From 52d44af7ecb16f7ad7a963426894bf330ecbcb98 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 8 Feb 2009 21:52:20 +0000 Subject: [PATCH 01/28] Setup of module mingw32-openssl --- .cvsignore | 0 Makefile | 21 +++++++++++++++++++++ sources | 0 3 files changed, 21 insertions(+) create mode 100644 .cvsignore create mode 100644 Makefile create mode 100644 sources diff --git a/.cvsignore b/.cvsignore new file mode 100644 index 0000000..e69de29 diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..c31d194 --- /dev/null +++ b/Makefile @@ -0,0 +1,21 @@ +# Makefile for source rpm: mingw32-openssl +# $Id$ +NAME := mingw32-openssl +SPECFILE = $(firstword $(wildcard *.spec)) + +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attept a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) diff --git a/sources b/sources new file mode 100644 index 0000000..e69de29 From 4b2bec50c2ab447c603e76007abd08d30d55a72e Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 9 Feb 2009 09:33:37 +0000 Subject: [PATCH 02/28] Initial import. --- .cvsignore | 1 + Makefile.certificate | 74 ++++ hobble-openssl | 45 +++ import.log | 1 + make-dummy-cert | 28 ++ mingw32-openssl-0.9.8g-global.patch | 16 + mingw32-openssl-0.9.8g-sfx.patch | 14 + mingw32-openssl-0.9.8j-configure.patch | 16 + mingw32-openssl-0.9.8j-header-files.patch | 141 ++++++++ mingw32-openssl-0.9.8j-shared.patch | 20 ++ mingw32-openssl.spec | 342 ++++++++++++++++++ openssl-0.9.6-x509.patch | 29 ++ openssl-0.9.8a-defaults.patch | 50 +++ openssl-0.9.8a-link-krb5.patch | 11 + openssl-0.9.8a-no-rpath.patch | 11 + openssl-0.9.8a-reuse-cipher-change.patch | 20 ++ openssl-0.9.8b-aliasing-bug.patch | 24 ++ openssl-0.9.8b-test-use-localhost.patch | 24 ++ openssl-0.9.8b-x509-name-cmp.patch | 18 + openssl-0.9.8g-default-paths.patch | 77 +++++ openssl-0.9.8g-ia64.patch | 19 + openssl-0.9.8g-no-extssl.patch | 27 ++ openssl-0.9.8j-bad-mime.patch | 14 + openssl-0.9.8j-ca-dir.patch | 36 ++ openssl-0.9.8j-eap-fast.patch | 378 ++++++++++++++++++++ openssl-0.9.8j-enginesdir.patch | 40 +++ openssl-0.9.8j-env-nozlib.patch | 13 + openssl-0.9.8j-evp-nonfips.patch | 127 +++++++ openssl-0.9.8j-fips-no-pairwise.patch | 24 ++ openssl-0.9.8j-fipscheck-hmac.patch | 125 +++++++ openssl-0.9.8j-kernel-fipsmode.patch | 62 ++++ openssl-0.9.8j-nocanister.patch | 31 ++ openssl-0.9.8j-readme-warning.patch | 35 ++ openssl-0.9.8j-redhat.patch | 53 +++ openssl-0.9.8j-shlib-version.patch | 12 + openssl-0.9.8j-soversion.patch | 49 +++ openssl-0.9.8j-use-fipscheck.patch | 384 +++++++++++++++++++++ openssl-0.9.8j-version-add-engines.patch | 48 +++ openssl-thread-test.c | 400 ++++++++++++++++++++++ opensslconf-new-warning.h | 7 + opensslconf-new.h | 34 ++ sources | 1 + 42 files changed, 2881 insertions(+) create mode 100644 Makefile.certificate create mode 100755 hobble-openssl create mode 100644 import.log create mode 100755 make-dummy-cert create mode 100644 mingw32-openssl-0.9.8g-global.patch create mode 100644 mingw32-openssl-0.9.8g-sfx.patch create mode 100644 mingw32-openssl-0.9.8j-configure.patch create mode 100644 mingw32-openssl-0.9.8j-header-files.patch create mode 100644 mingw32-openssl-0.9.8j-shared.patch create mode 100644 mingw32-openssl.spec create mode 100644 openssl-0.9.6-x509.patch create mode 100644 openssl-0.9.8a-defaults.patch create mode 100644 openssl-0.9.8a-link-krb5.patch create mode 100644 openssl-0.9.8a-no-rpath.patch create mode 100644 openssl-0.9.8a-reuse-cipher-change.patch create mode 100644 openssl-0.9.8b-aliasing-bug.patch create mode 100644 openssl-0.9.8b-test-use-localhost.patch create mode 100644 openssl-0.9.8b-x509-name-cmp.patch create mode 100644 openssl-0.9.8g-default-paths.patch create mode 100644 openssl-0.9.8g-ia64.patch create mode 100644 openssl-0.9.8g-no-extssl.patch create mode 100644 openssl-0.9.8j-bad-mime.patch create mode 100644 openssl-0.9.8j-ca-dir.patch create mode 100644 openssl-0.9.8j-eap-fast.patch create mode 100644 openssl-0.9.8j-enginesdir.patch create mode 100644 openssl-0.9.8j-env-nozlib.patch create mode 100644 openssl-0.9.8j-evp-nonfips.patch create mode 100644 openssl-0.9.8j-fips-no-pairwise.patch create mode 100644 openssl-0.9.8j-fipscheck-hmac.patch create mode 100644 openssl-0.9.8j-kernel-fipsmode.patch create mode 100644 openssl-0.9.8j-nocanister.patch create mode 100644 openssl-0.9.8j-readme-warning.patch create mode 100644 openssl-0.9.8j-redhat.patch create mode 100644 openssl-0.9.8j-shlib-version.patch create mode 100644 openssl-0.9.8j-soversion.patch create mode 100644 openssl-0.9.8j-use-fipscheck.patch create mode 100644 openssl-0.9.8j-version-add-engines.patch create mode 100644 openssl-thread-test.c create mode 100644 opensslconf-new-warning.h create mode 100644 opensslconf-new.h diff --git a/.cvsignore b/.cvsignore index e69de29..6dba667 100644 --- a/.cvsignore +++ b/.cvsignore @@ -0,0 +1 @@ +openssl-0.9.8j-usa.tar.bz2 diff --git a/Makefile.certificate b/Makefile.certificate new file mode 100644 index 0000000..bf3dc21 --- /dev/null +++ b/Makefile.certificate @@ -0,0 +1,74 @@ +UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8) +SERIAL=0 + +.PHONY: usage +.SUFFIXES: .key .csr .crt .pem +.PRECIOUS: %.key %.csr %.crt %.pem + +usage: + @echo "This makefile allows you to create:" + @echo " o public/private key pairs" + @echo " o SSL certificate signing requests (CSRs)" + @echo " o self-signed SSL test certificates" + @echo + @echo "To create a key pair, run \"make SOMETHING.key\"." + @echo "To create a CSR, run \"make SOMETHING.csr\"." + @echo "To create a test certificate, run \"make SOMETHING.crt\"." + @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"." + @echo + @echo "To create a key for use with Apache, run \"make genkey\"." + @echo "To create a CSR for use with Apache, run \"make certreq\"." + @echo "To create a test certificate for use with Apache, run \"make testcert\"." + @echo + @echo "To create a test certificate with serial number other than zero, add SERIAL=num" + @echo + @echo Examples: + @echo " make server.key" + @echo " make server.csr" + @echo " make server.crt" + @echo " make stunnel.pem" + @echo " make genkey" + @echo " make certreq" + @echo " make testcert" + @echo " make server.crt SERIAL=1" + @echo " make stunnel.pem SERIAL=2" + @echo " make testcert SERIAL=3" + +%.pem: + umask 77 ; \ + PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ + PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ + /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \ + cat $$PEM1 > $@ ; \ + echo "" >> $@ ; \ + cat $$PEM2 >> $@ ; \ + $(RM) $$PEM1 $$PEM2 + +%.key: + umask 77 ; \ + /usr/bin/openssl genrsa -des3 1024 > $@ + +%.csr: %.key + umask 77 ; \ + /usr/bin/openssl req $(UTF8) -new -key $^ -out $@ + +%.crt: %.key + umask 77 ; \ + /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL) + +TLSROOT=/etc/pki/tls +KEY=$(TLSROOT)/private/localhost.key +CSR=$(TLSROOT)/certs/localhost.csr +CRT=$(TLSROOT)/certs/localhost.crt + +genkey: $(KEY) +certreq: $(CSR) +testcert: $(CRT) + +$(CSR): $(KEY) + umask 77 ; \ + /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR) + +$(CRT): $(KEY) + umask 77 ; \ + /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL) diff --git a/hobble-openssl b/hobble-openssl new file mode 100755 index 0000000..de0490f --- /dev/null +++ b/hobble-openssl @@ -0,0 +1,45 @@ +#!/bin/sh + +# Quit out if anything fails. +set -e + +# Clean out patent-or-otherwise-encumbered code. +# MDC-2: 4,908,861 13/03/2007 +# IDEA: 5,214,703 25/05/2010 +# RC5: 5,724,428 03/03/2015 +# EC: ????????? ??/??/2015 + +# Remove assembler portions of IDEA, MDC2, and RC5. +(find crypto/{idea,mdc2,rc5}/asm -type f | xargs -r rm -fv) + +# IDEA, MDC2, RC5, EC. +for a in idea mdc2 rc5 ec ecdh ecdsa; do + for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do + echo Destroying $c + > $c + done +done + +for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_mdc2.c" -o -name "*_ecdsa.c"`; do + echo Destroying $c + > $c +done + +for h in `find crypto ssl apps test -name "*.h"` ; do + echo Removing IDEA, MDC2, RC5, and EC references from $h + cat $h | \ + awk 'BEGIN {ech=1;} \ + /^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_MDC2/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \ + /^#[ \t]*if/ {if(ech < 1) ech--;} \ + {if(ech>0) {;print $0};} \ + /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \ + mv $h.hobbled $h +done + +# Make the makefiles happy. +touch crypto/rc5/asm/rc5-586.pl diff --git a/import.log b/import.log new file mode 100644 index 0000000..b837e05 --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +mingw32-openssl-0_9_8j-2_fc11:HEAD:mingw32-openssl-0.9.8j-2.fc11.src.rpm:1234171576 diff --git a/make-dummy-cert b/make-dummy-cert new file mode 100755 index 0000000..3aff5be --- /dev/null +++ b/make-dummy-cert @@ -0,0 +1,28 @@ +#!/bin/sh +umask 077 + +answers() { + echo -- + echo SomeState + echo SomeCity + echo SomeOrganization + echo SomeOrganizationalUnit + echo localhost.localdomain + echo root@localhost.localdomain +} + +if [ $# -eq 0 ] ; then + echo $"Usage: `basename $0` filename [...]" + exit 0 +fi + +for target in $@ ; do + PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` + PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` + trap "rm -f $PEM1 $PEM2" SIGINT + answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null + cat $PEM1 > ${target} + echo "" >> ${target} + cat $PEM2 >> ${target} + rm -f $PEM1 $PEM2 +done diff --git a/mingw32-openssl-0.9.8g-global.patch b/mingw32-openssl-0.9.8g-global.patch new file mode 100644 index 0000000..814fb46 --- /dev/null +++ b/mingw32-openssl-0.9.8g-global.patch @@ -0,0 +1,16 @@ +Fix global variable macros. + + - RWMJ 2008-09-30 + +diff -ur openssl-0.9.8g.orig/e_os2.h openssl-0.9.8g.mingw/e_os2.h +--- openssl-0.9.8g.orig/e_os2.h 2005-12-18 18:57:07.000000000 +0000 ++++ openssl-0.9.8g.mingw/e_os2.h 2008-09-30 14:27:53.000000000 +0100 +@@ -264,7 +264,7 @@ + # define OPENSSL_IMPLEMENT_GLOBAL(type,name) \ + extern type _hide_##name; \ + type *_shadow_##name(void) { return &_hide_##name; } \ +- static type _hide_##name ++ type _hide_##name + # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void) + # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name())) + #else diff --git a/mingw32-openssl-0.9.8g-sfx.patch b/mingw32-openssl-0.9.8g-sfx.patch new file mode 100644 index 0000000..332a926 --- /dev/null +++ b/mingw32-openssl-0.9.8g-sfx.patch @@ -0,0 +1,14 @@ +--- openssl-0.9.8g.orig/engines/Makefile 2006-02-04 01:49:34.000000000 +0000 ++++ openssl-0.9.8g.mingw/engines/Makefile 2008-09-30 20:05:30.000000000 +0100 +@@ -91,7 +91,10 @@ + set -e; \ + for l in $(LIBNAMES); do \ + ( echo installing $$l; \ +- if [ "$(PLATFORM)" != "Cygwin" ]; then \ ++ if [ "$(PLATFORM)" = "mingw" ]; then \ ++ sfx=dll; \ ++ cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \ ++ elif [ "$(PLATFORM)" != "Cygwin" ]; then \ + case "$(CFLAGS)" in \ + *DSO_DLFCN*) sfx="so";; \ + *DSO_DL*) sfx="sl";; \ diff --git a/mingw32-openssl-0.9.8j-configure.patch b/mingw32-openssl-0.9.8j-configure.patch new file mode 100644 index 0000000..73feff1 --- /dev/null +++ b/mingw32-openssl-0.9.8j-configure.patch @@ -0,0 +1,16 @@ +The 'mingw' target to Configure has some problems with cross-compilation. + + - RWMJ 2008-09-30 + +diff -ur openssl-0.9.8g.orig/Configure openssl-0.9.8g.mingw/Configure +--- openssl-0.9.8g.orig/Configure 2008-09-30 14:16:16.000000000 +0100 ++++ openssl-0.9.8g.mingw/Configure 2008-09-30 14:59:34.000000000 +0100 +@@ -468,7 +468,7 @@ + "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32", + + # MinGW +-"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a", ++"mingw", "MINGW32_CC:-DL_ENDIAN -Wall MINGW32_CFLAGS -D_WIN32_WINNT=0x333 -DMK1MF_BUILD:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-shared:.dll.a:MINGW32_RANLIB", + + # UWIN + "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32", diff --git a/mingw32-openssl-0.9.8j-header-files.patch b/mingw32-openssl-0.9.8j-header-files.patch new file mode 100644 index 0000000..55d1203 --- /dev/null +++ b/mingw32-openssl-0.9.8j-header-files.patch @@ -0,0 +1,141 @@ +--- ./crypto/seed/seed_ecb.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200 ++++ ./crypto/seed/seed_ecb.c 2009-02-02 18:28:55.000000000 +0100 +@@ -49,7 +49,7 @@ + * + */ + +-#include ++#include "seed.h" + + void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, const SEED_KEY_SCHEDULE *ks, int enc) + { +--- ./crypto/seed/seed_locl.h.mingw-header-files 2009-02-02 18:28:48.000000000 +0100 ++++ ./crypto/seed/seed_locl.h 2009-02-02 18:28:55.000000000 +0100 +@@ -27,7 +27,7 @@ + #define HEADER_SEED_LOCL_H + + #include "openssl/e_os2.h" +-#include ++#include "seed.h" + + + #ifdef SEED_LONG /* need 32-bit type */ +--- ./crypto/seed/seed.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200 ++++ ./crypto/seed/seed.c 2009-02-02 18:28:55.000000000 +0100 +@@ -32,7 +32,7 @@ + #include + #endif + +-#include ++#include "seed.h" + #include "seed_locl.h" + + static seed_word SS[4][256] = { { +--- ./crypto/camellia/cmll_cbc.c.mingw-header-files 2006-12-02 13:00:27.000000000 +0100 ++++ ./crypto/camellia/cmll_cbc.c 2009-02-02 18:28:54.000000000 +0100 +@@ -58,7 +58,7 @@ + #include + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, +--- ./crypto/camellia/cmll_cfb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 ++++ ./crypto/camellia/cmll_cfb.c 2009-02-02 18:28:54.000000000 +0100 +@@ -113,7 +113,7 @@ + #include + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + #include "e_os.h" + +--- ./crypto/camellia/cmll_ofb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 ++++ ./crypto/camellia/cmll_ofb.c 2009-02-02 18:28:55.000000000 +0100 +@@ -111,7 +111,7 @@ + # endif + #endif + #include +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + /* The input and output encrypted as though 128bit ofb mode is being +--- ./crypto/camellia/cmll_misc.c.mingw-header-files 2009-02-02 18:29:19.000000000 +0100 ++++ ./crypto/camellia/cmll_misc.c 2009-02-02 18:29:32.000000000 +0100 +@@ -50,7 +50,7 @@ + */ + + #include +-#include ++#include "camellia.h" + #include "cmll_locl.h" + #include + #ifdef OPENSSL_FIPS +--- ./crypto/camellia/cmll_ecb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 ++++ ./crypto/camellia/cmll_ecb.c 2009-02-02 18:28:54.000000000 +0100 +@@ -56,7 +56,7 @@ + #endif + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out, +--- ./crypto/camellia/cmll_ctr.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 ++++ ./crypto/camellia/cmll_ctr.c 2009-02-02 18:28:54.000000000 +0100 +@@ -56,7 +56,7 @@ + #endif + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + /* NOTE: the IV/counter CTR mode is big-endian. The rest of the Camellia code +--- ./crypto/evp/e_seed.c.mingw-header-files 2007-07-04 14:56:32.000000000 +0200 ++++ ./crypto/evp/e_seed.c 2009-02-02 18:28:55.000000000 +0100 +@@ -59,7 +59,7 @@ + #include + #include + #ifndef OPENSSL_NO_SEED +-#include ++#include "../seed/seed.h" + #include "evp_locl.h" + + static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); +--- ./crypto/evp/e_camellia.c.mingw-header-files 2008-09-21 12:24:08.000000000 +0200 ++++ ./crypto/evp/e_camellia.c 2009-02-02 18:28:55.000000000 +0100 +@@ -59,7 +59,7 @@ + #include + #include + #include +-#include ++#include "../camellia/camellia.h" + #include "evp_locl.h" + + static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, +--- ./apps/speed.c.mingw-header-files 2009-01-07 11:48:22.000000000 +0100 ++++ ./apps/speed.c 2009-02-02 18:28:54.000000000 +0100 +@@ -165,7 +165,7 @@ + #include + #endif + #ifndef OPENSSL_NO_CAMELLIA +-#include ++#include "../crypto/camellia/camellia.h" + #endif + #ifndef OPENSSL_NO_MD2 + #include +@@ -202,7 +202,7 @@ + #include + #endif + #ifndef OPENSSL_NO_SEED +-#include ++#include "../crypto/seed/seed.h" + #endif + #ifndef OPENSSL_NO_BF + #include diff --git a/mingw32-openssl-0.9.8j-shared.patch b/mingw32-openssl-0.9.8j-shared.patch new file mode 100644 index 0000000..c1ea4bf --- /dev/null +++ b/mingw32-openssl-0.9.8j-shared.patch @@ -0,0 +1,20 @@ +--- ./Makefile.shared.lfarkas 2009-01-28 16:39:05.000000000 +0100 ++++ ./Makefile.shared 2009-01-28 16:41:51.000000000 +0100 +@@ -238,7 +238,7 @@ + SHLIB=cyg$(LIBNAME); \ + base=-Wl,--enable-auto-image-base; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- SHLIB=$(LIBNAME)eay32; base=; \ ++ SHLIB=lib$(LIBNAME); base=; \ + fi; \ + SHLIB_SUFFIX=.dll; \ + LIBVERSION="$(LIBVERSION)"; \ +@@ -253,7 +253,7 @@ + SHLIB=cyg$(LIBNAME); \ + base=-Wl,--enable-auto-image-base; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- SHLIB=$(LIBNAME)eay32; \ ++ SHLIB=lib$(LIBNAME); \ + base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \ + fi; \ + SHLIB_SUFFIX=.dll; \ diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec new file mode 100644 index 0000000..bc1b081 --- /dev/null +++ b/mingw32-openssl.spec @@ -0,0 +1,342 @@ +%define __strip %{_mingw32_strip} +%define __objdump %{_mingw32_objdump} +%define _use_internal_dependency_generator 0 +%define __find_requires %{_mingw32_findrequires} +%define __find_provides %{_mingw32_findprovides} + +# For the curious: +# 0.9.5a soversion = 0 +# 0.9.6 soversion = 1 +# 0.9.6a soversion = 2 +# 0.9.6c soversion = 3 +# 0.9.7a soversion = 4 +# 0.9.7ef soversion = 5 +# 0.9.8ab soversion = 6 +# 0.9.8g soversion = 7 +# 0.9.8j + EAP-FAST soversion = 8 +%define soversion 8 + +# Enable the tests. +# These only work some of the time, but fail randomly at other times +# (although I have had them complete a few times, so I don't think +# there is any actual problem with the binaries). +%define run_tests 0 + +# Number of threads to spawn when testing some threading fixes. +%define thread_test_threads %{?threads:%{threads}}%{!?threads:1} + +Name: mingw32-openssl +Version: 0.9.8j +Release: 2%{?dist} +Summary: MinGW port of the OpenSSL toolkit + +License: OpenSSL +Group: Development/Libraries +URL: http://www.openssl.org/ + +# Use the hobble-openssl script to create the source file. +Source0: openssl-%{version}-usa.tar.bz2 + +Source1: hobble-openssl +Source2: Makefile.certificate +Source6: make-dummy-cert +Source8: openssl-thread-test.c +Source9: opensslconf-new.h +Source10: opensslconf-new-warning.h + +# Patches from Fedora native package. +# Build changes +Patch0: openssl-0.9.8j-redhat.patch +Patch1: openssl-0.9.8a-defaults.patch +Patch2: openssl-0.9.8a-link-krb5.patch +Patch3: openssl-0.9.8j-soversion.patch +Patch4: openssl-0.9.8j-enginesdir.patch +Patch5: openssl-0.9.8a-no-rpath.patch +Patch6: openssl-0.9.8b-test-use-localhost.patch +Patch7: openssl-0.9.8j-shlib-version.patch +# Bug fixes +Patch21: openssl-0.9.8b-aliasing-bug.patch +Patch22: openssl-0.9.8b-x509-name-cmp.patch +Patch23: openssl-0.9.8g-default-paths.patch +Patch24: openssl-0.9.8g-no-extssl.patch +# Functionality changes +Patch32: openssl-0.9.8g-ia64.patch +Patch33: openssl-0.9.8j-ca-dir.patch +Patch34: openssl-0.9.6-x509.patch +Patch35: openssl-0.9.8j-version-add-engines.patch +Patch38: openssl-0.9.8a-reuse-cipher-change.patch +# Disabled this because it uses getaddrinfo which is lacking on Windows. +#Patch39: openssl-0.9.8g-ipv6-apps.patch +Patch40: openssl-0.9.8j-nocanister.patch +Patch41: openssl-0.9.8j-use-fipscheck.patch +Patch42: openssl-0.9.8j-fipscheck-hmac.patch +Patch43: openssl-0.9.8j-evp-nonfips.patch +Patch44: openssl-0.9.8j-kernel-fipsmode.patch +Patch45: openssl-0.9.8j-env-nozlib.patch +Patch46: openssl-0.9.8j-eap-fast.patch +Patch47: openssl-0.9.8j-readme-warning.patch +Patch48: openssl-0.9.8j-bad-mime.patch +Patch49: openssl-0.9.8j-fips-no-pairwise.patch +# Backported fixes including security fixes + +# MinGW-specific patches. +Patch100: mingw32-openssl-0.9.8j-header-files.patch +Patch101: mingw32-openssl-0.9.8j-configure.patch +Patch102: mingw32-openssl-0.9.8j-shared.patch +Patch103: mingw32-openssl-0.9.8g-global.patch +Patch104: mingw32-openssl-0.9.8g-sfx.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildArch: noarch + +BuildRequires: mingw32-filesystem >= 40 +BuildRequires: mingw32-gcc +BuildRequires: mingw32-binutils + +BuildRequires: mingw32-zlib +BuildRequires: mingw32-pthreads + +BuildRequires: mktemp +#BuildRequires: krb5-devel +BuildRequires: perl +BuildRequires: sed +BuildRequires: /usr/bin/cmp +BuildRequires: /usr/bin/rename + +# XXX Not really sure about this one. The build script uses +# /usr/bin/makedepend which comes from imake. +BuildRequires: imake + +%if %{run_tests} +# Required both to build, and to run the tests. +# XXX This needs to be fixed - cross-compilation should not +# require running executables. +BuildRequires: wine + +# Required to run the tests. +BuildRequires: xorg-x11-server-Xvfb +%endif + +#Requires: ca-certificates >= 2008-5 +Requires: pkgconfig + + +%description +The OpenSSL toolkit provides support for secure communications between +machines. OpenSSL includes a certificate management tool and shared +libraries which provide various cryptographic algorithms and +protocols. + +This package contains Windows (MinGW) libraries and development tools. + + +%prep +%setup -q -n openssl-%{version} + +%{SOURCE1} > /dev/null +%patch0 -p1 -b .redhat +%patch1 -p1 -b .defaults +# Fix link line for libssl (bug #111154). +%patch2 -p1 -b .krb5 +%patch3 -p1 -b .soversion +%patch4 -p1 -b .enginesdir +%patch5 -p1 -b .no-rpath +%patch6 -p1 -b .use-localhost +%patch7 -p1 -b .shlib-version + +%patch21 -p1 -b .aliasing-bug +%patch22 -p1 -b .name-cmp +%patch23 -p1 -b .default-paths +%patch24 -p1 -b .no-extssl + +%patch32 -p1 -b .ia64 +#patch33 is applied after make test +%patch34 -p1 -b .x509 +%patch35 -p1 -b .version-add-engines +%patch38 -p1 -b .cipher-change +#%patch39 -p1 -b .ipv6-apps +%patch40 -p1 -b .nocanister +%patch41 -p1 -b .use-fipscheck +%patch42 -p1 -b .fipscheck-hmac +%patch43 -p1 -b .evp-nonfips +%patch44 -p1 -b .fipsmode +%patch45 -p1 -b .env-nozlib +%patch46 -p1 -b .eap-fast +%patch47 -p1 -b .warning +%patch48 -p1 -b .bad-mime +%patch49 -p1 -b .no-pairwise + +%patch100 -p1 -b .mingw-header-files +%patch101 -p1 -b .mingw-configure +%patch102 -p1 -b .mingw-shared +%patch103 -p1 -b .mingw-global +%patch104 -p1 -b .mingw-sfx + +# Modify the various perl scripts to reference perl in the right location. +perl util/perlpath.pl `dirname %{__perl}` + +# Generate a table with the compile settings for my perusal. +touch Makefile +make TABLE PERL=%{__perl} + +%build +# NB: 'no-hw' is vital. MinGW cannot build the hardware drivers +# and if you don't have this you'll get an obscure link error. +%{_mingw32_env}; \ +sed -i -e "s/MINGW32_CC/%{_mingw32_cc}/" -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" -e "s/MINGW32_RANLIB/%{_mingw32_ranlib}/" Configure; \ +./Configure \ + --prefix=%{_mingw32_prefix} \ + --openssldir=%{_mingw32_sysconfdir}/pki/tls \ + zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ + no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-hw shared \ + --enginesdir=%{_mingw32_libdir}/openssl/engines \ + mingw +# --with-krb5-flavor=MIT +# -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib} +%{_mingw32_make} depend +%{_mingw32_make} all build-shared + +# Generate hashes for the included certs. +%{_mingw32_make} rehash build-shared + +%if %{run_tests} +#---------------------------------------------------------------------- +# Run some tests. I don't know why this isn't in a %-check section +# but this is how it is in the native RPM. + +# This is a bit of a hack, but the test scripts look for 'openssl' +# by name. +pushd apps +ln -s openssl.exe openssl +popd + +# This is useful for diagnosing Wine problems. +WINEDEBUG=+loaddll +export WINEDEBUG + +# Make sure we can find the installed DLLs. +WINEDLLPATH=%{_mingw32_bindir} +export WINEDLLPATH + +# The tests run Wine and require an X server (but don't really use +# it). Therefore we create a virtual framebuffer for the duration of +# the tests. +# XXX There is no good way to choose a random, unused display. +# XXX Setting depth to 24 bits avoids bug 458219. +unset DISPLAY +display=:21 +Xvfb $display -screen 0 1024x768x24 -ac -noreset & xpid=$! +trap "kill -TERM $xpid ||:" EXIT +sleep 3 +DISPLAY=$display +export DISPLAY + +%{_mingw32_make} LDCMD=%{_mingw32_cc} -C test apps tests + +# Disable this thread test, because we don't have pthread on Windows. +%{_mingw32_cc} -o openssl-thread-test \ + -I./include \ + %-{_mingw32_cflags} \ + %-{SOURCE8} \ + -L. \ + -lssl -lcrypto \ + -lpthread -lz -ldl + +## `krb5-config --cflags` +## `krb5-config --libs` +# +./openssl-thread-test --threads %{thread_test_threads} + +#---------------------------------------------------------------------- +%endif + +# Patch33 must be patched after tests otherwise they will fail +patch -p1 -b -z .ca-dir < %{PATCH33} + +# Add generation of HMAC checksum of the final stripped library +#%define __spec_install_post \ +# %{?__debug_package:%{__debug_install_post}} \ +# %{__arch_install_post} \ +# %{__os_install_post} \ +# fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \ +# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \ +#%{nil} + +if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then + iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \ + mv -f CHANGES.utf8 CHANGES +fi + + +%install +rm -rf $RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir} +mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}/openssl +mkdir -p $RPM_BUILD_ROOT%{_mingw32_bindir} +mkdir -p $RPM_BUILD_ROOT%{_mingw32_includedir} +mkdir -p $RPM_BUILD_ROOT%{_mingw32_mandir} +make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared + +# Install the actual DLLs. +install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} +install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} + +# Remove static libraries but DON'T remove *.dll.a files. +rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.a +rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.a + +# I have no idea why it installs the manpages in /etc, but +# we remove them anyway. +rm -r $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/man + +# Set permissions on lib*.dll.a so that strip works. +chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.dll.a +chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.dll.a + +# Install a makefile for generating keys and self-signed certs, and a script +# for generating them on the fly. +mkdir -p $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs +install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/Makefile +install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert + +# Pick a CA script. +pushd $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/misc +mv CA.sh CA +popd + +mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA +mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA/private + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root) +%doc LICENSE +%{_mingw32_bindir}/openssl.exe +%{_mingw32_bindir}/c_rehash +%{_mingw32_bindir}/libcrypto-%{soversion}.dll +%{_mingw32_bindir}/libssl-%{soversion}.dll +#{_mingw32_bindir}/.libcrypto*.hmac +%{_mingw32_libdir}/libcrypto.dll.a +%{_mingw32_libdir}/libssl.dll.a +%{_mingw32_libdir}/engines +%{_mingw32_libdir}/pkgconfig/*.pc +%{_mingw32_includedir}/openssl +%config(noreplace) %{_mingw32_sysconfdir}/pki + + +%changelog +* Mon Feb 2 2009 Levente Farkas - 0.9.8j-2 +- Various build fixes. + +* Wed Jan 28 2009 Levente Farkas - 0.9.8j-1 +- update to new upstream version. + +* Mon Dec 29 2008 Levente Farkas - 0.9.8g-2 +- minor cleanup. + +* Tue Sep 30 2008 Richard W.M. Jones - 0.9.8g-1 +- Initial RPM release. diff --git a/openssl-0.9.6-x509.patch b/openssl-0.9.6-x509.patch new file mode 100644 index 0000000..7b3f49f --- /dev/null +++ b/openssl-0.9.6-x509.patch @@ -0,0 +1,29 @@ +Do not treat duplicate certs as an error. + +--- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000 ++++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000 +@@ -163,8 +163,12 @@ + } + } + i=X509_STORE_add_cert(ctx->store_ctx,x); +- if (!i) goto err; +- count++; ++ /* ignore any problems with current certificate ++ and continue with the next one */ ++ if (i) ++ count++; ++ else ++ ERR_clear_error(); + X509_free(x); + x=NULL; + } +@@ -179,7 +183,8 @@ + goto err; + } + i=X509_STORE_add_cert(ctx->store_ctx,x); +- if (!i) goto err; ++ if (!i) ++ ERR_clear_error(); + ret=i; + } + else diff --git a/openssl-0.9.8a-defaults.patch b/openssl-0.9.8a-defaults.patch new file mode 100644 index 0000000..5a4db7b --- /dev/null +++ b/openssl-0.9.8a-defaults.patch @@ -0,0 +1,50 @@ +--- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200 ++++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100 +@@ -99,6 +99,7 @@ + #################################################################### + [ req ] + default_bits = 1024 ++default_md = sha1 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +@@ -116,23 +117,26 @@ + # MASK:XXXX a literal mask value. + # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings + # so use this option with caution! +-string_mask = nombstr ++# we use PrintableString+UTF8String mask so if pure ASCII texts are used ++# the resulting certificates are compatible with Netscape ++string_mask = MASK:0x2002 + + # req_extensions = v3_req # The extensions to add to a certificate request + + [ req_distinguished_name ] + countryName = Country Name (2 letter code) +-countryName_default = AU ++countryName_default = GB + countryName_min = 2 + countryName_max = 2 + + stateOrProvinceName = State or Province Name (full name) +-stateOrProvinceName_default = Some-State ++stateOrProvinceName_default = Berkshire + + localityName = Locality Name (eg, city) ++localityName_default = Newbury + + 0.organizationName = Organization Name (eg, company) +-0.organizationName_default = Internet Widgits Pty Ltd ++0.organizationName_default = My Company Ltd + + # we can do this but it is not needed normally :-) + #1.organizationName = Second Organization Name (eg, company) +@@ -141,7 +145,7 @@ + organizationalUnitName = Organizational Unit Name (eg, section) + #organizationalUnitName_default = + +-commonName = Common Name (eg, YOUR name) ++commonName = Common Name (eg, your name or your server\'s hostname) + commonName_max = 64 + + emailAddress = Email Address diff --git a/openssl-0.9.8a-link-krb5.patch b/openssl-0.9.8a-link-krb5.patch new file mode 100644 index 0000000..f34b1e5 --- /dev/null +++ b/openssl-0.9.8a-link-krb5.patch @@ -0,0 +1,11 @@ +--- openssl-0.9.8a/Makefile.org.link-krb5 2005-07-05 07:14:21.000000000 +0200 ++++ openssl-0.9.8a/Makefile.org 2005-11-07 18:00:08.000000000 +0100 +@@ -266,7 +266,7 @@ + + do_$(SHLIB_TARGET): + @ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ +- if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ ++ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl-0.9.8a-no-rpath.patch b/openssl-0.9.8a-no-rpath.patch new file mode 100644 index 0000000..8f8fb91 --- /dev/null +++ b/openssl-0.9.8a-no-rpath.patch @@ -0,0 +1,11 @@ +--- openssl-0.9.8a/Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200 ++++ openssl-0.9.8a/Makefile.shared 2005-11-16 22:35:37.000000000 +0100 +@@ -153,7 +153,7 @@ + NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ + SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" + +-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" ++DO_GNU_APP=LDFLAGS="$(CFLAGS)" + + #This is rather special. It's a special target with which one can link + #applications without bothering with any features that have anything to diff --git a/openssl-0.9.8a-reuse-cipher-change.patch b/openssl-0.9.8a-reuse-cipher-change.patch new file mode 100644 index 0000000..666688b --- /dev/null +++ b/openssl-0.9.8a-reuse-cipher-change.patch @@ -0,0 +1,20 @@ +--- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100 ++++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100 +@@ -477,7 +477,7 @@ + + #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L + #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L +-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L ++#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ + #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L + #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L + #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ +@@ -494,7 +494,7 @@ + + /* SSL_OP_ALL: various bug workarounds that should be rather harmless. + * This used to be 0x000FFFFFL before 0.9.7. */ +-#define SSL_OP_ALL 0x00000FFFL ++#define SSL_OP_ALL 0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */ + + /* DTLS options */ + #define SSL_OP_NO_QUERY_MTU 0x00001000L diff --git a/openssl-0.9.8b-aliasing-bug.patch b/openssl-0.9.8b-aliasing-bug.patch new file mode 100644 index 0000000..8d3b36a --- /dev/null +++ b/openssl-0.9.8b-aliasing-bug.patch @@ -0,0 +1,24 @@ + +This patch fixes a violation of the C aliasing rules that can cause +miscompilation with some compiler versions. + +--- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100 ++++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100 +@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co + static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname) + { + void *ptr; +- DSO_FUNC_TYPE sym, *tsym = &sym; ++ DSO_FUNC_TYPE sym; + + if((dso == NULL) || (symname == NULL)) + { +@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO + DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE); + return(NULL); + } +- *(void **)(tsym) = dlsym(ptr, symname); ++ sym = dlsym(ptr, symname); + if(sym == NULL) + { + DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE); diff --git a/openssl-0.9.8b-test-use-localhost.patch b/openssl-0.9.8b-test-use-localhost.patch new file mode 100644 index 0000000..08adf1c --- /dev/null +++ b/openssl-0.9.8b-test-use-localhost.patch @@ -0,0 +1,24 @@ +diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c +--- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100 ++++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200 +@@ -839,19 +839,8 @@ bad: + #ifndef OPENSSL_NO_KRB5 + if (c_ssl && c_ssl->kssl_ctx) + { +- char localhost[MAXHOSTNAMELEN+2]; +- +- if (gethostname(localhost, sizeof localhost-1) == 0) +- { +- localhost[sizeof localhost-1]='\0'; +- if(strlen(localhost) == sizeof localhost-1) +- { +- BIO_printf(bio_err,"localhost name too long\n"); +- goto end; +- } + kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, +- localhost); +- } ++ "localhost"); + } + #endif /* OPENSSL_NO_KRB5 */ + diff --git a/openssl-0.9.8b-x509-name-cmp.patch b/openssl-0.9.8b-x509-name-cmp.patch new file mode 100644 index 0000000..c7e8848 --- /dev/null +++ b/openssl-0.9.8b-x509-name-cmp.patch @@ -0,0 +1,18 @@ +--- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp 2004-12-01 02:45:30.000000000 +0100 ++++ openssl-0.9.8b/crypto/x509/x509_cmp.c 2006-11-30 23:37:26.000000000 +0100 +@@ -282,14 +282,7 @@ + nb=sk_X509_NAME_ENTRY_value(b->entries,i); + j=na->value->type-nb->value->type; + if (j) +- { +- nabit = ASN1_tag2bit(na->value->type); +- nbbit = ASN1_tag2bit(nb->value->type); +- if (!(nabit & STR_TYPE_CMP) || +- !