openkylin
/
openssl3
mirror of https://gitee.com/openkylin/openssl3.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

changed debian/source/format to native

This commit is contained in:
luoyaoming 2023-01-06 23:08:26 +08:00
parent 3a57eed964
commit d02da937df
13 changed files with 1 additions and 1356 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch vendored
View File

@ -1,46 +0,0 @@
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Thu, 1 Apr 2021 21:46:17 +0200
Subject: Configure: allow to enable ktls if target does not start with Linux
The Debian build system uses a `debian' target which sets CFLAGS and
then we have for instance debian-amd64 which inherits from
linux-x86_64 and debian. So far so good.
Since the target name does not start with `linux', the build system does not
enable ktls. So in order to get enabled, I
added a
`enable => [ "ktls" ],'
to the generic linux config which sets it explicit). Having this set, we can
check for it instead matching the target name.
This commit is based on changes for afalgeng in commit
9e381e8a01859 ("Configure: allow to enable afalgeng if target does not start with Linux")
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
Configurations/10-main.conf | 2 +-
Configure | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -697,7 +697,7 @@
shared_target => "linux-shared",
shared_cflag => "-fPIC",
shared_ldflag => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
- enable => [ "afalgeng" ],
+ enable => [ "afalgeng", "ktls" ],
},
"linux-latomic" => {
inherit_from => [ "linux-generic32" ],
--- a/Configure
+++ b/Configure
@@ -1714,7 +1714,7 @@
unless ($disabled{ktls}) {
$config{ktls}="";
- if ($target =~ m/^linux/) {
+ if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
my $usr = "/usr/$config{cross_compile_prefix}";
chop($usr);
if ($config{cross_compile_prefix} eq "") {

43
debian/patches/Set-systemwide-default-settings-for-libssl-users.patch vendored
View File

@ -1,43 +0,0 @@
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue, 20 Mar 2018 22:07:30 +0100
Subject: Set systemwide default settings for libssl users
This config change enforeces a TLS1.2 protocol version as minimum. It
can be overwritten by the system administrator.
It also changes the default security level from 1 to 2, moving from the 80 bit
security level to the 112 bit security level.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
apps/openssl.cnf | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 97567a67be6d..38ff63d1d49b 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -24,6 +24,9 @@ config_diagnostics = 1
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
+# System default
+openssl_conf = default_conf
+
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
@@ -381,3 +384,13 @@ oldcert = $insta::certout # insta.cert.pem
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT@SECLEVEL=2

381
debian/patches/TEST-Provide-a-default-openssl.cnf-for-tests.patch vendored
View File

@ -1,381 +0,0 @@
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Wed, 17 Jun 2020 21:47:15 +0200
Subject: TEST: Provide a default openssl.cnf for tests
The modified .cnf leads to failure of tests which expect <TLS1.2.
Provide the original .cnf file for running the tests.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
test/openssl.cnf | 353 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
test/run_tests.pl | 2 +-
2 files changed, 354 insertions(+), 1 deletion(-)
create mode 100644 test/openssl.cnf
--- /dev/null
+++ b/test/openssl.cnf
@@ -0,0 +1,353 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+[insta] # CMP using Insta Demo CA
+# Message transfer
+server = pki.certificate.fi:8700
+# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
+# tls_use = 0
+path = pkix/
+
+# Server authentication
+recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
+ignore_keyusage = 1 # potentially needed quirk
+unprotected_errors = 1 # potentially needed quirk
+extracertsout = insta.extracerts.pem
+
+# Client authentication
+ref = 3078 # user identification
+secret = pass:insta # can be used for both client and server side
+
+# Generic message options
+cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
+
+# Certificate enrollment
+subject = "/CN=openssl-cmp-test"
+newkey = insta.priv.pem
+out_trusted = insta.ca.crt
+certout = insta.cert.pem
+
+[pbm] # Password-based protection for Insta CA
+# Server and client authentication
+ref = $insta::ref # 3078
+secret = $insta::secret # pass:insta
+
+[signature] # Signature-based protection for Insta CA
+# Server authentication
+trusted = insta.ca.crt # does not include keyUsage digitalSignature
+
+# Client authentication
+secret = # disable PBM
+key = $insta::newkey # insta.priv.pem
+cert = $insta::certout # insta.cert.pem
+
+[ir]
+cmd = ir
+
+[cr]
+cmd = cr
+
+[kur]
+# Certificate update
+cmd = kur
+oldcert = $insta::certout # insta.cert.pem
+
+[rr]
+# Certificate revocation
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
--- a/test/run_tests.pl
+++ b/test/run_tests.pl
@@ -33,7 +33,7 @@
my $libdir = rel2abs(catdir($srctop, "util", "perl"));
my $jobs = $ENV{HARNESS_JOBS} // 1;
-$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));
+$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "test", "openssl.cnf"));
$ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
$ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
$ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));

