From 360a4bb67c524b4c6992af3132b9219933ba9caa Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Jun 05 2014 13:05:17 +0000 Subject: new upstream release 1.0.1h --- diff --git a/.gitignore b/.gitignore index 097821a..ded4230 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.0.1e-usa.tar.xz /openssl-1.0.1e-hobbled.tar.xz /openssl-1.0.1g-hobbled.tar.xz +/openssl-1.0.1h-hobbled.tar.xz diff --git a/openssl-1.0.1c-ipv6-apps.patch b/openssl-1.0.1c-ipv6-apps.patch deleted file mode 100644 index 41e0b36..0000000 --- a/openssl-1.0.1c-ipv6-apps.patch +++ /dev/null @@ -1,516 +0,0 @@ -diff -up openssl-1.0.1c/apps/s_apps.h.ipv6-apps openssl-1.0.1c/apps/s_apps.h ---- openssl-1.0.1c/apps/s_apps.h.ipv6-apps 2012-07-11 22:46:02.409221206 +0200 -+++ openssl-1.0.1c/apps/s_apps.h 2012-07-11 22:46:02.451222165 +0200 -@@ -148,7 +148,7 @@ typedef fd_mask fd_set; - #define PORT_STR "4433" - #define PROTOCOL "tcp" - --int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); -+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); - #ifdef HEADER_X509_H - int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); - #endif -@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, - int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); - int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); - #endif --int init_client(int *sock, char *server, int port, int type); -+int init_client(int *sock, char *server, char *port, int type); - int should_retry(int i); --int extract_port(char *str, short *port_ptr); --int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); -+int extract_host_port(char *str,char **host_ptr,char **port_ptr); - - long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, - int argi, long argl, long ret); -diff -up openssl-1.0.1c/apps/s_client.c.ipv6-apps openssl-1.0.1c/apps/s_client.c ---- openssl-1.0.1c/apps/s_client.c.ipv6-apps 2012-07-11 22:46:02.433221754 +0200 -+++ openssl-1.0.1c/apps/s_client.c 2012-07-11 22:46:02.452222187 +0200 -@@ -563,7 +563,7 @@ int MAIN(int argc, char **argv) - int cbuf_len,cbuf_off; - int sbuf_len,sbuf_off; - fd_set readfds,writefds; -- short port=PORT; -+ char *port_str = PORT_STR; - int full_log=1; - char *host=SSL_HOST_NAME; - char *cert_file=NULL,*key_file=NULL; -@@ -664,13 +664,12 @@ int MAIN(int argc, char **argv) - else if (strcmp(*argv,"-port") == 0) - { - if (--argc < 1) goto bad; -- port=atoi(*(++argv)); -- if (port == 0) goto bad; -+ port_str= *(++argv); - } - else if (strcmp(*argv,"-connect") == 0) - { - if (--argc < 1) goto bad; -- if (!extract_host_port(*(++argv),&host,NULL,&port)) -+ if (!extract_host_port(*(++argv),&host,&port_str)) - goto bad; - } - else if (strcmp(*argv,"-verify") == 0) -@@ -1253,7 +1252,7 @@ bad: - - re_start: - -- if (init_client(&s,host,port,socket_type) == 0) -+ if (init_client(&s,host,port_str,socket_type) == 0) - { - BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); - SHUTDOWN(s); -diff -up openssl-1.0.1c/apps/s_server.c.ipv6-apps openssl-1.0.1c/apps/s_server.c ---- openssl-1.0.1c/apps/s_server.c.ipv6-apps 2012-07-11 22:46:02.434221777 +0200 -+++ openssl-1.0.1c/apps/s_server.c 2012-07-11 22:46:02.453222210 +0200 -@@ -929,7 +929,7 @@ int MAIN(int argc, char *argv[]) - { - X509_VERIFY_PARAM *vpm = NULL; - int badarg = 0; -- short port=PORT; -+ char *port_str = PORT_STR; - char *CApath=NULL,*CAfile=NULL; - unsigned char *context = NULL; - char *dhfile = NULL; -@@ -1000,8 +1000,7 @@ int MAIN(int argc, char *argv[]) - (strcmp(*argv,"-accept") == 0)) - { - if (--argc < 1) goto bad; -- if (!extract_port(*(++argv),&port)) -- goto bad; -+ port_str= *(++argv); - } - else if (strcmp(*argv,"-verify") == 0) - { -@@ -1878,9 +1877,9 @@ bad: - BIO_printf(bio_s_out,"ACCEPT\n"); - (void)BIO_flush(bio_s_out); - if (www) -- do_server(port,socket_type,&accept_socket,www_body, context); -+ do_server(port_str,socket_type,&accept_socket,www_body, context); - else -- do_server(port,socket_type,&accept_socket,sv_body, context); -+ do_server(port_str,socket_type,&accept_socket,sv_body, context); - print_stats(bio_s_out,ctx); - ret=0; - end: -diff -up openssl-1.0.1c/apps/s_socket.c.ipv6-apps openssl-1.0.1c/apps/s_socket.c ---- openssl-1.0.1c/apps/s_socket.c.ipv6-apps 2011-12-02 15:39:40.000000000 +0100 -+++ openssl-1.0.1c/apps/s_socket.c 2012-07-11 22:49:05.411400450 +0200 -@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha - static void ssl_sock_cleanup(void); - #endif - static int ssl_sock_init(void); --static int init_client_ip(int *sock,unsigned char ip[4], int port, int type); --static int init_server(int *sock, int port, int type); --static int init_server_long(int *sock, int port,char *ip, int type); -+static int init_server(int *sock, char *port, int type); - static int do_accept(int acc_sock, int *sock, char **host); - static int host_ip(char *str, unsigned char ip[4]); - -@@ -234,57 +232,70 @@ static int ssl_sock_init(void) - return(1); - } - --int init_client(int *sock, char *host, int port, int type) -+int init_client(int *sock, char *host, char *port, int type) - { -- unsigned char ip[4]; -- -- memset(ip, '\0', sizeof ip); -- if (!host_ip(host,&(ip[0]))) -- return 0; -- return init_client_ip(sock,ip,port,type); -- } -- --static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) -- { -- unsigned long addr; -- struct sockaddr_in them; -- int s,i; -+ struct addrinfo *res, *res0, hints; -+ char * failed_call = NULL; -+ int s; -+ int e; - - if (!ssl_sock_init()) return(0); - -- memset((char *)&them,0,sizeof(them)); -- them.sin_family=AF_INET; -- them.sin_port=htons((unsigned short)port); -- addr=(unsigned long) -- ((unsigned long)ip[0]<<24L)| -- ((unsigned long)ip[1]<<16L)| -- ((unsigned long)ip[2]<< 8L)| -- ((unsigned long)ip[3]); -- them.sin_addr.s_addr=htonl(addr); -- -- if (type == SOCK_STREAM) -- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); -- else /* ( type == SOCK_DGRAM) */ -- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); -- -- if (s == INVALID_SOCKET) { perror("socket"); return(0); } -+ memset(&hints, '\0', sizeof(hints)); -+ hints.ai_socktype = type; -+ hints.ai_flags = AI_ADDRCONFIG; -+ -+ e = getaddrinfo(host, port, &hints, &res); -+ if (e) -+ { -+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); -+ if (e == EAI_SYSTEM) -+ perror("getaddrinfo"); -+ return (0); -+ } - -+ res0 = res; -+ while (res) -+ { -+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); -+ if (s == INVALID_SOCKET) -+ { -+ failed_call = "socket"; -+ goto nextres; -+ } - #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE) - if (type == SOCK_STREAM) - { -- i=0; -- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); -- if (i < 0) { perror("keepalive"); return(0); } -+ int i=0; -+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE, -+ (char *)&i,sizeof(i)); -+ if (i < 0) { -+ failed_call = "keepalive"; -+ goto nextres; -+ } - } - #endif -- -- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) -- { closesocket(s); perror("connect"); return(0); } -+ if (connect(s,(struct sockaddr *)res->ai_addr, -+ res->ai_addrlen) == 0) -+ { -+ freeaddrinfo(res0); - *sock=s; - return(1); - } - --int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) -+ failed_call = "socket"; -+nextres: -+ if (s != INVALID_SOCKET) -+ close(s); -+ res = res->ai_next; -+ } -+ freeaddrinfo(res0); -+ -+ perror(failed_call); -+ return(0); -+ } -+ -+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) - { - int sock; - char *name = NULL; -@@ -322,33 +333,50 @@ int do_server(int port, int type, int *r - } - } - --static int init_server_long(int *sock, int port, char *ip, int type) -+static int init_server(int *sock, char *port, int type) - { -- int ret=0; -- struct sockaddr_in server; -- int s= -1; -+ struct addrinfo *res, *res0 = NULL, hints; -+ char * failed_call = NULL; -+ int s = INVALID_SOCKET; -+ int e; - - if (!ssl_sock_init()) return(0); - -- memset((char *)&server,0,sizeof(server)); -- server.sin_family=AF_INET; -- server.sin_port=htons((unsigned short)port); -- if (ip == NULL) -- server.sin_addr.s_addr=INADDR_ANY; -- else --/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */ --#ifndef BIT_FIELD_LIMITS -- memcpy(&server.sin_addr.s_addr,ip,4); --#else -- memcpy(&server.sin_addr,ip,4); --#endif -+ memset(&hints, '\0', sizeof(hints)); -+ hints.ai_family = AF_INET6; -+tryipv4: -+ hints.ai_socktype = type; -+ hints.ai_flags = AI_PASSIVE; - -- if (type == SOCK_STREAM) -- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); -- else /* type == SOCK_DGRAM */ -- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP); -+ e = getaddrinfo(NULL, port, &hints, &res); -+ if (e) -+ { -+ if (hints.ai_family == AF_INET) -+ { -+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); -+ if (e == EAI_SYSTEM) -+ perror("getaddrinfo"); -+ return (0); -+ } -+ else -+ res = NULL; -+ } - -- if (s == INVALID_SOCKET) goto err; -+ res0 = res; -+ while (res) -+ { -+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); -+ if (s == INVALID_SOCKET) -+ { -+ failed_call = "socket"; -+ goto nextres; -+ } -+ if (hints.ai_family == AF_INET6) -+ { -+ int j = 0; -+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, -+ (void *) &j, sizeof j); -+ } - #if defined SOL_SOCKET && defined SO_REUSEADDR - { - int j = 1; -@@ -356,35 +384,49 @@ static int init_server_long(int *sock, i - (void *) &j, sizeof j); - } - #endif -- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1) -+ -+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) - { --#ifndef OPENSSL_SYS_WINDOWS -- perror("bind"); --#endif -- goto err; -+ failed_call = "bind"; -+ goto nextres; - } -- /* Make it 128 for linux */ -- if (type==SOCK_STREAM && listen(s,128) == -1) goto err; -- *sock=s; -- ret=1; --err: -- if ((ret == 0) && (s != -1)) -+ if (type==SOCK_STREAM && listen(s,128) == -1) - { -- SHUTDOWN(s); -+ failed_call = "listen"; -+ goto nextres; - } -- return(ret); -+ -+ *sock=s; -+ return(1); -+ -+nextres: -+ if (s != INVALID_SOCKET) -+ close(s); -+ res = res->ai_next; - } -+ if (res0) -+ freeaddrinfo(res0); - --static int init_server(int *sock, int port, int type) -+ if (s == INVALID_SOCKET) - { -- return(init_server_long(sock, port, NULL, type)); -+ if (hints.ai_family == AF_INET6) -+ { -+ hints.ai_family = AF_INET; -+ goto tryipv4; -+ } -+ perror("socket"); -+ return(0); -+ } -+ -+ perror(failed_call); -+ return(0); - } - - static int do_accept(int acc_sock, int *sock, char **host) - { -+ static struct sockaddr_storage from; -+ char buffer[NI_MAXHOST]; - int ret; -- struct hostent *h1,*h2; -- static struct sockaddr_in from; - int len; - /* struct linger ling; */ - -@@ -431,135 +473,58 @@ redoit: - */ - - if (host == NULL) goto end; --#ifndef BIT_FIELD_LIMITS -- /* I should use WSAAsyncGetHostByName() under windows */ -- h1=gethostbyaddr((char *)&from.sin_addr.s_addr, -- sizeof(from.sin_addr.s_addr),AF_INET); --#else -- h1=gethostbyaddr((char *)&from.sin_addr, -- sizeof(struct in_addr),AF_INET); --#endif -- if (h1 == NULL) -+ -+ if (getnameinfo((struct sockaddr *)&from, sizeof(from), -+ buffer, sizeof(buffer), -+ NULL, 0, 0)) - { -- BIO_printf(bio_err,"bad gethostbyaddr\n"); -+ BIO_printf(bio_err,"getnameinfo failed\n"); - *host=NULL; - /* return(0); */ - } - else - { -- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) -+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) - { - perror("OPENSSL_malloc"); - return(0); - } -- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); -- -- h2=GetHostByName(*host); -- if (h2 == NULL) -- { -- BIO_printf(bio_err,"gethostbyname failure\n"); -- return(0); -- } -- if (h2->h_addrtype != AF_INET) -- { -- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); -- return(0); -- } -+ strcpy(*host, buffer); - } - end: - *sock=ret; - return(1); - } - --int extract_host_port(char *str, char **host_ptr, unsigned char *ip, -- short *port_ptr) -+int extract_host_port(char *str, char **host_ptr, -+ char **port_ptr) - { -- char *h,*p; -+ char *h,*p,*x; - -- h=str; -- p=strchr(str,':'); -+ x=h=str; -+ if (*h == '[') -+ { -+ h++; -+ p=strchr(h,']'); - if (p == NULL) - { -- BIO_printf(bio_err,"no port defined\n"); -+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n"); - return(0); - } - *(p++)='\0'; -- -- if ((ip != NULL) && !host_ip(str,ip)) -- goto