From: Richard W.M. Jones <"Richard W.M. Jones "> Date: Tue, 30 Sep 2008 17:02:21 +0000 (+0100) Subject: Mostly working, but not complete, port of openssl X-Git-Url: http://git.annexia.org/?a=commitdiff_plain;h=3a8181459ea2c1a6b62ce60be2f43c052f040799;p=fedora-mingw.git Mostly working, but not complete, port of openssl --- diff --git a/.hgignore b/.hgignore index d53d19a..a41d693 100644 --- a/.hgignore +++ b/.hgignore @@ -35,6 +35,7 @@ libxml2/libxml2-2.6.32.tar.gz libxml2/libxml2-2.7.1.tar.gz nsis/nsis-2.19-src.tar.bz2 nsis/nsis-2.39-src.tar.bz2 +openssl/openssl-0.9.8g-usa.tar.bz2 pango/pango-1.21.6.tar.bz2 pdcurses/PDCurses-3.4.tar.gz pixman/pixman-0.11.10.tar.gz diff --git a/openssl/hobble-openssl b/openssl/hobble-openssl new file mode 100755 index 0000000..de0490f --- /dev/null +++ b/openssl/hobble-openssl @@ -0,0 +1,45 @@ +#!/bin/sh + +# Quit out if anything fails. +set -e + +# Clean out patent-or-otherwise-encumbered code. +# MDC-2: 4,908,861 13/03/2007 +# IDEA: 5,214,703 25/05/2010 +# RC5: 5,724,428 03/03/2015 +# EC: ????????? ??/??/2015 + +# Remove assembler portions of IDEA, MDC2, and RC5. +(find crypto/{idea,mdc2,rc5}/asm -type f | xargs -r rm -fv) + +# IDEA, MDC2, RC5, EC. +for a in idea mdc2 rc5 ec ecdh ecdsa; do + for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do + echo Destroying $c + > $c + done +done + +for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_mdc2.c" -o -name "*_ecdsa.c"`; do + echo Destroying $c + > $c +done + +for h in `find crypto ssl apps test -name "*.h"` ; do + echo Removing IDEA, MDC2, RC5, and EC references from $h + cat $h | \ + awk 'BEGIN {ech=1;} \ + /^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_MDC2/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \ + /^#[ \t]*if/ {if(ech < 1) ech--;} \ + {if(ech>0) {;print $0};} \ + /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \ + mv $h.hobbled $h +done + +# Make the makefiles happy. +touch crypto/rc5/asm/rc5-586.pl diff --git a/openssl/make-dummy-cert b/openssl/make-dummy-cert new file mode 100755 index 0000000..3aff5be --- /dev/null +++ b/openssl/make-dummy-cert @@ -0,0 +1,28 @@ +#!/bin/sh +umask 077 + +answers() { + echo -- + echo SomeState + echo SomeCity + echo SomeOrganization + echo SomeOrganizationalUnit + echo localhost.localdomain + echo root@localhost.localdomain +} + +if [ $# -eq 0 ] ; then + echo $"Usage: `basename $0` filename [...]" + exit 0 +fi + +for target in $@ ; do + PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` + PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` + trap "rm -f $PEM1 $PEM2" SIGINT + answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null + cat $PEM1 > ${target} + echo "" >> ${target} + cat $PEM2 >> ${target} + rm -f $PEM1 $PEM2 +done diff --git a/openssl/mingw32-openssl-0.9.8g-configure.patch b/openssl/mingw32-openssl-0.9.8g-configure.patch new file mode 100644 index 0000000..cfd214e --- /dev/null +++ b/openssl/mingw32-openssl-0.9.8g-configure.patch @@ -0,0 +1,16 @@ +The 'mingw' target to Configure has some problems with cross-compilation. + + - RWMJ 2008-09-30 + +diff -ur openssl-0.9.8g.orig/Configure openssl-0.9.8g.mingw/Configure +--- openssl-0.9.8g.orig/Configure 2008-09-30 14:16:16.000000000 +0100 ++++ openssl-0.9.8g.mingw/Configure 2008-09-30 14:59:34.000000000 +0100 +@@ -468,7 +468,7 @@ + "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32", + + # MinGW +-"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a", ++"mingw", "i686-pc-mingw32-gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333 -DMK1MF_BUILD:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-shared:.dll.a:i686-pc-mingw32-ranlib", + + # UWIN + "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32", diff --git a/openssl/mingw32-openssl-0.9.8g-global.patch b/openssl/mingw32-openssl-0.9.8g-global.patch new file mode 100644 index 0000000..814fb46 --- /dev/null +++ b/openssl/mingw32-openssl-0.9.8g-global.patch @@ -0,0 +1,16 @@ +Fix global variable macros. + + - RWMJ 2008-09-30 + +diff -ur openssl-0.9.8g.orig/e_os2.h openssl-0.9.8g.mingw/e_os2.h +--- openssl-0.9.8g.orig/e_os2.h 2005-12-18 18:57:07.000000000 +0000 ++++ openssl-0.9.8g.mingw/e_os2.h 2008-09-30 14:27:53.000000000 +0100 +@@ -264,7 +264,7 @@ + # define OPENSSL_IMPLEMENT_GLOBAL(type,name) \ + extern type _hide_##name; \ + type *_shadow_##name(void) { return &_hide_##name; } \ +- static type _hide_##name ++ type _hide_##name + # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void) + # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name())) + #else diff --git a/openssl/mingw32-openssl-0.9.8g-header-files.patch b/openssl/mingw32-openssl-0.9.8g-header-files.patch new file mode 100644 index 0000000..a69da5c --- /dev/null +++ b/openssl/mingw32-openssl-0.9.8g-header-files.patch @@ -0,0 +1,157 @@ +Fix the location of certain header files. + + - RWMJ 2008-09-30 + +diff -ur openssl-0.9.8g.orig/apps/speed.c openssl-0.9.8g.mingw/apps/speed.c +--- openssl-0.9.8g.orig/apps/speed.c 2008-09-30 14:16:16.000000000 +0100 ++++ openssl-0.9.8g.mingw/apps/speed.c 2008-09-30 14:53:25.000000000 +0100 +@@ -165,7 +165,7 @@ + #include + #endif + #ifndef OPENSSL_NO_CAMELLIA +-#include ++#include "../crypto/camellia/camellia.h" + #endif + #ifndef OPENSSL_NO_MD2 + #include +@@ -202,7 +202,7 @@ + #include + #endif + #ifndef OPENSSL_NO_SEED +-#include ++#include "../crypto/seed/seed.h" + #endif + #ifndef OPENSSL_NO_BF + #include +diff -ur openssl-0.9.8g.orig/crypto/camellia/cmll_cbc.c openssl-0.9.8g.mingw/crypto/camellia/cmll_cbc.c +--- openssl-0.9.8g.orig/crypto/camellia/cmll_cbc.c 2006-12-02 12:00:27.000000000 +0000 ++++ openssl-0.9.8g.mingw/crypto/camellia/cmll_cbc.c 2008-09-30 14:29:02.000000000 +0100 +@@ -58,7 +58,7 @@ + #include + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, +diff -ur openssl-0.9.8g.orig/crypto/camellia/cmll_cfb.c openssl-0.9.8g.mingw/crypto/camellia/cmll_cfb.c +--- openssl-0.9.8g.orig/crypto/camellia/cmll_cfb.c 2006-06-09 23:31:05.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/camellia/cmll_cfb.c 2008-09-30 14:29:25.000000000 +0100 +@@ -113,7 +113,7 @@ + #include + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + #include "e_os.h" + +diff -ur openssl-0.9.8g.orig/crypto/camellia/cmll_ctr.c openssl-0.9.8g.mingw/crypto/camellia/cmll_ctr.c +--- openssl-0.9.8g.orig/crypto/camellia/cmll_ctr.c 2006-06-09 23:31:05.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/camellia/cmll_ctr.c 2008-09-30 14:29:36.000000000 +0100 +@@ -56,7 +56,7 @@ + #endif + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + /* NOTE: the IV/counter CTR mode is big-endian. The rest of the Camellia code +diff -ur openssl-0.9.8g.orig/crypto/camellia/cmll_ecb.c openssl-0.9.8g.mingw/crypto/camellia/cmll_ecb.c +--- openssl-0.9.8g.orig/crypto/camellia/cmll_ecb.c 2006-06-09 23:31:05.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/camellia/cmll_ecb.c 2008-09-30 14:28:50.000000000 +0100 +@@ -56,7 +56,7 @@ + #endif + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out, +diff -ur openssl-0.9.8g.orig/crypto/camellia/cmll_misc.c openssl-0.9.8g.mingw/crypto/camellia/cmll_misc.c +--- openssl-0.9.8g.orig/crypto/camellia/cmll_misc.c 2007-01-21 13:16:21.000000000 +0000 ++++ openssl-0.9.8g.mingw/crypto/camellia/cmll_misc.c 2008-09-30 14:28:37.000000000 +0100 +@@ -50,7 +50,7 @@ + */ + + #include +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + const char CAMELLIA_version[]="CAMELLIA" OPENSSL_VERSION_PTEXT; +diff -ur openssl-0.9.8g.orig/crypto/camellia/cmll_ofb.c openssl-0.9.8g.mingw/crypto/camellia/cmll_ofb.c +--- openssl-0.9.8g.orig/crypto/camellia/cmll_ofb.c 2006-06-09 23:31:05.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/camellia/cmll_ofb.c 2008-09-30 14:29:14.000000000 +0100 +@@ -111,7 +111,7 @@ + # endif + #endif + #include +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + /* The input and output encrypted as though 128bit ofb mode is being +diff -ur openssl-0.9.8g.orig/crypto/evp/e_camellia.c openssl-0.9.8g.mingw/crypto/evp/e_camellia.c +--- openssl-0.9.8g.orig/crypto/evp/e_camellia.c 2006-08-31 21:56:52.