.
*/
record_pqueue buffered_app_data;
- /* Is set when listening for new connections with dtls1_listen() */
- unsigned int listen;
- unsigned int link_mtu; /* max on-the-wire DTLS packet size */
unsigned int mtu; /* max DTLS packet size */
struct hm_header_st w_msg_hdr;
struct hm_header_st r_msg_hdr;
@@ -241,6 +238,9 @@ typedef struct dtls1_state_st {
* Cleared after the message has been processed.
*/
unsigned int change_cipher_spec_ok;
+ /* Is set when listening for new connections with dtls1_listen() */
+ unsigned int listen;
+ unsigned int link_mtu; /* max on-the-wire DTLS packet size */
# ifndef OPENSSL_NO_SCTP
/* used when SSL_ST_XX_FLUSH is entered */
int next_state;

@ -0,0 +1,39 @@
diff -up openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
--- openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2015-04-09 18:17:20.509637597 +0200
+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-09 18:17:14.767504953 +0200
@@ -47,6 +47,13 @@ Once the identities of the compression m
been standardized, the compression API will most likely be changed. Using
it in the current state is not recommended.
+It is also not recommended to use compression if data transfered contain
+untrusted parts that can be manipulated by an attacker as he could then
+get information about the encrypted data. See the CRIME attack. For
+that reason the default loading of the zlib compression method is
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
+is present during the library initialization.
+
=head1 RETURN VALUES
SSL_COMP_add_compression_method() may return the following values:
diff -up openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib openssl-1.0.2a/ssl/ssl_ciph.c
--- openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib 2015-04-09 18:17:20.510637620 +0200
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-09 18:17:20.264631937 +0200
@@ -140,6 +140,8 @@
* OTHERWISE.
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <openssl/objects.h>
#ifndef OPENSSL_NO_COMP
@@ -450,7 +452,8 @@ static void load_builtin_compressions(vo
MemCheck_off();
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
- if (ssl_comp_methods != NULL) {
+ if (ssl_comp_methods != NULL
+ && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL) {
comp->method = COMP_zlib();

@ -0,0 +1,21 @@
diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.2a/crypto/md5/md5_dgst.c
--- openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow 2015-04-09 18:18:36.505393113 +0200
+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-09 18:18:32.408298469 +0200
@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
-nonfips_md_init(MD5)
+int MD5_Init(MD5_CTX *c)
+#ifdef OPENSSL_FIPS
+{
+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
+ return private_MD5_Init(c);
+}
+
+int private_MD5_Init(MD5_CTX *c)
+#endif
{
memset(c, 0, sizeof(*c));
c->A = INIT_DATA_A;

@ -0,0 +1,11 @@
diff -up openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1k/crypto/x509/x509_cmp.c
--- openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash 2015-04-09 18:16:03.349855193 +0200
+++ openssl-1.0.1k/crypto/x509/x509_cmp.c 2015-04-09 18:16:00.616792058 +0200
@@ -86,6 +86,7 @@ unsigned long X509_issuer_and_serial_has
char *f;
EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
goto err;

@ -0,0 +1,12 @@
diff -up openssl-1.0.2a/Makefile.shared.no-rpath openssl-1.0.2a/Makefile.shared
--- openssl-1.0.2a/Makefile.shared.no-rpath 2015-04-09 18:14:39.647921663 +0200
+++ openssl-1.0.2a/Makefile.shared 2015-04-09 18:14:34.423800985 +0200
@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
#This is rather special. It's a special target with which one can link
#applications without bothering with any features that have anything to

@ -0,0 +1,198 @@
diff -up openssl-1.0.2a/engines/e_padlock.c.padlock64 openssl-1.0.2a/engines/e_padlock.c
--- openssl-1.0.2a/engines/e_padlock.c.padlock64 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/engines/e_padlock.c 2015-04-22 16:23:44.105617468 +0200
@@ -101,7 +101,10 @@
*/
# undef COMPILE_HW_PADLOCK
# if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+# if (defined(__GNUC__) && __GNUC__>=2 && \
+ (defined(__i386__) || defined(__i386) || \
+ defined(__x86_64__) || defined(__x86_64)) \
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
# endif
@@ -140,7 +143,7 @@ void ENGINE_load_padlock(void)
# endif
# elif defined(__GNUC__)
# ifndef alloca
-# define alloca(s) __builtin_alloca(s)
+# define alloca(s) __builtin_alloca((s))
# endif
# endif
@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_da
* =======================================================
*/
# if defined(__GNUC__) && __GNUC__>=2
+# if defined(__i386__) || defined(__i386)
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
@@ -379,22 +383,6 @@ static int padlock_available(void)
return padlock_use_ace + padlock_use_rng;
}
-# ifndef OPENSSL_NO_AES
-# ifndef AES_ASM
-/* Our own htonl()/ntohl() */
-static inline void padlock_bswapl(AES_KEY *ks)
-{
- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
- unsigned int *key = ks->rd_key;
-
- while (i--) {
- asm volatile ("bswapl %0":"+r" (*key));
- key++;
- }
-}
-# endif
-# endif
-
/*
* Force key reload from memory to the CPU microcode. Loading EFLAGS from the
* stack clears EFLAGS[30] which does the trick.
@@ -404,7 +392,7 @@ static inline void padlock_reload_key(vo
asm volatile ("pushfl; popfl");
}
-# ifndef OPENSSL_NO_AES
+# ifndef OPENSSL_NO_AES
/*
* This is heuristic key context tracing. At first one
* believes that one should use atomic swap instructions,
@@ -448,6 +436,101 @@ static inline void *name(size_t cnt,
: "edx", "cc", "memory"); \
return iv; \
}
+# endif
+
+# elif defined(__x86_64__) || defined(__x86_64)
+
+/* Load supported features of the CPU to see if
+ the PadLock is available. */
+static int padlock_available(void)
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
+
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
+ asm volatile ("cpuid\n"
+ "movl %%ebx,(%1)\n"
+ "movl %%edx,4(%1)\n"
+ "movl %%ecx,8(%1)\n":"+a" (eax):"r"(vendor_string):"rbx",
+ "rcx", "rdx");
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
+ return 0;
+
+ /* Check for Centaur Extended Feature Flags presence */
+ eax = 0xC0000000;
+ asm volatile ("cpuid":"+a" (eax)::"rbx", "rcx", "rdx");
+ if (eax < 0xC0000001)
+ return 0;
+
+ /* Read the Centaur Extended Feature Flags */
+ eax = 0xC0000001;
+ asm volatile ("cpuid":"+a" (eax), "=d"(edx)::"rbx", "rcx");
+
+ /* Fill up some flags */
+ padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
+ padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
+
+ return padlock_use_ace + padlock_use_rng;
+}
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
+static inline void padlock_reload_key(void)
+{
+ asm volatile ("pushfq; popfq");
+}
+
+# ifndef OPENSSL_NO_AES
+/*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+ * but it's not actually necessary. Point is that if
+ * padlock_saved_context was changed by another thread
+ * after we've read it and before we compare it with cdata,
+ * our key *shall* be reloaded upon thread context switch
+ * and we are therefore set in either case...
+ */
+static inline void padlock_verify_context(struct padlock_cipher_data *cdata)
+{
+ asm volatile ("pushfq\n"
+ " btl $30,(%%rsp)\n"
+ " jnc 1f\n"
+ " cmpq %2,%1\n"
+ " je 1f\n"
+ " popfq\n"
+ " subq $8,%%rsp\n"
+ "1: addq $8,%%rsp\n"
+ " movq %2,%0":"+m" (padlock_saved_context)
+ :"r"(padlock_saved_context), "r"(cdata):"cc");
+}
+
+/* Template for padlock_xcrypt_* modes */
+/* BIG FAT WARNING:
+ * The offsets used with 'leal' instructions
+ * describe items of the 'padlock_cipher_data'
+ * structure.
+ */
+# define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
+static inline void *name(size_t cnt, \
+ struct padlock_cipher_data *cdata, \
+ void *out, const void *inp) \
+{ void *iv; \
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
+ " leaq 32(%0),%%rbx\n" \
+ rep_xcrypt "\n" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
+ : "rbx", "rdx", "cc", "memory"); \
+ return iv; \
+}
+# endif
+
+# endif /* cpu */
+
+# ifndef OPENSSL_NO_AES
/* Generate all functions with appropriate opcodes */
/* rep xcryptecb */
@@ -458,6 +541,20 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, "
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
/* rep xcryptofb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
+
+# ifndef AES_ASM
+/* Our own htonl()/ntohl() */
+static inline void padlock_bswapl(AES_KEY *ks)
+{
+ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+ unsigned int *key = ks->rd_key;
+
+ while (i--) {
+ asm volatile ("bswapl %0":"+r" (*key));
+ key++;
+ }
+}
+# endif
# endif
/* The RNG call itself */
static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
@@ -485,8 +582,8 @@ static inline unsigned int padlock_xstor
static inline unsigned char *padlock_memcpy(void *dst, const void *src,
size_t n)
{
- long *d = dst;
- const long *s = src;
+ size_t *d = dst;
+ const size_t *s = src;
n /= sizeof(*d);
do {

@ -0,0 +1,50 @@
diff -up openssl-1.0.2a/README.warning openssl-1.0.2a/README
--- openssl-1.0.2a/README.warning 2015-03-20 16:00:47.000000000 +0100
+++ openssl-1.0.2a/README 2015-03-21 09:06:11.000000000 +0100
@@ -5,6 +5,46 @@
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
+ WARNING
+ -------
+
+ This version of OpenSSL is built in a way that supports operation in
+ the so called FIPS mode. Note though that the library as we build it
+ is not FIPS 140-2 validated and the FIPS mode is present for testing
+ purposes only.
+
+ This version also contains a few differences from the upstream code
+ some of which are:
+ * The FIPS validation support is significantly different from the
+ upstream FIPS support. For example the FIPS integrity verification
+ check is implemented differently as the FIPS module is built inside
+ the shared library. The HMAC-SHA256 checksums of the whole shared
+ libraries are verified. Also note that the FIPS integrity
+ verification check requires that the libcrypto and libssl shared
+ library files are unmodified which means that it will fail if these
+ files are changed for example by prelink.
+ * If the file /etc/system-fips is present the integrity verification
+ and selftests of the crypto algorithms are run inside the library
+ constructor code.
+ * With the /etc/system-fips present the module respects the kernel
+ FIPS flag /proc/sys/crypto/fips and tries to initialize the FIPS mode
+ if it is set to 1 aborting if the FIPS mode could not be initialized.
+ With the /etc/system-fips present it is also possible to force the
+ OpenSSL library to FIPS mode especially for debugging purposes by
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
+ will not automatically load the built in compression method ZLIB
+ when initialized. Applications can still explicitely ask for ZLIB
+ compression method.
+ * The library was patched so the certificates, CRLs and other objects
+ signed with use of MD5 fail verification as the MD5 is too insecure
+ to be used for signatures. If the environment variable
+ OPENSSL_ENABLE_MD5_VERIFY is set, the verification can proceed
+ normally.
+ * If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set,
+ the library will not allow generation of DSA and RSA keys with
+ other lengths than specified in the FIPS 186-4 standard.
+
DESCRIPTION
-----------

@ -0,0 +1,21 @@
diff -up openssl-1.0.2a/ssl/ssltest.c.use-localhost openssl-1.0.2a/ssl/ssltest.c
--- openssl-1.0.2a/ssl/ssltest.c.use-localhost 2015-04-20 14:43:07.172601663 +0200
+++ openssl-1.0.2a/ssl/ssltest.c 2015-04-20 14:45:02.831299849 +0200
@@ -1516,16 +1516,7 @@ int main(int argc, char *argv[])
#ifndef OPENSSL_NO_KRB5
if (c_ssl && c_ssl->kssl_ctx) {
- char localhost[MAXHOSTNAMELEN + 2];
-
- if (gethostname(localhost, sizeof localhost - 1) == 0) {
- localhost[sizeof localhost - 1] = '\0';
- if (strlen(localhost) == sizeof localhost - 1) {
- BIO_printf(bio_err, "localhost name too long\n");
- goto end;
- }
- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost);
- }
+ kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, "localhost");
}
#endif /* OPENSSL_NO_KRB5 */

@ -0,0 +1,47 @@
diff -up openssl-1.0.2a/apps/version.c.version-add-engines openssl-1.0.2a/apps/version.c
--- openssl-1.0.2a/apps/version.c.version-add-engines 2015-04-09 18:16:42.345756005 +0200
+++ openssl-1.0.2a/apps/version.c 2015-04-09 18:16:36.573622667 +0200
@@ -131,6 +131,7 @@
#ifndef OPENSSL_NO_BF
# include <openssl/blowfish.h>
#endif
+#include <openssl/engine.h>
#undef PROG
#define PROG version_main
@@ -140,7 +141,8 @@ int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
int i, ret = 0;
- int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
+ int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir =
+ 0, engines = 0;
apps_startup();
@@ -164,7 +166,7 @@ int MAIN(int argc, char **argv)
else if (strcmp(argv[i], "-d") == 0)
dir = 1;
else if (strcmp(argv[i], "-a") == 0)
- date = version = cflags = options = platform = dir = 1;
+ date = version = cflags = options = platform = dir = engines = 1;
else {
BIO_printf(bio_err, "usage:version -[avbofpd]\n");
ret = 1;
@@ -208,6 +210,16 @@ int MAIN(int argc, char **argv)
printf("%s\n", SSLeay_version(SSLEAY_CFLAGS));
if (dir)
printf("%s\n", SSLeay_version(SSLEAY_DIR));
+ if (engines) {
+ ENGINE *e;
+ printf("engines: ");
+ e = ENGINE_get_first();
+ while (e) {
+ printf("%s ", ENGINE_get_id(e));
+ e = ENGINE_get_next(e);
+ }
+ printf("\n");
+ }
end:
apps_shutdown();
OPENSSL_EXIT(ret);

@ -0,0 +1,28 @@
diff -up openssl-1.0.2a/crypto/x509/by_file.c.x509 openssl-1.0.2a/crypto/x509/by_file.c
--- openssl-1.0.2a/crypto/x509/by_file.c.x509 2015-04-09 18:16:29.365456157 +0200
+++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-09 18:16:26.398387618 +0200
@@ -152,9 +152,12 @@ int X509_load_cert_file(X509_LOOKUP *ctx
}
}
i = X509_STORE_add_cert(ctx->store_ctx, x);
- if (!i)
- goto err;
- count++;
+ /* ignore any problems with current certificate
+ and continue with the next one */
+ if (i)
+ count++;
+ else
+ ERR_clear_error();
X509_free(x);
x = NULL;
}
@@ -167,7 +170,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx
}
i = X509_STORE_add_cert(ctx->store_ctx, x);
if (!i)
- goto err;
+ ERR_clear_error();
ret = i;
} else {
X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);

@ -0,0 +1,63 @@
diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
--- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200
@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
}
#endif
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
+
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
else
SSL_CTX_sess_set_cache_size(ctx2, 128);
- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2))) {
+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
ERR_print_errors(bio_err);
}
if (vpm)
diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
--- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
if (tm_cipher == NULL)

@ -0,0 +1,195 @@
diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
--- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200
+++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200
@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
} else
# endif
# ifndef OPENSSL_NO_ECDSA
- if (strcmp(*argv, "ecdsap160") == 0)
- ecdsa_doit[R_EC_P160] = 2;
- else if (strcmp(*argv, "ecdsap192") == 0)
- ecdsa_doit[R_EC_P192] = 2;
- else if (strcmp(*argv, "ecdsap224") == 0)
- ecdsa_doit[R_EC_P224] = 2;
- else if (strcmp(*argv, "ecdsap256") == 0)
+ if (strcmp(*argv, "ecdsap256") == 0)
ecdsa_doit[R_EC_P256] = 2;
else if (strcmp(*argv, "ecdsap384") == 0)
ecdsa_doit[R_EC_P384] = 2;
else if (strcmp(*argv, "ecdsap521") == 0)
ecdsa_doit[R_EC_P521] = 2;
- else if (strcmp(*argv, "ecdsak163") == 0)
- ecdsa_doit[R_EC_K163] = 2;
- else if (strcmp(*argv, "ecdsak233") == 0)
- ecdsa_doit[R_EC_K233] = 2;
- else if (strcmp(*argv, "ecdsak283") == 0)
- ecdsa_doit[R_EC_K283] = 2;
- else if (strcmp(*argv, "ecdsak409") == 0)
- ecdsa_doit[R_EC_K409] = 2;
- else if (strcmp(*argv, "ecdsak571") == 0)
- ecdsa_doit[R_EC_K571] = 2;
- else if (strcmp(*argv, "ecdsab163") == 0)
- ecdsa_doit[R_EC_B163] = 2;
- else if (strcmp(*argv, "ecdsab233") == 0)
- ecdsa_doit[R_EC_B233] = 2;
- else if (strcmp(*argv, "ecdsab283") == 0)
- ecdsa_doit[R_EC_B283] = 2;
- else if (strcmp(*argv, "ecdsab409") == 0)
- ecdsa_doit[R_EC_B409] = 2;
- else if (strcmp(*argv, "ecdsab571") == 0)
- ecdsa_doit[R_EC_B571] = 2;
else if (strcmp(*argv, "ecdsa") == 0) {
- for (i = 0; i < EC_NUM; i++)
+ for (i = R_EC_P256; i <= R_EC_P521; i++)
ecdsa_doit[i] = 1;
} else
# endif
# ifndef OPENSSL_NO_ECDH
- if (strcmp(*argv, "ecdhp160") == 0)
- ecdh_doit[R_EC_P160] = 2;
- else if (strcmp(*argv, "ecdhp192") == 0)
- ecdh_doit[R_EC_P192] = 2;
- else if (strcmp(*argv, "ecdhp224") == 0)
- ecdh_doit[R_EC_P224] = 2;
- else if (strcmp(*argv, "ecdhp256") == 0)
+ if (strcmp(*argv, "ecdhp256") == 0)
ecdh_doit[R_EC_P256] = 2;
else if (strcmp(*argv, "ecdhp384") == 0)
ecdh_doit[R_EC_P384] = 2;
else if (strcmp(*argv, "ecdhp521") == 0)
ecdh_doit[R_EC_P521] = 2;
- else if (strcmp(*argv, "ecdhk163") == 0)
- ecdh_doit[R_EC_K163] = 2;
- else if (strcmp(*argv, "ecdhk233") == 0)
- ecdh_doit[R_EC_K233] = 2;
- else if (strcmp(*argv, "ecdhk283") == 0)
- ecdh_doit[R_EC_K283] = 2;
- else if (strcmp(*argv, "ecdhk409") == 0)
- ecdh_doit[R_EC_K409] = 2;
- else if (strcmp(*argv, "ecdhk571") == 0)
- ecdh_doit[R_EC_K571] = 2;
- else if (strcmp(*argv, "ecdhb163") == 0)
- ecdh_doit[R_EC_B163] = 2;
- else if (strcmp(*argv, "ecdhb233") == 0)
- ecdh_doit[R_EC_B233] = 2;
- else if (strcmp(*argv, "ecdhb283") == 0)
- ecdh_doit[R_EC_B283] = 2;
- else if (strcmp(*argv, "ecdhb409") == 0)
- ecdh_doit[R_EC_B409] = 2;
- else if (strcmp(*argv, "ecdhb571") == 0)
- ecdh_doit[R_EC_B571] = 2;
else if (strcmp(*argv, "ecdh") == 0) {
- for (i = 0; i < EC_NUM; i++)
+ for (i = R_EC_P256; i <= R_EC_P521; i++)
ecdh_doit[i] = 1;
} else
# endif
@@ -1156,21 +1104,11 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
# endif
# ifndef OPENSSL_NO_ECDSA
- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
- "ecdsap256 ecdsap384 ecdsap521\n");
- BIO_printf(bio_err,
- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
- BIO_printf(bio_err,
- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
+ BIO_printf(bio_err, "ecdsap256 ecdsap384 ecdsap521\n");
BIO_printf(bio_err, "ecdsa\n");
# endif
# ifndef OPENSSL_NO_ECDH
- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 "
- "ecdhp256 ecdhp384 ecdhp521\n");
- BIO_printf(bio_err,
- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
- BIO_printf(bio_err,
- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
+ BIO_printf(bio_err, "ecdhp256 ecdhp384 ecdhp521\n");
BIO_printf(bio_err, "ecdh\n");
# endif
@@ -1255,11 +1193,11 @@ int MAIN(int argc, char **argv)
if (!FIPS_mode() || i != R_DSA_512)
dsa_doit[i] = 1;
# ifndef OPENSSL_NO_ECDSA
- for (i = 0; i < EC_NUM; i++)
+ for (i = R_EC_P256; i <= R_EC_P521; i++)
ecdsa_doit[i] = 1;
# endif
# ifndef OPENSSL_NO_ECDH
- for (i = 0; i < EC_NUM; i++)
+ for (i = R_EC_P256; i <= R_EC_P521; i++)
ecdh_doit[i] = 1;
# endif
}
diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
--- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200
+++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200
@@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
0, 23, /* secp256r1 (23) */
/* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */
- 0, 28, /* brainpool512r1 (28) */
- 0, 27, /* brainpoolP384r1 (27) */
0, 24, /* secp384r1 (24) */
- 0, 26, /* brainpoolP256r1 (26) */
- 0, 22, /* secp256k1 (22) */
# ifndef OPENSSL_NO_EC2M
/* >= 256-bit binary curves. */
0, 14, /* sect571r1 (14) */
@@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
0, 23, /* secp256r1 (23) */
/* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */
- 0, 28, /* brainpool512r1 (28) */
- 0, 27, /* brainpoolP384r1 (27) */
0, 24, /* secp384r1 (24) */
- 0, 26, /* brainpoolP256r1 (26) */
- 0, 22, /* secp256k1 (22) */
# ifndef OPENSSL_NO_EC2M
/* >= 256-bit binary curves. */
0, 14, /* sect571r1 (14) */
@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
* Remaining curves disabled by default but still permitted if set
* via an explicit callback or parameters.
*/
- 0, 20, /* secp224k1 (20) */
- 0, 21, /* secp224r1 (21) */
- 0, 18, /* secp192k1 (18) */
- 0, 19, /* secp192r1 (19) */
- 0, 15, /* secp160k1 (15) */
- 0, 16, /* secp160r1 (16) */
- 0, 17, /* secp160r2 (17) */
# ifndef OPENSSL_NO_EC2M
0, 8, /* sect239k1 (8) */
0, 6, /* sect233k1 (6) */
@@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
0, 9, /* sect283k1 (9) */
0, 10, /* sect283r1 (10) */
# endif
- 0, 22, /* secp256k1 (22) */
0, 23, /* secp256r1 (23) */
# ifndef OPENSSL_NO_EC2M
0, 8, /* sect239k1 (8) */
0, 6, /* sect233k1 (6) */
0, 7, /* sect233r1 (7) */
# endif
- 0, 20, /* secp224k1 (20) */
- 0, 21, /* secp224r1 (21) */
# ifndef OPENSSL_NO_EC2M
0, 4, /* sect193r1 (4) */
0, 5, /* sect193r2 (5) */
# endif
- 0, 18, /* secp192k1 (18) */
- 0, 19, /* secp192r1 (19) */
# ifndef OPENSSL_NO_EC2M
0, 1, /* sect163k1 (1) */
0, 2, /* sect163r1 (2) */
0, 3, /* sect163r2 (3) */
# endif
- 0, 15, /* secp160k1 (15) */
- 0, 16, /* secp160r1 (16) */
- 0, 17, /* secp160r2 (17) */
};
# endif