(nbbit & STR_TYPE_CMP)) +- return j; +- j = asn1_string_memcmp(na->value, nb->value); +- } ++ return j; + else if (na->value->type == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na->value, nb->value); + else if (na->value->type == V_ASN1_IA5STRING diff --git a/openssl-0.9.8g-default-paths.patch b/openssl-0.9.8g-default-paths.patch new file mode 100644 index 0000000..23fa4e1 --- /dev/null +++ b/openssl-0.9.8g-default-paths.patch @@ -0,0 +1,77 @@ +diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c +--- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100 ++++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100 +@@ -1077,12 +1077,13 @@ bad: + } + #endif + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + store = SSL_CTX_get_cert_store(ctx); + X509_STORE_set_flags(store, vflags); +@@ -1132,8 +1133,11 @@ bad: + + SSL_CTX_sess_set_cache_size(ctx2,128); + +- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx2))) ++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx2)) + { + ERR_print_errors(bio_err); + } +diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c +--- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100 ++++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100 +@@ -673,12 +673,13 @@ bad: + if (!set_cert_key_stuff(ctx,cert,key)) + goto end; + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + store = SSL_CTX_get_cert_store(ctx); +diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c +--- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100 ++++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100 +@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv) + + SSL_load_error_strings(); + +- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(tm_ctx))) ++ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + if (tm_cipher == NULL) diff --git a/openssl-0.9.8g-ia64.patch b/openssl-0.9.8g-ia64.patch new file mode 100644 index 0000000..ec982d2 --- /dev/null +++ b/openssl-0.9.8g-ia64.patch @@ -0,0 +1,19 @@ +diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h +--- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 2008-08-10 22:23:55.000000000 +0200 ++++ openssl-0.9.8g/crypto/bn/bn_lcl.h 2008-08-10 22:23:55.000000000 +0200 +@@ -279,6 +279,15 @@ extern "C" { + # define BN_UMULT_HIGH(a,b) __umulh((a),(b)) + # define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high))) + # endif ++# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG) ++# if defined(__GNUC__) ++# define BN_UMULT_HIGH(a,b) ({ \ ++ register BN_ULONG ret; \ ++ asm ("xmpy.hu %0 = %1, %2" \ ++ : "=f"(ret) \ ++ : "f"(a), "f"(b)); \ ++ ret; }) ++# endif /* compiler */ + # endif /* cpu */ + #endif /* OPENSSL_NO_ASM */ + diff --git a/openssl-0.9.8g-no-extssl.patch b/openssl-0.9.8g-no-extssl.patch new file mode 100644 index 0000000..de00d0c --- /dev/null +++ b/openssl-0.9.8g-no-extssl.patch @@ -0,0 +1,27 @@ +diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c +--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200 ++++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200 +@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION) ++ { ++ return ret; ++ } ++ + ret+=2; + + if (ret>=limit) return NULL; /* this really never occurs, but ... */ +@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION) ++ { ++ return ret; ++ } ++ + ret+=2; + if (ret>=limit) return NULL; /* this really never occurs, but ... */ + diff --git a/openssl-0.9.8j-bad-mime.patch b/openssl-0.9.8j-bad-mime.patch new file mode 100644 index 0000000..a990911 --- /dev/null +++ b/openssl-0.9.8j-bad-mime.patch @@ -0,0 +1,14 @@ +diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c +--- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime 2008-08-05 17:56:11.000000000 +0200 ++++ openssl-0.9.8j/crypto/asn1/asn_mime.c 2009-01-14 22:08:34.000000000 +0100 +@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER + static int mime_hdr_cmp(const MIME_HEADER * const *a, + const MIME_HEADER * const *b) + { ++ if ((*a)->name == NULL || (*b)->name == NULL) ++ return (*a)->name - (*b)->name < 0 ? -1 : ++ (*a)->name - (*b)->name > 0 ? 1 : 0; ++ + return(strcmp((*a)->name, (*b)->name)); + } + diff --git a/openssl-0.9.8j-ca-dir.patch b/openssl-0.9.8j-ca-dir.patch new file mode 100644 index 0000000..52c0025 --- /dev/null +++ b/openssl-0.9.8j-ca-dir.patch @@ -0,0 +1,36 @@ +diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf +--- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100 ++++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100 +@@ -34,7 +34,7 @@ default_ca = CA_default # The default c + #################################################################### + [ CA_default ] + +-dir = ./demoCA # Where everything is kept ++dir = ../../CA # Where everything is kept + certs = $dir/certs # Where the issued certs are kept + crl_dir = $dir/crl # Where the issued crl are kept + database = $dir/index.txt # database index file. +diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh +--- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200 ++++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100 +@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG" + VERIFY="$OPENSSL verify" + X509="$OPENSSL x509" + +-CATOP=./demoCA ++CATOP=../../CA + CAKEY=./cakey.pem + CAREQ=./careq.pem + CACERT=./cacert.pem +diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in +--- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200 ++++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100 +@@ -53,7 +53,7 @@ $VERIFY="$openssl verify"; + $X509="$openssl x509"; + $PKCS12="$openssl pkcs12"; + +-$CATOP="./demoCA"; ++$CATOP="../../CA"; + $CAKEY="cakey.pem"; + $CAREQ="careq.pem"; + $CACERT="cacert.pem"; diff --git a/openssl-0.9.8j-eap-fast.patch b/openssl-0.9.8j-eap-fast.patch new file mode 100644 index 0000000..1e77f00 --- /dev/null +++ b/openssl-0.9.8j-eap-fast.patch @@ -0,0 +1,378 @@ +diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c +--- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100 ++++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100 +@@ -106,6 +106,12 @@ int tls1_new(SSL *s) + + void tls1_free(SSL *s) + { ++#ifndef OPENSSL_NO_TLSEXT ++ if (s && s->tlsext_session_ticket) ++ { ++ OPENSSL_free(s->tlsext_session_ticket); ++ } ++#endif /* OPENSSL_NO_TLSEXT */ + ssl3_free(s); + } + +@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex + int ticklen; + if (s->session && s->session->tlsext_tick) + ticklen = s->session->tlsext_ticklen; ++ else if (s->session && s->tlsext_session_ticket && ++ s->tlsext_session_ticket->data) ++ { ++ ticklen = s->tlsext_session_ticket->length; ++ s->session->tlsext_tick = OPENSSL_malloc(ticklen); ++ if (!s->session->tlsext_tick) ++ return NULL; ++ memcpy(s->session->tlsext_tick, ++ s->tlsext_session_ticket->data, ++ ticklen); ++ s->session->tlsext_ticklen = ticklen; ++ } + else + ticklen = 0; ++ if (ticklen == 0 && s->tlsext_session_ticket && ++ s->tlsext_session_ticket->data == NULL) ++ goto skip_ext; + /* Check for enough room 2 for extension type, 2 for len + * rest for ticket + */ +@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex + ret += ticklen; + } + } ++ skip_ext: + + if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) + { +@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s, + } + + } ++ else if (type == TLSEXT_TYPE_session_ticket) ++ { ++ if (s->tls_session_ticket_ext_cb && ++ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) ++ { ++ *al = TLS1_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ } + else if (type == TLSEXT_TYPE_status_request + && s->ctx->tlsext_status_cb) + { +@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, + } + else if (type == TLSEXT_TYPE_session_ticket) + { ++ if (s->tls_session_ticket_ext_cb && ++ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) ++ { ++ *al = TLS1_AD_INTERNAL_ERROR; ++ return 0; ++ } + if ((SSL_get_options(s) & SSL_OP_NO_TICKET) + || (size > 0)) + { +@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned + s->tlsext_ticket_expected = 1; + return 0; /* Cache miss */ + } ++ if (s->tls_session_secret_cb) ++ { ++ /* Indicate cache miss here and instead of ++ * generating the session from ticket now, ++ * trigger abbreviated handshake based on ++ * external mechanism to calculate the master ++ * secret later. */ ++ return 0; ++ } + return tls_decrypt_ticket(s, p, size, session_id, len, + ret); + } +diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c +--- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100 ++++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100 +@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s) + goto f_err; + } + ++#ifndef OPENSSL_NO_TLSEXT ++ /* check if we want to resume the session based on external pre-shared secret */ ++ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) ++ { ++ SSL_CIPHER *pref_cipher=NULL; ++ s->session->master_key_length=sizeof(s->session->master_key); ++ if (s->tls_session_secret_cb(s, s->session->master_key, ++ &s->session->master_key_length, ++ NULL, &pref_cipher, ++ s->tls_session_secret_cb_arg)) ++ { ++ s->session->cipher = pref_cipher ? ++ pref_cipher : ssl_get_cipher_by_char(s, p+j); ++ } ++ } ++#endif /* OPENSSL_NO_TLSEXT */ ++ + if (j != 0 && j == s->session->session_id_length + && memcmp(p,s->session->session_id,j) == 0) + { +@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s) + { + int ok; + long n; +- /* If we have no ticket or session ID is non-zero length (a match of +- * a non-zero session length would never reach here) it cannot be a +- * resumed session. +- */ +- if (!s->session->tlsext_tick || s->session->session_id_length) ++ /* If we have no ticket it cannot be a resumed session. */ ++ if (!s->session->tlsext_tick) + return 1; + /* this function is called when we really expect a Certificate + * message, so permit appropriate message length */ +diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c +--- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200 ++++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100 +@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX * + return(s->session_timeout); + } + ++#ifndef OPENSSL_NO_TLSEXT ++int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, ++ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) ++ { ++ if (s == NULL) return(0); ++ s->tls_session_secret_cb = tls_session_secret_cb; ++ s->tls_session_secret_cb_arg = arg; ++ return(1); ++ } ++ ++int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, ++ void *arg) ++ { ++ if (s == NULL) return(0); ++ s->tls_session_ticket_ext_cb = cb; ++ s->tls_session_ticket_ext_cb_arg = arg; ++ return(1); ++ } ++ ++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) ++ { ++ if (s->version >= TLS1_VERSION) ++ { ++ if (s->tlsext_session_ticket) ++ { ++ OPENSSL_free(s->tlsext_session_ticket); ++ s->tlsext_session_ticket = NULL; ++ } ++ ++ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); ++ if (!s->tlsext_session_ticket) ++ { ++ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ ++ if (ext_data) ++ { ++ s->tlsext_session_ticket->length = ext_len; ++ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1; ++ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); ++ } ++ else ++ { ++ s->tlsext_session_ticket->length = 0; ++ s->tlsext_session_ticket->data = NULL; ++ } ++ ++ return 1; ++ } ++ ++ return 0; ++ } ++#endif /* OPENSSL_NO_TLSEXT */ ++ + typedef struct timeout_param_st + { + SSL_CTX *ctx; +diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c +--- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100 ++++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100 +@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s) + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); + goto err; + } ++ ++ /* Check if we want to use external pre-shared secret for this ++ * handshake for not reused session only. We need to generate ++ * server_random before calling tls_session_secret_cb in order to allow ++ * SessionTicket processing to use it in key derivation. */ ++ { ++ unsigned long Time; ++ unsigned char *pos; ++ Time=(unsigned long)time(NULL); /* Time */ ++ pos=s->s3->server_random; ++ l2n(Time,pos); ++ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) ++ { ++ al=SSL_AD_INTERNAL_ERROR; ++ goto f_err; ++ } ++ } ++ ++ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) ++ { ++ SSL_CIPHER *pref_cipher=NULL; ++ ++ s->session->master_key_length=sizeof(s->session->master_key); ++ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, ++ ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) ++ { ++ s->hit=1; ++ s->session->ciphers=ciphers; ++ s->session->verify_result=X509_V_OK; ++ ++ ciphers=NULL; ++ ++ /* check if some cipher was preferred by call back */ ++ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); ++ if (pref_cipher == NULL) ++ { ++ al=SSL_AD_HANDSHAKE_FAILURE; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); ++ goto f_err; ++ } ++ ++ s->session->cipher=pref_cipher; ++ ++ if (s->cipher_list) ++ sk_SSL_CIPHER_free(s->cipher_list); ++ ++ if (s->cipher_list_by_id) ++ sk_SSL_CIPHER_free(s->cipher_list_by_id); ++ ++ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); ++ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); ++ } ++ } + #endif + /* Worst case, we will use the NULL compression, but if we have other + * options, we will now look for them. We have i-1 compression +@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s) + unsigned char *buf; + unsigned char *p,*d; + int i,sl; +- unsigned long l,Time; ++ unsigned long l; ++#ifdef OPENSSL_NO_TLSEXT ++ unsigned long Time; ++#endif + + if (s->state == SSL3_ST_SW_SRVR_HELLO_A) + { + buf=(unsigned char *)s->init_buf->data; ++#ifdef OPENSSL_NO_TLSEXT + p=s->s3->server_random; ++ /* Generate server_random if it was not needed previously */ + Time=(unsigned long)time(NULL); /* Time */ + l2n(Time,p); + if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) + return -1; ++#endif + /* Do the message type and length last */ + d=p= &(buf[4]); + +diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h +--- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100 ++++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100 +@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T + #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ + #endif + ++/* TLS Session Ticket extension struct */ ++struct tls_session_ticket_ext_st ++ { ++ unsigned short length; ++ void *data; ++ }; ++ + #ifdef __cplusplus + } + #endif +diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c +--- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200 ++++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100 +@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]= + {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, + {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, + {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, ++{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, + {0,NULL} + }; + +diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h +--- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100 ++++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100 +@@ -344,6 +344,7 @@ extern "C" { + * 'struct ssl_st *' function parameters used to prototype callbacks + * in SSL_CTX. */ + typedef struct ssl_st *ssl_crock_st; ++typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; + + /* used to hold info on the particular ciphers used */ + typedef struct ssl_cipher_st +@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st + + DECLARE_STACK_OF(SSL_CIPHER) + ++typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg); ++typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); ++ + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ + typedef struct ssl_method_st + { +@@ -1034,6 +1038,18 @@ struct ssl_st + + /* RFC4507 session ticket expected to be received or sent */ + int tlsext_ticket_expected; ++ ++ /* TLS Session Ticket extension override */ ++ TLS_SESSION_TICKET_EXT *tlsext_session_ticket; ++ ++ /* TLS Session Ticket extension callback */ ++ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; ++ void *tls_session_ticket_ext_cb_arg; ++ ++ /* TLS pre-shared secret session resumption */ ++ tls_session_secret_cb_fn tls_session_secret_cb; ++ void *tls_session_secret_cb_arg; ++ + SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ + #define session_ctx initial_ctx + #else +@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v + int SSL_COMP_add_compression_method(int id,void *cm); + #endif + ++/* TLS extensions functions */ ++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); ++ ++int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, ++ void *arg); ++ ++/* Pre-shared secret session resumption functions */ ++int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); ++ + /* BEGIN ERROR CODES */ + /* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. +@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void); + #define SSL_F_TLS1_ENC 210 + #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 + #define SSL_F_WRITE_PENDING 212 ++#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213 + + /* Reason codes. */ + #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff --git a/openssl-0.9.8j-enginesdir.patch b/openssl-0.9.8j-enginesdir.patch new file mode 100644 index 0000000..3834fe8 --- /dev/null +++ b/openssl-0.9.8j-enginesdir.patch @@ -0,0 +1,40 @@ +diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure +--- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100 ++++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100 +@@ -577,6 +577,7 @@ my $idx_arflags = $idx++; + + my $prefix=""; + my $openssldir=""; ++my $enginesdir=""; + my $exe_ext=""; + my $install_prefix=""; + my $fipslibdir="/usr/local/ssl/fips-1.0/lib/"; +@@ -815,6 +816,10 @@ PROCESS_ARGS: + { + $openssldir=$1; + } ++ elsif (/^--enginesdir=(.*)$/) ++ { ++ $enginesdir=$1; ++ } + elsif (/^--install.prefix=(.*)$/) + { + $install_prefix=$1; +@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/; + + $openssldir=$prefix . "/ssl" if $openssldir eq ""; + $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; +- ++$enginesdir="$prefix/lib/engines" if $enginesdir eq ""; + + print "IsMK1MF=$IsMK1MF\n"; + +@@ -1635,7 +1640,7 @@ while () + if (/^#define\s+OPENSSLDIR/) + { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } + elsif (/^#define\s+ENGINESDIR/) +- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; } ++ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; } + elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) + { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" + if $export_var_as_fn; diff --git a/openssl-0.9.8j-env-nozlib.patch b/openssl-0.9.8j-env-nozlib.patch new file mode 100644 index 0000000..65af5a8 --- /dev/null +++ b/openssl-0.9.8j-env-nozlib.patch @@ -0,0 +1,13 @@ +Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set. +diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c +--- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib 2009-01-05 15:43:07.000000000 +0100 ++++ openssl-0.9.8j/ssl/ssl_ciph.c 2009-01-14 17:47:46.000000000 +0100 +@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo + + MemCheck_off(); + ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); +- if (ssl_comp_methods != NULL) ++ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL) + { + comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + if (comp != NULL) diff --git a/openssl-0.9.8j-evp-nonfips.patch b/openssl-0.9.8j-evp-nonfips.patch new file mode 100644 index 0000000..c25cf38 --- /dev/null +++ b/openssl-0.9.8j-evp-nonfips.patch @@ -0,0 +1,127 @@ +diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c +--- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200 ++++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100 +@@ -64,6 +64,11 @@ + + void OpenSSL_add_all_digests(void) + { ++#ifdef OPENSSL_FIPS ++ OPENSSL_init(); ++ if (!FIPS_mode()) ++ { ++#endif + #ifndef OPENSSL_NO_MD2 + EVP_add_digest(EVP_md2()); + #endif +@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void) + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); + #endif ++#ifdef OPENSSL_FIPS ++ } ++ else ++ { ++#ifndef OPENSSL_NO_SHA ++ EVP_add_digest(EVP_sha1()); ++ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); ++ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); ++#ifndef OPENSSL_NO_DSA ++ EVP_add_digest(EVP_dss1()); ++ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); ++ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); ++ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); ++#endif ++#ifndef OPENSSL_NO_ECDSA ++ EVP_add_digest(EVP_ecdsa()); ++#endif ++#endif ++#ifndef OPENSSL_NO_SHA256 ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++#endif ++#ifndef OPENSSL_NO_SHA512 ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++#endif ++ } ++#endif + } +diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c +--- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200 ++++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100 +@@ -65,6 +65,11 @@ + void OpenSSL_add_all_ciphers(void) + { + ++#ifdef OPENSSL_FIPS ++ OPENSSL_init(); ++ if(!FIPS_mode()) ++ { ++#endif + #ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_cfb()); + EVP_add_cipher(EVP_des_cfb1()); +@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void) + EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256"); + EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256"); + #endif ++#ifdef OPENSSL_FIPS ++ } ++ else ++ { ++#ifndef OPENSSL_NO_DES ++ EVP_add_cipher(EVP_des_ede_cfb()); ++ EVP_add_cipher(EVP_des_ede3_cfb()); ++ ++ EVP_add_cipher(EVP_des_ede_ofb()); ++ EVP_add_cipher(EVP_des_ede3_ofb()); ++ ++ EVP_add_cipher(EVP_des_ede_cbc()); ++ EVP_add_cipher(EVP_des_ede3_cbc()); ++ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3"); ++ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3"); ++ ++ EVP_add_cipher(EVP_des_ede()); ++ EVP_add_cipher(EVP_des_ede3()); ++#endif ++ ++#ifndef OPENSSL_NO_AES ++ EVP_add_cipher(EVP_aes_128_ecb()); ++ EVP_add_cipher(EVP_aes_128_cbc()); ++ EVP_add_cipher(EVP_aes_128_cfb()); ++ EVP_add_cipher(EVP_aes_128_cfb1()); ++ EVP_add_cipher(EVP_aes_128_cfb8()); ++ EVP_add_cipher(EVP_aes_128_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_128_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128"); ++ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128"); ++ EVP_add_cipher(EVP_aes_192_ecb()); ++ EVP_add_cipher(EVP_aes_192_cbc()); ++ EVP_add_cipher(EVP_aes_192_cfb()); ++ EVP_add_cipher(EVP_aes_192_cfb1()); ++ EVP_add_cipher(EVP_aes_192_cfb8()); ++ EVP_add_cipher(EVP_aes_192_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_192_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192"); ++ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192"); ++ EVP_add_cipher(EVP_aes_256_ecb()); ++ EVP_add_cipher(EVP_aes_256_cbc()); ++ EVP_add_cipher(EVP_aes_256_cfb()); ++ EVP_add_cipher(EVP_aes_256_cfb1()); ++ EVP_add_cipher(EVP_aes_256_cfb8()); ++ EVP_add_cipher(EVP_aes_256_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_256_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); ++ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); ++#endif ++ } ++#endif + + PKCS12_PBE_add(); + PKCS5_PBE_add(); diff --git a/openssl-0.9.8j-fips-no-pairwise.patch b/openssl-0.9.8j-fips-no-pairwise.patch new file mode 100644 index 0000000..e6c2f73 --- /dev/null +++ b/openssl-0.9.8j-fips-no-pairwise.patch @@ -0,0 +1,24 @@ +diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c +--- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100 ++++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100 +@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa, + if (fips_rsa_pairwise_fail) + BN_add_word(rsa->n, 1); + +- if(!fips_check_rsa(rsa)) ++ if(FIPS_mode() && !fips_check_rsa(rsa)) + goto err; + + ok=1; +diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c +--- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200 ++++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100 +@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa) + dsa->pub_key=pub_key; + if (fips_dsa_pairwise_fail) + BN_add_word(dsa->pub_key, 1); +- if(!fips_check_dsa(dsa)) ++ if(FIPS_mode() && !fips_check_dsa(dsa)) + goto err; + ok=1; + diff --git a/openssl-0.9.8j-fipscheck-hmac.patch b/openssl-0.9.8j-fipscheck-hmac.patch new file mode 100644 index 0000000..3ba459b --- /dev/null +++ b/openssl-0.9.8j-fipscheck-hmac.patch @@ -0,0 +1,125 @@ +Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary. +We use the binary just during the OpenSSL build to checksum the libcrypto. +diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile +--- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100 ++++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100 +@@ -46,7 +46,7 @@ lib: $(LIBOBJ) + @echo $(LIBOBJ) > lib + + ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o +- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ ++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ + $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM + + files: +diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c +--- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200 ++++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100 +@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len) + + #ifdef OPENSSL_FIPS + +-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, ++static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx, + const char *key) + { + int len=strlen(key); +@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH + + if (len > SHA_CBLOCK) + { +- SHA1_Init(md_ctx); +- SHA1_Update(md_ctx,key,len); +- SHA1_Final(keymd,md_ctx); +- len=20; ++ SHA256_Init(md_ctx); ++ SHA256_Update(md_ctx,key,len); ++ SHA256_Final(keymd,md_ctx); ++ len=SHA256_DIGEST_LENGTH; + } + else + memcpy(keymd,key,len); +@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH + + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) + pad[i]=0x36^keymd[i]; +- SHA1_Init(md_ctx); +- SHA1_Update(md_ctx,pad,SHA_CBLOCK); ++ SHA256_Init(md_ctx); ++ SHA256_Update(md_ctx,pad,SHA256_CBLOCK); + + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) + pad[i]=0x5c^keymd[i]; +- SHA1_Init(o_ctx); +- SHA1_Update(o_ctx,pad,SHA_CBLOCK); ++ SHA256_Init(o_ctx); ++ SHA256_Update(o_ctx,pad,SHA256_CBLOCK); + } + +-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) ++static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx) + { +- unsigned char buf[20]; ++ unsigned char buf[SHA256_DIGEST_LENGTH]; + +- SHA1_Final(buf,md_ctx); +- SHA1_Update(o_ctx,buf,sizeof buf); +- SHA1_Final(md,o_ctx); ++ SHA256_Final(buf,md_ctx); ++ SHA256_Update(o_ctx,buf,sizeof buf); ++ SHA256_Final(md,o_ctx); + } + + #endif +@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md + int main(int argc,char **argv) + { + #ifdef OPENSSL_FIPS +- static char key[]="etaonrishdlcupfm"; ++ static char key[]="orboDeJITITejsirpADONivirpUkvarP"; + int n,binary=0; + + if(argc < 2) +@@ -125,8 +125,8 @@ int main(int argc,char **argv) + for(; n < argc ; ++n) + { + FILE *f=fopen(argv[n],"rb"); +- SHA_CTX md_ctx,o_ctx; +- unsigned char md[20]; ++ SHA256_CTX md_ctx,o_ctx; ++ unsigned char md[SHA256_DIGEST_LENGTH]; + int i; + + if(!f) +@@ -139,7 +139,7 @@ int main(int argc,char **argv) + for( ; ; ) + { + char buf[1024]; +- int l=fread(buf,1,sizeof buf,f); ++ size_t l=fread(buf,1,sizeof buf,f); + + if(l == 0) + { +@@ -151,18 +151,18 @@ int main(int argc,char **argv) + else + break; + } +- SHA1_Update(&md_ctx,buf,l); ++ SHA256_Update(&md_ctx,buf,l); + } + hmac_final(md,&md_ctx,&o_ctx); + + if (binary) + { +- fwrite(md,20,1,stdout); ++ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout); + break; /* ... for single(!) file */ + } + +- printf("HMAC-SHA1(%s)= ",argv[n]); +- for(i=0 ; i < 20 ; ++i) ++/* printf("HMAC-SHA1(%s)= ",argv[n]); */ ++ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i) + printf("%02x",md[i]); + printf("\n"); + } diff --git a/openssl-0.9.8j-kernel-fipsmode.patch b/openssl-0.9.8j-kernel-fipsmode.patch new file mode 100644 index 0000000..fed04c3 --- /dev/null +++ b/openssl-0.9.8j-kernel-fipsmode.patch @@ -0,0 +1,62 @@ +diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c +--- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100 ++++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100 +@@ -59,6 +59,45 @@ + #include + #include + ++#ifdef OPENSSL_FIPS ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ ++static void init_fips_mode(void) ++ { ++ char buf[2] = "0"; ++ int fd; ++ ++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) ++ { ++ buf[0] = '1'; ++ } ++ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) ++ { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); ++ close(fd); ++ } ++ /* Failure reading the fips mode switch file means just not ++ * switching into FIPS mode. We would break too many things ++ * otherwise. ++ */ ++ ++ if (buf[0] == '1') ++ { ++ FIPS_mode_set(1); ++ } ++ } ++#endif ++ + /* Perform any essential OpenSSL initialization operations. + * Currently only sets FIPS callbacks + */ +@@ -73,11 +112,10 @@ void OPENSSL_init(void) + #ifdef CRYPTO_MDEBUG + CRYPTO_malloc_debug_init(); + #endif +-#ifdef OPENSSL_ENGINE ++ init_fips_mode(); + int_EVP_MD_init_engine_callbacks(); + int_EVP_CIPHER_init_engine_callbacks(); + int_RAND_init_engine_callbacks(); +-#endif + done = 1; + } + #endif diff --git a/openssl-0.9.8j-nocanister.patch b/openssl-0.9.8j-nocanister.patch new file mode 100644 index 0000000..f5e1272 --- /dev/null +++ b/openssl-0.9.8j-nocanister.patch @@ -0,0 +1,31 @@ +Do not create a fipscanister.o, add the objects directly. +diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile +--- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100 ++++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100 +@@ -142,8 +142,24 @@ lib: $(LIB) + if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi + @touch lib + +-$(LIB): $(FIPSLIBDIR)fipscanister.o +- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o ++$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS) ++ FIPS_ASM=""; \ ++ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \ ++ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \ ++ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \ ++ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \ ++ if [ -n "$(CPUID_OBJ)" ]; then \ ++ CPUID=../crypto/$(CPUID_OBJ) ; \ ++ else \ ++ CPUID="" ; \ ++ fi ; \ ++ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \ ++ for i in $(FIPS_OBJ_LISTS); do \ ++ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \ ++ objs="$$objs `sed "$$script" $$i`"; \ ++ done; \ ++ objs="$$objs" ; \ ++ $(AR) $(LIB) $$objs + $(RANLIB) $(LIB) || echo Never mind. + + $(FIPSCANLIB): $(FIPSCANLOC) diff --git a/openssl-0.9.8j-readme-warning.patch b/openssl-0.9.8j-readme-warning.patch new file mode 100644 index 0000000..411e6bd --- /dev/null +++ b/openssl-0.9.8j-readme-warning.patch @@ -0,0 +1,35 @@ +diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README +--- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100 ++++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100 +@@ -5,6 +5,31 @@ + Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson + All rights reserved. + ++ WARNING ++ ------- ++ ++ This version of OpenSSL is built in a way that supports operation in ++ the so called FIPS mode. Note though that the library as we build it ++ is not FIPS validated and the FIPS mode is present for testing purposes ++ only. ++ ++ This version also contains a few differences from the upstream code ++ some of which are: ++ * The FIPS integrity verification check is implemented differently ++ from the upstream FIPS validated OpenSSL module. It verifies ++ HMAC-SHA256 checksum of the whole libcrypto shared library. ++ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and ++ tries to initialize the FIPS mode if it is set to 1 aborting if the ++ FIPS mode could not be initialized. It is also possible to force the ++ OpenSSL library to FIPS mode especially for debugging purposes by ++ setting the environment variable OPENSSL_FORCE_FIPS_MODE. ++ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module ++ will not automatically load the built in compression method ZLIB ++ when initialized. Applications can still explicitely ask for ZLIB ++ compression method. ++ * There is added a support for EAP-FAST through TLS extension. This code ++ is backported from OpenSSL upstream development branch. ++ + DESCRIPTION + ----------- + diff --git a/openssl-0.9.8j-redhat.patch b/openssl-0.9.8j-redhat.patch new file mode 100644 index 0000000..2e1153d --- /dev/null +++ b/openssl-0.9.8j-redhat.patch @@ -0,0 +1,53 @@ +diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure +--- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100 ++++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100 +@@ -320,28 +320,28 @@ my %table=( + #### + # *-generic* is endian-neutral target, but ./config is free to + # throw in -D[BL]_ENDIAN, whichever appropriate... +-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### IA-32 targets... + "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", + #### +-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### SPARC Linux setups + # Ray Miller has patiently + # assisted with debugging of following two configs. +-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # it's a real mess with -mcpu=ultrasparc option under Linux, but + # -Wa,-Av8plus should do the trick no matter what. +-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # GCC 3.1 is a requirement +-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### Alpha Linux with GNU C and Compaq C setups + # Special notes: + # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you +@@ -355,8 +355,8 @@ my %table=( + # + # + # +-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", + diff --git a/openssl-0.9.8j-shlib-version.patch b/openssl-0.9.8j-shlib-version.patch new file mode 100644 index 0000000..8182398 --- /dev/null +++ b/openssl-0.9.8j-shlib-version.patch @@ -0,0 +1,12 @@ +diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h +--- openssl-0.9.8j/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100 ++++ openssl-0.9.8j/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100 +@@ -83,7 +83,7 @@ + * should only keep the versions that are binary compatible with the current. + */ + #define SHLIB_VERSION_HISTORY "" +-#define SHLIB_VERSION_NUMBER "0.9.8" ++#define SHLIB_VERSION_NUMBER "0.9.8j" + + + #endif /* HEADER_OPENSSLV_H */ diff --git a/openssl-0.9.8j-soversion.patch b/openssl-0.9.8j-soversion.patch new file mode 100644 index 0000000..80ee5cd --- /dev/null +++ b/openssl-0.9.8j-soversion.patch @@ -0,0 +1,49 @@ +Define and use a soname -- because we have to care about binary +compatibility, we have to increment the soname in order to allow +this version to co-exist with another versions and have everything +work right. + +diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure +--- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100 ++++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100 +@@ -1371,7 +1371,7 @@ while () + elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) + { + my $sotmp = $1; +- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; ++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/; + } + elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) + { +diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org +--- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100 ++++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100 +@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= + SHLIB_MAJOR= + SHLIB_MINOR= + SHLIB_EXT= ++SHLIB_SONAMEVER=8 + PLATFORM=dist + OPTIONS= + CONFIGURE_ARGS= +@@ -277,10 +278,9 @@ clean-shared: + link-shared: + @ set -e; for i in ${SHLIBDIRS}; do \ + $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ +- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ ++ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ + LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ + symlink.$(SHLIB_TARGET); \ +- libs="$$libs -l$$i"; \ + done + + build-shared: do_$(SHLIB_TARGET) link-shared +@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET): + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ +- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ ++ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ + LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ + LIBDEPS="$$libs $(EX_LIBS)" \ + link_a.