commit
fb1a323c80
@ -0,0 +1,55 @@
|
|||||||
|
.build*.log
|
||||||
|
clog
|
||||||
|
000*.patch
|
||||||
|
*.src.rpm
|
||||||
|
openssl-1.0.0a-usa.tar.bz2
|
||||||
|
/openssl-1.0.0b-usa.tar.bz2
|
||||||
|
/openssl-1.0.0c-usa.tar.bz2
|
||||||
|
/openssl-1.0.0d-usa.tar.bz2
|
||||||
|
/openssl-1.0.0e-usa.tar.bz2
|
||||||
|
/openssl-1.0.0f-usa.tar.bz2
|
||||||
|
/openssl-1.0.0g-usa.tar.xz
|
||||||
|
/openssl-1.0.1-beta2-usa.tar.xz
|
||||||
|
/openssl-1.0.1-beta3-usa.tar.xz
|
||||||
|
/openssl-1.0.1-usa.tar.xz
|
||||||
|
/openssl-1.0.1a-usa.tar.xz
|
||||||
|
/openssl-1.0.1b-usa.tar.xz
|
||||||
|
/openssl-1.0.1c-usa.tar.xz
|
||||||
|
/openssl-1.0.1e-usa.tar.xz
|
||||||
|
/openssl-1.0.1e-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1g-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1h-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1i-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1j-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1k-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2a-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2c-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2d-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2e-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2f-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2g-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2h-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2i-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2j-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0b-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0c-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0d-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0e-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0f-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0g-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0h-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1-pre8-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1-pre9-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1a-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1b-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1c-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1d-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1e-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1f-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1g-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1h-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1i-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1j-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1k-hobbled.tar.xz
|
||||||
|
/openssl-3.0.0-hobbled.tar.xz
|
@ -0,0 +1,33 @@
|
|||||||
|
From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 09:01:41 +0200
|
||||||
|
Subject: Aarch64 and ppc64le use lib64
|
||||||
|
|
||||||
|
(Was openssl-1.1.1-build.patch)
|
||||||
|
---
|
||||||
|
Configurations/10-main.conf | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
|
||||||
|
index d7580bf3e1..a7dbfd7f40 100644
|
||||||
|
--- a/Configurations/10-main.conf
|
||||||
|
+++ b/Configurations/10-main.conf
|
||||||
|
@@ -723,6 +723,7 @@ my %targets = (
|
||||||
|
lib_cppflags => add("-DL_ENDIAN"),
|
||||||
|
asm_arch => 'ppc64',
|
||||||
|
perlasm_scheme => "linux64le",
|
||||||
|
+ multilib => "64",
|
||||||
|
},
|
||||||
|
|
||||||
|
"linux-armv4" => {
|
||||||
|
@@ -765,6 +766,7 @@ my %targets = (
|
||||||
|
inherit_from => [ "linux-generic64" ],
|
||||||
|
asm_arch => 'aarch64',
|
||||||
|
perlasm_scheme => "linux64",
|
||||||
|
+ multilib => "64",
|
||||||
|
},
|
||||||
|
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||||
|
inherit_from => [ "linux-generic32" ],
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,68 @@
|
|||||||
|
From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 09:03:40 +0200
|
||||||
|
Subject: Use more general default values in openssl.cnf
|
||||||
|
|
||||||
|
Also set sha256 as default hash, although that should not be
|
||||||
|
necessary anymore.
|
||||||
|
|
||||||
|
(was openssl-1.1.1-defaults.patch)
|
||||||
|
---
|
||||||
|
apps/openssl.cnf | 12 +++++++-----
|
||||||
|
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
||||||
|
index 97567a67be..eb25a0ac48 100644
|
||||||
|
--- a/apps/openssl.cnf
|
||||||
|
+++ b/apps/openssl.cnf
|
||||||
|
@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options
|
||||||
|
|
||||||
|
default_days = 365 # how long to certify for
|
||||||
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
-default_md = default # use public key default MD
|
||||||
|
+default_md = sha256 # use SHA-256 by default
|
||||||
|
preserve = no # keep passed DN ordering
|
||||||
|
|
||||||
|
# A few difference way of specifying how similar the request should look
|
||||||
|
@@ -136,6 +136,7 @@ emailAddress = optional
|
||||||
|
####################################################################
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048
|
||||||
|
+default_md = sha256
|
||||||
|
default_keyfile = privkey.pem
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
attributes = req_attributes
|
||||||
|
@@ -158,17 +159,18 @@ string_mask = utf8only
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
countryName = Country Name (2 letter code)
|
||||||
|
-countryName_default = AU
|
||||||
|
+countryName_default = XX
|
||||||
|
countryName_min = 2
|
||||||
|
countryName_max = 2
|
||||||
|
|
||||||
|
stateOrProvinceName = State or Province Name (full name)
|
||||||
|
-stateOrProvinceName_default = Some-State
|
||||||
|
+#stateOrProvinceName_default = Default Province
|
||||||
|
|
||||||
|
localityName = Locality Name (eg, city)
|
||||||
|
+localityName_default = Default City
|
||||||
|
|
||||||
|
0.organizationName = Organization Name (eg, company)
|
||||||
|
-0.organizationName_default = Internet Widgits Pty Ltd
|
||||||
|
+0.organizationName_default = Default Company Ltd
|
||||||
|
|
||||||
|
# we can do this but it is not needed normally :-)
|
||||||
|
#1.organizationName = Second Organization Name (eg, company)
|
||||||
|
@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city)
|
||||||
|
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||||
|
#organizationalUnitName_default =
|
||||||
|
|
||||||
|
-commonName = Common Name (e.g. server FQDN or YOUR name)
|
||||||
|
+commonName = Common Name (eg, your name or your server\'s hostname)
|
||||||
|
commonName_max = 64
|
||||||
|
|
||||||
|
emailAddress = Email Address
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,26 @@
|
|||||||
|
From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 09:05:55 +0200
|
||||||
|
Subject: Do not install html docs
|
||||||
|
|
||||||
|
(was openssl-1.1.1-no-html.patch)
|
||||||
|
---
|
||||||
|
Configurations/unix-Makefile.tmpl | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||||
|
index 342e46d24d..9f369edf0e 100644
|
||||||
|
--- a/Configurations/unix-Makefile.tmpl
|
||||||
|
+++ b/Configurations/unix-Makefile.tmpl
|
||||||
|
@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime
|
||||||
|
|
||||||
|
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
|
||||||
|
|
||||||
|
-install_docs: install_man_docs install_html_docs
|
||||||
|
+install_docs: install_man_docs
|
||||||
|
|
||||||
|
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||||
|
$(RM) -r $(DESTDIR)$(DOCDIR)
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,73 @@
|
|||||||
|
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 09:17:26 +0200
|
||||||
|
Subject: Override default paths for the CA directory tree
|
||||||
|
|
||||||
|
Also add default section to load crypto-policies configuration
|
||||||
|
for TLS.
|
||||||
|
|
||||||
|
It needs to be reverted before running tests.
|
||||||
|
|
||||||
|
(was openssl-1.1.1-conf-paths.patch)
|
||||||
|
---
|
||||||
|
apps/CA.pl.in | 2 +-
|
||||||
|
apps/openssl.cnf | 20 ++++++++++++++++++--
|
||||||
|
2 files changed, 19 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
|
||||||
|
index c0afb96716..d6a5fabd16 100644
|
||||||
|
--- a/apps/CA.pl.in
|
||||||
|
+++ b/apps/CA.pl.in
|
||||||
|
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
|
||||||
|
my $PKCS12 = "$openssl pkcs12";
|
||||||
|
|
||||||
|
# Default values for various configuration settings.
|
||||||
|
-my $CATOP = "./demoCA";
|
||||||
|
+my $CATOP = "/etc/pki/CA";
|
||||||
|
my $CAKEY = "cakey.pem";
|
||||||
|
my $CAREQ = "careq.pem";
|
||||||
|
my $CACERT = "cacert.pem";
|
||||||
|
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
|
||||||
|
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
|
||||||
|
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
|
||||||
|
@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||||
|
|
||||||
|
[openssl_init]
|
||||||
|
providers = provider_sect
|
||||||
|
+# Load default TLS policy configuration
|
||||||
|
+ssl_conf = ssl_module
|
||||||
|
|
||||||
|
# List of providers to load
|
||||||
|
[provider_sect]
|
||||||
|
@@ -64,6 +66,13 @@ default = default_sect
|
||||||
|
[default_sect]
|
||||||
|
# activate = 1
|
||||||
|
|
||||||
|
+[ ssl_module ]
|
||||||
|
+
|
||||||
|
+system_default = crypto_policy
|
||||||
|
+
|
||||||
|
+[ crypto_policy ]
|
||||||
|
+
|
||||||
|
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
[ ca ]
|
||||||
|
@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
|
||||||
|
####################################################################
|
||||||
|
[ CA_default ]
|
||||||
|
|
||||||
|
-dir = ./demoCA # Where everything is kept
|
||||||
|
+dir = /etc/pki/CA # Where everything is kept
|
||||||
|
certs = $dir/certs # Where the issued certs are kept
|
||||||
|
crl_dir = $dir/crl # Where the issued crl are kept
|
||||||
|
database = $dir/index.txt # database index file.
