From 9d21f19320eb51e369a13648ae7dab0a6b2ec358 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Sat, 6 Feb 2016 20:46:00 +0100 Subject: [PATCH] Synced with native openssl-1.0.2f-2 --- .gitignore | 1 + mingw-openssl.spec | 51 +- openssl-1.0.2a-dh-1024.patch | 75 -- ...atch => openssl-1.0.2c-default-paths.patch | 47 +- ...b.patch => openssl-1.0.2c-ecc-suiteb.patch | 66 +- ... => openssl-1.0.2c-trusted-first-doc.patch | 156 ++-- ...anfix.patch => openssl-1.0.2d-manfix.patch | 12 - openssl-1.0.2d-secp256k1.patch | 82 +++ ...2a-fips.patch => openssl-1.0.2e-fips.patch | 667 +++++++++--------- openssl-1.0.2e-remove-nistp224.patch | 15 + ...ild.patch => openssl-1.0.2e-rpmbuild.patch | 35 +- openssl-1.0.2e-speed-doc.patch | 58 ++ ...pad.patch => openssl-1.0.2e-wrap-pad.patch | 72 +- ...atch => openssl-1.0.2f-new-fips-reqs.patch | 134 ++-- sources | 2 +- 15 files changed, 742 insertions(+), 731 deletions(-) delete mode 100644 openssl-1.0.2a-dh-1024.patch rename openssl-1.0.2a-default-paths.patch => openssl-1.0.2c-default-paths.patch (50%) rename openssl-1.0.2a-ecc-suiteb.patch => openssl-1.0.2c-ecc-suiteb.patch (83%) rename openssl-1.0.2a-trusted-first-doc.patch => openssl-1.0.2c-trusted-first-doc.patch (62%) rename openssl-1.0.2a-manfix.patch => openssl-1.0.2d-manfix.patch (87%) create mode 100644 openssl-1.0.2d-secp256k1.patch rename openssl-1.0.2a-fips.patch => openssl-1.0.2e-fips.patch (95%) create mode 100644 openssl-1.0.2e-remove-nistp224.patch rename openssl-1.0.2a-rpmbuild.patch => openssl-1.0.2e-rpmbuild.patch (85%) create mode 100644 openssl-1.0.2e-speed-doc.patch rename openssl-1.0.2a-wrap-pad.patch => openssl-1.0.2e-wrap-pad.patch (88%) rename openssl-1.0.2a-new-fips-reqs.patch => openssl-1.0.2f-new-fips-reqs.patch (92%) diff --git a/.gitignore b/.gitignore index 589a7dc..b17325b 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.0.1i-hobbled.tar.xz /openssl-1.0.1j-hobbled.tar.xz /openssl-1.0.2a-hobbled.tar.xz +/openssl-1.0.2f-hobbled.tar.xz diff --git a/mingw-openssl.spec b/mingw-openssl.spec index 37200f2..dbd791f 100644 --- a/mingw-openssl.spec +++ b/mingw-openssl.spec @@ -23,8 +23,8 @@ %global thread_test_threads %{?threads:%{threads}}%{!?threads:1} Name: mingw-openssl -Version: 1.0.2a -Release: 3%{?dist} +Version: 1.0.2f +Release: 1%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -48,7 +48,7 @@ Source12: ec_curve.c Source13: ectest.c # Build changes -Patch1: openssl-1.0.2a-rpmbuild.patch +Patch1: openssl-1.0.2e-rpmbuild.patch Patch2: openssl-1.0.2a-defaults.patch Patch4: openssl-1.0.2a-enginesdir.patch Patch5: openssl-1.0.2a-no-rpath.patch @@ -57,14 +57,14 @@ Patch7: openssl-1.0.0-timezone.patch Patch8: openssl-1.0.1c-perlfind.patch Patch9: openssl-1.0.1c-aliasing.patch # Bug fixes -Patch23: openssl-1.0.2a-default-paths.patch +Patch23: openssl-1.0.2c-default-paths.patch Patch24: openssl-1.0.2a-issuer-hash.patch # Functionality changes Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-1.0.2a-x509.patch Patch35: openssl-1.0.2a-version-add-engines.patch Patch39: openssl-1.0.2a-ipv6-apps.patch -Patch40: openssl-1.0.2a-fips.patch +Patch40: openssl-1.0.2e-fips.patch Patch45: openssl-1.0.2a-env-zlib.patch Patch47: openssl-1.0.2a-readme-warning.patch Patch49: openssl-1.0.1i-algo-doc.patch @@ -77,23 +77,25 @@ Patch63: openssl-1.0.2a-xmpp-starttls.patch Patch65: openssl-1.0.2a-chil-fixes.patch Patch66: openssl-1.0.2a-pkgconfig-krb5.patch Patch68: openssl-1.0.2a-secure-getenv.patch -Patch69: openssl-1.0.2a-dh-1024.patch Patch70: openssl-1.0.2a-fips-ec.patch -Patch71: openssl-1.0.2a-manfix.patch +Patch71: openssl-1.0.2d-manfix.patch Patch72: openssl-1.0.2a-fips-ctor.patch -Patch73: openssl-1.0.2a-ecc-suiteb.patch +Patch73: openssl-1.0.2c-ecc-suiteb.patch Patch74: openssl-1.0.2a-no-md5-verify.patch Patch75: openssl-1.0.2a-compat-symbols.patch -Patch76: openssl-1.0.2a-new-fips-reqs.patch +Patch76: openssl-1.0.2f-new-fips-reqs.patch Patch77: openssl-1.0.2a-weak-ciphers.patch +Patch78: openssl-1.0.2a-cc-reqs.patch Patch90: openssl-1.0.2a-enc-fail.patch Patch92: openssl-1.0.2a-system-cipherlist.patch Patch93: openssl-1.0.2a-disable-sslv2v3.patch +Patch94: openssl-1.0.2d-secp256k1.patch +Patch95: openssl-1.0.2e-remove-nistp224.patch +Patch96: openssl-1.0.2e-speed-doc.patch # Backported fixes including security fixes -Patch80: openssl-1.0.2a-wrap-pad.patch +Patch80: openssl-1.0.2e-wrap-pad.patch Patch81: openssl-1.0.2a-padlock64.patch -Patch84: openssl-1.0.2a-trusted-first-doc.patch -Patch87: openssl-1.0.2a-cc-reqs.patch +Patch82: openssl-1.0.2c-trusted-first-doc.patch # MinGW-specific patches. # Rename *eay32.dll to lib*.dll @@ -129,7 +131,9 @@ BuildRequires: mktemp BuildRequires: perl BuildRequires: sed BuildRequires: /usr/bin/cmp +BuildRequires: lksctp-tools-devel BuildRequires: /usr/bin/rename +BuildRequires: /usr/bin/pod2man # XXX Not really sure about this one. The build script uses # /usr/bin/makedepend which comes from imake. @@ -239,7 +243,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch65 -p1 -b .chil %patch66 -p1 -b .krb5 #patch68 -p1 -b .secure-getenv -%patch69 -p1 -b .dh1024 #patch70 -p1 -b .fips-ec %patch71 -p1 -b .manfix #patch72 -p1 -b .fips-ctor @@ -248,14 +251,17 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch75 -p1 -b .compat #patch76 -p1 -b .fips-reqs %patch77 -p1 -b .weak-ciphers +%patch78 -p1 -b .cc-reqs %patch90 -p1 -b .enc-fail %patch92 -p1 -b .system %patch93 -p1 -b .v2v3 +%patch94 -p1 -b .secp256k1 +%patch95 -p1 -b .nistp224 +%patch96 -p1 -b .speed-doc %patch80 -p1 -b .wrap %patch81 -p1 -b .padlock64 -%patch84 -p1 -b .trusted-first -%patch87 -p1 -b .cc-reqs +%patch82 -p1 -b .trusted-first # MinGW specific patches %patch101 -p1 -b .mingw-libversion @@ -298,7 +304,8 @@ PERL=%{__perl} \ --prefix=%{mingw32_prefix} \ --openssldir=%{mingw32_sysconfdir}/pki/tls \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ - enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \ + enable-cms enable-md2 \ + no-mdc2 no-rc5 no-ec2m no-gost no-srp \ no-fips no-hw \ --cross-compile-prefix=%{mingw32_target}- \ --enginesdir=%{mingw32_libdir}/openssl/engines \ @@ -325,7 +332,8 @@ PERL=%{__perl} \ --prefix=%{mingw64_prefix} \ --openssldir=%{mingw64_sysconfdir}/pki/tls \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ - enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \ + enable-cms enable-md2 \ + no-mdc2 no-rc5 no-ec2m no-gost no-srp \ no-fips no-hw \ --cross-compile-prefix=%{mingw64_target}- \ --enginesdir=%{mingw64_libdir}/openssl/engines \ @@ -342,6 +350,11 @@ make rehash build-shared popd +# Clean up the .pc files +for i in build_win{32,64}/libcrypto.pc build_win{32,64}/libssl.pc build_win{32,64}/openssl.pc ; do + sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i +done + %if %{run_tests} %check @@ -501,6 +514,10 @@ mkdir -m700 $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/CA/private %changelog +* Sat Feb 6 2016 Erik van Pienbroek - 1.0.2f-1 +- Synced with native openssl-1.0.2f-2 +- Fixes RHBZ #1239685 #1290334 #1302768 + * Thu Feb 04 2016 Fedora Release Engineering - 1.0.2a-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild diff --git a/openssl-1.0.2a-dh-1024.patch b/openssl-1.0.2a-dh-1024.patch deleted file mode 100644 index 67d3171..0000000 --- a/openssl-1.0.2a-dh-1024.patch +++ /dev/null @@ -1,75 +0,0 @@ -diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c ---- openssl-1.0.2a/apps/s_server.c.dh1024 2015-04-09 18:19:55.978228949 +0200 -+++ openssl-1.0.2a/apps/s_server.c 2015-04-09 18:19:50.842110304 +0200 -@@ -230,29 +230,44 @@ static void s_server_init(void); - #endif - - #ifndef OPENSSL_NO_DH --static unsigned char dh512_p[] = { -- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75, -- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F, -- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3, -- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12, -- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C, -- 0x47, 0x74, 0xE8, 0x33, --}; -- --static unsigned char dh512_g[] = { -- 0x02, --}; -- --static DH *get_dh512(void) -+static DH *get_dh1024() - { -- DH *dh = NULL; -+ static unsigned char dh1024_p[] = { -+ 0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54, -+ 0x63, -+ 0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66, -+ 0x79, -+ 0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0, -+ 0x3C, -+ 0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1, -+ 0xEF, -+ 0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07, -+ 0xFB, -+ 0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98, -+ 0xE3, -+ 0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A, -+ 0xED, -+ 0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97, -+ 0x23, -+ 0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB, -+ 0x05, -+ 0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52, -+ 0xA4, -+ 0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93, -+ }; -+ static unsigned char dh1024_g[] = { -+ 0x02, -+ }; -+ DH *dh; - - if ((dh = DH_new()) == NULL) - return (NULL); -- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); -- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); -- if ((dh->p == NULL) || (dh->g == NULL)) -+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); -+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); -+ if ((dh->p == NULL) || (dh->g == NULL)) { -+ DH_free(dh); - return (NULL); -+ } - return (dh); - } - #endif -@@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[]) - BIO_printf(bio_s_out, "Setting temp DH parameters\n"); - } else { - BIO_printf(bio_s_out, "Using default temp DH parameters\n"); -- dh = get_dh512(); -+ dh = get_dh1024(); - } - (void)BIO_flush(bio_s_out); - diff --git a/openssl-1.0.2a-default-paths.patch b/openssl-1.0.2c-default-paths.patch similarity index 50% rename from openssl-1.0.2a-default-paths.patch rename to openssl-1.0.2c-default-paths.patch index 6e02c6d..aa607be 100644 --- a/openssl-1.0.2a-default-paths.patch +++ b/openssl-1.0.2c-default-paths.patch @@ -1,38 +1,7 @@ -diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c ---- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200 -+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200 -@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv) - - SSL_CTX_set_verify(ctx, verify, verify_callback); - -- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) { -- /* -- * BIO_printf(bio_err,"error setting default verify locations\n"); -- */ -- ERR_print_errors(bio_err); -- /* goto end; */ -+ if (CAfile == NULL && CApath == NULL) { -+ if (!SSL_CTX_set_default_verify_paths(ctx)) { -+ ERR_print_errors(bio_err); -+ } -+ } else { -+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { -+ ERR_print_errors(bio_err); -+ } - } - -- ssl_ctx_add_crls(ctx, crls, crl_download); -- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain)) -- goto end; -- - #ifndef OPENSSL_NO_TLSEXT - if (servername != NULL) { - tlsextcbp.biodebug = bio_err; -diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c ---- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200 -@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[]) +diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c +--- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200 +@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[]) } #endif @@ -54,7 +23,7 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv if (vpm) SSL_CTX_set1_param(ctx, vpm); -@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[]) +@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[]) else SSL_CTX_sess_set_cache_size(ctx2, 128); @@ -67,9 +36,9 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv ERR_print_errors(bio_err); } if (vpm) -diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c ---- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200 -+++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200 +diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c +--- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200 @@ -381,13 +381,14 @@ int MAIN(int argc, char **argv) SSL_load_error_strings(); diff --git a/openssl-1.0.2a-ecc-suiteb.patch b/openssl-1.0.2c-ecc-suiteb.patch similarity index 83% rename from openssl-1.0.2a-ecc-suiteb.patch rename to openssl-1.0.2c-ecc-suiteb.patch index 5b27fdc..dfcae76 100644 --- a/openssl-1.0.2a-ecc-suiteb.patch +++ b/openssl-1.0.2c-ecc-suiteb.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c ---- openssl-1.0.2a/apps/speed.c.suiteb 2015-04-21 17:46:15.452321183 +0200 -+++ openssl-1.0.2a/apps/speed.c 2015-04-22 14:52:45.362272296 +0200 +diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c +--- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200 ++++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200 @@ -996,78 +996,26 @@ int MAIN(int argc, char **argv) } else # endif @@ -122,52 +122,48 @@ diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c ecdh_doit[i] = 1; # endif } -diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c ---- openssl-1.0.2a/ssl/t1_lib.c.suiteb 2015-04-21 17:46:15.506322451 +0200 -+++ openssl-1.0.2a/ssl/t1_lib.c 2015-04-22 15:03:32.464591096 +0200 -@@ -266,41 +266,30 @@ static const unsigned char eccurves_defa - 0, 13, /* sect571k1 (13) */ - # endif +diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c +--- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200 ++++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200 +@@ -268,11 +268,7 @@ static const unsigned char eccurves_auto + 0, 23, /* secp256r1 (23) */ + /* Other >= 256-bit prime curves. */ 0, 25, /* secp521r1 (25) */ - 0, 28, /* brainpool512r1 (28) */ - # ifndef OPENSSL_NO_EC2M - 0, 11, /* sect409k1 (11) */ - 0, 12, /* sect409r1 (12) */ - # endif - 0, 27, /* brainpoolP384r1 (27) */ 0, 24, /* secp384r1 (24) */ - # ifndef OPENSSL_NO_EC2M - 0, 9, /* sect283k1 (9) */ - 0, 10, /* sect283r1 (10) */ - # endif - 0, 26, /* brainpoolP256r1 (26) */ - 0, 22, /* secp256k1 (22) */ - 0, 23, /* secp256r1 (23) */ # ifndef OPENSSL_NO_EC2M - 0, 8, /* sect239k1 (8) */ - 0, 6, /* sect233k1 (6) */ - 0, 7, /* sect233r1 (7) */ - # endif + /* >= 256-bit binary curves. */ + 0, 14, /* sect571r1 (14) */ +@@ -289,11 +285,7 @@ static const unsigned char eccurves_all[ + 0, 23, /* secp256r1 (23) */ + /* Other >= 256-bit prime curves. */ + 0, 25, /* secp521r1 (25) */ +- 0, 28, /* brainpool512r1 (28) */ +- 0, 27, /* brainpoolP384r1 (27) */ + 0, 24, /* secp384r1 (24) */ +- 0, 26, /* brainpoolP256r1 (26) */ +- 0, 22, /* secp256k1 (22) */ + # ifndef OPENSSL_NO_EC2M + /* >= 256-bit binary curves. */ + 0, 14, /* sect571r1 (14) */ +@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[ + * Remaining curves disabled by default but still permitted if set + * via an explicit callback or parameters. + */ - 0, 20, /* secp224k1 (20) */ - 0, 21, /* secp224r1 (21) */ - # ifndef OPENSSL_NO_EC2M - 0, 4, /* sect193r1 (4) */ - 0, 5, /* sect193r2 (5) */ - # endif - 0, 18, /* secp192k1 (18) */ - 0, 19, /* secp192r1 (19) */ - # ifndef OPENSSL_NO_EC2M - 0, 1, /* sect163k1 (1) */ - 0, 2, /* sect163r1 (2) */ - 0, 3, /* sect163r2 (3) */ - # endif - 0, 15, /* secp160k1 (15) */ - 0, 16, /* secp160r1 (16) */ - 0, 17, /* secp160r2 (17) */ - }; - - static const unsigned char suiteb_curves[] = { -@@ -325,29 +314,21 @@ static const unsigned char fips_curves_d + # ifndef OPENSSL_NO_EC2M + 0, 8, /* sect239k1 (8) */ + 0, 6, /* sect233k1 (6) */ +@@ -348,29 +333,21 @@ static const unsigned char fips_curves_d 0, 9, /* sect283k1 (9) */ 0, 10, /* sect283r1 (10) */ # endif diff --git a/openssl-1.0.2a-trusted-first-doc.patch b/openssl-1.0.2c-trusted-first-doc.patch similarity index 62% rename from openssl-1.0.2a-trusted-first-doc.patch rename to openssl-1.0.2c-trusted-first-doc.patch index 8333751..63e1076 100644 --- a/openssl-1.0.2a-trusted-first-doc.patch +++ b/openssl-1.0.2c-trusted-first-doc.patch @@ -1,66 +1,66 @@ -diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c ---- openssl-1.0.2a/apps/cms.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/cms.c 2015-04-22 16:25:31.839164061 +0200 +diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c +--- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200 ++++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200 @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c ---- openssl-1.0.2a/apps/ocsp.