$(SHLIB_TARGET); \ diff --git a/openssl-0.9.8j-use-fipscheck.patch b/openssl-0.9.8j-use-fipscheck.patch new file mode 100644 index 0000000..6f2eca1 --- /dev/null +++ b/openssl-0.9.8j-use-fipscheck.patch @@ -0,0 +1,384 @@ +Use fipscheck compatible way of verification of the integrity of the libcrypto +shared library. +diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile +--- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100 ++++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100 +@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$ + if [ "$(FIPSCANLIB)" = "libfips" ]; then \ + LIBRARIES="-L$(TOP) -lfips"; \ + elif [ -n "$(FIPSCANLIB)" ]; then \ +- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ +- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ ++ LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(MAKE) -f $(TOP)/Makefile.shared -e \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ +@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ +- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \ +- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ +- fi; \ + [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ + $(MAKE) -f $(TOP)/Makefile.shared -e \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ +diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org +--- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100 ++++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100 +@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA + $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ + $(AR) libcrypto.a fips/fipscanister.o ; \ + else \ +- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ +- FIPSLD_CC=$(CC); CC=fips/fipsld; \ +- export CC FIPSLD_CC; \ +- fi; \ + $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ + fi \ + else \ +@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT + fips/fipscanister.o: build_fips + libfips$(SHLIB_EXT): fips/fipscanister.o + @if [ "$(SHLIB_TARGET)" != "" ]; then \ +- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ + $(MAKE) -f Makefile.shared -e $(BUILDENV) \ +- CC=$${CC} LIBNAME=fips THIS=$@ \ ++ CC=$(CC) LIBNAME=fips THIS=$@ \ + LIBEXTRAS=fips/fipscanister.o \ + LIBDEPS="$(EX_LIBS)" \ + LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ +@@ -469,7 +464,7 @@ openssl.pc: Makefile + echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ + echo 'Version: '$(VERSION); \ + echo 'Requires: '; \ +- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ ++ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\ + echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc + + Makefile: Makefile.org Configure config +diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c +--- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200 ++++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100 +@@ -47,6 +47,7 @@ + * + */ + ++#define _GNU_SOURCE + + #include + #include +@@ -56,6 +57,9 @@ + #include + #include + #include ++#include ++#include ++#include + #include "fips_locl.h" + + #ifdef OPENSSL_FIPS +@@ -165,6 +169,7 @@ int FIPS_selftest() + && FIPS_selftest_dsa(); + } + ++#if 0 + extern const void *FIPS_text_start(), *FIPS_text_end(); + extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; + unsigned char FIPS_signature [20] = { 0 }; +@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void) + + return 1; + } ++#else ++/* we implement what libfipscheck does ourselves */ ++ ++static int ++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) ++{ ++ Dl_info info; ++ void *dl, *sym; ++ int rv = -1; ++ ++ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY); ++ if (dl == NULL) { ++ return -1; ++ } ++ ++ sym = dlsym(dl, symbolname); ++ ++ if (sym != NULL && dladdr(sym, &info)) { ++ strncpy(path, info.dli_fname, pathlen-1); ++ path[pathlen-1] = '\0'; ++ rv = 0; ++ } ++ ++ dlclose(dl); ++ ++ return rv; ++} ++ ++static const char conv[] = "0123456789abcdef"; ++ ++static char * ++bin2hex(void *buf, size_t len) ++{ ++ char *hex, *p; ++ unsigned char *src = buf; ++ ++ hex = malloc(len * 2 + 1); ++ if (hex == NULL) ++ return NULL; ++ ++ p = hex; ++ ++ while (len > 0) { ++ unsigned c; ++ ++ c = *src; ++ src++; ++ ++ *p = conv[c >> 4]; ++ ++p; ++ *p = conv[c & 0x0f]; ++ ++p; ++ --len; ++ } ++ *p = '\0'; ++ return hex; ++} ++ ++#define HMAC_PREFIX "." ++#define HMAC_SUFFIX ".hmac" ++#define READ_BUFFER_LENGTH 16384 ++ ++static char * ++make_hmac_path(const char *origpath) ++{ ++ char *path, *p; ++ const char *fn; ++ ++ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); ++ if(path == NULL) { ++ return NULL; ++ } ++ ++ fn = strrchr(origpath, '/'); ++ if (fn == NULL) { ++ fn = origpath; ++ } else { ++ ++fn; ++ } ++ ++ strncpy(path, origpath, fn-origpath); ++ p = path + (fn - origpath); ++ p = stpcpy(p, HMAC_PREFIX); ++ p = stpcpy(p, fn); ++ p = stpcpy(p, HMAC_SUFFIX); ++ ++ return path; ++} ++ ++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ ++static int ++compute_file_hmac(const char *path, void **buf, size_t *hmaclen) ++{ ++ FILE *f = NULL; ++ int rv = -1; ++ unsigned char rbuf[READ_BUFFER_LENGTH]; ++ size_t len; ++ unsigned int hlen; ++ HMAC_CTX c; ++ ++ HMAC_CTX_init(&c); ++ ++ f = fopen(path, "r"); ++ ++ if (f == NULL) { ++ goto end; ++ } ++ ++ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); ++ ++ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { ++ HMAC_Update(&c, rbuf, len); ++ } ++ ++ len = sizeof(rbuf); ++ /* reuse rbuf for hmac */ ++ HMAC_Final(&c, rbuf, &hlen); ++ ++ *buf = malloc(hlen); ++ if (*buf == NULL) { ++ goto end; ++ } ++ ++ *hmaclen = hlen; ++ ++ memcpy(*buf, rbuf, hlen); ++ ++ rv = 0; ++end: ++ HMAC_CTX_cleanup(&c); ++ ++ if (f) ++ fclose(f); ++ ++ return rv; ++} ++ ++static int ++FIPSCHECK_verify(const char *libname, const char *symbolname) ++{ ++ char path[PATH_MAX+1]; ++ int rv; ++ FILE *hf; ++ char *hmacpath, *p; ++ char *hmac = NULL; ++ size_t n; ++ ++ rv = get_library_path(libname, symbolname, path, sizeof(path)); ++ ++ if (rv < 0) ++ return 0; ++ ++ hmacpath = make_hmac_path(path); ++ ++ hf = fopen(hmacpath, "r"); ++ if (hf == NULL) { ++ free(hmacpath); ++ return 0; ++ } ++ ++ if (getline(&hmac, &n, hf) > 0) { ++ void *buf; ++ size_t hmaclen; ++ char *hex; ++ ++ if ((p=strchr(hmac, '\n')) != NULL) ++ *p = '\0'; ++ ++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { ++ rv = -4; ++ goto end; ++ } ++ ++ if ((hex=bin2hex(buf, hmaclen)) == NULL) { ++ free(buf); ++ rv = -5; ++ goto end; ++ } ++ ++ if (strcmp(hex, hmac) != 0) { ++ rv = -1; ++ } ++ free(buf); ++ free(hex); ++ } ++ ++end: ++ free(hmac); ++ free(hmacpath); ++ fclose(hf); ++ ++ if (rv < 0) ++ return 0; ++ ++ /* check successful */ ++ return 1; ++} ++ ++#endif + + int FIPS_mode_set(int onoff) + { +@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff) + } + #endif + +- if(fips_signature_witness() != FIPS_signature) +- { +- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); +- fips_selftest_fail = 1; +- ret = 0; +- goto end; +- } +- +- if(!FIPS_check_incore_fingerprint()) ++ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set")) + { ++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; +@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void) + return ret; + } + ++#if 0 + unsigned char *fips_signature_witness(void) + { + extern unsigned char FIPS_signature[]; + return FIPS_signature; + } ++#endif + + /* Generalized public key test routine. Signs and verifies the data + * supplied in tbs using mesage digest md and setting option digest +diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile +--- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100 ++++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100 +@@ -62,9 +62,9 @@ testapps: + + all: + @if [ -z "$(FIPSLIBDIR)" ]; then \ +- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ ++ $(MAKE) -e subdirs lib; \ + else \ +- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ ++ $(MAKE) -e lib; \ + fi + + # Idea behind fipscanister.o is to "seize" the sequestered code between +@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $ + HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ + *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ + esac fi +- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 + + # If another exception is immediately required, assign approprite + # site-specific ld command to FIPS_SITE_LD environment variable. +@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC) + $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. + @touch lib + +-shared: lib subdirs fips_premain_dso$(EXE_EXT) ++shared: lib subdirs + + libs: + @target=lib; $(RECURSIVE_MAKE) +@@ -195,10 +194,6 @@ install: + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; + @target=install; $(RECURSIVE_MAKE) +- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ +- fips_premain.c.sha1 \ +- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ +- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* + + lint: + @target=lint; $(RECURSIVE_MAKE) +diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h +--- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200 ++++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100 +@@ -63,7 +63,9 @@ int fips_is_owning_thread(void); + int fips_set_owning_thread(void); + void fips_set_selftest_fail(void); + int fips_clear_owning_thread(void); ++#if 0 + unsigned char *fips_signature_witness(void); ++#endif + + #define FIPS_MAX_CIPHER_TEST_SIZE 16 + diff --git a/openssl-0.9.8j-version-add-engines.patch b/openssl-0.9.8j-version-add-engines.patch new file mode 100644 index 0000000..f54326c --- /dev/null +++ b/openssl-0.9.8j-version-add-engines.patch @@ -0,0 +1,48 @@ +diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c +--- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200 ++++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100 +@@ -131,6 +131,7 @@ + #ifndef OPENSSL_NO_BF + # include + #endif ++#include + + #undef PROG + #define PROG version_main +@@ -140,7 +141,7 @@ int MAIN(int, char **); + int MAIN(int argc, char **argv) + { + int i,ret=0; +- int cflags=0,version=0,date=0,options=0,platform=0,dir=0; ++ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0; + + apps_startup(); + +@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv) + else if (strcmp(argv[i],"-d") == 0) + dir=1; + else if (strcmp(argv[i],"-a") == 0) +- date=version=cflags=options=platform=dir=1; ++ date=version=cflags=options=platform=dir=engines=1; + else + { + BIO_printf(bio_err,"usage:version -[avbofpd]\n"); +@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv) + } + if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS)); + if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR)); ++ if (engines) ++ { ++ ENGINE *e; ++ printf("engines: "); ++ e = ENGINE_get_first(); ++ while (e) ++ { ++ printf("%s ", ENGINE_get_id(e)); ++ e = ENGINE_get_next(e); ++ } ++ printf("\n"); ++ } + end: + apps_shutdown(); + OPENSSL_EXIT(ret); diff --git a/openssl-thread-test.c b/openssl-thread-test.c new file mode 100644 index 0000000..3b90285 --- /dev/null +++ b/openssl-thread-test.c @@ -0,0 +1,400 @@ +/* Test program to verify that RSA signing is thread-safe in OpenSSL. */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +/* Just assume we want to do engine stuff if we're using 0.9.6b or + * higher. This assumption is only valid for versions bundled with RHL. */ +#if OPENSSL_VERSION_NUMBER >= 0x0090602fL +#include +#define USE_ENGINE +#endif + +#define MAX_THREAD_COUNT 10000 +#define ITERATION_COUNT 10 +#define MAIN_COUNT 100 + +/* OpenSSL requires us to provide thread ID and locking primitives. */ +pthread_mutex_t *mutex_locks = NULL; +static unsigned long +thread_id_cb(void) +{ + return (unsigned long) pthread_self(); +} +static void +lock_cb(int mode, int n, const char *file, int line) +{ + if (mode & CRYPTO_LOCK) { + pthread_mutex_lock(&mutex_locks[n]); + } else { + pthread_mutex_unlock(&mutex_locks[n]); + } +} + +struct thread_args { + RSA *rsa; + int digest_type; + unsigned char *digest; + unsigned int digest_len; + unsigned char *signature; + unsigned int signature_len; + pthread_t main_thread; +}; + +static int print = 0; + +pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER; +static int locked_sign = 0; +static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);} +static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);} + +pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER; +static int locked_verify = 0; +static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);} +static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);} + +pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER; +long failure_count = 0; +static void +failure() +{ + pthread_mutex_lock(&failure_count_lock); + failure_count++; + pthread_mutex_unlock(&failure_count_lock); +} + +static void * +thread_main(void *argp) +{ + struct thread_args *args = argp; + unsigned char *signature; + unsigned int signature_len, signature_alloc_len; + int ret, i; + + signature_alloc_len = args->signature_len; + if (RSA_size(args->rsa) > signature_alloc_len) { + signature_alloc_len = RSA_size(args->rsa); + } + signature = malloc(signature_alloc_len); + if (signature == NULL) { + fprintf(stderr, "Skipping checks in thread %lu -- %s.\n", + (unsigned long) pthread_self(), strerror(errno)); + pthread_exit(0); + return NULL; + } + for (i = 0; i < ITERATION_COUNT; i++) { + signature_len = signature_alloc_len; + SIGN_LOCK(); + ret = RSA_check_key(args->rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + break; + } + ret = RSA_sign(args->digest_type, + args->digest, + args->digest_len, + signature, &signature_len, + args->rsa); + SIGN_UNLOCK(); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + break; + } + + VERIFY_LOCK(); + ret = RSA_verify(args->digest_type, + args->digest, + args->digest_len, + signature, signature_len, + args->rsa); + VERIFY_UNLOCK(); + if (ret != 1) { + fprintf(stderr, + "Signature from thread %lu(%d) fails " + "verification (passed in thread #%lu)!\n", + (long) pthread_self(), i, + (long) args->main_thread); + ERR_print_errors_fp(stdout); + failure(); + continue; + } + if (print) { + fprintf(stderr, ">%d\n", i); + } + } + free(signature); + + pthread_exit(0); + + return NULL; +} + +unsigned char * +xmemdup(unsigned char *s, size_t len) +{ + unsigned char *r; + r = malloc(len); + if (r == NULL) { + fprintf(stderr, "Out of memory.\n"); + ERR_print_errors_fp(stdout); + assert(r != NULL); + } + memcpy(r, s, len); + return r; +} + +int +main(int argc, char **argv) +{ + RSA *rsa; + MD5_CTX md5; + int fd, i; + pthread_t threads[MAX_THREAD_COUNT]; + int thread_count = 1000; + unsigned char *message, *digest; + unsigned int message_len, digest_len; + unsigned char *correct_signature; + unsigned int correct_siglen, ret; + struct thread_args master_args, *args; + int sync = 0, seed = 0; + int again = 1; +#ifdef USE_ENGINE + char *engine = NULL; + ENGINE *e = NULL; +#endif + + pthread_mutex_init(&failure_count_lock, NULL); + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--seed") == 0) { + printf("Seeding PRNG.\n"); + seed++; + } else + if (strcmp(argv[i], "--sync") == 0) { + printf("Running synchronized.\n"); + sync++; + } else + if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) { + i++; + thread_count = atol(argv[i]); + if (thread_count > MAX_THREAD_COUNT) { + thread_count = MAX_THREAD_COUNT; + } + printf("Starting %d threads.\n", thread_count); + sync++; + } else + if (strcmp(argv[i], "--sign") == 0) { + printf("Locking signing.\n"); + locked_sign++; + } else + if (strcmp(argv[i], "--verify") == 0) { + printf("Locking verifies.\n"); + locked_verify++; + } else + if (strcmp(argv[i], "--print") == 0) { + printf("Tracing.\n"); + print++; +#ifdef USE_ENGINE + } else + if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) { + printf("Using engine \"%s\".\n", argv[i + 1]); + engine = argv[i + 1]; + i++; +#endif + } else { + printf("Bad argument: %s\n", argv[i]); + return 1; + } + } + + /* Get some random data to sign. */ + fd = open("/dev/urandom", O_RDONLY); + if (fd == -1) { + fprintf(stderr, "Error opening /dev/urandom: %s\n", + strerror(errno)); + } + + if (print) { + fprintf(stderr, "Reading random data.\n"); + } + message = malloc(message_len = 9371); + read(fd, message, message_len); + close(fd); + + /* Initialize the SSL library and set up thread-safe locking. */ + ERR_load_crypto_strings(); + SSL_library_init(); + mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks()); + for (i = 0; i < CRYPTO_num_locks(); i++) { + pthread_mutex_init(&mutex_locks[i], NULL); + } + CRYPTO_set_id_callback(thread_id_cb); + CRYPTO_set_locking_callback(lock_cb); + ERR_print_errors_fp(stdout); + + /* Seed the PRNG if we were asked to do so. */ + if (seed) { + if (print) { + fprintf(stderr, "Seeding PRNG.\n"); + } + RAND_add(message, message_len, message_len); + ERR_print_errors_fp(stdout); + } + + /* Turn on a hardware crypto device if asked to do so. */ +#ifdef USE_ENGINE + if (engine) { +#if OPENSSL_VERSION_NUMBER >= 0x0090700fL + ENGINE_load_builtin_engines(); +#endif + if (print) { + fprintf(stderr, "Initializing \"%s\" engine.\n", + engine); + } + e = ENGINE_by_id(engine); + ERR_print_errors_fp(stdout); + if (e) { + i = ENGINE_init(e); + ERR_print_errors_fp(stdout); + i = ENGINE_set_default_RSA(e); + ERR_print_errors_fp(stdout); + } + } +#endif + + /* Compute the digest for the signature. */ + if (print) { + fprintf(stderr, "Computing digest.\n"); + } + digest = malloc(digest_len = MD5_DIGEST_LENGTH); + MD5_Init(&md5); + MD5_Update(&md5, message, message_len); + MD5_Final(digest, &md5); + + /* Generate a signing key. */ + if (print) { + fprintf(stderr, "Generating key.\n"); + } + rsa = RSA_generate_key(4096, 3, NULL, NULL); + ERR_print_errors_fp(stdout); + if (rsa == NULL) { + _exit(1); + } + + /* Sign the data. */ + correct_siglen = RSA_size(rsa); + correct_signature = malloc(correct_siglen); + for (i = 0; i < MAIN_COUNT; i++) { + if (print) { + fprintf(stderr, "Signing data (%d).\n", i); + } + ret = RSA_check_key(rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + } + correct_siglen = RSA_size(rsa); + ret = RSA_sign(NID_md5, digest, digest_len, + correct_signature, &correct_siglen, + rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + _exit(2); + } + if (print) { + fprintf(stderr, "Verifying data (%d).\n", i); + } + ret = RSA_verify(NID_md5, digest, digest_len, + correct_signature, correct_siglen, + rsa); + if (ret != 1) { + _exit(2); + } + } + + /* Collect up the inforamtion which other threads will need for + * comparing their signature results with ours. */ + master_args.rsa = rsa; + master_args.digest_type = NID_md5; + master_args.digest = digest; + master_args.digest_len = digest_len; + master_args.signature = correct_signature; + master_args.signature_len = correct_siglen; + master_args.main_thread = pthread_self(); + + fprintf(stdout, "Performing %d signatures in each of %d threads " + "(%d, %d).\n", ITERATION_COUNT, thread_count, + digest_len, correct_siglen); + fflush(NULL); + + /* Start up all of the threads. */ + for (i = 0; i < thread_count; i++) { + args = malloc(sizeof(struct thread_args)); + args->rsa = RSAPrivateKey_dup(master_args.rsa); + args->digest_type = master_args.digest_type; + args->digest_len = master_args.digest_len; + args->digest = xmemdup(master_args.digest, args->digest_len); + args->signature_len = master_args.signature_len; + args->signature = xmemdup(master_args.signature, + args->signature_len); + args->main_thread = pthread_self(); + ret = pthread_create(&threads[i], NULL, thread_main, args); + while ((ret != 0) && (errno == EAGAIN)) { + ret = pthread_create(&threads[i], NULL, + thread_main, &args); + fprintf(stderr, "Thread limit hit at %d.\n", i); + } + if (ret != 0) { + fprintf(stderr, "Unable to create thread %d: %s.\n", + i, strerror(errno)); + threads[i] = -1; + } else { + if (sync) { + ret = pthread_join(threads[i], NULL); + assert(ret == 0); + } + if (print) { + fprintf(stderr, "%d\n", i); + } + } + } + + /* Wait for all threads to complete. So long as we can find an + * unjoined thread, keep joining threads. */ + do { + again = 0; + for (i = 0; i < thread_count; i++) { + /* If we have an unterminated thread, join it. */ + if (threads[i] != -1) { + again = 1; + if (print) { + fprintf(stderr, "Joining thread %d.\n", + i); + } + pthread_join(threads[i], NULL); + threads[i] = -1; + break; + } + } + } while (again == 1); + + fprintf(stderr, "%ld failures\n", failure_count); + + return (failure_count != 0); +} diff --git a/opensslconf-new-warning.h b/opensslconf-new-warning.h new file mode 100644 index 0000000..de091c8 --- /dev/null +++ b/opensslconf-new-warning.h @@ -0,0 +1,7 @@ +/* Prepended at openssl package build-time. Don't include this file directly, + * use instead. */ + +#ifndef openssl_opensslconf_multilib_redirection_h +#error "Don't include this file directly, use instead!" +#endif + diff --git a/opensslconf-new.h b/opensslconf-new.h new file mode 100644 index 0000000..cf22738 --- /dev/null +++ b/opensslconf-new.h @@ -0,0 +1,34 @@ +/* This file is here to prevent a file conflict on multiarch systems. A + * conflict will frequently occur because arch-specific build-time + * configuration options are stored (and used, so they can't just be stripped + * out) in opensslconf.h. The original opensslconf.h has been renamed. + * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */ + +#ifdef openssl_opensslconf_multilib_redirection_h +#error "Do not define openssl_opensslconf_multilib_redirection_h!" +#endif +#define openssl_opensslconf_multilib_redirection_h + +#if defined(__i386__) +#include "opensslconf-i386.h" +#elif defined(__ia64__) +#include "opensslconf-ia64.h" +#elif defined(__powerpc64__) +#include "opensslconf-ppc64.h" +#elif defined(__powerpc__) +#include "opensslconf-ppc.h" +#elif defined(__s390x__) +#include "opensslconf-s390x.h" +#elif defined(__s390__) +#include "opensslconf-s390.h" +#elif defined(__sparc__) && defined(__arch64__) +#include "opensslconf-sparc64.h" +#elif defined(__sparc__) +#include "opensslconf-sparc.h" +#elif defined(__x86_64__) +#include "opensslconf-x86_64.h" +#else +#error "This openssl-devel package does not work your architecture?" +#endif + +#undef openssl_opensslconf_multilib_redirection_h diff --git a/sources b/sources index e69de29..f0e2eb7 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +573353d8cb4330b71e9985cea4785d61 openssl-0.9.8j-usa.tar.bz2 From 0c92a68fdf7db0fc630bcc42c53037267e695906 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Fri, 20 Feb 2009 23:29:13 +0000 Subject: [PATCH 03/28] Rebuild for gcc 4.4 --- mingw32-openssl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index bc1b081..266b59c 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -27,7 +27,7 @@ Name: mingw32-openssl Version: 0.9.8j -Release: 2%{?dist} +Release: 3%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -90,7 +90,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch -BuildRequires: mingw32-filesystem >= 40 +BuildRequires: mingw32-filesystem >= 49 BuildRequires: mingw32-gcc BuildRequires: mingw32-binutils @@ -329,6 +329,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Feb 20 2009 Richard W.M. Jones - 0.9.8j-3 +- Rebuild for mingw32-gcc 4.4 + * Mon Feb 2 2009 Levente Farkas - 0.9.8j-2 - Various build fixes. From 68f3093f15f3be993eabc464518845f4296ab257 Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Thu, 26 Feb 2009 01:19:25 +0000 Subject: [PATCH 04/28] - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild --- mingw32-openssl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 266b59c..ee14313 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -27,7 +27,7 @@ Name: mingw32-openssl Version: 0.9.8j -Release: 3%{?dist} +Release: 4%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -329,6 +329,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Wed Feb 25 2009 Fedora Release Engineering - 0.9.8j-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + * Fri Feb 20 2009 Richard W.M. Jones - 0.9.8j-3 - Rebuild for mingw32-gcc 4.4 From c2a1431a48021bc7d30ff8cd4ffb6611c9443b5c Mon Sep 17 00:00:00 2001 From: epienbro Date: Tue, 14 Apr 2009 19:34:14 +0000 Subject: [PATCH 05/28] - Fixed %defattr line - Added -static subpackage --- mingw32-openssl.spec | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index ee14313..e4d3315 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -27,7 +27,7 @@ Name: mingw32-openssl Version: 0.9.8j -Release: 4%{?dist} +Release: 5%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -131,6 +131,14 @@ protocols. This package contains Windows (MinGW) libraries and development tools. +%package static +Summary: Static version of the MinGW port of the OpenSSL toolkit +Requires: %{name} = %{version}-%{release} + +%description static +Static version of the MinGW port of the OpenSSL toolkit. + + %prep %setup -q -n openssl-%{version} @@ -282,10 +290,6 @@ make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} -# Remove static libraries but DON'T remove *.dll.a files. -rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.a -rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.a - # I have no idea why it installs the manpages in /etc, but # we remove them anyway. rm -r $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/man @@ -313,7 +317,7 @@ rm -rf $RPM_BUILD_ROOT %files -%defattr(-,root,root) +%defattr(-,root,root,-) %doc LICENSE %{_mingw32_bindir}/openssl.exe %{_mingw32_bindir}/c_rehash @@ -328,7 +332,17 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) %{_mingw32_sysconfdir}/pki +%files static +%defattr(-,root,root,-) +%{_mingw32_libdir}/libcrypto.a +%{_mingw32_libdir}/libssl.a + + %changelog +* Tue Apr 14 2009 Erik van Pienbroek - 0.9.8j-5 +- Fixed %%defattr line +- Added -static subpackage + * Wed Feb 25 2009 Fedora Release Engineering - 0.9.8j-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild From 1440e4d4125d8d78319416838ab69b6f8eded51e Mon Sep 17 00:00:00 2001 From: epienbro Date: Sat, 9 May 2009 11:34:22 +0000 Subject: [PATCH 06/28] Add the file include/openssl/applink.c to the package (BZ #499934) --- mingw32-openssl.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index e4d3315..a605099 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -27,7 +27,7 @@ Name: mingw32-openssl Version: 0.9.8j -Release: 5%{?dist} +Release: 6%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -286,6 +286,9 @@ mkdir -p $RPM_BUILD_ROOT%{_mingw32_includedir} mkdir -p $RPM_BUILD_ROOT%{_mingw32_mandir} make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared +# Install the file applink.c (#499934) +install -m644 ms/applink.c $RPM_BUILD_ROOT%{_mingw32_includedir}/openssl/applink.c + # Install the actual DLLs. install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} @@ -339,6 +342,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sat May 9 2009 Erik van Pienbroek - 0.9.8j-6 +- Add the file include/openssl/applink.c to the package (BZ #499934) + * Tue Apr 14 2009 Erik van Pienbroek - 0.9.8j-5 - Fixed %%defattr line - Added -static subpackage From 278c82103b3f47e3838a54a95b2dcbdf1c48e67e Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Sat, 25 Jul 2009 14:27:40 +0000 Subject: [PATCH 07/28] - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild --- mingw32-openssl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index a605099..270fa67 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -27,7 +27,7 @@ Name: mingw32-openssl Version: 0.9.8j -Release: 6%{?dist} +Release: 7%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -342,6 +342,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sat Jul 25 2009 Fedora Release Engineering - 0.9.8j-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + * Sat May 9 2009 Erik van Pienbroek - 0.9.8j-6 - Add the file include/openssl/applink.c to the package (BZ #499934) From 1deb3708fce25c9ad81cac29b38df19d31287254 Mon Sep 17 00:00:00 2001 From: epienbro Date: Sat, 29 Aug 2009 16:13:45 +0000 Subject: [PATCH 08/28] - Update to version 1.0.0 beta 3 - Use %global instead of %define - Automatically generate debuginfo subpackage - Merged various changes from the native Fedora package (up to 1.0.0-0.5.beta3) - Don't use the %{_mingw32_make} macro anymore as it's ugly and causes side-effects NOTE: Right now, this package doesn't provide versioned DLL's as the upstream defaults are used and I couldn't find the right spot in the build scripts to realize this (openssl's build system is really messy..). --- .cvsignore | 2 +- hobble-openssl | 11 +- mingw32-openssl-1.0.0-beta3-linker-fix.patch | 44 + mingw32-openssl-1.0.0-beta3-shared.patch | 11 + mingw32-openssl.spec | 131 +- openssl-0.9.8k-algo-doc.patch | 113 + openssl-1.0.0-beta3-cipher-change.patch | 21 + openssl-1.0.0-beta3-const.patch | 36 + openssl-1.0.0-beta3-curl.patch | 27 + openssl-1.0.0-beta3-default-paths.patch | 77 + openssl-1.0.0-beta3-defaults.patch | 44 + openssl-1.0.0-beta3-enginesdir.patch | 52 + openssl-1.0.0-beta3-fips.patch | 12025 +++++++++++++++++ openssl-1.0.0-beta3-fipscheck.patch | 400 + openssl-1.0.0-beta3-fipsmode.patch | 263 + openssl-1.0.0-beta3-fipsrng.patch | 79 + openssl-1.0.0-beta3-ipv6-apps.patch | 506 + openssl-1.0.0-beta3-krb5.patch | 12 + openssl-1.0.0-beta3-namingblk.patch | 253 + openssl-1.0.0-beta3-namingstr.patch | 1663 +++ openssl-1.0.0-beta3-redhat.patch | 59 + openssl-1.0.0-beta3-soversion.patch | 44 + sources | 2 +- 23 files changed, 15807 insertions(+), 68 deletions(-) create mode 100644 mingw32-openssl-1.0.0-beta3-linker-fix.patch create mode 100644 mingw32-openssl-1.0.0-beta3-shared.patch create mode 100644 openssl-0.9.8k-algo-doc.patch create mode 100644 openssl-1.0.0-beta3-cipher-change.patch create mode 100644 openssl-1.0.0-beta3-const.patch create mode 100644 openssl-1.0.0-beta3-curl.patch create mode 100644 openssl-1.0.0-beta3-default-paths.patch create mode 100644 openssl-1.0.0-beta3-defaults.patch create mode 100644 openssl-1.0.0-beta3-enginesdir.patch create mode 100644 openssl-1.0.0-beta3-fips.patch create mode 100644 openssl-1.0.0-beta3-fipscheck.patch create mode 100644 openssl-1.0.0-beta3-fipsmode.patch create mode 100644 openssl-1.0.0-beta3-fipsrng.patch create mode 100644 openssl-1.0.0-beta3-ipv6-apps.patch create mode 100644 openssl-1.0.0-beta3-krb5.patch create mode 100644 openssl-1.0.0-beta3-namingblk.patch create mode 100644 openssl-1.0.0-beta3-namingstr.patch create mode 100644 openssl-1.0.0-beta3-redhat.patch create mode 100644 openssl-1.0.0-beta3-soversion.patch diff --git a/.cvsignore b/.cvsignore index 6dba667..37e2722 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -openssl-0.9.8j-usa.tar.bz2 +openssl-1.0.0-beta3-usa.tar.bz2 diff --git a/hobble-openssl b/hobble-openssl index de0490f..24b05f9 100755 --- a/hobble-openssl +++ b/hobble-openssl @@ -4,33 +4,32 @@ set -e # Clean out patent-or-otherwise-encumbered code. -# MDC-2: 4,908,861 13/03/2007 +# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway # IDEA: 5,214,703 25/05/2010 # RC5: 5,724,428 03/03/2015 # EC: ????????? ??/??/2015 # Remove assembler portions of IDEA, MDC2, and RC5. -(find crypto/{idea,mdc2,rc5}/asm -type f | xargs -r rm -fv) +(find crypto/{idea,rc5}/asm -type f | xargs -r rm -fv) # IDEA, MDC2, RC5, EC. -for a in idea mdc2 rc5 ec ecdh ecdsa; do +for a in idea rc5 ec ecdh ecdsa; do for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do echo Destroying $c > $c done done -for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_mdc2.c" -o -name "*_ecdsa.c"`; do +for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_ecdsa.c"`; do echo Destroying $c > $c done for h in `find crypto ssl apps test -name "*.h"` ; do - echo Removing IDEA, MDC2, RC5, and EC references from $h + echo Removing IDEA, RC5, and EC references from $h cat $h | \ awk 'BEGIN {ech=1;} \ /^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \ - /^#[ \t]*ifndef.*NO_MDC2/ {ech--; next;} \ /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \ /^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \ /^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \ diff --git a/mingw32-openssl-1.0.0-beta3-linker-fix.patch b/mingw32-openssl-1.0.0-beta3-linker-fix.patch new file mode 100644 index 0000000..eb37823 --- /dev/null +++ b/mingw32-openssl-1.0.0-beta3-linker-fix.patch @@ -0,0 +1,44 @@ +--- util/libeay.num.orig 2009-08-29 15:41:45.207820734 +0200 ++++ util/libeay.num 2009-08-29 15:48:03.746817062 +0200 +@@ -1084,7 +1084,6 @@ + PROXY_set_connect_mode 1112 NOEXIST::FUNCTION: + RAND_SSLeay 1113 EXIST::FUNCTION: + RAND_set_rand_method 1114 EXIST::FUNCTION: +-RSA_memory_lock 1115 EXIST::FUNCTION:RSA + bn_sub_words 1116 EXIST::FUNCTION: + bn_mul_normal 1117 NOEXIST::FUNCTION: + bn_mul_comba8 1118 NOEXIST::FUNCTION: +@@ -2844,17 +2843,8 @@ + X509_check_ca 3286 EXIST::FUNCTION: + private_idea_set_encrypt_key 3287 NOEXIST::FUNCTION: + HMAC_CTX_set_flags 3288 NOEXIST::FUNCTION: +-private_SHA_Init 3289 NOEXIST::FUNCTION: +-private_CAST_set_key 3290 NOEXIST::FUNCTION: +-private_RIPEMD160_Init 3291 NOEXIST::FUNCTION: + private_RC5_32_set_key 3292 NOEXIST::FUNCTION: +-private_MD5_Init 3293 NOEXIST::FUNCTION: +-private_RC4_set_key 3294 NOEXIST::FUNCTION: + private_MDC2_Init 3295 NOEXIST::FUNCTION: +-private_RC2_set_key 3296 NOEXIST::FUNCTION: +-private_MD4_Init 3297 NOEXIST::FUNCTION: +-private_BF_set_key 3298 NOEXIST::FUNCTION: +-private_MD2_Init 3299 NOEXIST::FUNCTION: + d2i_PROXY_CERT_INFO_EXTENSION 3300 EXIST::FUNCTION: + PROXY_POLICY_it 3301 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: + PROXY_POLICY_it 3301 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +@@ -3318,7 +3308,6 @@ + EVP_PKEY_get_attr_by_NID 3721 EXIST::FUNCTION: + STORE_set_ex_data 3722 NOEXIST::FUNCTION: + ENGINE_get_ECDSA 3723 EXIST::FUNCTION:ENGINE +-EVP_ecdsa 3724 EXIST::FUNCTION:SHA + BN_BLINDING_get_flags 3725 EXIST::FUNCTION: + PKCS12_add_cert 3726 EXIST::FUNCTION: + STORE_OBJECT_new 3727 NOEXIST::FUNCTION: +@@ -3702,7 +3691,6 @@ + FIPS_dsa_sig_encode 4089 NOEXIST::FUNCTION: + CRYPTO_dbg_remove_all_info 4090 NOEXIST::FUNCTION: + OPENSSL_init 4091 NOEXIST::FUNCTION: +-private_Camellia_set_key 4092 NOEXIST::FUNCTION: + CRYPTO_strdup 4093 EXIST::FUNCTION: + JPAKE_STEP3A_process 4094 EXIST::FUNCTION:JPAKE + JPAKE_STEP1_release 4095 EXIST::FUNCTION:JPAKE diff --git a/mingw32-openssl-1.0.0-beta3-shared.patch b/mingw32-openssl-1.0.0-beta3-shared.patch new file mode 100644 index 0000000..2fa6348 --- /dev/null +++ b/mingw32-openssl-1.0.0-beta3-shared.patch @@ -0,0 +1,11 @@ +--- openssl-1.0.0-beta3/Makefile.shared.orig 2009-08-29 17:02:27.496816550 +0200 ++++ openssl-1.0.0-beta3/Makefile.shared 2009-08-29 17:04:54.897820373 +0200 +@@ -250,7 +250,7 @@ + base=-Wl,--enable-auto-image-base; \ + deffile=; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- SHLIB=$(LIBNAME)eay32; base=; \ ++ SHLIB=lib$(LIBNAME); base=; \ + if test -f $(LIBNAME)eay32.def; then \ + deffile=$(LIBNAME)eay32.def; \ + fi; \ diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 270fa67..e6be878 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -1,8 +1,9 @@ -%define __strip %{_mingw32_strip} -%define __objdump %{_mingw32_objdump} -%define _use_internal_dependency_generator 0 -%define __find_requires %{_mingw32_findrequires} -%define __find_provides %{_mingw32_findprovides} +%global __strip %{_mingw32_strip} +%global __objdump %{_mingw32_objdump} +%global _use_internal_dependency_generator 0 +%global __find_requires %{_mingw32_findrequires} +%global __find_provides %{_mingw32_findprovides} +%define __debug_install_post %{_mingw32_debug_install_post} # For the curious: # 0.9.5a soversion = 0 @@ -13,21 +14,24 @@ # 0.9.7ef soversion = 5 # 0.9.8ab soversion = 6 # 0.9.8g soversion = 7 -# 0.9.8j + EAP-FAST soversion = 8 -%define soversion 8 +# 0.9.8jk + EAP-FAST soversion = 8 +# 1.0.0 soversion = 10 +%global soversion 10 + +%global beta beta3 # Enable the tests. # These only work some of the time, but fail randomly at other times # (although I have had them complete a few times, so I don't think # there is any actual problem with the binaries). -%define run_tests 0 +%global run_tests 0 # Number of threads to spawn when testing some threading fixes. -%define thread_test_threads %{?threads:%{threads}}%{!?threads:1} +%global thread_test_threads %{?threads:%{threads}}%{!?threads:1} Name: mingw32-openssl -Version: 0.9.8j -Release: 7%{?dist} +Version: 1.0.0 +Release: 0.1.