|
||||||
|
@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
|
||||||
|
[ tsa_config1 ]
|
||||||
|
|
||||||
|
# These are used by the TSA reply generation only.
|
||||||
|
-dir = ./demoCA # TSA root directory
|
||||||
|
+dir = /etc/pki/CA # TSA root directory
|
||||||
|
serial = $dir/tsaserial # The current serial number (mandatory)
|
||||||
|
crypto_device = builtin # OpenSSL engine to use for signing
|
||||||
|
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
@ -0,0 +1,28 @@
|
|||||||
|
From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 09:27:18 +0200
|
||||||
|
Subject: apps/ca: fix md option help text
|
||||||
|
|
||||||
|
upstreamable
|
||||||
|
|
||||||
|
(was openssl-1.1.1-apps-dgst.patch)
|
||||||
|
---
|
||||||
|
apps/ca.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/apps/ca.c b/apps/ca.c
|
||||||
|
index 0f21b4fa1c..3d4b2c1673 100755
|
||||||
|
--- a/apps/ca.c
|
||||||
|
+++ b/apps/ca.c
|
||||||
|
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
|
||||||
|
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
|
||||||
|
|
||||||
|
OPT_SECTION("Signing"),
|
||||||
|
- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
|
||||||
|
+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
|
||||||
|
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
|
||||||
|
{"keyform", OPT_KEYFORM, 'f',
|
||||||
|
"Private key file format (ENGINE, other values ignored)"},
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,29 @@
|
|||||||
|
From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 09:51:34 +0200
|
||||||
|
Subject: Disable signature verification with totally unsafe hash algorithms
|
||||||
|
|
||||||
|
(was openssl-1.1.1-no-weak-verify.patch)
|
||||||
|
---
|
||||||
|
crypto/asn1/a_verify.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
|
||||||
|
index b7eed914b0..af62f0ef08 100644
|
||||||
|
--- a/crypto/asn1/a_verify.c
|
||||||
|
+++ b/crypto/asn1/a_verify.c
|
||||||
|
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
|
||||||
|
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
|
||||||
|
if (ret <= 1)
|
||||||
|
goto err;
|
||||||
|
+ } else if ((mdnid == NID_md5
|
||||||
|
+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
|
||||||
|
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
|
||||||
|
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||||
|
+ goto err;
|
||||||
|
} else {
|
||||||
|
const EVP_MD *type = NULL;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,331 @@
|
|||||||
|
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 10:16:46 +0200
|
||||||
|
Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
||||||
|
|
||||||
|
(was openssl-1.1.1-system-cipherlist.patch)
|
||||||
|
---
|
||||||
|
Configurations/unix-Makefile.tmpl | 5 ++
|
||||||
|
Configure | 10 +++-
|
||||||
|
doc/man1/openssl-ciphers.pod.in | 9 ++++
|
||||||
|
include/openssl/ssl.h.in | 5 ++
|
||||||
|
ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++----
|
||||||
|
ssl/ssl_lib.c | 4 +-
|
||||||
|
test/cipherlist_test.c | 2 +
|
||||||
|
util/libcrypto.num | 1 +
|
||||||
|
8 files changed, 110 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||||
|
index 9f369edf0e..c52389f831 100644
|
||||||
|
--- a/Configurations/unix-Makefile.tmpl
|
||||||
|
+++ b/Configurations/unix-Makefile.tmpl
|
||||||
|
@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||||
|
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||||
|
HTMLDIR=$(DOCDIR)/html
|
||||||
|
|
||||||
|
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
|
||||||
|
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
|
||||||
|
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
|
||||||
|
+
|
||||||
|
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||||
|
# appended after the manpage file section number. "ssl" is popular,
|
||||||
|
# resulting in files such as config.5ssl rather than config.5.
|
||||||
|
@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||||
|
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||||
|
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||||
|
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||||
|
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
|
||||||
|
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||||
|
@{$config{CPPFLAGS}}) -}
|
||||||
|
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||||
|
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
|
||||||
|
index b4ed3e51d5..2122e6bdfd 100644
|
||||||
|
--- a/doc/man1/openssl-ciphers.pod.in
|
||||||
|
+++ b/doc/man1/openssl-ciphers.pod.in
|
||||||
|
@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
|
||||||
|
|
||||||
|
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||||
|
|
||||||
|
+=item B<PROFILE=SYSTEM>
|
||||||
|
+
|
||||||
|
+The list of enabled cipher suites will be loaded from the system crypto policy
|
||||||
|
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
|
||||||
|
+See also L<update-crypto-policies(8)>.
|
||||||
|
+This is the default behavior unless an application explicitly sets a cipher
|
||||||
|
+list. If used in a cipher list configuration value this string must be at the
|
||||||
|
+beginning of the cipher list, otherwise it will not be recognized.
|
||||||
|
+
|
||||||
|
=item B<HIGH>
|
||||||
|
|
||||||
|
"High" encryption cipher suites. This currently means those with key lengths
|
||||||
|
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||||||
|
index f9a61609e4..c6f95fed3f 100644
|
||||||
|
--- a/include/openssl/ssl.h.in
|
||||||
|
+++ b/include/openssl/ssl.h.in
|
||||||
|
@@ -209,6 +209,11 @@ extern "C" {
|
||||||
|
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||||
|
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||||
|
*/
|
||||||
|
+# ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
||||||
|
+# else
|
||||||
|
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
|
||||||
|
+# endif
|
||||||
|
|
||||||
|
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||||
|
# define SSL_SENT_SHUTDOWN 1
|
||||||
|
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||||
|
index b1d3f7919e..f7cc7fed48 100644
|
||||||
|
--- a/ssl/ssl_ciph.c
|
||||||
|
+++ b/ssl/ssl_ciph.c
|
||||||
|
@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+static char *load_system_str(const char *suffix)
|
||||||
|
+{
|
||||||
|
+ FILE *fp;
|
||||||
|
+ char buf[1024];
|
||||||
|
+ char *new_rules;
|
||||||
|
+ const char *ciphers_path;
|
||||||
|
+ unsigned len, slen;
|
||||||
|
+
|
||||||
|
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
||||||
|
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
||||||
|
+ fp = fopen(ciphers_path, "r");
|
||||||
|
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
||||||
|
+ /* cannot open or file is empty */
|
||||||
|
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fp)
|
||||||
|
+ fclose(fp);
|
||||||
|
+
|
||||||
|
+ slen = strlen(suffix);
|
||||||
|
+ len = strlen(buf);
|
||||||
|
+
|
||||||
|
+ if (buf[len - 1] == '\n') {
|
||||||
|
+ len--;
|
||||||
|
+ buf[len] = 0;
|
||||||
|
+ }
|
||||||
|
+ if (buf[len - 1] == '\r') {
|
||||||
|
+ len--;
|
||||||
|
+ buf[len] = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
||||||
|
+ if (new_rules == 0)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ memcpy(new_rules, buf, len);
|
||||||
|
+ if (slen > 0) {
|
||||||
|
+ memcpy(&new_rules[len], suffix, slen);
|
||||||
|
+ len += slen;
|
||||||
|
+ }
|
||||||
|
+ new_rules[len] = 0;
|
||||||
|
+
|
||||||
|
+ return new_rules;
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||||
|
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||||
|
@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||||
|
const SSL_CIPHER **ca_list = NULL;
|
||||||
|
const SSL_METHOD *ssl_method = ctx->method;
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+ char *new_rules = NULL;
|
||||||
|
+
|
||||||
|
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
|
||||||
|
+ char *p = rule_str + 14;
|
||||||
|
+
|
||||||
|
+ new_rules = load_system_str(p);
|
||||||
|
+ rule_str = new_rules;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return with error if nothing to do.
|
||||||
|
*/
|
||||||
|
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
|
||||||
|
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* To reduce the work to do we only want to process the compiled
|
||||||
|
@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||||
|
if (co_list == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||||
|
- return NULL; /* Failure */
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||||
|
@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
* in force within each class
|
||||||
|
*/
|
||||||
|
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||||
|
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||||
|
if (ca_list == NULL) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||||
|
- return NULL; /* Failure */
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||||
|
disabled_mkey, disabled_auth, disabled_enc,
|
||||||
|
@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||||
|
|
||||||
|
if (!ok) { /* Rule processing failure */
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
* if we cannot get one.
|
||||||
|
*/
|
||||||
|
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+ OPENSSL_free(new_rules); /* Not needed anymore */
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||||
|
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||||
|
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||||
|
@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
|
||||||
|
if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
|
||||||
|
sk_SSL_CIPHER_free(cipherstack);
|
||||||
|
+ OPENSSL_free(co_list);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
*cipher_list = cipherstack;
|
||||||
|
|
||||||
|
return cipherstack;
|
||||||
|
+
|
||||||
|
+err:
|
||||||
|
+ OPENSSL_free(co_list);
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+ OPENSSL_free(new_rules);
|
||||||
|
+#endif
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
|
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||||
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||||
|
index d14d5819ba..48d491219a 100644
|
||||||
|
--- a/ssl/ssl_lib.c
|
||||||
|
+++ b/ssl/ssl_lib.c
|
||||||
|
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
|
||||||
|
ctx->tls13_ciphersuites,
|
||||||
|
&(ctx->cipher_list),
|
||||||
|
&(ctx->cipher_list_by_id),
|
||||||
|
- OSSL_default_cipher_list(), ctx->cert);
|
||||||
|
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||||
|
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||||
|
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||||
|
return 0;
|
||||||
|
@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
||||||
|
if (!ssl_create_cipher_list(ret,
|
||||||
|
ret->tls13_ciphersuites,
|
||||||
|
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||||
|
- OSSL_default_cipher_list(), ret->cert)
|
||||||
|
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||||
|
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||||
|
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||||
|
goto err2;
|
||||||
|
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
|
||||||
|
index 380f0727fc..6922a87c30 100644
|
||||||
|
--- a/test/cipherlist_test.c
|
||||||
|
+++ b/test/cipherlist_test.c
|
||||||
|
@@ -244,7 +244,9 @@ end:
|
||||||
|
|
||||||
|
int setup_tests(void)
|
||||||
|
{
|
||||||
|
+#ifndef SYSTEM_CIPHERS_FILE
|
||||||
|
ADD_TEST(test_default_cipherlist_implicit);
|
||||||
|
+#endif
|
||||||
|
ADD_TEST(test_default_cipherlist_explicit);
|
||||||
|
ADD_TEST(test_default_cipherlist_clear);
|
||||||
|
return 1;
|
||||||
|
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||||
|
index 404a706fab..e81fa9ec3e 100644
|
||||||
|
--- a/util/libcrypto.num
|
||||||
|
+++ b/util/libcrypto.num
|
||||||
|
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION:
|
||||||
|
ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
||||||
|
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
|
||||||
|
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||||
|
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
||||||
|
diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure
|
||||||
|
--- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200
|
||||||
|
+++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200
|
||||||
|
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||||
|
my $orig_death_handler = $SIG{__DIE__};
|
||||||
|
$SIG{__DIE__} = \&death_handler;
|
||||||
|
|
||||||
|
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||||
|
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||||
|
|
||||||
|
my $banner = <<"EOF";
|
||||||
|
|
||||||
|
@@ -61,6 +61,10 @@ EOF
|
||||||
|
# given with --prefix.
|
||||||
|
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||||
|
# (Default: PREFIX/ssl)
|
||||||
|
+#
|
||||||
|
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||||
|
+# cipher is specified (default).
