new upstream release fixing multiple security issues

This commit is contained in:
Tomas Mraz 2014-10-16 13:50:08 +02:00
parent 1f162bf2ee
commit 613f664141
6 changed files with 511 additions and 548 deletions

View File

@ -1,33 +0,0 @@
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 6a33b9d..76a5f9e 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3177,15 +3177,26 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
{
+ CERT *ocert = ssl->cert;
if (ssl->ctx == ctx)
return ssl->ctx;
#ifndef OPENSSL_NO_TLSEXT
if (ctx == NULL)
ctx = ssl->initial_ctx;
#endif
- if (ssl->cert != NULL)
- ssl_cert_free(ssl->cert);
ssl->cert = ssl_cert_dup(ctx->cert);
+ if (ocert)
+ {
+ int i;
+ /* Copy negotiated digests from original */
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ CERT_PKEY *cpk = ocert->pkeys + i;
+ CERT_PKEY *rpk = ssl->cert->pkeys + i;
+ rpk->digest = cpk->digest;
+ }
+ ssl_cert_free(ocert);
+ }
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
if (ssl->ctx != NULL)
SSL_CTX_free(ssl->ctx); /* decrement reference count */

View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.1e/apps/s_apps.h.ephemeral openssl-1.0.1e/apps/s_apps.h diff -up openssl-1.0.1j/apps/s_apps.h.ephemeral openssl-1.0.1j/apps/s_apps.h
--- openssl-1.0.1e/apps/s_apps.h.ephemeral 2014-02-12 14:49:14.333513753 +0100 --- openssl-1.0.1j/apps/s_apps.h.ephemeral 2014-10-16 13:32:30.772817591 +0200
+++ openssl-1.0.1e/apps/s_apps.h 2014-02-12 14:49:14.417515629 +0100 +++ openssl-1.0.1j/apps/s_apps.h 2014-10-16 13:32:30.865819691 +0200
@@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok, @@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok,
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
@ -9,9 +9,9 @@ diff -up openssl-1.0.1e/apps/s_apps.h.ephemeral openssl-1.0.1e/apps/s_apps.h
int init_client(int *sock, char *server, char *port, int type); int init_client(int *sock, char *server, char *port, int type);
int should_retry(int i); int should_retry(int i);
int extract_host_port(char *str,char **host_ptr,char **port_ptr); int extract_host_port(char *str,char **host_ptr,char **port_ptr);
diff -up openssl-1.0.1e/apps/s_cb.c.ephemeral openssl-1.0.1e/apps/s_cb.c diff -up openssl-1.0.1j/apps/s_cb.c.ephemeral openssl-1.0.1j/apps/s_cb.c
--- openssl-1.0.1e/apps/s_cb.c.ephemeral 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/apps/s_cb.c.ephemeral 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/apps/s_cb.c 2014-02-12 14:56:25.584142499 +0100 +++ openssl-1.0.1j/apps/s_cb.c 2014-10-16 13:32:30.865819691 +0200
@@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback( @@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback(
} }
} }
@ -51,10 +51,10 @@ diff -up openssl-1.0.1e/apps/s_cb.c.ephemeral openssl-1.0.1e/apps/s_cb.c
void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
{ {
diff -up openssl-1.0.1e/apps/s_client.c.ephemeral openssl-1.0.1e/apps/s_client.c diff -up openssl-1.0.1j/apps/s_client.c.ephemeral openssl-1.0.1j/apps/s_client.c
--- openssl-1.0.1e/apps/s_client.c.ephemeral 2014-02-12 14:49:14.407515406 +0100 --- openssl-1.0.1j/apps/s_client.c.ephemeral 2014-10-16 13:32:30.860819578 +0200
+++ openssl-1.0.1e/apps/s_client.c 2014-02-12 14:49:14.418515652 +0100 +++ openssl-1.0.1j/apps/s_client.c 2014-10-16 13:32:30.865819691 +0200
@@ -2032,6 +2032,8 @@ static void print_stuff(BIO *bio, SSL *s @@ -2044,6 +2044,8 @@ static void print_stuff(BIO *bio, SSL *s
BIO_write(bio,"\n",1); BIO_write(bio,"\n",1);
} }
@ -63,19 +63,18 @@ diff -up openssl-1.0.1e/apps/s_client.c.ephemeral openssl-1.0.1e/apps/s_client.c
BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n", BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(s)), BIO_number_read(SSL_get_rbio(s)),
BIO_number_written(SSL_get_wbio(s))); BIO_number_written(SSL_get_wbio(s)));
diff -up openssl-1.0.1e/ssl/ssl.h.ephemeral openssl-1.0.1e/ssl/ssl.h diff -up openssl-1.0.1j/ssl/ssl.h.ephemeral openssl-1.0.1j/ssl/ssl.h
--- openssl-1.0.1e/ssl/ssl.h.ephemeral 2014-02-12 14:49:14.391515049 +0100 --- openssl-1.0.1j/ssl/ssl.h.ephemeral 2014-10-16 13:32:30.851819375 +0200
+++ openssl-1.0.1e/ssl/ssl.h 2014-02-12 14:49:14.418515652 +0100 +++ openssl-1.0.1j/ssl/ssl.h 2014-10-16 13:33:23.233001903 +0200
@@ -1563,6 +1563,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) @@ -1585,6 +1585,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
+#define SSL_CTRL_GET_SERVER_TMP_KEY 109 +#define SSL_CTRL_GET_SERVER_TMP_KEY 109
+ #define SSL_CTRL_CHECK_PROTO_VERSION 119
