- update to new upstream version.
ocaml-libvirt/ocaml-libvirt-0.4.4.2.tar.gz
ocaml-xml-light/xml-light-2.2.cvs20070817.tar.gz
openssl/openssl-0.9.8g-usa.tar.bz2
+openssl/openssl-0.9.8j-usa.tar.bz2
pango/pango-1.21.6.tar.bz2
pango/pango-1.22.1.tar.bz2
pangomm/pangomm-2.14.0.tar.bz2
+++ /dev/null
-Fix build of shared libraries on MinGW cross-compilation target.
-
- - RWMJ 2008-09-30
-
-diff -ur openssl-0.9.8g.orig/Makefile.shared openssl-0.9.8g.mingw/Makefile.shared
---- openssl-0.9.8g.orig/Makefile.shared 2008-09-30 14:16:16.000000000 +0100
-+++ openssl-0.9.8g.mingw/Makefile.shared 2008-09-30 15:19:51.000000000 +0100
-@@ -101,7 +101,7 @@
- LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
- SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \
- SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-- nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \
-+ i686-pc-mingw32-nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \
- LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
- LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-@@ -238,7 +238,7 @@
- SHLIB=cyg$(LIBNAME); \
- base=-Wl,--enable-auto-image-base; \
- if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-- SHLIB=$(LIBNAME)eay32; base=; \
-+ SHLIB=lib$(LIBNAME); base=; \
- fi; \
- SHLIB_SUFFIX=.dll; \
- LIBVERSION="$(LIBVERSION)"; \
-@@ -253,7 +253,7 @@
- SHLIB=cyg$(LIBNAME); \
- base=-Wl,--enable-auto-image-base; \
- if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-- SHLIB=$(LIBNAME)eay32; \
-+ SHLIB=lib$(LIBNAME); \
- base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
- fi; \
- SHLIB_SUFFIX=.dll; \
--- /dev/null
+--- ./Makefile.shared.lfarkas 2009-01-28 16:39:05.000000000 +0100
++++ ./Makefile.shared 2009-01-28 16:41:51.000000000 +0100
+@@ -238,7 +238,7 @@
+ SHLIB=cyg$(LIBNAME); \
+ base=-Wl,--enable-auto-image-base; \
+ if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+- SHLIB=$(LIBNAME)eay32; base=; \
++ SHLIB=lib$(LIBNAME); base=; \
+ fi; \
+ SHLIB_SUFFIX=.dll; \
+ LIBVERSION="$(LIBVERSION)"; \
+@@ -253,7 +253,7 @@
+ SHLIB=cyg$(LIBNAME); \
+ base=-Wl,--enable-auto-image-base; \
+ if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+- SHLIB=$(LIBNAME)eay32; \
++ SHLIB=lib$(LIBNAME); \
+ base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
+ fi; \
+ SHLIB_SUFFIX=.dll; \
%define __find_requires %{_mingw32_findrequires}
%define __find_provides %{_mingw32_findprovides}
+# For the curious:
+# 0.9.5a soversion = 0
+# 0.9.6 soversion = 1
+# 0.9.6a soversion = 2
+# 0.9.6c soversion = 3
+# 0.9.7a soversion = 4
+# 0.9.7ef soversion = 5
+# 0.9.8ab soversion = 6
+# 0.9.8g soversion = 7
+# 0.9.8j + EAP-FAST soversion = 8
+%define soversion 8
+
# Enable the tests.
# These only work some of the time, but fail randomly at other times
# (although I have had them complete a few times, so I don't think
# there is any actual problem with the binaries).
-%define with_tests 0
+%define run_tests 0
+
+# Number of threads to spawn when testing some threading fixes.