@ -0,0 +1,82 @@
diff -up openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 openssl-1.0.2d/crypto/ec/ec_curve.c
--- openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 2015-08-12 14:55:15.203415420 -0400
+++ openssl-1.0.2d/crypto/ec/ec_curve.c 2015-08-12 15:07:12.659113262 -0400
@@ -86,6 +86,42 @@ typedef struct {
unsigned int cofactor; /* promoted to BN_ULONG */
} EC_CURVE_DATA;
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[0 + 32 * 6];
+} _EC_SECG_PRIME_256K1 = {
+ {
+ NID_X9_62_prime_field, 0, 32, 1
+ },
+ {
+ /* no seed */
+ /* p */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
+ /* a */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ /* b */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
+ /* x */
+ 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
+ 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
+ 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
+ /* y */
+ 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
+ 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
+ 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
+ /* order */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
+ 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
+ }
+};
+
/* the nist prime curves */
static const struct {
EC_CURVE_DATA h;
@@ -235,6 +271,8 @@ typedef struct _ec_list_element_st {
static const ec_list_element curve_list[] = {
/* prime field curves */
/* secg curves */
+ {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
+ "SECG curve over a 256 bit prime field"},
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
{NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
"NIST/SECG curve over a 384 bit prime field"},
diff -up openssl-1.0.2d/ssl/t1_lib.c.secp256k1 openssl-1.0.2d/ssl/t1_lib.c
--- openssl-1.0.2d/ssl/t1_lib.c.secp256k1 2015-08-12 15:04:42.876925441 -0400
+++ openssl-1.0.2d/ssl/t1_lib.c 2015-08-12 15:04:47.837699822 -0400
@@ -269,6 +269,7 @@ static const unsigned char eccurves_auto
/* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */
0, 24, /* secp384r1 (24) */
+ 0, 22, /* secp256k1 (22) */
# ifndef OPENSSL_NO_EC2M
/* >= 256-bit binary curves. */
0, 14, /* sect571r1 (14) */
@@ -286,6 +287,7 @@ static const unsigned char eccurves_all[
/* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */
0, 24, /* secp384r1 (24) */
+ 0, 22, /* secp256k1 (22) */
# ifndef OPENSSL_NO_EC2M
/* >= 256-bit binary curves. */
0, 14, /* sect571r1 (14) */
@@ -333,6 +335,7 @@ static const unsigned char fips_curves_d
0, 9, /* sect283k1 (9) */
0, 10, /* sect283r1 (10) */
# endif
+ 0, 22, /* secp256k1 (22) */
0, 23, /* secp256r1 (23) */
# ifndef OPENSSL_NO_EC2M
0, 8, /* sect239k1 (8) */

@ -0,0 +1,15 @@
diff -up openssl-1.0.2e/crypto/ec/ec.h.nistp224 openssl-1.0.2e/crypto/ec/ec.h
--- openssl-1.0.2e/crypto/ec/ec.h.nistp224 2015-12-04 14:00:57.000000000 +0100
+++ openssl-1.0.2e/crypto/ec/ec.h 2015-12-08 15:51:37.046747916 +0100
@@ -149,11 +149,6 @@ const EC_METHOD *EC_GFp_mont_method(void
const EC_METHOD *EC_GFp_nist_method(void);
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-/** Returns 64-bit optimized methods for nistp224
- * \return EC_METHOD object
- */
-const EC_METHOD *EC_GFp_nistp224_method(void);
-
/** Returns 64-bit optimized methods for nistp256
* \return EC_METHOD object
*/

@ -0,0 +1,115 @@
diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
--- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100
@@ -365,8 +365,8 @@ my %table=(
####
# *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate...
-"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
#######################################################################
# Note that -march is not among compiler options in below linux-armv4
@@ -395,31 +395,31 @@ my %table=(
#
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
#
-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
# Configure script adds minimally required -march for assembly support,
# if no -march was specified at command line. mips32 and mips64 below
# refer to contemporary MIPS Architecture specifications, MIPS32 and
# MIPS64, rather than to kernel bitness.
-"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
-"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
+"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
#### IA-32 targets...
"linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
####
-"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
#### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
# /proc/cpuinfo. The idea is to preserve most significant bits of
@@ -437,12 +437,12 @@ my %table=(
#### SPARC Linux setups
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
# assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# it's a real mess with -mcpu=ultrasparc option under Linux, but
# -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# GCC 3.1 is a requirement
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -1767,7 +1767,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
}
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{
diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
--- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=
SHLIB_MINOR=
SHLIB_EXT=
+SHLIB_SONAMEVER=10
PLATFORM=dist
OPTIONS=
CONFIGURE_ARGS=
@@ -341,10 +342,9 @@ clean-shared:
link-shared:
@ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
symlink.$(SHLIB_TARGET); \
- libs="$$libs -l$$i"; \
done
build-shared: do_$(SHLIB_TARGET) link-shared
@@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
LIBDEPS="$$libs $(EX_LIBS)" \
link_a.$(SHLIB_TARGET); \

@ -0,0 +1,58 @@
diff -up openssl-1.0.2e/apps/speed.c.speed-doc openssl-1.0.2e/apps/speed.c
--- openssl-1.0.2e/apps/speed.c.speed-doc 2015-12-04 14:00:58.000000000 +0100
+++ openssl-1.0.2e/apps/speed.c 2016-01-15 14:15:56.482343557 +0100
@@ -648,10 +648,6 @@ int MAIN(int argc, char **argv)
# endif
int multiblock = 0;
-# ifndef TIMES
- usertime = -1;
-# endif
-
apps_startup();
memset(results, 0, sizeof(results));
# ifndef OPENSSL_NO_DSA
@@ -1145,10 +1141,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "\n");
BIO_printf(bio_err, "Available options:\n");
-# if defined(TIMES) || defined(USE_TOD)
BIO_printf(bio_err, "-elapsed "
"measure time in real time instead of CPU user time.\n");
-# endif
# ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
"-engine e "
diff -up openssl-1.0.2e/doc/apps/speed.pod.speed-doc openssl-1.0.2e/doc/apps/speed.pod
--- openssl-1.0.2e/doc/apps/speed.pod.speed-doc 2015-12-03 14:42:07.000000000 +0100
+++ openssl-1.0.2e/doc/apps/speed.pod 2016-01-15 14:05:23.044222376 +0100
@@ -8,6 +8,9 @@ speed - test library performance
B<openssl speed>
[B<-engine id>]
+[B<-elapsed>]
+[B<-evp algo>]
+[B<-decrypt>]
[B<md2>]
[B<mdc2>]
[B<md5>]
@@ -49,6 +52,19 @@ to attempt to obtain a functional refere
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
+=item B<-elapsed>
+
+Measure time in real time instead of CPU time. It can be useful when testing
+speed of hardware engines.
+
+=item B<-evp algo>
+
+Use the specified cipher or message digest algorithm via the EVP interface.
+
+=item B<-decrypt>
+
+Time the decryption instead of encryption. Affects only the EVP testing.
+
=item B<[zero or more test algorithms]>
If any options are given, B<speed> tests those algorithms, otherwise all of

@ -0,0 +1,541 @@
diff -up openssl-1.0.2e/crypto/evp/c_allc.c.wrap openssl-1.0.2e/crypto/evp/c_allc.c
--- openssl-1.0.2e/crypto/evp/c_allc.c.wrap 2015-12-04 13:33:42.118550036 +0100
+++ openssl-1.0.2e/crypto/evp/c_allc.c 2015-12-04 13:33:42.190551722 +0100
@@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_128_xts());
EVP_add_cipher(EVP_aes_128_ccm());
EVP_add_cipher(EVP_aes_128_wrap());
+ EVP_add_cipher(EVP_aes_128_wrap_pad());
EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
EVP_add_cipher(EVP_aes_192_ecb());
@@ -191,6 +192,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_192_gcm());
EVP_add_cipher(EVP_aes_192_ccm());
EVP_add_cipher(EVP_aes_192_wrap());
+ EVP_add_cipher(EVP_aes_192_wrap_pad());
EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
EVP_add_cipher(EVP_aes_256_ecb());
@@ -204,6 +206,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_256_xts());
EVP_add_cipher(EVP_aes_256_ccm());
EVP_add_cipher(EVP_aes_256_wrap());
+ EVP_add_cipher(EVP_aes_256_wrap_pad());
EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
@@ -258,6 +261,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_des_ede());
EVP_add_cipher(EVP_des_ede3());
+ EVP_add_cipher(EVP_des_ede3_wrap());
# endif
# ifndef OPENSSL_NO_AES
@@ -272,6 +276,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_128_xts());
EVP_add_cipher(EVP_aes_128_ccm());
EVP_add_cipher(EVP_aes_128_wrap());
+ EVP_add_cipher(EVP_aes_128_wrap_pad());
EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
EVP_add_cipher(EVP_aes_192_ecb());
@@ -284,6 +289,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_192_gcm());
EVP_add_cipher(EVP_aes_192_ccm());
EVP_add_cipher(EVP_aes_192_wrap());
+ EVP_add_cipher(EVP_aes_192_wrap_pad());
EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
EVP_add_cipher(EVP_aes_256_ecb());
@@ -297,6 +303,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_256_xts());
EVP_add_cipher(EVP_aes_256_ccm());
EVP_add_cipher(EVP_aes_256_wrap());
+ EVP_add_cipher(EVP_aes_256_wrap_pad());
EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
# endif
diff -up openssl-1.0.2e/crypto/evp/e_aes.c.wrap openssl-1.0.2e/crypto/evp/e_aes.c
--- openssl-1.0.2e/crypto/evp/e_aes.c.wrap 2015-12-04 13:33:42.119550059 +0100
+++ openssl-1.0.2e/crypto/evp/e_aes.c 2015-12-04 13:33:42.190551722 +0100
@@ -1,5 +1,5 @@
/* ====================================================================
- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1953,7 +1953,7 @@ static int aes_wrap_init_key(EVP_CIPHER_
wctx->iv = NULL;
}
if (iv) {
- memcpy(ctx->iv, iv, 8);
+ memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
wctx->iv = ctx->iv;
}
return 1;
@@ -1964,30 +1964,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
{
EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
size_t rv;
+ /* AES wrap with padding has IV length of 4, without padding 8 */
+ int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
+ /* No final operation so always return zero length */
if (!in)
return 0;
- if (inlen % 8)
+ /* Input length must always be non-zero */
+ if (!inlen)
return -1;
- if (ctx->encrypt && inlen < 8)
+ /* If decrypting need at least 16 bytes and multiple of 8 */
+ if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
return -1;
- if (!ctx->encrypt && inlen < 16)
+ /* If not padding input must be multiple of 8 */
+ if (!pad && inlen & 0x7)
return -1;
if (!out) {
- if (ctx->encrypt)
+ if (ctx->encrypt) {
+ /* If padding round up to multiple of 8 */
+ if (pad)
+ inlen = (inlen + 7) / 8 * 8;
+ /* 8 byte prefix */
return inlen + 8;
- else
+ } else {
+ /* If not padding output will be exactly 8 bytes
+ * smaller than input. If padding it will be at
+ * least 8 bytes smaller but we don't know how
+ * much.
+ */
return inlen - 8;
}
+ }
+ if (pad) {
if (ctx->encrypt)
- rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
+ rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
+ out, in, inlen,
(block128_f) AES_encrypt);
else
- rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
+ rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
+ out, in, inlen,
(block128_f) AES_decrypt);
+ } else {
+ if (ctx->encrypt)
+ rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
+ out, in, inlen, (block128_f) AES_encrypt);
+ else
+ rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
+ out, in, inlen, (block128_f) AES_decrypt);
+ }
return rv ? (int)rv : -1;
}
-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
+# define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
@@ -2032,3 +2059,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
{
return &aes_256_wrap;
}
+
+static const EVP_CIPHER aes_128_wrap_pad = {
+ NID_id_aes128_wrap_pad,
+ 8, 16, 4, WRAP_FLAGS,
+ aes_wrap_init_key, aes_wrap_cipher,
+ NULL,
+ sizeof(EVP_AES_WRAP_CTX),
+ NULL, NULL, NULL, NULL
+};
+
+const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
+{
+ return &aes_128_wrap_pad;
+}
+
+static const EVP_CIPHER aes_192_wrap_pad = {
+ NID_id_aes192_wrap_pad,
+ 8, 24, 4, WRAP_FLAGS,
+ aes_wrap_init_key, aes_wrap_cipher,
+ NULL,
+ sizeof(EVP_AES_WRAP_CTX),
+ NULL, NULL, NULL, NULL
+};
+
+const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
+{
+ return &aes_192_wrap_pad;
+}
+
+static const EVP_CIPHER aes_256_wrap_pad = {
+ NID_id_aes256_wrap_pad,
+ 8, 32, 4, WRAP_FLAGS,
+ aes_wrap_init_key, aes_wrap_cipher,
+ NULL,
+ sizeof(EVP_AES_WRAP_CTX),
+ NULL, NULL, NULL, NULL
+};
+
+const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
+{
+ return &aes_256_wrap_pad;
+}
diff -up openssl-1.0.2e/crypto/evp/e_des3.c.wrap openssl-1.0.2e/crypto/evp/e_des3.c
--- openssl-1.0.2e/crypto/evp/e_des3.c.wrap 2015-12-04 13:33:42.119550059 +0100
+++ openssl-1.0.2e/crypto/evp/e_des3.c 2015-12-04 13:33:42.191551745 +0100
@@ -474,7 +474,7 @@ static const EVP_CIPHER des3_wrap = {
NID_id_smime_alg_CMS3DESwrap,
8, 24, 0,
EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
- | EVP_CIPH_FLAG_DEFAULT_ASN1,
+ | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_FIPS,
des_ede3_init_key, des_ede3_wrap_cipher,
NULL,
sizeof(DES_EDE_KEY),
diff -up openssl-1.0.2e/crypto/evp/evp.h.wrap openssl-1.0.2e/crypto/evp/evp.h
--- openssl-1.0.2e/crypto/evp/evp.h.wrap 2015-12-04 13:33:42.120550083 +0100
+++ openssl-1.0.2e/crypto/evp/evp.h 2015-12-04 13:33:42.191551745 +0100
@@ -834,6 +834,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void);
const EVP_CIPHER *EVP_aes_128_gcm(void);
const EVP_CIPHER *EVP_aes_128_xts(void);
const EVP_CIPHER *EVP_aes_128_wrap(void);
+const EVP_CIPHER *EVP_aes_128_wrap_pad(void);
const EVP_CIPHER *EVP_aes_192_ecb(void);
const EVP_CIPHER *EVP_aes_192_cbc(void);
const EVP_CIPHER *EVP_aes_192_cfb1(void);
@@ -845,6 +846,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void);
const EVP_CIPHER *EVP_aes_192_ccm(void);
const EVP_CIPHER *EVP_aes_192_gcm(void);
const EVP_CIPHER *EVP_aes_192_wrap(void);
+const EVP_CIPHER *EVP_aes_192_wrap_pad(void);
const EVP_CIPHER *EVP_aes_256_ecb(void);
const EVP_CIPHER *EVP_aes_256_cbc(void);
const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -857,6 +859,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void);
const EVP_CIPHER *EVP_aes_256_gcm(void);
const EVP_CIPHER *EVP_aes_256_xts(void);
const EVP_CIPHER *EVP_aes_256_wrap(void);
+const EVP_CIPHER *EVP_aes_256_wrap_pad(void);
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
diff -up openssl-1.0.2e/crypto/evp/evptests.txt.wrap openssl-1.0.2e/crypto/evp/evptests.txt
--- openssl-1.0.2e/crypto/evp/evptests.txt.wrap 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2e/crypto/evp/evptests.txt 2015-12-04 13:33:42.191551745 +0100
@@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0
id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2
id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1
id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F:28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43BFB988B9B7A02DD21
+# AES wrap tests from RFC5649
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
+
diff -up openssl-1.0.2e/crypto/modes/modes.h.wrap openssl-1.0.2e/crypto/modes/modes.h
--- openssl-1.0.2e/crypto/modes/modes.h.wrap 2015-12-04 13:33:41.770541886 +0100
+++ openssl-1.0.2e/crypto/modes/modes.h 2015-12-04 13:33:42.191551745 +0100
@@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons
unsigned char *out,
const unsigned char *in, size_t inlen,
block128_f block);
+size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
+ unsigned char *out, const unsigned char *in,
+ size_t inlen, block128_f block);
+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
+ unsigned char *out, const unsigned char *in,
+ size_t inlen, block128_f block);
#ifdef __cplusplus
}
diff -up openssl-1.0.2e/crypto/modes/wrap128.c.wrap openssl-1.0.2e/crypto/modes/wrap128.c
--- openssl-1.0.2e/crypto/modes/wrap128.c.wrap 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2e/crypto/modes/wrap128.c 2015-12-04 13:37:51.486366984 +0100
@@ -2,6 +2,7 @@
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
+ * Mode with padding contributed by Petr Spacek (pspacek@redhat.com).
*/
/* ====================================================================
* Copyright (c) 2013 The OpenSSL Project. All rights reserved.
@@ -52,19 +53,44 @@
* ====================================================================
*/
+/** Beware!
+ *
+ * Following wrapping modes were designed for AES but this implementation
+ * allows you to use them for any 128 bit block cipher.
+ */
+
#include "cryptlib.h"
#include <openssl/modes.h>
+/** RFC 3394 section 2.2.3.1 Default Initial Value */
static const unsigned char default_iv[] = {
0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
};
-/*
- * Input size limit: lower than maximum of standards but far larger than
+/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
+static const unsigned char default_aiv[] = {
+ 0xA6, 0x59, 0x59, 0xA6
+};
+
+/** Input size limit: lower than maximum of standards but far larger than
* anything that will be used in practice.
*/
#define CRYPTO128_WRAP_MAX (1UL << 31)
+/** Wrapping according to RFC 3394 section 2.2.1.
+ *
+ * @param[in] key Key value.
+ * @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
+ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
+ * @param[in] inlen Length of in.
+ * @param[out] out Cipher text. Minimal buffer length = (inlen + 8) bytes.
+ * Input and output buffers can overlap if block function
+ * supports that.
+ * @param[in] block Block processing function.
+ * @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
+ * or if inlen > CRYPTO128_WRAP_MAX.
+ * Output length if wrapping succeeded.
+ */
size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
unsigned char *out,
const unsigned char *in, size_t inlen,
@@ -72,7 +98,7 @@ size_t CRYPTO_128_wrap(void *key, const
{
unsigned char *A, B[16], *R;
size_t i, j, t;
- if ((inlen & 0x7) || (inlen < 8) || (inlen > CRYPTO128_WRAP_MAX))
+ if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
return 0;
A = B;
t = 1;
@@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const
return inlen + 8;
}
-size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
+/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
+ * IV check (step 3) is responsibility of the caller.
+ *
+ * @param[in] key Key value.
+ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
+ * @param[out] out Plain text without IV.
+ * Minimal buffer length = (inlen - 8) bytes.
+ * Input and output buffers can overlap if block function
+ * supports that.
+ * @param[in] in Ciphertext text as n 64-bit blocks
+ * @param[in] inlen Length of in.
+ * @param[in] block Block processing function.
+ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
+ * or if inlen is not multiply of 8.
+ * Output length otherwise.
+ */
+static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
unsigned char *out,
const unsigned char *in, size_t inlen,
block128_f block)
@@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons
memcpy(R, B + 8, 8);
}
}
+ memcpy(iv, A, 8);
+ return inlen;
+}
+
+/** Unwrapping according to RFC 3394 section 2.2.2 including IV check.
+ * First block of plain text have to match supplied IV otherwise an error is
+ * returned.
+ *
+ * @param[in] key Key value.
+ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
+ * @param[out] out Plain text without IV.
+ * Minimal buffer length = (inlen - 8) bytes.
+ * Input and output buffers can overlap if block function
+ * supports that.
+ * @param[in] in Ciphertext text as n 64-bit blocks
+ * @param[in] inlen Length of in.
+ * @param[in] block Block processing function.
+ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
+ * or if inlen is not multiply of 8
+ * or if IV doesn't match expected value.
+ * Output length otherwise.
+ */
+size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
+ unsigned char *out, const unsigned char *in,
+ size_t inlen, block128_f block)
+{
+ size_t ret;
+ unsigned char got_iv[8];
+
+ ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
+ if (ret == 0)
+ return 0;
+
if (!iv)
iv = default_iv;
- if (memcmp(A, iv, 8)) {
+ if (CRYPTO_memcmp(got_iv, iv, 8)) {
+ OPENSSL_cleanse(out, ret);
+ return 0;
+ }
+ return ret;
+}
+
+/** Wrapping according to RFC 5649 section 4.1.
+ *
+ * @param[in] key Key value.
+ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
+ * @param[out] out Cipher text. Minimal buffer length = (inlen + 15) bytes.
+ * Input and output buffers can overlap if block function
+ * supports that.
+ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
+ * @param[in] inlen Length of in.
+ * @param[in] block Block processing function.
+ * @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
+ * Output length if wrapping succeeded.
+ */
+size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
+ unsigned char *out,
+ const unsigned char *in, size_t inlen,
+ block128_f block)
+{
+ /* n: number of 64-bit blocks in the padded key data */
+ const size_t blocks_padded = (inlen + 7) / 8;
+ const size_t padded_len = blocks_padded * 8;
+ const size_t padding_len = padded_len - inlen;
+ /* RFC 5649 section 3: Alternative Initial Value */
+ unsigned char aiv[8];
+ int ret;
+
+ /* Section 1: use 32-bit fixed field for plaintext octet length */
+ if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
+ return 0;
+
+ /* Section 3: Alternative Initial Value */
+ if (!icv)
+ memcpy(aiv, default_aiv, 4);
+ else
+ memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
+
+ aiv[4] = (inlen >> 24) & 0xFF;
+ aiv[5] = (inlen >> 16) & 0xFF;
+ aiv[6] = (inlen >> 8) & 0xFF;
+ aiv[7] = inlen & 0xFF;
+
+ if (padded_len == 8) {
+ /* Section 4.1 - special case in step 2:
+ * If the padded plaintext contains exactly eight octets, then
+ * prepend the AIV and encrypt the resulting 128-bit block
+ * using AES in ECB mode. */
+ memmove(out + 8, in, inlen);
+ memcpy(out, aiv, 8);
+ memset(out + 8 + inlen, 0, padding_len);
+ block(out, out, key);
+ ret = 16; /* AIV + padded input */
+ } else {
+ memmove(out, in, inlen);
+ memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
+ ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
+ }
+
+ return ret;
+}
+
+/** Unwrapping according to RFC 5649 section 4.2.
+ *
+ * @param[in] key Key value.
+ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
+ * @param[out] out Plain text. Minimal buffer length = inlen bytes.
+ * Input and output buffers can overlap if block function
+ * supports that.
+ * @param[in] in Ciphertext text as n 64-bit blocks
+ * @param[in] inlen Length of in.
+ * @param[in] block Block processing function.
+ * @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
+ * or if inlen is not multiply of 8
+ * or if IV and message length indicator doesn't match.
+ * Output length if unwrapping succeeded and IV matches.
+ */
+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
+ unsigned char *out,
+ const unsigned char *in, size_t inlen,
+ block128_f block)
+{
+ /* n: number of 64-bit blocks in the padded key data */
+ size_t n = inlen / 8 - 1;
+ size_t padded_len;
+ size_t padding_len;
+ size_t ptext_len;
+ /* RFC 5649 section 3: Alternative Initial Value */
+ unsigned char aiv[8];
+ static unsigned char zeros[8] = { 0x0 };
+ size_t ret;
+
+ /* Section 4.2: Cipher text length has to be (n+1) 64-bit blocks. */
+ if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
+ return 0;
+
+ memmove(out, in, inlen);
+ if (inlen == 16) {
+ /* Section 4.2 - special case in step 1:
+ * When n=1, the ciphertext contains exactly two 64-bit
+ * blocks and they are decrypted as a single AES
+ * block using AES in ECB mode:
+ * AIV | P[1] = DEC(K, C[0] | C[1])
+ */
+ block(out, out, key);
+ memcpy(aiv, out, 8);
+ /* Remove AIV */
+ memmove(out, out + 8, 8);
+ padded_len = 8;
+ } else {
+ padded_len = inlen - 8;
+ ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block);
+ if (padded_len != ret) {
OPENSSL_cleanse(out, inlen);
return 0;
}
- return inlen;
+ }
+
+ /* Section 3: AIV checks: Check that MSB(32,A) = A65959A6.
+ * Optionally a user-supplied value can be used
+ * (even if standard doesn't mention this). */
+ if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
+ || (icv && CRYPTO_memcmp(aiv, icv, 4))) {
+ OPENSSL_cleanse(out, inlen);
+ return 0;
+ }
+
+ /* Check that 8*(n-1) < LSB(32,AIV) <= 8*n.
+ * If so, let ptext_len = LSB(32,AIV). */
+
+ ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7];
+ if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) {
+ OPENSSL_cleanse(out, inlen);
+ return 0;
+ }
+
+ /* Check that the rightmost padding_len octets of the output data
+ * are zero. */
+ padding_len = padded_len - ptext_len;
+ if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
+ OPENSSL_cleanse(out, inlen);
+ return 0;
+ }
+
+ /* Section 4.2 step 3: Remove padding */
+ return ptext_len;
}

