+++ /dev/null
-UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
-SERIAL=0
-
-.PHONY: usage
-.SUFFIXES: .key .csr .crt .pem
-.PRECIOUS: %.key %.csr %.crt %.pem
-
-usage:
- @echo "This makefile allows you to create:"
- @echo " o public/private key pairs"
- @echo " o SSL certificate signing requests (CSRs)"
- @echo " o self-signed SSL test certificates"
- @echo
- @echo "To create a key pair, run \"make SOMETHING.key\"."
- @echo "To create a CSR, run \"make SOMETHING.csr\"."
- @echo "To create a test certificate, run \"make SOMETHING.crt\"."
- @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
- @echo
- @echo "To create a key for use with Apache, run \"make genkey\"."
- @echo "To create a CSR for use with Apache, run \"make certreq\"."
- @echo "To create a test certificate for use with Apache, run \"make testcert\"."
- @echo
- @echo "To create a test certificate with serial number other than zero, add SERIAL=num"
- @echo
- @echo Examples:
- @echo " make server.key"
- @echo " make server.csr"
- @echo " make server.crt"
- @echo " make stunnel.pem"
- @echo " make genkey"
- @echo " make certreq"
- @echo " make testcert"
- @echo " make server.crt SERIAL=1"
- @echo " make stunnel.pem SERIAL=2"
- @echo " make testcert SERIAL=3"
-
-%.pem:
- umask 77 ; \
- PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
- cat $$PEM1 > $@ ; \
- echo "" >> $@ ; \
- cat $$PEM2 >> $@ ; \
- $(RM) $$PEM1 $$PEM2
-
-%.key:
- umask 77 ; \
- /usr/bin/openssl genrsa -des3 1024 > $@
-
-%.csr: %.key
- umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $^ -out $@
-
-%.crt: %.key
- umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
-
-TLSROOT=/etc/pki/tls
-KEY=$(TLSROOT)/private/localhost.key
-CSR=$(TLSROOT)/certs/localhost.csr
-CRT=$(TLSROOT)/certs/localhost.crt
-
-genkey: $(KEY)
-certreq: $(CSR)
-testcert: $(CRT)
-
-$(CSR): $(KEY)
- umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
-
-$(CRT): $(KEY)
- umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
+++ /dev/null
-#!/bin/sh
-
-# Quit out if anything fails.
-set -e
-
-# Clean out patent-or-otherwise-encumbered code.
-# MDC-2: 4,908,861 13/03/2007
-# IDEA: 5,214,703 25/05/2010
-# RC5: 5,724,428 03/03/2015
-# EC: ????????? ??/??/2015
-
-# Remove assembler portions of IDEA, MDC2, and RC5.
-(find crypto/{idea,mdc2,rc5}/asm -type f | xargs -r rm -fv)
-
-# IDEA, MDC2, RC5, EC.
-for a in idea mdc2 rc5 ec ecdh ecdsa; do
- for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
- echo Destroying $c
- > $c
- done
-done
-
-for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_mdc2.c" -o -name "*_ecdsa.c"`; do
- echo Destroying $c
- > $c
-done
-
-for h in `find crypto ssl apps test -name "*.h"` ; do
- echo Removing IDEA, MDC2, RC5, and EC references from $h
- cat $h | \
- awk 'BEGIN {ech=1;} \
- /^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \
- /^#[ \t]*ifndef.*NO_MDC2/ {ech--; next;} \
- /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
- /^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
- /^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
- /^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \
- /^#[ \t]*if/ {if(ech < 1) ech--;} \
- {if(ech>0) {;print $0};} \
- /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
- mv $h.hobbled $h
-done
-
-# Make the makefiles happy.
-touch crypto/rc5/asm/rc5-586.pl
+++ /dev/null
-#!/bin/sh
-umask 077
-
-answers() {
- echo --
- echo SomeState
- echo SomeCity
- echo SomeOrganization
- echo SomeOrganizationalUnit
- echo localhost.localdomain
- echo root@localhost.localdomain
-}
-
-if [ $# -eq 0 ] ; then
- echo $"Usage: `basename $0` filename [...]"
- exit 0
-fi
-
-for target in $@ ; do
- PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
- PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
- trap "rm -f $PEM1 $PEM2" SIGINT
- answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
- cat $PEM1 > ${target}
- echo "" >> ${target}
- cat $PEM2 >> ${target}
- rm -f $PEM1 $PEM2
-done
+++ /dev/null
-Fix global variable macros.
-
- - RWMJ 2008-09-30
-
-diff -ur openssl-0.9.8g.orig/e_os2.h openssl-0.9.8g.mingw/e_os2.h
---- openssl-0.9.8g.orig/e_os2.h 2005-12-18 18:57:07.000000000 +0000
-+++ openssl-0.9.8g.mingw/e_os2.h 2008-09-30 14:27:53.000000000 +0100
-@@ -264,7 +264,7 @@
- # define OPENSSL_IMPLEMENT_GLOBAL(type,name) \
- extern type _hide_##name; \
- type *_shadow_##name(void) { return &_hide_##name; } \
-- static type _hide_##name
-+ type _hide_##name
- # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void)
- # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name()))
- #else
+++ /dev/null
---- openssl-0.9.8g.orig/engines/Makefile 2006-02-04 01:49:34.000000000 +0000
-+++ openssl-0.9.8g.mingw/engines/Makefile 2008-09-30 20:05:30.000000000 +0100
-@@ -91,7 +91,10 @@
- set -e; \
- for l in $(LIBNAMES); do \
- ( echo installing $$l; \
-- if [ "$(PLATFORM)" != "Cygwin" ]; then \
-+ if [ "$(PLATFORM)" = "mingw" ]; then \
-+ sfx=dll; \
-+ cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
-+ elif [ "$(PLATFORM)" != "Cygwin" ]; then \
- case "$(CFLAGS)" in \
- *DSO_DLFCN*) sfx="so";; \
- *DSO_DL*) sfx="sl";; \
+++ /dev/null
-The 'mingw' target to Configure has some problems with cross-compilation.
-
- - RWMJ 2008-09-30
-
-diff -ur openssl-0.9.8g.orig/Configure openssl-0.9.8g.mingw/Configure
---- openssl-0.9.8g.orig/Configure 2008-09-30 14:16:16.000000000 +0100
-+++ openssl-0.9.8g.mingw/Configure 2008-09-30 14:59:34.000000000 +0100
-@@ -468,7 +468,7 @@
- "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32",
-
- # MinGW
--"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a",
-+"mingw", "MINGW32_CC:-DL_ENDIAN -Wall MINGW32_CFLAGS -D_WIN32_WINNT=0x333 -DMK1MF_BUILD:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-shared:.dll.a:MINGW32_RANLIB",
-
- # UWIN
- "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
+++ /dev/null
---- ./crypto/seed/seed_ecb.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200
-+++ ./crypto/seed/seed_ecb.c 2009-02-02 18:28:55.000000000 +0100
-@@ -49,7 +49,7 @@
- *
- */
-
--#include <openssl/seed.h>
-+#include "seed.h"
-
- void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, const SEED_KEY_SCHEDULE *ks, int enc)
- {
---- ./crypto/seed/seed_locl.h.mingw-header-files 2009-02-02 18:28:48.000000000 +0100
-+++ ./crypto/seed/seed_locl.h 2009-02-02 18:28:55.000000000 +0100
-@@ -27,7 +27,7 @@
- #define HEADER_SEED_LOCL_H
-
- #include "openssl/e_os2.h"
--#include <openssl/seed.h>
-+#include "seed.h"
-
-
- #ifdef SEED_LONG /* need 32-bit type */
---- ./crypto/seed/seed.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200
-+++ ./crypto/seed/seed.c 2009-02-02 18:28:55.000000000 +0100
-@@ -32,7 +32,7 @@
- #include <memory.h>
- #endif
-
--#include <openssl/seed.h>
-+#include "seed.h"
- #include "seed_locl.h"
-
- static seed_word SS[4][256] = { {
---- ./crypto/camellia/cmll_cbc.c.mingw-header-files 2006-12-02 13:00:27.000000000 +0100
-+++ ./crypto/camellia/cmll_cbc.c 2009-02-02 18:28:54.000000000 +0100
-@@ -58,7 +58,7 @@
- #include <stdio.h>
- #include <string.h>
-
--#include <openssl/camellia.h>
-+#include "camellia.h"
- #include "cmll_locl.h"
-
- void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out,
---- ./crypto/camellia/cmll_cfb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200
-+++ ./crypto/camellia/cmll_cfb.c 2009-02-02 18:28:54.000000000 +0100
-@@ -113,7 +113,7 @@
- #include <assert.h>
- #include <string.h>
-
--#include <openssl/camellia.h>
-+#include "camellia.h"
- #include "cmll_locl.h"
- #include "e_os.h"
-
---- ./crypto/camellia/cmll_ofb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200
-+++ ./crypto/camellia/cmll_ofb.c 2009-02-02 18:28:55.000000000 +0100
-@@ -111,7 +111,7 @@
- # endif
- #endif
- #include <assert.h>
--#include <openssl/camellia.h>
-+#include "camellia.h"
- #include "cmll_locl.h"
-
- /* The input and output encrypted as though 128bit ofb mode is being
---- ./crypto/camellia/cmll_misc.c.mingw-header-files 2009-02-02 18:29:19.000000000 +0100
-+++ ./crypto/camellia/cmll_misc.c 2009-02-02 18:29:32.000000000 +0100
-@@ -50,7 +50,7 @@
- */
-
- #include <openssl/opensslv.h>
--#include <openssl/camellia.h>
-+#include "camellia.h"
- #include "cmll_locl.h"
- #include <openssl/crypto.h>
- #ifdef OPENSSL_FIPS
---- ./crypto/camellia/cmll_ecb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200
-+++ ./crypto/camellia/cmll_ecb.c 2009-02-02 18:28:54.000000000 +0100
-@@ -56,7 +56,7 @@
- #endif
- #include <assert.h>
-
--#include <openssl/camellia.h>
-+#include "camellia.h"
- #include "cmll_locl.h"
-
- void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out,
---- ./crypto/camellia/cmll_ctr.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200
-+++ ./crypto/camellia/cmll_ctr.c 2009-02-02 18:28:54.000000000 +0100
-@@ -56,7 +56,7 @@
- #endif
- #include <assert.h>
-
--#include <openssl/camellia.h>
-+#include "camellia.h"
- #include "cmll_locl.h"
-
- /* NOTE: the IV/counter CTR mode is big-endian. The rest of the Camellia code
---- ./crypto/evp/e_seed.c.mingw-header-files 2007-07-04 14:56:32.000000000 +0200
-+++ ./crypto/evp/e_seed.c 2009-02-02 18:28:55.000000000 +0100
-@@ -59,7 +59,7 @@
- #include <string.h>
- #include <assert.h>
- #ifndef OPENSSL_NO_SEED
--#include <openssl/seed.h>
-+#include "../seed/seed.h"
- #include "evp_locl.h"
-
- static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc);
---- ./crypto/evp/e_camellia.c.mingw-header-files 2008-09-21 12:24:08.000000000 +0200
-+++ ./crypto/evp/e_camellia.c 2009-02-02 18:28:55.000000000 +0100
-@@ -59,7 +59,7 @@
- #include <openssl/err.h>
- #include <string.h>
- #include <assert.h>
--#include <openssl/camellia.h>
-+#include "../camellia/camellia.h"
- #include "evp_locl.h"
-
- static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
---- ./apps/speed.c.mingw-header-files 2009-01-07 11:48:22.000000000 +0100
-+++ ./apps/speed.c 2009-02-02 18:28:54.000000000 +0100
-@@ -165,7 +165,7 @@
- #include <openssl/aes.h>
- #endif
- #ifndef OPENSSL_NO_CAMELLIA
--#include <openssl/camellia.h>
-+#include "../crypto/camellia/camellia.h"
- #endif
- #ifndef OPENSSL_NO_MD2
- #include <openssl/md2.h>
-@@ -202,7 +202,7 @@
- #include <openssl/idea.h>
- #endif
- #ifndef OPENSSL_NO_SEED
--#include <openssl/seed.h>
-+#include "../crypto/seed/seed.h"
- #endif
- #ifndef OPENSSL_NO_BF
- #include <openssl/blowfish.h>
+++ /dev/null
---- ./Makefile.shared.lfarkas 2009-01-28 16:39:05.000000000 +0100
-+++ ./Makefile.shared 2009-01-28 16:41:51.000000000 +0100
-@@ -238,7 +238,7 @@
- SHLIB=cyg$(LIBNAME); \
- base=-Wl,--enable-auto-image-base; \
- if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-- SHLIB=$(LIBNAME)eay32; base=; \
-+ SHLIB=lib$(LIBNAME); base=; \
- fi; \
- SHLIB_SUFFIX=.dll; \
- LIBVERSION="$(LIBVERSION)"; \
-@@ -253,7 +253,7 @@
- SHLIB=cyg$(LIBNAME); \
- base=-Wl,--enable-auto-image-base; \
- if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-- SHLIB=$(LIBNAME)eay32; \
-+ SHLIB=lib$(LIBNAME); \
- base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
- fi; \
- SHLIB_SUFFIX=.dll; \
+++ /dev/null
-%define __strip %{_mingw32_strip}
-%define __objdump %{_mingw32_objdump}
-%define _use_internal_dependency_generator 0
-%define __find_requires %{_mingw32_findrequires}
-%define __find_provides %{_mingw32_findprovides}
-
-# For the curious:
-# 0.9.5a soversion = 0
-# 0.9.6 soversion = 1
-# 0.9.6a soversion = 2
-# 0.9.6c soversion = 3
-# 0.9.7a soversion = 4
-# 0.9.7ef soversion = 5
-# 0.9.8ab soversion = 6
-# 0.9.8g soversion = 7
-# 0.9.8j + EAP-FAST soversion = 8
-%define soversion 8
-
-# Enable the tests.