#define DTLSv1_get_timeout(ssl, arg) \ #define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) @@ -1628,6 +1629,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define DTLSv1_handle_timeout(ssl) \
@@ -1604,6 +1606,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTX_clear_extra_chain_certs(ctx) \ #define SSL_CTX_clear_extra_chain_certs(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL) SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
@ -85,13 +84,13 @@ diff -up openssl-1.0.1e/ssl/ssl.h.ephemeral openssl-1.0.1e/ssl/ssl.h
#ifndef OPENSSL_NO_BIO #ifndef OPENSSL_NO_BIO
BIO_METHOD *BIO_f_ssl(void); BIO_METHOD *BIO_f_ssl(void);
BIO *BIO_new_ssl(SSL_CTX *ctx,int client); BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
diff -up openssl-1.0.1e/ssl/s3_lib.c.ephemeral openssl-1.0.1e/ssl/s3_lib.c diff -up openssl-1.0.1j/ssl/s3_lib.c.ephemeral openssl-1.0.1j/ssl/s3_lib.c
--- openssl-1.0.1e/ssl/s3_lib.c.ephemeral 2014-02-12 14:49:14.412515518 +0100 --- openssl-1.0.1j/ssl/s3_lib.c.ephemeral 2014-10-16 13:32:30.866819713 +0200
+++ openssl-1.0.1e/ssl/s3_lib.c 2014-02-12 14:49:14.418515652 +0100 +++ openssl-1.0.1j/ssl/s3_lib.c 2014-10-16 13:34:08.918033262 +0200
@@ -3350,6 +3350,44 @@ long ssl3_ctrl(SSL *s, int cmd, long lar @@ -3356,6 +3356,45 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
#endif
#endif /* !OPENSSL_NO_TLSEXT */ #endif /* !OPENSSL_NO_TLSEXT */
+ case SSL_CTRL_GET_SERVER_TMP_KEY: + case SSL_CTRL_GET_SERVER_TMP_KEY:
+ if (s->server || !s->session || !s->session->sess_cert) + if (s->server || !s->session || !s->session->sess_cert)
+ return 0; + return 0;
@ -130,6 +129,7 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.ephemeral openssl-1.0.1e/ssl/s3_lib.c
+ EVP_PKEY_free(ptmp); + EVP_PKEY_free(ptmp);
+ return 0; + return 0;
+ } + }
default: +
break; case SSL_CTRL_CHECK_PROTO_VERSION:
} /* For library-internal use; checks that the current protocol
* is the highest enabled version (according to s->ctx->method,

View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.1i/crypto/aes/aes_wrap.c.wrap openssl-1.0.1i/crypto/aes/aes_wrap.c diff -up openssl-1.0.1j/crypto/aes/aes_wrap.c.wrap openssl-1.0.1j/crypto/aes/aes_wrap.c
--- openssl-1.0.1i/crypto/aes/aes_wrap.c.wrap 2014-08-06 23:10:56.000000000 +0200 --- openssl-1.0.1j/crypto/aes/aes_wrap.c.wrap 2014-10-15 13:15:29.000000000 +0200
+++ openssl-1.0.1i/crypto/aes/aes_wrap.c 2014-09-08 15:07:27.331994490 +0200 +++ openssl-1.0.1j/crypto/aes/aes_wrap.c 2014-10-16 13:30:10.679654927 +0200
@@ -53,207 +53,18 @@ @@ -53,207 +53,18 @@
#include "cryptlib.h" #include "cryptlib.h"
@ -212,9 +212,9 @@ diff -up openssl-1.0.1i/crypto/aes/aes_wrap.c.wrap openssl-1.0.1i/crypto/aes/aes
- -
- -
-#endif -#endif
diff -up openssl-1.0.1i/crypto/evp/c_allc.c.wrap openssl-1.0.1i/crypto/evp/c_allc.c diff -up openssl-1.0.1j/crypto/evp/c_allc.c.wrap openssl-1.0.1j/crypto/evp/c_allc.c
--- openssl-1.0.1i/crypto/evp/c_allc.c.wrap 2014-09-08 15:07:27.254992717 +0200 --- openssl-1.0.1j/crypto/evp/c_allc.c.wrap 2014-10-16 13:30:10.583652760 +0200
+++ openssl-1.0.1i/crypto/evp/c_allc.c 2014-09-08 15:07:27.331994490 +0200 +++ openssl-1.0.1j/crypto/evp/c_allc.c 2014-10-16 13:30:10.679654927 +0200
@@ -98,6 +98,7 @@ void OpenSSL_add_all_ciphers(void) @@ -98,6 +98,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_des_ecb()); EVP_add_cipher(EVP_des_ecb());
EVP_add_cipher(EVP_des_ede()); EVP_add_cipher(EVP_des_ede());
@ -285,9 +285,9 @@ diff -up openssl-1.0.1i/crypto/evp/c_allc.c.wrap openssl-1.0.1i/crypto/evp/c_all
EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
#endif #endif
diff -up openssl-1.0.1i/crypto/evp/e_aes.c.wrap openssl-1.0.1i/crypto/evp/e_aes.c diff -up openssl-1.0.1j/crypto/evp/e_aes.c.wrap openssl-1.0.1j/crypto/evp/e_aes.c
--- openssl-1.0.1i/crypto/evp/e_aes.c.wrap 2014-09-08 15:07:27.255992740 +0200 --- openssl-1.0.1j/crypto/evp/e_aes.c.wrap 2014-10-16 13:30:10.584652782 +0200
+++ openssl-1.0.1i/crypto/evp/e_aes.c 2014-09-08 15:07:27.331994490 +0200 +++ openssl-1.0.1j/crypto/evp/e_aes.c 2014-10-16 13:30:10.679654927 +0200
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* ==================================================================== /* ====================================================================
- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. - * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
@ -476,9 +476,9 @@ diff -up openssl-1.0.1i/crypto/evp/e_aes.c.wrap openssl-1.0.1i/crypto/evp/e_aes.
