From e443a79334446ac0dc14fdf7c062386f92bbc7a0 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Nov 22 2016 09:39:55 +0000 Subject: Add back EC NIST P-224 and revert SSL_read() change - revert SSL_read() behavior change - patch from upstream (#1394677) - EC curve NIST P-224 is now allowed, still kept disabled in TLS due to less than optimal security --- diff --git a/ec_curve.c b/ec_curve.c index 0a1ca3d..abee205 100644 --- a/ec_curve.c +++ b/ec_curve.c @@ -38,6 +38,44 @@ typedef struct { /* the nist prime curves */ static const struct { EC_CURVE_DATA h; + unsigned char data[20 + 28 * 6]; +} _EC_NIST_PRIME_224 = { + { + NID_X9_62_prime_field, 20, 28, 1 + }, + { + /* seed */ + 0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F, + 0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5, + /* p */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, + /* a */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFE, + /* b */ + 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, + 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, + 0x23, 0x55, 0xFF, 0xB4, + /* x */ + 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, + 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, + 0x11, 0x5C, 0x1D, 0x21, + /* y */ + 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, + 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, + 0x85, 0x00, 0x7e, 0x34, + /* order */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, + 0x5C, 0x5C, 0x2A, 0x3D + } +}; + +static const struct { + EC_CURVE_DATA h; unsigned char data[20 + 48 * 6]; } _EC_NIST_PRIME_384 = { { @@ -220,6 +258,13 @@ typedef struct _ec_list_element_st { static const ec_list_element curve_list[] = { /* prime field curves */ /* secg curves */ +#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, + "NIST/SECG curve over a 224 bit prime field"}, +#else + {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, + "NIST/SECG curve over a 224 bit prime field"}, +#endif {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field"}, /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ diff --git a/ectest.c b/ectest.c index af0f7f3..e91c252 100644 --- a/ectest.c +++ b/ectest.c @@ -236,6 +236,70 @@ static void prime_field_tests(void) if (x == NULL || y == NULL || z == NULL || yplusone == NULL) ABORT; + /* Curve P-224 (FIPS PUB 186-2, App. 6) */ + + if (!BN_hex2bn + (&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) + ABORT; + if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) + ABORT; + if (!BN_hex2bn + (&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) + ABORT; + if (!BN_hex2bn + (&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) + ABORT; + if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) + ABORT; + + if (!BN_hex2bn + (&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) + ABORT; + if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) + ABORT; + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) + ABORT; + if (!BN_hex2bn + (&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) + ABORT; + if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) + ABORT; + + if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) + ABORT; + fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x"); + BN_print_fp(stdout, x); + fprintf(stdout, "\n y = 0x"); + BN_print_fp(stdout, y); + fprintf(stdout, "\n"); + /* G_y value taken from the standard: */ + if (!BN_hex2bn + (&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) + ABORT; + if (0 != BN_cmp(y, z)) + ABORT; + + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + + fprintf(stdout, "verify degree ..."); + if (EC_GROUP_get_degree(group) != 224) + ABORT; + fprintf(stdout, " ok\n"); + + group_order_tests(group); + + if ((P_224 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) + ABORT; + if (!EC_GROUP_copy(P_224, group)) + ABORT; + /* Curve P-256 (FIPS PUB 186-2, App. 6) */ if (!BN_hex2bn @@ -556,6 +620,7 @@ static void prime_field_tests(void) BN_free(z); BN_free(yplusone); + EC_GROUP_free(P_224); EC_GROUP_free(P_256); EC_GROUP_free(P_384); EC_GROUP_free(P_521); diff --git a/hobble-openssl b/hobble-openssl index 6c4c21c..e830942 100755 --- a/hobble-openssl +++ b/hobble-openssl @@ -26,7 +26,7 @@ for c in `find crypto/bn -name "*gf2m.c"`; do > $c done -for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp22?.c"`; do +for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do echo Destroying $c > $c done diff --git a/openssl-1.1.0-ec-curves.patch b/openssl-1.1.0-ec-curves.patch index c5058b3..0730fe9 100644 --- a/openssl-1.1.0-ec-curves.patch +++ b/openssl-1.1.0-ec-curves.patch @@ -1,13 +1,13 @@ diff -up openssl-1.1.0/apps/speed.c.curves openssl-1.1.0/apps/speed.c --- openssl-1.1.0/apps/speed.c.curves 2016-09-08 11:03:15.550585422 +0200 +++ openssl-1.1.0/apps/speed.c 2016-09-08 11:05:17.287315488 +0200 -@@ -536,42 +536,16 @@ static OPT_PAIR rsa_choices[] = { +@@ -536,42 +536,18 @@ static OPT_PAIR rsa_choices[] = { #define R_EC_X25519 16 #ifndef OPENSSL_NO_EC static OPT_PAIR ecdsa_choices[] = { - {"ecdsap160", R_EC_P160}, - {"ecdsap192", R_EC_P192}, -- {"ecdsap224", R_EC_P224}, + {"ecdsap224", R_EC_P224}, {"ecdsap256", R_EC_P256}, {"ecdsap384", R_EC_P384}, {"ecdsap521", R_EC_P521}, @@ -27,7 +27,7 @@ diff -up openssl-1.1.0/apps/speed.c.curves openssl-1.1.0/apps/speed.c static OPT_PAIR ecdh_choices[] = { - {"ecdhp160", R_EC_P160}, - {"ecdhp192", R_EC_P192}, -- {"ecdhp224", R_EC_P224}, + {"ecdhp224", R_EC_P224}, {"ecdhp256", R_EC_P256}, {"ecdhp384", R_EC_P384}, {"ecdhp521", R_EC_P521}, @@ -44,21 +44,21 @@ diff -up openssl-1.1.0/apps/speed.c.curves openssl-1.1.0/apps/speed.c {"ecdhx25519", R_EC_X25519}, {NULL} }; -diff -up openssl-1.1.0/include/openssl/ec.h.curves openssl-1.1.0/include/openssl/ec.h ---- openssl-1.1.0/include/openssl/ec.h.curves 2016-08-25 17:29:22.000000000 +0200 -+++ openssl-1.1.0/include/openssl/ec.h 2016-09-08 11:03:15.550585422 +0200 -@@ -80,11 +80,6 @@ const EC_METHOD *EC_GFp_mont_method(void - const EC_METHOD *EC_GFp_nist_method(void); +diff -up openssl-1.1.0c/crypto/ec/ecp_smpl.c.curves openssl-1.1.0c/crypto/ec/ecp_smpl.c +--- openssl-1.1.0c/crypto/ec/ecp_smpl.c.curves 2016-11-10 15:03:44.000000000 +0100 ++++ openssl-1.1.0c/crypto/ec/ecp_smpl.c 2016-11-11 13:31:51.329603626 +0100 +@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO + return 0; + } - # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 --/** Returns 64-bit optimized methods for nistp224 -- * \return EC_METHOD object -- */ --const EC_METHOD *EC_GFp_nistp224_method(void); -- - /** Returns 64-bit optimized methods for nistp256 - * \return EC_METHOD object - */ ++ if (BN_num_bits(p) < 224) { ++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); ++ return 0; ++ } ++ + if (ctx == NULL) { + ctx = new_ctx = BN_CTX_new(); + if (ctx == NULL) diff -up openssl-1.1.0/ssl/t1_lib.c.curves openssl-1.1.0/ssl/t1_lib.c --- openssl-1.1.0/ssl/t1_lib.c.curves 2016-09-08 11:03:15.551585445 +0200 +++ openssl-1.1.0/ssl/t1_lib.c 2016-09-08 11:06:58.072575697 +0200 diff --git a/openssl-1.1.0-fips.patch b/openssl-1.1.0-fips.patch index 81c6d7b..c7009ed 100644 --- a/openssl-1.1.0-fips.patch +++ b/openssl-1.1.0-fips.patch @@ -786,21 +786,6 @@ diff -up openssl-1.1.0c/crypto/ec/ec_key.c.fips openssl-1.1.0c/crypto/ec/ec_key. ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } -diff -up openssl-1.1.0c/crypto/ec/ecp_smpl.c.fips openssl-1.1.0c/crypto/ec/ecp_smpl.c ---- openssl-1.1.0c/crypto/ec/ecp_smpl.c.fips 2016-11-10 15:03:44.000000000 +0100 -+++ openssl-1.1.0c/crypto/ec/ecp_smpl.c 2016-11-11 13:31:51.329603626 +0100 -@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO - return 0; - } - -+ if (BN_num_bits(p) < 256) { -+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); -+ return 0; -+ } -+ - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) diff -up openssl-1.1.0c/crypto/err/err_all.c.fips openssl-1.1.0c/crypto/err/err_all.c --- openssl-1.1.0c/crypto/err/err_all.c.fips 2016-11-10 15:03:44.000000000 +0100 +++ openssl-1.1.0c/crypto/err/err_all.c 2016-11-11 13:31:51.329603626 +0100 diff --git a/openssl-1.1.0-sslread-revert.patch b/openssl-1.1.0-sslread-revert.patch new file mode 100644 index 0000000..aa2af9a --- /dev/null +++ b/openssl-1.1.0-sslread-revert.patch @@ -0,0 +1,270 @@ +From 11f1fd4b0d1b3aef5c79b843d081dbb9bcd0b85f Mon Sep 17 00:00:00 2001 +From: Kurt Roeckx +Date: Tue, 15 Nov 2016 18:58:52 +0100 +Subject: [PATCH] Make SSL_read and SSL_write return the old behaviour and + document it. + +Backport of beacb0f0c1ae7b0542fe053b95307f515b578eb7, revert of +122580ef71e4e5f355a1a104c9bfb36feee43759 + +Fixes: #1903 + +Reviewed-by: Matt Caswell + +GH: #1966 +--- + doc/ssl/SSL_get_error.pod | 22 +++++++++--------- + doc/ssl/SSL_read.pod | 29 +++++++++--------------- + doc/ssl/SSL_write.pod | 19 +++++++--------- + ssl/record/rec_layer_s3.c | 14 ++++-------- + test/asynciotest.c | 57 ++++++++++++++++++++++++++++++++++------------- + 5 files changed, 75 insertions(+), 66 deletions(-) + +diff --git a/doc/ssl/SSL_get_error.pod b/doc/ssl/SSL_get_error.pod +index ddd72f7..47d2358 100644 +--- a/doc/ssl/SSL_get_error.pod ++++ b/doc/ssl/SSL_get_error.pod +@@ -38,12 +38,13 @@ if and only if B 0>. + + =item SSL_ERROR_ZERO_RETURN + +-The TLS/SSL connection has been closed. If the protocol version is SSL 3.0 +-or TLS 1.0, this result code is returned only if a closure +-alert has occurred in the protocol, i.e. if the connection has been +-closed cleanly. Note that in this case B +-does not necessarily indicate that the underlying transport +-has been closed. ++The TLS/SSL connection has been closed. ++If the protocol version is SSL 3.0 or higher, this result code is returned only ++if a closure alert has occurred in the protocol, i.e. if the connection has been ++closed cleanly. ++Note that in this case B does not necessarily ++indicate that the underlying transport has been closed. ++ + + =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE + +@@ -111,12 +112,9 @@ thread has completed. + + =item SSL_ERROR_SYSCALL + +-Some I/O error occurred. The OpenSSL error queue may contain more +-information on the error. If the error queue is empty +-(i.e. ERR_get_error() returns 0), B can be used to find out more +-about the error: If B, an EOF was observed that violates +-the protocol. If B, the underlying B reported an +-I/O error (for socket I/O on Unix systems, consult B for details). ++Some non-recoverable I/O error occurred. ++The OpenSSL error queue may contain more information on the error. ++For socket I/O on Unix systems, consult B for details. + + =item SSL_ERROR_SSL + +diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod +index 8dff244..20ccf40 100644 +--- a/doc/ssl/SSL_read.pod ++++ b/doc/ssl/SSL_read.pod +@@ -81,28 +81,21 @@ The following return values can occur: + + =over 4 + +-=item E0 ++=item E 0 + +-The read