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/evp/e_camellia.c 2008-09-30 14:31:31.000000000 +0100 +@@ -59,7 +59,7 @@ + #include + #include + #include +-#include ++#include "../camellia/camellia.h" + #include "evp_locl.h" + + static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, +diff -ur openssl-0.9.8g.orig/crypto/evp/e_seed.c openssl-0.9.8g.mingw/crypto/evp/e_seed.c +--- openssl-0.9.8g.orig/crypto/evp/e_seed.c 2007-07-04 13:56:32.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/evp/e_seed.c 2008-09-30 14:31:46.000000000 +0100 +@@ -59,7 +59,7 @@ + #include + #include + #ifndef OPENSSL_NO_SEED +-#include ++#include "../seed/seed.h" + #include "evp_locl.h" + + static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); +diff -ur openssl-0.9.8g.orig/crypto/seed/seed.c openssl-0.9.8g.mingw/crypto/seed/seed.c +--- openssl-0.9.8g.orig/crypto/seed/seed.c 2007-04-24 00:50:10.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/seed/seed.c 2008-09-30 14:29:58.000000000 +0100 +@@ -32,7 +32,7 @@ + #include + #endif + +-#include ++#include "seed.h" + #include "seed_locl.h" + + static seed_word SS[4][256] = { { +diff -ur openssl-0.9.8g.orig/crypto/seed/seed_ecb.c openssl-0.9.8g.mingw/crypto/seed/seed_ecb.c +--- openssl-0.9.8g.orig/crypto/seed/seed_ecb.c 2007-04-24 00:50:10.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/seed/seed_ecb.c 2008-09-30 14:30:21.000000000 +0100 +@@ -49,7 +49,7 @@ + * + */ + +-#include ++#include "seed.h" + + void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, const SEED_KEY_SCHEDULE *ks, int enc) + { +diff -ur openssl-0.9.8g.orig/crypto/seed/seed_locl.h openssl-0.9.8g.mingw/crypto/seed/seed_locl.h +--- openssl-0.9.8g.orig/crypto/seed/seed_locl.h 2008-09-30 14:16:15.000000000 +0100 ++++ openssl-0.9.8g.mingw/crypto/seed/seed_locl.h 2008-09-30 14:30:10.000000000 +0100 +@@ -27,7 +27,7 @@ + #define HEADER_SEED_LOCL_H + + #include "openssl/e_os2.h" +-#include ++#include "seed.h" + + + #ifdef SEED_LONG /* need 32-bit type */ diff --git a/openssl/mingw32-openssl-0.9.8g-shared.patch b/openssl/mingw32-openssl-0.9.8g-shared.patch new file mode 100644 index 0000000..05ed6fb --- /dev/null +++ b/openssl/mingw32-openssl-0.9.8g-shared.patch @@ -0,0 +1,34 @@ +Fix build of shared libraries on MinGW cross-compilation target. + + - RWMJ 2008-09-30 + +diff -ur openssl-0.9.8g.orig/Makefile.shared openssl-0.9.8g.mingw/Makefile.shared +--- openssl-0.9.8g.orig/Makefile.shared 2008-09-30 14:16:16.000000000 +0100 ++++ openssl-0.9.8g.mingw/Makefile.shared 2008-09-30 15:19:51.000000000 +0100 +@@ -101,7 +101,7 @@ + LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \ + SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \ + SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \ +- nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \ ++ i686-pc-mingw32-nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \ + LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \ + LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ + LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ +@@ -238,7 +238,7 @@ + SHLIB=cyg$(LIBNAME); \ + base=-Wl,--enable-auto-image-base; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- SHLIB=$(LIBNAME)eay32; base=; \ ++ SHLIB=lib$(LIBNAME); base=; \ + fi; \ + SHLIB_SUFFIX=.dll; \ + LIBVERSION="$(LIBVERSION)"; \ +@@ -253,7 +253,7 @@ + SHLIB=cyg$(LIBNAME); \ + base=-Wl,--enable-auto-image-base; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- SHLIB=$(LIBNAME)eay32; \ ++ SHLIB=lib$(LIBNAME); \ + base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \ + fi; \ + SHLIB_SUFFIX=.dll; \ diff --git a/openssl/mingw32-openssl.spec b/openssl/mingw32-openssl.spec new file mode 100644 index 0000000..fb6e28b --- /dev/null +++ b/openssl/mingw32-openssl.spec @@ -0,0 +1,232 @@ +%define __strip %{_mingw32_strip} +%define __objdump %{_mingw32_objdump} +%define _use_internal_dependency_generator 0 +%define __find_requires %{_mingw32_findrequires} +%define __find_provides %{_mingw32_findprovides} + +Name: mingw32-openssl +Version: 0.9.8g +Release: 1%{?dist} +Summary: MinGW port of the OpenSSL toolkit + +License: OpenSSL +Group: Development/Libraries +URL: http://www.openssl.org/ + +# Use the hobble-openssl script to create the source file. +Source0: openssl-%{version}-usa.tar.bz2 + +Source1: hobble-openssl +Source2: Makefile.certificate +Source6: make-dummy-cert +Source8: openssl-thread-test.c +Source9: opensslconf-new.h +Source10: opensslconf-new-warning.h + +# Patches from Fedora native package. +Patch0: openssl-0.9.8g-redhat.patch +Patch1: openssl-0.9.8a-defaults.patch +Patch2: openssl-0.9.8a-link-krb5.patch +Patch3: openssl-0.9.8g-soversion.patch +Patch4: openssl-0.9.8a-enginesdir.patch +Patch5: openssl-0.9.8a-no-rpath.patch +Patch6: openssl-0.9.8b-test-use-localhost.patch +Patch7: openssl-0.9.8g-shlib-version.patch +Patch21: openssl-0.9.8b-aliasing-bug.patch +Patch22: openssl-0.9.8b-x509-name-cmp.patch +Patch23: openssl-0.9.8g-default-paths.patch +Patch24: openssl-0.9.8g-no-extssl.patch +Patch32: openssl-0.9.8g-ia64.patch +Patch33: openssl-0.9.7f-ca-dir.patch +Patch34: openssl-0.9.6-x509.patch +Patch35: openssl-0.9.7-beta5-version-add-engines.patch +Patch38: openssl-0.9.8a-reuse-cipher-change.patch +# Disabled this because it uses getaddrinfo which is lacking on Windows. +#Patch39: openssl-0.9.8g-ipv6-apps.patch +Patch50: openssl-0.9.8g-speed-bug.patch +Patch51: openssl-0.9.8g-bn-mul-bug.patch +Patch52: openssl-0.9.8g-cve-2008-0891.patch +Patch53: openssl-0.9.8g-cve-2008-1671.patch + +# MinGW-specific patches. +Patch100: mingw32-openssl-0.9.8g-header-files.patch +Patch101: mingw32-openssl-0.9.8g-configure.patch +Patch102: mingw32-openssl-0.9.8g-shared.patch +Patch103: mingw32-openssl-0.9.8g-global.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildArch: noarch + +BuildRequires: mingw32-filesystem >= 26 +BuildRequires: mingw32-gcc +BuildRequires: mingw32-binutils + +BuildRequires: mingw32-zlib + +BuildRequires: mktemp +#BuildRequires: krb5-devel +BuildRequires: perl +BuildRequires: sed +BuildRequires: /usr/bin/cmp +BuildRequires: /usr/bin/rename + +# Required to run the tests. +BuildRequires: wine +BuildRequires: xorg-x11-server-Xvfb + +#Requires: ca-certificates >= 2008-5 +Requires: pkgconfig + + +%description +The OpenSSL toolkit provides support for secure communications between +machines. OpenSSL includes a certificate management tool and shared +libraries which provide various cryptographic algorithms and +protocols. + +This package contains Windows (MinGW) libraries and development tools. + + +%prep +%setup -q -n openssl-%{version} + +%{SOURCE1} > /dev/null +%patch0 -p1 -b .redhat +%patch1 -p1 -b .defaults +# Fix link line for libssl (bug #111154). +%patch2 -p1 -b .krb5 +%patch3 -p1 -b .soversion +%patch4 -p1 -b .enginesdir +%patch5 -p1 -b .no-rpath +%patch6 -p1 -b .use-localhost +%patch7 -p1 -b .shlib-version + +%patch21 -p1 -b .aliasing-bug +%patch22 -p1 -b .name-cmp +%patch23 -p1 -b .default-paths +%patch24 -p1 -b .no-extssl + +%patch32 -p1 -b .ia64 +#patch33 is applied after make test +%patch34 -p1 -b .x509 +%patch35 -p1 -b .version-add-engines +%patch38 -p1 -b .cipher-change +#%patch39 -p1 -b .ipv6-apps +%patch50 -p1 -b .speed-bug +%patch51 -p1 -b .bn-mul-bug +%patch52 -p0 -b .srvname-crash +%patch53 -p0 -b .srv-kex-crash + +%patch100 -p1 -b .mingw-header-files +%patch101 -p1 -b .mingw-configure +%patch102 -p1 -b .mingw-shared +%patch103 -p1 -b .mingw-global + +# Modify the various perl scripts to reference perl in the right location. +perl util/perlpath.pl `dirname %{__perl}` + +# Generate a table with the compile settings for my perusal. +touch Makefile +make TABLE PERL=%{__perl} + + +%build + +cat > gcc </dev/null 2>&1 ; then + iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \ + mv -f CHANGES.utf8 CHANGES +fi + + +%install +rm -rf $RPM_BUILD_ROOT +exit 1 +make DESTDIR=$RPM_BUILD_ROOT install + +# Remove static libraries but DON'T remove *.dll.a files. +rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libfoo.a + + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root) +%{_mingw32_bindir}/foo.dll +%{_mingw32_libdir}/foo.dll.a +# etc. + + +%changelog +* Wed Sep 24 2008 Your Name - 1.2.3-1 +- Initial RPM release. diff --git a/openssl/openssl-0.9.6-x509.patch b/openssl/openssl-0.9.6-x509.patch new file mode 100644 index 0000000..7b3f49f --- /dev/null +++ b/openssl/openssl-0.9.6-x509.patch @@ -0,0 +1,29 @@ +Do not treat duplicate certs as an error. + +--- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000 ++++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000 +@@ -163,8 +163,12 @@ + } + } + i=X509_STORE_add_cert(ctx->store_ctx,x); +- if (!i) goto err; +- count++; ++ /* ignore any problems with current certificate ++ and continue with the next one */ ++ if (i) ++ count++; ++ else ++ ERR_clear_error(); + X509_free(x); + x=NULL; + } +@@ -179,7 +183,8 @@ + goto err; + } + i=X509_STORE_add_cert(ctx->store_ctx,x); +- if (!i) goto err; ++ if (!i) ++ ERR_clear_error(); + ret=i; + } + else diff --git a/openssl/openssl-0.9.7-beta5-version-add-engines.patch b/openssl/openssl-0.9.7-beta5-version-add-engines.patch new file mode 100644 index 0000000..24889b1 --- /dev/null +++ b/openssl/openssl-0.9.7-beta5-version-add-engines.patch @@ -0,0 +1,49 @@ +List the compiled-in hardware support when passed the -a flag. + +--- openssl-0.9.7-beta5/apps/version.c 2002-12-03 11:34:28.000000000 -0500 ++++ openssl-0.9.7-beta5/apps/version.c 2002-12-11 19:29:10.000000000 -0500 +@@ -130,6 +130,7 @@ + #ifndef OPENSSL_NO_BF + # include + #endif ++#include + + #undef PROG + #define PROG version_main +@@ -139,7 +140,7 @@ + int MAIN(int argc, char **argv) + { + int i,ret=0; +- int cflags=0,version=0,date=0,options=0,platform=0,dir=0; ++ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0; + + apps_startup(); + +@@ -163,7 +164,7 @@ + else if (strcmp(argv[i],"-d") == 0) + dir=1; + else if (strcmp(argv[i],"-a") == 0) +- date=version=cflags=options=platform=dir=1; ++ date=version=cflags=options=platform=dir=engines=1; + else + { + BIO_printf(bio_err,"usage:version -[avbofp]\n"); +@@ -198,6 +199,18 @@ + } + if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS)); + if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR)); ++ if (engines) ++ { ++ ENGINE *e; ++ printf("engines: "); ++ e = ENGINE_get_first(); ++ while (e) ++ { ++ printf("%s ", ENGINE_get_id(e)); ++ e = ENGINE_get_next(e); ++ } ++ printf("\n"); ++ } + end: + apps_shutdown(); + OPENSSL_EXIT(ret); diff --git a/openssl/openssl-0.9.7f-ca-dir.patch b/openssl/openssl-0.9.7f-ca-dir.patch new file mode 100644 index 0000000..540109b --- /dev/null +++ b/openssl/openssl-0.9.7f-ca-dir.patch @@ -0,0 +1,33 @@ +--- openssl-0.9.7f/apps/CA.sh.ca-dir 2005-02-02 00:45:38.000000000 +0100 ++++ openssl-0.9.7f/apps/CA.sh 2005-04-21 21:08:09.270233699 +0200 +@@ -38,7 +38,7 @@ + VERIFY="$OPENSSL verify" + X509="$OPENSSL x509" + +-CATOP=./demoCA ++CATOP=../../CA + CAKEY=./cakey.pem + CACERT=./cacert.pem + +--- openssl-0.9.7f/apps/CA.pl.ca-dir 2005-02-02 00:45:38.000000000 +0100 ++++ openssl-0.9.7f/apps/CA.pl 2005-04-21 21:07:52.307995284 +0200 +@@ -52,7 +52,7 @@ + $X509="$openssl x509"; + $PKCS12="$openssl pkcs12"; + +-$CATOP="./demoCA"; ++$CATOP="../../CA"; + $CAKEY="cakey.pem"; + $CACERT="cacert.pem"; + +--- openssl-0.9.7f/apps/openssl.cnf.ca-dir 2005-03-30 12:20:17.000000000 +0200 ++++ openssl-0.9.7f/apps/openssl.cnf 2005-04-21 21:08:29.581927172 +0200 +@@ -34,7 +34,7 @@ + #################################################################### + [ CA_default ] + +-dir = ./demoCA # Where everything is kept ++dir = ../../CA # Where everything is kept + certs = $dir/certs # Where the issued certs are kept + crl_dir = $dir/crl # Where the issued crl are kept + database = $dir/index.txt # database index file. diff --git a/openssl/openssl-0.9.8a-defaults.patch b/openssl/openssl-0.9.8a-defaults.patch new file mode 100644 index 0000000..5a4db7b --- /dev/null +++ b/openssl/openssl-0.9.8a-defaults.patch @@ -0,0 +1,50 @@ +--- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200 ++++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100 +@@ -99,6 +99,7 @@ + #################################################################### + [ req ] + default_bits = 1024 ++default_md = sha1 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +@@ -116,23 +117,26 @@ + # MASK:XXXX a literal mask value. + # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings + # so use this option with caution! +-string_mask = nombstr ++# we use PrintableString+UTF8String mask so if pure ASCII texts are used ++# the resulting certificates are compatible with Netscape ++string_mask = MASK:0x2002 + + # req_extensions = v3_req # The extensions to add to a certificate request + + [ req_distinguished_name ] + countryName = Country Name (2 letter code) +-countryName_default = AU ++countryName_default = GB + countryName_min = 2 + countryName_max = 2 + + stateOrProvinceName = State or Province Name (full name) +-stateOrProvinceName_default = Some-State ++stateOrProvinceName_default = Berkshire + + localityName = Locality Name (eg, city) ++localityName_default = Newbury + + 0.organizationName = Organization Name (eg, company) +-0.organizationName_default = Internet Widgits Pty Ltd ++0.organizationName_default = My Company Ltd + + # we can do this but it is not needed normally :-) + #1.organizationName = Second Organization Name (eg, company) +@@ -141,7 +145,7 @@ + organizationalUnitName = Organizational Unit Name (eg, section) + #organizationalUnitName_default = + +-commonName = Common Name (eg, YOUR name) ++commonName = Common Name (eg, your name or your server\'s hostname) + commonName_max = 64 + + emailAddress = Email Address diff --git a/openssl/openssl-0.9.8a-enginesdir.patch b/openssl/openssl-0.9.8a-enginesdir.patch new file mode 100644 index 0000000..0c33b74 --- /dev/null +++ b/openssl/openssl-0.9.8a-enginesdir.patch @@ -0,0 +1,39 @@ +--- openssl-0.9.8a/Configure.enginesdir 2005-11-04 15:06:37.000000000 +0100 ++++ openssl-0.9.8a/Configure 2005-11-07 14:15:12.000000000 +0100 +@@ -560,6 +560,7 @@ + + my $prefix=""; + my $openssldir=""; ++my $enginesdir=""; + my $exe_ext=""; + my $install_prefix=""; + my $no_threads=0; +@@ -739,6 +740,10 @@ + { + $openssldir=$1; + } ++ elsif (/^--enginesdir=(.*)$/) ++ { ++ $enginesdir=$1; ++ } + elsif (/^--install.prefix=(.*)$/) + { + $install_prefix=$1; +@@ -923,7 +928,7 @@ + + $openssldir=$prefix . "/ssl" if $openssldir eq ""; + $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; +- ++$enginesdir="$prefix/lib/engines" if $enginesdir eq ""; + + print "IsMK1MF=$IsMK1MF\n"; + +@@ -1430,7 +1435,7 @@ + if (/^#define\s+OPENSSLDIR/) + { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } + elsif (/^#define\s+ENGINESDIR/) +- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; } ++ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; } + elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) + { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" + if $export_var_as_fn; diff --git a/openssl/openssl-0.9.8a-link-krb5.patch b/openssl/openssl-0.9.8a-link-krb5.patch new file mode 100644 index 0000000..f34b1e5 --- /dev/null +++ b/openssl/openssl-0.9.8a-link-krb5.patch @@ -0,0 +1,11 @@ +--- openssl-0.9.8a/Makefile.org.link-krb5 2005-07-05 07:14:21.000000000 +0200 ++++ openssl-0.9.8a/Makefile.org 2005-11-07 18:00:08.000000000 +0100 +@@ -266,7 +266,7 @@ + + do_$(SHLIB_TARGET): + @ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ +- if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ ++ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl/openssl-0.9.8a-no-rpath.patch b/openssl/openssl-0.9.8a-no-rpath.patch new file mode 100644 index 0000000..8f8fb91 --- /dev/null +++ b/openssl/openssl-0.9.8a-no-rpath.patch @@ -0,0 +1,11 @@ +--- openssl-0.9.8a/Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200 ++++ openssl-0.9.8a/Makefile.shared 2005-11-16 22:35:37.000000000 +0100 +@@ -153,7 +153,7 @@ + NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ + SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" + +-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" ++DO_GNU_APP=LDFLAGS="$(CFLAGS)" + + #This is rather special. It's a special target