-# These only work some of the time, but fail randomly at other times
-# (although I have had them complete a few times, so I don't think
-# there is any actual problem with the binaries).
-%define run_tests 0
-
-# Number of threads to spawn when testing some threading fixes.
-%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
-
-Name: mingw32-openssl
-Version: 0.9.8j
-Release: 2%{?dist}
-Summary: MinGW port of the OpenSSL toolkit
-
-License: OpenSSL
-Group: Development/Libraries
-URL: http://www.openssl.org/
-
-# Use the hobble-openssl script to create the source file.
-Source0: openssl-%{version}-usa.tar.bz2
-
-Source1: hobble-openssl
-Source2: Makefile.certificate
-Source6: make-dummy-cert
-Source8: openssl-thread-test.c
-Source9: opensslconf-new.h
-Source10: opensslconf-new-warning.h
-
-# Patches from Fedora native package.
-# Build changes
-Patch0: openssl-0.9.8j-redhat.patch
-Patch1: openssl-0.9.8a-defaults.patch
-Patch2: openssl-0.9.8a-link-krb5.patch
-Patch3: openssl-0.9.8j-soversion.patch
-Patch4: openssl-0.9.8j-enginesdir.patch
-Patch5: openssl-0.9.8a-no-rpath.patch
-Patch6: openssl-0.9.8b-test-use-localhost.patch
-Patch7: openssl-0.9.8j-shlib-version.patch
-# Bug fixes
-Patch21: openssl-0.9.8b-aliasing-bug.patch
-Patch22: openssl-0.9.8b-x509-name-cmp.patch
-Patch23: openssl-0.9.8g-default-paths.patch
-Patch24: openssl-0.9.8g-no-extssl.patch
-# Functionality changes
-Patch32: openssl-0.9.8g-ia64.patch
-Patch33: openssl-0.9.8j-ca-dir.patch
-Patch34: openssl-0.9.6-x509.patch
-Patch35: openssl-0.9.8j-version-add-engines.patch
-Patch38: openssl-0.9.8a-reuse-cipher-change.patch
-# Disabled this because it uses getaddrinfo which is lacking on Windows.
-#Patch39: openssl-0.9.8g-ipv6-apps.patch
-Patch40: openssl-0.9.8j-nocanister.patch
-Patch41: openssl-0.9.8j-use-fipscheck.patch
-Patch42: openssl-0.9.8j-fipscheck-hmac.patch
-Patch43: openssl-0.9.8j-evp-nonfips.patch
-Patch44: openssl-0.9.8j-kernel-fipsmode.patch
-Patch45: openssl-0.9.8j-env-nozlib.patch
-Patch46: openssl-0.9.8j-eap-fast.patch
-Patch47: openssl-0.9.8j-readme-warning.patch
-Patch48: openssl-0.9.8j-bad-mime.patch
-Patch49: openssl-0.9.8j-fips-no-pairwise.patch
-# Backported fixes including security fixes
-
-# MinGW-specific patches.
-Patch100: mingw32-openssl-0.9.8j-header-files.patch
-Patch101: mingw32-openssl-0.9.8j-configure.patch
-Patch102: mingw32-openssl-0.9.8j-shared.patch
-Patch103: mingw32-openssl-0.9.8g-global.patch
-Patch104: mingw32-openssl-0.9.8g-sfx.patch
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-
-BuildArch: noarch
-
-BuildRequires: mingw32-filesystem >= 40
-BuildRequires: mingw32-gcc
-BuildRequires: mingw32-binutils
-
-BuildRequires: mingw32-zlib
-BuildRequires: mingw32-pthreads
-
-BuildRequires: mktemp
-#BuildRequires: krb5-devel
-BuildRequires: perl
-BuildRequires: sed
-BuildRequires: /usr/bin/cmp
-BuildRequires: /usr/bin/rename
-
-# XXX Not really sure about this one. The build script uses
-# /usr/bin/makedepend which comes from imake.
-BuildRequires: imake
-
-%if %{run_tests}
-# Required both to build, and to run the tests.
-# XXX This needs to be fixed - cross-compilation should not
-# require running executables.
-BuildRequires: wine
-
-# Required to run the tests.
-BuildRequires: xorg-x11-server-Xvfb
-%endif
-
-#Requires: ca-certificates >= 2008-5
-Requires: pkgconfig
-
-
-%description
-The OpenSSL toolkit provides support for secure communications between
-machines. OpenSSL includes a certificate management tool and shared
-libraries which provide various cryptographic algorithms and
-protocols.
-
-This package contains Windows (MinGW) libraries and development tools.
-
-
-%prep
-%setup -q -n openssl-%{version}
-
-%{SOURCE1} > /dev/null
-%patch0 -p1 -b .redhat
-%patch1 -p1 -b .defaults
-# Fix link line for libssl (bug #111154).
-%patch2 -p1 -b .krb5
-%patch3 -p1 -b .soversion
-%patch4 -p1 -b .enginesdir
-%patch5 -p1 -b .no-rpath
-%patch6 -p1 -b .use-localhost
-%patch7 -p1 -b .shlib-version
-
-%patch21 -p1 -b .aliasing-bug
-%patch22 -p1 -b .name-cmp
-%patch23 -p1 -b .default-paths
-%patch24 -p1 -b .no-extssl
-
-%patch32 -p1 -b .ia64
-#patch33 is applied after make test
-%patch34 -p1 -b .x509
-%patch35 -p1 -b .version-add-engines
-%patch38 -p1 -b .cipher-change
-#%patch39 -p1 -b .ipv6-apps
-%patch40 -p1 -b .nocanister
-%patch41 -p1 -b .use-fipscheck
-%patch42 -p1 -b .fipscheck-hmac
-%patch43 -p1 -b .evp-nonfips
-%patch44 -p1 -b .fipsmode
-%patch45 -p1 -b .env-nozlib
-%patch46 -p1 -b .eap-fast
-%patch47 -p1 -b .warning
-%patch48 -p1 -b .bad-mime
-%patch49 -p1 -b .no-pairwise
-
-%patch100 -p1 -b .mingw-header-files
-%patch101 -p1 -b .mingw-configure
-%patch102 -p1 -b .mingw-shared
-%patch103 -p1 -b .mingw-global
-%patch104 -p1 -b .mingw-sfx
-
-# Modify the various perl scripts to reference perl in the right location.
-perl util/perlpath.pl `dirname %{__perl}`
-
-# Generate a table with the compile settings for my perusal.
-touch Makefile
-make TABLE PERL=%{__perl}
-
-%build
-# NB: 'no-hw' is vital. MinGW cannot build the hardware drivers
-# and if you don't have this you'll get an obscure link error.
-%{_mingw32_env}; \
-sed -i -e "s/MINGW32_CC/%{_mingw32_cc}/" -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" -e "s/MINGW32_RANLIB/%{_mingw32_ranlib}/" Configure; \
-./Configure \
- --prefix=%{_mingw32_prefix} \
- --openssldir=%{_mingw32_sysconfdir}/pki/tls \
- zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
- no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-hw shared \
- --enginesdir=%{_mingw32_libdir}/openssl/engines \
- mingw
-# --with-krb5-flavor=MIT
-# -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib}
-%{_mingw32_make} depend
-%{_mingw32_make} all build-shared
-
-# Generate hashes for the included certs.
-%{_mingw32_make} rehash build-shared
-
-%if %{run_tests}
-#----------------------------------------------------------------------
-# Run some tests. I don't know why this isn't in a %-check section
-# but this is how it is in the native RPM.
-
-# This is a bit of a hack, but the test scripts look for 'openssl'
-# by name.
-pushd apps
-ln -s openssl.exe openssl
-popd
-
-# This is useful for diagnosing Wine problems.
-WINEDEBUG=+loaddll
-export WINEDEBUG
-
-# Make sure we can find the installed DLLs.
-WINEDLLPATH=%{_mingw32_bindir}
-export WINEDLLPATH
-
-# The tests run Wine and require an X server (but don't really use
-# it). Therefore we create a virtual framebuffer for the duration of
-# the tests.
-# XXX There is no good way to choose a random, unused display.
-# XXX Setting depth to 24 bits avoids bug 458219.
-unset DISPLAY
-display=:21
-Xvfb $display -screen 0 1024x768x24 -ac -noreset & xpid=$!
-trap "kill -TERM $xpid ||:" EXIT
-sleep 3
-DISPLAY=$display
-export DISPLAY
-
-%{_mingw32_make} LDCMD=%{_mingw32_cc} -C test apps tests
-
-# Disable this thread test, because we don't have pthread on Windows.
-%{_mingw32_cc} -o openssl-thread-test \
- -I./include \
- %-{_mingw32_cflags} \
- %-{SOURCE8} \
- -L. \
- -lssl -lcrypto \
- -lpthread -lz -ldl
-
-## `krb5-config --cflags`
-## `krb5-config --libs`
-#
-./openssl-thread-test --threads %{thread_test_threads}
-
-#----------------------------------------------------------------------
-%endif
-
-# Patch33 must be patched after tests otherwise they will fail
-patch -p1 -b -z .ca-dir < %{PATCH33}
-
-# Add generation of HMAC checksum of the final stripped library
-#%define __spec_install_post \
-# %{?__debug_package:%{__debug_install_post}} \
-# %{__arch_install_post} \
-# %{__os_install_post} \
-# fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
-# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
-#%{nil}
-
-if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then
- iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \
- mv -f CHANGES.utf8 CHANGES
-fi
-
-
-%install
-rm -rf $RPM_BUILD_ROOT
-mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}
-mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}/openssl
-mkdir -p $RPM_BUILD_ROOT%{_mingw32_bindir}
-mkdir -p $RPM_BUILD_ROOT%{_mingw32_includedir}
-mkdir -p $RPM_BUILD_ROOT%{_mingw32_mandir}
-make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared
-
-# Install the actual DLLs.
-install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir}
-install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir}
-
-# Remove static libraries but DON'T remove *.dll.a files.
-rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.a
-rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.a
-
-# I have no idea why it installs the manpages in /etc, but
-# we remove them anyway.