operation was successful; the return value is the number of +-bytes actually read from the TLS/SSL connection. ++The read operation was successful. ++The return value is the number of bytes actually read from the TLS/SSL ++connection. + +-=item Z<>0 ++=item Z<><= 0 + +-The read operation was not successful. The reason may either be a clean +-shutdown due to a "close notify" alert sent by the peer (in which case +-the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set +-(see L, +-L). It is also possible, that +-the peer simply shut down the underlying transport and the shutdown is +-incomplete. Call SSL_get_error() with the return value B to find out, +-whether an error occurred or the connection was shut down cleanly +-(SSL_ERROR_ZERO_RETURN). ++The read operation was not successful, because either the connection was closed, ++an error occurred or action must be taken by the calling process. ++Call L with the return value B to find out the reason. + +-=item E0 +- +-The read operation was not successful, because either an error occurred +-or action must be taken by the calling process. Call SSL_get_error() with the +-return value B to find out the reason. ++Old documentation indicated a difference between 0 and -1, and that -1 was ++retryable. ++You should instead call SSL_get_error() to find out if it's retryable. + + =back + +diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod +index 5ab0790..ef3b92a 100644 +--- a/doc/ssl/SSL_write.pod ++++ b/doc/ssl/SSL_write.pod +@@ -74,23 +74,20 @@ The following return values can occur: + + =over 4 + +-=item E0 ++=item E 0 + + The write operation was successful, the return value is the number of + bytes actually written to the TLS/SSL connection. + +-=item Z<>0 ++=item Z<><= 0 + +-The write operation was not successful. Probably the underlying connection +-was closed. Call SSL_get_error() with the return value B to find out, +-whether an error occurred or the connection was shut down cleanly +-(SSL_ERROR_ZERO_RETURN). ++The write operation was not successful, because either the connection was ++closed, an error occurred or action must be taken by the calling process. ++Call SSL_get_error() with the return value B to find out the reason. + +-=item E0 +- +-The write operation was not successful, because either an error occurred +-or action must be taken by the calling process. Call SSL_get_error() with the +-return value B to find out the reason. ++Old documentation indicated a difference between 0 and -1, and that -1 was ++retryable. ++You should instead call SSL_get_error() to find out if it's retryable. + + =back + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 28de7c3..1270a5f 100644 +--- a/ssl/record/rec_layer_s3.c ++++ b/ssl/record/rec_layer_s3.c +@@ -178,10 +178,7 @@ const char *SSL_rstate_string(const SSL *s) + } + + /* +- * Return values are as per SSL_read(), i.e. +- * >0 The number of read bytes +- * 0 Failure (not retryable) +- * <0 Failure (may be retryable) ++ * Return values are as per SSL_read() + */ + int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) + { +@@ -312,7 +309,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) + if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s)) + if (len + left == 0) + ssl3_release_read_buffer(s); +- return -1; ++ return i; + } + left += i; + /* +@@ -882,10 +879,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + + /* if s->s3->wbuf.left != 0, we need to call this + * +- * Return values are as per SSL_read(), i.e. +- * >0 The number of read bytes +- * 0 Failure (not retryable) +- * <0 Failure (may be retryable) ++ * Return values