From 301c642c7f619370e1ff199216736e172e86f8c9 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Jan 15 2019 14:07:49 +0000 Subject: update to the 1.1.1a release --- diff --git a/.gitignore b/.gitignore index 8683d76..794e00b 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.1.1-pre8-hobbled.tar.xz /openssl-1.1.1-pre9-hobbled.tar.xz /openssl-1.1.1-hobbled.tar.xz +/openssl-1.1.1a-hobbled.tar.xz diff --git a/openssl-1.1.0-defaults.patch b/openssl-1.1.0-defaults.patch deleted file mode 100644 index 347749a..0000000 --- a/openssl-1.1.0-defaults.patch +++ /dev/null @@ -1,60 +0,0 @@ -diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf ---- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200 -+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200 -@@ -10,7 +10,7 @@ - # This definition stops the following lines choking if HOME isn't - # defined. - HOME = . --RANDFILE = $ENV::HOME/.rnd -+#RANDFILE = $ENV::HOME/.rnd - - # Extra OBJECT IDENTIFIER info: - #oid_file = $ENV::HOME/.oid -@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi - - default_days = 365 # how long to certify for - default_crl_days= 30 # how long before next CRL --default_md = default # use public key default MD -+default_md = sha256 # use SHA-256 by default - preserve = no # keep passed DN ordering - - # A few difference way of specifying how similar the request should look -@@ -104,6 +104,7 @@ emailAddress = optional - #################################################################### - [ req ] - default_bits = 2048 -+default_md = sha256 - default_keyfile = privkey.pem - distinguished_name = req_distinguished_name - attributes = req_attributes -@@ -126,17 +127,18 @@ string_mask = utf8only - - [ req_distinguished_name ] - countryName = Country Name (2 letter code) --countryName_default = AU -+countryName_default = XX - countryName_min = 2 - countryName_max = 2 - - stateOrProvinceName = State or Province Name (full name) --stateOrProvinceName_default = Some-State -+#stateOrProvinceName_default = Default Province - - localityName = Locality Name (eg, city) -+localityName_default = Default City - - 0.organizationName = Organization Name (eg, company) --0.organizationName_default = Internet Widgits Pty Ltd -+0.organizationName_default = Default Company Ltd - - # we can do this but it is not needed normally :-) - #1.organizationName = Second Organization Name (eg, company) -@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city - organizationalUnitName = Organizational Unit Name (eg, section) - #organizationalUnitName_default = - --commonName = Common Name (e.g. server FQDN or YOUR name) -+commonName = Common Name (eg, your name or your server\'s hostname) - commonName_max = 64 - - emailAddress = Email Address diff --git a/openssl-1.1.1-coverity.patch b/openssl-1.1.1-coverity.patch deleted file mode 100644 index ae78b9d..0000000 --- a/openssl-1.1.1-coverity.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.1.1/apps/speed.c.coverity openssl-1.1.1/apps/speed.c ---- openssl-1.1.1/apps/speed.c.coverity 2018-10-09 16:32:44.912051009 +0200 -+++ openssl-1.1.1/apps/speed.c 2018-10-09 16:29:55.518851544 +0200 -@@ -2852,7 +2852,7 @@ int speed_main(int argc, char **argv) - - if (rsa_count <= 1) { - /* if longer than 10s, don't do any more */ -- for (testnum++; testnum < EC_NUM; testnum++) -+ for (testnum++; testnum < ECDSA_NUM; testnum++) - ecdsa_doit[testnum] = 0; - } - } diff --git a/openssl-1.1.1-defaults.patch b/openssl-1.1.1-defaults.patch new file mode 100644 index 0000000..291ed88 --- /dev/null +++ b/openssl-1.1.1-defaults.patch @@ -0,0 +1,51 @@ +diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf +--- openssl-1.1.1a/apps/openssl.cnf.defaults 2018-11-20 14:35:37.000000000 +0100 ++++ openssl-1.1.1a/apps/openssl.cnf 2019-01-15 13:56:50.841719776 +0100 +@@ -74,7 +74,7 @@ cert_opt = ca_default # Certificate fi + + default_days = 365 # how