err; -- if (host_ptr != NULL) *host_ptr=h; -- -- if (!extract_port(p,port_ptr)) -- goto err; -- return(1); --err: -- return(0); -+ x = p; - } -- --static int host_ip(char *str, unsigned char ip[4]) -- { -- unsigned int in[4]; -- int i; -- -- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4) -- { -- for (i=0; i<4; i++) -- if (in[i] > 255) -- { -- BIO_printf(bio_err,"invalid IP address\n"); -- goto err; -- } -- ip[0]=in[0]; -- ip[1]=in[1]; -- ip[2]=in[2]; -- ip[3]=in[3]; -- } -- else -- { /* do a gethostbyname */ -- struct hostent *he; -- -- if (!ssl_sock_init()) return(0); -- -- he=GetHostByName(str); -- if (he == NULL) -- { -- BIO_printf(bio_err,"gethostbyname failure\n"); -- goto err; -- } -- /* cast to short because of win16 winsock definition */ -- if ((short)he->h_addrtype != AF_INET) -+ p=strchr(x,':'); -+ if (p == NULL) - { -- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); -- return(0); -- } -- ip[0]=he->h_addr_list[0][0]; -- ip[1]=he->h_addr_list[0][1]; -- ip[2]=he->h_addr_list[0][2]; -- ip[3]=he->h_addr_list[0][3]; -- } -- return(1); --err: -+ BIO_printf(bio_err,"no port defined\n"); - return(0); - } -+ *(p++)='\0'; - --int extract_port(char *str, short *port_ptr) -- { -- int i; -- struct servent *s; -+ if (host_ptr != NULL) *host_ptr=h; -+ if (port_ptr != NULL) *port_ptr=p; - -- i=atoi(str); -- if (i != 0) -- *port_ptr=(unsigned short)i; -- else -- { -- s=getservbyname(str,"tcp"); -- if (s == NULL) -- { -- BIO_printf(bio_err,"getservbyname failure for %s\n",str); -- return(0); -- } -- *port_ptr=ntohs((unsigned short)s->s_port); -- } - return(1); - } - diff --git a/openssl-1.0.1e-manfix.patch b/openssl-1.0.1e-manfix.patch deleted file mode 100644 index 4ba2abb..0000000 --- a/openssl-1.0.1e-manfix.patch +++ /dev/null @@ -1,555 +0,0 @@ -diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod ---- openssl-1.0.1e/doc/apps/cms.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/cms.pod 2013-09-12 11:17:42.147092310 +0200 -@@ -450,28 +450,28 @@ remains DER. - - =over 4 - --=item 0 -+=item C<0> - - the operation was completely successfully. - --=item 1 -+=item C<1> - - an error occurred parsing the command options. - --=item 2 -+=item C<2> - - one of the input files could not be read. - --=item 3 -+=item C<3> - - an error occurred creating the CMS file or when reading the MIME - message. - --=item 4 -+=item C<4> - - an error occurred decrypting or verifying the message. - --=item 5 -+=item C<5> - - the message was verified correctly but an error occurred writing out - the signers certificates. -diff -up openssl-1.0.1e/doc/apps/ec.pod.manfix openssl-1.0.1e/doc/apps/ec.pod ---- openssl-1.0.1e/doc/apps/ec.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/ec.pod 2013-09-12 11:17:42.147092310 +0200 -@@ -93,10 +93,6 @@ prints out the public, private key compo - - this option prevents output of the encoded version of the key. - --=item B<-modulus> -- --this option prints out the value of the public key component of the key. -- - =item B<-pubin> - - by default a private key is read from the input file: with this option a -diff -up openssl-1.0.1e/doc/apps/openssl.pod.manfix openssl-1.0.1e/doc/apps/openssl.pod ---- openssl-1.0.1e/doc/apps/openssl.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/openssl.pod 2013-09-12 11:17:42.148092331 +0200 -@@ -163,7 +163,7 @@ Create or examine a netscape certificate - - Online Certificate Status Protocol utility. - --=item L|passwd(1)> -+=item L|sslpasswd(1)> - - Generation of hashed passwords. - -@@ -187,7 +187,7 @@ Public key algorithm parameter managemen - - Public key algorithm cryptographic operation utility. - --=item L|rand(1)> -+=item L|sslrand(1)> - - Generate pseudo-random bytes. - -@@ -401,9 +401,9 @@ L, L, L, L, - L, L, L, - L, L, L, --L, -+L, - L, L, L, --L, L, L, -+L, L, L, - L, L, - L, L, - L, L, -diff -up openssl-1.0.1e/doc/apps/s_client.pod.manfix openssl-1.0.1e/doc/apps/s_client.pod ---- openssl-1.0.1e/doc/apps/s_client.pod.manfix 2013-09-12 11:17:41.517078502 +0200 -+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-09-12 11:17:42.149092353 +0200 -@@ -32,9 +32,14 @@ B B - [B<-ssl2>] - [B<-ssl3>] - [B<-tls1>] -+[B<-tls1_1>] -+[B<-tls1_2>] -+[B<-dtls1>] - [B<-no_ssl2>] - [B<-no_ssl3>] - [B<-no_tls1>] -+[B<-no_tls1_1>] -+[B<-no_tls1_2>] - [B<-bugs>] - [B<-cipher cipherlist>] - [B<-starttls protocol>] -@@ -44,6 +49,7 @@ B B - [B<-sess_out filename>] - [B<-sess_in filename>] - [B<-rand file(s)>] -+[B<-nextprotoneg protocols>] - - =head1 DESCRIPTION - -@@ -182,7 +188,7 @@ Use the PSK key B when using a PSK - given as a hexadecimal number without leading 0x, for example -psk - 1a2b3c4d. - --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all -@@ -243,6 +249,17 @@ Multiple files can be specified separate - The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for - all others. - -+=item B<-nextprotoneg protocols> -+ -+enable Next Protocol Negotiation TLS extension and provide a list of -+comma-separated protocol names that the client should advertise -+support for. The list should contain most wanted protocols first. -+Protocol names are printable ASCII strings, for example "http/1.1" or -+"spdy/3". -+Empty list of protocols is treated specially and will cause the client to -+advertise support for the TLS extension but disconnect just after -+reciving ServerHello with a list of server supported protocols. -+ - =back - - =head1 CONNECTED COMMANDS -diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.pod ---- openssl-1.0.1e/doc/apps/smime.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/smime.pod 2013-09-12 11:17:42.150092375 +0200 -@@ -308,28 +308,28 @@ remains DER. - - =over 4 - --=item 0 -+=item C<0> - - the operation was completely successfully. - --=item 1 -+=item C<1> - - an error occurred parsing the command options. - --=item 2 -+=item C<2> - - one of the input files could not be read. - --=item 3 -+=item C<3> - - an error occurred creating the PKCS#7 file or when reading the MIME - message. - --=item 4 -+=item C<4> - - an error occurred decrypting or verifying the message. - --=item 5 -+=item C<5> - - the message was verified correctly but an error occurred writing out - the signers certificates. -diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_server.pod ---- openssl-1.0.1e/doc/apps/s_server.