with which one can link + #applications without bothering with any features that have anything to diff --git a/openssl/openssl-0.9.8a-reuse-cipher-change.patch b/openssl/openssl-0.9.8a-reuse-cipher-change.patch new file mode 100644 index 0000000..666688b --- /dev/null +++ b/openssl/openssl-0.9.8a-reuse-cipher-change.patch @@ -0,0 +1,20 @@ +--- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100 ++++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100 +@@ -477,7 +477,7 @@ + + #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L + #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L +-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L ++#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ + #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L + #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L + #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ +@@ -494,7 +494,7 @@ + + /* SSL_OP_ALL: various bug workarounds that should be rather harmless. + * This used to be 0x000FFFFFL before 0.9.7. */ +-#define SSL_OP_ALL 0x00000FFFL ++#define SSL_OP_ALL 0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */ + + /* DTLS options */ + #define SSL_OP_NO_QUERY_MTU 0x00001000L diff --git a/openssl/openssl-0.9.8b-aliasing-bug.patch b/openssl/openssl-0.9.8b-aliasing-bug.patch new file mode 100644 index 0000000..8d3b36a --- /dev/null +++ b/openssl/openssl-0.9.8b-aliasing-bug.patch @@ -0,0 +1,24 @@ + +This patch fixes a violation of the C aliasing rules that can cause +miscompilation with some compiler versions. + +--- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100 ++++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100 +@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co + static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname) + { + void *ptr; +- DSO_FUNC_TYPE sym, *tsym = &sym; ++ DSO_FUNC_TYPE sym; + + if((dso == NULL) || (symname == NULL)) + { +@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO + DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE); + return(NULL); + } +- *(void **)(tsym) = dlsym(ptr, symname); ++ sym = dlsym(ptr, symname); + if(sym == NULL) + { + DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE); diff --git a/openssl/openssl-0.9.8b-test-use-localhost.patch b/openssl/openssl-0.9.8b-test-use-localhost.patch new file mode 100644 index 0000000..08adf1c --- /dev/null +++ b/openssl/openssl-0.9.8b-test-use-localhost.patch @@ -0,0 +1,24 @@ +diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c +--- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100 ++++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200 +@@ -839,19 +839,8 @@ bad: + #ifndef OPENSSL_NO_KRB5 + if (c_ssl && c_ssl->kssl_ctx) + { +- char localhost[MAXHOSTNAMELEN+2]; +- +- if (gethostname(localhost, sizeof localhost-1) == 0) +- { +- localhost[sizeof localhost-1]='\0'; +- if(strlen(localhost) == sizeof localhost-1) +- { +- BIO_printf(bio_err,"localhost name too long\n"); +- goto end; +- } + kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, +- localhost); +- } ++ "localhost"); + } + #endif /* OPENSSL_NO_KRB5 */ + diff --git a/openssl/openssl-0.9.8b-x509-name-cmp.patch b/openssl/openssl-0.9.8b-x509-name-cmp.patch new file mode 100644 index 0000000..c7e8848 --- /dev/null +++ b/openssl/openssl-0.9.8b-x509-name-cmp.patch @@ -0,0 +1,18 @@ +--- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp 2004-12-01 02:45:30.000000000 +0100 ++++ openssl-0.9.8b/crypto/x509/x509_cmp.c 2006-11-30 23:37:26.000000000 +0100 +@@ -282,14 +282,7 @@ + nb=sk_X509_NAME_ENTRY_value(b->entries,i); + j=na->value->type-nb->value->type; + if (j) +- { +- nabit = ASN1_tag2bit(na->value->type); +- nbbit = ASN1_tag2bit(nb->value->type); +- if (!(nabit & STR_TYPE_CMP) || +- !(nbbit & STR_TYPE_CMP)) +- return j; +- j = asn1_string_memcmp(na->value, nb->value); +- } ++ return j; + else if (na->value->type == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na->value, nb->value); + else if (na->value->type == V_ASN1_IA5STRING diff --git a/openssl/openssl-0.9.8g-bn-mul-bug.patch b/openssl/openssl-0.9.8g-bn-mul-bug.patch new file mode 100644 index 0000000..dd3598d --- /dev/null +++ b/openssl/openssl-0.9.8g-bn-mul-bug.patch @@ -0,0 +1,64 @@ +openssl/crypto/bn/bn_mul.c 1.36.2.1 -> 1.36.2.2 + +--- openssl/crypto/bn/bn_mul.c 2007/07/08 18:54:30 1.36.2.1 ++++ openssl/crypto/bn/bn_mul.c 2007/11/03 20:09:29 1.36.2.2 +@@ -389,6 +389,7 @@ + * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0]) + * a[1]*b[1] + */ ++/* dnX may not be positive, but n2/2+dnX has to be */ + void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, + int dna, int dnb, BN_ULONG *t) + { +@@ -398,7 +399,7 @@ + BN_ULONG ln,lo,*p; + + # ifdef BN_COUNT +- fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2); ++ fprintf(stderr," bn_mul_recursive %d%+d * %d%+d\n",n2,dna,n2,dnb); + # endif + # ifdef BN_MUL_COMBA + # if 0 +@@ -545,6 +546,7 @@ + + /* n+tn is the word length + * t needs to be n*4 is size, as does r */ ++/* tnX may not be negative but less than n */ + void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, + int tna, int tnb, BN_ULONG *t) + { +@@ -553,8 +555,8 @@ + BN_ULONG ln,lo,*p; + + # ifdef BN_COUNT +- fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n", +- tna, n, tnb, n); ++ fprintf(stderr," bn_mul_part_recursive (%d%+d) * (%d%+d)\n", ++ n, tna, n, tnb); + # endif + if (n < 8) + { +@@ -655,16 +657,19 @@ + for (;;) + { + i/=2; +- if (i <= tna && tna == tnb) ++ /* these simplified conditions work ++ * exclusively because difference ++ * between tna and tnb is 1 or 0 */ ++ if (i < tna || i < tnb) + { +- bn_mul_recursive(&(r[n2]), ++ bn_mul_part_recursive(&(r[n2]), + &(a[n]),&(b[n]), + i,tna-i,tnb-i,p); + break; + } +- else if (i < tna || i < tnb) ++ else if (i == tna || i == tnb) + { +- bn_mul_part_recursive(&(r[n2]), ++ bn_mul_recursive(&(r[n2]), + &(a[n]),&(b[n]), + i,tna-i,tnb-i,p); + break; diff --git a/openssl/openssl-0.9.8g-cve-2008-0891.patch b/openssl/openssl-0.9.8g-cve-2008-0891.patch new file mode 100644 index 0000000..eb9d1fd --- /dev/null +++ b/openssl/openssl-0.9.8g-cve-2008-0891.patch @@ -0,0 +1,17 @@ +*) Fix double free in TLS server name extensions which could lead to a remote +crash found by Codenomicon TLS test suite (CVE-2008-0891) [Joe Orton] +Index: ssl/t1_lib.c +=================================================================== +RCS file: /e/openssl/cvs/openssl/ssl/t1_lib.c,v +retrieving revision 1.13.2.8 +diff -u -r1.13.2.8 ssl/t1_lib.c +--- ssl/t1_lib.c 18 Oct 2007 11:39:11 -0000 ++++ ssl/t1_lib.c 18 Mar 2008 12:06:58 -0000 +@@ -381,6 +381,7 @@ + s->session->tlsext_hostname[len]='\0'; + if (strlen(s->session->tlsext_hostname) != len) { + OPENSSL_free(s->session->tlsext_hostname); ++ s->session->tlsext_hostname = NULL; + *al = TLS1_AD_UNRECOGNIZED_NAME; + return 0; + } diff --git a/openssl/openssl-0.9.8g-cve-2008-1671.patch b/openssl/openssl-0.9.8g-cve-2008-1671.patch new file mode 100644 index 0000000..616271b --- /dev/null +++ b/openssl/openssl-0.9.8g-cve-2008-1671.patch @@ -0,0 +1,24 @@ +*) Fix flaw if 'Server Key exchange message' is omitted from a TLS +Handshake which could lead to a cilent crash as found using the +Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox] +Index: ssl/s3_clnt.c +=================================================================== +RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v +retrieving revision 1.88.2.12 +diff -u -r1.88.2.12 ssl/s3_clnt.c +--- ssl/s3_clnt.c 3 Nov 2007 13:07:39 -0000 ++++ ssl/s3_clnt.c 22 May 2008 09:19:30 -0000 +@@ -2061,6 +2061,13 @@ + { + DH *dh_srvr,*dh_clnt; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_dh_tmp != NULL) + dh_srvr=s->session->sess_cert->peer_dh_tmp; + else diff --git a/openssl/openssl-0.9.8g-default-paths.patch b/openssl/openssl-0.9.8g-default-paths.patch new file mode 100644 index 0000000..23fa4e1 --- /dev/null +++ b/openssl/openssl-0.9.8g-default-paths.patch @@ -0,0 +1,77 @@ +diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c +--- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100 ++++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100 +@@ -1077,12 +1077,13 @@ bad: + } + #endif + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + store = SSL_CTX_get_cert_store(ctx); + X509_STORE_set_flags(store, vflags); +@@ -1132,8 +1133,11 @@ bad: + + SSL_CTX_sess_set_cache_size(ctx2,128); + +- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx2))) ++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx2)) + { + ERR_print_errors(bio_err); + } +diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c +--- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100 ++++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100 +@@ -673,12 +673,13 @@ bad: + if (!set_cert_key_stuff(ctx,cert,key)) + goto end; + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + store = SSL_CTX_get_cert_store(ctx); +diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c +--- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100 ++++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100 +@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv) + + SSL_load_error_strings(); + +- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(tm_ctx))) ++ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + if (tm_cipher == NULL) diff --git a/openssl/openssl-0.9.8g-ia64.patch b/openssl/openssl-0.9.8g-ia64.patch new file mode 100644 index 0000000..ec982d2 --- /dev/null +++ b/openssl/openssl-0.9.8g-ia64.patch @@ -0,0 +1,19 @@ +diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h +--- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 2008-08-10 22:23:55.000000000 +0200 ++++ openssl-0.9.8g/crypto/bn/bn_lcl.h 2008-08-10 22:23:55.000000000 +0200 +@@ -279,6 +279,15 @@ extern "C" { + # define BN_UMULT_HIGH(a,b) __umulh((a),(b)) + # define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high))) + # endif ++# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG) ++# if defined(__GNUC__) ++# define BN_UMULT_HIGH(a,b) ({ \ ++ register BN_ULONG ret; \ ++ asm ("xmpy.hu %0 = %1, %2" \ ++ : "=f"(ret) \ ++ : "f"(a), "f"(b)); \ ++ ret; }) ++# endif /* compiler */ + # endif /* cpu */ + #endif /* OPENSSL_NO_ASM */ + diff --git a/openssl/openssl-0.9.8g-ipv6-apps.patch b/openssl/openssl-0.9.8g-ipv6-apps.patch new file mode 100644 index 0000000..588cf4e --- /dev/null +++ b/openssl/openssl-0.9.8g-ipv6-apps.patch @@ -0,0 +1,507 @@ +diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c +--- openssl-0.9.8g/apps/s_socket.c.ipv6-apps 2005-06-13 05:21:00.000000000 +0200 ++++ openssl-0.9.8g/apps/s_socket.c 2007-12-03 13:28:42.000000000 +0100 +@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha + static void ssl_sock_cleanup(void); + #endif + static int ssl_sock_init(void); +-static int init_client_ip(int *sock,unsigned char ip[4], int port, int type); +-static int init_server(int *sock, int port, int type); +-static int init_server_long(int *sock, int port,char *ip, int type); ++static int init_server(int *sock, char *port, int type); + static int do_accept(int acc_sock, int *sock, char **host); + static int host_ip(char *str, unsigned char ip[4]); + +@@ -228,60 +226,69 @@ static int ssl_sock_init(void) + return(1); + } + +-int init_client(int *sock, char *host, int port, int type) ++int init_client(int *sock, char *host, char *port, int type) + { +- unsigned char ip[4]; +- short p=0; +- +- if (!host_ip(host,&(ip[0]))) +- { +- return(0); +- } +- if (p != 0) port=p; +- return(init_client_ip(sock,ip,port,type)); +- } +- +-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) +- { +- unsigned long addr; +- struct sockaddr_in them; +- int s,i; ++ struct addrinfo *res, *res0, hints; ++ char * failed_call = NULL; ++ int s; ++ int e; + + if (!ssl_sock_init()) return(0); + +- memset((char *)&them,0,sizeof(them)); +- them.sin_family=AF_INET; +- them.sin_port=htons((unsigned short)port); +- addr=(unsigned long) +- ((unsigned long)ip[0]<<24L)| +- ((unsigned long)ip[1]<<16L)| +- ((unsigned long)ip[2]<< 8L)| +- ((unsigned long)ip[3]); +- them.sin_addr.s_addr=htonl(addr); +- +- if (type == SOCK_STREAM) +- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); +- else /* ( type == SOCK_DGRAM) */ +- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); +- +- if (s == INVALID_SOCKET) { perror("socket"); return(0); } ++ memset(&hints, '\0', sizeof(hints)); ++ hints.ai_socktype = type; ++ hints.ai_flags = AI_ADDRCONFIG; ++ ++ e = getaddrinfo(host, port, &hints, &res); ++ if (e) ++ { ++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); ++ if (e == EAI_SYSTEM) ++ perror("getaddrinfo"); ++ return (0); ++ } + ++ res0 = res; ++ while (res) ++ { ++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); ++ if (s == INVALID_SOCKET) ++ { ++ failed_call = "socket"; ++ goto nextres; ++ } + #ifndef OPENSSL_SYS_MPE + if (type == SOCK_STREAM) + { +- i=0; +- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); +- if (i < 0) { perror("keepalive"); return(0); } ++ int i=0; ++ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE, ++ (char *)&i,sizeof(i)); ++ if (i < 0) { ++ failed_call = "keepalive"; ++ goto nextres; ++ } + } + #endif +- +- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) +- { close(s); perror("connect"); return(0); } ++ if (connect(s,(struct sockaddr *)res->ai_addr, ++ res->ai_addrlen) == 0) ++ { ++ freeaddrinfo(res0); + *sock=s; + return(1); + } ++ failed_call = "socket"; ++nextres: ++ if (s != INVALID_SOCKET) ++ close(s); ++ res = res->ai_next; ++ } ++ freeaddrinfo(res0); + +-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) ++ perror(failed_call); ++ return(0); ++ } ++ ++int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) + { + int sock; + char *name = NULL; +@@ -319,33 +326,38 @@ int do_server(int port, int type, int *r + } + } + +-static int init_server_long(int *sock, int port, char *ip, int type) ++static int init_server(int *sock, char *port, int type) + { +- int ret=0; +- struct sockaddr_in server; +- int s= -1,i; ++ struct addrinfo *res, *res0, hints; ++ char * failed_call = NULL; ++ char port_name[8]; ++ int s; ++ int e; + + if (!ssl_sock_init()) return(0); + +- memset((char *)&server,0,sizeof(server)); +- server.sin_family=AF_INET; +- server.sin_port=htons((unsigned short)port); +- if (ip == NULL) +- server.sin_addr.s_addr=INADDR_ANY; +- else +-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */ +-#ifndef BIT_FIELD_LIMITS +- memcpy(&server.sin_addr.s_addr,ip,4); +-#else +- memcpy(&server.sin_addr,ip,4); +-#endif ++ memset(&hints, '\0', sizeof(hints)); ++ hints.ai_socktype = type; ++ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; + +- if (type == SOCK_STREAM) +- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); +- else /* type == SOCK_DGRAM */ +- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP); ++ e = getaddrinfo(NULL, port, &hints, &res); ++ if (e) ++ { ++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); ++ if (e == EAI_SYSTEM) ++ perror("getaddrinfo"); ++ return (0); ++ } + +- if (s == INVALID_SOCKET) goto err; ++ res0 = res; ++ while (res) ++ { ++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); ++ if (s == INVALID_SOCKET) ++ { ++ failed_call = "socket"; ++ goto nextres; ++ } + #if defined SOL_SOCKET && defined SO_REUSEADDR + { + int j = 1; +@@ -353,36 +365,39 @@ static int init_server_long(int *sock, i + (void *) &j, sizeof j); + } + #endif +- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1) ++ ++ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) + { +-#ifndef OPENSSL_SYS_WINDOWS +- perror("bind"); +-#endif +- goto err; ++ failed_call = "bind"; ++ goto nextres; + } +- /* Make it 128 for linux */ +- if (type==SOCK_STREAM && listen(s,128) == -1) goto err; +- i=0; +- *sock=s; +- ret=1; +-err: +- if ((ret == 0) && (s != -1)) ++ if (type==SOCK_STREAM && listen(s,128) == -1) + { +- SHUTDOWN(s); ++ failed_call = "listen"; ++ goto nextres; + } +- return(ret); ++ ++ *sock=s; ++ return(1); ++ ++nextres: ++ if (s != INVALID_SOCKET) ++ close(s); ++ res = res->ai_next; + } ++ freeaddrinfo(res0); + +-static int init_server(int *sock, int port, int type) +- { +- return(init_server_long(sock, port, NULL, type)); ++ if (s == INVALID_SOCKET) { perror("socket"); return(0); } ++ ++ perror(failed_call); ++ return(0); + } + + static int do_accept(int acc_sock, int *sock, char **host) + { +- int ret,i; +- struct hostent *h1,*h2; +- static struct sockaddr_in from; ++ static struct sockaddr_storage from; ++ char buffer[NI_MAXHOST]; ++ int ret; + int len; + /* struct linger ling; */ + +@@ -427,137 +442,62 @@ redoit: + if (i < 0) { perror("keepalive"); return(0); } + */ + +- if (host == NULL) goto end; +-#ifndef BIT_FIELD_LIMITS +- /* I should use WSAAsyncGetHostByName() under windows */ +- h1=gethostbyaddr((char *)&from.sin_addr.s_addr, +- sizeof(from.sin_addr.s_addr),AF_INET); +-#else +- h1=gethostbyaddr((char *)&from.sin_addr, +- sizeof(struct in_addr),AF_INET); +-#endif +- if (h1 == NULL) +- { +- BIO_printf(bio_err,"bad gethostbyaddr\n"); +- *host=NULL; +- /* return(0); */ +- } +- else ++ if (host == NULL) + { +- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) +- { +- perror("OPENSSL_malloc"); ++ *sock=ret; + return(0); + } +- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); + +- h2=GetHostByName(*host); +- if (h2 == NULL) ++ if (getnameinfo((struct sockaddr *)&from, sizeof(from), ++ buffer, sizeof(buffer), ++ NULL, 0, 0)) + { +- BIO_printf(bio_err,"gethostbyname failure\n"); ++ BIO_printf(bio_err,"getnameinfo failed\n"); ++ *host=NULL; + return(0); + } +- i=0; +- if (h2->h_addrtype != AF_INET) ++ else + { +- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); ++ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) ++ { ++ perror("OPENSSL_malloc"); + return(0); + } +- } +-end: ++ strcpy(*host, buffer); + *sock=ret; + return(1); + } ++ } + +-int extract_host_port(char *str, char **host_ptr, unsigned char *ip, +- short *port_ptr) ++int extract_host_port(char *str, char **host_ptr, ++ char **port_ptr) + { +- char *h,*p; ++ char *h,*p,*x; + +- h=str; +- p=strchr(str,':'); ++ x=h=str; ++ if (*h == '[') ++ { ++ h++; ++ p=strchr(h,']'); + if (p == NULL) + { +- BIO_printf(bio_err,"no port defined\n"); ++ BIO_printf(bio_err,"no ending bracket for IPv6 address\n"); + return(0); + } + *(p++)='\0'; +- +- if ((ip != NULL) && !host_ip(str,ip)) +- goto err; +- if (host_ptr != NULL) *host_ptr=h; +- +- if (!extract_port(p,port_ptr)) +- goto err; +- return(1); +-err: +- return(0); ++ x = p; + } +- +-static int host_ip(char *str, unsigned char ip[4]) +- { +- unsigned int in[4]; +- int i; +- +- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4) +- { +- for (i=0; i<4; i++) +- if (in[i] > 255) +- { +- BIO_printf(bio_err,"invalid IP address\n"); +- goto err; +- } +- ip[0]=in[0]; +- ip[1]=in[1]; +- ip[2]=in[2]; +- ip[3]=in[3]; +- } +- else +- { /* do a gethostbyname */ +- struct hostent *he; +- +- if (!ssl_sock_init()) return(0); +- +- he=GetHostByName(str); +- if (he == NULL) +- { +- BIO_printf(bio_err,"gethostbyname failure\n"); +- goto err; +- } +- /* cast to short because of win16 winsock definition */ +- if ((short)he->h_addrtype != AF_INET) ++ p=strchr(x,':'); ++ if (p == NULL) + { +- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); +- return(0); +- } +- ip[0]=he->h_addr_list[0][0]; +- ip[1]=he->h_addr_list[0][1]; +- ip[2]=he->h_addr_list[0][2]; +- ip[3]=he->h_addr_list[0][3]; +- } +- return(1); +-err: ++ BIO_printf(bio_err,"no port defined\n"); + return(0); + } ++ *(p++)='\0'; + +-int extract_port(char *str, short *port_ptr) +- { +- int i; +- struct servent *s; ++ if (host_ptr != NULL) *host_ptr=h; ++ if (port_ptr != NULL) *port_ptr=p; + +- i=atoi(str); +- if (i != 0) +- *port_ptr=(unsigned short)i; +- else +- { +- s=getservbyname(str,"tcp"); +- if (s == NULL) +- { +- BIO_printf(bio_err,"getservbyname failure for %s\n",str); +- return(0); +- } +- *port_ptr=ntohs((unsigned short)s->s_port); +- } + return(1); + } + +diff -up openssl-0.9.8g/apps/s_server.c.ipv6-apps openssl-0.9.8g/apps/s_server.c +--- openssl-0.9.8g/apps/s_server.c.ipv6-apps 2007-08-23 14:16:02.000000000 +0200 ++++ openssl-0.9.8g/apps/s_server.c 2007-12-03 13:31:14.000000000 +0100 +@@ -592,7 +592,7 @@ int MAIN(int argc, char *argv[]) + { + X509_STORE *store = NULL; + int vflags = 0; +- short port=PORT; ++ char *port_str = PORT_STR; + char *CApath=NULL,*CAfile=NULL; + unsigned char *context = NULL; + char *dhfile = NULL; +@@ -662,8 +662,7 @@ int MAIN(int argc, char *argv[]) + (strcmp(*argv,"-accept") == 0)) + { + if (--argc < 1) goto bad; +- if (!extract_port(*(++argv),&port)) +- goto bad; ++ port_str= *(++argv); + } + else if (strcmp(*argv,"-verify") == 0) + { +@@ -1332,9 +1331,9 @@ bad: + } + BIO_printf(bio_s_out,"ACCEPT\n"); + if (www) +- do_server(port,socket_type,&accept_socket,www_body, context); ++ do_server(port_str,socket_type,&accept_socket,www_body, context); + else +- do_server(port,socket_type,&accept_socket,sv_body, context); ++ do_server(port_str,socket_type,&accept_socket,sv_body, context); + print_stats(bio_s_out,ctx); + ret=0; + end: +diff -up openssl-0.9.8g/apps/s_client.c.ipv6-apps openssl-0.9.8g/apps/s_client.c +--- openssl-0.9.8g/apps/s_client.c.ipv6-apps 2007-08-23 14:20:56.000000000 +0200 ++++ openssl-0.9.8g/apps/s_client.c 2007-12-03 13:28:42.000000000 +0100 +@@ -285,7 +285,7 @@ int MAIN(int argc, char **argv) + int cbuf_len,cbuf_off; + int sbuf_len,sbuf_off; + fd_set readfds,writefds; +- short port=PORT; ++ char *port_str = PORT_STR; + int full_log=1; + char *host=SSL_HOST_NAME; + char *cert_file=NULL,*key_file=NULL; +@@ -377,13 +377,12 @@ int MAIN(int argc, char **argv) + else if (strcmp(*argv,"-port") == 0) + { + if (--argc < 1) goto bad; +- port=atoi(*(++argv)); +- if (port == 0) goto bad; ++ port_str= *(++argv); + } + else if (strcmp(*argv,"-connect") == 0) + { + if (--argc < 1) goto bad; +- if (!extract_host_port(*(++argv),&host,NULL,&port)) ++ if (!extract_host_port(*(++argv),&host,&port_str)) + goto bad; + } + else if (strcmp(*argv,"-verify") == 0) +@@ -739,7 +738,7 @@ bad: + + re_start: + +- if (init_client(&s,host,port,sock_type) == 0) ++ if (init_client(&s,host,port_str,sock_type) == 0) + { + BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); + SHUTDOWN(s); +diff -up openssl-0.9.8g/apps/s_apps.h.ipv6-apps openssl-0.9.8g/apps/s_apps.h +--- openssl-0.9.8g/apps/s_apps.h.ipv6-apps 2007-12-03 13:28:42.000000000 +0100 ++++ openssl-0.9.8g/apps/s_apps.h 2007-12-03 13:28:42.000000000 +0100 +@@ -148,7 +148,7 @@ typedef fd_mask fd_set; + #define PORT_STR "4433" + #define PROTOCOL "tcp" + +-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); ++int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); + #ifdef HEADER_X509_H + int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); + #endif +@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, + int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); + int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); + #endif +-int init_client(int *sock, char *server, int port, int type); ++int init_client(int *sock, char *server, char *port, int type); + int should_retry(int i); +-int extract_port(char *str, short *port_ptr); +-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); ++int extract_host_port(char *str,char **host_ptr,char **port_ptr); + + long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, + int argi, long argl, long ret); diff --git a/openssl/openssl-0.9.8g-no-extssl.patch b/openssl/openssl-0.9.8g-no-extssl.patch new file mode 100644 index 0000000..de00d0c --- /dev/null +++ b/openssl/openssl-0.9.8g-no-extssl.patch @@ -0,0 +1,27 @@ +diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c +--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200 ++++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200 +@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION) ++ { ++ return ret; ++ } ++ + ret+=2; + + if (ret>=limit) return NULL; /* this really never occurs, but ... */ +@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION) ++ { ++ return ret; ++ } ++ + ret+=2; + if (ret>=limit) return NULL; /* this really never occurs, but ... */ + diff --git a/openssl/openssl-0.9.8g-redhat.patch b/openssl/openssl-0.9.8g-redhat.patch new file mode 100644 index 0000000..71b85c4 --- /dev/null +++ b/openssl/openssl-0.9.8g-redhat.patch @@ -0,0 +1,54 @@ +diff -up openssl-0.9.8g/Configure.redhat openssl-0.9.8g/Configure +--- openssl-0.9.8g/Configure.redhat 2007-09-16 14:24:17.000000000 +0200 ++++ openssl-0.9.8g/Configure 2007-12-03 13:16:08.000000000 +0100 +@@ -313,28 +313,28 @@ my %table=( + #### + # *-generic* is endian-neutral target, but ./config is free to + # throw in -D[BL]_ENDIAN, whichever appropriate... +-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### IA-32 targets... + "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", ++"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", + #### +-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### SPARC Linux setups + # Ray Miller has patiently + # assisted with debugging of following two configs. +-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # it's a real mess with -mcpu=ultrasparc option under Linux, but + # -Wa,-Av8plus should do the trick no matter what. +-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # GCC 3.1 is a requirement +-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### Alpha Linux with GNU C and Compaq C setups + # Special notes: + # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you +@@ -348,8 +348,8 @@ my %table=( + # + # + # +-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", + diff --git a/openssl/openssl-0.9.8g-shlib-version.patch b/openssl/openssl-0.9.8g-shlib-version.patch new file mode 100644 index 0000000..98cc287 --- /dev/null +++ b/openssl/openssl-0.9.8g-shlib-version.patch @@ -0,0 +1,12 @@ +diff -up openssl-0.9.8g/crypto/opensslv.h.shlib-version openssl-0.9.8g/crypto/opensslv.h +--- openssl-0.9.8g/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100 ++++ openssl-0.9.8g/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100 +@@ -83,7 +83,7 @@ + * should only keep the versions that are binary compatible with the current. + */ + #define SHLIB_VERSION_HISTORY "" +-#define SHLIB_VERSION_NUMBER "0.9.8" ++#define SHLIB_VERSION_NUMBER "0.9.8g" + + + #endif /* HEADER_OPENSSLV_H */ diff --git a/openssl/openssl-0.9.8g-soversion.patch b/openssl/openssl-0.9.8g-soversion.patch new file mode 100644 index 0000000..699fcae --- /dev/null +++ b/openssl/openssl-0.9.8g-soversion.patch @@ -0,0 +1,49 @@ +Define and use a soname -- because we have to care about binary +compatibility, we have to increment the soname in order to allow +this version to co-exist with another versions and have everything +work right. + +diff -up openssl-0.9.8g/Configure.soversion openssl-0.9.8g/Configure +--- openssl-0.9.8g/Configure.soversion 2007-12-03 14:41:19.000000000 +0100 ++++ openssl-0.9.8g/Configure 2007-12-03 14:41:19.000000000 +0100 +@@ -1371,7 +1371,7 @@ while () + elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) + { + my $sotmp = $1; +- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; ++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/; + } + elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) + { +diff -up openssl-0.9.8g/Makefile.org.soversion openssl-0.9.8g/Makefile.org +--- openssl-0.9.8g/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100 ++++ openssl-0.9.8g/Makefile.org 2007-12-03 14:41:19.000000000 +0100 +@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= + SHLIB_MAJOR= + SHLIB_MINOR= + SHLIB_EXT= ++SHLIB_SONAMEVER=7 + PLATFORM=dist + OPTIONS= + CONFIGURE_ARGS= +@@ -277,10 +278,9 @@ clean-shared: + link-shared: + @ set -e; for i in ${SHLIBDIRS}; do \ + $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ +- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ ++ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ + LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ + symlink.$(SHLIB_TARGET); \ +- libs="$$libs -l$$i"; \ + done + + build-shared: do_$(SHLIB_TARGET) link-shared +@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET): + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ +- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ ++ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ + LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ + LIBDEPS="$$libs $(EX_LIBS)" \ + link_a.$(SHLIB_TARGET); \ diff --git a/openssl/openssl-0.9.8g-speed-bug.patch b/openssl/openssl-0.9.8g-speed-bug.patch new file mode 100644 index 0000000..939facc --- /dev/null +++ b/openssl/openssl-0.9.8g-speed-bug.patch @@ -0,0 +1,13 @@ +openssl/apps/speed.c 1.126.2.8 -> 1.126.2.9 + +--- openssl/apps/speed.c 2007/05/13 15:04:14 1.126.2.8 ++++ openssl/apps/speed.c 2007/11/15 13:33:47 1.126.2.9 +@@ -577,7 +577,7 @@ + #define MAX_BLOCK_SIZE 64 + #endif + unsigned char DES_iv[8]; +- unsigned char iv[MAX_BLOCK_SIZE/8]; ++ unsigned char iv[2*MAX_BLOCK_SIZE/8]; + #ifndef OPENSSL_NO_DES + DES_cblock *buf_as_des_cblock = NULL; + static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0}; diff --git a/openssl/openssl-thread-test.c b/openssl/openssl-thread-test.c new file mode 100644 index 0000000..3b90285 --- /dev/null +++ b/openssl/openssl-thread-test.c @@ -0,0 +1,400 @@ +/* Test program to verify that RSA signing is thread-safe in OpenSSL. */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +/* Just assume we want to do engine stuff if we're using 0.9.6b or + * higher. This assumption is only valid for versions bundled with RHL. */ +#if OPENSSL_VERSION_NUMBER >= 0x0090602fL +#include +#define USE_ENGINE +#endif + +#define MAX_THREAD_COUNT 10000 +#define ITERATION_COUNT 10 +#define MAIN_COUNT 100 + +/* OpenSSL requires us to provide thread ID and locking primitives. */ +pthread_mutex_t *mutex_locks = NULL; +static unsigned long +thread_id_cb(void) +{ + return (unsigned long) pthread_self(); +} +static void +lock_cb(int mode, int n, const char *file, int line) +{ + if (mode & CRYPTO_LOCK) { + pthread_mutex_lock(&mutex_locks[n]); + } else { + pthread_mutex_unlock(&mutex_locks[n]); + } +} + +struct thread_args { + RSA *rsa; + int digest_type; + unsigned char *digest; + unsigned int digest_len; + unsigned char *signature; + unsigned int signature_len; + pthread_t main_thread; +}; + +static int print = 0; + +pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER; +static int locked_sign = 0; +static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);} +static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);} + +pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER; +static int locked_verify = 0; +static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);} +static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);} + +pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER; +long failure_count = 0; +static void +failure() +{ + pthread_mutex_lock(&failure_count_lock); + failure_count++; + pthread_mutex_unlock(&failure_count_lock); +} + +static void * +thread_main(void *argp) +{ + struct thread_args *args = argp; + unsigned char *signature; + unsigned int signature_len, signature_alloc_len; + int ret, i; + + signature_alloc_len = args->signature_len; + if (RSA_size(args->rsa) > signature_alloc_len) { + signature_alloc_len = RSA_size(args->rsa); + } + signature = malloc(signature_alloc_len); + if (signature == NULL) { + fprintf(stderr, "Skipping checks in thread %lu -- %s.\n", + (unsigned long) pthread_self(), strerror(errno)); + pthread_exit(0); + return NULL; + } + for (i = 0; i < ITERATION_COUNT; i++) { + signature_len = signature_alloc_len; + SIGN_LOCK(); + ret = RSA_check_key(args->rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + break; + } + ret = RSA_sign(args->digest_type, + args->digest, + args->digest_len, + signature, &signature_len, + args->rsa); + SIGN_UNLOCK(); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + break; + } + + VERIFY_LOCK(); + ret = RSA_verify(args->digest_type, + args->digest, + args->digest_len, + signature, signature_len, + args->rsa); + VERIFY_UNLOCK(); + if (ret != 1) { + fprintf(stderr, + "Signature from thread %lu(%d) fails " + "verification (passed in thread #%lu)!\n", + (long) pthread_self(), i, + (long) args->main_thread); + ERR_print_errors_fp(stdout); + failure(); + continue; + } + if (print) { + fprintf(stderr, ">%d\n", i); + } + } + free(signature); + + pthread_exit(0); + + return NULL; +} + +unsigned char * +xmemdup(unsigned char *s, size_t len) +{ + unsigned char *r; + r = malloc(len); + if (r == NULL) { + fprintf(stderr, "Out of memory.