|
||||||
|
+#
|
||||||
|
# --banner=".." Output specified text instead of default completion banner
|
||||||
|
#
|
||||||
|
# -w Don't wait after showing a Configure warning
|
||||||
|
@@ -385,6 +389,7 @@ $config{prefix}="";
|
||||||
|
$config{openssldir}="";
|
||||||
|
$config{processor}="";
|
||||||
|
$config{libdir}="";
|
||||||
|
+$config{system_ciphers_file}="";
|
||||||
|
my $auto_threads=1; # enable threads automatically? true by default
|
||||||
|
my $default_ranlib;
|
||||||
|
|
||||||
|
@@ -987,6 +992,10 @@ while (@argvcopy)
|
||||||
|
die "FIPS key too long (64 bytes max)\n"
|
||||||
|
if length $1 > 64;
|
||||||
|
}
|
||||||
|
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||||
|
+ {
|
||||||
|
+ $config{system_ciphers_file}=$1;
|
||||||
|
+ }
|
||||||
|
elsif (/^--banner=(.*)$/)
|
||||||
|
{
|
||||||
|
$banner = $1 . "\n";
|
@ -0,0 +1,87 @@
|
|||||||
|
From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 26 Nov 2020 14:00:16 +0100
|
||||||
|
Subject: Add FIPS_mode() compatibility macro
|
||||||
|
|
||||||
|
The macro calls EVP_default_properties_is_fips_enabled() on the
|
||||||
|
default context.
|
||||||
|
---
|
||||||
|
include/openssl/crypto.h.in | 1 +
|
||||||
|
include/openssl/fips.h | 25 +++++++++++++++++++++++++
|
||||||
|
test/property_test.c | 13 +++++++++++++
|
||||||
|
3 files changed, 39 insertions(+)
|
||||||
|
create mode 100644 include/openssl/fips.h
|
||||||
|
|
||||||
|
diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
|
||||||
|
index 1036da9a2b..9d4896fcaf 100644
|
||||||
|
--- a/include/openssl/crypto.h.in
|
||||||
|
+++ b/include/openssl/crypto.h.in
|
||||||
|
@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack_macros);
|
||||||
|
# include <openssl/opensslconf.h>
|
||||||
|
# include <openssl/cryptoerr.h>
|
||||||
|
# include <openssl/core.h>
|
||||||
|
+# include <openssl/fips.h>
|
||||||
|
|
||||||
|
# ifdef CHARSET_EBCDIC
|
||||||
|
# include <openssl/ebcdic.h>
|
||||||
|
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..c64f0f8e8f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/include/openssl/fips.h
|
||||||
|
@@ -0,0 +1,25 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+ *
|
||||||
|
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||||
|
+ * this file except in compliance with the License. You can obtain a copy
|
||||||
|
+ * in the file LICENSE in the source distribution or at
|
||||||
|
+ * https://www.openssl.org/source/license.html
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_FIPS_H
|
||||||
|
+# define OPENSSL_FIPS_H
|
||||||
|
+# pragma once
|
||||||
|
+
|
||||||
|
+# include <openssl/macros.h>
|
||||||
|
+
|
||||||
|
+# ifdef __cplusplus
|
||||||
|
+extern "C" {
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
|
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
||||||
|
+
|
||||||
|
+# ifdef __cplusplus
|
||||||
|
+}
|
||||||
|
+# endif
|
||||||
|
+#endif
|
||||||
|
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
|
||||||
|
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
|
||||||
|
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
|
||||||
|
@@ -488,6 +488,18 @@ static int test_property_list_to_string(
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int test_downstream_FIPS_mode(void)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+
|
||||||
|
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
|
||||||
|
+ && TEST_true(FIPS_mode())
|
||||||
|
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
|
||||||
|
+ && TEST_false(FIPS_mode());
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int setup_tests(void)
|
||||||
|
{
|
||||||
|
ADD_TEST(test_property_string);
|
||||||
|
@@ -500,6 +512,7 @@ int setup_tests(void)
|
||||||
|
ADD_TEST(test_property);
|
||||||
|
ADD_TEST(test_query_cache_stochastic);
|
||||||
|
ADD_TEST(test_fips_mode);
|
||||||
|
+ ADD_TEST(test_downstream_FIPS_mode);
|
||||||
|
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
||||||
|
return 1;
|
||||||
|
}
|
@ -0,0 +1,79 @@
|
|||||||
|
diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c
|
||||||
|
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
|
||||||
|
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
|
||||||
|
@@ -12,11 +12,54 @@
|
||||||
|
#include "internal/bio.h"
|
||||||
|
#include "internal/provider.h"
|
||||||
|
|
||||||
|
+#ifndef FIPS_MODULE
|
||||||
|
+# include <sys/types.h>
|
||||||
|
+# include <sys/stat.h>
|
||||||
|
+# include <fcntl.h>
|
||||||
|
+# include <unistd.h>
|
||||||
|
+# include <openssl/evp.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
struct ossl_lib_ctx_onfree_list_st {
|
||||||
|
ossl_lib_ctx_onfree_fn *fn;
|
||||||
|
struct ossl_lib_ctx_onfree_list_st *next;
|
||||||
|
};
|
||||||
|
|
||||||
|
+# ifndef FIPS_MODULE
|
||||||
|
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||||
|
+
|
||||||
|
+static int kernel_fips_flag;
|
||||||
|
+
|
||||||
|
+static void read_kernel_fips_flag(void)
|
||||||
|
+{
|
||||||
|
+ char buf[2] = "0";
|
||||||
|
+ int fd;
|
||||||
|
+
|
||||||
|
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||||
|
+ buf[0] = '1';
|
||||||
|
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||||
|
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||||
|
+ close(fd);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (buf[0] == '1') {
|
||||||
|
+ kernel_fips_flag = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int apply_kernel_fips_flag(OSSL_LIB_CTX *ctx)
|
||||||
|
+{
|
||||||
|
+ if (kernel_fips_flag) {
|
||||||
|
+ return EVP_default_properties_enable_fips(ctx, 1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
|
+
|
||||||
|
struct ossl_lib_ctx_st {
|
||||||
|
CRYPTO_RWLOCK *lock;
|
||||||
|
CRYPTO_EX_DATA data;
|
||||||
|
@@ -74,6 +117,12 @@ static int context_init(OSSL_LIB_CTX *ct
|
||||||
|
if (!ossl_property_parse_init(ctx))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
+# ifndef FIPS_MODULE
|
||||||
|
+ /* Preset the fips=yes default property with kernel FIPS mode */
|
||||||
|
+ if (!apply_kernel_fips_flag(ctx))
|
||||||
|
+ goto err;
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
|
return 1;
|
||||||
|
err:
|
||||||
|
if (exdata_done)
|
||||||
|
@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte
|
||||||
|
|
||||||
|
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
||||||
|
{
|
||||||
|
+ read_kernel_fips_flag();
|
||||||
|
return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
|
||||||
|
&& context_init(&default_context_int);
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,75 @@
|
|||||||
|
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
|
||||||
|
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
|
||||||
|
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
|
||||||
|
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
|
||||||
|
tsa_policy2 = 1.2.3.4.5.6
|
||||||
|
tsa_policy3 = 1.2.3.4.5.7
|
||||||
|
|
||||||
|
-# For FIPS
|
||||||
|
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
||||||
|
-# application. This file contains configuration data required by the OpenSSL
|
||||||
|
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
||||||
|
-# referenced from the [provider_sect] below.
|
||||||
|
-# Refer to the OpenSSL security policy for more information.
|
||||||
|
-# .include fipsmodule.cnf
|
||||||
|
-
|
||||||
|
[openssl_init]
|
||||||
|
providers = provider_sect
|
||||||
|
# Load default TLS policy configuration
|
||||||
|
ssl_conf = ssl_module
|
||||||
|
|
||||||
|
-# List of providers to load
|
||||||
|
-[provider_sect]
|
||||||
|
-default = default_sect
|
||||||
|
-# The fips section name should match the section name inside the
|
||||||
|
-# included fipsmodule.cnf.
|
||||||
|
-# fips = fips_sect
|
||||||
|
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
||||||
|
+# Loading the legacy provider enables support for the following algorithms:
|
||||||
|
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
||||||
|
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
||||||
|
+# Key Derivation Function (KDF): PBKDF1
|
||||||
|
+# In general it is not recommended to use the above mentioned algorithms for
|
||||||
|
+# security critical operations, as they are cryptographically weak or vulnerable
|
||||||
|
+# to side-channel attacks and as such have been deprecated.
|
||||||
|
|
||||||
|
-# If no providers are activated explicitly, the default one is activated implicitly.
|
||||||
|
-# See man 7 OSSL_PROVIDER-default for more details.
|
||||||
|
-#
|
||||||
|
-# If you add a section explicitly activating any other provider(s), you most
|
||||||
|
-# probably need to explicitly activate the default provider, otherwise it
|
||||||
|
-# becomes unavailable in openssl. As a consequence applications depending on
|
||||||
|
-# OpenSSL may not work correctly which could lead to significant system
|
||||||
|
-# problems including inability to remotely access the system.
|
||||||
|
-[default_sect]
|
||||||
|
-# activate = 1
|
||||||
|
+[provider_sect]
|
||||||
|
+##default = default_sect
|
||||||
|
+##legacy = legacy_sect
|
||||||
|
+##
|
||||||
|
+##[default_sect]
|
||||||
|
+##activate = 1
|
||||||
|
+##
|
||||||
|
+##[legacy_sect]
|
||||||
|
+##activate = 1
|
||||||
|
|
||||||
|
[ ssl_module ]
|
||||||
|
|
||||||
|
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
|
||||||
|
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
|
||||||
|
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
|
||||||
|
@@ -273,6 +273,14 @@ significant.
|
||||||
|
All parameters in the section as well as sub-sections are made
|
||||||
|
available to the provider.
|
||||||
|
|
||||||
|
+=head3 Loading the legacy provider
|
||||||
|
+
|
||||||
|
+Uncomment the sections that start with ## in openssl.cnf
|
||||||
|
+to enable the legacy provider.
