From 354ff9f60c1a33ff88724d67ed19434710dc329a Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: May 18 2010 16:24:02 +0000 Subject: - make CA dir readable - the private keys are in private subdir (#584810) - do not move the libcrypto to /lib in the F12 package --- diff --git a/openssl-1.0.0-dtls1-backports.patch b/openssl-1.0.0-dtls1-backports.patch new file mode 100644 index 0000000..99518cd --- /dev/null +++ b/openssl-1.0.0-dtls1-backports.patch @@ -0,0 +1,53 @@ +diff -up openssl-1.0.0/ssl/d1_lib.c.dtls1 openssl-1.0.0/ssl/d1_lib.c +--- openssl-1.0.0/ssl/d1_lib.c.dtls1 2009-12-08 12:38:17.000000000 +0100 ++++ openssl-1.0.0/ssl/d1_lib.c 2010-04-09 16:29:49.000000000 +0200 +@@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s + timeleft->tv_usec += 1000000; + } + ++ /* If remaining time is less than 15 ms, set it to 0 ++ * to prevent issues because of small devergences with ++ * socket timeouts. ++ */ ++ if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) ++ { ++ memset(timeleft, 0, sizeof(struct timeval)); ++ } ++ ++ + return timeleft; + } + +diff -up openssl-1.0.0/ssl/d1_pkt.c.dtls1 openssl-1.0.0/ssl/d1_pkt.c +--- openssl-1.0.0/ssl/d1_pkt.c.dtls1 2009-10-04 18:52:35.000000000 +0200 ++++ openssl-1.0.0/ssl/d1_pkt.c 2010-04-09 16:30:49.000000000 +0200 +@@ -667,14 +667,14 @@ again: + if (rr->length == 0) goto again; + + /* If this record is from the next epoch (either HM or ALERT), +- * buffer it since it cannot be processed at this time. Records +- * from the next epoch are marked as received even though they +- * are not processed, so as to prevent any potential resource +- * DoS attack */ ++ * and a handshake is currently in progress, buffer it since it ++ * cannot be processed at this time. */ + if (is_next_epoch) + { +- dtls1_record_bitmap_update(s, bitmap); +- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); ++ if (SSL_in_init(s) || s->in_handshake) ++ { ++ dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); ++ } + rr->length = 0; + s->packet_length = 0; + goto again; +@@ -809,7 +809,7 @@ start: + * buffer the application data for later processing rather + * than dropping the connection. + */ +- dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0); ++ dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num); + rr->length = 0; + goto start; + } diff --git a/openssl-1.0.0-init-sha256.patch b/openssl-1.0.0-init-sha256.patch new file mode 100644 index 0000000..115722c --- /dev/null +++ b/openssl-1.0.0-init-sha256.patch @@ -0,0 +1,79 @@ +diff -up openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256 openssl-1.0.0/doc/ssl/SSL_library_init.pod +--- openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256 2006-03-12 01:37:55.000000000 +0100 ++++ openssl-1.0.0/doc/ssl/SSL_library_init.pod 2010-04-09 16:33:11.000000000 +0200 +@@ -15,7 +15,7 @@ SSL_library_init, OpenSSL_add_ssl_algori + + =head1 DESCRIPTION + +-SSL_library_init() registers the available ciphers and digests. ++SSL_library_init() registers the available SSL/TLS ciphers and digests. + + OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are synonyms + for SSL_library_init(). +@@ -27,24 +27,28 @@ SSL_library_init() is not reentrant. + + =head1 WARNING + +-SSL_library_init() only registers ciphers. Another important initialization +-is the seeding of the PRNG (Pseudo Random Number Generator), which has to +-be performed separately. ++SSL_library_init() adds ciphers and digests used directly and indirectly by ++SSL/TLS. + + =head1 EXAMPLES + + A typical TLS/SSL application will start with the library initialization, +-will provide readable error messages and will seed the PRNG. ++and provide readable error messages. + + SSL_load_error_strings(); /* readable error messages */ + SSL_library_init(); /* initialize library */ +- actions_to_seed_PRNG(); + + =head1 RETURN VALUES + + SSL_library_init() always returns "1", so it is safe to discard the return + value. + ++=head1 NOTES ++ ++OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init(). ++Applications which need to use SHA2 in earlier versions of OpenSSL should call ++OpenSSL_add_all_algorithms() as well. ++ + =head1 SEE ALSO + + L, L, +diff -up openssl-1.0.0/ssl/ssl_algs.c.sha256 openssl-1.0.0/ssl/ssl_algs.c +--- openssl-1.0.0/ssl/ssl_algs.c.sha256 2010-04-06 12:52:38.000000000 +0200 ++++ openssl-1.0.0/ssl/ssl_algs.c 2010-04-09 16:34:41.000000000 +0200 +@@ -111,6 +111,14 @@ int SSL_library_init(void) + EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); + #endif ++#ifndef OPENSSL_NO_SHA256 ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++#endif ++#ifndef OPENSSL_NO_SHA512 ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++#endif + #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) + EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); +@@ -148,6 +156,14 @@ int SSL_library_init(void) + EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); + #endif ++#ifndef OPENSSL_NO_SHA256 ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++#endif ++#ifndef OPENSSL_NO_SHA512 ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++#endif + #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) + EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); diff --git a/openssl-1.0.0-name-hash.patch b/openssl-1.0.0-name-hash.patch new file mode 100644 index 0000000..9098c0a --- /dev/null +++ b/openssl-1.0.0-name-hash.patch @@ -0,0 +1,22 @@ +diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c +--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash 2010-01-12 18:27:10.000000000 +0100 ++++ openssl-1.0.0/crypto/x509/x509_cmp.c 2010-04-06 16:44:52.000000000 +0200 +@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA + { + unsigned long ret=0; + unsigned char md[16]; ++ EVP_MD_CTX ctx; + + /* Make sure X509_NAME structure contains valid cached encoding */ + i2d_X509_NAME(x,NULL); +- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL); ++ ++ EVP_MD_CTX_init(&ctx); ++ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); ++ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL) ++ && EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length) ++ && EVP_DigestFinal_ex(&ctx, md, NULL); ++ EVP_MD_CTX_cleanup(&ctx); + + ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| + ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) diff --git a/openssl-1.0.0-timezone.patch b/openssl-1.0.0-timezone.patch new file mode 100644 index 0000000..b1d6682 --- /dev/null +++ b/openssl-1.0.0-timezone.patch @@ -0,0 +1,21 @@ +diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org +--- openssl-1.0.0/Makefile.org.timezone 2010-03-30 11:08:40.000000000 +0200 ++++ openssl-1.0.0/Makefile.org 2010-04-06 12:49:21.000000000 +0200 +@@ -609,7 +609,7 @@ install_docs: + sec=`$(PERL) util/extract-section.pl 1 < $$i`; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ + (cd `$(PERL) util/dirname.pl $$i`; \ +- sh -c "$$pod2man \ ++ sh -c "TZ=UTC $$pod2man \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ +@@ -626,7 +626,7 @@ install_docs: + sec=`$(PERL) util/extract-section.pl 3 < $$i`; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ + (cd `$(PERL) util/dirname.pl $$i`; \ +- sh -c "$$pod2man \ ++ sh -c "TZ=UTC $$pod2man \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ diff --git a/openssl.spec b/openssl.spec index e946180..9a72fd4 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,7 +21,7 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.0 -Release: 1%{?dist} +Release: 4%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-usa.tar.bz2 @@ -39,6 +39,7 @@ Patch3: openssl-1.0.0-beta3-soversion.patch Patch4: openssl-1.0.0-beta5-enginesdir.patch Patch5: openssl-0.9.8a-no-rpath.patch Patch6: openssl-0.9.8b-test-use-localhost.patch +Patch7: openssl-1.0.0-timezone.patch # Bug fixes Patch23: openssl-1.0.0-beta4-default-paths.patch Patch24: openssl-0.9.8j-bad-mime.patch @@ -59,7 +60,10 @@ Patch49: openssl-1.0.0-beta4-algo-doc.patch Patch50: openssl-1.0.0-beta4-dtls1-abi.patch Patch51: openssl-1.0.0-version.patch Patch52: openssl-1.0.0-beta4-aesni.patch +Patch53: openssl-1.0.0-name-hash.patch # Backported fixes including security fixes +Patch60: openssl-1.0.0-dtls1-backports.patch +Patch61: openssl-1.0.0-init-sha256.patch License: OpenSSL Group: System Environment/Libraries @@ -118,6 +122,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch4 -p1 -b .enginesdir %patch5 -p1 -b .no-rpath %patch6 -p1 -b .use-localhost +%patch7 -p1 -b .timezone %patch23 -p1 -b .default-paths %patch24 -p1 -b .bad-mime @@ -138,7 +143,10 @@ from other formats to the formats used by the OpenSSL toolkit. %patch50 -p1 -b .dtls1-abi %patch51 -p1 -b .version %patch52 -p1 -b .aesni +%patch53 -p1 -b .name-hash +%patch60 -p1 -b .dtls1 +%patch61 -p1 -b .sha256 # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -281,8 +289,11 @@ pushd $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc mv CA.sh CA popd -mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA +mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private +mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs +mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl +mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts # Ensure the openssl.cnf timestamp is identical across builds to avoid # mulitlib conflicts and unnecessary renames on upgrade @@ -345,6 +356,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %{_sysconfdir}/pki/tls/misc/CA %dir %{_sysconfdir}/pki/CA %dir %{_sysconfdir}/pki/CA/private +%dir %{_sysconfdir}/pki/CA/certs +%dir %{_sysconfdir}/pki/CA/crl +%dir %{_sysconfdir}/pki/CA/newcerts %{_sysconfdir}/pki/tls/misc/c_* %{_sysconfdir}/pki/tls/private @@ -383,6 +397,18 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Tue May 18 2010 Tomas Mraz 1.0.0-4 +- make CA dir readable - the private keys are in private subdir (#584810) +- do not move the libcrypto to /lib in the F12 package + +* Fri Apr 9 2010 Tomas Mraz 1.0.0-3 +- a few fixes from upstream CVS +- move libcrypto to /lib (#559953) + +* Tue Apr 6 2010 Tomas Mraz 1.0.0-2 +- set UTC timezone on pod2man run (#578842) +- make X509_NAME_hash_old work in FIPS mode + * Tue Mar 30 2010 Tomas Mraz 1.0.0-1 - update to final 1.0.0 upstream release