+ } + }
+ +
#endif #endif
diff -up openssl-1.0.1i/crypto/evp/e_des3.c.wrap openssl-1.0.1i/crypto/evp/e_des3.c diff -up openssl-1.0.1j/crypto/evp/e_des3.c.wrap openssl-1.0.1j/crypto/evp/e_des3.c
--- openssl-1.0.1i/crypto/evp/e_des3.c.wrap 2014-09-08 15:07:27.255992740 +0200 --- openssl-1.0.1j/crypto/evp/e_des3.c.wrap 2014-10-16 13:30:10.584652782 +0200
+++ openssl-1.0.1i/crypto/evp/e_des3.c 2014-09-08 15:07:27.332994513 +0200 +++ openssl-1.0.1j/crypto/evp/e_des3.c 2014-10-16 13:30:10.679654927 +0200
@@ -310,4 +310,112 @@ const EVP_CIPHER *EVP_des_ede3(void) @@ -310,4 +310,112 @@ const EVP_CIPHER *EVP_des_ede3(void)
{ {
return &des_ede3_ecb; return &des_ede3_ecb;
@ -592,10 +592,10 @@ diff -up openssl-1.0.1i/crypto/evp/e_des3.c.wrap openssl-1.0.1i/crypto/evp/e_des
+ +
+# endif +# endif
#endif #endif
diff -up openssl-1.0.1i/crypto/evp/evp_enc.c.wrap openssl-1.0.1i/crypto/evp/evp_enc.c diff -up openssl-1.0.1j/crypto/evp/evp_enc.c.wrap openssl-1.0.1j/crypto/evp/evp_enc.c
--- openssl-1.0.1i/crypto/evp/evp_enc.c.wrap 2014-09-08 15:07:27.255992740 +0200 --- openssl-1.0.1j/crypto/evp/evp_enc.c.wrap 2014-10-16 13:30:10.584652782 +0200
+++ openssl-1.0.1i/crypto/evp/evp_enc.c 2014-09-08 15:07:27.332994513 +0200 +++ openssl-1.0.1j/crypto/evp/evp_enc.c 2014-10-16 13:30:10.680654949 +0200
@@ -233,7 +233,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct @@ -234,7 +234,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
ctx->cipher_data = NULL; ctx->cipher_data = NULL;
} }
ctx->key_len = cipher->key_len; ctx->key_len = cipher->key_len;
@ -605,7 +605,7 @@ diff -up openssl-1.0.1i/crypto/evp/evp_enc.c.wrap openssl-1.0.1i/crypto/evp/evp_
if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT) if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
{ {
if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
@@ -256,6 +257,13 @@ skip_to_init: @@ -257,6 +258,13 @@ skip_to_init:
|| ctx->cipher->block_size == 8 || ctx->cipher->block_size == 8
|| ctx->cipher->block_size == 16); || ctx->cipher->block_size == 16);
@ -619,9 +619,9 @@ diff -up openssl-1.0.1i/crypto/evp/evp_enc.c.wrap openssl-1.0.1i/crypto/evp/evp_
if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) { if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
switch(EVP_CIPHER_CTX_mode(ctx)) { switch(EVP_CIPHER_CTX_mode(ctx)) {
diff -up openssl-1.0.1i/crypto/evp/evp_err.c.wrap openssl-1.0.1i/crypto/evp/evp_err.c diff -up openssl-1.0.1j/crypto/evp/evp_err.c.wrap openssl-1.0.1j/crypto/evp/evp_err.c
--- openssl-1.0.1i/crypto/evp/evp_err.c.wrap 2014-08-06 23:10:56.000000000 +0200 --- openssl-1.0.1j/crypto/evp/evp_err.c.wrap 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1i/crypto/evp/evp_err.c 2014-09-08 15:07:27.332994513 +0200 +++ openssl-1.0.1j/crypto/evp/evp_err.c 2014-10-16 13:30:10.680654949 +0200
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* crypto/evp/evp_err.c */ /* crypto/evp/evp_err.c */
/* ==================================================================== /* ====================================================================
@ -638,9 +638,9 @@ diff -up openssl-1.0.1i/crypto/evp/evp_err.c.wrap openssl-1.0.1i/crypto/evp/evp_
{ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH),"wrong final block length"}, {ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH),"wrong final block length"},
{ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) ,"wrong public key type"}, {ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) ,"wrong public key type"},
{0,NULL} {0,NULL}
diff -up openssl-1.0.1i/crypto/evp/evp.h.wrap openssl-1.0.1i/crypto/evp/evp.h diff -up openssl-1.0.1j/crypto/evp/evp.h.wrap openssl-1.0.1j/crypto/evp/evp.h
--- openssl-1.0.1i/crypto/evp/evp.h.wrap 2014-09-08 15:07:27.256992763 +0200 --- openssl-1.0.1j/crypto/evp/evp.h.wrap 2014-10-16 13:30:10.585652805 +0200
+++ openssl-1.0.1i/crypto/evp/evp.h 2014-09-08 15:07:27.332994513 +0200 +++ openssl-1.0.1j/crypto/evp/evp.h 2014-10-16 13:30:10.680654949 +0200
@@ -336,6 +336,7 @@ struct evp_cipher_st @@ -336,6 +336,7 @@ struct evp_cipher_st
#define EVP_CIPH_GCM_MODE 0x6 #define EVP_CIPH_GCM_MODE 0x6
#define EVP_CIPH_CCM_MODE 0x7 #define EVP_CIPH_CCM_MODE 0x7
@ -706,9 +706,9 @@ diff -up openssl-1.0.1i/crypto/evp/evp.h.wrap openssl-1.0.1i/crypto/evp/evp.h
#define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 #define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
#define EVP_R_WRONG_PUBLIC_KEY_TYPE 110 #define EVP_R_WRONG_PUBLIC_KEY_TYPE 110
diff -up openssl-1.0.1i/crypto/evp/evp_lib.c.wrap openssl-1.0.1i/crypto/evp/evp_lib.c diff -up openssl-1.0.1j/crypto/evp/evp_lib.c.wrap openssl-1.0.1j/crypto/evp/evp_lib.c
--- openssl-1.0.1i/crypto/evp/evp_lib.c.wrap 2014-09-08 15:07:27.256992763 +0200 --- openssl-1.0.1j/crypto/evp/evp_lib.c.wrap 2014-10-16 13:30:10.585652805 +0200
+++ openssl-1.0.1i/crypto/evp/evp_lib.c 2014-09-08 15:07:27.332994513 +0200 +++ openssl-1.0.1j/crypto/evp/evp_lib.c 2014-10-16 13:30:10.680654949 +0200
@@ -68,7 +68,15 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_ @@ -68,7 +68,15 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_
if (c->cipher->set_asn1_parameters != NULL) if (c->cipher->set_asn1_parameters != NULL)
ret=c->cipher->set_asn1_parameters(c,type); ret=c->cipher->set_asn1_parameters(c,type);
@ -738,9 +738,9 @@ diff -up openssl-1.0.1i/crypto/evp/evp_lib.c.wrap openssl-1.0.1i/crypto/evp/evp_
else else
ret=-1; ret=-1;
return(ret); return(ret);
diff -up openssl-1.0.1i/crypto/evp/evp_test.c.wrap openssl-1.0.1i/crypto/evp/evp_test.c diff -up openssl-1.0.1j/crypto/evp/evp_test.c.wrap openssl-1.0.1j/crypto/evp/evp_test.c
--- openssl-1.0.1i/crypto/evp/evp_test.c.wrap 2014-08-06 23:10:56.000000000 +0200 --- openssl-1.0.1j/crypto/evp/evp_test.c.wrap 2014-10-15 14:51:06.000000000 +0200