@ -0,0 +1,90 @@
diff -up openssl-1.0.2g/doc/apps/ec.pod.manfix openssl-1.0.2g/doc/apps/ec.pod
--- openssl-1.0.2g/doc/apps/ec.pod.manfix 2016-03-01 14:35:05.000000000 +0100
+++ openssl-1.0.2g/doc/apps/ec.pod 2016-03-01 16:47:35.331568290 +0100
@@ -93,10 +93,6 @@ prints out the public, private key compo
this option prevents output of the encoded version of the key.
-=item B<-modulus>
-
-this option prints out the value of the public key component of the key.
-
=item B<-pubin>
by default a private key is read from the input file: with this option a
diff -up openssl-1.0.2g/doc/apps/openssl.pod.manfix openssl-1.0.2g/doc/apps/openssl.pod
--- openssl-1.0.2g/doc/apps/openssl.pod.manfix 2016-03-01 14:35:05.000000000 +0100
+++ openssl-1.0.2g/doc/apps/openssl.pod 2016-03-01 16:47:35.331568290 +0100
@@ -163,7 +163,7 @@ Create or examine a netscape certificate
Online Certificate Status Protocol utility.
-=item L<B<passwd>|passwd(1)>
+=item L<B<passwd>|sslpasswd(1)>
Generation of hashed passwords.
@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
Public key algorithm cryptographic operation utility.
-=item L<B<rand>|rand(1)>
+=item L<B<rand>|sslrand(1)>
Generate pseudo-random bytes.
@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
-L<passwd(1)|passwd(1)>,
+L<sslpasswd(1)|sslpasswd(1)>,
L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
+L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
diff -up openssl-1.0.2g/doc/apps/s_client.pod.manfix openssl-1.0.2g/doc/apps/s_client.pod
--- openssl-1.0.2g/doc/apps/s_client.pod.manfix 2016-03-01 14:35:53.000000000 +0100
+++ openssl-1.0.2g/doc/apps/s_client.pod 2016-03-01 16:47:35.358568902 +0100
@@ -35,6 +35,9 @@ B<openssl> B<s_client>
[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
+[B<-dtls1>]
[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
@@ -201,7 +204,7 @@ Use the PSK key B<key> when using a PSK
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
These options require or disable the use of the specified SSL or TLS protocols.
By default the initial handshake uses a I<version-flexible> method which will
diff -up openssl-1.0.2g/doc/apps/s_server.pod.manfix openssl-1.0.2g/doc/apps/s_server.pod
--- openssl-1.0.2g/doc/apps/s_server.pod.manfix 2016-03-01 14:35:53.000000000 +0100
+++ openssl-1.0.2g/doc/apps/s_server.pod 2016-03-01 16:47:35.359568925 +0100
@@ -42,6 +42,8 @@ B<openssl> B<s_server>
[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
@@ -217,7 +219,7 @@ Use the PSK key B<key> when using a PSK
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
These options require or disable the use of the specified SSL or TLS protocols.
By default the initial handshake uses a I<version-flexible> method which will

@ -0,0 +1,24 @@
diff -up openssl-1.0.2h/Makefile.org.pkgconfig openssl-1.0.2h/Makefile.org
--- openssl-1.0.2h/Makefile.org.pkgconfig 2016-05-03 18:06:45.869834730 +0200
+++ openssl-1.0.2h/Makefile.org 2016-06-27 12:04:15.444245018 +0200
@@ -377,7 +377,7 @@ libcrypto.pc: Makefile
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
libssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -388,9 +388,9 @@ libssl.pc: Makefile
echo 'Name: OpenSSL-libssl'; \
echo 'Description: Secure Sockets Layer and cryptography libraries'; \
echo 'Version: '$(VERSION); \
- echo 'Requires.private: libcrypto'; \
+ echo 'Requires: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl'; \
- echo 'Libs.private: $(EX_LIBS)'; \
+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
openssl.pc: Makefile

@ -0,0 +1,15 @@
diff -up openssl-1.0.2i/engines/e_chil.c.chil openssl-1.0.2i/engines/e_chil.c
--- openssl-1.0.2i/engines/e_chil.c.chil 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/engines/e_chil.c 2016-09-22 13:49:32.532017102 +0200
@@ -1274,6 +1274,11 @@ static int hwcrhk_insert_card(const char
UI *ui;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
+ /* Despite what the documentation says prompt_info can be
+ * an empty string.
+ */
+ if (prompt_info && !*prompt_info)
+ prompt_info = NULL;
if (cactx) {
if (cactx->ui_method)

@ -0,0 +1,25 @@
diff -up openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2i/crypto/evp/bio_enc.c
--- openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/evp/bio_enc.c 2016-09-22 13:58:24.592381002 +0200
@@ -307,8 +307,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
case BIO_CTRL_RESET:
ctx->ok = 1;
ctx->finished = 0;
- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
- ctx->cipher.encrypt);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+ ctx->cipher.encrypt))
+ ctx->ok = 0;
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
break;
case BIO_CTRL_EOF: /* More to read */
@@ -430,7 +431,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
b->init = 1;
ctx = (BIO_ENC_CTX *)b->ptr;
- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
+ ctx->ok = 0;
if (b->callback != NULL)
b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);

@ -0,0 +1,83 @@
diff --git a/Configure b/Configure
index c39f71a..7f3d905 100755
--- a/Configure
+++ b/Configure
@@ -727,6 +727,7 @@ my $idx_multilib = $idx++;
my $prefix="";
my $libdir="";
my $openssldir="";
+my $enginesdir="";
my $exe_ext="";
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
my $cross_compile_prefix="";
@@ -956,6 +957,10 @@ PROCESS_ARGS:
{
$openssldir=$1;
}
+ elsif (/^--enginesdir=(.*)$/)
+ {
+ $enginesdir=$1;
+ }
elsif (/^--install.prefix=(.*)$/)
{
$install_prefix=$1;
@@ -1207,7 +1212,7 @@ chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
-
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
print "IsMK1MF=$IsMK1MF\n";
@@ -1709,6 +1714,7 @@ while (<IN>)
s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
s/^MULTILIB=.*$/MULTILIB=$multilib/;
s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
+ s/^ENGINESDIR=.*$/ENGINESDIR=$enginesdir/;
s/^LIBDIR=.*$/LIBDIR=$libdir/;
s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
s/^PLATFORM=.*$/PLATFORM=$target/;
@@ -1915,7 +1921,7 @@ while (<IN>)
}
elsif (/^#define\s+ENGINESDIR/)
{
- my $foo = "$prefix/$libdir/engines";
+ my $foo = "$enginesdir";
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}
diff --git a/Makefile.org b/Makefile.org
index 2377f50..fe8d54c 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -28,6 +28,7 @@ INSTALLTOP=/usr/local/ssl
# Do not edit this manually. Use Configure --openssldir=DIR do change this!
OPENSSLDIR=/usr/local/ssl
+ENGINESDIR=$${libdir}/engines
# NO_IDEA - Define to build without the IDEA algorithm
# NO_RC4 - Define to build without the RC4 algorithm
@@ -368,7 +369,7 @@ libcrypto.pc: Makefile
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
- echo 'enginesdir=$${libdir}/engines'; \
+ echo 'enginesdir=$(ENGINESDIR)'; \
echo ''; \
echo 'Name: OpenSSL-libcrypto'; \
echo 'Description: OpenSSL cryptography library'; \
diff --git a/engines/Makefile b/engines/Makefile
index 2058ff4..a2c407b 100644
--- a/engines/Makefile
+++ b/engines/Makefile
@@ -124,7 +124,7 @@ install:
esac; \
cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
fi; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
done; \
fi

File diff suppressed because it is too large Load Diff

@ -0,0 +1,286 @@
diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c
--- openssl-1.0.2i/apps/cms.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/cms.c 2016-09-22 14:01:27.436630359 +0200
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err,
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c
--- openssl-1.0.2i/apps/ocsp.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/ocsp.c 2016-09-22 14:01:27.436630359 +0200
@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-CAfile file trusted certificates file\n");
BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err,
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-VAfile file validator certificates file\n");
diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_client.c
--- openssl-1.0.2i/apps/s_client.c.trusted-first 2016-09-22 14:01:27.402629569 +0200
+++ openssl-1.0.2i/apps/s_client.c 2016-09-22 14:01:27.436630359 +0200
@@ -330,6 +330,8 @@ static void sc_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err,
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
+ BIO_printf(bio_err,
" -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c
--- openssl-1.0.2i/apps/smime.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/smime.c 2016-09-22 14:01:27.436630359 +0200
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err,
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_server.c
--- openssl-1.0.2i/apps/s_server.c.trusted-first 2016-09-22 14:01:27.374628918 +0200
+++ openssl-1.0.2i/apps/s_server.c 2016-09-22 14:01:27.437630382 +0200
@@ -571,6 +571,8 @@ static void sv_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err,
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
+ BIO_printf(bio_err,
" -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n");
diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c
--- openssl-1.0.2i/apps/s_time.c.trusted-first 2016-09-22 14:01:27.368628779 +0200
+++ openssl-1.0.2i/apps/s_time.c 2016-09-22 14:01:27.437630382 +0200
@@ -182,6 +182,7 @@ static void s_time_usage(void)
file if not specified by this option\n\
-CApath arg - PEM format directory of CA's\n\
-CAfile arg - PEM format file of CA's\n\
+-trusted_first - Use trusted CA's first when building the trust chain\n\
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
printf("usage: s_time <args>\n\n");
diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c
--- openssl-1.0.2i/apps/ts.c.trusted-first 2016-09-22 14:01:27.400629522 +0200
+++ openssl-1.0.2i/apps/ts.c 2016-09-22 14:01:27.437630382 +0200
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
"[-queryfile request.tsq] "
"-in response.tsr [-token_in] "
- "-CApath ca_path -CAfile ca_file.pem "
+ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
"-untrusted cert_file.pem\n");
cleanup:
/* Clean up. */
diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c
--- openssl-1.0.2i/apps/verify.c.trusted-first 2016-09-22 14:01:27.438630405 +0200
+++ openssl-1.0.2i/apps/verify.c 2016-09-22 14:02:37.951269140 +0200
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
usage:
if (ret == 1) {
BIO_printf(bio_err,
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]");
diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/cms.pod
--- openssl-1.0.2i/doc/apps/cms.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/cms.pod 2016-09-22 14:01:27.438630405 +0200
@@ -35,6 +35,7 @@ B<openssl> B<cms>
[B<-print>]
[B<-CAfile file>]
[B<-CApath dir>]
+[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-md digest>]
[B<-[cipher]>]
@@ -248,6 +249,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before untrusted certificates
+from the message when building the trust chain to verify certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/ocsp.pod
--- openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first 2016-09-22 14:01:27.401629545 +0200
+++ openssl-1.0.2i/doc/apps/ocsp.pod 2016-09-22 14:01:27.438630405 +0200
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
[B<-path>]
[B<-CApath dir>]
[B<-CAfile file>]
+[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-VAfile file>]
[B<-validity_period n>]
@@ -144,6 +145,13 @@ connection timeout to the OCSP responder
file or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over certificates provided
+in the response or residing in other certificates file when building the trust
+chain to verify responder certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
=item B<-no_alt_chains>
See L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/apps/s_client.pod
--- openssl-1.0.2i/doc/apps/s_client.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
+++ openssl-1.0.2i/doc/apps/s_client.pod 2016-09-22 14:01:27.438630405 +0200
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
[B<-pass arg>]
[B<-CApath directory>]
[B<-CAfile filename>]
+[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-reconnect>]
[B<-pause>]
@@ -125,7 +126,7 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps/smime.pod
--- openssl-1.0.2i/doc/apps/smime.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/smime.pod 2016-09-22 14:01:27.438630405 +0200
@@ -15,6 +15,9 @@ B<openssl> B<smime>
[B<-pk7out>]
[B<-[cipher]>]
[B<-in file>]
+[B<-CAfile file>]
+[B<-CApath dir>]
+[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-certfile file>]
[B<-signer file>]
@@ -150,6 +153,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over certificates provided
+in the message when building the trust chain to verify a certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/apps/s_server.pod
--- openssl-1.0.2i/doc/apps/s_server.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
+++ openssl-1.0.2i/doc/apps/s_server.pod 2016-09-22 14:01:27.438630405 +0200
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
[B<-state>]
[B<-CApath directory>]
[B<-CAfile filename>]
+[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-nocert>]
[B<-cipher cipherlist>]
@@ -178,6 +179,12 @@ and to use when attempting to build the
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before other certificates
+when building the trust chain to verify client certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
=item B<-no_alt_chains>
See the L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/apps/s_time.pod
--- openssl-1.0.2i/doc/apps/s_time.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/s_time.pod 2016-09-22 14:01:27.439630429 +0200
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
[B<-key filename>]
[B<-CApath directory>]
[B<-CAfile filename>]
+[B<-trusted_first>]
[B<-reuse>]
[B<-new>]
[B<-verify depth>]
@@ -76,6 +77,12 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over the certificates provided
+by the server when building the trust chain to verify server certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
=item B<-new>
performs the timing test using a new session ID for each connection.
diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts.pod
--- openssl-1.0.2i/doc/apps/ts.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/ts.pod 2016-09-22 14:01:27.439630429 +0200
@@ -46,6 +46,7 @@ B<-verify>
[B<-token_in>]
[B<-CApath> trusted_cert_path]
[B<-CAfile> trusted_certs.pem]
+[B<-trusted_first>]
[B<-untrusted> cert_file.pem]
=head1 DESCRIPTION
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
or B<-CApath> must be specified.
(Optional)
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before other certificates
+when building the trust chain to verify certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
=item B<-untrusted> cert_file.pem
Set of additional untrusted certificates in PEM format which may be
diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/apps/verify.pod
--- openssl-1.0.2i/doc/apps/verify.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/verify.pod 2016-09-22 14:01:27.439630429 +0200
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
B<openssl> B<verify>
[B<-CApath directory>]
[B<-CAfile file>]
+[B<-trusted_first>]
[B<-purpose purpose>]
[B<-policy arg>]
[B<-ignore_critical>]
@@ -86,6 +87,12 @@ If a valid CRL cannot be found an error
A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together.
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before the certificates in the untrusted
+file when building the trust chain to verify certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
=item B<-purpose purpose>
The intended use for the certificate. If this option is not specified,

@ -0,0 +1,229 @@
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 3ffd934..23271be 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -56,6 +56,9 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
+
#include <stdio.h>
#include <time.h>
@@ -133,6 +136,30 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
#endif
+static int legacy_mds[] = { NID_md5, NID_sha, NID_md4, NID_md2, 0 };
+extern int private_ossl_allowed_legacy_mds[];
+
+static int is_md_legacy_disallowed(int mdnid)
+{
+ int i;
+
+ if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") != NULL)
+ return 0;
+
+ for (i = 0; legacy_mds[i] != 0; ++i) {
+ if (mdnid == legacy_mds[i]) {
+ int j;
+
+ for (j = 0; private_ossl_allowed_legacy_mds[j] != 0; ++j) {
+ if (mdnid == private_ossl_allowed_legacy_mds[j])
+ return 0;
+ }
+ return 1;
+ }
+ }
+ return 0;
+}
+
int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
{
@@ -174,6 +201,10 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
if (ret != 2)
goto err;
ret = -1;
+ } else if (is_md_legacy_disallowed(mdnid)) {
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+ goto err;
} else {
const EVP_MD *type;
type = EVP_get_digestbynid(mdnid);
diff --git a/crypto/o_init.c b/crypto/o_init.c
index 2f754ef..59439c2 100644
--- a/crypto/o_init.c
+++ b/crypto/o_init.c
@@ -55,6 +55,12 @@
#include <e_os.h>
#include <openssl/err.h>
+# include <stdio.h>
+# include <string.h>
+# include <strings.h>
+# include <ctype.h>
+# include <openssl/dh.h>
+# include <openssl/objects.h>
#ifdef OPENSSL_FIPS
# include <sys/types.h>
# include <sys/stat.h>
@@ -89,6 +95,121 @@ static void init_fips_mode(void)
}
#endif
+# define LEGACY_SETTINGS_FILE "/etc/pki/tls/legacy-settings"
+
+# define NUM_MAX_LEGACY_MDS 8
+
+int private_ossl_allowed_legacy_mds[NUM_MAX_LEGACY_MDS + 1]; /* zero terminated */
+
+int private_ossl_minimum_dh_bits;
+
+#if !defined(_WIN32)
+static void parse_legacy_mds(char *p)
+{
+ int idx = 0;
+ char *e = p;
+
+ while (p[0] != '\0') {
+ while (e[0] != '\0' && !isspace(e[0]) && e[0] != ',') {
+ ++e;
+ }
+ if (e[0] != '\0') {
+ e[0] = '\0';
+ ++e;
+ }
+
+ if (strcasecmp(p, "md5") == 0) {
+ private_ossl_allowed_legacy_mds[idx++] = NID_md5;
+ } else if (strcasecmp(p, "md4") == 0) {
+ private_ossl_allowed_legacy_mds[idx++] = NID_md4;
+ } else if (strcasecmp(p, "sha") == 0) {
+ private_ossl_allowed_legacy_mds[idx++] = NID_sha;
+ } else if (strcasecmp(p, "md2") == 0) {
+ private_ossl_allowed_legacy_mds[idx++] = NID_md2;
+ }
+
+ if (idx >=
+ sizeof(private_ossl_allowed_legacy_mds) /
+ sizeof(private_ossl_allowed_legacy_mds[0])) {
+ break;
+ }
+
+ while (e[0] == ',' || isspace(e[0])) {
+ ++e;
+ }
+
+ p = e;
+ }
+}
+
+static void parse_minimum_dh_bits(char *p)
+{
+ private_ossl_minimum_dh_bits = strtol(p, NULL, 10);
+ if (private_ossl_minimum_dh_bits < 512
+ || private_ossl_minimum_dh_bits > OPENSSL_DH_MAX_MODULUS_BITS) {
+ /* use default */
+ private_ossl_minimum_dh_bits = 0;
+ }
+}
+
+static void load_legacy_settings(void)
+{
+ FILE *f;
+ char *line = NULL;
+ size_t len = 0;
+
+ if ((f = fopen(LEGACY_SETTINGS_FILE, "r")) == NULL) {
+ return;
+ }
+
+ while (getline(&line, &len, f) > 0) {
+ char *p = line, *e, *val;
+
+ /* skip initial whitespace */
+ while (isspace(p[0])) {
+ ++p;
+ }
+
+ e = p;
+
+ while (e[0] != '\0' && !isspace(e[0])) {
+ ++e;
+ }
+
+ /* terminate name, skip whitespace between name and value */
+ if (e[0] != '\0') {
+ e[0] = '\0';
+ ++e;
+ while (isspace(e[0])) {
+ ++e;
+ }
+ }
+
+ val = e;
+
+ e = e + strlen(val);
+
+ /* trim terminating whitespace */
+ while (e > val) {
+ --e;
+ if (isspace(e[0])) {
+ e[0] = '\0';
+ } else {
+ break;
+ }
+ }
+
+ if (strcasecmp(p, "LegacySigningMDs") == 0) {
+ parse_legacy_mds(val);
+ } else if (strcasecmp(line, "MinimumDHBits") == 0) {
+ parse_minimum_dh_bits(val);
+ }
+ /* simply skip other unrecognized lines */
+ }
+ (void)fclose(f);
+}
+#endif
+
/*
* Perform any essential OpenSSL initialization operations. Currently only
* sets FIPS callbacks
@@ -100,6 +221,10 @@ void OPENSSL_init_library(void)
if (done)
return;
done = 1;
+
+#if !defined(_WIN32)
+ load_legacy_settings();
+#endif
#ifdef OPENSSL_FIPS
RAND_init_fips();
init_fips_mode();
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 32f2f1a..6734e8a 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3500,6 +3500,8 @@ int ssl3_send_client_certificate(SSL *s)
#define has_bits(i,m) (((i)&(m)) == (m))
+extern int private_ossl_minimum_dh_bits;
+
int ssl3_check_cert_and_algorithm(SSL *s)
{
int i, idx;
@@ -3630,8 +3632,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
DH_free(dh_srvr);
}
- if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024)
- || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
+ if (dh_size < (private_ossl_minimum_dh_bits ? private_ossl_minimum_dh_bits : 1024)) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
goto f_err;
}

