From 7012f6a5705c6d5ac1a7bf8dad6ebb2ed2261019 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] Moved to Fedora. --- openssl/Makefile.certificate | 74 ---- openssl/hobble-openssl | 45 -- openssl/make-dummy-cert | 28 -- openssl/mingw32-openssl-0.9.8g-global.patch | 16 - openssl/mingw32-openssl-0.9.8g-sfx.patch | 14 - openssl/mingw32-openssl-0.9.8j-configure.patch | 16 - openssl/mingw32-openssl-0.9.8j-header-files.patch | 141 ------ openssl/mingw32-openssl-0.9.8j-shared.patch | 20 - openssl/mingw32-openssl.spec | 342 --------------- openssl/openssl-0.9.6-x509.patch | 29 -- openssl/openssl-0.9.8a-defaults.patch | 50 --- openssl/openssl-0.9.8a-link-krb5.patch | 11 - openssl/openssl-0.9.8a-no-rpath.patch | 11 - openssl/openssl-0.9.8a-reuse-cipher-change.patch | 20 - openssl/openssl-0.9.8b-aliasing-bug.patch | 24 - openssl/openssl-0.9.8b-test-use-localhost.patch | 24 - openssl/openssl-0.9.8b-x509-name-cmp.patch | 18 - openssl/openssl-0.9.8g-default-paths.patch | 77 ---- openssl/openssl-0.9.8g-ia64.patch | 19 - openssl/openssl-0.9.8g-ipv6-apps.patch | 507 ---------------------- openssl/openssl-0.9.8g-no-extssl.patch | 27 -- openssl/openssl-0.9.8j-bad-mime.patch | 14 - openssl/openssl-0.9.8j-ca-dir.patch | 36 -- openssl/openssl-0.9.8j-eap-fast.patch | 378 ---------------- openssl/openssl-0.9.8j-enginesdir.patch | 40 -- openssl/openssl-0.9.8j-env-nozlib.patch | 13 - openssl/openssl-0.9.8j-evp-nonfips.patch | 127 ------ openssl/openssl-0.9.8j-fips-no-pairwise.patch | 24 - openssl/openssl-0.9.8j-fipscheck-hmac.patch | 125 ------ openssl/openssl-0.9.8j-kernel-fipsmode.patch | 62 --- openssl/openssl-0.9.8j-nocanister.patch | 31 -- openssl/openssl-0.9.8j-readme-warning.patch | 35 -- openssl/openssl-0.9.8j-redhat.patch | 53 --- openssl/openssl-0.9.8j-shlib-version.patch | 12 - openssl/openssl-0.9.8j-soversion.patch | 49 --- openssl/openssl-0.9.8j-use-fipscheck.patch | 384 ---------------- openssl/openssl-0.9.8j-version-add-engines.patch | 48 -- openssl/openssl-thread-test.c | 400 ----------------- openssl/opensslconf-new-warning.h | 7 - openssl/opensslconf-new.h | 34 -- 40 files changed, 3385 deletions(-) delete mode 100644 openssl/Makefile.certificate delete mode 100755 openssl/hobble-openssl delete mode 100755 openssl/make-dummy-cert delete mode 100644 openssl/mingw32-openssl-0.9.8g-global.patch delete mode 100644 openssl/mingw32-openssl-0.9.8g-sfx.patch delete mode 100644 openssl/mingw32-openssl-0.9.8j-configure.patch delete mode 100644 openssl/mingw32-openssl-0.9.8j-header-files.patch delete mode 100644 openssl/mingw32-openssl-0.9.8j-shared.patch delete mode 100644 openssl/mingw32-openssl.spec delete mode 100644 openssl/openssl-0.9.6-x509.patch delete mode 100644 openssl/openssl-0.9.8a-defaults.patch delete mode 100644 openssl/openssl-0.9.8a-link-krb5.patch delete mode 100644 openssl/openssl-0.9.8a-no-rpath.patch delete mode 100644 openssl/openssl-0.9.8a-reuse-cipher-change.patch delete mode 100644 openssl/openssl-0.9.8b-aliasing-bug.patch delete mode 100644 openssl/openssl-0.9.8b-test-use-localhost.patch delete mode 100644 openssl/openssl-0.9.8b-x509-name-cmp.patch delete mode 100644 openssl/openssl-0.9.8g-default-paths.patch delete mode 100644 openssl/openssl-0.9.8g-ia64.patch delete mode 100644 openssl/openssl-0.9.8g-ipv6-apps.patch delete mode 100644 openssl/openssl-0.9.8g-no-extssl.patch delete mode 100644 openssl/openssl-0.9.8j-bad-mime.patch delete mode 100644 openssl/openssl-0.9.8j-ca-dir.patch delete mode 100644 openssl/openssl-0.9.8j-eap-fast.patch delete mode 100644 openssl/openssl-0.9.8j-enginesdir.patch delete mode 100644 openssl/openssl-0.9.8j-env-nozlib.patch delete mode 100644 openssl/openssl-0.9.8j-evp-nonfips.patch delete mode 100644 openssl/openssl-0.9.8j-fips-no-pairwise.patch delete mode 100644 openssl/openssl-0.9.8j-fipscheck-hmac.patch delete mode 100644 openssl/openssl-0.9.8j-kernel-fipsmode.patch delete mode 100644 openssl/openssl-0.9.8j-nocanister.patch delete mode 100644 openssl/openssl-0.9.8j-readme-warning.patch delete mode 100644 openssl/openssl-0.9.8j-redhat.patch delete mode 100644 openssl/openssl-0.9.8j-shlib-version.patch delete mode 100644 openssl/openssl-0.9.8j-soversion.patch delete mode 100644 openssl/openssl-0.9.8j-use-fipscheck.patch delete mode 100644 openssl/openssl-0.9.8j-version-add-engines.patch delete mode 100644 openssl/openssl-thread-test.c delete mode 100644 openssl/opensslconf-new-warning.h delete mode 100644 openssl/opensslconf-new.h diff --git a/openssl/Makefile.certificate b/openssl/Makefile.certificate deleted file mode 100644 index bf3dc21..0000000 --- a/openssl/Makefile.certificate +++ /dev/null @@ -1,74 +0,0 @@ -UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8) -SERIAL=0 - -.PHONY: usage -.SUFFIXES: .key .csr .crt .pem -.PRECIOUS: %.key %.csr %.crt %.pem - -usage: - @echo "This makefile allows you to create:" - @echo " o public/private key pairs" - @echo " o SSL certificate signing requests (CSRs)" - @echo " o self-signed SSL test certificates" - @echo - @echo "To create a key pair, run \"make SOMETHING.key\"." - @echo "To create a CSR, run \"make SOMETHING.csr\"." - @echo "To create a test certificate, run \"make SOMETHING.crt\"." - @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"." - @echo - @echo "To create a key for use with Apache, run \"make genkey\"." - @echo "To create a CSR for use with Apache, run \"make certreq\"." - @echo "To create a test certificate for use with Apache, run \"make testcert\"." - @echo - @echo "To create a test certificate with serial number other than zero, add SERIAL=num" - @echo - @echo Examples: - @echo " make server.key" - @echo " make server.csr" - @echo " make server.crt" - @echo " make stunnel.pem" - @echo " make genkey" - @echo " make certreq" - @echo " make testcert" - @echo " make server.crt SERIAL=1" - @echo " make stunnel.pem SERIAL=2" - @echo " make testcert SERIAL=3" - -%.pem: - umask 77 ; \ - PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ - PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ - /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \ - cat $$PEM1 > $@ ; \ - echo "" >> $@ ; \ - cat $$PEM2 >> $@ ; \ - $(RM) $$PEM1 $$PEM2 - -%.key: - umask 77 ; \ - /usr/bin/openssl genrsa -des3 1024 > $@ - -%.csr: %.key - umask 77 ; \ - /usr/bin/openssl req $(UTF8) -new -key $^ -out $@ - -%.crt: %.key - umask 77 ; \ - /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL) - -TLSROOT=/etc/pki/tls -KEY=$(TLSROOT)/private/localhost.key -CSR=$(TLSROOT)/certs/localhost.csr -CRT=$(TLSROOT)/certs/localhost.crt - -genkey: $(KEY) -certreq: $(CSR) -testcert: $(CRT) - -$(CSR): $(KEY) - umask 77 ; \ - /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR) - -$(CRT): $(KEY) - umask 77 ; \ - /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL) diff --git a/openssl/hobble-openssl b/openssl/hobble-openssl deleted file mode 100755 index de0490f..0000000 --- a/openssl/hobble-openssl +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/sh - -# Quit out if anything fails. -set -e - -# Clean out patent-or-otherwise-encumbered code. -# MDC-2: 4,908,861 13/03/2007 -# IDEA: 5,214,703 25/05/2010 -# RC5: 5,724,428 03/03/2015 -# EC: ????????? ??/??/2015 - -# Remove assembler portions of IDEA, MDC2, and RC5. -(find crypto/{idea,mdc2,rc5}/asm -type f | xargs -r rm -fv) - -# IDEA, MDC2, RC5, EC. -for a in idea mdc2 rc5 ec ecdh ecdsa; do - for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do - echo Destroying $c - > $c - done -done - -for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_mdc2.c" -o -name "*_ecdsa.c"`; do - echo Destroying $c - > $c -done - -for h in `find crypto ssl apps test -name "*.h"` ; do - echo Removing IDEA, MDC2, RC5, and EC references from $h - cat $h | \ - awk 'BEGIN {ech=1;} \ - /^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \ - /^#[ \t]*ifndef.*NO_MDC2/ {ech--; next;} \ - /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \ - /^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \ - /^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \ - /^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \ - /^#[ \t]*if/ {if(ech < 1) ech--;} \ - {if(ech>0) {;print $0};} \ - /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \ - mv $h.hobbled $h -done - -# Make the makefiles happy. -touch crypto/rc5/asm/rc5-586.pl diff --git a/openssl/make-dummy-cert b/openssl/make-dummy-cert deleted file mode 100755 index 3aff5be..0000000 --- a/openssl/make-dummy-cert +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh -umask 077 - -answers() { - echo -- - echo SomeState - echo SomeCity - echo SomeOrganization - echo SomeOrganizationalUnit - echo localhost.localdomain - echo root@localhost.localdomain -} - -if [ $# -eq 0 ] ; then - echo $"Usage: `basename $0` filename [...]" - exit 0 -fi - -for target in $@ ; do - PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` - PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` - trap "rm -f $PEM1 $PEM2" SIGINT - answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null - cat $PEM1 > ${target} - echo "" >> ${target} - cat $PEM2 >> ${target} - rm -f $PEM1 $PEM2 -done diff --git a/openssl/mingw32-openssl-0.9.8g-global.patch b/openssl/mingw32-openssl-0.9.8g-global.patch deleted file mode 100644 index 814fb46..0000000 --- a/openssl/mingw32-openssl-0.9.8g-global.patch +++ /dev/null @@ -1,16 +0,0 @@ -Fix global variable macros. - - - RWMJ 2008-09-30 - -diff -ur openssl-0.9.8g.orig/e_os2.h openssl-0.9.8g.mingw/e_os2.h ---- openssl-0.9.8g.orig/e_os2.h 2005-12-18 18:57:07.000000000 +0000 -+++ openssl-0.9.8g.mingw/e_os2.h 2008-09-30 14:27:53.000000000 +0100 -@@ -264,7 +264,7 @@ - # define OPENSSL_IMPLEMENT_GLOBAL(type,name) \ - extern type _hide_##name; \ - type *_shadow_##name(void) { return &_hide_##name; } \ -- static type _hide_##name -+ type _hide_##name - # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void) - # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name())) - #else diff --git a/openssl/mingw32-openssl-0.9.8g-sfx.patch b/openssl/mingw32-openssl-0.9.8g-sfx.patch deleted file mode 100644 index 332a926..0000000 --- a/openssl/mingw32-openssl-0.9.8g-sfx.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- openssl-0.9.8g.orig/engines/Makefile 2006-02-04 01:49:34.000000000 +0000 -+++ openssl-0.9.8g.mingw/engines/Makefile 2008-09-30 20:05:30.000000000 +0100 -@@ -91,7 +91,10 @@ - set -e; \ - for l in $(LIBNAMES); do \ - ( echo installing $$l; \ -- if [ "$(PLATFORM)" != "Cygwin" ]; then \ -+ if [ "$(PLATFORM)" = "mingw" ]; then \ -+ sfx=dll; \ -+ cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \ -+ elif [ "$(PLATFORM)" != "Cygwin" ]; then \ - case "$(CFLAGS)" in \ - *DSO_DLFCN*) sfx="so";; \ - *DSO_DL*) sfx="sl";; \ diff --git a/openssl/mingw32-openssl-0.9.8j-configure.patch b/openssl/mingw32-openssl-0.9.8j-configure.patch deleted file mode 100644 index 73feff1..0000000 --- a/openssl/mingw32-openssl-0.9.8j-configure.patch +++ /dev/null @@ -1,16 +0,0 @@ -The 'mingw' target to Configure has some problems with cross-compilation. - - - RWMJ 2008-09-30 - -diff -ur openssl-0.9.8g.orig/Configure openssl-0.9.8g.mingw/Configure ---- openssl-0.9.8g.orig/Configure 2008-09-30 14:16:16.000000000 +0100 -+++ openssl-0.9.8g.mingw/Configure 2008-09-30 14:59:34.000000000 +0100 -@@ -468,7 +468,7 @@ - "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32", - - # MinGW --"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a", -+"mingw", "MINGW32_CC:-DL_ENDIAN -Wall MINGW32_CFLAGS -D_WIN32_WINNT=0x333 -DMK1MF_BUILD:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-shared:.dll.a:MINGW32_RANLIB", - - # UWIN - "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32", diff --git a/openssl/mingw32-openssl-0.9.8j-header-files.patch b/openssl/mingw32-openssl-0.9.8j-header-files.patch deleted file mode 100644 index 55d1203..0000000 --- a/openssl/mingw32-openssl-0.9.8j-header-files.patch +++ /dev/null @@ -1,141 +0,0 @@ ---- ./crypto/seed/seed_ecb.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200 -+++ ./crypto/seed/seed_ecb.c 2009-02-02 18:28:55.000000000 +0100 -@@ -49,7 +49,7 @@ - * - */ - --#include -+#include "seed.h" - - void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, const SEED_KEY_SCHEDULE *ks, int enc) - { ---- ./crypto/seed/seed_locl.h.mingw-header-files 2009-02-02 18:28:48.000000000 +0100 -+++ ./crypto/seed/seed_locl.h 2009-02-02 18:28:55.000000000 +0100 -@@ -27,7 +27,7 @@ - #define HEADER_SEED_LOCL_H - - #include "openssl/e_os2.h" --#include -+#include "seed.h" - - - #ifdef SEED_LONG /* need 32-bit type */ ---- ./crypto/seed/seed.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200 -+++ ./crypto/seed/seed.c 2009-02-02 18:28:55.000000000 +0100 -@@ -32,7 +32,7 @@ - #include - #endif - --#include -+#include "seed.h" - #include "seed_locl.h" - - static seed_word SS[4][256] = { { ---- ./crypto/camellia/cmll_cbc.c.mingw-header-files 2006-12-02 13:00:27.000000000 +0100 -+++ ./crypto/camellia/cmll_cbc.c 2009-02-02 18:28:54.000000000 +0100 -@@ -58,7 +58,7 @@ - #include - #include - --#include -+#include "camellia.h" - #include "cmll_locl.h" - - void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, ---- ./crypto/camellia/cmll_cfb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 -+++ ./crypto/camellia/cmll_cfb.c 2009-02-02 18:28:54.000000000 +0100 -@@ -113,7 +113,7 @@ - #include - #include - --#include -+#include "camellia.h" - #include "cmll_locl.h" - #include "e_os.h" - ---- ./crypto/camellia/cmll_ofb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 -+++ ./crypto/camellia/cmll_ofb.c 2009-02-02 18:28:55.000000000 +0100 -@@ -111,7 +111,7 @@ - # endif - #endif - #include --#include -+#include "camellia.h" - #include "cmll_locl.h" - - /* The input and output encrypted as though 128bit ofb mode is being ---- ./crypto/camellia/cmll_misc.c.mingw-header-files 2009-02-02 18:29:19.000000000 +0100 -+++ ./crypto/camellia/cmll_misc.c 2009-02-02 18:29:32.000000000 +0100 -@@ -50,7 +50,7 @@ - */ - - #include --#include -+#include "camellia.h" - #include "cmll_locl.h" - #include - #ifdef OPENSSL_FIPS ---- ./crypto/camellia/cmll_ecb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 -+++ ./crypto/camellia/cmll_ecb.c 2009-02-02 18:28:54.000000000 +0100 -@@ -56,7 +56,7 @@ - #endif - #include - --#include -+#include "camellia.h" - #include "cmll_locl.h" - - void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out, ---- ./crypto/camellia/cmll_ctr.