|
||||||
|
+Note: In general it is not recommended to use the above mentioned algorithms for
|
||||||
|
+security critical operations, as they are cryptographically weak or vulnerable
|
||||||
|
+to side-channel attacks and as such have been deprecated.
|
||||||
|
+
|
||||||
|
=head3 Default provider and its activation
|
||||||
|
|
||||||
|
If no providers are activated explicitly, the default one is activated implicitly.
|
@ -0,0 +1,18 @@
|
|||||||
|
diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
|
||||||
|
index 173c99ce1732..7a4b780bb469 100644
|
||||||
|
--- a/providers/implementations/rands/seed_src.c
|
||||||
|
+++ b/providers/implementations/rands/seed_src.c
|
||||||
|
@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
|
||||||
|
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
- *pout = p;
|
||||||
|
if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
|
||||||
|
- adin, adin_len) != 0)
|
||||||
|
+ adin, adin_len) != 0) {
|
||||||
|
+ *pout = p;
|
||||||
|
return bytes_needed;
|
||||||
|
+ }
|
||||||
|
OPENSSL_secure_clear_free(p, bytes_needed);
|
||||||
|
return 0;
|
||||||
|
}
|
@ -0,0 +1,40 @@
|
|||||||
|
diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/recipes/90-test_sslapi.t
|
||||||
|
--- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit 2021-09-22 11:56:49.452507975 +0200
|
||||||
|
+++ openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-09-22 11:57:19.371764742 +0200
|
||||||
|
@@ -40,7 +40,7 @@ unless ($no_fips) {
|
||||||
|
srctop_file("test", "recipes", "90-test_sslapi_data",
|
||||||
|
"passwd.txt"), $tmpfilename, "fips",
|
||||||
|
srctop_file("test", "fips-and-base.cnf")])),
|
||||||
|
- "running sslapitest");
|
||||||
|
+ "running sslapitest - FIPS");
|
||||||
|
}
|
||||||
|
|
||||||
|
unlink $tmpfilename;
|
||||||
|
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||||
|
index e95d2657f46c..7af0eab3fce0 100644
|
||||||
|
--- a/test/sslapitest.c
|
||||||
|
+++ b/test/sslapitest.c
|
||||||
|
@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
||||||
|
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Create a session based on SHA-256 */
|
||||||
|
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||||
|
TLS_client_method(),
|
||||||
|
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
||||||
|
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Create a session based on SHA-256 */
|
||||||
|
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||||
|
TLS_client_method(),
|
@ -0,0 +1,12 @@
|
|||||||
|
diff -up openssl-3.0.0/apps/s_client.c.coverity openssl-3.0.0/apps/s_client.c
|
||||||
|
--- openssl-3.0.0/apps/s_client.c.coverity 2021-10-07 16:59:37.938432118 +0200
|
||||||
|
+++ openssl-3.0.0/apps/s_client.c 2021-10-07 17:00:52.994075755 +0200
|
||||||
|
@@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv)
|
||||||
|
#endif
|
||||||
|
OPENSSL_free(connectstr);
|
||||||
|
OPENSSL_free(bindstr);
|
||||||
|
+ OPENSSL_free(bindhost);
|
||||||
|
+ OPENSSL_free(bindport);
|
||||||
|
OPENSSL_free(host);
|
||||||
|
OPENSSL_free(port);
|
||||||
|
OPENSSL_free(thost);
|
@ -0,0 +1,82 @@
|
|||||||
|
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
||||||
|
DAYS=365
|
||||||
|
KEYLEN=2048
|
||||||
|
TYPE=rsa:$(KEYLEN)
|
||||||
|
EXTRA_FLAGS=
|
||||||
|
ifdef SERIAL
|
||||||
|
EXTRA_FLAGS+=-set_serial $(SERIAL)
|
||||||
|
endif
|
||||||
|
|
||||||
|
.PHONY: usage
|
||||||
|
.SUFFIXES: .key .csr .crt .pem
|
||||||
|
.PRECIOUS: %.key %.csr %.crt %.pem
|
||||||
|
|
||||||
|
usage:
|
||||||
|
@echo "This makefile allows you to create:"
|
||||||
|
@echo " o public/private key pairs"
|
||||||
|
@echo " o SSL certificate signing requests (CSRs)"
|
||||||
|
@echo " o self-signed SSL test certificates"
|
||||||
|
@echo
|
||||||
|
@echo "To create a key pair, run \"make SOMETHING.key\"."
|
||||||
|
@echo "To create a CSR, run \"make SOMETHING.csr\"."
|
||||||
|
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
|
||||||
|
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
|
||||||
|
@echo
|
||||||
|
@echo "To create a key for use with Apache, run \"make genkey\"."
|
||||||
|
@echo "To create a CSR for use with Apache, run \"make certreq\"."
|
||||||
|
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
||||||
|
@echo
|
||||||
|
@echo "To create a test certificate with serial number other than random, add SERIAL=num"
|
||||||
|
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
|
||||||
|
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
|
||||||
|
@echo
|
||||||
|
@echo Examples:
|
||||||
|
@echo " make server.key"
|
||||||
|
@echo " make server.csr"
|
||||||
|
@echo " make server.crt"
|
||||||
|
@echo " make stunnel.pem"
|
||||||
|
@echo " make genkey"
|
||||||
|
@echo " make certreq"
|
||||||
|
@echo " make testcert"
|
||||||
|
@echo " make server.crt SERIAL=1"
|
||||||
|
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
|
||||||
|
@echo " make testcert DAYS=600"
|
||||||
|
|
||||||
|
%.pem:
|
||||||
|
umask 77 ; \
|
||||||
|
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||||
|
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||||
|
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
|
||||||
|
cat $$PEM1 > $@ ; \
|
||||||
|
echo "" >> $@ ; \
|
||||||
|
cat $$PEM2 >> $@ ; \
|
||||||
|
$(RM) $$PEM1 $$PEM2
|
||||||
|
|
||||||
|
%.key:
|
||||||
|
umask 77 ; \
|
||||||
|
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
|
||||||
|
|
||||||
|
%.csr: %.key
|
||||||
|
umask 77 ; \
|
||||||
|
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
|
||||||
|
|
||||||
|
%.crt: %.key
|
||||||
|
umask 77 ; \
|
||||||
|
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
|
||||||
|
|
||||||
|
TLSROOT=/etc/pki/tls
|
||||||
|
KEY=$(TLSROOT)/private/localhost.key
|
||||||
|
CSR=$(TLSROOT)/certs/localhost.csr
|
||||||
|
CRT=$(TLSROOT)/certs/localhost.crt
|
||||||
|
|
||||||
|
genkey: $(KEY)
|
||||||
|
certreq: $(CSR)
|
||||||
|
testcert: $(CRT)
|
||||||
|
|
||||||
|
$(CSR): $(KEY)
|
||||||
|
umask 77 ; \
|
||||||
|
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
|
||||||
|
|
||||||
|
$(CRT): $(KEY)
|
||||||
|
umask 77 ; \
|
||||||
|
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
|
@ -0,0 +1,7 @@
|
|||||||
|
/* Prepended at openssl package build-time. Don't include this file directly,
|
||||||
|
* use <openssl/opensslconf.h> instead. */
|
||||||
|
|
||||||
|
#ifndef openssl_conf_multilib_redirection_h
|
||||||
|
#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
|
||||||
|
#endif
|
||||||
|
|
@ -0,0 +1,47 @@
|
|||||||
|
/* This file is here to prevent a file conflict on multiarch systems. A
|
||||||
|
* conflict will frequently occur because arch-specific build-time
|
||||||
|
* configuration options are stored (and used, so they can't just be stripped
|
||||||
|
* out) in configuration.h. The original configuration.h has been renamed.
|
||||||
|
* DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
|
||||||
|
|
||||||
|
#ifdef openssl_conf_multilib_redirection_h
|
||||||
|
#error "Do not define openssl_conf_multilib_redirection_h!"
|
||||||
|
#endif
|
||||||
|
#define openssl_conf_multilib_redirection_h
|
||||||
|
|
||||||
|
#if defined(__i386__)
|
||||||
|
#include "configuration-i386.h"
|
||||||
|
#elif defined(__ia64__)
|
||||||
|
#include "configuration-ia64.h"
|
||||||
|
#elif defined(__mips64) && defined(__MIPSEL__)
|
||||||
|
#include "configuration-mips64el.h"
|
||||||
|
#elif defined(__mips64)
|
||||||
|
#include "configuration-mips64.h"
|
||||||
|
#elif defined(__mips) && defined(__MIPSEL__)
|
||||||
|
#include "configuration-mipsel.h"
|
||||||
|
#elif defined(__mips)
|
||||||
|
#include "configuration-mips.h"
|
||||||
|
#elif defined(__powerpc64__)
|
||||||
|
#include <endian.h>
|
||||||
|
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
|
||||||
|
#include "configuration-ppc64.h"
|
||||||
|
#else
|
||||||
|
#include "configuration-ppc64le.h"
|
||||||
|
#endif
|
||||||
|
#elif defined(__powerpc__)
|
||||||
|
#include "configuration-ppc.h"
|
||||||
|
#elif defined(__s390x__)
|
||||||
|
#include "configuration-s390x.h"
|
||||||
|
#elif defined(__s390__)
|
||||||
|
#include "configuration-s390.h"
|
||||||
|
#elif defined(__sparc__) && defined(__arch64__)
|
||||||
|
#include "configuration-sparc64.h"
|
||||||
|
#elif defined(__sparc__)
|
||||||
|
#include "configuration-sparc.h"
|
||||||
|
#elif defined(__x86_64__)
|
||||||
|
#include "configuration-x86_64.h"
|
||||||
|
#else
|
||||||
|
#error "The openssl-devel package does not work your architecture?"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#undef openssl_conf_multilib_redirection_h
|
@ -0,0 +1,628 @@
|
|||||||
|
/*
|
||||||
|
* Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
* in the file LICENSE in the source distribution or at
|
||||||
|
* https://www.openssl.org/source/license.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* ECDSA low level APIs are deprecated for public use, but still ok for
|
||||||
|
* internal use.