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/ocsp.c 2015-04-22 16:25:31.840164085 +0200 + "-crl_check check revocation status of signer's certificate using CRLs\n"); +diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c +--- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200 ++++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200 @@ -536,6 +536,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf(bio_err, - "-VAfile file validator certificates file\n"); + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, - "-validity_period n maximum validity discrepancy in seconds\n"); -diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c ---- openssl-1.0.2a/apps/s_client.c.trusted-first 2015-04-22 16:25:31.799163115 +0200 -+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 16:25:31.840164085 +0200 + "-VAfile file validator certificates file\n"); +diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c +--- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200 ++++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200 @@ -333,6 +333,8 @@ static void sc_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, + " -trusted_first - Use trusted CA's first when building the trust chain\n"); + BIO_printf(bio_err, - " -reconnect - Drop and re-make the connection with the same Session-ID\n"); + " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, - " -pause - sleep(1) after each read(2) and write(2) system call\n"); -diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c ---- openssl-1.0.2a/apps/smime.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/smime.c 2015-04-22 16:25:31.840164085 +0200 + " -reconnect - Drop and re-make the connection with the same Session-ID\n"); +diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c +--- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200 ++++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200 @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-trusted_first use trusted certificates first when building the trust chain\n"); + BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c ---- openssl-1.0.2a/apps/s_server.c.trusted-first 2015-04-22 16:25:31.806163281 +0200 -+++ openssl-1.0.2a/apps/s_server.c 2015-04-22 16:25:31.841164108 +0200 -@@ -569,6 +569,8 @@ static void sv_usage(void) + "-crl_check check revocation status of signer's certificate using CRLs\n"); +diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c +--- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200 ++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200 +@@ -572,6 +572,8 @@ static void sv_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, + " -trusted_first - Use trusted CA's first when building the trust chain\n"); + BIO_printf(bio_err, - " -nocert - Don't use any certificates (Anon-DH)\n"); + " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, - " -cipher arg - play with 'openssl ciphers' to see what goes here\n"); -diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c ---- openssl-1.0.2a/apps/s_time.c.trusted-first 2015-04-22 16:25:31.755162075 +0200 -+++ openssl-1.0.2a/apps/s_time.c 2015-04-22 16:25:31.841164108 +0200 + " -nocert - Don't use any certificates (Anon-DH)\n"); +diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c +--- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200 ++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200 @@ -182,6 +182,7 @@ static void s_time_usage(void) file if not specified by this option\n\ -CApath arg - PEM format directory of CA's\n\ @@ -69,9 +69,9 @@ diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; printf("usage: s_time \n\n"); -diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c ---- openssl-1.0.2a/apps/ts.c.trusted-first 2015-04-22 16:25:31.797163068 +0200 -+++ openssl-1.0.2a/apps/ts.c 2015-04-22 16:25:31.841164108 +0200 +diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c +--- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200 ++++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200 @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv) "ts -verify [-data file_to_hash] [-digest digest_bytes] " "[-queryfile request.tsq] " @@ -81,30 +81,30 @@ diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c "-untrusted cert_file.pem\n"); cleanup: /* Clean up. */ -diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c ---- openssl-1.0.2a/apps/verify.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/verify.c 2015-04-22 16:25:31.841164108 +0200 +diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c +--- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200 ++++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200 @@ -231,7 +231,7 @@ int MAIN(int argc, char **argv) end: if (ret == 1) { BIO_printf(bio_err, - "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); + "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); - BIO_printf(bio_err, " [-attime timestamp]"); + BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " [-engine e]"); -diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod ---- openssl-1.0.2a/doc/apps/cms.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-22 16:25:31.842164132 +0200 +diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod +--- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200 @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] [B<-CApath dir>] +[B<-trusted_first>] + [B<-no_alt_chains>] [B<-md digest>] [B<-[cipher]>] - [B<-nointern>] -@@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta +@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B) should be linked to each certificate. @@ -117,18 +117,20 @@ diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/c =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod ---- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first 2015-04-22 16:25:31.798163092 +0200 -+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-22 16:25:31.842164132 +0200 -@@ -29,6 +29,7 @@ B B +diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod +--- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200 ++++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200 +@@ -29,7 +29,8 @@ B B [B<-path>] [B<-CApath dir>] [B<-CAfile file>] +-[B<-no_alt_chains>]] +[B<-trusted_first>] ++[B<-no_alt_chains>] [B<-VAfile file>] [B<-validity_period n>] [B<-status_age n>] -@@ -143,6 +144,13 @@ connection timeout to the OCSP responder +@@ -144,6 +145,13 @@ connection timeout to the OCSP responder file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. @@ -139,32 +141,32 @@ diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ +chain to verify responder certificate. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + - =item B<-verify_other file> + =item B<-no_alt_chains> - file containing additional certificates to search when attempting to locate -diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod ---- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200 -+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-22 16:25:31.843164156 +0200 + See L|verify(1)> manual page for details. +diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod +--- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200 ++++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200 @@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] + [B<-no_alt_chains>] [B<-reconnect>] [B<-pause>] - [B<-showcerts>] -@@ -123,7 +124,7 @@ also used when building the client certi +@@ -124,7 +125,7 @@ also used when building the client certi A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. --=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> -+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> +-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> ++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. -diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod ---- openssl-1.0.2a/doc/apps/smime.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-22 16:25:31.843164156 +0200 +diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod +--- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200 @@ -15,6 +15,9 @@ B B [B<-pk7out>] [B<-[cipher]>] @@ -172,10 +174,10 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps +[B<-CAfile file>] +[B<-CApath dir>] +[B<-trusted_first>] + [B<-no_alt_chains>] [B<-certfile file>] [B<-signer file>] - [B<-recip file>] -@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta +@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B) should be linked to each certificate. @@ -188,18 +190,18 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod ---- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200 -+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-22 16:25:31.843164156 +0200 +diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod +--- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200 ++++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200 @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] + [B<-no_alt_chains>] [B<-nocert>] [B<-cipher cipherlist>] - [B<-serverpref>] -@@ -174,6 +175,12 @@ and to use when attempting to build the +@@ -175,6 +176,12 @@ and to use when attempting to build the is also used in the list of acceptable client CAs passed to the client when a certificate is requested. @@ -209,12 +211,12 @@ diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/a +when building the trust chain to verify client certificates. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + - =item B<-state> + =item B<-no_alt_chains> - prints out the SSL session states. -diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod ---- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first 2015-01-15 15:43:49.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/s_time.pod 2015-04-22 16:25:31.843164156 +0200 + See the L|verify(1)> manual page for details. +diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/apps/s_time.pod +--- openssl-1.0.2c/doc/apps/s_time.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/s_time.pod 2015-06-15 17:45:13.116279853 +0200 @@ -14,6 +14,7 @@ B B [B<-key filename>] [B<-CApath directory>] @@ -236,9 +238,9 @@ diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/app =item B<-new> performs the timing test using a new session ID for each connection. -diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod ---- openssl-1.0.2a/doc/apps/ts.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-22 16:25:31.843164156 +0200 +diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts.pod +--- openssl-1.0.2c/doc/apps/ts.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/ts.pod 2015-06-15 17:45:13.116279853 +0200 @@ -46,6 +46,7 @@ B<-verify> [B<-token_in>] [B<-CApath> trusted_cert_path] @@ -260,9 +262,9 @@ diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts =item B<-untrusted> cert_file.pem Set of additional untrusted certificates in PEM format which may be -diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod ---- openssl-1.0.2a/doc/apps/verify.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-22 16:25:31.843164156 +0200 +diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/apps/verify.pod +--- openssl-1.0.2c/doc/apps/verify.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200 ++++ openssl-1.0.2c/doc/apps/verify.pod 2015-06-15 17:45:13.116279853 +0200 @@ -9,6 +9,7 @@ verify - Utility to verify certificates. B B [B<-CApath directory>] @@ -271,7 +273,7 @@ diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/app [B<-purpose purpose>] [B<-policy arg>] [B<-ignore_critical>] -@@ -78,6 +79,12 @@ If a valid CRL cannot be found an error +@@ -79,6 +80,12 @@ If a valid CRL cannot be found an error A file of untrusted certificates. The file should contain multiple certificates in PEM format concatenated together. diff --git a/openssl-1.0.2a-manfix.patch b/openssl-1.0.2d-manfix.patch similarity index 87% rename from openssl-1.0.2a-manfix.patch rename to openssl-1.0.2d-manfix.patch index 91071b0..b509a2b 100644 --- a/openssl-1.0.2a-manfix.patch +++ b/openssl-1.0.2d-manfix.patch @@ -79,15 +79,3 @@ diff -up openssl-1.0.2a/doc/apps/s_server.pod.manfix openssl-1.0.2a/doc/apps/s_s these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all -diff -up openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod ---- openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod 2015-04-22 20:12:43.082395251 +0200 -@@ -2,7 +2,7 @@ - - =head1 NAME - --SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file -+SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - load serverinfo extensions - - =head1 SYNOPSIS - diff --git a/openssl-1.0.2d-secp256k1.patch b/openssl-1.0.2d-secp256k1.patch new file mode 100644 index 0000000..4c94133 --- /dev/null +++ b/openssl-1.0.2d-secp256k1.patch @@ -0,0 +1,82 @@ +diff -up openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 openssl-1.0.2d/crypto/ec/ec_curve.c +--- openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 2015-08-12 14:55:15.203415420 -0400 ++++ openssl-1.0.2d/crypto/ec/ec_curve.c 2015-08-12 15:07:12.659113262 -0400 +@@ -86,6 +86,42 @@ typedef struct { + unsigned int cofactor; /* promoted to BN_ULONG */ + } EC_CURVE_DATA; + ++static const struct { ++ EC_CURVE_DATA h; ++ unsigned char data[0 + 32 * 6]; ++} _EC_SECG_PRIME_256K1 = { ++ { ++ NID_X9_62_prime_field, 0, 32, 1 ++ }, ++ { ++ /* no seed */ ++ /* p */ ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, ++ /* a */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ /* b */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, ++ /* x */ ++ 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, ++ 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, ++ 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98, ++ /* y */ ++ 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc, ++ 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, ++ 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8, ++ /* order */ ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, ++ 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 ++ } ++}; ++ + /* the nist prime curves */ + static const struct { + EC_CURVE_DATA h; +@@ -235,6 +271,8 @@ typedef struct _ec_list_element_st { + static const ec_list_element curve_list[] = { + /* prime field curves */ + /* secg curves */ ++ {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, ++ "SECG curve over a 256 bit prime field"}, + /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ + {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, + "NIST/SECG curve over a 384 bit prime field"}, +diff -up openssl-1.0.2d/ssl/t1_lib.c.secp256k1 openssl-1.0.2d/ssl/t1_lib.c +--- openssl-1.0.2d/ssl/t1_lib.c.secp256k1 2015-08-12 15:04:42.876925441 -0400 ++++ openssl-1.0.2d/ssl/t1_lib.c 2015-08-12 15:04:47.837699822 -0400 +@@ -269,6 +269,7 @@ static const unsigned char eccurves_auto + /* Other >= 256-bit prime curves. */ + 0, 25, /* secp521r1 (25) */ + 0, 24, /* secp384r1 (24) */ ++ 0, 22, /* secp256k1 (22) */ + # ifndef OPENSSL_NO_EC2M + /* >= 256-bit binary curves. */ + 0, 14, /* sect571r1 (14) */ +@@ -286,6 +287,7 @@ static const unsigned char eccurves_all[ + /* Other >= 256-bit prime curves. */ + 0, 25, /* secp521r1 (25) */ + 0, 24, /* secp384r1 (24) */ ++ 0, 22, /* secp256k1 (22) */ + # ifndef OPENSSL_NO_EC2M + /* >= 256-bit binary curves. */ + 0, 14, /* sect571r1 (14) */ +@@ -333,6 +335,7 @@ static const unsigned char fips_curves_d + 0, 9, /* sect283k1 (9) */ + 0, 10, /* sect283r1 (10) */ + # endif ++ 0, 22, /* secp256k1 (22) */ + 0, 23, /* secp256r1 (23) */ + # ifndef OPENSSL_NO_EC2M + 0, 8, /* sect239k1 (8) */ diff --git a/openssl-1.0.2a-fips.patch b/openssl-1.0.2e-fips.patch similarity index 95% rename from openssl-1.0.2a-fips.patch rename to openssl-1.0.2e-fips.patch index 81bed3a..ae4e13d 100644 --- a/openssl-1.0.2a-fips.patch +++ b/openssl-1.0.2e-fips.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.2a/apps/speed.c.fips openssl-1.0.2a/apps/speed.c ---- openssl-1.0.2a/apps/speed.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/apps/speed.c 2015-04-22 16:08:40.284245465 +0200 +diff -up openssl-1.0.2e/apps/speed.c.fips openssl-1.0.2e/apps/speed.c +--- openssl-1.0.2e/apps/speed.