+++ openssl-1.0.1i/crypto/evp/evp_test.c 2014-09-08 15:07:27.333994536 +0200 +++ openssl-1.0.1j/crypto/evp/evp_test.c 2014-10-16 13:30:10.680654949 +0200
@@ -141,7 +141,7 @@ static void test1(const EVP_CIPHER *c,co @@ -141,7 +141,7 @@ static void test1(const EVP_CIPHER *c,co
{ {
EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX ctx;
@ -806,9 +806,9 @@ diff -up openssl-1.0.1i/crypto/evp/evp_test.c.wrap openssl-1.0.1i/crypto/evp/evp
/* Load up the software EVP_CIPHER and EVP_MD definitions */ /* Load up the software EVP_CIPHER and EVP_MD definitions */
OpenSSL_add_all_ciphers(); OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests(); OpenSSL_add_all_digests();
diff -up openssl-1.0.1i/crypto/evp/evptests.txt.wrap openssl-1.0.1i/crypto/evp/evptests.txt diff -up openssl-1.0.1j/crypto/evp/evptests.txt.wrap openssl-1.0.1j/crypto/evp/evptests.txt
--- openssl-1.0.1i/crypto/evp/evptests.txt.wrap 2014-08-06 23:10:56.000000000 +0200 --- openssl-1.0.1j/crypto/evp/evptests.txt.wrap 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1i/crypto/evp/evptests.txt 2014-09-08 15:07:27.333994536 +0200 +++ openssl-1.0.1j/crypto/evp/evptests.txt 2014-10-16 13:30:10.681654972 +0200
@@ -332,3 +332,15 @@ SEED-ECB:0000000000000000000000000000000 @@ -332,3 +332,15 @@ SEED-ECB:0000000000000000000000000000000
SEED-ECB:000102030405060708090A0B0C0D0E0F::00000000000000000000000000000000:C11F22F20140505084483597E4370F43:1 SEED-ECB:000102030405060708090A0B0C0D0E0F::00000000000000000000000000000000:C11F22F20140505084483597E4370F43:1
SEED-ECB:4706480851E61BE85D74BFB3FD956185::83A2F8A288641FB9A4E9A5CC2F131C7D:EE54D13EBCAE706D226BC3142CD40D4A:1 SEED-ECB:4706480851E61BE85D74BFB3FD956185::83A2F8A288641FB9A4E9A5CC2F131C7D:EE54D13EBCAE706D226BC3142CD40D4A:1
@ -825,9 +825,9 @@ diff -up openssl-1.0.1i/crypto/evp/evptests.txt.wrap openssl-1.0.1i/crypto/evp/e
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a +id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f +id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
+ +
diff -up openssl-1.0.1i/crypto/modes/Makefile.wrap openssl-1.0.1i/crypto/modes/Makefile diff -up openssl-1.0.1j/crypto/modes/Makefile.wrap openssl-1.0.1j/crypto/modes/Makefile
--- openssl-1.0.1i/crypto/modes/Makefile.wrap 2014-09-08 15:07:27.233992233 +0200 --- openssl-1.0.1j/crypto/modes/Makefile.wrap 2014-10-16 13:30:10.560652240 +0200
+++ openssl-1.0.1i/crypto/modes/Makefile 2014-09-08 15:07:27.333994536 +0200 +++ openssl-1.0.1j/crypto/modes/Makefile 2014-10-16 13:30:10.681654972 +0200
@@ -22,9 +22,9 @@ APPS= @@ -22,9 +22,9 @@ APPS=
LIB=$(TOP)/libcrypto.a LIB=$(TOP)/libcrypto.a
@ -840,10 +840,10 @@ diff -up openssl-1.0.1i/crypto/modes/Makefile.wrap openssl-1.0.1i/crypto/modes/M
SRC= $(LIBSRC) SRC= $(LIBSRC)
diff -up openssl-1.0.1i/crypto/modes/modes.h.wrap openssl-1.0.1i/crypto/modes/modes.h diff -up openssl-1.0.1j/crypto/modes/modes.h.wrap openssl-1.0.1j/crypto/modes/modes.h
--- openssl-1.0.1i/crypto/modes/modes.h.wrap 2014-09-08 15:07:26.865983757 +0200 --- openssl-1.0.1j/crypto/modes/modes.h.wrap 2014-10-16 13:30:10.681654972 +0200
+++ openssl-1.0.1i/crypto/modes/modes.h 2014-09-08 15:07:27.333994536 +0200 +++ openssl-1.0.1j/crypto/modes/modes.h 2014-10-16 13:31:01.232796186 +0200
@@ -133,3 +133,17 @@ typedef struct xts128_context XTS128_CON @@ -136,6 +136,20 @@ typedef struct xts128_context XTS128_CON
int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16], int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
const unsigned char *inp, unsigned char *out, size_t len, int enc); const unsigned char *inp, unsigned char *out, size_t len, int enc);
@ -861,9 +861,12 @@ diff -up openssl-1.0.1i/crypto/modes/modes.h.wrap openssl-1.0.1i/crypto/modes/mo
+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv, +size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
+ unsigned char *out, + unsigned char *out,
+ const unsigned char *in, size_t inlen, block128_f block); + const unsigned char *in, size_t inlen, block128_f block);
diff -up openssl-1.0.1i/crypto/modes/wrap128.c.wrap openssl-1.0.1i/crypto/modes/wrap128.c #ifdef __cplusplus
--- openssl-1.0.1i/crypto/modes/wrap128.c.wrap 2014-09-08 15:07:27.333994536 +0200 }
+++ openssl-1.0.1i/crypto/modes/wrap128.c 2014-09-08 15:07:27.333994536 +0200 #endif
diff -up openssl-1.0.1j/crypto/modes/wrap128.c.wrap openssl-1.0.1j/crypto/modes/wrap128.c
--- openssl-1.0.1j/crypto/modes/wrap128.c.wrap 2014-10-16 13:30:10.681654972 +0200
+++ openssl-1.0.1j/crypto/modes/wrap128.c 2014-10-16 13:30:10.681654972 +0200
@@ -0,0 +1,372 @@ @@ -0,0 +1,372 @@
+/* crypto/modes/wrap128.c */ +/* crypto/modes/wrap128.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.1e/crypto/ecdh/ecdh.h.fips-ec openssl-1.0.1e/crypto/ecdh/ecdh.h diff -up openssl-1.0.1j/crypto/ecdh/ecdh.h.fips-ec openssl-1.0.1j/crypto/ecdh/ecdh.h
--- openssl-1.0.1e/crypto/ecdh/ecdh.h.fips-ec 2013-11-08 17:59:42.755019363 +0100 --- openssl-1.0.1j/crypto/ecdh/ecdh.h.fips-ec 2014-10-16 13:25:20.248098308 +0200
+++ openssl-1.0.1e/crypto/ecdh/ecdh.h 2013-11-08 17:59:43.147028002 +0100 +++ openssl-1.0.1j/crypto/ecdh/ecdh.h 2014-10-16 13:25:20.730109190 +0200
@@ -85,6 +85,8 @@ @@ -85,6 +85,8 @@
extern "C" { extern "C" {
#endif #endif
@ -10,9 +10,9 @@ diff -up openssl-1.0.1e/crypto/ecdh/ecdh.h.fips-ec openssl-1.0.1e/crypto/ecdh/ec
const ECDH_METHOD *ECDH_OpenSSL(void); const ECDH_METHOD *ECDH_OpenSSL(void);
void ECDH_set_default_method(const ECDH_METHOD *); void ECDH_set_default_method(const ECDH_METHOD *);
diff -up openssl-1.0.1e/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.1e/crypto/ecdh/ecdhtest.c diff -up openssl-1.0.1j/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.1j/crypto/ecdh/ecdhtest.c