|
||||||
|
*/
|
||||||
|
#include "internal/deprecated.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
#include "ec_local.h"
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include <openssl/objects.h>
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
int field_type, /* either NID_X9_62_prime_field or
|
||||||
|
* NID_X9_62_characteristic_two_field */
|
||||||
|
seed_len, param_len;
|
||||||
|
unsigned int cofactor; /* promoted to BN_ULONG */
|
||||||
|
} EC_CURVE_DATA;
|
||||||
|
|
||||||
|
/* the nist prime curves */
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[20 + 28 * 6];
|
||||||
|
} _EC_NIST_PRIME_224 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 28, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
|
||||||
|
0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x01,
|
||||||
|
/* a */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFE,
|
||||||
|
/* b */
|
||||||
|
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
|
||||||
|
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
|
||||||
|
0x23, 0x55, 0xFF, 0xB4,
|
||||||
|
/* x */
|
||||||
|
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
|
||||||
|
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
|
||||||
|
0x11, 0x5C, 0x1D, 0x21,
|
||||||
|
/* y */
|
||||||
|
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
|
||||||
|
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
|
||||||
|
0x85, 0x00, 0x7e, 0x34,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
|
||||||
|
0x5C, 0x5C, 0x2A, 0x3D
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[20 + 48 * 6];
|
||||||
|
} _EC_NIST_PRIME_384 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 48, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
|
||||||
|
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
/* a */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
|
/* b */
|
||||||
|
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
||||||
|
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
||||||
|
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
||||||
|
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
||||||
|
/* x */
|
||||||
|
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
||||||
|
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
||||||
|
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
||||||
|
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
||||||
|
/* y */
|
||||||
|
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
||||||
|
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
||||||
|
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
||||||
|
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
||||||
|
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[20 + 66 * 6];
|
||||||
|
} _EC_NIST_PRIME_521 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 66, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
|
||||||
|
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
|
||||||
|
/* p */
|
||||||
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
/* a */
|
||||||
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
|
/* b */
|
||||||
|
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
||||||
|
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
||||||
|
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
||||||
|
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
||||||
|
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
||||||
|
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
||||||
|
/* x */
|
||||||
|
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
||||||
|
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
||||||
|
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
||||||
|
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
||||||
|
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
||||||
|
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
||||||
|
/* y */
|
||||||
|
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
||||||
|
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
||||||
|
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
||||||
|
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
||||||
|
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
||||||
|
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
||||||
|
/* order */
|
||||||
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
||||||
|
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
||||||
|
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
||||||
|
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[20 + 32 * 6];
|
||||||
|
} _EC_X9_62_PRIME_256V1 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 32, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
||||||
|
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
/* a */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
|
/* b */
|
||||||
|
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
||||||
|
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
||||||
|
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
||||||
|
/* x */
|
||||||
|
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
||||||
|
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
||||||
|
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
||||||
|
/* y */
|
||||||
|
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
||||||
|
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
||||||
|
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
||||||
|
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[0 + 32 * 6];
|
||||||
|
} _EC_SECG_PRIME_256K1 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 0, 32, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* no seed */
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
|
||||||
|
/* a */
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
/* b */
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
|
||||||
|
/* x */
|
||||||
|
0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
|
||||||
|
0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
|
||||||
|
0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
|
||||||
|
/* y */
|
||||||
|
0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
|
||||||
|
0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
|
||||||
|
0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
|
||||||
|
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
typedef struct _ec_list_element_st {
|
||||||
|
int nid;
|
||||||
|
const EC_CURVE_DATA *data;
|
||||||
|
const EC_METHOD *(*meth) (void);
|
||||||
|
const char *comment;
|
||||||
|
} ec_list_element;
|
||||||
|
|
||||||
|
#ifdef FIPS_MODULE
|
||||||
|
static const ec_list_element curve_list[] = {
|
||||||
|
/* prime field curves */
|
||||||
|
/* secg curves */
|
||||||
|
{NID_secp224r1, &_EC_NIST_PRIME_224.h,
|
||||||
|
# if !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
EC_GFp_nistp224_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||||
|
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||||
|
# if defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp384_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 384 bit prime field"},
|
||||||
|
|
||||||
|
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||||
|
# if defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp521_method,
|
||||||
|
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
EC_GFp_nistp521_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 521 bit prime field"},
|
||||||
|
|
||||||
|
/* X9.62 curves */
|
||||||
|
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||||
|
# if defined(ECP_NISTZ256_ASM)
|
||||||
|
EC_GFp_nistz256_method,
|
||||||
|
# elif defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp256_method,
|
||||||
|
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
EC_GFp_nistp256_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"X9.62/SECG curve over a 256 bit prime field"},
|
||||||
|
};
|
||||||
|
|
||||||
|
#else
|
||||||
|
|
||||||
|
static const ec_list_element curve_list[] = {
|
||||||
|
/* prime field curves */
|
||||||
|
/* secg curves */
|
||||||
|
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
|
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
# else
|
||||||
|
{NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
# endif
|
||||||
|
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||||
|
"SECG curve over a 256 bit prime field"},
|
||||||
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||||
|
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||||
|
# if defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp384_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 384 bit prime field"},
|
||||||
|
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||||
|
# if defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp521_method,
|
||||||
|
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
EC_GFp_nistp521_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 521 bit prime field"},
|
||||||
|
/* X9.62 curves */
|
||||||
|
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||||
|
# if defined(ECP_NISTZ256_ASM)
|
||||||
|
EC_GFp_nistz256_method,
|
||||||
|
# elif defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp256_method,
|
||||||
|
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
EC_GFp_nistp256_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"X9.62/SECG curve over a 256 bit prime field"},
|
||||||
|
};
|
||||||
|
#endif /* FIPS_MODULE */
|
||||||
|
|
||||||
|
#define curve_list_length OSSL_NELEM(curve_list)
|
||||||
|
|
||||||
|
static const ec_list_element *ec_curve_nid2curve(int nid)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
if (nid <= 0)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
for (i = 0; i < curve_list_length; i++) {
|
||||||
|
if (curve_list[i].nid == nid)
|
||||||
|
return &curve_list[i];
|
||||||
|
}
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx,
|
||||||
|
const char *propq,
|
||||||
|
const ec_list_element curve)
|
||||||
|
{
|
||||||
|
EC_GROUP *group = NULL;
|
||||||
|
EC_POINT *P = NULL;
|
||||||
|
BN_CTX *ctx = NULL;
|
||||||
|
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
|
||||||
|
NULL;
|
||||||
|
int ok = 0;
|
||||||
|
int seed_len, param_len;
|
||||||
|
const EC_METHOD *meth;
|
||||||
|
const EC_CURVE_DATA *data;
|
||||||
|
const unsigned char *params;
|
||||||
|
|
||||||
|
/* If no curve data curve method must handle everything */
|
||||||
|
if (curve.data == NULL)
|
||||||
|
return ossl_ec_group_new_ex(libctx, propq,
|
||||||
|
curve.meth != NULL ? curve.meth() : NULL);
|
||||||
|
|
||||||
|
if ((ctx = BN_CTX_new_ex(libctx)) == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
data = curve.data;
|
||||||
|
seed_len = data->seed_len;
|
||||||
|
param_len = data->param_len;
|
||||||
|
params = (const unsigned char *)(data + 1); /* skip header */
|
||||||
|
params += seed_len; /* skip seed */
|
||||||
|
|
||||||
|
if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
|
||||||
|
|| (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
|
||||||
|
|| (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (curve.meth != 0) {
|
||||||
|
meth = curve.meth();
|
||||||
|
if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) ||
|
||||||
|
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
} else if (data->field_type == NID_X9_62_prime_field) {
|
||||||
|
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#ifndef OPENSSL_NO_EC2M
|
||||||
|
else { /* field_type ==
|
||||||
|
* NID_X9_62_characteristic_two_field */
|
||||||
|
|
||||||
|
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
EC_GROUP_set_curve_name(group, curve.nid);
|
||||||
|
|
||||||
|
if ((P = EC_POINT_new(group)) == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
|
||||||
|
|| (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
|
||||||
|
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if (!EC_GROUP_set_generator(group, P, order, x)) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if (seed_len) {
|
||||||
|
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
|
||||||
|
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ok = 1;
|
||||||
|
err:
|
||||||
|
if (!ok) {
|
||||||
|
EC_GROUP_free(group);
|
||||||
|
group = NULL;
|
||||||
|
}
|
||||||
|
EC_POINT_free(P);
|
||||||
|
BN_CTX_free(ctx);
|
||||||
|
BN_free(p);
|
||||||
|
BN_free(a);
|
||||||
|
BN_free(b);
|
||||||
|
BN_free(order);
|
||||||
|
BN_free(x);
|
||||||
|
BN_free(y);
|
||||||
|
return group;
|
||||||
|
}
|
||||||
|
|
||||||
|
EC_GROUP *EC_GROUP_new_by_curve_name_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
||||||
|
int nid)
|
||||||
|
{
|
||||||
|
EC_GROUP *ret = NULL;
|
||||||
|
const ec_list_element *curve;
|
||||||
|
|
||||||
|
if ((curve = ec_curve_nid2curve(nid)) == NULL
|
||||||
|
|| (ret = ec_group_new_from_data(libctx, propq, *curve)) == NULL) {
|
||||||
|
#ifndef FIPS_MODULE
|
||||||
|
ERR_raise_data(ERR_LIB_EC, EC_R_UNKNOWN_GROUP,
|
||||||
|
"name=%s", OBJ_nid2sn(nid));
|
||||||
|
#else
|
||||||
|
ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
||||||
|
#endif
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifndef FIPS_MODULE
|
||||||
|
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
||||||
|
{
|
||||||
|
return EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||||
|
{
|
||||||
|
size_t i, min;
|
||||||
|
|
||||||
|
if (r == NULL || nitems == 0)
|
||||||
|
return curve_list_length;
|
||||||
|
|
||||||
|
min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||||
|
|
||||||
|
for (i = 0; i < min; i++) {
|
||||||
|
r[i].nid = curve_list[i].nid;
|
||||||
|
r[i].comment = curve_list[i].comment;
|
||||||
|
}
|
||||||
|
|
||||||
|
return curve_list_length;
|
||||||
|
}
|
||||||
|
|
||||||
|
const char *EC_curve_nid2nist(int nid)
|
||||||
|
{
|
||||||
|
return ossl_ec_curve_nid2nist_int(nid);
|
||||||
|
}
|
||||||
|
|
||||||
|
int EC_curve_nist2nid(const char *name)
|
||||||
|
{
|
||||||
|
return ossl_ec_curve_nist2nid_int(name);
|
||||||
|
}
|
||||||
|
|
||||||
|
#define NUM_BN_FIELDS 6
|
||||||
|
/*
|
||||||
|
* Validates EC domain parameter data for known named curves.