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 -+++ ./crypto/camellia/cmll_ctr.c 2009-02-02 18:28:54.000000000 +0100 -@@ -56,7 +56,7 @@ - #endif - #include - --#include -+#include "camellia.h" - #include "cmll_locl.h" - - /* NOTE: the IV/counter CTR mode is big-endian. The rest of the Camellia code ---- ./crypto/evp/e_seed.c.mingw-header-files 2007-07-04 14:56:32.000000000 +0200 -+++ ./crypto/evp/e_seed.c 2009-02-02 18:28:55.000000000 +0100 -@@ -59,7 +59,7 @@ - #include - #include - #ifndef OPENSSL_NO_SEED --#include -+#include "../seed/seed.h" - #include "evp_locl.h" - - static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); ---- ./crypto/evp/e_camellia.c.mingw-header-files 2008-09-21 12:24:08.000000000 +0200 -+++ ./crypto/evp/e_camellia.c 2009-02-02 18:28:55.000000000 +0100 -@@ -59,7 +59,7 @@ - #include - #include - #include --#include -+#include "../camellia/camellia.h" - #include "evp_locl.h" - - static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ---- ./apps/speed.c.mingw-header-files 2009-01-07 11:48:22.000000000 +0100 -+++ ./apps/speed.c 2009-02-02 18:28:54.000000000 +0100 -@@ -165,7 +165,7 @@ - #include - #endif - #ifndef OPENSSL_NO_CAMELLIA --#include -+#include "../crypto/camellia/camellia.h" - #endif - #ifndef OPENSSL_NO_MD2 - #include -@@ -202,7 +202,7 @@ - #include - #endif - #ifndef OPENSSL_NO_SEED --#include -+#include "../crypto/seed/seed.h" - #endif - #ifndef OPENSSL_NO_BF - #include diff --git a/openssl/mingw32-openssl-0.9.8j-shared.patch b/openssl/mingw32-openssl-0.9.8j-shared.patch deleted file mode 100644 index c1ea4bf..0000000 --- a/openssl/mingw32-openssl-0.9.8j-shared.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- ./Makefile.shared.lfarkas 2009-01-28 16:39:05.000000000 +0100 -+++ ./Makefile.shared 2009-01-28 16:41:51.000000000 +0100 -@@ -238,7 +238,7 @@ - SHLIB=cyg$(LIBNAME); \ - base=-Wl,--enable-auto-image-base; \ - if expr $(PLATFORM) : 'mingw' > /dev/null; then \ -- SHLIB=$(LIBNAME)eay32; base=; \ -+ SHLIB=lib$(LIBNAME); base=; \ - fi; \ - SHLIB_SUFFIX=.dll; \ - LIBVERSION="$(LIBVERSION)"; \ -@@ -253,7 +253,7 @@ - SHLIB=cyg$(LIBNAME); \ - base=-Wl,--enable-auto-image-base; \ - if expr $(PLATFORM) : 'mingw' > /dev/null; then \ -- SHLIB=$(LIBNAME)eay32; \ -+ SHLIB=lib$(LIBNAME); \ - base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \ - fi; \ - SHLIB_SUFFIX=.dll; \ diff --git a/openssl/mingw32-openssl.spec b/openssl/mingw32-openssl.spec deleted file mode 100644 index bc1b081..0000000 --- a/openssl/mingw32-openssl.spec +++ /dev/null @@ -1,342 +0,0 @@ -%define __strip %{_mingw32_strip} -%define __objdump %{_mingw32_objdump} -%define _use_internal_dependency_generator 0 -%define __find_requires %{_mingw32_findrequires} -%define __find_provides %{_mingw32_findprovides} - -# For the curious: -# 0.9.5a soversion = 0 -# 0.9.6 soversion = 1 -# 0.9.6a soversion = 2 -# 0.9.6c soversion = 3 -# 0.9.7a soversion = 4 -# 0.9.7ef soversion = 5 -# 0.9.8ab soversion = 6 -# 0.9.8g soversion = 7 -# 0.9.8j + EAP-FAST soversion = 8 -%define soversion 8 - -# Enable the tests. -# These only work some of the time, but fail randomly at other times -# (although I have had them complete a few times, so I don't think -# there is any actual problem with the binaries). -%define run_tests 0 - -# Number of threads to spawn when testing some threading fixes. -%define thread_test_threads %{?threads:%{threads}}%{!?threads:1} - -Name: mingw32-openssl -Version: 0.9.8j -Release: 2%{?dist} -Summary: MinGW port of the OpenSSL toolkit - -License: OpenSSL -Group: Development/Libraries -URL: http://www.openssl.org/ - -# Use the hobble-openssl script to create the source file. -Source0: openssl-%{version}-usa.tar.bz2 - -Source1: hobble-openssl -Source2: Makefile.certificate -Source6: make-dummy-cert -Source8: openssl-thread-test.c -Source9: opensslconf-new.h -Source10: opensslconf-new-warning.h - -# Patches from Fedora native package. -# Build changes -Patch0: openssl-0.9.8j-redhat.patch -Patch1: openssl-0.9.8a-defaults.patch -Patch2: openssl-0.9.8a-link-krb5.patch -Patch3: openssl-0.9.8j-soversion.patch -Patch4: openssl-0.9.8j-enginesdir.patch -Patch5: openssl-0.9.8a-no-rpath.patch -Patch6: openssl-0.9.8b-test-use-localhost.patch -Patch7: openssl-0.9.8j-shlib-version.patch -# Bug fixes -Patch21: openssl-0.9.8b-aliasing-bug.patch -Patch22: openssl-0.9.8b-x509-name-cmp.patch -Patch23: openssl-0.9.8g-default-paths.patch -Patch24: openssl-0.9.8g-no-extssl.patch -# Functionality changes -Patch32: openssl-0.9.8g-ia64.patch -Patch33: openssl-0.9.8j-ca-dir.patch -Patch34: openssl-0.9.6-x509.patch -Patch35: openssl-0.9.8j-version-add-engines.patch -Patch38: openssl-0.9.8a-reuse-cipher-change.patch -# Disabled this because it uses getaddrinfo which is lacking on Windows. -#Patch39: openssl-0.9.8g-ipv6-apps.patch -Patch40: openssl-0.9.8j-nocanister.patch -Patch41: openssl-0.9.8j-use-fipscheck.patch -Patch42: openssl-0.9.8j-fipscheck-hmac.patch -Patch43: openssl-0.9.8j-evp-nonfips.patch -Patch44: openssl-0.9.8j-kernel-fipsmode.patch -Patch45: openssl-0.9.8j-env-nozlib.patch -Patch46: openssl-0.9.8j-eap-fast.patch -Patch47: openssl-0.9.8j-readme-warning.patch -Patch48: openssl-0.9.8j-bad-mime.patch -Patch49: openssl-0.9.8j-fips-no-pairwise.patch -# Backported fixes including security fixes - -# MinGW-specific patches. -Patch100: mingw32-openssl-0.9.8j-header-files.patch -Patch101: mingw32-openssl-0.9.8j-configure.patch -Patch102: mingw32-openssl-0.9.8j-shared.patch -Patch103: mingw32-openssl-0.9.8g-global.patch -Patch104: mingw32-openssl-0.9.8g-sfx.patch - -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - -BuildArch: noarch - -BuildRequires: mingw32-filesystem >= 40 -BuildRequires: mingw32-gcc -BuildRequires: mingw32-binutils - -BuildRequires: mingw32-zlib -BuildRequires: mingw32-pthreads - -BuildRequires: mktemp -#BuildRequires: krb5-devel -BuildRequires: perl -BuildRequires: sed -BuildRequires: /usr/bin/cmp -BuildRequires: /usr/bin/rename - -# XXX Not really sure about this one. The build script uses -# /usr/bin/makedepend which comes from imake. -BuildRequires: imake - -%if %{run_tests} -# Required both to build, and to run the tests. -# XXX This needs to be fixed - cross-compilation should not -# require running executables. -BuildRequires: wine - -# Required to run the tests. -BuildRequires: xorg-x11-server-Xvfb -%endif - -#Requires: ca-certificates >= 2008-5 -Requires: pkgconfig - - -%description -The OpenSSL toolkit provides support for secure communications between -machines. OpenSSL includes a certificate management tool and shared -libraries which provide various cryptographic algorithms and -protocols. - -This package contains Windows (MinGW) libraries and development tools. - - -%prep -%setup -q -n openssl-%{version} - -%{SOURCE1} > /dev/null -%patch0 -p1 -b .redhat -%patch1 -p1 -b .defaults -# Fix link line for libssl (bug #111154). -%patch2 -p1 -b .krb5 -%patch3 -p1 -b .soversion -%patch4 -p1 -b .enginesdir -%patch5 -p1 -b .no-rpath -%patch6 -p1 -b .use-localhost -%patch7 -p1 -b .shlib-version - -%patch21 -p1 -b .aliasing-bug -%patch22 -p1 -b .name-cmp -%patch23 -p1 -b .default-paths -%patch24 -p1 -b .no-extssl - -%patch32 -p1 -b .ia64 -#patch33 is applied after make test -%patch34 -p1 -b .x509 -%patch35 -p1 -b .version-add-engines -%patch38 -p1 -b .cipher-change -#%patch39 -p1 -b .ipv6-apps -%patch40 -p1 -b .nocanister -%patch41 -p1 -b .use-fipscheck -%patch42 -p1 -b .fipscheck-hmac -%patch43 -p1 -b .evp-nonfips -%patch44 -p1 -b .fipsmode -%patch45 -p1 -b .env-nozlib -%patch46 -p1 -b .eap-fast -%patch47 -p1 -b .warning -%patch48 -p1 -b .bad-mime -%patch49 -p1 -b .no-pairwise - -%patch100 -p1 -b .mingw-header-files -%patch101 -p1 -b .mingw-configure -%patch102 -p1 -b .mingw-shared -%patch103 -p1 -b .mingw-global -%patch104 -p1 -b .mingw-sfx - -# Modify the various perl scripts to reference perl in the right location. -perl util/perlpath.pl `dirname %{__perl}` - -# Generate a table with the compile settings for my perusal. -touch Makefile -make TABLE PERL=%{__perl} - -%build -# NB: 'no-hw' is vital. MinGW cannot build the hardware drivers -# and if you don't have this you'll get an obscure link error. -%{_mingw32_env}; \ -sed -i -e "s/MINGW32_CC/%{_mingw32_cc}/" -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" -e "s/MINGW32_RANLIB/%{_mingw32_ranlib}/" Configure; \ -./Configure \ - --prefix=%{_mingw32_prefix} \ - --openssldir=%{_mingw32_sysconfdir}/pki/tls \ - zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ - no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-hw shared \ - --enginesdir=%{_mingw32_libdir}/openssl/engines \ - mingw -# --with-krb5-flavor=MIT -# -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib} -%{_mingw32_make} depend -%{_mingw32_make} all build-shared - -# Generate hashes for the included certs. -%{_mingw32_make} rehash build-shared - -%if %{run_tests} -#---------------------------------------------------------------------- -# Run some tests. I don't know why this isn't in a %-check section -# but this is how it is in the native RPM. - -# This is a bit of a hack, but the test scripts look for 'openssl' -# by name. -pushd apps -ln -s openssl.exe openssl -popd - -# This is useful for diagnosing Wine problems. -WINEDEBUG=+loaddll -export WINEDEBUG - -# Make sure we can find the installed DLLs. -WINEDLLPATH=%{_mingw32_bindir} -export WINEDLLPATH - -# The tests run Wine and require an X server (but don't really use -# it). Therefore we create a virtual framebuffer for the duration of -# the tests. -# XXX There is no good way to choose a random, unused display. -# XXX Setting depth to 24 bits avoids bug 458219. -unset DISPLAY -display=:21 -Xvfb $display -screen 0 1024x768x24 -ac -noreset & xpid=$! -trap "kill -TERM $xpid ||:" EXIT -sleep 3 -DISPLAY=$display -export DISPLAY - -%{_mingw32_make} LDCMD=%{_mingw32_cc} -C test apps tests - -# Disable this thread test, because we don't have pthread on Windows. -%{_mingw32_cc} -o openssl-thread-test \ - -I./include \ - %-{_mingw32_cflags} \ - %-{SOURCE8} \ - -L. \ - -lssl -lcrypto \ - -lpthread -lz -ldl - -## `krb5-config --cflags` -## `krb5-config --libs` -# -./openssl-thread-test --threads %{thread_test_threads} - -#---------------------------------------------------------------------- -%endif - -# Patch33 must be patched after tests otherwise they will fail -patch -p1 -b -z .ca-dir < %{PATCH33} - -# Add generation of HMAC checksum of the final stripped library -#%define __spec_install_post \ -# %{?__debug_package:%{__debug_install_post}} \ -# %{__arch_install_post} \ -# %{__os_install_post} \ -# fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \ -# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \ -#%{nil} - -if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then - iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \ - mv -f CHANGES.utf8 CHANGES -fi - - -%install -rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir} -mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}/openssl -mkdir -p $RPM_BUILD_ROOT%{_mingw32_bindir} -mkdir -p $RPM_BUILD_ROOT%{_mingw32_includedir} -mkdir -p $RPM_BUILD_ROOT%{_mingw32_mandir} -make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared - -# Install the actual DLLs. -install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} -install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} - -# Remove static libraries but DON'T remove *.dll.a files. -rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.a -rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.a - -# I have no idea why it installs the manpages in /etc, but -# we remove them anyway. -rm -r $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/man - -# Set permissions on lib*.dll.a so that strip works. -chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.dll.a -chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.dll.a - -# Install a makefile for generating keys and self-signed certs, and a script -# for generating them on the fly. -mkdir -p $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs -install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/Makefile -install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert - -# Pick a CA script. -pushd $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/misc -mv CA.sh CA -popd - -mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA -mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA/private - -%clean -rm -rf $RPM_BUILD_ROOT - - -%files -%defattr(-,root,root) -%doc LICENSE -%{_mingw32_bindir}/openssl.exe -%{_mingw32_bindir}/c_rehash -%{_mingw32_bindir}/libcrypto-%{soversion}.dll -%{_mingw32_bindir}/libssl-%{soversion}.dll -#{_mingw32_bindir}/.libcrypto*.hmac -%{_mingw32_libdir}/libcrypto.dll.a -%{_mingw32_libdir}/libssl.dll.a -%{_mingw32_libdir}/engines -%{_mingw32_libdir}/pkgconfig/*.pc -%{_mingw32_includedir}/openssl -%config(noreplace) %{_mingw32_sysconfdir}/pki - - -%changelog -* Mon Feb 2 2009 Levente Farkas - 0.9.8j-2 -- Various build fixes. - -* Wed Jan 28 2009 Levente Farkas - 0.9.8j-1 -- update to new upstream version. - -* Mon Dec 29 2008 Levente Farkas - 0.9.8g-2 -- minor cleanup. - -* Tue Sep 30 2008 Richard W.M. Jones - 0.9.8g-1 -- Initial RPM release. diff --git a/openssl/openssl-0.9.6-x509.patch b/openssl/openssl-0.9.6-x509.patch deleted file mode 100644 index 7b3f49f..0000000 --- a/openssl/openssl-0.9.6-x509.patch +++ /dev/null @@ -1,29 +0,0 @@ -Do not treat duplicate certs as an error. - ---- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000 -+++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000 -@@ -163,8 +163,12 @@ - } - } - i=X509_STORE_add_cert(ctx->store_ctx,x); -- if (!i) goto err; -- count++; -+ /* ignore any problems with current certificate -+ and continue with the next one */ -+ if (i) -+ count++; -+ else -+ ERR_clear_error(); - X509_free(x); - x=NULL; - } -@@ -179,7 +183,8 @@ - goto err; - } - i=X509_STORE_add_cert(ctx->store_ctx,x); -- if (!i) goto err; -+ if (!i) -+ ERR_clear_error(); - ret=i; - } - else diff --git a/openssl/openssl-0.9.8a-defaults.patch b/openssl/openssl-0.9.8a-defaults.patch deleted file mode 100644 index 5a4db7b..0000000 --- a/openssl/openssl-0.9.8a-defaults.patch +++ /dev/null @@ -1,50 +0,0 @@ ---- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200 -+++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100 -@@ -99,6 +99,7 @@ - #################################################################### - [ req ] - default_bits = 1024 -+default_md = sha1 - default_keyfile = privkey.pem - distinguished_name = req_distinguished_name - attributes = req_attributes -@@ -116,23 +117,26 @@ - # MASK:XXXX a literal mask value. - # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings - # so use this option with caution! --string_mask = nombstr -+# we use PrintableString+UTF8String mask so if pure ASCII texts are used -+# the resulting certificates are compatible with Netscape -+string_mask = MASK:0x2002 - - # req_extensions = v3_req # The extensions to add to a certificate request - - [ req_distinguished_name ] - countryName = Country Name (2 letter code) --countryName_default = AU -+countryName_default = GB - countryName_min = 2 - countryName_max = 2 - - stateOrProvinceName = State or Province Name (full name) --stateOrProvinceName_default = Some-State -+stateOrProvinceName_default = Berkshire - - localityName = Locality Name (eg, city) -+localityName_default = Newbury - - 0.organizationName = Organization Name (eg, company) --0.organizationName_default = Internet Widgits Pty Ltd -+0.organizationName_default = My Company Ltd - - # we can do this but it is not needed normally :-) - #1.organizationName = Second Organization Name (eg, company) -@@ -141,7 +145,7 @@ - organizationalUnitName = Organizational Unit Name (eg, section) - #organizationalUnitName_default = - --commonName = Common Name (eg, YOUR name) -+commonName = Common Name (eg, your name or your server\'s hostname) - commonName_max = 64 - - emailAddress = Email Address diff --git a/openssl/openssl-0.9.8a-link-krb5.patch b/openssl/openssl-0.9.8a-link-krb5.patch deleted file mode 100644 index f34b1e5..0000000 --- a/openssl/openssl-0.9.8a-link-krb5.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openssl-0.9.8a/Makefile.org.link-krb5 2005-07-05 07:14:21.000000000 +0200 -+++ openssl-0.9.8a/Makefile.org 2005-11-07 18:00:08.000000000 +0100 -@@ -266,7 +266,7 @@ - - do_$(SHLIB_TARGET): - @ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ -- if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ -+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ - libs="$(LIBKRB5) $$libs"; \ - fi; \ - $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl/openssl-0.9.8a-no-rpath.patch b/openssl/openssl-0.9.8a-no-rpath.patch deleted file mode 100644 index 8f8fb91..0000000 --- a/openssl/openssl-0.9.8a-no-rpath.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openssl-0.9.8a/Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200 -+++ openssl-0.9.8a/Makefile.shared 2005-11-16 22:35:37.000000000 +0100 -@@ -153,7 +153,7 @@ - NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ - SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" - --DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" -+DO_GNU_APP=LDFLAGS="$(CFLAGS)" - - #This is rather special. It's a special target with which one can link - #applications without bothering with any features that have anything to diff --git a/openssl/openssl-0.9.8a-reuse-cipher-change.patch b/openssl/openssl-0.9.8a-reuse-cipher-change.patch deleted file mode 100644 index 666688b..0000000 --- a/openssl/openssl-0.9.8a-reuse-cipher-change.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100 -+++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100 -@@ -477,7 +477,7 @@ - - #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L - #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L --#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L -+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ - #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L - #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L - #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ -@@ -494,7 +494,7 @@ - - /* SSL_OP_ALL: various bug workarounds that should be rather harmless. - * This used to be 0x000FFFFFL before 0.9.7. */ --#define SSL_OP_ALL 0x00000FFFL -+#define SSL_OP_ALL 0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */ - - /* DTLS options */ - #define SSL_OP_NO_QUERY_MTU 0x00001000L diff --git a/openssl/openssl-0.9.8b-aliasing-bug.patch b/openssl/openssl-0.9.8b-aliasing-bug.patch deleted file mode 100644 index 8d3b36a..0000000 --- a/openssl/openssl-0.9.8b-aliasing-bug.patch +++ /dev/null @@ -1,24 +0,0 @@ - -This patch fixes a violation of the C aliasing rules that can cause -miscompilation with some compiler versions. - ---- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100 -+++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100 -@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co - static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname) - { - void *ptr; -- DSO_FUNC_TYPE sym, *tsym = &sym; -+ DSO_FUNC_TYPE sym; - - if((dso == NULL) || (symname == NULL)) - { -@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO - DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE); - return(NULL); - } -- *(void **)(tsym) = dlsym(ptr, symname); -+ sym = dlsym(ptr, symname); - if(sym == NULL) - { - DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE); diff --git a/openssl/openssl-0.9.8b-test-use-localhost.patch b/openssl/openssl-0.9.8b-test-use-localhost.patch deleted file mode 100644 index 08adf1c..0000000 --- a/openssl/openssl-0.9.8b-test-use-localhost.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c ---- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100 -+++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200 -@@ -839,19 +839,8 @@ bad: - #ifndef OPENSSL_NO_KRB5 - if (c_ssl && c_ssl->kssl_ctx) - { -- char localhost[MAXHOSTNAMELEN+2]; -- -- if (gethostname(localhost, sizeof localhost-1) == 0) -- { -- localhost[sizeof localhost-1]='\0'; -- if(strlen(localhost) == sizeof localhost-1) -- { -- BIO_printf(bio_err,"localhost name too long\n"); -- goto end; -- } - kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, -- localhost); -- } -+ "localhost"); - } - #endif /* OPENSSL_NO_KRB5 */ - diff --git a/openssl/openssl-0.9.8b-x509-name-cmp.patch b/openssl/openssl-0.9.8b-x509-name-cmp.patch deleted file mode 100644 index c7e8848..0000000 --- a/openssl/openssl-0.9.8b-x509-name-cmp.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp 2004-12-01 02:45:30.000000000 +0100 -+++ openssl-0.9.8b/crypto/x509/x509_cmp.c 2006-11-30 23:37:26.000000000 +0100 -@@ -282,14 +282,7 @@ - nb=sk_X509_NAME_ENTRY_value(b->entries,i); - j=na->value->type-nb->value->type; - if (j) -- { -- nabit = ASN1_tag2bit(na->value->type); -- nbbit = ASN1_tag2bit(nb->value->type); -- if (!(nabit & STR_TYPE_CMP) || -- !(nbbit & STR_TYPE_CMP)) -- return j; -- j = asn1_string_memcmp(na->value, nb->value); -- } -+ return j; - else if (na->value->type == V_ASN1_PRINTABLESTRING) - j=nocase_spacenorm_cmp(na->value, nb->value); - else if (na->value->type == V_ASN1_IA5STRING diff --git a/openssl/openssl-0.9.8g-default-paths.patch b/openssl/openssl-0.9.8g-default-paths.patch deleted file mode 100644 index 23fa4e1..0000000 --- a/openssl/openssl-0.9.8g-default-paths.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c ---- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100 -+++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100 -@@ -1077,12 +1077,13 @@ bad: - } - #endif - -- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) -+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx)) - { -- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - store = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(store, vflags); -@@ -1132,8 +1133,11 @@ bad: - - SSL_CTX_sess_set_cache_size(ctx2,128); - -- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx2))) -+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx2)) - { - ERR_print_errors(bio_err); - } -diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c ---- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100 -+++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100 -@@ -673,12 +673,13 @@ bad: - if (!set_cert_key_stuff(ctx,cert,key)) - goto end; - -- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) -+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx)) - { -- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - - store = SSL_CTX_get_cert_store(ctx); -diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c ---- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100 -+++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100 -@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv) - - SSL_load_error_strings(); - -- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(tm_ctx))) -+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) - { -- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - - if (tm_cipher == NULL) diff --git a/openssl/openssl-0.9.8g-ia64.patch b/openssl/openssl-0.9.8g-ia64.patch deleted file mode 100644 index ec982d2..0000000 --- a/openssl/openssl-0.9.8g-ia64.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h ---- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 2008-08-10 22:23:55.000000000 +0200 -+++ openssl-0.9.8g/crypto/bn/bn_lcl.h 2008-08-10 22:23:55.000000000 +0200 -@@ -279,6 +279,15 @@ extern "C" { - # define BN_UMULT_HIGH(a,b) __umulh((a),(b)) - # define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high))) - # endif -+# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG) -+# if defined(__GNUC__) -+# define BN_UMULT_HIGH(a,b) ({ \ -+ register BN_ULONG ret; \ -+ asm ("xmpy.hu %0 = %1, %2" \ -+ : "=f"(ret) \ -+ : "f"(a), "f"(b)); \ -+ ret; }) -+# endif /* compiler */ - # endif /* cpu */ - #endif /* OPENSSL_NO_ASM */ - diff --git a/openssl/openssl-0.9.8g-ipv6-apps.patch b/openssl/openssl-0.9.8g-ipv6-apps.patch deleted file mode 100644 index 588cf4e..0000000 --- a/openssl/openssl-0.9.8g-ipv6-apps.patch +++ /dev/null @@ -1,507 +0,0 @@ -diff -up openssl-0.9.8g/apps/s_socket.c.ipv6-apps openssl-0.9.8g/apps/s_socket.c ---- openssl-0.9.8g/apps/s_socket.c.ipv6-apps 2005-06-13 05:21:00.000000000 +0200 -+++ openssl-0.9.8g/apps/s_socket.c 2007-12-03 13:28:42.000000000 +0100 -@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha - static void ssl_sock_cleanup(void); - #endif - static int ssl_sock_init(void); --static int init_client_ip(int *sock,unsigned char ip[4], int port, int type); --static int init_server(int *sock, int port, int type); --static int init_server_long(int *sock, int port,char *ip, int type); -+static int init_server(int *sock, char *port, int type); - static int do_accept(int acc_sock, int *sock, char **host); - static int host_ip(char *str, unsigned char ip[4]); - -@@ -228,60 +226,69 @@ static int ssl_sock_init(void) - return(1); - } - --int init_client(int *sock, char *host, int port, int type) -+int init_client(int *sock, char *host, char *port, int type) - { -- unsigned char ip[4]; -- short p=0; -- -- if (!host_ip(host,&(ip[0]))) -- { -- return(0); -- } -- if (p != 0) port=p; -- return(init_client_ip(sock,ip,port,type)); -- } -- --static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) -- { -- unsigned long addr; -- struct sockaddr_in them; -- int s,i; -+ struct addrinfo *res, *res0, hints; -+ char * failed_call = NULL; -+ int s; -+ int e; - - if (!ssl_sock_init()) return(0); - -- memset((char *)&them,0,sizeof(them)); -- them.sin_family=AF_INET; -- them.sin_port=htons((unsigned short)port); -- addr=(unsigned long) -- ((unsigned long)ip[0]<<24L)| -- ((unsigned long)ip[1]<<16L)| -- ((unsigned long)ip[2]<< 8L)| -- ((unsigned long)ip[3]); -- them.sin_addr.s_addr=htonl(addr); -- -- if (type == SOCK_STREAM) -- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); -- else /* ( type == SOCK_DGRAM) */ -- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); -- -- if (s == INVALID_SOCKET) { perror("socket"); return(0); } -+ memset(&hints, '\0', sizeof(hints)); -+ hints.ai_socktype = type; -+ hints.ai_flags = AI_ADDRCONFIG; -+ -+ e = getaddrinfo(host, port, &hints, &res); -+ if (e) -+ { -+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); -+ if (e == EAI_SYSTEM) -+ perror("getaddrinfo"); -+ return (0); -+ } - -+ res0 = res; -+ while (res) -+ { -+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); -+ if (s == INVALID_SOCKET) -+ { -+ failed_call = "socket"; -+ goto nextres; -+ } - #ifndef OPENSSL_SYS_MPE - if (type == SOCK_STREAM) - { -- i=0; -- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); -- if (i < 0) { perror("keepalive"); return(0); } -+ int i=0; -+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE, -+ (char *)&i,sizeof(i)); -+ if (i < 0) { -+ failed_call = "keepalive"; -+ goto nextres; -+ } - } - #endif -- -- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) -- { close(s); perror("connect"); return(0); } -+ if (connect(s,(struct sockaddr *)res->ai_addr, -+ res->ai_addrlen) == 0) -+ { -+ freeaddrinfo(res0); - *sock=s; - return(1); - } -+ failed_call = "socket"; -+nextres: -+ if (s != INVALID_SOCKET) -+ close(s); -+ res = res->ai_next; -+ } -+ freeaddrinfo(res0); - --int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) -+ perror(failed_call); -+ return(0); -+ } -+ -+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) - { - int sock; - char *name = NULL; -@@ -319,33 +326,38 @@ int do_server(int port, int type, int *r - } - } - --static int init_server_long(int *sock, int port, char *ip, int type) -+static int init_server(int *sock, char *port, int type) - { -- int ret=0; -- struct sockaddr_in server; -- int s= -1,i; -+ struct addrinfo *res, *res0, hints; -+ char * failed_call = NULL; -+ char port_name[8]; -+ int s; -+ int e; - - if (!ssl_sock_init()) return(0); - -- memset((char *)&server,0,sizeof(server)); -- server.sin_family=AF_INET; -- server.sin_port=htons((unsigned short)port); -- if (ip == NULL) -- server.sin_addr.s_addr=INADDR_ANY; -- else --/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */ --#ifndef BIT_FIELD_LIMITS -- memcpy(&server.sin_addr.s_addr,ip,4); --#else -- memcpy(&server.sin_addr,ip,4); --#endif -+ memset(&hints, '\0', sizeof(hints)); -+ hints.ai_socktype = type; -+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; - -- if (type == SOCK_STREAM) -- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); -- else /* type == SOCK_DGRAM */ -- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP); -+ e = getaddrinfo(NULL, port, &hints, &res); -+ if (e) -+ { -+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); -+ if (e == EAI_SYSTEM) -+ perror("getaddrinfo"); -+ return (0); -+ } - -- if (s == INVALID_SOCKET) goto err; -+ res0 = res; -+ while (res) -+ { -+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); -+ if (s == INVALID_SOCKET) -+ { -+ failed_call = "socket"; -+ goto nextres; -+ } - #if defined SOL_SOCKET && defined SO_REUSEADDR - { - int j = 1; -@@ -353,36 +365,39 @@ static int init_server_long(int *sock, i - (void *) &j, sizeof j); - } - #endif -- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1) -+ -+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) - { --#ifndef OPENSSL_SYS_WINDOWS -- perror("bind"); --#endif -- goto err; -+ failed_call = "bind"; -+ goto nextres; - } -- /* Make it 128 for linux */ -- if (type==SOCK_STREAM && listen(s,128) == -1) goto err; -- i=0; -- *sock=s; -- ret=1; --err: -- if ((ret == 0) && (s != -1)) -+ if (type==SOCK_STREAM && listen(s,128) == -1) - { -- SHUTDOWN(s); -+ failed_call = "listen"; -+ goto nextres; - } -- return(ret); -+ -+ *sock=s; -+ return(1); -+ -+nextres: -+ if (s != INVALID_SOCKET) -+ close(s); -+ res = res->ai_next; - } -+ freeaddrinfo(res0); - --static int init_server(int *sock, int port, int type) -- { -- return(init_server_long(sock, port, NULL, type)); -+ if (s == INVALID_SOCKET) { perror("socket"); return(0); } -+ -+ perror(failed_call); -+ return(0); - } - - static int do_accept(int acc_sock, int *sock, char **host) - { -- int ret,i; -- struct hostent *h1,*h2; -- static struct sockaddr_in from; -+ static struct sockaddr_storage from; -+ char buffer[NI_MAXHOST]; -+ int ret; - int len; - /* struct linger ling; */ - -@@ -427,137 +442,62 @@ redoit: - if (i < 0) { perror("keepalive"); return(0); } - */ - -- if (host == NULL) goto end; --#ifndef BIT_FIELD_LIMITS -- /* I should use WSAAsyncGetHostByName() under windows */ -- h1=gethostbyaddr((char *)&from.sin_addr.s_addr, -- sizeof(from.sin_addr.s_addr),AF_INET); --#else -- h1=gethostbyaddr((char *)&from.sin_addr, -- sizeof(struct in_addr),AF_INET); --#endif -- if (h1 == NULL) -- { -- BIO_printf(bio_err,"bad gethostbyaddr\n"); -- *host=NULL; -- /* return(0); */ -- } -- else -+ if (host == NULL) - { -- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) -- { -- perror("OPENSSL_malloc"); -+ *sock=ret; - return(0); - } -- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); - -- h2=GetHostByName(*host); -- if (h2 == NULL) -+ if (getnameinfo((struct sockaddr *)&from, sizeof(from), -+ buffer, sizeof(buffer), -+ NULL, 0, 0)) - { -- BIO_printf(bio_err,"gethostbyname failure\n"); -+ BIO_printf(bio_err,"getnameinfo failed\n"); -+ *host=NULL; - return(0); - } -- i=0; -- if (h2->h_addrtype != AF_INET) -+ else - { -- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); -+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) -+ { -+ perror("OPENSSL_malloc"); - return(0); - } -- } --end: -+ strcpy(*host, buffer); - *sock=ret; - return(1); - } -+ } - --int extract_host_port(char *str, char **host_ptr, unsigned char *ip, -- short *port_ptr) -+int extract_host_port(char *str, char **host_ptr, -+ char **port_ptr) - { -- char *h,*p; -+ char *h,*p,*x; - -- h=str; -- p=strchr(str,':'); -+ x=h=str; -+ if (*h == '[') -+ { -+ h++; -+ p=strchr(h,']'); - if (p == NULL) - { -- BIO_printf(bio_err,"no port defined\n"); -+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n"); - return(0); - } - *(p++)='\0'; -- -- if ((ip != NULL) && !host_ip(str,ip)) -- goto err; -- if (host_ptr != NULL) *host_ptr=h; -- -- if (!extract_port(p,port_ptr)) -- goto err; -- return(1); --err: -- return(0); -+ x = p; - } -- --static int host_ip(char *str, unsigned char ip[4]) -- { -- unsigned int in[4]; -- int i; -- -- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4) -- { -- for (i=0; i<4; i++) -- if (in[i] > 255) -- { -- BIO_printf(bio_err,"invalid IP address\n"); -- goto err; -- } -- ip[0]=in[0]; -- ip[1]=in[1]; -- ip[2]=in[2]; -- ip[3]=in[3]; -- } -- else -- { /* do a gethostbyname */ -- struct hostent *he; -- -- if (!ssl_sock_init()) return(0); -- -- he=GetHostByName(str); -- if (he == NULL) -- { -- BIO_printf(bio_err,"gethostbyname failure\n"); -- goto err; -- } -- /* cast to short because of win16 winsock definition */ -- if ((short)he->h_addrtype != AF_INET) -+ p=strchr(x,':'); -+ if (p == NULL) - { -- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); -- return(0); -- } -- ip[0]=he->h_addr_list[0][0]; -- ip[1]=he->h_addr_list[0][1]; -- ip[2]=he->h_addr_list[0][2]; -- ip[3]=he->h_addr_list[0][3]; -- } -- return(1); --err: -+ BIO_printf(bio_err,"no port defined\n"); - return(0); - } -+ *(p++)='\0'; - --int extract_port(char *str, short *port_ptr) -- { -- int i; -- struct servent *s; -+ if (host_ptr != NULL) *host_ptr=h; -+ if (port_ptr != NULL) *port_ptr=p; - -- i=atoi(str); -- if (i != 0) -- *port_ptr=(unsigned short)i; -- else -- { -- s=getservbyname(str,"tcp"); -- if (s == NULL) -- { -- BIO_printf(bio_err,"getservbyname failure for %s\n",str); -- return(0); -- } -- *port_ptr=ntohs((unsigned short)s->s_port); -- } - return(1); - } - -diff -up openssl-0.9.8g/apps/s_server.c.ipv6-apps openssl-0.9.8g/apps/s_server.c ---- openssl-0.9.8g/apps/s_server.c.ipv6-apps 2007-08-23 14:16:02.000000000 +0200 -+++ openssl-0.9.8g/apps/s_server.c 2007-12-03 13:31:14.000000000 +0100 -@@ -592,7 +592,7 @@ int MAIN(int argc, char *argv[]) - { - X509_STORE *store = NULL; - int vflags = 0; -- short port=PORT; -+ char *port_str = PORT_STR; - char *CApath=NULL,*CAfile=NULL; - unsigned char *context = NULL; - char *dhfile = NULL; -@@ -662,8 +662,7 @@ int MAIN(int argc, char *argv[]) - (strcmp(*argv,"-accept") == 0)) - { - if (--argc < 1) goto bad; -- if (!extract_port(*(++argv),&port)) -- goto bad; -+ port_str= *(++argv); - } - else if (strcmp(*argv,"-verify") == 0) - { -@@ -1332,9 +1331,9 @@ bad: - } - BIO_printf(bio_s_out,"ACCEPT\n"); - if (www) -- do_server(port,socket_type,&accept_socket,www_body, context); -+ do_server(port_str,socket_type,&accept_socket,www_body, context); - else -- do_server(port,socket_type,&accept_socket,sv_body, context); -+ do_server(port_str,socket_type,&accept_socket,sv_body, context); - print_stats(bio_s_out,ctx); - ret=0; - end: -diff -up openssl-0.9.8g/apps/s_client.c.ipv6-apps openssl-0.9.8g/apps/s_client.c ---- openssl-0.9.8g/apps/s_client.c.ipv6-apps 2007-08-23 14:20:56.000000000 +0200 -+++ openssl-0.9.8g/apps/s_client.c 2007-12-03 13:28:42.000000000 +0100 -@@ -285,7 +285,7 @@ int MAIN(int argc, char **argv) - int cbuf_len,cbuf_off; - int sbuf_len,sbuf_off; - fd_set readfds,writefds; -- short port=PORT; -+ char *port_str = PORT_STR; - int full_log=1; - char *host=SSL_HOST_NAME; - char *cert_file=NULL,*key_file=NULL; -@@ -377,13 +377,12 @@ int MAIN(int argc, char **argv) - else if (strcmp(*argv,"-port") == 0) - { - if (--argc < 1) goto bad; -- port=atoi(*(++argv)); -- if (port == 0) goto bad; -+ port_str= *(++argv); - } - else if (strcmp(*argv,"-connect") == 0) - { - if (--argc < 1) goto bad; -- if (!extract_host_port(*(++argv),&host,NULL,&port)) -+ if (!extract_host_port(*(++argv),&host,&port_str)) - goto bad; - } - else if (strcmp(*argv,"-verify") == 0) -@@ -739,7 +738,7 @@ bad: - - re_start: - -- if (init_client(&s,host,port,sock_type) == 0) -+ if (init_client(&s,host,port_str,sock_type) == 0) - { - BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); - SHUTDOWN(s); -diff -up openssl-0.9.8g/apps/s_apps.h.ipv6-apps openssl-0.9.8g/apps/s_apps.h ---- openssl-0.9.8g/apps/s_apps.h.ipv6-apps 2007-12-03 13:28:42.000000000 +0100 -+++ openssl-0.9.8g/apps/s_apps.h 2007-12-03 13:28:42.000000000 +0100 -@@ -148,7 +148,7 @@ typedef fd_mask fd_set; - #define PORT_STR "4433" - #define PROTOCOL "tcp" - --int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); -+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); - #ifdef HEADER_X509_H - int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); - #endif -@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, - int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); - int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); - #endif --int init_client(int *sock, char *server, int port, int type); -+int init_client(int *sock, char *server, char *port, int type); - int should_retry(int i); --int extract_port(char *str, short *port_ptr); --int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); -+int extract_host_port(char *str,char **host_ptr,char **port_ptr); - - long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, - int argi, long argl, long ret); diff --git a/openssl/openssl-0.9.8g-no-extssl.patch b/openssl/openssl-0.9.8g-no-extssl.patch deleted file mode 100644 index de00d0c..0000000 --- a/openssl/openssl-0.9.8g-no-extssl.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c ---- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200 -+++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200 -@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex - int extdatalen=0; - unsigned char *ret = p; - -+ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION) -+ { -+ return ret; -+ } -+ - ret+=2; - - if (ret>=limit) return NULL; /* this really never occurs, but ... */ -@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex - int extdatalen=0; - unsigned char *ret = p; - -+ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION) -+ { -+ return ret; -+ } -+ - ret+=2; - if (ret>=limit) return NULL; /* this really never occurs, but ... */ - diff --git a/openssl/openssl-0.9.8j-bad-mime.patch b/openssl/openssl-0.9.8j-bad-mime.patch deleted file mode 100644 index a990911..0000000 --- a/openssl/openssl-0.9.8j-bad-mime.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c ---- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime 2008-08-05 17:56:11.000000000 +0200 -+++ openssl-0.9.8j/crypto/asn1/asn_mime.c 2009-01-14 22:08:34.000000000 +0100 -@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER - static int mime_hdr_cmp(const MIME_HEADER * const *a, - const MIME_HEADER * const *b) - { -+ if ((*a)->name == NULL || (*b)->name == NULL) -+ return (*a)->name - (*b)->name < 0 ? -1 : -+ (*a)->name - (*b)->name > 0 ? 1 : 0; -+ - return(strcmp((*a)->name, (*b)->name)); - } - diff --git a/openssl/openssl-0.9.8j-ca-dir.patch b/openssl/openssl-0.9.8j-ca-dir.patch deleted file mode 100644 index 52c0025..0000000 --- a/openssl/openssl-0.9.8j-ca-dir.