diff --git a/openssl-1.0.1k-secp256k1.patch b/openssl-1.0.1k-secp256k1.patch
new file mode 100644
index 0000000..4ad95ca
--- /dev/null
+++ b/openssl-1.0.1k-secp256k1.patch
@@ -0,0 +1,59 @@
+diff -up openssl-1.0.1k/crypto/ec/ec_curve.c.secp256k1 openssl-1.0.1k/crypto/ec/ec_curve.c
+--- openssl-1.0.1k/crypto/ec/ec_curve.c.secp256k1 2015-08-13 07:47:37.890966462 -0400
++++ openssl-1.0.1k/crypto/ec/ec_curve.c 2015-08-13 08:01:31.697866786 -0400
+@@ -82,6 +82,36 @@ typedef struct {
+ unsigned int cofactor; /* promoted to BN_ULONG */
+ } EC_CURVE_DATA;
+
++static const struct { EC_CURVE_DATA h; unsigned char data[0+32*6]; }
++ _EC_SECG_PRIME_256K1 = {
++ { NID_X9_62_prime_field,0,32,1 },
++ { /* no seed */
++ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
++ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
++ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,
++ 0xFC,0x2F,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x07,
++ 0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0, /* x */
++ 0x62,0x95,0xCE,0x87,0x0B,0x07,0x02,0x9B,0xFC,0xDB,
++ 0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8,
++ 0x17,0x98,
++ 0x48,0x3a,0xda,0x77,0x26,0xa3,0xc4,0x65,0x5d,0xa4, /* y */
++ 0xfb,0xfc,0x0e,0x11,0x08,0xa8,0xfd,0x17,0xb4,0x48,
++ 0xa6,0x85,0x54,0x19,0x9c,0x47,0xd0,0x8f,0xfb,0x10,
++ 0xd4,0xb8,
++ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
++ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,
++ 0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,0x8C,0xD0,0x36,
++ 0x41,0x41 }
++ };
++
+ static const struct { EC_CURVE_DATA h; unsigned char data[20+48*6]; }
+ _EC_NIST_PRIME_384 = {
+ { NID_X9_62_prime_field,20,48,1 },
+@@ -212,6 +242,7 @@ typedef struct _ec_list_element_st {
+ static const ec_list_element curve_list[] = {
+ /* prime field curves */
+ /* secg curves */
++ { NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field" },
+ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+ { NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
+ #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+diff -up openssl-1.0.1k/ssl/t1_lib.c.secp256k1 openssl-1.0.1k/ssl/t1_lib.c
+--- openssl-1.0.1k/ssl/t1_lib.c.secp256k1 2015-08-13 08:03:17.401589785 -0400
++++ openssl-1.0.1k/ssl/t1_lib.c 2015-08-13 08:05:44.283292971 -0400
+@@ -218,6 +218,7 @@ static int pref_list[] =
+ NID_sect283k1, /* sect283k1 (9) */
+ NID_sect283r1, /* sect283r1 (10) */
+ #endif
++ NID_secp256k1, /* secp256k1 (22) */
+ NID_X9_62_prime256v1, /* secp256r1 (23) */
+ #ifndef OPENSSL_NO_EC2M
+ NID_sect239k1, /* sect239k1 (8) */
diff --git a/openssl.spec b/openssl.spec
index a441667..6b234ba 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1k
-Release: 11%{?dist}
+Release: 12%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -83,6 +83,7 @@ Patch77: openssl-1.0.1e-weak-ciphers.patch
 Patch90: openssl-1.0.1e-enc-fail.patch
 Patch92: openssl-1.0.1h-system-cipherlist.patch
 Patch93: openssl-1.0.1h-disable-sslv2v3.patch
+Patch94: openssl-1.0.1k-secp256k1.patch
 # Backported fixes including security fixes
 Patch80: openssl-1.0.1j-evp-wrap.patch
 Patch81: openssl-1.0.1k-padlock64.patch
@@ -218,6 +219,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch90 -p1 -b .enc-fail
 %patch92 -p1 -b .system
 %patch93 -p1 -b .v2v3
+%patch94 -p1 -b .secp256k1
 %patch80 -p1 -b .wrap
 %patch81 -p1 -b .padlock64
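Review bot: In the nested `ssl/t1_lib.c` hunk, `NID_secp256k1` is inserted into `pref_list` ahead of `NID_X9_62_prime256v1`, so wherever that list drives TLS curve preference secp256k1 would rank above P-256, which is more than the changelog's "enable secp256k1" needs. If the goal is only to expose the curve through the EC API, the `ec_curve.c` hunks are enough; if TLS use is intended, consider keeping P-256 first, i.e. `NID_X9_62_prime256v1, /* secp256r1 (23) */` followed by `NID_secp256k1, /* secp256k1 (22) */`, or add a comment such as `/* position mirrors the upstream pref_list */` if that is the reason for the placement. The constants in `_EC_SECG_PRIME_256K1` read as the SEC 2 secp256k1 parameters, but a build-time check that loads the group by `NID_secp256k1` and calls `EC_GROUP_check()` would catch a transcription slip in the 192-byte table. `pref_list` and `curve_list` both begin and end outside the hunks, so how the list is consumed, and whether the curve-id tables elsewhere in `t1_lib.c` cover id 22, cannot be confirmed from here.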
@@ -504,6 +506,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 %changelog
+* Thu Aug 13 2015 Tom Callaway 1.0.1k-12
+- enable secp256k1 (bz1021898)
+
 * Thu Jul 9 2015 Tomáš Mráz 1.0.1k-11
 - fix CVE-2015-1793 - certificate verification forgery