70
debian/patches/c_rehash-compat.patch vendored
View File

@ -1,70 +0,0 @@
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 21 Apr 2010 15:52:10 +0200
Subject: [PATCH] also create old hash for compatibility
---
tools/c_rehash.in | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -17,8 +17,6 @@
my $errorcount = 0;
my $openssl = $ENV{OPENSSL} || "openssl";
my $pwd;
-my $x509hash = "-subject_hash";
-my $crlhash = "-hash";
my $verbose = 0;
my $symlink_exists=eval {symlink("",""); 1};
my $removelinks = 1;
@@ -27,10 +25,7 @@
while ( $ARGV[0] =~ /^-/ ) {
my $flag = shift @ARGV;
last if ( $flag eq '--');
- if ( $flag eq '-old') {
- $x509hash = "-subject_hash_old";
- $crlhash = "-hash_old";
- } elsif ( $flag eq '-h' || $flag eq '-help' ) {
+ if ( $flag eq '-h' || $flag eq '-help' ) {
help();
} elsif ( $flag eq '-n' ) {
$removelinks = 0;
@@ -128,7 +123,9 @@
next;
}
link_hash_cert($fname) if ($cert);
+ link_hash_cert_old($fname) if ($cert);
link_hash_crl($fname) if ($crl);
+ link_hash_crl_old($fname) if ($crl);
}
}
@@ -161,6 +158,7 @@
sub link_hash_cert {
my $fname = $_[0];
+ my $x509hash = $_[1] || '-subject_hash';
$fname =~ s/\"/\\\"/g;
my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
chomp $hash;
@@ -198,10 +196,20 @@
$hashlist{$hash} = $fprint;
}
+sub link_hash_cert_old {
+ link_hash_cert($_[0], '-subject_hash_old');
+}
+
+sub link_hash_crl_old {
+ link_hash_crl($_[0], '-hash_old');
+}
+
+
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
my $fname = $_[0];
+ my $crlhash = $_[1] || "-hash";
$fname =~ s/'/'\\''/g;
my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
chomp $hash;

