From a9e5f01ef5fcb34789769b5d6b5b57c927831586 Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: Mar 25 2009 21:12:41 +0000 Subject: - update to new upstream release (minor bug fixes, security fixes and machine code optimizations only) --- diff --git a/.cvsignore b/.cvsignore index 6dba667..d39bc0a 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -openssl-0.9.8j-usa.tar.bz2 +openssl-0.9.8k-usa.tar.bz2 diff --git a/openssl-0.9.8b-x509-name-cmp.patch b/openssl-0.9.8b-x509-name-cmp.patch deleted file mode 100644 index c7e8848..0000000 --- a/openssl-0.9.8b-x509-name-cmp.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp 2004-12-01 02:45:30.000000000 +0100 -+++ openssl-0.9.8b/crypto/x509/x509_cmp.c 2006-11-30 23:37:26.000000000 +0100 -@@ -282,14 +282,7 @@ - nb=sk_X509_NAME_ENTRY_value(b->entries,i); - j=na->value->type-nb->value->type; - if (j) -- { -- nabit = ASN1_tag2bit(na->value->type); -- nbbit = ASN1_tag2bit(nb->value->type); -- if (!(nabit & STR_TYPE_CMP) || -- !(nbbit & STR_TYPE_CMP)) -- return j; -- j = asn1_string_memcmp(na->value, nb->value); -- } -+ return j; - else if (na->value->type == V_ASN1_PRINTABLESTRING) - j=nocase_spacenorm_cmp(na->value, nb->value); - else if (na->value->type == V_ASN1_IA5STRING diff --git a/openssl-0.9.8j-fipscheck-hmac.patch b/openssl-0.9.8j-fipscheck-hmac.patch deleted file mode 100644 index 3ba459b..0000000 --- a/openssl-0.9.8j-fipscheck-hmac.patch +++ /dev/null @@ -1,125 +0,0 @@ -Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary. -We use the binary just during the OpenSSL build to checksum the libcrypto. -diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile ---- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100 -+++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100 -@@ -46,7 +46,7 @@ lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - - ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o -- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ -+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ - $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM - - files: -diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c ---- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200 -+++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100 -@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len) - - #ifdef OPENSSL_FIPS - --static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, -+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx, - const char *key) - { - int len=strlen(key); -@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH - - if (len > SHA_CBLOCK) - { -- SHA1_Init(md_ctx); -- SHA1_Update(md_ctx,key,len); -- SHA1_Final(keymd,md_ctx); -- len=20; -+ SHA256_Init(md_ctx); -+ SHA256_Update(md_ctx,key,len); -+ SHA256_Final(keymd,md_ctx); -+ len=SHA256_DIGEST_LENGTH; - } - else - memcpy(keymd,key,len); -@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH - - for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) - pad[i]=0x36^keymd[i]; -- SHA1_Init(md_ctx); -- SHA1_Update(md_ctx,pad,SHA_CBLOCK); -+ SHA256_Init(md_ctx); -+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK); - - for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) - pad[i]=0x5c^keymd[i]; -- SHA1_Init(o_ctx); -- SHA1_Update(o_ctx,pad,SHA_CBLOCK); -+ SHA256_Init(o_ctx); -+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK); - } - --static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) -+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx) - { -- unsigned char buf[20]; -+ unsigned char buf[SHA256_DIGEST_LENGTH]; - -- SHA1_Final(buf,md_ctx); -- SHA1_Update(o_ctx,buf,sizeof buf); -- SHA1_Final(md,o_ctx); -+ SHA256_Final(buf,md_ctx); -+ SHA256_Update(o_ctx,buf,sizeof buf); -+ SHA256_Final(md,o_ctx); - } - - #endif -@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md - int main(int argc,char **argv) - { - #ifdef OPENSSL_FIPS -- static char key[]="etaonrishdlcupfm"; -+ static char key[]="orboDeJITITejsirpADONivirpUkvarP"; - int n,binary=0; - - if(argc < 2) -@@ -125,8 +125,8 @@ int main(int argc,char **argv) - for(; n < argc ; ++n) - { - FILE *f=fopen(argv[n],"rb"); -- SHA_CTX md_ctx,o_ctx; -- unsigned char md[20]; -+ SHA256_CTX md_ctx,o_ctx; -+ unsigned char md[SHA256_DIGEST_LENGTH]; - int i; - - if(!f) -@@ -139,7 +139,7 @@ int main(int argc,char **argv) - for( ; ; ) - { - char buf[1024]; -- int l=fread(buf,1,sizeof buf,f); -+ size_t l=fread(buf,1,sizeof buf,f); - - if(l == 0) - { -@@ -151,18 +151,18 @@ int main(int argc,char **argv) - else - break; - } -- SHA1_Update(&md_ctx,buf,l); -+ SHA256_Update(&md_ctx,buf,l); - } - hmac_final(md,&md_ctx,&o_ctx); - - if (binary) - { -- fwrite(md,20,1,stdout); -+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout); - break; /* ... for single(!) file */ - } - -- printf("HMAC-SHA1(%s)= ",argv[n]); -- for(i=0 ; i < 20 ; ++i) -+/* printf("HMAC-SHA1(%s)= ",argv[n]); */ -+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i) - printf("%02x",md[i]); - printf("\n"); - } diff --git a/openssl-0.9.8j-use-fipscheck.patch b/openssl-0.9.8j-use-fipscheck.patch deleted file mode 100644 index c21075a..0000000 --- a/openssl-0.9.8j-use-fipscheck.patch +++ /dev/null @@ -1,384 +0,0 @@ -diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile ---- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100 -+++ openssl-0.9.8j/test/Makefile 2009-02-02 13:24:36.000000000 +0100 -@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$ - if [ "$(FIPSCANLIB)" = "libfips" ]; then \ - LIBRARIES="-L$(TOP) -lfips"; \ - elif [ -n "$(FIPSCANLIB)" ]; then \ -- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ -- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ -+ LIBRARIES="$(LIBCRYPTO)"; \ - fi; \ - $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ -@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if - shlib_target="$(SHLIB_TARGET)"; \ - fi; \ - LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ -- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \ -- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ -- fi; \ - [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ - $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ -diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org ---- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-02-02 13:24:36.000000000 +0100 -+++ openssl-0.9.8j/Makefile.org 2009-02-02 13:24:36.000000000 +0100 -@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA - $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ - $(AR) libcrypto.a fips/fipscanister.o ; \ - else \ -- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ -- FIPSLD_CC=$(CC); CC=fips/fipsld; \ -- export CC FIPSLD_CC; \ -- fi; \ - $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ - fi \ - else \ -@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT - fips/fipscanister.o: build_fips - libfips$(SHLIB_EXT): fips/fipscanister.o - @if [ "$(SHLIB_TARGET)" != "" ]; then \ -- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ - $(MAKE) -f Makefile.shared -e $(BUILDENV) \ -- CC=$${CC} LIBNAME=fips THIS=$@ \ -+ CC=$(CC) LIBNAME=fips THIS=$@ \ - LIBEXTRAS=fips/fipscanister.o \ - LIBDEPS="$(EX_LIBS)" \ - LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ -@@ -469,7 +464,7 @@ openssl.pc: Makefile - echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ - echo 'Version: '$(VERSION); \ - echo 'Requires: '; \ -- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ -+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\ - echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc - - Makefile: Makefile.org Configure config -diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c ---- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200 -+++ openssl-0.9.8j/fips/fips.c 2009-02-02 13:31:53.000000000 +0100 -@@ -47,6 +47,7 @@ - * - */ - -+#define _GNU_SOURCE - - #include - #include -@@ -56,6 +57,9 @@ - #include - #include - #include -+#include -+#include -+#include - #include "fips_locl.h" - - #ifdef OPENSSL_FIPS -@@ -165,6 +169,7 @@ int FIPS_selftest() - && FIPS_selftest_dsa(); - } - -+#if 0 - extern const void *FIPS_text_start(), *FIPS_text_end(); - extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; - unsigned char FIPS_signature [20] = { 0 }; -@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void) - - return 1; - } -+#else -+/* we implement what libfipscheck does ourselves */ -+ -+static int -+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) -+{ -+ Dl_info info; -+ void *dl, *sym; -+ int rv = -1; -+ -+ dl = dlopen(libname, RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } -+ -+ sym = dlsym(dl, symbolname); -+ -+ if (sym != NULL && dladdr(sym, &info)) { -+ strncpy(path, info.dli_fname, pathlen-1); -+ path[pathlen-1] = '\0'; -+ rv = 0; -+ } -+ -+ dlclose(dl); -+ -+ return rv; -+} -+ -+static const char conv[] = "0123456789abcdef"; -+ -+static char * -+bin2hex(void *buf, size_t len) -+{ -+ char *hex, *p; -+ unsigned char *src = buf; -+ -+ hex = malloc(len * 2 + 1); -+ if (hex == NULL) -+ return NULL; -+ -+ p = hex; -+ -+ while (len > 0) { -+ unsigned c; -+ -+ c = *src; -+ src++; -+ -+ *p = conv[c >> 4]; -+ ++p; -+ *p = conv[c & 0x0f]; -+ ++p; -+ --len; -+ } -+ *p = '\0'; -+ return hex; -+} -+ -+#define HMAC_PREFIX "." -+#define HMAC_SUFFIX ".hmac" -+#define READ_BUFFER_LENGTH 16384 -+ -+static char * -+make_hmac_path(const char *origpath) -+{ -+ char *path, *p; -+ const char *fn; -+ -+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); -+ if(path == NULL) { -+ return NULL; -+ } -+ -+ fn = strrchr(origpath, '/'); -+ if (fn == NULL) { -+ fn = origpath; -+ } else { -+ ++fn; -+ } -+ -+ strncpy(path, origpath, fn-origpath); -+ p = path + (fn - origpath); -+ p = stpcpy(p, HMAC_PREFIX); -+ p = stpcpy(p, fn); -+ p = stpcpy(p, HMAC_SUFFIX); -+ -+ return path; -+} -+ -+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; -+ -+static int -+compute_file_hmac(const char *path, void **buf, size_t *hmaclen) -+{ -+ FILE *f = NULL; -+ int rv = -1; -+ unsigned char rbuf[READ_BUFFER_LENGTH]; -+ size_t len; -+ unsigned int hlen; -+ HMAC_CTX c; -+ -+ HMAC_CTX_init(&c); -+ -+ f = fopen(path, "r"); -+ -+ if (f == NULL) { -+ goto end; -+ } -+ -+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); -+ -+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { -+ HMAC_Update(&c, rbuf, len); -+ } -+ -+ len = sizeof(rbuf); -+ /* reuse rbuf for hmac */ -+ HMAC_Final(&c, rbuf, &hlen); -+ -+ *buf = malloc(hlen); -+ if (*buf == NULL) { -+ goto end; -+ } -+ -+ *hmaclen = hlen; -+ -+ memcpy(*buf, rbuf, hlen); -+ -+ rv = 0; -+end: -+ HMAC_CTX_cleanup(&c); -+ -+ if (f) -+ fclose(f); -+ -+ return rv; -+} -+ -+static int -+FIPSCHECK_verify(const char *libname, const char *symbolname) -+{ -+ char path[PATH_MAX+1]; -+ int rv; -+ FILE *hf; -+ char *hmacpath, *p; -+ char *hmac = NULL; -+ size_t n; -+ -+ rv = get_library_path(libname, symbolname, path, sizeof(path)); -+ -+ if (rv < 0) -+ return 0; -+ -+ hmacpath = make_hmac_path(path); -+ -+ hf = fopen(hmacpath, "r"); -+ if (hf == NULL) { -+ free(hmacpath); -+ return 0; -+ } -+ -+ if (getline(&hmac, &n, hf) > 0) { -+ void *buf; -+ size_t hmaclen; -+ char *hex; -+ -+ if ((p=strchr(hmac, '\n')) != NULL) -+ *p = '\0'; -+ -+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { -+ rv = -4; -+ goto end; -+ } -+ -+ if ((hex=bin2hex(buf, hmaclen)) == NULL) { -+ free(buf); -+ rv = -5; -+ goto end; -+ } -+ -+ if (strcmp(hex, hmac) != 0) { -+ rv = -1; -+ } -+ free(buf); -+ free(hex); -+ } -+ -+end: -+ free(hmac); -+ free(hmacpath); -+ fclose(hf); -+ -+ if (rv < 0) -+ return 0; -+ -+ /* check successful */ -+ return 1; -+} -+ -+#endif - - int FIPS_mode_set(int onoff) - { -@@ -280,16 +485,17 @@ int FIPS_mode_set(int onoff) - } - #endif - -- if(fips_signature_witness() != FIPS_signature) -+ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set")) - { -- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); -+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; - ret = 0; - goto end; - } - -- if(!FIPS_check_incore_fingerprint()) -+ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new")) - { -+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; - ret = 0; - goto end; -@@ -405,11 +611,13 @@ int fips_clear_owning_thread(void) - return ret; - } - -+#if 0 - unsigned char *fips_signature_witness(void) - { - extern unsigned char FIPS_signature[]; - return FIPS_signature; - } -+#endif - - /* Generalized public key test routine. Signs and verifies the data - * supplied in tbs using mesage digest md and setting option digest -diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile ---- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-02-02 13:24:36.000000000 +0100 -+++ openssl-0.9.8j/fips/Makefile 2009-02-02 13:24:36.000000000 +0100 -@@ -62,9 +62,9 @@ testapps: - - all: - @if [ -z "$(FIPSLIBDIR)" ]; then \ -- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ -+ $(MAKE) -e subdirs lib; \ - else \ -- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ -+ $(MAKE) -e lib; \ - fi - - # Idea behind fipscanister.o is to "seize" the sequestered code between -@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $ - HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ - *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ - esac fi -- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 - - # If another exception is immediately required, assign approprite - # site-specific ld command to FIPS_SITE_LD environment variable. -@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC) - $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. - @touch lib - --shared: lib subdirs fips_premain_dso$(EXE_EXT) -+shared: lib subdirs - - libs: - @target=lib; $(RECURSIVE_MAKE) -@@ -195,10 +194,6 @@ install: - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; - @target=install; $(RECURSIVE_MAKE) -- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ -- fips_premain.c.sha1 \ -- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ -- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* - - lint: - @target=lint; $(RECURSIVE_MAKE) -diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h ---- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200 -+++ openssl-0.9.8j/fips/fips_locl.h 2009-02-02 13:24:36.000000000 +0100 -@@ -63,7 +63,9 @@ int fips_is_owning_thread(void); - int fips_set_owning_thread(void); - void fips_set_selftest_fail(void); - int fips_clear_owning_thread(void); -+#if 0 - unsigned char *fips_signature_witness(void); -+#endif - - #define FIPS_MAX_CIPHER_TEST_SIZE 16 - diff --git a/openssl-0.9.8k-fipscheck-hmac.patch b/openssl-0.9.8k-fipscheck-hmac.patch new file mode 100644 index 0000000..c47cb82 --- /dev/null +++ b/openssl-0.9.8k-fipscheck-hmac.patch @@ -0,0 +1,114 @@ +diff -up openssl-0.9.8k/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8k/fips/sha/Makefile +--- openssl-0.9.8k/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100 ++++ openssl-0.9.8k/fips/sha/Makefile 2009-03-25 20:18:08.000000000 +0100 +@@ -46,7 +46,7 @@ lib: $(LIBOBJ) + @echo $(LIBOBJ) > lib + + ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o +- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ ++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ + $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM + + files: +diff -up openssl-0.9.8k/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8k/fips/sha/fips_standalone_sha1.c +--- openssl-0.9.8k/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2009-01-15 