+%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
Name: mingw32-openssl
-Version: 0.9.8g
+Version: 0.9.8j
Release: 1%{?dist}
Summary: MinGW port of the OpenSSL toolkit
Source10: opensslconf-new-warning.h
# Patches from Fedora native package.
-Patch0: openssl-0.9.8g-redhat.patch
+# Build changes
+Patch0: openssl-0.9.8j-redhat.patch
Patch1: openssl-0.9.8a-defaults.patch
Patch2: openssl-0.9.8a-link-krb5.patch
-Patch3: openssl-0.9.8g-soversion.patch
-Patch4: openssl-0.9.8a-enginesdir.patch
+Patch3: openssl-0.9.8j-soversion.patch
+Patch4: openssl-0.9.8j-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
-Patch7: openssl-0.9.8g-shlib-version.patch
+Patch7: openssl-0.9.8j-shlib-version.patch
+# Bug fixes
Patch21: openssl-0.9.8b-aliasing-bug.patch
Patch22: openssl-0.9.8b-x509-name-cmp.patch
Patch23: openssl-0.9.8g-default-paths.patch
Patch24: openssl-0.9.8g-no-extssl.patch
+# Functionality changes
Patch32: openssl-0.9.8g-ia64.patch
-Patch33: openssl-0.9.7f-ca-dir.patch
+Patch33: openssl-0.9.8j-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
-Patch35: openssl-0.9.7-beta5-version-add-engines.patch
+Patch35: openssl-0.9.8j-version-add-engines.patch
Patch38: openssl-0.9.8a-reuse-cipher-change.patch
# Disabled this because it uses getaddrinfo which is lacking on Windows.
#Patch39: openssl-0.9.8g-ipv6-apps.patch
-Patch50: openssl-0.9.8g-speed-bug.patch
-Patch51: openssl-0.9.8g-bn-mul-bug.patch
-Patch52: openssl-0.9.8g-cve-2008-0891.patch
-Patch53: openssl-0.9.8g-cve-2008-1671.patch
+Patch40: openssl-0.9.8j-nocanister.patch
+Patch41: openssl-0.9.8j-use-fipscheck.patch
+Patch42: openssl-0.9.8j-fipscheck-hmac.patch
+Patch43: openssl-0.9.8j-evp-nonfips.patch
+Patch44: openssl-0.9.8j-kernel-fipsmode.patch
+Patch45: openssl-0.9.8j-env-nozlib.patch
+Patch46: openssl-0.9.8j-eap-fast.patch
+Patch47: openssl-0.9.8j-readme-warning.patch
+Patch48: openssl-0.9.8j-bad-mime.patch
+Patch49: openssl-0.9.8j-fips-no-pairwise.patch
+# Backported fixes including security fixes
# MinGW-specific patches.
Patch100: mingw32-openssl-0.9.8g-header-files.patch
Patch101: mingw32-openssl-0.9.8g-configure.patch
-Patch102: mingw32-openssl-0.9.8g-shared.patch
+Patch102: mingw32-openssl-0.9.8j-shared.patch
Patch103: mingw32-openssl-0.9.8g-global.patch
Patch104: mingw32-openssl-0.9.8g-sfx.patch
BuildArch: noarch
-BuildRequires: mingw32-filesystem >= 26
+BuildRequires: mingw32-filesystem >= 40
BuildRequires: mingw32-gcc
BuildRequires: mingw32-binutils
BuildRequires: mingw32-zlib
+BuildRequires: mingw32-pthreads
BuildRequires: mktemp
#BuildRequires: krb5-devel
# /usr/bin/makedepend which comes from imake.
BuildRequires: imake
+%if %{run_tests}
# Required both to build, and to run the tests.
# XXX This needs to be fixed - cross-compilation should not
# require running executables.
BuildRequires: wine
-%if %{with_tests}
# Required to run the tests.
BuildRequires: xorg-x11-server-Xvfb
%endif
%patch35 -p1 -b .version-add-engines
%patch38 -p1 -b .cipher-change
#%patch39 -p1 -b .ipv6-apps
-%patch50 -p1 -b .speed-bug
-%patch51 -p1 -b .bn-mul-bug
-%patch52 -p0 -b .srvname-crash
-%patch53 -p0 -b .srv-kex-crash
+%patch40 -p1 -b .nocanister
+%patch41 -p1 -b .use-fipscheck
+%patch42 -p1 -b .fipscheck-hmac
+%patch43 -p1 -b .evp-nonfips
+%patch44 -p1 -b .fipsmode
+%patch45 -p1 -b .env-nozlib
+%patch46 -p1 -b .eap-fast
+%patch47 -p1 -b .warning
+%patch48 -p1 -b .bad-mime
+%patch49 -p1 -b .no-pairwise
%patch100 -p1 -b .mingw-header-files
%patch101 -p1 -b .mingw-configure
touch Makefile
make TABLE PERL=%{__perl}
-
%build
-
-cat > gcc <<EOS
-#!/bin/sh -
-%{_bindir}/i686-pc-mingw32-gcc -m32 "$@"
-EOS
-export PATH=.:$PATH
-
# NB: 'no-hw' is vital. MinGW cannot build the hardware drivers
# and if you don't have this you'll get an obscure link error.
+%{_mingw32_env}; \
+sed -i -e "s/MINGW32_CC/%{_mingw32_cc}/" -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" -e "s/MINGW32_RANLIB/%{_mingw32_ranlib}/" Configure; \
./Configure \
--prefix=%{_mingw32_prefix} \
--openssldir=%{_mingw32_sysconfdir}/pki/tls \
mingw
# --with-krb5-flavor=MIT
# -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib}
-make depend
-make all build-shared
-make rehash build-shared
+%{_mingw32_make} depend
+%{_mingw32_make} all build-shared
+
+# Generate hashes for the included certs.
+%{_mingw32_make} rehash build-shared
-%if %{with_tests}
+%if %{run_tests}
#----------------------------------------------------------------------
# Run some tests. I don't know why this isn't in a %-check section
# but this is how it is in the native RPM.
DISPLAY=$display
export DISPLAY
-make LDCMD=%{_mingw32_cc} -C test apps tests
+%{_mingw32_make} LDCMD=%{_mingw32_cc} -C test apps tests
# Disable this thread test, because we don't have pthread on Windows.
-#%-{_mingw32_cc} -o openssl-thread-test \
-# -I./include \
-# %-{_mingw32_cflags} \
-# %-{SOURCE8} \
-# -L. \
-# -lssl -lcrypto \
-# -lpthread -lz -ldl
-#
+%{_mingw32_cc} -o openssl-thread-test \
+ -I./include \
+ %-{_mingw32_cflags} \
+ %-{SOURCE8} \
+ -L. \
+ -lssl -lcrypto \
+ -lpthread -lz -ldl
+
## `krb5-config --cflags`
## `krb5-config --libs`
#
-#./openssl-thread-test --threads %{thread_test_threads}
+./openssl-thread-test --threads %{thread_test_threads}
#----------------------------------------------------------------------
%endif
# Patch33 must be patched after tests otherwise they will fail
patch -p1 -b -z .ca-dir < %{PATCH33}
+# Add generation of HMAC checksum of the final stripped library
+#%define __spec_install_post \
+# %{?__debug_package:%{__debug_install_post}} \
+# %{__arch_install_post} \
+# %{__os_install_post} \
+# fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
+# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
+#%{nil}
+
if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then
iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \
mv -f CHANGES.utf8 CHANGES
make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared
# Install the actual DLLs.
-install libcrypto-7.dll $RPM_BUILD_ROOT%{_mingw32_bindir}
-install libssl-7.dll $RPM_BUILD_ROOT%{_mingw32_bindir}
+install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir}
+install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir}
# Remove static libraries but DON'T remove *.dll.a files.
rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.a
chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.dll.a
chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.dll.a
+# Install a makefile for generating keys and self-signed certs, and a script
+# for generating them on the fly.
+mkdir -p $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs
+install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/Makefile
+install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert
+
+# Pick a CA script.
+pushd $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/misc
+mv CA.sh CA
+popd
+
+mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA
+mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA/private
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
+%doc LICENSE
%{_mingw32_bindir}/openssl.exe
%{_mingw32_bindir}/c_rehash
-%{_mingw32_bindir}/libcrypto-7.dll
-%{_mingw32_bindir}/libssl-7.dll
+%{_mingw32_bindir}/libcrypto-%{soversion}.dll
+%{_mingw32_bindir}/libssl-%{soversion}.dll
+#{_mingw32_bindir}/.libcrypto*.hmac
%{_mingw32_libdir}/libcrypto.dll.a
%{_mingw32_libdir}/libssl.dll.a
%{_mingw32_libdir}/engines
%changelog
+* Wed Jan 28 2009 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8j-1
+- update to new upstream version.
+
+* Mon Dec 29 2008 Levente Farkas <lfarkas@lfarkas.org> - 0.9.8g-2
+- minor cleanup.
+
* Tue Sep 30 2008 Richard W.M. Jones <rjones@redhat.com> - 0.9.8g-1
- Initial RPM release.
+++ /dev/null
---- openssl-0.9.7f/apps/CA.sh.ca-dir 2005-02-02 00:45:38.000000000 +0100
-+++ openssl-0.9.7f/apps/CA.sh 2005-04-21 21:08:09.270233699 +0200
-@@ -38,7 +38,7 @@
- VERIFY="$OPENSSL verify"
- X509="$OPENSSL x509"
-
--CATOP=./demoCA
-+CATOP=../../CA
- CAKEY=./cakey.pem
- CACERT=./cacert.pem
-
---- openssl-0.9.7f/apps/CA.pl.ca-dir 2005-02-02 00:45:38.000000000 +0100
-+++ openssl-0.9.7f/apps/CA.pl 2005-04-21 21:07:52.307995284 +0200
-@@ -52,7 +52,7 @@
- $X509="$openssl x509";
- $PKCS12="$openssl pkcs12";
-
--$CATOP="./demoCA";
-+$CATOP="../../CA";
- $CAKEY="cakey.pem";
- $CACERT="cacert.pem";
-
---- openssl-0.9.7f/apps/openssl.cnf.ca-dir 2005-03-30 12:20:17.000000000 +0200
-+++ openssl-0.9.7f/apps/openssl.cnf 2005-04-21 21:08:29.581927172 +0200
-@@ -34,7 +34,7 @@
- ####################################################################
- [ CA_default ]
-
--dir = ./demoCA # Where everything is kept
-+dir = ../../CA # Where everything is kept
- certs = $dir/certs # Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt # database index file.