227
debian/patches/debian-targets.patch vendored
View File

@ -1,227 +0,0 @@
From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Date: Sun, 5 Nov 2017 15:09:09 +0100
Subject: debian-targets
---
Configurations/20-debian.conf | 215 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 215 insertions(+)
create mode 100644 Configurations/20-debian.conf
--- /dev/null
+++ b/Configurations/20-debian.conf
@@ -0,0 +1,215 @@
+my %targets = (
+ "debian" => {
+ cflags => add("-Wa,--noexecstack -Wall"),
+ },
+ "debian-alpha" => {
+ inherit_from => [ "linux-alpha-gcc", "debian" ],
+ },
+ "debian-alpha-ev4" => {
+ inherit_from => [ "debian-alpha" ],
+ cflags => add("-mcpu=ev4"),
+ },
+ "debian-alpha-ev5" => {
+ inherit_from => [ "debian-alpha" ],
+ cflags => add("-mcpu=ev5"),
+ },
+ "debian-arm64" => {
+ inherit_from => [ "linux-aarch64", "debian" ],
+ },
+ "debian-arm64ilp32" => {
+ inherit_from => [ "linux-arm64ilp32", "debian" ],
+ },
+ "debian-armel" => {
+ inherit_from => [ "linux-armv4", "debian" ],
+ },
+ "debian-armhf" => {
+ inherit_from => [ "linux-armv4", "debian" ],
+ },
+ "debian-amd64" => {
+ inherit_from => [ "linux-x86_64", "debian" ],
+ },
+ "debian-i386" => {
+ inherit_from => [ "linux-elf", "debian" ],
+ },
+ "debian-avr32" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ },
+ "debian-kfreebsd-amd64" => {
+ inherit_from => [ "debian-amd64" ],
+ enable => [ ],
+ },
+ "debian-kfreebsd-i386" => {
+ inherit_from => [ "debian-i386" ],
+ enable => [ ],
+ },
+ "debian-hppa" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-hurd-i386" => {
+ inherit_from => [ "hurd-x86", "debian" ],
+ },
+ "debian-ia64" => {
+ inherit_from => [ "linux-ia64", "debian" ],
+ },
+ "debian-m68k" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mips" => {
+ inherit_from => [ "linux-mips32", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mipsel" => {
+ inherit_from => [ "linux-mips32", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+ "debian-mipsn32" => {
+ inherit_from => [ "linux-mips64", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mipsn32el" => {
+ inherit_from => [ "linux-mips64", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+ "debian-mips64" => {
+ inherit_from => [ "linux64-mips64", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mips64el" => {
+ inherit_from => [ "linux64-mips64", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+
+ # Temporary MIPS R6 targets. Those will vanish approx in 1.1.1 because
+ # aes-mips.pl creates proper R6 ASM code. After that, we can inherit from
+ # the linux*-mips* targets.
+ "linux-mips32r6" => {
+ # Configure script adds minimally required -march for assembly
+ # support, if no -march was specified at command line.
+ inherit_from => [ "linux-generic32"],
+ cflags => add("-mabi=32"),
+ perlasm_scheme => "o32",
+ shared_ldflag => add("-mabi=32"),
+ },
+ # mips32 and mips64 below refer to contemporary MIPS Architecture
+ # specifications, MIPS32 and MIPS64, rather than to kernel bitness.
+ "linux-mips64r6" => {
+ inherit_from => [ "linux-generic32"],
+ cflags => add("-mabi=n32"),
+ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
+ perlasm_scheme => "n32",
+ shared_ldflag => add("-mabi=n32"),
+ multilib => "32",
+ },
+ "linux64-mips64r6" => {
+ inherit_from => [ "linux-generic64"],
+ cflags => add("-mabi=64"),
+ perlasm_scheme => "64",
+ shared_ldflag => add("-mabi=64"),
+ multilib => "64",
+ },
+ "debian-mipsr6" => {
+ inherit_from => [ "linux-mips32r6", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mipsr6el" => {
+ inherit_from => [ "linux-mips32r6", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+ "debian-mipsn32r6" => {
+ inherit_from => [ "linux-mips64r6", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mipsn32r6el" => {
+ inherit_from => [ "linux-mips64r6", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+ "debian-mips64r6" => {
+ inherit_from => [ "linux64-mips64r6", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mips64r6el" => {
+ inherit_from => [ "linux64-mips64r6", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+
+ "debian-musl-linux-arm64" => {
+ inherit_from => [ "linux-aarch64", "debian" ],
+ },
+ "debian-musl-linux-armhf" => {
+ inherit_from => [ "linux-armv4", "debian" ],
+ },
+ "debian-musl-linux-i386" => {
+ inherit_from => [ "linux-elf", "debian" ],
+ },
+ "debian-musl-linux-mips" => {
+ inherit_from => [ "linux-mips32", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-musl-linux-mipsel" => {
+ inherit_from => [ "linux-mips32", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+
+ "debian-nios2" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ },
+ "debian-powerpc" => {
+ inherit_from => [ "linux-ppc", "debian" ],
+ },
+ "debian-powerpcspe" => {
+ inherit_from => [ "linux-ppc", "debian" ],
+ },
+ "debian-ppc64" => {
+ inherit_from => [ "linux-generic64", "debian", ],
+ asm_arch => 'ppc64',
+ cflags => add("-DB_ENDIAN"),
+ perlasm_scheme => "linux64",
+ },
+ "debian-ppc64el" => {
+ inherit_from => [ "linux-ppc64le", "debian" ],
+ },
+ "debian-riscv64" => {
+ inherit_from => [ "linux-generic64", "debian" ],
+ },
+ "debian-s390" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ },
+ "debian-s390x" => {
+ inherit_from => [ "linux64-s390x", "debian" ],
+ },
+ "debian-sh3" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ },
+ "debian-sh3eb" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ },
+ "debian-sh4" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ },
+ "debian-sh4eb" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ },
+ "debian-m32r" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ },
+ "debian-sparc" => {
+ inherit_from => [ "linux-generic32", "debian", ],
+ asm_arch => 'sparcv9',
+ cflags => add("-DB_ENDIAN -DBN_DIV2W"),
+ },
+ "debian-sparc64" => {
+ inherit_from => [ "linux-generic64", "debian" ],
+ asm_arch => 'sparcv9',
+ cflags => add("-m64 -mcpu=ultrasparc -DB_ENDIAN"),
+ bn_ops => "BN_LLONG RC4_CHAR",
+ ex_libs => add("-latomic"),
+ },
+ "debian-tilegx" => {
+ inherit_from => [ "linux-generic64", "debian" ],
+ },
+ "debian-x32" => {
+ inherit_from => [ "linux-x32", "debian" ],
+ },
+);