|
||||||
|
* This can be used when a curve is loaded explicitly (without a curve
|
||||||
|
* name) or to validate that domain parameters have not been modified.
|
||||||
|
*
|
||||||
|
* Returns: The nid associated with the found named curve, or NID_undef
|
||||||
|
* if not found. If there was an error it returns -1.
|
||||||
|
*/
|
||||||
|
int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
||||||
|
{
|
||||||
|
int ret = -1, nid, len, field_type, param_len;
|
||||||
|
size_t i, seed_len;
|
||||||
|
const unsigned char *seed, *params_seed, *params;
|
||||||
|
unsigned char *param_bytes = NULL;
|
||||||
|
const EC_CURVE_DATA *data;
|
||||||
|
const EC_POINT *generator = NULL;
|
||||||
|
const BIGNUM *cofactor = NULL;
|
||||||
|
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
||||||
|
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
||||||
|
|
||||||
|
/* Use the optional named curve nid as a search field */
|
||||||
|
nid = EC_GROUP_get_curve_name(group);
|
||||||
|
field_type = EC_GROUP_get_field_type(group);
|
||||||
|
seed_len = EC_GROUP_get_seed_len(group);
|
||||||
|
seed = EC_GROUP_get0_seed(group);
|
||||||
|
cofactor = EC_GROUP_get0_cofactor(group);
|
||||||
|
|
||||||
|
BN_CTX_start(ctx);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
||||||
|
* all zero-padded to be the same size. The size of the padding is
|
||||||
|
* determined by either the number of bytes in the field modulus (p) or the
|
||||||
|
* EC group order, whichever is larger.
|
||||||
|
*/
|
||||||
|
param_len = BN_num_bytes(group->order);
|
||||||
|
len = BN_num_bytes(group->field);
|
||||||
|
if (len > param_len)
|
||||||
|
param_len = len;
|
||||||
|
|
||||||
|
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
||||||
|
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
||||||
|
if (param_bytes == NULL)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
/* Create the bignums */
|
||||||
|
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||||
|
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
/*
|
||||||
|
* Fill in the bn array with the same values as the internal curves
|
||||||
|
* i.e. the values are p, a, b, x, y, order.
|
||||||
|
*/
|
||||||
|
/* Get p, a & b */
|
||||||
|
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
||||||
|
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
||||||
|
/* Get x & y */
|
||||||
|
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
||||||
|
/* Get order */
|
||||||
|
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Convert the bignum array to bytes that are joined together to form
|
||||||
|
* a single buffer that contains data for all fields.
|
||||||
|
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
||||||
|
*/
|
||||||
|
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||||
|
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < curve_list_length; i++) {
|
||||||
|
const ec_list_element curve = curve_list[i];
|
||||||
|
|
||||||
|
data = curve.data;
|
||||||
|
/* Get the raw order byte data */
|
||||||
|
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
||||||
|
params = params_seed + data->seed_len;
|
||||||
|
|
||||||
|
/* Look for unique fields in the fixed curve data */
|
||||||
|
if (data->field_type == field_type
|
||||||
|
&& param_len == data->param_len
|
||||||
|
&& (nid <= 0 || nid == curve.nid)
|
||||||
|
/* check the optional cofactor (ignore if its zero) */
|
||||||
|
&& (BN_is_zero(cofactor)
|
||||||
|
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
||||||
|
/* Check the optional seed (ignore if its not set) */
|
||||||
|
&& (data->seed_len == 0 || seed_len == 0
|
||||||
|
|| ((size_t)data->seed_len == seed_len
|
||||||
|
&& memcmp(params_seed, seed, seed_len) == 0))
|
||||||
|
/* Check that the groups params match the built-in curve params */
|
||||||
|
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
||||||
|
== 0) {
|
||||||
|
ret = curve.nid;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* Gets here if the group was not found */
|
||||||
|
ret = NID_undef;
|
||||||
|
end:
|
||||||
|
OPENSSL_free(param_bytes);
|
||||||
|
BN_CTX_end(ctx);
|
||||||
|
return ret;
|
||||||
|
}
|
@ -0,0 +1,8 @@
|
|||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-9
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
|
@ -0,0 +1,26 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ $# -ne 2 ] ; then
|
||||||
|
echo "Usage:"
|
||||||
|
echo " $0 <git-dir> <base-tag>"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
git_dir="$1"
|
||||||
|
base_tag="$2"
|
||||||
|
|
||||||
|
target_dir="$(pwd)"
|
||||||
|
|
||||||
|
pushd "$git_dir" >/dev/null
|
||||||
|
git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
|
||||||
|
popd >/dev/null
|
||||||
|
|
||||||
|
echo "# Patches exported from source git"
|
||||||
|
|
||||||
|
i=1
|
||||||
|
for p in *.patch ; do
|
||||||
|
printf "# "
|
||||||
|
sed '/^Subject:/{s/^Subject: //;p};d' "$p"
|
||||||
|
printf "Patch%s: %s\n" $i "$p"
|
||||||
|
i=$(($i + 1))
|
||||||
|
done
|
@ -0,0 +1,40 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Quit out if anything fails.
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Clean out patent-or-otherwise-encumbered code.
|
||||||
|
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
|
||||||
|
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
|
||||||
|
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
|
||||||
|
# EC: ????????? ??/??/2020
|
||||||
|
# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
|
||||||
|
|
||||||
|
# Remove assembler portions of IDEA, MDC2, and RC5.
|
||||||
|
# (find crypto/rc5/asm -type f | xargs -r rm -fv)
|
||||||
|
|
||||||
|
for c in `find crypto/bn -name "*gf2m.c"`; do
|
||||||
|
echo Destroying $c
|
||||||
|
> $c
|
||||||
|
done
|
||||||
|
|
||||||
|
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
|
||||||
|
echo Destroying $c
|
||||||
|
> $c
|
||||||
|
done
|
||||||
|
|
||||||
|
for c in `find test -name "ectest.c"`; do
|
||||||
|
echo Destroying $c
|
||||||
|
> $c
|
||||||
|
done
|
||||||
|
|
||||||
|
for h in `find crypto ssl apps test -name "*.h"` ; do
|
||||||
|
echo Removing EC2M references from $h
|
||||||
|
cat $h | \
|
||||||
|
awk 'BEGIN {ech=1;} \
|
||||||
|
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
|
||||||
|
/^#[ \t]*if/ {if(ech < 1) ech--;} \
|
||||||
|
{if(ech>0) {;print $0};} \
|
||||||
|
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
|
||||||
|
mv $h.hobbled $h
|
||||||
|
done
|
@ -0,0 +1,28 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
umask 077
|
||||||
|
|
||||||
|
answers() {
|
||||||
|
echo --
|
||||||
|
echo SomeState
|
||||||
|
echo SomeCity
|
||||||
|
echo SomeOrganization
|
||||||
|
echo SomeOrganizationalUnit
|
||||||
|
echo localhost.localdomain
|
||||||
|
echo root@localhost.localdomain
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ $# -eq 0 ] ; then
|
||||||
|
echo $"Usage: `basename $0` filename [...]"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
for target in $@ ; do
|
||||||
|
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||||
|
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||||
|
trap "rm -f $PEM1 $PEM2" SIGINT
|
||||||
|
answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
|
||||||
|
cat $PEM1 > ${target}
|
||||||
|
echo "" >> ${target}
|
||||||
|
cat $PEM2 >> ${target}
|
||||||
|
rm -f $PEM1 $PEM2
|
||||||
|
done
|
@ -0,0 +1,506 @@
|
|||||||
|
# For the curious:
|
||||||
|
# 0.9.8jk + EAP-FAST soversion = 8
|
||||||
|
# 1.0.0 soversion = 10
|
||||||
|
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
|
||||||
|
# depends on build configuration options)
|
||||||
|
# 3.0.0 soversion = 3 (same as upstream)
|
||||||
|
%define soversion 3
|
||||||
|
|
||||||
|
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
|
||||||
|
# also be handled in opensslconf-new.h.
|
||||||
|
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
|
||||||
|
|
||||||
|
%global _performance_build 1
|
||||||
|
|
||||||
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
|
Name: openssl3
|
||||||
|
Version: 3.0.0
|
||||||
|
Release: 3%{?dist}.1
|
||||||
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
|
# tarball with the hobble-openssl script which is included below.
|
||||||
|
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
|
||||||
|
Source: openssl-%{version}-hobbled.tar.xz
|
||||||
|
Source1: hobble-openssl
|
||||||
|
Source2: Makefile.certificate
|
||||||
|
Source3: genpatches
|
||||||
|
Source6: make-dummy-cert
|
||||||
|
Source7: renew-dummy-cert
|
||||||
|
Source9: configuration-switch.h
|
||||||
|
Source10: configuration-prefix.h
|
||||||
|
Source12: ec_curve.c
|
||||||
|
Source13: ectest.c
|
||||||
|
|
||||||
|
# Patches exported from source git
|
||||||
|
# Aarch64 and ppc64le use lib64
|
||||||
|
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
|
||||||
|
# Use more general default values in openssl.cnf
|
||||||
|
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
|
||||||
|
# Do not install html docs
|
||||||
|
Patch3: 0003-Do-not-install-html-docs.patch
|
||||||
|
# Override default paths for the CA directory tree
|
||||||
|
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
|
||||||
|
# apps/ca: fix md option help text
|
||||||
|
Patch5: 0005-apps-ca-fix-md-option-help-text.patch
|
||||||
|
# Disable signature verification with totally unsafe hash algorithms
|
||||||
|
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
|
||||||
|
# Add support for PROFILE=SYSTEM system default cipherlist
|
||||||
|
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||||
|
# Add FIPS_mode() compatibility macro
|
||||||
|
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
|
||||||
|
# Add check to see if fips flag is enabled in kernel
|
||||||
|
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||||
|
# remove unsupported EC curves
|
||||||
|
Patch11: 0011-Remove-EC-curves.patch
|
||||||
|
# Instructions to load legacy provider in openssl.cnf
|
||||||
|
Patch24: 0024-load-legacy-prov.patch
|
||||||
|
# Tmp: Upstream #16636
|
||||||
|
Patch30: 0030-tmp-Fix-rng-seed-double-free.patch
|
||||||
|
# Tmp: test name change
|
||||||
|
Patch31: 0031-tmp-Fix-test-names.patch
|
||||||
|
# Tmp: coverity
|
||||||
|
Patch100: 0100-coverity.patch
|
||||||
|
|
||||||
|
License: ASL 2.0
|
||||||
|
URL: http://www.openssl.org/
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
||||||
|
BuildRequires: lksctp-tools-devel
|
||||||
|
BuildRequires: /usr/bin/rename
|
||||||
|
BuildRequires: /usr/bin/pod2man
|
||||||
|
BuildRequires: /usr/sbin/sysctl
|
||||||
|
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
|
||||||
|
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
|
||||||
|
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
|
||||||
|
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
|
||||||
|
BuildRequires: git-core
|
||||||
|
Requires: coreutils
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
|
%description
|
||||||
|
The OpenSSL toolkit provides support for secure communications between
|
||||||
|
machines. OpenSSL includes a certificate management tool and shared
|
||||||
|
libraries which provide various cryptographic algorithms and
|
||||||
|
protocols.