+++ /dev/null
-openssl/crypto/bn/bn_mul.c 1.36.2.1 -> 1.36.2.2
-
---- openssl/crypto/bn/bn_mul.c 2007/07/08 18:54:30 1.36.2.1
-+++ openssl/crypto/bn/bn_mul.c 2007/11/03 20:09:29 1.36.2.2
-@@ -389,6 +389,7 @@
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-+/* dnX may not be positive, but n2/2+dnX has to be */
- void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
- int dna, int dnb, BN_ULONG *t)
- {
-@@ -398,7 +399,7 @@
- BN_ULONG ln,lo,*p;
-
- # ifdef BN_COUNT
-- fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2);
-+ fprintf(stderr," bn_mul_recursive %d%+d * %d%+d\n",n2,dna,n2,dnb);
- # endif
- # ifdef BN_MUL_COMBA
- # if 0
-@@ -545,6 +546,7 @@
-
- /* n+tn is the word length
- * t needs to be n*4 is size, as does r */
-+/* tnX may not be negative but less than n */
- void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
- int tna, int tnb, BN_ULONG *t)
- {
-@@ -553,8 +555,8 @@
- BN_ULONG ln,lo,*p;
-
- # ifdef BN_COUNT
-- fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n",
-- tna, n, tnb, n);
-+ fprintf(stderr," bn_mul_part_recursive (%d%+d) * (%d%+d)\n",
-+ n, tna, n, tnb);
- # endif
- if (n < 8)
- {
-@@ -655,16 +657,19 @@
- for (;;)
- {
- i/=2;
-- if (i <= tna && tna == tnb)
-+ /* these simplified conditions work
-+ * exclusively because difference
-+ * between tna and tnb is 1 or 0 */
-+ if (i < tna || i < tnb)
- {
-- bn_mul_recursive(&(r[n2]),
-+ bn_mul_part_recursive(&(r[n2]),
- &(a[n]),&(b[n]),
- i,tna-i,tnb-i,p);
- break;
- }
-- else if (i < tna || i < tnb)
-+ else if (i == tna || i == tnb)
- {
-- bn_mul_part_recursive(&(r[n2]),
-+ bn_mul_recursive(&(r[n2]),
- &(a[n]),&(b[n]),
- i,tna-i,tnb-i,p);
- break;
+++ /dev/null
-*) Fix double free in TLS server name extensions which could lead to a remote
-crash found by Codenomicon TLS test suite (CVE-2008-0891) [Joe Orton]
-Index: ssl/t1_lib.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/t1_lib.c,v
-retrieving revision 1.13.2.8
-diff -u -r1.13.2.8 ssl/t1_lib.c
---- ssl/t1_lib.c 18 Oct 2007 11:39:11 -0000
-+++ ssl/t1_lib.c 18 Mar 2008 12:06:58 -0000
-@@ -381,6 +381,7 @@
- s->session->tlsext_hostname[len]='\0';
- if (strlen(s->session->tlsext_hostname) != len) {
- OPENSSL_free(s->session->tlsext_hostname);
-+ s->session->tlsext_hostname = NULL;
- *al = TLS1_AD_UNRECOGNIZED_NAME;
- return 0;
- }
+++ /dev/null
-*) Fix flaw if 'Server Key exchange message' is omitted from a TLS
-Handshake which could lead to a cilent crash as found using the
-Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox]
-Index: ssl/s3_clnt.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v
-retrieving revision 1.88.2.12
-diff -u -r1.88.2.12 ssl/s3_clnt.c
---- ssl/s3_clnt.c 3 Nov 2007 13:07:39 -0000
-+++ ssl/s3_clnt.c 22 May 2008 09:19:30 -0000
-@@ -2061,6 +2061,13 @@
- {
- DH *dh_srvr,*dh_clnt;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_dh_tmp != NULL)
- dh_srvr=s->session->sess_cert->peer_dh_tmp;
- else
+++ /dev/null
-diff -up openssl-0.9.8g/crypto/opensslv.h.shlib-version openssl-0.9.8g/crypto/opensslv.h
---- openssl-0.9.8g/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100
-+++ openssl-0.9.8g/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100
-@@ -83,7 +83,7 @@
- * should only keep the versions that are binary compatible with the current.