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf ---- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100 -+++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100 -@@ -34,7 +34,7 @@ default_ca = CA_default # The default c - #################################################################### - [ CA_default ] - --dir = ./demoCA # Where everything is kept -+dir = ../../CA # Where everything is kept - certs = $dir/certs # Where the issued certs are kept - crl_dir = $dir/crl # Where the issued crl are kept - database = $dir/index.txt # database index file. -diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh ---- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200 -+++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100 -@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG" - VERIFY="$OPENSSL verify" - X509="$OPENSSL x509" - --CATOP=./demoCA -+CATOP=../../CA - CAKEY=./cakey.pem - CAREQ=./careq.pem - CACERT=./cacert.pem -diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in ---- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200 -+++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100 -@@ -53,7 +53,7 @@ $VERIFY="$openssl verify"; - $X509="$openssl x509"; - $PKCS12="$openssl pkcs12"; - --$CATOP="./demoCA"; -+$CATOP="../../CA"; - $CAKEY="cakey.pem"; - $CAREQ="careq.pem"; - $CACERT="cacert.pem"; diff --git a/openssl/openssl-0.9.8j-eap-fast.patch b/openssl/openssl-0.9.8j-eap-fast.patch deleted file mode 100644 index 1e77f00..0000000 --- a/openssl/openssl-0.9.8j-eap-fast.patch +++ /dev/null @@ -1,378 +0,0 @@ -diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c ---- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100 -+++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100 -@@ -106,6 +106,12 @@ int tls1_new(SSL *s) - - void tls1_free(SSL *s) - { -+#ifndef OPENSSL_NO_TLSEXT -+ if (s && s->tlsext_session_ticket) -+ { -+ OPENSSL_free(s->tlsext_session_ticket); -+ } -+#endif /* OPENSSL_NO_TLSEXT */ - ssl3_free(s); - } - -@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex - int ticklen; - if (s->session && s->session->tlsext_tick) - ticklen = s->session->tlsext_ticklen; -+ else if (s->session && s->tlsext_session_ticket && -+ s->tlsext_session_ticket->data) -+ { -+ ticklen = s->tlsext_session_ticket->length; -+ s->session->tlsext_tick = OPENSSL_malloc(ticklen); -+ if (!s->session->tlsext_tick) -+ return NULL; -+ memcpy(s->session->tlsext_tick, -+ s->tlsext_session_ticket->data, -+ ticklen); -+ s->session->tlsext_ticklen = ticklen; -+ } - else - ticklen = 0; -+ if (ticklen == 0 && s->tlsext_session_ticket && -+ s->tlsext_session_ticket->data == NULL) -+ goto skip_ext; - /* Check for enough room 2 for extension type, 2 for len - * rest for ticket - */ -@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex - ret += ticklen; - } - } -+ skip_ext: - - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) - { -@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s, - } - - } -+ else if (type == TLSEXT_TYPE_session_ticket) -+ { -+ if (s->tls_session_ticket_ext_cb && -+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) -+ { -+ *al = TLS1_AD_INTERNAL_ERROR; -+ return 0; -+ } -+ } - else if (type == TLSEXT_TYPE_status_request - && s->ctx->tlsext_status_cb) - { -@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, - } - else if (type == TLSEXT_TYPE_session_ticket) - { -+ if (s->tls_session_ticket_ext_cb && -+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) -+ { -+ *al = TLS1_AD_INTERNAL_ERROR; -+ return 0; -+ } - if ((SSL_get_options(s) & SSL_OP_NO_TICKET) - || (size > 0)) - { -@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned - s->tlsext_ticket_expected = 1; - return 0; /* Cache miss */ - } -+ if (s->tls_session_secret_cb) -+ { -+ /* Indicate cache miss here and instead of -+ * generating the session from ticket now, -+ * trigger abbreviated handshake based on -+ * external mechanism to calculate the master -+ * secret later. */ -+ return 0; -+ } - return tls_decrypt_ticket(s, p, size, session_id, len, - ret); - } -diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c ---- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100 -+++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100 -@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s) - goto f_err; - } - -+#ifndef OPENSSL_NO_TLSEXT -+ /* check if we want to resume the session based on external pre-shared secret */ -+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) -+ { -+ SSL_CIPHER *pref_cipher=NULL; -+ s->session->master_key_length=sizeof(s->session->master_key); -+ if (s->tls_session_secret_cb(s, s->session->master_key, -+ &s->session->master_key_length, -+ NULL, &pref_cipher, -+ s->tls_session_secret_cb_arg)) -+ { -+ s->session->cipher = pref_cipher ? -+ pref_cipher : ssl_get_cipher_by_char(s, p+j); -+ } -+ } -+#endif /* OPENSSL_NO_TLSEXT */ -+ - if (j != 0 && j == s->session->session_id_length - && memcmp(p,s->session->session_id,j) == 0) - { -@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s) - { - int ok; - long n; -- /* If we have no ticket or session ID is non-zero length (a match of -- * a non-zero session length would never reach here) it cannot be a -- * resumed session. -- */ -- if (!s->session->tlsext_tick || s->session->session_id_length) -+ /* If we have no ticket it cannot be a resumed session. */ -+ if (!s->session->tlsext_tick) - return 1; - /* this function is called when we really expect a Certificate - * message, so permit appropriate message length */ -diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c ---- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200 -+++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100 -@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX * - return(s->session_timeout); - } - -+#ifndef OPENSSL_NO_TLSEXT -+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, -+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) -+ { -+ if (s == NULL) return(0); -+ s->tls_session_secret_cb = tls_session_secret_cb; -+ s->tls_session_secret_cb_arg = arg; -+ return(1); -+ } -+ -+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, -+ void *arg) -+ { -+ if (s == NULL) return(0); -+ s->tls_session_ticket_ext_cb = cb; -+ s->tls_session_ticket_ext_cb_arg = arg; -+ return(1); -+ } -+ -+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) -+ { -+ if (s->version >= TLS1_VERSION) -+ { -+ if (s->tlsext_session_ticket) -+ { -+ OPENSSL_free(s->tlsext_session_ticket); -+ s->tlsext_session_ticket = NULL; -+ } -+ -+ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); -+ if (!s->tlsext_session_ticket) -+ { -+ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ -+ if (ext_data) -+ { -+ s->tlsext_session_ticket->length = ext_len; -+ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1; -+ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); -+ } -+ else -+ { -+ s->tlsext_session_ticket->length = 0; -+ s->tlsext_session_ticket->data = NULL; -+ } -+ -+ return 1; -+ } -+ -+ return 0; -+ } -+#endif /* OPENSSL_NO_TLSEXT */ -+ - typedef struct timeout_param_st - { - SSL_CTX *ctx; -diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c ---- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100 -+++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100 -@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s) - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); - goto err; - } -+ -+ /* Check if we want to use external pre-shared secret for this -+ * handshake for not reused session only. We need to generate -+ * server_random before calling tls_session_secret_cb in order to allow -+ * SessionTicket processing to use it in key derivation. */ -+ { -+ unsigned long Time; -+ unsigned char *pos; -+ Time=(unsigned long)time(NULL); /* Time */ -+ pos=s->s3->server_random; -+ l2n(Time,pos); -+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) -+ { -+ al=SSL_AD_INTERNAL_ERROR; -+ goto f_err; -+ } -+ } -+ -+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) -+ { -+ SSL_CIPHER *pref_cipher=NULL; -+ -+ s->session->master_key_length=sizeof(s->session->master_key); -+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, -+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) -+ { -+ s->hit=1; -+ s->session->ciphers=ciphers; -+ s->session->verify_result=X509_V_OK; -+ -+ ciphers=NULL; -+ -+ /* check if some cipher was preferred by call back */ -+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); -+ if (pref_cipher == NULL) -+ { -+ al=SSL_AD_HANDSHAKE_FAILURE; -+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); -+ goto f_err; -+ } -+ -+ s->session->cipher=pref_cipher; -+ -+ if (s->cipher_list) -+ sk_SSL_CIPHER_free(s->cipher_list); -+ -+ if (s->cipher_list_by_id) -+ sk_SSL_CIPHER_free(s->cipher_list_by_id); -+ -+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); -+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); -+ } -+ } - #endif - /* Worst case, we will use the NULL compression, but if we have other - * options, we will now look for them. We have i-1 compression -@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s) - unsigned char *buf; - unsigned char *p,*d; - int i,sl; -- unsigned long l,Time; -+ unsigned long l; -+#ifdef OPENSSL_NO_TLSEXT -+ unsigned long Time; -+#endif - - if (s->state == SSL3_ST_SW_SRVR_HELLO_A) - { - buf=(unsigned char *)s->init_buf->data; -+#ifdef OPENSSL_NO_TLSEXT - p=s->s3->server_random; -+ /* Generate server_random if it was not needed previously */ - Time=(unsigned long)time(NULL); /* Time */ - l2n(Time,p); - if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) - return -1; -+#endif - /* Do the message type and length last */ - d=p= &(buf[4]); - -diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h ---- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100 -+++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100 -@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T - #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ - #endif - -+/* TLS Session Ticket extension struct */ -+struct tls_session_ticket_ext_st -+ { -+ unsigned short length; -+ void *data; -+ }; -+ - #ifdef __cplusplus - } - #endif -diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c ---- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200 -+++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100 -@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]= - {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, - {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, - {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, -+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, - {0,NULL} - }; - -diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h ---- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100 -+++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100 -@@ -344,6 +344,7 @@ extern "C" { - * 'struct ssl_st *' function parameters used to prototype callbacks - * in SSL_CTX. */ - typedef struct ssl_st *ssl_crock_st; -+typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; - - /* used to hold info on the particular ciphers used */ - typedef struct ssl_cipher_st -@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st - - DECLARE_STACK_OF(SSL_CIPHER) - -+typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg); -+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); -+ - /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ - typedef struct ssl_method_st - { -@@ -1034,6 +1038,18 @@ struct ssl_st - - /* RFC4507 session ticket expected to be received or sent */ - int tlsext_ticket_expected; -+ -+ /* TLS Session Ticket extension override */ -+ TLS_SESSION_TICKET_EXT *tlsext_session_ticket; -+ -+ /* TLS Session Ticket extension callback */ -+ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; -+ void *tls_session_ticket_ext_cb_arg; -+ -+ /* TLS pre-shared secret session resumption */ -+ tls_session_secret_cb_fn tls_session_secret_cb; -+ void *tls_session_secret_cb_arg; -+ - SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ - #define session_ctx initial_ctx - #else -@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v - int SSL_COMP_add_compression_method(int id,void *cm); - #endif - -+/* TLS extensions functions */ -+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); -+ -+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, -+ void *arg); -+ -+/* Pre-shared secret session resumption functions */ -+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); -+ - /* BEGIN ERROR CODES */ - /* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. -@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void); - #define SSL_F_TLS1_ENC 210 - #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 - #define SSL_F_WRITE_PENDING 212 -+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213 - - /* Reason codes. */ - #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff --git a/openssl/openssl-0.9.8j-enginesdir.patch b/openssl/openssl-0.9.8j-enginesdir.patch deleted file mode 100644 index 3834fe8..0000000 --- a/openssl/openssl-0.9.8j-enginesdir.patch +++ /dev/null @@ -1,40 +0,0 @@ -diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure ---- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100 -+++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100 -@@ -577,6 +577,7 @@ my $idx_arflags = $idx++; - - my $prefix=""; - my $openssldir=""; -+my $enginesdir=""; - my $exe_ext=""; - my $install_prefix=""; - my $fipslibdir="/usr/local/ssl/fips-1.0/lib/"; -@@ -815,6 +816,10 @@ PROCESS_ARGS: - { - $openssldir=$1; - } -+ elsif (/^--enginesdir=(.*)$/) -+ { -+ $enginesdir=$1; -+ } - elsif (/^--install.prefix=(.