long to certify for + default_crl_days= 30 # how long before next CRL +-default_md = default # use public key default MD ++default_md = sha256 # use SHA-256 by default + preserve = no # keep passed DN ordering + + # A few difference way of specifying how similar the request should look +@@ -106,6 +106,7 @@ emailAddress = optional + #################################################################### + [ req ] + default_bits = 2048 ++default_md = sha256 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +@@ -128,17 +129,18 @@ string_mask = utf8only + + [ req_distinguished_name ] + countryName = Country Name (2 letter code) +-countryName_default = AU ++countryName_default = XX + countryName_min = 2 + countryName_max = 2 + + stateOrProvinceName = State or Province Name (full name) +-stateOrProvinceName_default = Some-State ++#stateOrProvinceName_default = Default Province + + localityName = Locality Name (eg, city) ++localityName_default = Default City + + 0.organizationName = Organization Name (eg, company) +-0.organizationName_default = Internet Widgits Pty Ltd ++0.organizationName_default = Default Company Ltd + + # we can do this but it is not needed normally :-) + #1.organizationName = Second Organization Name (eg, company) +@@ -147,7 +149,7 @@ localityName = Locality Name (eg, city + organizationalUnitName = Organizational Unit Name (eg, section) + #organizationalUnitName_default = + +-commonName = Common Name (e.g. server FQDN or YOUR name) ++commonName = Common Name (eg, your name or your server\'s hostname) + commonName_max = 64 + + emailAddress = Email Address diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch index 3852859..6e714bc 100644 --- a/openssl-1.1.1-fips-post-rand.patch +++ b/openssl-1.1.1-fips-post-rand.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.1.1/crypto/fips/fips.c.fips-post-rand openssl-1.1.1/crypto/fips/fips.c ---- openssl-1.1.1/crypto/fips/fips.c.fips-post-rand 2018-10-12 17:40:50.631506976 +0200 -+++ openssl-1.1.1/crypto/fips/fips.c 2018-11-08 17:49:08.091064655 +0100 +diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/fips/fips.c +--- openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand 2019-01-15 14:14:07.813360637 +0100 ++++ openssl-1.1.1a/crypto/fips/fips.c 2019-01-15 14:14:07.838360173 +0100 @@ -68,6 +68,7 @@ # include @@ -51,9 +51,9 @@ diff -up openssl-1.1.1/crypto/fips/fips.c.fips-post-rand openssl-1.1.1/crypto/fi ret = 1; goto end; } -diff -up openssl-1.1.1/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1/crypto/include/internal/fips_int.h ---- openssl-1.1.1/crypto/include/internal/fips_int.h.fips-post-rand 2018-11-08 17:32:50.806526458 +0100 -+++ openssl-1.1.1/crypto/include/internal/fips_int.h 2018-11-08 17:32:20.533828167 +0100 +diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1a/crypto/include/internal/fips_int.h +--- openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand 2019-01-15 14:14:07.821360489 +0100 ++++ openssl-1.1.1a/crypto/include/internal/fips_int.h 2019-01-15 14:14:07.838360173 +0100 @@ -76,6 +76,8 @@ int FIPS_selftest_hmac(void); int FIPS_selftest_drbg(void); int FIPS_selftest_cmac(void); @@ -63,9 +63,9 @@ diff -up openssl-1.1.1/crypto/include/internal/fips_int.h.fips-post-rand openssl int fips_pkey_signature_test(EVP_PKEY *pkey, const unsigned char *tbs, int tbslen, const unsigned char *kat, -diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/crypto/rand/rand_unix.c ---- openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand 2018-09-11 14:48:21.000000000 +0200 -+++ openssl-1.1.1/crypto/rand/rand_unix.c 2018-11-09 14:03:48.504301170 +0100 +diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/crypto/rand/rand_unix.c +--- openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand 2018-11-20 14:35:38.000000000 +0100 ++++ openssl-1.1.1a/crypto/rand/rand_unix.c 2019-01-15 14:17:22.416748544 +0100 @@ -16,10 +16,12 @@ #include #include "rand_lcl.h" @@ -79,16 +79,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp #endif #if defined(__FreeBSD__) # include -@@ -86,7 +88,7 @@ static uint64_t get_timer_bits(void); - || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \ - || defined(OPENSSL_SYS_UEFI)) - --static ssize_t syscall_random(void *buf, size_t buflen); -+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock); - - # if defined(OPENSSL_SYS_VOS) - -@@ -248,7 +250,7 @@ static ssize_t sysctl_random(char *buf, +@@ -258,7 +260,7 @@ static ssize_t sysctl_random(char *buf, * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. */ @@ -97,7 +88,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp { /* * Note: 'buflen' equals the size of the buffer which is used by the -@@ -270,6 +272,7 @@ static ssize_t syscall_random(void *buf, +@@ -280,6 +282,7 @@ static ssize_t syscall_random(void *buf, * - Linux since 3.17 with glibc 2.25 * - FreeBSD since 12.0 (1200061) */ @@ -105,7 +96,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) extern int getentropy(void *buffer, size_t length) __attribute__((weak)); -@@ -291,10 +294,10 @@ static ssize_t syscall_random(void *buf, +@@ -301,10 +304,10 @@ static ssize_t syscall_random(void *buf, if (p_getentropy.p != NULL) return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; # endif @@ -118,19 +109,19 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) return sysctl_random(buf, buflen); # else -@@ -456,8 +459,10 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -454,8 +457,10 @@ size_t rand_pool_acquire_entropy(RAND_PO size_t bytes_needed; size_t entropy_available = 0; unsigned char *buffer; - - # ifdef OPENSSL_RAND_SEED_GETRANDOM + # if defined(OPENSSL_RAND_SEED_GETRANDOM) + int in_post; + + for (in_post = fips_in_post(); in_post >= 0; --in_post) { { ssize_t bytes; /* Maximum allowed number of consecutive unsuccessful attempts */ -@@ -466,7 +471,7 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -464,7 +469,7 @@ size_t rand_pool_acquire_entropy(RAND_PO bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); @@ -139,7 +130,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp if (bytes > 0) { rand_pool_add_end(pool, bytes, 8 * bytes); bytes_needed -= bytes; -@@ -498,8 +503,10 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -496,8 +501,10 @@ size_t rand_pool_acquire_entropy(RAND_PO int attempts = 3; const int fd = get_random_device(i); @@ -151,7 +142,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); -@@ -559,7 +566,9 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -557,7 +564,9 @@ size_t rand_pool_acquire_entropy(RAND_PO } } # endif diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 069cfde..d24242b 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -316,9 +316,9 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_err.c.fips openssl-1.1.1/crypto/dsa/dsa_er {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, -diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_gen.c ---- openssl-1.1.1/crypto/dsa/dsa_gen.c.fips 2018-09-11 14:48:21.000000000 +0200 -+++ openssl-1.1.1/crypto/dsa/dsa_gen.c 2018-09-13 08:51:22.102521110 +0200 +diff -up openssl-1.1.1a/crypto/dsa/dsa_gen.c.fips openssl-1.1.1a/crypto/dsa/dsa_gen.c +--- openssl-1.1.1a/crypto/dsa/dsa_gen.c.fips 2018-11-20 14:35:38.000000000 +0100 ++++ openssl-1.1.1a/crypto/dsa/dsa_gen.c 2019-01-15 14:05:46.719672088 +0100 @@ -22,12 +22,22 @@ #include #include @@ -367,9 +367,9 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge unsigned char *seed = NULL, *seed_tmp = NULL; unsigned char md[EVP_MAX_MD_SIZE]; int mdsize; -@@ -327,6 +343,20 @@ int dsa_builtin_paramgen2(DSA *ret, size - if (mctx == NULL) +@@ -333,6 +349,20 @@ int dsa_builtin_paramgen2(DSA *ret, size goto err; + } +# ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { @@ -388,7 +388,7 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge if (evpmd == NULL) { if (N == 160) evpmd = EVP_sha1(); -@@ -427,9 +457,10 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -433,9 +463,10 @@ int dsa_builtin_paramgen2(DSA *ret, size goto err; /* Provided seed didn't produce a prime: error */ if (seed_in) { @@ -402,7 +402,7 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge } /* do a callback call */ -@@ -515,11 +546,14 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -521,11 +552,14 @@ int dsa_builtin_paramgen2(DSA *ret, size if (counter >= (int)(4 * L)) break; } @@ -417,7 +417,7 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge } end: if (!BN_GENCB_call(cb, 2, 1)) -@@ -590,7 +624,7 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -596,7 +630,7 @@ int dsa_builtin_paramgen2(DSA *ret, size BN_free(ret->g); ret->g = BN_dup(g); if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { @@ -426,7 +426,7 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge goto err; } if (counter_ret != NULL) -@@ -608,3 +642,53 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -614,3 +648,53 @@ int dsa_builtin_paramgen2(DSA *ret, size EVP_MD_CTX_free(mctx); return ok; } diff --git a/openssl-1.1.1-no-brainpool.patch b/openssl-1.1.1-no-brainpool.patch new file mode 100644 index 0000000..bbda9ef --- /dev/null +++ b/openssl-1.1.1-no-brainpool.patch @@ -0,0 +1,124 @@ +diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in +--- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2018-11-20 14:35:42.000000000 +0100 ++++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in 2019-01-15 14:55:03.898065698 +0100 +@@ -141,22 +141,23 @@ our @tests = ( + { + name => "ECDSA with brainpool", + server => { +- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), +- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), +- "Groups" => "brainpoolP256r1", ++# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), ++# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), ++# "Groups" => "brainpoolP256r1", ++ "CipherString" => "aNULL", + }, + client => { + #We don't restrict this to TLSv1.2, although use of brainpool + #should force this anyway so that this should succeed + "CipherString" => "aECDSA", + "RequestCAFile" => test_pem("root-cert.pem"), +- "Groups" => "brainpoolP256r1", ++# "Groups" => "brainpoolP256r1", + }, + test => { +- "ExpectedServerCertType" =>, "brainpoolP256r1", +- "ExpectedServerSignType" =>, "EC", ++# "ExpectedServerCertType" =>, "brainpoolP256r1", ++# "ExpectedServerSignType" =>, "EC", + # Note: certificate_authorities not sent for TLS < 1.3 +- "ExpectedServerCANames" =>, "empty", ++# "ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, +@@ -787,18 +788,19 @@ my @tests_tls_1_3 = ( + { + name => "TLS 1.3 ECDSA with brainpool", + server => { +- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), +- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), +- "Groups" => "brainpoolP256r1", ++# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), ++# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), ++# "Groups" => "brainpoolP256r1", ++ "CipherString" => "aNULL", + }, + client => { + "RequestCAFile" => test_pem("root-cert.pem"), +- "Groups" => "brainpoolP256r1", ++# "Groups" => "brainpoolP256r1", + "MinProtocol" => "TLSv1.3", + "MaxProtocol" => "TLSv1.3" + }, + test => { +- "ExpectedResult" => "ServerFail" ++ "ExpectedResult" => "Success" + }, + }, + ); +diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf +--- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool 2018-11-20 14:35:42.000000000 +0100 ++++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf 2019-01-15 14:58:24.420416659 +0100 +@@ -233,23 +233,23 @@ server = 5-ECDSA with brainpool-server + client = 5-ECDSA with brainpool-client + + [5-ECDSA with brainpool-server] +-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem +-CipherString = DEFAULT +-Groups = brainpoolP256r1 +-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++CipherString = aNULL ++#Groups = brainpoolP256r1 ++#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem + + [5-ECDSA with brainpool-client] + CipherString = aECDSA +-Groups = brainpoolP256r1 ++#Groups = brainpoolP256r1 + RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + + [test-5] +-ExpectedResult = Success +-ExpectedServerCANames = empty +-ExpectedServerCertType = brainpoolP256r1 +-ExpectedServerSignType = EC ++ExpectedResult = ServerFail ++#ExpectedServerCANames = empty ++#ExpectedServerCertType = brainpoolP256r1 ++#ExpectedServerSignType = EC + + + # =========================================================== +@@ -1577,14 +1577,14 @@ server = 47-TLS 1.3 ECDSA with brainpool + client = 47-TLS 1.3 ECDSA with brainpool-client + + [47-TLS 1.3 ECDSA with brainpool-server] +-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem +-CipherString = DEFAULT +-Groups = brainpoolP256r1 +-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++CipherString = aNULL ++#Groups = brainpoolP256r1 ++#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem + + [47-TLS 1.3 ECDSA with brainpool-client] + CipherString = DEFAULT +-Groups = brainpoolP256r1 ++#Groups = brainpoolP256r1 + MaxProtocol = TLSv1.3 + MinProtocol = TLSv1.3 + RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +@@ -1592,7 +1592,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro + VerifyMode = Peer + + [test-47] +-ExpectedResult = ServerFail ++ExpectedResult = Success + + + # =========================================================== diff --git a/openssl-1.1.1-seclevel.patch b/openssl-1.1.1-seclevel.patch index 8b6a77a..fe6c6bb 100644 --- a/openssl-1.1.1-seclevel.patch +++ b/openssl-1.1.1-seclevel.patch @@ -39,17 +39,6 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl- diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c --- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200 +++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200 -@@ -951,8 +951,8 @@ static int ssl_security_default_callback - if (level >= 2 && c->algorithm_enc == SSL_RC4) - return 0; - /* Level 3: forward secure ciphersuites only */ -- if (level >= 3 && (c->min_tls != TLS1_3_VERSION || -- !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))) -+ if (level >= 3 && c->min_tls != TLS1_3_VERSION && -+ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) - return 0; - break; - } @@ -983,6 +983,9 @@ static int ssl_security_default_callback return 0; break; diff --git a/openssl-1.1.1-secure-getenv.patch b/openssl-1.1.1-secure-getenv.patch deleted file mode 100644 index c3d14a1..0000000 --- a/openssl-1.1.1-secure-getenv.patch +++ /dev/null @@ -1,173 +0,0 @@ -diff -up openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_api.c ---- openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200 -+++ openssl-1.1.1-pre8/crypto/conf/conf_api.c 2018-07-16 18:01:11.708359766 +0200 -@@ -9,6 +9,8 @@ - - /* Part of the code in here was originally in conf.c, which is now removed */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include "e_os.h" - #include - #include -@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf, - if (v != NULL) - return v->value; - if (strcmp(section, "ENV") == 0) { -- p = getenv(name); -+ p = secure_getenv(name); - if (p != NULL) - return p; - } -diff -up openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_mod.c ---- openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200 -+++ openssl-1.1.1-pre8/crypto/conf/conf_mod.c 2018-07-16 18:02:37.308383955 +0200 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include "internal/cryptlib.h" - #include - #include -@@ -481,7 +483,7 @@ char *CONF_get1_default_config_file(void - int len; - - if (!OPENSSL_issetugid()) { -- file = getenv("OPENSSL_CONF"); -+ file = secure_getenv("OPENSSL_CONF"); - if (file) - return OPENSSL_strdup(file); - } -diff -up openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv openssl-1.1.1-pre8/crypto/ct/ct_log.c ---- openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200 -+++ openssl-1.1.1-pre8/crypto/ct/ct_log.c 2018-07-16 18:01:11.708359766 +0200 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include - #include - -@@ -137,7 +139,7 @@ static int ctlog_new_from_conf(CTLOG **c - - int CTLOG_STORE_load_default_file(CTLOG_STORE *store) - { -- const char *fpath = getenv(CTLOG_FILE_EVP); -+ const char *fpath = secure_getenv(CTLOG_FILE_EVP); - - if (fpath == NULL) - fpath = CTLOG_FILE; -diff -up openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv openssl-1.1.1-pre8/crypto/engine/eng_list.c ---- openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200 -+++ openssl-1.1.1-pre8/crypto/engine/eng_list.c 2018-07-16 18:03:03.190996004 +0200 -@@ -8,6 +8,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include "eng_int.h" - - /* -@@ -318,7 +320,7 @@ ENGINE *ENGINE_by_id(const char *id) - */ - if (strcmp(id, "dynamic")) { - if (OPENSSL_issetugid() -- || (load_dir = getenv("OPENSSL_ENGINES")) == NULL) -+ || (load_dir = secure_getenv("OPENSSL_ENGINES")) == NULL) - load_dir = ENGINESDIR; - iterator = ENGINE_by_id("dynamic"); - if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || -diff -up openssl-1.1.1-pre8/crypto/mem.c.secure-getenv openssl-1.1.1-pre8/crypto/mem.c ---- openssl-1.1.1-pre8/crypto/mem.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200 -+++ openssl-1.1.1-pre8/crypto/mem.c 2018-07-16 18:01:11.709359790 +0200 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include "e_os.h" - #include "internal/cryptlib.h" - #include "internal/cryptlib_int.h" -@@ -180,11 +182,11 @@ static int shouldfail(void) - - void ossl_malloc_setup_failures(void) - { -- const char *cp = getenv("OPENSSL_MALLOC_FAILURES"); -+ const char *cp = secure_getenv("OPENSSL_MALLOC_FAILURES"); - - if (cp != NULL && (md_failstring = strdup(cp)) != NULL) - parseit(); -- if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL) -+ if ((cp = secure_getenv("OPENSSL_MALLOC_FD")) != NULL) - md_tracefd = atoi(cp); - } - #endif -diff -up openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv openssl-1.1.1-pre8/crypto/rand/randfile.c ---- openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200 -+++ openssl-1.1.1-pre8/crypto/rand/randfile.c 2018-07-16 18:01:11.709359790 +0200 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include "internal/cryptlib.h" - - #include -@@ -264,7 +266,7 @@ const char *RAND_file_name(char *buf, si - #else - if (OPENSSL_issetugid() != 0) { - use_randfile = 0; -- } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') { -+ } else if ((s = secure_getenv("RANDFILE")) == NULL || *s == '\0') { - use_randfile = 0; - s = getenv("HOME"); - } -diff -up openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_dir.c ---- openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200 -+++ openssl-1.1.1-pre8/crypto/x509/by_dir.c 2018-07-16 18:03:43.355945786 +0200 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include "e_os.h" - #include "internal/cryptlib.h" - #include -@@ -73,7 +75,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in - switch (cmd) { - case X509_L_ADD_DIR: - if (argl == X509_FILETYPE_DEFAULT) { -- const char *dir = getenv(X509_get_default_cert_dir_env()); -+ const char *dir = secure_getenv(X509_get_default_cert_dir_env()); - - if (dir) - ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); -diff -up openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_file.c ---- openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200 -+++ openssl-1.1.1-pre8/crypto/x509/by_file.c 2018-07-16 18:01:11.709359790 +0200 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include - #include - #include -@@ -46,7 +48,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx - switch (cmd) { - case