-rm -r $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/man
-
-# Set permissions on lib*.dll.a so that strip works.
-chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.dll.a
-chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.dll.a
-
-# Install a makefile for generating keys and self-signed certs, and a script
-# for generating them on the fly.
-mkdir -p $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs
-install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/Makefile
-install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert
-
-# Pick a CA script.
-pushd $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/misc
-mv CA.sh CA
-popd
-
-mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA
-mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA/private
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-
-%files
-%defattr(-,root,root)
-%doc LICENSE
-%{_mingw32_bindir}/openssl.exe
-%{_mingw32_bindir}/c_rehash
-%{_mingw32_bindir}/libcrypto-%{soversion}.dll
-%{_mingw32_bindir}/libssl-%{soversion}.dll
-#{_mingw32_bindir}/.libcrypto*.hmac
-%{_mingw32_libdir}/libcrypto.dll.a
-%{_mingw32_libdir}/libssl.dll.a
-%{_mingw32_libdir}/engines
-%{_mingw32_libdir}/pkgconfig/*.pc
-%{_mingw32_includedir}/openssl
-%config(noreplace) %{_mingw32_sysconfdir}/pki
-
-
-%changelog
-* Mon Feb 2 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-2
-- Various build fixes.
-
-* Wed Jan 28 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-1
-- update to new upstream version.
-
-* Mon Dec 29 2008 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8g-2
-- minor cleanup.
-
-* Tue Sep 30 2008 Richard W.M. Jones <rjones@redhat.com> - 0.9.8g-1
-- Initial RPM release.
+++ /dev/null
-Do not treat duplicate certs as an error.
-
---- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000
-+++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000
-@@ -163,8 +163,12 @@
- }
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
-- if (!i) goto err;
-- count++;
-+ /* ignore any problems with current certificate
-+ and continue with the next one */
-+ if (i)
-+ count++;
-+ else
-+ ERR_clear_error();
- X509_free(x);
- x=NULL;
- }
-@@ -179,7 +183,8 @@
- goto err;
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
-- if (!i) goto err;
-+ if (!i)
-+ ERR_clear_error();
- ret=i;
- }
- else
+++ /dev/null
---- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200
-+++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100
-@@ -99,6 +99,7 @@
- ####################################################################
- [ req ]
- default_bits = 1024
-+default_md = sha1
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
-@@ -116,23 +117,26 @@
- # MASK:XXXX a literal mask value.
- # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
- # so use this option with caution!
--string_mask = nombstr
-+# we use PrintableString+UTF8String mask so if pure ASCII texts are used
-+# the resulting certificates are compatible with Netscape
-+string_mask = MASK:0x2002
-
- # req_extensions = v3_req # The extensions to add to a certificate request
-
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
--countryName_default = AU
-+countryName_default = GB
- countryName_min = 2
- countryName_max = 2
-
- stateOrProvinceName = State or Province Name (full name)
--stateOrProvinceName_default = Some-State
-+stateOrProvinceName_default = Berkshire
-
- localityName = Locality Name (eg, city)
-+localityName_default = Newbury
-
- 0.organizationName = Organization Name (eg, company)
--0.organizationName_default = Internet Widgits Pty Ltd
-+0.organizationName_default = My Company Ltd
-
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
-@@ -141,7 +145,7 @@
- organizationalUnitName = Organizational Unit Name (eg, section)
- #organizationalUnitName_default =
-
--commonName = Common Name (eg, YOUR name)
-+commonName = Common Name (eg, your name or your server\'s hostname)
- commonName_max = 64
-
- emailAddress = Email Address
+++ /dev/null
---- openssl-0.9.8a/Makefile.org.link-krb5 2005-07-05 07:14:21.000000000 +0200
-+++ openssl-0.9.8a/Makefile.org 2005-11-07 18:00:08.000000000 +0100
-@@ -266,7 +266,7 @@
-
- do_$(SHLIB_TARGET):
- @ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-- if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
- libs="$(LIBKRB5) $$libs"; \
- fi; \
- $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+++ /dev/null
---- openssl-0.9.8a/Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200
-+++ openssl-0.9.8a/Makefile.shared 2005-11-16 22:35:37.000000000 +0100
-@@ -153,7 +153,7 @@
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
--DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
- #This is rather special. It's a special target with which one can link
- #applications without bothering with any features that have anything to
+++ /dev/null
---- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100
-+++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100
-@@ -477,7 +477,7 @@
-
- #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
- #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
--#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
-+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
- #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
- #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
- #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
-@@ -494,7 +494,7 @@
-
- /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
- * This used to be 0x000FFFFFL before 0.9.7. */
--#define SSL_OP_ALL 0x00000FFFL
-+#define SSL_OP_ALL 0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */
-
- /* DTLS options */
- #define SSL_OP_NO_QUERY_MTU 0x00001000L
+++ /dev/null
-
-This patch fixes a violation of the C aliasing rules that can cause
-miscompilation with some compiler versions.
-
---- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100
-+++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100
-@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co
- static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
- {
- void *ptr;
-- DSO_FUNC_TYPE sym, *tsym = &sym;
-+ DSO_FUNC_TYPE sym;
-
- if((dso == NULL) || (symname == NULL))
- {
-@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO
- DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
- return(NULL);
- }
-- *(void **)(tsym) = dlsym(ptr, symname);
-+ sym = dlsym(ptr, symname);
- if(sym == NULL)
- {
- DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
+++ /dev/null
-diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c
---- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100
-+++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200
-@@ -839,19 +839,8 @@ bad:
- #ifndef OPENSSL_NO_KRB5
- if (c_ssl && c_ssl->kssl_ctx)
- {
-- char localhost[MAXHOSTNAMELEN+2];
--
-- if (gethostname(localhost, sizeof localhost-1) == 0)
-- {
-- localhost[sizeof localhost-1]='\0';
-- if(strlen(localhost) == sizeof localhost-1)
-- {
-- BIO_printf(bio_err,"localhost name too long\n");
-- goto end;
-- }
- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
-- localhost);
-- }
-+ "localhost");
- }
- #endif /* OPENSSL_NO_KRB5 */
-
+++ /dev/null
---- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp 2004-12-01 02:45:30.000000000 +0100
-+++ openssl-0.9.8b/crypto/x509/x509_cmp.c 2006-11-30 23:37:26.000000000 +0100
-@@ -282,14 +282,7 @@
- nb=sk_X509_NAME_ENTRY_value(b->entries,i);
- j=na->value->type-nb->value->type;
- if (j)
-- {
-- nabit = ASN1_tag2bit(na->value->type);
-- nbbit = ASN1_tag2bit(nb->value->type);
-- if (!(nabit & STR_TYPE_CMP) ||
-- !(nbbit & STR_TYPE_CMP))
-- return j;
-- j = asn1_string_memcmp(na->value, nb->value);
-- }
-+ return j;
- else if (na->value->type == V_ASN1_PRINTABLESTRING)
- j=nocase_spacenorm_cmp(na->value, nb->value);
- else if (na->value->type == V_ASN1_IA5STRING
+++ /dev/null
-diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c
---- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100
-+++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100
-@@ -1077,12 +1077,13 @@ bad:
- }
- #endif
-
-- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx)))
-+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx))
- {
-- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
-- /* goto end; */
- }
- store = SSL_CTX_get_cert_store(ctx);
- X509_STORE_set_flags(store, vflags);
-@@ -1132,8 +1133,11 @@ bad:
-
- SSL_CTX_sess_set_cache_size(ctx2,128);
-
-- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx2)))
-+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx2))
- {
- ERR_print_errors(bio_err);
- }
-diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c
---- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100
-+++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100
-@@ -673,12 +673,13 @@ bad:
- if (!set_cert_key_stuff(ctx,cert,key))
- goto end;
-
-- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx)))
-+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx))
- {
-- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
- ERR_print_errors(bio_err);
-- /* goto end; */
- }
-
- store = SSL_CTX_get_cert_store(ctx);
-diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c
---- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100
-+++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100
-@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv)
-
- SSL_load_error_strings();
-
-- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
-+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
- {
-- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
- ERR_print_errors(bio_err);
-- /* goto end; */
- }
-
- if (tm_cipher == NULL)
+++ /dev/null
-diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h
---- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 2008-08-10 22:23:55.000000000 +0200
-+++ openssl-0.9.8g/crypto/bn/bn_lcl.h 2008-08-10 22:23:55.000000000 +0200
-@@ -279,6 +279,15 @@ extern "C" {
- # define BN_UMULT_HIGH(a,b) __umulh((a),(b))
- # define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
- # endif
-+# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
-+# if defined(__GNUC__)
-+# define BN_UMULT_HIGH(a,b) ({ \
-+ register BN_ULONG ret; \
-+ asm ("xmpy.hu %0 = %1, %2" \
-+ : "=f"(ret) \
-+ : "f"(a), "f"(b)); \
-+ ret; })
-+# endif /* compiler */
- # endif /* cpu */
- #endif /* OPENSSL_NO_ASM */
-
+++ /dev/null
-diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c
---- openssl-0.9.8g/apps/s_socket.c.ipv6-apps 2005-06-13 05:21:00.000000000 +0200
-+++ openssl-0.9.8g/apps/s_socket.c 2007-12-03 13:28:42.000000000 +0100
-@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha
- static void ssl_sock_cleanup(void);
- #endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port,char *ip, int type);
-+static int init_server(int *sock, char *port, int type);
- static int do_accept(int acc_sock, int *sock, char **host);
- static int host_ip(char *str, unsigned char ip[4]);
-
-@@ -228,60 +226,69 @@ static int ssl_sock_init(void)
- return(1);
- }
-
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, char *port, int type)
- {
-- unsigned char ip[4];
-- short p=0;
--
-- if (!host_ip(host,&(ip[0])))
-- {
-- return(0);
-- }
-- if (p != 0) port=p;
-- return(init_client_ip(sock,ip,port,type));
-- }
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
-- {
-- unsigned long addr;
-- struct sockaddr_in them;
-- int s,i;
-+ struct addrinfo *res, *res0, hints;
-+ char * failed_call = NULL;
-+ int s;
-+ int e;
-
- if (!ssl_sock_init()) return(0);
-
-- memset((char *)&them,0,sizeof(them));
-- them.sin_family=AF_INET;
-- them.sin_port=htons((unsigned short)port);
-- addr=(unsigned long)
-- ((unsigned long)ip[0]<<24L)|
-- ((unsigned long)ip[1]<<16L)|
-- ((unsigned long)ip[2]<< 8L)|
-- ((unsigned long)ip[3]);
-- them.sin_addr.s_addr=htonl(addr);
--
-- if (type == SOCK_STREAM)
-- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-- else /* ( type == SOCK_DGRAM) */
-- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
--
-- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_ADDRCONFIG;
-+
-+ e = getaddrinfo(host, port, &hints, &res);