13:34:54.000000000 +0100 ++++ openssl-0.9.8k/fips/sha/fips_standalone_sha1.c 2009-03-25 20:18:08.000000000 +0100 +@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len) + + #ifdef OPENSSL_FIPS + +-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, ++static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx, + const char *key) + { + size_t len=strlen(key); +@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH + + if (len > SHA_CBLOCK) + { +- SHA1_Init(md_ctx); +- SHA1_Update(md_ctx,key,len); +- SHA1_Final(keymd,md_ctx); +- len=20; ++ SHA256_Init(md_ctx); ++ SHA256_Update(md_ctx,key,len); ++ SHA256_Final(keymd,md_ctx); ++ len=SHA256_DIGEST_LENGTH; + } + else + memcpy(keymd,key,len); +@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH + + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) + pad[i]=0x36^keymd[i]; +- SHA1_Init(md_ctx); +- SHA1_Update(md_ctx,pad,SHA_CBLOCK); ++ SHA256_Init(md_ctx); ++ SHA256_Update(md_ctx,pad,SHA256_CBLOCK); + + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) + pad[i]=0x5c^keymd[i]; +- SHA1_Init(o_ctx); +- SHA1_Update(o_ctx,pad,SHA_CBLOCK); ++ SHA256_Init(o_ctx); ++ SHA256_Update(o_ctx,pad,SHA256_CBLOCK); + } + +-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) ++static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx) + { +- unsigned char buf[20]; ++ unsigned char buf[SHA256_DIGEST_LENGTH]; + +- SHA1_Final(buf,md_ctx); +- SHA1_Update(o_ctx,buf,sizeof buf); +- SHA1_Final(md,o_ctx); ++ SHA256_Final(buf,md_ctx); ++ SHA256_Update(o_ctx,buf,sizeof buf); ++ SHA256_Final(md,o_ctx); + } + + #endif +@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md + int main(int argc,char **argv) + { + #ifdef OPENSSL_FIPS +- static char key[]="etaonrishdlcupfm"; ++ static char key[]="orboDeJITITejsirpADONivirpUkvarP"; + int n,binary=0; + + if(argc < 2) +@@ -125,8 +125,8 @@ int main(int argc,char **argv) + for(; n < argc ; ++n) + { + FILE *f=fopen(argv[n],"rb"); +- SHA_CTX md_ctx,o_ctx; +- unsigned char md[20]; ++ SHA256_CTX md_ctx,o_ctx; ++ unsigned char md[SHA256_DIGEST_LENGTH]; + int i; + + if(!f) +@@ -151,18 +151,18 @@ int main(int argc,char **argv) + else + break; + } +- SHA1_Update(&md_ctx,buf,l); ++ SHA256_Update(&md_ctx,buf,l); + } + hmac_final(md,&md_ctx,&o_ctx); + + if (binary) + { +- fwrite(md,20,1,stdout); ++ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout); + break; /* ... for single(!) file */ + } + +- printf("HMAC-SHA1(%s)= ",argv[n]); +- for(i=0 ; i < 20 ; ++i) ++/* printf("HMAC-SHA1(%s)= ",argv[n]); */ ++ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i) + printf("%02x",md[i]); + printf("\n"); + } diff --git a/openssl-0.9.8k-use-fipscheck.patch b/openssl-0.9.8k-use-fipscheck.patch new file mode 100644 index 0000000..e8298ff --- /dev/null +++ b/openssl-0.9.8k-use-fipscheck.patch @@ -0,0 +1,391 @@ +diff -up openssl-0.9.8k/test/Makefile.use-fipscheck openssl-0.9.8k/test/Makefile +--- openssl-0.9.8k/test/Makefile.use-fipscheck 2009-03-25 11:59:22.000000000 +0100 ++++ openssl-0.9.8k/test/Makefile 2009-03-25 20:14:10.000000000 +0100 +@@ -401,9 +401,6 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$ + fi; \ + if [ "$(FIPSCANLIB)" = "libfips" ]; then \ + LIBRARIES="-L$(TOP) -lfips"; \ +- elif [ -n "$(FIPSCANLIB)" ]; then \ +- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ +- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ + else \ + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ +@@ -416,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ +- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \ +- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ +- fi; \ + [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ + $(MAKE) -f $(TOP)/Makefile.shared -e \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ +diff -up openssl-0.9.8k/Makefile.org.use-fipscheck