29
debian/patches/man-section.patch vendored
View File

@ -1,29 +0,0 @@
From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Date: Sun, 5 Nov 2017 15:09:09 +0100
Subject: man-section
---
Configurations/unix-Makefile.tmpl | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -324,7 +324,8 @@
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
-MANSUFFIX=ossl
+MANSUFFIX=ssl
+MANSECTION=SSL
HTMLSUFFIX=html
# For "optional" echo messages, to get "real" silence
@@ -1514,7 +1515,7 @@
my $pod = $gen0;
return <<"EOF";
$args{src}: $pod
- pod2man --name=$name --section=$section\$(MANSUFFIX) --center=OpenSSL \\
+ pod2man --name=$name --section=$section\$(MANSECTION) --center=OpenSSL \\
--release=\$(VERSION) $pod >\$\@
EOF
} elsif (platform->isdef($args{src})) {

19
debian/patches/no-symbolic.patch vendored
View File

@ -1,19 +0,0 @@
From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Date: Sun, 5 Nov 2017 15:09:09 +0100
Subject: no-symbolic
---
Configurations/shared-info.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Configurations/shared-info.pl
+++ b/Configurations/shared-info.pl
@@ -25,7 +25,7 @@
my %shared_info;
%shared_info = (
'gnu-shared' => {
- shared_ldflag => '-shared -Wl,-Bsymbolic',
+ shared_ldflag => '-shared',
shared_sonameflag => '-Wl,-soname=',
},
'linux-shared' => sub {