-+ if (e)
-+ {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ }
-
-+ res0 = res;
-+ while (res)
-+ {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET)
-+ {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
- #ifndef OPENSSL_SYS_MPE
- if (type == SOCK_STREAM)
- {
-- i=0;
-- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-- if (i < 0) { perror("keepalive"); return(0); }
-+ int i=0;
-+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
-+ (char *)&i,sizeof(i));
-+ if (i < 0) {
-+ failed_call = "keepalive";
-+ goto nextres;
-+ }
- }
- #endif
--
-- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
-- { close(s); perror("connect"); return(0); }
-+ if (connect(s,(struct sockaddr *)res->ai_addr,
-+ res->ai_addrlen) == 0)
-+ {
-+ freeaddrinfo(res0);
- *sock=s;
- return(1);
- }
-+ failed_call = "socket";
-+nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
-+ }
-+ freeaddrinfo(res0);
-
--int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
-+ perror(failed_call);
-+ return(0);
-+ }
-+
-+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
- {
- int sock;
- char *name = NULL;
-@@ -319,33 +326,38 @@ int do_server(int port, int type, int *r
- }
- }
-
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server(int *sock, char *port, int type)
- {
-- int ret=0;
-- struct sockaddr_in server;
-- int s= -1,i;
-+ struct addrinfo *res, *res0, hints;
-+ char * failed_call = NULL;
-+ char port_name[8];
-+ int s;
-+ int e;
-
- if (!ssl_sock_init()) return(0);
-
-- memset((char *)&server,0,sizeof(server));
-- server.sin_family=AF_INET;
-- server.sin_port=htons((unsigned short)port);
-- if (ip == NULL)
-- server.sin_addr.s_addr=INADDR_ANY;
-- else
--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
--#ifndef BIT_FIELD_LIMITS
-- memcpy(&server.sin_addr.s_addr,ip,4);
--#else
-- memcpy(&server.sin_addr,ip,4);
--#endif
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
-
-- if (type == SOCK_STREAM)
-- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-- else /* type == SOCK_DGRAM */
-- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
-+ e = getaddrinfo(NULL, port, &hints, &res);
-+ if (e)
-+ {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ }
-
-- if (s == INVALID_SOCKET) goto err;
-+ res0 = res;
-+ while (res)
-+ {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET)
-+ {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
- #if defined SOL_SOCKET && defined SO_REUSEADDR
- {
- int j = 1;
-@@ -353,36 +365,39 @@ static int init_server_long(int *sock, i
- (void *) &j, sizeof j);
- }
- #endif
-- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
-+
-+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
- {
--#ifndef OPENSSL_SYS_WINDOWS
-- perror("bind");
--#endif
-- goto err;
-+ failed_call = "bind";
-+ goto nextres;
- }
-- /* Make it 128 for linux */
-- if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
-- i=0;
-- *sock=s;
-- ret=1;
--err:
-- if ((ret == 0) && (s != -1))
-+ if (type==SOCK_STREAM && listen(s,128) == -1)
- {
-- SHUTDOWN(s);
-+ failed_call = "listen";
-+ goto nextres;
- }
-- return(ret);
-+
-+ *sock=s;
-+ return(1);
-+
-+nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
- }
-+ freeaddrinfo(res0);
-
--static int init_server(int *sock, int port, int type)
-- {
-- return(init_server_long(sock, port, NULL, type));
-+ if (s == INVALID_SOCKET) { perror("socket"); return(0); }
-+
-+ perror(failed_call);
-+ return(0);
- }
-
- static int do_accept(int acc_sock, int *sock, char **host)
- {
-- int ret,i;
-- struct hostent *h1,*h2;
-- static struct sockaddr_in from;
-+ static struct sockaddr_storage from;
-+ char buffer[NI_MAXHOST];
-+ int ret;
- int len;
- /* struct linger ling; */
-
-@@ -427,137 +442,62 @@ redoit:
- if (i < 0) { perror("keepalive"); return(0); }
- */
-
-- if (host == NULL) goto end;
--#ifndef BIT_FIELD_LIMITS
-- /* I should use WSAAsyncGetHostByName() under windows */
-- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
-- sizeof(from.sin_addr.s_addr),AF_INET);
--#else
-- h1=gethostbyaddr((char *)&from.sin_addr,
-- sizeof(struct in_addr),AF_INET);
--#endif
-- if (h1 == NULL)
-- {
-- BIO_printf(bio_err,"bad gethostbyaddr\n");
-- *host=NULL;
-- /* return(0); */
-- }
-- else
-+ if (host == NULL)
- {
-- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
-- {
-- perror("OPENSSL_malloc");
-+ *sock=ret;
- return(0);
- }
-- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
-
-- h2=GetHostByName(*host);
-- if (h2 == NULL)
-+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
-+ buffer, sizeof(buffer),
-+ NULL, 0, 0))
- {
-- BIO_printf(bio_err,"gethostbyname failure\n");
-+ BIO_printf(bio_err,"getnameinfo failed\n");
-+ *host=NULL;
- return(0);
- }
-- i=0;
-- if (h2->h_addrtype != AF_INET)
-+ else
- {
-- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
-+ {
-+ perror("OPENSSL_malloc");
- return(0);
- }
-- }
--end:
-+ strcpy(*host, buffer);
- *sock=ret;
- return(1);
- }
-+ }
-
--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-- short *port_ptr)
-+int extract_host_port(char *str, char **host_ptr,
-+ char **port_ptr)
- {
-- char *h,*p;
-+ char *h,*p,*x;
-
-- h=str;
-- p=strchr(str,':');
-+ x=h=str;
-+ if (*h == '[')
-+ {
-+ h++;
-+ p=strchr(h,']');
- if (p == NULL)
- {
-- BIO_printf(bio_err,"no port defined\n");
-+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
- return(0);
- }
- *(p++)='\0';
--
-- if ((ip != NULL) && !host_ip(str,ip))
-- goto err;
-- if (host_ptr != NULL) *host_ptr=h;
--
-- if (!extract_port(p,port_ptr))
-- goto err;
-- return(1);
--err:
-- return(0);
-+ x = p;
- }
--
--static int host_ip(char *str, unsigned char ip[4])
-- {
-- unsigned int in[4];
-- int i;
--
-- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
-- {
-- for (i=0; i<4; i++)
-- if (in[i] > 255)
-- {
-- BIO_printf(bio_err,"invalid IP address\n");
-- goto err;
-- }
-- ip[0]=in[0];
-- ip[1]=in[1];
-- ip[2]=in[2];
-- ip[3]=in[3];
-- }
-- else
-- { /* do a gethostbyname */
-- struct hostent *he;
--
-- if (!ssl_sock_init()) return(0);
--
-- he=GetHostByName(str);
-- if (he == NULL)
-- {
-- BIO_printf(bio_err,"gethostbyname failure\n");
-- goto err;
-- }
-- /* cast to short because of win16 winsock definition */
-- if ((short)he->h_addrtype != AF_INET)
-+ p=strchr(x,':');
-+ if (p == NULL)
- {
-- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-- return(0);
-- }
-- ip[0]=he->h_addr_list[0][0];
-- ip[1]=he->h_addr_list[0][1];
-- ip[2]=he->h_addr_list[0][2];
-- ip[3]=he->h_addr_list[0][3];
-- }
-- return(1);
--err:
-+ BIO_printf(bio_err,"no port defined\n");
- return(0);
- }
-+ *(p++)='\0';
-
--int extract_port(char *str, short *port_ptr)
-- {
-- int i;
-- struct servent *s;
-+ if (host_ptr != NULL) *host_ptr=h;
-+ if (port_ptr != NULL) *port_ptr=p;
-
-- i=atoi(str);
-- if (i != 0)
-- *port_ptr=(unsigned short)i;
-- else
-- {
-- s=getservbyname(str,"tcp");
-- if (s == NULL)
-- {
-- BIO_printf(bio_err,"getservbyname failure for %s\n",str);
-- return(0);
-- }
-- *port_ptr=ntohs((unsigned short)s->s_port);
-- }
- return(1);
- }
-
-diff -up openssl-0.9.8g/apps/s_server.c.ipv6-apps openssl-0.9.8g/apps/s_server.c
---- openssl-0.9.8g/apps/s_server.c.ipv6-apps 2007-08-23 14:16:02.000000000 +0200
-+++ openssl-0.9.8g/apps/s_server.c 2007-12-03 13:31:14.000000000 +0100
-@@ -592,7 +592,7 @@ int MAIN(int argc, char *argv[])
- {
- X509_STORE *store = NULL;
- int vflags = 0;
-- short port=PORT;
-+ char *port_str = PORT_STR;
- char *CApath=NULL,*CAfile=NULL;
- unsigned char *context = NULL;
- char *dhfile = NULL;
-@@ -662,8 +662,7 @@ int MAIN(int argc, char *argv[])
- (strcmp(*argv,"-accept") == 0))
- {
- if (--argc < 1) goto bad;
-- if (!extract_port(*(++argv),&port))
-- goto bad;
-+ port_str= *(++argv);
- }
- else if (strcmp(*argv,"-verify") == 0)
- {
-@@ -1332,9 +1331,9 @@ bad:
- }
- BIO_printf(bio_s_out,"ACCEPT\n");
- if (www)
-- do_server(port,socket_type,&accept_socket,www_body, context);
-+ do_server(port_str,socket_type,&accept_socket,www_body, context);
- else
-- do_server(port,socket_type,&accept_socket,sv_body, context);
-+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
- print_stats(bio_s_out,ctx);
- ret=0;
- end:
-diff -up openssl-0.9.8g/apps/s_client.c.ipv6-apps openssl-0.9.8g/apps/s_client.c
---- openssl-0.9.8g/apps/s_client.c.ipv6-apps 2007-08-23 14:20:56.000000000 +0200
-+++ openssl-0.9.8g/apps/s_client.c 2007-12-03 13:28:42.000000000 +0100
-@@ -285,7 +285,7 @@ int MAIN(int argc, char **argv)
- int cbuf_len,cbuf_off;
- int sbuf_len,sbuf_off;
- fd_set readfds,writefds;
-- short port=PORT;
-+ char *port_str = PORT_STR;
- int full_log=1;
- char *host=SSL_HOST_NAME;
- char *cert_file=NULL,*key_file=NULL;
-@@ -377,13 +377,12 @@ int MAIN(int argc, char **argv)
- else if (strcmp(*argv,"-port") == 0)
- {
- if (--argc < 1) goto bad;
-- port=atoi(*(++argv));
-- if (port == 0) goto bad;
-+ port_str= *(++argv);
- }
- else if (strcmp(*argv,"-connect") == 0)
- {
- if (--argc < 1) goto bad;
-- if (!extract_host_port(*(++argv),&host,NULL,&port))
-+ if (!extract_host_port(*(++argv),&host,&port_str))
- goto bad;
- }
- else if (strcmp(*argv,"-verify") == 0)
-@@ -739,7 +738,7 @@ bad:
-
- re_start:
-
-- if (init_client(&s,host,port,sock_type) == 0)
-+ if (init_client(&s,host,port_str,sock_type) == 0)
- {
- BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
- SHUTDOWN(s);
-diff -up openssl-0.9.8g/apps/s_apps.h.ipv6-apps openssl-0.9.8g/apps/s_apps.h
---- openssl-0.9.8g/apps/s_apps.h.ipv6-apps 2007-12-03 13:28:42.000000000 +0100
-+++ openssl-0.9.8g/apps/s_apps.h 2007-12-03 13:28:42.000000000 +0100
-@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
- #define PORT_STR "4433"
- #define PROTOCOL "tcp"
-
--int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
-+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
- #ifdef HEADER_X509_H
- int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
- #endif
-@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, char *port, int type);
- int should_retry(int i);
--int extract_port(char *str, short *port_ptr);
--int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
-+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
-
- long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
- int argi, long argl, long ret);
+++ /dev/null
-diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
---- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200
-+++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200
-@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
- int extdatalen=0;
- unsigned char *ret = p;
-
-+ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
-+ {
-+ return ret;
-+ }
-+
- ret+=2;
-
- if (ret>=limit) return NULL; /* this really never occurs, but ... */
-@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex
- int extdatalen=0;
- unsigned char *ret = p;
-
-+ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION)
-+ {
-+ return ret;
-+ }
-+
- ret+=2;
- if (ret>=limit) return NULL; /* this really never occurs, but ... */
-
+++ /dev/null
-diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
---- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime 2008-08-05 17:56:11.000000000 +0200
-+++ openssl-0.9.8j/crypto/asn1/asn_mime.c 2009-01-14 22:08:34.000000000 +0100
-@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
- static int mime_hdr_cmp(const MIME_HEADER * const *a,
- const MIME_HEADER * const *b)
- {
-+ if ((*a)->name == NULL || (*b)->name == NULL)
-+ return (*a)->name - (*b)->name < 0 ? -1 :
-+ (*a)->name - (*b)->name > 0 ? 1 : 0;
-+
- return(strcmp((*a)->name, (*b)->name));
- }
-
+++ /dev/null
-diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
---- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100
-+++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100
-@@ -34,7 +34,7 @@ default_ca = CA_default # The default c
- ####################################################################
- [ CA_default ]
-
--dir = ./demoCA # Where everything is kept
-+dir = ../../CA # Where everything is kept
- certs = $dir/certs # Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt # database index file.
-diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
---- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200
-+++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100
-@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
- VERIFY="$OPENSSL verify"
- X509="$OPENSSL x509"
-
--CATOP=./demoCA
-+CATOP=../../CA
- CAKEY=./cakey.pem
- CAREQ=./careq.pem
- CACERT=./cacert.pem
-diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
---- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200
-+++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100
-@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
- $X509="$openssl x509";
- $PKCS12="$openssl pkcs12";
-
--$CATOP="./demoCA";
-+$CATOP="../../CA";
- $CAKEY="cakey.pem";
- $CAREQ="careq.pem";
- $CACERT="cacert.pem";
+++ /dev/null
-diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c
---- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100
-+++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100
-@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
-
- void tls1_free(SSL *s)
- {
-+#ifndef OPENSSL_NO_TLSEXT
-+ if (s && s->tlsext_session_ticket)
-+ {
-+ OPENSSL_free(s->tlsext_session_ticket);
-+ }
-+#endif /* OPENSSL_NO_TLSEXT */
- ssl3_free(s);
- }
-
-@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex
- int ticklen;
- if (s->session && s->session->tlsext_tick)
- ticklen = s->session->tlsext_ticklen;
-+ else if (s->session && s->tlsext_session_ticket &&
-+ s->tlsext_session_ticket->data)
-+ {
-+ ticklen = s->tlsext_session_ticket->length;
-+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
-+ if (!s->session->tlsext_tick)
-+ return NULL;
-+ memcpy(s->session->tlsext_tick,
-+ s->tlsext_session_ticket->data,
-+ ticklen);
-+ s->session->tlsext_ticklen = ticklen;
-+ }
- else
- ticklen = 0;
-+ if (ticklen == 0 && s->tlsext_session_ticket &&
-+ s->tlsext_session_ticket->data == NULL)
-+ goto skip_ext;
- /* Check for enough room 2 for extension type, 2 for len
- * rest for ticket
- */
-@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex
- ret += ticklen;
- }
- }
-+ skip_ext:
-
- if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
- {
-@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- }
-
- }
-+ else if (type == TLSEXT_TYPE_session_ticket)
-+ {
-+ if (s->tls_session_ticket_ext_cb &&
-+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
-+ {
-+ *al = TLS1_AD_INTERNAL_ERROR;
-+ return 0;
-+ }
-+ }
- else if (type == TLSEXT_TYPE_status_request
- && s->ctx->tlsext_status_cb)
- {
-@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
- }
- else if (type == TLSEXT_TYPE_session_ticket)
- {
-+ if (s->tls_session_ticket_ext_cb &&
-+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
-+ {
-+ *al = TLS1_AD_INTERNAL_ERROR;
-+ return 0;
-+ }
- if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
- || (size > 0))
- {
-@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned
- s->tlsext_ticket_expected = 1;
- return 0; /* Cache miss */
- }
-+ if (s->tls_session_secret_cb)
-+ {
-+ /* Indicate cache miss here and instead of
-+ * generating the session from ticket now,
-+ * trigger abbreviated handshake based on
-+ * external mechanism to calculate the master
-+ * secret later. */
-+ return 0;
-+ }
- return tls_decrypt_ticket(s, p, size, session_id, len,
- ret);
- }
-diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c
---- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
-+++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100
-@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s)
- goto f_err;
- }
-
-+#ifndef OPENSSL_NO_TLSEXT
-+ /* check if we want to resume the session based on external pre-shared secret */
-+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
-+ {
-+ SSL_CIPHER *pref_cipher=NULL;
-+ s->session->master_key_length=sizeof(s->session->master_key);
-+ if (s->tls_session_secret_cb(s, s->session->master_key,
-+ &s->session->master_key_length,
-+ NULL, &pref_cipher,
-+ s->tls_session_secret_cb_arg))
-+ {
-+ s->session->cipher = pref_cipher ?
-+ pref_cipher : ssl_get_cipher_by_char(s, p+j);
-+ }
-+ }
-+#endif /* OPENSSL_NO_TLSEXT */
-+
- if (j != 0 && j == s->session->session_id_length
- && memcmp(p,s->session->session_id,j) == 0)
- {
-@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s)
- {
- int ok;
- long n;
-- /* If we have no ticket or session ID is non-zero length (a match of
-- * a non-zero session length would never reach here) it cannot be a
-- * resumed session.
-- */
-- if (!s->session->tlsext_tick || s->session->session_id_length)
-+ /* If we have no ticket it cannot be a resumed session. */
-+ if (!s->session->tlsext_tick)
- return 1;
- /* this function is called when we really expect a Certificate
- * message, so permit appropriate message length */
-diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c
---- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200
-+++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100
-@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX *
- return(s->session_timeout);
- }
-
-+#ifndef OPENSSL_NO_TLSEXT
-+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
-+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
-+ {
-+ if (s == NULL) return(0);
-+ s->tls_session_secret_cb = tls_session_secret_cb;
-+ s->tls_session_secret_cb_arg = arg;
-+ return(1);
-+ }
-+
-+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
-+ void *arg)
-+ {
-+ if (s == NULL) return(0);
-+ s->tls_session_ticket_ext_cb = cb;
-+ s->tls_session_ticket_ext_cb_arg = arg;
-+ return(1);
-+ }
-+
-+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
-+ {
-+ if (s->version >= TLS1_VERSION)
-+ {
-+ if (s->tlsext_session_ticket)
-+ {
-+ OPENSSL_free(s->tlsext_session_ticket);
-+ s->tlsext_session_ticket = NULL;
-+ }
-+
-+ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
-+ if (!s->tlsext_session_ticket)
-+ {
-+ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
-+ return 0;
-+ }
-+
-+ if (ext_data)
-+ {
-+ s->tlsext_session_ticket->length = ext_len;
-+ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
-+ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
-+ }
-+ else
-+ {
-+ s->tlsext_session_ticket->length = 0;
-+ s->tlsext_session_ticket->data = NULL;
-+ }
-+
-+ return 1;
-+ }
-+
-+ return 0;
-+ }
-+#endif /* OPENSSL_NO_TLSEXT */
-+
- typedef struct timeout_param_st
- {
- SSL_CTX *ctx;
-diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
---- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
-+++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100
-@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s)
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
- goto err;
- }
-+
-+ /* Check if we want to use external pre-shared secret for this
-+ * handshake for not reused session only. We need to generate
-+ * server_random before calling tls_session_secret_cb in order to allow
-+ * SessionTicket processing to use it in key derivation. */
-+ {
-+ unsigned long Time;
-+ unsigned char *pos;
-+ Time=(unsigned long)time(NULL); /* Time */
-+ pos=s->s3->server_random;
-+ l2n(Time,pos);
-+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
-+ {
-+ al=SSL_AD_INTERNAL_ERROR;
-+ goto f_err;
-+ }
-+ }
-+
-+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
-+ {
-+ SSL_CIPHER *pref_cipher=NULL;
-+
-+ s->session->master_key_length=sizeof(s->session->master_key);
-+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
-+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
-+ {
-+ s->hit=1;
-+ s->session->ciphers=ciphers;
-+ s->session->verify_result=X509_V_OK;
-+
-+ ciphers=NULL;
-+
-+ /* check if some cipher was preferred by call back */
-+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
-+ if (pref_cipher == NULL)
-+ {
-+ al=SSL_AD_HANDSHAKE_FAILURE;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
-+ goto f_err;
-+ }
-+
-+ s->session->cipher=pref_cipher;
-+
-+ if (s->cipher_list)
-+ sk_SSL_CIPHER_free(s->cipher_list);
-+
-+ if (s->cipher_list_by_id)
-+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
-+
-+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
-+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
-+ }
-+ }
- #endif
- /* Worst case, we will use the NULL compression, but if we have other
- * options, we will now look for them. We have i-1 compression
-@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s)
- unsigned char *buf;
- unsigned char *p,*d;
- int i,sl;
-- unsigned long l,Time;
-+ unsigned long l;
-+#ifdef OPENSSL_NO_TLSEXT
-+ unsigned long Time;
-+#endif
-
- if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
- {
- buf=(unsigned char *)s->init_buf->data;
-+#ifdef OPENSSL_NO_TLSEXT
- p=s->s3->server_random;
-+ /* Generate server_random if it was not needed previously */
- Time=(unsigned long)time(NULL); /* Time */
- l2n(Time,p);
- if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
- return -1;
-+#endif
- /* Do the message type and length last */
- d=p= &(buf[4]);
-
-diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h
---- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
-+++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100
-@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
- #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
- #endif
-
-+/* TLS Session Ticket extension struct */
-+struct tls_session_ticket_ext_st
-+ {
-+ unsigned short length;
-+ void *data;
-+ };
-+
- #ifdef __cplusplus
- }
- #endif
-diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c
---- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200
-+++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100
-@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
- {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
- {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
- {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
-+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
- {0,NULL}
- };
-
-diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h
---- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
-+++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100
-@@ -344,6 +344,7 @@ extern "C" {
- * 'struct ssl_st *' function parameters used to prototype callbacks
- * in SSL_CTX. */
- typedef struct ssl_st *ssl_crock_st;
-+typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
-
- /* used to hold info on the particular ciphers used */
- typedef struct ssl_cipher_st
-@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st
-
- DECLARE_STACK_OF(SSL_CIPHER)
-
-+typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
-+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
-+
- /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
- typedef struct ssl_method_st
- {
-@@ -1034,6 +1038,18 @@ struct ssl_st
-
- /* RFC4507 session ticket expected to be received or sent */
- int tlsext_ticket_expected;
-+
-+ /* TLS Session Ticket extension override */
-+ TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
-+
-+ /* TLS Session Ticket extension callback */
-+ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
-+ void *tls_session_ticket_ext_cb_arg;
-+
-+ /* TLS pre-shared secret session resumption */
-+ tls_session_secret_cb_fn tls_session_secret_cb;
-+ void *tls_session_secret_cb_arg;
-+
- SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
- #define session_ctx initial_ctx
- #else
-@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v
- int SSL_COMP_add_compression_method(int id,void *cm);
- #endif
-
-+/* TLS extensions functions */
-+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
-+
-+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
-+ void *arg);
-+
-+/* Pre-shared secret session resumption functions */
-+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
-+
- /* BEGIN ERROR CODES */
- /* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
-@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_F_TLS1_ENC 210
- #define SSL_F_TLS1_SETUP_KEY_BLOCK 211
- #define SSL_F_WRITE_PENDING 212
-+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
-
- /* Reason codes. */
- #define SSL_R_APP_DATA_IN_HANDSHAKE 100
+++ /dev/null
-diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure
---- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100
-+++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100
-@@ -577,6 +577,7 @@ my $idx_arflags = $idx++;
-
- my $prefix="";
- my $openssldir="";
-+my $enginesdir="";
- my $exe_ext="";
- my $install_prefix="";
- my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
-@@ -815,6 +816,10 @@ PROCESS_ARGS:
- {
- $openssldir=$1;
- }
-+ elsif (/^--enginesdir=(.*)$/)
-+ {
-+ $enginesdir=$1;
-+ }
- elsif (/^--install.prefix=(.*)$/)
- {
- $install_prefix=$1;
-@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/;
-
- $openssldir=$prefix . "/ssl" if $openssldir eq "";
- $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
--
-+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
-
- print "IsMK1MF=$IsMK1MF\n";
-
-@@ -1635,7 +1640,7 @@ while (<IN>)
- if (/^#define\s+OPENSSLDIR/)
- { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
- elsif (/^#define\s+ENGINESDIR/)
-- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
-+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; }
- elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
- { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
- if $export_var_as_fn;
+++ /dev/null
-Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set.
-diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c
---- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib 2009-01-05 15:43:07.000000000 +0100
-+++ openssl-0.9.8j/ssl/ssl_ciph.c 2009-01-14 17:47:46.000000000 +0100
-@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo
-
- MemCheck_off();
- ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-- if (ssl_comp_methods != NULL)
-+ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
- {
- comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
- if (comp != NULL)
+++ /dev/null
-diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c
---- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200
-+++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100
-@@ -64,6 +64,11 @@
-
- void OpenSSL_add_all_digests(void)
- {
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init();
-+ if (!FIPS_mode())
-+ {
-+#endif
- #ifndef OPENSSL_NO_MD2
- EVP_add_digest(EVP_md2());
- #endif
-@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
- EVP_add_digest(EVP_sha384());
- EVP_add_digest(EVP_sha512());
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#ifndef OPENSSL_NO_SHA
-+ EVP_add_digest(EVP_sha1());
-+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-+#ifndef OPENSSL_NO_DSA
-+ EVP_add_digest(EVP_dss1());
-+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-+#endif
-+#ifndef OPENSSL_NO_ECDSA
-+ EVP_add_digest(EVP_ecdsa());
-+#endif
-+#endif
-+#ifndef OPENSSL_NO_SHA256
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+#endif
-+ }
-+#endif
- }
-diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c
---- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200
-+++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100
-@@ -65,6 +65,11 @@
- void OpenSSL_add_all_ciphers(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init();
-+ if(!FIPS_mode())
-+ {
-+#endif
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cfb());
- EVP_add_cipher(EVP_des_cfb1());
-@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
- EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede_cfb());
-+ EVP_add_cipher(EVP_des_ede3_cfb());
-+
-+ EVP_add_cipher(EVP_des_ede_ofb());
-+ EVP_add_cipher(EVP_des_ede3_ofb());
-+
-+ EVP_add_cipher(EVP_des_ede_cbc());
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
-+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
-+
-+ EVP_add_cipher(EVP_des_ede());
-+ EVP_add_cipher(EVP_des_ede3());
-+#endif
-+
-+#ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_ecb());
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_128_cfb());
-+ EVP_add_cipher(EVP_aes_128_cfb1());
-+ EVP_add_cipher(EVP_aes_128_cfb8());
-+ EVP_add_cipher(EVP_aes_128_ofb());
-+#if 0
-+ EVP_add_cipher(EVP_aes_128_ctr());
-+#endif
-+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
-+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
-+ EVP_add_cipher(EVP_aes_192_ecb());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_192_cfb());
-+ EVP_add_cipher(EVP_aes_192_cfb1());
-+ EVP_add_cipher(EVP_aes_192_cfb8());
-+ EVP_add_cipher(EVP_aes_192_ofb());
-+#if 0
-+ EVP_add_cipher(EVP_aes_192_ctr());
-+#endif
-+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
-+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
-+ EVP_add_cipher(EVP_aes_256_ecb());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_256_cfb());
-+ EVP_add_cipher(EVP_aes_256_cfb1());
-+ EVP_add_cipher(EVP_aes_256_cfb8());
-+ EVP_add_cipher(EVP_aes_256_ofb());
-+#if 0
-+ EVP_add_cipher(EVP_aes_256_ctr());
-+#endif
-+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
-+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-+#endif
-+ }
-+#endif
-
- PKCS12_PBE_add();
- PKCS5_PBE_add();
+++ /dev/null
-diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c
---- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100
-+++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100
-@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa,
- if (fips_rsa_pairwise_fail)
- BN_add_word(rsa->n, 1);
-
-- if(!fips_check_rsa(rsa))
-+ if(FIPS_mode() && !fips_check_rsa(rsa))
- goto err;
-
- ok=1;
-diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c
---- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200
-+++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100
-@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa)
- dsa->pub_key=pub_key;
- if (fips_dsa_pairwise_fail)
- BN_add_word(dsa->pub_key, 1);
-- if(!fips_check_dsa(dsa))
-+ if(FIPS_mode() && !fips_check_dsa(dsa))
- goto err;
- ok=1;
-
+++ /dev/null
-Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary.
-We use the binary just during the OpenSSL build to checksum the libcrypto.
-diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile
---- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100
-+++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100
-@@ -46,7 +46,7 @@ lib: $(LIBOBJ)
- @echo $(LIBOBJ) > lib
-
- ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
-- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
-+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
- $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
-
- files:
-diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c
---- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200
-+++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100
-@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
-
- #ifdef OPENSSL_FIPS
-
--static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
-+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
- const char *key)
- {
- int len=strlen(key);
-@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
-
- if (len > SHA_CBLOCK)
- {
-- SHA1_Init(md_ctx);
-- SHA1_Update(md_ctx,key,len);
-- SHA1_Final(keymd,md_ctx);
-- len=20;
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx,key,len);
-+ SHA256_Final(keymd,md_ctx);
-+ len=SHA256_DIGEST_LENGTH;
- }
- else
- memcpy(keymd,key,len);
-@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
-
- for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
- pad[i]=0x36^keymd[i];
-- SHA1_Init(md_ctx);
-- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
-
- for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
- pad[i]=0x5c^keymd[i];
-- SHA1_Init(o_ctx);
-- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
-+ SHA256_Init(o_ctx);
-+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
- }
-
--static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
-+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
- {
-- unsigned char buf[20];
-+ unsigned char buf[SHA256_DIGEST_LENGTH];
-
-- SHA1_Final(buf,md_ctx);
-- SHA1_Update(o_ctx,buf,sizeof buf);
-- SHA1_Final(md,o_ctx);
-+ SHA256_Final(buf,md_ctx);
-+ SHA256_Update(o_ctx,buf,sizeof buf);
-+ SHA256_Final(md,o_ctx);
- }
-
- #endif
-@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
- int main(int argc,char **argv)
- {
- #ifdef OPENSSL_FIPS
-- static char key[]="etaonrishdlcupfm";
-+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
- int n,binary=0;
-
- if(argc < 2)
-@@ -125,8 +125,8 @@ int main(int argc,char **argv)
- for(; n < argc ; ++n)
- {
- FILE *f=fopen(argv[n],"rb");
-- SHA_CTX md_ctx,o_ctx;
-- unsigned char md[20];
-+ SHA256_CTX md_ctx,o_ctx;
-+ unsigned char md[SHA256_DIGEST_LENGTH];
- int i;
-
- if(!f)
-@@ -139,7 +139,7 @@ int main(int argc,char **argv)
- for( ; ; )
- {
- char buf[1024];
-- int l=fread(buf,1,sizeof buf,f);
-+ size_t l=fread(buf,1,sizeof buf,f);
-
- if(l == 0)
- {
-@@ -151,18 +151,18 @@ int main(int argc,char **argv)
- else
- break;
- }
-- SHA1_Update(&md_ctx,buf,l);
-+ SHA256_Update(&md_ctx,buf,l);
- }
- hmac_final(md,&md_ctx,&o_ctx);
-
- if (binary)
- {
-- fwrite(md,20,1,stdout);
-+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
- break; /* ... for single(!) file */
- }
-
-- printf("HMAC-SHA1(%s)= ",argv[n]);
-- for(i=0 ; i < 20 ; ++i)
-+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
-+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
- printf("%02x",md[i]);
- printf("\n");
- }
+++ /dev/null
-diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c
---- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100
-+++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100
-@@ -59,6 +59,45 @@
- #include <e_os.h>
- #include <openssl/err.h>
-
-+#ifdef OPENSSL_FIPS
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+#include <errno.h>
-+#include <stdlib.h>
-+#include <openssl/fips.h>
-+#include <openssl/evp.h>
-+#include <openssl/rand.h>
-+
-+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static void init_fips_mode(void)
-+ {
-+ char buf[2] = "0";
-+ int fd;
-+
-+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
-+ {
-+ buf[0] = '1';
-+ }
-+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
-+ {
-+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
-+ close(fd);
-+ }
-+ /* Failure reading the fips mode switch file means just not
-+ * switching into FIPS mode. We would break too many things
-+ * otherwise.
-+ */
-+
-+ if (buf[0] == '1')
-+ {
-+ FIPS_mode_set(1);
-+ }
-+ }
-+#endif
-+
- /* Perform any essential OpenSSL initialization operations.
- * Currently only sets FIPS callbacks
- */
-@@ -73,11 +112,10 @@ void OPENSSL_init(void)
- #ifdef CRYPTO_MDEBUG
- CRYPTO_malloc_debug_init();
- #endif
--#ifdef OPENSSL_ENGINE
-+ init_fips_mode();
- int_EVP_MD_init_engine_callbacks();
- int_EVP_CIPHER_init_engine_callbacks();
- int_RAND_init_engine_callbacks();
--#endif
- done = 1;
- }
- #endif
+++ /dev/null
-Do not create a fipscanister.o, add the objects directly.
-diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile
---- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100
-+++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100
-@@ -142,8 +142,24 @@ lib: $(LIB)
- if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi
- @touch lib
-
--$(LIB): $(FIPSLIBDIR)fipscanister.o
-- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
-+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS)
-+ FIPS_ASM=""; \
-+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
-+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
-+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
-+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
-+ if [ -n "$(CPUID_OBJ)" ]; then \
-+ CPUID=../crypto/$(CPUID_OBJ) ; \
-+ else \
-+ CPUID="" ; \
-+ fi ; \
-+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
-+ for i in $(FIPS_OBJ_LISTS); do \
-+ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
-+ objs="$$objs `sed "$$script" $$i`"; \
-+ done; \
-+ objs="$$objs" ; \
-+ $(AR) $(LIB) $$objs
- $(RANLIB) $(LIB) || echo Never mind.
-
- $(FIPSCANLIB): $(FIPSCANLOC)
+++ /dev/null
-diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
---- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100
-+++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100
-@@ -5,6 +5,31 @@
- Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
- All rights reserved.
-
-+ WARNING
-+ -------
-+
-+ This version of OpenSSL is built in a way that supports operation in
-+ the so called FIPS mode. Note though that the library as we build it
-+ is not FIPS validated and the FIPS mode is present for testing purposes
-+ only.
-+
-+ This version also contains a few differences from the upstream code
-+ some of which are:
-+ * The FIPS integrity verification check is implemented differently
-+ from the upstream FIPS validated OpenSSL module. It verifies
-+ HMAC-SHA256 checksum of the whole libcrypto shared library.
-+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
-+ tries to initialize the FIPS mode if it is set to 1 aborting if the
-+ FIPS mode could not be initialized. It is also possible to force the
-+ OpenSSL library to FIPS mode especially for debugging purposes by
-+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
-+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
-+ will not automatically load the built in compression method ZLIB
-+ when initialized. Applications can still explicitely ask for ZLIB
-+ compression method.
-+ * There is added a support for EAP-FAST through TLS extension. This code
-+ is backported from OpenSSL upstream development branch.
-+
- DESCRIPTION
- -----------
-
+++ /dev/null
-diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
---- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100
-+++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100
-@@ -320,28 +320,28 @@ my %table=(
- ####
- # *-generic* is endian-neutral target, but ./config is free to
- # throw in -D[BL]_ENDIAN, whichever appropriate...
--"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- #### IA-32 targets...
- "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
- ####
--"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- #### SPARC Linux setups
- # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
--"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # it's a real mess with -mcpu=ultrasparc option under Linux, but
- # -Wa,-Av8plus should do the trick no matter what.
--"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # GCC 3.1 is a requirement
--"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- #### Alpha Linux with GNU C and Compaq C setups
- # Special notes:
- # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -355,8 +355,8 @@ my %table=(
- #
- # <appro@fy.chalmers.se>
- #
--"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
-
+++ /dev/null
-diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h
---- openssl-0.9.8j/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100
-+++ openssl-0.9.8j/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100
-@@ -83,7 +83,7 @@
- * should only keep the versions that are binary compatible with the current.
- */
- #define SHLIB_VERSION_HISTORY ""
--#define SHLIB_VERSION_NUMBER "0.9.8"
-+#define SHLIB_VERSION_NUMBER "0.9.8j"
-
-
- #endif /* HEADER_OPENSSLV_H */
+++ /dev/null
-Define and use a soname -- because we have to care about binary
-compatibility, we have to increment the soname in order to allow
-this version to co-exist with another versions and have everything
-work right.