X509_L_FILE_LOAD: - if (argl == X509_FILETYPE_DEFAULT) { -- file = getenv(X509_get_default_cert_file_env()); -+ file = secure_getenv(X509_get_default_cert_file_env()); - if (file) - ok = (X509_load_cert_crl_file(ctx, file, - X509_FILETYPE_PEM) != 0); diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch index 513f27e..229d48d 100644 --- a/openssl-1.1.1-version-override.patch +++ b/openssl-1.1.1-version-override.patch @@ -1,12 +1,12 @@ -diff -up openssl-1.1.1/include/openssl/opensslv.h.version-override openssl-1.1.1/include/openssl/opensslv.h ---- openssl-1.1.1/include/openssl/opensslv.h.version-override 2018-09-13 08:54:38.247940128 +0200 -+++ openssl-1.1.1/include/openssl/opensslv.h 2018-09-13 08:56:10.757779555 +0200 +diff -up openssl-1.1.1a/include/openssl/opensslv.h.version-override openssl-1.1.1a/include/openssl/opensslv.h +--- openssl-1.1.1a/include/openssl/opensslv.h.version-override 2019-01-15 14:09:04.591995174 +0100 ++++ openssl-1.1.1a/include/openssl/opensslv.h 2019-01-15 14:11:31.976256442 +0100 @@ -40,7 +40,7 @@ extern "C" { * major minor fix final patch/beta) */ - # define OPENSSL_VERSION_NUMBER 0x1010100fL --# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 11 Sep 2018" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 FIPS 11 Sep 2018" + # define OPENSSL_VERSION_NUMBER 0x1010101fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1a 20 Nov 2018" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1a FIPS 20 Nov 2018" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl.spec b/openssl.spec index c2f8699..3465038 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,8 +21,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.1.1 -Release: 7%{?dist} +Version: 1.1.1a +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -39,7 +39,7 @@ Source12: ec_curve.c Source13: ectest.c # Build changes Patch1: openssl-1.1.1-build.patch -Patch2: openssl-1.1.0-defaults.patch +Patch2: openssl-1.1.1-defaults.patch Patch3: openssl-1.1.0-no-html.patch Patch4: openssl-1.1.1-man-rename.patch # Bug fixes @@ -48,7 +48,7 @@ Patch21: openssl-1.1.0-issuer-hash.patch Patch31: openssl-1.1.1-conf-paths.patch Patch32: openssl-1.1.1-version-add-engines.patch Patch33: openssl-1.1.0-apps-dgst.patch -Patch36: openssl-1.1.1-secure-getenv.patch +Patch36: openssl-1.1.1-no-brainpool.patch Patch37: openssl-1.1.1-ec-curves.patch Patch38: openssl-1.1.0-no-weak-verify.patch Patch40: openssl-1.1.1-disable-ssl3.patch @@ -58,7 +58,6 @@ Patch43: openssl-1.1.1-ignore-bound.patch Patch44: openssl-1.1.1-version-override.patch Patch45: openssl-1.1.1-weak-ciphers.patch Patch46: openssl-1.1.1-seclevel.patch -Patch47: openssl-1.1.1-coverity.patch Patch48: openssl-1.1.1-fips-post-rand.patch # Backported fixes including security fixes @@ -153,7 +152,7 @@ cp %{SOURCE13} test/ %patch31 -p1 -b .conf-paths %patch32 -p1 -b .version-add-engines %patch33 -p1 -b .dgst -%patch36 -p1 -b .secure-getenv +%patch36 -p1 -b .no-brainpool %patch37 -p1 -b .curves %patch38 -p1 -b .no-weak-verify %patch40 -p1 -b .disable-ssl3 @@ -163,7 +162,6 @@ cp %{SOURCE13} test/ %patch44 -p1 -b .version-override %patch45 -p1 -b .weak-ciphers %patch46 -p1 -b .seclevel -%patch47 -p1 -b .coverity %patch48 -p1 -b .fips-post-rand @@ -453,6 +451,9 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog +* Tue Jan 15 2019 Tomáš Mráz 1.1.1a-1 +- update to the 1.1.1a release + * Fri Nov 9 2018 Tomáš Mráz 1.1.1-7 - use /dev/urandom for seeding the RNG in FIPS POST diff --git a/sources b/sources index 9e249a8..43aa399 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-1.1.1-hobbled.tar.xz) = a593ea9b4b11745e1a4fa8be91c0dbb5ee7c4c1089410ad6e6501212e838573bcf7e78e843444de3f9ba0beccc7db138deef243a22cafe480c040c696e80b0b3 +SHA512 (openssl-1.1.1a-hobbled.tar.xz) = 17d2703b2169f36b2ecd50d014103f31e22bbd42807b4688a3cd6140911e0aa9a2fa2bb1d4dda4eae000913a1551d85ac9c441a69c053a8ad10b593ec2a588b5