- */
- #define SHLIB_VERSION_HISTORY ""
--#define SHLIB_VERSION_NUMBER "0.9.8"
-+#define SHLIB_VERSION_NUMBER "0.9.8g"
-
-
- #endif /* HEADER_OPENSSLV_H */
+++ /dev/null
-openssl/apps/speed.c 1.126.2.8 -> 1.126.2.9
-
---- openssl/apps/speed.c 2007/05/13 15:04:14 1.126.2.8
-+++ openssl/apps/speed.c 2007/11/15 13:33:47 1.126.2.9
-@@ -577,7 +577,7 @@
- #define MAX_BLOCK_SIZE 64
- #endif
- unsigned char DES_iv[8];
-- unsigned char iv[MAX_BLOCK_SIZE/8];
-+ unsigned char iv[2*MAX_BLOCK_SIZE/8];
- #ifndef OPENSSL_NO_DES
- DES_cblock *buf_as_des_cblock = NULL;
- static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
--- /dev/null
+diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
+--- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime 2008-08-05 17:56:11.000000000 +0200
++++ openssl-0.9.8j/crypto/asn1/asn_mime.c 2009-01-14 22:08:34.000000000 +0100
+@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
+ static int mime_hdr_cmp(const MIME_HEADER * const *a,
+ const MIME_HEADER * const *b)
+ {
++ if ((*a)->name == NULL || (*b)->name == NULL)
++ return (*a)->name - (*b)->name < 0 ? -1 :
++ (*a)->name - (*b)->name > 0 ? 1 : 0;
++
+ return(strcmp((*a)->name, (*b)->name));
+ }
+
--- /dev/null
+diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
+--- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100
++++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100
+@@ -34,7 +34,7 @@ default_ca = CA_default # The default c
+ ####################################################################
+ [ CA_default ]
+
+-dir = ./demoCA # Where everything is kept
++dir = ../../CA # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
+diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
+--- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200
++++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100
+@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
+ VERIFY="$OPENSSL verify"
+ X509="$OPENSSL x509"
+
+-CATOP=./demoCA
++CATOP=../../CA
+ CAKEY=./cakey.pem
+ CAREQ=./careq.pem
+ CACERT=./cacert.pem
+diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
+--- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200
++++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100
+@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
+ $X509="$openssl x509";
+ $PKCS12="$openssl pkcs12";
+
+-$CATOP="./demoCA";
++$CATOP="../../CA";
+ $CAKEY="cakey.pem";
+ $CAREQ="careq.pem";
+ $CACERT="cacert.pem";
--- /dev/null
+diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c
+--- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100
++++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100
+@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
+
+ void tls1_free(SSL *s)
+ {
++#ifndef OPENSSL_NO_TLSEXT
++ if (s && s->tlsext_session_ticket)
++ {
++ OPENSSL_free(s->tlsext_session_ticket);
++ }
++#endif /* OPENSSL_NO_TLSEXT */
+ ssl3_free(s);
+ }
+
+@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex
+ int ticklen;
+ if (s->session && s->session->tlsext_tick)
+ ticklen = s->session->tlsext_ticklen;
++ else if (s->session && s->tlsext_session_ticket &&
++ s->tlsext_session_ticket->data)
++ {
++ ticklen = s->tlsext_session_ticket->length;
++ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
++ if (!s->session->tlsext_tick)
++ return NULL;
++ memcpy(s->session->tlsext_tick,
++ s->tlsext_session_ticket->data,
++ ticklen);
++ s->session->tlsext_ticklen = ticklen;
++ }
+ else
+ ticklen = 0;
++ if (ticklen == 0 && s->tlsext_session_ticket &&
++ s->tlsext_session_ticket->data == NULL)
++ goto skip_ext;
+ /* Check for enough room 2 for extension type, 2 for len
+ * rest for ticket
+ */
+@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex
+ ret += ticklen;
+ }
+ }
++ skip_ext:
+
+ if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
+ {
+@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ }
+
+ }
++ else if (type == TLSEXT_TYPE_session_ticket)
++ {
++ if (s->tls_session_ticket_ext_cb &&
++ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
++ {
++ *al = TLS1_AD_INTERNAL_ERROR;
++ return 0;
++ }
++ }
+ else if (type == TLSEXT_TYPE_status_request
+ && s->ctx->tlsext_status_cb)
+ {
+@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ }
+ else if (type == TLSEXT_TYPE_session_ticket)
+ {
++ if (s->tls_session_ticket_ext_cb &&
++ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
++ {
++ *al = TLS1_AD_INTERNAL_ERROR;
++ return 0;
++ }
+ if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
+ || (size > 0))
+ {
+@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned
+ s->tlsext_ticket_expected = 1;
+ return 0; /* Cache miss */
+ }
++ if (s->tls_session_secret_cb)
++ {
++ /* Indicate cache miss here and instead of
++ * generating the session from ticket now,
++ * trigger abbreviated handshake based on
++ * external mechanism to calculate the master
++ * secret later. */
++ return 0;
++ }
+ return tls_decrypt_ticket(s, p, size, session_id, len,
+ ret);
+ }
+diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c
+--- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
++++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100
+@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s)
+ goto f_err;
+ }
+
++#ifndef OPENSSL_NO_TLSEXT
++ /* check if we want to resume the session based on external pre-shared secret */
++ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
++ {
++ SSL_CIPHER *pref_cipher=NULL;
++ s->session->master_key_length=sizeof(s->session->master_key);
++ if (s->tls_session_secret_cb(s, s->session->master_key,
++ &s->session->master_key_length,
++ NULL, &pref_cipher,
++ s->tls_session_secret_cb_arg))
++ {
++ s->session->cipher = pref_cipher ?
++ pref_cipher : ssl_get_cipher_by_char(s, p+j);
++ }
++ }
++#endif /* OPENSSL_NO_TLSEXT */
++
+ if (j != 0 && j == s->session->session_id_length
+ && memcmp(p,s->session->session_id,j) == 0)
+ {
+@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s)
+ {
+ int ok;
+ long n;
+- /* If we have no ticket or session ID is non-zero length (a match of
+- * a non-zero session length would never reach here) it cannot be a
+- * resumed session.
+- */
+- if (!s->session->tlsext_tick || s->session->session_id_length)
++ /* If we have no ticket it cannot be a resumed session. */
++ if (!s->session->tlsext_tick)
+ return 1;
+ /* this function is called when we really expect a Certificate
+ * message, so permit appropriate message length */
+diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c
+--- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200
++++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100
+@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX *
+ return(s->session_timeout);
+ }
+
++#ifndef OPENSSL_NO_TLSEXT
++int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
++ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
++ {
++ if (s == NULL) return(0);
++ s->tls_session_secret_cb = tls_session_secret_cb;
++ s->tls_session_secret_cb_arg = arg;
++ return(1);
++ }
++
++int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
++ void *arg)
++ {
++ if (s == NULL) return(0);
++ s->tls_session_ticket_ext_cb = cb;
++ s->tls_session_ticket_ext_cb_arg = arg;
++ return(1);
++ }
++
++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
++ {
++ if (s->version >= TLS1_VERSION)
++ {
++ if (s->tlsext_session_ticket)
++ {
++ OPENSSL_free(s->tlsext_session_ticket);
++ s->tlsext_session_ticket = NULL;
++ }
++
++ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
++ if (!s->tlsext_session_ticket)
++ {
++ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++
++ if (ext_data)
++ {
++ s->tlsext_session_ticket->length = ext_len;
++ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
++ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
++ }
++ else
++ {
++ s->tlsext_session_ticket->length = 0;
++ s->tlsext_session_ticket->data = NULL;
++ }
++
++ return 1;
++ }
++
++ return 0;
++ }
++#endif /* OPENSSL_NO_TLSEXT */
++
+ typedef struct timeout_param_st
+ {
+ SSL_CTX *ctx;
+diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
+--- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
++++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100
+@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s)
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+ goto err;
+ }
++
++ /* Check if we want to use external pre-shared secret for this
++ * handshake for not reused session only. We need to generate
++ * server_random before calling tls_session_secret_cb in order to allow
++ * SessionTicket processing to use it in key derivation. */
++ {
++ unsigned long Time;
++ unsigned char *pos;
++ Time=(unsigned long)time(NULL); /* Time */
++ pos=s->s3->server_random;
++ l2n(Time,pos);
++ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
++ {
++ al=SSL_AD_INTERNAL_ERROR;
++ goto f_err;
++ }
++ }
++
++ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
++ {
++ SSL_CIPHER *pref_cipher=NULL;
++
++ s->session->master_key_length=sizeof(s->session->master_key);
++ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
++ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
++ {
++ s->hit=1;
++ s->session->ciphers=ciphers;
++ s->session->verify_result=X509_V_OK;
++
++ ciphers=NULL;
++
++ /* check if some cipher was preferred by call back */
++ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
++ if (pref_cipher == NULL)
++ {
++ al=SSL_AD_HANDSHAKE_FAILURE;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
++ goto f_err;
++ }
++
++ s->session->cipher=pref_cipher;
++
++ if (s->cipher_list)