--- openssl-1.0.1e/crypto/ecdh/ecdhtest.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/ecdh/ecdhtest.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/crypto/ecdh/ecdhtest.c 2013-11-08 17:59:54.712282862 +0100 +++ openssl-1.0.1j/crypto/ecdh/ecdhtest.c 2014-10-16 13:25:20.730109190 +0200
@@ -323,8 +323,10 @@ int main(int argc, char *argv[]) @@ -323,8 +323,10 @@ int main(int argc, char *argv[])
if ((ctx=BN_CTX_new()) == NULL) goto err; if ((ctx=BN_CTX_new()) == NULL) goto err;
@ -24,9 +24,9 @@ diff -up openssl-1.0.1e/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.1e/crypto/ecd
if (!test_ecdh_curve(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) goto err; if (!test_ecdh_curve(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) goto err;
if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out)) goto err; if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out)) goto err;
if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out)) goto err; if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out)) goto err;
diff -up openssl-1.0.1e/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.1e/crypto/ecdh/ech_lib.c diff -up openssl-1.0.1j/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.1j/crypto/ecdh/ech_lib.c
--- openssl-1.0.1e/crypto/ecdh/ech_lib.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/ecdh/ech_lib.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/crypto/ecdh/ech_lib.c 2013-11-08 17:59:43.148028024 +0100 +++ openssl-1.0.1j/crypto/ecdh/ech_lib.c 2014-10-16 13:25:20.730109190 +0200
@@ -94,14 +94,7 @@ const ECDH_METHOD *ECDH_get_default_meth @@ -94,14 +94,7 @@ const ECDH_METHOD *ECDH_get_default_meth
{ {
if(!default_ECDH_method) if(!default_ECDH_method)
@ -42,9 +42,9 @@ diff -up openssl-1.0.1e/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.1e/crypto/ecdh
} }
return default_ECDH_method; return default_ECDH_method;
} }
diff -up openssl-1.0.1e/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.1e/crypto/ecdh/ech_ossl.c diff -up openssl-1.0.1j/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.1j/crypto/ecdh/ech_ossl.c
--- openssl-1.0.1e/crypto/ecdh/ech_ossl.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/ecdh/ech_ossl.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/crypto/ecdh/ech_ossl.c 2013-11-08 17:59:43.148028024 +0100 +++ openssl-1.0.1j/crypto/ecdh/ech_ossl.c 2014-10-16 13:25:20.730109190 +0200
@@ -79,6 +79,10 @@ @@ -79,6 +79,10 @@
#include <openssl/obj_mac.h> #include <openssl/obj_mac.h>
#include <openssl/bn.h> #include <openssl/bn.h>
@ -99,9 +99,9 @@ diff -up openssl-1.0.1e/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.1e/crypto/ecd
if ((tmp=EC_POINT_new(group)) == NULL) if ((tmp=EC_POINT_new(group)) == NULL)
{ {
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
diff -up openssl-1.0.1e/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.1e/crypto/ecdsa/ecdsatest.c diff -up openssl-1.0.1j/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.1j/crypto/ecdsa/ecdsatest.c
--- openssl-1.0.1e/crypto/ecdsa/ecdsatest.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/ecdsa/ecdsatest.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/crypto/ecdsa/ecdsatest.c 2013-11-08 17:59:43.148028024 +0100 +++ openssl-1.0.1j/crypto/ecdsa/ecdsatest.c 2014-10-16 13:25:20.731109212 +0200
@@ -138,11 +138,14 @@ int restore_rand(void) @@ -138,11 +138,14 @@ int restore_rand(void)
} }
@ -137,9 +137,9 @@ diff -up openssl-1.0.1e/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.1e/crypto/e
if (!test_builtin(out)) goto err; if (!test_builtin(out)) goto err;
ret = 0; ret = 0;
diff -up openssl-1.0.1e/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.1e/crypto/ecdsa/ecs_lib.c diff -up openssl-1.0.1j/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.1j/crypto/ecdsa/ecs_lib.c
--- openssl-1.0.1e/crypto/ecdsa/ecs_lib.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/ecdsa/ecs_lib.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/crypto/ecdsa/ecs_lib.c 2013-11-08 17:59:43.148028024 +0100 +++ openssl-1.0.1j/crypto/ecdsa/ecs_lib.c 2014-10-16 13:25:20.731109212 +0200
@@ -81,14 +81,7 @@ const ECDSA_METHOD *ECDSA_get_default_me @@ -81,14 +81,7 @@ const ECDSA_METHOD *ECDSA_get_default_me
{ {
if(!default_ECDSA_method) if(!default_ECDSA_method)
@ -155,9 +155,9 @@ diff -up openssl-1.0.1e/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.1e/crypto/ecd
} }
return default_ECDSA_method; return default_ECDSA_method;
} }
diff -up openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c diff -up openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c
--- openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c 2013-11-08 17:59:43.148028024 +0100 +++ openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c 2014-10-16 13:25:20.731109212 +0200
@@ -60,6 +60,9 @@ @@ -60,6 +60,9 @@
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/obj_mac.h> #include <openssl/obj_mac.h>
@ -207,9 +207,9 @@ diff -up openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.1e/crypto/ec
/* check input values */ /* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
diff -up openssl-1.0.1e/crypto/ec/ec_key.c.fips-ec openssl-1.0.1e/crypto/ec/ec_key.c diff -up openssl-1.0.1j/crypto/ec/ec_key.c.fips-ec openssl-1.0.1j/crypto/ec/ec_key.c
--- openssl-1.0.1e/crypto/ec/ec_key.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/ec/ec_key.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/crypto/ec/ec_key.c 2013-11-08 17:59:43.148028024 +0100 +++ openssl-1.0.1j/crypto/ec/ec_key.c 2014-10-16 13:25:20.731109212 +0200
@@ -64,9 +64,6 @@ @@ -64,9 +64,6 @@
#include <string.h> #include <string.h>
#include "ec_lcl.h" #include "ec_lcl.h"