*)$/) - { - $install_prefix=$1; -@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/; - - $openssldir=$prefix . "/ssl" if $openssldir eq ""; - $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; -- -+$enginesdir="$prefix/lib/engines" if $enginesdir eq ""; - - print "IsMK1MF=$IsMK1MF\n"; - -@@ -1635,7 +1640,7 @@ while () - if (/^#define\s+OPENSSLDIR/) - { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } - elsif (/^#define\s+ENGINESDIR/) -- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; } -+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; } - elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) - { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" - if $export_var_as_fn; diff --git a/openssl/openssl-0.9.8j-env-nozlib.patch b/openssl/openssl-0.9.8j-env-nozlib.patch deleted file mode 100644 index 65af5a8..0000000 --- a/openssl/openssl-0.9.8j-env-nozlib.patch +++ /dev/null @@ -1,13 +0,0 @@ -Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set. -diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c ---- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib 2009-01-05 15:43:07.000000000 +0100 -+++ openssl-0.9.8j/ssl/ssl_ciph.c 2009-01-14 17:47:46.000000000 +0100 -@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo - - MemCheck_off(); - ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); -- if (ssl_comp_methods != NULL) -+ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL) - { - comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); - if (comp != NULL) diff --git a/openssl/openssl-0.9.8j-evp-nonfips.patch b/openssl/openssl-0.9.8j-evp-nonfips.patch deleted file mode 100644 index c25cf38..0000000 --- a/openssl/openssl-0.9.8j-evp-nonfips.patch +++ /dev/null @@ -1,127 +0,0 @@ -diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c ---- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200 -+++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100 -@@ -64,6 +64,11 @@ - - void OpenSSL_add_all_digests(void) - { -+#ifdef OPENSSL_FIPS -+ OPENSSL_init(); -+ if (!FIPS_mode()) -+ { -+#endif - #ifndef OPENSSL_NO_MD2 - EVP_add_digest(EVP_md2()); - #endif -@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void) - EVP_add_digest(EVP_sha384()); - EVP_add_digest(EVP_sha512()); - #endif -+#ifdef OPENSSL_FIPS -+ } -+ else -+ { -+#ifndef OPENSSL_NO_SHA -+ EVP_add_digest(EVP_sha1()); -+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); -+#ifndef OPENSSL_NO_DSA -+ EVP_add_digest(EVP_dss1()); -+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); -+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); -+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); -+#endif -+#ifndef OPENSSL_NO_ECDSA -+ EVP_add_digest(EVP_ecdsa()); -+#endif -+#endif -+#ifndef OPENSSL_NO_SHA256 -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+#endif -+#ifndef OPENSSL_NO_SHA512 -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+#endif -+ } -+#endif - } -diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c ---- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200 -+++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100 -@@ -65,6 +65,11 @@ - void OpenSSL_add_all_ciphers(void) - { - -+#ifdef OPENSSL_FIPS -+ OPENSSL_init(); -+ if(!FIPS_mode()) -+ { -+#endif - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cfb()); - EVP_add_cipher(EVP_des_cfb1()); -@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void) - EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256"); - EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256"); - #endif -+#ifdef OPENSSL_FIPS -+ } -+ else -+ { -+#ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede_cfb()); -+ EVP_add_cipher(EVP_des_ede3_cfb()); -+ -+ EVP_add_cipher(EVP_des_ede_ofb()); -+ EVP_add_cipher(EVP_des_ede3_ofb()); -+ -+ EVP_add_cipher(EVP_des_ede_cbc()); -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3"); -+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3"); -+ -+ EVP_add_cipher(EVP_des_ede()); -+ EVP_add_cipher(EVP_des_ede3()); -+#endif -+ -+#ifndef OPENSSL_NO_AES -+ EVP_add_cipher(EVP_aes_128_ecb()); -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_128_cfb()); -+ EVP_add_cipher(EVP_aes_128_cfb1()); -+ EVP_add_cipher(EVP_aes_128_cfb8()); -+ EVP_add_cipher(EVP_aes_128_ofb()); -+#if 0 -+ EVP_add_cipher(EVP_aes_128_ctr()); -+#endif -+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128"); -+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128"); -+ EVP_add_cipher(EVP_aes_192_ecb()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_192_cfb()); -+ EVP_add_cipher(EVP_aes_192_cfb1()); -+ EVP_add_cipher(EVP_aes_192_cfb8()); -+ EVP_add_cipher(EVP_aes_192_ofb()); -+#if 0 -+ EVP_add_cipher(EVP_aes_192_ctr()); -+#endif -+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192"); -+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192"); -+ EVP_add_cipher(EVP_aes_256_ecb()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_256_cfb()); -+ EVP_add_cipher(EVP_aes_256_cfb1()); -+ EVP_add_cipher(EVP_aes_256_cfb8()); -+ EVP_add_cipher(EVP_aes_256_ofb()); -+#if 0 -+ EVP_add_cipher(EVP_aes_256_ctr()); -+#endif -+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); -+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); -+#endif -+ } -+#endif - - PKCS12_PBE_add(); - PKCS5_PBE_add(); diff --git a/openssl/openssl-0.9.8j-fips-no-pairwise.patch b/openssl/openssl-0.9.8j-fips-no-pairwise.patch deleted file mode 100644 index e6c2f73..0000000 --- a/openssl/openssl-0.9.8j-fips-no-pairwise.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c ---- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100 -+++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100 -@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa, - if (fips_rsa_pairwise_fail) - BN_add_word(rsa->n, 1); - -- if(!fips_check_rsa(rsa)) -+ if(FIPS_mode() && !fips_check_rsa(rsa)) - goto err; - - ok=1; -diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c ---- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200 -+++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100 -@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa) - dsa->pub_key=pub_key; - if (fips_dsa_pairwise_fail) - BN_add_word(dsa->pub_key, 1); -- if(!fips_check_dsa(dsa)) -+ if(FIPS_mode() && !fips_check_dsa(dsa)) - goto err; - ok=1; - diff --git a/openssl/openssl-0.9.8j-fipscheck-hmac.patch b/openssl/openssl-0.9.8j-fipscheck-hmac.patch deleted file mode 100644 index 3ba459b..0000000 --- a/openssl/openssl-0.9.8j-fipscheck-hmac.patch +++ /dev/null @@ -1,125 +0,0 @@ -Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary. -We use the binary just during the OpenSSL build to checksum the libcrypto. -diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile ---- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100 -+++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100 -@@ -46,7 +46,7 @@ lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - - ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o -- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ -+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ - $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM - - files: -diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c ---- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200 -+++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100 -@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len) - - #ifdef OPENSSL_FIPS - --static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, -+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx, - const char *key) - { - int len=strlen(key); -@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH - - if (len > SHA_CBLOCK) - { -- SHA1_Init(md_ctx); -- SHA1_Update(md_ctx,key,len); -- SHA1_Final(keymd,md_ctx); -- len=20; -+ SHA256_Init(md_ctx); -+ SHA256_Update(md_ctx,key,len); -+ SHA256_Final(keymd,md_ctx); -+ len=SHA256_DIGEST_LENGTH; - } - else - memcpy(keymd,key,len); -@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH - - for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) - pad[i]=0x36^keymd[i]; -- SHA1_Init(md_ctx); -- SHA1_Update(md_ctx,pad,SHA_CBLOCK); -+ SHA256_Init(md_ctx); -+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK); - - for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) - pad[i]=0x5c^keymd[i]; -- SHA1_Init(o_ctx); -- SHA1_Update(o_ctx,pad,SHA_CBLOCK); -+ SHA256_Init(o_ctx); -+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK); - } - --static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) -+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx) - { -- unsigned char buf[20]; -+ unsigned char buf[SHA256_DIGEST_LENGTH]; - -- SHA1_Final(buf,md_ctx); -- SHA1_Update(o_ctx,buf,sizeof buf); -- SHA1_Final(md,o_ctx); -+ SHA256_Final(buf,md_ctx); -+ SHA256_Update(o_ctx,buf,sizeof buf); -+ SHA256_Final(md,o_ctx); - } - - #endif -@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md - int main(int argc,char **argv) - { - #ifdef OPENSSL_FIPS -- static char key[]="etaonrishdlcupfm"; -+ static char key[]="orboDeJITITejsirpADONivirpUkvarP"; - int n,binary=0; - - if(argc < 2) -@@ -125,8 +125,8 @@ int main(int argc,char **argv) - for(; n < argc ; ++n) - { - FILE *f=fopen(argv[n],"rb"); -- SHA_CTX md_ctx,o_ctx; -- unsigned char md[20]; -+ SHA256_CTX md_ctx,o_ctx; -+ unsigned char md[SHA256_DIGEST_LENGTH]; - int i; - - if(!f) -@@ -139,7 +139,7 @@ int main(int argc,char **argv) - for( ; ; ) - { - char buf[1024]; -- int l=fread(buf,1,sizeof buf,f); -+ size_t l=fread(buf,1,sizeof buf,f); - - if(l == 0) - { -@@ -151,18 +151,18 @@ int main(int argc,char **argv) - else - break; - } -- SHA1_Update(&md_ctx,buf,l); -+ SHA256_Update(&md_ctx,buf,l); - } - hmac_final(md,&md_ctx,&o_ctx); - - if (binary) - { -- fwrite(md,20,1,stdout); -+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout); - break; /* ... for single(!) file */ - } - -- printf("HMAC-SHA1(%s)= ",argv[n]); -- for(i=0 ; i < 20 ; ++i) -+/* printf("HMAC-SHA1(%s)= ",argv[n]); */ -+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i) - printf("%02x",md[i]); - printf("\n"); - } diff --git a/openssl/openssl-0.9.8j-kernel-fipsmode.patch b/openssl/openssl-0.9.8j-kernel-fipsmode.patch deleted file mode 100644 index fed04c3..0000000 --- a/openssl/openssl-0.9.8j-kernel-fipsmode.patch +++ /dev/null @@ -1,62 +0,0 @@ -diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c ---- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100 -+++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100 -@@ -59,6 +59,45 @@ - #include - #include - -+#ifdef OPENSSL_FIPS -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" -+ -+static void init_fips_mode(void) -+ { -+ char buf[2] = "0"; -+ int fd; -+ -+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) -+ { -+ buf[0] = '1'; -+ } -+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) -+ { -+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); -+ close(fd); -+ } -+ /* Failure reading the fips mode switch file means just not -+ * switching into FIPS mode. We would break too many things -+ * otherwise. -+ */ -+ -+ if (buf[0] == '1') -+ { -+ FIPS_mode_set(1); -+ } -+ } -+#endif -+ - /* Perform any essential OpenSSL initialization operations. - * Currently only sets FIPS callbacks - */ -@@ -73,11 +112,10 @@ void OPENSSL_init(void) - #ifdef CRYPTO_MDEBUG - CRYPTO_malloc_debug_init(); - #endif --#ifdef OPENSSL_ENGINE -+ init_fips_mode(); - int_EVP_MD_init_engine_callbacks(); - int_EVP_CIPHER_init_engine_callbacks(); - int_RAND_init_engine_callbacks(); --#endif - done = 1; - } - #endif diff --git a/openssl/openssl-0.9.8j-nocanister.patch b/openssl/openssl-0.9.8j-nocanister.patch deleted file mode 100644 index f5e1272..0000000 --- a/openssl/openssl-0.9.8j-nocanister.patch +++ /dev/null @@ -1,31 +0,0 @@ -Do not create a fipscanister.o, add the objects directly. -diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile ---- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100 -+++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100 -@@ -142,8 +142,24 @@ lib: $(LIB) - if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi - @touch lib - --$(LIB): $(FIPSLIBDIR)fipscanister.o -- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o -+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS) -+ FIPS_ASM=""; \ -+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \ -+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \ -+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \ -+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \ -+ if [ -n "$(CPUID_OBJ)" ]; then \ -+ CPUID=../crypto/$(CPUID_OBJ) ; \ -+ else \ -+ CPUID="" ; \ -+ fi ; \ -+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \ -+ for i in $(FIPS_OBJ_LISTS); do \ -+ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \ -+ objs="$$objs `sed "$$script" $$i`"; \ -+ done; \ -+ objs="$$objs" ; \ -+ $(AR) $(LIB) $$objs - $(RANLIB) $(LIB) || echo Never mind. - - $(FIPSCANLIB): $(FIPSCANLOC) diff --git a/openssl/openssl-0.9.8j-readme-warning.patch b/openssl/openssl-0.9.8j-readme-warning.patch deleted file mode 100644 index 411e6bd..0000000 --- a/openssl/openssl-0.9.8j-readme-warning.patch +++ /dev/null @@ -1,35 +0,0 @@ -diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README ---- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100 -+++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100 -@@ -5,6 +5,31 @@ - Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson - All rights reserved. - -+ WARNING -+ ------- -+ -+ This version of OpenSSL is built in a way that supports operation in -+ the so called FIPS mode. Note though that the library as we build it -+ is not FIPS validated and the FIPS mode is present for testing purposes -+ only. -+ -+ This version also contains a few differences from the upstream code -+ some of which are: -+ * The FIPS integrity verification check is implemented differently -+ from the upstream FIPS validated OpenSSL module. It verifies -+ HMAC-SHA256 checksum of the whole libcrypto shared library. -+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and -+ tries to initialize the FIPS mode if it is set to 1 aborting if the -+ FIPS mode could not be initialized. It is also possible to force the -+ OpenSSL library to FIPS mode especially for debugging purposes by -+ setting the environment variable OPENSSL_FORCE_FIPS_MODE. -+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module -+ will not automatically load the built in compression method ZLIB -+ when initialized. Applications can still explicitely ask for ZLIB -+ compression method. -+ * There is added a support for EAP-FAST through TLS extension. This code -+ is backported from OpenSSL upstream development branch. -+ - DESCRIPTION - ----------- - diff --git a/openssl/openssl-0.9.8j-redhat.patch b/openssl/openssl-0.9.8j-redhat.patch deleted file mode 100644 index 2e1153d..0000000 --- a/openssl/openssl-0.9.8j-redhat.