From f550490681c4509e9dca7938789fe92648cbbe83 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Jun 11 2014 13:07:06 +0000 Subject: use system profile for default cipher list --- diff --git a/openssl-1.0.1h-system-cipherlist.patch b/openssl-1.0.1h-system-cipherlist.patch new file mode 100644 index 0000000..0ac422c --- /dev/null +++ b/openssl-1.0.1h-system-cipherlist.patch @@ -0,0 +1,288 @@ +diff -up openssl-1.0.1h/Configure.system openssl-1.0.1h/Configure +--- openssl-1.0.1h/Configure.system 2014-06-05 14:47:37.509312875 +0200 ++++ openssl-1.0.1h/Configure 2014-06-11 14:05:28.560359069 +0200 +@@ -10,7 +10,7 @@ use strict; + + # see INSTALL for instructions. + +-my $usage="Usage: Configure [no- ...] [enable- ...] [experimental- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [experimental- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; + + # Options: + # +@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no- + # --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently + # supported values are "MIT" and "Heimdal". A value is required. + # ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --test-sanity Make a number of sanity checks on the data in this file. + # This is a debugging tool for OpenSSL developers. + # +@@ -663,6 +666,7 @@ my $prefix=""; + my $libdir=""; + my $openssldir=""; + my $enginesdir=""; ++my $system_ciphers_file=""; + my $exe_ext=""; + my $install_prefix= "$ENV{'INSTALL_PREFIX'}"; + my $cross_compile_prefix=""; +@@ -895,6 +899,10 @@ PROCESS_ARGS: + { + $enginesdir=$1; + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $system_ciphers_file=$1; ++ } + elsif (/^--install.prefix=(.*)$/) + { + $install_prefix=$1; +@@ -1053,6 +1061,7 @@ print "Configuring for $target\n"; + + &usage if (!defined($table{$target})); + ++chop $system_ciphers_file if $system_ciphers_file =~ /\/$/; + + foreach (sort (keys %disabled)) + { +@@ -1607,6 +1616,7 @@ while () + s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/; + s/^MULTILIB=.*$/MULTILIB=$multilib/; + s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/; ++ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/; + s/^LIBDIR=.*$/LIBDIR=$libdir/; + s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/; + s/^PLATFORM=.*$/PLATFORM=$target/; +@@ -1812,6 +1822,14 @@ while () + $foo =~ s/\\/\\\\/g; + print OUT "#define ENGINESDIR \"$foo\"\n"; + } ++ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/) ++ { ++ my $foo = "$system_ciphers_file"; ++ if ($foo ne '') { ++ $foo =~ s/\\/\\\\/g; ++ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n"; ++ } ++ } + elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) + { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" + if $export_var_as_fn; +diff -up openssl-1.0.1h/crypto/opensslconf.h.in.system openssl-1.0.1h/crypto/opensslconf.h.in +--- openssl-1.0.1h/crypto/opensslconf.h.in.system 2014-06-05 14:47:37.437311188 +0200 ++++ openssl-1.0.1h/crypto/opensslconf.h.in 2014-06-11 13:31:44.497722345 +0200 +@@ -25,6 +25,8 @@ + #endif + #endif + ++#undef SYSTEM_CIPHERS_FILE ++ + #undef OPENSSL_UNISTD + #define OPENSSL_UNISTD + +diff -up openssl-1.0.1h/ssl/ssl_ciph.c.system openssl-1.0.1h/ssl/ssl_ciph.c +--- openssl-1.0.1h/ssl/ssl_ciph.c.system 2014-06-05 14:47:37.441311282 +0200 ++++ openssl-1.0.1h/ssl/ssl_ciph.c 2014-06-11 13:55:28.194381937 +0200 +@@ -1352,6 +1352,53 @@ static int ssl_cipher_process_rulestr(co + return(retval); + } + ++#ifdef SYSTEM_CIPHERS_FILE ++static char* load_system_str(const char* suffix) ++ { ++ FILE* fp; ++ char buf[1024]; ++ char *new_rules; ++ unsigned len, slen; ++ ++ fp = fopen(SYSTEM_CIPHERS_FILE, "r"); ++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) ++ { ++ /* cannot open or file is empty */ ++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); ++ } ++ ++ fclose(fp); ++ ++ slen = strlen(suffix); ++ len = strlen(buf); ++ ++ if (buf[len-1] == '\n') ++ { ++ len--; ++ buf[len] = 0; ++ } ++ if (buf[len-1] == '\r') ++ { ++ len--; ++ buf[len] = 0; ++ } ++ ++ new_rules = malloc(len + slen + 1); ++ if (new_rules == 0) ++ return NULL; ++ ++ memcpy(new_rules, buf, len); ++ if (slen > 0) ++ { ++ memcpy(&new_rules[len], suffix, slen); ++ len += slen; ++ } ++ new_rules[len] = 0; ++ ++ return new_rules; ++ } ++#endif ++ + STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, + STACK_OF(SSL_CIPHER) **cipher_list, + STACK_OF(SSL_CIPHER) **cipher_list_by_id, +@@ -1359,16 +1406,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + { + int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; + unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; +- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; ++ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list; + const char *rule_p; + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; + const SSL_CIPHER **ca_list = NULL; ++#ifdef SYSTEM_CIPHERS_FILE ++ char *new_rules = NULL; ++ ++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) ++ { ++ char* p = rule_str + 14; ++ ++ new_rules = load_system_str(p); ++ rule_str = new_rules; ++ } ++#endif + + /* + * Return with error if nothing to do. + */ + if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) +- return NULL; ++ { ++ goto end; ++ } + + /* + * To