-
-diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure
---- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100
-+++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100
-@@ -1371,7 +1371,7 @@ while (<IN>)
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- {
- my $sotmp = $1;
-- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
- }
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- {
-diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org
---- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100
-+++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100
-@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
- SHLIB_MAJOR=
- SHLIB_MINOR=
- SHLIB_EXT=
-+SHLIB_SONAMEVER=8
- PLATFORM=dist
- OPTIONS=
- CONFIGURE_ARGS=
-@@ -277,10 +278,9 @@ clean-shared:
- link-shared:
- @ set -e; for i in ${SHLIBDIRS}; do \
- $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
-+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
- LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
- symlink.$(SHLIB_TARGET); \
-- libs="$$libs -l$$i"; \
- done
-
- build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET):
- libs="$(LIBKRB5) $$libs"; \
- fi; \
- $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
-+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
- LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
- LIBDEPS="$$libs $(EX_LIBS)" \
- link_a.$(SHLIB_TARGET); \
+++ /dev/null
-Use fipscheck compatible way of verification of the integrity of the libcrypto
-shared library.
-diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
---- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100
-+++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100
-@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
- if [ "$(FIPSCANLIB)" = "libfips" ]; then \
- LIBRARIES="-L$(TOP) -lfips"; \
- elif [ -n "$(FIPSCANLIB)" ]; then \
-- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
-- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
-+ LIBRARIES="$(LIBCRYPTO)"; \
- fi; \
- $(MAKE) -f $(TOP)/Makefile.shared -e \
- CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
-@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
- shlib_target="$(SHLIB_TARGET)"; \
- fi; \
- LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
-- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
-- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
-- fi; \
- [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
- $(MAKE) -f $(TOP)/Makefile.shared -e \
- CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
-diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
---- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100
-+++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100
-@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
- $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
- $(AR) libcrypto.a fips/fipscanister.o ; \
- else \
-- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-- FIPSLD_CC=$(CC); CC=fips/fipsld; \
-- export CC FIPSLD_CC; \
-- fi; \
- $(MAKE) -e SHLIBDIRS='crypto' build-shared; \
- fi \
- else \
-@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
- fips/fipscanister.o: build_fips
- libfips$(SHLIB_EXT): fips/fipscanister.o
- @if [ "$(SHLIB_TARGET)" != "" ]; then \
-- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
- $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-- CC=$${CC} LIBNAME=fips THIS=$@ \
-+ CC=$(CC) LIBNAME=fips THIS=$@ \
- LIBEXTRAS=fips/fipscanister.o \
- LIBDEPS="$(EX_LIBS)" \
- LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
-@@ -469,7 +464,7 @@ openssl.pc: Makefile
- echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
-+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-
- Makefile: Makefile.org Configure config
-diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
---- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
-+++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100
-@@ -47,6 +47,7 @@
- *
- */
-
-+#define _GNU_SOURCE
-
- #include <openssl/rand.h>
- #include <openssl/fips_rand.h>
-@@ -56,6 +57,9 @@
- #include <openssl/rsa.h>
- #include <string.h>
- #include <limits.h>
-+#include <dlfcn.h>
-+#include <stdio.h>
-+#include <stdlib.h>
- #include "fips_locl.h"
-
- #ifdef OPENSSL_FIPS
-@@ -165,6 +169,7 @@ int FIPS_selftest()
- && FIPS_selftest_dsa();
- }
-
-+#if 0
- extern const void *FIPS_text_start(), *FIPS_text_end();
- extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
- unsigned char FIPS_signature [20] = { 0 };
-@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void)
-
- return 1;
- }
-+#else
-+/* we implement what libfipscheck does ourselves */
-+
-+static int
-+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
-+{
-+ Dl_info info;
-+ void *dl, *sym;
-+ int rv = -1;
-+
-+ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
-+ if (dl == NULL) {
-+ return -1;
-+ }
-+
-+ sym = dlsym(dl, symbolname);
-+
-+ if (sym != NULL && dladdr(sym, &info)) {
-+ strncpy(path, info.dli_fname, pathlen-1);
-+ path[pathlen-1] = '\0';
-+ rv = 0;
-+ }
-+
-+ dlclose(dl);
-+
-+ return rv;
-+}
-+
-+static const char conv[] = "0123456789abcdef";
-+
-+static char *
-+bin2hex(void *buf, size_t len)
-+{
-+ char *hex, *p;
-+ unsigned char *src = buf;
-+
-+ hex = malloc(len * 2 + 1);
-+ if (hex == NULL)
-+ return NULL;
-+
-+ p = hex;
-+
-+ while (len > 0) {
-+ unsigned c;
-+
-+ c = *src;
-+ src++;
-+
-+ *p = conv[c >> 4];
-+ ++p;
-+ *p = conv[c & 0x0f];
-+ ++p;
-+ --len;
-+ }
-+ *p = '\0';
-+ return hex;
-+}
-+
-+#define HMAC_PREFIX "."
-+#define HMAC_SUFFIX ".hmac"
-+#define READ_BUFFER_LENGTH 16384
-+
-+static char *
-+make_hmac_path(const char *origpath)
-+{
-+ char *path, *p;
-+ const char *fn;
-+
-+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
-+ if(path == NULL) {
-+ return NULL;
-+ }
-+
-+ fn = strrchr(origpath, '/');
-+ if (fn == NULL) {
-+ fn = origpath;
-+ } else {
-+ ++fn;
-+ }
-+
-+ strncpy(path, origpath, fn-origpath);
-+ p = path + (fn - origpath);
-+ p = stpcpy(p, HMAC_PREFIX);
-+ p = stpcpy(p, fn);
-+ p = stpcpy(p, HMAC_SUFFIX);
-+
-+ return path;
-+}
-+
-+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
-+
-+static int
-+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
-+{
-+ FILE *f = NULL;
-+ int rv = -1;
-+ unsigned char rbuf[READ_BUFFER_LENGTH];
-+ size_t len;
-+ unsigned int hlen;
-+ HMAC_CTX c;
-+
-+ HMAC_CTX_init(&c);
-+
-+ f = fopen(path, "r");
-+
-+ if (f == NULL) {
-+ goto end;
-+ }
-+
-+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
-+
-+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
-+ HMAC_Update(&c, rbuf, len);
-+ }
-+
-+ len = sizeof(rbuf);
-+ /* reuse rbuf for hmac */
-+ HMAC_Final(&c, rbuf, &hlen);
-+
-+ *buf = malloc(hlen);
-+ if (*buf == NULL) {
-+ goto end;
-+ }
-+
-+ *hmaclen = hlen;
-+
-+ memcpy(*buf, rbuf, hlen);
-+
-+ rv = 0;
-+end:
-+ HMAC_CTX_cleanup(&c);
-+
-+ if (f)
-+ fclose(f);
-+
-+ return rv;
-+}
-+
-+static int
-+FIPSCHECK_verify(const char *libname, const char *symbolname)
-+{
-+ char path[PATH_MAX+1];
-+ int rv;
-+ FILE *hf;
-+ char *hmacpath, *p;
-+ char *hmac = NULL;
-+ size_t n;
-+
-+ rv = get_library_path(libname, symbolname, path, sizeof(path));
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ hmacpath = make_hmac_path(path);
-+
-+ hf = fopen(hmacpath, "r");
-+ if (hf == NULL) {
-+ free(hmacpath);
-+ return 0;
-+ }
-+
-+ if (getline(&hmac, &n, hf) > 0) {
-+ void *buf;
-+ size_t hmaclen;
-+ char *hex;
-+
-+ if ((p=strchr(hmac, '\n')) != NULL)
-+ *p = '\0';
-+
-+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
-+ rv = -4;
-+ goto end;
-+ }
-+
-+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
-+ free(buf);
-+ rv = -5;
-+ goto end;
-+ }
-+
-+ if (strcmp(hex, hmac) != 0) {
-+ rv = -1;
-+ }
-+ free(buf);
-+ free(hex);
-+ }
-+
-+end:
-+ free(hmac);
-+ free(hmacpath);
-+ fclose(hf);
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ /* check successful */
-+ return 1;
-+}
-+
-+#endif
-
- int FIPS_mode_set(int onoff)
- {
-@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff)
- }
- #endif
-
-- if(fips_signature_witness() != FIPS_signature)
-- {
-- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
-- fips_selftest_fail = 1;
-- ret = 0;
-- goto end;
-- }
--
-- if(!FIPS_check_incore_fingerprint())
-+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
- {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
-@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void)
- return ret;
- }
-
-+#if 0
- unsigned char *fips_signature_witness(void)
- {
- extern unsigned char FIPS_signature[];
- return FIPS_signature;
- }
-+#endif
-
- /* Generalized public key test routine. Signs and verifies the data
- * supplied in tbs using mesage digest md and setting option digest
-diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
---- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100
-+++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100
-@@ -62,9 +62,9 @@ testapps:
-
- all:
- @if [ -z "$(FIPSLIBDIR)" ]; then \
-- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
-+ $(MAKE) -e subdirs lib; \
- else \
-- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
-+ $(MAKE) -e lib; \
- fi
-
- # Idea behind fipscanister.o is to "seize" the sequestered code between
-@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
- HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
- *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
- esac fi
-- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
-
- # If another exception is immediately required, assign approprite
- # site-specific ld command to FIPS_SITE_LD environment variable.