@ -0,0 +1,138 @@
diff -up openssl-1.0.2j/ssl/s3_lib.c.downgrade-strength openssl-1.0.2j/ssl/s3_lib.c
--- openssl-1.0.2j/ssl/s3_lib.c.downgrade-strength 2017-01-05 17:23:21.091203023 +0100
+++ openssl-1.0.2j/ssl/s3_lib.c 2017-01-05 17:36:37.250194225 +0100
@@ -227,7 +227,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -243,7 +243,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -278,7 +278,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
#endif
@@ -575,7 +575,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -730,7 +730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -746,7 +746,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -796,7 +796,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -1429,7 +1429,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
#endif
@@ -1714,7 +1714,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -2106,7 +2106,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -2186,7 +2186,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -2266,7 +2266,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -2346,7 +2346,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},
@@ -2426,7 +2426,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
+ 112,
128,
},

@ -0,0 +1,172 @@
diff -up openssl-1.0.2j/apps/s_client.c.krb5keytab openssl-1.0.2j/apps/s_client.c
--- openssl-1.0.2j/apps/s_client.c.krb5keytab 2017-01-05 17:02:05.481441088 +0100
+++ openssl-1.0.2j/apps/s_client.c 2017-01-05 17:08:28.311073180 +0100
@@ -171,6 +171,10 @@ typedef unsigned int u_int;
#include "s_apps.h"
#include "timeouts.h"
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc = NULL;
+#endif
+
#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
# undef FIONBIO
@@ -400,6 +404,9 @@ static void sc_usage(void)
BIO_printf(bio_err,
" only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
BIO_printf(bio_err, " are supported.\n");
+#ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
+#endif
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
" -engine id - Initialise and use the specified engine\n");
@@ -1069,6 +1076,13 @@ int MAIN(int argc, char **argv)
c_nbio = 1;
}
#endif
+#ifndef OPENSSL_NO_KRB5
+ else if (strcmp(*argv, "-krb5svc") == 0) {
+ if (--argc < 1)
+ goto bad;
+ krb5svc= *(++argv);
+ }
+#endif
else if (strcmp(*argv, "-starttls") == 0) {
if (--argc < 1)
goto bad;
@@ -1435,6 +1449,8 @@ int MAIN(int argc, char **argv)
if (con && (kctx = kssl_ctx_new()) != NULL) {
SSL_set0_kssl_ctx(con, kctx);
kssl_ctx_setstring(kctx, KSSL_SERVER, host);
+ if (krb5svc != NULL)
+ kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
}
#endif /* OPENSSL_NO_KRB5 */
/* SSL_set_cipher_list(con,"RC4-MD5"); */
diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.c
--- openssl-1.0.2j/apps/s_server.c.krb5keytab 2017-01-05 17:02:05.482441111 +0100
+++ openssl-1.0.2j/apps/s_server.c 2017-01-05 17:16:36.458078609 +0100
@@ -206,6 +206,11 @@ typedef unsigned int u_int;
# include <fcntl.h>
#endif
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc = NULL;
+static char *keytab = NULL;
+#endif
+
#ifndef OPENSSL_NO_RSA
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
#endif
@@ -579,6 +584,10 @@ static void sv_usage(void)
BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
BIO_printf(bio_err, " -quiet - No server output\n");
BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
+#ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
+ BIO_printf(bio_err, " -keytab arg - Kerberos keytab filename\n");
+#endif
#ifndef OPENSSL_NO_PSK
BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n");
BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n");
@@ -1326,6 +1335,17 @@ int MAIN(int argc, char *argv[])
goto bad;
vfyCAfile = *(++argv);
}
+#ifndef OPENSSL_NO_KRB5
+ else if (strcmp(*argv, "-krb5svc") == 0) {
+ if (--argc < 1)
+ goto bad;
+ krb5svc = *(++argv);
+ } else if (strcmp(*argv, "-keytab") == 0) {
+ if (--argc < 1)
+ goto bad;
+ keytab = *(++argv);
+ }
+#endif
#ifdef FIONBIO
else if (strcmp(*argv, "-nbio") == 0) {
s_nbio = 1;
@@ -2226,8 +2246,10 @@ static int sv_body(char *hostname, int s
#ifndef OPENSSL_NO_KRB5
if ((kctx = kssl_ctx_new()) != NULL) {
SSL_set0_kssl_ctx(con, kctx);
- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
+ krb5svc == NULL ? KRB5SVC : krb5svc);
+ if (keytab != NULL)
+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
}
#endif /* OPENSSL_NO_KRB5 */
if (context)
@@ -2836,8 +2858,11 @@ static int www_body(char *hostname, int
#endif
#ifndef OPENSSL_NO_KRB5
if ((kctx = kssl_ctx_new()) != NULL) {
- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
+ SSL_set0_kssl_ctx(con, kctx);
+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
+ krb5svc == NULL ? KRB5SVC : krb5svc);
+ if (keytab != NULL)
+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
}
#endif /* OPENSSL_NO_KRB5 */
if (context)
diff -up openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab openssl-1.0.2j/doc/apps/s_client.pod
--- openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab 2016-09-26 11:49:07.000000000 +0200
+++ openssl-1.0.2j/doc/apps/s_client.pod 2017-01-05 17:21:30.562709291 +0100
@@ -43,6 +43,7 @@ B<openssl> B<s_client>
[B<-fallback_scsv>]
[B<-bugs>]
[B<-cipher cipherlist>]
+[B<-krb5svc service>]
[B<-serverpref>]
[B<-starttls protocol>]
[B<-engine id>]
@@ -228,6 +229,12 @@ command for more information.
use the server's cipher preferences; only used for SSLV2.
+=item B<-krb5svc service>
+
+the Kerberos service name to use (default "host"). This means s_server
+will expect a ticket for the principal I<service>/hostname@REALM, and will
+need keys for that principal in its keytab.
+
=item B<-starttls protocol>
send the protocol-specific message(s) to switch to TLS for communication.
diff -up openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab openssl-1.0.2j/doc/apps/s_server.pod
--- openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab 2017-01-05 17:02:05.482441111 +0100
+++ openssl-1.0.2j/doc/apps/s_server.pod 2017-01-05 17:20:54.769902331 +0100
@@ -37,6 +37,8 @@ B<openssl> B<s_server>
[B<-nocert>]
[B<-cipher cipherlist>]
[B<-serverpref>]
+[B<-krb5svc service>]
+[B<-keytab filename>]
[B<-quiet>]
[B<-no_tmp_rsa>]
[B<-ssl2>]
@@ -246,6 +248,17 @@ the B<ciphers> command for more informat
use the server's cipher preferences, rather than the client's preferences.
+=item B<-krb5svc service>
+
+the Kerberos service name to use (default "host"). This means s_server
+will expect a ticket for the principal I<service>/hostname@REALM, and will
+need keys for that principal in its keytab.
+
+=item B<-keytab filename>
+
+the Kerberos "keytab" (key table) file, containing keys for the s_server
+service principal (Kerberos identity; see -krb5svc).
+
=item B<-tlsextdebug>
print out a hex dump of any TLS extensions received from the server.

@ -0,0 +1,244 @@
diff -up openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl.backports openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl
--- openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl.backports 2017-03-09 17:59:26.367233931 +0100
+++ openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl 2017-03-27 15:25:28.615014528 +0200
@@ -1702,6 +1702,7 @@ $code.=<<___;
mov 240($key),$rounds
sub $in0,$out
movups ($key),$rndkey0 # $key[0]
+ movups ($ivp),$iv # load IV
movups 16($key),$rndkey[0] # forward reference
lea 112($key),$key # size optimization
diff -up openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl.backports openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl
--- openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl.backports 2017-03-09 17:59:26.369233978 +0100
+++ openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl 2017-03-27 15:25:28.618014599 +0200
@@ -1299,6 +1299,7 @@ $code.=<<___;
mov 240($key),$rounds
sub $in0,$out
movups ($key),$rndkey0 # $key[0]
+ movups ($ivp),$iv # load IV
movups 16($key),$rndkey[0] # forward reference
lea 112($key),$key # size optimization
diff -up openssl-1.0.2k/crypto/x86cpuid.pl.backports openssl-1.0.2k/crypto/x86cpuid.pl
--- openssl-1.0.2k/crypto/x86cpuid.pl.backports 2017-03-09 17:59:26.339233278 +0100
+++ openssl-1.0.2k/crypto/x86cpuid.pl 2017-03-27 15:26:06.833916588 +0200
@@ -20,10 +20,10 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
&pop ("eax");
&xor ("ecx","eax");
&xor ("eax","eax");
+ &mov ("esi",&wparam(0));
+ &mov (&DWP(8,"esi"),"eax"); # clear extended feature flags
&bt ("ecx",21);
&jnc (&label("nocpuid"));
- &mov ("esi",&wparam(0));
- &mov (&DWP(8,"esi"),"eax"); # clear 3rd word
&cpuid ();
&mov ("edi","eax"); # max value for standard query level
@@ -81,26 +81,16 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
&jmp (&label("generic"));
&set_label("intel");
- &cmp ("edi",7);
- &jb (&label("cacheinfo"));
-
- &mov ("esi",&wparam(0));
- &mov ("eax",7);
- &xor ("ecx","ecx");
- &cpuid ();
- &mov (&DWP(8,"esi"),"ebx");
-
-&set_label("cacheinfo");
&cmp ("edi",4);
- &mov ("edi",-1);
+ &mov ("esi",-1);
&jb (&label("nocacheinfo"));
&mov ("eax",4);
&mov ("ecx",0); # query L1D
&cpuid ();
- &mov ("edi","eax");
- &shr ("edi",14);
- &and ("edi",0xfff); # number of cores -1 per L1D
+ &mov ("esi","eax");
+ &shr ("esi",14);
+ &and ("esi",0xfff); # number of cores -1 per L1D
&set_label("nocacheinfo");
&mov ("eax",1);
@@ -118,7 +108,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
&bt ("edx",28); # test hyper-threading bit
&jnc (&label("generic"));
&and ("edx",0xefffffff);
- &cmp ("edi",0);
+ &cmp ("esi",0);
&je (&label("generic"));
&or ("edx",0x10000000);
@@ -130,10 +120,19 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
&set_label("generic");
&and ("ebp",1<<11); # isolate AMD XOP flag
&and ("ecx",0xfffff7ff); # force 11th bit to 0
- &mov ("esi","edx");
+ &mov ("esi","edx"); # %ebp:%esi is copy of %ecx:%edx
&or ("ebp","ecx"); # merge AMD XOP flag
- &bt ("ecx",27); # check OSXSAVE bit
+ &cmp ("edi",7);
+ &mov ("edi",&wparam(0));
+ &jb (&label("no_extended_info"));
+ &mov ("eax",7);
+ &xor ("ecx","ecx");
+ &cpuid ();
+ &mov (&DWP(8,"edi"),"ebx"); # save extended feature flag
+&set_label("no_extended_info");
+
+ &bt ("ebp",27); # check OSXSAVE bit
&jnc (&label("clear_avx"));
&xor ("ecx","ecx");
&data_byte(0x0f,0x01,0xd0); # xgetbv
@@ -147,7 +146,6 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
&and ("esi",0xfeffffff); # clear FXSR
&set_label("clear_avx");
&and ("ebp",0xefffe7ff); # clear AVX, FMA and AMD XOP bits
- &mov ("edi",&wparam(0));
&and (&DWP(8,"edi"),0xffffffdf); # clear AVX2
&set_label("done");
&mov ("eax","esi");
diff -up openssl-1.0.2k/crypto/x86_64cpuid.pl.backports openssl-1.0.2k/crypto/x86_64cpuid.pl
--- openssl-1.0.2k/crypto/x86_64cpuid.pl.backports 2017-03-09 17:59:26.339233278 +0100
+++ openssl-1.0.2k/crypto/x86_64cpuid.pl 2017-03-27 15:26:06.833916588 +0200
@@ -59,7 +59,7 @@ OPENSSL_ia32_cpuid:
mov %rbx,%r8 # save %rbx
xor %eax,%eax
- mov %eax,8(%rdi) # clear 3rd word
+ mov %eax,8(%rdi) # clear extended feature flags
cpuid
mov %eax,%r11d # max value for standard query level
@@ -127,14 +127,6 @@ OPENSSL_ia32_cpuid:
shr \$14,%r10d
and \$0xfff,%r10d # number of cores -1 per L1D
- cmp \$7,%r11d
- jb .Lnocacheinfo
-
- mov \$7,%eax
- xor %ecx,%ecx
- cpuid
- mov %ebx,8(%rdi)
-
.Lnocacheinfo:
mov \$1,%eax
cpuid
@@ -164,6 +156,15 @@ OPENSSL_ia32_cpuid:
or %ecx,%r9d # merge AMD XOP flag
mov %edx,%r10d # %r9d:%r10d is copy of %ecx:%edx
+
+ cmp \$7,%r11d
+ jb .Lno_extended_info
+ mov \$7,%eax
+ xor %ecx,%ecx
+ cpuid
+ mov %ebx,8(%rdi) # save extended feature flags
+.Lno_extended_info:
+
bt \$27,%r9d # check OSXSAVE bit
jnc .Lclear_avx
xor %ecx,%ecx # XCR0
diff -up openssl-1.0.2k/ssl/ssl_locl.h.backports openssl-1.0.2k/ssl/ssl_locl.h
--- openssl-1.0.2k/ssl/ssl_locl.h.backports 2017-03-09 17:59:26.183229642 +0100
+++ openssl-1.0.2k/ssl/ssl_locl.h 2017-03-09 17:59:26.311232626 +0100
@@ -1430,7 +1430,7 @@ int ssl_parse_clienthello_renegotiate_ex
long ssl_get_algorithm2(SSL *s);
int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
int tls1_process_sigalgs(SSL *s);
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
const unsigned char *sig, EVP_PKEY *pkey);
void ssl_set_client_disabled(SSL *s);
diff -up openssl-1.0.2k/ssl/s3_lib.c.backports openssl-1.0.2k/ssl/s3_lib.c
--- openssl-1.0.2k/ssl/s3_lib.c.backports 2017-03-09 17:59:26.294232230 +0100
+++ openssl-1.0.2k/ssl/s3_lib.c 2017-03-09 17:59:26.311232626 +0100
@@ -4237,7 +4237,7 @@ int ssl3_get_req_cert_type(SSL *s, unsig
return (int)s->cert->ctype_num;
}
/* get configured sigalgs */
- siglen = tls12_get_psigalgs(s, &sig);
+ siglen = tls12_get_psigalgs(s, 1, &sig);
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
nostrict = 0;
for (i = 0; i < siglen; i += 2, sig += 2) {
diff -up openssl-1.0.2k/ssl/s3_srvr.c.backports openssl-1.0.2k/ssl/s3_srvr.c
--- openssl-1.0.2k/ssl/s3_srvr.c.backports 2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/ssl/s3_srvr.c 2017-03-09 17:59:26.311232626 +0100
@@ -2084,7 +2084,7 @@ int ssl3_send_certificate_request(SSL *s
if (SSL_USE_SIGALGS(s)) {
const unsigned char *psigs;
- nl = tls12_get_psigalgs(s, &psigs);
+ nl = tls12_get_psigalgs(s, 1, &psigs);
s2n(nl, p);
memcpy(p, psigs, nl);
p += nl;
diff -up openssl-1.0.2k/ssl/t1_lib.c.backports openssl-1.0.2k/ssl/t1_lib.c
--- openssl-1.0.2k/ssl/t1_lib.c.backports 2017-03-09 17:59:26.297232299 +0100
+++ openssl-1.0.2k/ssl/t1_lib.c 2017-03-09 17:59:26.312232649 +0100
@@ -1015,7 +1015,7 @@ static unsigned char suiteb_sigalgs[] =
tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
};
# endif
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
{
/*
* If Suite B mode use Suite B sigalgs only, ignore any other
@@ -1037,7 +1037,7 @@ size_t tls12_get_psigalgs(SSL *s, const
}
# endif
/* If server use client authentication sigalgs if not NULL */
- if (s->server && s->cert->client_sigalgs) {
+ if (s->server == sent && s->cert->client_sigalgs) {
*psigs = s->cert->client_sigalgs;
return s->cert->client_sigalgslen;
} else if (s->cert->conf_sigalgs) {
@@ -1101,7 +1101,7 @@ int tls12_check_peer_sigalg(const EVP_MD
# endif
/* Check signature matches a type we sent */
- sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
+ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
break;
@@ -1149,7 +1149,7 @@ void ssl_set_client_disabled(SSL *s)
* Now go through all signature algorithms seeing if we support any for
* RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
*/
- sigalgslen = tls12_get_psigalgs(s, &sigalgs);
+ sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
switch (sigalgs[1]) {
# ifndef OPENSSL_NO_RSA
@@ -1420,7 +1420,7 @@ unsigned char *ssl_add_clienthello_tlsex
if (SSL_CLIENT_USE_SIGALGS(s)) {
size_t salglen;
const unsigned char *salg;
- salglen = tls12_get_psigalgs(s, &salg);
+ salglen = tls12_get_psigalgs(s, 1, &salg);
/*-
* check for enough space.
@@ -3783,7 +3783,7 @@ static int tls1_set_shared_sigalgs(SSL *
conf = c->conf_sigalgs;
conflen = c->conf_sigalgslen;
} else
- conflen = tls12_get_psigalgs(s, &conf);
+ conflen = tls12_get_psigalgs(s, 0, &conf);
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
pref = conf;
preflen = conflen;

@ -0,0 +1,27 @@
diff -up openssl-1.0.2k/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2k/crypto/rsa/rsa_gen.c
--- openssl-1.0.2k/crypto/rsa/rsa_gen.c.cc-reqs 2017-02-06 16:42:47.313963001 +0100
+++ openssl-1.0.2k/crypto/rsa/rsa_gen.c 2017-02-06 16:46:54.453628783 +0100
@@ -474,6 +474,12 @@ static int rsa_builtin_keygen(RSA *rsa,
if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
goto err;
+ /* prepare minimum p and q difference */
+ if (!BN_one(r3))
+ goto err;
+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
+ goto err;
+
if (BN_copy(rsa->e, e_value) == NULL)
goto err;
@@ -502,7 +508,9 @@ static int rsa_builtin_keygen(RSA *rsa,
do {
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
goto err;
- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
+ if (!BN_sub(r2, rsa->q, rsa->p))
+ goto err;
+ } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
if (degenerate == 3) {
ok = 0; /* we set our own err */
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);

@ -0,0 +1,20 @@
diff -up openssl-1.0.2k/crypto/x509v3/v3_addr.c.overread openssl-1.0.2k/crypto/x509v3/v3_addr.c
--- openssl-1.0.2k/crypto/x509v3/v3_addr.c.overread 2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/crypto/x509v3/v3_addr.c 2018-06-18 13:49:30.001625137 +0200
@@ -130,10 +130,12 @@ static int length_from_afi(const unsigne
*/
unsigned int v3_addr_get_afi(const IPAddressFamily *f)
{
- return ((f != NULL &&
- f->addressFamily != NULL && f->addressFamily->data != NULL)
- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1]))
- : 0);
+ if (f == NULL
+ || f->addressFamily == NULL
+ || f->addressFamily->data == NULL
+ || f->addressFamily->length < 2)
+ return 0;
+ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
}
/*

@ -0,0 +1,43 @@
From 38d600147331d36e74174ebbd4008b63188b321b Mon Sep 17 00:00:00 2001
From: Andy Polyakov <appro@openssl.org>
Date: Thu, 17 Aug 2017 21:08:57 +0200
Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.
Credit to OSS-Fuzz for finding this.
CVE-2017-3736
Reviewed-by: Rich Salz <rsalz@openssl.org>
---
crypto/bn/asm/x86_64-mont5.pl | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 3bb0cdf..42178e4 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -3090,11 +3090,19 @@ $code.=<<___;
.align 32
.Lsqrx8x_break:
- sub 16+8(%rsp),%r8 # consume last carry
+ xor $zero,$zero
+ sub 16+8(%rsp),%rbx # mov 16(%rsp),%cf
+ adcx $zero,%r8
mov 24+8(%rsp),$carry # initial $tptr, borrow $carry
+ adcx $zero,%r9
mov 0*8($aptr),%rdx # a[8], modulo-scheduled
- xor %ebp,%ebp # xor $zero,$zero
+ adc \$0,%r10
mov %r8,0*8($tptr)
+ adc \$0,%r11
+ adc \$0,%r12
+ adc \$0,%r13
+ adc \$0,%r14
+ adc \$0,%r15
cmp $carry,$tptr # cf=0, of=0
je .Lsqrx8x_outer_loop
--
2.9.5