++ sk_SSL_CIPHER_free(s->cipher_list);
++
++ if (s->cipher_list_by_id)
++ sk_SSL_CIPHER_free(s->cipher_list_by_id);
++
++ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
++ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
++ }
++ }
+ #endif
+ /* Worst case, we will use the NULL compression, but if we have other
+ * options, we will now look for them. We have i-1 compression
+@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s)
+ unsigned char *buf;
+ unsigned char *p,*d;
+ int i,sl;
+- unsigned long l,Time;
++ unsigned long l;
++#ifdef OPENSSL_NO_TLSEXT
++ unsigned long Time;
++#endif
+
+ if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
+ {
+ buf=(unsigned char *)s->init_buf->data;
++#ifdef OPENSSL_NO_TLSEXT
+ p=s->s3->server_random;
++ /* Generate server_random if it was not needed previously */
+ Time=(unsigned long)time(NULL); /* Time */
+ l2n(Time,p);
+ if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+ return -1;
++#endif
+ /* Do the message type and length last */
+ d=p= &(buf[4]);
+
+diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h
+--- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
++++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100
+@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
+ #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
+ #endif
+
++/* TLS Session Ticket extension struct */
++struct tls_session_ticket_ext_st
++ {
++ unsigned short length;
++ void *data;
++ };
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c
+--- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200
++++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100
+@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
+ {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
+ {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
++{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
+ {0,NULL}
+ };
+
+diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h
+--- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
++++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100
+@@ -344,6 +344,7 @@ extern "C" {
+ * 'struct ssl_st *' function parameters used to prototype callbacks
+ * in SSL_CTX. */
+ typedef struct ssl_st *ssl_crock_st;
++typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
+
+ /* used to hold info on the particular ciphers used */
+ typedef struct ssl_cipher_st
+@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st
+
+ DECLARE_STACK_OF(SSL_CIPHER)
+
++typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
++typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
++
+ /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
+ typedef struct ssl_method_st
+ {
+@@ -1034,6 +1038,18 @@ struct ssl_st
+
+ /* RFC4507 session ticket expected to be received or sent */
+ int tlsext_ticket_expected;
++
++ /* TLS Session Ticket extension override */
++ TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
++
++ /* TLS Session Ticket extension callback */
++ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
++ void *tls_session_ticket_ext_cb_arg;
++
++ /* TLS pre-shared secret session resumption */
++ tls_session_secret_cb_fn tls_session_secret_cb;
++ void *tls_session_secret_cb_arg;
++
+ SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
+ #define session_ctx initial_ctx
+ #else
+@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v
+ int SSL_COMP_add_compression_method(int id,void *cm);
+ #endif
+
++/* TLS extensions functions */
++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
++
++int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
++ void *arg);
++
++/* Pre-shared secret session resumption functions */
++int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
++
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_TLS1_ENC 210
+ #define SSL_F_TLS1_SETUP_KEY_BLOCK 211
+ #define SSL_F_WRITE_PENDING 212
++#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
+
+ /* Reason codes. */
+ #define SSL_R_APP_DATA_IN_HANDSHAKE 100
---- openssl-0.9.8a/Configure.enginesdir 2005-11-04 15:06:37.000000000 +0100
-+++ openssl-0.9.8a/Configure 2005-11-07 14:15:12.000000000 +0100
-@@ -560,6 +560,7 @@
+diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure
+--- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100
++++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100
+@@ -577,6 +577,7 @@ my $idx_arflags = $idx++;
my $prefix="";
my $openssldir="";
+my $enginesdir="";
my $exe_ext="";
my $install_prefix="";
- my $no_threads=0;
-@@ -739,6 +740,10 @@
+ my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
+@@ -815,6 +816,10 @@ PROCESS_ARGS:
{
$openssldir=$1;
}
elsif (/^--install.prefix=(.*)$/)
{
$install_prefix=$1;
-@@ -923,7 +928,7 @@
+@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
print "IsMK1MF=$IsMK1MF\n";
-@@ -1430,7 +1435,7 @@
+@@ -1635,7 +1640,7 @@ while (<IN>)
if (/^#define\s+OPENSSLDIR/)
{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
elsif (/^#define\s+ENGINESDIR/)
--- /dev/null
+Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set.
+diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c
+--- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib 2009-01-05 15:43:07.000000000 +0100
++++ openssl-0.9.8j/ssl/ssl_ciph.c 2009-01-14 17:47:46.000000000 +0100
+@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo
+
+ MemCheck_off();
+ ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL)
++ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
+ {
+ comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL)
--- /dev/null
+diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c
+--- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200
++++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100
+@@ -64,6 +64,11 @@
+
+ void OpenSSL_add_all_digests(void)
+ {
++#ifdef OPENSSL_FIPS
++ OPENSSL_init();
++ if (!FIPS_mode())
++ {
++#endif
+ #ifndef OPENSSL_NO_MD2
+ EVP_add_digest(EVP_md2());
+ #endif
+@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+ #endif
++#ifdef OPENSSL_FIPS
++ }
++ else
++ {
++#ifndef OPENSSL_NO_SHA
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
++#ifndef OPENSSL_NO_DSA
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
++#endif
++#ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++#endif
++#endif
++#ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++#endif
++#ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++#endif
++ }
++#endif
+ }
+diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c
+--- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200
++++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100
+@@ -65,6 +65,11 @@
+ void OpenSSL_add_all_ciphers(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init();
++ if(!FIPS_mode())
++ {
++#endif
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cfb());
+ EVP_add_cipher(EVP_des_cfb1());
+@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
+ EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
+ #endif
++#ifdef OPENSSL_FIPS
++ }
++ else
++ {
++#ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede_cfb());
++ EVP_add_cipher(EVP_des_ede3_cfb());
++
++ EVP_add_cipher(EVP_des_ede_ofb());
++ EVP_add_cipher(EVP_des_ede3_ofb());
++
++ EVP_add_cipher(EVP_des_ede_cbc());
++ EVP_add_cipher(EVP_des_ede3_cbc());
++ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
++ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
++
++ EVP_add_cipher(EVP_des_ede());
++ EVP_add_cipher(EVP_des_ede3());
++#endif
++
++#ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_ecb());
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_128_cfb());
++ EVP_add_cipher(EVP_aes_128_cfb1());
++ EVP_add_cipher(EVP_aes_128_cfb8());
++ EVP_add_cipher(EVP_aes_128_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_128_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
++ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
++ EVP_add_cipher(EVP_aes_192_ecb());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_192_cfb());
++ EVP_add_cipher(EVP_aes_192_cfb1());
++ EVP_add_cipher(EVP_aes_192_cfb8());
++ EVP_add_cipher(EVP_aes_192_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_192_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
++ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
++ EVP_add_cipher(EVP_aes_256_ecb());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_256_cfb());
++ EVP_add_cipher(EVP_aes_256_cfb1());
++ EVP_add_cipher(EVP_aes_256_cfb8());
++ EVP_add_cipher(EVP_aes_256_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_256_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
++ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
++#endif
++ }
++#endif
+
+ PKCS12_PBE_add();
+ PKCS5_PBE_add();
--- /dev/null
+diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c
+--- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100
++++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100
+@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (fips_rsa_pairwise_fail)
+ BN_add_word(rsa->n, 1);
+
+- if(!fips_check_rsa(rsa))
++ if(FIPS_mode() && !fips_check_rsa(rsa))
+ goto err;
+
+ ok=1;
+diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c
+--- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200
++++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100
+@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa)
+ dsa->pub_key=pub_key;
+ if (fips_dsa_pairwise_fail)
+ BN_add_word(dsa->pub_key, 1);
+- if(!fips_check_dsa(dsa))
++ if(FIPS_mode() && !fips_check_dsa(dsa))
+ goto err;
+ ok=1;
+
--- /dev/null
+Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary.