are as per SSL_write() + */ + int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, + unsigned int len) +@@ -936,7 +930,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, + */ + SSL3_BUFFER_set_left(&wb[currbuf], 0); + } +- return -1; ++ return i; + } + SSL3_BUFFER_add_offset(&wb[currbuf], i); + SSL3_BUFFER_add_left(&wb[currbuf], -i); +diff --git a/test/asynciotest.c b/test/asynciotest.c +index 0d382d7..133e3d5 100644 +--- a/test/asynciotest.c ++++ b/test/asynciotest.c +@@ -297,32 +297,59 @@ int main(int argc, char *argv[]) + * we hit at least one async event in both reading and writing + */ + for (j = 0; j < 2; j++) { ++ int len; ++ + /* + * Write some test data. It should never take more than 2 attempts +- * (the first one might be a retryable fail). A zero return from +- * SSL_write() is a non-retryable failure, so fail immediately if +- * we get that. ++ * (the first one might be a retryable fail). + */ +- for (ret = -1, i = 0; ret < 0 && i < 2 * sizeof(testdata); i++) +- ret = SSL_write(clientssl, testdata, sizeof(testdata)); +- if (ret <= 0) { +- printf("Test %d failed: Failed to write app data\n", test); ++ for (ret = -1, i = 0, len = 0; len != sizeof(testdata) && i < 2; ++ i++) { ++ ret = SSL_write(clientssl, testdata + len, ++ sizeof(testdata) - len); ++ if (ret > 0) { ++ len += ret; ++ } else { ++ int ssl_error = SSL_get_error(clientssl, ret); ++ ++ if (ssl_error == SSL_ERROR_SYSCALL || ++ ssl_error == SSL_ERROR_SSL) { ++ printf("Test %d failed: Failed to write app data\n", test); ++ err = -1; ++ goto end; ++ } ++ } ++ } ++ if (len != sizeof(testdata)) { ++ err = -1; ++ printf("Test %d failed: Failed to write all app data\n", test); + goto end; + } + /* + * Now read the test data. It may take more attemps here because + * it could fail once for each byte read, including all overhead +- * bytes from the record header/padding etc. Fail immediately if we +- * get a zero return from SSL_read(). ++ * bytes from the record header/padding etc. + */ +- for (ret = -1, i = 0; ret < 0 && i < MAX_ATTEMPTS; i++) +- ret = SSL_read(serverssl, buf, sizeof(buf)); +- if (ret <= 0) { +- printf("Test %d failed: Failed to read app data\n", test); +- goto end; ++ for (ret = -1, i = 0, len = 0; len != sizeof(testdata) && ++ i < MAX_ATTEMPTS; i++) ++ { ++ ret = SSL_read(serverssl, buf + len, sizeof(buf) - len); ++ if (ret > 0) { ++ len += ret; ++ } else { ++ int ssl_error = SSL_get_error(serverssl, ret); ++ ++ if (ssl_error == SSL_ERROR_SYSCALL || ++ ssl_error == SSL_ERROR_SSL) { ++ printf("Test %d failed: Failed to read app data\n", test); ++ err = -1; ++ goto end; ++ } ++ } + } +- if (ret != sizeof(testdata) ++ if (len != sizeof(testdata) + || memcmp(buf, testdata, sizeof(testdata)) != 0) { ++ err = -1; + printf("Test %d failed: Unexpected app data received\n", test); + goto end; + } +-- +2.5.5 + diff --git a/openssl.spec b/openssl.spec index 65128c5..065f9f3 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.0c -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -425,6 +425,11 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog +* Tue Nov 22 2016 Tomáš Mráz 1.1.0c-2 +- revert SSL_read() behavior change - patch from upstream (#1394677) +- EC curve NIST P-224 is now allowed, still kept disabled in TLS due + to less than optimal security + * Fri Nov 11 2016 Tomáš Mráz 1.1.0c-1 - update to upstream version 1.1.0c diff --git a/sources b/sources index f9d378f..cd74e22 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -1292a3e2bafa419cd61212cfd5e34d02 openssl-1.1.0c-hobbled.tar.xz +9e8c736f47938e0dc2f28893cd96c912 openssl-1.1.0c-hobbled.tar.xz