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-09-12 11:17:42.150092375 +0200 -@@ -40,10 +40,16 @@ B B - [B<-ssl2>] - [B<-ssl3>] - [B<-tls1>] -+[B<-tls1_1>] -+[B<-tls1_2>] -+[B<-dtls1>] - [B<-no_ssl2>] - [B<-no_ssl3>] - [B<-no_tls1>] -+[B<-no_tls1_1>] -+[B<-no_tls1_2>] - [B<-no_dhe>] -+[B<-no_ecdhe>] - [B<-bugs>] - [B<-hack>] - [B<-www>] -@@ -54,6 +60,7 @@ B B - [B<-no_ticket>] - [B<-id_prefix arg>] - [B<-rand file(s)>] -+[B<-nextprotoneg protocols>] - - =head1 DESCRIPTION - -@@ -131,6 +138,10 @@ a static set of parameters hard coded in - if this option is set then no DH parameters will be loaded effectively - disabling the ephemeral DH cipher suites. - -+=item B<-no_ecdhe> -+ -+if this option is set then ephemeral ECDH cipher suites will be disabled. -+ - =item B<-no_tmp_rsa> - - certain export cipher suites sometimes use a temporary RSA key, this option -@@ -201,7 +212,7 @@ Use the PSK key B when using a PSK - given as a hexadecimal number without leading 0x, for example -psk - 1a2b3c4d. - --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all -@@ -276,6 +287,14 @@ Multiple files can be specified separate - The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for - all others. - -+=item B<-nextprotoneg protocols> -+ -+enable Next Protocol Negotiation TLS extension and provide a -+comma-separated list of supported protocol names. -+The list should contain most wanted protocols first. -+Protocol names are printable ASCII strings, for example "http/1.1" or -+"spdy/3". -+ - =back - - =head1 CONNECTED COMMANDS -diff -up openssl-1.0.1e/doc/apps/verify.pod.manfix openssl-1.0.1e/doc/apps/verify.pod ---- openssl-1.0.1e/doc/apps/verify.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/apps/verify.pod 2013-09-12 11:25:13.994994992 +0200 -@@ -25,6 +25,7 @@ B B - [B<-untrusted file>] - [B<-help>] - [B<-issuer_checks>] -+[B<-attime timestamp>] - [B<-verbose>] - [B<->] - [certificates] -@@ -80,6 +81,12 @@ rejected. The presence of rejection mess - anything is wrong; during the normal verification process, several - rejections may take place. - -+=item B<-attime timestamp> -+ -+Perform validation checks using the time specified by B and not -+the current system time. B is the number of seconds since -+01.01.1970 (UNIX time). -+ - =item B<-policy arg> - - Enable policy processing and add B to the user-initial-policy-set (see -diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL_accept.pod ---- openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix 2013-09-12 11:17:42.129091915 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-09-12 11:17:42.156092507 +0200 -@@ -44,13 +44,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. -diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_clear.pod ---- openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-09-12 11:17:42.158092551 +0200 -@@ -56,12 +56,12 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - The SSL_clear() operation could not be performed. Check the error stack to - find out the reason. - --=item 1 -+=item C<1> - - The SSL_clear() operation was successful. - -diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod ---- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix 2013-09-12 11:17:42.049090162 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-09-12 11:17:42.159092573 +0200 -@@ -60,11 +60,11 @@ SSL_COMP_add_compression_method() may re - - =over 4 - --=item 0 -+=item C<0> - - The operation succeeded. - --=item 1 -+=item C<1> - - The operation failed. Check the error queue to find out the reason. - -diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SSL_connect.pod ---- openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix 2013-09-12 11:17:42.130091937 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-09-12 11:17:42.161092616 +0200 -@@ -41,13 +41,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-09-12 11:17:42.162092638 +0200 -@@ -52,13 +52,13 @@ The following values are returned by all - - =over 4 - --=item 0 -+=item C<0> - - The operation failed. In case of the add operation, it was tried to add - the same (identical) session twice. In case of the remove operation, the - session was not found in the cache. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-09-12 11:17:42.163092660 +0200 -@@ -100,13 +100,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - The operation failed because B and B are NULL or the - processing at one of the locations specified failed. Check the error - stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix 2013-09-12 11:17:42.132091981 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-09-12 11:17:42.164092682 +0200 -@@ -66,13 +66,13 @@ values: - - =over 4 - --=item 0 -+=item C<0> - - A failure while manipulating the STACK_OF(X509_NAME) object occurred or - the X509_NAME could not be extracted from B. Check the error stack - to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-09-12 11:17:42.166092726 +0200 -@@ -64,13 +64,13 @@ return the following values: - - =over 4 - --=item 0 -+=item C<0> - - The length B of the session id context B exceeded - the maximum allowed length of B. The error - is logged to the error stack. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-09-12 11:17:42.167092748 +0200 -@@ -42,11 +42,11 @@ and SSL_set_ssl_method(): - - =over 4 - --=item 0 -+=item C<0> - - The new choice failed, check the error stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix 2013-09-12 11:17:42.133092003 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-09-12 11:17:42.168092770 +0200 -@@ -96,7 +96,7 @@ data to B and return the length of - connection will fail with decryption_error before it will be finished - completely. - --=item 0 -+=item C<0> - - PSK identity was not found. An "unknown_psk_identity" alert message - will be sent and the connection setup fails. -diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod ---- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix 2013-09-12 11:17:42.135092047 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-09-12 11:17:42.170092814 +0200 -@@ -45,13 +45,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. -diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_read.pod ---- openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-09-12 11:17:42.171092836 +0200 -@@ -86,7 +86,7 @@ The following return values can occur: - The read operation was successful; the return value is the number of - bytes actually read from the TLS/SSL connection. - --=item 0 -+=item C<0> - - The read operation was not successful. The reason may either be a clean - shutdown due to a "close notify" alert sent by the peer (in which case -diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc/ssl/SSL_session_reused.pod ---- openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-09-12 11:17:42.172092857 +0200 -@@ -27,11 +27,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - A new session was negotiated. - --=item 1 -+=item C<1> - - A session was reused. - -diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_fd.pod ---- openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-09-12 11:17:42.174092901 +0200 -@@ -35,11 +35,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - The operation failed. Check the error stack to find out why. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_session.pod ---- openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-09-12 11:17:42.175092923 +0200 -@@ -37,11 +37,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - The operation failed; check the error stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/SSL_shutdown.pod ---- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix 2013-09-12 11:17:42.137092090 +0200 -+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-09-12 11:17:42.177092967 +0200 -@@ -92,14 +92,14 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item C<0> - - The shutdown is not yet finished. Call SSL_shutdown() for a second time, - if a bidirectional shutdown shall be performed. - The output of L may be misleading, as an - erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. - --=item 1 -+=item C<1> - - The shutdown was successfully completed. The "close notify" alert was sent - and the peer's "close notify" alert was received. -diff -up openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix openssl-1.0.1e/doc/ssl/SSL_write.pod ---- openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-09-12 11:17:42.177092967 +0200 -@@ -79,7 +79,7 @@ The following return values can occur: - The write operation was successful, the return value is the number of - bytes actually written to the TLS/SSL connection. - --=item 0 -+=item C<0> - - The write operation was not successful. Probably the underlying connection - was closed. Call SSL_get_error() with the return value B to find out, diff --git a/openssl-1.0.1g-ssl-op-all.patch b/openssl-1.0.1g-ssl-op-all.patch deleted file mode 100644 index f6473d6..0000000 --- a/openssl-1.0.1g-ssl-op-all.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up openssl-1.0.1g/ssl/ssl.h.op-all openssl-1.0.1g/ssl/ssl.h ---- openssl-1.0.1g/ssl/ssl.h.op-all 2014-05-06 16:03:37.400554125 +0200 -+++ openssl-1.0.1g/ssl/ssl.h 2014-05-06 16:06:21.688352245 +0200 -@@ -549,7 +549,7 @@ struct ssl_session_st - #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L - /* Allow initial connection to servers that don't support RI */ - #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L --#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L -+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* no effect since 1.0.0c due to CVE-2010-4180 */ - #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L - #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L - #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L -@@ -569,7 +569,7 @@ struct ssl_session_st - - /* SSL_OP_ALL: various bug workarounds that should be rather harmless. - * This used to be 0x000FFFFFL before 0.9.7. */ --#define SSL_OP_ALL 0x80000BFFL -+#define SSL_OP_ALL 0x80000BF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */ - - /* DTLS options */ - #define SSL_OP_NO_QUERY_MTU 0x00001000L diff --git a/openssl-1.0.1h-ipv6-apps.patch b/openssl-1.0.1h-ipv6-apps.patch new file mode 100644 index 0000000..db6b543 --- /dev/null +++ b/openssl-1.0.1h-ipv6-apps.patch @@ -0,0 +1,529 @@ +diff -up openssl-1.0.1h/apps/s_apps.h.ipv6-apps openssl-1.0.1h/apps/s_apps.h +--- openssl-1.0.1h/apps/s_apps.h.ipv6-apps 2014-06-05 14:33:38.515668750 +0200 ++++ openssl-1.0.1h/apps/s_apps.h 2014-06-05 14:33:38.540669335 +0200 +@@ -148,7 +148,7 @@ typedef fd_mask fd_set; + #define PORT_STR "4433" + #define PROTOCOL "tcp" + +-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); ++int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); + #ifdef HEADER_X509_H + int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); + #endif +@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, + int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); + int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); + #endif +-int init_client(int *sock, char *server, int port, int type); ++int init_client(int *sock, char *server, char *port, int type); + int should_retry(int i); +-int extract_port(char *str, short *port_ptr); +-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); ++int extract_host_port(char *str,char **host_ptr,char **port_ptr); + + long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, + int argi, long argl, long ret); +diff -up openssl-1.0.1h/apps/s_client.c.ipv6-apps openssl-1.0.1h/apps/s_client.c +--- openssl-1.0.1h/apps/s_client.c.ipv6-apps 2014-06-05 14:33:38.533669171 +0200 ++++ openssl-1.0.1h/apps/s_client.c 2014-06-05 14:33:38.540669335 +0200 +@@ -567,7 +567,7 @@ int MAIN(int argc, char **argv) + int cbuf_len,cbuf_off; + int sbuf_len,sbuf_off; + fd_set readfds,writefds; +- short port=PORT; ++ char *port_str = PORT_STR; + int full_log=1; + char *host=SSL_HOST_NAME; + char *cert_file=NULL,*key_file=NULL; +@@ -668,13 +668,12 @@ int