|
||||||
|
|
||||||
|
%package libs
|
||||||
|
Summary: A general purpose cryptography library with TLS implementation
|
||||||
|
Requires: ca-certificates >= 2008-5
|
||||||
|
Requires: crypto-policies >= 20180730
|
||||||
|
Recommends: openssl-pkcs11%{?_isa}
|
||||||
|
|
||||||
|
%description libs
|
||||||
|
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
|
||||||
|
package contains the libraries that are used by various applications which
|
||||||
|
support cryptographic algorithms and protocols.
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Files for development of applications which will use OpenSSL
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: pkgconfig
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
|
||||||
|
package contains include files needed to develop applications which
|
||||||
|
support various cryptographic algorithms and protocols.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -S git -n openssl-%{version}
|
||||||
|
|
||||||
|
# The hobble_openssl is called here redundantly, just to be sure.
|
||||||
|
# The tarball has already the sources removed.
|
||||||
|
%{SOURCE1} > /dev/null
|
||||||
|
|
||||||
|
cp %{SOURCE12} crypto/ec/
|
||||||
|
cp %{SOURCE13} test/
|
||||||
|
|
||||||
|
%build
|
||||||
|
# Figure out which flags we want to use.
|
||||||
|
# default
|
||||||
|
sslarch=%{_os}-%{_target_cpu}
|
||||||
|
%ifarch %ix86
|
||||||
|
sslarch=linux-elf
|
||||||
|
if ! echo %{_target} | grep -q i686 ; then
|
||||||
|
sslflags="no-asm 386"
|
||||||
|
fi
|
||||||
|
%endif
|
||||||
|
%ifarch x86_64
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
|
%endif
|
||||||
|
%ifarch sparcv9
|
||||||
|
sslarch=linux-sparcv9
|
||||||
|
sslflags=no-asm
|
||||||
|
%endif
|
||||||
|
%ifarch sparc64
|
||||||
|
sslarch=linux64-sparcv9
|
||||||
|
sslflags=no-asm
|
||||||
|
%endif
|
||||||
|
%ifarch alpha alphaev56 alphaev6 alphaev67
|
||||||
|
sslarch=linux-alpha-gcc
|
||||||
|
%endif
|
||||||
|
%ifarch s390 sh3eb sh4eb
|
||||||
|
sslarch="linux-generic32 -DB_ENDIAN"
|
||||||
|
%endif
|
||||||
|
%ifarch s390x
|
||||||
|
sslarch="linux64-s390x"
|
||||||
|
%endif
|
||||||
|
%ifarch %{arm}
|
||||||
|
sslarch=linux-armv4
|
||||||
|
%endif
|
||||||
|
%ifarch aarch64
|
||||||
|
sslarch=linux-aarch64
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
|
%endif
|
||||||
|
%ifarch sh3 sh4
|
||||||
|
sslarch=linux-generic32
|
||||||
|
%endif
|
||||||
|
%ifarch ppc64 ppc64p7
|
||||||
|
sslarch=linux-ppc64
|
||||||
|
%endif
|
||||||
|
%ifarch ppc64le
|
||||||
|
sslarch="linux-ppc64le"
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
|
%endif
|
||||||
|
%ifarch mips mipsel
|
||||||
|
sslarch="linux-mips32 -mips32r2"
|
||||||
|
%endif
|
||||||
|
%ifarch mips64 mips64el
|
||||||
|
sslarch="linux64-mips64 -mips64r2"
|
||||||
|
%endif
|
||||||
|
%ifarch mips64el
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
|
%endif
|
||||||
|
%ifarch riscv64
|
||||||
|
sslarch=linux-generic64
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
|
||||||
|
# marked as not requiring an executable stack.
|
||||||
|
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
|
||||||
|
# want to depend on the uninitialized memory as a source of entropy anyway.
|
||||||
|
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
|
||||||
|
|
||||||
|
export HASHBANGPERL=/usr/bin/perl
|
||||||
|
|
||||||
|
# ia64, x86_64, ppc are OK by default
|
||||||
|
# Configure the build tree. Override OpenSSL defaults with known-good defaults
|
||||||
|
# usable on all platforms. The Configure script already knows to use -fPIC and
|
||||||
|
# RPM_OPT_FLAGS, so we can skip specifiying them here.
|
||||||
|
./Configure \
|
||||||
|
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
||||||
|
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
||||||
|
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||||
|
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
|
||||||
|
no-mdc2 no-ec2m no-sm2 no-sm4 \
|
||||||
|
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
|
||||||
|
|
||||||
|
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||||
|
#util/mkdef.pl crypto update
|
||||||
|
|
||||||
|
make -s %{?_smp_mflags} all
|
||||||
|
|
||||||
|
# Clean up the .pc files
|
||||||
|
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
||||||
|
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
|
||||||
|
done
|
||||||
|
|
||||||
|
%check
|
||||||
|
# Verify that what was compiled actually works.
|
||||||
|
|
||||||
|
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
|
||||||
|
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
|
||||||
|
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
|
||||||
|
sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
|
||||||
|
touch -r configdata.pm configdata.pm.new && \
|
||||||
|
mv -f configdata.pm.new configdata.pm)
|
||||||
|
|
||||||
|
# We must revert patch4 before tests otherwise they will fail
|
||||||
|
patch -p1 -R < %{PATCH4}
|
||||||
|
|
||||||
|
OPENSSL_ENABLE_MD5_VERIFY=
|
||||||
|
export OPENSSL_ENABLE_MD5_VERIFY
|
||||||
|
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||||
|
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||||
|
make test HARNESS_JOBS=8
|
||||||
|
|
||||||
|
# Add generation of HMAC checksum of the final stripped library
|
||||||
|
#%define __spec_install_post \
|
||||||
|
# %{?__debug_package:%{__debug_install_post}} \
|
||||||
|
# %{__arch_install_post} \
|
||||||
|
# %{__os_install_post} \
|
||||||
|
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
|
||||||
|
# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
|
||||||
|
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
|
||||||
|
# ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
|
||||||
|
#%{nil}
|
||||||
|
|
||||||
|
%define __provides_exclude_from %{_libdir}/openssl
|
||||||
|
|
||||||
|
%install
|
||||||
|
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
||||||
|
# Install OpenSSL.
|
||||||
|
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
|
||||||
|
%make_install
|
||||||
|
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
||||||
|
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
||||||
|
chmod 755 ${lib}
|
||||||
|
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
|
||||||
|
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
|
||||||
|
done
|
||||||
|
|
||||||
|
# Remove static libraries
|
||||||
|
for lib in $RPM_BUILD_ROOT%{_libdir}/*.a ; do
|
||||||
|
rm -f ${lib}
|
||||||
|
done
|
||||||
|
|
||||||
|
# Install a makefile for generating keys and self-signed certs, and a script
|
||||||
|
# for generating them on the fly.
|
||||||
|
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
|
||||||
|
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
|
||||||
|
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
|
||||||
|
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
|
||||||
|
|
||||||
|
# Move runable perl scripts to bindir
|
||||||
|
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
|
||||||
|
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
|
||||||
|
|
||||||
|
# Rename man pages so that they don't conflict with other system man pages.
|
||||||
|
pushd $RPM_BUILD_ROOT%{_mandir}
|
||||||
|
mv man5/config.5ossl man5/openssl.cnf.5
|
||||||
|
popd
|
||||||
|
|
||||||
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
|
||||||
|
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
|
||||||
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
|
||||||
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
|
||||||
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
|
||||||
|
|
||||||
|
# Ensure the config file timestamps are identical across builds to avoid
|
||||||
|
# mulitlib conflicts and unnecessary renames on upgrade
|
||||||
|
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
|
||||||
|
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
|
||||||
|
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
|
||||||
|
%ifarch i686
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Determine which arch opensslconf.h is going to try to #include.
|
||||||
|
basearch=%{_arch}
|
||||||
|
%ifarch %{ix86}
|
||||||
|
basearch=i386
|
||||||
|
%endif
|
||||||
|
%ifarch sparcv9
|
||||||
|
basearch=sparc
|
||||||
|
%endif
|
||||||
|
%ifarch sparc64
|
||||||
|
basearch=sparc64
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Next step of gradual disablement of SSL3.