%{beta}%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -35,7 +39,7 @@ Group: Development/Libraries URL: http://www.openssl.org/ # Use the hobble-openssl script to create the source file. -Source0: openssl-%{version}-usa.tar.bz2 +Source0: openssl-%{version}-%{beta}-usa.tar.bz2 Source1: hobble-openssl Source2: Makefile.certificate @@ -46,38 +50,38 @@ Source10: opensslconf-new-warning.h # Patches from Fedora native package. # Build changes -Patch0: openssl-0.9.8j-redhat.patch -Patch1: openssl-0.9.8a-defaults.patch -Patch2: openssl-0.9.8a-link-krb5.patch -Patch3: openssl-0.9.8j-soversion.patch -Patch4: openssl-0.9.8j-enginesdir.patch +Patch0: openssl-1.0.0-beta3-redhat.patch +Patch1: openssl-1.0.0-beta3-defaults.patch +Patch2: openssl-1.0.0-beta3-krb5.patch +Patch3: openssl-1.0.0-beta3-soversion.patch +Patch4: openssl-1.0.0-beta3-enginesdir.patch Patch5: openssl-0.9.8a-no-rpath.patch Patch6: openssl-0.9.8b-test-use-localhost.patch -Patch7: openssl-0.9.8j-shlib-version.patch # Bug fixes Patch21: openssl-0.9.8b-aliasing-bug.patch -Patch22: openssl-0.9.8b-x509-name-cmp.patch -Patch23: openssl-0.9.8g-default-paths.patch -Patch24: openssl-0.9.8g-no-extssl.patch +Patch23: openssl-1.0.0-beta3-default-paths.patch # Functionality changes Patch32: openssl-0.9.8g-ia64.patch Patch33: openssl-0.9.8j-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch -Patch38: openssl-0.9.8a-reuse-cipher-change.patch +Patch38: openssl-1.0.0-beta3-cipher-change.patch # Disabled this because it uses getaddrinfo which is lacking on Windows. -#Patch39: openssl-0.9.8g-ipv6-apps.patch -Patch40: openssl-0.9.8j-nocanister.patch -Patch41: openssl-0.9.8j-use-fipscheck.patch -Patch42: openssl-0.9.8j-fipscheck-hmac.patch -Patch43: openssl-0.9.8j-evp-nonfips.patch -Patch44: openssl-0.9.8j-kernel-fipsmode.patch +#Patch39: openssl-1.0.0-beta3-ipv6-apps.patch +Patch40: openssl-1.0.0-beta3-fips.patch +Patch41: openssl-1.0.0-beta3-fipscheck.patch +Patch43: openssl-1.0.0-beta3-fipsmode.patch +Patch44: openssl-1.0.0-beta3-fipsrng.patch Patch45: openssl-0.9.8j-env-nozlib.patch -Patch46: openssl-0.9.8j-eap-fast.patch Patch47: openssl-0.9.8j-readme-warning.patch Patch48: openssl-0.9.8j-bad-mime.patch -Patch49: openssl-0.9.8j-fips-no-pairwise.patch +Patch49: openssl-0.9.8k-algo-doc.patch +Patch50: openssl-1.0.0-beta3-curl.patch +Patch51: openssl-1.0.0-beta3-const.patch + # Backported fixes including security fixes +Patch60: openssl-1.0.0-beta3-namingstr.patch +Patch61: openssl-1.0.0-beta3-namingblk.patch # MinGW-specific patches. Patch100: mingw32-openssl-0.9.8j-header-files.patch @@ -85,12 +89,13 @@ Patch101: mingw32-openssl-0.9.8j-configure.patch Patch102: mingw32-openssl-0.9.8j-shared.patch Patch103: mingw32-openssl-0.9.8g-global.patch Patch104: mingw32-openssl-0.9.8g-sfx.patch +Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch -BuildRequires: mingw32-filesystem >= 49 +BuildRequires: mingw32-filesystem >= 52 BuildRequires: mingw32-gcc BuildRequires: mingw32-binutils @@ -139,8 +144,11 @@ Requires: %{name} = %{version}-%{release} Static version of the MinGW port of the OpenSSL toolkit. +%{_mingw32_debug_package} + + %prep -%setup -q -n openssl-%{version} +%setup -q -n openssl-%{version}-%{beta} %{SOURCE1} > /dev/null %patch0 -p1 -b .redhat @@ -151,12 +159,9 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch4 -p1 -b .enginesdir %patch5 -p1 -b .no-rpath %patch6 -p1 -b .use-localhost -%patch7 -p1 -b .shlib-version %patch21 -p1 -b .aliasing-bug -%patch22 -p1 -b .name-cmp %patch23 -p1 -b .default-paths -%patch24 -p1 -b .no-extssl %patch32 -p1 -b .ia64 #patch33 is applied after make test @@ -164,22 +169,25 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch35 -p1 -b .version-add-engines %patch38 -p1 -b .cipher-change #%patch39 -p1 -b .ipv6-apps -%patch40 -p1 -b .nocanister -%patch41 -p1 -b .use-fipscheck -%patch42 -p1 -b .fipscheck-hmac -%patch43 -p1 -b .evp-nonfips -%patch44 -p1 -b .fipsmode +%patch40 -p1 -b .fips +%patch41 -p1 -b .fipscheck +%patch43 -p1 -b .fipsmode +%patch44 -p1 -b .fipsrng %patch45 -p1 -b .env-nozlib -%patch46 -p1 -b .eap-fast %patch47 -p1 -b .warning %patch48 -p1 -b .bad-mime -%patch49 -p1 -b .no-pairwise +%patch49 -p1 -b .algo-doc +%patch50 -p1 -b .curl +%patch51 -p1 -b .const +%patch60 -p1 -b .namingstr +%patch61 -p1 -b .namingblk -%patch100 -p1 -b .mingw-header-files -%patch101 -p1 -b .mingw-configure -%patch102 -p1 -b .mingw-shared -%patch103 -p1 -b .mingw-global -%patch104 -p1 -b .mingw-sfx +#%patch100 -p1 -b .mingw-header-files +#%patch101 -p1 -b .mingw-configure +#%patch102 -p1 -b .mingw-shared +#%patch103 -p1 -b .mingw-global +#%patch104 -p1 -b .mingw-sfx +%patch105 -p0 -b .mingw-linker-fix # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -191,22 +199,22 @@ make TABLE PERL=%{__perl} %build # NB: 'no-hw' is vital. MinGW cannot build the hardware drivers # and if you don't have this you'll get an obscure link error. -%{_mingw32_env}; \ -sed -i -e "s/MINGW32_CC/%{_mingw32_cc}/" -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" -e "s/MINGW32_RANLIB/%{_mingw32_ranlib}/" Configure; \ +sed -i -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" Configure; \ ./Configure \ --prefix=%{_mingw32_prefix} \ --openssldir=%{_mingw32_sysconfdir}/pki/tls \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ - no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-hw shared \ + enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \ + no-hw shared --cross-compile-prefix=%{_mingw32_target}- \ --enginesdir=%{_mingw32_libdir}/openssl/engines \ mingw # --with-krb5-flavor=MIT # -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib} -%{_mingw32_make} depend -%{_mingw32_make} all build-shared +make depend +make all build-shared # Generate hashes for the included certs. -%{_mingw32_make} rehash build-shared +make rehash build-shared %if %{run_tests} #---------------------------------------------------------------------- @@ -240,7 +248,7 @@ sleep 3 DISPLAY=$display export DISPLAY -%{_mingw32_make} LDCMD=%{_mingw32_cc} -C test apps tests +make LDCMD=%{_mingw32_cc} -C test apps tests # Disable this thread test, because we don't have pthread on Windows. %{_mingw32_cc} -o openssl-thread-test \ @@ -289,10 +297,6 @@ make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared # Install the file applink.c (#499934) install -m644 ms/applink.c $RPM_BUILD_ROOT%{_mingw32_includedir}/openssl/applink.c -# Install the actual DLLs. -install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} -install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} - # I have no idea why it installs the manpages in /etc, but # we remove them anyway. rm -r $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/man @@ -324,8 +328,8 @@ rm -rf $RPM_BUILD_ROOT %doc LICENSE %{_mingw32_bindir}/openssl.exe %{_mingw32_bindir}/c_rehash -%{_mingw32_bindir}/libcrypto-%{soversion}.dll -%{_mingw32_bindir}/libssl-%{soversion}.dll +%{_mingw32_bindir}/libeay32.dll +%{_mingw32_bindir}/ssleay32.dll #{_mingw32_bindir}/.libcrypto*.hmac %{_mingw32_libdir}/libcrypto.dll.a %{_mingw32_libdir}/libssl.dll.a @@ -342,6 +346,13 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Aug 28 2009 Erik van Pienbroek - 1.0.0-0.1.beta3 +- Update to version 1.0.0 beta 3 +- Use %%global instead of %%define +- Automatically generate debuginfo subpackage +- Merged various changes from the native Fedora package (up to 1.0.0-0.5.beta3) +- Don't use the %%{_mingw32_make} macro anymore as it's ugly and causes side-effects + * Sat Jul 25 2009 Fedora Release Engineering - 0.9.8j-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild diff --git a/openssl-0.9.8k-algo-doc.patch b/openssl-0.9.8k-algo-doc.patch new file mode 100644 index 0000000..27521a4 --- /dev/null +++ b/openssl-0.9.8k-algo-doc.patch @@ -0,0 +1,113 @@ +diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod +--- openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc 2004-05-20 23:39:50.000000000 +0200 ++++ openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod 2009-06-30 12:04:47.000000000 +0200 +@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_ + EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, + EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, + EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, +-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, ++EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224, ++EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2, + EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - + EVP digest routines + +@@ -51,6 +52,10 @@ EVP digest routines + const EVP_MD *EVP_md5(void); + const EVP_MD *EVP_sha(void); + const EVP_MD *EVP_sha1(void); ++ const EVP_MD *EVP_sha224(void); ++ const EVP_MD *EVP_sha256(void); ++ const EVP_MD *EVP_sha384(void); ++ const EVP_MD *EVP_sha512(void); + const EVP_MD *EVP_dss(void); + const EVP_MD *EVP_dss1(void); + const EVP_MD *EVP_mdc2(void); +@@ -70,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ + + EVP_DigestInit_ex() sets up digest context B to use a digest + B from ENGINE B. B must be initialized before calling this +-function. B will typically be supplied by a functionsuch as EVP_sha1(). ++function. B will typically be supplied by a function such as EVP_sha1(). + If B is NULL then the default implementation of digest B is used. + + EVP_DigestUpdate() hashes B bytes of data at B into the +@@ -127,9 +132,11 @@ with this digest. For example EVP_sha1() + return B. This "link" between digests and signature + algorithms may not be retained in future versions of OpenSSL. + +-EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160() +-return B structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest +-algorithms respectively. The associated signature algorithm is RSA in each case. ++EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(), ++EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() ++return B structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, ++SHA512, MDC2 and RIPEMD160 digest algorithms respectively. The associated ++signature algorithm is RSA in each case. + + EVP_dss() and EVP_dss1() return B structures for SHA and SHA1 digest + algorithms but using DSS (DSA) for the signature algorithm. +@@ -156,7 +163,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_ + EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block + size in bytes. + +-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(), ++EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), ++EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(), + EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the + corresponding EVP_MD structures. + +diff -up openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod +--- openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200 ++++ openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod 2009-06-30 12:04:47.000000000 +0200 +@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher + int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); + int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); + ++ const EVP_CIPHER *EVP_des_ede3(void); ++ const EVP_CIPHER *EVP_des_ede3_ecb(void); ++ const EVP_CIPHER *EVP_des_ede3_cfb64(void); ++ const EVP_CIPHER *EVP_des_ede3_cfb1(void); ++ const EVP_CIPHER *EVP_des_ede3_cfb8(void); ++ const EVP_CIPHER *EVP_des_ede3_ofb(void); ++ const EVP_CIPHER *EVP_des_ede3_cbc(void); ++ const EVP_CIPHER *EVP_aes_128_ecb(void); ++ const EVP_CIPHER *EVP_aes_128_cbc(void); ++ const EVP_CIPHER *EVP_aes_128_cfb1(void); ++ const EVP_CIPHER *EVP_aes_128_cfb8(void); ++ const EVP_CIPHER *EVP_aes_128_cfb128(void); ++ const EVP_CIPHER *EVP_aes_128_ofb(void); ++ const EVP_CIPHER *EVP_aes_192_ecb(void); ++ const EVP_CIPHER *EVP_aes_192_cbc(void); ++ const EVP_CIPHER *EVP_aes_192_cfb1(void); ++ const EVP_CIPHER *EVP_aes_192_cfb8(void); ++ const EVP_CIPHER *EVP_aes_192_cfb128(void); ++ const EVP_CIPHER *EVP_aes_192_ofb(void); ++ const EVP_CIPHER *EVP_aes_256_ecb(void); ++ const EVP_CIPHER *EVP_aes_256_cbc(void); ++ const EVP_CIPHER *EVP_aes_256_cfb1(void); ++ const EVP_CIPHER *EVP_aes_256_cfb8(void); ++ const EVP_CIPHER *EVP_aes_256_cfb128(void); ++ const EVP_CIPHER *EVP_aes_256_ofb(void); ++ + =head1 DESCRIPTION + + The EVP cipher routines are a high level interface to certain +@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an + + DESX algorithm in CBC mode. + ++=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void) ++ ++AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively. ++ ++=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void) ++ ++AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively. ++ ++=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void) ++ ++AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively. ++ + =item EVP_rc4(void) + + RC4 stream cipher. This is a variable key length cipher with default key length 128 bits. diff --git a/openssl-1.0.0-beta3-cipher-change.patch b/openssl-1.0.0-beta3-cipher-change.patch new file mode 100644 index 0000000..8fe7ada --- /dev/null +++ b/openssl-1.0.0-beta3-cipher-change.patch @@ -0,0 +1,21 @@ +diff -up openssl-1.0.0-beta3/ssl/ssl.h.cipher-change openssl-1.0.0-beta3/ssl/ssl.h +--- openssl-1.0.0-beta3/ssl/ssl.h.cipher-change 2009-08-05 18:22:45.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-05 18:27:32.000000000 +0200 +@@ -511,7 +511,7 @@ typedef struct ssl_session_st + + #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L + #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L +-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L ++#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ + #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L + #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L + #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ +@@ -528,7 +528,7 @@ typedef struct ssl_session_st + + /* SSL_OP_ALL: various bug workarounds that should be rather harmless. + * This used to be 0x000FFFFFL before 0.9.7. */ +-#define SSL_OP_ALL 0x80000FFFL ++#define SSL_OP_ALL 0x80000FF7L + + /* DTLS options */ + #define SSL_OP_NO_QUERY_MTU 0x00001000L diff --git a/openssl-1.0.0-beta3-const.patch b/openssl-1.0.0-beta3-const.patch new file mode 100644 index 0000000..77c1c95 --- /dev/null +++ b/openssl-1.0.0-beta3-const.patch @@ -0,0 +1,36 @@ +diff -up openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod +--- openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const 2009-02-14 22:49:37.000000000 +0100 ++++ openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod 2009-08-22 16:15:32.000000000 +0200 +@@ -11,7 +11,7 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits + const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher); + int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits); + char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); +- char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size); ++ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size); + + =head1 DESCRIPTION + +diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.const openssl-1.0.0-beta3/ssl/ssl_ciph.c +--- openssl-1.0.0-beta3/ssl/ssl_ciph.c.const 2009-08-22 15:56:12.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-08-22 15:56:12.000000000 +0200 +@@ -1458,7 +1458,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + return(cipherstack); + } + +-char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) ++char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) + { + int is_export,pkl,kl; + const char *ver,*exp_str; +diff -up openssl-1.0.0-beta3/ssl/ssl.h.const openssl-1.0.0-beta3/ssl/ssl.h +--- openssl-1.0.0-beta3/ssl/ssl.h.const 2009-08-22 15:56:11.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-22 15:56:12.000000000 +0200 +@@ -1638,7 +1638,7 @@ long SSL_get_default_timeout(const SSL * + + int SSL_library_init(void ); + +-char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size); ++char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size); + STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk); + + SSL *SSL_dup(SSL *ssl); diff --git a/openssl-1.0.0-beta3-curl.patch b/openssl-1.0.0-beta3-curl.patch new file mode 100644 index 0000000..6141c0e --- /dev/null +++ b/openssl-1.0.0-beta3-curl.patch @@ -0,0 +1,27 @@ +diff -up openssl-1.0.0-beta3/apps/tsget.curl openssl-1.0.0-beta3/apps/tsget +--- openssl-1.0.0-beta3/apps/tsget.curl 2006-02-13 00:11:21.000000000 +0100 ++++ openssl-1.0.0-beta3/apps/tsget 2009-08-21 15:37:24.000000000 +0200 +@@ -7,7 +7,7 @@ use strict; + use IO::Handle; + use Getopt::Std; + use File::Basename; +-use WWW::Curl::easy; ++use WWW::Curl::Easy; + + use vars qw(%options); + +@@ -37,7 +37,7 @@ sub create_curl { + my $url = shift; + + # Create Curl object. +- my $curl = WWW::Curl::easy::new(); ++ my $curl = WWW::Curl::Easy::new(); + + # Error-handling related options. + $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; +@@ -192,4 +192,4 @@ REQUEST: foreach (@ARGV) { + STDERR->printflush(", $output written.\n") if $options{v}; + } + $curl->cleanup(); +-WWW::Curl::easy::global_cleanup(); ++WWW::Curl::Easy::global_cleanup(); diff --git a/openssl-1.0.0-beta3-default-paths.patch b/openssl-1.0.0-beta3-default-paths.patch new file mode 100644 index 0000000..4ed02e0 --- /dev/null +++ b/openssl-1.0.0-beta3-default-paths.patch @@ -0,0 +1,77 @@ +diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/apps/s_client.c +--- openssl-1.0.0-beta3/apps/s_client.c.default-paths 2009-06-30 18:10:24.000000000 +0200 ++++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 18:17:52.000000000 +0200 +@@ -888,12 +888,13 @@ bad: + if (!set_cert_key_stuff(ctx,cert,key)) + goto end; + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + #ifndef OPENSSL_NO_TLSEXT +diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/apps/s_server.c +--- openssl-1.0.0-beta3/apps/s_server.c.default-paths 2009-06-30 18:10:24.000000000 +0200 ++++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 18:18:40.000000000 +0200 +@@ -1403,12 +1403,13 @@ bad: + } + #endif + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + if (vpm) + SSL_CTX_set1_param(ctx, vpm); +@@ -1457,8 +1458,11 @@ bad: + + SSL_CTX_sess_set_cache_size(ctx2,128); + +- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx2))) ++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx2)) + { + ERR_print_errors(bio_err); + } +diff -up openssl-1.0.0-beta3/apps/s_time.c.default-paths openssl-1.0.0-beta3/apps/s_time.c +--- openssl-1.0.0-beta3/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200 ++++ openssl-1.0.0-beta3/apps/s_time.c 2009-08-05 18:00:35.000000000 +0200 +@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv) + + SSL_load_error_strings(); + +- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(tm_ctx))) ++ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + if (tm_cipher == NULL) diff --git a/openssl-1.0.0-beta3-defaults.patch b/openssl-1.0.0-beta3-defaults.patch new file mode 100644 index 0000000..4a9d4ed --- /dev/null +++ b/openssl-1.0.0-beta3-defaults.patch @@ -0,0 +1,44 @@ +diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/openssl.cnf +--- openssl-1.0.0-beta3/apps/openssl.cnf.defaults 2009-04-04 20:09:43.000000000 +0200 ++++ openssl-1.0.0-beta3/apps/openssl.cnf 2009-08-04 22:57:16.000000000 +0200 +@@ -103,7 +103,8 @@ emailAddress = optional + + #################################################################### + [ req ] +-default_bits = 1024 ++default_bits = 2048 ++default_md = sha1 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +@@ -126,17 +127,18 @@ string_mask = utf8only + + [ req_distinguished_name ] + countryName = Country Name (2 letter code) +-countryName_default = AU ++countryName_default = XX + countryName_min = 2 + countryName_max = 2 + + stateOrProvinceName = State or Province Name (full name) +-stateOrProvinceName_default = Some-State ++#stateOrProvinceName_default = Default Province + + localityName = Locality Name (eg, city) ++localityName_default = Default City + + 0.organizationName = Organization Name (eg, company) +-0.organizationName_default = Internet Widgits Pty Ltd ++0.organizationName_default = Default Company Ltd + + # we can do this but it is not needed normally :-) + #1.organizationName = Second Organization Name (eg, company) +@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city + organizationalUnitName = Organizational Unit Name (eg, section) + #organizationalUnitName_default = + +-commonName = Common Name (eg, YOUR name) ++commonName = Common Name (eg, your name or your server\'s hostname) + commonName_max = 64 + + emailAddress = Email Address diff --git a/openssl-1.0.0-beta3-enginesdir.patch b/openssl-1.0.0-beta3-enginesdir.patch new file mode 100644 index 0000000..78a3c50 --- /dev/null +++ b/openssl-1.0.0-beta3-enginesdir.patch @@ -0,0 +1,52 @@ +diff -up openssl-1.0.0-beta3/Configure.enginesdir openssl-1.0.0-beta3/Configure +--- openssl-1.0.0-beta3/Configure.enginesdir 2009-08-10 19:46:32.000000000 +0200 ++++ openssl-1.0.0-beta3/Configure 2009-08-10 19:46:32.000000000 +0200 +@@ -616,6 +616,7 @@ my $idx_multilib = $idx++; + + my $prefix=""; + my $openssldir=""; ++my $enginesdir=""; + my $exe_ext=""; + my $install_prefix=""; + my $cross_compile_prefix=""; +@@ -820,6 +821,10 @@ PROCESS_ARGS: + { + $openssldir=$1; + } ++ elsif (/^--enginesdir=(.*)$/) ++ { ++ $enginesdir=$1; ++ } + elsif (/^--install.prefix=(.*)$/) + { + $install_prefix=$1; +@@ -1037,7 +1042,7 @@ chop $prefix if $prefix =~ /.\/$/; + + $openssldir=$prefix . "/ssl" if $openssldir eq ""; + $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; +- ++$enginesdir="$prefix/lib/engines" if $enginesdir eq ""; + + print "IsMK1MF=$IsMK1MF\n"; + +@@ -1645,7 +1650,7 @@ while () + # $foo is to become "$prefix/lib$multilib/engines"; + # as Makefile.org and engines/Makefile are adapted for + # $multilib suffix. +- my $foo = "$prefix/lib/engines"; ++ my $foo = "$enginesdir"; + $foo =~ s/\\/\\\\/g; + print OUT "#define ENGINESDIR \"$foo\"\n"; + } +diff -up openssl-1.0.0-beta3/engines/Makefile.enginesdir openssl-1.0.0-beta3/engines/Makefile +--- openssl-1.0.0-beta3/engines/Makefile.enginesdir 2009-06-14 04:37:22.000000000 +0200 ++++ openssl-1.0.0-beta3/engines/Makefile 2009-08-10 19:46:48.000000000 +0200 +@@ -123,7 +123,7 @@ install: + sfx=".so"; \ + cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \ + fi; \ +- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \ ++ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx ); \ + done; \ + fi diff --git a/openssl-1.0.0-beta3-fips.patch b/openssl-1.0.0-beta3-fips.patch new file mode 100644 index 0000000..d552198 --- /dev/null +++ b/openssl-1.0.0-beta3-fips.patch @@ -0,0 +1,12025 @@ +diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure +--- openssl-1.0.0-beta3/Configure.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/Configure 2009-08-11 18:07:30.000000000 +0200 +@@ -654,6 +654,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml + my $processor=""; + my $default_ranlib; + my $perl; ++my $fips=0; + + + # All of the following is disabled by default (RC5 was enabled before 0.9.8): +@@ -797,6 +798,10 @@ PROCESS_ARGS: + } + elsif (/^386$/) + { $processor=386; } ++ elsif (/^fips$/) ++ { ++ $fips=1; ++ } + elsif (/^rsaref$/) + { + # No RSAref support any more since it's not needed. +@@ -1349,6 +1354,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no + + $cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/); + ++if ($fips) ++ { ++ $openssl_other_defines.="#define OPENSSL_FIPS\n"; ++ } ++ + $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); + $des_obj=$des_enc unless ($des_obj =~ /\.o$/); + $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/); +@@ -1504,6 +1514,10 @@ while () + s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; + s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/; + s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/; ++ if ($fips) ++ { ++ s/^FIPS=.*/FIPS=yes/; ++ } + s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; + s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; + s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); +diff -up openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta3/crypto/bf/bf_skey.c +--- openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/bf/bf_skey.c 2009-08-11 18:07:30.000000000 +0200 +@@ -59,10 +59,15 @@ + #include + #include + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + #include "bf_locl.h" + #include "bf_pi.h" + +-void BF_set_key(BF_KEY *key, int len, const unsigned char *data) ++FIPS_NON_FIPS_VCIPHER_Init(BF) + { + int i; + BF_LONG *p,ri,in[2]; +diff -up openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips openssl-1.0.0-beta3/crypto/bf/blowfish.h +--- openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/bf/blowfish.h 2009-08-11 18:07:30.000000000 +0200 +@@ -104,7 +104,9 @@ typedef struct bf_key_st + BF_LONG S[4*256]; + } BF_KEY; + +- ++#ifdef OPENSSL_FIPS ++void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data); ++#endif + void BF_set_key(BF_KEY *key, int len, const unsigned char *data); + + void BF_encrypt(BF_LONG *data,const BF_KEY *key); +diff -up openssl-1.0.0-beta3/crypto/bn/bn.h.fips openssl-1.0.0-beta3/crypto/bn/bn.h +--- openssl-1.0.0-beta3/crypto/bn/bn.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/bn/bn.h 2009-08-11 18:07:30.000000000 +0200 +@@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n + int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, + int do_trial_division, BN_GENCB *cb); + ++int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx); ++ ++int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, ++ const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, ++ const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); ++int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, ++ BIGNUM *Xp1, BIGNUM *Xp2, ++ const BIGNUM *Xp, ++ const BIGNUM *e, BN_CTX *ctx, ++ BN_GENCB *cb); ++ + BN_MONT_CTX *BN_MONT_CTX_new(void ); + void BN_MONT_CTX_init(BN_MONT_CTX *ctx); + int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b, +diff -up /dev/null openssl-1.0.0-beta3/crypto/bn/bn_x931p.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/bn/bn_x931p.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,272 @@ ++/* bn_x931p.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2005. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++#include ++#include ++ ++/* X9.31 routines for prime derivation */ ++ ++/* X9.31 prime derivation. This is used to generate the primes pi ++ * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd ++ * integers. ++ */ ++ ++static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx, ++ BN_GENCB *cb) ++ { ++ int i = 0; ++ if (!BN_copy(pi, Xpi)) ++ return 0; ++ if (!BN_is_odd(pi) && !BN_add_word(pi, 1)) ++ return 0; ++ for(;;) ++ { ++ i++; ++ BN_GENCB_call(cb, 0, i); ++ /* NB 27 MR is specificed in X9.31 */ ++ if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb)) ++ break; ++ if (!BN_add_word(pi, 2)) ++ return 0; ++ } ++ BN_GENCB_call(cb, 2, i); ++ return 1; ++ } ++ ++/* This is the main X9.31 prime derivation function. From parameters ++ * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are ++ * not NULL they will be returned too: this is needed for testing. ++ */ ++ ++int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, ++ const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, ++ const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb) ++ { ++ int ret = 0; ++ ++ BIGNUM *t, *p1p2, *pm1; ++ ++ /* Only even e supported */ ++ if (!BN_is_odd(e)) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ if (!p1) ++ p1 = BN_CTX_get(ctx); ++ ++ if (!p2) ++ p2 = BN_CTX_get(ctx); ++ ++ t = BN_CTX_get(ctx); ++ ++ p1p2 = BN_CTX_get(ctx); ++ ++ pm1 = BN_CTX_get(ctx); ++ ++ if (!bn_x931_derive_pi(p1, Xp1, ctx, cb)) ++ goto err; ++ ++ if (!bn_x931_derive_pi(p2, Xp2, ctx, cb)) ++ goto err; ++ ++ if (!BN_mul(p1p2, p1, p2, ctx)) ++ goto err; ++ ++ /* First set p to value of Rp */ ++ ++ if (!BN_mod_inverse(p, p2, p1, ctx)) ++ goto err; ++ ++ if (!BN_mul(p, p, p2, ctx)) ++ goto err; ++ ++ if (!BN_mod_inverse(t, p1, p2, ctx)) ++ goto err; ++ ++ if (!BN_mul(t, t, p1, ctx)) ++ goto err; ++ ++ if (!BN_sub(p, p, t)) ++ goto err; ++ ++ if (p->neg && !BN_add(p, p, p1p2)) ++ goto err; ++ ++ /* p now equals Rp */ ++ ++ if (!BN_mod_sub(p, p, Xp, p1p2, ctx)) ++ goto err; ++ ++ if (!BN_add(p, p, Xp)) ++ goto err; ++ ++ /* p now equals Yp0 */ ++ ++ for (;;) ++ { ++ int i = 1; ++ BN_GENCB_call(cb, 0, i++); ++ if (!BN_copy(pm1, p)) ++ goto err; ++ if (!BN_sub_word(pm1, 1)) ++ goto err; ++ if (!BN_gcd(t, pm1, e, ctx)) ++ goto err; ++ if (BN_is_one(t) ++ /* X9.31 specifies 8 MR and 1 Lucas test or any prime test ++ * offering similar or better guarantees 50 MR is considerably ++ * better. ++ */ ++ && BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb)) ++ break; ++ if (!BN_add(p, p, p1p2)) ++ goto err; ++ } ++ ++ BN_GENCB_call(cb, 3, 0); ++ ++ ret = 1; ++ ++ err: ++ ++ BN_CTX_end(ctx); ++ ++ return ret; ++ } ++ ++/* Generate pair of paramters Xp, Xq for X9.31 prime generation. ++ * Note: nbits paramter is sum of number of bits in both. ++ */ ++ ++int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) ++ { ++ BIGNUM *t; ++ int i; ++ /* Number of bits for each prime is of the form ++ * 512+128s for s = 0, 1, ... ++ */ ++ if ((nbits < 1024) || (nbits & 0xff)) ++ return 0; ++ nbits >>= 1; ++ /* The random value Xp must be between sqrt(2) * 2^(nbits-1) and ++ * 2^nbits - 1. By setting the top two bits we ensure that the lower ++ * bound is exceeded. ++ */ ++ if (!BN_rand(Xp, nbits, 1, 0)) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ t = BN_CTX_get(ctx); ++ ++ for (i = 0; i < 1000; i++) ++ { ++ if (!BN_rand(Xq, nbits, 1, 0)) ++ return 0; ++ /* Check that |Xp - Xq| > 2^(nbits - 100) */ ++ BN_sub(t, Xp, Xq); ++ if (BN_num_bits(t) > (nbits - 100)) ++ break; ++ } ++ ++ BN_CTX_end(ctx); ++ ++ if (i < 1000) ++ return 1; ++ ++ return 0; ++ ++ } ++ ++/* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1 ++ * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL ++ * the relevant parameter will be stored in it. ++ * ++ * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq ++ * are generated using the previous function and supplied as input. ++ */ ++ ++int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, ++ BIGNUM *Xp1, BIGNUM *Xp2, ++ const BIGNUM *Xp, ++ const BIGNUM *e, BN_CTX *ctx, ++ BN_GENCB *cb) ++ { ++ int ret = 0; ++ ++ BN_CTX_start(ctx); ++ if (!Xp1) ++ Xp1 = BN_CTX_get(ctx); ++ if (!Xp2) ++ Xp2 = BN_CTX_get(ctx); ++ ++ if (!BN_rand(Xp1, 101, 0, 0)) ++ goto error; ++ if (!BN_rand(Xp2, 101, 0, 0)) ++ goto error; ++ if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb)) ++ goto error; ++ ++ ret = 1; ++ ++ error: ++ BN_CTX_end(ctx); ++ ++ return ret; ++ ++ } ++ +diff -up openssl-1.0.0-beta3/crypto/bn/Makefile.fips openssl-1.0.0-beta3/crypto/bn/Makefile +--- openssl-1.0.0-beta3/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/bn/Makefile 2009-08-11 18:07:30.000000000 +0200 +@@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_li + bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ + bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ + bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ +- bn_depr.c bn_const.c ++ bn_depr.c bn_const.c bn_x931p.c + + LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \ + bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \ + bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \ + bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \ +- bn_depr.o bn_const.o ++ bn_depr.o bn_const.o bn_x931p.o + + SRC= $(LIBSRC) + +diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl +--- openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl 2009-08-20 16:54:59.000000000 +0200 +@@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0; + } + &function_end("Camellia_Ekeygen"); + ++$setkeyfunc = "Camellia_set_key"; ++$setkeyfunc = "private_Camellia_set_key" if ($ENV{FIPS} ne ""); ++ + if ($OPENSSL) { + # int Camellia_set_key ( + # const unsigned char *userKey, + # int bits, + # CAMELLIA_KEY *key) +-&function_begin_B("Camellia_set_key"); ++&function_begin_B($setkeyfunc); + &push ("ebx"); + &mov ("ecx",&wparam(0)); # pull arguments + &mov ("ebx",&wparam(1)); +@@ -760,7 +763,7 @@ if ($OPENSSL) { + &set_label("done",4); + &pop ("ebx"); + &ret (); +-&function_end_B("Camellia_set_key"); ++&function_end_B($setkeyfunc); + } + + @SBOX=( +diff -up openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips openssl-1.0.0-beta3/crypto/camellia/camellia.h +--- openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips 2009-08-11 18:07:29.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/camellia.h 2009-08-11 18:07:30.000000000 +0200 +@@ -88,6 +88,11 @@ struct camellia_key_st + }; + typedef struct camellia_key_st CAMELLIA_KEY; + ++#ifdef OPENSSL_FIPS ++int private_Camellia_set_key(const unsigned char *userKey, const int bits, ++ CAMELLIA_KEY *key); ++#endif ++ + int Camellia_set_key(const unsigned char *userKey, const int bits, + CAMELLIA_KEY *key); + +diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c +--- openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips 2009-08-20 17:01:56.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c 2009-08-20 17:03:21.000000000 +0200 +@@ -0,0 +1,68 @@ ++/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */ ++/* ==================================================================== ++ * Copyright (c) 2006 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ */ ++ ++#include ++#include ++#include "cmll_locl.h" ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ ++#ifdef OPENSSL_FIPS ++int Camellia_set_key(const unsigned char *userKey, const int bits, ++ CAMELLIA_KEY *key) ++ { ++ if (FIPS_mode()) ++ FIPS_BAD_ABORT(CAMELLIA) ++ return private_Camellia_set_key(userKey, bits, key); ++ } ++#endif +diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c +--- openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c 2009-08-20 17:04:10.000000000 +0200 +@@ -52,11 +52,20 @@ + #include + #include + #include "cmll_locl.h" ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif + + const char CAMELLIA_version[]="CAMELLIA" OPENSSL_VERSION_PTEXT; + ++#ifdef OPENSSL_FIPS ++int private_Camellia_set_key(const unsigned char *userKey, const int bits, ++ CAMELLIA_KEY *key) ++#else + int Camellia_set_key(const unsigned char *userKey, const int bits, + CAMELLIA_KEY *key) ++#endif + { + if(!userKey || !key) + return -1; +diff -up openssl-1.0.0-beta3/crypto/camellia/Makefile.fips openssl-1.0.0-beta3/crypto/camellia/Makefile +--- openssl-1.0.0-beta3/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/camellia/Makefile 2009-08-20 17:02:56.000000000 +0200 +@@ -23,9 +23,9 @@ APPS= + + LIB=$(TOP)/libcrypto.a + LIBSRC=camellia.c cmll_misc.c cmll_ecb.c cmll_cbc.c cmll_ofb.c \ +- cmll_cfb.c cmll_ctr.c ++ cmll_cfb.c cmll_ctr.c cmll_fblk.c + +-LIBOBJ= cmll_ecb.o cmll_ofb.o cmll_cfb.o cmll_ctr.o $(CMLL_ENC) ++LIBOBJ= cmll_ecb.o cmll_ofb.o cmll_cfb.o cmll_ctr.o $(CMLL_ENC) cmll_fblk.o + + SRC= $(LIBSRC) + +diff -up openssl-1.0.0-beta3/crypto/cast/cast.h.fips openssl-1.0.0-beta3/crypto/cast/cast.h +--- openssl-1.0.0-beta3/crypto/cast/cast.h.fips 2009-08-11 18:07:29.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/cast/cast.h 2009-08-11 18:07:30.000000000 +0200 +@@ -83,7 +83,9 @@ typedef struct cast_key_st + int short_key; /* Use reduced rounds for short key */ + } CAST_KEY; + +- ++#ifdef OPENSSL_FIPS ++void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); ++#endif + void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); + void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key, + int enc); +diff -up openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips openssl-1.0.0-beta3/crypto/cast/c_skey.c +--- openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/cast/c_skey.c 2009-08-11 18:07:30.000000000 +0200 +@@ -57,6 +57,11 @@ + */ + + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + #include "cast_lcl.h" + #include "cast_s.h" + +@@ -72,7 +77,7 @@ + #define S6 CAST_S_table6 + #define S7 CAST_S_table7 + +-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) ++FIPS_NON_FIPS_VCIPHER_Init(CAST) + { + CAST_LONG x[16]; + CAST_LONG z[16]; +diff -up openssl-1.0.0-beta3/crypto/crypto.h.fips openssl-1.0.0-beta3/crypto/crypto.h +--- openssl-1.0.0-beta3/crypto/crypto.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/crypto.h 2009-08-11 18:07:30.000000000 +0200 +@@ -546,12 +546,69 @@ void OpenSSLDie(const char *file,int lin + unsigned long *OPENSSL_ia32cap_loc(void); + #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) + ++#ifdef OPENSSL_FIPS ++#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ ++ alg " previous FIPS forbidden algorithm error ignored"); ++ ++#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \ ++ #alg " Algorithm forbidden in FIPS mode"); ++ ++#ifdef OPENSSL_FIPS_STRICT ++#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg) ++#else ++#define FIPS_BAD_ALGORITHM(alg) \ ++ { \ ++ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \ ++ ERR_add_error_data(2, "Algorithm=", #alg); \ ++ return 0; \ ++ } ++#endif ++ ++/* Low level digest API blocking macro */ ++ ++#define FIPS_NON_FIPS_MD_Init(alg) \ ++ int alg##_Init(alg##_CTX *c) \ ++ { \ ++ if (FIPS_mode()) \ ++ FIPS_BAD_ALGORITHM(alg) \ ++ return private_##alg##_Init(c); \ ++ } \ ++ int private_##alg##_Init(alg##_CTX *c) ++ ++/* For ciphers the API often varies from cipher to cipher and each needs to ++ * be treated as a special case. Variable key length ciphers (Blowfish, RC4, ++ * CAST) however are very similar and can use a blocking macro. ++ */ ++ ++#define FIPS_NON_FIPS_VCIPHER_Init(alg) \ ++ void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \ ++ { \ ++ if (FIPS_mode()) \ ++ FIPS_BAD_ABORT(alg) \ ++ private_##alg##_set_key(key, len, data); \ ++ } \ ++ void private_##alg##_set_key(alg##_KEY *key, int len, \ ++ const unsigned char *data) ++ ++#else ++ ++#define FIPS_NON_FIPS_VCIPHER_Init(alg) \ ++ void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) ++ ++#define FIPS_NON_FIPS_MD_Init(alg) \ ++ int alg##_Init(alg##_CTX *c) ++ ++#endif /* def OPENSSL_FIPS */ ++ + /* BEGIN ERROR CODES */ + /* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. + */ + void ERR_load_CRYPTO_strings(void); + ++#define OPENSSL_HAVE_INIT 1 ++void OPENSSL_init_library(void); ++ + /* Error codes for the CRYPTO functions. */ + + /* Function codes. */ +diff -up openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips openssl-1.0.0-beta3/crypto/dh/dh_err.c +--- openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/dh/dh_err.c 2009-08-11 18:07:30.000000000 +0200 +@@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]= + {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"}, + {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, + {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"}, ++{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"}, ++{ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"}, + {ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"}, + {ERR_FUNC(DH_F_DH_PARAM_DECODE), "DH_PARAM_DECODE"}, + {ERR_FUNC(DH_F_DH_PRIV_DECODE), "DH_PRIV_DECODE"}, +@@ -94,6 +96,7 @@ static ERR_STRING_DATA DH_str_reasons[]= + {ERR_REASON(DH_R_BN_ERROR) ,"bn error"}, + {ERR_REASON(DH_R_DECODE_ERROR) ,"decode error"}, + {ERR_REASON(DH_R_INVALID_PUBKEY) ,"invalid public key"}, ++{ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, + {ERR_REASON(DH_R_KEYS_NOT_SET) ,"keys not set"}, + {ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"}, + {ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"}, +diff -up openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta3/crypto/dh/dh_gen.c +--- openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dh/dh_gen.c 2009-08-11 18:07:30.000000000 +0200 +@@ -65,6 +65,10 @@ + #include "cryptlib.h" + #include + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif + + static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); + +@@ -106,6 +110,20 @@ static int dh_builtin_genparams(DH *ret, + int g,ok= -1; + BN_CTX *ctx=NULL; + ++#ifdef OPENSSL_FIPS ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) ++ { ++ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif ++ + ctx=BN_CTX_new(); + if (ctx == NULL) goto err; + BN_CTX_start(ctx); +diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/dh.h +--- openssl-1.0.0-beta3/crypto/dh/dh.h.fips 2009-08-11 18:07:29.