Hello community, here is the log from the commit of package openssl-1_1_0 for openSUSE:Factory checked in at 2017-05-18 20:46:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_1_0 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_1_0.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_1_0" Thu May 18 20:46:44 2017 rev:1 rq:494106 version:1.1.0e Changes: -------- New Changes file: --- /dev/null 2017-03-01 00:40:19.279048016 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-1_1_0.new/openssl-1_1_0.changes 2017-05-18 20:46:47.780163434 +0200 
@@ -0,0 +1,2497 @@ +------------------------------------------------------------------- +Wed May 10 11:11:33 UTC 2017 - [email protected] + +- Add conflict for any libopenssl-devel that is not in our version + +------------------------------------------------------------------- +Wed May 10 10:40:53 UTC 2017 - [email protected] + +- Avoid the requires conflict between 1.1 and 1.0 openssl + +------------------------------------------------------------------- +Fri May 5 07:42:41 UTC 2017 - [email protected] + +- Add conflict on docu packages + +------------------------------------------------------------------- +Wed May 3 12:48:11 UTC 2017 - [email protected] + +- drop unnecessary README.SUSE + +------------------------------------------------------------------- +Wed May 3 11:46:58 UTC 2017 - [email protected] + +- add openssl-1.1-fix-ppc64.patch from Marcus Meissner to fix build + on ppc64 + +------------------------------------------------------------------- +Wed May 3 09:06:06 UTC 2017 - [email protected] + +- Fix build on aarch64 + +------------------------------------------------------------------- +Wed May 3 08:50:07 UTC 2017 - [email protected] + +- Remove libpadlock conditional, no longer present + +------------------------------------------------------------------- +Tue May 2 10:28:38 UTC 2017 - [email protected] + +- Update baselibs.conf to contain all the renamed packages + +------------------------------------------------------------------- +Wed Apr 26 12:43:47 UTC 2017 - [email protected] + +- re-enable tests on SLE-12 and below despite current failure, so + they are automatically run once the issue is resolved + +------------------------------------------------------------------- +Wed Apr 26 12:37:14 UTC 2017 - [email protected] + +- Filter out the pkgconfig provides to force usage of the main + openssl package provides + +------------------------------------------------------------------- +Fri Apr 21 13:04:42 UTC 2017 - [email protected] + +- disable 
tests on SLE-12 and its derivates + * they fail because of glibc bug bsc#1035445 +- remove README-FIPS.txt (outdated) + +------------------------------------------------------------------- +Thu Apr 20 15:08:43 UTC 2017 - [email protected] + +- drop openssl-fipslocking.patch + The locking in 1.1.0 has been rewritten and converted to the new + threading API. The fips deadlock (at least bsc#991193) can't be + reproduced anymore. +- don't ship useless INSTALL* files + +------------------------------------------------------------------- +Thu Apr 20 10:16:43 UTC 2017 - [email protected] + +- simplify openssl-fips-dont-fall-back-to-default-digest.patch + The -non-fips-allow option was dropped in OpenSSL 1.1.0 +- drop openssl-no-egd.patch as OpenSSL 1.1.0 disables EGD at compile + time by default +- renumber the patches so the numbers are consequent + +------------------------------------------------------------------- +Tue Apr 18 19:51:39 UTC 2017 - [email protected] + +- Update showciphers.c to work with new openssl + +------------------------------------------------------------------- +Tue Apr 18 19:17:42 UTC 2017 - [email protected] + +- Add patch openssl-static-deps.patch to allow dependencies on + statically build libraries +- Refresh openssl-1-1.0-fips.patch to take in use the above approach +- Silence the install manpage rename phase + +------------------------------------------------------------------- +Thu Apr 13 12:17:53 UTC 2017 - [email protected] + +- Start update to 1.1.0e basing of the 1.0.0 split release +- Drop patch merge_from_0.9.8k.patch the ppc64 should work out of the + box +- Drop patch openssl-engines-path.patch converted to configure option +- Drop patch openssl-1.0.2a-padlock64.patch code behind was redone + does not apply at all +- Drop patch openssl-fix-pod-syntax.diff mostly merged upstream or + not applicable +- Drop patch compression_methods_switch.patch as we do not need + to keep the compat on this release anymore +- Drop patch 
openssl-1.0.2a-ipv6-apps.patch which was upstreamed +- Drop upstreamed patch openssl-1.0.2a-default-paths.patch +- Drop obsolete patch openssl-1.0.0-c_rehash-compat.diff +- Drop obsolete patch openssl-missing_FIPS_ec_group_new_by_curve_name.patch +- Drop obsolete patch openssl-print_notice-NULL_crash.patch +- Drop obsolete patch openssl-randfile_fread_interrupt.patch +- Refresh patch openssl-truststore.patch +- Refresh baselibs.conf to correctly reflect soname +- Add patch openssl-1.1.0-fips.patch obsoleting bunch of older: + * openssl-1.0.2i-fips.patch + * openssl-1.0.2a-fips-ec.patch + * openssl-1.0.2a-fips-ctor.patch + * openssl-1.0.2i-new-fips-reqs.patch + * openssl-fips_disallow_x931_rand_method.patch +- Add new patch for upstream: + * 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch +- Refresh patch openssl-pkgconfig.patch +- Drop patch openssl-gcc-attributes.patch as the code was redone +- Rebase patch 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch +- Rebase patch openssl-no-egd.patch +- Rebase patch openssl-1.0.1e-add-suse-default-cipher.patch and + openssl-1.0.1e-add-test-suse-default-cipher-suite.patch +- Rebase patch openssl-fips_disallow_ENGINE_loading.patch +- Rebase patch openssl-urandom-reseeding.patch +- Rebase patch openssl-fips-rsagen-d-bits.patch +- Rebase patch openssl-fips-selftests_in_nonfips_mode.patch +- Remove switch for ssl2 - no longer present +- Remve the buildinf.h parsing, should no longer be needed +- Drop the rehash in build, no longer needed +- Drop openssl-fips-hidden.patch as it is not really needed +- Do not sed in secure_getenv upstream does it in code on their own +- Do not install html converted manpages + * openssl-1.1.0-no-html.patch + +------------------------------------------------------------------- +Thu Apr 13 12:09:22 UTC 2017 - [email protected] + +- Drop the symbol hiding patches to ease maintenance updates: + * 0005-libssl-Hide-library-private-symbols.patch + * 
0001-libcrypto-Hide-library-private-symbols.patch + +------------------------------------------------------------------- +Thu Apr 13 11:52:35 UTC 2017 - [email protected] + +- Add new patch for engines folders to allow co-installation + * openssl-engines-path.patch + +------------------------------------------------------------------- +Thu Apr 13 11:43:41 UTC 2017 - [email protected] + +- Drop openssl-ocloexec.patch as it causes additional maintenance + burden we would like to avoid + +------------------------------------------------------------------- +Thu Apr 13 11:41:13 UTC 2017 - [email protected] + +- Drop bug610223.patch as we moved to libdir + +------------------------------------------------------------------- +Thu Apr 13 11:37:37 UTC 2017 - [email protected] + +- Move check to %check phase +- Split showciphers to separate file + +------------------------------------------------------------------- +Wed Apr 12 13:06:59 UTC 2017 - [email protected] + +- Move openssl to /usr/lib64 from /lib64 + +------------------------------------------------------------------- +Wed Apr 12 13:04:04 UTC 2017 - [email protected] + +- Remove some of the DSO setting code that is not needed +- Fix the showciphers binary + +------------------------------------------------------------------- +Wed Apr 12 12:05:32 UTC 2017 - [email protected] + +- Rename to openssl-1_0_0 to allow instalation of multiple versions + +------------------------------------------------------------------- +Tue Apr 4 11:41:40 UTC 2017 - [email protected] + +- Remove O3 from optflags, no need to not rely on distro wide settings +- Remove conditions for sle10 and sle11, we care only about sle12+ +- USE SUSE instead of SuSE in readme +- Pass over with spec-cleaner + +------------------------------------------------------------------- +Thu Feb 2 15:19:15 UTC 2017 - [email protected] + +- fix X509_CERT_FILE path (bsc#1022271) and rename + updated openssl-1.0.1e-truststore.diff to openssl-truststore.patch ++++ 2300 
more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Factory/.openssl-1_1_0.new/openssl-1_1_0.changes New: ---- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch baselibs.conf openssl-1.0.1e-add-suse-default-cipher.patch openssl-1.0.1e-add-test-suse-default-cipher-suite.patch openssl-1.1.0-fips.patch openssl-1.1.0-no-html.patch openssl-1.1.0e.tar.gz openssl-1.1.0e.tar.gz.asc openssl-1_1_0.changes openssl-1_1_0.spec openssl-fips-clearerror.patch openssl-fips-dont-fall-back-to-default-digest.patch openssl-fips-dont_run_FIPS_module_installed.patch openssl-fips-fix-odd-rsakeybits.patch openssl-fips-rsagen-d-bits.patch openssl-fips-selftests_in_nonfips_mode.patch openssl-fips_disallow_ENGINE_loading.patch openssl-pkgconfig.patch openssl-ppc64-config.patch openssl-rsakeygen-minimum-distance.patch openssl-static-deps.patch openssl-truststore.patch openssl-urandom-reseeding.patch openssl.keyring showciphers.c ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_1_0.spec ++++++ # # spec file for package openssl # # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # Exclude pkgconfig deps we take them only from the main empty pkg that # pulls in the correct version. 
%global __provides_exclude_from ^%{_libdir}/pkgconfig/.*\\.pc$ %global __requires_exclude_from ^%{_libdir}/pkgconfig/.*\\.pc$ %define ssletcdir %{_sysconfdir}/ssl %define maj_min 1.1 %define _rname openssl Name: openssl-1_1_0 Version: 1.1.0e Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Url: https://www.openssl.org/ Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz # to get mtime of file: Source1: %{name}.changes Source2: baselibs.conf Source42: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc # https://www.openssl.org/about/ # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring Source43: %{_rname}.keyring Source99: showciphers.c # https://github.com/openssl/openssl/pull/2045 Patch0: 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch # PATCH-FIX-OPENSUSE: upstream won't use glibc Patch1: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch # PATCH-FIX-OPENSUSE: do not install html mans it takes ages Patch2: openssl-1.1.0-no-html.patch # PATCH-FIX-UPSTREAM: patch to allow deps and linking to static libs # needed for fips and taken from upstream Patch3: openssl-static-deps.patch Patch4: openssl-truststore.patch Patch5: openssl-pkgconfig.patch Patch6: openssl-1.0.1e-add-suse-default-cipher.patch Patch7: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch8: openssl-ppc64-config.patch # FIPS patches: Patch51: openssl-1.1.0-fips.patch Patch52: openssl-fips-dont_run_FIPS_module_installed.patch Patch53: openssl-fips_disallow_ENGINE_loading.patch Patch54: openssl-rsakeygen-minimum-distance.patch Patch55: openssl-urandom-reseeding.patch Patch56: openssl-fips-rsagen-d-bits.patch Patch57: openssl-fips-selftests_in_nonfips_mode.patch Patch58: openssl-fips-fix-odd-rsakeybits.patch Patch59: openssl-fips-clearerror.patch Patch60: openssl-fips-dont-fall-back-to-default-digest.patch BuildRequires: bc 
BuildRequires: ed BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) Provides: ssl Conflicts: otherproviders(ssl) BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. Derivation and License OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. %package -n libopenssl1_1_0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla %description -n libopenssl1_1_0 The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. Derivation and License OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. 
%package -n libopenssl-1_1_0-devel Summary: Include Files and Libraries mandatory for Development License: OpenSSL Group: Development/Libraries/C and C++ Requires: %{name} = %{version} Requires: libopenssl1_1_0 = %{version} Requires: pkgconfig(zlib) Provides: ssl-devel Conflicts: otherproviders(ssl-devel) # we need to have around only the exact version we are able to operate with Conflicts: libopenssl-devel < %{version} Conflicts: libopenssl-devel > %{version} %description -n libopenssl-1_1_0-devel This package contains all necessary include files and libraries needed to develop applications that require these. %package -n libopenssl1_1_0-hmac Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries License: BSD-3-Clause Group: Productivity/Networking/Security Requires: libopenssl1_1_0 = %{version}-%{release} %description -n libopenssl1_1_0-hmac The FIPS compliant operation of the openssl shared libraries is NOT possible without the HMAC hashes contained in this package! %package doc Summary: Additional Package Documentation License: OpenSSL Group: Productivity/Networking/Security Provides: openssl-doc = %{version} Obsoletes: openssl-doc < %{version} Conflicts: otherproviders(openssl-doc) BuildArch: noarch %description doc This package contains optional documentation provided in addition to this package's base documentation. 
%prep %setup -q -n %{_rname}-%{version} %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 # FIPS patches %patch51 -p1 %patch52 -p1 %patch53 -p1 %patch54 -p1 %patch55 -p1 %patch56 -p1 %patch57 -p1 %patch58 -p1 %patch59 -p1 %patch60 -p1 %build %ifarch armv5el armv5tel export MACHINE=armv5el %endif %ifarch armv6l armv6hl export MACHINE=armv6l %endif # afalgeng fails on aarch64 error: '__NR_eventfd' undeclared ./config \ no-rc5 no-idea \ fips \ no-ssl3 \ enable-rfc3779 \ %ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif %ifarch aarch64 no-afalgeng \ %endif enable-camellia \ zlib \ no-ec2m \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ %{optflags} -std=gnu99 \ -Wa,--noexecstack \ -Wl,-z,relro,-z,now \ -fno-common \ -DTERMIO \ -DPURIFY \ -D_GNU_SOURCE \ -DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ -Wall util/mkdef.pl crypto update make depend -j1 make all %{?_smp_mflags} %check export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) #2017-04-26: Tests fail on SLE-12 because of glibc bug bsc#1035445 LD_LIBRARY_PATH=`pwd` make test -j1 # show cyphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE99} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install %make_install %{?_smp_mflags} # kill static libs rm -f %{buildroot}%{_libdir}/lib*.a # remove the cnf.dist rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl mkdir %{buildroot}/%{_datadir}/ssl mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ # avoid file conflicts with man pages from other packages # set +x pushd %{buildroot}/%{_mandir} # some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check. 
# replace spaces by underscores #for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } for i in man?/*; do if test -L $i ; then LDEST=`readlink $i` rm -f $i ${i}ssl ln -sf ${LDEST}ssl ${i}ssl else mv $i ${i}ssl fi case "$i" in *.1) # these are the pages mentioned in openssl(1). They go into the main package. echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;; *) # the rest goes into the openssl-doc package. echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;; esac done popd set -x # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; # Place showciphers.c for %doc macro cp %{SOURCE99} . # the hmac hashes: # # this is a hack that re-defines the __os_install_post macro # for a simple reason: the macro strips the binaries and thereby # invalidates a HMAC that may have been created earlier. # solution: create the hashes _after_ the macro runs. # # this shows up earlier because otherwise the %expand of # the macro is too late. 
# remark: This is the same as running # openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' %{expand:%%global __os_install_post {%__os_install_post %{buildroot}%{_bindir}/fips_standalone_hmac \ %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \ %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac %{buildroot}%{_bindir}/fips_standalone_hmac \ %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \ %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac }} %post -n libopenssl1_1_0 -p /sbin/ldconfig %postun -n libopenssl1_1_0 -p /sbin/ldconfig %files -n libopenssl1_1_0 %defattr(-, root, root) %{_libdir}/libssl.so.%{maj_min} %{_libdir}/libcrypto.so.%{maj_min} %{_libdir}/engines-%{maj_min} %files -n libopenssl1_1_0-hmac %defattr(-, root, root) %{_libdir}/.libssl.so.%{maj_min}.hmac %{_libdir}/.libcrypto.so.%{maj_min}.hmac %files -n libopenssl-1_1_0-devel %defattr(-, root, root) %{_includedir}/%{_rname}/ %{_includedir}/ssl %{_libdir}/libssl.so %{_libdir}/libcrypto.so %{_libdir}/pkgconfig/libcrypto.pc %{_libdir}/pkgconfig/libssl.pc %{_libdir}/pkgconfig/openssl.pc %files doc -f filelist.doc %defattr(-, root, root) %doc doc/* demos %doc showciphers.c %files -f filelist %defattr(-, root, root) %doc CHANGE* %doc LICENSE NEWS README %dir %{ssletcdir} %config (noreplace) %{ssletcdir}/openssl.cnf %attr(700,root,root) %{ssletcdir}/private %dir %{_datadir}/ssl %{_datadir}/ssl/misc %{_bindir}/c_rehash %{_bindir}/fips_standalone_hmac %{_bindir}/%{_rname} %changelog ++++++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++++++ ++++ 977 lines (skipped) ++++++ 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch ++++++ >From c5ac41de1511f898301c298b2b28d05372cba817 Mon Sep 17 00:00:00 2001 
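Review bot: The comment block above the `__os_install_post` override quotes the HMAC key used by `fips_standalone_hmac`, but nothing in the spec says what the generated `.hmac` files do and do not protect. Because the key is fixed and printed in the spec, the hashes can only serve as the FIPS integrity self-check for `libssl.so.%{maj_min}` and `libcrypto.so.%{maj_min}` (for example after stripping or corruption); they do not authenticate the libraries, which still rests on the package signature. I would add a line to that block such as `# the key is public: these hashes are an integrity self-check, not a signature`.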
From: Vitezslav Cizek <[email protected]> Date: Thu, 8 Dec 2016 13:10:33 +0100 Subject: [PATCH] Resume reading from randfile when interrupted by a signal. It was regularly observed with openssh: sshd: fatal: cannot read from /dev/urandom, Interrupted system call --- crypto/rand/randfile.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index c96383a..6e39e86 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -104,6 +104,12 @@ static __FILE_ptr32 (*const vms_fopen)(const char *, const char *, ...) = #define RFILE ".rnd" +#ifdef EINTR +# define INTERRUPTED(in) (ferror(in) && errno == EINTR) +#else +# define INTERRUPTED (0) +#endif + /* * Note that these functions are intended for seed files only. Entropy * devices and EGD sockets are handled in rand_unix.c @@ -162,9 +168,16 @@ int RAND_load_file(const char *file, long bytes) n = (bytes < BUFSIZE) ? (int)bytes : BUFSIZE; else n = BUFSIZE; + i = fread(buf, 1, n, in); - if (i <= 0) + if (i <= 0) { + if (INTERRUPTED(in)) { + /* Interrupted by a signal, resume reading */ + clearerr(in); + continue; + } break; + } RAND_add(buf, i, (double)i); ret += i; -- 2.10.2 ++++++ baselibs.conf ++++++ openssl-1_1_0 libopenssl1_1_0 libopenssl-1_1_0-devel requires "openssl-1_1_0-<targettype>" requires "libopenssl1_1_0-<targettype> = <version>" libopenssl1_1_0-hmac requires "libopenssl1_1_0-<targettype> = <version>-%release" ++++++ openssl-1.0.1e-add-suse-default-cipher.patch ++++++ Index: openssl-1.1.0c/ssl/ssl_ciph.c =================================================================== --- openssl-1.1.0c.orig/ssl/ssl_ciph.c 2016-12-08 16:13:39.990850602 +0100 +++ openssl-1.1.0c/ssl/ssl_ciph.c 2016-12-08 16:13:40.022851089 +0100 
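Review bot: The `#else` branch in the first randfile.c hunk defines `INTERRUPTED` as an object-like macro, but the second hunk invokes it as `INTERRUPTED(in)`. On a platform without `EINTR` that expands to `(0)(in)` and the file no longer compiles. Give both branches the same parameter list: `# define INTERRUPTED(in) (0)`. RAND_load_file starts and ends outside the hunk, so whether `errno` is otherwise touched between `fread` and the check cannot be seen from here.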
@@ -1468,7 +1468,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ */ ok = 1; rule_p = rule_str; - if (strncmp(rule_str, "DEFAULT", 7) == 0) { + if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) { + ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, + &head, &tail, ca_list, c); + rule_p += 12; + if (*rule_p == ':') + rule_p++; + } + else if (strncmp(rule_str, "DEFAULT", 7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail, ca_list, c); rule_p += 7; Index: openssl-1.1.0c/include/openssl/ssl.h =================================================================== --- openssl-1.1.0c.orig/include/openssl/ssl.h 2016-11-10 15:03:46.000000000 +0100 +++ openssl-1.1.0c/include/openssl/ssl.h 2016-12-08 16:13:40.022851089 +0100 @@ -195,6 +195,9 @@ extern "C" { * an application-defined cipher list string starts with 'DEFAULT'. */ # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" +# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ + "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ + "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA" /* * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is ++++++ openssl-1.0.1e-add-test-suse-default-cipher-suite.patch ++++++ Index: openssl-1.1.0c/test/recipes/99-test_suse_default_ciphers.t =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.0c/test/recipes/99-test_suse_default_ciphers.t 2016-12-19 13:59:16.662066548 +0100 
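Review bot: The new `DEFAULT_SUSE` branch in ssl_create_cipher_list only works because it is tested before `DEFAULT`, which is a prefix of it, and nothing in the code says so. A later reordering would silently turn `DEFAULT_SUSE` into `DEFAULT` followed by the rule `_SUSE`. I would add `/* must come first: "DEFAULT" is a prefix of "DEFAULT_SUSE" */` above the test and replace the literal `12` with `sizeof("DEFAULT_SUSE") - 1` in both places. The formatting also departs from the surrounding code (no space after the comma in `strncmp(rule_str,"DEFAULT_SUSE", 12)`, `else if` on its own line after `}`). The function continues outside the hunk.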
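Review bot: `SSL_DEFAULT_SUSE_CIPHER_LIST` in ssl.h ends with three 3DES suites (`ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA`), while the test added in the companion patch states that the list "shouldn't contain MD5, DES or RC4". 3DES is a 64-bit block cipher and is normally kept out of a default list, so either these three names should be dropped or the macro needs a comment explaining why they stay. Whether they are compiled in at all depends on configure options not visible in this hunk. The macro also has no comment of its own; the one above it describes only `SSL_DEFAULT_CIPHER_LIST`.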
@@ -0,0 +1,22 @@ +#! /usr/bin/env perl + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT/; +use OpenSSL::Test::Utils; + + +setup("test_default_ciphersuites"); + +plan tests => 4; + +my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT"); + +foreach my $cipherlist (@cipher_suites) { + ok(run(app(["openssl", "ciphers", $cipherlist])), + "openssl ciphers works with ciphersuite $cipherlist"); + ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "DEFAULT_SUSE"]), capture => 1)), + "$cipherlist shouldn't contain MD5, DES or RC4\n"); +} + ++++++ openssl-1.1.0-fips.patch ++++++ ++++ 12296 lines (skipped) ++++++ openssl-1.1.0-no-html.patch ++++++ diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl --- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200 +++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200 @@ -288,7 +288,7 @@ install_sw: all install_dev install_engi uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev -install_docs: install_man_docs install_html_docs +install_docs: install_man_docs uninstall_docs: uninstall_man_docs uninstall_html_docs $(RM) -r -v $(DESTDIR)$(DOCDIR) ++++++ openssl-fips-clearerror.patch ++++++ Index: openssl-1.0.2g/crypto/o_init.c =================================================================== --- openssl-1.0.2g.orig/crypto/o_init.c 2016-04-14 10:54:05.763929573 +0200 +++ openssl-1.0.2g/crypto/o_init.c 2016-04-14 10:59:08.366168879 +0200 
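Review bot: The second `ok(...)` inside the loop of 99-test_suse_default_ciphers.t always runs `openssl ciphers DEFAULT_SUSE` instead of `$cipherlist`, so `DEFAULT` is never inspected and `DEFAULT_SUSE` is checked twice under two different test names. The call should be `run(app(["openssl", "ciphers", $cipherlist]), capture => 1)`. The pattern `/(MD5|RC4|DES)/` also matches the `DES-CBC3` names, so once the list is actually varied the test will flag 3DES in either list. That appears to be the intent, but it conflicts with the 3DES entries in `SSL_DEFAULT_SUSE_CIPHER_LIST` if those suites are built.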
@@ -91,6 +91,7 @@ static void init_fips_mode(void) NONFIPS_selftest_check(); /* drop down to non-FIPS mode if it is not requested */ FIPS_mode_set(0); + ERR_clear_error(); } else { /* abort if selftest failed */ FIPS_selftest_check(); ++++++ openssl-fips-dont-fall-back-to-default-digest.patch ++++++ Index: openssl-1.1.0e/apps/dgst.c =================================================================== --- openssl-1.1.0e.orig/apps/dgst.c 2017-04-20 12:31:52.471544178 +0200 +++ openssl-1.1.0e/apps/dgst.c 2017-04-20 12:38:46.669771843 +0200 @@ -94,6 +94,10 @@ int dgst_main(int argc, char **argv) prog = opt_progname(argv[0]); buf = app_malloc(BUFSIZE, "I/O buffer"); md = EVP_get_digestbyname(prog); + if (md == NULL && strcmp(prog, "dgst") != 0) { + BIO_printf(bio_err, "%s is not a known digest\n", prog); + goto end; + } prog = opt_init(argc, argv, dgst_options); while ((o = opt_next()) != OPT_EOF) { ++++++ openssl-fips-dont_run_FIPS_module_installed.patch ++++++ Index: openssl-1.0.2h/crypto/o_init.c =================================================================== --- openssl-1.0.2h.orig/crypto/o_init.c 2016-06-01 15:26:25.026937000 +0200 +++ openssl-1.0.2h/crypto/o_init.c 2016-06-01 16:23:24.980858697 +0200 @@ -111,9 +111,9 @@ void __attribute__ ((constructor)) OPENS return; done = 1; #ifdef OPENSSL_FIPS - if (!FIPS_module_installed()) { + /*if (!FIPS_module_installed()) { return; - } + }*/ RAND_init_fips(); init_fips_mode(); if (!FIPS_mode()) { ++++++ openssl-fips-fix-odd-rsakeybits.patch ++++++ Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c =================================================================== --- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-14 10:52:34.187646539 +0200 +++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-14 10:53:39.335559301 +0200 
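Review bot: The early exit added to dgst_main has no comment explaining why an unrecognised program name must be fatal, and the reason is security-relevant rather than cosmetic. Without it, a digest named through `argv[0]` that is unavailable (for instance disabled in FIPS mode) would be silently replaced by the default digest. I would put `/* fail rather than fall back to the default digest when argv[0] names an unavailable one */` above the `if`. dgst_main continues outside the hunk, so the assumption that the `end:` path returns a non-zero status is not verifiable here.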
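Review bot: The o_init.c hunk disables the `FIPS_module_installed()` early return by wrapping it in `/* ... */` instead of deleting it, and gives no reason. The effect is that `RAND_init_fips()` and `init_fips_mode()` now run in every process built with `OPENSSL_FIPS`, whether or not the module is installed. That is a behaviour change the next maintainer needs spelled out. I would remove the three dead lines and replace them with a comment such as `/* always run FIPS init: the self-test result is evaluated in init_fips_mode() even when the module is not installed */`, adjusted to the real rationale. The constructor's body starts and ends outside the hunk.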
@@ -465,7 +465,8 @@ static int rsa_builtin_keygen(RSA *rsa, goto err; bitsp = (bits + 1) / 2; - bitsq = bits - bitsp; + /* Use the same number of bits for p and q, our checks assume it. */ + bitsq = bitsp; /* prepare a maximum for p and q */ /* 0xB504F334 is (sqrt(2)/2)*2^32 */ ++++++ openssl-fips-rsagen-d-bits.patch ++++++ Index: openssl-1.1.0c/crypto/rsa/rsa_gen.c =================================================================== --- openssl-1.1.0c.orig/crypto/rsa/rsa_gen.c 2016-12-08 17:55:15.968669184 +0100 +++ openssl-1.1.0c/crypto/rsa/rsa_gen.c 2016-12-08 17:55:15.976669308 +0100 @@ -173,6 +173,12 @@ static int fips_rsa_builtin_keygen(RSA * goto err; } + BN_copy(rsa->e, e_value); + + if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) + test = 1; + +retry: /* prepare approximate minimum p and q */ if (!BN_set_word(r0, 0xB504F334)) goto err; @@ -185,12 +191,6 @@ static int fips_rsa_builtin_keygen(RSA * if (!BN_lshift(r3, r3, pbits - 100)) goto err; - BN_copy(rsa->e, e_value); - - if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) - test = 1; - - retry: /* generate p and q */ for (i = 0; i < 5 * pbits; i++) { ploop: @@ -323,6 +323,8 @@ static int fips_rsa_builtin_keygen(RSA * BN_free(pr0); } + /* test 2^(bits/2) < d < LCM((p-1)*(q-1)) */ + /* the LCM part is covered due to the generation by modulo above */ if (BN_num_bits(rsa->d) < pbits) goto retry; /* d is too small */ ++++++ openssl-fips-selftests_in_nonfips_mode.patch ++++++ Index: openssl-1.1.0c/crypto/fips/fips.c =================================================================== --- openssl-1.1.0c.orig/crypto/fips/fips.c 2016-12-09 11:34:28.778291575 +0100 +++ openssl-1.1.0c/crypto/fips/fips.c 2016-12-09 11:37:18.192847119 +0100 
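Review bot: With `bitsq = bitsp;` and `bitsp = (bits + 1) / 2`, an odd `bits` makes p and q together one bit longer than requested, so rsa_builtin_keygen can return a modulus of `bits + 1` bits. The new comment explains why p and q are equal-sized but not this consequence. Any caller that validates the key size afterwards would see a mismatch, though whether one exists is not visible here. I would either reject odd sizes before this point or extend the comment: `/* NOTE: for odd 'bits' the modulus is bits + 1 bits long */`. The function starts and ends outside the hunk.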
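Review bot: In the first fips_rsa_builtin_keygen hunk, `BN_copy(rsa->e, e_value);` is moved ahead of `retry:` with its return value still ignored, although every other BN call in the hunk is checked. BN_copy returns NULL on allocation failure, and generation would then continue against whatever `rsa->e` held before. I would write `if (BN_copy(rsa->e, e_value) == NULL) goto err;`. Moving `retry:` above the r0/r3 setup looks intended to rebuild those bounds on each retry, presumably because the temporaries are reused further down; a one-line comment at the label saying so would help. The function starts and ends outside the hunks.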
@@ -472,6 +472,44 @@ int FIPS_module_mode_set(int onoff) return ret; } +/* In non-FIPS mode, the selftests must succeed if the + * checksum files are present + */ +void NONFIPS_selftest_check(void) +{ + int rv; + char *hmacpath; + char path[PATH_MAX+1]; + + if (fips_selftest_fail) + { + /* check if the checksum files are installed */ + rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path)); + if (rv < 0) + OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); + + hmacpath = make_hmac_path(path); + if (hmacpath == NULL) + OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); + + if (access(hmacpath, F_OK)) + { + /* no hmac file is present, ignore the failed selftests */ + if (errno == ENOENT) + { + free(hmacpath); + return; + } + /* we fail on any other error */ + } + /* if the file exists, but the selftests failed + (eg wrong checksum), we fail too */ + free(hmacpath); + OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); + } + /* otherwise ok, selftests were successful */ +} + static CRYPTO_THREAD_ID fips_threadid; static int fips_thread_set = 0; Index: openssl-1.1.0c/crypto/o_init.c =================================================================== --- openssl-1.1.0c.orig/crypto/o_init.c 2016-12-09 11:34:28.726290785 +0100 +++ openssl-1.1.0c/crypto/o_init.c 2016-12-09 11:34:28.778291575 +0100 @@ -44,6 +44,8 @@ static void init_fips_mode(void) */ if (buf[0] != '1') { + /* abort if selftest failed and the module is complete */ + NONFIPS_selftest_check(); /* drop down to non-FIPS mode if it is not requested */ FIPS_mode_set(0); } else { Index: openssl-1.1.0c/include/openssl/fips.h =================================================================== --- openssl-1.1.0c.orig/include/openssl/fips.h 2016-12-09 11:34:28.654289692 +0100 +++ openssl-1.1.0c/include/openssl/fips.h 2016-12-09 11:38:18.553750517 +0100 
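Review bot: NONFIPS_selftest_check fails open when `access(hmacpath, F_OK)` reports `ENOENT`, and the header comment does not say that this is the deliberate policy or what it implies. A failed self-test is ignored whenever the libcrypto `.hmac` file is absent, so the presence and permissions of that file are what keep the check meaningful outside FIPS mode. Only the libcrypto checksum file is consulted; the libssl one generated by the spec is not looked at here. I would expand the comment to state both points, for example `/* a missing libcrypto .hmac file means "FIPS module not installed": a failed selftest is then ignored on purpose */`. The brace placement also differs from the K&R style of the surrounding context lines.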
@@ -65,6 +65,7 @@ extern "C" { int FIPS_selftest(void); int FIPS_selftest_failed(void); int FIPS_selftest_drbg_all(void); + void NONFIPS_selftest_check(void); int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, const EVP_MD *evpmd, const unsigned char *seed_in, ++++++ openssl-fips_disallow_ENGINE_loading.patch ++++++ Index: openssl-1.1.0c/crypto/init.c =================================================================== --- openssl-1.1.0c.orig/crypto/init.c 2016-12-08 17:36:03.170689184 +0100 +++ openssl-1.1.0c/crypto/init.c 2016-12-08 17:36:14.938873308 +0100 @@ -564,6 +564,9 @@ int OPENSSL_init_crypto(uint64_t opts, c && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) return 0; # endif +# ifdef OPENSSL_FIPS + if (!FIPS_mode()) +# endif if ((opts & OPENSSL_INIT_ENGINE_DYNAMIC) && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) return 0; ++++++ openssl-pkgconfig.patch ++++++ Index: openssl-1.1.0c/Configurations/unix-Makefile.tmpl =================================================================== --- openssl-1.1.0c.orig/Configurations/unix-Makefile.tmpl 2016-11-10 15:03:43.000000000 +0100 +++ openssl-1.1.0c/Configurations/unix-Makefile.tmpl 2016-12-02 14:42:03.547865145 +0100 @@ -790,7 +790,7 @@ libcrypto.pc: echo 'Version: '$(VERSION); \ echo 'Libs: -L$${libdir} -lcrypto'; \ echo 'Libs.private: $(EX_LIBS)'; \ - echo 'Cflags: -I$${includedir}' ) > libcrypto.pc + echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc libssl.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ 
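Review bot: The `if (!FIPS_mode())` added to OPENSSL_init_crypto under `# ifdef OPENSSL_FIPS` has no braces and takes the following `if` as its body, so the guard depends on nothing ever being inserted between the `# endif` and that statement. Folding the test into the existing condition removes the hazard. The gate is evaluated once at init time and in this hunk covers only the dynamic engine; the other engine loaders are outside the hunk and cannot be checked from here. In FIPS mode the function also reports success without loading the engine the caller asked for, which deserves a comment.

```c
    /* In FIPS mode the dynamic engine is deliberately not loaded. */
    if ((opts & OPENSSL_INIT_ENGINE_DYNAMIC)
# ifdef OPENSSL_FIPS
            && !FIPS_mode()
# endif
            && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
        return 0;
```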
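Review bot: Adding `-DOPENSSL_LOAD_CONF` to the `Cflags` line of libcrypto.pc, and of libssl.pc in the next hunk, changes runtime behaviour for every program built through pkg-config, and neither the template nor the spec explains it. With that define, library initialisation in those programs also loads `openssl.cnf`, so its contents and file permissions become relevant to all consumers rather than only to the `openssl` tool. I would add a comment above the `libcrypto.pc:` target such as `# SUSE: consumers auto-load openssl.cnf so system-wide settings apply to them`, adjusted to the actual motivation.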
@@ -804,7 +804,7 @@ libssl.pc: echo 'Requires.private: libcrypto'; \ echo 'Libs: -L$${libdir} -lssl'; \ echo 'Libs.private: $(EX_LIBS)'; \ - echo 'Cflags: -I$${includedir}' ) > libssl.pc + echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc openssl.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ ++++++ openssl-ppc64-config.patch ++++++ Index: openssl-1.1.0e/config =================================================================== --- openssl-1.1.0e.orig/config +++ openssl-1.1.0e/config @@ -550,7 +550,7 @@ case "$GUESSOS" in OUT="linux-ppc64" else OUT="linux-ppc" - (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32" + (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || OUT="linux-ppc64" fi ;; ppc64le-*-linux2) OUT="linux-ppc64le" ;; ++++++ openssl-rsakeygen-minimum-distance.patch ++++++ Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c =================================================================== --- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-13 15:18:47.520016582 +0200 +++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-13 15:36:32.309233030 +0200 @@ -465,6 +465,19 @@ static int rsa_builtin_keygen(RSA *rsa, bitsp = (bits + 1) / 2; bitsq = bits - bitsp; + /* prepare a maximum for p and q */ + /* 0xB504F334 is (sqrt(2)/2)*2^32 */ + if (!BN_set_word(r0, 0xB504F334)) + goto err; + if (!BN_lshift(r0, r0, bitsp - 32)) + goto err; + + /* prepare minimum p and q difference */ + if (!BN_one(r3)) + goto err; + if (!BN_lshift(r3, r3, bitsp - 100)) + goto err; + /* We need the RSA components non-NULL */ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) goto err; @@ -489,6 +502,8 @@ static int rsa_builtin_keygen(RSA *rsa, for (;;) { if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) goto err; + if (BN_cmp(rsa->p, r0) < 0) + continue; if (!BN_sub(r2, rsa->p, BN_value_one())) goto err; if (!BN_gcd(r1, r2, rsa->e, ctx)) 
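Review bot: In the `linux-ppc` fallback of `config`, the new `|| OUT="linux-ppc64"` fires whenever `grep "^__LP64__"` finds nothing. That is the case when gcc defines `__LP64__`, but also when `gcc -E` is missing or fails, since its stderr goes to /dev/null and grep then sees empty input. A failed probe therefore selects the 64-bit target instead of leaving `OUT="linux-ppc"`. Testing for the expanded value rather than for the absence of the macro name avoids that, for example `(echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^1" >/dev/null 2>&1) && OUT="linux-ppc64"`. The enclosing `if` and `case` start outside the hunk.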
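Review bot: In `rsa_builtin_keygen`, `BN_lshift(r0, r0, bitsp - 32)` and `BN_lshift(r3, r3, bitsp - 100)` are given a negative shift count for small key sizes: `bitsp` is `(bits + 1) / 2`, so `bitsp - 100` is below zero for any `bits` under 199. How `BN_lshift` treats a negative count is not visible here, and at best the caller gets a generic failure in place of the `RSA_R_KEY_SIZE_TOO_SMALL` error that the -501 hunk removes together with the retry limit. An explicit guard before the two shifts keeps the diagnosis, e.g. `if (bitsp < 100) { ok = 0; RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); goto err; }`. The function starts and ends outside the hunk.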
@@ -501,21 +516,17 @@ static int rsa_builtin_keygen(RSA *rsa, if (!BN_GENCB_call(cb, 3, 0)) goto err; for (;;) { - /* - * When generating ridiculously small keys, we can get stuck - * continually regenerating the same prime values. Check for this and - * bail if it happens 3 times. - */ - unsigned int degenerate = 0; - do { - if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) - goto err; - } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); - if (degenerate == 3) { - ok = 0; /* we set our own err */ - RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); + /* This function will take care of setting the topmost bit via BN_rand(..,1,1), so + * the maximum distance between p and q is less than 2^bitsq */ + if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) + goto err; + if (BN_cmp(rsa->q, r0) < 0) + continue; + /* check for minimum distance between p and q, 2^(bitsp-100) */ + if (!BN_sub(r2, rsa->q, rsa->p)) goto err; - } + if (BN_ucmp(r2, r3) <= 0) + continue; if (!BN_sub(r2, rsa->q, BN_value_one())) goto err; if (!BN_gcd(r1, r2, rsa->e, ctx)) ++++++ openssl-static-deps.patch ++++++ >From 186a31e510d1326063cfeca17e58fadec236ad2a Mon Sep 17 00:00:00 2001 
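Review bot: The q loop cannot terminate when `bits` is odd, because `BN_cmp(rsa->q, r0) < 0` compares q with a bound that was built from `bitsp`. With an odd size `bitsq` is `bitsp - 1`, so every candidate q is below 2^bitsq, which is half of 2^bitsp, while `r0` is about 0.707 * 2^bitsp; the `continue` is then taken on every iteration. The loop also lost its only exit for stuck generation when the `degenerate` counter was removed. Either give q its own lower bound, shifted by `bitsq - 32` in a separate temporary, or reject odd `bits` before the loops start, and keep an attempt limit that ends in `RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL)`. The loop body continues outside the hunk, and `r0` is set in the -465 hunk.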
From: Richard Levitte <[email protected]> Date: Wed, 9 Nov 2016 20:01:51 +0100 Subject: [PATCH] Building: make it possible to force linking with static OpenSSL libs Very simply, support having the .a extension to denote depending on static libraries. Note that this is not supported on native Windows when building shared libraries, as there is not static library then, just an import library with the same name. Reviewed-by: Rich Salz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/1889) --- Configurations/common.tmpl | 14 +++++++++++--- Configurations/descrip.mms.tmpl | 23 ++++++++++++++--------- Configurations/unix-Makefile.tmpl | 19 ++++++++++++------- Configurations/windows-makefile.tmpl | 4 +++- Configure | 7 +++++++ 5 files changed, 47 insertions(+), 20 deletions(-) Index: openssl-1.1.0e/Configurations/common.tmpl =================================================================== --- openssl-1.1.0e.orig/Configurations/common.tmpl +++ openssl-1.1.0e/Configurations/common.tmpl @@ -9,15 +9,22 @@ # there are no duplicate dependencies and that they are in the # right order. This is especially used to sort the list of # libraries that a build depends on. + sub extensionlesslib { + my @result = map { $_ =~ /(\.a)?$/; $` } @_; + return @result if wantarray; + return $result[0]; + } sub resolvedepends { my $thing = shift; + my $extensionlessthing = extensionlesslib($thing); my @listsofar = @_; # to check if we're looping - my @list = @{$unified_info{depends}->{$thing}}; + my @list = @{$unified_info{depends}->{$extensionlessthing}}; my @newlist = (); if (scalar @list) { foreach my $item (@list) { + my $extensionlessitem = extensionlesslib($item); # It's time to break off when the dependency list starts looping - next if grep { $_ eq $item } @listsofar; + next if grep { extensionlesslib($_) eq $extensionlessitem } @listsofar; push @newlist, $item, resolvedepends($item, @listsofar, $item); } } 
@@ -28,8 +35,9 @@ my @newlist = (); while (@list) { my $item = shift @list; + my $extensionlessitem = extensionlesslib($item); push @newlist, $item - unless grep { $item eq $_ } @list; + unless grep { $extensionlessitem eq extensionlesslib($_) } @list; } @newlist; } Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl =================================================================== --- openssl-1.1.0e.orig/Configurations/descrip.mms.tmpl +++ openssl-1.1.0e/Configurations/descrip.mms.tmpl @@ -524,6 +524,17 @@ configdata.pm : $(SRCDIR)Configure $(SRC use File::Basename; use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/; + # Helper function to figure out dependencies on libraries + # It takes a list of library names and outputs a list of dependencies + sub compute_lib_depends { + if ($disabled{shared}) { + return map { $_ =~ /\.a$/ ? $`.".OLB" : $_.".OLB" } @_; + } + return map { $_ =~ /\.a$/ + ? $`.".OLB" + : $unified_info{sharednames}->{$_}.".EXE" } @_; + } + sub generatesrc { my %args = @_; my $generator = join(" ", @{$args{generator}}); @@ -619,9 +630,7 @@ EOF my $libd = dirname($lib); my $libn = basename($lib); (my $mkdef_key = $libn) =~ s/^${osslprefix_q}lib([^0-9]*)\d*/$1/i; - my @deps = map { - $disabled{shared} ? $_.".OLB" - : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}}; + my @deps = compute_lib_depends(@{$args{deps}}); my $deps = join(", -\n\t\t", @deps); my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : ""; 
@@ -667,9 +676,7 @@ EOF my $libn = basename($lib); (my $libn_nolib = $libn) =~ s/^lib//; my @objs = map { "$_.OBJ" } @{$args{objs}}; - my @deps = map { - $disabled{shared} ? $_.".OLB" - : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}}; + my @deps = compute_lib_depends(@{$args{deps}}); my $deps = join(", -\n\t\t", @objs, @deps); my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir}, @@ -719,9 +726,7 @@ EOF my $bind = dirname($bin); my $binn = basename($bin); my @objs = map { "$_.OBJ" } @{$args{objs}}; - my @deps = map { - $disabled{shared} ? $_.".OLB" - : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}}; + my @deps = compute_lib_depends(@{$args{deps}}); my $deps = join(", -\n\t\t", @objs, @deps); # The "[]" hack is because in .OPT files, each line inherits the # previous line's file spec as default, so if no directory spec Index: openssl-1.1.0e/Configurations/unix-Makefile.tmpl =================================================================== --- openssl-1.1.0e.orig/Configurations/unix-Makefile.tmpl +++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl @@ -837,13 +837,13 @@ configdata.pm: $(SRCDIR)/Configure $(SRC # It takes a list of library names and outputs a list of dependencies sub compute_lib_depends { if ($disabled{shared}) { - return map { $_.$libext } @_; + return map { $_ =~ /\.a$/ ? $`.$libext : $_.$libext } @_; } # Depending on shared libraries: # On Windows POSIX layers, we depend on {libname}.dll.a # On Unix platforms, we depend on {shlibname}.so - return map { shlib_simple($_) } @_; + return map { $_ =~ /\.a$/ ? $`.$libext : shlib_simple($_) } @_; } sub generatesrc { 
@@ -1056,11 +1056,16 @@ EOF my $binn = basename($bin); my $objs = join(" ", map { $_.$objext } @{$args{objs}}); my $deps = join(" ",compute_lib_depends(@{$args{deps}})); - my $linklibs = join("", map { my $d = dirname($_); - my $f = basename($_); - $d = "." if $d eq $f; - (my $l = $f) =~ s/^lib//; - " -L$d -l$l" } @{$args{deps}}); + my $linklibs = join("", map { if ($_ =~ /\.a$/) { + " $_"; + } else { + my $d = dirname($_); + my $f = basename($_); + $d = "." if $d eq $f; + (my $l = $f) =~ s/^lib//; + " -L$d -l$l" + } + } @{$args{deps}}); my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; return <<"EOF"; $bin$exeext: $objs $deps Index: openssl-1.1.0e/Configurations/windows-makefile.tmpl =================================================================== --- openssl-1.1.0e.orig/Configurations/windows-makefile.tmpl +++ openssl-1.1.0e/Configurations/windows-makefile.tmpl @@ -342,8 +342,10 @@ configdata.pm: "$(SRCDIR)\Configure" {- # It takes a list of library names and outputs a list of dependencies sub compute_lib_depends { if ($disabled{shared}) { - return map { $_.$libext } @_; + return map { $_ =~ /\.a$/ ? $`.$libext : $_.$libext } @_; } + die "Linking with static OpenSSL libraries is not supported in this configuration\n" + if grep /\.a$/, @_; return map { shlib_import($_) } @_; } Index: openssl-1.1.0e/Configure =================================================================== --- openssl-1.1.0e.orig/Configure +++ openssl-1.1.0e/Configure 
@@ -1838,9 +1838,16 @@ EOF $d = cleanfile($buildd, $_, $blddir); } # Take note if the file to depend on is being renamed + # Take extra care with files ending with .a, they should + # be treated without that extension, and the extension + # should be added back after treatment. + $d =~ /(\.a)?$/; + my $e = $1 // ""; + $d = $`; if ($unified_info{rename}->{$d}) { $d = $unified_info{rename}->{$d}; } + $d .= $e; $unified_info{depends}->{$ddest}->{$d} = 1; # If we depend on a header file or a perl module, let's make # sure it can get included ++++++ openssl-truststore.patch ++++++ Don't use the legacy /etc/ssl/certs directory anymore but rather the p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) Index: openssl-1.1.0e/crypto/include/internal/cryptlib.h =================================================================== --- openssl-1.1.0e.orig/crypto/include/internal/cryptlib.h +++ openssl-1.1.0e/crypto/include/internal/cryptlib.h @@ -41,8 +41,8 @@ DEFINE_LHASH_OF(MEM); # ifndef OPENSSL_SYS_VMS # define X509_CERT_AREA OPENSSLDIR -# define X509_CERT_DIR OPENSSLDIR "/certs" -# define X509_CERT_FILE OPENSSLDIR "/cert.pem" +# define X509_CERT_DIR "/var/lib/ca-certificates/openssl" +# define X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem" # define X509_PRIVATE_DIR OPENSSLDIR "/private" # define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf" # else ++++++ openssl-urandom-reseeding.patch ++++++ Index: openssl-1.1.0c/crypto/rand/rand_unix.c =================================================================== --- openssl-1.1.0c.orig/crypto/rand/rand_unix.c 2016-12-12 17:33:05.654295693 +0100 +++ openssl-1.1.0c/crypto/rand/rand_unix.c 2016-12-12 17:44:44.608814886 +0100 
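Review bot: The new `X509_CERT_DIR` and `X509_CERT_FILE` values in cryptlib.h are absolute paths, while `X509_CERT_AREA`, `X509_PRIVATE_DIR` and `CTLOG_FILE` next to them still derive from `OPENSSLDIR`, and nothing in the header says why. The reason is given only in the patch description, so I would add a comment above the two defines, e.g. `/* Default trust store is the p11-kit generated one, independent of OPENSSLDIR (fate#314991) */`. It is also worth stating there that these defaults no longer follow the configured OPENSSLDIR, so a build with a different prefix, or a system where the generated directory is absent, presumably starts with an empty default trust store.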
@@ -144,7 +144,8 @@ int RAND_poll(void) unsigned long l; pid_t curr_pid = getpid(); # if defined(DEVRANDOM) || (!defined(OPENSS_NO_EGD) && defined(DEVRANDOM_EGD)) - unsigned char tmpbuf[ENTROPY_NEEDED]; + /* STATE_SIZE is 1023 ... but it was suggested to seed with 1024 bytes */ + unsigned char tmpbuf[1024]; int n = 0; # endif # ifdef DEVRANDOM @@ -166,7 +167,7 @@ int RAND_poll(void) * out of random entries. */ - for (i = 0; (i < OSSL_NELEM(randomfiles)) && (n < ENTROPY_NEEDED); i++) { + for (i = 0; (i < OSSL_NELEM(randomfiles)) && (n < sizeof(tmpbuf)); i++) { if ((fd = open(randomfiles[i], O_RDONLY # ifdef O_NONBLOCK | O_NONBLOCK @@ -246,7 +247,7 @@ int RAND_poll(void) if (try_read) { r = read(fd, (unsigned char *)tmpbuf + n, - ENTROPY_NEEDED - n); + sizeof(tmpbuf) - n); if (r > 0) n += r; } else @@ -263,7 +264,7 @@ int RAND_poll(void) } while ((r > 0 || (errno == EINTR || errno == EAGAIN)) && usec != 0 - && n < ENTROPY_NEEDED); + && n < sizeof(tmpbuf)); close(fd); } @@ -276,12 +277,12 @@ int RAND_poll(void) * collecting daemon. */ - for (egdsocket = egdsockets; *egdsocket && n < ENTROPY_NEEDED; + for (egdsocket = egdsockets; *egdsocket && n < sizeof(tmpbuf); egdsocket++) { int r; r = RAND_query_egd_bytes(*egdsocket, (unsigned char *)tmpbuf + n, - ENTROPY_NEEDED - n); + sizeof(tmpbuf) - n); if (r > 0) n += r; } Index: openssl-1.1.0c/crypto/rand/md_rand.c =================================================================== --- openssl-1.1.0c.orig/crypto/rand/md_rand.c 2016-12-12 17:33:05.690296235 +0100 +++ openssl-1.1.0c/crypto/rand/md_rand.c 2016-12-12 18:01:49.036286763 +0100 
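Review bot: After this change `RAND_poll` compares and subtracts `int n` against `sizeof(tmpbuf)`, a `size_t`, in all five hunks of rand_unix.c (`n < sizeof(tmpbuf)` and `sizeof(tmpbuf) - n`), which converts `n` to unsigned and draws sign-compare warnings. A named constant keeps the size in one place and the arithmetic in one type, e.g. `enum { SEED_BUF_LEN = 1024 };` with `unsigned char tmpbuf[SEED_BUF_LEN];` and `n < SEED_BUF_LEN`. The comment on the declaration should say where the 1024-byte figure comes from rather than "it was suggested". The code that hands `tmpbuf` to the pool and clears it is outside these hunks; it should be checked that the entropy estimate and the cleanse length still fit a buffer that is now 1024 bytes instead of `ENTROPY_NEEDED`.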
@@ -318,6 +318,10 @@ static int rand_bytes(unsigned char *buf if (num <= 0) return 1; + /* special rule for /dev/urandom seeding ... seed with as much bytes + * from /dev/urandom as you get out */ + RAND_load_file("/dev/urandom", num); + m = EVP_MD_CTX_new(); if (m == NULL) goto err_mem; Index: openssl-1.1.0c/crypto/fips/fips_drbg_rand.c =================================================================== --- openssl-1.1.0c.orig/crypto/fips/fips_drbg_rand.c 2016-12-12 17:33:05.690296235 +0100 +++ openssl-1.1.0c/crypto/fips/fips_drbg_rand.c 2016-12-12 18:05:52.779971206 +0100 @@ -90,6 +90,11 @@ static int fips_drbg_bytes(unsigned char int rv = 0; unsigned char *adin = NULL; size_t adinlen = 0; + + /* add entropy in 1:1 relation (number pulled bytes / number pushed from /dev/urandom) */ + if (count > dctx->min_entropy) + RAND_load_file("/dev/urandom", count - dctx->min_entropy); + CRYPTO_THREAD_write_lock(fips_rand_lock); do { size_t rcnt; Index: openssl-1.1.0c/crypto/rand/rand_lib.c =================================================================== --- openssl-1.1.0c.orig/crypto/rand/rand_lib.c 2016-12-12 17:33:05.690296235 +0100 +++ openssl-1.1.0c/crypto/rand/rand_lib.c 2016-12-12 18:05:01.499195179 +0100 @@ -188,7 +188,7 @@ static int drbg_rand_add(DRBG_CTX *ctx, { RAND_OpenSSL()->add(in, inlen, entropy); if (FIPS_rand_status()) { - FIPS_drbg_reseed(ctx, NULL, 0); + FIPS_drbg_reseed(ctx, in, inlen); } return 1; } ++++++ showciphers.c ++++++ #include <openssl/err.h> #include <openssl/ssl.h> int main() { SSL_CTX *ctx = NULL; SSL *ssl = NULL; STACK_OF(SSL_CIPHER) *sk = NULL; const SSL_METHOD *meth = TLS_server_method(); int i; const char *p; ctx = SSL_CTX_new(meth); if (ctx == NULL) return 1; ssl = SSL_new(ctx); if (ssl == NULL) return 1; sk = SSL_get_ciphers(ssl); for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); p = SSL_CIPHER_get_name(c); if (p == NULL) break; printf("%s\n", p); } return 0; }
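Review bot: The `RAND_load_file("/dev/urandom", num)` added at the top of `rand_bytes` ignores its return value, so when the device cannot be opened or read (a chroot without /dev, or no free file descriptor) the extra seeding silently does not happen and the 1:1 rule stated in the comment is not enforced. The same unchecked call is added in `fips_drbg_bytes` in the next hunk. I would compare the result with the requested length and make the policy explicit in a comment, e.g. `if (RAND_load_file("/dev/urandom", num) != num) { /* seeding is best effort: continue with the existing pool */ }`, or fail the request if the rule is meant to be mandatory. Both calls also open the device on every request, which is worth a note for callers that draw many small values. Both functions continue outside their hunks.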