MAIN(int argc, char **argv) + else if (strcmp(*argv,"-port") == 0) + { + if (--argc < 1) goto bad; +- port=atoi(*(++argv)); +- if (port == 0) goto bad; ++ port_str= *(++argv); + } + else if (strcmp(*argv,"-connect") == 0) + { + if (--argc < 1) goto bad; +- if (!extract_host_port(*(++argv),&host,NULL,&port)) ++ if (!extract_host_port(*(++argv),&host,&port_str)) + goto bad; + } + else if (strcmp(*argv,"-verify") == 0) +@@ -1267,7 +1266,7 @@ bad: + + re_start: + +- if (init_client(&s,host,port,socket_type) == 0) ++ if (init_client(&s,host,port_str,socket_type) == 0) + { + BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); + SHUTDOWN(s); +diff -up openssl-1.0.1h/apps/s_server.c.ipv6-apps openssl-1.0.1h/apps/s_server.c +--- openssl-1.0.1h/apps/s_server.c.ipv6-apps 2014-06-05 14:33:38.533669171 +0200 ++++ openssl-1.0.1h/apps/s_server.c 2014-06-05 14:33:38.541669358 +0200 +@@ -933,7 +933,7 @@ int MAIN(int argc, char *argv[]) + { + X509_VERIFY_PARAM *vpm = NULL; + int badarg = 0; +- short port=PORT; ++ char *port_str = PORT_STR; + char *CApath=NULL,*CAfile=NULL; + unsigned char *context = NULL; + char *dhfile = NULL; +@@ -1004,8 +1004,7 @@ int MAIN(int argc, char *argv[]) + (strcmp(*argv,"-accept") == 0)) + { + if (--argc < 1) goto bad; +- if (!extract_port(*(++argv),&port)) +- goto bad; ++ port_str= *(++argv); + } + else if (strcmp(*argv,"-verify") == 0) + { +@@ -1892,9 +1891,9 @@ bad: + BIO_printf(bio_s_out,"ACCEPT\n"); + (void)BIO_flush(bio_s_out); + if (www) +- do_server(port,socket_type,&accept_socket,www_body, context); ++ do_server(port_str,socket_type,&accept_socket,www_body, context); + else +- do_server(port,socket_type,&accept_socket,sv_body, context); ++ do_server(port_str,socket_type,&accept_socket,sv_body, context); + print_stats(bio_s_out,ctx); + ret=0; + end: +diff -up openssl-1.0.1h/apps/s_socket.c.ipv6-apps openssl-1.0.1h/apps/s_socket.c +--- openssl-1.0.1h/apps/s_socket.c.ipv6-apps 2014-06-05 11:44:33.000000000 +0200 ++++ openssl-1.0.1h/apps/s_socket.c 2014-06-05 14:39:53.226442195 +0200 +@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha + static void ssl_sock_cleanup(void); + #endif + static int ssl_sock_init(void); +-static int init_client_ip(int *sock,unsigned char ip[4], int port, int type); +-static int init_server(int *sock, int port, int type); +-static int init_server_long(int *sock, int port,char *ip, int type); ++static int init_server(int *sock, char *port, int type); + static int do_accept(int acc_sock, int *sock, char **host); + static int host_ip(char *str, unsigned char ip[4]); + +@@ -234,57 +232,71 @@ static int ssl_sock_init(void) + return(1); + } + +-int init_client(int *sock, char *host, int port, int type) ++int init_client(int *sock, char *host, char *port, int type) + { +- unsigned char ip[4]; +- +- memset(ip, '\0', sizeof ip); +- if (!host_ip(host,&(ip[0]))) +- return 0; +- return init_client_ip(sock,ip,port,type); +- } +- +-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) +- { +- unsigned long addr; +- struct sockaddr_in them; +- int s,i; ++ struct addrinfo *res, *res0, hints; ++ char * failed_call = NULL; ++ int s; ++ int e; + + if (!ssl_sock_init()) return(0); + +- memset((char *)&them,0,sizeof(them)); +- them.sin_family=AF_INET; +- them.sin_port=htons((unsigned short)port); +- addr=(unsigned long) +- ((unsigned long)ip[0]<<24L)| +- ((unsigned long)ip[1]<<16L)| +- ((unsigned long)ip[2]<< 8L)| +- ((unsigned long)ip[3]); +- them.sin_addr.s_addr=htonl(addr); +- +- if (type == SOCK_STREAM) +- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); +- else /* ( type == SOCK_DGRAM) */ +- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); +- +- if (s == INVALID_SOCKET) { perror("socket"); return(0); } ++ memset(&hints, '\0', sizeof(hints)); ++ hints.ai_socktype = type; ++ hints.ai_flags = AI_ADDRCONFIG; ++ ++ e = getaddrinfo(host, port, &hints, &res); ++ if (e) ++ { ++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); ++ if (e == EAI_SYSTEM) ++ perror("getaddrinfo"); ++ return (0); ++ } + ++ res0 = res; ++ while (res) ++ { ++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); ++ if (s == INVALID_SOCKET) ++ { ++ failed_call = "socket"; ++ goto nextres; ++ } + #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE) + if (type == SOCK_STREAM) + { +- i=0; +- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); +- if (i < 0) { closesocket(s); perror("keepalive"); return(0); } ++ int i=0; ++ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE, ++ (char *)&i,sizeof(i)); ++ if (i < 0) { ++ failed_call = "keepalive"; ++ goto nextres; ++ } + } + #endif +- +- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) +- { closesocket(s); perror("connect"); return(0); } ++ if (connect(s,(struct sockaddr *)res->ai_addr, ++ res->ai_addrlen) == 0) ++ { ++ freeaddrinfo(res0); + *sock=s; + return(1); + } + +-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) ++ failed_call = "socket"; ++nextres: ++ if (s != INVALID_SOCKET) ++ close(s); ++ res = res->ai_next; ++ } ++ freeaddrinfo(res0); ++ closesocket(s); ++ ++ perror(failed_call); ++ return(0); ++ } ++ ++int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) + { + int sock; + char *name = NULL; +@@ -322,33 +334,50 @@ int do_server(int port, int type, int *r + } + } + +-static int init_server_long(int *sock, int port, char *ip, int type) ++static int init_server(int *sock, char *port, int type) + { +- int ret=0; +- struct sockaddr_in server; +- int s= -1; ++ struct addrinfo *res, *res0 = NULL, hints; ++ char * failed_call = NULL; ++ int s = INVALID_SOCKET; ++ int e; + + if (!ssl_sock_init()) return(0); + +- memset((char *)&server,0,sizeof(server)); +- server.sin_family=AF_INET; +- server.sin_port=htons((unsigned short)port); +- if (ip == NULL) +- server.sin_addr.s_addr=INADDR_ANY; +- else +-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */ +-#ifndef BIT_FIELD_LIMITS +- memcpy(&server.sin_addr.s_addr,ip,4); +-#else +- memcpy(&server.sin_addr,ip,4); +-#endif ++ memset(&hints, '\0', sizeof(hints)); ++ hints.ai_family = AF_INET6; ++tryipv4: ++ hints.ai_socktype = type; ++ hints.ai_flags = AI_PASSIVE; + +- if (type == SOCK_STREAM) +- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); +- else /* type == SOCK_DGRAM */ +- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP); ++ e = getaddrinfo(NULL, port, &hints, &res); ++ if (e) ++ { ++ if (hints.ai_family == AF_INET) ++ { ++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); ++ if (e == EAI_SYSTEM) ++ perror("getaddrinfo"); ++ return (0); ++ } ++ else ++ res = NULL; ++ } + +- if (s == INVALID_SOCKET) goto err; ++ res0 = res; ++ while (res) ++ { ++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); ++ if (s == INVALID_SOCKET) ++ { ++ failed_call = "socket"; ++ goto nextres; ++ } ++ if (hints.ai_family == AF_INET6) ++ { ++ int j = 0; ++ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, ++ (void *) &j, sizeof j); ++ } + #if defined SOL_SOCKET && defined SO_REUSEADDR + { + int j = 1; +@@ -356,35 +385,49 @@ static int init_server_long(int *sock, i + (void *) &j, sizeof j); + } + #endif +- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1) ++ ++ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) + { +-#ifndef OPENSSL_SYS_WINDOWS +- perror("bind"); +-#endif +- goto err; ++ failed_call = "bind"; ++ goto nextres; + } +- /* Make it 128 for linux */ +- if (type==SOCK_STREAM && listen(s,128) == -1) goto err; +- *sock=s; +- ret=1; +-err: +- if ((ret == 0) && (s != -1)) ++ if (type==SOCK_STREAM && listen(s,128) == -1) + { +- SHUTDOWN(s); ++ failed_call = "listen"; ++ goto nextres; + } +- return(ret); ++ ++ *sock=s; ++ return(1); ++ ++nextres: ++ if (s != INVALID_SOCKET) ++ close(s); ++ res = res->ai_next; + } ++ if (res0) ++ freeaddrinfo(res0); + +-static int init_server(int *sock, int port, int type) ++ if (s == INVALID_SOCKET) + { +- return(init_server_long(sock, port, NULL, type)); ++ if (hints.ai_family == AF_INET6) ++ { ++ hints.ai_family = AF_INET; ++ goto tryipv4; ++ } ++ perror("socket"); ++ return(0); ++ } ++ ++ perror(failed_call); ++ return(0); + } + + static int do_accept(int acc_sock, int *sock, char **host) + { ++ static struct sockaddr_storage from; ++ char buffer[NI_MAXHOST]; + int ret; +- struct hostent *h1,*h2; +- static struct sockaddr_in from; + int len; + /* struct linger ling; */ + +@@ -424,145 +467,66 @@ redoit: + ling.l_onoff=1; + ling.l_linger=0; + i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling)); +- if (i < 0) { perror("linger"); return(0); } ++ if (i < 0) { closesocket(ret); perror("linger"); return(0); } + i=0; + i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); +- if (i < 0) { perror("keepalive"); return(0); } ++ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); } + */ + + if (host == NULL) goto end; +-#ifndef BIT_FIELD_LIMITS +- /* I should use WSAAsyncGetHostByName() under windows */ +- h1=gethostbyaddr((char *)&from.sin_addr.s_addr, +- sizeof(from.sin_addr.s_addr),AF_INET); +-#else +- h1=gethostbyaddr((char *)&from.sin_addr, +- sizeof(struct in_addr),AF_INET); +-#endif +- if (h1 == NULL) ++ ++ if (getnameinfo((struct sockaddr *)&from, sizeof(from), ++ buffer, sizeof(buffer), ++ NULL, 0, 0)) + { +- BIO_printf(bio_err,"bad gethostbyaddr\n"); ++ BIO_printf(bio_err,"getnameinfo failed\n"); + *host=NULL; + /* return(0); */ + } + else + { +- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) ++ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) + { + perror("OPENSSL_malloc"); + closesocket(ret); + return(0); + } +- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); +- +- h2=GetHostByName(*host); +- if (h2 == NULL) +- { +- BIO_printf(bio_err,"gethostbyname failure\n"); +- closesocket(ret); +- return(0); +- } +- if (h2->h_addrtype != AF_INET) +- { +- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); +- closesocket(ret); +- return(0); +- } ++ strcpy(*host, buffer); + } + end: + *sock=ret; + return(1); + } + +-int extract_host_port(char *str, char **host_ptr, unsigned char *ip, +- short *port_ptr) ++int extract_host_port(char *str, char **host_ptr, ++ char **port_ptr) + { +- char *h,*p; ++ char *h,*p,*x; + +- h=str; +- p=strchr(str,':'); ++ x=h=str; ++ if (*h == '[') ++ { ++ h++; ++ p=strchr(h,']'); + if (p == NULL) + { +- BIO_printf(bio_err,"no port defined\n"); ++ BIO_printf(bio_err,"no ending bracket for IPv6 address\n"); + return(0); + } + *(p++)='\0'; +- +- if ((ip != NULL) && !host_ip(str,ip)) +- goto err; +- if (host_ptr != NULL) *host_ptr=h; +- +- if (!extract_port(p,port_ptr)) +- goto err; +- return(1); +-err: +- return(0); ++ x = p; + } +- +-static int host_ip(char *str, unsigned char ip[4]) +- { +- unsigned int in[4]; +- int i; +- +- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4) +- { +- for (i=0; i<4; i++) +- if (in[i] > 255) +- { +- BIO_printf(bio_err,"invalid IP address\n"); +- goto err; +- } +- ip[0]=in[0]; +- ip[1]=in[1]; +- ip[2]=in[2]; +- ip[3]=in[3]; +- } +- else +- { /* do a gethostbyname */ +- struct hostent *he; +- +- if (!ssl_sock_init()) return(0); +- +- he=GetHostByName(str); +- if (he == NULL) +- { +- BIO_printf(bio_err,"gethostbyname failure\n"); +- goto err; +- } +- /* cast to short because of win16 winsock definition */ +- if ((short)he->h_addrtype != AF_INET) ++ p=strchr(x,':'); ++ if (p == NULL) + { +- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); +- return(0); +- } +- ip[0]=he->h_addr_list[0][0]; +- ip[1]=he->h_addr_list[0][1]; +- ip[2]=he->h_addr_list[0][2]; +- ip[3]=he->h_addr_list[0][3]; +- } +- return(1); +-err: ++ BIO_printf(bio_err,"no port defined\n"); + return(0); + } ++ *(p++)='\0'; + +-int extract_port(char *str, short *port_ptr) +- { +- int i; +- struct servent *s; ++ if (host_ptr != NULL) *host_ptr=h; ++ if (port_ptr != NULL) *port_ptr=p; + +- i=atoi(str); +- if (i != 0) +- *port_ptr=(unsigned short)i; +- else +- { +- s=getservbyname(str,"tcp"); +- if (s == NULL) +- { +- BIO_printf(bio_err,"getservbyname failure for %s\n",str); +- return(0); +- } +- *port_ptr=ntohs((unsigned short)s->s_port); +- } + return(1); + } + diff --git a/openssl-1.0.1h-manfix.patch b/openssl-1.0.1h-manfix.patch new file mode 100644 index 0000000..836f58f --- /dev/null +++ b/openssl-1.0.1h-manfix.patch @@ -0,0 +1,135 @@ +diff -up