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dh/dh.h 2009-08-11 18:07:30.000000000 +0200 +@@ -77,6 +77,8 @@ + # define OPENSSL_DH_MAX_MODULUS_BITS 10000 + #endif + ++#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 ++ + #define DH_FLAG_CACHE_MONT_P 0x01 + #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH + * implementation now uses constant time +@@ -240,6 +242,8 @@ void ERR_load_DH_strings(void); + #define DH_F_GENERATE_PARAMETERS 104 + #define DH_F_PKEY_DH_DERIVE 112 + #define DH_F_PKEY_DH_KEYGEN 113 ++#define DH_F_DH_COMPUTE_KEY 114 ++#define DH_F_DH_GENERATE_KEY 115 + + /* Reason codes. */ + #define DH_R_BAD_GENERATOR 101 +@@ -252,6 +256,7 @@ void ERR_load_DH_strings(void); + #define DH_R_NO_PARAMETERS_SET 107 + #define DH_R_NO_PRIVATE_VALUE 100 + #define DH_R_PARAMETER_ENCODING_ERROR 105 ++#define DH_R_KEY_SIZE_TOO_SMALL 110 + + #ifdef __cplusplus + } +diff -up openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips openssl-1.0.0-beta3/crypto/dh/dh_key.c +--- openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dh/dh_key.c 2009-08-11 18:07:30.000000000 +0200 +@@ -61,6 +61,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif + + static int generate_key(DH *dh); + static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); +@@ -107,6 +110,14 @@ static int generate_key(DH *dh) + BN_MONT_CTX *mont=NULL; + BIGNUM *pub_key=NULL,*priv_key=NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) ++ { ++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++#endif ++ + ctx = BN_CTX_new(); + if (ctx == NULL) goto err; + +@@ -184,6 +195,13 @@ static int compute_key(unsigned char *ke + DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE); + goto err; + } ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) ++ { ++ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif + + ctx = BN_CTX_new(); + if (ctx == NULL) goto err; +@@ -251,6 +269,9 @@ static int dh_bn_mod_exp(const DH *dh, B + + static int dh_init(DH *dh) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + dh->flags |= DH_FLAG_CACHE_MONT_P; + return(1); + } +diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c +--- openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c 2009-08-11 18:07:30.000000000 +0200 +@@ -77,8 +77,12 @@ + #include "cryptlib.h" + #include + #include ++#include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif + #include "dsa_locl.h" + + int DSA_generate_parameters_ex(DSA *ret, int bits, +@@ -126,6 +130,21 @@ int dsa_builtin_paramgen(DSA *ret, size_ + BN_CTX *ctx=NULL; + unsigned int h=2; + ++#ifdef OPENSSL_FIPS ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) ++ { ++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif ++ + if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && + qsize != SHA256_DIGEST_LENGTH) + /* invalid q size */ +diff -up openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips openssl-1.0.0-beta3/crypto/dsa/dsa.h +--- openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dsa/dsa.h 2009-08-11 18:07:30.000000000 +0200 +@@ -88,6 +88,8 @@ + # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 + #endif + ++#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 ++ + #define DSA_FLAG_CACHE_MONT_P 0x01 + #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA + * implementation now uses constant time +@@ -97,6 +99,21 @@ + * be used for all exponents. + */ + ++/* If this flag is set the DSA method is FIPS compliant and can be used ++ * in FIPS mode. This is set in the validated module method. If an ++ * application sets this flag in its own methods it is its reposibility ++ * to ensure the result is compliant. ++ */ ++ ++#define DSA_FLAG_FIPS_METHOD 0x0400 ++ ++/* If this flag is set the operations normally disabled in FIPS mode are ++ * permitted it is then the applications responsibility to ensure that the ++ * usage is compliant. ++ */ ++ ++#define DSA_FLAG_NON_FIPS_ALLOW 0x0400 ++ + #ifdef __cplusplus + extern "C" { + #endif +@@ -270,8 +287,11 @@ void ERR_load_DSA_strings(void); + #define DSA_F_DO_DSA_PRINT 104 + #define DSA_F_DSAPARAMS_PRINT 100 + #define DSA_F_DSAPARAMS_PRINT_FP 101 ++#define DSA_F_DSA_BUILTIN_KEYGEN 124 ++#define DSA_F_DSA_BUILTIN_PARAMGEN 123 + #define DSA_F_DSA_DO_SIGN 112 + #define DSA_F_DSA_DO_VERIFY 113 ++#define DSA_F_DSA_GENERATE_PARAMETERS 125 + #define DSA_F_DSA_NEW_METHOD 103 + #define DSA_F_DSA_PARAM_DECODE 119 + #define DSA_F_DSA_PRINT_FP 105 +@@ -296,9 +316,12 @@ void ERR_load_DSA_strings(void); + #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 + #define DSA_R_DECODE_ERROR 104 + #define DSA_R_INVALID_DIGEST_TYPE 106 ++#define DSA_R_KEY_SIZE_TOO_SMALL 110 + #define DSA_R_MISSING_PARAMETERS 101 + #define DSA_R_MODULUS_TOO_LARGE 103 ++#define DSA_R_NON_FIPS_METHOD 111 + #define DSA_R_NO_PARAMETERS_SET 107 ++#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 112 + #define DSA_R_PARAMETER_ENCODING_ERROR 105 + + #ifdef __cplusplus +diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_key.c +--- openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dsa/dsa_key.c 2009-08-11 18:09:42.000000000 +0200 +@@ -65,9 +65,42 @@ + #include + #include + #include ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include "fips_locl.h" + + static int dsa_builtin_keygen(DSA *dsa); + ++#ifdef OPENSSL_FIPS ++ ++static int fips_dsa_pairwise_fail = 0; ++ ++void FIPS_corrupt_dsa_keygen(void) ++ { ++ fips_dsa_pairwise_fail = 1; ++ } ++ ++int fips_check_dsa(DSA *dsa) ++ { ++ EVP_PKEY pk; ++ unsigned char tbs[] = "DSA Pairwise Check Data"; ++ pk.type = EVP_PKEY_DSA; ++ pk.pkey.dsa = dsa; ++ ++ if (!fips_pkey_signature_test(&pk, tbs, -1, ++ NULL, 0, EVP_dss1(), 0, NULL)) ++ { ++ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); ++ fips_set_selftest_fail(); ++ return 0; ++ } ++ return 1; ++ } ++#endif ++ + int DSA_generate_key(DSA *dsa) + { + if(dsa->meth->dsa_keygen) +@@ -79,6 +110,14 @@ static int dsa_builtin_keygen(DSA *dsa) + BN_CTX *ctx=NULL; + BIGNUM *pub_key=NULL,*priv_key=NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) ++ { ++ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif ++ + if ((ctx=BN_CTX_new()) == NULL) goto err; + + if (dsa->priv_key == NULL) +@@ -117,6 +156,15 @@ static int dsa_builtin_keygen(DSA *dsa) + + dsa->priv_key=priv_key; + dsa->pub_key=pub_key; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ if (fips_dsa_pairwise_fail) ++ BN_add_word(dsa->pub_key, 1); ++ if(!fips_check_dsa(dsa)) ++ goto err; ++ } ++#endif + ok=1; + + err: +diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c +--- openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c 2009-08-11 18:07:30.000000000 +0200 +@@ -65,6 +65,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif + + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); + static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); +@@ -82,7 +85,7 @@ NULL, /* dsa_mod_exp, */ + NULL, /* dsa_bn_mod_exp, */ + dsa_init, + dsa_finish, +-0, ++DSA_FLAG_FIPS_METHOD, + NULL, + NULL, + NULL +@@ -137,6 +140,20 @@ static DSA_SIG *dsa_do_sign(const unsign + int reason=ERR_R_BN_LIB; + DSA_SIG *ret=NULL; + ++#ifdef OPENSSL_FIPS ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++ ++ if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) ++ { ++ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); ++ return NULL; ++ } ++#endif ++ + BN_init(&m); + BN_init(&xr); + +@@ -312,6 +329,20 @@ static int dsa_do_verify(const unsigned + return -1; + } + ++#ifdef OPENSSL_FIPS ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++ ++ if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) ++ { ++ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++#endif ++ + i = BN_num_bits(dsa->q); + /* fips 186-3 allows only different sizes for q */ + if (i != 160 && i != 224 && i != 256) +@@ -403,6 +434,9 @@ static int dsa_do_verify(const unsigned + + static int dsa_init(DSA *dsa) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + dsa->flags|=DSA_FLAG_CACHE_MONT_P; + return(1); + } +diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypto/err/err_all.c +--- openssl-1.0.0-beta3/crypto/err/err_all.c.fips 2008-11-24 18:27:06.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/err/err_all.c 2009-08-11 18:07:30.000000000 +0200 +@@ -96,6 +96,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif + #ifndef OPENSSL_NO_CMS + #include + #endif +@@ -148,6 +151,9 @@ void ERR_load_crypto_strings(void) + #endif + ERR_load_OCSP_strings(); + ERR_load_UI_strings(); ++#ifdef OPENSSL_FIPS ++ ERR_load_FIPS_strings(); ++#endif + #ifndef OPENSSL_NO_CMS + ERR_load_CMS_strings(); + #endif +diff -up openssl-1.0.0-beta3/crypto/evp/digest.c.fips openssl-1.0.0-beta3/crypto/evp/digest.c +--- openssl-1.0.0-beta3/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/evp/digest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -116,6 +116,7 @@ + #ifndef OPENSSL_NO_ENGINE + #include + #endif ++#include "evp_locl.h" + + void EVP_MD_CTX_init(EVP_MD_CTX *ctx) + { +@@ -137,9 +138,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons + return EVP_DigestInit_ex(ctx, type, NULL); + } + ++#ifdef OPENSSL_FIPS ++ ++/* The purpose of these is to trap programs that attempt to use non FIPS ++ * algorithms in FIPS mode and ignore the errors. ++ */ ++ ++static int bad_init(EVP_MD_CTX *ctx) ++ { FIPS_ERROR_IGNORED("Digest init"); return 0;} ++ ++static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count) ++ { FIPS_ERROR_IGNORED("Digest update"); return 0;} ++ ++static int bad_final(EVP_MD_CTX *ctx,unsigned char *md) ++ { FIPS_ERROR_IGNORED("Digest Final"); return 0;} ++ ++static const EVP_MD bad_md = ++ { ++ 0, ++ 0, ++ 0, ++ 0, ++ bad_init, ++ bad_update, ++ bad_final, ++ NULL, ++ NULL, ++ NULL, ++ 0, ++ {0,0,0,0}, ++ }; ++ ++#endif ++ + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) + { + EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); ++#ifdef OPENSSL_FIPS ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); ++ ctx->digest = &bad_md; ++ return 0; ++ } ++#endif + #ifndef OPENSSL_NO_ENGINE + /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts + * so this context may already have an ENGINE! Try to avoid releasing +@@ -195,6 +237,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c + #endif + if (ctx->digest != type) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ if (!(type->flags & EVP_MD_FLAG_FIPS) ++ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) ++ { ++ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); ++ ctx->digest = &bad_md; ++ return 0; ++ } ++ } ++#endif + if (ctx->digest && ctx->digest->ctx_size) + OPENSSL_free(ctx->md_data); + ctx->digest=type; +@@ -222,6 +276,9 @@ skip_to_init: + + int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + return ctx->update(ctx,data,count); + } + +@@ -238,6 +295,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns + int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) + { + int ret; ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + + OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); + ret=ctx->digest->final(ctx,md); +diff -up openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips openssl-1.0.0-beta3/crypto/evp/e_aes.c +--- openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/evp/e_aes.c 2009-08-11 18:07:30.000000000 +0200 +@@ -69,32 +69,29 @@ typedef struct + + IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, + NID_aes_128, 16, 16, 16, 128, +- 0, aes_init_key, NULL, +- EVP_CIPHER_set_asn1_iv, +- EVP_CIPHER_get_asn1_iv, +- NULL) ++ EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, ++ aes_init_key, ++ NULL, NULL, NULL, NULL) + IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY, + NID_aes_192, 16, 24, 16, 128, +- 0, aes_init_key, NULL, +- EVP_CIPHER_set_asn1_iv, +- EVP_CIPHER_get_asn1_iv, +- NULL) ++ EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, ++ aes_init_key, ++ NULL, NULL, NULL, NULL) + IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY, + NID_aes_256, 16, 32, 16, 128, +- 0, aes_init_key, NULL, +- EVP_CIPHER_set_asn1_iv, +- EVP_CIPHER_get_asn1_iv, +- NULL) +- +-#define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16) +- +-IMPLEMENT_AES_CFBR(128,1) +-IMPLEMENT_AES_CFBR(192,1) +-IMPLEMENT_AES_CFBR(256,1) +- +-IMPLEMENT_AES_CFBR(128,8) +-IMPLEMENT_AES_CFBR(192,8) +-IMPLEMENT_AES_CFBR(256,8) ++ EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, ++ aes_init_key, ++ NULL, NULL, NULL, NULL) ++ ++#define IMPLEMENT_AES_CFBR(ksize,cbits,flags) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags) ++ ++IMPLEMENT_AES_CFBR(128,1,EVP_CIPH_FLAG_FIPS) ++IMPLEMENT_AES_CFBR(192,1,EVP_CIPH_FLAG_FIPS) ++IMPLEMENT_AES_CFBR(256,1,EVP_CIPH_FLAG_FIPS) ++ ++IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS) ++IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS) ++IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS) + + static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +diff -up openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta3/crypto/evp/e_camellia.c +--- openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/e_camellia.c 2009-08-11 18:07:30.000000000 +0200 +@@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks, + EVP_CIPHER_get_asn1_iv, + NULL) + +-#define IMPLEMENT_CAMELLIA_CFBR(ksize,cbits) IMPLEMENT_CFBR(camellia,Camellia,EVP_CAMELLIA_KEY,ks,ksize,cbits,16) ++#define IMPLEMENT_CAMELLIA_CFBR(ksize,cbits) IMPLEMENT_CFBR(camellia,Camellia,EVP_CAMELLIA_KEY,ks,ksize,cbits,16,0) + + IMPLEMENT_CAMELLIA_CFBR(128,1) + IMPLEMENT_CAMELLIA_CFBR(192,1) +diff -up openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips openssl-1.0.0-beta3/crypto/evp/e_des3.c +--- openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/evp/e_des3.c 2009-08-11 18:07:30.000000000 +0200 +@@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH + } + + BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, +- EVP_CIPH_RAND_KEY, des_ede_init_key, NULL, +- EVP_CIPHER_set_asn1_iv, +- EVP_CIPHER_get_asn1_iv, ++ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, ++ des_ede_init_key, ++ NULL, NULL, NULL, + des3_ctrl) + + #define des_ede3_cfb64_cipher des_ede_cfb64_cipher +@@ -217,21 +217,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, + #define des_ede3_ecb_cipher des_ede_ecb_cipher + + BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, +- EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL, +- EVP_CIPHER_set_asn1_iv, +- EVP_CIPHER_get_asn1_iv, ++ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, ++ des_ede3_init_key, ++ NULL, NULL, NULL, + des3_ctrl) + + BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1, +- EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL, +- EVP_CIPHER_set_asn1_iv, +- EVP_CIPHER_get_asn1_iv, ++ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, ++ des_ede3_init_key, ++ NULL, NULL, NULL, + des3_ctrl) + + BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8, +- EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL, +- EVP_CIPHER_set_asn1_iv, +- EVP_CIPHER_get_asn1_iv, ++ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, ++ des_ede3_init_key, ++ NULL, NULL, NULL, + des3_ctrl) + + static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, +diff -up openssl-1.0.0-beta3/crypto/evp/e_null.c.fips openssl-1.0.0-beta3/crypto/evp/e_null.c +--- openssl-1.0.0-beta3/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/evp/e_null.c 2009-08-11 18:07:30.000000000 +0200 +@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher= + { + NID_undef, + 1,0,0, +- 0, ++ EVP_CIPH_FLAG_FIPS, + null_init_key, + null_cipher, + NULL, +diff -up openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta3/crypto/evp/evp_enc.c +--- openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/evp/evp_enc.c 2009-08-11 18:07:30.000000000 +0200 +@@ -68,8 +68,53 @@ + + const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; + ++#ifdef OPENSSL_FIPS ++ ++/* The purpose of these is to trap programs that attempt to use non FIPS ++ * algorithms in FIPS mode and ignore the errors. ++ */ ++ ++static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc) ++ { FIPS_ERROR_IGNORED("Cipher init"); return 0;} ++ ++static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, unsigned int inl) ++ { FIPS_ERROR_IGNORED("Cipher update"); return 0;} ++ ++/* NB: no cleanup because it is allowed after failed init */ ++ ++static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ) ++ { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;} ++static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ) ++ { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;} ++static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) ++ { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;} ++ ++static const EVP_CIPHER bad_cipher = ++ { ++ 0, ++ 0, ++ 0, ++ 0, ++ 0, ++ bad_init, ++ bad_do_cipher, ++ NULL, ++ 0, ++ bad_set_asn1, ++ bad_get_asn1, ++ bad_ctrl, ++ NULL ++ }; ++ ++#endif ++ + void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + memset(ctx,0,sizeof(EVP_CIPHER_CTX)); + /* ctx->cipher=NULL; */ + } +@@ -101,6 +146,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + enc = 1; + ctx->encrypt = enc; + } ++#ifdef OPENSSL_FIPS ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); ++ ctx->cipher = &bad_cipher; ++ return 0; ++ } ++#endif + #ifndef OPENSSL_NO_ENGINE + /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts + * so this context may already have an ENGINE! Try to avoid releasing +@@ -219,6 +272,22 @@ skip_to_init: + } + } + ++#ifdef OPENSSL_FIPS ++ /* After 'key' is set no further parameters changes are permissible. ++ * So only check for non FIPS enabling at this point. ++ */ ++ if (key && FIPS_mode()) ++ { ++ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) ++ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) ++ { ++ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS); ++ ctx->cipher = &bad_cipher; ++ return 0; ++ } ++ } ++#endif ++ + if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { + if(!ctx->cipher->init(ctx,key,iv,enc)) return 0; + } +diff -up openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips openssl-1.0.0-beta3/crypto/evp/evp_err.c +--- openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/evp/evp_err.c 2009-08-11 18:07:30.000000000 +0200 +@@ -154,6 +154,7 @@ static ERR_STRING_DATA EVP_str_reasons[] + {ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"}, + {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"}, + {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"}, ++{ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"}, + {ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, + {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, + {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, +diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/evp/evp.h +--- openssl-1.0.0-beta3/crypto/evp/evp.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/evp.h 2009-08-11 18:07:30.000000000 +0200 +@@ -75,6 +75,10 @@ + #include + #endif + ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + /* + #define EVP_RC2_KEY_SIZE 16 + #define EVP_RC4_KEY_SIZE 16 +@@ -197,6 +201,8 @@ typedef int evp_verify_method(int type,c + + #define EVP_MD_FLAG_PKEY_METHOD_SIGNATURE 0x0004 + ++#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */ ++ + /* DigestAlgorithmIdentifier flags... */ + + #define EVP_MD_FLAG_DIGALGID_MASK 0x0018 +@@ -269,10 +275,6 @@ struct env_md_ctx_st + * cleaned */ + #define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data + * in EVP_MD_CTX_cleanup */ +-/* FIPS and pad options are ignored in 1.0.0, definitions are here +- * so we don't accidentally reuse the values for other purposes. +- */ +- + #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest + * in FIPS mode */ + +@@ -330,6 +332,14 @@ struct evp_cipher_st + #define EVP_CIPH_NO_PADDING 0x100 + /* cipher handles random key generation */ + #define EVP_CIPH_RAND_KEY 0x200 ++/* Note if suitable for use in FIPS mode */ ++#define EVP_CIPH_FLAG_FIPS 0x400 ++/* Allow non FIPS cipher in FIPS mode */ ++#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800 ++/* Allow use default ASN1 get/set iv */ ++#define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000 ++/* Buffer length in bits not bytes: CFB1 mode only */ ++#define EVP_CIPH_FLAG_LENGTH_BITS 0x2000 + + /* ctrl() values */ + +@@ -507,6 +517,10 @@ int EVP_BytesToKey(const EVP_CIPHER *typ + const unsigned char *salt, const unsigned char *data, + int datal, int count, unsigned char *key,unsigned char *iv); + ++void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); ++void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); ++int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx,int flags); ++ + int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, + const unsigned char *key, const unsigned char *iv); + int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl, +@@ -1225,6 +1239,7 @@ void ERR_load_EVP_strings(void); + #define EVP_R_DECODE_ERROR 114 + #define EVP_R_DIFFERENT_KEY_TYPES 101 + #define EVP_R_DIFFERENT_PARAMETERS 153 ++#define EVP_R_DISABLED_FOR_FIPS 160 + #define EVP_R_ENCODE_ERROR 115 + #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 + #define EVP_R_EXPECTING_AN_RSA_KEY 127 +diff -up openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta3/crypto/evp/evp_lib.c +--- openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/evp_lib.c 2009-08-11 18:07:30.000000000 +0200 +@@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_ + + if (c->cipher->set_asn1_parameters != NULL) + ret=c->cipher->set_asn1_parameters(c,type); ++ else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) ++ ret=EVP_CIPHER_set_asn1_iv(c, type); + else + ret=-1; + return(ret); +@@ -78,6 +80,8 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_ + + if (c->cipher->get_asn1_parameters != NULL) + ret=c->cipher->get_asn1_parameters(c,type); ++ else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) ++ ret=EVP_CIPHER_get_asn1_iv(c, type); + else + ret=-1; + return(ret); +@@ -180,6 +184,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ + + int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + return ctx->cipher->do_cipher(ctx,out,in,inl); + } + +@@ -289,3 +296,18 @@ int EVP_MD_CTX_test_flags(const EVP_MD_C + { + return (ctx->flags & flags); + } ++ ++void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags) ++ { ++ ctx->flags |= flags; ++ } ++ ++void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags) ++ { ++ ctx->flags &= ~flags; ++ } ++ ++int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags) ++ { ++ return (ctx->flags & flags); ++ } +diff -up openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta3/crypto/evp/evp_locl.h +--- openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/evp_locl.h 2009-08-11 18:07:30.000000000 +0200 +@@ -111,11 +111,11 @@ static int cname##_cbc_cipher(EVP_CIPHER + static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ + {\ + size_t chunk=EVP_MAXCHUNK;\ +- if (cbits==1) chunk>>=3;\ ++ if (cbits==1 && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS)) chunk>>=3;\ + if (inl=chunk)\ + {\ +- cprefix##_cfb##cbits##_encrypt(in, out, (long)(cbits==1?chunk*8:chunk), &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\ ++ cprefix##_cfb##cbits##_encrypt(in, out, (long)(cbits==1 && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS)?chunk*8:chunk), &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\ + inl-=chunk;\ + in +=chunk;\ + out+=chunk;\ +@@ -254,14 +254,29 @@ const EVP_CIPHER *EVP_##cname##_ecb(void + + #define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data) + +-#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \ ++#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,fl) \ + BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ + BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ + NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \ +- 0, cipher##_init_key, NULL, \ +- EVP_CIPHER_set_asn1_iv, \ +- EVP_CIPHER_get_asn1_iv, \ +- NULL) ++ (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \ ++ cipher##_init_key, NULL, NULL, NULL, NULL) ++ ++#ifdef OPENSSL_FIPS ++#define RC2_set_key private_RC2_set_key ++#define RC4_set_key private_RC4_set_key ++#define CAST_set_key private_CAST_set_key ++#define RC5_32_set_key private_RC5_32_set_key ++#define BF_set_key private_BF_set_key ++#define Camellia_set_key private_Camellia_set_key ++#define idea_set_encrypt_key private_idea_set_encrypt_key ++ ++#define MD5_Init private_MD5_Init ++#define MD4_Init private_MD4_Init ++#define MD2_Init private_MD2_Init ++#define MDC2_Init private_MDC2_Init ++#define SHA_Init private_SHA_Init ++ ++#endif + + struct evp_pkey_ctx_st + { +diff -up openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss1.c +--- openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/m_dss1.c 2009-08-11 18:07:30.000000000 +0200 +@@ -82,7 +82,7 @@ static const EVP_MD dss1_md= + NID_dsa, + NID_dsaWithSHA1, + SHA_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_DIGEST, ++ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS, + init, + update, + final, +diff -up openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss.c +--- openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/m_dss.c 2009-08-11 18:07:30.000000000 +0200 +@@ -81,7 +81,7 @@ static const EVP_MD dsa_md= + NID_dsaWithSHA, + NID_dsaWithSHA, + SHA_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_DIGEST, ++ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS, + init, + update, + final, +diff -up openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta3/crypto/evp/m_sha1.c +--- openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/evp/m_sha1.c 2009-08-11 18:07:30.000000000 +0200 +@@ -82,7 +82,8 @@ static const EVP_MD sha1_md= + NID_sha1, + NID_sha1WithRSAEncryption, + SHA_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT| ++ EVP_MD_FLAG_FIPS, + init, + update, + final, +@@ -119,7 +120,8 @@ static const EVP_MD sha224_md= + NID_sha224, + NID_sha224WithRSAEncryption, + SHA224_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT| ++ EVP_MD_FLAG_FIPS, + init224, + update256, + final256, +@@ -138,7 +140,8 @@ static const EVP_MD sha256_md= + NID_sha256, + NID_sha256WithRSAEncryption, + SHA256_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT| ++ EVP_MD_FLAG_FIPS, + init256, + update256, + final256, +@@ -169,7 +172,8 @@ static const EVP_MD sha384_md= + NID_sha384, + NID_sha384WithRSAEncryption, + SHA384_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT| ++ EVP_MD_FLAG_FIPS, + init384, + update512, + final512, +@@ -188,7 +192,8 @@ static const EVP_MD sha512_md= + NID_sha512, + NID_sha512WithRSAEncryption, + SHA512_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT| ++ EVP_MD_FLAG_FIPS, + init512, + update512, + final512, +diff -up openssl-1.0.0-beta3/crypto/evp/names.c.fips openssl-1.0.0-beta3/crypto/evp/names.c +--- openssl-1.0.0-beta3/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/names.c 2009-08-11 18:07:30.000000000 +0200 +@@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c) + { + int r; + ++#ifdef OPENSSL_FIPS ++ OPENSSL_init_library(); ++#endif ++ + r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c); + if (r == 0) return(0); + check_defer(c->nid); +@@ -79,6 +83,10 @@ int EVP_add_digest(const EVP_MD *md) + int r; + const char *name; + ++#ifdef OPENSSL_FIPS ++ OPENSSL_init_library(); ++#endif ++ + name=OBJ_nid2sn(md->type); + r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md); + if (r == 0) return(0); +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,939 @@ ++/* ==================================================================== ++ * Copyright (c) 2004 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++/*--------------------------------------------- ++ NIST AES Algorithm Validation Suite ++ Test Program ++ ++ Donated to OpenSSL by: ++ V-ONE Corporation ++ 20250 Century Blvd, Suite 300 ++ Germantown, MD 20874 ++ U.S.A. ++ ----------------------------------------------*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include "e_os.h" ++ ++#ifndef OPENSSL_FIPS ++ ++int main(int argc, char *argv[]) ++{ ++ printf("No FIPS AES support\n"); ++ return(0); ++} ++ ++#else ++ ++#include ++#include "fips_utl.h" ++ ++#define AES_BLOCK_SIZE 16 ++ ++#define VERBOSE 0 ++ ++/*-----------------------------------------------*/ ++ ++int AESTest(EVP_CIPHER_CTX *ctx, ++ char *amode, int akeysz, unsigned char *aKey, ++ unsigned char *iVec, ++ int dir, /* 0 = decrypt, 1 = encrypt */ ++ unsigned char *plaintext, unsigned char *ciphertext, int len) ++ { ++ const EVP_CIPHER *cipher = NULL; ++ ++ if (strcasecmp(amode, "CBC") == 0) ++ { ++ switch (akeysz) ++ { ++ case 128: ++ cipher = EVP_aes_128_cbc(); ++ break; ++ ++ case 192: ++ cipher = EVP_aes_192_cbc(); ++ break; ++ ++ case 256: ++ cipher = EVP_aes_256_cbc(); ++ break; ++ } ++ ++ } ++ else if (strcasecmp(amode, "ECB") == 0) ++ { ++ switch (akeysz) ++ { ++ case 128: ++ cipher = EVP_aes_128_ecb(); ++ break; ++ ++ case 192: ++ cipher = EVP_aes_192_ecb(); ++ break; ++ ++ case 256: ++ cipher = EVP_aes_256_ecb(); ++ break; ++ } ++ } ++ else if (strcasecmp(amode, "CFB128") == 0) ++ { ++ switch (akeysz) ++ { ++ case 128: ++ cipher = EVP_aes_128_cfb128(); ++ break; ++ ++ case 192: ++ cipher = EVP_aes_192_cfb128(); ++ break; ++ ++ case 256: ++ cipher = EVP_aes_256_cfb128(); ++ break; ++ } ++ ++ } ++ else if (strncasecmp(amode, "OFB", 3) == 0) ++ { ++ switch (akeysz) ++ { ++ case 128: ++ cipher = EVP_aes_128_ofb(); ++ break; ++ ++ case 192: ++ cipher = EVP_aes_192_ofb(); ++ break; ++ ++ case 256: ++ cipher = EVP_aes_256_ofb(); ++ break; ++ } ++ } ++ else if(!strcasecmp(amode,"CFB1")) ++ { ++ switch (akeysz) ++ { ++ case 128: ++ cipher = EVP_aes_128_cfb1(); ++ break; ++ ++ case 192: ++ cipher = EVP_aes_192_cfb1(); ++ break; ++ ++ case 256: ++ cipher = EVP_aes_256_cfb1(); ++ break; ++ } ++ } ++ else if(!strcasecmp(amode,"CFB8")) ++ { ++ switch (akeysz) ++ { ++ case 128: ++ cipher = EVP_aes_128_cfb8(); ++ break; ++ ++ case 192: ++ cipher = EVP_aes_192_cfb8(); ++ break; ++ ++ case 256: ++ cipher = EVP_aes_256_cfb8(); ++ break; ++ } ++ } ++ else ++ { ++ printf("Unknown mode: %s\n", amode); ++ return 0; ++ } ++ if (!cipher) ++ { ++ printf("Invalid key size: %d\n", akeysz); ++ return 0; ++ } ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0) ++ return 0; ++ if(!strcasecmp(amode,"CFB1")) ++ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS); ++ if (dir) ++ EVP_Cipher(ctx, ciphertext, plaintext, len); ++ else ++ EVP_Cipher(ctx, plaintext, ciphertext, len); ++ return 1; ++ } ++ ++/*-----------------------------------------------*/ ++char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"}; ++char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB128"}; ++enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB128}; ++enum XCrypt {XDECRYPT, XENCRYPT}; ++ ++/*=============================*/ ++/* Monte Carlo Tests */ ++/*-----------------------------*/ ++ ++/*#define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)*/ ++/*#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) << ((b)%8)))*/ ++ ++#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1) ++#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8))) ++ ++int do_mct(char *amode, ++ int akeysz, unsigned char *aKey,unsigned char *iVec, ++ int dir, unsigned char *text, int len, ++ FILE *rfp) ++ { ++ int ret = 0; ++ unsigned char key[101][32]; ++ unsigned char iv[101][AES_BLOCK_SIZE]; ++ unsigned char ptext[1001][32]; ++ unsigned char ctext[1001][32]; ++ unsigned char ciphertext[64+4]; ++ int i, j, n, n1, n2; ++ int imode = 0, nkeysz = akeysz/8; ++ EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX_init(&ctx); ++ ++ if (len > 32) ++ { ++ printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n", ++ amode, akeysz); ++ return -1; ++ } ++ for (imode = 0; imode < 6; ++imode) ++ if (strcmp(amode, t_mode[imode]) == 0) ++ break; ++ if (imode == 6) ++ { ++ printf("Unrecognized mode: %s\n", amode); ++ return -1; ++ } ++ ++ memcpy(key[0], aKey, nkeysz); ++ if (iVec) ++ memcpy(iv[0], iVec, AES_BLOCK_SIZE); ++ if (dir == XENCRYPT) ++ memcpy(ptext[0], text, len); ++ else ++ memcpy(ctext[0], text, len); ++ for (i = 0; i < 100; ++i) ++ { ++ /* printf("Iteration %d\n", i); */ ++ if (i > 0) ++ { ++ fprintf(rfp,"COUNT = %d\n",i); ++ OutputValue("KEY",key[i],nkeysz,rfp,0); ++ if (imode != ECB) /* ECB */ ++ OutputValue("IV",iv[i],AES_BLOCK_SIZE,rfp,0); ++ /* Output Ciphertext | Plaintext */ ++ OutputValue(t_tag[dir^1],dir ? ptext[0] : ctext[0],len,rfp, ++ imode == CFB1); ++ } ++ for (j = 0; j < 1000; ++j) ++ { ++ switch (imode) ++ { ++ case ECB: ++ if (j == 0) ++ { /* set up encryption */ ++ ret = AESTest(&ctx, amode, akeysz, key[i], NULL, ++ dir, /* 0 = decrypt, 1 = encrypt */ ++ ptext[j], ctext[j], len); ++ if (dir == XENCRYPT) ++ memcpy(ptext[j+1], ctext[j], len); ++ else ++ memcpy(ctext[j+1], ptext[j], len); ++ } ++ else ++ { ++ if (dir == XENCRYPT) ++ { ++ EVP_Cipher(&ctx, ctext[j], ptext[j], len); ++ memcpy(ptext[j+1], ctext[j], len); ++ } ++ else ++ { ++ EVP_Cipher(&ctx, ptext[j], ctext[j], len); ++ memcpy(ctext[j+1], ptext[j], len); ++ } ++ } ++ break; ++ ++ case CBC: ++ case OFB: ++ case CFB128: ++ if (j == 0) ++ { ++ ret = AESTest(&ctx, amode, akeysz, key[i], iv[i], ++ dir, /* 0 = decrypt, 1 = encrypt */ ++ ptext[j], ctext[j], len); ++ if (dir == XENCRYPT) ++ memcpy(ptext[j+1], iv[i], len); ++ else ++ memcpy(ctext[j+1], iv[i], len); ++ } ++ else ++ { ++ if (dir == XENCRYPT) ++ { ++ EVP_Cipher(&ctx, ctext[j], ptext[j], len); ++ memcpy(ptext[j+1], ctext[j-1], len); ++ } ++ else ++ { ++ EVP_Cipher(&ctx, ptext[j], ctext[j], len); ++ memcpy(ctext[j+1], ptext[j-1], len); ++ } ++ } ++ break; ++ ++ case CFB8: ++ if (j == 0) ++ { ++ ret = AESTest(&ctx, amode, akeysz, key[i], iv[i], ++ dir, /* 0 = decrypt, 1 = encrypt */ ++ ptext[j], ctext[j], len); ++ } ++ else ++ { ++ if (dir == XENCRYPT) ++ EVP_Cipher(&ctx, ctext[j], ptext[j], len); ++ else ++ EVP_Cipher(&ctx, ptext[j], ctext[j], len); ++ } ++ if (dir == XENCRYPT) ++ { ++ if (j < 16) ++ memcpy(ptext[j+1], &iv[i][j], len); ++ else ++ memcpy(ptext[j+1], ctext[j-16], len); ++ } ++ else ++ { ++ if (j < 16) ++ memcpy(ctext[j+1], &iv[i][j], len); ++ else ++ memcpy(ctext[j+1], ptext[j-16], len); ++ } ++ break; ++ ++ case CFB1: ++ if(j == 0) ++ { ++#if 0 ++ /* compensate for wrong endianness of input file */ ++ if(i == 0) ++ ptext[0][0]<<=7; ++#endif ++ ret = AESTest(&ctx,amode,akeysz,key[i],iv[i],dir, ++ ptext[j], ctext[j], len); ++ } ++ else ++ { ++ if (dir == XENCRYPT) ++ EVP_Cipher(&ctx, ctext[j], ptext[j], len); ++ else ++ EVP_Cipher(&ctx, ptext[j], ctext[j], len); ++ ++ } ++ if(dir == XENCRYPT) ++ { ++ if(j < 128) ++ sb(ptext[j+1],0,gb(iv[i],j)); ++ else ++ sb(ptext[j+1],0,gb(ctext[j-128],0)); ++ } ++ else ++ { ++ if(j < 128) ++ sb(ctext[j+1],0,gb(iv[i],j)); ++ else ++ sb(ctext[j+1],0,gb(ptext[j-128],0)); ++ } ++ break; ++ } ++ } ++ --j; /* reset to last of range */ ++ /* Output Ciphertext | Plaintext */ ++ OutputValue(t_tag[dir],dir ? ctext[j] : ptext[j],len,rfp, ++ imode == CFB1); ++ fprintf(rfp, "\n"); /* add separator */ ++ ++ /* Compute next KEY */ ++ if (dir == XENCRYPT) ++ { ++ if (imode == CFB8) ++ { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */ ++ for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2) ++ ciphertext[n1] = ctext[j-n2][0]; ++ } ++ else if(imode == CFB1) ++ { ++ for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2) ++ sb(ciphertext,n1,gb(ctext[j-n2],0)); ++ } ++ else ++ switch (akeysz) ++ { ++ case 128: ++ memcpy(ciphertext, ctext[j], 16); ++ break; ++ case 192: ++ memcpy(ciphertext, ctext[j-1]+8, 8); ++ memcpy(ciphertext+8, ctext[j], 16); ++ break; ++ case 256: ++ memcpy(ciphertext, ctext[j-1], 16); ++ memcpy(ciphertext+16, ctext[j], 16); ++ break; ++ } ++ } ++ else ++ { ++ if (imode == CFB8) ++ { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */ ++ for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2) ++ ciphertext[n1] = ptext[j-n2][0]; ++ } ++ else if(imode == CFB1) ++ { ++ for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2) ++ sb(ciphertext,n1,gb(ptext[j-n2],0)); ++ } ++ else ++ switch (akeysz) ++ { ++ case 128: ++ memcpy(ciphertext, ptext[j], 16); ++ break; ++ case 192: ++ memcpy(ciphertext, ptext[j-1]+8, 8); ++ memcpy(ciphertext+8, ptext[j], 16); ++ break; ++ case 256: ++ memcpy(ciphertext, ptext[j-1], 16); ++ memcpy(ciphertext+16, ptext[j], 16); ++ break; ++ } ++ } ++ /* Compute next key: Key[i+1] = Key[i] xor ct */ ++ for (n = 0; n < nkeysz; ++n) ++ key[i+1][n] = key[i][n] ^ ciphertext[n]; ++ ++ /* Compute next IV and text */ ++ if (dir == XENCRYPT) ++ { ++ switch (imode) ++ { ++ case ECB: ++ memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE); ++ break; ++ case CBC: ++ case OFB: ++ case CFB128: ++ memcpy(iv[i+1], ctext[j], AES_BLOCK_SIZE); ++ memcpy(ptext[0], ctext[j-1], AES_BLOCK_SIZE); ++ break; ++ case CFB8: ++ /* IV[i+1] = ct */ ++ for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2) ++ iv[i+1][n1] = ctext[j-n2][0]; ++ ptext[0][0] = ctext[j-16][0]; ++ break; ++ case CFB1: ++ for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2) ++ sb(iv[i+1],n1,gb(ctext[j-n2],0)); ++ ptext[0][0]=ctext[j-128][0]&0x80; ++ break; ++ } ++ } ++ else ++ { ++ switch (imode) ++ { ++ case ECB: ++ memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE); ++ break; ++ case CBC: ++ case OFB: ++ case CFB128: ++ memcpy(iv[i+1], ptext[j], AES_BLOCK_SIZE); ++ memcpy(ctext[0], ptext[j-1], AES_BLOCK_SIZE); ++ break; ++ case CFB8: ++ for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2) ++ iv[i+1][n1] = ptext[j-n2][0]; ++ ctext[0][0] = ptext[j-16][0]; ++ break; ++ case CFB1: ++ for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2) ++ sb(iv[i+1],n1,gb(ptext[j-n2],0)); ++ ctext[0][0]=ptext[j-128][0]&0x80; ++ break; ++ } ++ } ++ } ++ ++ return ret; ++ } ++ ++/*================================================*/ ++/*---------------------------- ++ # Config info for v-one ++ # AESVS MMT test data for ECB ++ # State : Encrypt and Decrypt ++ # Key Length : 256 ++ # Fri Aug 30 04:07:22 PM ++ ----------------------------*/ ++ ++int proc_file(char *rqfile, char *rspfile) ++ { ++ char afn[256], rfn[256]; ++ FILE *afp = NULL, *rfp = NULL; ++ char ibuf[2048]; ++ char tbuf[2048]; ++ int ilen, len, ret = 0; ++ char algo[8] = ""; ++ char amode[8] = ""; ++ char atest[8] = ""; ++ int akeysz = 0; ++ unsigned char iVec[20], aKey[40]; ++ int dir = -1, err = 0, step = 0; ++ unsigned char plaintext[2048]; ++ unsigned char ciphertext[2048]; ++ char *rp; ++ EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX_init(&ctx); ++ ++ if (!rqfile || !