From eeb6ac1a65877b1524cb6d847f4316b3da3944a1 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 3 May 2016 18:23:18 +0200
Subject: [PATCH] minor upstream release 1.0.2h fixing security issues
---
.gitignore | 1 +
openssl-1.0.2a-weak-ciphers.patch | 12 -
openssl-1.0.2g-remove-ssl2.patch | 27 -
...2g-fips.patch => openssl-1.0.2h-fips.patch | 574 +++++++++---------
... => openssl-1.0.2h-trusted-first-doc.patch | 110 ++--
openssl.spec | 15 +-
sources | 2 +-
7 files changed, 350 insertions(+), 391 deletions(-)
delete mode 100644 openssl-1.0.2a-weak-ciphers.patch
delete mode 100644 openssl-1.0.2g-remove-ssl2.patch
rename openssl-1.0.2g-fips.patch => openssl-1.0.2h-fips.patch (95%)
rename openssl-1.0.2c-trusted-first-doc.patch => openssl-1.0.2h-trusted-first-doc.patch (69%)
diff --git a/.gitignore b/.gitignore
index 821d304..8966853 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.2e-hobbled.tar.xz
 /openssl-1.0.2f-hobbled.tar.xz
 /openssl-1.0.2g-hobbled.tar.xz
+/openssl-1.0.2h-hobbled.tar.xz
diff --git a/openssl-1.0.2a-weak-ciphers.patch b/openssl-1.0.2a-weak-ciphers.patch
deleted file mode 100644
index 7cb708d..0000000
--- a/openssl-1.0.2a-weak-ciphers.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.2a/ssl/ssl.h.weak-ciphers openssl-1.0.2a/ssl/ssl.h
---- openssl-1.0.2a/ssl/ssl.h.weak-ciphers 2015-04-22 15:11:14.026574414 +0200
-+++ openssl-1.0.2a/ssl/ssl.h 2015-04-22 15:14:51.302744713 +0200
-@@ -338,7 +338,7 @@ extern "C" {
- * The following cipher list is used by default. It also is substituted when
- * an application-defined cipher list string starts with 'DEFAULT'.
- */
--# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
-+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!DES"
- /*
- * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
- * starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/openssl-1.0.2g-remove-ssl2.patch b/openssl-1.0.2g-remove-ssl2.patch
deleted file mode 100644
index 1812cde..0000000
--- a/openssl-1.0.2g-remove-ssl2.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up openssl-1.0.2g/ssl/ssl.h.remove-ssl2 openssl-1.0.2g/ssl/ssl.h
---- openssl-1.0.2g/ssl/ssl.h.remove-ssl2 2016-03-02 09:26:24.000000000 +0100
-+++ openssl-1.0.2g/ssl/ssl.h 2016-03-29 15:24:01.471422525 +0200
-@@ -2283,7 +2283,7 @@ const char *SSL_get_version(const SSL *s
- /* This sets the 'default' SSL version that SSL_new() will create */
- int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-
--# ifndef OPENSSL_NO_SSL2
-+# ifndef OPENSSL_NO_SSL2_METHOD
- const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
- const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
- const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
-diff -up openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 openssl-1.0.2g/ssl/s2_meth.c
---- openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 2016-01-28 14:38:31.000000000 +0100
-+++ openssl-1.0.2g/ssl/s2_meth.c 2016-03-29 15:19:49.319654216 +0200
-@@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method,
- ssl2_accept, ssl2_connect, ssl2_get_method)
- #else /* !OPENSSL_NO_SSL2 */
-
--# if PEDANTIC
--static void *dummy = &dummy;
--# endif
-+const SSL_METHOD *SSLv2_method(void) { return NULL; }
-+const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
-+const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
-
- #endif
diff --git a/openssl-1.0.2g-fips.patch b/openssl-1.0.2h-fips.patch
similarity index 95%
rename from openssl-1.0.2g-fips.patch
rename to openssl-1.0.2h-fips.patch
index e6f76b9..e291dd9 100644
--- a/openssl-1.0.2g-fips.patch
+++ b/openssl-1.0.2h-fips.patch
@@ -1,6 +1,6 @@ -diff -up openssl-1.0.2g/apps/speed.c.fips openssl-1.0.2g/apps/speed.c ---- openssl-1.0.2g/apps/speed.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/apps/speed.c 2016-03-01 16:33:07.611916410 +0100 +diff -up openssl-1.0.2h/apps/speed.c.fips openssl-1.0.2h/apps/speed.c +--- openssl-1.0.2h/apps/speed.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/apps/speed.c 2016-05-03 16:57:58.819320945 +0200 @@ -197,7 +197,6 @@ # ifdef OPENSSL_DOING_MAKEDEPEND # undef AES_set_encrypt_key @@ -133,9 +133,9 @@ diff -up openssl-1.0.2g/apps/speed.c.fips openssl-1.0.2g/apps/speed.c HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...", 16, EVP_md5(), NULL); -diff -up openssl-1.0.2g/Configure.fips openssl-1.0.2g/Configure ---- openssl-1.0.2g/Configure.fips 2016-03-01 16:33:07.597916093 +0100 -+++ openssl-1.0.2g/Configure 2016-03-01 16:33:07.611916410 +0100 +diff -up openssl-1.0.2h/Configure.fips openssl-1.0.2h/Configure +--- openssl-1.0.2h/Configure.fips 2016-05-03 16:57:58.783320095 +0200 ++++ openssl-1.0.2h/Configure 2016-05-03 16:57:58.819320945 +0200 @@ -1067,11 +1067,6 @@ if (defined($disabled{"md5"}) || defined $disabled{"ssl2"} = "forced"; } @@ -170,9 +170,9 @@ diff -up openssl-1.0.2g/Configure.fips openssl-1.0.2g/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.2g/crypto/aes/aes_misc.c.fips openssl-1.0.2g/crypto/aes/aes_misc.c ---- openssl-1.0.2g/crypto/aes/aes_misc.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/aes/aes_misc.c 2016-03-01 16:33:07.611916410 +0100 +diff -up openssl-1.0.2h/crypto/aes/aes_misc.c.fips openssl-1.0.2h/crypto/aes/aes_misc.c +--- openssl-1.0.2h/crypto/aes/aes_misc.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/aes/aes_misc.c 2016-05-03 16:57:58.819320945 +0200 
@@ -70,17 +70,11 @@ const char *AES_options(void) int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) @@ -191,9 +191,9 @@ diff -up openssl-1.0.2g/crypto/aes/aes_misc.c.fips openssl-1.0.2g/crypto/aes/aes -#endif return private_AES_set_decrypt_key(userKey, bits, key); } -diff -up openssl-1.0.2g/crypto/cmac/cmac.c.fips openssl-1.0.2g/crypto/cmac/cmac.c ---- openssl-1.0.2g/crypto/cmac/cmac.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/cmac/cmac.c 2016-03-01 16:36:35.637624418 +0100 +diff -up openssl-1.0.2h/crypto/cmac/cmac.c.fips openssl-1.0.2h/crypto/cmac/cmac.c +--- openssl-1.0.2h/crypto/cmac/cmac.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/cmac/cmac.c 2016-05-03 16:57:58.819320945 +0200 @@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) @@ -250,9 +250,9 @@ diff -up openssl-1.0.2g/crypto/cmac/cmac.c.fips openssl-1.0.2g/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); -diff -up openssl-1.0.2g/crypto/crypto.h.fips openssl-1.0.2g/crypto/crypto.h ---- openssl-1.0.2g/crypto/crypto.h.fips 2016-03-01 16:33:07.490913671 +0100 -+++ openssl-1.0.2g/crypto/crypto.h 2016-03-01 16:33:07.612916432 +0100 +diff -up openssl-1.0.2h/crypto/crypto.h.fips openssl-1.0.2h/crypto/crypto.h +--- openssl-1.0.2h/crypto/crypto.h.fips 2016-05-03 16:57:58.673317497 +0200 ++++ openssl-1.0.2h/crypto/crypto.h 2016-05-03 16:57:58.820320969 +0200 @@ -600,24 +600,29 @@ int FIPS_mode_set(int r); void OPENSSL_init(void); 
@@ -298,9 +298,9 @@ diff -up openssl-1.0.2g/crypto/crypto.h.fips openssl-1.0.2g/crypto/crypto.h /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.2g/crypto/des/des.h.fips openssl-1.0.2g/crypto/des/des.h ---- openssl-1.0.2g/crypto/des/des.h.fips 2016-03-01 16:33:07.521914373 +0100 -+++ openssl-1.0.2g/crypto/des/des.h 2016-03-01 16:33:07.612916432 +0100 +diff -up openssl-1.0.2h/crypto/des/des.h.fips openssl-1.0.2h/crypto/des/des.h +--- openssl-1.0.2h/crypto/des/des.h.fips 2016-05-03 16:57:58.709318347 +0200 ++++ openssl-1.0.2h/crypto/des/des.h 2016-05-03 16:57:58.820320969 +0200 @@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, D int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule); @@ -312,9 +312,9 @@ diff -up openssl-1.0.2g/crypto/des/des.h.fips openssl-1.0.2g/crypto/des/des.h void DES_string_to_key(const char *str, DES_cblock *key); void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, -diff -up openssl-1.0.2g/crypto/des/set_key.c.fips openssl-1.0.2g/crypto/des/set_key.c ---- openssl-1.0.2g/crypto/des/set_key.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/des/set_key.c 2016-03-01 16:33:07.612916432 +0100 +diff -up openssl-1.0.2h/crypto/des/set_key.c.fips openssl-1.0.2h/crypto/des/set_key.c +--- openssl-1.0.2h/crypto/des/set_key.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/des/set_key.c 2016-05-03 16:57:58.820320969 +0200 @@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock } 
@@ -331,9 +331,9 @@ diff -up openssl-1.0.2g/crypto/des/set_key.c.fips openssl-1.0.2g/crypto/des/set_ { static const int shifts2[16] = { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 }; -diff -up openssl-1.0.2g/crypto/dh/dh_gen.c.fips openssl-1.0.2g/crypto/dh/dh_gen.c ---- openssl-1.0.2g/crypto/dh/dh_gen.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/dh/dh_gen.c 2016-03-01 16:33:07.612916432 +0100 +diff -up openssl-1.0.2h/crypto/dh/dh_gen.c.fips openssl-1.0.2h/crypto/dh/dh_gen.c +--- openssl-1.0.2h/crypto/dh/dh_gen.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dh/dh_gen.c 2016-05-03 16:57:58.820320969 +0200 @@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, i #endif if (ret->meth->generate_params) @@ -364,9 +364,9 @@ diff -up openssl-1.0.2g/crypto/dh/dh_gen.c.fips openssl-1.0.2g/crypto/dh/dh_gen. ctx = BN_CTX_new(); if (ctx == NULL) goto err; -diff -up openssl-1.0.2g/crypto/dh/dh.h.fips openssl-1.0.2g/crypto/dh/dh.h ---- openssl-1.0.2g/crypto/dh/dh.h.fips 2016-03-01 16:33:07.462913037 +0100 -+++ openssl-1.0.2g/crypto/dh/dh.h 2016-03-01 16:33:07.612916432 +0100 +diff -up openssl-1.0.2h/crypto/dh/dh.h.fips openssl-1.0.2h/crypto/dh/dh.h +--- openssl-1.0.2h/crypto/dh/dh.h.fips 2016-05-03 16:57:58.622316293 +0200 ++++ openssl-1.0.2h/crypto/dh/dh.h 2016-05-03 16:57:58.820320969 +0200 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 # endif 
@@ -376,9 +376,9 @@ diff -up openssl-1.0.2g/crypto/dh/dh.h.fips openssl-1.0.2g/crypto/dh/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 /* -diff -up openssl-1.0.2g/crypto/dh/dh_key.c.fips openssl-1.0.2g/crypto/dh/dh_key.c ---- openssl-1.0.2g/crypto/dh/dh_key.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/dh/dh_key.c 2016-03-01 16:33:07.613916455 +0100 +diff -up openssl-1.0.2h/crypto/dh/dh_key.c.fips openssl-1.0.2h/crypto/dh/dh_key.c +--- openssl-1.0.2h/crypto/dh/dh_key.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dh/dh_key.c 2016-05-03 16:57:58.821320992 +0200 @@ -61,6 +61,9 @@ #include #include @@ -446,9 +446,9 @@ diff -up openssl-1.0.2g/crypto/dh/dh_key.c.fips openssl-1.0.2g/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return (1); } -diff -up openssl-1.0.2g/crypto/dh/dh_lib.c.fips openssl-1.0.2g/crypto/dh/dh_lib.c ---- openssl-1.0.2g/crypto/dh/dh_lib.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/dh/dh_lib.c 2016-03-01 16:33:07.613916455 +0100 +diff -up openssl-1.0.2h/crypto/dh/dh_lib.c.fips openssl-1.0.2h/crypto/dh/dh_lib.c +--- openssl-1.0.2h/crypto/dh/dh_lib.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dh/dh_lib.c 2016-05-03 16:57:58.821320992 +0200 @@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METH const DH_METHOD *DH_get_default_method(void) { @@ -464,9 +464,9 @@ diff -up openssl-1.0.2g/crypto/dh/dh_lib.c.fips openssl-1.0.2g/crypto/dh/dh_lib. } return default_DH_method; } -diff -up openssl-1.0.2g/crypto/dsa/dsa_err.c.fips openssl-1.0.2g/crypto/dsa/dsa_err.c ---- openssl-1.0.2g/crypto/dsa/dsa_err.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsa_err.c 2016-03-01 16:33:07.613916455 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsa_err.c.fips openssl-1.0.2h/crypto/dsa/dsa_err.c +--- openssl-1.0.2h/crypto/dsa/dsa_err.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsa_err.c 2016-05-03 16:57:58.821320992 +0200 
@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[] {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"}, {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, @@ -485,9 +485,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsa_err.c.fips openssl-1.0.2g/crypto/dsa/dsa_ {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"}, -diff -up openssl-1.0.2g/crypto/dsa/dsa_gen.c.fips openssl-1.0.2g/crypto/dsa/dsa_gen.c ---- openssl-1.0.2g/crypto/dsa/dsa_gen.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsa_gen.c 2016-03-01 16:33:07.613916455 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_gen.c +--- openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsa_gen.c 2016-05-03 16:57:58.821320992 +0200 @@ -91,6 +91,16 @@ # include # endif @@ -938,9 +938,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsa_gen.c.fips openssl-1.0.2g/crypto/dsa/dsa_ EVP_MD_CTX_init(&mctx); if (evpmd == NULL) { -diff -up openssl-1.0.2g/crypto/dsa/dsa.h.fips openssl-1.0.2g/crypto/dsa/dsa.h ---- openssl-1.0.2g/crypto/dsa/dsa.h.fips 2016-03-01 16:33:07.382911227 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsa.h 2016-03-01 16:33:07.613916455 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsa.h.fips openssl-1.0.2h/crypto/dsa/dsa.h +--- openssl-1.0.2h/crypto/dsa/dsa.h.fips 2016-05-03 16:57:58.513313719 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsa.h 2016-05-03 16:57:58.821320992 +0200 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 # endif 
@@ -1008,9 +1008,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsa.h.fips openssl-1.0.2g/crypto/dsa/dsa.h # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 -diff -up openssl-1.0.2g/crypto/dsa/dsa_key.c.fips openssl-1.0.2g/crypto/dsa/dsa_key.c ---- openssl-1.0.2g/crypto/dsa/dsa_key.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsa_key.c 2016-03-01 16:33:07.614916478 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsa_key.c.fips openssl-1.0.2h/crypto/dsa/dsa_key.c +--- openssl-1.0.2h/crypto/dsa/dsa_key.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsa_key.c 2016-05-03 16:57:58.822321016 +0200 @@ -66,6 +66,34 @@ # ifdef OPENSSL_FIPS @@ -1086,9 +1086,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsa_key.c.fips openssl-1.0.2g/crypto/dsa/dsa_ ok = 1; err: -diff -up openssl-1.0.2g/crypto/dsa/dsa_lib.c.fips openssl-1.0.2g/crypto/dsa/dsa_lib.c ---- openssl-1.0.2g/crypto/dsa/dsa_lib.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsa_lib.c 2016-03-01 16:33:07.614916478 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsa_lib.c.fips openssl-1.0.2h/crypto/dsa/dsa_lib.c +--- openssl-1.0.2h/crypto/dsa/dsa_lib.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsa_lib.c 2016-05-03 16:57:58.822321016 +0200 @@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_ME const DSA_METHOD *DSA_get_default_method(void) { 
@@ -1104,9 +1104,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsa_lib.c.fips openssl-1.0.2g/crypto/dsa/dsa_ } return default_DSA_method; } -diff -up openssl-1.0.2g/crypto/dsa/dsa_locl.h.fips openssl-1.0.2g/crypto/dsa/dsa_locl.h ---- openssl-1.0.2g/crypto/dsa/dsa_locl.h.fips 2016-03-01 16:33:07.384911272 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsa_locl.h 2016-03-01 16:33:07.614916478 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsa_locl.h.fips openssl-1.0.2h/crypto/dsa/dsa_locl.h +--- openssl-1.0.2h/crypto/dsa/dsa_locl.h.fips 2016-05-03 16:57:58.515313767 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsa_locl.h 2016-05-03 16:57:58.822321016 +0200 @@ -56,7 +56,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, @@ -1116,9 +1116,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsa_locl.h.fips openssl-1.0.2g/crypto/dsa/dsa int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); -diff -up openssl-1.0.2g/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2g/crypto/dsa/dsa_ossl.c ---- openssl-1.0.2g/crypto/dsa/dsa_ossl.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsa_ossl.c 2016-03-01 16:33:07.614916478 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2h/crypto/dsa/dsa_ossl.c +--- openssl-1.0.2h/crypto/dsa/dsa_ossl.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsa_ossl.c 2016-05-03 16:57:58.822321016 +0200 @@ -65,6 +65,9 @@ #include #include 
@@ -1187,9 +1187,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2g/crypto/dsa/dsa dsa->flags |= DSA_FLAG_CACHE_MONT_P; return (1); } -diff -up openssl-1.0.2g/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2g/crypto/dsa/dsa_pmeth.c ---- openssl-1.0.2g/crypto/dsa/dsa_pmeth.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsa_pmeth.c 2016-03-01 16:33:07.614916478 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2h/crypto/dsa/dsa_pmeth.c +--- openssl-1.0.2h/crypto/dsa/dsa_pmeth.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsa_pmeth.c 2016-05-03 16:57:58.822321016 +0200 @@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT if (!dsa) return 0; @@ -1199,9 +1199,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2g/crypto/dsa/ds if (ret) EVP_PKEY_assign_DSA(pkey, dsa); else -diff -up openssl-1.0.2g/crypto/dsa/dsatest.c.fips openssl-1.0.2g/crypto/dsa/dsatest.c ---- openssl-1.0.2g/crypto/dsa/dsatest.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/dsa/dsatest.c 2016-03-01 16:33:07.614916478 +0100 +diff -up openssl-1.0.2h/crypto/dsa/dsatest.c.fips openssl-1.0.2h/crypto/dsa/dsatest.c +--- openssl-1.0.2h/crypto/dsa/dsatest.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/dsa/dsatest.c 2016-05-03 16:57:58.822321016 +0200 @@ -100,36 +100,41 @@ static int MS_CALLBACK dsa_cb(int p, int * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ 
@@ -1285,9 +1285,9 @@ diff -up openssl-1.0.2g/crypto/dsa/dsatest.c.fips openssl-1.0.2g/crypto/dsa/dsat goto end; } if (h != 2) { -diff -up openssl-1.0.2g/crypto/engine/eng_all.c.fips openssl-1.0.2g/crypto/engine/eng_all.c ---- openssl-1.0.2g/crypto/engine/eng_all.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/engine/eng_all.c 2016-03-01 16:33:07.614916478 +0100 +diff -up openssl-1.0.2h/crypto/engine/eng_all.c.fips openssl-1.0.2h/crypto/engine/eng_all.c +--- openssl-1.0.2h/crypto/engine/eng_all.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/engine/eng_all.c 2016-05-03 16:57:58.822321016 +0200 @@ -59,11 +59,25 @@ #include "cryptlib.h" @@ -1314,9 +1314,9 @@ diff -up openssl-1.0.2g/crypto/engine/eng_all.c.fips openssl-1.0.2g/crypto/engin #if 0 /* * There's no longer any need for an "openssl" ENGINE unless, one day, it -diff -up openssl-1.0.2g/crypto/evp/c_allc.c.fips openssl-1.0.2g/crypto/evp/c_allc.c ---- openssl-1.0.2g/crypto/evp/c_allc.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/c_allc.c 2016-03-01 16:33:07.615916500 +0100 +diff -up openssl-1.0.2h/crypto/evp/c_allc.c.fips openssl-1.0.2h/crypto/evp/c_allc.c +--- openssl-1.0.2h/crypto/evp/c_allc.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/c_allc.c 2016-05-03 16:57:58.823321039 +0200 @@ -65,6 +65,10 @@ void OpenSSL_add_all_ciphers(void) { 
@@ -1393,9 +1393,9 @@ diff -up openssl-1.0.2g/crypto/evp/c_allc.c.fips openssl-1.0.2g/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.2g/crypto/evp/c_alld.c.fips openssl-1.0.2g/crypto/evp/c_alld.c ---- openssl-1.0.2g/crypto/evp/c_alld.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/c_alld.c 2016-03-01 16:33:07.615916500 +0100 +diff -up openssl-1.0.2h/crypto/evp/c_alld.c.fips openssl-1.0.2h/crypto/evp/c_alld.c +--- openssl-1.0.2h/crypto/evp/c_alld.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/c_alld.c 2016-05-03 16:57:58.823321039 +0200 @@ -64,51 +64,81 @@ void OpenSSL_add_all_digests(void) @@ -1501,9 +1501,9 @@ diff -up openssl-1.0.2g/crypto/evp/c_alld.c.fips openssl-1.0.2g/crypto/evp/c_all + } #endif } -diff -up openssl-1.0.2g/crypto/evp/digest.c.fips openssl-1.0.2g/crypto/evp/digest.c ---- openssl-1.0.2g/crypto/evp/digest.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/digest.c 2016-03-01 16:33:07.615916500 +0100 +diff -up openssl-1.0.2h/crypto/evp/digest.c.fips openssl-1.0.2h/crypto/evp/digest.c +--- openssl-1.0.2h/crypto/evp/digest.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/digest.c 2016-05-03 16:59:54.090042781 +0200 @@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } @@ -1582,10 +1582,10 @@ diff -up openssl-1.0.2g/crypto/evp/digest.c.fips openssl-1.0.2g/crypto/evp/diges + } + } +#endif - if (ctx->digest && ctx->digest->ctx_size) + if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_free(ctx->md_data); - ctx->digest = type; -@@ -236,25 +283,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c + ctx->md_data = NULL; +@@ -238,25 +285,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c } if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) return 1; 
@@ -1613,7 +1613,7 @@ diff -up openssl-1.0.2g/crypto/evp/digest.c.fips openssl-1.0.2g/crypto/evp/diges } /* The caller can assume that this removes any secret data from the context */ -@@ -269,11 +306,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns +@@ -271,11 +308,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { @@ -1628,7 +1628,7 @@ diff -up openssl-1.0.2g/crypto/evp/digest.c.fips openssl-1.0.2g/crypto/evp/diges OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) -@@ -284,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, +@@ -286,7 +323,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, } memset(ctx->md_data, 0, ctx->digest->ctx_size); return ret; @@ -1636,7 +1636,7 @@ diff -up openssl-1.0.2g/crypto/evp/digest.c.fips openssl-1.0.2g/crypto/evp/diges } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) -@@ -373,7 +409,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) +@@ -375,7 +411,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { @@ -1644,7 +1644,7 @@ diff -up openssl-1.0.2g/crypto/evp/digest.c.fips openssl-1.0.2g/crypto/evp/diges /* * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because * sometimes only copies of the context are ever finalised. -@@ -386,7 +421,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) +@@ -388,7 +423,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } 
@@ -1652,7 +1652,7 @@ diff -up openssl-1.0.2g/crypto/evp/digest.c.fips openssl-1.0.2g/crypto/evp/diges if (ctx->pctx) EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE -@@ -397,9 +431,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) +@@ -399,9 +433,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) */ ENGINE_finish(ctx->engine); #endif @@ -1662,9 +1662,9 @@ diff -up openssl-1.0.2g/crypto/evp/digest.c.fips openssl-1.0.2g/crypto/evp/diges memset(ctx, '\0', sizeof *ctx); return 1; -diff -up openssl-1.0.2g/crypto/evp/e_aes.c.fips openssl-1.0.2g/crypto/evp/e_aes.c ---- openssl-1.0.2g/crypto/evp/e_aes.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/e_aes.c 2016-03-01 16:33:07.615916500 +0100 +diff -up openssl-1.0.2h/crypto/evp/e_aes.c.fips openssl-1.0.2h/crypto/evp/e_aes.c +--- openssl-1.0.2h/crypto/evp/e_aes.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/e_aes.c 2016-05-03 16:57:58.823321039 +0200 @@ -60,9 +60,6 @@ # include "modes_lcl.h" # include @@ -1702,9 +1702,9 @@ diff -up openssl-1.0.2g/crypto/evp/e_aes.c.fips openssl-1.0.2g/crypto/evp/e_aes. if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, ctx->iv); -diff -up openssl-1.0.2g/crypto/evp/e_des3.c.fips openssl-1.0.2g/crypto/evp/e_des3.c ---- openssl-1.0.2g/crypto/evp/e_des3.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/e_des3.c 2016-03-01 16:33:07.615916500 +0100 +diff -up openssl-1.0.2h/crypto/evp/e_des3.c.fips openssl-1.0.2h/crypto/evp/e_des3.c +--- openssl-1.0.2h/crypto/evp/e_des3.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/e_des3.c 2016-05-03 16:57:58.823321039 +0200 @@ -65,10 +65,6 @@ # include # include 
@@ -1716,9 +1716,9 @@ diff -up openssl-1.0.2g/crypto/evp/e_des3.c.fips openssl-1.0.2g/crypto/evp/e_des typedef struct { union { double align; -diff -up openssl-1.0.2g/crypto/evp/e_null.c.fips openssl-1.0.2g/crypto/evp/e_null.c ---- openssl-1.0.2g/crypto/evp/e_null.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/e_null.c 2016-03-01 16:33:07.616916523 +0100 +diff -up openssl-1.0.2h/crypto/evp/e_null.c.fips openssl-1.0.2h/crypto/evp/e_null.c +--- openssl-1.0.2h/crypto/evp/e_null.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/e_null.c 2016-05-03 16:57:58.824321063 +0200 @@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *c static const EVP_CIPHER n_cipher = { NID_undef, @@ -1728,9 +1728,9 @@ diff -up openssl-1.0.2g/crypto/evp/e_null.c.fips openssl-1.0.2g/crypto/evp/e_nul null_init_key, null_cipher, NULL, -diff -up openssl-1.0.2g/crypto/evp/evp_enc.c.fips openssl-1.0.2g/crypto/evp/evp_enc.c ---- openssl-1.0.2g/crypto/evp/evp_enc.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/evp_enc.c 2016-03-01 16:33:07.616916523 +0100 +diff -up openssl-1.0.2h/crypto/evp/evp_enc.c.fips openssl-1.0.2h/crypto/evp/evp_enc.c +--- openssl-1.0.2h/crypto/evp/evp_enc.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/evp_enc.c 2016-05-03 16:57:58.824321063 +0200 @@ -69,16 +69,73 @@ #endif #include "evp_locl.h" 
@@ -1898,9 +1898,9 @@ diff -up openssl-1.0.2g/crypto/evp/evp_enc.c.fips openssl-1.0.2g/crypto/evp/evp_ memset(c, 0, sizeof(EVP_CIPHER_CTX)); return 1; } -diff -up openssl-1.0.2g/crypto/evp/evp.h.fips openssl-1.0.2g/crypto/evp/evp.h ---- openssl-1.0.2g/crypto/evp/evp.h.fips 2016-03-01 16:33:07.503913965 +0100 -+++ openssl-1.0.2g/crypto/evp/evp.h 2016-03-01 16:33:07.616916523 +0100 +diff -up openssl-1.0.2h/crypto/evp/evp.h.fips openssl-1.0.2h/crypto/evp/evp.h +--- openssl-1.0.2h/crypto/evp/evp.h.fips 2016-05-03 16:57:58.690317899 +0200 ++++ openssl-1.0.2h/crypto/evp/evp.h 2016-05-03 16:57:58.824321063 +0200 @@ -122,6 +122,10 @@ extern "C" { #endif @@ -1954,9 +1954,9 @@ diff -up openssl-1.0.2g/crypto/evp/evp.h.fips openssl-1.0.2g/crypto/evp/evp.h /* * Cipher handles any and all padding logic as well as finalisation. */ -diff -up openssl-1.0.2g/crypto/evp/evp_lib.c.fips openssl-1.0.2g/crypto/evp/evp_lib.c ---- openssl-1.0.2g/crypto/evp/evp_lib.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/evp_lib.c 2016-03-01 16:33:07.616916523 +0100 +diff -up openssl-1.0.2h/crypto/evp/evp_lib.c.fips openssl-1.0.2h/crypto/evp/evp_lib.c +--- openssl-1.0.2h/crypto/evp/evp_lib.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/evp_lib.c 2016-05-03 16:57:58.824321063 +0200 @@ -60,10 +60,6 @@ #include "cryptlib.h" #include @@ -2042,9 +2042,9 @@ diff -up openssl-1.0.2g/crypto/evp/evp_lib.c.fips openssl-1.0.2g/crypto/evp/evp_ return md->flags; } -diff -up openssl-1.0.2g/crypto/evp/evp_locl.h.fips openssl-1.0.2g/crypto/evp/evp_locl.h ---- openssl-1.0.2g/crypto/evp/evp_locl.h.fips 2016-03-01 16:33:07.499913875 +0100 -+++ openssl-1.0.2g/crypto/evp/evp_locl.h 2016-03-01 16:33:07.616916523 +0100 +diff -up openssl-1.0.2h/crypto/evp/evp_locl.h.fips openssl-1.0.2h/crypto/evp/evp_locl.h +--- openssl-1.0.2h/crypto/evp/evp_locl.h.fips 2016-05-03 16:57:58.684317757 +0200 ++++ openssl-1.0.2h/crypto/evp/evp_locl.h 2016-05-03 16:57:58.824321063 +0200 
@@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ @@ -2078,9 +2078,9 @@ diff -up openssl-1.0.2g/crypto/evp/evp_locl.h.fips openssl-1.0.2g/crypto/evp/evp # define Camellia_set_key private_Camellia_set_key #endif -diff -up openssl-1.0.2g/crypto/evp/m_dss.c.fips openssl-1.0.2g/crypto/evp/m_dss.c ---- openssl-1.0.2g/crypto/evp/m_dss.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/m_dss.c 2016-03-01 16:33:07.616916523 +0100 +diff -up openssl-1.0.2h/crypto/evp/m_dss.c.fips openssl-1.0.2h/crypto/evp/m_dss.c +--- openssl-1.0.2h/crypto/evp/m_dss.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/m_dss.c 2016-05-03 16:57:58.825321086 +0200 @@ -86,7 +86,7 @@ static const EVP_MD dsa_md = { NID_dsaWithSHA, NID_dsaWithSHA, @@ -2090,9 +2090,9 @@ diff -up openssl-1.0.2g/crypto/evp/m_dss.c.fips openssl-1.0.2g/crypto/evp/m_dss. init, update, final, -diff -up openssl-1.0.2g/crypto/evp/m_dss1.c.fips openssl-1.0.2g/crypto/evp/m_dss1.c ---- openssl-1.0.2g/crypto/evp/m_dss1.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/m_dss1.c 2016-03-01 16:33:07.617916545 +0100 +diff -up openssl-1.0.2h/crypto/evp/m_dss1.c.fips openssl-1.0.2h/crypto/evp/m_dss1.c +--- openssl-1.0.2h/crypto/evp/m_dss1.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/m_dss1.c 2016-05-03 16:57:58.825321086 +0200 @@ -87,7 +87,7 @@ static const EVP_MD dss1_md = { NID_dsa, NID_dsaWithSHA1, 
@@ -2102,9 +2102,9 @@ diff -up openssl-1.0.2g/crypto/evp/m_dss1.c.fips openssl-1.0.2g/crypto/evp/m_dss init, update, final, -diff -up openssl-1.0.2g/crypto/evp/m_md2.c.fips openssl-1.0.2g/crypto/evp/m_md2.c ---- openssl-1.0.2g/crypto/evp/m_md2.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/m_md2.c 2016-03-01 16:33:07.617916545 +0100 +diff -up openssl-1.0.2h/crypto/evp/m_md2.c.fips openssl-1.0.2h/crypto/evp/m_md2.c +--- openssl-1.0.2h/crypto/evp/m_md2.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/m_md2.c 2016-05-03 16:57:58.825321086 +0200 @@ -68,6 +68,7 @@ # ifndef OPENSSL_NO_RSA # include @@ -2113,9 +2113,9 @@ diff -up openssl-1.0.2g/crypto/evp/m_md2.c.fips openssl-1.0.2g/crypto/evp/m_md2. static int init(EVP_MD_CTX *ctx) { -diff -up openssl-1.0.2g/crypto/evp/m_sha1.c.fips openssl-1.0.2g/crypto/evp/m_sha1.c ---- openssl-1.0.2g/crypto/evp/m_sha1.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/m_sha1.c 2016-03-01 16:33:07.617916545 +0100 +diff -up openssl-1.0.2h/crypto/evp/m_sha1.c.fips openssl-1.0.2h/crypto/evp/m_sha1.c +--- openssl-1.0.2h/crypto/evp/m_sha1.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/m_sha1.c 2016-05-03 16:57:58.825321086 +0200 @@ -87,7 +87,8 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -2166,9 +2166,9 @@ diff -up openssl-1.0.2g/crypto/evp/m_sha1.c.fips openssl-1.0.2g/crypto/evp/m_sha init512, update512, final512, -diff -up openssl-1.0.2g/crypto/evp/p_sign.c.fips openssl-1.0.2g/crypto/evp/p_sign.c ---- openssl-1.0.2g/crypto/evp/p_sign.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/p_sign.c 2016-03-01 16:33:07.617916545 +0100 +diff -up openssl-1.0.2h/crypto/evp/p_sign.c.fips openssl-1.0.2h/crypto/evp/p_sign.c +--- openssl-1.0.2h/crypto/evp/p_sign.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/p_sign.c 2016-05-03 16:57:58.825321086 +0200 
@@ -61,6 +61,7 @@ #include #include @@ -2200,9 +2200,9 @@ diff -up openssl-1.0.2g/crypto/evp/p_sign.c.fips openssl-1.0.2g/crypto/evp/p_sig if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.2g/crypto/evp/p_verify.c.fips openssl-1.0.2g/crypto/evp/p_verify.c ---- openssl-1.0.2g/crypto/evp/p_verify.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/evp/p_verify.c 2016-03-01 16:33:07.617916545 +0100 +diff -up openssl-1.0.2h/crypto/evp/p_verify.c.fips openssl-1.0.2h/crypto/evp/p_verify.c +--- openssl-1.0.2h/crypto/evp/p_verify.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/evp/p_verify.c 2016-05-03 16:57:58.825321086 +0200 @@ -61,6 +61,7 @@ #include #include @@ -2234,9 +2234,9 @@ diff -up openssl-1.0.2g/crypto/evp/p_verify.c.fips openssl-1.0.2g/crypto/evp/p_v i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up openssl-1.0.2g/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_aes_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_aes_selftest.c.fips 2016-03-01 16:33:07.617916545 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_aes_selftest.c 2016-03-01 16:33:07.617916545 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_aes_selftest.c.fips 2016-05-03 16:57:58.825321086 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_aes_selftest.c 2016-05-03 16:57:58.825321086 +0200 @@ -0,0 +1,365 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -2603,9 +2603,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2g/cryp +} + +#endif -diff -up openssl-1.0.2g/crypto/fips/fips.c.fips openssl-1.0.2g/crypto/fips/fips.c ---- openssl-1.0.2g/crypto/fips/fips.c.fips 2016-03-01 16:33:07.618916568 +0100 -+++ openssl-1.0.2g/crypto/fips/fips.c 2016-03-01 16:33:07.618916568 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips.c.fips openssl-1.0.2h/crypto/fips/fips.c +--- openssl-1.0.2h/crypto/fips/fips.c.fips 2016-05-03 16:57:58.826321110 +0200 ++++ openssl-1.0.2h/crypto/fips/fips.c 2016-05-03 16:57:58.826321110 +0200 @@ -0,0 +1,483 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -3090,9 +3090,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips.c.fips openssl-1.0.2g/crypto/fips/fips. +# endif + +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_cmac_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_cmac_selftest.c.fips 2016-03-01 16:33:07.618916568 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_cmac_selftest.c 2016-03-01 16:33:07.618916568 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c.fips 2016-05-03 16:57:58.826321110 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c 2016-05-03 16:57:58.826321110 +0200 @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -3250,9 +3250,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2g/cry + return rv; +} +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_des_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_des_selftest.c.fips 2016-03-01 16:33:07.618916568 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_des_selftest.c 2016-03-01 16:33:07.618916568 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_des_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_des_selftest.c.fips 2016-05-03 16:57:58.826321110 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_des_selftest.c 2016-05-03 16:57:58.826321110 +0200 @@ -0,0 +1,138 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -3392,9 +3392,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2g/cryp + return ret; +} +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2g/crypto/fips/fips_drbg_ctr.c ---- openssl-1.0.2g/crypto/fips/fips_drbg_ctr.c.fips 2016-03-01 16:33:07.618916568 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_drbg_ctr.c 2016-03-01 16:33:07.618916568 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c +--- openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c.fips 2016-05-03 16:57:58.826321110 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c 2016-05-03 16:57:58.826321110 +0200 @@ -0,0 +1,415 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -3811,9 +3811,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2g/crypto/f + + return 1; +} -diff -up openssl-1.0.2g/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2g/crypto/fips/fips_drbg_hash.c ---- openssl-1.0.2g/crypto/fips/fips_drbg_hash.c.fips 2016-03-01 16:33:07.618916568 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_drbg_hash.c 2016-03-01 16:33:07.618916568 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_hash.c +--- openssl-1.0.2h/crypto/fips/fips_drbg_hash.c.fips 2016-05-03 16:57:58.826321110 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_drbg_hash.c 2016-05-03 16:57:58.826321110 +0200 @@ -0,0 +1,358 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4173,9 +4173,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2g/crypto/ + + return 1; +} -diff -up openssl-1.0.2g/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2g/crypto/fips/fips_drbg_hmac.c ---- openssl-1.0.2g/crypto/fips/fips_drbg_hmac.c.fips 2016-03-01 16:33:07.619916591 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_drbg_hmac.c 2016-03-01 16:33:07.619916591 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c +--- openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c.fips 2016-05-03 16:57:58.827321134 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c 2016-05-03 16:57:58.827321134 +0200 @@ -0,0 +1,270 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -4447,9 +4447,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2g/crypto/ + + return 1; +} -diff -up openssl-1.0.2g/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2g/crypto/fips/fips_drbg_lib.c ---- openssl-1.0.2g/crypto/fips/fips_drbg_lib.c.fips 2016-03-01 16:33:07.619916591 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_drbg_lib.c 2016-03-01 16:33:07.619916591 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_lib.c +--- openssl-1.0.2h/crypto/fips/fips_drbg_lib.c.fips 2016-05-03 16:57:58.827321134 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_drbg_lib.c 2016-05-03 16:57:58.827321134 +0200 @@ -0,0 +1,553 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -5004,9 +5004,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2g/crypto/f + memcpy(dctx->lb, out, dctx->blocklength); + return 1; +} -diff -up openssl-1.0.2g/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2g/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.2g/crypto/fips/fips_drbg_rand.c.fips 2016-03-01 16:33:07.619916591 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_drbg_rand.c 2016-03-01 16:33:07.619916591 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.2h/crypto/fips/fips_drbg_rand.c.fips 2016-05-03 16:57:58.827321134 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_drbg_rand.c 2016-05-03 16:57:58.827321134 +0200 @@ -0,0 +1,166 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -5174,9 +5174,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2g/crypto/ +{ + return &rand_drbg_meth; +} -diff -up openssl-1.0.2g/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_drbg_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_drbg_selftest.c.fips 2016-03-01 16:33:07.619916591 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_drbg_selftest.c 2016-03-01 16:33:07.619916591 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c.fips 2016-05-03 16:57:58.827321134 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c 2016-05-03 16:57:58.827321134 +0200 @@ -0,0 +1,827 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -6005,9 +6005,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2g/cry + FIPS_drbg_free(dctx); + return rv; +} -diff -up openssl-1.0.2g/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2g/crypto/fips/fips_drbg_selftest.h ---- openssl-1.0.2g/crypto/fips/fips_drbg_selftest.h.fips 2016-03-01 16:33:07.620916613 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_drbg_selftest.h 2016-03-01 16:33:07.620916613 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h +--- openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h.fips 2016-05-03 16:57:58.828321157 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h 2016-05-03 16:57:58.828321157 +0200 @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -7800,9 +7800,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2g/cry + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -diff -up openssl-1.0.2g/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_dsa_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_dsa_selftest.c.fips 2016-03-01 16:33:07.620916613 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_dsa_selftest.c 2016-03-01 16:33:07.620916613 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c.fips 2016-05-03 16:57:58.828321157 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c 2016-05-03 16:57:58.828321157 +0200 @@ -0,0 +1,192 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7996,9 +7996,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2g/cryp + return ret; +} +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_enc.c.fips openssl-1.0.2g/crypto/fips/fips_enc.c ---- openssl-1.0.2g/crypto/fips/fips_enc.c.fips 2016-03-01 16:33:07.621916636 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_enc.c 2016-03-01 16:33:07.621916636 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_enc.c.fips openssl-1.0.2h/crypto/fips/fips_enc.c +--- openssl-1.0.2h/crypto/fips/fips_enc.c.fips 2016-05-03 16:57:58.829321181 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_enc.c 2016-05-03 16:57:58.829321181 +0200 @@ -0,0 +1,189 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 
@@ -8189,9 +8189,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_enc.c.fips openssl-1.0.2g/crypto/fips/f + + } +} -diff -up openssl-1.0.2g/crypto/fips/fips.h.fips openssl-1.0.2g/crypto/fips/fips.h ---- openssl-1.0.2g/crypto/fips/fips.h.fips 2016-03-01 16:33:07.621916636 +0100 -+++ openssl-1.0.2g/crypto/fips/fips.h 2016-03-01 16:33:07.621916636 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips.h.fips openssl-1.0.2h/crypto/fips/fips.h +--- openssl-1.0.2h/crypto/fips/fips.h.fips 2016-05-03 16:57:58.829321181 +0200 ++++ openssl-1.0.2h/crypto/fips/fips.h 2016-05-03 16:57:58.829321181 +0200 @@ -0,0 +1,278 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -8471,9 +8471,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips.h.fips openssl-1.0.2g/crypto/fips/fips. +} +# endif +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_hmac_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_hmac_selftest.c.fips 2016-03-01 16:33:07.621916636 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_hmac_selftest.c 2016-03-01 16:33:07.621916636 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c.fips 2016-05-03 16:57:58.829321181 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c 2016-05-03 16:57:58.829321181 +0200 @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 
@@ -8609,9 +8609,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2g/cry + return 1; +} +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_locl.h.fips openssl-1.0.2g/crypto/fips/fips_locl.h ---- openssl-1.0.2g/crypto/fips/fips_locl.h.fips 2016-03-01 16:33:07.621916636 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_locl.h 2016-03-01 16:33:07.621916636 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_locl.h.fips openssl-1.0.2h/crypto/fips/fips_locl.h +--- openssl-1.0.2h/crypto/fips/fips_locl.h.fips 2016-05-03 16:57:58.829321181 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_locl.h 2016-05-03 16:57:58.829321181 +0200 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8684,9 +8684,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_locl.h.fips openssl-1.0.2g/crypto/fips/ +} +# endif +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_md.c.fips openssl-1.0.2g/crypto/fips/fips_md.c ---- openssl-1.0.2g/crypto/fips/fips_md.c.fips 2016-03-01 16:33:07.621916636 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_md.c 2016-03-01 16:33:07.621916636 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_md.c.fips openssl-1.0.2h/crypto/fips/fips_md.c +--- openssl-1.0.2h/crypto/fips/fips_md.c.fips 2016-05-03 16:57:58.829321181 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_md.c 2016-05-03 16:57:58.829321181 +0200 @@ -0,0 +1,144 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 
@@ -8832,9 +8832,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_md.c.fips openssl-1.0.2g/crypto/fips/fi + return NULL; + } +} -diff -up openssl-1.0.2g/crypto/fips/fips_post.c.fips openssl-1.0.2g/crypto/fips/fips_post.c ---- openssl-1.0.2g/crypto/fips/fips_post.c.fips 2016-03-01 16:33:07.621916636 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_post.c 2016-03-01 16:33:07.621916636 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_post.c.fips openssl-1.0.2h/crypto/fips/fips_post.c +--- openssl-1.0.2h/crypto/fips/fips_post.c.fips 2016-05-03 16:57:58.829321181 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_post.c 2016-05-03 16:57:58.829321181 +0200 @@ -0,0 +1,201 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9037,9 +9037,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_post.c.fips openssl-1.0.2g/crypto/fips/ + return 1; +} +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_rand.c.fips openssl-1.0.2g/crypto/fips/fips_rand.c ---- openssl-1.0.2g/crypto/fips/fips_rand.c.fips 2016-03-01 16:33:07.622916659 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_rand.c 2016-03-01 16:33:07.622916659 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_rand.c.fips openssl-1.0.2h/crypto/fips/fips_rand.c +--- openssl-1.0.2h/crypto/fips/fips_rand.c.fips 2016-05-03 16:57:58.830321204 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_rand.c 2016-05-03 16:57:58.830321204 +0200 @@ -0,0 +1,428 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. 
@@ -9469,9 +9469,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_rand.c.fips openssl-1.0.2g/crypto/fips/ +} + +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_rand.h.fips openssl-1.0.2g/crypto/fips/fips_rand.h ---- openssl-1.0.2g/crypto/fips/fips_rand.h.fips 2016-03-01 16:33:07.622916659 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_rand.h 2016-03-01 16:33:07.622916659 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_rand.h.fips openssl-1.0.2h/crypto/fips/fips_rand.h +--- openssl-1.0.2h/crypto/fips/fips_rand.h.fips 2016-05-03 16:57:58.830321204 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_rand.h 2016-05-03 16:57:58.830321204 +0200 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9636,9 +9636,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_rand.h.fips openssl-1.0.2g/crypto/fips/ +# endif +# endif +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2g/crypto/fips/fips_rand_lcl.h ---- openssl-1.0.2g/crypto/fips/fips_rand_lcl.h.fips 2016-03-01 16:33:07.622916659 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_rand_lcl.h 2016-03-01 16:33:07.622916659 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2h/crypto/fips/fips_rand_lcl.h +--- openssl-1.0.2h/crypto/fips/fips_rand_lcl.h.fips 2016-05-03 16:57:58.830321204 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_rand_lcl.h 2016-05-03 16:57:58.830321204 +0200 @@ -0,0 +1,213 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -9853,9 +9853,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2g/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.0.2g/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2g/crypto/fips/fips_rand_lib.c ---- openssl-1.0.2g/crypto/fips/fips_rand_lib.c.fips 2016-03-01 16:33:07.622916659 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_rand_lib.c 2016-03-01 16:33:07.622916659 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2h/crypto/fips/fips_rand_lib.c +--- openssl-1.0.2h/crypto/fips/fips_rand_lib.c.fips 2016-05-03 16:57:58.830321204 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_rand_lib.c 2016-05-03 16:57:58.830321204 +0200 @@ -0,0 +1,181 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -10038,9 +10038,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2g/crypto/f + } + return 0; +} -diff -up openssl-1.0.2g/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_rand_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_rand_selftest.c.fips 2016-03-01 16:33:07.622916659 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_rand_selftest.c 2016-03-01 16:33:07.622916659 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_rand_selftest.c.fips 2016-05-03 16:57:58.830321204 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_rand_selftest.c 2016-05-03 16:57:58.830321204 +0200 @@ -0,0 +1,176 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -10218,9 +10218,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2g/cry +} + +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_randtest.c.fips openssl-1.0.2g/crypto/fips/fips_randtest.c ---- openssl-1.0.2g/crypto/fips/fips_randtest.c.fips 2016-03-01 16:33:07.623916681 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_randtest.c 2016-03-01 16:33:07.623916681 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_randtest.c.fips openssl-1.0.2h/crypto/fips/fips_randtest.c +--- openssl-1.0.2h/crypto/fips/fips_randtest.c.fips 2016-05-03 16:57:58.831321228 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_randtest.c 2016-05-03 16:57:58.831321228 +0200 @@ -0,0 +1,247 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -10469,9 +10469,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_randtest.c.fips openssl-1.0.2g/crypto/f +} + +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_rsa_selftest.c.fips 2016-03-01 16:33:07.623916681 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_rsa_selftest.c 2016-03-01 16:33:07.623916681 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c.fips 2016-05-03 16:57:58.831321228 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c 2016-05-03 16:57:58.831321228 +0200 @@ -0,0 +1,444 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. 
@@ -10917,9 +10917,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2g/cryp +} + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.0.2g/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2g/crypto/fips/fips_rsa_x931g.c ---- openssl-1.0.2g/crypto/fips/fips_rsa_x931g.c.fips 2016-03-01 16:33:07.623916681 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_rsa_x931g.c 2016-03-01 16:33:07.623916681 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c.fips 2016-05-03 16:57:58.831321228 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c 2016-05-03 16:57:58.831321228 +0200 @@ -0,0 +1,273 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -11194,9 +11194,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2g/crypto/ + return 0; + +} -diff -up openssl-1.0.2g/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2g/crypto/fips/fips_sha_selftest.c ---- openssl-1.0.2g/crypto/fips/fips_sha_selftest.c.fips 2016-03-01 16:33:07.623916681 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_sha_selftest.c 2016-03-01 16:33:07.623916681 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_sha_selftest.c +--- openssl-1.0.2h/crypto/fips/fips_sha_selftest.c.fips 2016-05-03 16:57:58.831321228 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_sha_selftest.c 2016-05-03 16:57:58.831321228 +0200 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -11343,9 +11343,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2g/cryp +} + +#endif -diff -up openssl-1.0.2g/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2g/crypto/fips/fips_standalone_hmac.c ---- openssl-1.0.2g/crypto/fips/fips_standalone_hmac.c.fips 2016-03-01 16:33:07.623916681 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_standalone_hmac.c 2016-03-01 16:33:07.623916681 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c +--- openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c.fips 2016-05-03 16:57:58.831321228 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c 2016-05-03 16:57:58.831321228 +0200 @@ -0,0 +1,268 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11615,9 +11615,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2g/c +#endif + return 0; +} -diff -up openssl-1.0.2g/crypto/fips/fips_test_suite.c.fips openssl-1.0.2g/crypto/fips/fips_test_suite.c ---- openssl-1.0.2g/crypto/fips/fips_test_suite.c.fips 2016-03-01 16:33:07.624916704 +0100 -+++ openssl-1.0.2g/crypto/fips/fips_test_suite.c 2016-03-01 16:33:07.624916704 +0100 +diff -up openssl-1.0.2h/crypto/fips/fips_test_suite.c.fips openssl-1.0.2h/crypto/fips/fips_test_suite.c +--- openssl-1.0.2h/crypto/fips/fips_test_suite.c.fips 2016-05-03 16:57:58.832321252 +0200 ++++ openssl-1.0.2h/crypto/fips/fips_test_suite.c 2016-05-03 16:57:58.832321252 +0200 @@ -0,0 +1,639 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -12258,9 +12258,9 @@ diff -up openssl-1.0.2g/crypto/fips/fips_test_suite.c.fips openssl-1.0.2g/crypto +} + +#endif -diff -up openssl-1.0.2g/crypto/fips/Makefile.fips openssl-1.0.2g/crypto/fips/Makefile ---- openssl-1.0.2g/crypto/fips/Makefile.fips 2016-03-01 16:33:07.624916704 +0100 -+++ openssl-1.0.2g/crypto/fips/Makefile 2016-03-01 16:33:07.624916704 +0100 +diff -up openssl-1.0.2h/crypto/fips/Makefile.fips openssl-1.0.2h/crypto/fips/Makefile +--- openssl-1.0.2h/crypto/fips/Makefile.fips 2016-05-03 16:57:58.832321252 +0200 ++++ openssl-1.0.2h/crypto/fips/Makefile 2016-05-03 16:57:58.832321252 +0200 @@ -0,0 +1,341 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -12603,9 +12603,9 @@ diff -up openssl-1.0.2g/crypto/fips/Makefile.fips openssl-1.0.2g/crypto/fips/Mak +fips_sha_selftest.o: ../../include/openssl/safestack.h +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c -diff -up openssl-1.0.2g/crypto/hmac/hmac.c.fips openssl-1.0.2g/crypto/hmac/hmac.c ---- openssl-1.0.2g/crypto/hmac/hmac.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/hmac/hmac.c 2016-03-01 16:33:07.624916704 +0100 +diff -up openssl-1.0.2h/crypto/hmac/hmac.c.fips openssl-1.0.2h/crypto/hmac/hmac.c +--- openssl-1.0.2h/crypto/hmac/hmac.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/hmac/hmac.c 2016-05-03 16:57:58.832321252 +0200 @@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; 
@@ -12668,9 +12668,9 @@ diff -up openssl-1.0.2g/crypto/hmac/hmac.c.fips openssl-1.0.2g/crypto/hmac/hmac. EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); -diff -up openssl-1.0.2g/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2g/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.2g/crypto/mdc2/mdc2dgst.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/mdc2/mdc2dgst.c 2016-03-01 16:33:07.624916704 +0100 +diff -up openssl-1.0.2h/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2h/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.2h/crypto/mdc2/mdc2dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/mdc2/mdc2dgst.c 2016-05-03 16:57:58.832321252 +0200 @@ -76,7 +76,7 @@ *((c)++)=(unsigned char)(((l)>>24L)&0xff)) @@ -12680,9 +12680,9 @@ diff -up openssl-1.0.2g/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2g/crypto/mdc2/m { c->num = 0; c->pad_type = 1; -diff -up openssl-1.0.2g/crypto/md2/md2_dgst.c.fips openssl-1.0.2g/crypto/md2/md2_dgst.c ---- openssl-1.0.2g/crypto/md2/md2_dgst.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/md2/md2_dgst.c 2016-03-01 16:33:07.624916704 +0100 +diff -up openssl-1.0.2h/crypto/md2/md2_dgst.c.fips openssl-1.0.2h/crypto/md2/md2_dgst.c +--- openssl-1.0.2h/crypto/md2/md2_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/md2/md2_dgst.c 2016-05-03 16:57:58.832321252 +0200 @@ -62,6 +62,11 @@ #include #include 
@@ -12704,9 +12704,9 @@ diff -up openssl-1.0.2g/crypto/md2/md2_dgst.c.fips openssl-1.0.2g/crypto/md2/md2 { c->num = 0; memset(c->state, 0, sizeof c->state); -diff -up openssl-1.0.2g/crypto/md4/md4_dgst.c.fips openssl-1.0.2g/crypto/md4/md4_dgst.c ---- openssl-1.0.2g/crypto/md4/md4_dgst.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/md4/md4_dgst.c 2016-03-01 16:33:07.625916726 +0100 +diff -up openssl-1.0.2h/crypto/md4/md4_dgst.c.fips openssl-1.0.2h/crypto/md4/md4_dgst.c +--- openssl-1.0.2h/crypto/md4/md4_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/md4/md4_dgst.c 2016-05-03 16:57:58.832321252 +0200 @@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -12716,9 +12716,9 @@ diff -up openssl-1.0.2g/crypto/md4/md4_dgst.c.fips openssl-1.0.2g/crypto/md4/md4 { memset(c, 0, sizeof(*c)); c->A = INIT_DATA_A; -diff -up openssl-1.0.2g/crypto/md5/md5_dgst.c.fips openssl-1.0.2g/crypto/md5/md5_dgst.c ---- openssl-1.0.2g/crypto/md5/md5_dgst.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/md5/md5_dgst.c 2016-03-01 16:33:07.625916726 +0100 +diff -up openssl-1.0.2h/crypto/md5/md5_dgst.c.fips openssl-1.0.2h/crypto/md5/md5_dgst.c +--- openssl-1.0.2h/crypto/md5/md5_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/md5/md5_dgst.c 2016-05-03 16:57:58.833321275 +0200 @@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L 
@@ -12728,9 +12728,9 @@ diff -up openssl-1.0.2g/crypto/md5/md5_dgst.c.fips openssl-1.0.2g/crypto/md5/md5 { memset(c, 0, sizeof(*c)); c->A = INIT_DATA_A; -diff -up openssl-1.0.2g/crypto/o_fips.c.fips openssl-1.0.2g/crypto/o_fips.c ---- openssl-1.0.2g/crypto/o_fips.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/o_fips.c 2016-03-01 16:33:07.625916726 +0100 +diff -up openssl-1.0.2h/crypto/o_fips.c.fips openssl-1.0.2h/crypto/o_fips.c +--- openssl-1.0.2h/crypto/o_fips.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/o_fips.c 2016-05-03 16:57:58.833321275 +0200 @@ -80,6 +80,8 @@ int FIPS_mode_set(int r) # ifndef FIPS_AUTH_USER_PASS # define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" @@ -12740,9 +12740,9 @@ diff -up openssl-1.0.2g/crypto/o_fips.c.fips openssl-1.0.2g/crypto/o_fips.c if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) -diff -up openssl-1.0.2g/crypto/o_init.c.fips openssl-1.0.2g/crypto/o_init.c ---- openssl-1.0.2g/crypto/o_init.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/o_init.c 2016-03-01 16:33:07.625916726 +0100 +diff -up openssl-1.0.2h/crypto/o_init.c.fips openssl-1.0.2h/crypto/o_init.c +--- openssl-1.0.2h/crypto/o_init.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/o_init.c 2016-05-03 16:57:58.833321275 +0200 @@ -56,8 +56,37 @@ #include #include 
@@ -12812,9 +12812,9 @@ diff -up openssl-1.0.2g/crypto/o_init.c.fips openssl-1.0.2g/crypto/o_init.c +{ + OPENSSL_init_library(); +} -diff -up openssl-1.0.2g/crypto/opensslconf.h.in.fips openssl-1.0.2g/crypto/opensslconf.h.in ---- openssl-1.0.2g/crypto/opensslconf.h.in.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/opensslconf.h.in 2016-03-01 16:33:07.625916726 +0100 +diff -up openssl-1.0.2h/crypto/opensslconf.h.in.fips openssl-1.0.2h/crypto/opensslconf.h.in +--- openssl-1.0.2h/crypto/opensslconf.h.in.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/opensslconf.h.in 2016-05-03 16:57:58.833321275 +0200 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -12836,9 +12836,9 @@ diff -up openssl-1.0.2g/crypto/opensslconf.h.in.fips openssl-1.0.2g/crypto/opens /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.2g/crypto/rand/md_rand.c.fips openssl-1.0.2g/crypto/rand/md_rand.c ---- openssl-1.0.2g/crypto/rand/md_rand.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/rand/md_rand.c 2016-03-01 16:33:07.625916726 +0100 +diff -up openssl-1.0.2h/crypto/rand/md_rand.c.fips openssl-1.0.2h/crypto/rand/md_rand.c +--- openssl-1.0.2h/crypto/rand/md_rand.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/rand/md_rand.c 2016-05-03 16:57:58.833321275 +0200 @@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; 
@@ -12851,9 +12851,9 @@ diff -up openssl-1.0.2g/crypto/rand/md_rand.c.fips openssl-1.0.2g/crypto/rand/md RAND_poll(); initialized = 1; } -diff -up openssl-1.0.2g/crypto/rand/rand.h.fips openssl-1.0.2g/crypto/rand/rand.h ---- openssl-1.0.2g/crypto/rand/rand.h.fips 2016-03-01 16:33:07.369910933 +0100 -+++ openssl-1.0.2g/crypto/rand/rand.h 2016-03-01 16:33:07.625916726 +0100 +diff -up openssl-1.0.2h/crypto/rand/rand.h.fips openssl-1.0.2h/crypto/rand/rand.h +--- openssl-1.0.2h/crypto/rand/rand.h.fips 2016-05-03 16:57:58.501313436 +0200 ++++ openssl-1.0.2h/crypto/rand/rand.h 2016-05-03 16:57:58.833321275 +0200 @@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -12894,9 +12894,9 @@ diff -up openssl-1.0.2g/crypto/rand/rand.h.fips openssl-1.0.2g/crypto/rand/rand. #ifdef __cplusplus } -diff -up openssl-1.0.2g/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2g/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.2g/crypto/ripemd/rmd_dgst.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/ripemd/rmd_dgst.c 2016-03-01 16:33:07.625916726 +0100 +diff -up openssl-1.0.2h/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2h/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.2h/crypto/ripemd/rmd_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/ripemd/rmd_dgst.c 2016-05-03 16:57:58.833321275 +0200 @@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX * void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num); #endif 
@@ -12906,9 +12906,9 @@ diff -up openssl-1.0.2g/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2g/crypto/ripe { memset(c, 0, sizeof(*c)); c->A = RIPEMD160_A; -diff -up openssl-1.0.2g/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2g/crypto/rsa/rsa_crpt.c ---- openssl-1.0.2g/crypto/rsa/rsa_crpt.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/rsa/rsa_crpt.c 2016-03-01 16:33:07.626916749 +0100 +diff -up openssl-1.0.2h/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2h/crypto/rsa/rsa_crpt.c +--- openssl-1.0.2h/crypto/rsa/rsa_crpt.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/rsa/rsa_crpt.c 2016-05-03 16:57:58.834321299 +0200 @@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const unsigned char *to, RSA *rsa, int padding) { @@ -12935,9 +12935,9 @@ diff -up openssl-1.0.2g/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2g/crypto/rsa/rsa return -1; } #endif -diff -up openssl-1.0.2g/crypto/rsa/rsa_eay.c.fips openssl-1.0.2g/crypto/rsa/rsa_eay.c ---- openssl-1.0.2g/crypto/rsa/rsa_eay.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/rsa/rsa_eay.c 2016-03-01 16:33:07.626916749 +0100 +diff -up openssl-1.0.2h/crypto/rsa/rsa_eay.c.fips openssl-1.0.2h/crypto/rsa/rsa_eay.c +--- openssl-1.0.2h/crypto/rsa/rsa_eay.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/rsa/rsa_eay.c 2016-05-03 16:57:58.834321299 +0200 @@ -114,6 +114,10 @@ #include #include 
@@ -13060,9 +13060,9 @@ diff -up openssl-1.0.2g/crypto/rsa/rsa_eay.c.fips openssl-1.0.2g/crypto/rsa/rsa_ rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; return (1); } -diff -up openssl-1.0.2g/crypto/rsa/rsa_err.c.fips openssl-1.0.2g/crypto/rsa/rsa_err.c ---- openssl-1.0.2g/crypto/rsa/rsa_err.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/rsa/rsa_err.c 2016-03-01 16:33:07.626916749 +0100 +diff -up openssl-1.0.2h/crypto/rsa/rsa_err.c.fips openssl-1.0.2h/crypto/rsa/rsa_err.c +--- openssl-1.0.2h/crypto/rsa/rsa_err.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/rsa/rsa_err.c 2016-05-03 16:57:58.834321299 +0200 @@ -136,6 +136,8 @@ static ERR_STRING_DATA RSA_str_functs[] {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, @@ -13072,9 +13072,9 @@ diff -up openssl-1.0.2g/crypto/rsa/rsa_err.c.fips openssl-1.0.2g/crypto/rsa/rsa_ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, -diff -up openssl-1.0.2g/crypto/rsa/rsa_gen.c.fips openssl-1.0.2g/crypto/rsa/rsa_gen.c ---- openssl-1.0.2g/crypto/rsa/rsa_gen.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-03-01 16:33:07.626916749 +0100 +diff -up openssl-1.0.2h/crypto/rsa/rsa_gen.c.fips openssl-1.0.2h/crypto/rsa/rsa_gen.c +--- openssl-1.0.2h/crypto/rsa/rsa_gen.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/rsa/rsa_gen.c 2016-05-03 16:57:58.834321299 +0200 @@ -69,8 +69,80 @@ #include #ifdef OPENSSL_FIPS 
@@ -13216,9 +13216,9 @@ diff -up openssl-1.0.2g/crypto/rsa/rsa_gen.c.fips openssl-1.0.2g/crypto/rsa/rsa_ ok = 1; err: if (ok == -1) { -diff -up openssl-1.0.2g/crypto/rsa/rsa.h.fips openssl-1.0.2g/crypto/rsa/rsa.h ---- openssl-1.0.2g/crypto/rsa/rsa.h.fips 2016-03-01 16:33:07.508914079 +0100 -+++ openssl-1.0.2g/crypto/rsa/rsa.h 2016-03-01 16:33:07.626916749 +0100 +diff -up openssl-1.0.2h/crypto/rsa/rsa.h.fips openssl-1.0.2h/crypto/rsa/rsa.h +--- openssl-1.0.2h/crypto/rsa/rsa.h.fips 2016-05-03 16:57:58.696318040 +0200 ++++ openssl-1.0.2h/crypto/rsa/rsa.h 2016-05-03 16:57:58.834321299 +0200 @@ -168,6 +168,8 @@ struct rsa_st { # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 # endif @@ -13315,9 +13315,9 @@ diff -up openssl-1.0.2g/crypto/rsa/rsa.h.fips openssl-1.0.2g/crypto/rsa/rsa.h # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 # define RSA_R_PADDING_CHECK_FAILED 114 # define RSA_R_PKCS_DECODING_ERROR 159 -diff -up openssl-1.0.2g/crypto/rsa/rsa_lib.c.fips openssl-1.0.2g/crypto/rsa/rsa_lib.c ---- openssl-1.0.2g/crypto/rsa/rsa_lib.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/rsa/rsa_lib.c 2016-03-01 16:33:07.627916772 +0100 +diff -up openssl-1.0.2h/crypto/rsa/rsa_lib.c.fips openssl-1.0.2h/crypto/rsa/rsa_lib.c +--- openssl-1.0.2h/crypto/rsa/rsa_lib.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/rsa/rsa_lib.c 2016-05-03 16:57:58.834321299 +0200 @@ -84,23 +84,22 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) 
@@ -13390,9 +13390,9 @@ diff -up openssl-1.0.2g/crypto/rsa/rsa_lib.c.fips openssl-1.0.2g/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE if (ret->engine) -diff -up openssl-1.0.2g/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2g/crypto/rsa/rsa_pmeth.c ---- openssl-1.0.2g/crypto/rsa/rsa_pmeth.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/rsa/rsa_pmeth.c 2016-03-01 16:33:07.627916772 +0100 +diff -up openssl-1.0.2h/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2h/crypto/rsa/rsa_pmeth.c +--- openssl-1.0.2h/crypto/rsa/rsa_pmeth.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/rsa/rsa_pmeth.c 2016-05-03 16:57:58.835321323 +0200 @@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); return -1; @@ -13432,9 +13432,9 @@ diff -up openssl-1.0.2g/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2g/crypto/rsa/rs if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); -diff -up openssl-1.0.2g/crypto/rsa/rsa_sign.c.fips openssl-1.0.2g/crypto/rsa/rsa_sign.c ---- openssl-1.0.2g/crypto/rsa/rsa_sign.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/rsa/rsa_sign.c 2016-03-01 16:33:07.627916772 +0100 +diff -up openssl-1.0.2h/crypto/rsa/rsa_sign.c.fips openssl-1.0.2h/crypto/rsa/rsa_sign.c +--- openssl-1.0.2h/crypto/rsa/rsa_sign.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/rsa/rsa_sign.c 2016-05-03 16:57:58.835321323 +0200 @@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig, &p); s = tmps; 
@@ -13473,9 +13473,9 @@ diff -up openssl-1.0.2g/crypto/rsa/rsa_sign.c.fips openssl-1.0.2g/crypto/rsa/rsa if (i <= 0) goto err; -diff -up openssl-1.0.2g/crypto/sha/sha.h.fips openssl-1.0.2g/crypto/sha/sha.h ---- openssl-1.0.2g/crypto/sha/sha.h.fips 2016-03-01 16:33:07.287909077 +0100 -+++ openssl-1.0.2g/crypto/sha/sha.h 2016-03-01 16:33:07.627916772 +0100 +diff -up openssl-1.0.2h/crypto/sha/sha.h.fips openssl-1.0.2h/crypto/sha/sha.h +--- openssl-1.0.2h/crypto/sha/sha.h.fips 2016-05-03 16:57:58.413311358 +0200 ++++ openssl-1.0.2h/crypto/sha/sha.h 2016-05-03 16:57:58.835321323 +0200 @@ -105,9 +105,6 @@ typedef struct SHAstate_st { } SHA_CTX; @@ -13518,9 +13518,9 @@ diff -up openssl-1.0.2g/crypto/sha/sha.h.fips openssl-1.0.2g/crypto/sha/sha.h int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); -diff -up openssl-1.0.2g/crypto/sha/sha_locl.h.fips openssl-1.0.2g/crypto/sha/sha_locl.h ---- openssl-1.0.2g/crypto/sha/sha_locl.h.fips 2016-03-01 16:33:07.289909122 +0100 -+++ openssl-1.0.2g/crypto/sha/sha_locl.h 2016-03-01 16:33:07.627916772 +0100 +diff -up openssl-1.0.2h/crypto/sha/sha_locl.h.fips openssl-1.0.2h/crypto/sha/sha_locl.h +--- openssl-1.0.2h/crypto/sha/sha_locl.h.fips 2016-05-03 16:57:58.415311405 +0200 ++++ openssl-1.0.2h/crypto/sha/sha_locl.h 2016-05-03 16:57:58.835321323 +0200 @@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, c #define INIT_DATA_h4 0xc3d2e1f0UL 
@@ -13537,9 +13537,9 @@ diff -up openssl-1.0.2g/crypto/sha/sha_locl.h.fips openssl-1.0.2g/crypto/sha/sha memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -diff -up openssl-1.0.2g/crypto/sha/sha256.c.fips openssl-1.0.2g/crypto/sha/sha256.c ---- openssl-1.0.2g/crypto/sha/sha256.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/sha/sha256.c 2016-03-01 16:33:07.627916772 +0100 +diff -up openssl-1.0.2h/crypto/sha/sha256.c.fips openssl-1.0.2h/crypto/sha/sha256.c +--- openssl-1.0.2h/crypto/sha/sha256.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/sha/sha256.c 2016-05-03 16:57:58.835321323 +0200 @@ -12,12 +12,19 @@ # include @@ -13570,9 +13570,9 @@ diff -up openssl-1.0.2g/crypto/sha/sha256.c.fips openssl-1.0.2g/crypto/sha/sha25 memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -diff -up openssl-1.0.2g/crypto/sha/sha512.c.fips openssl-1.0.2g/crypto/sha/sha512.c ---- openssl-1.0.2g/crypto/sha/sha512.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/crypto/sha/sha512.c 2016-03-01 16:33:07.627916772 +0100 +diff -up openssl-1.0.2h/crypto/sha/sha512.c.fips openssl-1.0.2h/crypto/sha/sha512.c +--- openssl-1.0.2h/crypto/sha/sha512.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/sha/sha512.c 2016-05-03 16:57:58.835321323 +0200 @@ -5,6 +5,10 @@ * ==================================================================== */ 
@@ -13604,9 +13604,9 @@ diff -up openssl-1.0.2g/crypto/sha/sha512.c.fips openssl-1.0.2g/crypto/sha/sha51 c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -diff -up openssl-1.0.2g/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2g/crypto/whrlpool/wp_dgst.c ---- openssl-1.0.2g/crypto/whrlpool/wp_dgst.c.fips 2016-03-01 14:35:05.000000000 +0100 -+++ openssl-1.0.2g/crypto/whrlpool/wp_dgst.c 2016-03-01 16:33:07.628916794 +0100 +diff -up openssl-1.0.2h/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2h/crypto/whrlpool/wp_dgst.c +--- openssl-1.0.2h/crypto/whrlpool/wp_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/crypto/whrlpool/wp_dgst.c 2016-05-03 16:57:58.836321346 +0200 @@ -55,7 +55,7 @@ #include #include @@ -13616,9 +13616,9 @@ diff -up openssl-1.0.2g/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2g/crypto/whr { memset(c, 0, sizeof(*c)); return (1); -diff -up openssl-1.0.2g/Makefile.org.fips openssl-1.0.2g/Makefile.org ---- openssl-1.0.2g/Makefile.org.fips 2016-03-01 16:33:07.600916161 +0100 -+++ openssl-1.0.2g/Makefile.org 2016-03-01 16:33:07.628916794 +0100 +diff -up openssl-1.0.2h/Makefile.org.fips openssl-1.0.2h/Makefile.org +--- openssl-1.0.2h/Makefile.org.fips 2016-05-03 16:57:58.791320284 +0200 ++++ openssl-1.0.2h/Makefile.org 2016-05-03 16:57:58.836321346 +0200 @@ -137,6 +137,9 @@ FIPSCANLIB= BASEADDR= 
@@ -13646,9 +13646,9 @@ diff -up openssl-1.0.2g/Makefile.org.fips openssl-1.0.2g/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.2g/ssl/ssl_algs.c.fips openssl-1.0.2g/ssl/ssl_algs.c ---- openssl-1.0.2g/ssl/ssl_algs.c.fips 2016-03-01 14:35:53.000000000 +0100 -+++ openssl-1.0.2g/ssl/ssl_algs.c 2016-03-01 16:33:07.628916794 +0100 +diff -up openssl-1.0.2h/ssl/ssl_algs.c.fips openssl-1.0.2h/ssl/ssl_algs.c +--- openssl-1.0.2h/ssl/ssl_algs.c.fips 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/ssl/ssl_algs.c 2016-05-03 16:57:58.836321346 +0200 @@ -64,6 +64,11 @@ int SSL_library_init(void) { diff --git a/openssl-1.0.2c-trusted-first-doc.patch b/openssl-1.0.2h-trusted-first-doc.patch similarity index 69% rename from openssl-1.0.2c-trusted-first-doc.patch rename to openssl-1.0.2h-trusted-first-doc.patch index 63e1076..8ea85c9 100644 --- a/openssl-1.0.2c-trusted-first-doc.patch +++ b/openssl-1.0.2h-trusted-first-doc.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c ---- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200 -+++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200 +diff -up openssl-1.0.2h/apps/cms.c.trusted-first openssl-1.0.2h/apps/cms.c +--- openssl-1.0.2h/apps/cms.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/apps/cms.c 2016-05-03 18:01:16.729556976 +0200 @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); 
@@ -10,10 +10,10 @@ diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); -diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c ---- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200 -+++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200 -@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv) +diff -up openssl-1.0.2h/apps/ocsp.c.trusted-first openssl-1.0.2h/apps/ocsp.c +--- openssl-1.0.2h/apps/ocsp.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/apps/ocsp.c 2016-05-03 18:01:16.730556998 +0200 +@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, @@ -22,9 +22,9 @@ diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-VAfile file validator certificates file\n"); -diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c ---- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200 -+++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200 +diff -up openssl-1.0.2h/apps/s_client.c.trusted-first openssl-1.0.2h/apps/s_client.c +--- openssl-1.0.2h/apps/s_client.c.trusted-first 2016-05-03 18:01:16.696556246 +0200 ++++ openssl-1.0.2h/apps/s_client.c 2016-05-03 18:01:16.730556998 +0200 @@ -333,6 +333,8 @@ static void sc_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); 
@@ -34,9 +34,9 @@ diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_clie " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n"); -diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c ---- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200 -+++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200 +diff -up openssl-1.0.2h/apps/smime.c.trusted-first openssl-1.0.2h/apps/smime.c +--- openssl-1.0.2h/apps/smime.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/apps/smime.c 2016-05-03 18:01:16.730556998 +0200 @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); @@ -46,10 +46,10 @@ diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); -diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c ---- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200 -+++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200 -@@ -572,6 +572,8 @@ static void sv_usage(void) +diff -up openssl-1.0.2h/apps/s_server.c.trusted-first openssl-1.0.2h/apps/s_server.c +--- openssl-1.0.2h/apps/s_server.c.trusted-first 2016-05-03 18:01:16.666555583 +0200 ++++ openssl-1.0.2h/apps/s_server.c 2016-05-03 18:01:16.731557020 +0200 +@@ -578,6 +578,8 @@ static void sv_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, 
@@ -58,9 +58,9 @@ diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_serv " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n"); -diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c ---- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200 -+++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200 +diff -up openssl-1.0.2h/apps/s_time.c.trusted-first openssl-1.0.2h/apps/s_time.c +--- openssl-1.0.2h/apps/s_time.c.trusted-first 2016-05-03 18:01:16.661555472 +0200 ++++ openssl-1.0.2h/apps/s_time.c 2016-05-03 18:01:16.731557020 +0200 @@ -182,6 +182,7 @@ static void s_time_usage(void) file if not specified by this option\n\ -CApath arg - PEM format directory of CA's\n\ @@ -69,9 +69,9 @@ diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; printf("usage: s_time \n\n"); -diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c ---- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200 -+++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200 +diff -up openssl-1.0.2h/apps/ts.c.trusted-first openssl-1.0.2h/apps/ts.c +--- openssl-1.0.2h/apps/ts.c.trusted-first 2016-05-03 18:01:16.694556202 +0200 ++++ openssl-1.0.2h/apps/ts.c 2016-05-03 18:01:16.731557020 +0200 @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv) "ts -verify [-data file_to_hash] [-digest digest_bytes] " "[-queryfile request.tsq] " 
@@ -81,9 +81,9 @@ diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c "-untrusted cert_file.pem\n"); cleanup: /* Clean up. */ -diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c ---- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200 -+++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200 +diff -up openssl-1.0.2h/apps/verify.c.trusted-first openssl-1.0.2h/apps/verify.c +--- openssl-1.0.2h/apps/verify.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/apps/verify.c 2016-05-03 18:01:16.731557020 +0200 @@ -231,7 +231,7 @@ int MAIN(int argc, char **argv) end: if (ret == 1) { @@ -93,9 +93,9 @@ diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " [-engine e]"); -diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod ---- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 -+++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200 +diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/cms.pod +--- openssl-1.0.2h/doc/apps/cms.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/doc/apps/cms.pod 2016-05-03 18:01:16.731557020 +0200 @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] 
@@ -117,19 +117,17 @@ diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/c =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod ---- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200 -+++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200 -@@ -29,7 +29,8 @@ B B +diff -up openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first openssl-1.0.2h/doc/apps/ocsp.pod +--- openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first 2016-05-03 18:01:16.695556224 +0200 ++++ openssl-1.0.2h/doc/apps/ocsp.pod 2016-05-03 18:02:16.021868012 +0200 +@@ -29,6 +29,7 @@ B B [B<-path>] [B<-CApath dir>] [B<-CAfile file>] --[B<-no_alt_chains>]] +[B<-trusted_first>] -+[B<-no_alt_chains>] + [B<-no_alt_chains>] [B<-VAfile file>] [B<-validity_period n>] - [B<-status_age n>] @@ -144,6 +145,13 @@ connection timeout to the OCSP responder file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. @@ -144,9 +142,9 @@ diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ =item B<-no_alt_chains> See L|verify(1)> manual page for details. -diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod ---- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200 -+++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200 +diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/apps/s_client.pod +--- openssl-1.0.2h/doc/apps/s_client.pod.trusted-first 2016-05-03 18:01:16.706556467 +0200 ++++ openssl-1.0.2h/doc/apps/s_client.pod 2016-05-03 18:01:16.732557042 +0200 @@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] 
@@ -164,9 +162,9 @@ diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/a Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. -diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod ---- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 -+++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200 +diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps/smime.pod +--- openssl-1.0.2h/doc/apps/smime.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/doc/apps/smime.pod 2016-05-03 18:01:16.732557042 +0200 @@ -15,6 +15,9 @@ B B [B<-pk7out>] [B<-[cipher]>] @@ -190,9 +188,9 @@ diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod ---- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200 -+++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200 +diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/apps/s_server.pod +--- openssl-1.0.2h/doc/apps/s_server.pod.trusted-first 2016-05-03 18:01:16.706556467 +0200 ++++ openssl-1.0.2h/doc/apps/s_server.pod 2016-05-03 18:01:16.732557042 +0200 @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] @@ -201,7 +199,7 @@ diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/a [B<-no_alt_chains>] [B<-nocert>] [B<-cipher cipherlist>] -@@ -175,6 +176,12 @@ and to use when attempting to build the +@@ -177,6 +178,12 @@ and to use when attempting to build the is also used in the list of acceptable client CAs passed to the client when a certificate is requested. 
@@ -214,9 +212,9 @@ diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/a =item B<-no_alt_chains> See the L|verify(1)> manual page for details. -diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/apps/s_time.pod ---- openssl-1.0.2c/doc/apps/s_time.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 -+++ openssl-1.0.2c/doc/apps/s_time.pod 2015-06-15 17:45:13.116279853 +0200 +diff -up openssl-1.0.2h/doc/apps/s_time.pod.trusted-first openssl-1.0.2h/doc/apps/s_time.pod +--- openssl-1.0.2h/doc/apps/s_time.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/doc/apps/s_time.pod 2016-05-03 18:01:16.732557042 +0200 @@ -14,6 +14,7 @@ B B [B<-key filename>] [B<-CApath directory>] @@ -238,9 +236,9 @@ diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/app =item B<-new> performs the timing test using a new session ID for each connection. -diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts.pod ---- openssl-1.0.2c/doc/apps/ts.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 -+++ openssl-1.0.2c/doc/apps/ts.pod 2015-06-15 17:45:13.116279853 +0200 +diff -up openssl-1.0.2h/doc/apps/ts.pod.trusted-first openssl-1.0.2h/doc/apps/ts.pod +--- openssl-1.0.2h/doc/apps/ts.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/doc/apps/ts.pod 2016-05-03 18:01:16.732557042 +0200 @@ -46,6 +46,7 @@ B<-verify> [B<-token_in>] [B<-CApath> trusted_cert_path] 
@@ -262,9 +260,9 @@ diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts =item B<-untrusted> cert_file.pem Set of additional untrusted certificates in PEM format which may be -diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/apps/verify.pod ---- openssl-1.0.2c/doc/apps/verify.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 -+++ openssl-1.0.2c/doc/apps/verify.pod 2015-06-15 17:45:13.116279853 +0200 +diff -up openssl-1.0.2h/doc/apps/verify.pod.trusted-first openssl-1.0.2h/doc/apps/verify.pod +--- openssl-1.0.2h/doc/apps/verify.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/doc/apps/verify.pod 2016-05-03 18:01:16.732557042 +0200 @@ -9,6 +9,7 @@ verify - Utility to verify certificates. B B [B<-CApath directory>] @@ -273,7 +271,7 @@ diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/app [B<-purpose purpose>] [B<-policy arg>] [B<-ignore_critical>] -@@ -79,6 +80,12 @@ If a valid CRL cannot be found an error +@@ -85,6 +86,12 @@ If a valid CRL cannot be found an error A file of untrusted certificates. The file should contain multiple certificates in PEM format concatenated together. diff --git a/openssl.spec b/openssl.spec index 01f2eb3..8d1b85e 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,8 +22,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.2g -Release: 4%{?dist} +Version: 1.0.2h +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
@@ -56,7 +56,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-1.0.2a-x509.patch Patch35: openssl-1.0.2a-version-add-engines.patch Patch39: openssl-1.0.2a-ipv6-apps.patch -Patch40: openssl-1.0.2g-fips.patch +Patch40: openssl-1.0.2h-fips.patch Patch45: openssl-1.0.2a-env-zlib.patch Patch47: openssl-1.0.2a-readme-warning.patch Patch49: openssl-1.0.1i-algo-doc.patch @@ -76,7 +76,6 @@ Patch73: openssl-1.0.2c-ecc-suiteb.patch Patch74: openssl-1.0.2a-no-md5-verify.patch Patch75: openssl-1.0.2a-compat-symbols.patch Patch76: openssl-1.0.2f-new-fips-reqs.patch -Patch77: openssl-1.0.2a-weak-ciphers.patch Patch78: openssl-1.0.2a-cc-reqs.patch Patch90: openssl-1.0.2a-enc-fail.patch Patch92: openssl-1.0.2a-system-cipherlist.patch @@ -87,8 +86,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch # Backported fixes including security fixes Patch80: openssl-1.0.2e-wrap-pad.patch Patch81: openssl-1.0.2a-padlock64.patch -Patch82: openssl-1.0.2c-trusted-first-doc.patch -Patch83: openssl-1.0.2g-remove-ssl2.patch +Patch82: openssl-1.0.2h-trusted-first-doc.patch License: OpenSSL Group: System Environment/Libraries @@ -201,7 +199,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch74 -p1 -b .no-md5-verify %patch75 -p1 -b .compat %patch76 -p1 -b .fips-reqs -%patch77 -p1 -b .weak-ciphers %patch78 -p1 -b .cc-reqs %patch90 -p1 -b .enc-fail %patch92 -p1 -b .system @@ -213,7 +210,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch80 -p1 -b .wrap %patch81 -p1 -b .padlock64 %patch82 -p1 -b .trusted-first -%patch83 -p1 -b .remove-ssl2 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -504,6 +500,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Tue May 3 2016 Tomáš Mráz 1.0.2h-1 +- minor upstream release 1.0.2h fixing security issues + * Tue Mar 29 2016 Tomáš Mráz 1.0.2g-4 - disable SSLv2 support altogether (without ABI break) diff --git a/sources b/sources index b732381..f49534e 100644 --- a/sources 
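Review bot: The `%changelog` entry added in the last hunk says only "minor upstream release 1.0.2h fixing security issues", while the hunks at `-76,7`, `-87,8`, `-201,7` and `-213,7` also drop Patch77 (weak-ciphers) and Patch83 (remove-ssl2) with no recorded reason. Both were hardening patches: one appended `!DES` to `SSL_DEFAULT_CIPHER_LIST`, the other made the SSLv2 method functions return NULL. The entry should therefore say where that behaviour now comes from, e.g. `- drop weak-ciphers and remove-ssl2 patches, equivalent changes are in upstream 1.0.2h`, if that is the reason. That reason is presumed from the patches being deleted rather than rebased, so confirm it against the upstream CHANGES. It is also worth checking on the built package that the default cipher list still excludes single DES and that `SSLv2_method()` still returns NULL, since a regression would silently bring back weak defaults.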
+++ b/sources
@@ -1 +1 @@
-f32fd979486600e102b77fbc1f88787c openssl-1.0.2g-hobbled.tar.xz
+020793e7b8901a1ac62d38f3a77f9a0c openssl-1.0.2h-hobbled.tar.xz