From 837dd048828c9c49a51fb70b7f0e8af43947fde4 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 15 Jun 2015 18:23:46 +0200
Subject: [PATCH] minor upstream release 1.0.2c fixing multiple security issues
---
 .gitignore | 1 +
 ectest.c | 8 +-
 openssl-1.0.2a-alt-chains.patch | 527 ---------------
 openssl-1.0.2a-dh-1024.patch | 75 ---
 ...atch => openssl-1.0.2c-default-paths.patch | 47 +-
 ...b.patch => openssl-1.0.2c-ecc-suiteb.patch | 66 +-
 ...2a-fips.patch => openssl-1.0.2c-fips.patch | 620 +++++++++---------
 ...ild.patch => openssl-1.0.2c-rpmbuild.patch | 34 +-
 ... => openssl-1.0.2c-trusted-first-doc.patch | 156 ++---
 openssl.spec | 21 +-
 sources | 2 +-
 11 files changed, 461 insertions(+), 1096 deletions(-)
 delete mode 100644 openssl-1.0.2a-alt-chains.patch
 delete mode 100644 openssl-1.0.2a-dh-1024.patch
 rename openssl-1.0.2a-default-paths.patch => openssl-1.0.2c-default-paths.patch (50%)
 rename openssl-1.0.2a-ecc-suiteb.patch => openssl-1.0.2c-ecc-suiteb.patch (83%)
 rename openssl-1.0.2a-fips.patch => openssl-1.0.2c-fips.patch (95%)
 rename openssl-1.0.2a-rpmbuild.patch => openssl-1.0.2c-rpmbuild.patch (88%)
 rename openssl-1.0.2a-trusted-first-doc.patch => openssl-1.0.2c-trusted-first-doc.patch (62%)
diff --git a/.gitignore b/.gitignore
index 0076204..c044edf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.1j-hobbled.tar.xz
 /openssl-1.0.1k-hobbled.tar.xz
 /openssl-1.0.2a-hobbled.tar.xz
+/openssl-1.0.2c-hobbled.tar.xz
diff --git a/ectest.c b/ectest.c
index 71fef23..a35f5ad 100644
--- a/ectest.c
+++ b/ectest.c
@@ -386,7 +386,7 @@ static void prime_field_tests(void)
 ABORT;
 if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
 ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
 ABORT;
 if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
 "84F3B9CAC2FC632551"))
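Review bot: Only four `EC_POINT_is_on_curve()` checks in prime_field_tests() are converted to `<= 0` (this hunk and the ones at -442, -501 and -545), so any call left as `if (!EC_POINT_is_on_curve(group, P, ctx))` elsewhere in ectest.c would still treat a negative error return as "on curve" and let the test pass. The rest of the file is not visible from these hunks, so it is worth grepping this packaged copy and converting every remaining call the same way. A short comment at the first site, `/* 1 = on curve, 0 = not on curve, < 0 = internal error */`, would record why a plain `!` test is not enough. prime_field_tests() starts and ends outside the hunk.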
@@ -442,7 +442,7 @@ static void prime_field_tests(void)
 ABORT;
 if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
 ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
 ABORT;
 if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
@@ -501,7 +501,7 @@ static void prime_field_tests(void)
 ABORT;
 if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
 ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
 ABORT;
 if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
@@ -545,7 +545,7 @@ static void prime_field_tests(void)
 ABORT;
 if (!EC_POINT_dbl(group, P, P, ctx))
 ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
 ABORT;
 if (!EC_POINT_invert(group, Q, ctx))
 ABORT; /* P = -2Q */
diff --git a/openssl-1.0.2a-alt-chains.patch b/openssl-1.0.2a-alt-chains.patch
deleted file mode 100644
index 44453c6..0000000
--- a/openssl-1.0.2a-alt-chains.patch
+++ /dev/null
@@ -1,527 +0,0 @@ -diff -up openssl-1.0.2a/apps/apps.c.alt-chains openssl-1.0.2a/apps/apps.c ---- openssl-1.0.2a/apps/apps.c.alt-chains 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/apps.c 2015-04-28 16:49:50.124558770 +0200 -@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *parg - flags |= X509_V_FLAG_SUITEB_192_LOS; - else if (!strcmp(arg, "-partial_chain")) - flags |= X509_V_FLAG_PARTIAL_CHAIN; -+ else if (!strcmp(arg, "-no_alt_chains")) -+ flags |= X509_V_FLAG_NO_ALT_CHAINS; - else - return 0; - -diff -up openssl-1.0.2a/apps/cms.c.alt-chains openssl-1.0.2a/apps/cms.c ---- openssl-1.0.2a/apps/cms.c.alt-chains 2015-04-23 10:22:56.225685251 +0200 -+++ openssl-1.0.2a/apps/cms.c 2015-04-28 16:49:50.125558793 +0200 -@@ -648,6 +648,8 @@ int MAIN(int argc, char **argv) - BIO_printf(bio_err, - "-trusted_first use trusted certificates first when building the trust chain\n"); - BIO_printf(bio_err, -+ "-no_alt_chains only ever use the first certificate chain found\n"); -+ BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); - BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -diff -up openssl-1.0.2a/apps/ocsp.c.alt-chains openssl-1.0.2a/apps/ocsp.c ---- openssl-1.0.2a/apps/ocsp.c.alt-chains 2015-04-23 10:22:56.225685251 +0200 -+++ openssl-1.0.2a/apps/ocsp.c 2015-04-28 16:49:50.125558793 +0200 -@@ -538,6 +538,8 @@ int MAIN(int argc, char **argv) - BIO_printf(bio_err, - "-trusted_first use trusted certificates first when building the trust chain\n"); - BIO_printf(bio_err, -+ "-no_alt_chains only ever use the first certificate chain found\n"); -+ BIO_printf(bio_err, - "-VAfile file validator certificates file\n"); - BIO_printf(bio_err, - "-validity_period n maximum validity discrepancy in seconds\n"); -diff -up openssl-1.0.2a/apps/s_client.c.alt-chains openssl-1.0.2a/apps/s_client.c ---- openssl-1.0.2a/apps/s_client.c.alt-chains 2015-04-23 
10:22:56.225685251 +0200 -+++ openssl-1.0.2a/apps/s_client.c 2015-04-28 16:49:50.126558815 +0200 -@@ -335,6 +335,8 @@ static void sc_usage(void) - BIO_printf(bio_err, - " -trusted_first - Use trusted CA's first when building the trust chain\n"); - BIO_printf(bio_err, -+ " -no_alt_chains - only ever use the first certificate chain found\n"); -+ BIO_printf(bio_err, - " -reconnect - Drop and re-make the connection with the same Session-ID\n"); - BIO_printf(bio_err, - " -pause - sleep(1) after each read(2) and write(2) system call\n"); -diff -up openssl-1.0.2a/apps/smime.c.alt-chains openssl-1.0.2a/apps/smime.c ---- openssl-1.0.2a/apps/smime.c.alt-chains 2015-04-23 10:22:56.226685277 +0200 -+++ openssl-1.0.2a/apps/smime.c 2015-04-28 16:49:50.128558861 +0200 -@@ -444,6 +444,8 @@ int MAIN(int argc, char **argv) - BIO_printf(bio_err, - "-trusted_first use trusted certificates first when building the trust chain\n"); - BIO_printf(bio_err, -+ "-no_alt_chains only ever use the first certificate chain found\n"); -+ BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); - BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -diff -up openssl-1.0.2a/apps/s_server.c.alt-chains openssl-1.0.2a/apps/s_server.c ---- openssl-1.0.2a/apps/s_server.c.alt-chains 2015-04-23 10:22:56.226685277 +0200 -+++ openssl-1.0.2a/apps/s_server.c 2015-04-28 16:49:50.128558861 +0200 -@@ -571,6 +571,8 @@ static void sv_usage(void) - BIO_printf(bio_err, - " -trusted_first - Use trusted CA's first when building the trust chain\n"); - BIO_printf(bio_err, -+ " -no_alt_chains - only ever use the first certificate chain found\n"); -+ BIO_printf(bio_err, - " -nocert - Don't use any certificates (Anon-DH)\n"); - BIO_printf(bio_err, - " -cipher arg - play with 'openssl ciphers' to see what goes here\n"); -diff -up openssl-1.0.2a/apps/verify.c.alt-chains openssl-1.0.2a/apps/verify.c ---- 
openssl-1.0.2a/apps/verify.c.alt-chains 2015-04-28 16:49:50.128558861 +0200 -+++ openssl-1.0.2a/apps/verify.c 2015-04-28 16:50:52.210974346 +0200 -@@ -232,7 +232,7 @@ int MAIN(int argc, char **argv) - if (ret == 1) { - BIO_printf(bio_err, - "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); -- BIO_printf(bio_err, " [-attime timestamp]"); -+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); - #ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, " [-engine e]"); - #endif -diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.c ---- openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains 2015-04-23 10:22:56.188684277 +0200 -+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-28 17:03:40.478786778 +0200 -@@ -189,11 +189,11 @@ static X509 *lookup_cert_match(X509_STOR - - int X509_verify_cert(X509_STORE_CTX *ctx) - { -- X509 *x, *xtmp, *chain_ss = NULL; -+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; - int bad_chain = 0; - X509_VERIFY_PARAM *param = ctx->param; - int depth, i, ok = 0; -- int num; -+ int num, j, retry; - int (*cb) (int xok, X509_STORE_CTX *xctx); - STACK_OF(X509) *sktmp = NULL; - if (ctx->cert == NULL) { -@@ -278,91 +278,136 @@ int X509_verify_cert(X509_STORE_CTX *ctx - break; - } - -+ /* Remember how many untrusted certs we have */ -+ j = num; - /* - * at this point, chain should contain a list of untrusted certificates. - * We now need to add at least one trusted one, if possible, otherwise we - * complain. - */ - -- /* -- * Examine last certificate in chain and see if it is self signed. -- */ -- -- i = sk_X509_num(ctx->chain); -- x = sk_X509_value(ctx->chain, i - 1); -- if (cert_self_signed(x)) { -- /* we have a self signed certificate */ -- if (sk_X509_num(ctx->chain) == 1) { -- /* -- * We have a single self signed certificate: see if we can find -- * it in the store. We must have an exact match to avoid possible -- * impersonation. 
-- */ -- ok = ctx->get_issuer(&xtmp, ctx, x); -- if ((ok <= 0) || X509_cmp(x, xtmp)) { -- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; -- ctx->current_cert = x; -- ctx->error_depth = i - 1; -- if (ok == 1) -- X509_free(xtmp); -- bad_chain = 1; -- ok = cb(0, ctx); -- if (!ok) -- goto end; -+ do { -+ /* -+ * Examine last certificate in chain and see if it is self signed. -+ */ -+ i = sk_X509_num(ctx->chain); -+ x = sk_X509_value(ctx->chain, i - 1); -+ if (cert_self_signed(x)) { -+ /* we have a self signed certificate */ -+ if (sk_X509_num(ctx->chain) == 1) { -+ /* -+ * We have a single self signed certificate: see if we can -+ * find it in the store. We must have an exact match to avoid -+ * possible impersonation. -+ */ -+ ok = ctx->get_issuer(&xtmp, ctx, x); -+ if ((ok <= 0) || X509_cmp(x, xtmp)) { -+ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; -+ ctx->current_cert = x; -+ ctx->error_depth = i - 1; -+ if (ok == 1) -+ X509_free(xtmp); -+ bad_chain = 1; -+ ok = cb(0, ctx); -+ if (!ok) -+ goto end; -+ } else { -+ /* -+ * We have a match: replace certificate with store -+ * version so we get any trust settings. -+ */ -+ X509_free(x); -+ x = xtmp; -+ (void)sk_X509_set(ctx->chain, i - 1, x); -+ ctx->last_untrusted = 0; -+ } - } else { - /* -- * We have a match: replace certificate with store version so -- * we get any trust settings. 
-+ * extract and save self signed certificate for later use - */ -- X509_free(x); -- x = xtmp; -- (void)sk_X509_set(ctx->chain, i - 1, x); -- ctx->last_untrusted = 0; -+ chain_ss = sk_X509_pop(ctx->chain); -+ ctx->last_untrusted--; -+ num--; -+ j--; -+ x = sk_X509_value(ctx->chain, num - 1); - } -- } else { -- /* -- * extract and save self signed certificate for later use -- */ -- chain_ss = sk_X509_pop(ctx->chain); -- ctx->last_untrusted--; -- num--; -- x = sk_X509_value(ctx->chain, num - 1); - } -- } -- -- /* We now lookup certs from the certificate store */ -- for (;;) { -- /* If we have enough, we break */ -- if (depth < num) -- break; -+ /* We now lookup certs from the certificate store */ -+ for (;;) { -+ /* If we have enough, we break */ -+ if (depth < num) -+ break; -+ /* If we are self signed, we break */ -+ if (cert_self_signed(x)) -+ break; -+ ok = ctx->get_issuer(&xtmp, ctx, x); - -- /* If we are self signed, we break */ -- if (cert_self_signed(x)) -- break; -+ if (ok < 0) -+ return ok; -+ if (ok == 0) -+ break; -+ x = xtmp; -+ if (!sk_X509_push(ctx->chain, x)) { -+ X509_free(xtmp); -+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ num++; -+ } - -- ok = ctx->get_issuer(&xtmp, ctx, x); -+ /* we now have our chain, lets check it... */ -+ i = check_trust(ctx); - -- if (ok < 0) -- return ok; -- if (ok == 0) -- break; -+ /* If explicitly rejected error */ -+ if (i == X509_TRUST_REJECTED) -+ goto end; -+ /* -+ * If it's not explicitly trusted then check if there is an alternative -+ * chain that could be used. 
We only do this if we haven't already -+ * checked via TRUSTED_FIRST and the user hasn't switched off alternate -+ * chain checking -+ */ -+ retry = 0; -+ if (i != X509_TRUST_TRUSTED -+ && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) -+ && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { -+ while (j-- > 1) { -+ STACK_OF(X509) *chtmp = ctx->chain; -+ xtmp2 = sk_X509_value(ctx->chain, j - 1); -+ /* -+ * Temporarily set chain to NULL so we don't discount -+ * duplicates: the same certificate could be an untrusted -+ * CA found in the trusted store. -+ */ -+ ctx->chain = NULL; -+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2); -+ ctx->chain = chtmp; -+ if (ok < 0) -+ goto end; -+ /* Check if we found an alternate chain */ -+ if (ok > 0) { -+ /* -+ * Free up the found cert we'll add it again later -+ */ -+ X509_free(xtmp); - -- x = xtmp; -- if (!sk_X509_push(ctx->chain, x)) { -- X509_free(xtmp); -- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); -- return 0; -+ /* -+ * Dump all the certs above this point - we've found an -+ * alternate chain -+ */ -+ while (num > j) { -+ xtmp = sk_X509_pop(ctx->chain); -+ X509_free(xtmp); -+ num--; -+ ctx->last_untrusted--; -+ } -+ retry = 1; -+ break; -+ } -+ } - } -- num++; -- } -+ } while (retry); - -- /* we now have our chain, lets check it... 
*/ -- -- i = check_trust(ctx); -- -- /* If explicitly rejected error */ -- if (i == X509_TRUST_REJECTED) -- goto end; - /* - * If not explicitly trusted then indicate error unless it's a single - * self signed certificate in which case we've indicated an error already -diff -up openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.h ---- openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains 2015-04-23 10:22:56.016679751 +0200 -+++ openssl-1.0.2a/crypto/x509/x509_vfy.h 2015-04-28 16:49:18.551838908 +0200 -@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE - - /* Allow partial chains if at least one certificate is in trusted store */ - # define X509_V_FLAG_PARTIAL_CHAIN 0x80000 -+/* -+ * If the initial chain is not trusted, do not attempt to build an alternative -+ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag -+ * will force the behaviour to match that of previous versions. -+ */ -+# define X509_V_FLAG_NO_ALT_CHAINS 0x100000 - - # define X509_VP_FLAG_DEFAULT 0x1 - # define X509_VP_FLAG_OVERWRITE 0x2 -diff -up openssl-1.0.2a/doc/apps/cms.pod.alt-chains openssl-1.0.2a/doc/apps/cms.pod ---- openssl-1.0.2a/doc/apps/cms.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200 -+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-28 16:54:17.537682406 +0200 -@@ -36,6 +36,7 @@ B B - [B<-CAfile file>] - [B<-CApath dir>] - [B<-trusted_first>] -+[B<-no_alt_chains>] - [B<-md digest>] - [B<-[cipher]>] - [B<-nointern>] -@@ -426,7 +427,7 @@ portion of a message so they may be incl - then many S/MIME mail clients check the signers certificate's email - address matches that specified in the 
From: address. - --=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> -+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> - - Set various certificate chain valiadition option. See the - L|verify(1)> manual page for details. -@@ -662,4 +663,6 @@ Support for RSA-OAEP and RSA-PSS was fir - The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added - to OpenSSL 1.1.0. - -+The -no_alt_chains options was first added to OpenSSL 1.0.2b. -+ - =cut -diff -up openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains openssl-1.0.2a/doc/apps/ocsp.pod ---- openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200 -+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-28 16:53:44.564914852 +0200 -@@ -30,6 +30,7 @@ B B - [B<-CApath dir>] - [B<-CAfile file>] - [B<-trusted_first>] -+[B<-no_alt_chains>] - [B<-VAfile file>] - [B<-validity_period n>] - [B<-status_age n>] -@@ -151,6 +152,10 @@ in the response or residing in other cer - chain to verify responder certificate. - This is mainly useful in environments with Bridge CA or Cross-Certified CAs. - -+=item B<-no_alt_chains> -+ -+See L|verify(1)> manual page for details. -+ - =item B<-verify_other file> - - file containing additional certificates to search when attempting to locate -@@ -388,3 +393,9 @@ second file. - - openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem - -reqin req.der -respout resp.der -+ -+=head1 HISTORY -+ -+The -no_alt_chains options was first added to OpenSSL 1.0.2b. 
-+ -+=cut -diff -up openssl-1.0.2a/doc/apps/s_client.pod.alt-chains openssl-1.0.2a/doc/apps/s_client.pod ---- openssl-1.0.2a/doc/apps/s_client.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200 -+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-28 16:55:24.812248450 +0200 -@@ -20,6 +20,7 @@ B B - [B<-CApath directory>] - [B<-CAfile filename>] - [B<-trusted_first>] -+[B<-no_alt_chains>] - [B<-reconnect>] - [B<-pause>] - [B<-showcerts>] -@@ -124,7 +125,7 @@ also used when building the client certi - A file containing trusted certificates to use during server authentication - and to use when attempting to build the client certificate chain. - --=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> -+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains> - - Set various certificate chain valiadition option. See the - L|verify(1)> manual page for details. -@@ -365,4 +366,8 @@ information whenever a session is renego - - L, L, L - -+=head1 HISTORY -+ -+The -no_alt_chains options was first added to OpenSSL 1.0.2b. -+ - =cut -diff -up openssl-1.0.2a/doc/apps/smime.pod.alt-chains openssl-1.0.2a/doc/apps/smime.pod ---- openssl-1.0.2a/doc/apps/smime.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200 -+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-28 16:57:33.598246384 +0200 -@@ -18,6 +18,7 @@ B B - [B<-CAfile file>] - [B<-CApath dir>] - [B<-trusted_first>] -+[B<-no_alt_chains>] - [B<-certfile file>] - [B<-signer file>] - [B<-recip file>] -@@ -268,7 +269,7 @@ portion of a message so they may be incl - then many S/MIME mail clients check the signers certificate's email - address matches that specified in the 
From: address. - --=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> -+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> - - Set various options of certificate chain verification. See - L|verify(1)> manual page for details. -@@ -450,5 +451,6 @@ structures may cause parsing errors. - The use of multiple B<-signer> options and the B<-resign> command were first - added in OpenSSL 1.0.0 - -+The -no_alt_chains options was first added to OpenSSL 1.0.2b. - - =cut -diff -up openssl-1.0.2a/doc/apps/s_server.pod.alt-chains openssl-1.0.2a/doc/apps/s_server.pod ---- openssl-1.0.2a/doc/apps/s_server.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200 -+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-28 16:56:27.494707598 +0200 -@@ -34,6 +34,7 @@ B B - [B<-CApath directory>] - [B<-CAfile filename>] - [B<-trusted_first>] -+[B<-no_alt_chains>] - [B<-nocert>] - [B<-cipher cipherlist>] - [B<-serverpref>] -@@ -181,6 +182,10 @@ Use certificates in CA file or CA direct - when building the trust chain to verify client certificates. - This is mainly useful in environments with Bridge CA or Cross-Certified CAs. - -+=item B<-no_alt_chains> -+ -+See the L|verify(1)> manual page for details. -+ - =item B<-state> - - prints out the SSL session states. -@@ -413,4 +418,8 @@ unknown cipher suites a client says it s - - L, L, L - -+=head1 HISTORY -+ -+The -no_alt_chains options was first added to OpenSSL 1.0.2b. 
-+ - =cut -diff -up openssl-1.0.2a/doc/apps/verify.pod.alt-chains openssl-1.0.2a/doc/apps/verify.pod ---- openssl-1.0.2a/doc/apps/verify.pod.alt-chains 2015-04-23 10:22:56.228685330 +0200 -+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-28 16:52:22.544033948 +0200 -@@ -26,6 +26,7 @@ B B - [B<-extended_crl>] - [B<-use_deltas>] - [B<-policy_print>] -+[B<-no_alt_chains>] - [B<-untrusted file>] - [B<-help>] - [B<-issuer_checks>] -@@ -131,6 +132,14 @@ Set policy variable inhibit-any-policy ( - - Set policy variable inhibit-policy-mapping (see RFC5280). - -+=item B<-no_alt_chains> -+ -+When building a certificate chain, if the first certificate chain found is not -+trusted, then OpenSSL will continue to check to see if an alternative chain can -+be found that is trusted. With this option that behaviour is suppressed so that -+only the first chain found is ever used. Using this option will force the -+behaviour to match that of previous OpenSSL versions. -+ - =item B<-policy_print> - - Print out diagnostics related to policy processing. -@@ -432,4 +441,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CER - - L - -+=head1 HISTORY -+ -+The -no_alt_chains options was first added to OpenSSL 1.0.2b. -+ - =cut -diff -up openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod ---- openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-04-28 16:52:22.544033948 +0200 -@@ -197,6 +197,12 @@ verification. If this flag is set then a - to the verification callback and it B be prepared to handle such cases - without assuming they are hard errors. - -+The B flag suppresses checking for alternative -+chains. By default, when building a certificate chain, if the first certificate -+chain found is not trusted, then OpenSSL will continue to check to see if an -+alternative chain can be found that is trusted. 
With this flag set the behaviour -+will match that of OpenSSL versions prior to 1.0.2b. -+ - =head1 NOTES - - The above functions should be used to manipulate verification parameters -@@ -233,6 +239,6 @@ L - - =head1 HISTORY - --TBA -+The B flag was added in OpenSSL 1.0.2b - - =cut diff --git a/openssl-1.0.2a-dh-1024.patch b/openssl-1.0.2a-dh-1024.patch deleted file mode 100644 index 67d3171..0000000 --- a/openssl-1.0.2a-dh-1024.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c ---- openssl-1.0.2a/apps/s_server.c.dh1024 2015-04-09 18:19:55.978228949 +0200 -+++ openssl-1.0.2a/apps/s_server.c 2015-04-09 18:19:50.842110304 +0200 -@@ -230,29 +230,44 @@ static void s_server_init(void); - #endif - - #ifndef OPENSSL_NO_DH --static unsigned char dh512_p[] = { -- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75, -- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F, -- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3, -- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12, -- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C, -- 0x47, 0x74, 0xE8, 0x33, --}; -- --static unsigned char dh512_g[] = { -- 0x02, --}; -- --static DH *get_dh512(void) -+static DH *get_dh1024() - { -- DH *dh = NULL; -+ static unsigned char dh1024_p[] = { -+ 0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54, -+ 0x63, -+ 0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66, -+ 0x79, -+ 0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0, -+ 0x3C, -+ 0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1, -+ 0xEF, -+ 0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07, -+ 0xFB, -+ 0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98, -+ 0xE3, -+ 0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A, -+ 0xED, -+ 0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97, -+ 0x23, -+ 0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB, -+ 0x05, -+ 0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52, -+ 0xA4, -+ 0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93, -+ }; -+ static unsigned char dh1024_g[] = { -+ 0x02, -+ }; -+ DH *dh; - - if ((dh = DH_new()) == NULL) - return (NULL); -- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); -- dh->g = BN_bin2bn(dh512_g, 
sizeof(dh512_g), NULL); -- if ((dh->p == NULL) || (dh->g == NULL)) -+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); -+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); -+ if ((dh->p == NULL) || (dh->g == NULL)) { -+ DH_free(dh); - return (NULL); -+ } - return (dh); - } - #endif -@@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[]) - BIO_printf(bio_s_out, "Setting temp DH parameters\n"); - } else { - BIO_printf(bio_s_out, "Using default temp DH parameters\n"); -- dh = get_dh512(); -+ dh = get_dh1024(); - } - (void)BIO_flush(bio_s_out); - diff --git a/openssl-1.0.2a-default-paths.patch b/openssl-1.0.2c-default-paths.patch similarity index 50% rename from openssl-1.0.2a-default-paths.patch rename to openssl-1.0.2c-default-paths.patch index 6e02c6d..aa607be 100644 --- a/openssl-1.0.2a-default-paths.patch +++ b/openssl-1.0.2c-default-paths.patch 
@@ -1,38 +1,7 @@ -diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c ---- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200 -+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200 -@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv) - - SSL_CTX_set_verify(ctx, verify, verify_callback); - -- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) { -- /* -- * BIO_printf(bio_err,"error setting default verify locations\n"); -- */ -- ERR_print_errors(bio_err); -- /* goto end; */ -+ if (CAfile == NULL && CApath == NULL) { -+ if (!SSL_CTX_set_default_verify_paths(ctx)) { -+ ERR_print_errors(bio_err); -+ } -+ } else { -+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { -+ ERR_print_errors(bio_err); -+ } - } - -- ssl_ctx_add_crls(ctx, crls, crl_download); -- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain)) -- goto end; -- - #ifndef OPENSSL_NO_TLSEXT - if (servername != NULL) { - tlsextcbp.biodebug = bio_err; -diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c ---- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200 -@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[]) +diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c +--- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200 +@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[]) } #endif @@ -54,7 +23,7 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv if (vpm) SSL_CTX_set1_param(ctx, vpm); -@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[]) +@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[]) else SSL_CTX_sess_set_cache_size(ctx2, 128); 
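Review bot: The rebased default-paths patch drops its whole apps/s_client.c section without explanation, so only s_server.c and s_time.c keep the downstream choice between default and explicitly given verify locations. If 1.0.2c's s_client.c still calls both `SSL_CTX_load_verify_locations()` and `SSL_CTX_set_default_verify_paths()`, as the removed hunk's old side shows for 1.0.2a, then `s_client` run with `-CAfile`/`-CApath` will again also trust the system default store, unlike the other two tools. If the section was dropped only because it no longer applied, it should be regenerated against 1.0.2c, this time without the deletion of the `ssl_ctx_add_crls()` and `set_cert_key_stuff()` calls that the old hunk carried. If the removal is intentional, a line in the commit message or spec changelog saying so would help.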
@@ -67,9 +36,9 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv ERR_print_errors(bio_err); } if (vpm) -diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c ---- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200 -+++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200 +diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c +--- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200 @@ -381,13 +381,14 @@ int MAIN(int argc, char **argv) SSL_load_error_strings(); diff --git a/openssl-1.0.2a-ecc-suiteb.patch b/openssl-1.0.2c-ecc-suiteb.patch similarity index 83% rename from openssl-1.0.2a-ecc-suiteb.patch rename to openssl-1.0.2c-ecc-suiteb.patch index 5b27fdc..dfcae76 100644 --- a/openssl-1.0.2a-ecc-suiteb.patch +++ b/openssl-1.0.2c-ecc-suiteb.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c ---- openssl-1.0.2a/apps/speed.c.suiteb 2015-04-21 17:46:15.452321183 +0200 -+++ openssl-1.0.2a/apps/speed.c 2015-04-22 14:52:45.362272296 +0200 +diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c +--- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200 ++++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200 @@ -996,78 +996,26 @@ int MAIN(int argc, char **argv) } else # endif 
@@ -122,52 +122,48 @@ diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c ecdh_doit[i] = 1; # endif } -diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c ---- openssl-1.0.2a/ssl/t1_lib.c.suiteb 2015-04-21 17:46:15.506322451 +0200 -+++ openssl-1.0.2a/ssl/t1_lib.c 2015-04-22 15:03:32.464591096 +0200 -@@ -266,41 +266,30 @@ static const unsigned char eccurves_defa - 0, 13, /* sect571k1 (13) */ - # endif +diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c +--- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200 ++++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200 +@@ -268,11 +268,7 @@ static const unsigned char eccurves_auto + 0, 23, /* secp256r1 (23) */ + /* Other >= 256-bit prime curves. */ 0, 25, /* secp521r1 (25) */ - 0, 28, /* brainpool512r1 (28) */ - # ifndef OPENSSL_NO_EC2M - 0, 11, /* sect409k1 (11) */ - 0, 12, /* sect409r1 (12) */ - # endif - 0, 27, /* brainpoolP384r1 (27) */ 0, 24, /* secp384r1 (24) */ - # ifndef OPENSSL_NO_EC2M - 0, 9, /* sect283k1 (9) */ - 0, 10, /* sect283r1 (10) */ - # endif - 0, 26, /* brainpoolP256r1 (26) */ - 0, 22, /* secp256k1 (22) */ - 0, 23, /* secp256r1 (23) */ # ifndef OPENSSL_NO_EC2M - 0, 8, /* sect239k1 (8) */ - 0, 6, /* sect233k1 (6) */ - 0, 7, /* sect233r1 (7) */ - # endif + /* >= 256-bit binary curves. */ + 0, 14, /* sect571r1 (14) */ +@@ -289,11 +285,7 @@ static const unsigned char eccurves_all[ + 0, 23, /* secp256r1 (23) */ + /* Other >= 256-bit prime curves. */ + 0, 25, /* secp521r1 (25) */ +- 0, 28, /* brainpool512r1 (28) */ +- 0, 27, /* brainpoolP384r1 (27) */ + 0, 24, /* secp384r1 (24) */ +- 0, 26, /* brainpoolP256r1 (26) */ +- 0, 22, /* secp256k1 (22) */ + # ifndef OPENSSL_NO_EC2M + /* >= 256-bit binary curves. */ + 0, 14, /* sect571r1 (14) */ +@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[ + * Remaining curves disabled by default but still permitted if set + * via an explicit callback or parameters. 
+ */ - 0, 20, /* secp224k1 (20) */ - 0, 21, /* secp224r1 (21) */ - # ifndef OPENSSL_NO_EC2M - 0, 4, /* sect193r1 (4) */ - 0, 5, /* sect193r2 (5) */ - # endif - 0, 18, /* secp192k1 (18) */ - 0, 19, /* secp192r1 (19) */ - # ifndef OPENSSL_NO_EC2M - 0, 1, /* sect163k1 (1) */ - 0, 2, /* sect163r1 (2) */ - 0, 3, /* sect163r2 (3) */ - # endif - 0, 15, /* secp160k1 (15) */ - 0, 16, /* secp160r1 (16) */ - 0, 17, /* secp160r2 (17) */ - }; - - static const unsigned char suiteb_curves[] = { -@@ -325,29 +314,21 @@ static const unsigned char fips_curves_d + # ifndef OPENSSL_NO_EC2M + 0, 8, /* sect239k1 (8) */ + 0, 6, /* sect233k1 (6) */ +@@ -348,29 +333,21 @@ static const unsigned char fips_curves_d 0, 9, /* sect283k1 (9) */ 0, 10, /* sect283r1 (10) */ # endif diff --git a/openssl-1.0.2a-fips.patch b/openssl-1.0.2c-fips.patch similarity index 95% rename from openssl-1.0.2a-fips.patch rename to openssl-1.0.2c-fips.patch index 81bed3a..b23368d 100644 --- a/openssl-1.0.2a-fips.patch +++ b/openssl-1.0.2c-fips.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.2a/apps/speed.c.fips openssl-1.0.2a/apps/speed.c ---- openssl-1.0.2a/apps/speed.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/speed.c 2015-04-22 16:08:40.284245465 +0200 +diff -up openssl-1.0.2c/apps/speed.c.fips openssl-1.0.2c/apps/speed.c +--- openssl-1.0.2c/apps/speed.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:29:59.999283776 +0200 @@ -197,7 +197,6 @@ # ifdef OPENSSL_DOING_MAKEDEPEND # undef AES_set_encrypt_key 
@@ -133,10 +133,10 @@ diff -up openssl-1.0.2a/apps/speed.c.fips openssl-1.0.2a/apps/speed.c HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...", 16, EVP_md5(), NULL); -diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure ---- openssl-1.0.2a/Configure.fips 2015-04-22 16:08:40.266245039 +0200 -+++ openssl-1.0.2a/Configure 2015-04-22 16:08:40.284245465 +0200 -@@ -1040,11 +1040,6 @@ if (defined($disabled{"md5"}) || defined +diff -up openssl-1.0.2c/Configure.fips openssl-1.0.2c/Configure +--- openssl-1.0.2c/Configure.fips 2015-06-15 17:29:59.982283387 +0200 ++++ openssl-1.0.2c/Configure 2015-06-15 17:29:59.999283776 +0200 +@@ -1057,11 +1057,6 @@ if (defined($disabled{"md5"}) || defined $disabled{"ssl2"} = "forced"; } @@ -148,7 +148,7 @@ diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure # RSAX ENGINE sets default non-FIPS RSA method. if ($fips) { -@@ -1532,7 +1527,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b +@@ -1550,7 +1545,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b if ($fips) { $openssl_other_defines.="#define OPENSSL_FIPS\n"; @@ -156,7 +156,7 @@ diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure } $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); -@@ -1724,9 +1718,12 @@ while () +@@ -1751,9 +1745,12 @@ while () s/^FIPSDIR=.*/FIPSDIR=$fipsdir/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; 
@@ -170,9 +170,9 @@ diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.2a/crypto/aes/aes_misc.c.fips openssl-1.0.2a/crypto/aes/aes_misc.c ---- openssl-1.0.2a/crypto/aes/aes_misc.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/aes/aes_misc.c 2015-04-22 16:08:40.284245465 +0200 +diff -up openssl-1.0.2c/crypto/aes/aes_misc.c.fips openssl-1.0.2c/crypto/aes/aes_misc.c +--- openssl-1.0.2c/crypto/aes/aes_misc.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/aes/aes_misc.c 2015-06-15 17:29:59.999283776 +0200 @@ -70,17 +70,11 @@ const char *AES_options(void) int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) @@ -191,9 +191,9 @@ diff -up openssl-1.0.2a/crypto/aes/aes_misc.c.fips openssl-1.0.2a/crypto/aes/aes -#endif return private_AES_set_decrypt_key(userKey, bits, key); } -diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac.c ---- openssl-1.0.2a/crypto/cmac/cmac.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/cmac/cmac.c 2015-04-22 16:08:40.284245465 +0200 +diff -up openssl-1.0.2c/crypto/cmac/cmac.c.fips openssl-1.0.2c/crypto/cmac/cmac.c +--- openssl-1.0.2c/crypto/cmac/cmac.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/cmac/cmac.c 2015-06-15 17:29:59.999283776 +0200 @@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) 
@@ -207,7 +207,7 @@ diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac. EVP_CIPHER_CTX_cleanup(&ctx->cctx); OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); -@@ -158,12 +152,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void +@@ -160,12 +154,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS); return 0; } @@ -220,7 +220,7 @@ diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac. } #endif /* All zeros means restart */ -@@ -209,10 +197,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi +@@ -211,10 +199,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi { const unsigned char *data = in; size_t bl; @@ -231,7 +231,7 @@ diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; if (dlen == 0) -@@ -252,10 +236,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi +@@ -254,10 +238,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) { int i, bl, lb; @@ -242,9 +242,9 @@ diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); -diff -up openssl-1.0.2a/crypto/crypto.h.fips openssl-1.0.2a/crypto/crypto.h ---- openssl-1.0.2a/crypto/crypto.h.fips 2015-04-22 16:08:40.161242552 +0200 -+++ openssl-1.0.2a/crypto/crypto.h 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2c/crypto/crypto.h.fips openssl-1.0.2c/crypto/crypto.h +--- openssl-1.0.2c/crypto/crypto.h.fips 2015-06-15 17:29:59.886281188 +0200 ++++ openssl-1.0.2c/crypto/crypto.h 2015-06-15 17:29:59.999283776 +0200 @@ -600,24 +600,29 @@ int FIPS_mode_set(int r); void OPENSSL_init(void); 
@@ -290,9 +290,9 @@ diff -up openssl-1.0.2a/crypto/crypto.h.fips openssl-1.0.2a/crypto/crypto.h /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.2a/crypto/des/des.h.fips openssl-1.0.2a/crypto/des/des.h ---- openssl-1.0.2a/crypto/des/des.h.fips 2015-04-22 16:08:40.191243263 +0200 -+++ openssl-1.0.2a/crypto/des/des.h 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2c/crypto/des/des.h.fips openssl-1.0.2c/crypto/des/des.h +--- openssl-1.0.2c/crypto/des/des.h.fips 2015-06-15 17:29:59.915281852 +0200 ++++ openssl-1.0.2c/crypto/des/des.h 2015-06-15 17:30:00.000283799 +0200 @@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, D int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule); @@ -304,9 +304,9 @@ diff -up openssl-1.0.2a/crypto/des/des.h.fips openssl-1.0.2a/crypto/des/des.h void DES_string_to_key(const char *str, DES_cblock *key); void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, -diff -up openssl-1.0.2a/crypto/des/set_key.c.fips openssl-1.0.2a/crypto/des/set_key.c ---- openssl-1.0.2a/crypto/des/set_key.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/des/set_key.c 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2c/crypto/des/set_key.c.fips openssl-1.0.2c/crypto/des/set_key.c +--- openssl-1.0.2c/crypto/des/set_key.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/des/set_key.c 2015-06-15 17:30:00.000283799 +0200 @@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock } 
@@ -323,9 +323,9 @@ diff -up openssl-1.0.2a/crypto/des/set_key.c.fips openssl-1.0.2a/crypto/des/set_ { static const int shifts2[16] = { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 }; -diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips openssl-1.0.2a/crypto/dh/dh_gen.c ---- openssl-1.0.2a/crypto/dh/dh_gen.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dh/dh_gen.c 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2c/crypto/dh/dh_gen.c.fips openssl-1.0.2c/crypto/dh/dh_gen.c +--- openssl-1.0.2c/crypto/dh/dh_gen.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dh/dh_gen.c 2015-06-15 17:30:00.000283799 +0200 @@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, i #endif if (ret->meth->generate_params) @@ -356,9 +356,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips openssl-1.0.2a/crypto/dh/dh_gen. ctx = BN_CTX_new(); if (ctx == NULL) goto err; -diff -up openssl-1.0.2a/crypto/dh/dh.h.fips openssl-1.0.2a/crypto/dh/dh.h ---- openssl-1.0.2a/crypto/dh/dh.h.fips 2015-04-22 16:08:40.134241913 +0200 -+++ openssl-1.0.2a/crypto/dh/dh.h 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2c/crypto/dh/dh.h.fips openssl-1.0.2c/crypto/dh/dh.h +--- openssl-1.0.2c/crypto/dh/dh.h.fips 2015-06-15 17:29:59.860280593 +0200 ++++ openssl-1.0.2c/crypto/dh/dh.h 2015-06-15 17:30:00.000283799 +0200 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 # endif 
@@ -368,9 +368,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh.h.fips openssl-1.0.2a/crypto/dh/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 /* -diff -up openssl-1.0.2a/crypto/dh/dh_key.c.fips openssl-1.0.2a/crypto/dh/dh_key.c ---- openssl-1.0.2a/crypto/dh/dh_key.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dh/dh_key.c 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2c/crypto/dh/dh_key.c.fips openssl-1.0.2c/crypto/dh/dh_key.c +--- openssl-1.0.2c/crypto/dh/dh_key.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dh/dh_key.c 2015-06-15 17:30:00.000283799 +0200 @@ -61,6 +61,9 @@ #include #include @@ -438,9 +438,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh_key.c.fips openssl-1.0.2a/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return (1); } -diff -up openssl-1.0.2a/crypto/dh/dh_lib.c.fips openssl-1.0.2a/crypto/dh/dh_lib.c ---- openssl-1.0.2a/crypto/dh/dh_lib.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dh/dh_lib.c 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2c/crypto/dh/dh_lib.c.fips openssl-1.0.2c/crypto/dh/dh_lib.c +--- openssl-1.0.2c/crypto/dh/dh_lib.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dh/dh_lib.c 2015-06-15 17:30:00.000283799 +0200 @@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METH const DH_METHOD *DH_get_default_method(void) { @@ -456,9 +456,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh_lib.c.fips openssl-1.0.2a/crypto/dh/dh_lib. } return default_DH_method; } -diff -up openssl-1.0.2a/crypto/dsa/dsa_err.c.fips openssl-1.0.2a/crypto/dsa/dsa_err.c ---- openssl-1.0.2a/crypto/dsa/dsa_err.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_err.c 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsa_err.c.fips openssl-1.0.2c/crypto/dsa/dsa_err.c +--- openssl-1.0.2c/crypto/dsa/dsa_err.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsa_err.c 2015-06-15 17:30:00.001283822 +0200 
@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[] {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"}, {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, @@ -477,9 +477,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_err.c.fips openssl-1.0.2a/crypto/dsa/dsa_ {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"}, -diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_gen.c ---- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_gen.c 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsa_gen.c.fips openssl-1.0.2c/crypto/dsa/dsa_gen.c +--- openssl-1.0.2c/crypto/dsa/dsa_gen.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsa_gen.c 2015-06-15 17:30:00.001283822 +0200 @@ -91,6 +91,16 @@ # include # endif @@ -703,7 +703,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ if (!BN_GENCB_call(cb, 0, m++)) goto err; -@@ -212,29 +291,18 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -213,29 +292,18 @@ int dsa_builtin_paramgen(DSA *ret, size_ * be bad */ } memcpy(buf, seed, qsize); @@ -736,7 +736,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, seed_is_random, cb); if (r > 0) -@@ -242,8 +310,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -243,8 +311,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (r != 0) goto err; @@ -745,7 +745,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ } if (!BN_GENCB_call(cb, 2, 0)) -@@ -251,19 +317,16 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -252,19 +318,16 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!BN_GENCB_call(cb, 3, 0)) goto err; 
@@ -768,7 +768,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ for (k = 0; k <= n; k++) { /* * obtain "SEED + offset + k" by incrementing: -@@ -277,36 +340,37 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -278,36 +341,37 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) goto err; @@ -814,7 +814,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb); if (r > 0) goto end; /* found it */ -@@ -314,12 +378,12 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -315,12 +379,12 @@ int dsa_builtin_paramgen(DSA *ret, size_ goto err; } @@ -830,7 +830,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ break; } } -@@ -327,7 +391,33 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -328,7 +392,33 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!BN_GENCB_call(cb, 2, 1)) goto err; @@ -865,7 +865,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ /* Set r0=(p-1)/q */ if (!BN_sub(test, p, BN_value_one())) goto err; -@@ -356,46 +446,14 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -357,46 +447,14 @@ int dsa_builtin_paramgen(DSA *ret, size_ ok = 1; err: if (ok) { @@ -912,7 +912,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ /* * This is a parameter generation algorithm for the DSA2 algorithm as * described in FIPS 186-3. -@@ -421,14 +479,6 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -422,14 +480,6 @@ int dsa_builtin_paramgen2(DSA *ret, size EVP_MD_CTX mctx; unsigned int h = 2; 
@@ -927,9 +927,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ EVP_MD_CTX_init(&mctx); if (evpmd == NULL) { -diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips openssl-1.0.2a/crypto/dsa/dsa.h ---- openssl-1.0.2a/crypto/dsa/dsa.h.fips 2015-04-22 16:08:40.056240066 +0200 -+++ openssl-1.0.2a/crypto/dsa/dsa.h 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsa.h.fips openssl-1.0.2c/crypto/dsa/dsa.h +--- openssl-1.0.2c/crypto/dsa/dsa.h.fips 2015-06-15 17:29:59.784278853 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsa.h 2015-06-15 17:30:00.001283822 +0200 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 # endif @@ -997,9 +997,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips openssl-1.0.2a/crypto/dsa/dsa.h # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 -diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips openssl-1.0.2a/crypto/dsa/dsa_key.c ---- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsa_key.c.fips openssl-1.0.2c/crypto/dsa/dsa_key.c +--- openssl-1.0.2c/crypto/dsa/dsa_key.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsa_key.c 2015-06-15 17:30:00.001283822 +0200 @@ -66,6 +66,34 @@ # ifdef OPENSSL_FIPS @@ -1075,9 +1075,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips openssl-1.0.2a/crypto/dsa/dsa_ ok = 1; err: -diff -up openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips openssl-1.0.2a/crypto/dsa/dsa_lib.c ---- openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_lib.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsa_lib.c.fips openssl-1.0.2c/crypto/dsa/dsa_lib.c +--- openssl-1.0.2c/crypto/dsa/dsa_lib.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsa_lib.c 2015-06-15 17:30:00.001283822 +0200 
@@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_ME const DSA_METHOD *DSA_get_default_method(void) { @@ -1093,9 +1093,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips openssl-1.0.2a/crypto/dsa/dsa_ } return default_DSA_method; } -diff -up openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips openssl-1.0.2a/crypto/dsa/dsa_locl.h ---- openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips 2015-04-22 16:08:40.058240114 +0200 -+++ openssl-1.0.2a/crypto/dsa/dsa_locl.h 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsa_locl.h.fips openssl-1.0.2c/crypto/dsa/dsa_locl.h +--- openssl-1.0.2c/crypto/dsa/dsa_locl.h.fips 2015-06-15 17:29:59.786278898 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsa_locl.h 2015-06-15 17:30:00.002283845 +0200 @@ -56,7 +56,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, @@ -1105,9 +1105,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips openssl-1.0.2a/crypto/dsa/dsa int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); -diff -up openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2a/crypto/dsa/dsa_ossl.c ---- openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_ossl.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2c/crypto/dsa/dsa_ossl.c +--- openssl-1.0.2c/crypto/dsa/dsa_ossl.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsa_ossl.c 2015-06-15 17:30:00.002283845 +0200 @@ -65,6 +65,9 @@ #include #include 
@@ -1176,9 +1176,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2a/crypto/dsa/dsa dsa->flags |= DSA_FLAG_CACHE_MONT_P; return (1); } -diff -up openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2a/crypto/dsa/dsa_pmeth.c ---- openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_pmeth.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2c/crypto/dsa/dsa_pmeth.c +--- openssl-1.0.2c/crypto/dsa/dsa_pmeth.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsa_pmeth.c 2015-06-15 17:30:00.002283845 +0200 @@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT if (!dsa) return 0; @@ -1188,9 +1188,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2a/crypto/dsa/ds if (ret) EVP_PKEY_assign_DSA(pkey, dsa); else -diff -up openssl-1.0.2a/crypto/dsa/dsatest.c.fips openssl-1.0.2a/crypto/dsa/dsatest.c ---- openssl-1.0.2a/crypto/dsa/dsatest.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsatest.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2c/crypto/dsa/dsatest.c.fips openssl-1.0.2c/crypto/dsa/dsatest.c +--- openssl-1.0.2c/crypto/dsa/dsatest.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/dsa/dsatest.c 2015-06-15 17:30:00.002283845 +0200 @@ -100,36 +100,41 @@ static int MS_CALLBACK dsa_cb(int p, int * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ 
@@ -1274,9 +1274,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsatest.c.fips openssl-1.0.2a/crypto/dsa/dsat goto end; } if (h != 2) { -diff -up openssl-1.0.2a/crypto/engine/eng_all.c.fips openssl-1.0.2a/crypto/engine/eng_all.c ---- openssl-1.0.2a/crypto/engine/eng_all.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2c/crypto/engine/eng_all.c.fips openssl-1.0.2c/crypto/engine/eng_all.c +--- openssl-1.0.2c/crypto/engine/eng_all.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/engine/eng_all.c 2015-06-15 17:30:00.002283845 +0200 @@ -59,11 +59,25 @@ #include "cryptlib.h" @@ -1303,9 +1303,9 @@ diff -up openssl-1.0.2a/crypto/engine/eng_all.c.fips openssl-1.0.2a/crypto/engin #if 0 /* * There's no longer any need for an "openssl" ENGINE unless, one day, it -diff -up openssl-1.0.2a/crypto/evp/c_allc.c.fips openssl-1.0.2a/crypto/evp/c_allc.c ---- openssl-1.0.2a/crypto/evp/c_allc.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2c/crypto/evp/c_allc.c.fips openssl-1.0.2c/crypto/evp/c_allc.c +--- openssl-1.0.2c/crypto/evp/c_allc.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/c_allc.c 2015-06-15 17:30:00.002283845 +0200 @@ -65,6 +65,10 @@ void OpenSSL_add_all_ciphers(void) { 
@@ -1382,9 +1382,9 @@ diff -up openssl-1.0.2a/crypto/evp/c_allc.c.fips openssl-1.0.2a/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.2a/crypto/evp/c_alld.c.fips openssl-1.0.2a/crypto/evp/c_alld.c ---- openssl-1.0.2a/crypto/evp/c_alld.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/c_alld.c 2015-04-22 16:08:40.288245560 +0200 +diff -up openssl-1.0.2c/crypto/evp/c_alld.c.fips openssl-1.0.2c/crypto/evp/c_alld.c +--- openssl-1.0.2c/crypto/evp/c_alld.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/c_alld.c 2015-06-15 17:30:00.003283868 +0200 @@ -64,51 +64,81 @@ void OpenSSL_add_all_digests(void) @@ -1490,9 +1490,9 @@ diff -up openssl-1.0.2a/crypto/evp/c_alld.c.fips openssl-1.0.2a/crypto/evp/c_all + } #endif } -diff -up openssl-1.0.2a/crypto/evp/digest.c.fips openssl-1.0.2a/crypto/evp/digest.c ---- openssl-1.0.2a/crypto/evp/digest.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/digest.c 2015-04-22 16:08:40.288245560 +0200 +diff -up openssl-1.0.2c/crypto/evp/digest.c.fips openssl-1.0.2c/crypto/evp/digest.c +--- openssl-1.0.2c/crypto/evp/digest.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/digest.c 2015-06-15 17:30:00.003283868 +0200 @@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } 
@@ -1651,10 +1651,10 @@ diff -up openssl-1.0.2a/crypto/evp/digest.c.fips openssl-1.0.2a/crypto/evp/diges memset(ctx, '\0', sizeof *ctx); return 1; -diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes.c ---- openssl-1.0.2a/crypto/evp/e_aes.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 16:08:40.288245560 +0200 -@@ -59,9 +59,6 @@ +diff -up openssl-1.0.2c/crypto/evp/e_aes.c.fips openssl-1.0.2c/crypto/evp/e_aes.c +--- openssl-1.0.2c/crypto/evp/e_aes.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/e_aes.c 2015-06-15 17:30:00.003283868 +0200 +@@ -60,9 +60,6 @@ # include "modes_lcl.h" # include @@ -1664,7 +1664,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes. typedef struct { union { double align; -@@ -1158,6 +1155,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * +@@ -1159,6 +1156,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * case EVP_CTRL_GCM_SET_IVLEN: if (arg <= 0) return 0; @@ -1676,7 +1676,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes. /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != c->iv) -@@ -1726,6 +1728,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -1727,6 +1729,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; 
@@ -1691,9 +1691,9 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes. if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, ctx->iv); -diff -up openssl-1.0.2a/crypto/evp/e_des3.c.fips openssl-1.0.2a/crypto/evp/e_des3.c ---- openssl-1.0.2a/crypto/evp/e_des3.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 16:08:40.288245560 +0200 +diff -up openssl-1.0.2c/crypto/evp/e_des3.c.fips openssl-1.0.2c/crypto/evp/e_des3.c +--- openssl-1.0.2c/crypto/evp/e_des3.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/e_des3.c 2015-06-15 17:30:00.003283868 +0200 @@ -65,10 +65,6 @@ # include # include @@ -1705,9 +1705,9 @@ diff -up openssl-1.0.2a/crypto/evp/e_des3.c.fips openssl-1.0.2a/crypto/evp/e_des typedef struct { union { double align; -diff -up openssl-1.0.2a/crypto/evp/e_null.c.fips openssl-1.0.2a/crypto/evp/e_null.c ---- openssl-1.0.2a/crypto/evp/e_null.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/e_null.c 2015-04-22 16:08:40.288245560 +0200 +diff -up openssl-1.0.2c/crypto/evp/e_null.c.fips openssl-1.0.2c/crypto/evp/e_null.c +--- openssl-1.0.2c/crypto/evp/e_null.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/e_null.c 2015-06-15 17:30:00.003283868 +0200 @@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *c static const EVP_CIPHER n_cipher = { NID_undef, 
@@ -1717,9 +1717,9 @@ diff -up openssl-1.0.2a/crypto/evp/e_null.c.fips openssl-1.0.2a/crypto/evp/e_nul null_init_key, null_cipher, NULL, -diff -up openssl-1.0.2a/crypto/evp/evp_enc.c.fips openssl-1.0.2a/crypto/evp/evp_enc.c ---- openssl-1.0.2a/crypto/evp/evp_enc.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/evp_enc.c 2015-04-22 16:08:40.289245583 +0200 +diff -up openssl-1.0.2c/crypto/evp/evp_enc.c.fips openssl-1.0.2c/crypto/evp/evp_enc.c +--- openssl-1.0.2c/crypto/evp/evp_enc.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/evp_enc.c 2015-06-15 17:30:00.004283891 +0200 @@ -69,16 +69,73 @@ #endif #include "evp_locl.h" @@ -1887,10 +1887,10 @@ diff -up openssl-1.0.2a/crypto/evp/evp_enc.c.fips openssl-1.0.2a/crypto/evp/evp_ memset(c, 0, sizeof(EVP_CIPHER_CTX)); return 1; } -diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h ---- openssl-1.0.2a/crypto/evp/evp.h.fips 2015-04-22 16:08:40.174242860 +0200 -+++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 16:08:40.289245583 +0200 -@@ -123,6 +123,10 @@ +diff -up openssl-1.0.2c/crypto/evp/evp.h.fips openssl-1.0.2c/crypto/evp/evp.h +--- openssl-1.0.2c/crypto/evp/evp.h.fips 2015-06-15 17:29:59.898281463 +0200 ++++ openssl-1.0.2c/crypto/evp/evp.h 2015-06-15 17:30:00.004283891 +0200 +@@ -122,6 +122,10 @@ extern "C" { #endif @@ -1901,7 +1901,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h /* * Type needs to be a bit field Sub-type needs to be for variations on the * method, as in, can it do arbitrary encryption.... -@@ -286,11 +290,6 @@ struct env_md_ctx_st { +@@ -285,11 +289,6 @@ struct env_md_ctx_st { * cleaned */ # define EVP_MD_CTX_FLAG_REUSE 0x0004/* Don't free up ctx->md_data * in EVP_MD_CTX_cleanup */ 
@@ -1913,7 +1913,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h # define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008/* Allow use of non FIPS * digest in FIPS mode */ -@@ -303,6 +302,10 @@ struct env_md_ctx_st { +@@ -302,6 +301,10 @@ struct env_md_ctx_st { # define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00/* PKCS#1 v1.5 mode */ # define EVP_MD_CTX_FLAG_PAD_X931 0x10/* X9.31 mode */ # define EVP_MD_CTX_FLAG_PAD_PSS 0x20/* PSS mode */ @@ -1924,7 +1924,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h # define EVP_MD_CTX_FLAG_NO_INIT 0x0100/* Don't initialize md_data */ -@@ -364,15 +367,15 @@ struct evp_cipher_st { +@@ -363,15 +366,15 @@ struct evp_cipher_st { /* cipher handles random key generation */ # define EVP_CIPH_RAND_KEY 0x200 /* cipher has its own additional copying logic */ @@ -1943,9 +1943,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h /* * Cipher handles any and all padding logic as well as finalisation. */ -diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_lib.c ---- openssl-1.0.2a/crypto/evp/evp_lib.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/evp_lib.c 2015-04-22 16:10:58.297513170 +0200 +diff -up openssl-1.0.2c/crypto/evp/evp_lib.c.fips openssl-1.0.2c/crypto/evp/evp_lib.c +--- openssl-1.0.2c/crypto/evp/evp_lib.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/evp_lib.c 2015-06-15 17:30:00.004283891 +0200 @@ -60,10 +60,6 @@ #include "cryptlib.h" #include 
@@ -2031,9 +2031,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_ return md->flags; } -diff -up openssl-1.0.2a/crypto/evp/evp_locl.h.fips openssl-1.0.2a/crypto/evp/evp_locl.h ---- openssl-1.0.2a/crypto/evp/evp_locl.h.fips 2015-04-22 16:08:40.170242766 +0200 -+++ openssl-1.0.2a/crypto/evp/evp_locl.h 2015-04-22 16:08:40.289245583 +0200 +diff -up openssl-1.0.2c/crypto/evp/evp_locl.h.fips openssl-1.0.2c/crypto/evp/evp_locl.h +--- openssl-1.0.2c/crypto/evp/evp_locl.h.fips 2015-06-15 17:29:59.895281394 +0200 ++++ openssl-1.0.2c/crypto/evp/evp_locl.h 2015-06-15 17:30:00.004283891 +0200 @@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ @@ -2067,9 +2067,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp_locl.h.fips openssl-1.0.2a/crypto/evp/evp # define Camellia_set_key private_Camellia_set_key #endif -diff -up openssl-1.0.2a/crypto/evp/m_dss.c.fips openssl-1.0.2a/crypto/evp/m_dss.c ---- openssl-1.0.2a/crypto/evp/m_dss.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/m_dss.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2c/crypto/evp/m_dss.c.fips openssl-1.0.2c/crypto/evp/m_dss.c +--- openssl-1.0.2c/crypto/evp/m_dss.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/m_dss.c 2015-06-15 17:30:00.004283891 +0200 @@ -86,7 +86,7 @@ static const EVP_MD dsa_md = { NID_dsaWithSHA, NID_dsaWithSHA, 
@@ -2079,9 +2079,9 @@ diff -up openssl-1.0.2a/crypto/evp/m_dss.c.fips openssl-1.0.2a/crypto/evp/m_dss. init, update, final, -diff -up openssl-1.0.2a/crypto/evp/m_dss1.c.fips openssl-1.0.2a/crypto/evp/m_dss1.c ---- openssl-1.0.2a/crypto/evp/m_dss1.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/m_dss1.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2c/crypto/evp/m_dss1.c.fips openssl-1.0.2c/crypto/evp/m_dss1.c +--- openssl-1.0.2c/crypto/evp/m_dss1.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/m_dss1.c 2015-06-15 17:30:00.004283891 +0200 @@ -87,7 +87,7 @@ static const EVP_MD dss1_md = { NID_dsa, NID_dsaWithSHA1, @@ -2091,9 +2091,9 @@ diff -up openssl-1.0.2a/crypto/evp/m_dss1.c.fips openssl-1.0.2a/crypto/evp/m_dss init, update, final, -diff -up openssl-1.0.2a/crypto/evp/m_md2.c.fips openssl-1.0.2a/crypto/evp/m_md2.c ---- openssl-1.0.2a/crypto/evp/m_md2.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/m_md2.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2c/crypto/evp/m_md2.c.fips openssl-1.0.2c/crypto/evp/m_md2.c +--- openssl-1.0.2c/crypto/evp/m_md2.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/m_md2.c 2015-06-15 17:30:00.005283913 +0200 @@ -68,6 +68,7 @@ # ifndef OPENSSL_NO_RSA # include @@ -2102,9 +2102,9 @@ diff -up openssl-1.0.2a/crypto/evp/m_md2.c.fips openssl-1.0.2a/crypto/evp/m_md2. static int init(EVP_MD_CTX *ctx) { -diff -up openssl-1.0.2a/crypto/evp/m_sha1.c.fips openssl-1.0.2a/crypto/evp/m_sha1.c ---- openssl-1.0.2a/crypto/evp/m_sha1.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/m_sha1.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2c/crypto/evp/m_sha1.c.fips openssl-1.0.2c/crypto/evp/m_sha1.c +--- openssl-1.0.2c/crypto/evp/m_sha1.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/m_sha1.c 2015-06-15 17:30:00.005283913 +0200 
@@ -87,7 +87,8 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -2155,9 +2155,9 @@ diff -up openssl-1.0.2a/crypto/evp/m_sha1.c.fips openssl-1.0.2a/crypto/evp/m_sha init512, update512, final512, -diff -up openssl-1.0.2a/crypto/evp/p_sign.c.fips openssl-1.0.2a/crypto/evp/p_sign.c ---- openssl-1.0.2a/crypto/evp/p_sign.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/p_sign.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2c/crypto/evp/p_sign.c.fips openssl-1.0.2c/crypto/evp/p_sign.c +--- openssl-1.0.2c/crypto/evp/p_sign.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/p_sign.c 2015-06-15 17:30:00.005283913 +0200 @@ -61,6 +61,7 @@ #include #include @@ -2189,9 +2189,9 @@ diff -up openssl-1.0.2a/crypto/evp/p_sign.c.fips openssl-1.0.2a/crypto/evp/p_sig if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.2a/crypto/evp/p_verify.c.fips openssl-1.0.2a/crypto/evp/p_verify.c ---- openssl-1.0.2a/crypto/evp/p_verify.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/p_verify.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2c/crypto/evp/p_verify.c.fips openssl-1.0.2c/crypto/evp/p_verify.c +--- openssl-1.0.2c/crypto/evp/p_verify.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/evp/p_verify.c 2015-06-15 17:30:00.005283913 +0200 @@ -61,6 +61,7 @@ #include #include 
@@ -2223,9 +2223,9 @@ diff -up openssl-1.0.2a/crypto/evp/p_verify.c.fips openssl-1.0.2a/crypto/evp/p_v i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_aes_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_aes_selftest.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_aes_selftest.c.fips 2015-06-15 17:30:00.005283913 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_aes_selftest.c 2015-06-15 17:30:00.005283913 +0200 @@ -0,0 +1,365 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2592,9 +2592,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2a/cryp +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips.c.fips openssl-1.0.2a/crypto/fips/fips.c ---- openssl-1.0.2a/crypto/fips/fips.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips.c.fips openssl-1.0.2c/crypto/fips/fips.c +--- openssl-1.0.2c/crypto/fips/fips.c.fips 2015-06-15 17:30:00.006283936 +0200 ++++ openssl-1.0.2c/crypto/fips/fips.c 2015-06-15 17:30:00.006283936 +0200 @@ -0,0 +1,483 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -3079,9 +3079,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips.c.fips openssl-1.0.2a/crypto/fips/fips. +# endif + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_cmac_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_cmac_selftest.c.fips 2015-06-15 17:30:00.006283936 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_cmac_selftest.c 2015-06-15 17:30:00.006283936 +0200 @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -3239,9 +3239,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2a/cry + return rv; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_des_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_des_selftest.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_des_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_des_selftest.c.fips 2015-06-15 17:30:00.006283936 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_des_selftest.c 2015-06-15 17:30:00.006283936 +0200 @@ -0,0 +1,138 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -3381,9 +3381,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2a/cryp + return ret; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_ctr.c +--- openssl-1.0.2c/crypto/fips/fips_drbg_ctr.c.fips 2015-06-15 17:30:00.006283936 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_drbg_ctr.c 2015-06-15 17:30:00.006283936 +0200 @@ -0,0 +1,415 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3800,9 +3800,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2a/crypto/f + + return 1; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_hash.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips 2015-04-22 16:08:40.295245725 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_hash.c 2015-04-22 16:08:40.295245725 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_hash.c +--- openssl-1.0.2c/crypto/fips/fips_drbg_hash.c.fips 2015-06-15 17:30:00.006283936 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_drbg_hash.c 2015-06-15 17:30:00.006283936 +0200 @@ -0,0 +1,358 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -4162,9 +4162,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2a/crypto/ + + return 1; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips 2015-04-22 16:08:40.295245725 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c 2015-04-22 16:08:40.295245725 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_hmac.c +--- openssl-1.0.2c/crypto/fips/fips_drbg_hmac.c.fips 2015-06-15 17:30:00.006283936 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_drbg_hmac.c 2015-06-15 17:30:00.006283936 +0200 @@ -0,0 +1,270 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4436,9 +4436,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2a/crypto/ + + return 1; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_lib.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips 2015-04-22 16:08:40.295245725 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_lib.c 2015-04-22 16:08:40.295245725 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_lib.c +--- openssl-1.0.2c/crypto/fips/fips_drbg_lib.c.fips 2015-06-15 17:30:00.007283959 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_drbg_lib.c 2015-06-15 17:30:00.007283959 +0200 @@ -0,0 +1,553 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. 
@@ -4993,9 +4993,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2a/crypto/f + memcpy(dctx->lb, out, dctx->blocklength); + return 1; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips 2015-04-22 16:08:40.295245725 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_rand.c 2015-04-22 16:08:40.295245725 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.2c/crypto/fips/fips_drbg_rand.c.fips 2015-06-15 17:30:00.007283959 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_drbg_rand.c 2015-06-15 17:30:00.007283959 +0200 @@ -0,0 +1,166 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5163,9 +5163,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2a/crypto/ +{ + return &rand_drbg_meth; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips 2015-04-22 16:08:40.296245749 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c 2015-04-22 16:08:40.296245749 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_drbg_selftest.c.fips 2015-06-15 17:30:00.007283959 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_drbg_selftest.c 2015-06-15 17:30:00.007283959 +0200 @@ -0,0 +1,827 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -5994,9 +5994,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2a/cry + FIPS_drbg_free(dctx); + return rv; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h ---- openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2c/crypto/fips/fips_drbg_selftest.h +--- openssl-1.0.2c/crypto/fips/fips_drbg_selftest.h.fips 2015-06-15 17:30:00.008283982 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_drbg_selftest.h 2015-06-15 17:30:00.008283982 +0200 @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7789,9 +7789,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2a/cry + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -diff -up openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_dsa_selftest.c.fips 2015-06-15 17:30:00.008283982 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_dsa_selftest.c 2015-06-15 17:30:00.008283982 +0200 @@ -0,0 +1,192 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -7985,9 +7985,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2a/cryp + return ret; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_enc.c.fips openssl-1.0.2a/crypto/fips/fips_enc.c ---- openssl-1.0.2a/crypto/fips/fips_enc.c.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_enc.c 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_enc.c.fips openssl-1.0.2c/crypto/fips/fips_enc.c +--- openssl-1.0.2c/crypto/fips/fips_enc.c.fips 2015-06-15 17:30:00.009284005 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_enc.c 2015-06-15 17:30:00.009284005 +0200 @@ -0,0 +1,189 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -8178,9 +8178,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_enc.c.fips openssl-1.0.2a/crypto/fips/f + + } +} -diff -up openssl-1.0.2a/crypto/fips/fips.h.fips openssl-1.0.2a/crypto/fips/fips.h ---- openssl-1.0.2a/crypto/fips/fips.h.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips.h.fips openssl-1.0.2c/crypto/fips/fips.h +--- openssl-1.0.2c/crypto/fips/fips.h.fips 2015-06-15 17:30:00.009284005 +0200 ++++ openssl-1.0.2c/crypto/fips/fips.h 2015-06-15 17:30:00.009284005 +0200 @@ -0,0 +1,278 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -8460,9 +8460,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips.h.fips openssl-1.0.2a/crypto/fips/fips. +} +# endif +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_hmac_selftest.c.fips 2015-06-15 17:30:00.009284005 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_hmac_selftest.c 2015-06-15 17:30:00.009284005 +0200 @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -8598,9 +8598,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2a/cry + return 1; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_locl.h.fips openssl-1.0.2a/crypto/fips/fips_locl.h ---- openssl-1.0.2a/crypto/fips/fips_locl.h.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_locl.h 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_locl.h.fips openssl-1.0.2c/crypto/fips/fips_locl.h +--- openssl-1.0.2c/crypto/fips/fips_locl.h.fips 2015-06-15 17:30:00.009284005 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_locl.h 2015-06-15 17:30:00.009284005 +0200 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -8673,9 +8673,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_locl.h.fips openssl-1.0.2a/crypto/fips/ +} +# endif +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_md.c.fips openssl-1.0.2a/crypto/fips/fips_md.c ---- openssl-1.0.2a/crypto/fips/fips_md.c.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_md.c 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_md.c.fips openssl-1.0.2c/crypto/fips/fips_md.c +--- openssl-1.0.2c/crypto/fips/fips_md.c.fips 2015-06-15 17:30:00.009284005 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_md.c 2015-06-15 17:30:00.009284005 +0200 @@ -0,0 +1,144 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -8821,9 +8821,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_md.c.fips openssl-1.0.2a/crypto/fips/fi + return NULL; + } +} -diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips openssl-1.0.2a/crypto/fips/fips_post.c ---- openssl-1.0.2a/crypto/fips/fips_post.c.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_post.c.fips openssl-1.0.2c/crypto/fips/fips_post.c +--- openssl-1.0.2c/crypto/fips/fips_post.c.fips 2015-06-15 17:30:00.009284005 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_post.c 2015-06-15 17:30:00.009284005 +0200 @@ -0,0 +1,201 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -9026,9 +9026,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips openssl-1.0.2a/crypto/fips/ + return 1; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_rand.c.fips openssl-1.0.2a/crypto/fips/fips_rand.c ---- openssl-1.0.2a/crypto/fips/fips_rand.c.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand.c 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_rand.c.fips openssl-1.0.2c/crypto/fips/fips_rand.c +--- openssl-1.0.2c/crypto/fips/fips_rand.c.fips 2015-06-15 17:30:00.010284028 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_rand.c 2015-06-15 17:30:00.010284028 +0200 @@ -0,0 +1,428 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -9458,9 +9458,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand.c.fips openssl-1.0.2a/crypto/fips/ +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_rand.h.fips openssl-1.0.2a/crypto/fips/fips_rand.h ---- openssl-1.0.2a/crypto/fips/fips_rand.h.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand.h 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_rand.h.fips openssl-1.0.2c/crypto/fips/fips_rand.h +--- openssl-1.0.2c/crypto/fips/fips_rand.h.fips 2015-06-15 17:30:00.010284028 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_rand.h 2015-06-15 17:30:00.010284028 +0200 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -9625,9 +9625,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand.h.fips openssl-1.0.2a/crypto/fips/ +# endif +# endif +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2a/crypto/fips/fips_rand_lcl.h ---- openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand_lcl.h 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2c/crypto/fips/fips_rand_lcl.h +--- openssl-1.0.2c/crypto/fips/fips_rand_lcl.h.fips 2015-06-15 17:30:00.010284028 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_rand_lcl.h 2015-06-15 17:30:00.010284028 +0200 @@ -0,0 +1,213 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -9842,9 +9842,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2a/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2a/crypto/fips/fips_rand_lib.c ---- openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand_lib.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2c/crypto/fips/fips_rand_lib.c +--- openssl-1.0.2c/crypto/fips/fips_rand_lib.c.fips 2015-06-15 17:30:00.010284028 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_rand_lib.c 2015-06-15 17:30:00.010284028 +0200 @@ -0,0 +1,181 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -10027,9 +10027,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2a/crypto/f + } + return 0; +} -diff -up openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_rand_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand_selftest.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_rand_selftest.c.fips 2015-06-15 17:30:00.010284028 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_rand_selftest.c 2015-06-15 17:30:00.010284028 +0200 @@ -0,0 +1,176 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10207,9 +10207,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2a/cry +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_randtest.c.fips openssl-1.0.2a/crypto/fips/fips_randtest.c ---- openssl-1.0.2a/crypto/fips/fips_randtest.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_randtest.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_randtest.c.fips openssl-1.0.2c/crypto/fips/fips_randtest.c +--- openssl-1.0.2c/crypto/fips/fips_randtest.c.fips 2015-06-15 17:30:00.010284028 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_randtest.c 2015-06-15 17:30:00.010284028 +0200 @@ -0,0 +1,247 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. 
@@ -10458,9 +10458,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_randtest.c.fips openssl-1.0.2a/crypto/f +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_rsa_selftest.c.fips 2015-06-15 17:30:00.011284051 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_rsa_selftest.c 2015-06-15 17:30:00.011284051 +0200 @@ -0,0 +1,444 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -10906,9 +10906,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2a/cryp +} + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c ---- openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2c/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.2c/crypto/fips/fips_rsa_x931g.c.fips 2015-06-15 17:30:00.011284051 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_rsa_x931g.c 2015-06-15 17:30:00.011284051 +0200 @@ -0,0 +1,273 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 
@@ -11183,9 +11183,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2a/crypto/ + return 0; + +} -diff -up openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_sha_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips 2015-04-22 16:08:40.300245844 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_sha_selftest.c 2015-04-22 16:08:40.300245844 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_sha_selftest.c +--- openssl-1.0.2c/crypto/fips/fips_sha_selftest.c.fips 2015-06-15 17:30:00.011284051 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_sha_selftest.c 2015-06-15 17:30:00.011284051 +0200 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11332,9 +11332,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2a/cryp +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c ---- openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips 2015-04-22 19:05:28.500174541 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c 2015-04-22 19:20:28.777446278 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2c/crypto/fips/fips_standalone_hmac.c +--- openssl-1.0.2c/crypto/fips/fips_standalone_hmac.c.fips 2015-06-15 17:30:00.011284051 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_standalone_hmac.c 2015-06-15 17:30:00.011284051 +0200 @@ -0,0 +1,268 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -11604,9 +11604,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2a/c +#endif + return 0; +} -diff -up openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips openssl-1.0.2a/crypto/fips/fips_test_suite.c ---- openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips 2015-04-22 16:08:40.300245844 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_test_suite.c 2015-04-22 16:08:40.300245844 +0200 +diff -up openssl-1.0.2c/crypto/fips/fips_test_suite.c.fips openssl-1.0.2c/crypto/fips/fips_test_suite.c +--- openssl-1.0.2c/crypto/fips/fips_test_suite.c.fips 2015-06-15 17:30:00.012284074 +0200 ++++ openssl-1.0.2c/crypto/fips/fips_test_suite.c 2015-06-15 17:30:00.012284074 +0200 @@ -0,0 +1,639 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -12247,9 +12247,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips openssl-1.0.2a/crypto +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/Makefile.fips openssl-1.0.2a/crypto/fips/Makefile ---- openssl-1.0.2a/crypto/fips/Makefile.fips 2015-04-22 16:08:40.300245844 +0200 -+++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 16:08:40.300245844 +0200 +diff -up openssl-1.0.2c/crypto/fips/Makefile.fips openssl-1.0.2c/crypto/fips/Makefile +--- openssl-1.0.2c/crypto/fips/Makefile.fips 2015-06-15 17:30:00.012284074 +0200 ++++ openssl-1.0.2c/crypto/fips/Makefile 2015-06-15 17:30:00.012284074 +0200 @@ -0,0 +1,341 @@ +# +# OpenSSL/crypto/fips/Makefile 
@@ -12592,9 +12592,9 @@ diff -up openssl-1.0.2a/crypto/fips/Makefile.fips openssl-1.0.2a/crypto/fips/Mak +fips_sha_selftest.o: ../../include/openssl/safestack.h +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c -diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac.c ---- openssl-1.0.2a/crypto/hmac/hmac.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/hmac/hmac.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2c/crypto/hmac/hmac.c.fips openssl-1.0.2c/crypto/hmac/hmac.c +--- openssl-1.0.2c/crypto/hmac/hmac.c.fips 2015-06-12 16:51:27.000000000 +0200 ++++ openssl-1.0.2c/crypto/hmac/hmac.c 2015-06-15 17:33:11.707682908 +0200 @@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; @@ -12607,9 +12607,9 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. - return FIPS_hmac_init_ex(ctx, key, len, md, NULL); } #endif - -@@ -105,6 +99,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo - md = ctx->md; + /* If we are changing MD then we must have a key */ +@@ -111,6 +105,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + } if (key != NULL) { +#ifdef OPENSSL_FIPS @@ -12622,7 +12622,7 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. reset = 1; j = EVP_MD_block_size(md); OPENSSL_assert(j <= (int)sizeof(ctx->key)); -@@ -157,10 +158,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void +@@ -164,10 +165,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) { 
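Review bot: The `+#ifdef OPENSSL_FIPS` gate that the inner hmac.c hunk `@@ -111,6 +105,13 @@` adds under `if (key != NULL) {` has no visible comment linking it to the `FIPS_hmac_init_ex()` dispatch that the same patch deletes a few lines earlier. This is also the one section of the FIPS patch in view whose inner hunks were re-anchored (105 to 111, 157 to 164, 168 to 178, 211 to 225) rather than only re-stamped with new paths and dates. I would add `/* FIPS: checked here because the FIPS_hmac_init_ex() dispatch above is removed */` on the line before the gate, so a later rebase keeps it behind the "If we are changing MD then we must have a key" check that now appears as context. The same reasoning covers the `HMAC_Update` and `HMAC_Final` hunks that follow (`@@ -164,10 +165,6 @@`, `@@ -178,10 +175,6 @@`), where removing the FIPS dispatch leaves the code falling through to the `if (!ctx->md)` guards. The body of the gate lies outside the hunk, so what it actually tests could not be confirmed from here.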
@@ -12630,10 +12630,10 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. - if (FIPS_mode() && !ctx->i_ctx.engine) - return FIPS_hmac_update(ctx, data, len); -#endif - return EVP_DigestUpdate(&ctx->md_ctx, data, len); - } + if (!ctx->md) + return 0; -@@ -168,10 +165,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c +@@ -178,10 +175,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c { unsigned int i; unsigned char buf[EVP_MAX_MD_SIZE]; @@ -12642,9 +12642,9 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. - return FIPS_hmac_final(ctx, md, len); -#endif - if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) + if (!ctx->md) goto err; -@@ -211,12 +204,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C +@@ -225,12 +218,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C void HMAC_CTX_cleanup(HMAC_CTX *ctx) { @@ -12657,9 +12657,9 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); -diff -up openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2a/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/mdc2/mdc2dgst.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2c/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2c/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.2c/crypto/mdc2/mdc2dgst.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/mdc2/mdc2dgst.c 2015-06-15 17:30:00.012284074 +0200 @@ -76,7 +76,7 @@ *((c)++)=(unsigned char)(((l)>>24L)&0xff)) 
@@ -12669,9 +12669,9 @@ diff -up openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2a/crypto/mdc2/m { c->num = 0; c->pad_type = 1; -diff -up openssl-1.0.2a/crypto/md2/md2_dgst.c.fips openssl-1.0.2a/crypto/md2/md2_dgst.c ---- openssl-1.0.2a/crypto/md2/md2_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/md2/md2_dgst.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2c/crypto/md2/md2_dgst.c.fips openssl-1.0.2c/crypto/md2/md2_dgst.c +--- openssl-1.0.2c/crypto/md2/md2_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/md2/md2_dgst.c 2015-06-15 17:30:00.012284074 +0200 @@ -62,6 +62,11 @@ #include #include @@ -12693,9 +12693,9 @@ diff -up openssl-1.0.2a/crypto/md2/md2_dgst.c.fips openssl-1.0.2a/crypto/md2/md2 { c->num = 0; memset(c->state, 0, sizeof c->state); -diff -up openssl-1.0.2a/crypto/md4/md4_dgst.c.fips openssl-1.0.2a/crypto/md4/md4_dgst.c ---- openssl-1.0.2a/crypto/md4/md4_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/md4/md4_dgst.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2c/crypto/md4/md4_dgst.c.fips openssl-1.0.2c/crypto/md4/md4_dgst.c +--- openssl-1.0.2c/crypto/md4/md4_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/md4/md4_dgst.c 2015-06-15 17:30:00.013284097 +0200 @@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L 
@@ -12705,9 +12705,9 @@ diff -up openssl-1.0.2a/crypto/md4/md4_dgst.c.fips openssl-1.0.2a/crypto/md4/md4 { memset(c, 0, sizeof(*c)); c->A = INIT_DATA_A; -diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.fips openssl-1.0.2a/crypto/md5/md5_dgst.c ---- openssl-1.0.2a/crypto/md5/md5_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2c/crypto/md5/md5_dgst.c.fips openssl-1.0.2c/crypto/md5/md5_dgst.c +--- openssl-1.0.2c/crypto/md5/md5_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/md5/md5_dgst.c 2015-06-15 17:30:00.013284097 +0200 @@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -12717,9 +12717,9 @@ diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.fips openssl-1.0.2a/crypto/md5/md5 { memset(c, 0, sizeof(*c)); c->A = INIT_DATA_A; -diff -up openssl-1.0.2a/crypto/o_fips.c.fips openssl-1.0.2a/crypto/o_fips.c ---- openssl-1.0.2a/crypto/o_fips.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/o_fips.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2c/crypto/o_fips.c.fips openssl-1.0.2c/crypto/o_fips.c +--- openssl-1.0.2c/crypto/o_fips.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/o_fips.c 2015-06-15 17:30:00.013284097 +0200 @@ -80,6 +80,8 @@ int FIPS_mode_set(int r) # ifndef FIPS_AUTH_USER_PASS # define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" 
@@ -12729,9 +12729,9 @@ diff -up openssl-1.0.2a/crypto/o_fips.c.fips openssl-1.0.2a/crypto/o_fips.c if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) -diff -up openssl-1.0.2a/crypto/o_init.c.fips openssl-1.0.2a/crypto/o_init.c ---- openssl-1.0.2a/crypto/o_init.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/o_init.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2c/crypto/o_init.c.fips openssl-1.0.2c/crypto/o_init.c +--- openssl-1.0.2c/crypto/o_init.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/o_init.c 2015-06-15 17:30:00.013284097 +0200 @@ -56,8 +56,37 @@ #include #include @@ -12801,9 +12801,9 @@ diff -up openssl-1.0.2a/crypto/o_init.c.fips openssl-1.0.2a/crypto/o_init.c +{ + OPENSSL_init_library(); +} -diff -up openssl-1.0.2a/crypto/opensslconf.h.in.fips openssl-1.0.2a/crypto/opensslconf.h.in ---- openssl-1.0.2a/crypto/opensslconf.h.in.fips 2015-01-20 13:33:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/opensslconf.h.in 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2c/crypto/opensslconf.h.in.fips openssl-1.0.2c/crypto/opensslconf.h.in +--- openssl-1.0.2c/crypto/opensslconf.h.in.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/opensslconf.h.in 2015-06-15 17:30:00.013284097 +0200 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ 
@@ -12825,9 +12825,9 @@ diff -up openssl-1.0.2a/crypto/opensslconf.h.in.fips openssl-1.0.2a/crypto/opens /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.2a/crypto/rand/md_rand.c.fips openssl-1.0.2a/crypto/rand/md_rand.c ---- openssl-1.0.2a/crypto/rand/md_rand.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rand/md_rand.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2c/crypto/rand/md_rand.c.fips openssl-1.0.2c/crypto/rand/md_rand.c +--- openssl-1.0.2c/crypto/rand/md_rand.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/rand/md_rand.c 2015-06-15 17:30:00.013284097 +0200 @@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; @@ -12840,9 +12840,9 @@ diff -up openssl-1.0.2a/crypto/rand/md_rand.c.fips openssl-1.0.2a/crypto/rand/md RAND_poll(); initialized = 1; } -diff -up openssl-1.0.2a/crypto/rand/rand.h.fips openssl-1.0.2a/crypto/rand/rand.h ---- openssl-1.0.2a/crypto/rand/rand.h.fips 2015-04-22 16:08:40.044239782 +0200 -+++ openssl-1.0.2a/crypto/rand/rand.h 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2c/crypto/rand/rand.h.fips openssl-1.0.2c/crypto/rand/rand.h +--- openssl-1.0.2c/crypto/rand/rand.h.fips 2015-06-15 17:29:59.773278601 +0200 ++++ openssl-1.0.2c/crypto/rand/rand.h 2015-06-15 17:30:00.013284097 +0200 @@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ 
@@ -12883,9 +12883,9 @@ diff -up openssl-1.0.2a/crypto/rand/rand.h.fips openssl-1.0.2a/crypto/rand/rand. #ifdef __cplusplus } -diff -up openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2a/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/ripemd/rmd_dgst.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2c/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2c/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.2c/crypto/ripemd/rmd_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/ripemd/rmd_dgst.c 2015-06-15 17:30:00.014284119 +0200 @@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX * void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num); #endif @@ -12895,9 +12895,9 @@ diff -up openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2a/crypto/ripe { memset(c, 0, sizeof(*c)); c->A = RIPEMD160_A; -diff -up openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2a/crypto/rsa/rsa_crpt.c ---- openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_crpt.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2c/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2c/crypto/rsa/rsa_crpt.c +--- openssl-1.0.2c/crypto/rsa/rsa_crpt.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/rsa/rsa_crpt.c 2015-06-15 17:30:00.014284119 +0200 @@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const unsigned char *to, RSA *rsa, int padding) { 
@@ -12924,9 +12924,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2a/crypto/rsa/rsa return -1; } #endif -diff -up openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips openssl-1.0.2a/crypto/rsa/rsa_eay.c ---- openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_eay.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2c/crypto/rsa/rsa_eay.c.fips openssl-1.0.2c/crypto/rsa/rsa_eay.c +--- openssl-1.0.2c/crypto/rsa/rsa_eay.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/rsa/rsa_eay.c 2015-06-15 17:30:00.014284119 +0200 @@ -114,6 +114,10 @@ #include #include @@ -13049,9 +13049,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips openssl-1.0.2a/crypto/rsa/rsa_ rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; return (1); } -diff -up openssl-1.0.2a/crypto/rsa/rsa_err.c.fips openssl-1.0.2a/crypto/rsa/rsa_err.c ---- openssl-1.0.2a/crypto/rsa/rsa_err.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_err.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2c/crypto/rsa/rsa_err.c.fips openssl-1.0.2c/crypto/rsa/rsa_err.c +--- openssl-1.0.2c/crypto/rsa/rsa_err.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/rsa/rsa_err.c 2015-06-15 17:30:00.014284119 +0200 @@ -136,6 +136,8 @@ static ERR_STRING_DATA RSA_str_functs[] {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, 
@@ -13061,9 +13061,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_err.c.fips openssl-1.0.2a/crypto/rsa/rsa_ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, -diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_gen.c ---- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2c/crypto/rsa/rsa_gen.c.fips openssl-1.0.2c/crypto/rsa/rsa_gen.c +--- openssl-1.0.2c/crypto/rsa/rsa_gen.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/rsa/rsa_gen.c 2015-06-15 17:30:00.014284119 +0200 @@ -69,6 +69,80 @@ #include #ifdef OPENSSL_FIPS @@ -13203,9 +13203,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_ ok = 1; err: if (ok == -1) { -diff -up openssl-1.0.2a/crypto/rsa/rsa.h.fips openssl-1.0.2a/crypto/rsa/rsa.h ---- openssl-1.0.2a/crypto/rsa/rsa.h.fips 2015-04-22 16:08:40.178242955 +0200 -+++ openssl-1.0.2a/crypto/rsa/rsa.h 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2c/crypto/rsa/rsa.h.fips openssl-1.0.2c/crypto/rsa/rsa.h +--- openssl-1.0.2c/crypto/rsa/rsa.h.fips 2015-06-15 17:29:59.903281578 +0200 ++++ openssl-1.0.2c/crypto/rsa/rsa.h 2015-06-15 17:30:00.014284119 +0200 @@ -168,6 +168,8 @@ struct rsa_st { # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 # endif 
@@ -13302,9 +13302,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa.h.fips openssl-1.0.2a/crypto/rsa/rsa.h # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 # define RSA_R_PADDING_CHECK_FAILED 114 # define RSA_R_PKCS_DECODING_ERROR 159 -diff -up openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips openssl-1.0.2a/crypto/rsa/rsa_lib.c ---- openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_lib.c 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2c/crypto/rsa/rsa_lib.c.fips openssl-1.0.2c/crypto/rsa/rsa_lib.c +--- openssl-1.0.2c/crypto/rsa/rsa_lib.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/rsa/rsa_lib.c 2015-06-15 17:30:00.015284142 +0200 @@ -84,23 +84,22 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -13377,9 +13377,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips openssl-1.0.2a/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE if (ret->engine) -diff -up openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2a/crypto/rsa/rsa_pmeth.c ---- openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_pmeth.c 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2c/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2c/crypto/rsa/rsa_pmeth.c +--- openssl-1.0.2c/crypto/rsa/rsa_pmeth.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/rsa/rsa_pmeth.c 2015-06-15 17:30:00.015284142 +0200 @@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); return -1; @@ -13401,7 +13401,7 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2a/crypto/rsa/rs if (EVP_MD_type(rctx->md) == NID_mdc2) { unsigned int sltmp; -@@ -353,17 +339,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX +@@ -359,17 +345,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX } #endif if (rctx->md) { 
@@ -13419,9 +13419,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2a/crypto/rsa/rs if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); -diff -up openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips openssl-1.0.2a/crypto/rsa/rsa_sign.c ---- openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_sign.c 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2c/crypto/rsa/rsa_sign.c.fips openssl-1.0.2c/crypto/rsa/rsa_sign.c +--- openssl-1.0.2c/crypto/rsa/rsa_sign.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/rsa/rsa_sign.c 2015-06-15 17:30:00.015284142 +0200 @@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig, &p); s = tmps; @@ -13460,9 +13460,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips openssl-1.0.2a/crypto/rsa/rsa if (i <= 0) goto err; -diff -up openssl-1.0.2a/crypto/sha/sha.h.fips openssl-1.0.2a/crypto/sha/sha.h ---- openssl-1.0.2a/crypto/sha/sha.h.fips 2015-04-22 16:08:39.964237888 +0200 -+++ openssl-1.0.2a/crypto/sha/sha.h 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2c/crypto/sha/sha.h.fips openssl-1.0.2c/crypto/sha/sha.h +--- openssl-1.0.2c/crypto/sha/sha.h.fips 2015-06-15 17:29:59.697276860 +0200 ++++ openssl-1.0.2c/crypto/sha/sha.h 2015-06-15 17:30:00.015284142 +0200 @@ -105,9 +105,6 @@ typedef struct SHAstate_st { } SHA_CTX; 
@@ -13505,9 +13505,9 @@ diff -up openssl-1.0.2a/crypto/sha/sha.h.fips openssl-1.0.2a/crypto/sha/sha.h int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); -diff -up openssl-1.0.2a/crypto/sha/sha_locl.h.fips openssl-1.0.2a/crypto/sha/sha_locl.h ---- openssl-1.0.2a/crypto/sha/sha_locl.h.fips 2015-04-22 16:08:39.966237935 +0200 -+++ openssl-1.0.2a/crypto/sha/sha_locl.h 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2c/crypto/sha/sha_locl.h.fips openssl-1.0.2c/crypto/sha/sha_locl.h +--- openssl-1.0.2c/crypto/sha/sha_locl.h.fips 2015-06-15 17:29:59.699276906 +0200 ++++ openssl-1.0.2c/crypto/sha/sha_locl.h 2015-06-15 17:30:00.015284142 +0200 @@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, c #define INIT_DATA_h4 0xc3d2e1f0UL @@ -13524,9 +13524,9 @@ diff -up openssl-1.0.2a/crypto/sha/sha_locl.h.fips openssl-1.0.2a/crypto/sha/sha memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -diff -up openssl-1.0.2a/crypto/sha/sha256.c.fips openssl-1.0.2a/crypto/sha/sha256.c ---- openssl-1.0.2a/crypto/sha/sha256.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/sha/sha256.c 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2c/crypto/sha/sha256.c.fips openssl-1.0.2c/crypto/sha/sha256.c +--- openssl-1.0.2c/crypto/sha/sha256.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/sha/sha256.c 2015-06-15 17:30:00.015284142 +0200 @@ -12,12 +12,19 @@ # include 
@@ -13557,9 +13557,9 @@ diff -up openssl-1.0.2a/crypto/sha/sha256.c.fips openssl-1.0.2a/crypto/sha/sha25 memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -diff -up openssl-1.0.2a/crypto/sha/sha512.c.fips openssl-1.0.2a/crypto/sha/sha512.c ---- openssl-1.0.2a/crypto/sha/sha512.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/sha/sha512.c 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2c/crypto/sha/sha512.c.fips openssl-1.0.2c/crypto/sha/sha512.c +--- openssl-1.0.2c/crypto/sha/sha512.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/sha/sha512.c 2015-06-15 17:30:00.016284165 +0200 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -13591,9 +13591,9 @@ diff -up openssl-1.0.2a/crypto/sha/sha512.c.fips openssl-1.0.2a/crypto/sha/sha51 c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -diff -up openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2a/crypto/whrlpool/wp_dgst.c ---- openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/whrlpool/wp_dgst.c 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2c/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2c/crypto/whrlpool/wp_dgst.c +--- openssl-1.0.2c/crypto/whrlpool/wp_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/crypto/whrlpool/wp_dgst.c 2015-06-15 17:30:00.016284165 +0200 @@ -55,7 +55,7 @@ #include #include 
@@ -13603,9 +13603,9 @@ diff -up openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2a/crypto/whr { memset(c, 0, sizeof(*c)); return (1); -diff -up openssl-1.0.2a/Makefile.org.fips openssl-1.0.2a/Makefile.org ---- openssl-1.0.2a/Makefile.org.fips 2015-04-22 16:08:40.270245133 +0200 -+++ openssl-1.0.2a/Makefile.org 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2c/Makefile.org.fips openssl-1.0.2c/Makefile.org +--- openssl-1.0.2c/Makefile.org.fips 2015-06-15 17:29:59.986283478 +0200 ++++ openssl-1.0.2c/Makefile.org 2015-06-15 17:30:00.016284165 +0200 @@ -137,6 +137,9 @@ FIPSCANLIB= BASEADDR= @@ -13633,9 +13633,9 @@ diff -up openssl-1.0.2a/Makefile.org.fips openssl-1.0.2a/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.2a/ssl/ssl_algs.c.fips openssl-1.0.2a/ssl/ssl_algs.c ---- openssl-1.0.2a/ssl/ssl_algs.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/ssl/ssl_algs.c 2015-04-22 16:08:40.305245962 +0200 +diff -up openssl-1.0.2c/ssl/ssl_algs.c.fips openssl-1.0.2c/ssl/ssl_algs.c +--- openssl-1.0.2c/ssl/ssl_algs.c.fips 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/ssl/ssl_algs.c 2015-06-15 17:30:00.016284165 +0200 @@ -64,6 +64,11 @@ int SSL_library_init(void) { diff --git a/openssl-1.0.2a-rpmbuild.patch b/openssl-1.0.2c-rpmbuild.patch similarity index 88% rename from openssl-1.0.2a-rpmbuild.patch rename to openssl-1.0.2c-rpmbuild.patch index 69252f1..555010c 100644 --- a/openssl-1.0.2a-rpmbuild.patch +++ b/openssl-1.0.2c-rpmbuild.patch 
@@ -1,7 +1,7 @@ -diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure ---- openssl-1.0.2a/Configure.rpmbuild 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/Configure 2015-04-20 14:35:03.516318252 +0200 -@@ -348,8 +348,8 @@ my %table=( +diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure +--- openssl-1.0.2c/Configure.rpmbuild 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/Configure 2015-06-15 17:22:52.598496680 +0200 +@@ -365,8 +365,8 @@ my %table=( #### # *-generic* is endian-neutral target, but ./config is free to # throw in -D[BL]_ENDIAN, whichever appropriate... 
@@ -12,14 +12,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure ####################################################################### # Note that -march is not among compiler options in below linux-armv4 -@@ -378,30 +378,30 @@ my %table=( +@@ -395,30 +395,30 @@ my %table=( # # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 # -"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", ++"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", # Configure script adds minimally required -march for assembly support, # if no -march was specified at command line. mips32 and mips64 below # refer to contemporary MIPS Architecture specifications, MIPS32 and 
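Review bot: The refreshed `linux-aarch64` entry in this hunk now ends at `.so.\$(SHLIB_SONAMEVER)",` without the trailing `:::64` it had in the previous revision of the patch. The `linux-generic64` entry in the following hunk (`@@ -40,14 +40,14 @@`) loses it the same way, while the `linux-ppc64`, `linux-ppc64le` and `linux-x86_64` entries keep it. The last field of a Configure `%table` entry is the multilib suffix, so these two targets would presumably fall back to the default library directory unless the spec file sets the libdir itself, which cannot be seen from here (the `%table` definition starts and ends outside the hunk). If the drop is not intended, end both entries with `.so.\$(SHLIB_SONAMEVER):::64",` again; if it is, a spec changelog line saying why would help the next patch refresh.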
@@ -40,14 +40,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure -"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::", -"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", ++"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl 
-no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", - "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", + "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", -"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", 
@@ -55,12 +55,12 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure #### So called "highgprs" target for z/Architecture CPUs # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see # /proc/cpuinfo. The idea is to preserve most significant bits of -@@ -419,12 +419,12 @@ my %table=( +@@ -436,12 +436,12 @@ my %table=( #### SPARC Linux setups # Ray Miller has patiently # assisted with debugging of following two configs. --"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +-"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", # it's a real mess with -mcpu=ultrasparc option under Linux, but # -Wa,-Av8plus should do the trick no matter what. -"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
@@ -71,7 +71,7 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure #### Alpha Linux with GNU C and Compaq C setups # Special notes: # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you -@@ -1737,7 +1737,7 @@ while () +@@ -1764,7 +1764,7 @@ while () elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; @@ -80,9 +80,9 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure } elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) { -diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org ---- openssl-1.0.2a/Makefile.org.rpmbuild 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/Makefile.org 2015-04-20 14:11:52.152847093 +0200 +diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org +--- openssl-1.0.2c/Makefile.org.rpmbuild 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/Makefile.org 2015-06-15 17:19:14.874510995 +0200 @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= SHLIB_MAJOR= SHLIB_MINOR= @@ -91,7 +91,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org PLATFORM=dist OPTIONS= CONFIGURE_ARGS= -@@ -335,10 +336,9 @@ clean-shared: +@@ -338,10 +339,9 @@ clean-shared: link-shared: @ set -e; for i in $(SHLIBDIRS); do \ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ @@ -103,7 +103,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org done build-shared: do_$(SHLIB_TARGET) link-shared -@@ -349,7 +349,7 @@ do_$(SHLIB_TARGET): +@@ -352,7 +352,7 @@ do_$(SHLIB_TARGET): libs="$(LIBKRB5) $$libs"; \ fi; \ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl-1.0.2a-trusted-first-doc.patch b/openssl-1.0.2c-trusted-first-doc.patch similarity index 62% rename from openssl-1.0.2a-trusted-first-doc.patch rename to openssl-1.0.2c-trusted-first-doc.patch index 8333751..63e1076 100644 --- a/openssl-1.0.2a-trusted-first-doc.patch 
+++ b/openssl-1.0.2c-trusted-first-doc.patch @@ -1,66 +1,66 @@ -diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c ---- openssl-1.0.2a/apps/cms.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/cms.c 2015-04-22 16:25:31.839164061 +0200 +diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c +--- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200 ++++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200 @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c ---- openssl-1.0.2a/apps/ocsp.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/ocsp.c 2015-04-22 16:25:31.840164085 +0200 + "-crl_check check revocation status of signer's certificate using CRLs\n"); +diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c +--- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200 ++++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200 
@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf(bio_err, - "-VAfile file validator certificates file\n"); + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, - "-validity_period n maximum validity discrepancy in seconds\n"); -diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c ---- openssl-1.0.2a/apps/s_client.c.trusted-first 2015-04-22 16:25:31.799163115 +0200 -+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 16:25:31.840164085 +0200 + "-VAfile file validator certificates file\n"); +diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c +--- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200 ++++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200 
@@ -333,6 +333,8 @@ static void sc_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, + " -trusted_first - Use trusted CA's first when building the trust chain\n"); + BIO_printf(bio_err, - " -reconnect - Drop and re-make the connection with the same Session-ID\n"); + " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, - " -pause - sleep(1) after each read(2) and write(2) system call\n"); -diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c ---- openssl-1.0.2a/apps/smime.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/smime.c 2015-04-22 16:25:31.840164085 +0200 + " -reconnect - Drop and re-make the connection with the same Session-ID\n"); +diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c +--- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200 ++++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200 
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c ---- openssl-1.0.2a/apps/s_server.c.trusted-first 2015-04-22 16:25:31.806163281 +0200 -+++ openssl-1.0.2a/apps/s_server.c 2015-04-22 16:25:31.841164108 +0200 -@@ -569,6 +569,8 @@ static void sv_usage(void) + "-crl_check check revocation status of signer's certificate using CRLs\n"); +diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c +--- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200 ++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200 +@@ -572,6 +572,8 @@ static void sv_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, + " -trusted_first - Use trusted CA's first when building the trust chain\n"); + BIO_printf(bio_err, - " -nocert - Don't use any certificates (Anon-DH)\n"); + " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, - " -cipher arg - play with 'openssl ciphers' to see what goes here\n"); -diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c ---- openssl-1.0.2a/apps/s_time.c.trusted-first 2015-04-22 16:25:31.755162075 +0200 -+++ openssl-1.0.2a/apps/s_time.c 2015-04-22 16:25:31.841164108 +0200 + " -nocert - Don't use any certificates (Anon-DH)\n"); +diff -up 
openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c +--- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200 ++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200 @@ -182,6 +182,7 @@ static void s_time_usage(void) file if not specified by this option\n\ -CApath arg - PEM format directory of CA's\n\ @@ -69,9 +69,9 @@ diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; printf("usage: s_time \n\n"); -diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c ---- openssl-1.0.2a/apps/ts.c.trusted-first 2015-04-22 16:25:31.797163068 +0200 -+++ openssl-1.0.2a/apps/ts.c 2015-04-22 16:25:31.841164108 +0200 +diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c +--- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200 ++++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200 @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv) "ts -verify [-data file_to_hash] [-digest digest_bytes] " "[-queryfile request.tsq] " @@ -81,30 +81,30 @@ diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c "-untrusted cert_file.pem\n"); cleanup: /* Clean up. */ -diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c ---- openssl-1.0.2a/apps/verify.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/verify.c 2015-04-22 16:25:31.841164108 +0200 +diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c +--- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200 ++++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200 
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv) end: if (ret == 1) { BIO_printf(bio_err, - "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); + "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); - BIO_printf(bio_err, " [-attime timestamp]"); + BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " [-engine e]"); -diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod ---- openssl-1.0.2a/doc/apps/cms.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-22 16:25:31.842164132 +0200 +diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod +--- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200 @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] [B<-CApath dir>] +[B<-trusted_first>] + [B<-no_alt_chains>] [B<-md digest>] [B<-[cipher]>] - [B<-nointern>] -@@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta +@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B) should be linked to each certificate. 
@@ -117,18 +117,20 @@ diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/c =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod ---- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first 2015-04-22 16:25:31.798163092 +0200 -+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-22 16:25:31.842164132 +0200 -@@ -29,6 +29,7 @@ B B +diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod +--- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200 ++++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200 +@@ -29,7 +29,8 @@ B B [B<-path>] [B<-CApath dir>] [B<-CAfile file>] +-[B<-no_alt_chains>]] +[B<-trusted_first>] ++[B<-no_alt_chains>] [B<-VAfile file>] [B<-validity_period n>] [B<-status_age n>] -@@ -143,6 +144,13 @@ connection timeout to the OCSP responder +@@ -144,6 +145,13 @@ connection timeout to the OCSP responder file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. 
@@ -139,32 +141,32 @@ diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ +chain to verify responder certificate. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + - =item B<-verify_other file> + =item B<-no_alt_chains> - file containing additional certificates to search when attempting to locate -diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod ---- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200 -+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-22 16:25:31.843164156 +0200 + See L|verify(1)> manual page for details. +diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod +--- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200 ++++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200 
@@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] + [B<-no_alt_chains>] [B<-reconnect>] [B<-pause>] - [B<-showcerts>] -@@ -123,7 +124,7 @@ also used when building the client certi +@@ -124,7 +125,7 @@ also used when building the client certi A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. --=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> -+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> +-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> ++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. -diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod ---- openssl-1.0.2a/doc/apps/smime.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-22 16:25:31.843164156 +0200 +diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod +--- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200 @@ -15,6 +15,9 @@ B B [B<-pk7out>] [B<-[cipher]>] 
@@ -172,10 +174,10 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps +[B<-CAfile file>] +[B<-CApath dir>] +[B<-trusted_first>] + [B<-no_alt_chains>] [B<-certfile file>] [B<-signer file>] - [B<-recip file>] -@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta +@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B) should be linked to each certificate. @@ -188,18 +190,18 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod ---- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200 -+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-22 16:25:31.843164156 +0200 +diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod +--- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200 ++++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200 @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] + [B<-no_alt_chains>] [B<-nocert>] [B<-cipher cipherlist>] - [B<-serverpref>] -@@ -174,6 +175,12 @@ and to use when attempting to build the +@@ -175,6 +176,12 @@ and to use when attempting to build the is also used in the list of acceptable client CAs passed to the client when a certificate is requested. 
@@ -209,12 +211,12 @@ diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/a +when building the trust chain to verify client certificates. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + - =item B<-state> + =item B<-no_alt_chains> - prints out the SSL session states. -diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod ---- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first 2015-01-15 15:43:49.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/s_time.pod 2015-04-22 16:25:31.843164156 +0200 + See the L|verify(1)> manual page for details. +diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/apps/s_time.pod +--- openssl-1.0.2c/doc/apps/s_time.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/s_time.pod 2015-06-15 17:45:13.116279853 +0200 @@ -14,6 +14,7 @@ B B [B<-key filename>] [B<-CApath directory>] @@ -236,9 +238,9 @@ diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/app =item B<-new> performs the timing test using a new session ID for each connection. -diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod ---- openssl-1.0.2a/doc/apps/ts.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-22 16:25:31.843164156 +0200 +diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts.pod +--- openssl-1.0.2c/doc/apps/ts.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/ts.pod 2015-06-15 17:45:13.116279853 +0200 @@ -46,6 +46,7 @@ B<-verify> [B<-token_in>] [B<-CApath> trusted_cert_path] 
@@ -260,9 +262,9 @@ diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts =item B<-untrusted> cert_file.pem Set of additional untrusted certificates in PEM format which may be -diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod ---- openssl-1.0.2a/doc/apps/verify.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-22 16:25:31.843164156 +0200 +diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/apps/verify.pod +--- openssl-1.0.2c/doc/apps/verify.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/verify.pod 2015-06-15 17:45:13.116279853 +0200 @@ -9,6 +9,7 @@ verify - Utility to verify certificates. B B [B<-CApath directory>] @@ -271,7 +273,7 @@ diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/app [B<-purpose purpose>] [B<-policy arg>] [B<-ignore_critical>] -@@ -78,6 +79,12 @@ If a valid CRL cannot be found an error +@@ -79,6 +80,12 @@ If a valid CRL cannot be found an error A file of untrusted certificates. The file should contain multiple certificates in PEM format concatenated together. diff --git a/openssl.spec b/openssl.spec index 324fa09..78def87 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,8 +22,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.2a -Release: 4%{?dist} +Version: 1.0.2c +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -40,7 +40,7 @@ Source11: README.FIPS Source12: ec_curve.c Source13: ectest.c # Build changes -Patch1: openssl-1.0.2a-rpmbuild.patch +Patch1: openssl-1.0.2c-rpmbuild.patch Patch2: openssl-1.0.2a-defaults.patch Patch4: openssl-1.0.2a-enginesdir.patch Patch5: openssl-1.0.2a-no-rpath.patch 
@@ -49,14 +49,14 @@ Patch7: openssl-1.0.0-timezone.patch Patch8: openssl-1.0.1c-perlfind.patch Patch9: openssl-1.0.1c-aliasing.patch # Bug fixes -Patch23: openssl-1.0.2a-default-paths.patch +Patch23: openssl-1.0.2c-default-paths.patch Patch24: openssl-1.0.2a-issuer-hash.patch # Functionality changes Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-1.0.2a-x509.patch Patch35: openssl-1.0.2a-version-add-engines.patch Patch39: openssl-1.0.2a-ipv6-apps.patch -Patch40: openssl-1.0.2a-fips.patch +Patch40: openssl-1.0.2c-fips.patch Patch45: openssl-1.0.2a-env-zlib.patch Patch47: openssl-1.0.2a-readme-warning.patch Patch49: openssl-1.0.1i-algo-doc.patch @@ -69,11 +69,10 @@ Patch63: openssl-1.0.2a-xmpp-starttls.patch Patch65: openssl-1.0.2a-chil-fixes.patch Patch66: openssl-1.0.2a-pkgconfig-krb5.patch Patch68: openssl-1.0.2a-secure-getenv.patch -Patch69: openssl-1.0.2a-dh-1024.patch Patch70: openssl-1.0.2a-fips-ec.patch Patch71: openssl-1.0.2a-manfix.patch Patch72: openssl-1.0.2a-fips-ctor.patch -Patch73: openssl-1.0.2a-ecc-suiteb.patch +Patch73: openssl-1.0.2c-ecc-suiteb.patch Patch74: openssl-1.0.2a-no-md5-verify.patch Patch75: openssl-1.0.2a-compat-symbols.patch Patch76: openssl-1.0.2a-new-fips-reqs.patch @@ -85,8 +84,7 @@ Patch93: openssl-1.0.2a-disable-sslv2v3.patch # Backported fixes including security fixes Patch80: openssl-1.0.2a-wrap-pad.patch Patch81: openssl-1.0.2a-padlock64.patch -Patch82: openssl-1.0.2a-trusted-first-doc.patch -Patch83: openssl-1.0.2a-alt-chains.patch +Patch82: openssl-1.0.2c-trusted-first-doc.patch License: OpenSSL Group: System Environment/Libraries @@ -190,7 +188,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch65 -p1 -b .chil %patch66 -p1 -b .krb5 %patch68 -p1 -b .secure-getenv -%patch69 -p1 -b .dh1024 %patch70 -p1 -b .fips-ec %patch71 -p1 -b .manfix %patch72 -p1 -b .fips-ctor 
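Review bot: Patch69 (`openssl-1.0.2a-dh-1024.patch`) and Patch83 (`openssl-1.0.2a-alt-chains.patch`) are dropped in the `@@ -69,11 +69,10 @@` and `@@ -85,8 +84,7 @@` hunks, and their `%patch69` / `%patch83` applications in the `@@ -190,7 +188,6 @@` and `@@ -207,7 +204,6 @@` hunks, but nothing in the commit records why. Patch83 sat under `# Backported fixes including security fixes`, and the refreshed trusted-first-doc patch now appears to carry `-no_alt_chains` as unchanged context, which suggests the 1.0.2c sources already contain that change. For dh-1024 nothing on this page shows an upstream equivalent, so that should be confirmed against the 1.0.2c tree before the patch is retired. I would add a `%changelog` line such as `- drop dh-1024 and alt-chains patches (merged upstream)`, if that is the reason, so that anyone auditing the package can see the fixes were superseded and not lost.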
@@ -207,7 +204,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch80 -p1 -b .wrap %patch81 -p1 -b .padlock64 %patch82 -p1 -b .trusted-first -%patch83 -p1 -b .alt-chains sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -478,6 +474,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Mon Jun 15 2015 Tomáš Mráz 1.0.2c-1 +- minor upstream release 1.0.2c fixing multiple security issues + * Thu May 7 2015 Peter Robinson 1.0.2a-4 - Add aarch64 sslarch details diff --git a/sources b/sources index 24b2c95..c5a84d6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f51c4df95c3d53fc82a0885fd169225a openssl-1.0.2a-hobbled.tar.xz +178792e60274974ec47aedc6dc5eba7a openssl-1.0.2c-hobbled.tar.xz