|
||||||
|
# Make SSL3 disappear to newly built dependencies.
|
||||||
|
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
|
||||||
|
#ifndef OPENSSL_NO_SSL3\
|
||||||
|
# define OPENSSL_NO_SSL3\
|
||||||
|
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
|
||||||
|
|
||||||
|
%ifarch %{multilib_arches}
|
||||||
|
# Do an configuration.h switcheroo to avoid file conflicts on systems where you
|
||||||
|
# can have both a 32- and 64-bit version of the library, and they each need
|
||||||
|
# their own correct-but-different versions of opensslconf.h to be usable.
|
||||||
|
install -m644 %{SOURCE10} \
|
||||||
|
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
|
||||||
|
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \
|
||||||
|
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
|
||||||
|
install -m644 %{SOURCE9} \
|
||||||
|
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Transformation for openssl3
|
||||||
|
# see openssl11.spec
|
||||||
|
mkdir -p $RPM_BUILD_ROOT{%{_libdir},%{_includedir}}/%{name}/
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_libdir}/*.so
|
||||||
|
mv -f $RPM_BUILD_ROOT%{_includedir}/{openssl,%{name}/openssl}/
|
||||||
|
mv -f $RPM_BUILD_ROOT%{_bindir}/{openssl,%{name}}
|
||||||
|
|
||||||
|
for pc in libcrypto libssl openssl; do
|
||||||
|
sed -e 's@\(Libs: -L${libdir}\)@\1 -L${libdir}/%{name}@' \
|
||||||
|
-e 's@\(Cflags: -I${includedir}\)@\1 -I${includedir}/%{name}@' \
|
||||||
|
-e 's@\(Requires.*:.*\)\(libssl\)@\1\23@g' \
|
||||||
|
-e 's@\(Requires.*:.*\)\(libcrypto\)@\1\23@g' \
|
||||||
|
$RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}3.pc
|
||||||
|
touch -c -r $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}3.pc
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc
|
||||||
|
done
|
||||||
|
|
||||||
|
ln -s ../libcrypto.so.%{version} $RPM_BUILD_ROOT%{_libdir}/%{name}/libcrypto.so
|
||||||
|
ln -s ../libssl.so.%{version} $RPM_BUILD_ROOT%{_libdir}/%{name}/libssl.so
|
||||||
|
|
||||||
|
pushd $RPM_BUILD_ROOT%{_mandir}
|
||||||
|
for manpage in man*/* ; do
|
||||||
|
[ "${manpage}" = "man1/%{name}.1" ] && continue
|
||||||
|
if [ -L ${manpage} ]; then
|
||||||
|
TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
|
||||||
|
ln -snf ${TARGET}11 ${manpage}
|
||||||
|
rm -f ${manpage}
|
||||||
|
else
|
||||||
|
mv -f ${manpage} ${manpage}3
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
popd
|
||||||
|
|
||||||
|
# No openssl3-perl, because it wouldn't be really different or newer
|
||||||
|
rm -rf $RPM_BUILD_ROOT{%{_sysconfdir}/pki/CA/,{%{_bindir},%{_mandir}/man1}/{CA.pl,c_rehash,*tsget}*}
|
||||||
|
|
||||||
|
# Remove dummy cert tools
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_bindir}/{make,renew}-dummy-cert
|
||||||
|
|
||||||
|
%files
|
||||||
|
%{!?_licensedir:%global license %%doc}
|
||||||
|
%license LICENSE.txt
|
||||||
|
%doc NEWS.md README.md
|
||||||
|
%{_bindir}/%{name}
|
||||||
|
%{_mandir}/man1/*
|
||||||
|
%{_mandir}/man5/*
|
||||||
|
%{_mandir}/man7/*
|
||||||
|
%{_pkgdocdir}/Makefile.certificate
|
||||||
|
|
||||||
|
%files libs
|
||||||
|
%{!?_licensedir:%global license %%doc}
|
||||||
|
%license LICENSE.txt
|
||||||
|
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
|
||||||
|
%{_libdir}/libcrypto.so.%{soversion}
|
||||||
|
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
||||||
|
%{_libdir}/libssl.so.%{soversion}
|
||||||
|
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
|
||||||
|
%attr(0755,root,root) %{_libdir}/ossl-modules
|
||||||
|
%ifnarch i686
|
||||||
|
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
|
||||||
|
%{_prefix}/include/%{name}
|
||||||
|
%{_libdir}/%{name}/*.so
|
||||||
|
%{_mandir}/man3/*
|
||||||
|
%{_libdir}/pkgconfig/*.pc
|
||||||
|
|
||||||
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Wed Nov 17 2021 Michel Alexandre Salim <salimma@fedoraproject.org> - 1:3.0.0-3.1
|
||||||
|
- Fork c9s' openssl to openssl3 for epel8 (and possibly Fedora <= 35)
|
||||||
|
|
||||||
|
* Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
|
||||||
|
- Fix memory leak in s_client
|
||||||
|
- Related: rhbz#1996092
|
||||||
|
|
||||||
|
* Mon Sep 20 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-2
|
||||||
|
- Avoid double-free on error seeding the RNG.
|
||||||
|
- KTLS and FIPS may interfere, so tests need to be tuned
|
||||||
|
- Resolves: rhbz#1952844, rhbz#1961643
|
||||||
|
|
||||||
|
* Thu Sep 09 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-1
|
||||||
|
- Rebase to upstream version 3.0.0
|
||||||
|
- Related: rhbz#1990814
|
||||||
|
|
||||||
|
* Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7
|
||||||
|
- Removes the dual-abi build as it not required anymore. The mass rebuild
|
||||||
|
was completed and all packages are rebuilt against Beta version.
|
||||||
|
- Resolves: rhbz#1984097
|
||||||
|
|
||||||
|
* Mon Aug 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-0.beta2.6
|
||||||
|
- Correctly process CMS reading from /dev/stdin
|
||||||
|
- Resolves: rhbz#1986315
|
||||||
|
|
||||||
|
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.5
|
||||||
|
- Add instruction for loading legacy provider in openssl.cnf
|
||||||
|
- Resolves: rhbz#1975836
|
||||||
|
|
||||||
|
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.4
|
||||||
|
- Adds support for IDEA encryption.
|
||||||
|
- Resolves: rhbz#1990602
|
||||||
|
|
||||||
|
* Tue Aug 10 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.3
|
||||||
|
- Fixes core dump in openssl req -modulus
|
||||||
|
- Fixes 'openssl req' to not ask for password when non-encrypted private key
|
||||||
|
is used
|
||||||
|
- cms: Do not try to check binary format on stdin and -rctform fix
|
||||||
|
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
|
||||||
|
|
||||||
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.beta2.2.1
|
||||||
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
|
* Wed Aug 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.0-0.beta2.2
|
||||||
|
- When signature_algorithm extension is omitted, use more relevant alerts
|
||||||
|
- Resolves: rhbz#1965017
|
||||||
|
|
||||||
|
* Tue Aug 03 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta2.1
|
||||||
|
- Rebase to upstream version beta2
|
||||||
|
- Related: rhbz#1903209
|
||||||
|
|
||||||
|
* Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5
|
||||||
|
- Prevents creation of duplicate cert entries in PKCS #12 files
|
||||||
|
- Resolves: rhbz#1978670
|
||||||
|
|
||||||
|
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
|
||||||
|
- NVR bump to update to OpenSSL 3.0 Beta1
|
||||||
|
|
||||||
|
* Mon Jul 19 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.3
|
||||||
|
- Update patch dual-abi.patch to add the #define macros in implementation
|
||||||
|
files instead of public header files
|
||||||
|
|
||||||
|
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.2
|
||||||
|
- Removes unused patch dual-abi.patch
|
||||||
|
|
||||||
|
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.1
|
||||||
|
- Update to Beta1 version
|
||||||
|
- Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16
|
||||||
|
|
||||||
|
* Tue Jul 06 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.7
|
||||||
|
- Fixes override of openssl_conf in openssl.cnf
|
||||||
|
- Use AI_ADDRCONFIG only when explicit host name is given
|
||||||
|
- Temporarily remove fipsmodule.cnf for arch i686
|
||||||
|
- Fixes segmentation fault in BN_lebin2bn
|
||||||
|
- Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
|
||||||
|
|
||||||
|
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.6
|
||||||
|
- Adds FIPS mode compatibility patch (sahana@redhat.com)
|
||||||
|
- Related: rhbz#1977318
|
||||||
|
|
||||||
|
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.5
|
||||||
|
- Fixes system hang issue when booted in FIPS mode (sahana@redhat.com)
|
||||||
|
- Temporarily disable downstream FIPS patches
|
||||||
|
- Related: rhbz#1977318
|
||||||
|
|
||||||
|
* Fri Jun 11 2021 Mohan Boddu <mboddu@redhat.com> 3.0.0-0.alpha16.4
|
||||||
|
- Speeding up building openssl (dbelyavs@redhat.com)
|
||||||
|
Resolves: rhbz#1903209
|
||||||
|
|
||||||
|
* Fri Jun 04 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.3
|
||||||
|
- Fix reading SPKAC data from stdin
|
||||||
|
- Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
|
||||||
|
- Return 0 after cleanup in OPENSSL_init_crypto()
|
||||||
|
- Cleanup the peer point formats on regotiation
|
||||||
|
- Fix default digest to SHA256
|
||||||
|
|
||||||
|
* Thu May 27 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.2
|
||||||
|
- Enable FIPS via config options
|
||||||
|
|
||||||
|
* Mon May 17 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.1
|
||||||
|
- Update to alpha 16 version
|
||||||
|
Resolves: rhbz#1952901 openssl sends alert after orderly connection close
|
||||||
|
|
||||||
|
* Mon Apr 26 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha15.1
|
||||||
|
- Update to alpha 15 version
|
||||||
|
Resolves: rhbz#1903209, rhbz#1952598,
|
||||||
|
|
||||||
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.alpha13.1.1
|
||||||
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
|
* Fri Apr 09 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha13.1
|
||||||
|
- Update to new major release OpenSSL 3.0.0 alpha 13
|
||||||
|
Resolves: rhbz#1903209
|
@ -0,0 +1,39 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ $# -eq 0 ]; then
|
||||||
|
echo $"Usage: `basename $0` filename" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
PEM=$1
|
||||||
|
REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||||
|
KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||||
|
CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||||
|
NEW=${PEM}_
|
||||||
|
|
||||||
|
trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
|
||||||
|
|
||||||
|
if [ ! -f $PEM ]; then
|
||||||
|
echo "$PEM: file not found" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
umask 077
|
||||||
|
|
||||||
|
OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
|
||||||
|
|
||||||
|
openssl rsa -inform pem -in $PEM -out $KEY
|
||||||
|
openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
|
||||||
|
openssl x509 -req -in $REQ -signkey $KEY -days 365 \
|
||||||
|
-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
|
||||||
|
|
||||||
|
(cat $KEY ; echo "" ; cat $CRT) > $NEW
|
||||||
|
|
||||||
|
chown $OWNER $NEW
|
||||||
|
|
||||||
|
mv -f $NEW $PEM
|
||||||
|
|
||||||
|
rm -f $REQ $KEY $CRT
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|
Loading…
Reference in new issue