\n"); + ERR_print_errors_fp(stdout); + assert(r != NULL); + } + memcpy(r, s, len); + return r; +} + +int +main(int argc, char **argv) +{ + RSA *rsa; + MD5_CTX md5; + int fd, i; + pthread_t threads[MAX_THREAD_COUNT]; + int thread_count = 1000; + unsigned char *message, *digest; + unsigned int message_len, digest_len; + unsigned char *correct_signature; + unsigned int correct_siglen, ret; + struct thread_args master_args, *args; + int sync = 0, seed = 0; + int again = 1; +#ifdef USE_ENGINE + char *engine = NULL; + ENGINE *e = NULL; +#endif + + pthread_mutex_init(&failure_count_lock, NULL); + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--seed") == 0) { + printf("Seeding PRNG.\n"); + seed++; + } else + if (strcmp(argv[i], "--sync") == 0) { + printf("Running synchronized.\n"); + sync++; + } else + if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) { + i++; + thread_count = atol(argv[i]); + if (thread_count > MAX_THREAD_COUNT) { + thread_count = MAX_THREAD_COUNT; + } + printf("Starting %d threads.\n", thread_count); + sync++; + } else + if (strcmp(argv[i], "--sign") == 0) { + printf("Locking signing.\n"); + locked_sign++; + } else + if (strcmp(argv[i], "--verify") == 0) { + printf("Locking verifies.\n"); + locked_verify++; + } else + if (strcmp(argv[i], "--print") == 0) { + printf("Tracing.\n"); + print++; +#ifdef USE_ENGINE + } else + if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) { + printf("Using engine \"%s\".\n", argv[i + 1]); + engine = argv[i + 1]; + i++; +#endif + } else { + printf("Bad argument: %s\n", argv[i]); + return 1; + } + } + + /* Get some random data to sign. */ + fd = open("/dev/urandom", O_RDONLY); + if (fd == -1) { + fprintf(stderr, "Error opening /dev/urandom: %s\n", + strerror(errno)); + } + + if (print) { + fprintf(stderr, "Reading random data.\n"); + } + message = malloc(message_len = 9371); + read(fd, message, message_len); + close(fd); + + /* Initialize the SSL library and set up thread-safe locking. */ + ERR_load_crypto_strings(); + SSL_library_init(); + mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks()); + for (i = 0; i < CRYPTO_num_locks(); i++) { + pthread_mutex_init(&mutex_locks[i], NULL); + } + CRYPTO_set_id_callback(thread_id_cb); + CRYPTO_set_locking_callback(lock_cb); + ERR_print_errors_fp(stdout); + + /* Seed the PRNG if we were asked to do so. */ + if (seed) { + if (print) { + fprintf(stderr, "Seeding PRNG.\n"); + } + RAND_add(message, message_len, message_len); + ERR_print_errors_fp(stdout); + } + + /* Turn on a hardware crypto device if asked to do so. */ +#ifdef USE_ENGINE + if (engine) { +#if OPENSSL_VERSION_NUMBER >= 0x0090700fL + ENGINE_load_builtin_engines(); +#endif + if (print) { + fprintf(stderr, "Initializing \"%s\" engine.\n", + engine); + } + e = ENGINE_by_id(engine); + ERR_print_errors_fp(stdout); + if (e) { + i = ENGINE_init(e); + ERR_print_errors_fp(stdout); + i = ENGINE_set_default_RSA(e); + ERR_print_errors_fp(stdout); + } + } +#endif + + /* Compute the digest for the signature. */ + if (print) { + fprintf(stderr, "Computing digest.\n"); + } + digest = malloc(digest_len = MD5_DIGEST_LENGTH); + MD5_Init(&md5); + MD5_Update(&md5, message, message_len); + MD5_Final(digest, &md5); + + /* Generate a signing key. */ + if (print) { + fprintf(stderr, "Generating key.\n"); + } + rsa = RSA_generate_key(4096, 3, NULL, NULL); + ERR_print_errors_fp(stdout); + if (rsa == NULL) { + _exit(1); + } + + /* Sign the data. */ + correct_siglen = RSA_size(rsa); + correct_signature = malloc(correct_siglen); + for (i = 0; i < MAIN_COUNT; i++) { + if (print) { + fprintf(stderr, "Signing data (%d).\n", i); + } + ret = RSA_check_key(rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + } + correct_siglen = RSA_size(rsa); + ret = RSA_sign(NID_md5, digest, digest_len, + correct_signature, &correct_siglen, + rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + _exit(2); + } + if (print) { + fprintf(stderr, "Verifying data (%d).\n", i); + } + ret = RSA_verify(NID_md5, digest, digest_len, + correct_signature, correct_siglen, + rsa); + if (ret != 1) { + _exit(2); + } + } + + /* Collect up the inforamtion which other threads will need for + * comparing their signature results with ours. */ + master_args.rsa = rsa; + master_args.digest_type = NID_md5; + master_args.digest = digest; + master_args.digest_len = digest_len; + master_args.signature = correct_signature; + master_args.signature_len = correct_siglen; + master_args.main_thread = pthread_self(); + + fprintf(stdout, "Performing %d signatures in each of %d threads " + "(%d, %d).\n", ITERATION_COUNT, thread_count, + digest_len, correct_siglen); + fflush(NULL); + + /* Start up all of the threads. */ + for (i = 0; i < thread_count; i++) { + args = malloc(sizeof(struct thread_args)); + args->rsa = RSAPrivateKey_dup(master_args.rsa); + args->digest_type = master_args.digest_type; + args->digest_len = master_args.digest_len; + args->digest = xmemdup(master_args.digest, args->digest_len); + args->signature_len = master_args.signature_len; + args->signature = xmemdup(master_args.signature, + args->signature_len); + args->main_thread = pthread_self(); + ret = pthread_create(&threads[i], NULL, thread_main, args); + while ((ret != 0) && (errno == EAGAIN)) { + ret = pthread_create(&threads[i], NULL, + thread_main, &args); + fprintf(stderr, "Thread limit hit at %d.\n", i); + } + if (ret != 0) { + fprintf(stderr, "Unable to create thread %d: %s.\n", + i, strerror(errno)); + threads[i] = -1; + } else { + if (sync) { + ret = pthread_join(threads[i], NULL); + assert(ret == 0); + } + if (print) { + fprintf(stderr, "%d\n", i); + } + } + } + + /* Wait for all threads to complete. So long as we can find an + * unjoined thread, keep joining threads. */ + do { + again = 0; + for (i = 0; i < thread_count; i++) { + /* If we have an unterminated thread, join it. */ + if (threads[i] != -1) { + again = 1; + if (print) { + fprintf(stderr, "Joining thread %d.\n", + i); + } + pthread_join(threads[i], NULL); + threads[i] = -1; + break; + } + } + } while (again == 1); + + fprintf(stderr, "%ld failures\n", failure_count); + + return (failure_count != 0); +} diff --git a/openssl/opensslconf-new-warning.h b/openssl/opensslconf-new-warning.h new file mode 100644 index 0000000..de091c8 --- /dev/null +++ b/openssl/opensslconf-new-warning.h @@ -0,0 +1,7 @@ +/* Prepended at openssl package build-time. Don't include this file directly, + * use instead. */ + +#ifndef openssl_opensslconf_multilib_redirection_h +#error "Don't include this file directly, use instead!" +#endif + diff --git a/openssl/opensslconf-new.h b/openssl/opensslconf-new.h new file mode 100644 index 0000000..cf22738 --- /dev/null +++ b/openssl/opensslconf-new.h @@ -0,0 +1,34 @@ +/* This file is here to prevent a file conflict on multiarch systems. A + * conflict will frequently occur because arch-specific build-time + * configuration options are stored (and used, so they can't just be stripped + * out) in opensslconf.h. The original opensslconf.h has been renamed. + * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */ + +#ifdef openssl_opensslconf_multilib_redirection_h +#error "Do not define openssl_opensslconf_multilib_redirection_h!" +#endif +#define openssl_opensslconf_multilib_redirection_h + +#if defined(__i386__) +#include "opensslconf-i386.h" +#elif defined(__ia64__) +#include "opensslconf-ia64.h" +#elif defined(__powerpc64__) +#include "opensslconf-ppc64.h" +#elif defined(__powerpc__) +#include "opensslconf-ppc.h" +#elif defined(__s390x__) +#include "opensslconf-s390x.h" +#elif defined(__s390__) +#include "opensslconf-s390.h" +#elif defined(__sparc__) && defined(__arch64__) +#include "opensslconf-sparc64.h" +#elif defined(__sparc__) +#include "opensslconf-sparc.h" +#elif defined(__x86_64__) +#include "opensslconf-x86_64.h" +#else +#error "This openssl-devel package does not work your architecture?" +#endif + +#undef openssl_opensslconf_multilib_redirection_h