178
debian/patches/pic.patch vendored
View File

@ -1,178 +0,0 @@
From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Date: Sun, 5 Nov 2017 15:09:09 +0100
Subject: pic
---
crypto/des/asm/desboth.pl | 17 ++++++++++++++---
crypto/perlasm/cbc.pl | 24 ++++++++++++++++++++----
crypto/perlasm/x86gas.pl | 16 ++++++++++++++++
crypto/x86cpuid.pl | 10 +++++-----
4 files changed, 55 insertions(+), 12 deletions(-)
--- a/crypto/des/asm/desboth.pl
+++ b/crypto/des/asm/desboth.pl
@@ -23,6 +23,11 @@
&push("edi");
+ &call (&label("pic_point0"));
+ &set_label("pic_point0");
+ &blindpop("ebp");
+ &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
+
&comment("");
&comment("Load the data words");
&mov($L,&DWP(0,"ebx","",0));
@@ -54,15 +59,21 @@
&mov(&swtmp(2), (DWC(($enc)?"1":"0")));
&mov(&swtmp(1), "eax");
&mov(&swtmp(0), "ebx");
- &call("DES_encrypt2");
+ &exch("ebx", "ebp");
+ &call("DES_encrypt2\@PLT");
+ &exch("ebx", "ebp");
&mov(&swtmp(2), (DWC(($enc)?"0":"1")));
&mov(&swtmp(1), "edi");
&mov(&swtmp(0), "ebx");
- &call("DES_encrypt2");
+ &exch("ebx", "ebp");
+ &call("DES_encrypt2\@PLT");
+ &exch("ebx", "ebp");
&mov(&swtmp(2), (DWC(($enc)?"1":"0")));
&mov(&swtmp(1), "esi");
&mov(&swtmp(0), "ebx");
- &call("DES_encrypt2");
+ &exch("ebx", "ebp");
+ &call("DES_encrypt2\@PLT");
+ &exch("ebx", "ebp");
&stack_pop(3);
&mov($L,&DWP(0,"ebx","",0));
--- a/crypto/perlasm/cbc.pl
+++ b/crypto/perlasm/cbc.pl
@@ -129,7 +129,11 @@
&mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
- &call($enc_func);
+ &call (&label("pic_point0"));
+ &set_label("pic_point0");
+ &blindpop("ebx");
+ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
+ &call("$enc_func\@PLT");
&mov("eax", &DWP($data_off,"esp","",0));
&mov("ebx", &DWP($data_off+4,"esp","",0));
@@ -199,7 +203,11 @@
&mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
- &call($enc_func);
+ &call (&label("pic_point1"));
+ &set_label("pic_point1");
+ &blindpop("ebx");
+ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
+ &call("$enc_func\@PLT");
&mov("eax", &DWP($data_off,"esp","",0));
&mov("ebx", &DWP($data_off+4,"esp","",0));
@@ -232,7 +240,11 @@
&mov(&DWP($data_off,"esp","",0), "eax"); # put back
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
- &call($dec_func);
+ &call (&label("pic_point2"));
+ &set_label("pic_point2");
+ &blindpop("ebx");
+ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
+ &call("$dec_func\@PLT");
&mov("eax", &DWP($data_off,"esp","",0)); # get return
&mov("ebx", &DWP($data_off+4,"esp","",0)); #
@@ -275,7 +287,11 @@
&mov(&DWP($data_off,"esp","",0), "eax"); # put back
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
- &call($dec_func);
+ &call (&label("pic_point3"));
+ &set_label("pic_point3");
+ &blindpop("ebx");
+ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
+ &call("$dec_func\@PLT");
&mov("eax", &DWP($data_off,"esp","",0)); # get return
&mov("ebx", &DWP($data_off+4,"esp","",0)); #
--- a/crypto/perlasm/x86gas.pl
+++ b/crypto/perlasm/x86gas.pl
@@ -171,6 +171,7 @@
if ($::macosx) { push (@out,"$tmp,2\n"); }
elsif ($::elf) { push (@out,"$tmp,4\n"); }
else { push (@out,"$tmp\n"); }
+ if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
}
push(@out,$initseg) if ($initseg);
if ($::elf) {
@@ -249,8 +250,23 @@
elsif ($::elf)
{ $initseg.=<<___;
.section .init
+___
+ if ($::pic)
+ { $initseg.=<<___;
+ pushl %ebx
+ call .pic_point0
+.pic_point0:
+ popl %ebx
+ addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
+ call $f\@PLT
+ popl %ebx
+___
+ }
+ else
+ { $initseg.=<<___;
call $f
___
+ }
}
elsif ($::coff)
{ $initseg.=<<___; # applies to both Cygwin and Mingw
--- a/crypto/x86cpuid.pl
+++ b/crypto/x86cpuid.pl
@@ -16,6 +16,8 @@
for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+push(@out, ".hidden OPENSSL_ia32cap_P\n");
+
&function_begin("OPENSSL_ia32_cpuid");
&xor ("edx","edx");
&pushf ();
@@ -161,9 +163,7 @@
&set_label("nocpuid");
&function_end("OPENSSL_ia32_cpuid");
-&external_label("OPENSSL_ia32cap_P");
-
-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
+&function_begin_B("OPENSSL_rdtsc");
&xor ("eax","eax");
&xor ("edx","edx");
&picmeup("ecx","OPENSSL_ia32cap_P");
@@ -177,7 +177,7 @@
# This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
# but it's safe to call it on any [supported] 32-bit platform...
# Just check for [non-]zero return value...
-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
+&function_begin_B("OPENSSL_instrument_halt");
&picmeup("ecx","OPENSSL_ia32cap_P");
&bt (&DWP(0,"ecx"),4);
&jnc (&label("nohalt")); # no TSC
@@ -244,7 +244,7 @@
&ret ();
&function_end_B("OPENSSL_far_spin");
-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
+&function_begin_B("OPENSSL_wipe_cpu");
&xor ("eax","eax");
&xor ("edx","edx");
&picmeup("ecx","OPENSSL_ia32cap_P");