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/apps/speed.c 2015-12-04 13:55:51.956562389 +0100 @@ -197,7 +197,6 @@ # ifdef OPENSSL_DOING_MAKEDEPEND # undef AES_set_encrypt_key @@ -133,10 +133,10 @@ diff -up openssl-1.0.2a/apps/speed.c.fips openssl-1.0.2a/apps/speed.c HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...", 16, EVP_md5(), NULL); -diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure ---- openssl-1.0.2a/Configure.fips 2015-04-22 16:08:40.266245039 +0200 -+++ openssl-1.0.2a/Configure 2015-04-22 16:08:40.284245465 +0200 -@@ -1040,11 +1040,6 @@ if (defined($disabled{"md5"}) || defined +diff -up openssl-1.0.2e/Configure.fips openssl-1.0.2e/Configure +--- openssl-1.0.2e/Configure.fips 2015-12-04 13:55:51.939561992 +0100 ++++ openssl-1.0.2e/Configure 2015-12-04 13:55:51.956562389 +0100 +@@ -1058,11 +1058,6 @@ if (defined($disabled{"md5"}) || defined $disabled{"ssl2"} = "forced"; } @@ -148,7 +148,7 @@ diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure # RSAX ENGINE sets default non-FIPS RSA method. if ($fips) { -@@ -1532,7 +1527,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b +@@ -1551,7 +1546,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b if ($fips) { $openssl_other_defines.="#define OPENSSL_FIPS\n"; @@ -156,7 +156,7 @@ diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure } $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); -@@ -1724,9 +1718,12 @@ while () +@@ -1754,9 +1748,12 @@ while () s/^FIPSDIR=.*/FIPSDIR=$fipsdir/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; @@ -170,9 +170,9 @@ diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.2a/crypto/aes/aes_misc.c.fips openssl-1.0.2a/crypto/aes/aes_misc.c ---- openssl-1.0.2a/crypto/aes/aes_misc.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/aes/aes_misc.c 2015-04-22 16:08:40.284245465 +0200 +diff -up openssl-1.0.2e/crypto/aes/aes_misc.c.fips openssl-1.0.2e/crypto/aes/aes_misc.c +--- openssl-1.0.2e/crypto/aes/aes_misc.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/aes/aes_misc.c 2015-12-04 13:55:51.956562389 +0100 @@ -70,17 +70,11 @@ const char *AES_options(void) int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) @@ -191,9 +191,9 @@ diff -up openssl-1.0.2a/crypto/aes/aes_misc.c.fips openssl-1.0.2a/crypto/aes/aes -#endif return private_AES_set_decrypt_key(userKey, bits, key); } -diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac.c ---- openssl-1.0.2a/crypto/cmac/cmac.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/cmac/cmac.c 2015-04-22 16:08:40.284245465 +0200 +diff -up openssl-1.0.2e/crypto/cmac/cmac.c.fips openssl-1.0.2e/crypto/cmac/cmac.c +--- openssl-1.0.2e/crypto/cmac/cmac.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/cmac/cmac.c 2015-12-04 13:55:51.957562412 +0100 @@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) @@ -207,7 +207,7 @@ diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac. EVP_CIPHER_CTX_cleanup(&ctx->cctx); OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); -@@ -158,12 +152,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void +@@ -160,12 +154,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS); return 0; } @@ -220,7 +220,7 @@ diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac. } #endif /* All zeros means restart */ -@@ -209,10 +197,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi +@@ -211,10 +199,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi { const unsigned char *data = in; size_t bl; @@ -231,7 +231,7 @@ diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; if (dlen == 0) -@@ -252,10 +236,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi +@@ -254,10 +238,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) { int i, bl, lb; @@ -242,9 +242,9 @@ diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); -diff -up openssl-1.0.2a/crypto/crypto.h.fips openssl-1.0.2a/crypto/crypto.h ---- openssl-1.0.2a/crypto/crypto.h.fips 2015-04-22 16:08:40.161242552 +0200 -+++ openssl-1.0.2a/crypto/crypto.h 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2e/crypto/crypto.h.fips openssl-1.0.2e/crypto/crypto.h +--- openssl-1.0.2e/crypto/crypto.h.fips 2015-12-04 13:55:51.843559753 +0100 ++++ openssl-1.0.2e/crypto/crypto.h 2015-12-04 13:55:51.957562412 +0100 @@ -600,24 +600,29 @@ int FIPS_mode_set(int r); void OPENSSL_init(void); @@ -290,9 +290,9 @@ diff -up openssl-1.0.2a/crypto/crypto.h.fips openssl-1.0.2a/crypto/crypto.h /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.2a/crypto/des/des.h.fips openssl-1.0.2a/crypto/des/des.h ---- openssl-1.0.2a/crypto/des/des.h.fips 2015-04-22 16:08:40.191243263 +0200 -+++ openssl-1.0.2a/crypto/des/des.h 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2e/crypto/des/des.h.fips openssl-1.0.2e/crypto/des/des.h +--- openssl-1.0.2e/crypto/des/des.h.fips 2015-12-04 13:55:51.871560406 +0100 ++++ openssl-1.0.2e/crypto/des/des.h 2015-12-04 13:55:51.957562412 +0100 @@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, D int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule); @@ -304,9 +304,9 @@ diff -up openssl-1.0.2a/crypto/des/des.h.fips openssl-1.0.2a/crypto/des/des.h void DES_string_to_key(const char *str, DES_cblock *key); void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, -diff -up openssl-1.0.2a/crypto/des/set_key.c.fips openssl-1.0.2a/crypto/des/set_key.c ---- openssl-1.0.2a/crypto/des/set_key.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/des/set_key.c 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2e/crypto/des/set_key.c.fips openssl-1.0.2e/crypto/des/set_key.c +--- openssl-1.0.2e/crypto/des/set_key.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/des/set_key.c 2015-12-04 13:55:51.957562412 +0100 @@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock } @@ -323,9 +323,9 @@ diff -up openssl-1.0.2a/crypto/des/set_key.c.fips openssl-1.0.2a/crypto/des/set_ { static const int shifts2[16] = { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 }; -diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips openssl-1.0.2a/crypto/dh/dh_gen.c ---- openssl-1.0.2a/crypto/dh/dh_gen.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dh/dh_gen.c 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2e/crypto/dh/dh_gen.c.fips openssl-1.0.2e/crypto/dh/dh_gen.c +--- openssl-1.0.2e/crypto/dh/dh_gen.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dh/dh_gen.c 2015-12-04 13:55:51.957562412 +0100 @@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, i #endif if (ret->meth->generate_params) @@ -356,9 +356,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips openssl-1.0.2a/crypto/dh/dh_gen. ctx = BN_CTX_new(); if (ctx == NULL) goto err; -diff -up openssl-1.0.2a/crypto/dh/dh.h.fips openssl-1.0.2a/crypto/dh/dh.h ---- openssl-1.0.2a/crypto/dh/dh.h.fips 2015-04-22 16:08:40.134241913 +0200 -+++ openssl-1.0.2a/crypto/dh/dh.h 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2e/crypto/dh/dh.h.fips openssl-1.0.2e/crypto/dh/dh.h +--- openssl-1.0.2e/crypto/dh/dh.h.fips 2015-12-04 13:55:51.816559124 +0100 ++++ openssl-1.0.2e/crypto/dh/dh.h 2015-12-04 13:55:51.957562412 +0100 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 # endif @@ -368,9 +368,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh.h.fips openssl-1.0.2a/crypto/dh/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 /* -diff -up openssl-1.0.2a/crypto/dh/dh_key.c.fips openssl-1.0.2a/crypto/dh/dh_key.c ---- openssl-1.0.2a/crypto/dh/dh_key.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dh/dh_key.c 2015-04-22 16:08:40.285245489 +0200 +diff -up openssl-1.0.2e/crypto/dh/dh_key.c.fips openssl-1.0.2e/crypto/dh/dh_key.c +--- openssl-1.0.2e/crypto/dh/dh_key.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dh/dh_key.c 2015-12-04 13:55:51.958562435 +0100 @@ -61,6 +61,9 @@ #include #include @@ -438,9 +438,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh_key.c.fips openssl-1.0.2a/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return (1); } -diff -up openssl-1.0.2a/crypto/dh/dh_lib.c.fips openssl-1.0.2a/crypto/dh/dh_lib.c ---- openssl-1.0.2a/crypto/dh/dh_lib.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dh/dh_lib.c 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2e/crypto/dh/dh_lib.c.fips openssl-1.0.2e/crypto/dh/dh_lib.c +--- openssl-1.0.2e/crypto/dh/dh_lib.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dh/dh_lib.c 2015-12-04 13:55:51.958562435 +0100 @@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METH const DH_METHOD *DH_get_default_method(void) { @@ -456,9 +456,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh_lib.c.fips openssl-1.0.2a/crypto/dh/dh_lib. } return default_DH_method; } -diff -up openssl-1.0.2a/crypto/dsa/dsa_err.c.fips openssl-1.0.2a/crypto/dsa/dsa_err.c ---- openssl-1.0.2a/crypto/dsa/dsa_err.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_err.c 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsa_err.c.fips openssl-1.0.2e/crypto/dsa/dsa_err.c +--- openssl-1.0.2e/crypto/dsa/dsa_err.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsa_err.c 2015-12-04 13:55:51.958562435 +0100 @@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[] {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"}, {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, @@ -477,9 +477,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_err.c.fips openssl-1.0.2a/crypto/dsa/dsa_ {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"}, -diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_gen.c ---- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_gen.c 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsa_gen.c.fips openssl-1.0.2e/crypto/dsa/dsa_gen.c +--- openssl-1.0.2e/crypto/dsa/dsa_gen.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsa_gen.c 2015-12-04 13:57:39.122061481 +0100 @@ -91,6 +91,16 @@ # include # endif @@ -497,7 +497,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ int DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, -@@ -106,13 +116,6 @@ int DSA_generate_parameters_ex(DSA *ret, +@@ -106,97 +116,165 @@ int DSA_generate_parameters_ex(DSA *ret, if (ret->meth->dsa_paramgen) return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, counter_ret, h_ret, cb); @@ -509,10 +509,8 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ - } -# endif else { - const EVP_MD *evpmd; - size_t qbits = bits >= 2048 ? 256 : 160; -@@ -126,80 +129,156 @@ int DSA_generate_parameters_ex(DSA *ret, - } + const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1(); + size_t qbits = EVP_MD_size(evpmd) * 8; return dsa_builtin_paramgen(ret, bits, qbits, evpmd, - seed_in, seed_len, NULL, counter_ret, @@ -640,10 +638,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ - if (evpmd == NULL) - /* use SHA1 as default */ -- evpmd = EVP_sha1(); + if (evpmd == NULL) { + if (qbits <= 160) -+ evpmd = EVP_sha1(); + evpmd = EVP_sha1(); + else if (qbits <= 224) + evpmd = EVP_sha224(); + else @@ -668,13 +665,14 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ - if (seed_in != NULL) - memcpy(seed, seed_in, seed_len); - -- if ((ctx = BN_CTX_new()) == NULL) -- goto err; -- - if ((mont = BN_MONT_CTX_new()) == NULL) - goto err; - +- if ((ctx = BN_CTX_new()) == NULL) +- goto err; +- - BN_CTX_start(ctx); +- r0 = BN_CTX_get(ctx); - g = BN_CTX_get(ctx); W = BN_CTX_get(ctx); @@ -693,7 +691,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ + n = (bits + qbits - 1) / qbits - 1; + /* step 4 b = bits - 1 - n * qbits */ + b = bits - 1 - n * qbits; -+ ++ for (;;) { for (;;) { /* find q */ int seed_is_random; @@ -703,7 +701,12 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ if (!BN_GENCB_call(cb, 0, m++)) goto err; -@@ -212,29 +291,18 @@ int dsa_builtin_paramgen(DSA *ret, size_ +- if (!seed_len || !seed_in) { ++ if (!seed_len) { + if (RAND_pseudo_bytes(seed, qsize) < 0) + goto err; + seed_is_random = 1; +@@ -206,29 +284,18 @@ int dsa_builtin_paramgen(DSA *ret, size_ * be bad */ } memcpy(buf, seed, qsize); @@ -736,7 +739,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, seed_is_random, cb); if (r > 0) -@@ -242,8 +310,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -236,8 +303,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (r != 0) goto err; @@ -745,7 +748,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ } if (!BN_GENCB_call(cb, 2, 0)) -@@ -251,19 +317,16 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -245,19 +310,16 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!BN_GENCB_call(cb, 3, 0)) goto err; @@ -768,7 +771,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ for (k = 0; k <= n; k++) { /* * obtain "SEED + offset + k" by incrementing: -@@ -277,36 +340,37 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -271,36 +333,37 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) goto err; @@ -814,7 +817,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb); if (r > 0) goto end; /* found it */ -@@ -314,12 +378,12 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -308,12 +371,12 @@ int dsa_builtin_paramgen(DSA *ret, size_ goto err; } @@ -830,7 +833,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ break; } } -@@ -327,7 +391,33 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -321,7 +384,33 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!BN_GENCB_call(cb, 2, 1)) goto err; @@ -865,7 +868,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ /* Set r0=(p-1)/q */ if (!BN_sub(test, p, BN_value_one())) goto err; -@@ -356,46 +446,14 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -350,46 +439,14 @@ int dsa_builtin_paramgen(DSA *ret, size_ ok = 1; err: if (ok) { @@ -912,7 +915,7 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ /* * This is a parameter generation algorithm for the DSA2 algorithm as * described in FIPS 186-3. -@@ -421,14 +479,6 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -415,14 +472,6 @@ int dsa_builtin_paramgen2(DSA *ret, size EVP_MD_CTX mctx; unsigned int h = 2; @@ -927,9 +930,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_ EVP_MD_CTX_init(&mctx); if (evpmd == NULL) { -diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips openssl-1.0.2a/crypto/dsa/dsa.h ---- openssl-1.0.2a/crypto/dsa/dsa.h.fips 2015-04-22 16:08:40.056240066 +0200 -+++ openssl-1.0.2a/crypto/dsa/dsa.h 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsa.h.fips openssl-1.0.2e/crypto/dsa/dsa.h +--- openssl-1.0.2e/crypto/dsa/dsa.h.fips 2015-12-04 13:55:51.740557351 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsa.h 2015-12-04 13:55:51.958562435 +0100 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 # endif @@ -997,9 +1000,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips openssl-1.0.2a/crypto/dsa/dsa.h # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 -diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips openssl-1.0.2a/crypto/dsa/dsa_key.c ---- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-22 16:08:40.286245512 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsa_key.c.fips openssl-1.0.2e/crypto/dsa/dsa_key.c +--- openssl-1.0.2e/crypto/dsa/dsa_key.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsa_key.c 2015-12-04 13:55:51.958562435 +0100 @@ -66,6 +66,34 @@ # ifdef OPENSSL_FIPS @@ -1075,9 +1078,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips openssl-1.0.2a/crypto/dsa/dsa_ ok = 1; err: -diff -up openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips openssl-1.0.2a/crypto/dsa/dsa_lib.c ---- openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_lib.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsa_lib.c.fips openssl-1.0.2e/crypto/dsa/dsa_lib.c +--- openssl-1.0.2e/crypto/dsa/dsa_lib.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsa_lib.c 2015-12-04 13:55:51.959562458 +0100 @@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_ME const DSA_METHOD *DSA_get_default_method(void) { @@ -1093,9 +1096,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips openssl-1.0.2a/crypto/dsa/dsa_ } return default_DSA_method; } -diff -up openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips openssl-1.0.2a/crypto/dsa/dsa_locl.h ---- openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips 2015-04-22 16:08:40.058240114 +0200 -+++ openssl-1.0.2a/crypto/dsa/dsa_locl.h 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsa_locl.h.fips openssl-1.0.2e/crypto/dsa/dsa_locl.h +--- openssl-1.0.2e/crypto/dsa/dsa_locl.h.fips 2015-12-04 13:55:51.742557398 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsa_locl.h 2015-12-04 13:55:51.959562458 +0100 @@ -56,7 +56,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, @@ -1105,9 +1108,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips openssl-1.0.2a/crypto/dsa/dsa int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); -diff -up openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2a/crypto/dsa/dsa_ossl.c ---- openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_ossl.