-@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
- $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
- @touch lib
-
--shared: lib subdirs fips_premain_dso$(EXE_EXT)
-+shared: lib subdirs
-
- libs:
- @target=lib; $(RECURSIVE_MAKE)
-@@ -195,10 +194,6 @@ install:
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
- @target=install; $(RECURSIVE_MAKE)
-- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
-- fips_premain.c.sha1 \
-- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
-- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
-
- lint:
- @target=lint; $(RECURSIVE_MAKE)
-diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h
---- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200
-+++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100
-@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
- int fips_set_owning_thread(void);
- void fips_set_selftest_fail(void);
- int fips_clear_owning_thread(void);
-+#if 0
- unsigned char *fips_signature_witness(void);
-+#endif
-
- #define FIPS_MAX_CIPHER_TEST_SIZE 16
-
+++ /dev/null
-diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
---- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200
-+++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100
-@@ -131,6 +131,7 @@
- #ifndef OPENSSL_NO_BF
- # include <openssl/blowfish.h>
- #endif
-+#include <openssl/engine.h>
-
- #undef PROG
- #define PROG version_main
-@@ -140,7 +141,7 @@ int MAIN(int, char **);
- int MAIN(int argc, char **argv)
- {
- int i,ret=0;
-- int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
-+ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
-
- apps_startup();
-
-@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
- else if (strcmp(argv[i],"-d") == 0)
- dir=1;
- else if (strcmp(argv[i],"-a") == 0)
-- date=version=cflags=options=platform=dir=1;
-+ date=version=cflags=options=platform=dir=engines=1;
- else
- {
- BIO_printf(bio_err,"usage:version -[avbofpd]\n");
-@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
- }
- if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
- if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR));
-+ if (engines)
-+ {
-+ ENGINE *e;
-+ printf("engines: ");
-+ e = ENGINE_get_first();
-+ while (e)
-+ {
-+ printf("%s ", ENGINE_get_id(e));
-+ e = ENGINE_get_next(e);
-+ }
-+ printf("\n");
-+ }
- end:
- apps_shutdown();
- OPENSSL_EXIT(ret);
+++ /dev/null
-/* Test program to verify that RSA signing is thread-safe in OpenSSL. */
-
-#include <assert.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <pthread.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/md5.h>
-#include <openssl/ssl.h>
-
-/* Just assume we want to do engine stuff if we're using 0.9.6b or
- * higher. This assumption is only valid for versions bundled with RHL. */
-#if OPENSSL_VERSION_NUMBER >= 0x0090602fL
-#include <openssl/engine.h>
-#define USE_ENGINE
-#endif
-
-#define MAX_THREAD_COUNT 10000
-#define ITERATION_COUNT 10
-#define MAIN_COUNT 100
-
-/* OpenSSL requires us to provide thread ID and locking primitives. */
-pthread_mutex_t *mutex_locks = NULL;
-static unsigned long
-thread_id_cb(void)
-{
- return (unsigned long) pthread_self();
-}
-static void
-lock_cb(int mode, int n, const char *file, int line)
-{
- if (mode & CRYPTO_LOCK) {
- pthread_mutex_lock(&mutex_locks[n]);
- } else {
- pthread_mutex_unlock(&mutex_locks[n]);
- }
-}
-
-struct thread_args {
- RSA *rsa;
- int digest_type;
- unsigned char *digest;
- unsigned int digest_len;
- unsigned char *signature;
- unsigned int signature_len;
- pthread_t main_thread;
-};
-
-static int print = 0;
-
-pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER;
-static int locked_sign = 0;
-static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);}
-static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);}
-
-pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER;
-static int locked_verify = 0;
-static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);}
-static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);}
-
-pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER;
-long failure_count = 0;
-static void
-failure()
-{
- pthread_mutex_lock(&failure_count_lock);
- failure_count++;
- pthread_mutex_unlock(&failure_count_lock);
-}
-
-static void *
-thread_main(void *argp)
-{
- struct thread_args *args = argp;
- unsigned char *signature;
- unsigned int signature_len, signature_alloc_len;
- int ret, i;
-
- signature_alloc_len = args->signature_len;
- if (RSA_size(args->rsa) > signature_alloc_len) {
- signature_alloc_len = RSA_size(args->rsa);
- }
- signature = malloc(signature_alloc_len);
- if (signature == NULL) {
- fprintf(stderr, "Skipping checks in thread %lu -- %s.\n",
- (unsigned long) pthread_self(), strerror(errno));
- pthread_exit(0);
- return NULL;
- }
- for (i = 0; i < ITERATION_COUNT; i++) {
- signature_len = signature_alloc_len;
- SIGN_LOCK();
- ret = RSA_check_key(args->rsa);
- ERR_print_errors_fp(stdout);
- if (ret != 1) {
- failure();
- break;
- }
- ret = RSA_sign(args->digest_type,
- args->digest,
- args->digest_len,
- signature, &signature_len,
- args->rsa);
- SIGN_UNLOCK();
- ERR_print_errors_fp(stdout);
- if (ret != 1) {
- failure();
- break;
- }
-
- VERIFY_LOCK();
- ret = RSA_verify(args->digest_type,
- args->digest,
- args->digest_len,
- signature, signature_len,
- args->rsa);
- VERIFY_UNLOCK();
- if (ret != 1) {
- fprintf(stderr,
- "Signature from thread %lu(%d) fails "
- "verification (passed in thread #%lu)!\n",
- (long) pthread_self(), i,
- (long) args->main_thread);
- ERR_print_errors_fp(stdout);
- failure();
- continue;
- }
- if (print) {
- fprintf(stderr, ">%d\n", i);
- }
- }
- free(signature);
-
- pthread_exit(0);
-
- return NULL;
-}
-
-unsigned char *
-xmemdup(unsigned char *s, size_t len)
-{
- unsigned char *r;
- r = malloc(len);
- if (r == NULL) {
- fprintf(stderr, "Out of memory.\n");
- ERR_print_errors_fp(stdout);
- assert(r != NULL);
- }
- memcpy(r, s, len);
- return r;
-}
-
-int
-main(int argc, char **argv)
-{
- RSA *rsa;
- MD5_CTX md5;
- int fd, i;
- pthread_t threads[MAX_THREAD_COUNT];
- int thread_count = 1000;
- unsigned char *message, *digest;
- unsigned int message_len, digest_len;
- unsigned char *correct_signature;
- unsigned int correct_siglen, ret;
- struct thread_args master_args, *args;
- int sync = 0, seed = 0;
- int again = 1;
-#ifdef USE_ENGINE
- char *engine = NULL;
- ENGINE *e = NULL;
-#endif
-
- pthread_mutex_init(&failure_count_lock, NULL);
-
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--seed") == 0) {
- printf("Seeding PRNG.\n");
- seed++;
- } else
- if (strcmp(argv[i], "--sync") == 0) {
- printf("Running synchronized.\n");
- sync++;
- } else
- if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) {
- i++;
- thread_count = atol(argv[i]);
- if (thread_count > MAX_THREAD_COUNT) {
- thread_count = MAX_THREAD_COUNT;
- }
- printf("Starting %d threads.\n", thread_count);
- sync++;
- } else
- if (strcmp(argv[i], "--sign") == 0) {
- printf("Locking signing.\n");
- locked_sign++;
- } else
- if (strcmp(argv[i], "--verify") == 0) {
- printf("Locking verifies.\n");
- locked_verify++;
- } else
- if (strcmp(argv[i], "--print") == 0) {
- printf("Tracing.\n");
- print++;
-#ifdef USE_ENGINE
- } else
- if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) {
- printf("Using engine \"%s\".\n", argv[i + 1]);
- engine = argv[i + 1];
- i++;
-#endif
- } else {
- printf("Bad argument: %s\n", argv[i]);
- return 1;
- }
- }
-
- /* Get some random data to sign. */
- fd = open("/dev/urandom", O_RDONLY);
- if (fd == -1) {
- fprintf(stderr, "Error opening /dev/urandom: %s\n",
- strerror(errno));
- }
-
- if (print) {
- fprintf(stderr, "Reading random data.\n");
- }
- message = malloc(message_len = 9371);
- read(fd, message, message_len);
- close(fd);
-
- /* Initialize the SSL library and set up thread-safe locking. */
- ERR_load_crypto_strings();
- SSL_library_init();
- mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
- for (i = 0; i < CRYPTO_num_locks(); i++) {
- pthread_mutex_init(&mutex_locks[i], NULL);
- }
- CRYPTO_set_id_callback(thread_id_cb);
- CRYPTO_set_locking_callback(lock_cb);
- ERR_print_errors_fp(stdout);
-
- /* Seed the PRNG if we were asked to do so. */
- if (seed) {
- if (print) {
- fprintf(stderr, "Seeding PRNG.\n");
- }
- RAND_add(message, message_len, message_len);
- ERR_print_errors_fp(stdout);
- }
-
- /* Turn on a hardware crypto device if asked to do so. */
-#ifdef USE_ENGINE
- if (engine) {
-#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
- ENGINE_load_builtin_engines();
-#endif
- if (print) {
- fprintf(stderr, "Initializing \"%s\" engine.\n",
- engine);
- }
- e = ENGINE_by_id(engine);
- ERR_print_errors_fp(stdout);
- if (e) {
- i = ENGINE_init(e);
- ERR_print_errors_fp(stdout);
- i = ENGINE_set_default_RSA(e);
- ERR_print_errors_fp(stdout);
- }
- }
-#endif
-
- /* Compute the digest for the signature. */
- if (print) {
- fprintf(stderr, "Computing digest.\n");
- }
- digest = malloc(digest_len = MD5_DIGEST_LENGTH);
- MD5_Init(&md5);
- MD5_Update(&md5, message, message_len);
- MD5_Final(digest, &md5);
-
- /* Generate a signing key. */
- if (print) {
- fprintf(stderr, "Generating key.\n");
- }
- rsa = RSA_generate_key(4096, 3, NULL, NULL);
- ERR_print_errors_fp(stdout);
- if (rsa == NULL) {
- _exit(1);
- }
-
- /* Sign the data. */
- correct_siglen = RSA_size(rsa);
- correct_signature = malloc(correct_siglen);
- for (i = 0; i < MAIN_COUNT; i++) {
- if (print) {
- fprintf(stderr, "Signing data (%d).\n", i);
- }
- ret = RSA_check_key(rsa);
- ERR_print_errors_fp(stdout);
- if (ret != 1) {
- failure();
- }
- correct_siglen = RSA_size(rsa);
- ret = RSA_sign(NID_md5, digest, digest_len,
- correct_signature, &correct_siglen,
- rsa);
- ERR_print_errors_fp(stdout);
- if (ret != 1) {
- _exit(2);
- }
- if (print) {
- fprintf(stderr, "Verifying data (%d).\n", i);
- }
- ret = RSA_verify(NID_md5, digest, digest_len,
- correct_signature, correct_siglen,
- rsa);
- if (ret != 1) {
- _exit(2);
- }
- }
-
- /* Collect up the inforamtion which other threads will need for
- * comparing their signature results with ours. */
- master_args.rsa = rsa;
- master_args.digest_type = NID_md5;
- master_args.digest = digest;
- master_args.digest_len = digest_len;
- master_args.signature = correct_signature;
- master_args.signature_len = correct_siglen;
- master_args.main_thread = pthread_self();
-
- fprintf(stdout, "Performing %d signatures in each of %d threads "
- "(%d, %d).\n", ITERATION_COUNT, thread_count,
- digest_len, correct_siglen);
- fflush(NULL);
-
- /* Start up all of the threads. */
- for (i = 0; i < thread_count; i++) {
- args = malloc(sizeof(struct thread_args));
- args->rsa = RSAPrivateKey_dup(master_args.rsa);
- args->digest_type = master_args.digest_type;
- args->digest_len = master_args.digest_len;
- args->digest = xmemdup(master_args.digest, args->digest_len);
- args->signature_len = master_args.signature_len;
- args->signature = xmemdup(master_args.signature,
- args->signature_len);
- args->main_thread = pthread_self();
- ret = pthread_create(&threads[i], NULL, thread_main, args);
- while ((ret != 0) && (errno == EAGAIN)) {
- ret = pthread_create(&threads[i], NULL,
- thread_main, &args);
- fprintf(stderr, "Thread limit hit at %d.\n", i);
- }
- if (ret != 0) {
- fprintf(stderr, "Unable to create thread %d: %s.\n",
- i, strerror(errno));
- threads[i] = -1;
- } else {
- if (sync) {
- ret = pthread_join(threads[i], NULL);
- assert(ret == 0);
- }
- if (print) {
- fprintf(stderr, "%d\n", i);
- }
- }
- }
-
- /* Wait for all threads to complete. So long as we can find an
- * unjoined thread, keep joining threads. */
- do {
- again = 0;
- for (i = 0; i < thread_count; i++) {
- /* If we have an unterminated thread, join it. */
- if (threads[i] != -1) {
- again = 1;
- if (print) {
- fprintf(stderr, "Joining thread %d.\n",
- i);
- }
- pthread_join(threads[i], NULL);
- threads[i] = -1;
- break;
- }
- }
- } while (again == 1);
-
- fprintf(stderr, "%ld failures\n", failure_count);
-
- return (failure_count != 0);
-}
+++ /dev/null
-/* Prepended at openssl package build-time. Don't include this file directly,
- * use <openssl/opensslconf.h> instead. */
-
-#ifndef openssl_opensslconf_multilib_redirection_h
-#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
-#endif
-
+++ /dev/null
-/* This file is here to prevent a file conflict on multiarch systems. A
- * conflict will frequently occur because arch-specific build-time
- * configuration options are stored (and used, so they can't just be stripped
- * out) in opensslconf.h. The original opensslconf.h has been renamed.
- * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
-
-#ifdef openssl_opensslconf_multilib_redirection_h
-#error "Do not define openssl_opensslconf_multilib_redirection_h!"
-#endif
-#define openssl_opensslconf_multilib_redirection_h
-
-#if defined(__i386__)
-#include "opensslconf-i386.h"
-#elif defined(__ia64__)
-#include "opensslconf-ia64.h"
-#elif defined(__powerpc64__)
-#include "opensslconf-ppc64.h"
-#elif defined(__powerpc__)
-#include "opensslconf-ppc.h"
-#elif defined(__s390x__)
-#include "opensslconf-s390x.h"
-#elif defined(__s390__)
-#include "opensslconf-s390.h"
-#elif defined(__sparc__) && defined(__arch64__)
-#include "opensslconf-sparc64.h"
-#elif defined(__sparc__)
-#include "opensslconf-sparc.h"
-#elif defined(__x86_64__)
-#include "opensslconf-x86_64.h"
-#else
-#error "This openssl-devel package does not work your architecture?"
-#endif
-
-#undef openssl_opensslconf_multilib_redirection_h
git.annexia.org / fedora-mingw.git / commitdiff