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure ---- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100 -+++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100 -@@ -320,28 +320,28 @@ my %table=( - #### - # *-generic* is endian-neutral target, but ./config is free to - # throw in -D[BL]_ENDIAN, whichever appropriate... --"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - #### IA-32 targets... - "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", - #### --"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - #### SPARC Linux setups - # Ray Miller has patiently - # assisted with debugging of following two configs. --"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - # it's a real mess with -mcpu=ultrasparc option under Linux, but - # -Wa,-Av8plus should do the trick no matter what. --"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - # GCC 3.1 is a requirement --"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - #### Alpha Linux with GNU C and Compaq C setups - # Special notes: - # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you -@@ -355,8 +355,8 @@ my %table=( - # - # - # --"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", - "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", - diff --git a/openssl/openssl-0.9.8j-shlib-version.patch b/openssl/openssl-0.9.8j-shlib-version.patch deleted file mode 100644 index 8182398..0000000 --- a/openssl/openssl-0.9.8j-shlib-version.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h ---- openssl-0.9.8j/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100 -+++ openssl-0.9.8j/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100 -@@ -83,7 +83,7 @@ - * should only keep the versions that are binary compatible with the current. - */ - #define SHLIB_VERSION_HISTORY "" --#define SHLIB_VERSION_NUMBER "0.9.8" -+#define SHLIB_VERSION_NUMBER "0.9.8j" - - - #endif /* HEADER_OPENSSLV_H */ diff --git a/openssl/openssl-0.9.8j-soversion.patch b/openssl/openssl-0.9.8j-soversion.patch deleted file mode 100644 index 80ee5cd..0000000 --- a/openssl/openssl-0.9.8j-soversion.patch +++ /dev/null @@ -1,49 +0,0 @@ -Define and use a soname -- because we have to care about binary -compatibility, we have to increment the soname in order to allow -this version to co-exist with another versions and have everything -work right. - -diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure ---- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100 -+++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100 -@@ -1371,7 +1371,7 @@ while () - elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) - { - my $sotmp = $1; -- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; -+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/; - } - elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) - { -diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org ---- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100 -+++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100 -@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= - SHLIB_MAJOR= - SHLIB_MINOR= - SHLIB_EXT= -+SHLIB_SONAMEVER=8 - PLATFORM=dist - OPTIONS= - CONFIGURE_ARGS= -@@ -277,10 +278,9 @@ clean-shared: - link-shared: - @ set -e; for i in ${SHLIBDIRS}; do \ - $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ -- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ -+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ - LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ - symlink.$(SHLIB_TARGET); \ -- libs="$$libs -l$$i"; \ - done - - build-shared: do_$(SHLIB_TARGET) link-shared -@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET): - libs="$(LIBKRB5) $$libs"; \ - fi; \ - $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ -- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ -+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ - LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ - LIBDEPS="$$libs $(EX_LIBS)" \ - link_a.$(SHLIB_TARGET); \ diff --git a/openssl/openssl-0.9.8j-use-fipscheck.patch b/openssl/openssl-0.9.8j-use-fipscheck.patch deleted file mode 100644 index 6f2eca1..0000000 --- a/openssl/openssl-0.9.8j-use-fipscheck.patch +++ /dev/null @@ -1,384 +0,0 @@ -Use fipscheck compatible way of verification of the integrity of the libcrypto -shared library. -diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile ---- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100 -+++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100 -@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$ - if [ "$(FIPSCANLIB)" = "libfips" ]; then \ - LIBRARIES="-L$(TOP) -lfips"; \ - elif [ -n "$(FIPSCANLIB)" ]; then \ -- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ -- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ -+ LIBRARIES="$(LIBCRYPTO)"; \ - fi; \ - $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ -@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if - shlib_target="$(SHLIB_TARGET)"; \ - fi; \ - LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ -- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \ -- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ -- fi; \ - [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ - $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ -diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org ---- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100 -+++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100 -@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA - $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ - $(AR) libcrypto.a fips/fipscanister.o ; \ - else \ -- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ -- FIPSLD_CC=$(CC); CC=fips/fipsld; \ -- export CC FIPSLD_CC; \ -- fi; \ - $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ - fi \ - else \ -@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT - fips/fipscanister.o: build_fips - libfips$(SHLIB_EXT): fips/fipscanister.o - @if [ "$(SHLIB_TARGET)" != "" ]; then \ -- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ - $(MAKE) -f Makefile.shared -e $(BUILDENV) \ -- CC=$${CC} LIBNAME=fips THIS=$@ \ -+ CC=$(CC) LIBNAME=fips THIS=$@ \ - LIBEXTRAS=fips/fipscanister.o \ - LIBDEPS="$(EX_LIBS)" \ - LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ -@@ -469,7 +464,7 @@ openssl.pc: Makefile - echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ - echo 'Version: '$(VERSION); \ - echo 'Requires: '; \ -- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ -+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\ - echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc - - Makefile: Makefile.org Configure config -diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c ---- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200 -+++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100 -@@ -47,6 +47,7 @@ - * - */ - -+#define _GNU_SOURCE - - #include - #include -@@ -56,6 +57,9 @@ - #include - #include - #include -+#include -+#include -+#include - #include "fips_locl.h" - - #ifdef OPENSSL_FIPS -@@ -165,6 +169,7 @@ int FIPS_selftest() - && FIPS_selftest_dsa(); - } - -+#if 0 - extern const void *FIPS_text_start(), *FIPS_text_end(); - extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; - unsigned char FIPS_signature [20] = { 0 }; -@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void) - - return 1; - } -+#else -+/* we implement what libfipscheck does ourselves */ -+ -+static int -+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) -+{ -+ Dl_info info; -+ void *dl, *sym; -+ int rv = -1; -+ -+ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } -+ -+ sym = dlsym(dl, symbolname); -+ -+ if (sym != NULL && dladdr(sym, &info)) { -+ strncpy(path, info.dli_fname, pathlen-1); -+ path[pathlen-1] = '\0'; -+ rv = 0; -+ } -+ -+ dlclose(dl); -+ -+ return rv; -+} -+ -+static const char conv[] = "0123456789abcdef"; -+ -+static char * -+bin2hex(void *buf, size_t len) -+{ -+ char *hex, *p; -+ unsigned char *src = buf; -+ -+ hex = malloc(len * 2 + 1); -+ if (hex == NULL) -+ return NULL; -+ -+ p = hex; -+ -+ while (len > 0) { -+ unsigned c; -+ -+ c = *src; -+ src++; -+ -+ *p = conv[c >> 4]; -+ ++p; -+ *p = conv[c & 0x0f]; -+ ++p; -+ --len; -+ } -+ *p = '\0'; -+ return hex; -+} -+ -+#define HMAC_PREFIX "." -+#define HMAC_SUFFIX ".hmac" -+#define READ_BUFFER_LENGTH 16384 -+ -+static char * -+make_hmac_path(const char *origpath) -+{ -+ char *path, *p; -+ const char *fn; -+ -+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); -+ if(path == NULL) { -+ return NULL; -+ } -+ -+ fn = strrchr(origpath, '/'); -+ if (fn == NULL) { -+ fn = origpath; -+ } else { -+ ++fn; -+ } -+ -+ strncpy(path, origpath, fn-origpath); -+ p = path + (fn - origpath); -+ p = stpcpy(p, HMAC_PREFIX); -+ p = stpcpy(p, fn); -+ p = stpcpy(p, HMAC_SUFFIX); -+ -+ return path; -+} -+ -+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; -+ -+static int -+compute_file_hmac(const char *path, void **buf, size_t *hmaclen) -+{ -+ FILE *f = NULL; -+ int rv = -1; -+ unsigned char rbuf[READ_BUFFER_LENGTH]; -+ size_t len; -+ unsigned int hlen; -+ HMAC_CTX c; -+ -+ HMAC_CTX_init(&c); -+ -+ f = fopen(path, "r"); -+ -+ if (f == NULL) { -+ goto end; -+ } -+ -+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); -+ -+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { -+ HMAC_Update(&c, rbuf, len); -+ } -+ -+ len = sizeof(rbuf); -+ /* reuse rbuf for hmac */ -+ HMAC_Final(&c, rbuf, &hlen); -+ -+ *buf = malloc(hlen); -+ if (*buf == NULL) { -+ goto end; -+ } -+ -+ *hmaclen = hlen; -+ -+ memcpy(*buf, rbuf, hlen); -+ -+ rv = 0; -+end: -+ HMAC_CTX_cleanup(&c); -+ -+ if (f) -+ fclose(f); -+ -+ return rv; -+} -+ -+static int -+FIPSCHECK_verify(const char *libname, const char *symbolname) -+{ -+ char path[PATH_MAX+1]; -+ int rv; -+ FILE *hf; -+ char *hmacpath, *p; -+ char *hmac = NULL; -+ size_t n; -+ -+ rv = get_library_path(libname, symbolname, path, sizeof(path)); -+ -+ if (rv < 0) -+ return 0; -+ -+ hmacpath = make_hmac_path(path); -+ -+ hf = fopen(hmacpath, "r"); -+ if (hf == NULL) { -+ free(hmacpath); -+ return 0; -+ } -+ -+ if (getline(&hmac, &n, hf) > 0) { -+ void *buf; -+ size_t hmaclen; -+ char *hex; -+ -+ if ((p=strchr(hmac, '\n')) != NULL) -+ *p = '\0'; -+ -+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { -+ rv = -4; -+ goto end; -+ } -+ -+ if ((hex=bin2hex(buf, hmaclen)) == NULL) { -+ free(buf); -+ rv = -5; -+ goto end; -+ } -+ -+ if (strcmp(hex, hmac) != 0) { -+ rv = -1; -+ } -+ free(buf); -+ free(hex); -+ } -+ -+end: -+ free(hmac); -+ free(hmacpath); -+ fclose(hf); -+ -+ if (rv < 0) -+ return 0; -+ -+ /* check successful */ -+ return 1; -+} -+ -+#endif - - int FIPS_mode_set(int onoff) - { -@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff) - } - #endif - -- if(fips_signature_witness() != FIPS_signature) -- { -- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); -- fips_selftest_fail = 1; -- ret = 0; -- goto end; -- } -- -- if(!FIPS_check_incore_fingerprint()) -+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set")) - { -+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; - ret = 0; - goto end; -@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void) - return ret; - } - -+#if 0 - unsigned char *fips_signature_witness(void) - { - extern unsigned char FIPS_signature[]; - return FIPS_signature; - } -+#endif - - /* Generalized public key test routine. Signs and verifies the data - * supplied in tbs using mesage digest md and setting option digest -diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile ---- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100 -+++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100 -@@ -62,9 +62,9 @@ testapps: - - all: - @if [ -z "$(FIPSLIBDIR)" ]; then \ -- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ -+ $(MAKE) -e subdirs lib; \ - else \ -- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ -+ $(MAKE) -e lib; \ - fi - - # Idea behind fipscanister.o is to "seize" the sequestered code between -@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $ - HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ - *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ - esac fi -- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 - - # If another exception is immediately required, assign approprite - # site-specific ld command to FIPS_SITE_LD environment variable. -@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC) - $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. - @touch lib - --shared: lib subdirs fips_premain_dso$(EXE_EXT) -+shared: lib subdirs - - libs: - @target=lib; $(RECURSIVE_MAKE) -@@ -195,10 +194,6 @@ install: - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; - @target=install; $(RECURSIVE_MAKE) -- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ -- fips_premain.c.sha1 \ -- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ -- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* - - lint: - @target=lint; $(RECURSIVE_MAKE) -diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h ---- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200 -+++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100 -@@ -63,7 +63,9 @@ int fips_is_owning_thread(void); - int fips_set_owning_thread(void); - void fips_set_selftest_fail(void); - int fips_clear_owning_thread(void); -+#if 0 - unsigned char *fips_signature_witness(void); -+#endif - - #define FIPS_MAX_CIPHER_TEST_SIZE 16 - diff --git a/openssl/openssl-0.9.8j-version-add-engines.patch b/openssl/openssl-0.9.8j-version-add-engines.patch deleted file mode 100644 index f54326c..0000000 --- a/openssl/openssl-0.9.8j-version-add-engines.