@ -0,0 +1,232 @@
diff -up openssl-1.0.2k/ssl/fatalerrtest.c.ssl-err openssl-1.0.2k/ssl/fatalerrtest.c
--- openssl-1.0.2k/ssl/fatalerrtest.c.ssl-err 2017-12-13 14:17:46.730350538 +0100
+++ openssl-1.0.2k/ssl/fatalerrtest.c 2017-12-13 14:18:54.879940227 +0100
@@ -0,0 +1,109 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include "ssltestlib.h"
+
+int main(int argc, char *argv[])
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *sssl = NULL, *cssl = NULL;
+ const char *msg = "Dummy";
+ BIO *err = NULL, *wbio = NULL;
+ int ret = 1, len;
+ char buf[80];
+ unsigned char dummyrec[] = {
+ 0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
+ };
+
+ if (argc != 3) {
+ printf("Incorrect number of parameters\n");
+ return 1;
+ }
+
+ SSL_library_init();
+ SSL_load_error_strings();
+ err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+ CRYPTO_malloc_debug_init();
+ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+ if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(), &sctx, &cctx,
+ argv[1], argv[2])) {
+ printf("Failed to create SSL_CTX pair\n");
+ goto err;
+ }
+
+ /*
+ * Deliberately set the cipher lists for client and server to be different
+ * to force a handshake failure.
+ */
+ if (!SSL_CTX_set_cipher_list(sctx, "AES128-SHA")
+ || !SSL_CTX_set_cipher_list(cctx, "AES256-SHA")) {
+ printf("Failed to set cipher lists\n");
+ goto err;
+ }
+
+ if (!create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL)) {
+ printf("Failed to create SSL objectx\n");
+ goto err;
+ }
+
+ wbio = SSL_get_wbio(cssl);
+ if (wbio == NULL) {
+ printf("Unexpected NULL bio received\n");
+ goto err;
+ }
+
+ if (create_ssl_connection(sssl, cssl)) {
+ printf("Unexpected success creating a connection\n");
+ goto err;
+ }
+
+ ERR_clear_error();
+
+ /* Inject a plaintext record from client to server */
+ if (BIO_write(wbio, dummyrec, sizeof(dummyrec)) <= 0) {
+ printf("Unexpected failure injecting dummy record\n");
+ goto err;
+ }
+
+ /* SSL_read()/SSL_write should fail because of a previous fatal error */
+ if ((len = SSL_read(sssl, buf, sizeof(buf) - 1)) > 0) {
+ buf[len] = '\0';
+ printf("Unexpected success reading data: %s\n", buf);
+ goto err;
+ }
+ if (SSL_write(sssl, msg, strlen(msg)) > 0) {
+ printf("Unexpected success writing data\n");
+ goto err;
+ }
+
+ ret = 0;
+ err:
+ SSL_free(sssl);
+ SSL_free(cssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ ERR_print_errors_fp(stderr);
+
+ if (ret) {
+ printf("Fatal err test: FAILED\n");
+ }
+
+ ERR_free_strings();
+ ERR_remove_thread_state(NULL);
+ EVP_cleanup();
+ CRYPTO_cleanup_all_ex_data();
+ CRYPTO_mem_leaks(err);
+ BIO_free(err);
+
+ return ret;
+}
diff -up openssl-1.0.2k/ssl/Makefile.ssl-err openssl-1.0.2k/ssl/Makefile
--- openssl-1.0.2k/ssl/Makefile.ssl-err 2017-03-09 17:59:42.832617740 +0100
+++ openssl-1.0.2k/ssl/Makefile 2017-12-13 14:17:46.729350514 +0100
@@ -15,7 +15,8 @@ KRB5_INCLUDES=
CFLAGS= $(INCLUDES) $(CFLAG)
GENERAL=Makefile README ssl-lib.com install.com
-TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c dtlstest.c bad_dtls_test.c
+TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c dtlstest.c \
+ bad_dtls_test.c fatalerrtest.c
APPS=
LIB=$(TOP)/libssl.a
diff -up openssl-1.0.2k/ssl/ssl.h.ssl-err openssl-1.0.2k/ssl/ssl.h
--- openssl-1.0.2k/ssl/ssl.h.ssl-err 2017-03-09 17:59:26.177229502 +0100
+++ openssl-1.0.2k/ssl/ssl.h 2017-12-13 14:17:07.341431733 +0100
@@ -1683,7 +1683,7 @@ extern "C" {
# define SSL_ST_BEFORE 0x4000
# define SSL_ST_OK 0x03
# define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
-# define SSL_ST_ERR 0x05
+# define SSL_ST_ERR (0x05|SSL_ST_INIT)
# define SSL_CB_LOOP 0x01
# define SSL_CB_EXIT 0x02
diff -up openssl-1.0.2k/test/Makefile.ssl-err openssl-1.0.2k/test/Makefile
--- openssl-1.0.2k/test/Makefile.ssl-err 2017-03-09 17:59:45.580681798 +0100
+++ openssl-1.0.2k/test/Makefile 2017-12-13 14:17:46.731350561 +0100
@@ -73,6 +73,7 @@ CLIENTHELLOTEST= clienthellotest
BADDTLSTEST= bad_dtls_test
SSLV2CONFTEST = sslv2conftest
DTLSTEST = dtlstest
+FATALERRTEST = fatalerrtest
TESTS= alltests
@@ -87,7 +88,7 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_
$(ASN1TEST)$(EXE_EXT) $(V3NAMETEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) \
$(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \
$(CLIENTHELLOTEST)$(EXE_EXT) $(SSLV2CONFTEST)$(EXE_EXT) $(DTLSTEST)$(EXE_EXT) \
- $(BADDTLSTEST)$(EXE_EXT)
+ $(BADDTLSTEST)$(EXE_EXT) $(FATALERRTEST)$(EXE_EXT)
# $(METHTEST)$(EXE_EXT)
@@ -102,7 +103,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATES
$(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \
$(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \
$(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o $(DTLSTEST).o ssltestlib.o \
- $(BADDTLSTEST).o
+ $(BADDTLSTEST).o $(FATALERRTEST).o
SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
$(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \
@@ -114,7 +115,7 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATES
$(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \
$(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \
$(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c $(DTLSTEST).c ssltestlib.c \
- $(BADDTLSTEST).c
+ $(BADDTLSTEST).c $(FATALERRTEST).c
EXHEADER=
HEADER= testutil.h ssltestlib.h $(EXHEADER)
@@ -159,7 +160,7 @@ alltests: \
test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
test_jpake test_srp test_cms test_ocsp test_v3name test_heartbeat \
test_constant_time test_verify_extra test_clienthello test_sslv2conftest \
- test_dtls test_bad_dtls
+ test_dtls test_bad_dtls test_fatalerr
test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
@@ -372,6 +373,10 @@ test_bad_dtls: $(BADDTLSTEST)$(EXE_EXT)
@echo $(START) $@
../util/shlib_wrap.sh ./$(BADDTLSTEST)
+test_fatalerr: $(FATALERRTEST)$(EXE_EXT)
+ @echo $(START) $@
+ ../util/shlib_wrap.sh ./$(FATALERRTEST) ../apps/server.pem ../apps/server.pem
+
test_sslv2conftest: $(SSLV2CONFTEST)$(EXE_EXT)
@echo $(START) $@
../util/shlib_wrap.sh ./$(SSLV2CONFTEST)
@@ -560,6 +565,9 @@ $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHE
$(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
@target=$(BADDTLSTEST) $(BUILD_CMD)
+$(FATALERRTEST)$(EXE_EXT): $(FATALERRTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
+ @target=$(FATALERRTEST); exobj=ssltestlib.o; $(BUILD_CMD)
+
$(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
@target=$(SSLV2CONFTEST) $(BUILD_CMD)
@@ -779,6 +787,25 @@ exptest.o: ../include/openssl/opensslcon
exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
exptest.o: ../include/openssl/symhacks.h exptest.c
+fatalerrtest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+fatalerrtest.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+fatalerrtest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+fatalerrtest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+fatalerrtest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+fatalerrtest.o: ../include/openssl/err.h ../include/openssl/evp.h
+fatalerrtest.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+fatalerrtest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+fatalerrtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+fatalerrtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+fatalerrtest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+fatalerrtest.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+fatalerrtest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+fatalerrtest.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+fatalerrtest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+fatalerrtest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+fatalerrtest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+fatalerrtest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+fatalerrtest.o: fatalerrtest.c ssltestlib.h
heartbeat_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
heartbeat_test.o: ../include/openssl/buffer.h ../include/openssl/comp.h
heartbeat_test.o: ../include/openssl/crypto.h ../include/openssl/dsa.h

@ -0,0 +1,80 @@
From ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 Mon Sep 17 00:00:00 2001
From: Andy Polyakov <appro@openssl.org>
Date: Fri, 24 Nov 2017 11:35:50 +0100
Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in
rsaz_1024_mul_avx2.
Credit to OSS-Fuzz for finding this.
CVE-2017-3738
Reviewed-by: Rich Salz <rsalz@openssl.org>
---
crypto/bn/asm/rsaz-avx2.pl | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl
index 712a77f..2b3f8b0 100755
--- a/crypto/bn/asm/rsaz-avx2.pl
+++ b/crypto/bn/asm/rsaz-avx2.pl
@@ -239,7 +239,7 @@ $code.=<<___;
vmovdqu 32*8-128($ap), $ACC8
lea 192(%rsp), $tp0 # 64+128=192
- vpbroadcastq .Land_mask(%rip), $AND_MASK
+ vmovdqu .Land_mask(%rip), $AND_MASK
jmp .LOOP_GRANDE_SQR_1024
.align 32
@@ -1070,10 +1070,10 @@ $code.=<<___;
vpmuludq 32*6-128($np),$Yi,$TEMP1
vpaddq $TEMP1,$ACC6,$ACC6
vpmuludq 32*7-128($np),$Yi,$TEMP2
- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3
+ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3
vpaddq $TEMP2,$ACC7,$ACC7
vpmuludq 32*8-128($np),$Yi,$TEMP0
- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3
+ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3
vpaddq $TEMP0,$ACC8,$ACC8
mov %rbx, %rax
@@ -1086,7 +1086,9 @@ $code.=<<___;
vmovdqu -8+32*2-128($ap),$TEMP2
mov $r1, %rax
+ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3
imull $n0, %eax
+ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3
and \$0x1fffffff, %eax
imulq 16-128($ap),%rbx
@@ -1322,15 +1324,12 @@ ___
# But as we underutilize resources, it's possible to correct in
# each iteration with marginal performance loss. But then, as
# we do it in each iteration, we can correct less digits, and
-# avoid performance penalties completely. Also note that we
-# correct only three digits out of four. This works because
-# most significant digit is subjected to less additions.
+# avoid performance penalties completely.
$TEMP0 = $ACC9;
$TEMP3 = $Bi;
$TEMP4 = $Yi;
$code.=<<___;
- vpermq \$0, $AND_MASK, $AND_MASK
vpaddq (%rsp), $TEMP1, $ACC0
vpsrlq \$29, $ACC0, $TEMP1
@@ -1763,7 +1762,7 @@ $code.=<<___;
.align 64
.Land_mask:
- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1
+ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
.Lscatter_permd:
.long 0,2,4,6,7,7,7,7
.Lgather_permd:
--
2.9.5

@ -0,0 +1,905 @@
diff --git a/crypto/Makefile b/crypto/Makefile
index 8bc5850..3a2bc51 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -45,7 +45,7 @@ SRC= $(LIBSRC)
EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
ossl_typ.h
HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
- constant_time_locl.h $(EXHEADER)
+ constant_time_locl.h bn_int.h $(EXHEADER)
ALL= $(GENERAL) $(SRC) $(HEADER)
diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index b37f6ec..0e6e30f 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -702,6 +702,16 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
/* We only need assert() when debugging */
# include <assert.h>
+/*
+ * The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with
+ * bn_correct_top, in other words such vectors are permitted to have zeros
+ * in most significant limbs. Such vectors are used internally to achieve
+ * execution time invariance for critical operations with private keys.
+ * It's BN_DEBUG-only flag, because user application is not supposed to
+ * observe it anyway. Moreover, optimizing compiler would actually remove
+ * all operations manipulating the bit in question in non-BN_DEBUG build.
+ */
+# define BN_FLG_FIXED_TOP 0x10000
# ifdef BN_DEBUG_RAND
/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
# ifndef RAND_pseudo_bytes
@@ -734,8 +744,10 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
do { \
const BIGNUM *_bnum2 = (a); \
if (_bnum2 != NULL) { \
- assert((_bnum2->top == 0) || \
- (_bnum2->d[_bnum2->top - 1] != 0)); \
+ int _top = _bnum2->top; \
+ assert((_top == 0) || \
+ (_bnum2->flags & BN_FLG_FIXED_TOP) || \
+ (_bnum2->d[_top - 1] != 0)); \
bn_pollute(_bnum2); \
} \
} while(0)
@@ -753,6 +765,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
# else /* !BN_DEBUG */
+# define BN_FLG_FIXED_TOP 0
# define bn_pollute(a)
# define bn_check_top(a)
# define bn_fix_top(a) bn_correct_top(a)
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index bc37671..460d8b7 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -290,6 +290,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
wnum.neg = 0;
wnum.d = &(snum->d[loop]);
wnum.top = div_n;
+ wnum.flags = BN_FLG_STATIC_DATA;
/*
* only needed when BN_ucmp messes up the values between top and max
*/
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 195a786..816a198 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -466,17 +466,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
ret = 1;
goto err;
}
- if (!BN_to_montgomery(val[0], aa, mont, ctx))
+ if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx))
goto err; /* 1 */
window = BN_window_bits_for_exponent_size(bits);
if (window > 1) {
- if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx))
+ if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx))
goto err; /* 2 */
j = 1 << (window - 1);
for (i = 1; i < j; i++) {
if (((val[i] = BN_CTX_get(ctx)) == NULL) ||
- !BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx))
+ !bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx))
goto err;
}
}
@@ -498,19 +498,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
for (i = 1; i < j; i++)
r->d[i] = (~m->d[i]) & BN_MASK2;
r->top = j;
- /*
- * Upper words will be zero if the corresponding words of 'm' were
- * 0xfff[...], so decrement r->top accordingly.
- */
- bn_correct_top(r);
+ r->flags |= BN_FLG_FIXED_TOP;
} else
#endif
- if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
+ if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx))
goto err;
for (;;) {
if (BN_is_bit_set(p, wstart) == 0) {
if (!start) {
- if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
+ if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
goto err;
}
if (wstart == 0)
@@ -541,12 +537,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
/* add the 'bytes above' */
if (!start)
for (i = 0; i < j; i++) {
- if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
+ if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
goto err;
}
/* wvalue will be an odd number < 2^window */
- if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx))
+ if (!bn_mul_mont_fixed_top(r, r, val[wvalue >> 1], mont, ctx))
goto err;
/* move the 'window' down further */
@@ -556,6 +552,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
if (wstart < 0)
break;
}
+ /*
+ * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
+ * removes padding [if any] and makes return value suitable for public
+ * API consumer.
+ */
#if defined(SPARC_T4_MONT)
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
j = mont->N.top; /* borrow j */
@@ -674,7 +675,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
}
b->top = top;
- bn_correct_top(b);
+ b->flags |= BN_FLG_FIXED_TOP;
return 1;
}
@@ -841,16 +842,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
tmp.top = top;
} else
#endif
- if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx))
+ if (!bn_to_mont_fixed_top(&tmp, BN_value_one(), mont, ctx))
goto err;
/* prepare a^1 in Montgomery domain */
if (a->neg || BN_ucmp(a, m) >= 0) {
if (!BN_mod(&am, a, m, ctx))
goto err;
- if (!BN_to_montgomery(&am, &am, mont, ctx))
+ if (!bn_to_mont_fixed_top(&am, &am, mont, ctx))
goto err;
- } else if (!BN_to_montgomery(&am, a, mont, ctx))
+ } else if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
goto err;
#if defined(SPARC_T4_MONT)
@@ -1117,14 +1118,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
* performance advantage of sqr over mul).
*/
if (window > 1) {
- if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
+ if (!bn_mul_mont_fixed_top(&tmp, &am, &am, mont, ctx))
goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2,
window))
goto err;
for (i = 3; i < numPowers; i++) {
/* Calculate a^i = a^(i-1) * a */
- if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
+ if (!bn_mul_mont_fixed_top(&tmp, &am, &tmp, mont, ctx))
goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i,
window))
@@ -1148,7 +1149,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
/* Scan the window, squaring the result as we go */
for (i = 0; i < window; i++, bits--) {
- if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx))
+ if (!bn_mul_mont_fixed_top(&tmp, &tmp, &tmp, mont, ctx))
goto err;
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
}
@@ -1161,12 +1162,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
/* Multiply the result into the intermediate result */
- if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx))
+ if (!bn_mul_mont_fixed_top(&tmp, &tmp, &am, mont, ctx))
goto err;
}
}
- /* Convert the final result from montgomery to standard format */
+ /*
+ * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
+ * removes padding [if any] and makes return value suitable for public
+ * API consumer.
+ */
#if defined(SPARC_T4_MONT)
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
am.d[0] = 1; /* borrow am */
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index 00f4f09..1aa7fe8 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -113,6 +113,7 @@
# define HEADER_BN_LCL_H
# include <openssl/bn.h>
+# include "bn_int.h"
#ifdef __cplusplus
extern "C" {
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 10b78f5..e42e3fb 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -290,8 +290,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
const BN_ULONG *B;
int i;
- bn_check_top(b);
-
if (words > (INT_MAX / (4 * BN_BITS2))) {
BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
return NULL;
@@ -425,8 +423,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
BIGNUM *bn_expand2(BIGNUM *b, int words)
{
- bn_check_top(b);
-
if (words > b->dmax) {
BN_ULONG *a = bn_expand_internal(b, words);
if (!a)
@@ -460,7 +456,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
assert(A == &(b->d[b->dmax]));
}
#endif
- bn_check_top(b);
return b;
}
@@ -572,6 +567,7 @@ void BN_clear(BIGNUM *a)
OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
a->top = 0;
a->neg = 0;
+ a->flags &= ~BN_FLG_FIXED_TOP;
}
BN_ULONG BN_get_word(const BIGNUM *a)
@@ -592,6 +588,7 @@ int BN_set_word(BIGNUM *a, BN_ULONG w)
a->neg = 0;
a->d[0] = w;
a->top = (w ? 1 : 0);
+ a->flags &= ~BN_FLG_FIXED_TOP;
bn_check_top(a);
return (1);
}
@@ -738,6 +735,7 @@ int BN_set_bit(BIGNUM *a, int n)
for (k = a->top; k < i + 1; k++)
a->d[k] = 0;
a->top = i + 1;
+ a->flags &= ~BN_FLG_FIXED_TOP;
}
a->d[i] |= (((BN_ULONG)1) << j);
diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c
index ffbce89..23ddd48 100644
--- a/crypto/bn/bn_mod.c
+++ b/crypto/bn/bn_mod.c
@@ -149,16 +149,71 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
/*
* BN_mod_add variant that may be used if both a and b are non-negative and
- * less than m
+ * less than m. The original algorithm was
+ *
+ * if (!BN_uadd(r, a, b))
+ * return 0;
+ * if (BN_ucmp(r, m) >= 0)
+ * return BN_usub(r, r, m);
+ *
+ * which is replaced with addition, subtracting modulus, and conditional
+ * move depending on whether or not subtraction borrowed.
*/
+int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *m)
+{
+ size_t i, ai, bi, mtop = m->top;
+ BN_ULONG storage[1024 / BN_BITS2];
+ BN_ULONG carry, temp, mask, *rp, *tp = storage;
+ const BN_ULONG *ap, *bp;
+
+ if (bn_wexpand(r, m->top) == NULL)
+ return 0;
+
+ if (mtop > sizeof(storage) / sizeof(storage[0])
+ && (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL)
+ return 0;
+
+ ap = a->d != NULL ? a->d : tp;
+ bp = b->d != NULL ? b->d : tp;
+
+ for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) {
+ mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
+ temp = ((ap[ai] & mask) + carry) & BN_MASK2;
+ carry = (temp < carry);
+
+ mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
+ tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2;
+ carry += (tp[i] < temp);
+
+ i++;
+ ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
+ bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
+ }
+ rp = r->d;
+ carry -= bn_sub_words(rp, tp, m->d, mtop);
+ for (i = 0; i < mtop; i++) {
+ rp[i] = (carry & tp[i]) | (~carry & rp[i]);
+ ((volatile BN_ULONG *)tp)[i] = 0;
+ }
+ r->top = mtop;
+ r->neg = 0;
+
+ if (tp != storage)
+ OPENSSL_free(tp);
+
+ return 1;
+}
+
int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m)
{
- if (!BN_uadd(r, a, b))
- return 0;
- if (BN_ucmp(r, m) >= 0)
- return BN_usub(r, r, m);
- return 1;
+ int ret = bn_mod_add_fixed_top(r, a, b, m);
+
+ if (ret)
+ bn_correct_top(r);
+
+ return ret;
}
int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index be95bd5..d41434a 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -123,11 +123,22 @@
#define MONT_WORD /* use the faster word-based algorithm */
#ifdef MONT_WORD
-static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
+static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
#endif
int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx)
+{
+ int ret = bn_mul_mont_fixed_top(r, a, b, mont, ctx);
+
+ bn_correct_top(r);
+ bn_check_top(r);
+
+ return ret;
+}
+
+int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ BN_MONT_CTX *mont, BN_CTX *ctx)
{
BIGNUM *tmp;
int ret = 0;
@@ -140,8 +151,8 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
r->neg = a->neg ^ b->neg;
r->top = num;
- bn_correct_top(r);
- return (1);
+ r->flags |= BN_FLG_FIXED_TOP;
+ return 1;
}
}
#endif
@@ -161,13 +172,12 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
}
/* reduce from aRR to aR */
#ifdef MONT_WORD
- if (!BN_from_montgomery_word(r, tmp, mont))
+ if (!bn_from_montgomery_word(r, tmp, mont))
goto err;
#else
if (!BN_from_montgomery(r, tmp, mont, ctx))
goto err;
#endif
- bn_check_top(r);
ret = 1;
err:
BN_CTX_end(ctx);
@@ -175,7 +185,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
}
#ifdef MONT_WORD
-static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
+static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
{
BIGNUM *n;
BN_ULONG *ap, *np, *rp, n0, v, carry;
@@ -205,28 +215,16 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
# endif
r->top = max;
+ r->flags |= BN_FLG_FIXED_TOP;
n0 = mont->n0[0];
-# ifdef BN_COUNT
- fprintf(stderr, "word BN_from_montgomery_word %d * %d\n", nl, nl);
-# endif
+ /*
+ * Add multiples of |n| to |r| until R = 2^(nl * BN_BITS2) divides it. On
+ * input, we had |r| < |n| * R, so now |r| < 2 * |n| * R. Note that |r|
+ * includes |carry| which is stored separately.
+ */
for (carry = 0, i = 0; i < nl; i++, rp++) {
-# ifdef __TANDEM
- {
- long long t1;
- long long t2;
- long long t3;
- t1 = rp[0] * (n0 & 0177777);
- t2 = 037777600000l;
- t2 = n0 & t2;
- t3 = rp[0] & 0177777;
- t2 = (t3 * t2) & BN_MASK2;
- t1 = t1 + t2;
- v = bn_mul_add_words(rp, np, nl, (BN_ULONG)t1);
- }
-# else
v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2);
-# endif
v = (v + carry + rp[nl]) & BN_MASK2;
carry |= (v != rp[nl]);
carry &= (v <= rp[nl]);
@@ -236,52 +234,27 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
if (bn_wexpand(ret, nl) == NULL)
return (0);
ret->top = nl;
+ ret->flags |= BN_FLG_FIXED_TOP;
ret->neg = r->neg;
rp = ret->d;
+
+ /*
+ * Shift |nl| words to divide by R. We have |ap| < 2 * |n|. Note that |ap|
+ * includes |carry| which is stored separately.
+ */
ap = &(r->d[nl]);
-# define BRANCH_FREE 1
-# if BRANCH_FREE
- {
- BN_ULONG *nrp;
- size_t m;
-
- v = bn_sub_words(rp, ap, np, nl) - carry;
- /*
- * if subtraction result is real, then trick unconditional memcpy
- * below to perform in-place "refresh" instead of actual copy.
- */
- m = (0 - (size_t)v);
- nrp =
- (BN_ULONG *)(((PTR_SIZE_INT) rp & ~m) | ((PTR_SIZE_INT) ap & m));
-
- for (i = 0, nl -= 4; i < nl; i += 4) {
- BN_ULONG t1, t2, t3, t4;
-
- t1 = nrp[i + 0];
- t2 = nrp[i + 1];
- t3 = nrp[i + 2];
- ap[i + 0] = 0;
- t4 = nrp[i + 3];
- ap[i + 1] = 0;
- rp[i + 0] = t1;
- ap[i + 2] = 0;
- rp[i + 1] = t2;
- ap[i + 3] = 0;
- rp[i + 2] = t3;
- rp[i + 3] = t4;
- }
- for (nl += 4; i < nl; i++)
- rp[i] = nrp[i], ap[i] = 0;
+ carry -= bn_sub_words(rp, ap, np, nl);
+ /*
+ * |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note
+ * |carry| cannot be 1. That would imply the subtraction did not fit in
+ * |nl| words, and we know at most one subtraction is needed.
+ */
+ for (i = 0; i < nl; i++) {
+ rp[i] = (carry & ap[i]) | (~carry & rp[i]);
+ ap[i] = 0;
}
-# else
- if (bn_sub_words(rp, ap, np, nl) - carry)
- memcpy(rp, ap, nl * sizeof(BN_ULONG));
-# endif
- bn_correct_top(r);
- bn_correct_top(ret);
- bn_check_top(ret);
return (1);
}
@@ -295,8 +268,11 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
BIGNUM *t;
BN_CTX_start(ctx);
- if ((t = BN_CTX_get(ctx)) && BN_copy(t, a))
- retn = BN_from_montgomery_word(ret, t, mont);
+ if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) {
+ retn = bn_from_montgomery_word(ret, t, mont);
+ bn_correct_top(ret);
+ bn_check_top(ret);
+ }
BN_CTX_end(ctx);
#else /* !MONT_WORD */
BIGNUM *t1, *t2;
@@ -334,6 +310,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
return (retn);
}
+int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+ BN_CTX *ctx)
+{
+ return bn_mul_mont_fixed_top(r, a, &(mont->RR), mont, ctx);
+}
+
BN_MONT_CTX *BN_MONT_CTX_new(void)
{
BN_MONT_CTX *ret;
@@ -370,7 +352,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
{
- int ret = 0;
+ int i, ret = 0;
BIGNUM *Ri, *R;
if (BN_is_zero(mod))
@@ -382,6 +364,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
R = &(mont->RR); /* grab RR as a temp */
if (!BN_copy(&(mont->N), mod))
goto err; /* Set N */
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+ BN_set_flags(&(mont->N), BN_FLG_CONSTTIME);
mont->N.neg = 0;
#ifdef MONT_WORD
@@ -394,6 +378,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
tmod.dmax = 2;
tmod.neg = 0;
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+ BN_set_flags(&tmod, BN_FLG_CONSTTIME);
+
mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
# if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
@@ -496,6 +483,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
goto err;
+ for (i = mont->RR.top, ret = mont->N.top; i < ret; i++)
+ mont->RR.d[i] = 0;
+ mont->RR.top = ret;
+ mont->RR.flags |= BN_FLG_FIXED_TOP;
+
ret = 1;
err:
BN_CTX_end(ctx);
diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c
index 256d26e..5e69297 100644
--- a/crypto/bn/bn_sqr.c
+++ b/crypto/bn/bn_sqr.c
@@ -135,14 +135,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
}
rr->neg = 0;
- /*
- * If the most-significant half of the top word of 'a' is zero, then the
- * square of 'a' will max-1 words.
- */
- if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l))
- rr->top = max - 1;
- else
- rr->top = max;
+ rr->top = max;
+ bn_correct_top(rr);
if (r != rr && BN_copy(r, rr) == NULL)
goto err;
diff -up openssl-1.0.2k/crypto/bn_int.h.rohnp-fix openssl-1.0.2k/crypto/bn_int.h
--- openssl-1.0.2k/crypto/bn_int.h.rohnp-fix 2018-08-14 10:57:21.597518822 +0200
+++ openssl-1.0.2k/crypto/bn_int.h 2018-08-14 10:57:21.599518871 +0200
@@ -0,0 +1,13 @@
+/*
+ * Some BIGNUM functions assume most significant limb to be non-zero, which
+ * is customarily arranged by bn_correct_top. Output from below functions
+ * is not processed with bn_correct_top, and for this reason it may not be
+ * returned out of public API. It may only be passed internally into other
+ * functions known to support non-minimal or zero-padded BIGNUMs.
+ */
+int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+ BN_CTX *ctx);
+int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ const BIGNUM *m);
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index b5f67bd..894dff8 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -136,8 +136,7 @@ const DSA_METHOD *DSA_OpenSSL(void)
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
- BIGNUM m;
- BIGNUM xr;
+ BIGNUM *m, *blind, *blindm, *tmp;
BN_CTX *ctx = NULL;
int reason = ERR_R_BN_LIB;
DSA_SIG *ret = NULL;
@@ -156,9 +155,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
}
#endif
- BN_init(&m);
- BN_init(&xr);
-
if (!dsa->p || !dsa->q || !dsa->g) {
reason = DSA_R_MISSING_PARAMETERS;
goto err;
@@ -170,6 +166,14 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
+ BN_CTX_start(ctx);
+ m = BN_CTX_get(ctx);
+ blind = BN_CTX_get(ctx);
+ blindm = BN_CTX_get(ctx);
+ tmp = BN_CTX_get(ctx);
+ if (tmp == NULL)
+ goto err;
+
redo:
if ((dsa->kinv == NULL) || (dsa->r == NULL)) {
if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
@@ -189,20 +193,52 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
* 4.2
*/
dlen = BN_num_bytes(dsa->q);
- if (BN_bin2bn(dgst, dlen, &m) == NULL)
+ if (BN_bin2bn(dgst, dlen, m) == NULL)
goto err;
- /* Compute s = inv(k) (m + xr) mod q */
- if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx))
- goto err; /* s = xr */
- if (!BN_add(s, &xr, &m))
- goto err; /* s = m + xr */
- if (BN_cmp(s, dsa->q) > 0)
- if (!BN_sub(s, s, dsa->q))
+ /*
+ * The normal signature calculation is:
+ *
+ * s := k^-1 * (m + r * priv_key) mod q
+ *
+ * We will blind this to protect against side channel attacks
+ *
+ * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
+ */
+
+ /* Generate a blinding value */
+ do {
+ if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, -1, 0))
goto err;
+ } while (BN_is_zero(blind));
+ BN_set_flags(blind, BN_FLG_CONSTTIME);
+ BN_set_flags(blindm, BN_FLG_CONSTTIME);
+ BN_set_flags(tmp, BN_FLG_CONSTTIME);
+
+ /* tmp := blind * priv_key * r mod q */
+ if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
+ goto err;
+ if (!BN_mod_mul(tmp, tmp, r, dsa->q, ctx))
+ goto err;
+
+ /* blindm := blind * m mod q */
+ if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
+ goto err;
+
+ /* s : = (blind * priv_key * r) + (blind * m) mod q */
+ if (!BN_mod_add_quick(s, tmp, blindm, dsa->q))
+ goto err;
+
+ /* s := s * k^-1 mod q */
if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
goto err;
+ /* s:= s * blind^-1 mod q */
+ if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
+ goto err;
+ if (!BN_mod_mul(s, s, blind, dsa->q, ctx))
+ goto err;
+
/*
* Redo if r or s is zero as required by FIPS 186-3: this is very
* unlikely.
@@ -226,13 +262,12 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
BN_free(r);
BN_free(s);
}
- if (ctx != NULL)
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
- BN_clear_free(&m);
- BN_clear_free(&xr);
- if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
- BN_clear_free(kinv);
- return (ret);
+ }
+ BN_clear_free(kinv);
+ return ret;
}
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index dd76960..2b8f169 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -60,6 +60,7 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/bn.h>
+#include "bn_int.h"
static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
const BIGNUM *, const BIGNUM *,
@@ -95,6 +96,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
+ int order_bits;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
@@ -126,6 +128,13 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
goto err;
}
+ /* Preallocate space */
+ order_bits = BN_num_bits(order);
+ if (!BN_set_bit(k, order_bits)
+ || !BN_set_bit(r, order_bits)
+ || !BN_set_bit(X, order_bits))
+ goto err;
+
do {
/* get random k */
do
@@ -139,13 +148,19 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
/*
* We do not want timing information to leak the length of k, so we
* compute G*k using an equivalent scalar of fixed bit-length.
+ *
+ * We unconditionally perform both of these additions to prevent a
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the order. This guarantees the code
+ * path used in the constant time implementations elsewhere.
+ *
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
+ * conditional copy.
*/
-
- if (!BN_add(k, k, order))
+ if (!BN_add(r, k, order)
+ || !BN_add(X, r, order)
+ || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
goto err;
- if (BN_num_bits(k) <= BN_num_bits(order))
- if (!BN_add(k, k, order))
- goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
@@ -237,13 +252,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
EC_KEY *eckey)
{
int ok = 0, i;
- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
+ BIGNUM *kinv = NULL, *s, *m = NULL, *order = NULL;
const BIGNUM *ckinv;
BN_CTX *ctx = NULL;
const EC_GROUP *group;
ECDSA_SIG *ret;
ECDSA_DATA *ecdsa;
const BIGNUM *priv_key;
+ BN_MONT_CTX *mont_data;
ecdsa = ecdsa_check(eckey);
group = EC_KEY_get0_group(eckey);
@@ -262,7 +278,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
s = ret->s;
if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
+ (m = BN_new()) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -271,6 +287,8 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
goto err;
}
+ mont_data = EC_GROUP_get_mont_data(group);
+
i = BN_num_bits(order);
/*
* Need to truncate digest if it is too long: first truncate whole bytes.
@@ -301,21 +319,33 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
}
}
- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+ /*
+ * With only one multiplicant being in Montgomery domain
+ * multiplication yields real result without post-conversion.
+ * Also note that all operations but last are performed with
+ * zero-padded vectors. Last operation, BN_mod_mul_montgomery
+ * below, returns user-visible value with removed zero padding.
+ */
+ if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx)
+ || !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) {
goto err;
}
- if (!BN_mod_add_quick(s, tmp, m, order)) {
+ if (!bn_mod_add_fixed_top(s, s, m, order)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
- if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+ /*
+ * |s| can still be larger than modulus, because |m| can be. In
+ * such case we count on Montgomery reduction to tie it up.
+ */
+ if (!bn_to_mont_fixed_top(s, s, mont_data, ctx)
+ || !BN_mod_mul_montgomery(s, s, ckinv, mont_data, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
if (BN_is_zero(s)) {
/*
- * if kinv and r have been supplied by the caller don't to
+ * if kinv and r have been supplied by the caller don't
* generate new kinv and r values
*/
if (in_kinv != NULL && in_r != NULL) {
@@ -339,8 +369,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
BN_CTX_free(ctx);
if (m)
BN_clear_free(m);
- if (tmp)
- BN_clear_free(tmp);
if (order)
BN_free(order);
if (kinv)