+We use the binary just during the OpenSSL build to checksum the libcrypto.
+diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile
+--- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100
++++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100
+@@ -46,7 +46,7 @@ lib: $(LIBOBJ)
+ @echo $(LIBOBJ) > lib
+
+ ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
+- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
+ $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
+
+ files:
+diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c
+--- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200
++++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100
+@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
+
+ #ifdef OPENSSL_FIPS
+
+-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
++static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
+ const char *key)
+ {
+ int len=strlen(key);
+@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
+
+ if (len > SHA_CBLOCK)
+ {
+- SHA1_Init(md_ctx);
+- SHA1_Update(md_ctx,key,len);
+- SHA1_Final(keymd,md_ctx);
+- len=20;
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx,key,len);
++ SHA256_Final(keymd,md_ctx);
++ len=SHA256_DIGEST_LENGTH;
+ }
+ else
+ memcpy(keymd,key,len);
+@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
+
+ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
+ pad[i]=0x36^keymd[i];
+- SHA1_Init(md_ctx);
+- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
+
+ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
+ pad[i]=0x5c^keymd[i];
+- SHA1_Init(o_ctx);
+- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
++ SHA256_Init(o_ctx);
++ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
+ }
+
+-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
++static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
+ {
+- unsigned char buf[20];
++ unsigned char buf[SHA256_DIGEST_LENGTH];
+
+- SHA1_Final(buf,md_ctx);
+- SHA1_Update(o_ctx,buf,sizeof buf);
+- SHA1_Final(md,o_ctx);
++ SHA256_Final(buf,md_ctx);
++ SHA256_Update(o_ctx,buf,sizeof buf);
++ SHA256_Final(md,o_ctx);
+ }
+
+ #endif
+@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
+ int main(int argc,char **argv)
+ {
+ #ifdef OPENSSL_FIPS
+- static char key[]="etaonrishdlcupfm";
++ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
+ int n,binary=0;
+
+ if(argc < 2)
+@@ -125,8 +125,8 @@ int main(int argc,char **argv)
+ for(; n < argc ; ++n)
+ {
+ FILE *f=fopen(argv[n],"rb");
+- SHA_CTX md_ctx,o_ctx;
+- unsigned char md[20];
++ SHA256_CTX md_ctx,o_ctx;
++ unsigned char md[SHA256_DIGEST_LENGTH];
+ int i;
+
+ if(!f)
+@@ -139,7 +139,7 @@ int main(int argc,char **argv)
+ for( ; ; )
+ {
+ char buf[1024];
+- int l=fread(buf,1,sizeof buf,f);
++ size_t l=fread(buf,1,sizeof buf,f);
+
+ if(l == 0)
+ {
+@@ -151,18 +151,18 @@ int main(int argc,char **argv)
+ else
+ break;
+ }
+- SHA1_Update(&md_ctx,buf,l);
++ SHA256_Update(&md_ctx,buf,l);
+ }
+ hmac_final(md,&md_ctx,&o_ctx);
+
+ if (binary)
+ {
+- fwrite(md,20,1,stdout);
++ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
+ break; /* ... for single(!) file */
+ }
+
+- printf("HMAC-SHA1(%s)= ",argv[n]);
+- for(i=0 ; i < 20 ; ++i)
++/* printf("HMAC-SHA1(%s)= ",argv[n]); */
++ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
+ printf("%02x",md[i]);
+ printf("\n");
+ }
--- /dev/null
+diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c
+--- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100
++++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100
+@@ -59,6 +59,45 @@
+ #include <e_os.h>
+ #include <openssl/err.h>
+
++#ifdef OPENSSL_FIPS
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
++#include <errno.h>
++#include <stdlib.h>
++#include <openssl/fips.h>
++#include <openssl/evp.h>
++#include <openssl/rand.h>
++
++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++ {
++ char buf[2] = "0";
++ int fd;
++
++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
++ {
++ buf[0] = '1';
++ }
++ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
++ {
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
++ close(fd);
++ }
++ /* Failure reading the fips mode switch file means just not
++ * switching into FIPS mode. We would break too many things
++ * otherwise.
++ */
++
++ if (buf[0] == '1')
++ {
++ FIPS_mode_set(1);
++ }
++ }
++#endif
++
+ /* Perform any essential OpenSSL initialization operations.
+ * Currently only sets FIPS callbacks
+ */
+@@ -73,11 +112,10 @@ void OPENSSL_init(void)
+ #ifdef CRYPTO_MDEBUG
+ CRYPTO_malloc_debug_init();
+ #endif
+-#ifdef OPENSSL_ENGINE
++ init_fips_mode();
+ int_EVP_MD_init_engine_callbacks();
+ int_EVP_CIPHER_init_engine_callbacks();
+ int_RAND_init_engine_callbacks();
+-#endif
+ done = 1;
+ }
+ #endif
--- /dev/null
+Do not create a fipscanister.o, add the objects directly.
+diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile
+--- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100
++++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100
+@@ -142,8 +142,24 @@ lib: $(LIB)
+ if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi
+ @touch lib
+
+-$(LIB): $(FIPSLIBDIR)fipscanister.o
+- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
++$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS)
++ FIPS_ASM=""; \
++ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
++ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
++ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
++ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
++ if [ -n "$(CPUID_OBJ)" ]; then \
++ CPUID=../crypto/$(CPUID_OBJ) ; \
++ else \
++ CPUID="" ; \
++ fi ; \
++ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
++ for i in $(FIPS_OBJ_LISTS); do \
++ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
++ objs="$$objs `sed "$$script" $$i`"; \
++ done; \
++ objs="$$objs" ; \
++ $(AR) $(LIB) $$objs
+ $(RANLIB) $(LIB) || echo Never mind.