openssl-0.9.8k/Makefile.org +--- openssl-0.9.8k/Makefile.org.use-fipscheck 2009-03-25 20:10:37.000000000 +0100 ++++ openssl-0.9.8k/Makefile.org 2009-03-25 20:10:37.000000000 +0100 +@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA + $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ + $(AR) libcrypto.a fips/fipscanister.o ; \ + else \ +- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ +- FIPSLD_CC=$(CC); CC=fips/fipsld; \ +- export CC FIPSLD_CC; \ +- fi; \ + $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ + fi \ + else \ +@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT + fips/fipscanister.o: build_fips + libfips$(SHLIB_EXT): fips/fipscanister.o + @if [ "$(SHLIB_TARGET)" != "" ]; then \ +- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ + $(MAKE) -f Makefile.shared -e $(BUILDENV) \ +- CC=$${CC} LIBNAME=fips THIS=$@ \ ++ CC=$(CC) LIBNAME=fips THIS=$@ \ + LIBEXTRAS=fips/fipscanister.o \ + LIBDEPS="$(EX_LIBS)" \ + LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ +@@ -469,7 +464,7 @@ openssl.pc: Makefile + echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ + echo 'Version: '$(VERSION); \ + echo 'Requires: '; \ +- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ ++ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\ + echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc + + Makefile: Makefile.org Configure config +diff -up openssl-0.9.8k/fips/fips.c.use-fipscheck openssl-0.9.8k/fips/fips.c +--- openssl-0.9.8k/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200 ++++ openssl-0.9.8k/fips/fips.c 2009-03-25 20:10:37.000000000 +0100 +@@ -47,6 +47,7 @@ + * + */ + ++#define _GNU_SOURCE + + #include + #include +@@ -56,6 +57,9 @@ + #include + #include + #include ++#include ++#include ++#include + #include "fips_locl.h" + + #ifdef OPENSSL_FIPS +@@ -165,6 +169,7 @@ int FIPS_selftest() + && FIPS_selftest_dsa(); + } + ++#if 0 + extern const void *FIPS_text_start(), *FIPS_text_end(); + extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; + unsigned char FIPS_signature [20] = { 0 }; +@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void) + + return 1; + } ++#else ++/* we implement what libfipscheck does ourselves */ ++ ++static int ++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) ++{ ++ Dl_info info; ++ void *dl, *sym; ++ int rv = -1; ++ ++ dl = dlopen(libname, RTLD_LAZY); ++ if (dl == NULL) { ++ return -1; ++ } ++ ++ sym = dlsym(dl, symbolname); ++ ++ if (sym != NULL && dladdr(sym, &info)) { ++ strncpy(path, info.dli_fname, pathlen-1); ++ path[pathlen-1] = '\0'; ++ rv = 0; ++ } ++ ++ dlclose(dl); ++ ++ return rv; ++} ++ ++static const char conv[] = "0123456789abcdef"; ++ ++static char * ++bin2hex(void *buf, size_t len) ++{ ++ char *hex, *p; ++ unsigned char *src = buf; ++ ++ hex = malloc(len * 2 + 1); ++ if (hex == NULL) ++ return NULL; ++ ++ p = hex; ++ ++ while (len > 0) { ++ unsigned c; ++ ++ c = *src; ++ src++; ++ ++ *p = conv[c >> 4]; ++ ++p; ++ *p = conv[c & 0x0f]; ++ ++p; ++ --len; ++ } ++ *p = '\0'; ++ return hex; ++} ++ ++#define HMAC_PREFIX "." ++#define HMAC_SUFFIX ".hmac" ++#define READ_BUFFER_LENGTH 16384 ++ ++static char * ++make_hmac_path(const char *origpath) ++{ ++ char *path, *p; ++ const char *fn; ++ ++ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); ++ if(path == NULL) { ++ return NULL; ++ } ++ ++ fn = strrchr(origpath, '/'); ++ if (fn == NULL) { ++ fn = origpath; ++ } else { ++ ++fn; ++ } ++ ++ strncpy(path, origpath, fn-origpath); ++ p = path + (fn - origpath); ++ p = stpcpy(p, HMAC_PREFIX); ++ p = stpcpy(p, fn); ++ p = stpcpy(p, HMAC_SUFFIX); ++ ++ return path; ++} ++ ++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ ++static int ++compute_file_hmac(const char *path, void **buf, size_t *hmaclen) ++{ ++ FILE *f = NULL; ++ int rv = -1; ++ unsigned char rbuf[READ_BUFFER_LENGTH]; ++ size_t len; ++ unsigned