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2e/crypto/dsa/dsa_ossl.c +--- openssl-1.0.2e/crypto/dsa/dsa_ossl.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsa_ossl.c 2015-12-04 13:55:51.959562458 +0100 @@ -65,6 +65,9 @@ #include #include @@ -1176,9 +1179,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2a/crypto/dsa/dsa dsa->flags |= DSA_FLAG_CACHE_MONT_P; return (1); } -diff -up openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2a/crypto/dsa/dsa_pmeth.c ---- openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsa_pmeth.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2e/crypto/dsa/dsa_pmeth.c +--- openssl-1.0.2e/crypto/dsa/dsa_pmeth.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsa_pmeth.c 2015-12-04 13:55:51.959562458 +0100 @@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT if (!dsa) return 0; @@ -1188,9 +1191,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2a/crypto/dsa/ds if (ret) EVP_PKEY_assign_DSA(pkey, dsa); else -diff -up openssl-1.0.2a/crypto/dsa/dsatest.c.fips openssl-1.0.2a/crypto/dsa/dsatest.c ---- openssl-1.0.2a/crypto/dsa/dsatest.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/dsa/dsatest.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2e/crypto/dsa/dsatest.c.fips openssl-1.0.2e/crypto/dsa/dsatest.c +--- openssl-1.0.2e/crypto/dsa/dsatest.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/dsa/dsatest.c 2015-12-04 13:55:51.959562458 +0100 @@ -100,36 +100,41 @@ static int MS_CALLBACK dsa_cb(int p, int * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ @@ -1274,9 +1277,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsatest.c.fips openssl-1.0.2a/crypto/dsa/dsat goto end; } if (h != 2) { -diff -up openssl-1.0.2a/crypto/engine/eng_all.c.fips openssl-1.0.2a/crypto/engine/eng_all.c ---- openssl-1.0.2a/crypto/engine/eng_all.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2e/crypto/engine/eng_all.c.fips openssl-1.0.2e/crypto/engine/eng_all.c +--- openssl-1.0.2e/crypto/engine/eng_all.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/engine/eng_all.c 2015-12-04 13:55:51.959562458 +0100 @@ -59,11 +59,25 @@ #include "cryptlib.h" @@ -1303,9 +1306,9 @@ diff -up openssl-1.0.2a/crypto/engine/eng_all.c.fips openssl-1.0.2a/crypto/engin #if 0 /* * There's no longer any need for an "openssl" ENGINE unless, one day, it -diff -up openssl-1.0.2a/crypto/evp/c_allc.c.fips openssl-1.0.2a/crypto/evp/c_allc.c ---- openssl-1.0.2a/crypto/evp/c_allc.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 16:08:40.287245536 +0200 +diff -up openssl-1.0.2e/crypto/evp/c_allc.c.fips openssl-1.0.2e/crypto/evp/c_allc.c +--- openssl-1.0.2e/crypto/evp/c_allc.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/c_allc.c 2015-12-04 13:55:51.959562458 +0100 @@ -65,6 +65,10 @@ void OpenSSL_add_all_ciphers(void) { @@ -1382,9 +1385,9 @@ diff -up openssl-1.0.2a/crypto/evp/c_allc.c.fips openssl-1.0.2a/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.2a/crypto/evp/c_alld.c.fips openssl-1.0.2a/crypto/evp/c_alld.c ---- openssl-1.0.2a/crypto/evp/c_alld.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/c_alld.c 2015-04-22 16:08:40.288245560 +0200 +diff -up openssl-1.0.2e/crypto/evp/c_alld.c.fips openssl-1.0.2e/crypto/evp/c_alld.c +--- openssl-1.0.2e/crypto/evp/c_alld.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/c_alld.c 2015-12-04 13:55:51.960562482 +0100 @@ -64,51 +64,81 @@ void OpenSSL_add_all_digests(void) @@ -1490,9 +1493,9 @@ diff -up openssl-1.0.2a/crypto/evp/c_alld.c.fips openssl-1.0.2a/crypto/evp/c_all + } #endif } -diff -up openssl-1.0.2a/crypto/evp/digest.c.fips openssl-1.0.2a/crypto/evp/digest.c ---- openssl-1.0.2a/crypto/evp/digest.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/digest.c 2015-04-22 16:08:40.288245560 +0200 +diff -up openssl-1.0.2e/crypto/evp/digest.c.fips openssl-1.0.2e/crypto/evp/digest.c +--- openssl-1.0.2e/crypto/evp/digest.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/digest.c 2015-12-04 13:55:51.960562482 +0100 @@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } @@ -1651,10 +1654,10 @@ diff -up openssl-1.0.2a/crypto/evp/digest.c.fips openssl-1.0.2a/crypto/evp/diges memset(ctx, '\0', sizeof *ctx); return 1; -diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes.c ---- openssl-1.0.2a/crypto/evp/e_aes.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 16:08:40.288245560 +0200 -@@ -59,9 +59,6 @@ +diff -up openssl-1.0.2e/crypto/evp/e_aes.c.fips openssl-1.0.2e/crypto/evp/e_aes.c +--- openssl-1.0.2e/crypto/evp/e_aes.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/e_aes.c 2015-12-04 13:55:51.960562482 +0100 +@@ -60,9 +60,6 @@ # include "modes_lcl.h" # include @@ -1664,7 +1667,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes. typedef struct { union { double align; -@@ -1158,6 +1155,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * +@@ -1159,6 +1156,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * case EVP_CTRL_GCM_SET_IVLEN: if (arg <= 0) return 0; @@ -1676,7 +1679,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes. /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != c->iv) -@@ -1726,6 +1728,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -1727,6 +1729,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; @@ -1691,9 +1694,9 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes. if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, ctx->iv); -diff -up openssl-1.0.2a/crypto/evp/e_des3.c.fips openssl-1.0.2a/crypto/evp/e_des3.c ---- openssl-1.0.2a/crypto/evp/e_des3.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 16:08:40.288245560 +0200 +diff -up openssl-1.0.2e/crypto/evp/e_des3.c.fips openssl-1.0.2e/crypto/evp/e_des3.c +--- openssl-1.0.2e/crypto/evp/e_des3.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/e_des3.c 2015-12-04 13:55:51.960562482 +0100 @@ -65,10 +65,6 @@ # include # include @@ -1705,9 +1708,9 @@ diff -up openssl-1.0.2a/crypto/evp/e_des3.c.fips openssl-1.0.2a/crypto/evp/e_des typedef struct { union { double align; -diff -up openssl-1.0.2a/crypto/evp/e_null.c.fips openssl-1.0.2a/crypto/evp/e_null.c ---- openssl-1.0.2a/crypto/evp/e_null.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/e_null.c 2015-04-22 16:08:40.288245560 +0200 +diff -up openssl-1.0.2e/crypto/evp/e_null.c.fips openssl-1.0.2e/crypto/evp/e_null.c +--- openssl-1.0.2e/crypto/evp/e_null.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/e_null.c 2015-12-04 13:55:51.960562482 +0100 @@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *c static const EVP_CIPHER n_cipher = { NID_undef, @@ -1717,9 +1720,9 @@ diff -up openssl-1.0.2a/crypto/evp/e_null.c.fips openssl-1.0.2a/crypto/evp/e_nul null_init_key, null_cipher, NULL, -diff -up openssl-1.0.2a/crypto/evp/evp_enc.c.fips openssl-1.0.2a/crypto/evp/evp_enc.c ---- openssl-1.0.2a/crypto/evp/evp_enc.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/evp_enc.c 2015-04-22 16:08:40.289245583 +0200 +diff -up openssl-1.0.2e/crypto/evp/evp_enc.c.fips openssl-1.0.2e/crypto/evp/evp_enc.c +--- openssl-1.0.2e/crypto/evp/evp_enc.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/evp_enc.c 2015-12-04 13:55:51.961562505 +0100 @@ -69,16 +69,73 @@ #endif #include "evp_locl.h" @@ -1887,10 +1890,10 @@ diff -up openssl-1.0.2a/crypto/evp/evp_enc.c.fips openssl-1.0.2a/crypto/evp/evp_ memset(c, 0, sizeof(EVP_CIPHER_CTX)); return 1; } -diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h ---- openssl-1.0.2a/crypto/evp/evp.h.fips 2015-04-22 16:08:40.174242860 +0200 -+++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 16:08:40.289245583 +0200 -@@ -123,6 +123,10 @@ +diff -up openssl-1.0.2e/crypto/evp/evp.h.fips openssl-1.0.2e/crypto/evp/evp.h +--- openssl-1.0.2e/crypto/evp/evp.h.fips 2015-12-04 13:55:51.855560033 +0100 ++++ openssl-1.0.2e/crypto/evp/evp.h 2015-12-04 13:55:51.961562505 +0100 +@@ -122,6 +122,10 @@ extern "C" { #endif @@ -1901,7 +1904,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h /* * Type needs to be a bit field Sub-type needs to be for variations on the * method, as in, can it do arbitrary encryption.... -@@ -286,11 +290,6 @@ struct env_md_ctx_st { +@@ -285,11 +289,6 @@ struct env_md_ctx_st { * cleaned */ # define EVP_MD_CTX_FLAG_REUSE 0x0004/* Don't free up ctx->md_data * in EVP_MD_CTX_cleanup */ @@ -1913,7 +1916,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h # define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008/* Allow use of non FIPS * digest in FIPS mode */ -@@ -303,6 +302,10 @@ struct env_md_ctx_st { +@@ -302,6 +301,10 @@ struct env_md_ctx_st { # define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00/* PKCS#1 v1.5 mode */ # define EVP_MD_CTX_FLAG_PAD_X931 0x10/* X9.31 mode */ # define EVP_MD_CTX_FLAG_PAD_PSS 0x20/* PSS mode */ @@ -1924,7 +1927,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h # define EVP_MD_CTX_FLAG_NO_INIT 0x0100/* Don't initialize md_data */ -@@ -364,15 +367,15 @@ struct evp_cipher_st { +@@ -363,15 +366,15 @@ struct evp_cipher_st { /* cipher handles random key generation */ # define EVP_CIPH_RAND_KEY 0x200 /* cipher has its own additional copying logic */ @@ -1943,9 +1946,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h /* * Cipher handles any and all padding logic as well as finalisation. */ -diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_lib.c ---- openssl-1.0.2a/crypto/evp/evp_lib.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/evp_lib.c 2015-04-22 16:10:58.297513170 +0200 +diff -up openssl-1.0.2e/crypto/evp/evp_lib.c.fips openssl-1.0.2e/crypto/evp/evp_lib.c +--- openssl-1.0.2e/crypto/evp/evp_lib.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/evp_lib.c 2015-12-04 13:55:51.961562505 +0100 @@ -60,10 +60,6 @@ #include "cryptlib.h" #include @@ -1957,7 +1960,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) { -@@ -200,6 +196,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ +@@ -224,6 +220,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { @@ -1967,7 +1970,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_ return ctx->cipher->do_cipher(ctx, out, in, inl); } -@@ -210,22 +209,12 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher( +@@ -234,22 +233,12 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher( unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher) { @@ -1990,7 +1993,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_ } void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) -@@ -292,40 +281,8 @@ int EVP_MD_size(const EVP_MD *md) +@@ -316,40 +305,8 @@ int EVP_MD_size(const EVP_MD *md) return md->md_size; } @@ -2031,9 +2034,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_ return md->flags; } -diff -up openssl-1.0.2a/crypto/evp/evp_locl.h.fips openssl-1.0.2a/crypto/evp/evp_locl.h ---- openssl-1.0.2a/crypto/evp/evp_locl.h.fips 2015-04-22 16:08:40.170242766 +0200 -+++ openssl-1.0.2a/crypto/evp/evp_locl.h 2015-04-22 16:08:40.289245583 +0200 +diff -up openssl-1.0.2e/crypto/evp/evp_locl.h.fips openssl-1.0.2e/crypto/evp/evp_locl.h +--- openssl-1.0.2e/crypto/evp/evp_locl.h.fips 2015-12-04 13:55:51.851559940 +0100 ++++ openssl-1.0.2e/crypto/evp/evp_locl.h 2015-12-04 13:55:51.961562505 +0100 @@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ @@ -2067,9 +2070,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp_locl.h.fips openssl-1.0.2a/crypto/evp/evp # define Camellia_set_key private_Camellia_set_key #endif -diff -up openssl-1.0.2a/crypto/evp/m_dss.c.fips openssl-1.0.2a/crypto/evp/m_dss.c ---- openssl-1.0.2a/crypto/evp/m_dss.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/m_dss.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2e/crypto/evp/m_dss.c.fips openssl-1.0.2e/crypto/evp/m_dss.c +--- openssl-1.0.2e/crypto/evp/m_dss.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/m_dss.c 2015-12-04 13:55:51.961562505 +0100 @@ -86,7 +86,7 @@ static const EVP_MD dsa_md = { NID_dsaWithSHA, NID_dsaWithSHA, @@ -2079,9 +2082,9 @@ diff -up openssl-1.0.2a/crypto/evp/m_dss.c.fips openssl-1.0.2a/crypto/evp/m_dss. init, update, final, -diff -up openssl-1.0.2a/crypto/evp/m_dss1.c.fips openssl-1.0.2a/crypto/evp/m_dss1.c ---- openssl-1.0.2a/crypto/evp/m_dss1.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/m_dss1.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2e/crypto/evp/m_dss1.c.fips openssl-1.0.2e/crypto/evp/m_dss1.c +--- openssl-1.0.2e/crypto/evp/m_dss1.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/m_dss1.c 2015-12-04 13:55:51.961562505 +0100 @@ -87,7 +87,7 @@ static const EVP_MD dss1_md = { NID_dsa, NID_dsaWithSHA1, @@ -2091,9 +2094,9 @@ diff -up openssl-1.0.2a/crypto/evp/m_dss1.c.fips openssl-1.0.2a/crypto/evp/m_dss init, update, final, -diff -up openssl-1.0.2a/crypto/evp/m_md2.c.fips openssl-1.0.2a/crypto/evp/m_md2.c ---- openssl-1.0.2a/crypto/evp/m_md2.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/m_md2.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2e/crypto/evp/m_md2.c.fips openssl-1.0.2e/crypto/evp/m_md2.c +--- openssl-1.0.2e/crypto/evp/m_md2.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/m_md2.c 2015-12-04 13:55:51.962562529 +0100 @@ -68,6 +68,7 @@ # ifndef OPENSSL_NO_RSA # include @@ -2102,9 +2105,9 @@ diff -up openssl-1.0.2a/crypto/evp/m_md2.c.fips openssl-1.0.2a/crypto/evp/m_md2. static int init(EVP_MD_CTX *ctx) { -diff -up openssl-1.0.2a/crypto/evp/m_sha1.c.fips openssl-1.0.2a/crypto/evp/m_sha1.c ---- openssl-1.0.2a/crypto/evp/m_sha1.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/m_sha1.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2e/crypto/evp/m_sha1.c.fips openssl-1.0.2e/crypto/evp/m_sha1.c +--- openssl-1.0.2e/crypto/evp/m_sha1.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/m_sha1.c 2015-12-04 13:55:51.962562529 +0100 @@ -87,7 +87,8 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -2155,9 +2158,9 @@ diff -up openssl-1.0.2a/crypto/evp/m_sha1.c.fips openssl-1.0.2a/crypto/evp/m_sha init512, update512, final512, -diff -up openssl-1.0.2a/crypto/evp/p_sign.c.fips openssl-1.0.2a/crypto/evp/p_sign.c ---- openssl-1.0.2a/crypto/evp/p_sign.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/p_sign.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2e/crypto/evp/p_sign.c.fips openssl-1.0.2e/crypto/evp/p_sign.c +--- openssl-1.0.2e/crypto/evp/p_sign.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/p_sign.c 2015-12-04 13:55:51.962562529 +0100 @@ -61,6 +61,7 @@ #include #include @@ -2189,9 +2192,9 @@ diff -up openssl-1.0.2a/crypto/evp/p_sign.c.fips openssl-1.0.2a/crypto/evp/p_sig if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.2a/crypto/evp/p_verify.c.fips openssl-1.0.2a/crypto/evp/p_verify.c ---- openssl-1.0.2a/crypto/evp/p_verify.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/evp/p_verify.c 2015-04-22 16:08:40.290245607 +0200 +diff -up openssl-1.0.2e/crypto/evp/p_verify.c.fips openssl-1.0.2e/crypto/evp/p_verify.c +--- openssl-1.0.2e/crypto/evp/p_verify.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/p_verify.c 2015-12-04 13:55:51.962562529 +0100 @@ -61,6 +61,7 @@ #include #include @@ -2223,9 +2226,9 @@ diff -up openssl-1.0.2a/crypto/evp/p_verify.c.fips openssl-1.0.2a/crypto/evp/p_v i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_aes_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_aes_selftest.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_aes_selftest.c.fips 2015-12-04 13:55:51.962562529 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_aes_selftest.c 2015-12-04 13:55:51.962562529 +0100 @@ -0,0 +1,365 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2592,9 +2595,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2a/cryp +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips.c.fips openssl-1.0.2a/crypto/fips/fips.c ---- openssl-1.0.2a/crypto/fips/fips.