+
+ $(FIPSCANLIB): $(FIPSCANLOC)
--- /dev/null
+diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
+--- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100
++++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100
+@@ -5,6 +5,31 @@
+ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+ All rights reserved.
+
++ WARNING
++ -------
++
++ This version of OpenSSL is built in a way that supports operation in
++ the so called FIPS mode. Note though that the library as we build it
++ is not FIPS validated and the FIPS mode is present for testing purposes
++ only.
++
++ This version also contains a few differences from the upstream code
++ some of which are:
++ * The FIPS integrity verification check is implemented differently
++ from the upstream FIPS validated OpenSSL module. It verifies
++ HMAC-SHA256 checksum of the whole libcrypto shared library.
++ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
++ tries to initialize the FIPS mode if it is set to 1 aborting if the
++ FIPS mode could not be initialized. It is also possible to force the
++ OpenSSL library to FIPS mode especially for debugging purposes by
++ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
++ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
++ will not automatically load the built in compression method ZLIB
++ when initialized. Applications can still explicitely ask for ZLIB
++ compression method.
++ * There is added a support for EAP-FAST through TLS extension. This code
++ is backported from OpenSSL upstream development branch.
++
+ DESCRIPTION
+ -----------
+
-diff -up openssl-0.9.8g/Configure.redhat openssl-0.9.8g/Configure
---- openssl-0.9.8g/Configure.redhat 2007-09-16 14:24:17.000000000 +0200
-+++ openssl-0.9.8g/Configure 2007-12-03 13:16:08.000000000 +0100
-@@ -313,28 +313,28 @@ my %table=(
+diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
+--- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100
++++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100
+@@ -320,28 +320,28 @@ my %table=(
####
# *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate...
#### IA-32 targets...
"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+ "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
####
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# it's a real mess with -mcpu=ultrasparc option under Linux, but
# -Wa,-Av8plus should do the trick no matter what.
--"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# GCC 3.1 is a requirement
--"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -348,8 +348,8 @@ my %table=(
+@@ -355,8 +355,8 @@ my %table=(
#
# <appro@fy.chalmers.se>
#
--- /dev/null
+diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h
+--- openssl-0.9.8j/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100
++++ openssl-0.9.8j/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100
+@@ -83,7 +83,7 @@
+ * should only keep the versions that are binary compatible with the current.
+ */
+ #define SHLIB_VERSION_HISTORY ""
+-#define SHLIB_VERSION_NUMBER "0.9.8"
++#define SHLIB_VERSION_NUMBER "0.9.8j"
+
+
+ #endif /* HEADER_OPENSSLV_H */
this version to co-exist with another versions and have everything
work right.
-diff -up openssl-0.9.8g/Configure.soversion openssl-0.9.8g/Configure
---- openssl-0.9.8g/Configure.soversion 2007-12-03 14:41:19.000000000 +0100
-+++ openssl-0.9.8g/Configure 2007-12-03 14:41:19.000000000 +0100
+diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure
+--- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100
++++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100
@@ -1371,7 +1371,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
}
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{
-diff -up openssl-0.9.8g/Makefile.org.soversion openssl-0.9.8g/Makefile.org
---- openssl-0.9.8g/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100
-+++ openssl-0.9.8g/Makefile.org 2007-12-03 14:41:19.000000000 +0100
+diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org
+--- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100
++++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=
SHLIB_MINOR=
SHLIB_EXT=
-+SHLIB_SONAMEVER=7
++SHLIB_SONAMEVER=8
PLATFORM=dist
OPTIONS=
CONFIGURE_ARGS=
--- /dev/null
+Use fipscheck compatible way of verification of the integrity of the libcrypto
+shared library.
+diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
+--- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100
++++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100
+@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
+ if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+ LIBRARIES="-L$(TOP) -lfips"; \
+ elif [ -n "$(FIPSCANLIB)" ]; then \
+- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
+- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
++ LIBRARIES="$(LIBCRYPTO)"; \
+ fi; \
+ $(MAKE) -f $(TOP)/Makefile.shared -e \
+ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
+@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
+ shlib_target="$(SHLIB_TARGET)"; \
+ fi; \
+ LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
+- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
+- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
+- fi; \
+ [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
+ $(MAKE) -f $(TOP)/Makefile.shared -e \
+ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
+diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
+--- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100
++++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100
+@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
+ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+ $(AR) libcrypto.a fips/fipscanister.o ; \
+ else \
+- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
+- FIPSLD_CC=$(CC); CC=fips/fipsld; \
+- export CC FIPSLD_CC; \
+- fi; \
+ $(MAKE) -e SHLIBDIRS='crypto' build-shared; \
+ fi \
+ else \
+@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
+ fips/fipscanister.o: build_fips
+ libfips$(SHLIB_EXT): fips/fipscanister.o
+ @if [ "$(SHLIB_TARGET)" != "" ]; then \
+- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
+ $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+- CC=$${CC} LIBNAME=fips THIS=$@ \
++ CC=$(CC) LIBNAME=fips THIS=$@ \
+ LIBEXTRAS=fips/fipscanister.o \
+ LIBDEPS="$(EX_LIBS)" \
+ LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+@@ -469,7 +464,7 @@ openssl.pc: Makefile
+ echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+ echo 'Version: '$(VERSION); \
+ echo 'Requires: '; \
+- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
++ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
+ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+
+ Makefile: Makefile.org Configure config
+diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
+--- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
++++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100
+@@ -47,6 +47,7 @@
+ *
+ */
+
++#define _GNU_SOURCE
+
+ #include <openssl/rand.h>
+ #include <openssl/fips_rand.h>
+@@ -56,6 +57,9 @@
+ #include <openssl/rsa.h>
+ #include <string.h>
+ #include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
+ #include "fips_locl.h"
+
+ #ifdef OPENSSL_FIPS
+@@ -165,6 +169,7 @@ int FIPS_selftest()
+ && FIPS_selftest_dsa();
+ }
+
++#if 0
+ extern const void *FIPS_text_start(), *FIPS_text_end();
+ extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
+ unsigned char FIPS_signature [20] = { 0 };
+@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void)
+
+ return 1;
+ }
++#else
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
++{
++ Dl_info info;
++ void *dl, *sym;
++ int rv = -1;
++
++ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
++ if (dl == NULL) {
++ return -1;
++ }
++
++ sym = dlsym(dl, symbolname);
++
++ if (sym != NULL && dladdr(sym, &info)) {
++ strncpy(path, info.dli_fname, pathlen-1);
++ path[pathlen-1] = '\0';
++ rv = 0;
++ }
++
++ dlclose(dl);
++
++ return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *
++bin2hex(void *buf, size_t len)
++{
++ char *hex, *p;
++ unsigned char *src = buf;
++
++ hex = malloc(len * 2 + 1);
++ if (hex == NULL)
++ return NULL;
++
++ p = hex;
++
++ while (len > 0) {
++ unsigned c;
++
++ c = *src;
++ src++;
++
++ *p = conv[c >> 4];
++ ++p;
++ *p = conv[c & 0x0f];
++ ++p;
++ --len;
++ }
++ *p = '\0';
++ return hex;
++}
++
++#define HMAC_PREFIX "."