(*rqfile)) ++ { ++ printf("No req file\n"); ++ return -1; ++ } ++ strcpy(afn, rqfile); ++ ++ if ((afp = fopen(afn, "r")) == NULL) ++ { ++ printf("Cannot open file: %s, %s\n", ++ afn, strerror(errno)); ++ return -1; ++ } ++ if (!rspfile) ++ { ++ strcpy(rfn,afn); ++ rp=strstr(rfn,"req/"); ++#ifdef OPENSSL_SYS_WIN32 ++ if (!rp) ++ rp=strstr(rfn,"req\\"); ++#endif ++ assert(rp); ++ memcpy(rp,"rsp",3); ++ rp = strstr(rfn, ".req"); ++ memcpy(rp, ".rsp", 4); ++ rspfile = rfn; ++ } ++ if ((rfp = fopen(rspfile, "w")) == NULL) ++ { ++ printf("Cannot open file: %s, %s\n", ++ rfn, strerror(errno)); ++ fclose(afp); ++ afp = NULL; ++ return -1; ++ } ++ while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL) ++ { ++ tidy_line(tbuf, ibuf); ++ ilen = strlen(ibuf); ++ /* printf("step=%d ibuf=%s",step,ibuf); */ ++ switch (step) ++ { ++ case 0: /* read preamble */ ++ if (ibuf[0] == '\n') ++ { /* end of preamble */ ++ if ((*algo == '\0') || ++ (*amode == '\0') || ++ (akeysz == 0)) ++ { ++ printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n", ++ algo,amode,akeysz); ++ err = 1; ++ } ++ else ++ { ++ fputs(ibuf, rfp); ++ ++ step; ++ } ++ } ++ else if (ibuf[0] != '#') ++ { ++ printf("Invalid preamble item: %s\n", ibuf); ++ err = 1; ++ } ++ else ++ { /* process preamble */ ++ char *xp, *pp = ibuf+2; ++ int n; ++ if (akeysz) ++ { /* insert current time & date */ ++ time_t rtim = time(0); ++ fprintf(rfp, "# %s", ctime(&rtim)); ++ } ++ else ++ { ++ fputs(ibuf, rfp); ++ if (strncmp(pp, "AESVS ", 6) == 0) ++ { ++ strcpy(algo, "AES"); ++ /* get test type */ ++ pp += 6; ++ xp = strchr(pp, ' '); ++ n = xp-pp; ++ strncpy(atest, pp, n); ++ atest[n] = '\0'; ++ /* get mode */ ++ xp = strrchr(pp, ' '); /* get mode" */ ++ n = strlen(xp+1)-1; ++ strncpy(amode, xp+1, n); ++ amode[n] = '\0'; ++ /* amode[3] = '\0'; */ ++ if (VERBOSE) ++ printf("Test = %s, Mode = %s\n", atest, amode); ++ } ++ else if (strncasecmp(pp, "Key Length : ", 13) == 0) ++ { ++ akeysz = atoi(pp+13); ++ if (VERBOSE) ++ printf("Key size = %d\n", akeysz); ++ } ++ } ++ } ++ break; ++ ++ case 1: /* [ENCRYPT] | [DECRYPT] */ ++ if (ibuf[0] == '[') ++ { ++ fputs(ibuf, rfp); ++ ++step; ++ if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0) ++ dir = 1; ++ else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0) ++ dir = 0; ++ else ++ { ++ printf("Invalid keyword: %s\n", ibuf); ++ err = 1; ++ } ++ break; ++ } ++ else if (dir == -1) ++ { ++ err = 1; ++ printf("Missing ENCRYPT/DECRYPT keyword\n"); ++ break; ++ } ++ else ++ step = 2; ++ ++ case 2: /* KEY = xxxx */ ++ fputs(ibuf, rfp); ++ if(*ibuf == '\n') ++ break; ++ if(!strncasecmp(ibuf,"COUNT = ",8)) ++ break; ++ ++ if (strncasecmp(ibuf, "KEY = ", 6) != 0) ++ { ++ printf("Missing KEY\n"); ++ err = 1; ++ } ++ else ++ { ++ len = hex2bin((char*)ibuf+6, aKey); ++ if (len < 0) ++ { ++ printf("Invalid KEY\n"); ++ err =1; ++ break; ++ } ++ PrintValue("KEY", aKey, len); ++ if (strcmp(amode, "ECB") == 0) ++ { ++ memset(iVec, 0, sizeof(iVec)); ++ step = (dir)? 4: 5; /* no ivec for ECB */ ++ } ++ else ++ ++step; ++ } ++ break; ++ ++ case 3: /* IV = xxxx */ ++ fputs(ibuf, rfp); ++ if (strncasecmp(ibuf, "IV = ", 5) != 0) ++ { ++ printf("Missing IV\n"); ++ err = 1; ++ } ++ else ++ { ++ len = hex2bin((char*)ibuf+5, iVec); ++ if (len < 0) ++ { ++ printf("Invalid IV\n"); ++ err =1; ++ break; ++ } ++ PrintValue("IV", iVec, len); ++ step = (dir)? 4: 5; ++ } ++ break; ++ ++ case 4: /* PLAINTEXT = xxxx */ ++ fputs(ibuf, rfp); ++ if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0) ++ { ++ printf("Missing PLAINTEXT\n"); ++ err = 1; ++ } ++ else ++ { ++ int nn = strlen(ibuf+12); ++ if(!strcmp(amode,"CFB1")) ++ len=bint2bin(ibuf+12,nn-1,plaintext); ++ else ++ len=hex2bin(ibuf+12, plaintext); ++ if (len < 0) ++ { ++ printf("Invalid PLAINTEXT: %s", ibuf+12); ++ err =1; ++ break; ++ } ++ if (len >= sizeof(plaintext)) ++ { ++ printf("Buffer overflow\n"); ++ } ++ PrintValue("PLAINTEXT", (unsigned char*)plaintext, len); ++ if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */ ++ { ++ if(do_mct(amode, akeysz, aKey, iVec, ++ dir, (unsigned char*)plaintext, len, ++ rfp) < 0) ++ EXIT(1); ++ } ++ else ++ { ++ ret = AESTest(&ctx, amode, akeysz, aKey, iVec, ++ dir, /* 0 = decrypt, 1 = encrypt */ ++ plaintext, ciphertext, len); ++ OutputValue("CIPHERTEXT",ciphertext,len,rfp, ++ !strcmp(amode,"CFB1")); ++ } ++ step = 6; ++ } ++ break; ++ ++ case 5: /* CIPHERTEXT = xxxx */ ++ fputs(ibuf, rfp); ++ if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0) ++ { ++ printf("Missing KEY\n"); ++ err = 1; ++ } ++ else ++ { ++ if(!strcmp(amode,"CFB1")) ++ len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext); ++ else ++ len = hex2bin(ibuf+13,ciphertext); ++ if (len < 0) ++ { ++ printf("Invalid CIPHERTEXT\n"); ++ err =1; ++ break; ++ } ++ ++ PrintValue("CIPHERTEXT", ciphertext, len); ++ if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */ ++ { ++ do_mct(amode, akeysz, aKey, iVec, ++ dir, ciphertext, len, rfp); ++ } ++ else ++ { ++ ret = AESTest(&ctx, amode, akeysz, aKey, iVec, ++ dir, /* 0 = decrypt, 1 = encrypt */ ++ plaintext, ciphertext, len); ++ OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp, ++ !strcmp(amode,"CFB1")); ++ } ++ step = 6; ++ } ++ break; ++ ++ case 6: ++ if (ibuf[0] != '\n') ++ { ++ err = 1; ++ printf("Missing terminator\n"); ++ } ++ else if (strcmp(atest, "MCT") != 0) ++ { /* MCT already added terminating nl */ ++ fputs(ibuf, rfp); ++ } ++ step = 1; ++ break; ++ } ++ } ++ if (rfp) ++ fclose(rfp); ++ if (afp) ++ fclose(afp); ++ return err; ++ } ++ ++/*-------------------------------------------------- ++ Processes either a single file or ++ a set of files whose names are passed in a file. ++ A single file is specified as: ++ aes_test -f xxx.req ++ A set of files is specified as: ++ aes_test -d xxxxx.xxx ++ The default is: -d req.txt ++--------------------------------------------------*/ ++int main(int argc, char **argv) ++ { ++ char *rqlist = "req.txt", *rspfile = NULL; ++ FILE *fp = NULL; ++ char fn[250] = "", rfn[256] = ""; ++ int f_opt = 0, d_opt = 1; ++ ++#ifdef OPENSSL_FIPS ++ if(!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ EXIT(1); ++ } ++#endif ++ if (argc > 1) ++ { ++ if (strcasecmp(argv[1], "-d") == 0) ++ { ++ d_opt = 1; ++ } ++ else if (strcasecmp(argv[1], "-f") == 0) ++ { ++ f_opt = 1; ++ d_opt = 0; ++ } ++ else ++ { ++ printf("Invalid parameter: %s\n", argv[1]); ++ return 0; ++ } ++ if (argc < 3) ++ { ++ printf("Missing parameter\n"); ++ return 0; ++ } ++ if (d_opt) ++ rqlist = argv[2]; ++ else ++ { ++ strcpy(fn, argv[2]); ++ rspfile = argv[3]; ++ } ++ } ++ if (d_opt) ++ { /* list of files (directory) */ ++ if (!(fp = fopen(rqlist, "r"))) ++ { ++ printf("Cannot open req list file\n"); ++ return -1; ++ } ++ while (fgets(fn, sizeof(fn), fp)) ++ { ++ strtok(fn, "\r\n"); ++ strcpy(rfn, fn); ++ if (VERBOSE) ++ printf("Processing: %s\n", rfn); ++ if (proc_file(rfn, rspfile)) ++ { ++ printf(">>> Processing failed for: %s <<<\n", rfn); ++ EXIT(1); ++ } ++ } ++ fclose(fp); ++ } ++ else /* single file */ ++ { ++ if (VERBOSE) ++ printf("Processing: %s\n", fn); ++ if (proc_file(fn, rspfile)) ++ { ++ printf(">>> Processing failed for: %s <<<\n", fn); ++ } ++ } ++ EXIT(0); ++ return 0; ++ } ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,702 @@ ++/* ==================================================================== ++ * Copyright (c) 2004 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++/*--------------------------------------------- ++ NIST DES Modes of Operation Validation System ++ Test Program ++ ++ Based on the AES Validation Suite, which was: ++ Donated to OpenSSL by: ++ V-ONE Corporation ++ 20250 Century Blvd, Suite 300 ++ Germantown, MD 20874 ++ U.S.A. ++ ----------------------------------------------*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include "e_os.h" ++ ++#ifndef OPENSSL_FIPS ++ ++int main(int argc, char *argv[]) ++{ ++ printf("No FIPS DES support\n"); ++ return(0); ++} ++ ++#else ++ ++#include ++#include "fips_utl.h" ++ ++#define DES_BLOCK_SIZE 8 ++ ++#define VERBOSE 0 ++ ++int DESTest(EVP_CIPHER_CTX *ctx, ++ char *amode, int akeysz, unsigned char *aKey, ++ unsigned char *iVec, ++ int dir, /* 0 = decrypt, 1 = encrypt */ ++ unsigned char *out, unsigned char *in, int len) ++ { ++ const EVP_CIPHER *cipher = NULL; ++ ++ if (akeysz != 192) ++ { ++ printf("Invalid key size: %d\n", akeysz); ++ EXIT(1); ++ } ++ ++ if (strcasecmp(amode, "CBC") == 0) ++ cipher = EVP_des_ede3_cbc(); ++ else if (strcasecmp(amode, "ECB") == 0) ++ cipher = EVP_des_ede3_ecb(); ++ else if (strcasecmp(amode, "CFB64") == 0) ++ cipher = EVP_des_ede3_cfb64(); ++ else if (strncasecmp(amode, "OFB", 3) == 0) ++ cipher = EVP_des_ede3_ofb(); ++ else if(!strcasecmp(amode,"CFB8")) ++ cipher = EVP_des_ede3_cfb8(); ++ else if(!strcasecmp(amode,"CFB1")) ++ cipher = EVP_des_ede3_cfb1(); ++ else ++ { ++ printf("Unknown mode: %s\n", amode); ++ EXIT(1); ++ } ++ ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0) ++ return 0; ++ if(!strcasecmp(amode,"CFB1")) ++ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS); ++ EVP_Cipher(ctx, out, in, len); ++ ++ return 1; ++ } ++ ++void DebugValue(char *tag, unsigned char *val, int len) ++ { ++ char obuf[2048]; ++ int olen; ++ olen = bin2hex(val, len, obuf); ++ printf("%s = %.*s\n", tag, olen, obuf); ++ } ++ ++void shiftin(unsigned char *dst,unsigned char *src,int nbits) ++ { ++ int n; ++ ++ /* move the bytes... */ ++ memmove(dst,dst+nbits/8,3*8-nbits/8); ++ /* append new data */ ++ memcpy(dst+3*8-nbits/8,src,(nbits+7)/8); ++ /* left shift the bits */ ++ if(nbits%8) ++ for(n=0 ; n < 3*8 ; ++n) ++ dst[n]=(dst[n] << (nbits%8))|(dst[n+1] >> (8-nbits%8)); ++ } ++ ++/*-----------------------------------------------*/ ++char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"}; ++char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"}; ++enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64}; ++int Sizes[6]={64,64,64,1,8,64}; ++ ++void do_mct(char *amode, ++ int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec, ++ int dir, unsigned char *text, int len, ++ FILE *rfp) ++ { ++ int i,imode; ++ unsigned char nk[4*8]; /* longest key+8 */ ++ unsigned char text0[8]; ++ ++ for (imode=0 ; imode < 6 ; ++imode) ++ if(!strcmp(amode,t_mode[imode])) ++ break; ++ if (imode == 6) ++ { ++ printf("Unrecognized mode: %s\n", amode); ++ EXIT(1); ++ } ++ ++ for(i=0 ; i < 400 ; ++i) ++ { ++ int j; ++ int n; ++ int kp=akeysz/64; ++ unsigned char old_iv[8]; ++ EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX_init(&ctx); ++ ++ fprintf(rfp,"\nCOUNT = %d\n",i); ++ if(kp == 1) ++ OutputValue("KEY",akey,8,rfp,0); ++ else ++ for(n=0 ; n < kp ; ++n) ++ { ++ fprintf(rfp,"KEY%d",n+1); ++ OutputValue("",akey+n*8,8,rfp,0); ++ } ++ ++ if(imode != ECB) ++ OutputValue("IV",ivec,8,rfp,0); ++ OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1); ++#if 0 ++ /* compensate for endianness */ ++ if(imode == CFB1) ++ text[0]<<=7; ++#endif ++ memcpy(text0,text,8); ++ ++ for(j=0 ; j < 10000 ; ++j) ++ { ++ unsigned char old_text[8]; ++ ++ memcpy(old_text,text,8); ++ if(j == 0) ++ { ++ memcpy(old_iv,ivec,8); ++ DESTest(&ctx,amode,akeysz,akey,ivec,dir,text,text,len); ++ } ++ else ++ { ++ memcpy(old_iv,ctx.iv,8); ++ EVP_Cipher(&ctx,text,text,len); ++ } ++ if(j == 9999) ++ { ++ OutputValue(t_tag[dir],text,len,rfp,imode == CFB1); ++ /* memcpy(ivec,text,8); */ ++ } ++ /* DebugValue("iv",ctx.iv,8); */ ++ /* accumulate material for the next key */ ++ shiftin(nk,text,Sizes[imode]); ++ /* DebugValue("nk",nk,24);*/ ++ if((dir && (imode == CFB1 || imode == CFB8 || imode == CFB64 ++ || imode == CBC)) || imode == OFB) ++ memcpy(text,old_iv,8); ++ ++ if(!dir && (imode == CFB1 || imode == CFB8 || imode == CFB64)) ++ { ++ /* the test specifies using the output of the raw DES operation ++ which we don't have, so reconstruct it... */ ++ for(n=0 ; n < 8 ; ++n) ++ text[n]^=old_text[n]; ++ } ++ } ++ for(n=0 ; n < 8 ; ++n) ++ akey[n]^=nk[16+n]; ++ for(n=0 ; n < 8 ; ++n) ++ akey[8+n]^=nk[8+n]; ++ for(n=0 ; n < 8 ; ++n) ++ akey[16+n]^=nk[n]; ++ if(numkeys < 3) ++ memcpy(&akey[2*8],akey,8); ++ if(numkeys < 2) ++ memcpy(&akey[8],akey,8); ++ DES_set_odd_parity((DES_cblock *)akey); ++ DES_set_odd_parity((DES_cblock *)(akey+8)); ++ DES_set_odd_parity((DES_cblock *)(akey+16)); ++ memcpy(ivec,ctx.iv,8); ++ ++ /* pointless exercise - the final text doesn't depend on the ++ initial text in OFB mode, so who cares what it is? (Who ++ designed these tests?) */ ++ if(imode == OFB) ++ for(n=0 ; n < 8 ; ++n) ++ text[n]=text0[n]^old_iv[n]; ++ } ++ } ++ ++int proc_file(char *rqfile, char *rspfile) ++ { ++ char afn[256], rfn[256]; ++ FILE *afp = NULL, *rfp = NULL; ++ char ibuf[2048], tbuf[2048]; ++ int ilen, len, ret = 0; ++ char amode[8] = ""; ++ char atest[100] = ""; ++ int akeysz=0; ++ unsigned char iVec[20], aKey[40]; ++ int dir = -1, err = 0, step = 0; ++ unsigned char plaintext[2048]; ++ unsigned char ciphertext[2048]; ++ char *rp; ++ EVP_CIPHER_CTX ctx; ++ int numkeys=1; ++ EVP_CIPHER_CTX_init(&ctx); ++ ++ if (!rqfile || !(*rqfile)) ++ { ++ printf("No req file\n"); ++ return -1; ++ } ++ strcpy(afn, rqfile); ++ ++ if ((afp = fopen(afn, "r")) == NULL) ++ { ++ printf("Cannot open file: %s, %s\n", ++ afn, strerror(errno)); ++ return -1; ++ } ++ if (!rspfile) ++ { ++ strcpy(rfn,afn); ++ rp=strstr(rfn,"req/"); ++#ifdef OPENSSL_SYS_WIN32 ++ if (!rp) ++ rp=strstr(rfn,"req\\"); ++#endif ++ assert(rp); ++ memcpy(rp,"rsp",3); ++ rp = strstr(rfn, ".req"); ++ memcpy(rp, ".rsp", 4); ++ rspfile = rfn; ++ } ++ if ((rfp = fopen(rspfile, "w")) == NULL) ++ { ++ printf("Cannot open file: %s, %s\n", ++ rfn, strerror(errno)); ++ fclose(afp); ++ afp = NULL; ++ return -1; ++ } ++ while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL) ++ { ++ tidy_line(tbuf, ibuf); ++ ilen = strlen(ibuf); ++ /* printf("step=%d ibuf=%s",step,ibuf);*/ ++ if(step == 3 && !strcmp(amode,"ECB")) ++ { ++ memset(iVec, 0, sizeof(iVec)); ++ step = (dir)? 4: 5; /* no ivec for ECB */ ++ } ++ switch (step) ++ { ++ case 0: /* read preamble */ ++ if (ibuf[0] == '\n') ++ { /* end of preamble */ ++ if (*amode == '\0') ++ { ++ printf("Missing Mode\n"); ++ err = 1; ++ } ++ else ++ { ++ fputs(ibuf, rfp); ++ ++ step; ++ } ++ } ++ else if (ibuf[0] != '#') ++ { ++ printf("Invalid preamble item: %s\n", ibuf); ++ err = 1; ++ } ++ else ++ { /* process preamble */ ++ char *xp, *pp = ibuf+2; ++ int n; ++ if(*amode) ++ { /* insert current time & date */ ++ time_t rtim = time(0); ++ fprintf(rfp, "# %s", ctime(&rtim)); ++ } ++ else ++ { ++ fputs(ibuf, rfp); ++ if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4) ++ || !strncmp(pp,"TDES ",5) ++ || !strncmp(pp,"PERMUTATION ",12) ++ || !strncmp(pp,"SUBSTITUTION ",13) ++ || !strncmp(pp,"VARIABLE ",9)) ++ { ++ /* get test type */ ++ if(!strncmp(pp,"DES ",4)) ++ pp+=4; ++ else if(!strncmp(pp,"TDES ",5)) ++ pp+=5; ++ xp = strchr(pp, ' '); ++ n = xp-pp; ++ strncpy(atest, pp, n); ++ atest[n] = '\0'; ++ /* get mode */ ++ xp = strrchr(pp, ' '); /* get mode" */ ++ n = strlen(xp+1)-1; ++ strncpy(amode, xp+1, n); ++ amode[n] = '\0'; ++ /* amode[3] = '\0'; */ ++ if (VERBOSE) ++ printf("Test=%s, Mode=%s\n",atest,amode); ++ } ++ } ++ } ++ break; ++ ++ case 1: /* [ENCRYPT] | [DECRYPT] */ ++ if(ibuf[0] == '\n') ++ break; ++ if (ibuf[0] == '[') ++ { ++ fputs(ibuf, rfp); ++ ++step; ++ if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0) ++ dir = 1; ++ else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0) ++ dir = 0; ++ else ++ { ++ printf("Invalid keyword: %s\n", ibuf); ++ err = 1; ++ } ++ break; ++ } ++ else if (dir == -1) ++ { ++ err = 1; ++ printf("Missing ENCRYPT/DECRYPT keyword\n"); ++ break; ++ } ++ else ++ step = 2; ++ ++ case 2: /* KEY = xxxx */ ++ if(*ibuf == '\n') ++ { ++ fputs(ibuf, rfp); ++ break; ++ } ++ if(!strncasecmp(ibuf,"COUNT = ",8)) ++ { ++ fputs(ibuf, rfp); ++ break; ++ } ++ if(!strncasecmp(ibuf,"COUNT=",6)) ++ { ++ fputs(ibuf, rfp); ++ break; ++ } ++ if(!strncasecmp(ibuf,"NumKeys = ",10)) ++ { ++ numkeys=atoi(ibuf+10); ++ break; ++ } ++ ++ fputs(ibuf, rfp); ++ if(!strncasecmp(ibuf,"KEY = ",6)) ++ { ++ akeysz=64; ++ len = hex2bin((char*)ibuf+6, aKey); ++ if (len < 0) ++ { ++ printf("Invalid KEY\n"); ++ err=1; ++ break; ++ } ++ PrintValue("KEY", aKey, len); ++ ++step; ++ } ++ else if(!strncasecmp(ibuf,"KEYs = ",7)) ++ { ++ akeysz=64*3; ++ len=hex2bin(ibuf+7,aKey); ++ if(len != 8) ++ { ++ printf("Invalid KEY\n"); ++ err=1; ++ break; ++ } ++ memcpy(aKey+8,aKey,8); ++ memcpy(aKey+16,aKey,8); ++ ibuf[4]='\0'; ++ PrintValue("KEYs",aKey,len); ++ ++step; ++ } ++ else if(!strncasecmp(ibuf,"KEY",3)) ++ { ++ int n=ibuf[3]-'1'; ++ ++ akeysz=64*3; ++ len=hex2bin(ibuf+7,aKey+n*8); ++ if(len != 8) ++ { ++ printf("Invalid KEY\n"); ++ err=1; ++ break; ++ } ++ ibuf[4]='\0'; ++ PrintValue(ibuf,aKey,len); ++ if(n == 2) ++ ++step; ++ } ++ else ++ { ++ printf("Missing KEY\n"); ++ err = 1; ++ } ++ break; ++ ++ case 3: /* IV = xxxx */ ++ fputs(ibuf, rfp); ++ if (strncasecmp(ibuf, "IV = ", 5) != 0) ++ { ++ printf("Missing IV\n"); ++ err = 1; ++ } ++ else ++ { ++ len = hex2bin((char*)ibuf+5, iVec); ++ if (len < 0) ++ { ++ printf("Invalid IV\n"); ++ err =1; ++ break; ++ } ++ PrintValue("IV", iVec, len); ++ step = (dir)? 4: 5; ++ } ++ break; ++ ++ case 4: /* PLAINTEXT = xxxx */ ++ fputs(ibuf, rfp); ++ if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0) ++ { ++ printf("Missing PLAINTEXT\n"); ++ err = 1; ++ } ++ else ++ { ++ int nn = strlen(ibuf+12); ++ if(!strcmp(amode,"CFB1")) ++ len=bint2bin(ibuf+12,nn-1,plaintext); ++ else ++ len=hex2bin(ibuf+12, plaintext); ++ if (len < 0) ++ { ++ printf("Invalid PLAINTEXT: %s", ibuf+12); ++ err =1; ++ break; ++ } ++ if (len >= sizeof(plaintext)) ++ { ++ printf("Buffer overflow\n"); ++ } ++ PrintValue("PLAINTEXT", (unsigned char*)plaintext, len); ++ if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */ ++ { ++ do_mct(amode,akeysz,numkeys,aKey,iVec,dir,plaintext,len,rfp); ++ } ++ else ++ { ++ assert(dir == 1); ++ ret = DESTest(&ctx, amode, akeysz, aKey, iVec, ++ dir, /* 0 = decrypt, 1 = encrypt */ ++ ciphertext, plaintext, len); ++ OutputValue("CIPHERTEXT",ciphertext,len,rfp, ++ !strcmp(amode,"CFB1")); ++ } ++ step = 6; ++ } ++ break; ++ ++ case 5: /* CIPHERTEXT = xxxx */ ++ fputs(ibuf, rfp); ++ if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0) ++ { ++ printf("Missing KEY\n"); ++ err = 1; ++ } ++ else ++ { ++ if(!strcmp(amode,"CFB1")) ++ len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext); ++ else ++ len = hex2bin(ibuf+13,ciphertext); ++ if (len < 0) ++ { ++ printf("Invalid CIPHERTEXT\n"); ++ err =1; ++ break; ++ } ++ ++ PrintValue("CIPHERTEXT", ciphertext, len); ++ if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */ ++ { ++ do_mct(amode, akeysz, numkeys, aKey, iVec, ++ dir, ciphertext, len, rfp); ++ } ++ else ++ { ++ assert(dir == 0); ++ ret = DESTest(&ctx, amode, akeysz, aKey, iVec, ++ dir, /* 0 = decrypt, 1 = encrypt */ ++ plaintext, ciphertext, len); ++ OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp, ++ !strcmp(amode,"CFB1")); ++ } ++ step = 6; ++ } ++ break; ++ ++ case 6: ++ if (ibuf[0] != '\n') ++ { ++ err = 1; ++ printf("Missing terminator\n"); ++ } ++ else if (strcmp(atest, "MCT") != 0) ++ { /* MCT already added terminating nl */ ++ fputs(ibuf, rfp); ++ } ++ step = 1; ++ break; ++ } ++ } ++ if (rfp) ++ fclose(rfp); ++ if (afp) ++ fclose(afp); ++ return err; ++ } ++ ++/*-------------------------------------------------- ++ Processes either a single file or ++ a set of files whose names are passed in a file. ++ A single file is specified as: ++ aes_test -f xxx.req ++ A set of files is specified as: ++ aes_test -d xxxxx.xxx ++ The default is: -d req.txt ++--------------------------------------------------*/ ++int main(int argc, char **argv) ++ { ++ char *rqlist = "req.txt", *rspfile = NULL; ++ FILE *fp = NULL; ++ char fn[250] = "", rfn[256] = ""; ++ int f_opt = 0, d_opt = 1; ++ ++#ifdef OPENSSL_FIPS ++ if(!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ EXIT(1); ++ } ++#endif ++ if (argc > 1) ++ { ++ if (strcasecmp(argv[1], "-d") == 0) ++ { ++ d_opt = 1; ++ } ++ else if (strcasecmp(argv[1], "-f") == 0) ++ { ++ f_opt = 1; ++ d_opt = 0; ++ } ++ else ++ { ++ printf("Invalid parameter: %s\n", argv[1]); ++ return 0; ++ } ++ if (argc < 3) ++ { ++ printf("Missing parameter\n"); ++ return 0; ++ } ++ if (d_opt) ++ rqlist = argv[2]; ++ else ++ { ++ strcpy(fn, argv[2]); ++ rspfile = argv[3]; ++ } ++ } ++ if (d_opt) ++ { /* list of files (directory) */ ++ if (!(fp = fopen(rqlist, "r"))) ++ { ++ printf("Cannot open req list file\n"); ++ return -1; ++ } ++ while (fgets(fn, sizeof(fn), fp)) ++ { ++ strtok(fn, "\r\n"); ++ strcpy(rfn, fn); ++ printf("Processing: %s\n", rfn); ++ if (proc_file(rfn, rspfile)) ++ { ++ printf(">>> Processing failed for: %s <<<\n", rfn); ++ EXIT(1); ++ } ++ } ++ fclose(fp); ++ } ++ else /* single file */ ++ { ++ if (VERBOSE) ++ printf("Processing: %s\n", fn); ++ if (proc_file(fn, rspfile)) ++ { ++ printf(">>> Processing failed for: %s <<<\n", fn); ++ } ++ } ++ EXIT(0); ++ return 0; ++ } ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,537 @@ ++#include ++ ++#ifndef OPENSSL_FIPS ++#include ++ ++int main(int argc, char **argv) ++{ ++ printf("No FIPS DSA support\n"); ++ return(0); ++} ++#else ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "fips_utl.h" ++ ++static void pbn(const char *name, BIGNUM *bn) ++ { ++ int len, i; ++ unsigned char *tmp; ++ len = BN_num_bytes(bn); ++ tmp = OPENSSL_malloc(len); ++ if (!tmp) ++ { ++ fprintf(stderr, "Memory allocation error\n"); ++ return; ++ } ++ BN_bn2bin(bn, tmp); ++ printf("%s = ", name); ++ for (i = 0; i < len; i++) ++ printf("%02X", tmp[i]); ++ fputs("\n", stdout); ++ OPENSSL_free(tmp); ++ return; ++ } ++ ++void primes() ++ { ++ char buf[10240]; ++ char lbuf[10240]; ++ char *keyword, *value; ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ fputs(buf,stdout); ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ continue; ++ if(!strcmp(keyword,"Prime")) ++ { ++ BIGNUM *pp; ++ ++ pp=BN_new(); ++ do_hex2bn(&pp,value); ++ printf("result= %c\n", ++ BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F'); ++ } ++ } ++ } ++ ++void pqg() ++ { ++ char buf[1024]; ++ char lbuf[1024]; ++ char *keyword, *value; ++ int nmod=0; ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ { ++ fputs(buf,stdout); ++ continue; ++ } ++ if(!strcmp(keyword,"[mod")) ++ nmod=atoi(value); ++ else if(!strcmp(keyword,"N")) ++ { ++ int n=atoi(value); ++ ++ printf("[mod = %d]\n\n",nmod); ++ ++ while(n--) ++ { ++ unsigned char seed[20]; ++ DSA *dsa; ++ int counter; ++ unsigned long h; ++ dsa = FIPS_dsa_new(); ++ ++ if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL)) ++ { ++ do_print_errors(); ++ exit(1); ++ } ++ pbn("P",dsa->p); ++ pbn("Q",dsa->q); ++ pbn("G",dsa->g); ++ pv("Seed",seed,20); ++ printf("c = %d\n",counter); ++ printf("H = %lx\n",h); ++ putc('\n',stdout); ++ } ++ } ++ else ++ fputs(buf,stdout); ++ } ++ } ++ ++void pqgver() ++ { ++ char buf[1024]; ++ char lbuf[1024]; ++ char *keyword, *value; ++ BIGNUM *p = NULL, *q = NULL, *g = NULL; ++ int counter, counter2; ++ unsigned long h, h2; ++ DSA *dsa=NULL; ++ int nmod=0; ++ unsigned char seed[1024]; ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ { ++ fputs(buf,stdout); ++ continue; ++ } ++ fputs(buf, stdout); ++ if(!strcmp(keyword,"[mod")) ++ nmod=atoi(value); ++ else if(!strcmp(keyword,"P")) ++ p=hex2bn(value); ++ else if(!strcmp(keyword,"Q")) ++ q=hex2bn(value); ++ else if(!strcmp(keyword,"G")) ++ g=hex2bn(value); ++ else if(!strcmp(keyword,"Seed")) ++ { ++ int slen = hex2bin(value, seed); ++ if (slen != 20) ++ { ++ fprintf(stderr, "Seed parse length error\n"); ++ exit (1); ++ } ++ } ++ else if(!strcmp(keyword,"c")) ++ counter =atoi(buf+4); ++ else if(!strcmp(keyword,"H")) ++ { ++ h = atoi(value); ++ if (!p || !q || !g) ++ { ++ fprintf(stderr, "Parse Error\n"); ++ exit (1); ++ } ++ dsa = FIPS_dsa_new(); ++ if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL)) ++ { ++ do_print_errors(); ++ exit(1); ++ } ++ if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g) ++ || (counter != counter2) || (h != h2)) ++ printf("Result = F\n"); ++ else ++ printf("Result = P\n"); ++ BN_free(p); ++ BN_free(q); ++ BN_free(g); ++ p = NULL; ++ q = NULL; ++ g = NULL; ++ FIPS_dsa_free(dsa); ++ dsa = NULL; ++ } ++ } ++ } ++ ++/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2 ++ * algorithm tests. It is an additional test to perform sanity checks on the ++ * output of the KeyPair test. ++ */ ++ ++static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g, ++ BN_CTX *ctx) ++ { ++ BIGNUM *rem = NULL; ++ if (BN_num_bits(p) != nmod) ++ return 0; ++ if (BN_num_bits(q) != 160) ++ return 0; ++ if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1) ++ return 0; ++ if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1) ++ return 0; ++ rem = BN_new(); ++ if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem) ++ || (BN_cmp(g, BN_value_one()) <= 0) ++ || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem)) ++ { ++ BN_free(rem); ++ return 0; ++ } ++ /* Todo: check g */ ++ BN_free(rem); ++ return 1; ++ } ++ ++void keyver() ++ { ++ char buf[1024]; ++ char lbuf[1024]; ++ char *keyword, *value; ++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL; ++ BIGNUM *Y2; ++ BN_CTX *ctx = NULL; ++ int nmod=0, paramcheck = 0; ++ ++ ctx = BN_CTX_new(); ++ Y2 = BN_new(); ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ { ++ fputs(buf,stdout); ++ continue; ++ } ++ if(!strcmp(keyword,"[mod")) ++ { ++ if (p) ++ BN_free(p); ++ p = NULL; ++ if (q) ++ BN_free(q); ++ q = NULL; ++ if (g) ++ BN_free(g); ++ g = NULL; ++ paramcheck = 0; ++ nmod=atoi(value); ++ } ++ else if(!strcmp(keyword,"P")) ++ p=hex2bn(value); ++ else if(!strcmp(keyword,"Q")) ++ q=hex2bn(value); ++ else if(!strcmp(keyword,"G")) ++ g=hex2bn(value); ++ else if(!strcmp(keyword,"X")) ++ X=hex2bn(value); ++ else if(!strcmp(keyword,"Y")) ++ { ++ Y=hex2bn(value); ++ if (!p || !q || !g || !X || !Y) ++ { ++ fprintf(stderr, "Parse Error\n"); ++ exit (1); ++ } ++ pbn("P",p); ++ pbn("Q",q); ++ pbn("G",g); ++ pbn("X",X); ++ pbn("Y",Y); ++ if (!paramcheck) ++ { ++ if (dss_paramcheck(nmod, p, q, g, ctx)) ++ paramcheck = 1; ++ else ++ paramcheck = -1; ++ } ++ if (paramcheck != 1) ++ printf("Result = F\n"); ++ else ++ { ++ if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y)) ++ printf("Result = F\n"); ++ else ++ printf("Result = P\n"); ++ } ++ BN_free(X); ++ BN_free(Y); ++ X = NULL; ++ Y = NULL; ++ } ++ } ++ if (p) ++ BN_free(p); ++ if (q) ++ BN_free(q); ++ if (g) ++ BN_free(g); ++ if (Y2) ++ BN_free(Y2); ++ } ++ ++void keypair() ++ { ++ char buf[1024]; ++ char lbuf[1024]; ++ char *keyword, *value; ++ int nmod=0; ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ { ++ fputs(buf,stdout); ++ continue; ++ } ++ if(!strcmp(keyword,"[mod")) ++ nmod=atoi(value); ++ else if(!strcmp(keyword,"N")) ++ { ++ DSA *dsa; ++ int n=atoi(value); ++ ++ printf("[mod = %d]\n\n",nmod); ++ dsa = FIPS_dsa_new(); ++ if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL)) ++ { ++ do_print_errors(); ++ exit(1); ++ } ++ pbn("P",dsa->p); ++ pbn("Q",dsa->q); ++ pbn("G",dsa->g); ++ putc('\n',stdout); ++ ++ while(n--) ++ { ++ if (!DSA_generate_key(dsa)) ++ { ++ do_print_errors(); ++ exit(1); ++ } ++ ++ pbn("X",dsa->priv_key); ++ pbn("Y",dsa->pub_key); ++ putc('\n',stdout); ++ } ++ } ++ } ++ } ++ ++void siggen() ++ { ++ char buf[1024]; ++ char lbuf[1024]; ++ char *keyword, *value; ++ int nmod=0; ++ DSA *dsa=NULL; ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ { ++ fputs(buf,stdout); ++ continue; ++ } ++ if(!strcmp(keyword,"[mod")) ++ { ++ nmod=atoi(value); ++ printf("[mod = %d]\n\n",nmod); ++ if (dsa) ++ FIPS_dsa_free(dsa); ++ dsa = FIPS_dsa_new(); ++ if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL)) ++ { ++ do_print_errors(); ++ exit(1); ++ } ++ pbn("P",dsa->p); ++ pbn("Q",dsa->q); ++ pbn("G",dsa->g); ++ putc('\n',stdout); ++ } ++ else if(!strcmp(keyword,"Msg")) ++ { ++ unsigned char msg[1024]; ++ unsigned char sbuf[60]; ++ unsigned int slen; ++ int n; ++ EVP_PKEY pk; ++ EVP_MD_CTX mctx; ++ DSA_SIG *sig; ++ EVP_MD_CTX_init(&mctx); ++ ++ n=hex2bin(value,msg); ++ pv("Msg",msg,n); ++ ++ if (!DSA_generate_key(dsa)) ++ { ++ do_print_errors(); ++ exit(1); ++ } ++ pk.type = EVP_PKEY_DSA; ++ pk.pkey.dsa = dsa; ++ pbn("Y",dsa->pub_key); ++ ++ EVP_SignInit_ex(&mctx, EVP_dss1(), NULL); ++ EVP_SignUpdate(&mctx, msg, n); ++ EVP_SignFinal(&mctx, sbuf, &slen, &pk); ++ ++ sig = DSA_SIG_new(); ++ FIPS_dsa_sig_decode(sig, sbuf, slen); ++ ++ pbn("R",sig->r); ++ pbn("S",sig->s); ++ putc('\n',stdout); ++ DSA_SIG_free(sig); ++ EVP_MD_CTX_cleanup(&mctx); ++ } ++ } ++ if (dsa) ++ FIPS_dsa_free(dsa); ++ } ++ ++void sigver() ++ { ++ DSA *dsa=NULL; ++ char buf[1024]; ++ char lbuf[1024]; ++ unsigned char msg[1024]; ++ char *keyword, *value; ++ int nmod=0, n=0; ++ DSA_SIG sg, *sig = &sg; ++ ++ sig->r = NULL; ++ sig->s = NULL; ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ { ++ fputs(buf,stdout); ++ continue; ++ } ++ if(!strcmp(keyword,"[mod")) ++ { ++ nmod=atoi(value); ++ if(dsa) ++ FIPS_dsa_free(dsa); ++ dsa=FIPS_dsa_new(); ++ } ++ else if(!strcmp(keyword,"P")) ++ dsa->p=hex2bn(value); ++ else if(!strcmp(keyword,"Q")) ++ dsa->q=hex2bn(value); ++ else if(!strcmp(keyword,"G")) ++ { ++ dsa->g=hex2bn(value); ++ ++ printf("[mod = %d]\n\n",nmod); ++ pbn("P",dsa->p); ++ pbn("Q",dsa->q); ++ pbn("G",dsa->g); ++ putc('\n',stdout); ++ } ++ else if(!strcmp(keyword,"Msg")) ++ { ++ n=hex2bin(value,msg); ++ pv("Msg",msg,n); ++ } ++ else if(!strcmp(keyword,"Y")) ++ dsa->pub_key=hex2bn(value); ++ else if(!strcmp(keyword,"R")) ++ sig->r=hex2bn(value); ++ else if(!strcmp(keyword,"S")) ++ { ++ EVP_MD_CTX mctx; ++ EVP_PKEY pk; ++ unsigned char sigbuf[60]; ++ unsigned int slen; ++ int r; ++ EVP_MD_CTX_init(&mctx); ++ pk.type = EVP_PKEY_DSA; ++ pk.pkey.dsa = dsa; ++ sig->s=hex2bn(value); ++ ++ pbn("Y",dsa->pub_key); ++ pbn("R",sig->r); ++ pbn("S",sig->s); ++ ++ slen = FIPS_dsa_sig_encode(sigbuf, sig); ++ EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL); ++ EVP_VerifyUpdate(&mctx, msg, n); ++ r = EVP_VerifyFinal(&mctx, sigbuf, slen, &pk); ++ EVP_MD_CTX_cleanup(&mctx); ++ ++ printf("Result = %c\n", r == 1 ? 'P' : 'F'); ++ putc('\n',stdout); ++ } ++ } ++ } ++ ++int main(int argc,char **argv) ++ { ++ if(argc != 2) ++ { ++ fprintf(stderr,"%s [prime|pqg|pqgver|keypair|siggen|sigver]\n",argv[0]); ++ exit(1); ++ } ++ if(!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ exit(1); ++ } ++ if(!strcmp(argv[1],"prime")) ++ primes(); ++ else if(!strcmp(argv[1],"pqg")) ++ pqg(); ++ else if(!strcmp(argv[1],"pqgver")) ++ pqgver(); ++ else if(!strcmp(argv[1],"keypair")) ++ keypair(); ++ else if(!strcmp(argv[1],"keyver")) ++ keyver(); ++ else if(!strcmp(argv[1],"siggen")) ++ siggen(); ++ else if(!strcmp(argv[1],"sigver")) ++ sigver(); ++ else ++ { ++ fprintf(stderr,"Don't know how to %s.