@ -0,0 +1,24 @@
diff -up openssl-1.0.2k/crypto/dh/dh_key.c.large-dh openssl-1.0.2k/crypto/dh/dh_key.c
--- openssl-1.0.2k/crypto/dh/dh_key.c.large-dh 2018-06-18 13:46:24.268137362 +0200
+++ openssl-1.0.2k/crypto/dh/dh_key.c 2018-06-18 13:59:04.605497462 +0200
@@ -133,7 +133,7 @@ static int generate_key(DH *dh)
int ok = 0;
int generate_new_key = 0;
unsigned l;
- BN_CTX *ctx;
+ BN_CTX *ctx = NULL;
BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
@@ -145,6 +145,11 @@ static int generate_key(DH *dh)
}
#endif
+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;

@ -0,0 +1,96 @@
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index c7f1dc3..aa8a7c0 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -177,6 +177,17 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
BIGNUM *pr0, *d, *p;
int bitsp, bitsq, ok = -1, n = 0;
BN_CTX *ctx = NULL;
+ unsigned long error = 0;
+
+ /*
+ * When generating ridiculously small keys, we can get stuck
+ * continually regenerating the same prime values.
+ */
+ if (bits < 16) {
+ ok = 0; /* we set our own err */
+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
#ifdef OPENSSL_FIPS
if (FIPS_module_mode()) {
@@ -233,45 +244,55 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL)
goto err;
+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */
for (;;) {
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
if (!BN_sub(r2, rsa->p, BN_value_one()))
goto err;
- if (!BN_gcd(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
break;
+ }
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
if (!BN_GENCB_call(cb, 3, 0))
goto err;
for (;;) {
- /*
- * When generating ridiculously small keys, we can get stuck
- * continually regenerating the same prime values. Check for this and
- * bail if it happens 3 times.
- */
- unsigned int degenerate = 0;
do {
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
goto err;
if (!BN_sub(r2, rsa->q, rsa->p))
goto err;
- } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
- if (degenerate == 3) {
- ok = 0; /* we set our own err */
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
+ } while (BN_ucmp(r2, r3) <= 0);
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err;
- if (!BN_gcd(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
break;
+ }
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}

@ -0,0 +1,217 @@
diff -up openssl-1.0.2k/crypto/asn1/asn1_err.c.asn1-recursive openssl-1.0.2k/crypto/asn1/asn1_err.c
--- openssl-1.0.2k/crypto/asn1/asn1_err.c.asn1-recursive 2017-01-26 14:22:03.000000000 +0100
+++ openssl-1.0.2k/crypto/asn1/asn1_err.c 2018-06-18 15:08:18.333412753 +0200
@@ -279,6 +279,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"},
{ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"},
{ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"},
+ {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"},
{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"},
{ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"},
{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"},
diff -up openssl-1.0.2k/crypto/asn1/asn1.h.asn1-recursive openssl-1.0.2k/crypto/asn1/asn1.h
--- openssl-1.0.2k/crypto/asn1/asn1.h.asn1-recursive 2018-06-18 13:46:23.857127431 +0200
+++ openssl-1.0.2k/crypto/asn1/asn1.h 2018-06-18 15:07:53.915826715 +0200
@@ -1365,6 +1365,7 @@ void ERR_load_ASN1_strings(void);
# define ASN1_R_MSTRING_NOT_UNIVERSAL 139
# define ASN1_R_MSTRING_WRONG_TAG 140
# define ASN1_R_NESTED_ASN1_STRING 197
+# define ASN1_R_NESTED_TOO_DEEP 219
# define ASN1_R_NON_HEX_CHARACTERS 141
# define ASN1_R_NOT_ASCII_FORMAT 190
# define ASN1_R_NOT_ENOUGH_DATA 142
diff -up openssl-1.0.2k/crypto/asn1/tasn_dec.c.asn1-recursive openssl-1.0.2k/crypto/asn1/tasn_dec.c
--- openssl-1.0.2k/crypto/asn1/tasn_dec.c.asn1-recursive 2017-01-26 14:22:03.000000000 +0100
+++ openssl-1.0.2k/crypto/asn1/tasn_dec.c 2018-06-18 15:14:28.978308482 +0200
@@ -4,7 +4,7 @@
* 2000.
*/
/* ====================================================================
- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -65,6 +65,14 @@
#include <openssl/buffer.h>
#include <openssl/err.h>
+/*
+ * Constructed types with a recursive definition (such as can be found in PKCS7)
+ * could eventually exceed the stack given malicious input with excessive
+ * recursion. Therefore we limit the stack depth. This is the maximum number of
+ * recursive invocations of asn1_item_embed_d2i().
+ */
+#define ASN1_MAX_CONSTRUCTED_NEST 30
+
static int asn1_check_eoc(const unsigned char **in, long len);
static int asn1_find_end(const unsigned char **in, long len, char inf);
@@ -81,11 +89,11 @@ static int asn1_check_tlen(long *olen, i
static int asn1_template_ex_d2i(ASN1_VALUE **pval,
const unsigned char **in, long len,
const ASN1_TEMPLATE *tt, char opt,
- ASN1_TLC *ctx);
+ ASN1_TLC *ctx, int depth);
static int asn1_template_noexp_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_TEMPLATE *tt, char opt,
- ASN1_TLC *ctx);
+ ASN1_TLC *ctx, int depth);
static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
const unsigned char **in, long len,
const ASN1_ITEM *it,
@@ -154,17 +162,16 @@ int ASN1_template_d2i(ASN1_VALUE **pval,
{
ASN1_TLC c;
asn1_tlc_clear_nc(&c);
- return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
+ return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0);
}
/*
* Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
* tag mismatch return -1 to handle OPTIONAL
*/
-
-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
- const ASN1_ITEM *it,
- int tag, int aclass, char opt, ASN1_TLC *ctx)
+static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
+ long len, const ASN1_ITEM *it, int tag, int aclass,
+ char opt, ASN1_TLC *ctx, int depth)
{
const ASN1_TEMPLATE *tt, *errtt = NULL;
const ASN1_COMPAT_FUNCS *cf;
@@ -189,6 +196,11 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
else
asn1_cb = 0;
+ if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP);
+ goto err;
+ }
+
switch (it->itype) {
case ASN1_ITYPE_PRIMITIVE:
if (it->templates) {
@@ -204,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
- it->templates, opt, ctx);
+ it->templates, opt, ctx, depth);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
@@ -326,7 +338,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
/*
* We mark field as OPTIONAL so its absence can be recognised.
*/
- ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
+ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
/* If field not present, try the next one */
if (ret == -1)
continue;
@@ -444,7 +456,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
* attempt to read in field, allowing each to be OPTIONAL
*/
- ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
+ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
+ depth);
if (!ret) {
errtt = seqtt;
goto err;
@@ -514,6 +527,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
return 0;
}
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ const ASN1_ITEM *it,
+ int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+ return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
+}
+
/*
* Templates are handled with two separate functions. One handles any
* EXPLICIT tag and the other handles the rest.
@@ -522,7 +542,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
static int asn1_template_ex_d2i(ASN1_VALUE **val,
const unsigned char **in, long inlen,
const ASN1_TEMPLATE *tt, char opt,
- ASN1_TLC *ctx)
+ ASN1_TLC *ctx, int depth)
{
int flags, aclass;
int ret;
@@ -557,7 +577,7 @@ static int asn1_template_ex_d2i(ASN1_VAL
return 0;
}
/* We've found the field so it can't be OPTIONAL now */
- ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
+ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
if (!ret) {
ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
return 0;
@@ -581,7 +601,7 @@ static int asn1_template_ex_d2i(ASN1_VAL
}
}
} else
- return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
+ return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
*in = p;
return 1;
@@ -594,7 +614,7 @@ static int asn1_template_ex_d2i(ASN1_VAL
static int asn1_template_noexp_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_TEMPLATE *tt, char opt,
- ASN1_TLC *ctx)
+ ASN1_TLC *ctx, int depth)
{
int flags, aclass;
int ret;
@@ -665,14 +685,15 @@ static int asn1_template_noexp_d2i(ASN1_
break;
}
skfield = NULL;
- if (!ASN1_item_ex_d2i(&skfield, &p, len,
- ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
+ if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
+ -1, 0, 0, ctx, depth)) {
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
}
len -= p - q;
if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
+ ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item));
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -683,9 +704,8 @@ static int asn1_template_noexp_d2i(ASN1_
}
} else if (flags & ASN1_TFLG_IMPTAG) {
/* IMPLICIT tagging */
- ret = ASN1_item_ex_d2i(val, &p, len,
- ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
- ctx);
+ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
+ aclass, opt, ctx, depth);
if (!ret) {
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
@@ -693,8 +713,9 @@ static int asn1_template_noexp_d2i(ASN1_
return -1;
} else {
/* Nothing special */
- ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,
+ depth);
if (!ret) {
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;

@ -0,0 +1,36 @@
diff -up openssl-1.0.2k/ssl/s3_srvr.c.long-hello openssl-1.0.2k/ssl/s3_srvr.c
--- openssl-1.0.2k/ssl/s3_srvr.c.long-hello 2017-03-09 17:59:26.000000000 +0100
+++ openssl-1.0.2k/ssl/s3_srvr.c 2017-03-30 09:11:35.639338753 +0200
@@ -899,6 +899,23 @@ int ssl3_send_hello_request(SSL *s)
return ssl_do_write(s);
}
+/*
+ * Maximum size (excluding the Handshake header) of a ClientHello message,
+ * calculated as follows:
+ *
+ * 2 + # client_version
+ * 32 + # only valid length for random
+ * 1 + # length of session_id
+ * 32 + # maximum size for session_id
+ * 2 + # length of cipher suites
+ * 2^16-2 + # maximum length of cipher suites array
+ * 1 + # length of compression_methods
+ * 2^8-1 + # maximum length of compression methods
+ * 2 + # length of extensions
+ * 2^16-1 # maximum length of extensions
+ */
+#define CLIENT_HELLO_MAX_LENGTH 131396
+
int ssl3_get_client_hello(SSL *s)
{
int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1, cookie_valid = 0;
@@ -930,7 +947,7 @@ int ssl3_get_client_hello(SSL *s)
SSL3_ST_SR_CLNT_HELLO_B,
SSL3_ST_SR_CLNT_HELLO_C,
SSL3_MT_CLIENT_HELLO,
- SSL3_RT_MAX_PLAIN_LENGTH, &ok);
+ CLIENT_HELLO_MAX_LENGTH, &ok);
if (!ok)
return ((int)n);

@ -0,0 +1,57 @@
diff -up openssl-1.0.2k/ssl/ssl_cert.c.name-sensitive openssl-1.0.2k/ssl/ssl_cert.c
--- openssl-1.0.2k/ssl/ssl_cert.c.name-sensitive 2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/ssl/ssl_cert.c 2018-06-18 13:43:12.452502627 +0200
@@ -855,9 +855,33 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx,
return (add_client_CA(&(ctx->client_CA), x));
}
-static int xname_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
+static int xname_cmp(const X509_NAME *a, const X509_NAME *b)
{
- return (X509_NAME_cmp(*a, *b));
+ unsigned char *abuf = NULL, *bbuf = NULL;
+ int alen, blen, ret;
+
+ /* X509_NAME_cmp() itself casts away constness in this way, so
+ * assume it's safe:
+ */
+ alen = i2d_X509_NAME((X509_NAME *)a, &abuf);
+ blen = i2d_X509_NAME((X509_NAME *)b, &bbuf);
+
+ if (alen < 0 || blen < 0)
+ ret = -2;
+ else if (alen != blen)
+ ret = alen - blen;
+ else /* alen == blen */
+ ret = memcmp(abuf, bbuf, alen);
+
+ OPENSSL_free(abuf);
+ OPENSSL_free(bbuf);
+
+ return ret;
+}
+
+static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
+{
+ return xname_cmp(*a, *b);
}
#ifndef OPENSSL_NO_STDIO
@@ -876,7 +900,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_
X509_NAME *xn = NULL;
STACK_OF(X509_NAME) *ret = NULL, *sk;
- sk = sk_X509_NAME_new(xname_cmp);
+ sk = sk_X509_NAME_new(xname_sk_cmp);
in = BIO_new(BIO_s_file_internal());
@@ -948,7 +972,7 @@ int SSL_add_file_cert_subjects_to_stack(
int ret = 1;
int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b);
- oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp);
+ oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp);
in = BIO_new(BIO_s_file_internal());