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips.c.fips openssl-1.0.2e/crypto/fips/fips.c +--- openssl-1.0.2e/crypto/fips/fips.c.fips 2015-12-04 13:55:51.962562529 +0100 ++++ openssl-1.0.2e/crypto/fips/fips.c 2015-12-04 13:55:51.962562529 +0100 @@ -0,0 +1,483 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -3079,9 +3082,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips.c.fips openssl-1.0.2a/crypto/fips/fips. +# endif + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_cmac_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_cmac_selftest.c.fips 2015-12-04 13:55:51.963562552 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_cmac_selftest.c 2015-12-04 13:55:51.963562552 +0100 @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -3239,9 +3242,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2a/cry + return rv; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_des_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_des_selftest.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_des_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_des_selftest.c.fips 2015-12-04 13:55:51.963562552 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_des_selftest.c 2015-12-04 13:55:51.963562552 +0100 @@ -0,0 +1,138 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -3381,9 +3384,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2a/cryp + return ret; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips 2015-04-22 16:08:40.294245702 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c 2015-04-22 16:08:40.294245702 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2e/crypto/fips/fips_drbg_ctr.c +--- openssl-1.0.2e/crypto/fips/fips_drbg_ctr.c.fips 2015-12-04 13:55:51.963562552 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_drbg_ctr.c 2015-12-04 13:55:51.963562552 +0100 @@ -0,0 +1,415 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3800,9 +3803,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2a/crypto/f + + return 1; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_hash.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips 2015-04-22 16:08:40.295245725 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_hash.c 2015-04-22 16:08:40.295245725 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2e/crypto/fips/fips_drbg_hash.c +--- openssl-1.0.2e/crypto/fips/fips_drbg_hash.c.fips 2015-12-04 13:55:51.963562552 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_drbg_hash.c 2015-12-04 13:55:51.963562552 +0100 @@ -0,0 +1,358 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4162,9 +4165,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2a/crypto/ + + return 1; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips 2015-04-22 16:08:40.295245725 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c 2015-04-22 16:08:40.295245725 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2e/crypto/fips/fips_drbg_hmac.c +--- openssl-1.0.2e/crypto/fips/fips_drbg_hmac.c.fips 2015-12-04 13:55:51.963562552 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_drbg_hmac.c 2015-12-04 13:55:51.963562552 +0100 @@ -0,0 +1,270 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4436,9 +4439,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2a/crypto/ + + return 1; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_lib.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips 2015-04-22 16:08:40.295245725 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_lib.c 2015-04-22 16:08:40.295245725 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2e/crypto/fips/fips_drbg_lib.c +--- openssl-1.0.2e/crypto/fips/fips_drbg_lib.c.fips 2015-12-04 13:55:51.964562575 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_drbg_lib.c 2015-12-04 13:55:51.964562575 +0100 @@ -0,0 +1,553 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4993,9 +4996,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2a/crypto/f + memcpy(dctx->lb, out, dctx->blocklength); + return 1; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips 2015-04-22 16:08:40.295245725 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_rand.c 2015-04-22 16:08:40.295245725 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2e/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.2e/crypto/fips/fips_drbg_rand.c.fips 2015-12-04 13:55:51.964562575 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_drbg_rand.c 2015-12-04 13:55:51.964562575 +0100 @@ -0,0 +1,166 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5163,9 +5166,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2a/crypto/ +{ + return &rand_drbg_meth; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips 2015-04-22 16:08:40.296245749 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c 2015-04-22 16:08:40.296245749 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_drbg_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_drbg_selftest.c.fips 2015-12-04 13:55:51.964562575 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_drbg_selftest.c 2015-12-04 13:55:51.964562575 +0100 @@ -0,0 +1,827 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5994,9 +5997,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2a/cry + FIPS_drbg_free(dctx); + return rv; +} -diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h ---- openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2e/crypto/fips/fips_drbg_selftest.h +--- openssl-1.0.2e/crypto/fips/fips_drbg_selftest.h.fips 2015-12-04 13:55:51.965562598 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_drbg_selftest.h 2015-12-04 13:55:51.965562598 +0100 @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7789,9 +7792,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2a/cry + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -diff -up openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_dsa_selftest.c.fips 2015-12-04 13:55:51.965562598 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_dsa_selftest.c 2015-12-04 13:55:51.965562598 +0100 @@ -0,0 +1,192 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7985,9 +7988,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2a/cryp + return ret; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_enc.c.fips openssl-1.0.2a/crypto/fips/fips_enc.c ---- openssl-1.0.2a/crypto/fips/fips_enc.c.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_enc.c 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_enc.c.fips openssl-1.0.2e/crypto/fips/fips_enc.c +--- openssl-1.0.2e/crypto/fips/fips_enc.c.fips 2015-12-04 13:55:51.965562598 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_enc.c 2015-12-04 13:55:51.965562598 +0100 @@ -0,0 +1,189 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -8178,9 +8181,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_enc.c.fips openssl-1.0.2a/crypto/fips/f + + } +} -diff -up openssl-1.0.2a/crypto/fips/fips.h.fips openssl-1.0.2a/crypto/fips/fips.h ---- openssl-1.0.2a/crypto/fips/fips.h.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips.h.fips openssl-1.0.2e/crypto/fips/fips.h +--- openssl-1.0.2e/crypto/fips/fips.h.fips 2015-12-04 13:55:51.966562622 +0100 ++++ openssl-1.0.2e/crypto/fips/fips.h 2015-12-04 13:55:51.966562622 +0100 @@ -0,0 +1,278 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -8460,9 +8463,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips.h.fips openssl-1.0.2a/crypto/fips/fips. +} +# endif +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_hmac_selftest.c.fips 2015-12-04 13:55:51.966562622 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_hmac_selftest.c 2015-12-04 13:55:51.966562622 +0100 @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -8598,9 +8601,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2a/cry + return 1; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_locl.h.fips openssl-1.0.2a/crypto/fips/fips_locl.h ---- openssl-1.0.2a/crypto/fips/fips_locl.h.fips 2015-04-22 16:08:40.297245773 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_locl.h 2015-04-22 16:08:40.297245773 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_locl.h.fips openssl-1.0.2e/crypto/fips/fips_locl.h +--- openssl-1.0.2e/crypto/fips/fips_locl.h.fips 2015-12-04 13:55:51.966562622 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_locl.h 2015-12-04 13:55:51.966562622 +0100 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8673,9 +8676,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_locl.h.fips openssl-1.0.2a/crypto/fips/ +} +# endif +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_md.c.fips openssl-1.0.2a/crypto/fips/fips_md.c ---- openssl-1.0.2a/crypto/fips/fips_md.c.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_md.c 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_md.c.fips openssl-1.0.2e/crypto/fips/fips_md.c +--- openssl-1.0.2e/crypto/fips/fips_md.c.fips 2015-12-04 13:55:51.966562622 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_md.c 2015-12-04 13:55:51.966562622 +0100 @@ -0,0 +1,144 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -8821,9 +8824,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_md.c.fips openssl-1.0.2a/crypto/fips/fi + return NULL; + } +} -diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips openssl-1.0.2a/crypto/fips/fips_post.c ---- openssl-1.0.2a/crypto/fips/fips_post.c.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_post.c.fips openssl-1.0.2e/crypto/fips/fips_post.c +--- openssl-1.0.2e/crypto/fips/fips_post.c.fips 2015-12-04 13:55:51.966562622 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_post.c 2015-12-04 13:55:51.966562622 +0100 @@ -0,0 +1,201 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9026,9 +9029,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips openssl-1.0.2a/crypto/fips/ + return 1; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_rand.c.fips openssl-1.0.2a/crypto/fips/fips_rand.c ---- openssl-1.0.2a/crypto/fips/fips_rand.c.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand.c 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_rand.c.fips openssl-1.0.2e/crypto/fips/fips_rand.c +--- openssl-1.0.2e/crypto/fips/fips_rand.c.fips 2015-12-04 13:55:51.967562645 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_rand.c 2015-12-04 13:55:51.967562645 +0100 @@ -0,0 +1,428 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -9458,9 +9461,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand.c.fips openssl-1.0.2a/crypto/fips/ +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_rand.h.fips openssl-1.0.2a/crypto/fips/fips_rand.h ---- openssl-1.0.2a/crypto/fips/fips_rand.h.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand.h 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_rand.h.fips openssl-1.0.2e/crypto/fips/fips_rand.h +--- openssl-1.0.2e/crypto/fips/fips_rand.h.fips 2015-12-04 13:55:51.967562645 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_rand.h 2015-12-04 13:55:51.967562645 +0100 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9625,9 +9628,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand.h.fips openssl-1.0.2a/crypto/fips/ +# endif +# endif +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2a/crypto/fips/fips_rand_lcl.h ---- openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips 2015-04-22 16:08:40.298245796 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand_lcl.h 2015-04-22 16:08:40.298245796 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2e/crypto/fips/fips_rand_lcl.h +--- openssl-1.0.2e/crypto/fips/fips_rand_lcl.h.fips 2015-12-04 13:55:51.967562645 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_rand_lcl.h 2015-12-04 13:55:51.967562645 +0100 @@ -0,0 +1,213 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -9842,9 +9845,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2a/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2a/crypto/fips/fips_rand_lib.c ---- openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand_lib.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2e/crypto/fips/fips_rand_lib.c +--- openssl-1.0.2e/crypto/fips/fips_rand_lib.c.fips 2015-12-04 13:55:51.967562645 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_rand_lib.c 2015-12-04 13:55:51.967562645 +0100 @@ -0,0 +1,181 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -10027,9 +10030,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2a/crypto/f + } + return 0; +} -diff -up openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_rand_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rand_selftest.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_rand_selftest.c.fips 2015-12-04 13:55:51.967562645 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_rand_selftest.c 2015-12-04 13:55:51.967562645 +0100 @@ -0,0 +1,176 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10207,9 +10210,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2a/cry +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_randtest.c.fips openssl-1.0.2a/crypto/fips/fips_randtest.c ---- openssl-1.0.2a/crypto/fips/fips_randtest.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_randtest.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_randtest.c.fips openssl-1.0.2e/crypto/fips/fips_randtest.c +--- openssl-1.0.2e/crypto/fips/fips_randtest.c.fips 2015-12-04 13:55:51.967562645 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_randtest.c 2015-12-04 13:55:51.967562645 +0100 @@ -0,0 +1,247 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -10458,9 +10461,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_randtest.c.fips openssl-1.0.2a/crypto/f +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_rsa_selftest.c.fips 2015-12-04 13:55:51.968562668 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_rsa_selftest.c 2015-12-04 13:55:51.968562668 +0100 @@ -0,0 +1,444 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -10906,9 +10909,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2a/cryp +} + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c ---- openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips 2015-04-22 16:08:40.299245820 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c 2015-04-22 16:08:40.299245820 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2e/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.2e/crypto/fips/fips_rsa_x931g.c.fips 2015-12-04 13:55:51.968562668 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_rsa_x931g.c 2015-12-04 13:55:51.968562668 +0100 @@ -0,0 +1,273 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -11183,9 +11186,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2a/crypto/ + return 0; + +} -diff -up openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_sha_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips 2015-04-22 16:08:40.300245844 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_sha_selftest.c 2015-04-22 16:08:40.300245844 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2e/crypto/fips/fips_sha_selftest.c +--- openssl-1.0.2e/crypto/fips/fips_sha_selftest.c.fips 2015-12-04 13:55:51.968562668 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_sha_selftest.c 2015-12-04 13:55:51.968562668 +0100 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11332,9 +11335,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2a/cryp +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c ---- openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips 2015-04-22 19:05:28.500174541 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c 2015-04-22 19:20:28.777446278 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2e/crypto/fips/fips_standalone_hmac.c +--- openssl-1.0.2e/crypto/fips/fips_standalone_hmac.c.fips 2015-12-04 13:55:51.968562668 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_standalone_hmac.c 2015-12-04 13:55:51.968562668 +0100 @@ -0,0 +1,268 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11604,9 +11607,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2a/c +#endif + return 0; +} -diff -up openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips openssl-1.0.2a/crypto/fips/fips_test_suite.c ---- openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips 2015-04-22 16:08:40.300245844 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_test_suite.c 2015-04-22 16:08:40.300245844 +0200 +diff -up openssl-1.0.2e/crypto/fips/fips_test_suite.c.fips openssl-1.0.2e/crypto/fips/fips_test_suite.c +--- openssl-1.0.2e/crypto/fips/fips_test_suite.c.fips 2015-12-04 13:55:51.968562668 +0100 ++++ openssl-1.0.2e/crypto/fips/fips_test_suite.c 2015-12-04 13:55:51.968562668 +0100 @@ -0,0 +1,639 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -12247,9 +12250,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips openssl-1.0.2a/crypto +} + +#endif -diff -up openssl-1.0.2a/crypto/fips/Makefile.fips openssl-1.0.2a/crypto/fips/Makefile ---- openssl-1.0.2a/crypto/fips/Makefile.fips 2015-04-22 16:08:40.300245844 +0200 -+++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 16:08:40.300245844 +0200 +diff -up openssl-1.0.2e/crypto/fips/Makefile.fips openssl-1.0.2e/crypto/fips/Makefile +--- openssl-1.0.2e/crypto/fips/Makefile.fips 2015-12-04 13:55:51.969562692 +0100 ++++ openssl-1.0.2e/crypto/fips/Makefile 2015-12-04 13:55:51.969562692 +0100 @@ -0,0 +1,341 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -12592,9 +12595,9 @@ diff -up openssl-1.0.2a/crypto/fips/Makefile.fips openssl-1.0.2a/crypto/fips/Mak +fips_sha_selftest.o: ../../include/openssl/safestack.h +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c -diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac.c ---- openssl-1.0.2a/crypto/hmac/hmac.