\n",argv[1]); ++ exit(1); ++ } ++ ++ return 0; ++ } ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,230 @@ ++/* ++ * Crude test driver for processing the VST and MCT testvector files ++ * generated by the CMVP RNGVS product. ++ * ++ * Note the input files are assumed to have a _very_ specific format ++ * as described in the NIST document "The Random Number Generator ++ * Validation System (RNGVS)", May 25, 2004. ++ * ++ */ ++#include ++ ++#ifndef OPENSSL_FIPS ++#include ++ ++int main(int argc, char **argv) ++{ ++ printf("No FIPS RNG support\n"); ++ return 0; ++} ++#else ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "fips_utl.h" ++ ++void vst() ++ { ++ unsigned char *key = NULL; ++ unsigned char *v = NULL; ++ unsigned char *dt = NULL; ++ unsigned char ret[16]; ++ char buf[1024]; ++ char lbuf[1024]; ++ char *keyword, *value; ++ long i, keylen; ++ ++ keylen = 0; ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ fputs(buf,stdout); ++ if(!strncmp(buf,"[AES 128-Key]", 13)) ++ keylen = 16; ++ else if(!strncmp(buf,"[AES 192-Key]", 13)) ++ keylen = 24; ++ else if(!strncmp(buf,"[AES 256-Key]", 13)) ++ keylen = 32; ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ continue; ++ if(!strcmp(keyword,"Key")) ++ { ++ key=hex2bin_m(value,&i); ++ if (i != keylen) ++ { ++ fprintf(stderr, "Invalid key length, expecting %ld\n", keylen); ++ return; ++ } ++ } ++ else if(!strcmp(keyword,"DT")) ++ { ++ dt=hex2bin_m(value,&i); ++ if (i != 16) ++ { ++ fprintf(stderr, "Invalid DT length\n"); ++ return; ++ } ++ } ++ else if(!strcmp(keyword,"V")) ++ { ++ v=hex2bin_m(value,&i); ++ if (i != 16) ++ { ++ fprintf(stderr, "Invalid V length\n"); ++ return; ++ } ++ ++ if (!key || !dt) ++ { ++ fprintf(stderr, "Missing key or DT\n"); ++ return; ++ } ++ ++ FIPS_rand_set_key(key, keylen); ++ FIPS_rand_seed(v,16); ++ FIPS_rand_set_dt(dt); ++ if (FIPS_rand_bytes(ret,16) <= 0) ++ { ++ fprintf(stderr, "Error getting PRNG value\n"); ++ return; ++ } ++ ++ pv("R",ret,16); ++ OPENSSL_free(key); ++ key = NULL; ++ OPENSSL_free(dt); ++ dt = NULL; ++ OPENSSL_free(v); ++ v = NULL; ++ } ++ } ++ } ++ ++void mct() ++ { ++ unsigned char *key = NULL; ++ unsigned char *v = NULL; ++ unsigned char *dt = NULL; ++ unsigned char ret[16]; ++ char buf[1024]; ++ char lbuf[1024]; ++ char *keyword, *value; ++ long i, keylen; ++ int j; ++ ++ keylen = 0; ++ ++ while(fgets(buf,sizeof buf,stdin) != NULL) ++ { ++ fputs(buf,stdout); ++ if(!strncmp(buf,"[AES 128-Key]", 13)) ++ keylen = 16; ++ else if(!strncmp(buf,"[AES 192-Key]", 13)) ++ keylen = 24; ++ else if(!strncmp(buf,"[AES 256-Key]", 13)) ++ keylen = 32; ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ continue; ++ if(!strcmp(keyword,"Key")) ++ { ++ key=hex2bin_m(value,&i); ++ if (i != keylen) ++ { ++ fprintf(stderr, "Invalid key length, expecting %ld\n", keylen); ++ return; ++ } ++ } ++ else if(!strcmp(keyword,"DT")) ++ { ++ dt=hex2bin_m(value,&i); ++ if (i != 16) ++ { ++ fprintf(stderr, "Invalid DT length\n"); ++ return; ++ } ++ } ++ else if(!strcmp(keyword,"V")) ++ { ++ v=hex2bin_m(value,&i); ++ if (i != 16) ++ { ++ fprintf(stderr, "Invalid V length\n"); ++ return; ++ } ++ ++ if (!key || !dt) ++ { ++ fprintf(stderr, "Missing key or DT\n"); ++ return; ++ } ++ ++ FIPS_rand_set_key(key, keylen); ++ FIPS_rand_seed(v,16); ++ for (i = 0; i < 10000; i++) ++ { ++ FIPS_rand_set_dt(dt); ++ if (FIPS_rand_bytes(ret,16) <= 0) ++ { ++ fprintf(stderr, "Error getting PRNG value\n"); ++ return; ++ } ++ /* Increment DT */ ++ for (j = 15; j >= 0; j--) ++ { ++ dt[j]++; ++ if (dt[j]) ++ break; ++ } ++ } ++ ++ pv("R",ret,16); ++ OPENSSL_free(key); ++ key = NULL; ++ OPENSSL_free(dt); ++ dt = NULL; ++ OPENSSL_free(v); ++ v = NULL; ++ } ++ } ++ } ++ ++int main(int argc,char **argv) ++ { ++ if(argc != 2) ++ { ++ fprintf(stderr,"%s [mct|vst]\n",argv[0]); ++ exit(1); ++ } ++ if(!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ exit(1); ++ } ++ FIPS_rand_reset(); ++ if (!FIPS_rand_test_mode()) ++ { ++ fprintf(stderr, "Error setting PRNG test mode\n"); ++ do_print_errors(); ++ exit(1); ++ } ++ if(!strcmp(argv[1],"mct")) ++ mct(); ++ else if(!strcmp(argv[1],"vst")) ++ vst(); ++ else ++ { ++ fprintf(stderr,"Don't know how to %s.\n",argv[1]); ++ exit(1); ++ } ++ ++ return 0; ++ } ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,390 @@ ++/* fips_rsagtest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2005. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2005,2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++ ++int main(int argc, char *argv[]) ++{ ++ printf("No FIPS RSA support\n"); ++ return(0); ++} ++ ++#else ++ ++#include "fips_utl.h" ++ ++int rsa_test(FILE *out, FILE *in); ++static int rsa_printkey1(FILE *out, RSA *rsa, ++ BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp, ++ BIGNUM *e); ++static int rsa_printkey2(FILE *out, RSA *rsa, ++ BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq); ++ ++int main(int argc, char **argv) ++ { ++ FILE *in = NULL, *out = NULL; ++ ++ int ret = 1; ++ ++ if(!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ goto end; ++ } ++ ++ if (argc == 1) ++ in = stdin; ++ else ++ in = fopen(argv[1], "r"); ++ ++ if (argc < 2) ++ out = stdout; ++ else ++ out = fopen(argv[2], "w"); ++ ++ if (!in) ++ { ++ fprintf(stderr, "FATAL input initialization error\n"); ++ goto end; ++ } ++ ++ if (!out) ++ { ++ fprintf(stderr, "FATAL output initialization error\n"); ++ goto end; ++ } ++ ++ if (!rsa_test(out, in)) ++ { ++ fprintf(stderr, "FATAL RSAGTEST file processing error\n"); ++ goto end; ++ } ++ else ++ ret = 0; ++ ++ end: ++ ++ if (ret) ++ do_print_errors(); ++ ++ if (in && (in != stdin)) ++ fclose(in); ++ if (out && (out != stdout)) ++ fclose(out); ++ ++ return ret; ++ ++ } ++ ++#define RSA_TEST_MAXLINELEN 10240 ++ ++int rsa_test(FILE *out, FILE *in) ++ { ++ char *linebuf, *olinebuf, *p, *q; ++ char *keyword, *value; ++ RSA *rsa = NULL; ++ BIGNUM *Xp1 = NULL, *Xp2 = NULL, *Xp = NULL; ++ BIGNUM *Xq1 = NULL, *Xq2 = NULL, *Xq = NULL; ++ BIGNUM *e = NULL; ++ int ret = 0; ++ int lnum = 0; ++ ++ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); ++ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); ++ ++ if (!linebuf || !olinebuf) ++ goto error; ++ ++ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in)) ++ { ++ lnum++; ++ strcpy(linebuf, olinebuf); ++ keyword = linebuf; ++ /* Skip leading space */ ++ while (isspace((unsigned char)*keyword)) ++ keyword++; ++ ++ /* Look for = sign */ ++ p = strchr(linebuf, '='); ++ ++ /* If no = or starts with [ (for [foo = bar] line) just copy */ ++ if (!p || *keyword=='[') ++ { ++ if (fputs(olinebuf, out) < 0) ++ goto error; ++ continue; ++ } ++ ++ q = p - 1; ++ ++ /* Remove trailing space */ ++ while (isspace((unsigned char)*q)) ++ *q-- = 0; ++ ++ *p = 0; ++ value = p + 1; ++ ++ /* Remove leading space from value */ ++ while (isspace((unsigned char)*value)) ++ value++; ++ ++ /* Remove trailing space from value */ ++ p = value + strlen(value) - 1; ++ ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ ++ if (!strcmp(keyword, "xp1")) ++ { ++ if (Xp1 || !do_hex2bn(&Xp1,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "xp2")) ++ { ++ if (Xp2 || !do_hex2bn(&Xp2,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "Xp")) ++ { ++ if (Xp || !do_hex2bn(&Xp,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "xq1")) ++ { ++ if (Xq1 || !do_hex2bn(&Xq1,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "xq2")) ++ { ++ if (Xq2 || !do_hex2bn(&Xq2,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "Xq")) ++ { ++ if (Xq || !do_hex2bn(&Xq,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "e")) ++ { ++ if (e || !do_hex2bn(&e,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "p1")) ++ continue; ++ else if (!strcmp(keyword, "p2")) ++ continue; ++ else if (!strcmp(keyword, "p")) ++ continue; ++ else if (!strcmp(keyword, "q1")) ++ continue; ++ else if (!strcmp(keyword, "q2")) ++ continue; ++ else if (!strcmp(keyword, "q")) ++ continue; ++ else if (!strcmp(keyword, "n")) ++ continue; ++ else if (!strcmp(keyword, "d")) ++ continue; ++ else ++ goto parse_error; ++ ++ fputs(olinebuf, out); ++ ++ if (e && Xp1 && Xp2 && Xp) ++ { ++ rsa = FIPS_rsa_new(); ++ if (!rsa) ++ goto error; ++ if (!rsa_printkey1(out, rsa, Xp1, Xp2, Xp, e)) ++ goto error; ++ BN_free(Xp1); ++ Xp1 = NULL; ++ BN_free(Xp2); ++ Xp2 = NULL; ++ BN_free(Xp); ++ Xp = NULL; ++ BN_free(e); ++ e = NULL; ++ } ++ ++ if (rsa && Xq1 && Xq2 && Xq) ++ { ++ if (!rsa_printkey2(out, rsa, Xq1, Xq2, Xq)) ++ goto error; ++ BN_free(Xq1); ++ Xq1 = NULL; ++ BN_free(Xq2); ++ Xq2 = NULL; ++ BN_free(Xq); ++ Xq = NULL; ++ FIPS_rsa_free(rsa); ++ rsa = NULL; ++ } ++ } ++ ++ ret = 1; ++ ++ error: ++ ++ if (olinebuf) ++ OPENSSL_free(olinebuf); ++ if (linebuf) ++ OPENSSL_free(linebuf); ++ ++ if (Xp1) ++ BN_free(Xp1); ++ if (Xp2) ++ BN_free(Xp2); ++ if (Xp) ++ BN_free(Xp); ++ if (Xq1) ++ BN_free(Xq1); ++ if (Xq1) ++ BN_free(Xq1); ++ if (Xq2) ++ BN_free(Xq2); ++ if (Xq) ++ BN_free(Xq); ++ if (e) ++ BN_free(e); ++ if (rsa) ++ FIPS_rsa_free(rsa); ++ ++ return ret; ++ ++ parse_error: ++ ++ fprintf(stderr, "FATAL parse error processing line %d\n", lnum); ++ ++ goto error; ++ ++ } ++ ++static int rsa_printkey1(FILE *out, RSA *rsa, ++ BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp, ++ BIGNUM *e) ++ { ++ int ret = 0; ++ BIGNUM *p1 = NULL, *p2 = NULL; ++ p1 = BN_new(); ++ p2 = BN_new(); ++ if (!p1 || !p2) ++ goto error; ++ ++ if (!RSA_X931_derive_ex(rsa, p1, p2, NULL, NULL, Xp1, Xp2, Xp, ++ NULL, NULL, NULL, e, NULL)) ++ goto error; ++ ++ do_bn_print_name(out, "p1", p1); ++ do_bn_print_name(out, "p2", p2); ++ do_bn_print_name(out, "p", rsa->p); ++ ++ ret = 1; ++ ++ error: ++ if (p1) ++ BN_free(p1); ++ if (p2) ++ BN_free(p2); ++ ++ return ret; ++ } ++ ++static int rsa_printkey2(FILE *out, RSA *rsa, ++ BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq) ++ { ++ int ret = 0; ++ BIGNUM *q1 = NULL, *q2 = NULL; ++ q1 = BN_new(); ++ q2 = BN_new(); ++ if (!q1 || !q2) ++ goto error; ++ ++ if (!RSA_X931_derive_ex(rsa, NULL, NULL, q1, q2, NULL, NULL, NULL, ++ Xq1, Xq2, Xq, NULL, NULL)) ++ goto error; ++ ++ do_bn_print_name(out, "q1", q1); ++ do_bn_print_name(out, "q2", q2); ++ do_bn_print_name(out, "q", rsa->q); ++ do_bn_print_name(out, "n", rsa->n); ++ do_bn_print_name(out, "d", rsa->d); ++ ++ ret = 1; ++ ++ error: ++ if (q1) ++ BN_free(q1); ++ if (q2) ++ BN_free(q2); ++ ++ return ret; ++ } ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,370 @@ ++/* fips_rsastest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2005. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++ ++int main(int argc, char *argv[]) ++{ ++ printf("No FIPS RSA support\n"); ++ return(0); ++} ++ ++#else ++ ++#include "fips_utl.h" ++ ++static int rsa_stest(FILE *out, FILE *in, int Saltlen); ++static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst, ++ unsigned char *Msg, long Msglen, int Saltlen); ++ ++int main(int argc, char **argv) ++ { ++ FILE *in = NULL, *out = NULL; ++ ++ int ret = 1, Saltlen = -1; ++ ++ if(!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ goto end; ++ } ++ ++ if ((argc > 2) && !strcmp("-saltlen", argv[1])) ++ { ++ Saltlen = atoi(argv[2]); ++ if (Saltlen < 0) ++ { ++ fprintf(stderr, "FATAL: Invalid salt length\n"); ++ goto end; ++ } ++ argc -= 2; ++ argv += 2; ++ } ++ else if ((argc > 1) && !strcmp("-x931", argv[1])) ++ { ++ Saltlen = -2; ++ argc--; ++ argv++; ++ } ++ ++ if (argc == 1) ++ in = stdin; ++ else ++ in = fopen(argv[1], "r"); ++ ++ if (argc < 2) ++ out = stdout; ++ else ++ out = fopen(argv[2], "w"); ++ ++ if (!in) ++ { ++ fprintf(stderr, "FATAL input initialization error\n"); ++ goto end; ++ } ++ ++ if (!out) ++ { ++ fprintf(stderr, "FATAL output initialization error\n"); ++ goto end; ++ } ++ ++ if (!rsa_stest(out, in, Saltlen)) ++ { ++ fprintf(stderr, "FATAL RSASTEST file processing error\n"); ++ goto end; ++ } ++ else ++ ret = 0; ++ ++ end: ++ ++ if (ret) ++ do_print_errors(); ++ ++ if (in && (in != stdin)) ++ fclose(in); ++ if (out && (out != stdout)) ++ fclose(out); ++ ++ return ret; ++ ++ } ++ ++#define RSA_TEST_MAXLINELEN 10240 ++ ++int rsa_stest(FILE *out, FILE *in, int Saltlen) ++ { ++ char *linebuf, *olinebuf, *p, *q; ++ char *keyword, *value; ++ RSA *rsa = NULL; ++ const EVP_MD *dgst = NULL; ++ unsigned char *Msg = NULL; ++ long Msglen = -1; ++ int keylen = -1, current_keylen = -1; ++ int ret = 0; ++ int lnum = 0; ++ ++ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); ++ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); ++ ++ if (!linebuf || !olinebuf) ++ goto error; ++ ++ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in)) ++ { ++ lnum++; ++ strcpy(linebuf, olinebuf); ++ keyword = linebuf; ++ /* Skip leading space */ ++ while (isspace((unsigned char)*keyword)) ++ keyword++; ++ ++ /* Look for = sign */ ++ p = strchr(linebuf, '='); ++ ++ /* If no = just copy */ ++ if (!p) ++ { ++ if (fputs(olinebuf, out) < 0) ++ goto error; ++ continue; ++ } ++ ++ q = p - 1; ++ ++ /* Remove trailing space */ ++ while (isspace((unsigned char)*q)) ++ *q-- = 0; ++ ++ *p = 0; ++ value = p + 1; ++ ++ /* Remove leading space from value */ ++ while (isspace((unsigned char)*value)) ++ value++; ++ ++ /* Remove trailing space from value */ ++ p = value + strlen(value) - 1; ++ ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ ++ /* Look for [mod = XXX] for key length */ ++ ++ if (!strcmp(keyword, "[mod")) ++ { ++ p = value + strlen(value) - 1; ++ if (*p != ']') ++ goto parse_error; ++ *p = 0; ++ keylen = atoi(value); ++ if (keylen < 0) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "SHAAlg")) ++ { ++ if (!strcmp(value, "SHA1")) ++ dgst = EVP_sha1(); ++ else if (!strcmp(value, "SHA224")) ++ dgst = EVP_sha224(); ++ else if (!strcmp(value, "SHA256")) ++ dgst = EVP_sha256(); ++ else if (!strcmp(value, "SHA384")) ++ dgst = EVP_sha384(); ++ else if (!strcmp(value, "SHA512")) ++ dgst = EVP_sha512(); ++ else ++ { ++ fprintf(stderr, ++ "FATAL: unsupported algorithm \"%s\"\n", ++ value); ++ goto parse_error; ++ } ++ } ++ else if (!strcmp(keyword, "Msg")) ++ { ++ if (Msg) ++ goto parse_error; ++ if (strlen(value) & 1) ++ *(--value) = '0'; ++ Msg = hex2bin_m(value, &Msglen); ++ if (!Msg) ++ goto parse_error; ++ } ++ ++ fputs(olinebuf, out); ++ ++ /* If key length has changed, generate and output public ++ * key components of new RSA private key. ++ */ ++ ++ if (keylen != current_keylen) ++ { ++ BIGNUM *bn_e; ++ if (rsa) ++ FIPS_rsa_free(rsa); ++ rsa = FIPS_rsa_new(); ++ if (!rsa) ++ goto error; ++ bn_e = BN_new(); ++ if (!bn_e || !BN_set_word(bn_e, 0x1001)) ++ goto error; ++ if (!RSA_X931_generate_key_ex(rsa, keylen, bn_e, NULL)) ++ goto error; ++ BN_free(bn_e); ++ fputs("n = ", out); ++ do_bn_print(out, rsa->n); ++ fputs("\ne = ", out); ++ do_bn_print(out, rsa->e); ++ fputs("\n", out); ++ current_keylen = keylen; ++ } ++ ++ if (Msg && dgst) ++ { ++ if (!rsa_printsig(out, rsa, dgst, Msg, Msglen, ++ Saltlen)) ++ goto error; ++ OPENSSL_free(Msg); ++ Msg = NULL; ++ } ++ ++ } ++ ++ ret = 1; ++ ++ error: ++ ++ if (olinebuf) ++ OPENSSL_free(olinebuf); ++ if (linebuf) ++ OPENSSL_free(linebuf); ++ if (rsa) ++ FIPS_rsa_free(rsa); ++ ++ return ret; ++ ++ parse_error: ++ ++ fprintf(stderr, "FATAL parse error processing line %d\n", lnum); ++ ++ goto error; ++ ++ } ++ ++static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst, ++ unsigned char *Msg, long Msglen, int Saltlen) ++ { ++ int ret = 0; ++ unsigned char *sigbuf = NULL; ++ int i, siglen; ++ /* EVP_PKEY structure */ ++ EVP_PKEY pk; ++ EVP_MD_CTX ctx; ++ pk.type = EVP_PKEY_RSA; ++ pk.pkey.rsa = rsa; ++ ++ siglen = RSA_size(rsa); ++ sigbuf = OPENSSL_malloc(siglen); ++ if (!sigbuf) ++ goto error; ++ ++ EVP_MD_CTX_init(&ctx); ++ ++ if (Saltlen >= 0) ++ { ++ M_EVP_MD_CTX_set_flags(&ctx, ++ EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16)); ++ } ++ else if (Saltlen == -2) ++ M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931); ++ if (!EVP_SignInit_ex(&ctx, dgst, NULL)) ++ goto error; ++ if (!EVP_SignUpdate(&ctx, Msg, Msglen)) ++ goto error; ++ if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk)) ++ goto error; ++ ++ EVP_MD_CTX_cleanup(&ctx); ++ ++ fputs("S = ", out); ++ ++ for (i = 0; i < siglen; i++) ++ fprintf(out, "%02X", sigbuf[i]); ++ ++ fputs("\n", out); ++ ++ ret = 1; ++ ++ error: ++ ++ return ret; ++ } ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,377 @@ ++/* fips_rsavtest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2005. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++ ++int main(int argc, char *argv[]) ++{ ++ printf("No FIPS RSA support\n"); ++ return(0); ++} ++ ++#else ++ ++#include "fips_utl.h" ++ ++int rsa_test(FILE *out, FILE *in, int saltlen); ++static int rsa_printver(FILE *out, ++ BIGNUM *n, BIGNUM *e, ++ const EVP_MD *dgst, ++ unsigned char *Msg, long Msglen, ++ unsigned char *S, long Slen, int Saltlen); ++ ++int main(int argc, char **argv) ++ { ++ FILE *in = NULL, *out = NULL; ++ ++ int ret = 1; ++ int Saltlen = -1; ++ ++ if(!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ goto end; ++ } ++ ++ if ((argc > 2) && !strcmp("-saltlen", argv[1])) ++ { ++ Saltlen = atoi(argv[2]); ++ if (Saltlen < 0) ++ { ++ fprintf(stderr, "FATAL: Invalid salt length\n"); ++ goto end; ++ } ++ argc -= 2; ++ argv += 2; ++ } ++ else if ((argc > 1) && !strcmp("-x931", argv[1])) ++ { ++ Saltlen = -2; ++ argc--; ++ argv++; ++ } ++ ++ if (argc == 1) ++ in = stdin; ++ else ++ in = fopen(argv[1], "r"); ++ ++ if (argc < 2) ++ out = stdout; ++ else ++ out = fopen(argv[2], "w"); ++ ++ if (!in) ++ { ++ fprintf(stderr, "FATAL input initialization error\n"); ++ goto end; ++ } ++ ++ if (!out) ++ { ++ fprintf(stderr, "FATAL output initialization error\n"); ++ goto end; ++ } ++ ++ if (!rsa_test(out, in, Saltlen)) ++ { ++ fprintf(stderr, "FATAL RSAVTEST file processing error\n"); ++ goto end; ++ } ++ else ++ ret = 0; ++ ++ end: ++ ++ if (ret) ++ do_print_errors(); ++ ++ if (in && (in != stdin)) ++ fclose(in); ++ if (out && (out != stdout)) ++ fclose(out); ++ ++ return ret; ++ ++ } ++ ++#define RSA_TEST_MAXLINELEN 10240 ++ ++int rsa_test(FILE *out, FILE *in, int Saltlen) ++ { ++ char *linebuf, *olinebuf, *p, *q; ++ char *keyword, *value; ++ const EVP_MD *dgst = NULL; ++ BIGNUM *n = NULL, *e = NULL; ++ unsigned char *Msg = NULL, *S = NULL; ++ long Msglen, Slen; ++ int ret = 0; ++ int lnum = 0; ++ ++ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); ++ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); ++ ++ if (!linebuf || !olinebuf) ++ goto error; ++ ++ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in)) ++ { ++ lnum++; ++ strcpy(linebuf, olinebuf); ++ keyword = linebuf; ++ /* Skip leading space */ ++ while (isspace((unsigned char)*keyword)) ++ keyword++; ++ ++ /* Look for = sign */ ++ p = strchr(linebuf, '='); ++ ++ /* If no = or starts with [ (for [foo = bar] line) just copy */ ++ if (!p || *keyword=='[') ++ { ++ if (fputs(olinebuf, out) < 0) ++ goto error; ++ continue; ++ } ++ ++ q = p - 1; ++ ++ /* Remove trailing space */ ++ while (isspace((unsigned char)*q)) ++ *q-- = 0; ++ ++ *p = 0; ++ value = p + 1; ++ ++ /* Remove leading space from value */ ++ while (isspace((unsigned char)*value)) ++ value++; ++ ++ /* Remove trailing space from value */ ++ p = value + strlen(value) - 1; ++ ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ ++ if (!strcmp(keyword, "n")) ++ { ++ if (!do_hex2bn(&n,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "e")) ++ { ++ if (!do_hex2bn(&e,value)) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "SHAAlg")) ++ { ++ if (!strcmp(value, "SHA1")) ++ dgst = EVP_sha1(); ++ else if (!strcmp(value, "SHA224")) ++ dgst = EVP_sha224(); ++ else if (!strcmp(value, "SHA256")) ++ dgst = EVP_sha256(); ++ else if (!strcmp(value, "SHA384")) ++ dgst = EVP_sha384(); ++ else if (!strcmp(value, "SHA512")) ++ dgst = EVP_sha512(); ++ else ++ { ++ fprintf(stderr, ++ "FATAL: unsupported algorithm \"%s\"\n", ++ value); ++ goto parse_error; ++ } ++ } ++ else if (!strcmp(keyword, "Msg")) ++ { ++ if (Msg) ++ goto parse_error; ++ if (strlen(value) & 1) ++ *(--value) = '0'; ++ Msg = hex2bin_m(value, &Msglen); ++ if (!Msg) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "S")) ++ { ++ if (S) ++ goto parse_error; ++ if (strlen(value) & 1) ++ *(--value) = '0'; ++ S = hex2bin_m(value, &Slen); ++ if (!S) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "Result")) ++ continue; ++ else ++ goto parse_error; ++ ++ fputs(olinebuf, out); ++ ++ if (n && e && Msg && S && dgst) ++ { ++ if (!rsa_printver(out, n, e, dgst, ++ Msg, Msglen, S, Slen, Saltlen)) ++ goto error; ++ OPENSSL_free(Msg); ++ Msg = NULL; ++ OPENSSL_free(S); ++ S = NULL; ++ } ++ ++ } ++ ++ ++ ret = 1; ++ ++ ++ error: ++ ++ if (olinebuf) ++ OPENSSL_free(olinebuf); ++ if (linebuf) ++ OPENSSL_free(linebuf); ++ if (n) ++ BN_free(n); ++ if (e) ++ BN_free(e); ++ ++ return ret; ++ ++ parse_error: ++ ++ fprintf(stderr, "FATAL parse error processing line %d\n", lnum); ++ ++ goto error; ++ ++ } ++ ++static int rsa_printver(FILE *out, ++ BIGNUM *n, BIGNUM *e, ++ const EVP_MD *dgst, ++ unsigned char *Msg, long Msglen, ++ unsigned char *S, long Slen, int Saltlen) ++ { ++ int ret = 0, r; ++ /* Setup RSA and EVP_PKEY structures */ ++ RSA *rsa_pubkey = NULL; ++ EVP_PKEY pk; ++ EVP_MD_CTX ctx; ++ unsigned char *buf = NULL; ++ rsa_pubkey = FIPS_rsa_new(); ++ if (!rsa_pubkey) ++ goto error; ++ rsa_pubkey->n = BN_dup(n); ++ rsa_pubkey->e = BN_dup(e); ++ if (!rsa_pubkey->n || !rsa_pubkey->e) ++ goto error; ++ pk.type = EVP_PKEY_RSA; ++ pk.pkey.rsa = rsa_pubkey; ++ ++ EVP_MD_CTX_init(&ctx); ++ ++ if (Saltlen >= 0) ++ { ++ M_EVP_MD_CTX_set_flags(&ctx, ++ EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16)); ++ } ++ else if (Saltlen == -2) ++ M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931); ++ if (!EVP_VerifyInit_ex(&ctx, dgst, NULL)) ++ goto error; ++ if (!EVP_VerifyUpdate(&ctx, Msg, Msglen)) ++ goto error; ++ ++ r = EVP_VerifyFinal(&ctx, S, Slen, &pk); ++ ++ ++ EVP_MD_CTX_cleanup(&ctx); ++ ++ if (r < 0) ++ goto error; ++ ERR_clear_error(); ++ ++ if (r == 0) ++ fputs("Result = F\n", out); ++ else ++ fputs("Result = P\n", out); ++ ++ ret = 1; ++ ++ error: ++ if (rsa_pubkey) ++ FIPS_rsa_free(rsa_pubkey); ++ if (buf) ++ OPENSSL_free(buf); ++ ++ return ret; ++ } ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,388 @@ ++/* fips_shatest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2005. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++ ++int main(int argc, char *argv[]) ++{ ++ printf("No FIPS SHAXXX support\n"); ++ return(0); ++} ++ ++#else ++ ++#include "fips_utl.h" ++ ++static int dgst_test(FILE *out, FILE *in); ++static int print_dgst(const EVP_MD *md, FILE *out, ++ unsigned char *Msg, int Msglen); ++static int print_monte(const EVP_MD *md, FILE *out, ++ unsigned char *Seed, int SeedLen); ++ ++int main(int argc, char **argv) ++ { ++ FILE *in = NULL, *out = NULL; ++ ++ int ret = 1; ++ ++ if(!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ goto end; ++ } ++ ++ if (argc == 1) ++ in = stdin; ++ else ++ in = fopen(argv[1], "r"); ++ ++ if (argc < 2) ++ out = stdout; ++ else ++ out = fopen(argv[2], "w"); ++ ++ if (!in) ++ { ++ fprintf(stderr, "FATAL input initialization error\n"); ++ goto end; ++ } ++ ++ if (!out) ++ { ++ fprintf(stderr, "FATAL output initialization error\n"); ++ goto end; ++ } ++ ++ if (!dgst_test(out, in)) ++ { ++ fprintf(stderr, "FATAL digest file processing error\n"); ++ goto end; ++ } ++ else ++ ret = 0; ++ ++ end: ++ ++ if (ret) ++ do_print_errors(); ++ ++ if (in && (in != stdin)) ++ fclose(in); ++ if (out && (out != stdout)) ++ fclose(out); ++ ++ return ret; ++ ++ } ++ ++#define SHA_TEST_MAX_BITS 102400 ++#define SHA_TEST_MAXLINELEN (((SHA_TEST_MAX_BITS >> 3) * 2) + 100) ++ ++int dgst_test(FILE *out, FILE *in) ++ { ++ const EVP_MD *md = NULL; ++ char *linebuf, *olinebuf, *p, *q; ++ char *keyword, *value; ++ unsigned char *Msg = NULL, *Seed = NULL; ++ long MsgLen = -1, Len = -1, SeedLen = -1; ++ int ret = 0; ++ int lnum = 0; ++ ++ olinebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN); ++ linebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN); ++ ++ if (!linebuf || !olinebuf) ++ goto error; ++ ++ ++ while (fgets(olinebuf, SHA_TEST_MAXLINELEN, in)) ++ { ++ lnum++; ++ strcpy(linebuf, olinebuf); ++ keyword = linebuf; ++ /* Skip leading space */ ++ while (isspace((unsigned char)*keyword)) ++ keyword++; ++ ++ /* Look for = sign */ ++ p = strchr(linebuf, '='); ++ ++ /* If no = or starts with [ (for [L=20] line) just copy */ ++ if (!p) ++ { ++ fputs(olinebuf, out); ++ continue; ++ } ++ ++ q = p - 1; ++ ++ /* Remove trailing space */ ++ while (isspace((unsigned char)*q)) ++ *q-- = 0; ++ ++ *p = 0; ++ value = p + 1; ++ ++ /* Remove leading space from value */ ++ while (isspace((unsigned char)*value)) ++ value++; ++ ++ /* Remove trailing space from value */ ++ p = value + strlen(value) - 1; ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ ++ if (!strcmp(keyword,"[L") && *p==']') ++ { ++ switch (atoi(value)) ++ { ++ case 20: md=EVP_sha1(); break; ++ case 28: md=EVP_sha224(); break; ++ case 32: md=EVP_sha256(); break; ++ case 48: md=EVP_sha384(); break; ++ case 64: md=EVP_sha512(); break; ++ default: goto parse_error; ++ } ++ } ++ else if (!strcmp(keyword, "Len")) ++ { ++ if (Len != -1) ++ goto parse_error; ++ Len = atoi(value); ++ if (Len < 0) ++ goto parse_error; ++ /* Only handle multiples of 8 bits */ ++ if (Len & 0x7) ++ goto parse_error; ++ if (Len > SHA_TEST_MAX_BITS) ++ goto parse_error; ++ MsgLen = Len >> 3; ++ } ++ ++ else if (!strcmp(keyword, "Msg")) ++ { ++ long tmplen; ++ if (strlen(value) & 1) ++ *(--value) = '0'; ++ if (Msg) ++ goto parse_error; ++ Msg = hex2bin_m(value, &tmplen); ++ if (!Msg) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "Seed")) ++ { ++ if (strlen(value) & 1) ++ *(--value) = '0'; ++ if (Seed) ++ goto parse_error; ++ Seed = hex2bin_m(value, &SeedLen); ++ if (!Seed) ++ goto parse_error; ++ } ++ else if (!strcmp(keyword, "MD")) ++ continue; ++ else ++ goto parse_error; ++ ++ fputs(olinebuf, out); ++ ++ if (md && Msg && (MsgLen >= 0)) ++ { ++ if (!print_dgst(md, out, Msg, MsgLen)) ++ goto error; ++ OPENSSL_free(Msg); ++ Msg = NULL; ++ MsgLen = -1; ++ Len = -1; ++ } ++ else if (md && Seed && (SeedLen > 0)) ++ { ++ if (!print_monte(md, out, Seed, SeedLen)) ++ goto error; ++ OPENSSL_free(Seed); ++ Seed = NULL; ++ SeedLen = -1; ++ } ++ ++ ++ } ++ ++ ++ ret = 1; ++ ++ ++ error: ++ ++ if (olinebuf) ++ OPENSSL_free(olinebuf); ++ if (linebuf) ++ OPENSSL_free(linebuf); ++ if (Msg) ++ OPENSSL_free(Msg); ++ if (Seed) ++ OPENSSL_free(Seed); ++ ++ return ret; ++ ++ parse_error: ++ ++ fprintf(stderr, "FATAL parse error processing line %d\n", lnum); ++ ++ goto error; ++ ++ } ++ ++static int print_dgst(const EVP_MD *emd, FILE *out, ++ unsigned char *Msg, int Msglen) ++ { ++ int i, mdlen; ++ unsigned char md[EVP_MAX_MD_SIZE]; ++ if (!EVP_Digest(Msg, Msglen, md, (unsigned int *)&mdlen, emd, NULL)) ++ { ++ fputs("Error calculating HASH\n", stderr); ++ return 0; ++ } ++ fputs("MD = ", out); ++ for (i = 0; i < mdlen; i++) ++ fprintf(out, "%02x", md[i]); ++ fputs("\n", out); ++ return 1; ++ } ++ ++static int print_monte(const EVP_MD *md, FILE *out, ++ unsigned char *Seed, int SeedLen) ++ { ++ unsigned int i, j, k; ++ int ret = 0; ++ EVP_MD_CTX ctx; ++ unsigned char *m1, *m2, *m3, *p; ++ unsigned int mlen, m1len, m2len, m3len; ++ ++ EVP_MD_CTX_init(&ctx); ++ ++ if (SeedLen > EVP_MAX_MD_SIZE) ++ mlen = SeedLen; ++ else ++ mlen = EVP_MAX_MD_SIZE; ++ ++ m1 = OPENSSL_malloc(mlen); ++ m2 = OPENSSL_malloc(mlen); ++ m3 = OPENSSL_malloc(mlen); ++ ++ if (!m1 || !m2 || !m3) ++ goto mc_error; ++ ++ m1len = m2len = m3len = SeedLen; ++ memcpy(m1, Seed, SeedLen); ++ memcpy(m2, Seed, SeedLen); ++ memcpy(m3, Seed, SeedLen); ++ ++ fputs("\n", out); ++ ++ for (j = 0; j < 100; j++) ++ { ++ for (i = 0; i < 1000; i++) ++ { ++ EVP_DigestInit_ex(&ctx, md, NULL); ++ EVP_DigestUpdate(&ctx, m1, m1len); ++ EVP_DigestUpdate(&ctx, m2, m2len); ++ EVP_DigestUpdate(&ctx, m3, m3len); ++ p = m1; ++ m1 = m2; ++ m1len = m2len; ++ m2 = m3; ++ m2len = m3len; ++ m3 = p; ++ EVP_DigestFinal_ex(&ctx, m3, &m3len); ++ } ++ fprintf(out, "COUNT = %d\n", j); ++ fputs("MD = ", out); ++ for (k = 0; k < m3len; k++) ++ fprintf(out, "%02x", m3[k]); ++ fputs("\n\n", out); ++ memcpy(m1, m3, m3len); ++ memcpy(m2, m3, m3len); ++ m1len = m2len = m3len; ++ } ++ ++ ret = 1; ++ ++ mc_error: ++ if (m1) ++ OPENSSL_free(m1); ++ if (m2) ++ OPENSSL_free(m2); ++ if (m3) ++ OPENSSL_free(m3); ++ ++ EVP_MD_CTX_cleanup(&ctx); ++ ++ return ret; ++ } ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,343 @@ ++/* ==================================================================== ++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++void do_print_errors(void) ++ { ++ const char *file, *data; ++ int line, flags; ++ unsigned long l; ++ while ((l = ERR_get_error_line_data(&file, &line, &data, &flags))) ++ { ++ fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d" ++ ":file=%s:line=%d:%s\n", ++ l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l), ++ file, line, flags & ERR_TXT_STRING ? data : ""); ++ } ++ } ++ ++int hex2bin(const char *in, unsigned char *out) ++ { ++ int n1, n2; ++ unsigned char ch; ++ ++ for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; ) ++ { /* first byte */ ++ if ((in[n1] >= '0') && (in[n1] <= '9')) ++ ch = in[n1++] - '0'; ++ else if ((in[n1] >= 'A') && (in[n1] <= 'F')) ++ ch = in[n1++] - 'A' + 10; ++ else if ((in[n1] >= 'a') && (in[n1] <= 'f')) ++ ch = in[n1++] - 'a' + 10; ++ else ++ return -1; ++ if(!in[n1]) ++ { ++ out[n2++]=ch; ++ break; ++ } ++ out[n2] = ch << 4; ++ /* second byte */ ++ if ((in[n1] >= '0') && (in[n1] <= '9')) ++ ch = in[n1++] - '0'; ++ else if ((in[n1] >= 'A') && (in[n1] <= 'F')) ++ ch = in[n1++] - 'A' + 10; ++ else if ((in[n1] >= 'a') && (in[n1] <= 'f')) ++ ch = in[n1++] - 'a' + 10; ++ else ++ return -1; ++ out[n2++] |= ch; ++ } ++ return n2; ++ } ++ ++unsigned char *hex2bin_m(const char *in, long *plen) ++ { ++ unsigned char *p; ++ p = OPENSSL_malloc((strlen(in) + 1)/2); ++ *plen = hex2bin(in, p); ++ return p; ++ } ++ ++int do_hex2bn(BIGNUM **pr, const char *in) ++ { ++ unsigned char *p; ++ long plen; ++ int r = 0; ++ p = hex2bin_m(in, &plen); ++ if (!p) ++ return 0; ++ if (!*pr) ++ *pr = BN_new(); ++ if (!*pr) ++ return 0; ++ if (BN_bin2bn(p, plen, *pr)) ++ r = 1; ++ OPENSSL_free(p); ++ return r; ++ } ++ ++int do_bn_print(FILE *out, BIGNUM *bn) ++ { ++ int len, i; ++ unsigned char *tmp; ++ len = BN_num_bytes(bn); ++ if (len == 0) ++ { ++ fputs("00", out); ++ return 1; ++ } ++ ++ tmp = OPENSSL_malloc(len); ++ if (!tmp) ++ { ++ fprintf(stderr, "Memory allocation error\n"); ++ return 0; ++ } ++ BN_bn2bin(bn, tmp); ++ for (i = 0; i < len; i++) ++ fprintf(out, "%02x", tmp[i]); ++ OPENSSL_free(tmp); ++ return 1; ++ } ++ ++int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn) ++ { ++ int r; ++ fprintf(out, "%s = ", name); ++ r = do_bn_print(out, bn); ++ if (!r) ++ return 0; ++ fputs("\n", out); ++ return 1; ++ } ++ ++int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf) ++ { ++ char *keyword, *value, *p, *q; ++ strcpy(linebuf, olinebuf); ++ keyword = linebuf; ++ /* Skip leading space */ ++ while (isspace((unsigned char)*keyword)) ++ keyword++; ++ ++ /* Look for = sign */ ++ p = strchr(linebuf, '='); ++ ++ /* If no '=' exit */ ++ if (!p) ++ return 0; ++ ++ q = p - 1; ++ ++ /* Remove trailing space */ ++ while (isspace((unsigned char)*q)) ++ *q-- = 0; ++ ++ *p = 0; ++ value = p + 1; ++ ++ /* Remove leading space from value */ ++ while (isspace((unsigned char)*value)) ++ value++; ++ ++ /* Remove trailing space from value */ ++ p = value + strlen(value) - 1; ++ ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ ++ *pkw = keyword; ++ *pval = value; ++ return 1; ++ } ++ ++BIGNUM *hex2bn(const char *in) ++ { ++ BIGNUM *p=NULL; ++ ++ if (!do_hex2bn(&p, in)) ++ return NULL; ++ ++ return p; ++ } ++ ++int bin2hex(const unsigned char *in,int len,char *out) ++ { ++ int n1, n2; ++ unsigned char ch; ++ ++ for (n1=0,n2=0 ; n1 < len ; ++n1) ++ { ++ ch=in[n1] >> 4; ++ if (ch <= 0x09) ++ out[n2++]=ch+'0'; ++ else ++ out[n2++]=ch-10+'a'; ++ ch=in[n1] & 0x0f; ++ if(ch <= 0x09) ++ out[n2++]=ch+'0'; ++ else ++ out[n2++]=ch-10+'a'; ++ } ++ out[n2]='\0'; ++ return n2; ++ } ++ ++void pv(const char *tag,const unsigned char *val,int len) ++ { ++ char obuf[2048]; ++ ++ bin2hex(val,len,obuf); ++ printf("%s = %s\n",tag,obuf); ++ } ++ ++/* To avoid extensive changes to test program at this stage just convert ++ * the input line into an acceptable form. Keyword lines converted to form ++ * "keyword = value\n" no matter what white space present, all other lines ++ * just have leading and trailing space removed. ++ */ ++ ++int tidy_line(char *linebuf, char *olinebuf) ++ { ++ char *keyword, *value, *p, *q; ++ strcpy(linebuf, olinebuf); ++ keyword = linebuf; ++ /* Skip leading space */ ++ while (isspace((unsigned char)*keyword)) ++ keyword++; ++ /* Look for = sign */ ++ p = strchr(linebuf, '='); ++ ++ /* If no '=' just chop leading, trailing ws */ ++ if (!p) ++ { ++ p = keyword + strlen(keyword) - 1; ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ strcpy(olinebuf, keyword); ++ strcat(olinebuf, "\n"); ++ return 1; ++ } ++ ++ q = p - 1; ++ ++ /* Remove trailing space */ ++ while (isspace((unsigned char)*q)) ++ *q-- = 0; ++ ++ *p = 0; ++ value = p + 1; ++ ++ /* Remove leading space from value */ ++ while (isspace((unsigned char)*value)) ++ value++; ++ ++ /* Remove trailing space from value */ ++ p = value + strlen(value) - 1; ++ ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ ++ strcpy(olinebuf, keyword); ++ strcat(olinebuf, " = "); ++ strcat(olinebuf, value); ++ strcat(olinebuf, "\n"); ++ ++ return 1; ++ } ++ ++/* NB: this return the number of _bits_ read */ ++int bint2bin(const char *in, int len, unsigned char *out) ++ { ++ int n; ++ ++ memset(out,0,len); ++ for(n=0 ; n < len ; ++n) ++ if(in[n] == '1') ++ out[n/8]|=(0x80 >> (n%8)); ++ return len; ++ } ++ ++int bin2bint(const unsigned char *in,int len,char *out) ++ { ++ int n; ++ ++ for(n=0 ; n < len ; ++n) ++ out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0'; ++ return n; ++ } ++ ++/*-----------------------------------------------*/ ++ ++void PrintValue(char *tag, unsigned char *val, int len) ++{ ++#if VERBOSE ++ char obuf[2048]; ++ int olen; ++ olen = bin2hex(val, len, obuf); ++ printf("%s = %.*s\n", tag, olen, obuf); ++#endif ++} ++ ++void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode) ++ { ++ char obuf[2048]; ++ int olen; ++ ++ if(bitmode) ++ olen=bin2bint(val,len,obuf); ++ else ++ olen=bin2hex(val,len,obuf); ++ ++ fprintf(rfp, "%s = %.*s\n", tag, olen, obuf); ++#if VERBOSE ++ printf("%s = %.*s\n", tag, olen, obuf); ++#endif ++ } ++ +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips_err.