@ -306,10 +306,10 @@ diff -up openssl-1.0.1e/crypto/ec/ec_key.c.fips-ec openssl-1.0.1e/crypto/ec/ec_k
{ {
ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
EC_R_COORDINATES_OUT_OF_RANGE); EC_R_COORDINATES_OUT_OF_RANGE);
diff -up openssl-1.0.1e/crypto/ec/ecp_mont.c.fips-ec openssl-1.0.1e/crypto/ec/ecp_mont.c diff -up openssl-1.0.1j/crypto/ec/ecp_mont.c.fips-ec openssl-1.0.1j/crypto/ec/ecp_mont.c
--- openssl-1.0.1e/crypto/ec/ecp_mont.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/ec/ecp_mont.c.fips-ec 2014-10-16 13:25:20.731109212 +0200
+++ openssl-1.0.1e/crypto/ec/ecp_mont.c 2013-11-08 17:59:43.149028046 +0100 +++ openssl-1.0.1j/crypto/ec/ecp_mont.c 2014-10-16 13:27:34.156121340 +0200
@@ -63,18 +63,11 @@ @@ -63,10 +63,6 @@
#include <openssl/err.h> #include <openssl/err.h>
@ -320,26 +320,22 @@ diff -up openssl-1.0.1e/crypto/ec/ecp_mont.c.fips-ec openssl-1.0.1e/crypto/ec/ec
#include "ec_lcl.h" #include "ec_lcl.h"
const EC_METHOD *EC_GFp_mont_method(void) @@ -111,11 +107,6 @@ const EC_METHOD *EC_GFp_mont_method(void
{ ec_GFp_mont_field_decode,
-#ifdef OPENSSL_FIPS
- return fips_ec_gfp_mont_method();
-#else
static const EC_METHOD ret = {
EC_FLAGS_DEFAULT_OCT,
NID_X9_62_prime_field,
@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void
ec_GFp_mont_field_set_to_one }; ec_GFp_mont_field_set_to_one };
return &ret; -#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return fips_ec_gfp_mont_method();
-#endif -#endif
-
return &ret;
} }
diff -up openssl-1.0.1j/crypto/ec/ecp_nist.c.fips-ec openssl-1.0.1j/crypto/ec/ecp_nist.c
diff -up openssl-1.0.1e/crypto/ec/ecp_nist.c.fips-ec openssl-1.0.1e/crypto/ec/ecp_nist.c --- openssl-1.0.1j/crypto/ec/ecp_nist.c.fips-ec 2014-10-16 13:25:20.732109235 +0200
--- openssl-1.0.1e/crypto/ec/ecp_nist.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 +++ openssl-1.0.1j/crypto/ec/ecp_nist.c 2014-10-16 13:27:53.163550441 +0200
+++ openssl-1.0.1e/crypto/ec/ecp_nist.c 2013-11-08 17:59:43.149028046 +0100 @@ -67,10 +67,6 @@
@@ -67,15 +67,8 @@
#include <openssl/obj_mac.h> #include <openssl/obj_mac.h>
#include "ec_lcl.h" #include "ec_lcl.h"
@ -349,24 +345,23 @@ diff -up openssl-1.0.1e/crypto/ec/ecp_nist.c.fips-ec openssl-1.0.1e/crypto/ec/ec
- -
const EC_METHOD *EC_GFp_nist_method(void) const EC_METHOD *EC_GFp_nist_method(void)
{ {
-#ifdef OPENSSL_FIPS
- return fips_ec_gfp_nist_method();
-#else
static const EC_METHOD ret = { static const EC_METHOD ret = {
EC_FLAGS_DEFAULT_OCT, @@ -112,11 +108,6 @@ const EC_METHOD *EC_GFp_nist_method(void
NID_X9_62_prime_field, 0 /* field_decode */,
@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void
0 /* field_set_to_one */ }; 0 /* field_set_to_one */ };
return &ret; -#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return fips_ec_gfp_nist_method();
-#endif -#endif
-
return &ret;
} }
int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) diff -up openssl-1.0.1j/crypto/ec/ecp_smpl.c.fips-ec openssl-1.0.1j/crypto/ec/ecp_smpl.c
diff -up openssl-1.0.1e/crypto/ec/ecp_smpl.c.fips-ec openssl-1.0.1e/crypto/ec/ecp_smpl.c --- openssl-1.0.1j/crypto/ec/ecp_smpl.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
--- openssl-1.0.1e/crypto/ec/ecp_smpl.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 +++ openssl-1.0.1j/crypto/ec/ecp_smpl.c 2014-10-16 13:28:39.386593946 +0200
+++ openssl-1.0.1e/crypto/ec/ecp_smpl.c 2013-11-08 17:59:43.149028046 +0100 @@ -65,10 +65,6 @@
@@ -65,17 +65,10 @@
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/symhacks.h> #include <openssl/symhacks.h>
@ -377,22 +372,19 @@ diff -up openssl-1.0.1e/crypto/ec/ecp_smpl.c.fips-ec openssl-1.0.1e/crypto/ec/ec
#include "ec_lcl.h" #include "ec_lcl.h"
const EC_METHOD *EC_GFp_simple_method(void) const EC_METHOD *EC_GFp_simple_method(void)
{ @@ -112,11 +108,6 @@ const EC_METHOD *EC_GFp_simple_method(vo
-#ifdef OPENSSL_FIPS 0 /* field_decode */,
- return fips_ec_gfp_simple_method();
-#else
static const EC_METHOD ret = {
EC_FLAGS_DEFAULT_OCT,
NID_X9_62_prime_field,
@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_simple_method(vo
0 /* field_set_to_one */ }; 0 /* field_set_to_one */ };
return &ret; -#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return fips_ec_gfp_simple_method();
-#endif -#endif
-
return &ret;
} }
@@ -187,6 +178,12 @@ int ec_GFp_simple_group_set_curve(EC_GRO
@@ -186,6 +178,12 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0; return 0;
} }
@ -405,9 +397,9 @@ diff -up openssl-1.0.1e/crypto/ec/ecp_smpl.c.fips-ec openssl-1.0.1e/crypto/ec/ec
if (ctx == NULL) if (ctx == NULL)
{ {
ctx = new_ctx = BN_CTX_new(); ctx = new_ctx = BN_CTX_new();
diff -up openssl-1.0.1e/crypto/evp/m_ecdsa.c.fips-ec openssl-1.0.1e/crypto/evp/m_ecdsa.c diff -up openssl-1.0.1j/crypto/evp/m_ecdsa.c.fips-ec openssl-1.0.1j/crypto/evp/m_ecdsa.c
--- openssl-1.0.1e/crypto/evp/m_ecdsa.c.fips-ec 2013-02-11 16:26:04.000000000 +0100 --- openssl-1.0.1j/crypto/evp/m_ecdsa.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
+++ openssl-1.0.1e/crypto/evp/m_ecdsa.c 2013-11-08 17:59:43.149028046 +0100 +++ openssl-1.0.1j/crypto/evp/m_ecdsa.c 2014-10-16 13:25:20.732109235 +0200
@@ -116,7 +116,6 @@ @@ -116,7 +116,6 @@
#include <openssl/x509.h> #include <openssl/x509.h>
@ -430,9 +422,9 @@ diff -up openssl-1.0.1e/crypto/evp/m_ecdsa.c.fips-ec openssl-1.0.1e/crypto/evp/m
} }
#endif #endif
-#endif -#endif
diff -up openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c.fips-ec openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c diff -up openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c.fips-ec openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c
--- openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c.fips-ec 2013-11-08 17:59:43.149028046 +0100 --- openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c.fips-ec 2014-10-16 13:25:20.732109235 +0200
+++ openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c 2013-11-08 17:59:43.149028046 +0100 +++ openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c 2014-10-16 13:25:20.732109235 +0200
@@ -0,0 +1,496 @@ @@ -0,0 +1,496 @@
+/* fips/ecdh/fips_ecdhvs.c */ +/* fips/ecdh/fips_ecdhvs.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@ -930,9 +922,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c.fips-ec openssl-1.0.1e/cr
+ } + }
+ +
+#endif +#endif
diff -up openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c.fips-ec openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c diff -up openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c.fips-ec openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c
--- openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c.fips-ec 2013-11-08 17:59:43.150028068 +0100 --- openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c.fips-ec 2014-10-16 13:25:20.733109257 +0200
+++ openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c 2013-11-08 17:59:43.150028068 +0100 +++ openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c 2014-10-16 13:25:20.733109257 +0200
@@ -0,0 +1,533 @@ @@ -0,0 +1,533 @@
+/* fips/ecdsa/fips_ecdsavs.c */ +/* fips/ecdsa/fips_ecdsavs.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@ -1467,9 +1459,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c.fips-ec openssl-1.0.1e/c
+ } + }
+ +
+#endif +#endif
diff -up openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c.fips-ec openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c diff -up openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c.fips-ec openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c
--- openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c.fips-ec 2013-11-08 17:59:43.150028068 +0100 --- openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c.fips-ec 2014-10-16 13:25:20.733109257 +0200
+++ openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c 2013-11-08 17:59:43.150028068 +0100 +++ openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c 2014-10-16 13:25:20.733109257 +0200
@@ -0,0 +1,252 @@ @@ -0,0 +1,252 @@
+/* fips/ecdh/fips_ecdh_selftest.c */ +/* fips/ecdh/fips_ecdh_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@ -1723,9 +1715,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c.fips-ec openssl-1.0.1e/
+ } + }
+ +
+#endif +#endif
diff -up openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c.fips-ec openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c diff -up openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c.fips-ec openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c
--- openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c.fips-ec 2013-11-08 17:59:43.150028068 +0100 --- openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c.fips-ec 2014-10-16 13:25:20.733109257 +0200
+++ openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c 2013-11-08 17:59:43.150028068 +0100 +++ openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c 2014-10-16 13:25:20.733109257 +0200
@@ -0,0 +1,167 @@ @@ -0,0 +1,167 @@
+/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* fips/ecdsa/fips_ecdsa_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@ -1894,9 +1886,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c.fips-ec openssl-1.0.1e
+ } + }
+ +
+#endif +#endif
diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ec openssl-1.0.1e/crypto/fips/fips.h diff -up openssl-1.0.1j/crypto/fips/fips.h.fips-ec openssl-1.0.1j/crypto/fips/fips.h
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ec 2013-11-08 17:59:43.116027318 +0100 --- openssl-1.0.1j/crypto/fips/fips.h.fips-ec 2014-10-16 13:25:20.701108535 +0200
+++ openssl-1.0.1e/crypto/fips/fips.h 2013-11-08 17:59:43.150028068 +0100 +++ openssl-1.0.1j/crypto/fips/fips.h 2014-10-16 13:25:20.733109257 +0200
@@ -93,6 +93,8 @@ int FIPS_selftest_rsa(void); @@ -93,6 +93,8 @@ int FIPS_selftest_rsa(void);
void FIPS_corrupt_dsa(void); void FIPS_corrupt_dsa(void);
void FIPS_corrupt_dsa_keygen(void); void FIPS_corrupt_dsa_keygen(void);
@ -1906,9 +1898,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ec openssl-1.0.1e/crypto/fips/fi
void FIPS_corrupt_rng(void); void FIPS_corrupt_rng(void);
void FIPS_rng_stick(void); void FIPS_rng_stick(void);
void FIPS_x931_stick(int onoff); void FIPS_x931_stick(int onoff);
diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips-ec openssl-1.0.1e/crypto/fips/fips_post.c diff -up openssl-1.0.1j/crypto/fips/fips_post.c.fips-ec openssl-1.0.1j/crypto/fips/fips_post.c
--- openssl-1.0.1e/crypto/fips/fips_post.c.fips-ec 2013-11-08 17:59:43.117027340 +0100 --- openssl-1.0.1j/crypto/fips/fips_post.c.fips-ec 2014-10-16 13:25:20.702108557 +0200
+++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-11-08 17:59:43.150028068 +0100 +++ openssl-1.0.1j/crypto/fips/fips_post.c 2014-10-16 13:25:20.733109257 +0200
@@ -95,8 +95,12 @@ int FIPS_selftest(void) @@ -95,8 +95,12 @@ int FIPS_selftest(void)
rv = 0; rv = 0;
if (!FIPS_selftest_rsa()) if (!FIPS_selftest_rsa())
@ -1922,9 +1914,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips-ec openssl-1.0.1e/crypto/fi
return rv; return rv;
} }
diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-ec openssl-1.0.1e/crypto/fips/Makefile diff -up openssl-1.0.1j/crypto/fips/Makefile.fips-ec openssl-1.0.1j/crypto/fips/Makefile
--- openssl-1.0.1e/crypto/fips/Makefile.fips-ec 2013-11-08 17:59:43.119027384 +0100 --- openssl-1.0.1j/crypto/fips/Makefile.fips-ec 2014-10-16 13:25:20.704108603 +0200