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/hmac/hmac.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2e/crypto/hmac/hmac.c.fips openssl-1.0.2e/crypto/hmac/hmac.c +--- openssl-1.0.2e/crypto/hmac/hmac.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/hmac/hmac.c 2015-12-04 13:55:51.969562692 +0100 @@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; @@ -12607,9 +12610,9 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. - return FIPS_hmac_init_ex(ctx, key, len, md, NULL); } #endif - -@@ -105,6 +99,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo - md = ctx->md; + /* If we are changing MD then we must have a key */ +@@ -111,6 +105,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + } if (key != NULL) { +#ifdef OPENSSL_FIPS @@ -12622,7 +12625,7 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. reset = 1; j = EVP_MD_block_size(md); OPENSSL_assert(j <= (int)sizeof(ctx->key)); -@@ -157,10 +158,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void +@@ -164,10 +165,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) { @@ -12630,10 +12633,10 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. - if (FIPS_mode() && !ctx->i_ctx.engine) - return FIPS_hmac_update(ctx, data, len); -#endif - return EVP_DigestUpdate(&ctx->md_ctx, data, len); - } + if (!ctx->md) + return 0; -@@ -168,10 +165,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c +@@ -178,10 +175,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c { unsigned int i; unsigned char buf[EVP_MAX_MD_SIZE]; @@ -12642,9 +12645,9 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. - return FIPS_hmac_final(ctx, md, len); -#endif - if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) + if (!ctx->md) goto err; -@@ -211,12 +204,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C +@@ -225,12 +218,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C void HMAC_CTX_cleanup(HMAC_CTX *ctx) { @@ -12657,9 +12660,9 @@ diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac. EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); -diff -up openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2a/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/mdc2/mdc2dgst.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2e/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2e/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.2e/crypto/mdc2/mdc2dgst.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/mdc2/mdc2dgst.c 2015-12-04 13:55:51.969562692 +0100 @@ -76,7 +76,7 @@ *((c)++)=(unsigned char)(((l)>>24L)&0xff)) @@ -12669,9 +12672,9 @@ diff -up openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2a/crypto/mdc2/m { c->num = 0; c->pad_type = 1; -diff -up openssl-1.0.2a/crypto/md2/md2_dgst.c.fips openssl-1.0.2a/crypto/md2/md2_dgst.c ---- openssl-1.0.2a/crypto/md2/md2_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/md2/md2_dgst.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2e/crypto/md2/md2_dgst.c.fips openssl-1.0.2e/crypto/md2/md2_dgst.c +--- openssl-1.0.2e/crypto/md2/md2_dgst.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/md2/md2_dgst.c 2015-12-04 13:55:51.969562692 +0100 @@ -62,6 +62,11 @@ #include #include @@ -12693,9 +12696,9 @@ diff -up openssl-1.0.2a/crypto/md2/md2_dgst.c.fips openssl-1.0.2a/crypto/md2/md2 { c->num = 0; memset(c->state, 0, sizeof c->state); -diff -up openssl-1.0.2a/crypto/md4/md4_dgst.c.fips openssl-1.0.2a/crypto/md4/md4_dgst.c ---- openssl-1.0.2a/crypto/md4/md4_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/md4/md4_dgst.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2e/crypto/md4/md4_dgst.c.fips openssl-1.0.2e/crypto/md4/md4_dgst.c +--- openssl-1.0.2e/crypto/md4/md4_dgst.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/md4/md4_dgst.c 2015-12-04 13:55:51.969562692 +0100 @@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -12705,9 +12708,9 @@ diff -up openssl-1.0.2a/crypto/md4/md4_dgst.c.fips openssl-1.0.2a/crypto/md4/md4 { memset(c, 0, sizeof(*c)); c->A = INIT_DATA_A; -diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.fips openssl-1.0.2a/crypto/md5/md5_dgst.c ---- openssl-1.0.2a/crypto/md5/md5_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2e/crypto/md5/md5_dgst.c.fips openssl-1.0.2e/crypto/md5/md5_dgst.c +--- openssl-1.0.2e/crypto/md5/md5_dgst.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/md5/md5_dgst.c 2015-12-04 13:55:51.969562692 +0100 @@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -12717,9 +12720,9 @@ diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.fips openssl-1.0.2a/crypto/md5/md5 { memset(c, 0, sizeof(*c)); c->A = INIT_DATA_A; -diff -up openssl-1.0.2a/crypto/o_fips.c.fips openssl-1.0.2a/crypto/o_fips.c ---- openssl-1.0.2a/crypto/o_fips.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/o_fips.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2e/crypto/o_fips.c.fips openssl-1.0.2e/crypto/o_fips.c +--- openssl-1.0.2e/crypto/o_fips.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/o_fips.c 2015-12-04 13:55:51.970562715 +0100 @@ -80,6 +80,8 @@ int FIPS_mode_set(int r) # ifndef FIPS_AUTH_USER_PASS # define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" @@ -12729,9 +12732,9 @@ diff -up openssl-1.0.2a/crypto/o_fips.c.fips openssl-1.0.2a/crypto/o_fips.c if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) -diff -up openssl-1.0.2a/crypto/o_init.c.fips openssl-1.0.2a/crypto/o_init.c ---- openssl-1.0.2a/crypto/o_init.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/o_init.c 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2e/crypto/o_init.c.fips openssl-1.0.2e/crypto/o_init.c +--- openssl-1.0.2e/crypto/o_init.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/o_init.c 2015-12-04 13:55:51.970562715 +0100 @@ -56,8 +56,37 @@ #include #include @@ -12801,9 +12804,9 @@ diff -up openssl-1.0.2a/crypto/o_init.c.fips openssl-1.0.2a/crypto/o_init.c +{ + OPENSSL_init_library(); +} -diff -up openssl-1.0.2a/crypto/opensslconf.h.in.fips openssl-1.0.2a/crypto/opensslconf.h.in ---- openssl-1.0.2a/crypto/opensslconf.h.in.fips 2015-01-20 13:33:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/opensslconf.h.in 2015-04-22 16:08:40.301245867 +0200 +diff -up openssl-1.0.2e/crypto/opensslconf.h.in.fips openssl-1.0.2e/crypto/opensslconf.h.in +--- openssl-1.0.2e/crypto/opensslconf.h.in.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/opensslconf.h.in 2015-12-04 13:55:51.970562715 +0100 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -12825,9 +12828,9 @@ diff -up openssl-1.0.2a/crypto/opensslconf.h.in.fips openssl-1.0.2a/crypto/opens /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.2a/crypto/rand/md_rand.c.fips openssl-1.0.2a/crypto/rand/md_rand.c ---- openssl-1.0.2a/crypto/rand/md_rand.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rand/md_rand.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2e/crypto/rand/md_rand.c.fips openssl-1.0.2e/crypto/rand/md_rand.c +--- openssl-1.0.2e/crypto/rand/md_rand.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/rand/md_rand.c 2015-12-04 13:55:51.970562715 +0100 @@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; @@ -12840,9 +12843,9 @@ diff -up openssl-1.0.2a/crypto/rand/md_rand.c.fips openssl-1.0.2a/crypto/rand/md RAND_poll(); initialized = 1; } -diff -up openssl-1.0.2a/crypto/rand/rand.h.fips openssl-1.0.2a/crypto/rand/rand.h ---- openssl-1.0.2a/crypto/rand/rand.h.fips 2015-04-22 16:08:40.044239782 +0200 -+++ openssl-1.0.2a/crypto/rand/rand.h 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2e/crypto/rand/rand.h.fips openssl-1.0.2e/crypto/rand/rand.h +--- openssl-1.0.2e/crypto/rand/rand.h.fips 2015-12-04 13:55:51.729557095 +0100 ++++ openssl-1.0.2e/crypto/rand/rand.h 2015-12-04 13:55:51.970562715 +0100 @@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -12883,9 +12886,9 @@ diff -up openssl-1.0.2a/crypto/rand/rand.h.fips openssl-1.0.2a/crypto/rand/rand. #ifdef __cplusplus } -diff -up openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2a/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/ripemd/rmd_dgst.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2e/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2e/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.2e/crypto/ripemd/rmd_dgst.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/ripemd/rmd_dgst.c 2015-12-04 13:55:51.970562715 +0100 @@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX * void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num); #endif @@ -12895,9 +12898,9 @@ diff -up openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2a/crypto/ripe { memset(c, 0, sizeof(*c)); c->A = RIPEMD160_A; -diff -up openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2a/crypto/rsa/rsa_crpt.c ---- openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_crpt.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2e/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2e/crypto/rsa/rsa_crpt.c +--- openssl-1.0.2e/crypto/rsa/rsa_crpt.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/rsa/rsa_crpt.c 2015-12-04 13:55:51.970562715 +0100 @@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const unsigned char *to, RSA *rsa, int padding) { @@ -12924,9 +12927,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2a/crypto/rsa/rsa return -1; } #endif -diff -up openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips openssl-1.0.2a/crypto/rsa/rsa_eay.c ---- openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_eay.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2e/crypto/rsa/rsa_eay.c.fips openssl-1.0.2e/crypto/rsa/rsa_eay.c +--- openssl-1.0.2e/crypto/rsa/rsa_eay.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/rsa/rsa_eay.c 2015-12-04 13:55:51.971562738 +0100 @@ -114,6 +114,10 @@ #include #include @@ -13049,9 +13052,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips openssl-1.0.2a/crypto/rsa/rsa_ rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; return (1); } -diff -up openssl-1.0.2a/crypto/rsa/rsa_err.c.fips openssl-1.0.2a/crypto/rsa/rsa_err.c ---- openssl-1.0.2a/crypto/rsa/rsa_err.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_err.c 2015-04-22 16:08:40.302245891 +0200 +diff -up openssl-1.0.2e/crypto/rsa/rsa_err.c.fips openssl-1.0.2e/crypto/rsa/rsa_err.c +--- openssl-1.0.2e/crypto/rsa/rsa_err.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/rsa/rsa_err.c 2015-12-04 13:55:51.971562738 +0100 @@ -136,6 +136,8 @@ static ERR_STRING_DATA RSA_str_functs[] {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, @@ -13061,13 +13064,15 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_err.c.fips openssl-1.0.2a/crypto/rsa/rsa_ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, -diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_gen.c ---- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-22 16:08:40.303245914 +0200 -@@ -69,6 +69,80 @@ +diff -up openssl-1.0.2e/crypto/rsa/rsa_gen.c.fips openssl-1.0.2e/crypto/rsa/rsa_gen.c +--- openssl-1.0.2e/crypto/rsa/rsa_gen.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/rsa/rsa_gen.c 2015-12-04 13:55:51.971562738 +0100 +@@ -69,8 +69,80 @@ #include #ifdef OPENSSL_FIPS # include +-extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, +- BN_GENCB *cb); +# include +# include + @@ -13145,7 +13150,7 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_ #endif static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, -@@ -84,7 +158,7 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -86,7 +158,7 @@ static int rsa_builtin_keygen(RSA *rsa, int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { #ifdef OPENSSL_FIPS @@ -13154,18 +13159,18 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); return 0; -@@ -92,10 +166,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi +@@ -94,10 +166,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi #endif if (rsa->meth->rsa_keygen) return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); -#ifdef OPENSSL_FIPS - if (FIPS_mode()) -- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb); +- return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb); -#endif return rsa_builtin_keygen(rsa, bits, e_value, cb); } -@@ -108,6 +178,20 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -110,6 +178,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bitsp, bitsq, ok = -1, n = 0; BN_CTX *ctx = NULL; @@ -13186,7 +13191,7 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_ ctx = BN_CTX_new(); if (ctx == NULL) goto err; -@@ -233,6 +317,16 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -235,6 +317,16 @@ static int rsa_builtin_keygen(RSA *rsa, if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) goto err; @@ -13203,9 +13208,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_ ok = 1; err: if (ok == -1) { -diff -up openssl-1.0.2a/crypto/rsa/rsa.h.fips openssl-1.0.2a/crypto/rsa/rsa.h ---- openssl-1.0.2a/crypto/rsa/rsa.h.fips 2015-04-22 16:08:40.178242955 +0200 -+++ openssl-1.0.2a/crypto/rsa/rsa.h 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2e/crypto/rsa/rsa.h.fips openssl-1.0.2e/crypto/rsa/rsa.h +--- openssl-1.0.2e/crypto/rsa/rsa.h.fips 2015-12-04 13:55:51.859560126 +0100 ++++ openssl-1.0.2e/crypto/rsa/rsa.h 2015-12-04 13:55:51.971562738 +0100 @@ -168,6 +168,8 @@ struct rsa_st { # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 # endif @@ -13302,9 +13307,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa.h.fips openssl-1.0.2a/crypto/rsa/rsa.h # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 # define RSA_R_PADDING_CHECK_FAILED 114 # define RSA_R_PKCS_DECODING_ERROR 159 -diff -up openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips openssl-1.0.2a/crypto/rsa/rsa_lib.c ---- openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_lib.c 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2e/crypto/rsa/rsa_lib.c.fips openssl-1.0.2e/crypto/rsa/rsa_lib.c +--- openssl-1.0.2e/crypto/rsa/rsa_lib.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/rsa/rsa_lib.c 2015-12-04 13:55:51.971562738 +0100 @@ -84,23 +84,22 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -13377,9 +13382,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips openssl-1.0.2a/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE if (ret->engine) -diff -up openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2a/crypto/rsa/rsa_pmeth.c ---- openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_pmeth.c 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2e/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2e/crypto/rsa/rsa_pmeth.c +--- openssl-1.0.2e/crypto/rsa/rsa_pmeth.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/rsa/rsa_pmeth.c 2015-12-04 13:55:51.972562762 +0100 @@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); return -1; @@ -13401,7 +13406,7 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2a/crypto/rsa/rs if (EVP_MD_type(rctx->md) == NID_mdc2) { unsigned int sltmp; -@@ -353,17 +339,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX +@@ -359,17 +345,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX } #endif if (rctx->md) { @@ -13419,9 +13424,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2a/crypto/rsa/rs if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); -diff -up openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips openssl-1.0.2a/crypto/rsa/rsa_sign.c ---- openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/rsa/rsa_sign.c 2015-04-22 16:08:40.303245914 +0200 +diff -up openssl-1.0.2e/crypto/rsa/rsa_sign.c.fips openssl-1.0.2e/crypto/rsa/rsa_sign.c +--- openssl-1.0.2e/crypto/rsa/rsa_sign.