++#define HMAC_SUFFIX ".hmac"
++#define READ_BUFFER_LENGTH 16384
++
++static char *
++make_hmac_path(const char *origpath)
++{
++ char *path, *p;
++ const char *fn;
++
++ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++ if(path == NULL) {
++ return NULL;
++ }
++
++ fn = strrchr(origpath, '/');
++ if (fn == NULL) {
++ fn = origpath;
++ } else {
++ ++fn;
++ }
++
++ strncpy(path, origpath, fn-origpath);
++ p = path + (fn - origpath);
++ p = stpcpy(p, HMAC_PREFIX);
++ p = stpcpy(p, fn);
++ p = stpcpy(p, HMAC_SUFFIX);
++
++ return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int
++compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++ FILE *f = NULL;
++ int rv = -1;
++ unsigned char rbuf[READ_BUFFER_LENGTH];
++ size_t len;
++ unsigned int hlen;
++ HMAC_CTX c;
++
++ HMAC_CTX_init(&c);
++
++ f = fopen(path, "r");
++
++ if (f == NULL) {
++ goto end;
++ }
++
++ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
++
++ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++ HMAC_Update(&c, rbuf, len);
++ }
++
++ len = sizeof(rbuf);
++ /* reuse rbuf for hmac */
++ HMAC_Final(&c, rbuf, &hlen);
++
++ *buf = malloc(hlen);
++ if (*buf == NULL) {
++ goto end;
++ }
++
++ *hmaclen = hlen;
++
++ memcpy(*buf, rbuf, hlen);
++
++ rv = 0;
++end:
++ HMAC_CTX_cleanup(&c);
++
++ if (f)
++ fclose(f);
++
++ return rv;
++}
++
++static int
++FIPSCHECK_verify(const char *libname, const char *symbolname)
++{
++ char path[PATH_MAX+1];
++ int rv;
++ FILE *hf;
++ char *hmacpath, *p;
++ char *hmac = NULL;
++ size_t n;
++
++ rv = get_library_path(libname, symbolname, path, sizeof(path));
++
++ if (rv < 0)
++ return 0;
++
++ hmacpath = make_hmac_path(path);
++
++ hf = fopen(hmacpath, "r");
++ if (hf == NULL) {
++ free(hmacpath);
++ return 0;
++ }
++
++ if (getline(&hmac, &n, hf) > 0) {
++ void *buf;
++ size_t hmaclen;
++ char *hex;
++
++ if ((p=strchr(hmac, '\n')) != NULL)
++ *p = '\0';
++
++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++ rv = -4;
++ goto end;
++ }
++
++ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
++ free(buf);
++ rv = -5;
++ goto end;
++ }
++
++ if (strcmp(hex, hmac) != 0) {
++ rv = -1;
++ }
++ free(buf);
++ free(hex);
++ }
++
++end:
++ free(hmac);
++ free(hmacpath);
++ fclose(hf);
++
++ if (rv < 0)
++ return 0;
++
++ /* check successful */
++ return 1;
++}
++
++#endif
+
+ int FIPS_mode_set(int onoff)
+ {
+@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff)
+ }
+ #endif
+
+- if(fips_signature_witness() != FIPS_signature)
+- {
+- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
+- }
+-
+- if(!FIPS_check_incore_fingerprint())
++ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
+ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void)
+ return ret;
+ }
+
++#if 0
+ unsigned char *fips_signature_witness(void)
+ {
+ extern unsigned char FIPS_signature[];
+ return FIPS_signature;
+ }
++#endif
+
+ /* Generalized public key test routine. Signs and verifies the data
+ * supplied in tbs using mesage digest md and setting option digest
+diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
+--- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100
++++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100
+@@ -62,9 +62,9 @@ testapps:
+
+ all:
+ @if [ -z "$(FIPSLIBDIR)" ]; then \
+- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
++ $(MAKE) -e subdirs lib; \
+ else \
+- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
++ $(MAKE) -e lib; \
+ fi
+
+ # Idea behind fipscanister.o is to "seize" the sequestered code between
+@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
+ HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
+ *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
+ esac fi
+- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+
+ # If another exception is immediately required, assign approprite
+ # site-specific ld command to FIPS_SITE_LD environment variable.
+@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
+ $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
+ @touch lib
+
+-shared: lib subdirs fips_premain_dso$(EXE_EXT)
++shared: lib subdirs
+
+ libs:
+ @target=lib; $(RECURSIVE_MAKE)
+@@ -195,10 +194,6 @@ install:
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+ @target=install; $(RECURSIVE_MAKE)
+- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
+- fips_premain.c.sha1 \
+- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
+- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
+
+ lint:
+ @target=lint; $(RECURSIVE_MAKE)
+diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h
+--- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200
++++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100
+@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
+ int fips_set_owning_thread(void);
+ void fips_set_selftest_fail(void);
+ int fips_clear_owning_thread(void);
++#if 0
+ unsigned char *fips_signature_witness(void);
++#endif
+
+ #define FIPS_MAX_CIPHER_TEST_SIZE 16
+
-List the compiled-in hardware support when passed the -a flag.
-
---- openssl-0.9.7-beta5/apps/version.c 2002-12-03 11:34:28.000000000 -0500
-+++ openssl-0.9.7-beta5/apps/version.c 2002-12-11 19:29:10.000000000 -0500
-@@ -130,6 +130,7 @@
+diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
+--- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200
++++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100
+@@ -131,6 +131,7 @@
#ifndef OPENSSL_NO_BF
# include <openssl/blowfish.h>
#endif
#undef PROG
#define PROG version_main
-@@ -139,7 +140,7 @@
+@@ -140,7 +141,7 @@ int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
int i,ret=0;
apps_startup();
-@@ -163,7 +164,7 @@
+@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
else if (strcmp(argv[i],"-d") == 0)
dir=1;
else if (strcmp(argv[i],"-a") == 0)
+ date=version=cflags=options=platform=dir=engines=1;
else
{
- BIO_printf(bio_err,"usage:version -[avbofp]\n");
-@@ -198,6 +199,18 @@
+ BIO_printf(bio_err,"usage:version -[avbofpd]\n");
+@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
}
if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR));
git.annexia.org / fedora-mingw.git / commitdiff