+++ openssl-1.0.1e/crypto/fips/Makefile 2013-11-08 17:59:43.151028090 +0100 +++ openssl-1.0.1j/crypto/fips/Makefile 2014-10-16 13:25:20.734109280 +0200
@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_self @@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_self
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
@ -1941,7 +1933,7 @@ diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-ec openssl-1.0.1e/crypto/fips/
LIBCRYPTO=-L.. -lcrypto LIBCRYPTO=-L.. -lcrypto
@@ -118,6 +118,21 @@ fips_aes_selftest.o: ../../include/opens @@ -119,6 +119,21 @@ fips_aes_selftest.o: ../../include/opens
fips_aes_selftest.o: ../../include/openssl/safestack.h fips_aes_selftest.o: ../../include/openssl/safestack.h
fips_aes_selftest.o: ../../include/openssl/stack.h fips_aes_selftest.o: ../../include/openssl/stack.h
fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
@ -1963,7 +1955,7 @@ diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-ec openssl-1.0.1e/crypto/fips/
fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
fips_des_selftest.o: ../../include/openssl/crypto.h fips_des_selftest.o: ../../include/openssl/crypto.h
fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -231,6 +246,46 @@ fips_dsa_selftest.o: ../../include/opens @@ -232,6 +247,46 @@ fips_dsa_selftest.o: ../../include/opens
fips_dsa_selftest.o: ../../include/openssl/stack.h fips_dsa_selftest.o: ../../include/openssl/stack.h
fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
fips_dsa_selftest.o: fips_locl.h fips_dsa_selftest.o: fips_locl.h
@ -2010,7 +2002,7 @@ diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-ec openssl-1.0.1e/crypto/fips/
fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
fips_hmac_selftest.o: ../../include/openssl/crypto.h fips_hmac_selftest.o: ../../include/openssl/crypto.h
fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -245,6 +300,15 @@ fips_hmac_selftest.o: ../../include/open @@ -246,6 +301,15 @@ fips_hmac_selftest.o: ../../include/open
fips_hmac_selftest.o: ../../include/openssl/safestack.h fips_hmac_selftest.o: ../../include/openssl/safestack.h
fips_hmac_selftest.o: ../../include/openssl/stack.h fips_hmac_selftest.o: ../../include/openssl/stack.h
fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
@ -2026,9 +2018,9 @@ diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-ec openssl-1.0.1e/crypto/fips/
fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
diff -up openssl-1.0.1e/version.map.fips-ec openssl-1.0.1e/version.map diff -up openssl-1.0.1j/version.map.fips-ec openssl-1.0.1j/version.map
--- openssl-1.0.1e/version.map.fips-ec 2013-11-08 17:59:43.131027649 +0100 --- openssl-1.0.1j/version.map.fips-ec 2014-10-16 13:25:20.716108873 +0200
+++ openssl-1.0.1e/version.map 2013-11-08 17:59:43.151028090 +0100 +++ openssl-1.0.1j/version.map 2014-10-16 13:25:20.734109280 +0200
@@ -6,3 +6,7 @@ OPENSSL_1.0.1 { @@ -6,3 +6,7 @@ OPENSSL_1.0.1 {
_original*; _original*;
_current*; _current*;

File diff suppressed because it is too large Load Diff

View File

@ -22,8 +22,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.1i Version: 1.0.1j
Release: 5%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -58,7 +58,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch Patch35: openssl-0.9.8j-version-add-engines.patch
Patch39: openssl-1.0.1h-ipv6-apps.patch Patch39: openssl-1.0.1h-ipv6-apps.patch
Patch40: openssl-1.0.1g-fips.patch Patch40: openssl-1.0.1j-fips.patch
Patch45: openssl-1.0.1e-env-zlib.patch Patch45: openssl-1.0.1e-env-zlib.patch
Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch Patch49: openssl-1.0.1i-algo-doc.patch
@ -72,7 +72,7 @@ Patch65: openssl-1.0.0e-chil-fixes.patch
Patch66: openssl-1.0.1-pkgconfig-krb5.patch Patch66: openssl-1.0.1-pkgconfig-krb5.patch
Patch68: openssl-1.0.1e-secure-getenv.patch Patch68: openssl-1.0.1e-secure-getenv.patch
Patch69: openssl-1.0.1c-dh-1024.patch Patch69: openssl-1.0.1c-dh-1024.patch
Patch70: openssl-1.0.1e-fips-ec.patch Patch70: openssl-1.0.1j-fips-ec.patch
Patch71: openssl-1.0.1i-manfix.patch Patch71: openssl-1.0.1i-manfix.patch
Patch72: openssl-1.0.1e-fips-ctor.patch Patch72: openssl-1.0.1e-fips-ctor.patch
Patch73: openssl-1.0.1e-ecc-suiteb.patch Patch73: openssl-1.0.1e-ecc-suiteb.patch
@ -84,12 +84,11 @@ Patch90: openssl-1.0.1e-enc-fail.patch
Patch92: openssl-1.0.1h-system-cipherlist.patch Patch92: openssl-1.0.1h-system-cipherlist.patch
Patch93: openssl-1.0.1h-disable-sslv2v3.patch Patch93: openssl-1.0.1h-disable-sslv2v3.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch80: openssl-1.0.1i-evp-wrap.patch Patch80: openssl-1.0.1j-evp-wrap.patch
Patch81: openssl-1.0.1-beta2-padlock64.patch Patch81: openssl-1.0.1-beta2-padlock64.patch
Patch84: openssl-1.0.1i-trusted-first.patch Patch84: openssl-1.0.1i-trusted-first.patch
Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
Patch89: openssl-1.0.1e-ephemeral-key-size.patch Patch89: openssl-1.0.1j-ephemeral-key-size.patch
Patch94: openssl-1.0.1i-copy-algo.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -212,7 +211,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch84 -p1 -b .trusted-first %patch84 -p1 -b .trusted-first
%patch85 -p1 -b .armcap %patch85 -p1 -b .armcap
%patch89 -p1 -b .ephemeral %patch89 -p1 -b .ephemeral
%patch94 -p1 -b .copy-algo
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -480,6 +478,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Thu Oct 16 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-1
- new upstream release fixing multiple security issues
* Fri Oct 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1i-5 * Fri Oct 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1i-5
- copy negotiated digests when switching certs by SNI (#1150032) - copy negotiated digests when switching certs by SNI (#1150032)