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c ---- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200 -+++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100 -@@ -131,6 +131,7 @@ - #ifndef OPENSSL_NO_BF - # include - #endif -+#include - - #undef PROG - #define PROG version_main -@@ -140,7 +141,7 @@ int MAIN(int, char **); - int MAIN(int argc, char **argv) - { - int i,ret=0; -- int cflags=0,version=0,date=0,options=0,platform=0,dir=0; -+ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0; - - apps_startup(); - -@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv) - else if (strcmp(argv[i],"-d") == 0) - dir=1; - else if (strcmp(argv[i],"-a") == 0) -- date=version=cflags=options=platform=dir=1; -+ date=version=cflags=options=platform=dir=engines=1; - else - { - BIO_printf(bio_err,"usage:version -[avbofpd]\n"); -@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv) - } - if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS)); - if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR)); -+ if (engines) -+ { -+ ENGINE *e; -+ printf("engines: "); -+ e = ENGINE_get_first(); -+ while (e) -+ { -+ printf("%s ", ENGINE_get_id(e)); -+ e = ENGINE_get_next(e); -+ } -+ printf("\n"); -+ } - end: - apps_shutdown(); - OPENSSL_EXIT(ret); diff --git a/openssl/openssl-thread-test.c b/openssl/openssl-thread-test.c deleted file mode 100644 index 3b90285..0000000 --- a/openssl/openssl-thread-test.c +++ /dev/null @@ -1,400 +0,0 @@ -/* Test program to verify that RSA signing is thread-safe in OpenSSL. */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -/* Just assume we want to do engine stuff if we're using 0.9.6b or - * higher. This assumption is only valid for versions bundled with RHL. */ -#if OPENSSL_VERSION_NUMBER >= 0x0090602fL -#include -#define USE_ENGINE -#endif - -#define MAX_THREAD_COUNT 10000 -#define ITERATION_COUNT 10 -#define MAIN_COUNT 100 - -/* OpenSSL requires us to provide thread ID and locking primitives. */ -pthread_mutex_t *mutex_locks = NULL; -static unsigned long -thread_id_cb(void) -{ - return (unsigned long) pthread_self(); -} -static void -lock_cb(int mode, int n, const char *file, int line) -{ - if (mode & CRYPTO_LOCK) { - pthread_mutex_lock(&mutex_locks[n]); - } else { - pthread_mutex_unlock(&mutex_locks[n]); - } -} - -struct thread_args { - RSA *rsa; - int digest_type; - unsigned char *digest; - unsigned int digest_len; - unsigned char *signature; - unsigned int signature_len; - pthread_t main_thread; -}; - -static int print = 0; - -pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER; -static int locked_sign = 0; -static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);} -static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);} - -pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER; -static int locked_verify = 0; -static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);} -static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);} - -pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER; -long failure_count = 0; -static void -failure() -{ - pthread_mutex_lock(&failure_count_lock); - failure_count++; - pthread_mutex_unlock(&failure_count_lock); -} - -static void * -thread_main(void *argp) -{ - struct thread_args *args = argp; - unsigned char *signature; - unsigned int signature_len, signature_alloc_len; - int ret, i; - - signature_alloc_len = args->signature_len; - if (RSA_size(args->rsa) > signature_alloc_len) { - signature_alloc_len = RSA_size(args->rsa); - } - signature = malloc(signature_alloc_len); - if (signature == NULL) { - fprintf(stderr, "Skipping checks in thread %lu -- %s.\n", - (unsigned long) pthread_self(), strerror(errno)); - pthread_exit(0); - return NULL; - } - for (i = 0; i < ITERATION_COUNT; i++) { - signature_len = signature_alloc_len; - SIGN_LOCK(); - ret = RSA_check_key(args->rsa); - ERR_print_errors_fp(stdout); - if (ret != 1) { - failure(); - break; - } - ret = RSA_sign(args->digest_type, - args->digest, - args->digest_len, - signature, &signature_len, - args->rsa); - SIGN_UNLOCK(); - ERR_print_errors_fp(stdout); - if (ret != 1) { - failure(); - break; - } - - VERIFY_LOCK(); - ret = RSA_verify(args->digest_type, - args->digest, - args->digest_len, - signature, signature_len, - args->rsa); - VERIFY_UNLOCK(); - if (ret != 1) { - fprintf(stderr, - "Signature from thread %lu(%d) fails " - "verification (passed in thread #%lu)!\n", - (long) pthread_self(), i, - (long) args->main_thread); - ERR_print_errors_fp(stdout); - failure(); - continue; - } - if (print) { - fprintf(stderr, ">%d\n", i); - } - } - free(signature); - - pthread_exit(0); - - return NULL; -} - -unsigned char * -xmemdup(unsigned char *s, size_t len) -{ - unsigned char *r; - r = malloc(len); - if (r == NULL) { - fprintf(stderr, "Out of memory.\n"); - ERR_print_errors_fp(stdout); - assert(r != NULL); - } - memcpy(r, s, len); - return r; -} - -int -main(int argc, char **argv) -{ - RSA *rsa; - MD5_CTX md5; - int fd, i; - pthread_t threads[MAX_THREAD_COUNT]; - int thread_count = 1000; - unsigned char *message, *digest; - unsigned int message_len, digest_len; - unsigned char *correct_signature; - unsigned int correct_siglen, ret; - struct thread_args master_args, *args; - int sync = 0, seed = 0; - int again = 1; -#ifdef USE_ENGINE - char *engine = NULL; - ENGINE *e = NULL; -#endif - - pthread_mutex_init(&failure_count_lock, NULL); - - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--seed") == 0) { - printf("Seeding PRNG.\n"); - seed++; - } else - if (strcmp(argv[i], "--sync") == 0) { - printf("Running synchronized.\n"); - sync++; - } else - if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) { - i++; - thread_count = atol(argv[i]); - if (thread_count > MAX_THREAD_COUNT) { - thread_count = MAX_THREAD_COUNT; - } - printf("Starting %d threads.\n", thread_count); - sync++; - } else - if (strcmp(argv[i], "--sign") == 0) { - printf("Locking signing.\n"); - locked_sign++; - } else - if (strcmp(argv[i], "--verify") == 0) { - printf("Locking verifies.\n"); - locked_verify++; - } else - if (strcmp(argv[i], "--print") == 0) { - printf("Tracing.\n"); - print++; -#ifdef USE_ENGINE - } else - if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) { - printf("Using engine \"%s\".\n", argv[i + 1]); - engine = argv[i + 1]; - i++; -#endif - } else { - printf("Bad argument: %s\n", argv[i]); - return 1; - } - } - - /* Get some random data to sign. */ - fd = open("/dev/urandom", O_RDONLY); - if (fd == -1) { - fprintf(stderr, "Error opening /dev/urandom: %s\n", - strerror(errno)); - } - - if (print) { - fprintf(stderr, "Reading random data.\n"); - } - message = malloc(message_len = 9371); - read(fd, message, message_len); - close(fd); - - /* Initialize the SSL library and set up thread-safe locking. */ - ERR_load_crypto_strings(); - SSL_library_init(); - mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks()); - for (i = 0; i < CRYPTO_num_locks(); i++) { - pthread_mutex_init(&mutex_locks[i], NULL); - } - CRYPTO_set_id_callback(thread_id_cb); - CRYPTO_set_locking_callback(lock_cb); - ERR_print_errors_fp(stdout); - - /* Seed the PRNG if we were asked to do so. */ - if (seed) { - if (print) { - fprintf(stderr, "Seeding PRNG.\n"); - } - RAND_add(message, message_len, message_len); - ERR_print_errors_fp(stdout); - } - - /* Turn on a hardware crypto device if asked to do so. */ -#ifdef USE_ENGINE - if (engine) { -#if OPENSSL_VERSION_NUMBER >= 0x0090700fL - ENGINE_load_builtin_engines(); -#endif - if (print) { - fprintf(stderr, "Initializing \"%s\" engine.\n", - engine); - } - e = ENGINE_by_id(engine); - ERR_print_errors_fp(stdout); - if (e) { - i = ENGINE_init(e); - ERR_print_errors_fp(stdout); - i = ENGINE_set_default_RSA(e); - ERR_print_errors_fp(stdout); - } - } -#endif - - /* Compute the digest for the signature. */ - if (print) { - fprintf(stderr, "Computing digest.\n"); - } - digest = malloc(digest_len = MD5_DIGEST_LENGTH); - MD5_Init(&md5); - MD5_Update(&md5, message, message_len); - MD5_Final(digest, &md5); - - /* Generate a signing key. */ - if (print) { - fprintf(stderr, "Generating key.\n"); - } - rsa = RSA_generate_key(4096, 3, NULL, NULL); - ERR_print_errors_fp(stdout); - if (rsa == NULL) { - _exit(1); - } - - /* Sign the data. */ - correct_siglen = RSA_size(rsa); - correct_signature = malloc(correct_siglen); - for (i = 0; i < MAIN_COUNT; i++) { - if (print) { - fprintf(stderr, "Signing data (%d).\n", i); - } - ret = RSA_check_key(rsa); - ERR_print_errors_fp(stdout); - if (ret != 1) { - failure(); - } - correct_siglen = RSA_size(rsa); - ret = RSA_sign(NID_md5, digest, digest_len, - correct_signature, &correct_siglen, - rsa); - ERR_print_errors_fp(stdout); - if (ret != 1) { - _exit(2); - } - if (print) { - fprintf(stderr, "Verifying data (%d).\n", i); - } - ret = RSA_verify(NID_md5, digest, digest_len, - correct_signature, correct_siglen, - rsa); - if (ret != 1) { - _exit(2); - } - } - - /* Collect up the inforamtion which other threads will need for - * comparing their signature results with ours. */ - master_args.rsa = rsa; - master_args.digest_type = NID_md5; - master_args.digest = digest; - master_args.digest_len = digest_len; - master_args.signature = correct_signature; - master_args.signature_len = correct_siglen; - master_args.main_thread = pthread_self(); - - fprintf(stdout, "Performing %d signatures in each of %d threads " - "(%d, %d).\n", ITERATION_COUNT, thread_count, - digest_len, correct_siglen); - fflush(NULL); - - /* Start up all of the threads. */ - for (i = 0; i < thread_count; i++) { - args = malloc(sizeof(struct thread_args)); - args->rsa = RSAPrivateKey_dup(master_args.rsa); - args->digest_type = master_args.digest_type; - args->digest_len = master_args.digest_len; - args->digest = xmemdup(master_args.digest, args->digest_len); - args->signature_len = master_args.signature_len; - args->signature = xmemdup(master_args.signature, - args->signature_len); - args->main_thread = pthread_self(); - ret = pthread_create(&threads[i], NULL, thread_main, args); - while ((ret != 0) && (errno == EAGAIN)) { - ret = pthread_create(&threads[i], NULL, - thread_main, &args); - fprintf(stderr, "Thread limit hit at %d.\n", i); - } - if (ret != 0) { - fprintf(stderr, "Unable to create thread %d: %s.\n", - i, strerror(errno)); - threads[i] = -1; - } else { - if (sync) { - ret = pthread_join(threads[i], NULL); - assert(ret == 0); - } - if (print) { - fprintf(stderr, "%d\n", i); - } - } - } - - /* Wait for all threads to complete. So long as we can find an - * unjoined thread, keep joining threads. */ - do { - again = 0; - for (i = 0; i < thread_count; i++) { - /* If we have an unterminated thread, join it. */ - if (threads[i] != -1) { - again = 1; - if (print) { - fprintf(stderr, "Joining thread %d.\n", - i); - } - pthread_join(threads[i], NULL); - threads[i] = -1; - break; - } - } - } while (again == 1); - - fprintf(stderr, "%ld failures\n", failure_count); - - return (failure_count != 0); -} diff --git a/openssl/opensslconf-new-warning.h b/openssl/opensslconf-new-warning.h deleted file mode 100644 index de091c8..0000000 --- a/openssl/opensslconf-new-warning.h +++ /dev/null @@ -1,7 +0,0 @@ -/* Prepended at openssl package build-time. Don't include this file directly, - * use instead. */ - -#ifndef openssl_opensslconf_multilib_redirection_h -#error "Don't include this file directly, use instead!" -#endif - diff --git a/openssl/opensslconf-new.h b/openssl/opensslconf-new.h deleted file mode 100644 index cf22738..0000000 --- a/openssl/opensslconf-new.h +++ /dev/null @@ -1,34 +0,0 @@ -/* This file is here to prevent a file conflict on multiarch systems. A - * conflict will frequently occur because arch-specific build-time - * configuration options are stored (and used, so they can't just be stripped - * out) in opensslconf.h. The original opensslconf.h has been renamed. - * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */ - -#ifdef openssl_opensslconf_multilib_redirection_h -#error "Do not define openssl_opensslconf_multilib_redirection_h!" -#endif -#define openssl_opensslconf_multilib_redirection_h - -#if defined(__i386__) -#include "opensslconf-i386.h" -#elif defined(__ia64__) -#include "opensslconf-ia64.h" -#elif defined(__powerpc64__) -#include "opensslconf-ppc64.h" -#elif defined(__powerpc__) -#include "opensslconf-ppc.h" -#elif defined(__s390x__) -#include "opensslconf-s390x.h" -#elif defined(__s390__) -#include "opensslconf-s390.h" -#elif defined(__sparc__) && defined(__arch64__) -#include "opensslconf-sparc64.h" -#elif defined(__sparc__) -#include "opensslconf-sparc.h" -#elif defined(__x86_64__) -#include "opensslconf-x86_64.h" -#else -#error "This openssl-devel package does not work your architecture?" -#endif - -#undef openssl_opensslconf_multilib_redirection_h -- 1.8.3.1