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/rsa/rsa_sign.c 2015-12-04 13:55:51.972562762 +0100 @@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig, &p); s = tmps; @@ -13460,9 +13465,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips openssl-1.0.2a/crypto/rsa/rsa if (i <= 0) goto err; -diff -up openssl-1.0.2a/crypto/sha/sha.h.fips openssl-1.0.2a/crypto/sha/sha.h ---- openssl-1.0.2a/crypto/sha/sha.h.fips 2015-04-22 16:08:39.964237888 +0200 -+++ openssl-1.0.2a/crypto/sha/sha.h 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2e/crypto/sha/sha.h.fips openssl-1.0.2e/crypto/sha/sha.h +--- openssl-1.0.2e/crypto/sha/sha.h.fips 2015-12-04 13:55:51.651555276 +0100 ++++ openssl-1.0.2e/crypto/sha/sha.h 2015-12-04 13:55:51.972562762 +0100 @@ -105,9 +105,6 @@ typedef struct SHAstate_st { } SHA_CTX; @@ -13505,9 +13510,9 @@ diff -up openssl-1.0.2a/crypto/sha/sha.h.fips openssl-1.0.2a/crypto/sha/sha.h int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); -diff -up openssl-1.0.2a/crypto/sha/sha_locl.h.fips openssl-1.0.2a/crypto/sha/sha_locl.h ---- openssl-1.0.2a/crypto/sha/sha_locl.h.fips 2015-04-22 16:08:39.966237935 +0200 -+++ openssl-1.0.2a/crypto/sha/sha_locl.h 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2e/crypto/sha/sha_locl.h.fips openssl-1.0.2e/crypto/sha/sha_locl.h +--- openssl-1.0.2e/crypto/sha/sha_locl.h.fips 2015-12-04 13:55:51.653555322 +0100 ++++ openssl-1.0.2e/crypto/sha/sha_locl.h 2015-12-04 13:55:51.972562762 +0100 @@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, c #define INIT_DATA_h4 0xc3d2e1f0UL @@ -13524,9 +13529,9 @@ diff -up openssl-1.0.2a/crypto/sha/sha_locl.h.fips openssl-1.0.2a/crypto/sha/sha memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -diff -up openssl-1.0.2a/crypto/sha/sha256.c.fips openssl-1.0.2a/crypto/sha/sha256.c ---- openssl-1.0.2a/crypto/sha/sha256.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/sha/sha256.c 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2e/crypto/sha/sha256.c.fips openssl-1.0.2e/crypto/sha/sha256.c +--- openssl-1.0.2e/crypto/sha/sha256.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/sha/sha256.c 2015-12-04 13:55:51.972562762 +0100 @@ -12,12 +12,19 @@ # include @@ -13557,9 +13562,9 @@ diff -up openssl-1.0.2a/crypto/sha/sha256.c.fips openssl-1.0.2a/crypto/sha/sha25 memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -diff -up openssl-1.0.2a/crypto/sha/sha512.c.fips openssl-1.0.2a/crypto/sha/sha512.c ---- openssl-1.0.2a/crypto/sha/sha512.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/sha/sha512.c 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2e/crypto/sha/sha512.c.fips openssl-1.0.2e/crypto/sha/sha512.c +--- openssl-1.0.2e/crypto/sha/sha512.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/sha/sha512.c 2015-12-04 13:55:51.972562762 +0100 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -13591,9 +13596,9 @@ diff -up openssl-1.0.2a/crypto/sha/sha512.c.fips openssl-1.0.2a/crypto/sha/sha51 c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -diff -up openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2a/crypto/whrlpool/wp_dgst.c ---- openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/whrlpool/wp_dgst.c 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2e/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2e/crypto/whrlpool/wp_dgst.c +--- openssl-1.0.2e/crypto/whrlpool/wp_dgst.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/whrlpool/wp_dgst.c 2015-12-04 13:55:51.973562785 +0100 @@ -55,7 +55,7 @@ #include #include @@ -13603,9 +13608,9 @@ diff -up openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2a/crypto/whr { memset(c, 0, sizeof(*c)); return (1); -diff -up openssl-1.0.2a/Makefile.org.fips openssl-1.0.2a/Makefile.org ---- openssl-1.0.2a/Makefile.org.fips 2015-04-22 16:08:40.270245133 +0200 -+++ openssl-1.0.2a/Makefile.org 2015-04-22 16:08:40.304245938 +0200 +diff -up openssl-1.0.2e/Makefile.org.fips openssl-1.0.2e/Makefile.org +--- openssl-1.0.2e/Makefile.org.fips 2015-12-04 13:55:51.943562085 +0100 ++++ openssl-1.0.2e/Makefile.org 2015-12-04 13:55:51.973562785 +0100 @@ -137,6 +137,9 @@ FIPSCANLIB= BASEADDR= @@ -13625,7 +13630,7 @@ diff -up openssl-1.0.2a/Makefile.org.fips openssl-1.0.2a/Makefile.org # keep in mind that the above list is adjusted by ./Configure # according to no-xxx arguments... -@@ -238,6 +241,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS +@@ -240,6 +243,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM) FIPSLIBDIR='${FIPSLIBDIR}' \ FIPSDIR='${FIPSDIR}' \ FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \ @@ -13633,9 +13638,9 @@ diff -up openssl-1.0.2a/Makefile.org.fips openssl-1.0.2a/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.2a/ssl/ssl_algs.c.fips openssl-1.0.2a/ssl/ssl_algs.c ---- openssl-1.0.2a/ssl/ssl_algs.c.fips 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/ssl/ssl_algs.c 2015-04-22 16:08:40.305245962 +0200 +diff -up openssl-1.0.2e/ssl/ssl_algs.c.fips openssl-1.0.2e/ssl/ssl_algs.c +--- openssl-1.0.2e/ssl/ssl_algs.c.fips 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/ssl/ssl_algs.c 2015-12-04 13:55:51.973562785 +0100 @@ -64,6 +64,11 @@ int SSL_library_init(void) { diff --git a/openssl-1.0.2e-remove-nistp224.patch b/openssl-1.0.2e-remove-nistp224.patch new file mode 100644 index 0000000..22b99c1 --- /dev/null +++ b/openssl-1.0.2e-remove-nistp224.patch @@ -0,0 +1,15 @@ +diff -up openssl-1.0.2e/crypto/ec/ec.h.nistp224 openssl-1.0.2e/crypto/ec/ec.h +--- openssl-1.0.2e/crypto/ec/ec.h.nistp224 2015-12-04 14:00:57.000000000 +0100 ++++ openssl-1.0.2e/crypto/ec/ec.h 2015-12-08 15:51:37.046747916 +0100 +@@ -149,11 +149,6 @@ const EC_METHOD *EC_GFp_mont_method(void + const EC_METHOD *EC_GFp_nist_method(void); + + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +-/** Returns 64-bit optimized methods for nistp224 +- * \return EC_METHOD object +- */ +-const EC_METHOD *EC_GFp_nistp224_method(void); +- + /** Returns 64-bit optimized methods for nistp256 + * \return EC_METHOD object + */ diff --git a/openssl-1.0.2a-rpmbuild.patch b/openssl-1.0.2e-rpmbuild.patch similarity index 85% rename from openssl-1.0.2a-rpmbuild.patch rename to openssl-1.0.2e-rpmbuild.patch index 4efb633..db1460c 100644 --- a/openssl-1.0.2a-rpmbuild.patch +++ b/openssl-1.0.2e-rpmbuild.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure ---- openssl-1.0.2a/Configure.rpmbuild 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/Configure 2015-04-20 14:35:03.516318252 +0200 -@@ -348,8 +348,8 @@ my %table=( +diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure +--- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100 +@@ -365,8 +365,8 @@ my %table=( #### # *-generic* is endian-neutral target, but ./config is free to # throw in -D[BL]_ENDIAN, whichever appropriate... @@ -12,14 +12,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure ####################################################################### # Note that -march is not among compiler options in below linux-armv4 -@@ -378,30 +378,30 @@ my %table=( +@@ -395,31 +395,31 @@ my %table=( # # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 # -"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", # Configure script adds minimally required -march for assembly support, # if no -march was specified at command line. mips32 and mips64 below # refer to contemporary MIPS Architecture specifications, MIPS32 and @@ -40,14 +40,15 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure -"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::", -"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", - "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", + "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", + "debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", -"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", @@ -55,12 +56,12 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure #### So called "highgprs" target for z/Architecture CPUs # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see # /proc/cpuinfo. The idea is to preserve most significant bits of -@@ -419,12 +419,12 @@ my %table=( +@@ -437,12 +437,12 @@ my %table=( #### SPARC Linux setups # Ray Miller has patiently # assisted with debugging of following two configs. --"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +-"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", # it's a real mess with -mcpu=ultrasparc option under Linux, but # -Wa,-Av8plus should do the trick no matter what. -"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -71,7 +72,7 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure #### Alpha Linux with GNU C and Compaq C setups # Special notes: # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you -@@ -1737,7 +1737,7 @@ while () +@@ -1767,7 +1767,7 @@ while () elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; @@ -80,9 +81,9 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure } elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) { -diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org ---- openssl-1.0.2a/Makefile.org.rpmbuild 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/Makefile.org 2015-04-20 14:11:52.152847093 +0200 +diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org +--- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100 @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= SHLIB_MAJOR= SHLIB_MINOR= @@ -91,7 +92,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org PLATFORM=dist OPTIONS= CONFIGURE_ARGS= -@@ -335,10 +336,9 @@ clean-shared: +@@ -341,10 +342,9 @@ clean-shared: link-shared: @ set -e; for i in $(SHLIBDIRS); do \ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ @@ -103,7 +104,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org done build-shared: do_$(SHLIB_TARGET) link-shared -@@ -349,7 +349,7 @@ do_$(SHLIB_TARGET): +@@ -355,7 +355,7 @@ do_$(SHLIB_TARGET): libs="$(LIBKRB5) $$libs"; \ fi; \ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl-1.0.2e-speed-doc.patch b/openssl-1.0.2e-speed-doc.patch new file mode 100644 index 0000000..8e3d95b --- /dev/null +++ b/openssl-1.0.2e-speed-doc.patch @@ -0,0 +1,58 @@ +diff -up openssl-1.0.2e/apps/speed.c.speed-doc openssl-1.0.2e/apps/speed.c +--- openssl-1.0.2e/apps/speed.c.speed-doc 2015-12-04 14:00:58.000000000 +0100 ++++ openssl-1.0.2e/apps/speed.c 2016-01-15 14:15:56.482343557 +0100 +@@ -648,10 +648,6 @@ int MAIN(int argc, char **argv) + # endif + int multiblock = 0; + +-# ifndef TIMES +- usertime = -1; +-# endif +- + apps_startup(); + memset(results, 0, sizeof(results)); + # ifndef OPENSSL_NO_DSA +@@ -1145,10 +1141,8 @@ int MAIN(int argc, char **argv) + + BIO_printf(bio_err, "\n"); + BIO_printf(bio_err, "Available options:\n"); +-# if defined(TIMES) || defined(USE_TOD) + BIO_printf(bio_err, "-elapsed " + "measure time in real time instead of CPU user time.\n"); +-# endif + # ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err, + "-engine e " +diff -up openssl-1.0.2e/doc/apps/speed.pod.speed-doc openssl-1.0.2e/doc/apps/speed.pod +--- openssl-1.0.2e/doc/apps/speed.pod.speed-doc 2015-12-03 14:42:07.000000000 +0100 ++++ openssl-1.0.2e/doc/apps/speed.pod 2016-01-15 14:05:23.044222376 +0100 +@@ -8,6 +8,9 @@ speed - test library performance + + B + [B<-engine id>] ++[B<-elapsed>] ++[B<-evp algo>] ++[B<-decrypt>] + [B] + [B] + [B] +@@ -49,6 +52,19 @@ to attempt to obtain a functional refere + thus initialising it if needed. The engine will then be set as the default + for all available algorithms. + ++=item B<-elapsed> ++ ++Measure time in real time instead of CPU time. It can be useful when testing ++speed of hardware engines. ++ ++=item B<-evp algo> ++ ++Use the specified cipher or message digest algorithm via the EVP interface. ++ ++=item B<-decrypt> ++ ++Time the decryption instead of encryption. Affects only the EVP testing. ++ + =item B<[zero or more test algorithms]> + + If any options are given, B tests those algorithms, otherwise all of diff --git a/openssl-1.0.2a-wrap-pad.patch b/openssl-1.0.2e-wrap-pad.patch similarity index 88% rename from openssl-1.0.2a-wrap-pad.patch rename to openssl-1.0.2e-wrap-pad.patch index ff1a133..fad043c 100644 --- a/openssl-1.0.2a-wrap-pad.patch +++ b/openssl-1.0.2e-wrap-pad.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.2a/crypto/evp/c_allc.c.wrap openssl-1.0.2a/crypto/evp/c_allc.c ---- openssl-1.0.2a/crypto/evp/c_allc.c.wrap 2015-04-22 15:41:32.147488107 +0200 -+++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 15:47:25.486946239 +0200 +diff -up openssl-1.0.2e/crypto/evp/c_allc.c.wrap openssl-1.0.2e/crypto/evp/c_allc.c +--- openssl-1.0.2e/crypto/evp/c_allc.c.wrap 2015-12-04 13:33:42.118550036 +0100 ++++ openssl-1.0.2e/crypto/evp/c_allc.c 2015-12-04 13:33:42.190551722 +0100 @@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_128_xts()); EVP_add_cipher(EVP_aes_128_ccm()); @@ -57,9 +57,9 @@ diff -up openssl-1.0.2a/crypto/evp/c_allc.c.wrap openssl-1.0.2a/crypto/evp/c_all EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); # endif -diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.c ---- openssl-1.0.2a/crypto/evp/e_aes.c.wrap 2015-04-22 15:41:32.148488131 +0200 -+++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 15:52:21.809039506 +0200 +diff -up openssl-1.0.2e/crypto/evp/e_aes.c.wrap openssl-1.0.2e/crypto/evp/e_aes.c +--- openssl-1.0.2e/crypto/evp/e_aes.c.wrap 2015-12-04 13:33:42.119550059 +0100 ++++ openssl-1.0.2e/crypto/evp/e_aes.c 2015-12-04 13:33:42.190551722 +0100 @@ -1,5 +1,5 @@ /* ==================================================================== - * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. @@ -67,7 +67,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -1952,7 +1952,7 @@ static int aes_wrap_init_key(EVP_CIPHER_ +@@ -1953,7 +1953,7 @@ static int aes_wrap_init_key(EVP_CIPHER_ wctx->iv = NULL; } if (iv) { @@ -76,7 +76,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes. wctx->iv = ctx->iv; } return 1; -@@ -1963,30 +1963,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT +@@ -1964,30 +1964,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT { EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; size_t rv; @@ -142,7 +142,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) -@@ -2031,3 +2058,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void) +@@ -2032,3 +2059,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void) { return &aes_256_wrap; } @@ -188,10 +188,10 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes. +{ + return &aes_256_wrap_pad; +} -diff -up openssl-1.0.2a/crypto/evp/e_des3.c.wrap openssl-1.0.2a/crypto/evp/e_des3.c ---- openssl-1.0.2a/crypto/evp/e_des3.c.wrap 2015-04-22 15:41:40.301683300 +0200 -+++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 15:53:39.529899964 +0200 -@@ -473,7 +473,7 @@ static const EVP_CIPHER des3_wrap = { +diff -up openssl-1.0.2e/crypto/evp/e_des3.c.wrap openssl-1.0.2e/crypto/evp/e_des3.c +--- openssl-1.0.2e/crypto/evp/e_des3.c.wrap 2015-12-04 13:33:42.119550059 +0100 ++++ openssl-1.0.2e/crypto/evp/e_des3.c 2015-12-04 13:33:42.191551745 +0100 +@@ -474,7 +474,7 @@ static const EVP_CIPHER des3_wrap = { NID_id_smime_alg_CMS3DESwrap, 8, 24, 0, EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER @@ -200,10 +200,10 @@ diff -up openssl-1.0.2a/crypto/evp/e_des3.c.wrap openssl-1.0.2a/crypto/evp/e_des des_ede3_init_key, des_ede3_wrap_cipher, NULL, sizeof(DES_EDE_KEY), -diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h ---- openssl-1.0.2a/crypto/evp/evp.h.wrap 2015-04-22 19:30:57.000000000 +0200 -+++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 19:51:06.352832516 +0200 -@@ -832,6 +832,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void); +diff -up openssl-1.0.2e/crypto/evp/evp.h.wrap openssl-1.0.2e/crypto/evp/evp.h +--- openssl-1.0.2e/crypto/evp/evp.h.wrap 2015-12-04 13:33:42.120550083 +0100 ++++ openssl-1.0.2e/crypto/evp/evp.h 2015-12-04 13:33:42.191551745 +0100 +@@ -834,6 +834,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void); const EVP_CIPHER *EVP_aes_128_gcm(void); const EVP_CIPHER *EVP_aes_128_xts(void); const EVP_CIPHER *EVP_aes_128_wrap(void); @@ -211,7 +211,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_cbc(void); const EVP_CIPHER *EVP_aes_192_cfb1(void); -@@ -843,6 +844,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void); +@@ -845,6 +846,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void); const EVP_CIPHER *EVP_aes_192_ccm(void); const EVP_CIPHER *EVP_aes_192_gcm(void); const EVP_CIPHER *EVP_aes_192_wrap(void); @@ -219,7 +219,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_cbc(void); const EVP_CIPHER *EVP_aes_256_cfb1(void); -@@ -855,6 +857,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void); +@@ -857,6 +859,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void); const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_xts(void); const EVP_CIPHER *EVP_aes_256_wrap(void); @@ -227,9 +227,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void); -diff -up openssl-1.0.2a/crypto/evp/evptests.txt.wrap openssl-1.0.2a/crypto/evp/evptests.txt ---- openssl-1.0.2a/crypto/evp/evptests.txt.wrap 2015-04-22 15:41:47.194848307 +0200 -+++ openssl-1.0.2a/crypto/evp/evptests.txt 2015-04-22 16:01:08.174540977 +0200 +diff -up openssl-1.0.2e/crypto/evp/evptests.txt.wrap openssl-1.0.2e/crypto/evp/evptests.txt +--- openssl-1.0.2e/crypto/evp/evptests.txt.wrap 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/evp/evptests.txt 2015-12-04 13:33:42.191551745 +0100 @@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0 id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2 id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1 @@ -238,9 +238,9 @@ diff -up openssl-1.0.2a/crypto/evp/evptests.txt.wrap openssl-1.0.2a/crypto/evp/e +id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a +id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f + -diff -up openssl-1.0.2a/crypto/modes/modes.h.wrap openssl-1.0.2a/crypto/modes/modes.h ---- openssl-1.0.2a/crypto/modes/modes.h.wrap 2015-04-22 15:41:49.228896997 +0200 -+++ openssl-1.0.2a/crypto/modes/modes.h 2015-04-22 16:03:40.724152855 +0200 +diff -up openssl-1.0.2e/crypto/modes/modes.h.wrap openssl-1.0.2e/crypto/modes/modes.h +--- openssl-1.0.2e/crypto/modes/modes.h.wrap 2015-12-04 13:33:41.770541886 +0100 ++++ openssl-1.0.2e/crypto/modes/modes.h 2015-12-04 13:33:42.191551745 +0100 @@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons unsigned char *out, const unsigned char *in, size_t inlen, @@ -254,9 +254,9 @@ diff -up openssl-1.0.2a/crypto/modes/modes.h.wrap openssl-1.0.2a/crypto/modes/mo #ifdef __cplusplus } -diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/wrap128.c ---- openssl-1.0.2a/crypto/modes/wrap128.c.wrap 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/modes/wrap128.c 2015-04-22 16:06:16.798848197 +0200 +diff -up openssl-1.0.2e/crypto/modes/wrap128.c.wrap openssl-1.0.2e/crypto/modes/wrap128.c +--- openssl-1.0.2e/crypto/modes/wrap128.c.wrap 2015-12-03 15:04:23.000000000 +0100 ++++ openssl-1.0.2e/crypto/modes/wrap128.c 2015-12-04 13:37:51.486366984 +0100 @@ -2,6 +2,7 @@ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -312,7 +312,7 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv, unsigned char *out, const unsigned char *in, size_t inlen, -@@ -72,11 +98,11 @@ size_t CRYPTO_128_wrap(void *key, const +@@ -72,7 +98,7 @@ size_t CRYPTO_128_wrap(void *key, const { unsigned char *A, B[16], *R; size_t i, j, t; @@ -321,11 +321,6 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/ return 0; A = B; t = 1; -- memcpy(out + 8, in, inlen); -+ memmove(out + 8, in, inlen); - if (!iv) - iv = default_iv; - @@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const return inlen + 8; } @@ -351,15 +346,6 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/ unsigned char *out, const unsigned char *in, size_t inlen, block128_f block) -@@ -113,7 +155,7 @@ size_t CRYPTO_128_unwrap(void *key, cons - A = B; - t = 6 * (inlen >> 3); - memcpy(A, in, 8); -- memcpy(out, in + 8, inlen); -+ memmove(out, in + 8, inlen); - for (j = 0; j < 6; j++) { - R = out + inlen - 8; - for (i = 0; i < inlen; i += 8, t--, R -= 8) { @@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons memcpy(R, B + 8, 8); } diff --git a/openssl-1.0.2a-new-fips-reqs.patch b/openssl-1.0.2f-new-fips-reqs.patch similarity index 92% rename from openssl-1.0.2a-new-fips-reqs.patch rename to openssl-1.0.2f-new-fips-reqs.patch index 2462012..bbad42b 100644 --- a/openssl-1.0.2a-new-fips-reqs.patch +++ b/openssl-1.0.2f-new-fips-reqs.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2a/crypto/bn/bn_rand.c ---- openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/bn/bn_rand.c 2015-04-22 15:06:37.907003880 +0200 -@@ -136,9 +136,11 @@ static int bnrand(int pseudorand, BIGNUM +diff -up openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2f/crypto/bn/bn_rand.c +--- openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs 2016-01-28 14:38:30.000000000 +0100 ++++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 16:36:22.811387420 +0100 +@@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM goto err; } @@ -16,9 +16,9 @@ diff -up openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2a/crypto/bn/b if (pseudorand) { if (RAND_pseudo_bytes(buf, bytes) == -1) -diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2a/crypto/dh/dh_gen.c ---- openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs 2015-04-22 15:06:37.840002285 +0200 -+++ openssl-1.0.2a/crypto/dh/dh_gen.c 2015-04-22 15:06:37.907003880 +0200 +diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh_gen.c +--- openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs 2016-01-28 16:36:22.767386408 +0100 ++++ openssl-1.0.2f/crypto/dh/dh_gen.c 2016-01-28 16:36:22.811387420 +0100 @@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret, return 0; } @@ -28,9 +28,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2a/crypto/dh/dh DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); goto err; } -diff -up openssl-1.0.2a/crypto/dh/dh.h.fips-reqs openssl-1.0.2a/crypto/dh/dh.h ---- openssl-1.0.2a/crypto/dh/dh.h.fips-reqs 2015-04-22 15:06:37.908003903 +0200 -+++ openssl-1.0.2a/crypto/dh/dh.h 2015-04-22 15:07:25.265130812 +0200 +diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h +--- openssl-1.0.2f/crypto/dh/dh.h.fips-reqs 2016-01-28 16:36:22.767386408 +0100 ++++ openssl-1.0.2f/crypto/dh/dh.h 2016-01-28 16:36:22.812387443 +0100 @@ -78,6 +78,7 @@ # endif @@ -39,44 +39,10 @@ diff -up openssl-1.0.2a/crypto/dh/dh.h.fips-reqs openssl-1.0.2a/crypto/dh/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 -diff -up openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs openssl-1.0.2a/crypto/dh/dh_check.c ---- openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/dh/dh_check.c 2015-04-22 15:06:37.908003903 +0200 -@@ -164,7 +164,30 @@ int DH_check_pub_key(const DH *dh, const - BN_sub_word(q, 1); - if (BN_cmp(pub_key, q) >= 0) - *ret |= DH_CHECK_PUBKEY_TOO_LARGE; -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && dh->q != NULL) { -+ BN_CTX *ctx = NULL; - -+ ctx = BN_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ if (BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL) <= 0) { -+ BN_CTX_free(ctx); -+ goto err; -+ } -+ if (!BN_is_one(q)) { -+ /* it would be more correct to add new return flag -+ * for this test, but we do not want to do it -+ * so just error out -+ */ -+ BN_CTX_free(ctx); -+ goto err; -+ } -+ -+ BN_CTX_free(ctx); -+ } -+#endif - ok = 1; - err: - if (q != NULL) -diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2a/crypto/dsa/dsa_gen.c ---- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs 2015-04-22 15:06:37.841002309 +0200 -+++ openssl-1.0.2a/crypto/dsa/dsa_gen.c 2015-04-22 15:06:37.908003903 +0200 -@@ -165,9 +165,11 @@ int dsa_builtin_paramgen(DSA *ret, size_ +diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_gen.c +--- openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs 2016-01-28 16:36:22.768386431 +0100 ++++ openssl-1.0.2f/crypto/dsa/dsa_gen.c 2016-01-28 16:36:22.812387443 +0100 +@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_ } if (FIPS_module_mode() && @@ -91,9 +57,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2a/crypto/dsa DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); goto err; } -diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2a/crypto/dsa/dsa.h ---- openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs 2015-04-22 15:06:37.908003903 +0200 -+++ openssl-1.0.2a/crypto/dsa/dsa.h 2015-04-22 15:09:01.291415852 +0200 +diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa.h +--- openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs 2016-01-28 16:36:22.768386431 +0100 ++++ openssl-1.0.2f/crypto/dsa/dsa.h 2016-01-28 16:36:22.812387443 +0100 @@ -89,6 +89,7 @@ # endif @@ -114,9 +80,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2a/crypto/dsa/dsa * Rabin-Miller */ # define DSA_is_prime(n, callback, cb_arg) \ -diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2a/crypto/dsa/dsa_key.c ---- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs 2015-04-22 15:06:37.905003832 +0200 -+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-22 15:06:37.908003903 +0200 +diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_key.c +--- openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100 ++++ openssl-1.0.2f/crypto/dsa/dsa_key.c 2016-01-28 16:36:22.812387443 +0100 @@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa) # ifdef OPENSSL_FIPS @@ -126,9 +92,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2a/crypto/dsa DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); goto err; } -diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-reqs openssl-1.0.2a/crypto/fips/fips.c ---- openssl-1.0.2a/crypto/fips/fips.c.fips-reqs 2015-04-22 15:06:37.905003832 +0200 -+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-22 15:06:37.909003927 +0200 +diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/fips.c +--- openssl-1.0.2f/crypto/fips/fips.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100 ++++ openssl-1.0.2f/crypto/fips/fips.c 2016-01-28 16:36:22.813387467 +0100 @@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons ret = 0; goto end; @@ -162,9 +128,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-reqs openssl-1.0.2a/crypto/fips/ ret = 1; goto end; } -diff -up openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_dh_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs 2015-04-22 15:06:37.909003927 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_dh_selftest.c 2015-04-22 15:06:37.909003927 +0200 +diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_dh_selftest.c +--- openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-01-28 16:36:22.813387467 +0100 ++++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c 2016-01-28 16:36:22.813387467 +0100 @@ -0,0 +1,162 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -328,9 +294,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2a/ + return ret; +} +#endif -diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-reqs openssl-1.0.2a/crypto/fips/fips.h ---- openssl-1.0.2a/crypto/fips/fips.h.fips-reqs 2015-04-22 15:06:37.899003689 +0200 -+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 15:06:37.909003927 +0200 +diff -up openssl-1.0.2f/crypto/fips/fips.h.fips-reqs openssl-1.0.2f/crypto/fips/fips.h +--- openssl-1.0.2f/crypto/fips/fips.h.fips-reqs 2016-01-28 16:36:22.806387305 +0100 ++++ openssl-1.0.2f/crypto/fips/fips.h 2016-01-28 16:36:22.813387467 +0100 @@ -96,6 +96,7 @@ extern "C" { int FIPS_selftest_dsa(void); int FIPS_selftest_ecdsa(void); @@ -339,9 +305,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-reqs openssl-1.0.2a/crypto/fips/ void FIPS_corrupt_rng(void); void FIPS_rng_stick(void); void FIPS_x931_stick(int onoff); -diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_post.c ---- openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs 2015-04-22 15:06:37.895003594 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 15:06:37.909003927 +0200 +diff -up openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_post.c +--- openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs 2016-01-28 16:36:22.803387236 +0100 ++++ openssl-1.0.2f/crypto/fips/fips_post.c 2016-01-28 16:36:22.813387467 +0100 @@ -99,6 +99,8 @@ int FIPS_selftest(void) rv = 0; if (!FIPS_selftest_dsa()) @@ -351,9 +317,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2a/crypto/ if (!FIPS_selftest_ecdh()) rv = 0; return rv; -diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs 2015-04-22 15:06:37.854002618 +0200 -+++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c 2015-04-22 15:06:37.910003951 +0200 +diff -up openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-01-28 16:36:22.778386661 +0100 ++++ openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c 2016-01-28 16:36:22.814387489 +0100 @@ -60,68 +60,107 @@ #ifdef OPENSSL_FIPS @@ -1008,9 +974,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2a RSA_free(key); return ret; } -diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-reqs openssl-1.0.2a/crypto/fips/Makefile ---- openssl-1.0.2a/crypto/fips/Makefile.fips-reqs 2015-04-22 15:06:37.895003594 +0200 -+++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 15:06:37.910003951 +0200 +diff -up openssl-1.0.2f/crypto/fips/Makefile.fips-reqs openssl-1.0.2f/crypto/fips/Makefile +--- openssl-1.0.2f/crypto/fips/Makefile.fips-reqs 2016-01-28 16:36:22.803387236 +0100 ++++ openssl-1.0.2f/crypto/fips/Makefile 2016-01-28 16:36:22.814387489 +0100 @@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ @@ -1029,9 +995,9 @@ diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-reqs openssl-1.0.2a/crypto/fip LIBCRYPTO=-L.. -lcrypto -diff -up openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2a/crypto/rand/rand_lcl.h ---- openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs 2015-04-22 15:06:37.599996574 +0200 -+++ openssl-1.0.2a/crypto/rand/rand_lcl.h 2015-04-22 15:06:37.910003951 +0200 +diff -up openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2f/crypto/rand/rand_lcl.h +--- openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs 2016-01-28 16:36:22.516380636 +0100 ++++ openssl-1.0.2f/crypto/rand/rand_lcl.h 2016-01-28 16:36:22.814387489 +0100 @@ -112,7 +112,7 @@ #ifndef HEADER_RAND_LCL_H # define HEADER_RAND_LCL_H @@ -1041,9 +1007,9 @@ diff -up openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2a/crypto/r # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) -diff -up openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2a/crypto/rand/rand_lib.c ---- openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rand/rand_lib.c 2015-04-22 15:06:37.910003951 +0200 +diff -up openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2f/crypto/rand/rand_lib.c +--- openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs 2016-01-28 14:38:31.000000000 +0100 ++++ openssl-1.0.2f/crypto/rand/rand_lib.c 2016-01-28 16:36:22.814387489 +0100 @@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx, double entropy) { @@ -1067,9 +1033,9 @@ diff -up openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2a/crypto/r return 1; } -diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c ---- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs 2015-04-22 15:06:37.858002714 +0200 -+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-22 15:06:37.910003951 +0200 +diff -up openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2f/crypto/rsa/rsa_gen.c +--- openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs 2016-01-28 16:36:22.781386731 +0100 ++++ openssl-1.0.2f/crypto/rsa/rsa_gen.c 2016-01-28 16:36:22.814387489 +0100 @@ -1,5 +1,6 @@ /* crypto/rsa/rsa_gen.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -1371,9 +1337,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2a/crypto/rsa ok = 1; err: if (ok == -1) { -diff -up openssl-1.0.2a/ssl/t1_enc.c.fips-reqs openssl-1.0.2a/ssl/t1_enc.c ---- openssl-1.0.2a/ssl/t1_enc.c.fips-reqs 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/ssl/t1_enc.c 2015-04-22 15:06:37.911003975 +0200 +diff -up openssl-1.0.2f/ssl/t1_enc.c.fips-reqs openssl-1.0.2f/ssl/t1_enc.c +--- openssl-1.0.2f/ssl/t1_enc.c.fips-reqs 2016-01-28 14:56:08.000000000 +0100 ++++ openssl-1.0.2f/ssl/t1_enc.c 2016-01-28 16:36:22.814387489 +0100 @@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask, return ret; } diff --git a/sources b/sources index 24b2c95..92a2a20 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f51c4df95c3d53fc82a0885fd169225a openssl-1.0.2a-hobbled.tar.xz +e9d29bc1688f65fcb9d1b564d53d6f13 openssl-1.0.2f-hobbled.tar.xz