reduce the work to do we only want to process the compiled +@@ -1389,7 +1449,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + if (co_list == NULL) + { + SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); +- return(NULL); /* Failure */ ++ goto end; + } + + ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, +@@ -1431,8 +1491,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * in force within each class */ + if (!ssl_cipher_strength_sort(&head, &tail)) + { +- OPENSSL_free(co_list); +- return NULL; ++ goto end; + } + + /* Now disable everything (maintaining the ordering!) */ +@@ -1452,9 +1511,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); + if (ca_list == NULL) + { +- OPENSSL_free(co_list); + SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); +- return(NULL); /* Failure */ ++ goto end; + } + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, + disabled_mkey, disabled_auth, disabled_enc, +@@ -1482,8 +1540,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + + if (!ok) + { /* Rule processing failure */ +- OPENSSL_free(co_list); +- return(NULL); ++ goto end; + } + + /* +@@ -1492,8 +1549,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + */ + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) + { +- OPENSSL_free(co_list); +- return(NULL); ++ goto end; + } + + /* +@@ -1514,13 +1570,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + #endif + } + } +- OPENSSL_free(co_list); /* Not needed any longer */ + + tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); + if (tmp_cipher_list == NULL) + { + sk_SSL_CIPHER_free(cipherstack); +- return NULL; ++ cipherstack = NULL; ++ goto end; + } + if (*cipher_list != NULL) + sk_SSL_CIPHER_free(*cipher_list); +@@ -1531,6 +1587,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); + + sk_SSL_CIPHER_sort(*cipher_list_by_id); ++ ++end: ++ OPENSSL_free(co_list); ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); ++#endif + return(cipherstack); + } + +diff -up openssl-1.0.1h/ssl/ssl.h.system openssl-1.0.1h/ssl/ssl.h +--- openssl-1.0.1h/ssl/ssl.h.system 2014-06-05 14:47:37.000000000 +0200 ++++ openssl-1.0.1h/ssl/ssl.h 2014-06-11 14:08:35.243461447 +0200 +@@ -338,6 +338,11 @@ extern "C" { + * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable + * some of them.) + */ ++#ifdef SYSTEM_CIPHERS_FILE ++#define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM" ++#else ++#define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST ++#endif + + /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ + #define SSL_SENT_SHUTDOWN 1 +diff -up openssl-1.0.1h/ssl/ssl_lib.c.system openssl-1.0.1h/ssl/ssl_lib.c +--- openssl-1.0.1h/ssl/ssl_lib.c.system 2014-06-05 11:44:33.000000000 +0200 ++++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-11 13:59:40.696578139 +0200 +@@ -263,7 +263,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx + + sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), + &(ctx->cipher_list_by_id), +- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST); ++ meth->version == SSL2_VERSION ? "SSLv2" : SSL_SYSTEM_DEFAULT_CIPHER_LIST); + if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) + { + SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); +@@ -1767,7 +1767,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + + ssl_create_cipher_list(ret->method, + &ret->cipher_list,&ret->cipher_list_by_id, +- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST); ++ meth->version == SSL2_VERSION ? "SSLv2" : SSL_SYSTEM_DEFAULT_CIPHER_LIST); + if (ret->cipher_list == NULL + || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) + { diff --git a/openssl.spec b/openssl.spec index 9c6ea0d..61b584d 100644 --- a/openssl.spec +++ b/openssl.spec @@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1h -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -83,6 +83,7 @@ Patch77: openssl-1.0.1e-weak-ciphers.patch Patch78: openssl-1.0.1g-3des-strength.patch Patch90: openssl-1.0.1e-enc-fail.patch Patch91: openssl-1.0.1e-ssl2-no-ec.patch +Patch92: openssl-1.0.1h-system-cipherlist.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch Patch82: openssl-1.0.1h-session-resumption.patch @@ -109,6 +110,7 @@ protocols. Summary: A general purpose cryptography library with TLS implementation Group: System Environment/Libraries Requires: ca-certificates >= 2008-5 +Requires: crypto-policies # Needed obsoletes due to the base/lib subpackage split Obsoletes: openssl < 1:1.0.1-0.3.beta3 Obsoletes: openssl-fips < 1:1.0.1e-28 @@ -205,6 +207,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch78 -p1 -b .3des-strength %patch90 -p1 -b .enc-fail %patch91 -p1 -b .ssl2noec +%patch92 -p1 -b .system %patch81 -p1 -b .padlock64 %patch82 -p1 -b .resumption @@ -267,6 +270,7 @@ sslarch="linux-ppc64le" # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ + --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \ --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \ @@ -474,6 +478,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Wed Jun 11 2014 Tomáš Mráz 1.0.1h-4 +- use system profile for default cipher list + * Tue Jun 10 2014 Tomáš Mráz 1.0.1h-3 - make FIPS mode keygen bit length restriction enforced only when OPENSSL_ENFORCE_MODULUS_BITS is set