@ -0,0 +1,217 @@
diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
--- openssl-1.0.2k/apps/ciphers.c.no-ssl2 2017-01-26 14:22:03.000000000 +0100
+++ openssl-1.0.2k/apps/ciphers.c 2017-03-01 14:18:28.058046372 +0100
@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
"usage: ciphers args\n",
" -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
" -V - even more verbose\n",
+#ifndef OPENSSL_NO_SSL2
" -ssl2 - SSL2 mode\n",
+#endif
" -ssl3 - SSL3 mode\n",
" -tls1 - TLS1 mode\n",
NULL
diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
--- openssl-1.0.2k/apps/s_client.c.no-ssl2 2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/apps/s_client.c 2017-03-01 14:17:42.368974209 +0100
@@ -380,7 +380,9 @@ static void sc_usage(void)
" -srp_strength int - minimal length in bits for N (default %d).\n",
SRP_MINIMAL_N);
#endif
+#ifndef OPENSSL_NO_SSL2
BIO_printf(bio_err, " -ssl2 - just use SSLv2\n");
+#endif
#ifndef OPENSSL_NO_SSL3_METHOD
BIO_printf(bio_err, " -ssl3 - just use SSLv3\n");
#endif
diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
--- openssl-1.0.2k/apps/s_server.c.no-ssl2 2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/apps/s_server.c 2017-03-01 14:13:54.154618822 +0100
@@ -598,7 +598,9 @@ static void sv_usage(void)
BIO_printf(bio_err,
" -srpuserseed string - A seed string for a default user salt.\n");
#endif
+#ifndef OPENSSL_NO_SSL2
BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n");
+#endif
#ifndef OPENSSL_NO_SSL3_METHOD
BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
#endif
@@ -610,7 +612,7 @@ static void sv_usage(void)
BIO_printf(bio_err, " -timeout - Enable timeouts\n");
BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
BIO_printf(bio_err, " -chain - Read a certificate chain\n");
- BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
+ BIO_printf(bio_err, " -no_ssl2 - No-op, SSLv2 is always disabled\n");
BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
--- openssl-1.0.2k/apps/s_time.c.no-ssl2 2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/apps/s_time.c 2017-03-01 14:20:15.708572549 +0100
@@ -191,7 +191,9 @@ static void s_time_usage(void)
SSL_CONNECT_NAME);
#ifdef FIONBIO
printf("-nbio - Run with non-blocking IO\n");
+#ifndef OPENSSL_NO_SSL2
printf("-ssl2 - Just use SSLv2\n");
+#endif
printf("-ssl3 - Just use SSLv3\n");
printf("-bugs - Turn on SSL bug compatibility\n");
printf("-new - Just time new connections\n");
diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/doc/apps/ciphers.pod 2017-03-01 14:02:51.275041593 +0100
@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
B<openssl> B<ciphers>
[B<-v>]
[B<-V>]
-[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
[B<cipherlist>]
@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
-=item B<-ssl2>
-
-Only include SSLv2 ciphers.
-
=item B<-h>, B<-?>
Print a brief usage message.
diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_client.pod 2017-03-01 14:06:28.389146669 +0100
@@ -33,13 +33,11 @@ B<openssl> B<s_client>
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-quiet>]
-[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
[B<-dtls1>]
-[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
These options require or disable the use of the specified SSL or TLS protocols.
By default the initial handshake uses a I<version-flexible> method which will
@@ -326,8 +324,8 @@ would typically be used (https uses port
then an HTTP command can be given such as "GET /" to retrieve a web page.
If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
+nothing obvious like no client certificate then the B<-bugs>,
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
in case it is a buggy server. In particular you should play with these
options B<before> submitting a bug report to an OpenSSL mailing list.
@@ -349,10 +347,6 @@ on the command line is no guarantee that
If there are problems verifying a server certificate then the
B<-showcerts> option can be used to show the whole chain.
-Since the SSLv23 client hello cannot include compression methods or extensions
-these will only be supported if its use is disabled, for example by using the
-B<-no_sslv2> option.
-
The B<s_client> utility is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
accept any certificate chain (trusted or not) sent by the peer. None test
diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_server.pod 2017-03-01 14:04:17.871077754 +0100
@@ -42,12 +42,10 @@ B<openssl> B<s_server>
[B<-keytab filename>]
[B<-quiet>]
[B<-no_tmp_rsa>]
-[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
-[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_dhe>]
@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
These options require or disable the use of the specified SSL or TLS protocols.
By default the initial handshake uses a I<version-flexible> method which will
diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_time.pod 2017-03-01 14:03:50.440432769 +0100
@@ -20,7 +20,6 @@ B<openssl> B<s_time>
[B<-verify depth>]
[B<-nbio>]
[B<-time seconds>]
-[B<-ssl2>]
[B<-ssl3>]
[B<-bugs>]
[B<-cipher cipherlist>]
@@ -99,9 +98,9 @@ specified, they are both on by default a
turns on non-blocking I/O.
-=item B<-ssl2>, B<-ssl3>
+=item B<-ssl3>
-these options disable the use of certain SSL or TLS protocols. By default
+this option disables the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all
servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
The timing program is not as rich in options to turn protocols on and off as
@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-ssl3> option; others
-will only support SSL v2 and may need the B<-ssl2> option.
+work if TLS is turned off with the B<-ssl3> option.
=item B<-bugs>
@@ -144,7 +142,7 @@ which both client and server can agree,
for details.
If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+nothing obvious like no client certificate then the B<-bugs>,
B<-ssl3> options can be tried
in case it is a buggy server. In particular you should play with these
options B<before> submitting a bug report to an OpenSSL mailing list.
diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod 2017-03-01 14:09:12.981016773 +0100
@@ -123,13 +123,8 @@ used.
=item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
-A TLS/SSL connection established with these methods will only understand the
-SSLv2 protocol. A client will send out SSLv2 client hello messages and will
-also indicate that it only understand SSLv2. A server will only understand
-SSLv2 client hello messages. The SSLv2 protocol offers little to no security
-and should not be used.
-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
-with SSLv2.
+These calls are provided only as stubs for keeping ABI compatibility. There
+is no support for SSLv2 built in the library.
=item DTLS_method(), DTLS_server_method(), DTLS_client_method()

File diff suppressed because it is too large Load Diff

@ -0,0 +1,30 @@
diff -up openssl-1.0.2k/apps/req.c.req-x509 openssl-1.0.2k/apps/req.c
--- openssl-1.0.2k/apps/req.c.req-x509 2017-03-09 17:59:26.269231647 +0100
+++ openssl-1.0.2k/apps/req.c 2017-05-17 13:23:31.236556216 +0200
@@ -331,7 +331,6 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv, "-text") == 0)
text = 1;
else if (strcmp(*argv, "-x509") == 0) {
- newreq = 1;
x509 = 1;
} else if (strcmp(*argv, "-asn1-kludge") == 0)
kludge = 1;
@@ -447,6 +446,9 @@ int MAIN(int argc, char **argv)
goto end;
}
+ if (x509 && infile == NULL)
+ newreq = 1;
+
ERR_load_crypto_strings();
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
@@ -753,7 +755,7 @@ int MAIN(int argc, char **argv)
}
}
- if (newreq) {
+ if (newreq || x509) {
if (pkey == NULL) {
BIO_printf(bio_err, "you need to specify a private key\n");
goto end;

File diff suppressed because it is too large Load Diff

@ -0,0 +1,11 @@
--- ssl/dtls1.h.orig 2014-12-22 19:03:22.442338471 +0100
+++ ssl/dtls1.h 2014-12-22 19:03:44.061694335 +0100
@@ -68,7 +68,7 @@
# endif
# ifdef OPENSSL_SYS_WIN32
/* Needed for struct timeval */
-# include <winsock.h>
+# include <time.h>
# elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
# include <sys/timeval.h>
# else

@ -0,0 +1,26 @@
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 23271be..f57ca72 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -143,7 +143,7 @@ static int is_md_legacy_disallowed(int mdnid)
{
int i;
- if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") != NULL)
+ if (mdnid == NID_md5 && getenv("OPENSSL_ENABLE_MD5_VERIFY") != NULL)
return 0;
for (i = 0; legacy_mds[i] != 0; ++i) {
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 732804f..8f845f7 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -486,7 +486,7 @@ static void load_builtin_compressions(void)
MemCheck_off();
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
if (ssl_comp_methods != NULL
- && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+ && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL) {
comp->method = COMP_zlib();

@ -0,0 +1,400 @@
/* Test program to verify that RSA signing is thread-safe in OpenSSL. */
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/md5.h>
#include <openssl/ssl.h>
/* Just assume we want to do engine stuff if we're using 0.9.6b or
* higher. This assumption is only valid for versions bundled with RHL. */
#if OPENSSL_VERSION_NUMBER >= 0x0090602fL
#include <openssl/engine.h>
#define USE_ENGINE
#endif
#define MAX_THREAD_COUNT 10000
#define ITERATION_COUNT 10
#define MAIN_COUNT 100
/* OpenSSL requires us to provide thread ID and locking primitives. */
pthread_mutex_t *mutex_locks = NULL;
static unsigned long
thread_id_cb(void)
{
return (unsigned long) pthread_self();
}
static void
lock_cb(int mode, int n, const char *file, int line)
{
if (mode & CRYPTO_LOCK) {
pthread_mutex_lock(&mutex_locks[n]);
} else {
pthread_mutex_unlock(&mutex_locks[n]);
}
}
struct thread_args {
RSA *rsa;
int digest_type;
unsigned char *digest;
unsigned int digest_len;
unsigned char *signature;
unsigned int signature_len;
pthread_t main_thread;
};
static int print = 0;
pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER;
static int locked_sign = 0;
static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);}
static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);}
pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER;
static int locked_verify = 0;
static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);}
static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);}
pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER;
long failure_count = 0;
static void
failure()
{
pthread_mutex_lock(&failure_count_lock);
failure_count++;
pthread_mutex_unlock(&failure_count_lock);
}
static void *
thread_main(void *argp)
{
struct thread_args *args = argp;
unsigned char *signature;
unsigned int signature_len, signature_alloc_len;
int ret, i;
signature_alloc_len = args->signature_len;
if (RSA_size(args->rsa) > signature_alloc_len) {
signature_alloc_len = RSA_size(args->rsa);
}
signature = malloc(signature_alloc_len);
if (signature == NULL) {
fprintf(stderr, "Skipping checks in thread %lu -- %s.\n",
(unsigned long) pthread_self(), strerror(errno));
pthread_exit(0);
return NULL;
}
for (i = 0; i < ITERATION_COUNT; i++) {
signature_len = signature_alloc_len;
SIGN_LOCK();
ret = RSA_check_key(args->rsa);
ERR_print_errors_fp(stdout);
if (ret != 1) {
failure();
break;
}
ret = RSA_sign(args->digest_type,
args->digest,
args->digest_len,
signature, &signature_len,
args->rsa);
SIGN_UNLOCK();
ERR_print_errors_fp(stdout);
if (ret != 1) {
failure();
break;
}
VERIFY_LOCK();
ret = RSA_verify(args->digest_type,
args->digest,
args->digest_len,
signature, signature_len,
args->rsa);
VERIFY_UNLOCK();
if (ret != 1) {
fprintf(stderr,
"Signature from thread %lu(%d) fails "
"verification (passed in thread #%lu)!\n",
(long) pthread_self(), i,
(long) args->main_thread);
ERR_print_errors_fp(stdout);
failure();
continue;
}
if (print) {
fprintf(stderr, ">%d\n", i);
}
}
free(signature);
pthread_exit(0);
return NULL;
}
unsigned char *
xmemdup(unsigned char *s, size_t len)
{
unsigned char *r;
r = malloc(len);
if (r == NULL) {
fprintf(stderr, "Out of memory.\n");
ERR_print_errors_fp(stdout);
assert(r != NULL);
}
memcpy(r, s, len);
return r;
}
int
main(int argc, char **argv)
{
RSA *rsa;
MD5_CTX md5;
int fd, i;
pthread_t threads[MAX_THREAD_COUNT];
int thread_count = 1000;
unsigned char *message, *digest;
unsigned int message_len, digest_len;
unsigned char *correct_signature;
unsigned int correct_siglen, ret;
struct thread_args master_args, *args;
int sync = 0, seed = 0;
int again = 1;
#ifdef USE_ENGINE
char *engine = NULL;
ENGINE *e = NULL;
#endif
pthread_mutex_init(&failure_count_lock, NULL);
for (i = 1; i < argc; i++) {
if (strcmp(argv[i], "--seed") == 0) {
printf("Seeding PRNG.\n");
seed++;
} else
if (strcmp(argv[i], "--sync") == 0) {
printf("Running synchronized.\n");
sync++;
} else
if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) {
i++;
thread_count = atol(argv[i]);
if (thread_count > MAX_THREAD_COUNT) {
thread_count = MAX_THREAD_COUNT;
}
printf("Starting %d threads.\n", thread_count);
sync++;
} else
if (strcmp(argv[i], "--sign") == 0) {
printf("Locking signing.\n");
locked_sign++;
} else
if (strcmp(argv[i], "--verify") == 0) {
printf("Locking verifies.\n");
locked_verify++;
} else
if (strcmp(argv[i], "--print") == 0) {
printf("Tracing.\n");
print++;
#ifdef USE_ENGINE
} else
if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) {
printf("Using engine \"%s\".\n", argv[i + 1]);
engine = argv[i + 1];
i++;
#endif
} else {
printf("Bad argument: %s\n", argv[i]);
return 1;
}
}
/* Get some random data to sign. */
fd = open("/dev/urandom", O_RDONLY);
if (fd == -1) {
fprintf(stderr, "Error opening /dev/urandom: %s\n",
strerror(errno));
}
if (print) {
fprintf(stderr, "Reading random data.\n");
}
message = malloc(message_len = 9371);
read(fd, message, message_len);
close(fd);
/* Initialize the SSL library and set up thread-safe locking. */
ERR_load_crypto_strings();
SSL_library_init();
mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
for (i = 0; i < CRYPTO_num_locks(); i++) {
pthread_mutex_init(&mutex_locks[i], NULL);
}
CRYPTO_set_id_callback(thread_id_cb);
CRYPTO_set_locking_callback(lock_cb);
ERR_print_errors_fp(stdout);
/* Seed the PRNG if we were asked to do so. */
if (seed) {
if (print) {
fprintf(stderr, "Seeding PRNG.\n");
}
RAND_add(message, message_len, message_len);
ERR_print_errors_fp(stdout);
}
/* Turn on a hardware crypto device if asked to do so. */
#ifdef USE_ENGINE
if (engine) {
#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
ENGINE_load_builtin_engines();
#endif
if (print) {
fprintf(stderr, "Initializing \"%s\" engine.\n",
engine);
}
e = ENGINE_by_id(engine);
ERR_print_errors_fp(stdout);
if (e) {
i = ENGINE_init(e);
ERR_print_errors_fp(stdout);
i = ENGINE_set_default_RSA(e);
ERR_print_errors_fp(stdout);
}
}
#endif
/* Compute the digest for the signature. */
if (print) {
fprintf(stderr, "Computing digest.\n");
}
digest = malloc(digest_len = MD5_DIGEST_LENGTH);
MD5_Init(&md5);
MD5_Update(&md5, message, message_len);
MD5_Final(digest, &md5);
/* Generate a signing key. */
if (print) {
fprintf(stderr, "Generating key.\n");
}
rsa = RSA_generate_key(4096, 3, NULL, NULL);
ERR_print_errors_fp(stdout);
if (rsa == NULL) {
_exit(1);
}
/* Sign the data. */
correct_siglen = RSA_size(rsa);
correct_signature = malloc(correct_siglen);
for (i = 0; i < MAIN_COUNT; i++) {
if (print) {
fprintf(stderr, "Signing data (%d).\n", i);
}
ret = RSA_check_key(rsa);
ERR_print_errors_fp(stdout);
if (ret != 1) {
failure();
}
correct_siglen = RSA_size(rsa);
ret = RSA_sign(NID_md5, digest, digest_len,
correct_signature, &correct_siglen,
rsa);
ERR_print_errors_fp(stdout);
if (ret != 1) {
_exit(2);
}
if (print) {
fprintf(stderr, "Verifying data (%d).\n", i);
}
ret = RSA_verify(NID_md5, digest, digest_len,
correct_signature, correct_siglen,
rsa);
if (ret != 1) {
_exit(2);
}
}
/* Collect up the inforamtion which other threads will need for
* comparing their signature results with ours. */
master_args.rsa = rsa;
master_args.digest_type = NID_md5;
master_args.digest = digest;
master_args.digest_len = digest_len;
master_args.signature = correct_signature;
master_args.signature_len = correct_siglen;
master_args.main_thread = pthread_self();
fprintf(stdout, "Performing %d signatures in each of %d threads "
"(%d, %d).\n", ITERATION_COUNT, thread_count,
digest_len, correct_siglen);
fflush(NULL);
/* Start up all of the threads. */
for (i = 0; i < thread_count; i++) {
args = malloc(sizeof(struct thread_args));
args->rsa = RSAPrivateKey_dup(master_args.rsa);
args->digest_type = master_args.digest_type;
args->digest_len = master_args.digest_len;
args->digest = xmemdup(master_args.digest, args->digest_len);
args->signature_len = master_args.signature_len;
args->signature = xmemdup(master_args.signature,
args->signature_len);
args->main_thread = pthread_self();
ret = pthread_create(&threads[i], NULL, thread_main, args);
while ((ret != 0) && (errno == EAGAIN)) {
ret = pthread_create(&threads[i], NULL,
thread_main, &args);
fprintf(stderr, "Thread limit hit at %d.\n", i);
}
if (ret != 0) {
fprintf(stderr, "Unable to create thread %d: %s.\n",
i, strerror(errno));
threads[i] = -1;
} else {
if (sync) {
ret = pthread_join(threads[i], NULL);
assert(ret == 0);
}
if (print) {
fprintf(stderr, "%d\n", i);
}
}
}
/* Wait for all threads to complete. So long as we can find an
* unjoined thread, keep joining threads. */
do {
again = 0;
for (i = 0; i < thread_count; i++) {
/* If we have an unterminated thread, join it. */
if (threads[i] != -1) {
again = 1;
if (print) {
fprintf(stderr, "Joining thread %d.\n",
i);
}
pthread_join(threads[i], NULL);
threads[i] = -1;
break;
}
}
} while (again == 1);
fprintf(stderr, "%ld failures\n", failure_count);
return (failure_count != 0);
}

@ -0,0 +1,11 @@
--- engines/Makefile.orig 2010-05-15 21:24:54.986089920 +0200
+++ engines/Makefile 2010-05-15 21:26:51.409085467 +0200
@@ -111,7 +111,7 @@
for l in $(LIBNAMES); do \
( echo installing $$l; \
pfx=lib; \
- if [ "$(PLATFORM)" = "mingw" ]; then \
+ if [ "$(PLATFORM)" = "mingw" -o "$(PLATFORM)" = "mingw64" ]; then \
sfx=.dll; \
cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
elif expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \

@ -0,0 +1,7 @@
/* Prepended at openssl package build-time. Don't include this file directly,
* use <openssl/opensslconf.h> instead. */
#ifndef openssl_opensslconf_multilib_redirection_h
#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
#endif

@ -0,0 +1,47 @@
/* This file is here to prevent a file conflict on multiarch systems. A
* conflict will frequently occur because arch-specific build-time
* configuration options are stored (and used, so they can't just be stripped
* out) in opensslconf.h. The original opensslconf.h has been renamed.
* DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
#ifdef openssl_opensslconf_multilib_redirection_h
#error "Do not define openssl_opensslconf_multilib_redirection_h!"
#endif
#define openssl_opensslconf_multilib_redirection_h
#if defined(__i386__)
#include "opensslconf-i386.h"
#elif defined(__ia64__)
#include "opensslconf-ia64.h"
#elif defined(__mips64) && defined(__MIPSEL__)
#include "opensslconf-mips64el.h"
#elif defined(__mips64)
#include "opensslconf-mips64.h"
#elif defined(__mips) && defined(__MIPSEL__)
#include "opensslconf-mipsel.h"
#elif defined(__mips)
#include "opensslconf-mips.h"
#elif defined(__powerpc64__)
#include <endian.h>
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#include "opensslconf-ppc64.h"
#else
#include "opensslconf-ppc64le.h"
#endif
#elif defined(__powerpc__)
#include "opensslconf-ppc.h"
#elif defined(__s390x__)
#include "opensslconf-s390x.h"
#elif defined(__s390__)
#include "opensslconf-s390.h"
#elif defined(__sparc__) && defined(__arch64__)
#include "opensslconf-sparc64.h"
#elif defined(__sparc__)
#include "opensslconf-sparc.h"
#elif defined(__x86_64__)
#include "opensslconf-x86_64.h"
#else
#error "This openssl-devel package does not work your architecture?"
#endif
#undef openssl_opensslconf_multilib_redirection_h

@ -0,0 +1,42 @@
#!/bin/bash
if [ $# -eq 0 ]; then
echo $"Usage: `basename $0` filename" 1>&2
exit 1
fi
PEM=$1
REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
NEW=${PEM}_
trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
if [ ! -f $PEM ]; then
echo "$PEM: file not found" 1>&2
exit 1
fi
let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
let SERIAL++
umask 077
OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
openssl rsa -inform pem -in $PEM -out $KEY
openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
(cat $KEY ; echo "" ; cat $CRT) > $NEW
chown $OWNER $NEW
mv -f $NEW $PEM
rm -f $REQ $KEY $CRT
exit 0