openssl-1.0.1h/doc/apps/ec.pod.manfix openssl-1.0.1h/doc/apps/ec.pod +--- openssl-1.0.1h/doc/apps/ec.pod.manfix 2014-06-05 11:41:31.000000000 +0200 ++++ openssl-1.0.1h/doc/apps/ec.pod 2014-06-05 14:41:11.501274915 +0200 +@@ -93,10 +93,6 @@ prints out the public, private key compo + + this option prevents output of the encoded version of the key. + +-=item B<-modulus> +- +-this option prints out the value of the public key component of the key. +- + =item B<-pubin> + + by default a private key is read from the input file: with this option a +diff -up openssl-1.0.1h/doc/apps/openssl.pod.manfix openssl-1.0.1h/doc/apps/openssl.pod +--- openssl-1.0.1h/doc/apps/openssl.pod.manfix 2014-06-05 11:41:31.000000000 +0200 ++++ openssl-1.0.1h/doc/apps/openssl.pod 2014-06-05 14:41:11.501274915 +0200 +@@ -163,7 +163,7 @@ Create or examine a netscape certificate + + Online Certificate Status Protocol utility. + +-=item L|passwd(1)> ++=item L|sslpasswd(1)> + + Generation of hashed passwords. + +@@ -187,7 +187,7 @@ Public key algorithm parameter managemen + + Public key algorithm cryptographic operation utility. + +-=item L|rand(1)> ++=item L|sslrand(1)> + + Generate pseudo-random bytes. + +@@ -401,9 +401,9 @@ L, L, L, L, + L, L, L, + L, L, L, +-L, ++L, + L, L, L, +-L, L, L, ++L, L, L, + L, L, + L, L, + L, L, +diff -up openssl-1.0.1h/doc/apps/s_client.pod.manfix openssl-1.0.1h/doc/apps/s_client.pod +--- openssl-1.0.1h/doc/apps/s_client.pod.manfix 2014-06-05 14:41:11.445273605 +0200 ++++ openssl-1.0.1h/doc/apps/s_client.pod 2014-06-05 14:41:11.501274915 +0200 +@@ -33,9 +33,14 @@ B B + [B<-ssl2>] + [B<-ssl3>] + [B<-tls1>] ++[B<-tls1_1>] ++[B<-tls1_2>] ++[B<-dtls1>] + [B<-no_ssl2>] + [B<-no_ssl3>] + [B<-no_tls1>] ++[B<-no_tls1_1>] ++[B<-no_tls1_2>] + [B<-bugs>] + [B<-cipher cipherlist>] + [B<-starttls protocol>] +@@ -45,6 +50,7 @@ B B + [B<-sess_out filename>] + [B<-sess_in filename>] + [B<-rand file(s)>] ++[B<-nextprotoneg protocols>] + + =head1 DESCRIPTION + +@@ -188,7 +194,7 @@ Use the PSK key B when using a PSK + given as a hexadecimal number without leading 0x, for example -psk + 1a2b3c4d. + +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> ++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + + these options disable the use of certain SSL or TLS protocols. By default + the initial handshake uses a method which should be compatible with all +@@ -249,6 +255,17 @@ Multiple files can be specified separate + The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for + all others. + ++=item B<-nextprotoneg protocols> ++ ++enable Next Protocol Negotiation TLS extension and provide a list of ++comma-separated protocol names that the client should advertise ++support for. The list should contain most wanted protocols first. ++Protocol names are printable ASCII strings, for example "http/1.1" or ++"spdy/3". ++Empty list of protocols is treated specially and will cause the client to ++advertise support for the TLS extension but disconnect just after ++reciving ServerHello with a list of server supported protocols. ++ + =back + + =head1 CONNECTED COMMANDS +diff -up openssl-1.0.1h/doc/apps/s_server.pod.manfix openssl-1.0.1h/doc/apps/s_server.pod +--- openssl-1.0.1h/doc/apps/s_server.pod.manfix 2014-06-05 11:41:31.000000000 +0200 ++++ openssl-1.0.1h/doc/apps/s_server.pod 2014-06-05 14:41:11.502274939 +0200 +@@ -55,6 +55,7 @@ B B + [B<-no_ticket>] + [B<-id_prefix arg>] + [B<-rand file(s)>] ++[B<-nextprotoneg protocols>] + + =head1 DESCRIPTION + +@@ -207,7 +208,7 @@ Use the PSK key B when using a PSK + given as a hexadecimal number without leading 0x, for example -psk + 1a2b3c4d. + +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> ++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + + these options disable the use of certain SSL or TLS protocols. By default + the initial handshake uses a method which should be compatible with all +@@ -282,6 +283,14 @@ Multiple files can be specified separate + The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for + all others. + ++=item B<-nextprotoneg protocols> ++ ++enable Next Protocol Negotiation TLS extension and provide a ++comma-separated list of supported protocol names. ++The list should contain most wanted protocols first. ++Protocol names are printable ASCII strings, for example "http/1.1" or ++"spdy/3". ++ + =back + + =head1 CONNECTED COMMANDS diff --git a/openssl.spec b/openssl.spec index 3179494..7e808d3 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,8 +22,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.1g -Release: 2%{?dist} +Version: 1.0.1h +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -57,8 +57,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch Patch36: openssl-1.0.0e-doc-noeof.patch -Patch38: openssl-1.0.1g-ssl-op-all.patch -Patch39: openssl-1.0.1c-ipv6-apps.patch +Patch39: openssl-1.0.1h-ipv6-apps.patch Patch40: openssl-1.0.1g-fips.patch Patch45: openssl-1.0.1e-env-zlib.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch @@ -74,7 +73,7 @@ Patch66: openssl-1.0.1-pkgconfig-krb5.patch Patch68: openssl-1.0.1e-secure-getenv.patch Patch69: openssl-1.0.1c-dh-1024.patch Patch70: openssl-1.0.1e-fips-ec.patch -Patch71: openssl-1.0.1e-manfix.patch +Patch71: openssl-1.0.1h-manfix.patch Patch72: openssl-1.0.1e-fips-ctor.patch Patch73: openssl-1.0.1e-ecc-suiteb.patch Patch74: openssl-1.0.1e-no-md5-verify.patch @@ -179,7 +178,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch34 -p1 -b .x509 %patch35 -p1 -b .version-add-engines %patch36 -p1 -b .doc-noeof -%patch38 -p1 -b .op-all %patch39 -p1 -b .ipv6-apps %patch40 -p1 -b .fips %patch45 -p1 -b .env-zlib @@ -474,6 +472,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Thu Jun 5 2014 Tomáš Mráz 1.0.1h-1 +- new upstream release 1.0.1h + * Sat May 31 2014 Peter Robinson 1.0.1g-2 - Drop obsolete and irrelevant docs - Move devel docs to appropriate package diff --git a/sources b/sources index 30690e0..5c377fa 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3de4f91702dfa545d577912a065fb250 openssl-1.0.1g-hobbled.tar.xz +4ea0f231c61b9c66642176cdc033b386 openssl-1.0.1h-hobbled.tar.xz