13
debian/patches/series vendored
View File

@ -1,13 +0,0 @@
# Debian patches
debian-targets.patch
man-section.patch
no-symbolic.patch
pic.patch
c_rehash-compat.patch
# Remove Set-systemwide-default-settings-for-libssl-users.patch, this is done differently
TEST-Provide-a-default-openssl.cnf-for-tests.patch
Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch
# Ubuntu patches
tests-use-seclevel-1.patch
tls1.2-min-seclevel2.patch
skip_tls1.1_seclevel3_tests.patch

51
debian/patches/skip_tls1.1_seclevel3_tests.patch vendored
View File

@ -1,51 +0,0 @@
Description: Skip TLS 1.1 tests on seclevel 3
In the Ubuntu package, we changed the semantics of seclevel 2 (and above) to
also disable TLS <= 1.2. This makes those tests fail.
Author: Simon Chopin <simon.chopin@canonical.com>
Forwarded: not-needed
Last-Update: 2022-03-21
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -583,32 +583,32 @@
if $no_tls1_1;
SKIP: {
- skip "skipping auto DHE PSK test at SECLEVEL 3", 1
- if ($no_dh || $no_psk);
+ skip "skipping auto DHE PSK test at SECLEVEL 3", 1;
+ # if ($no_dh || $no_psk);
ok(run(test(['ssl_old_test', '-tls1_1', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])),
'test auto DHE PSK meets security strength');
}
SKIP: {
- skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1
- if ($no_ec || $no_psk);
+ skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1;
+ # if ($no_ec || $no_psk);
ok(run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])),
'test auto ECDHE PSK meets security strength');
}
SKIP: {
- skip "skipping no RSA PSK at SECLEVEL 3 test", 1
- if ($no_rsa || $no_psk);
+ skip "skipping no RSA PSK at SECLEVEL 3 test", 1;
+ # if ($no_rsa || $no_psk);
ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])),
'test auto RSA PSK does not meet security level 3 requirements (PFS)');
}
SKIP: {
- skip "skipping no PSK at SECLEVEL 3 test", 1
- if ($no_psk);
+ skip "skipping no PSK at SECLEVEL 3 test", 1;
+ # if ($no_psk);
ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])),
'test auto PSK does not meet security level 3 requirements (PFS)');