int hlen; ++ HMAC_CTX c; ++ ++ HMAC_CTX_init(&c); ++ ++ f = fopen(path, "r"); ++ ++ if (f == NULL) { ++ goto end; ++ } ++ ++ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); ++ ++ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { ++ HMAC_Update(&c, rbuf, len); ++ } ++ ++ len = sizeof(rbuf); ++ /* reuse rbuf for hmac */ ++ HMAC_Final(&c, rbuf, &hlen); ++ ++ *buf = malloc(hlen); ++ if (*buf == NULL) { ++ goto end; ++ } ++ ++ *hmaclen = hlen; ++ ++ memcpy(*buf, rbuf, hlen); ++ ++ rv = 0; ++end: ++ HMAC_CTX_cleanup(&c); ++ ++ if (f) ++ fclose(f); ++ ++ return rv; ++} ++ ++static int ++FIPSCHECK_verify(const char *libname, const char *symbolname) ++{ ++ char path[PATH_MAX+1]; ++ int rv; ++ FILE *hf; ++ char *hmacpath, *p; ++ char *hmac = NULL; ++ size_t n; ++ ++ rv = get_library_path(libname, symbolname, path, sizeof(path)); ++ ++ if (rv < 0) ++ return 0; ++ ++ hmacpath = make_hmac_path(path); ++ ++ hf = fopen(hmacpath, "r"); ++ if (hf == NULL) { ++ free(hmacpath); ++ return 0; ++ } ++ ++ if (getline(&hmac, &n, hf) > 0) { ++ void *buf; ++ size_t hmaclen; ++ char *hex; ++ ++ if ((p=strchr(hmac, '\n')) != NULL) ++ *p = '\0'; ++ ++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { ++ rv = -4; ++ goto end; ++ } ++ ++ if ((hex=bin2hex(buf, hmaclen)) == NULL) { ++ free(buf); ++ rv = -5; ++ goto end; ++ } ++ ++ if (strcmp(hex, hmac) != 0) { ++ rv = -1; ++ } ++ free(buf); ++ free(hex); ++ } ++ ++end: ++ free(hmac); ++ free(hmacpath); ++ fclose(hf); ++ ++ if (rv < 0) ++ return 0; ++ ++ /* check successful */ ++ return 1; ++} ++ ++#endif + + int FIPS_mode_set(int onoff) + { +@@ -280,16 +485,17 @@ int FIPS_mode_set(int onoff) + } + #endif + +- if(fips_signature_witness() != FIPS_signature) ++ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set")) + { +- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); ++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; + } + +- if(!FIPS_check_incore_fingerprint()) ++ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new")) + { ++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; +@@ -405,11 +611,13 @@ int fips_clear_owning_thread(void) + return ret; + } + ++#if 0 + unsigned char *fips_signature_witness(void) + { + extern unsigned char FIPS_signature[]; + return FIPS_signature; + } ++#endif + + /* Generalized public key test routine. Signs and verifies the data + * supplied in tbs using mesage digest md and setting option digest +diff -up openssl-0.9.8k/fips/Makefile.use-fipscheck openssl-0.9.8k/fips/Makefile +--- openssl-0.9.8k/fips/Makefile.use-fipscheck 2009-03-25 20:10:37.000000000 +0100 ++++ openssl-0.9.8k/fips/Makefile 2009-03-25 20:16:09.000000000 +0100 +@@ -62,9 +62,9 @@ testapps: + + all: + @if [ -z "$(FIPSLIBDIR)" ]; then \ +- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ ++ $(MAKE) -e subdirs lib; \ + else \ +- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ ++ $(MAKE) -e lib; \ + fi + + # Idea behind fipscanister.o is to "seize" the sequestered code between +@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $ + HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ + *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ + esac fi +- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 + + # If another exception is immediately required, assign approprite + # site-specific ld command to FIPS_SITE_LD environment variable. +@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC) + $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. + @touch lib + +-shared: lib subdirs fips_premain_dso$(EXE_EXT) ++shared: lib subdirs + + libs: + @target=lib; $(RECURSIVE_MAKE) +@@ -195,17 +194,6 @@ install: + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; + @target=install; $(RECURSIVE_MAKE) +- for i in $(EXE) ; \ +- do \ +- echo "installing $$i"; \ +- cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ +- chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ +- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \ +- done +- cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \ +- $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \ +- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ +- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* + + lint: + @target=lint; $(RECURSIVE_MAKE) +diff -up openssl-0.9.8k/fips/fips_locl.h.use-fipscheck openssl-0.9.8k/fips/fips_locl.h +--- openssl-0.9.8k/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200 ++++ openssl-0.9.8k/fips/fips_locl.h 2009-03-25 20:10:37.000000000 +0100 +@@ -63,7 +63,9 @@ int fips_is_owning_thread(void); + int fips_set_owning_thread(void); + void fips_set_selftest_fail(void); + int fips_clear_owning_thread(void); ++#if 0 + unsigned char *fips_signature_witness(void); ++#endif + + #define FIPS_MAX_CIPHER_TEST_SIZE 16 + diff --git a/openssl-0.9.8k-x509-name-cmp.patch b/openssl-0.9.8k-x509-name-cmp.patch new file mode 100644 index 0000000..d5fa16b --- /dev/null +++ b/openssl-0.9.8k-x509-name-cmp.patch @@ -0,0 +1,20 @@ +diff -up openssl-0.9.8k/crypto/x509/x509_cmp.c.name-cmp openssl-0.9.8k/crypto/x509/x509_cmp.c +--- openssl-0.9.8k/crypto/x509/x509_cmp.c.name-cmp 2009-02-15 13:10:39.000000000 +0100 ++++ openssl-0.9.8k/crypto/x509/x509_cmp.c 2009-03-25 20:04:41.000000000 +0100 +@@ -282,15 +282,7 @@ int X509_NAME_cmp(const X509_NAME *a, co + nb=sk_X509_NAME_ENTRY_value(b->entries,i); + j=na->value->type-nb->value->type; + if (j) +- { +- nabit = ASN1_tag2bit(na->value->type); +- nbbit = ASN1_tag2bit(nb->value->type); +- if (!(nabit & STR_TYPE_CMP) || +- !(nbbit & STR_TYPE_CMP)) +- return j; +- if (!asn1_string_memcmp(na->value, nb->value)) +- j = 0; +- } ++ return j; + else if (na->value->type == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na->value, nb->value); + else if (na->value->type == V_ASN1_IA5STRING diff --git a/openssl.spec b/openssl.spec index 1412a7f..107081d 100644 --- a/openssl.spec +++ b/openssl.spec @@ -7,7 +7,7 @@ # 0.9.7ef soversion = 5 # 0.9.8ab soversion = 6 # 0.9.8g soversion = 7 -# 0.9.8j + EAP-FAST soversion = 8 +# 0.9.8jk + EAP-FAST soversion = 8 %define soversion 8 # Number of threads to spawn when testing some threading fixes. @@ -22,8 +22,8 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl -Version: 0.9.8j -Release: 10%{?dist} +Version: 0.9.8k +Release: 1%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-usa.tar.bz2 @@ -44,7 +44,7 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch Patch7: openssl-0.9.8j-shlib-version.patch # Bug fixes Patch21: openssl-0.9.8b-aliasing-bug.patch -Patch22: openssl-0.9.8b-x509-name-cmp.patch +Patch22: openssl-0.9.8k-x509-name-cmp.patch Patch23: openssl-0.9.8g-default-paths.patch Patch24: openssl-0.9.8g-no-extssl.patch # Functionality changes @@ -55,8 +55,8 @@ Patch35: openssl-0.9.8j-version-add-engines.patch Patch38: openssl-0.9.8a-reuse-cipher-change.patch Patch39: openssl-0.9.8g-ipv6-apps.patch Patch40: openssl-0.9.8j-nocanister.patch -Patch41: openssl-0.9.8j-use-fipscheck.patch -Patch42: openssl-0.9.8j-fipscheck-hmac.patch +Patch41: openssl-0.9.8k-use-fipscheck.patch +Patch42: openssl-0.9.8k-fipscheck-hmac.patch Patch43: openssl-0.9.8j-evp-nonfips.patch Patch44: openssl-0.9.8j-kernel-fipsmode.patch Patch45: openssl-0.9.8j-env-nozlib.patch @@ -408,6 +408,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Thu Mar 25 2009 Tomas Mraz 0.9.8k-1 +- update to new upstream release (minor bug fixes, security + fixes and machine code optimizations only) + * Thu Mar 19 2009 Tomas Mraz 0.9.8j-10 - move libraries to /usr/lib (#239375) diff --git a/sources b/sources index f0e2eb7..a5840e3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -573353d8cb4330b71e9985cea4785d61 openssl-0.9.8j-usa.tar.bz2 +de4f31dd6546e8e11b4ffd4332b3c162 openssl-0.9.8k-usa.tar.bz2