@ -0,0 +1,745 @@
%?mingw_package_header
# For the curious:
# 0.9.5a soversion = 0
# 0.9.6 soversion = 1
# 0.9.6a soversion = 2
# 0.9.6c soversion = 3
# 0.9.7a soversion = 4
# 0.9.7ef soversion = 5
# 0.9.8ab soversion = 6
# 0.9.8g soversion = 7
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
%global soversion 10
# Enable the tests.
# These only work some of the time, but fail randomly at other times
# (although I have had them complete a few times, so I don't think
# there is any actual problem with the binaries).
%global run_tests 0
# Number of threads to spawn when testing some threading fixes.
%global thread_test_threads %{?threads:%{threads}}%{!?threads:1}
Name: mingw-openssl
Version: 1.0.2k
Release: 2%{?dist}
Summary: MinGW port of the OpenSSL toolkit
License: OpenSSL
Group: Development/Libraries
URL: http://www.openssl.org/
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: openssl-%{version}-hobbled.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
Source7: renew-dummy-cert
Source8: openssl-thread-test.c
Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
Source11: README.FIPS
Source12: ec_curve.c
Source13: ectest.c
# Build changes
Patch1: openssl-1.0.2e-rpmbuild.patch
Patch2: openssl-1.0.2a-defaults.patch
Patch4: openssl-1.0.2i-enginesdir.patch
Patch5: openssl-1.0.2a-no-rpath.patch
Patch6: openssl-1.0.2a-test-use-localhost.patch
Patch7: openssl-1.0.0-timezone.patch
Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch
# Bug fixes
Patch23: openssl-1.0.2c-default-paths.patch
Patch24: openssl-1.0.2a-issuer-hash.patch
# Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch
# Patch39: openssl-1.0.2a-ipv6-apps.patch
Patch40: openssl-1.0.2i-fips.patch
Patch43: openssl-1.0.2j-krb5keytab.patch
Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch
Patch50: openssl-1.0.2a-dtls1-abi.patch
# Patch51: openssl-1.0.2a-version.patch
# Patch56: openssl-1.0.2a-rsa-x931.patch
Patch58: openssl-1.0.2a-fips-md5-allow.patch
Patch60: openssl-1.0.2a-apps-dgst.patch
# Patch63: openssl-1.0.2k-starttls.patch
Patch65: openssl-1.0.2i-chil-fixes.patch
Patch66: openssl-1.0.2h-pkgconfig.patch
# Patch68: openssl-1.0.2i-secure-getenv.patch
# Patch70: openssl-1.0.2a-fips-ec.patch
Patch71: openssl-1.0.2g-manfix.patch
# Patch72: openssl-1.0.2a-fips-ctor.patch
Patch73: openssl-1.0.2c-ecc-suiteb.patch
Patch74: openssl-1.0.2j-deprecate-algos.patch
Patch75: openssl-1.0.2a-compat-symbols.patch
# Patch76: openssl-1.0.2j-new-fips-reqs.patch
Patch77: openssl-1.0.2j-downgrade-strength.patch
Patch78: openssl-1.0.2k-cc-reqs.patch
Patch90: openssl-1.0.2i-enc-fail.patch
Patch94: openssl-1.0.2d-secp256k1.patch
Patch95: openssl-1.0.2e-remove-nistp224.patch
Patch96: openssl-1.0.2e-speed-doc.patch
Patch97: openssl-1.0.2k-no-ssl2.patch
Patch98: openssl-1.0.2k-long-hello.patch
# Patch99: openssl-1.0.2k-fips-randlock.patch
# Backported fixes including security fixes
Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch
Patch82: openssl-1.0.2i-trusted-first-doc.patch
Patch83: openssl-1.0.2k-backports.patch
Patch84: openssl-1.0.2k-ppc-update.patch
Patch85: openssl-1.0.2k-req-x509.patch
Patch86: openssl-1.0.2k-cve-2017-3736.patch
Patch87: openssl-1.0.2k-cve-2017-3737.patch
Patch88: openssl-1.0.2k-cve-2017-3738.patch
Patch89: openssl-1.0.2k-s390x-update.patch
Patch100: openssl-1.0.2k-name-sensitive.patch
Patch101: openssl-1.0.2k-cve-2017-3735.patch
Patch102: openssl-1.0.2k-cve-2018-0732.patch
Patch103: openssl-1.0.2k-cve-2018-0737.patch
Patch104: openssl-1.0.2k-cve-2018-0739.patch
Patch105: openssl-1.0.2k-cve-2018-0495.patch
# MinGW-specific patches.
# Rename *eay32.dll to lib*.dll
Patch1001: mingw32-openssl-1.0.0-beta3-libversion.patch
# Fix engines/ install target after lib rename
Patch1002: mingw32-openssl-1.0.2a-sfx.patch
# Some .c file contains in #include <dlfcn.h> while it
# doesn't really use anything from that header
Patch1003: mingw-openssl-drop-unneeded-reference-to-dlfcn-h.patch
# Mingw-w64 compatibility patch
Patch1004: openssl_mingw64_install_fix.patch
# Prevent a build failure which occurs because we don't have FIPS enabled
Patch1005: mingw-openssl-fix-fips-build-failure.patch
# The function secure_getenv is a GNU extension which isn't available on Windows
Patch1006: openssl-mingw64-dont-use-secure-getenv.patch
# Don't include the old winsock.h as it will cause warnings/errors in packages
# using the openssl headers like: Please include winsock2.h before windows.h
Patch1007: openssl-dont-include-winsock-h.patch
BuildArch: noarch
ExclusiveArch: %{ix86} x86_64
BuildRequires: mingw32-filesystem >= 95
BuildRequires: mingw32-gcc
BuildRequires: mingw32-binutils
BuildRequires: mingw32-zlib
BuildRequires: mingw64-filesystem >= 95
BuildRequires: mingw64-gcc
BuildRequires: mingw64-binutils
BuildRequires: mingw64-zlib
BuildRequires: perl-interpreter
BuildRequires: sed
BuildRequires: /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
# XXX Not really sure about this one. The build script uses
# /usr/bin/makedepend which comes from imake.
BuildRequires: imake
%if %{run_tests}
# Required both to build, and to run the tests.
# XXX This needs to be fixed - cross-compilation should not
# require running executables.
BuildRequires: wine
# Required to run the tests.
BuildRequires: xorg-x11-server-Xvfb
%endif
%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
This package contains Windows (MinGW) libraries and development tools.
# Win32
%package -n mingw32-openssl
Summary: MinGW port of the OpenSSL toolkit
#Requires: ca-certificates >= 2008-5
Requires: pkgconfig
%description -n mingw32-openssl
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
This package contains Windows (MinGW) libraries and development tools.
%package -n mingw32-openssl-static
Summary: Static version of the MinGW port of the OpenSSL toolkit
Requires: mingw32-openssl = %{version}-%{release}
%description -n mingw32-openssl-static
Static version of the MinGW port of the OpenSSL toolkit.
# Win64
%package -n mingw64-openssl
Summary: MinGW port of the OpenSSL toolkit
#Requires: ca-certificates >= 2008-5
Requires: pkgconfig
%description -n mingw64-openssl
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
This package contains Windows (MinGW) libraries and development tools.
%package -n mingw64-openssl-static
Summary: Static version of the MinGW port of the OpenSSL toolkit
Requires: mingw64-openssl = %{version}-%{release}
%description -n mingw64-openssl-static
Static version of the MinGW port of the OpenSSL toolkit.
%?mingw_debug_package
%prep
%setup -q -n openssl-%{version}
# The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed.
%{SOURCE1} > /dev/null
cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch1 -p1 -b .rpmbuild
%patch2 -p1 -b .defaults
%patch4 -p1 -b .enginesdir %{?_rawbuild}
%patch5 -p1 -b .no-rpath
%patch6 -p1 -b .use-localhost
%patch7 -p1 -b .timezone
%patch8 -p1 -b .perlfind %{?_rawbuild}
%patch9 -p1 -b .aliasing
%patch23 -p1 -b .default-paths
%patch24 -p1 -b .issuer-hash
%patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509
%patch35 -p1 -b .version-add-engines
#patch39 -p1 -b .ipv6-apps
%patch40 -p1 -b .fips
%patch43 -p1 -b .krb5keytab
%patch45 -p1 -b .env-zlib
%patch47 -p1 -b .warning
%patch49 -p1 -b .algo-doc
%patch50 -p1 -b .dtls1-abi
#patch51 -p1 -b .version
#patch56 -p1 -b .x931
%patch58 -p1 -b .md5-allow
%patch60 -p1 -b .dgst
#patch63 -p1 -b .starttls
%patch65 -p1 -b .chil
%patch66 -p1 -b .pkgconfig
#patch68 -p1 -b .secure-getenv
#patch70 -p1 -b .fips-ec
%patch71 -p1 -b .manfix
#patch72 -p1 -b .fips-ctor
%patch73 -p1 -b .suiteb
%patch74 -p1 -b .deprecate-algos
%patch75 -p1 -b .compat
#patch76 -p1 -b .fips-reqs
%patch77 -p1 -b .strength
%patch78 -p1 -b .cc-reqs
%patch90 -p1 -b .enc-fail
%patch94 -p1 -b .secp256k1
%patch95 -p1 -b .nistp224
%patch96 -p1 -b .speed-doc
%patch97 -p1 -b .no-ssl2
%patch98 -p1 -b .long-hello
#patch99 -p1 -b .randlock
%patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .trusted-first
%patch83 -p1 -b .backports
%patch84 -p1 -b .ppc-update
%patch85 -p1 -b .req-x509
%patch86 -p1 -b .mont5-carry
%patch87 -p1 -b .ssl-err
%patch88 -p1 -b .rsaz-overflow
%patch89 -p1 -b .s390x-update
%patch100 -p1 -b .name-sensitive
%patch101 -p1 -b .overread
%patch102 -p1 -b .large-dh
%patch103 -p1 -b .gen-timing
%patch104 -p1 -b .asn1-recursive
%patch105 -p1 -b .rohnp-fix
# MinGW specific patches
%patch1001 -p1 -b .mingw-libversion
%patch1002 -p1 -b .mingw-sfx
%patch1003 -p0 -b .dlfcn
%patch1004 -p0 -b .mingw64
%patch1005 -p1 -b .fips_mingw
%patch1006 -p1 -b .secure_getenv_mingw
%patch1007 -p0 -b .winsock
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
# Generate a table with the compile settings for my perusal.
touch Makefile
make TABLE PERL=%{__perl}
# Create two copies of the source folder as OpenSSL doesn't support out of source builds
mkdir ../build_win32
mv * ../build_win32
mv ../build_win32 .
mkdir build_win64
cp -Rp build_win32/* build_win64
# Use mingw cflags instead of hardcoded ones
sed -i -e '/^"mingw"/ s/-fomit-frame-pointer -O3 -march=i486 -Wall/%{mingw32_cflags}/' build_win32/Configure
sed -i -e '/^"mingw"/ s/-O3 -Wall/%{mingw64_cflags}/' build_win64/Configure
%build
###############################################################################
# Win32
###############################################################################
pushd build_win32
PERL=%{__perl} \
./Configure \
--prefix=%{mingw32_prefix} \
--openssldir=%{mingw32_sysconfdir}/pki/tls \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
enable-cms enable-md2 enable-rc5 \
no-mdc2 no-ec2m no-gost no-srp \
no-fips no-hw \
--cross-compile-prefix=%{mingw32_target}- \
--enginesdir=%{mingw32_libdir}/openssl/engines \
shared mingw
# Regenerate def files as we disabled some algorithms above
perl util/mkdef.pl crypto ssl update
make depend
make all build-shared
# Generate hashes for the included certs.
make rehash build-shared
popd
###############################################################################
# Win64
###############################################################################
pushd build_win64
PERL=%{__perl} \
./Configure \
--prefix=%{mingw64_prefix} \
--openssldir=%{mingw64_sysconfdir}/pki/tls \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
enable-cms enable-md2 \
no-mdc2 no-rc5 no-ec2m no-gost no-srp \
no-fips no-hw \
--cross-compile-prefix=%{mingw64_target}- \
--enginesdir=%{mingw64_libdir}/openssl/engines \
shared mingw64
# Regenerate def files as we disabled some algorithms above
perl util/mkdef.pl crypto ssl update
make depend
make all build-shared
# Generate hashes for the included certs.
make rehash build-shared
popd
# Clean up the .pc files
for i in build_win{32,64}/libcrypto.pc build_win{32,64}/libssl.pc build_win{32,64}/openssl.pc ; do
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done
%if %{run_tests}
%check
#----------------------------------------------------------------------
# Run some tests.
# We must revert patch33 before tests otherwise they will fail
patch -p1 -R < %{PATCH33}
# This is a bit of a hack, but the test scripts look for 'openssl'
# by name.
pushd build_win32/apps
ln -s openssl.exe openssl
popd
# This is useful for diagnosing Wine problems.
WINEDEBUG=+loaddll
export WINEDEBUG
# Make sure we can find the installed DLLs.
WINEDLLPATH=%{mingw32_bindir}
export WINEDLLPATH
# The tests run Wine and require an X server (but don't really use
# it). Therefore we create a virtual framebuffer for the duration of
# the tests.
# XXX There is no good way to choose a random, unused display.
# XXX Setting depth to 24 bits avoids bug 458219.
unset DISPLAY
display=:21
Xvfb $display -screen 0 1024x768x24 -ac -noreset & xpid=$!
trap "kill -TERM $xpid ||:" EXIT
sleep 3
DISPLAY=$display
export DISPLAY
make LDCMD=%{mingw32_cc} -C build_win32/test apps tests
# Disable this thread test, because we don't have pthread on Windows.
%{mingw32_cc} -o openssl-thread-test \
-I./build_win32/include \
%-{_mingw32_cflags} \
%-{SOURCE8} \
-L./build_win32 \
-lssl -lcrypto \
-lpthread -lz -ldl
## `krb5-config --cflags`
## `krb5-config --libs`
#
./openssl-thread-test --threads %{thread_test_threads}
#----------------------------------------------------------------------
%endif
# Add generation of HMAC checksum of the final stripped library
##define __spec_install_post \
# #{?__debug_package:#{__debug_install_post}} \
# #{__arch_install_post} \
# #{__os_install_post} \
# fips/fips_standalone_sha1 $RPM_BUILD_ROOT/#{_lib}/libcrypto.so.#{version} >$RPM_BUILD_ROOT/#{_lib}/.libcrypto.so.#{version}.hmac \
# ln -sf .libcrypto.so.#{version}.hmac $RPM_BUILD_ROOT/#{_lib}/.libcrypto.so.#{soversion}.hmac \
##{nil}
%install
mkdir -p $RPM_BUILD_ROOT%{mingw32_libdir}/openssl
mkdir -p $RPM_BUILD_ROOT%{mingw32_bindir}
mkdir -p $RPM_BUILD_ROOT%{mingw32_includedir}
mkdir -p $RPM_BUILD_ROOT%{mingw32_mandir}
mkdir -p $RPM_BUILD_ROOT%{mingw64_libdir}/openssl
mkdir -p $RPM_BUILD_ROOT%{mingw64_bindir}
mkdir -p $RPM_BUILD_ROOT%{mingw64_includedir}
mkdir -p $RPM_BUILD_ROOT%{mingw64_mandir}
%mingw_make_install INSTALL_PREFIX=$RPM_BUILD_ROOT build-shared
# Install the file applink.c (#499934)
install -m644 build_win32/ms/applink.c $RPM_BUILD_ROOT%{mingw32_includedir}/openssl/applink.c
install -m644 build_win64/ms/applink.c $RPM_BUILD_ROOT%{mingw64_includedir}/openssl/applink.c
# I have no idea why it installs the manpages in /etc, but
# we remove them anyway.
rm -r $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/man
rm -r $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/man
# Set permissions on lib*.dll.a so that strip works.
chmod 0755 $RPM_BUILD_ROOT%{mingw32_libdir}/libcrypto.dll.a
chmod 0755 $RPM_BUILD_ROOT%{mingw32_libdir}/libssl.dll.a
chmod 0755 $RPM_BUILD_ROOT%{mingw64_libdir}/libcrypto.dll.a
chmod 0755 $RPM_BUILD_ROOT%{mingw64_libdir}/libssl.dll.a
# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/certs/Makefile
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/certs/renew-dummy-cert
mkdir -p $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/certs/Makefile
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/certs/make-dummy-cert
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/certs/renew-dummy-cert
# Pick a CA script.
pushd $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/misc
mv CA.sh CA
popd
pushd $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/misc
mv CA.sh CA
popd
mkdir -m700 $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/CA/private
mkdir -m700 $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/CA/private
# Exclude debug files from the main files (note: the debug files are only created after %%install, so we can't search for them directly)
find %{buildroot}%{mingw32_prefix} | grep -E '.(exe|dll|pyd)$' | sed 's|^%{buildroot}\(.*\)$|%%exclude \1.debug|' > mingw32-openssl.debugfiles
find %{buildroot}%{mingw64_prefix} | grep -E '.(exe|dll|pyd)$' | sed 's|^%{buildroot}\(.*\)$|%%exclude \1.debug|' > mingw64-openssl.debugfiles
# Win32
%files -n mingw32-openssl -f mingw32-openssl.debugfiles
%doc build_win32/LICENSE
%{mingw32_bindir}/openssl.exe
%{mingw32_bindir}/c_rehash
%{mingw32_bindir}/libcrypto-%{soversion}.dll
%{mingw32_bindir}/libssl-%{soversion}.dll
%{mingw32_libdir}/libcrypto.dll.a
%{mingw32_libdir}/libssl.dll.a
%{mingw32_libdir}/engines
%{mingw32_libdir}/pkgconfig/*.pc
%{mingw32_includedir}/openssl
%config(noreplace) %{mingw32_sysconfdir}/pki
%files -n mingw32-openssl-static
%{mingw32_libdir}/libcrypto.a
%{mingw32_libdir}/libssl.a
# Win64
%files -n mingw64-openssl -f mingw64-openssl.debugfiles
%doc build_win64/LICENSE
%{mingw64_bindir}/openssl.exe
%{mingw64_bindir}/c_rehash
%{mingw64_bindir}/libcrypto-%{soversion}.dll
%{mingw64_bindir}/libssl-%{soversion}.dll
%{mingw64_libdir}/libcrypto.dll.a
%{mingw64_libdir}/libssl.dll.a
%{mingw64_libdir}/engines
%{mingw64_libdir}/pkgconfig/*.pc
%{mingw64_includedir}/openssl
%config(noreplace) %{mingw64_sysconfdir}/pki
%files -n mingw64-openssl-static
%{mingw64_libdir}/libcrypto.a
%{mingw64_libdir}/libssl.a
%changelog
* Mon Aug 19 2019 Victor Toso <victortoso@redhat.com> - 1.0.2k-2
- Remove not applied patchs from the source list
Related: rhbz#1704077
* Fri Aug 24 2018 Christophe Fergeau <cfergeau@redhat.com> - 1.0.2k-1
- Sync with rhel 7.6 OpenSSL 1.0.2k+patches in order to get the latest security
fixes
- Related: rhbz#1615874
* Tue Aug 14 2018 Victor Toso <victortoso@redhat.com> - 1.0.2h-7
- ExclusiveArch: i686, x86_64
- Related: rhbz#1615874
* Thu May 31 2018 Richard W.M. Jones <rjones@redhat.com> - 1.0.2h-6
- Remove mktemp build dependency, part of coreutils.
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2h-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Sep 09 2017 Sandro Mani <manisandro@gmail.com> - 1.0.2h-4
- Exclude *.debug files from non-debug packages
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2h-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2h-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Sat May 7 2016 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.2h-1
- Synced with native openssl-1.0.2h-1
- Fixes RHBZ #1332591 #1332589 #1330104 #1312861 #1312857 #1307773 #1302768
* Sat Feb 6 2016 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.2f-1
- Synced with native openssl-1.0.2f-2
- Fixes RHBZ #1239685 #1290334 #1302768
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2a-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.2a-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Apr 24 2015 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.2a-1
- Synced with native openssl-1.0.2a-1.fc23
- Fixes various CVE's (RHBZ #1203855 #1203856)
* Mon Dec 22 2014 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1j-1
- Synced with native openssl-1.0.1j-3.fc22
- Add support for RFC 5649
- Prevent compiler warning "Please include winsock2.h before windows.h"
when using the OpenSSL headers
- Fixes various CVE's (RHBZ #1127889 #1127709 #1152851)
* Thu Aug 21 2014 Marc-André Lureau <marcandre.lureau@redhat.com> - 1.0.1i-1
- Synced with native openssl-1.0.1i-3.fc21
- Fixes various flaws (RHBZ#1096234 and RHBZ#1127705)
CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3511
CVE-2014-3510 CVE-2014-3508 CVE-2014-3509 CVE-2014-0221
CVE-2014-0198 CVE-2014-0224 CVE-2014-0195 CVE-2010-5298
CVE-2014-3470
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1e-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Wed Apr 9 2014 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1e-6
- Synced patches with native openssl-1.0.1e-44.fc21
- Fixes CVE-2014-0160 (RHBZ #1085066)
* Sat Jan 25 2014 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1e-5
- Synced patches with native openssl-1.0.1e-38.fc21
- Enable ECC support (RHBZ #1037919)
- Fixes CVE-2013-6450 (RHBZ #1047844)
- Fixes CVE-2013-4353 (RHBZ #1049062)
- Fixes CVE-2013-6449 (RHBZ #1045444)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1e-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 10 2013 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1e-3
- Rebuild to resolve InterlockedCompareExchange regression in mingw32 libraries
* Fri May 10 2013 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1e-2
- Fix build of manual pages with current pod2man (#959439)
* Sun Mar 24 2013 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1e-1
- Update to 1.0.1e (RHBZ #920868)
- Synced patches with native openssl-1.0.1e-4.fc19
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1c-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Fri Jan 11 2013 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1c-2
- Fix FTBFS against latest pod2man
* Fri Nov 9 2012 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1c-1
- Update to 1.0.1c
- Synced patches with native openssl-1.0.1c-7.fc19
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0d-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Sat Mar 10 2012 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.0d-6
- Added win64 support
* Wed Mar 07 2012 Kalev Lember <kalevlember@gmail.com> - 1.0.0d-5
- Pass the path to perl interpreter to Configure
* Tue Mar 06 2012 Kalev Lember <kalevlember@gmail.com> - 1.0.0d-4
- Renamed the source package to mingw-openssl (#800443)
- Modernize the spec file
- Use mingw macros without leading underscore
* Mon Feb 27 2012 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.0d-3
- Rebuild against the mingw-w64 toolchain
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0d-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Sat Apr 23 2011 Kalev Lember <kalev@smartlink.ee> - 1.0.0d-1
- Update to 1.0.0d
- Synced patches with Fedora native openssl-1.0.0d-2
* Fri Mar 04 2011 Kai Tietz <ktietz@redhat.com>
- Fixes for CVE-2011-0014 openssl: OCSP stapling vulnerability
* Thu Mar 3 2011 Kai Tietz <ktietz@redhat.com> - 1.0.0a-3
- Bump and rebuild.
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0a-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Sat Jun 19 2010 Kalev Lember <kalev@smartlink.ee> - 1.0.0a-1
- Updated to openssl 1.0.0a
- Synced patches with Fedora native openssl-1.0.0a-1
- Use sed to fix up cflags instead of unmaintainable patch
- Rebased mingw32 specific patches
- Disabled capieng to fix build
- Properly regenerate def files with mkdef.pl and drop linker-fix.patch
* Thu Nov 26 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.6.beta4
- Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4)
- Dropped the patch to fix non-fips mingw build,
as it's now merged into fips patch from native openssl
* Sun Nov 22 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.5.beta4
- Updated to version 1.0.0 beta 4
- Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4)
- Added patch to fix build with fips disabled
* Fri Sep 18 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.4.beta3
- Rebuilt to fix debuginfo
* Sun Aug 30 2009 Kalev Lember <kalev@smartlink.ee> - 1.0.0-0.3.beta3
- Simplified the lib renaming patch
* Sun Aug 30 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.0-0.2.beta3
- Fixed invalid RPM Provides
* Fri Aug 28 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.0-0.1.beta3
- Update to version 1.0.0 beta 3
- Use %%global instead of %%define
- Automatically generate debuginfo subpackage
- Merged various changes from the native Fedora package (up to 1.0.0-0.5.beta3)
- Don't use the %%{_mingw32_make} macro anymore as it's ugly and causes side-effects
- Added missing BuildRequires mingw32-dlfcn (Kalev Lember)
- Reworked patches to rename *eay32.dll to lib*.dll (Kalev Lember)
- Patch Configure script to use %%{_mingw32_cflags} (Kalev Lember)
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.8j-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Sat May 9 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 0.9.8j-6
- Add the file include/openssl/applink.c to the package (BZ #499934)
* Tue Apr 14 2009 Erik van Pienbroek <epienbro@fedoraproject.org> - 0.9.8j-5
- Fixed %%defattr line
- Added -static subpackage
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.8j-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Fri Feb 20 2009 Richard W.M. Jones <rjones@redhat.com> - 0.9.8j-3
- Rebuild for mingw32-gcc 4.4
* Mon Feb 2 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-2
- Various build fixes.
* Wed Jan 28 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-1
- update to new upstream version.
* Mon Dec 29 2008 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8g-2
- minor cleanup.
* Tue Sep 30 2008 Richard W.M. Jones <rjones@redhat.com> - 0.9.8g-1
- Initial RPM release.
Loading…
Cancel
Save