235
debian/patches/tests-use-seclevel-1.patch vendored
View File

@ -1,235 +0,0 @@
Description: Change testsuite to use SECLEVEL 1 by default
By default the testsuite assumes that SECLEVEL is set to 1, and many
tests fail, when one raises security level to 2. Many test certs use
insecure hash algorithms and small key sizes.
Author: Dimitri John Ledkov <xnox@ubuntu.com>
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@@ -719,6 +719,11 @@
max_proto_version = TLS1_2_VERSION;
#endif
+ if (serverctx != NULL && SSL_CTX_get_security_level(serverctx) == 2)
+ SSL_CTX_set_security_level(serverctx, 1);
+ if (clientctx != NULL && SSL_CTX_get_security_level(clientctx) == 2)
+ SSL_CTX_set_security_level(clientctx, 1);
+
if (serverctx != NULL
&& ((min_proto_version > 0
&& !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
@@ -888,6 +893,11 @@
else if (!TEST_ptr(clientssl = SSL_new(clientctx)))
goto error;
+ if (SSL_get_security_level(serverssl) == 2)
+ SSL_set_security_level(serverssl, 1);
+ if (SSL_get_security_level(clientssl) == 2)
+ SSL_set_security_level(clientssl, 1);
+
if (SSL_is_dtls(clientssl)) {
if (!TEST_ptr(s_to_c_bio = BIO_new(bio_s_mempacket_test()))
|| !TEST_ptr(c_to_s_bio = BIO_new(bio_s_mempacket_test())))
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -409,6 +409,7 @@
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method());
+ SSL_CTX_set_security_level(server_ctx, 1);
if (!TEST_true(SSL_CTX_set_options(server_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION))
|| !TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
@@ -420,19 +421,23 @@
|| !TEST_true(SSL_CTX_set_options(server2_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
+ SSL_CTX_set_security_level(server2_ctx, 1);
}
client_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_client_method());
+ SSL_CTX_set_security_level(client_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0)))
goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
DTLS_server_method());
+ SSL_CTX_set_security_level(resume_server_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0))
|| !TEST_true(SSL_CTX_set_options(resume_server_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
DTLS_client_method());
+ SSL_CTX_set_security_level(resume_client_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0)))
goto err;
if (!TEST_ptr(resume_server_ctx)
@@ -452,6 +457,7 @@
#endif
server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+ SSL_CTX_set_security_level(server_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion))
|| !TEST_true(SSL_CTX_set_options(server_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
@@ -464,17 +470,20 @@
|| !TEST_true(SSL_CTX_set_options(server2_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
+ SSL_CTX_set_security_level(server2_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
maxversion)))
goto err;
}
client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
+ SSL_CTX_set_security_level(client_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, maxversion)))
goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_server_method());
+ SSL_CTX_set_security_level(resume_server_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
maxversion))
|| !TEST_true(SSL_CTX_set_options(resume_server_ctx,
@@ -482,6 +491,7 @@
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_client_method());
+ SSL_CTX_set_security_level(resume_client_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
maxversion)))
goto err;
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -421,7 +421,7 @@
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
checkhandshake::DEFAULT_EXTENSIONS
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -129,7 +129,7 @@
# should succeed
$proxy->clear();
$proxy->serverflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->filter(undef);
$proxy->start();
ok(TLSProxy::Message->success, "TLSv1.3 client TLSv1.2 server");
@@ -173,7 +173,7 @@
$proxy->clear();
$testtype = EMPTY_SIG_ALGS_EXT;
$proxy->clientflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs");
@@ -181,7 +181,7 @@
$proxy->clear();
$testtype = NO_KNOWN_SIG_ALGS;
$proxy->clientflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");
@@ -190,7 +190,7 @@
$proxy->clear();
$testtype = NO_PSS_SIG_ALGS;
$proxy->clientflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs");
@@ -198,7 +198,7 @@
$proxy->clear();
$testtype = PSS_ONLY_SIG_ALGS;
$proxy->serverflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");
@@ -209,7 +209,7 @@
$proxy->clear();
$testtype = PSS_ONLY_SIG_ALGS;
$proxy->clientflags("-no_tls1_3 -sigalgs RSA+SHA256");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->fail, "Sigalg we did not send in TLSv1.2");
@@ -217,7 +217,7 @@
# matches the certificate should fail in TLSv1.2
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->filter(undef);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
--- a/test/recipes/70-test_sslsignature.t
+++ b/test/recipes/70-test_sslsignature.t
@@ -103,8 +103,8 @@
$proxy->clear();
$testtype = CORRUPT_TLS1_2_SERVER_KEY_EXCHANGE;
$proxy->clientflags("-no_tls1_3");
- $proxy->cipherc('DHE-RSA-AES128-SHA');
- $proxy->ciphers('DHE-RSA-AES128-SHA');
+ $proxy->cipherc('DHE-RSA-AES128-SHA:\@SECLEVEL=1');
+ $proxy->ciphers('DHE-RSA-AES128-SHA:\@SECLEVEL=1');
$proxy->start();
ok(TLSProxy::Message->fail, "Corrupt <=TLSv1.2 ServerKeyExchange");
}
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -97,9 +97,9 @@
execute => $execute,
cert => $cert,
debug => $debug,
- cipherc => "",
+ cipherc => "DEFAULT:\@SECLEVEL=1",
ciphersuitesc => "",
- ciphers => "AES128-SHA",
+ ciphers => "AES128-SHA:\@SECLEVEL=1",
ciphersuitess => "TLS_AES_128_GCM_SHA256",
flight => -1,
direction => -1,
@@ -145,7 +145,7 @@
{
my $self = shift;
- $self->{cipherc} = "";
+ $self->{cipherc} = "DEFAULT:\@SECLEVEL=1";
$self->{ciphersuitec} = "";
$self->{flight} = -1;
$self->{direction} = -1;
@@ -167,7 +167,7 @@
my $self = shift;
$self->clearClient;
- $self->{ciphers} = "AES128-SHA";
+ $self->{ciphers} = "AES128-SHA:\@SECLEVEL=1";
$self->{ciphersuitess} = "TLS_AES_128_GCM_SHA256";
$self->{serverflags} = "";
$self->{serverconnects} = 1;
--- a/test/bad_dtls_test.c
+++ b/test/bad_dtls_test.c
@@ -491,6 +491,8 @@
goto end;
ctx = SSL_CTX_new(DTLS_client_method());
+ if (TEST_ptr(ctx))
+ SSL_CTX_set_security_level(ctx, 1);
if (!TEST_ptr(ctx)
|| !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
|| !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))

63
debian/patches/tls1.2-min-seclevel2.patch vendored
View File

@ -1,63 +0,0 @@
Description: TLS versions below 1.2 are not permitted as security level 2.
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1012,18 +1012,12 @@
}
case SSL_SECOP_VERSION:
if (!SSL_IS_DTLS(s)) {
- /* SSLv3 not allowed at level 2 */
- if (nid <= SSL3_VERSION && level >= 2)
- return 0;
- /* TLS v1.1 and above only for level 3 */
- if (nid <= TLS1_VERSION && level >= 3)
- return 0;
- /* TLS v1.2 only for level 4 and above */
- if (nid <= TLS1_1_VERSION && level >= 4)
+ /* TLS v1.2 only for level 2 and above */
+ if (nid <= TLS1_1_VERSION && level >= 2)
return 0;
} else {
- /* DTLS v1.2 only for level 4 and above */
- if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 4)
+ /* DTLS v1.2 only for level 2 and above */
+ if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 2)
return 0;
}
break;
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -84,22 +84,20 @@
Security level set to 112 bits of security. As a result RSA, DSA and DH keys
shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
In addition to the level 1 exclusions any cipher suite using RC4 is also
-prohibited. SSL version 3 is also not allowed. Compression is disabled.
+prohibited. On Ubuntu, TLS versions below 1.2 are not permitted. Compression is disabled.
=item B<Level 3>
Security level set to 128 bits of security. As a result RSA, DSA and DH keys
shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
In addition to the level 2 exclusions cipher suites not offering forward
-secrecy are prohibited. TLS versions below 1.1 are not permitted. Session
-tickets are disabled.
+secrecy are prohibited. Session tickets are disabled.
=item B<Level 4>
Security level set to 192 bits of security. As a result RSA, DSA and
DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are
-prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS
-versions below 1.2 are not permitted.
+prohibited. Cipher suites using SHA1 for the MAC are prohibited.
=item B<Level 5>
@@ -116,6 +114,7 @@
The default security level can be configured when OpenSSL is compiled by
setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used.
+On Ubuntu, 2 is used.
The security framework disables or reject parameters inconsistent with the
set security level. In the past this was difficult as applications had to set

2
debian/source/format vendored
View File

@ -1 +1 @@
3.0 (quilt)
3.0 (native)