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,7 @@ ++#include ++ ++#ifdef OPENSSL_FIPS ++# include "fips_err.h" ++#else ++static void *dummy=&dummy; ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.h +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips_err.h 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,137 @@ ++/* crypto/fips_err.h */ ++/* ==================================================================== ++ * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++/* NOTE: this file was auto generated by the mkerr.pl script: any changes ++ * made to it will be overwritten when the script next updates this file, ++ * only reason strings will be preserved. ++ */ ++ ++#include ++#include ++#include ++ ++/* BEGIN ERROR CODES */ ++#ifndef OPENSSL_NO_ERR ++ ++#define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0) ++#define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason) ++ ++static ERR_STRING_DATA FIPS_str_functs[]= ++ { ++{ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"}, ++{ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN), "DSA_BUILTIN_PARAMGEN"}, ++{ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"}, ++{ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"}, ++{ERR_FUNC(FIPS_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"}, ++{ERR_FUNC(FIPS_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, ++{ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "FIPS_CHECK_DSA"}, ++{ERR_FUNC(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT), "FIPS_CHECK_INCORE_FINGERPRINT"}, ++{ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "FIPS_CHECK_RSA"}, ++{ERR_FUNC(FIPS_F_FIPS_DSA_CHECK), "FIPS_DSA_CHECK"}, ++{ERR_FUNC(FIPS_F_FIPS_MODE_SET), "FIPS_mode_set"}, ++{ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"}, ++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"}, ++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, ++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, ++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, ++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_RNG), "FIPS_selftest_rng"}, ++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, ++{ERR_FUNC(FIPS_F_HASH_FINAL), "HASH_FINAL"}, ++{ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"}, ++{ERR_FUNC(FIPS_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"}, ++{ERR_FUNC(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"}, ++{ERR_FUNC(FIPS_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"}, ++{ERR_FUNC(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"}, ++{ERR_FUNC(FIPS_F_RSA_X931_GENERATE_KEY_EX), "RSA_X931_generate_key_ex"}, ++{ERR_FUNC(FIPS_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"}, ++{0,NULL} ++ }; ++ ++static ERR_STRING_DATA FIPS_str_reasons[]= ++ { ++{ERR_REASON(FIPS_R_CANNOT_READ_EXE) ,"cannot read exe"}, ++{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot read exe digest"}, ++{ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"contradicting evidence"}, ++{ERR_REASON(FIPS_R_EXE_DIGEST_DOES_NOT_MATCH),"exe digest does not match"}, ++{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),"fingerprint does not match"}, ++{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED),"fingerprint does not match nonpic relocated"}, ++{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match segment aliasing"}, ++{ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET),"fips mode already set"}, ++{ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED) ,"fips selftest failed"}, ++{ERR_REASON(FIPS_R_INVALID_KEY_LENGTH) ,"invalid key length"}, ++{ERR_REASON(FIPS_R_KEY_TOO_SHORT) ,"key too short"}, ++{ERR_REASON(FIPS_R_NON_FIPS_METHOD) ,"non fips method"}, ++{ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED) ,"pairwise test failed"}, ++{ERR_REASON(FIPS_R_RSA_DECRYPT_ERROR) ,"rsa decrypt error"}, ++{ERR_REASON(FIPS_R_RSA_ENCRYPT_ERROR) ,"rsa encrypt error"}, ++{ERR_REASON(FIPS_R_SELFTEST_FAILED) ,"selftest failed"}, ++{ERR_REASON(FIPS_R_TEST_FAILURE) ,"test failure"}, ++{ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM) ,"unsupported platform"}, ++{0,NULL} ++ }; ++ ++#endif ++ ++void ERR_load_FIPS_strings(void) ++ { ++#ifndef OPENSSL_NO_ERR ++ ++ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) ++ { ++ ERR_load_strings(0,FIPS_str_functs); ++ ERR_load_strings(0,FIPS_str_reasons); ++ } ++#endif ++ } +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,103 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include ++ ++#ifdef OPENSSL_FIPS ++static struct ++ { ++ unsigned char key[16]; ++ unsigned char plaintext[16]; ++ unsigned char ciphertext[16]; ++ } tests[]= ++ { ++ { ++ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07, ++ 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F }, ++ { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77, ++ 0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF }, ++ { 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30, ++ 0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A }, ++ }, ++ }; ++ ++void FIPS_corrupt_aes() ++ { ++ tests[0].key[0]++; ++ } ++ ++int FIPS_selftest_aes() ++ { ++ int n; ++ int ret = 0; ++ EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX_init(&ctx); ++ ++ for(n=0 ; n < 1 ; ++n) ++ { ++ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(), ++ tests[n].key, NULL, ++ tests[n].plaintext, ++ tests[n].ciphertext, ++ 16) <= 0) ++ goto err; ++ } ++ ret = 1; ++ err: ++ EVP_CIPHER_CTX_cleanup(&ctx); ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED); ++ return ret; ++ } ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,419 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++#include ++ ++#ifndef PATH_MAX ++#define PATH_MAX 1024 ++#endif ++ ++static int fips_selftest_fail; ++static int fips_mode; ++static const void *fips_rand_check; ++ ++static void fips_set_mode(int onoff) ++ { ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (fips_is_started()) ++ { ++ if (!owning_thread) fips_w_lock(); ++ fips_mode = onoff; ++ if (!owning_thread) fips_w_unlock(); ++ } ++ } ++ ++static void fips_set_rand_check(const void *rand_check) ++ { ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (fips_is_started()) ++ { ++ if (!owning_thread) fips_w_lock(); ++ fips_rand_check = rand_check; ++ if (!owning_thread) fips_w_unlock(); ++ } ++ } ++ ++int FIPS_mode(void) ++ { ++ int ret = 0; ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (fips_is_started()) ++ { ++ if (!owning_thread) fips_r_lock(); ++ ret = fips_mode; ++ if (!owning_thread) fips_r_unlock(); ++ } ++ return ret; ++ } ++ ++const void *FIPS_rand_check(void) ++ { ++ const void *ret = 0; ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (fips_is_started()) ++ { ++ if (!owning_thread) fips_r_lock(); ++ ret = fips_rand_check; ++ if (!owning_thread) fips_r_unlock(); ++ } ++ return ret; ++ } ++ ++int FIPS_selftest_failed(void) ++ { ++ int ret = 0; ++ if (fips_is_started()) ++ { ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (!owning_thread) fips_r_lock(); ++ ret = fips_selftest_fail; ++ if (!owning_thread) fips_r_unlock(); ++ } ++ return ret; ++ } ++ ++/* Selftest failure fatal exit routine. This will be called ++ * during *any* cryptographic operation. It has the minimum ++ * overhead possible to avoid too big a performance hit. ++ */ ++ ++void FIPS_selftest_check(void) ++ { ++ if (fips_selftest_fail) ++ { ++ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ } ++ } ++ ++void fips_set_selftest_fail(void) ++ { ++ fips_selftest_fail = 1; ++ } ++ ++int FIPS_selftest() ++ { ++ ++ return FIPS_selftest_sha1() ++ && FIPS_selftest_hmac() ++ && FIPS_selftest_aes() ++ && FIPS_selftest_des() ++ && FIPS_selftest_rsa() ++ && FIPS_selftest_dsa(); ++ } ++ ++int FIPS_mode_set(int onoff) ++ { ++ int fips_set_owning_thread(); ++ int fips_clear_owning_thread(); ++ int ret = 0; ++ ++ fips_w_lock(); ++ fips_set_started(); ++ fips_set_owning_thread(); ++ ++ if(onoff) ++ { ++ unsigned char buf[48]; ++ ++ fips_selftest_fail = 0; ++ ++ /* Don't go into FIPS mode twice, just so we can do automagic ++ seeding */ ++ if(FIPS_mode()) ++ { ++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ ++#ifdef OPENSSL_IA32_SSE2 ++ if ((OPENSSL_ia32cap & (1<<25|1<<26)) != (1<<25|1<<26)) ++ { ++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++#endif ++ ++ /* Perform RNG KAT before seeding */ ++ if (!FIPS_selftest_rng()) ++ { ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ ++ /* automagically seed PRNG if not already seeded */ ++ if(!FIPS_rand_status()) ++ { ++ if(RAND_bytes(buf,sizeof buf) <= 0) ++ { ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ FIPS_rand_set_key(buf,32); ++ FIPS_rand_seed(buf+32,16); ++ } ++ ++ /* now switch into FIPS mode */ ++ fips_set_rand_check(FIPS_rand_method()); ++ RAND_set_rand_method(FIPS_rand_method()); ++ if(FIPS_selftest()) ++ fips_set_mode(1); ++ else ++ { ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ ret = 1; ++ goto end; ++ } ++ fips_set_mode(0); ++ fips_selftest_fail = 0; ++ ret = 1; ++end: ++ fips_clear_owning_thread(); ++ fips_w_unlock(); ++ return ret; ++ } ++ ++void fips_w_lock(void) { CRYPTO_w_lock(CRYPTO_LOCK_FIPS); } ++void fips_w_unlock(void) { CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); } ++void fips_r_lock(void) { CRYPTO_r_lock(CRYPTO_LOCK_FIPS); } ++void fips_r_unlock(void) { CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); } ++ ++static int fips_started = 0; ++static unsigned long fips_thread = 0; ++ ++void fips_set_started(void) ++ { ++ fips_started = 1; ++ } ++ ++int fips_is_started(void) ++ { ++ return fips_started; ++ } ++ ++int fips_is_owning_thread(void) ++ { ++ int ret = 0; ++ ++ if (fips_is_started()) ++ { ++ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2); ++ if (fips_thread != 0 && fips_thread == CRYPTO_thread_id()) ++ ret = 1; ++ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2); ++ } ++ return ret; ++ } ++ ++int fips_set_owning_thread(void) ++ { ++ int ret = 0; ++ ++ if (fips_is_started()) ++ { ++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); ++ if (fips_thread == 0) ++ { ++ fips_thread = CRYPTO_thread_id(); ++ ret = 1; ++ } ++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); ++ } ++ return ret; ++ } ++ ++int fips_clear_owning_thread(void) ++ { ++ int ret = 0; ++ ++ if (fips_is_started()) ++ { ++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); ++ if (fips_thread == CRYPTO_thread_id()) ++ { ++ fips_thread = 0; ++ ret = 1; ++ } ++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); ++ } ++ return ret; ++ } ++ ++/* Generalized public key test routine. Signs and verifies the data ++ * supplied in tbs using mesage digest md and setting option digest ++ * flags md_flags. If the 'kat' parameter is not NULL it will ++ * additionally check the signature matches it: a known answer test ++ * The string "fail_str" is used for identification purposes in case ++ * of failure. ++ */ ++ ++int fips_pkey_signature_test(EVP_PKEY *pkey, ++ const unsigned char *tbs, int tbslen, ++ const unsigned char *kat, unsigned int katlen, ++ const EVP_MD *digest, unsigned int md_flags, ++ const char *fail_str) ++ { ++ int ret = 0; ++ unsigned char sigtmp[256], *sig = sigtmp; ++ unsigned int siglen; ++ EVP_MD_CTX mctx; ++ EVP_MD_CTX_init(&mctx); ++ ++ if ((pkey->type == EVP_PKEY_RSA) ++ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) ++ { ++ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa)); ++ if (!sig) ++ { ++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ } ++ ++ if (tbslen == -1) ++ tbslen = strlen((char *)tbs); ++ ++ if (md_flags) ++ EVP_MD_CTX_set_flags(&mctx, md_flags); ++ ++ if (!EVP_SignInit_ex(&mctx, digest, NULL)) ++ goto error; ++ if (!EVP_SignUpdate(&mctx, tbs, tbslen)) ++ goto error; ++ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey)) ++ goto error; ++ ++ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen))) ++ goto error; ++ ++ if (!EVP_VerifyInit_ex(&mctx, digest, NULL)) ++ goto error; ++ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen)) ++ goto error; ++ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey); ++ ++ error: ++ if (sig != sigtmp) ++ OPENSSL_free(sig); ++ EVP_MD_CTX_cleanup(&mctx); ++ if (ret != 1) ++ { ++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE); ++ if (fail_str) ++ ERR_add_error_data(2, "Type=", fail_str); ++ return 0; ++ } ++ return 1; ++ } ++ ++/* Generalized symmetric cipher test routine. Encrypt data, verify result ++ * against known answer, decrypt and compare with original plaintext. ++ */ ++ ++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ++ const unsigned char *key, ++ const unsigned char *iv, ++ const unsigned char *plaintext, ++ const unsigned char *ciphertext, ++ int len) ++ { ++ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE]; ++ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE]; ++ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE); ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0) ++ return 0; ++ EVP_Cipher(ctx, citmp, plaintext, len); ++ if (memcmp(citmp, ciphertext, len)) ++ return 0; ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0) ++ return 0; ++ EVP_Cipher(ctx, pltmp, citmp, len); ++ if (memcmp(pltmp, plaintext, len)) ++ return 0; ++ return 1; ++ } ++ ++#if 0 ++/* The purpose of this is to ensure the error code exists and the function ++ * name is to keep the error checking script quiet ++ */ ++void hash_final(void) ++ { ++ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); ++ } ++#endif ++ ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,139 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++static struct ++ { ++ unsigned char key[16]; ++ unsigned char plaintext[8]; ++ unsigned char ciphertext[8]; ++ } tests2[]= ++ { ++ { ++ { 0x7c,0x4f,0x6e,0xf7,0xa2,0x04,0x16,0xec, ++ 0x0b,0x6b,0x7c,0x9e,0x5e,0x19,0xa7,0xc4 }, ++ { 0x06,0xa7,0xd8,0x79,0xaa,0xce,0x69,0xef }, ++ { 0x4c,0x11,0x17,0x55,0xbf,0xc4,0x4e,0xfd } ++ }, ++ { ++ { 0x5d,0x9e,0x01,0xd3,0x25,0xc7,0x3e,0x34, ++ 0x01,0x16,0x7c,0x85,0x23,0xdf,0xe0,0x68 }, ++ { 0x9c,0x50,0x09,0x0f,0x5e,0x7d,0x69,0x7e }, ++ { 0xd2,0x0b,0x18,0xdf,0xd9,0x0d,0x9e,0xff }, ++ } ++ }; ++ ++static struct ++ { ++ unsigned char key[24]; ++ unsigned char plaintext[8]; ++ unsigned char ciphertext[8]; ++ } tests3[]= ++ { ++ { ++ { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10, ++ 0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0 }, ++ { 0x8f,0x8f,0xbf,0x9b,0x5d,0x48,0xb4,0x1c }, ++ { 0x59,0x8c,0xe5,0xd3,0x6c,0xa2,0xea,0x1b }, ++ }, ++ { ++ { 0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,0xFE, ++ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, ++ 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 }, ++ { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, ++ { 0x11,0x25,0xb0,0x35,0xbe,0xa0,0x82,0x86 }, ++ }, ++ }; ++ ++void FIPS_corrupt_des() ++ { ++ tests2[0].plaintext[0]++; ++ } ++ ++int FIPS_selftest_des() ++ { ++ int n, ret = 0; ++ EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX_init(&ctx); ++ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */ ++ for(n=0 ; n < 2 ; ++n) ++ { ++ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(), ++ tests2[n].key, NULL, ++ tests2[n].plaintext, tests2[n].ciphertext, 8)) ++ goto err; ++ } ++ ++ /* Encrypt/decrypt with 3DES and compare to known answers */ ++ for(n=0 ; n < 2 ; ++n) ++ { ++ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(), ++ tests3[n].key, NULL, ++ tests3[n].plaintext, tests3[n].ciphertext, 8)) ++ goto err; ++ } ++ ret = 1; ++ err: ++ EVP_CIPHER_CTX_cleanup(&ctx); ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED); ++ ++ return ret; ++ } ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,182 @@ ++/* crypto/dsa/dsatest.c */ ++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) ++ * All rights reserved. ++ * ++ * This package is an SSL implementation written ++ * by Eric Young (eay@cryptsoft.com). ++ * The implementation was written so as to conform with Netscapes SSL. ++ * ++ * This library is free for commercial and non-commercial use as long as ++ * the following conditions are aheared to. The following conditions ++ * apply to all code found in this distribution, be it the RC4, RSA, ++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation ++ * included with this distribution is covered by the same copyright terms ++ * except that the holder is Tim Hudson (tjh@cryptsoft.com). ++ * ++ * Copyright remains Eric Young's, and as such any Copyright notices in ++ * the code are not to be removed. ++ * If this package is used in a product, Eric Young should be given attribution ++ * as the author of the parts of the library used. ++ * This can be in the form of a textual message at program startup or ++ * in documentation (online or textual) provided with the package. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. All advertising materials mentioning features or use of this software ++ * must display the following acknowledgement: ++ * "This product includes cryptographic software written by ++ * Eric Young (eay@cryptsoft.com)" ++ * The word 'cryptographic' can be left out if the rouines from the library ++ * being used are not cryptographic related :-). ++ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * the apps directory (application code) you must include an acknowledgement: ++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ * ++ * The licence and distribution terms for any publically available version or ++ * derivative of this code cannot be changed. i.e. this code cannot simply be ++ * copied and put under another distribution licence ++ * [including the GNU Public Licence.] ++ */ ++ ++#include ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++/* seed, out_p, out_q, out_g are taken the NIST test vectors */ ++ ++static unsigned char seed[20] = { ++ 0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34, ++ 0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a ++ }; ++ ++static unsigned char out_p[] = { ++ 0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57, ++ 0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b, ++ 0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43, ++ 0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69, ++ 0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12, ++ 0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47, ++ 0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4, ++ 0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8, ++ 0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef, ++ 0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8, ++ 0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef ++ }; ++ ++static unsigned char out_q[] = { ++ 0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c, ++ 0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3 ++ }; ++ ++static unsigned char out_g[] = { ++ 0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb, ++ 0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e, ++ 0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63, ++ 0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35, ++ 0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf, ++ 0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a, ++ 0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed, ++ 0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf, ++ 0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2, ++ 0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36, ++ 0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec ++ }; ++ ++static const unsigned char str1[]="12345678901234567890"; ++ ++void FIPS_corrupt_dsa() ++ { ++ ++seed[0]; ++ } ++ ++int FIPS_selftest_dsa() ++ { ++ DSA *dsa=NULL; ++ int counter,i,j, ret = 0; ++ unsigned int slen; ++ unsigned char buf[256]; ++ unsigned long h; ++ EVP_MD_CTX mctx; ++ EVP_PKEY pk; ++ ++ EVP_MD_CTX_init(&mctx); ++ ++ dsa = DSA_new(); ++ ++ if(dsa == NULL) ++ goto err; ++ if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL)) ++ goto err; ++ if (counter != 378) ++ goto err; ++ if (h != 2) ++ goto err; ++ i=BN_bn2bin(dsa->q,buf); ++ j=sizeof(out_q); ++ if (i != j || memcmp(buf,out_q,i) != 0) ++ goto err; ++ ++ i=BN_bn2bin(dsa->p,buf); ++ j=sizeof(out_p); ++ if (i != j || memcmp(buf,out_p,i) != 0) ++ goto err; ++ ++ i=BN_bn2bin(dsa->g,buf); ++ j=sizeof(out_g); ++ if (i != j || memcmp(buf,out_g,i) != 0) ++ goto err; ++ DSA_generate_key(dsa); ++ pk.type = EVP_PKEY_DSA; ++ pk.pkey.dsa = dsa; ++ ++ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL)) ++ goto err; ++ if (!EVP_SignUpdate(&mctx, str1, 20)) ++ goto err; ++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) ++ goto err; ++ ++ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL)) ++ goto err; ++ if (!EVP_VerifyUpdate(&mctx, str1, 20)) ++ goto err; ++ if (EVP_VerifyFinal(&mctx, buf, slen, &pk) != 1) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ EVP_MD_CTX_cleanup(&mctx); ++ if (dsa) ++ DSA_free(dsa); ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_DSA,FIPS_R_SELFTEST_FAILED); ++ return ret; ++ } ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.h +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips.h 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,163 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++ ++#ifndef OPENSSL_FIPS ++#error FIPS is disabled. ++#endif ++ ++#ifdef OPENSSL_FIPS ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++struct dsa_st; ++struct evp_pkey_st; ++struct env_md_st; ++struct evp_cipher_st; ++struct evp_cipher_ctx_st; ++ ++int FIPS_mode_set(int onoff); ++int FIPS_mode(void); ++const void *FIPS_rand_check(void); ++int FIPS_selftest_failed(void); ++void FIPS_selftest_check(void); ++void FIPS_corrupt_sha1(void); ++int FIPS_selftest_sha1(void); ++void FIPS_corrupt_aes(void); ++int FIPS_selftest_aes(void); ++void FIPS_corrupt_des(void); ++int FIPS_selftest_des(void); ++void FIPS_corrupt_rsa(void); ++void FIPS_corrupt_rsa_keygen(void); ++int FIPS_selftest_rsa(void); ++void FIPS_corrupt_dsa(void); ++void FIPS_corrupt_dsa_keygen(void); ++int FIPS_selftest_dsa(void); ++void FIPS_corrupt_rng(void); ++void FIPS_rng_stick(void); ++int FIPS_selftest_rng(void); ++int FIPS_selftest_hmac(void); ++ ++int fips_pkey_signature_test(struct evp_pkey_st *pkey, ++ const unsigned char *tbs, int tbslen, ++ const unsigned char *kat, unsigned int katlen, ++ const struct env_md_st *digest, unsigned int md_flags, ++ const char *fail_str); ++ ++int fips_cipher_test(struct evp_cipher_ctx_st *ctx, ++ const struct evp_cipher_st *cipher, ++ const unsigned char *key, ++ const unsigned char *iv, ++ const unsigned char *plaintext, ++ const unsigned char *ciphertext, ++ int len); ++ ++/* BEGIN ERROR CODES */ ++/* The following lines are auto generated by the script mkerr.pl. Any changes ++ * made after this point may be overwritten when the script is next run. ++ */ ++void ERR_load_FIPS_strings(void); ++ ++/* Error codes for the FIPS functions. */ ++ ++/* Function codes. */ ++#define FIPS_F_DH_BUILTIN_GENPARAMS 100 ++#define FIPS_F_DSA_BUILTIN_PARAMGEN 101 ++#define FIPS_F_DSA_DO_SIGN 102 ++#define FIPS_F_DSA_DO_VERIFY 103 ++#define FIPS_F_EVP_CIPHERINIT_EX 124 ++#define FIPS_F_EVP_DIGESTINIT_EX 125 ++#define FIPS_F_FIPS_CHECK_DSA 104 ++#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105 ++#define FIPS_F_FIPS_CHECK_RSA 106 ++#define FIPS_F_FIPS_DSA_CHECK 107 ++#define FIPS_F_FIPS_MODE_SET 108 ++#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 ++#define FIPS_F_FIPS_SELFTEST_AES 110 ++#define FIPS_F_FIPS_SELFTEST_DES 111 ++#define FIPS_F_FIPS_SELFTEST_DSA 112 ++#define FIPS_F_FIPS_SELFTEST_HMAC 113 ++#define FIPS_F_FIPS_SELFTEST_RNG 114 ++#define FIPS_F_FIPS_SELFTEST_SHA1 115 ++#define FIPS_F_HASH_FINAL 123 ++#define FIPS_F_RSA_BUILTIN_KEYGEN 116 ++#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117 ++#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118 ++#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119 ++#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120 ++#define FIPS_F_RSA_X931_GENERATE_KEY_EX 121 ++#define FIPS_F_SSLEAY_RAND_BYTES 122 ++ ++/* Reason codes. */ ++#define FIPS_R_CANNOT_READ_EXE 103 ++#define FIPS_R_CANNOT_READ_EXE_DIGEST 104 ++#define FIPS_R_CONTRADICTING_EVIDENCE 114 ++#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH 105 ++#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 ++#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111 ++#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112 ++#define FIPS_R_FIPS_MODE_ALREADY_SET 102 ++#define FIPS_R_FIPS_SELFTEST_FAILED 106 ++#define FIPS_R_INVALID_KEY_LENGTH 109 ++#define FIPS_R_KEY_TOO_SHORT 108 ++#define FIPS_R_NON_FIPS_METHOD 100 ++#define FIPS_R_PAIRWISE_TEST_FAILED 107 ++#define FIPS_R_RSA_DECRYPT_ERROR 115 ++#define FIPS_R_RSA_ENCRYPT_ERROR 116 ++#define FIPS_R_SELFTEST_FAILED 101 ++#define FIPS_R_TEST_FAILURE 117 ++#define FIPS_R_UNSUPPORTED_PLATFORM 113 ++ ++#ifdef __cplusplus ++} ++#endif ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,137 @@ ++/* ==================================================================== ++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include ++ ++#ifdef OPENSSL_FIPS ++typedef struct { ++ const EVP_MD *(*alg)(void); ++ const char *key, *iv; ++ unsigned char kaval[EVP_MAX_MD_SIZE]; ++} HMAC_KAT; ++ ++static const HMAC_KAT vector[] = { ++ { EVP_sha1, ++ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ { 0x09,0x22,0xd3,0x40,0x5f,0xaa,0x3d,0x19, ++ 0x4f,0x82,0xa4,0x58,0x30,0x73,0x7d,0x5c, ++ 0xc6,0xc7,0x5d,0x24 } ++ }, ++ { EVP_sha224, ++ /* just keep extending the above... */ ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ { 0xdd,0xef,0x0a,0x40,0xcb,0x7d,0x50,0xfb, ++ 0x6e,0xe6,0xce,0xa1,0x20,0xba,0x26,0xaa, ++ 0x08,0xf3,0x07,0x75,0x87,0xb8,0xad,0x1b, ++ 0x8c,0x8d,0x12,0xc7 } ++ }, ++ { EVP_sha256, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ { 0xb8,0xf2,0x0d,0xb5,0x41,0xea,0x43,0x09, ++ 0xca,0x4e,0xa9,0x38,0x0c,0xd0,0xe8,0x34, ++ 0xf7,0x1f,0xbe,0x91,0x74,0xa2,0x61,0x38, ++ 0x0d,0xc1,0x7e,0xae,0x6a,0x34,0x51,0xd9 } ++ }, ++ { EVP_sha384, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ { 0x08,0xbc,0xb0,0xda,0x49,0x1e,0x87,0xad, ++ 0x9a,0x1d,0x6a,0xce,0x23,0xc5,0x0b,0xf6, ++ 0xb7,0x18,0x06,0xa5,0x77,0xcd,0x49,0x04, ++ 0x89,0xf1,0xe6,0x23,0x44,0x51,0x51,0x9f, ++ 0x85,0x56,0x80,0x79,0x0c,0xbd,0x4d,0x50, ++ 0xa4,0x5f,0x29,0xe3,0x93,0xf0,0xe8,0x7f } ++ }, ++ { EVP_sha512, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ { 0x80,0x9d,0x44,0x05,0x7c,0x5b,0x95,0x41, ++ 0x05,0xbd,0x04,0x13,0x16,0xdb,0x0f,0xac, ++ 0x44,0xd5,0xa4,0xd5,0xd0,0x89,0x2b,0xd0, ++ 0x4e,0x86,0x64,0x12,0xc0,0x90,0x77,0x68, ++ 0xf1,0x87,0xb7,0x7c,0x4f,0xae,0x2c,0x2f, ++ 0x21,0xa5,0xb5,0x65,0x9a,0x4f,0x4b,0xa7, ++ 0x47,0x02,0xa3,0xde,0x9b,0x51,0xf1,0x45, ++ 0xbd,0x4f,0x25,0x27,0x42,0x98,0x99,0x05 } ++ }, ++}; ++ ++int FIPS_selftest_hmac() ++ { ++ int n; ++ unsigned int outlen; ++ unsigned char out[EVP_MAX_MD_SIZE]; ++ const EVP_MD *md; ++ const HMAC_KAT *t; ++ ++ for(n=0,t=vector; nalg)(); ++ HMAC(md,t->key,strlen(t->key), ++ (const unsigned char *)t->iv,strlen(t->iv), ++ out,&outlen); ++ ++ if(memcmp(out,t->kaval,outlen)) ++ { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC,FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ } ++ return 1; ++ } ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,412 @@ ++/* ==================================================================== ++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++/* ++ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4. ++ */ ++ ++#include "e_os.h" ++ ++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't ++ be defined and gettimeofday() won't be declared with strict compilers ++ like DEC C in ANSI C mode. */ ++#ifndef _XOPEN_SOURCE_EXTENDED ++#define _XOPEN_SOURCE_EXTENDED 1 ++#endif ++ ++#include ++#include ++#include ++#include ++#ifndef OPENSSL_SYS_WIN32 ++#include ++#endif ++#include ++#ifndef OPENSSL_SYS_WIN32 ++# ifdef OPENSSL_UNISTD ++# include OPENSSL_UNISTD ++# else ++# include ++# endif ++#endif ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++void *OPENSSL_stderr(void); ++ ++#define AES_BLOCK_LENGTH 16 ++ ++ ++/* AES FIPS PRNG implementation */ ++ ++typedef struct ++ { ++ int seeded; ++ int keyed; ++ int test_mode; ++ int second; ++ int error; ++ unsigned long counter; ++ AES_KEY ks; ++ int vpos; ++ /* Temporary storage for key if it equals seed length */ ++ unsigned char tmp_key[AES_BLOCK_LENGTH]; ++ unsigned char V[AES_BLOCK_LENGTH]; ++ unsigned char DT[AES_BLOCK_LENGTH]; ++ unsigned char last[AES_BLOCK_LENGTH]; ++ } FIPS_PRNG_CTX; ++ ++static FIPS_PRNG_CTX sctx; ++ ++static int fips_prng_fail = 0; ++ ++void FIPS_rng_stick(void) ++ { ++ fips_prng_fail = 1; ++ } ++ ++void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx) ++ { ++ ctx->seeded = 0; ++ ctx->keyed = 0; ++ ctx->test_mode = 0; ++ ctx->counter = 0; ++ ctx->second = 0; ++ ctx->error = 0; ++ ctx->vpos = 0; ++ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH); ++ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY)); ++ } ++ ++ ++static int fips_set_prng_key(FIPS_PRNG_CTX *ctx, ++ const unsigned char *key, FIPS_RAND_SIZE_T keylen) ++ { ++ FIPS_selftest_check(); ++ if (keylen != 16 && keylen != 24 && keylen != 32) ++ { ++ /* error: invalid key size */ ++ return 0; ++ } ++ AES_set_encrypt_key(key, keylen << 3, &ctx->ks); ++ if (keylen == 16) ++ { ++ memcpy(ctx->tmp_key, key, 16); ++ ctx->keyed = 2; ++ } ++ else ++ ctx->keyed = 1; ++ ctx->seeded = 0; ++ ctx->second = 0; ++ return 1; ++ } ++ ++static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx, ++ const unsigned char *seed, FIPS_RAND_SIZE_T seedlen) ++ { ++ int i; ++ if (!ctx->keyed) ++ return 0; ++ /* In test mode seed is just supplied data */ ++ if (ctx->test_mode) ++ { ++ if (seedlen != AES_BLOCK_LENGTH) ++ return 0; ++ memcpy(ctx->V, seed, AES_BLOCK_LENGTH); ++ ctx->seeded = 1; ++ return 1; ++ } ++ /* Outside test mode XOR supplied data with existing seed */ ++ for (i = 0; i < seedlen; i++) ++ { ++ ctx->V[ctx->vpos++] ^= seed[i]; ++ if (ctx->vpos == AES_BLOCK_LENGTH) ++ { ++ ctx->vpos = 0; ++ /* Special case if first seed and key length equals ++ * block size check key and seed do not match. ++ */ ++ if (ctx->keyed == 2) ++ { ++ if (!memcmp(ctx->tmp_key, ctx->V, 16)) ++ { ++ RANDerr(RAND_F_FIPS_SET_PRNG_SEED, ++ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY); ++ return 0; ++ } ++ OPENSSL_cleanse(ctx->tmp_key, 16); ++ ctx->keyed = 1; ++ } ++ ctx->seeded = 1; ++ } ++ } ++ return 1; ++ } ++ ++int fips_set_test_mode(FIPS_PRNG_CTX *ctx) ++ { ++ if (ctx->keyed) ++ { ++ RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED); ++ return 0; ++ } ++ ctx->test_mode = 1; ++ return 1; ++ } ++ ++int FIPS_rand_test_mode(void) ++ { ++ return fips_set_test_mode(&sctx); ++ } ++ ++int FIPS_rand_set_dt(unsigned char *dt) ++ { ++ if (!sctx.test_mode) ++ { ++ RANDerr(RAND_F_FIPS_RAND_SET_DT,RAND_R_NOT_IN_TEST_MODE); ++ return 0; ++ } ++ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH); ++ return 1; ++ } ++ ++static void fips_get_dt(FIPS_PRNG_CTX *ctx) ++ { ++#ifdef OPENSSL_SYS_WIN32 ++ FILETIME ft; ++#else ++ struct timeval tv; ++#endif ++ unsigned char *buf = ctx->DT; ++ ++#ifndef GETPID_IS_MEANINGLESS ++ unsigned long pid; ++#endif ++ ++#ifdef OPENSSL_SYS_WIN32 ++ GetSystemTimeAsFileTime(&ft); ++ buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff); ++ buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff); ++ buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff); ++ buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff); ++ buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff); ++ buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff); ++ buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff); ++ buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff); ++#else ++ gettimeofday(&tv,NULL); ++ buf[0] = (unsigned char) (tv.tv_sec & 0xff); ++ buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff); ++ buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff); ++ buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff); ++ buf[4] = (unsigned char) (tv.tv_usec & 0xff); ++ buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff); ++ buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff); ++ buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff); ++#endif ++ buf[8] = (unsigned char) (ctx->counter & 0xff); ++ buf[9] = (unsigned char) ((ctx->counter >> 8) & 0xff); ++ buf[10] = (unsigned char) ((ctx->counter >> 16) & 0xff); ++ buf[11] = (unsigned char) ((ctx->counter >> 24) & 0xff); ++ ++ ctx->counter++; ++ ++ ++#ifndef GETPID_IS_MEANINGLESS ++ pid=(unsigned long)getpid(); ++ buf[12] = (unsigned char) (pid & 0xff); ++ buf[13] = (unsigned char) ((pid >> 8) & 0xff); ++ buf[14] = (unsigned char) ((pid >> 16) & 0xff); ++ buf[15] = (unsigned char) ((pid >> 24) & 0xff); ++#endif ++ } ++ ++static int fips_rand(FIPS_PRNG_CTX *ctx, ++ unsigned char *out, FIPS_RAND_SIZE_T outlen) ++ { ++ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH]; ++ unsigned char tmp[AES_BLOCK_LENGTH]; ++ int i; ++ if (ctx->error) ++ { ++ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR); ++ return 0; ++ } ++ if (!ctx->keyed) ++ { ++ RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET); ++ return 0; ++ } ++ if (!ctx->seeded) ++ { ++ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED); ++ return 0; ++ } ++ for (;;) ++ { ++ if (!ctx->test_mode) ++ fips_get_dt(ctx); ++ AES_encrypt(ctx->DT, I, &ctx->ks); ++ for (i = 0; i < AES_BLOCK_LENGTH; i++) ++ tmp[i] = I[i] ^ ctx->V[i]; ++ AES_encrypt(tmp, R, &ctx->ks); ++ for (i = 0; i < AES_BLOCK_LENGTH; i++) ++ tmp[i] = R[i] ^ I[i]; ++ AES_encrypt(tmp, ctx->V, &ctx->ks); ++ /* Continuous PRNG test */ ++ if (ctx->second) ++ { ++ if (fips_prng_fail) ++ memcpy(ctx->last, R, AES_BLOCK_LENGTH); ++ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) ++ { ++ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK); ++ ctx->error = 1; ++ fips_set_selftest_fail(); ++ return 0; ++ } ++ } ++ memcpy(ctx->last, R, AES_BLOCK_LENGTH); ++ if (!ctx->second) ++ { ++ ctx->second = 1; ++ if (!ctx->test_mode) ++ continue; ++ } ++ ++ if (outlen <= AES_BLOCK_LENGTH) ++ { ++ memcpy(out, R, outlen); ++ break; ++ } ++ ++ memcpy(out, R, AES_BLOCK_LENGTH); ++ out += AES_BLOCK_LENGTH; ++ outlen -= AES_BLOCK_LENGTH; ++ } ++ return 1; ++ } ++ ++ ++int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen) ++ { ++ int ret; ++ CRYPTO_w_lock(CRYPTO_LOCK_RAND); ++ ret = fips_set_prng_key(&sctx, key, keylen); ++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); ++ return ret; ++ } ++ ++int FIPS_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen) ++ { ++ int ret; ++ CRYPTO_w_lock(CRYPTO_LOCK_RAND); ++ ret = fips_set_prng_seed(&sctx, seed, seedlen); ++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); ++ return ret; ++ } ++ ++ ++int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T count) ++ { ++ int ret; ++ CRYPTO_w_lock(CRYPTO_LOCK_RAND); ++ ret = fips_rand(&sctx, out, count); ++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); ++ return ret; ++ } ++ ++int FIPS_rand_status(void) ++ { ++ int ret; ++ CRYPTO_r_lock(CRYPTO_LOCK_RAND); ++ ret = sctx.seeded; ++ CRYPTO_r_unlock(CRYPTO_LOCK_RAND); ++ return ret; ++ } ++ ++void FIPS_rand_reset(void) ++ { ++ CRYPTO_w_lock(CRYPTO_LOCK_RAND); ++ fips_rand_prng_reset(&sctx); ++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); ++ } ++ ++static void fips_do_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen) ++ { ++ FIPS_rand_seed(seed, seedlen); ++ } ++ ++static void fips_do_rand_add(const void *seed, FIPS_RAND_SIZE_T seedlen, ++ double add_entropy) ++ { ++ FIPS_rand_seed(seed, seedlen); ++ } ++ ++static const RAND_METHOD rand_fips_meth= ++ { ++ fips_do_rand_seed, ++ FIPS_rand_bytes, ++ FIPS_rand_reset, ++ fips_do_rand_add, ++ FIPS_rand_bytes, ++ FIPS_rand_status ++ }; ++ ++const RAND_METHOD *FIPS_rand_method(void) ++{ ++ return &rand_fips_meth; ++} ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.h +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rand.h 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,77 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#ifndef HEADER_FIPS_RAND_H ++#define HEADER_FIPS_RAND_H ++ ++#include "des.h" ++ ++#ifdef OPENSSL_FIPS ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen); ++int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num); ++int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen); ++ ++int FIPS_rand_test_mode(void); ++void FIPS_rand_reset(void); ++int FIPS_rand_set_dt(unsigned char *dt); ++ ++int FIPS_rand_status(void); ++ ++const RAND_METHOD *FIPS_rand_method(void); ++ ++#ifdef __cplusplus ++} ++#endif ++#endif ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,373 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++ ++ ++typedef struct ++ { ++ unsigned char DT[16]; ++ unsigned char V[16]; ++ unsigned char R[16]; ++ } AES_PRNG_TV; ++ ++/* The following test vectors are taken directly from the RGNVS spec */ ++ ++static unsigned char aes_128_key[16] = ++ {0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42, ++ 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02}; ++ ++static AES_PRNG_TV aes_128_tv[] = { ++ { ++ /* DT */ ++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, ++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9}, ++ /* V */ ++ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55, ++ 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41} ++ }, ++ { ++ /* DT */ ++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, ++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfa}, ++ /* V */ ++ {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x7c,0x22,0x2c,0xf4,0xca,0x8f,0xa2,0x4c, ++ 0x1c,0x9c,0xb6,0x41,0xa9,0xf3,0x22,0x0d} ++ }, ++ { ++ /* DT */ ++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, ++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfb}, ++ /* V */ ++ {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x8a,0xaa,0x00,0x39,0x66,0x67,0x5b,0xe5, ++ 0x29,0x14,0x28,0x81,0xa9,0x4d,0x4e,0xc7} ++ }, ++ { ++ /* DT */ ++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, ++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfc}, ++ /* V */ ++ {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x88,0xdd,0xa4,0x56,0x30,0x24,0x23,0xe5, ++ 0xf6,0x9d,0xa5,0x7e,0x7b,0x95,0xc7,0x3a} ++ }, ++ { ++ /* DT */ ++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, ++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfd}, ++ /* V */ ++ {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x05,0x25,0x92,0x46,0x61,0x79,0xd2,0xcb, ++ 0x78,0xc4,0x0b,0x14,0x0a,0x5a,0x9a,0xc8} ++ }, ++ { ++ /* DT */ ++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, ++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x77}, ++ /* V */ ++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, ++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe}, ++ /* R */ ++ {0x0d,0xd5,0xa0,0x36,0x7a,0x59,0x26,0xbc, ++ 0x48,0xd9,0x38,0xbf,0xf0,0x85,0x8f,0xea} ++ }, ++ { ++ /* DT */ ++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, ++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x78}, ++ /* V */ ++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, ++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, ++ /* R */ ++ {0xae,0x53,0x87,0xee,0x8c,0xd9,0x12,0xf5, ++ 0x73,0x53,0xae,0x03,0xf9,0xd5,0x13,0x33} ++ }, ++}; ++ ++static unsigned char aes_192_key[24] = ++ {0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e, ++ 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc, ++ 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b}; ++ ++static AES_PRNG_TV aes_192_tv[] = { ++ { ++ /* DT */ ++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, ++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b}, ++ /* V */ ++ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef, ++ 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93} ++ }, ++ { ++ /* DT */ ++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, ++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4c}, ++ /* V */ ++ {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x92,0x8d,0xbe,0x07,0xdd,0xc7,0x58,0xc0, ++ 0x6f,0x35,0x41,0x9b,0x17,0xc9,0xbd,0x9b} ++ }, ++ { ++ /* DT */ ++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, ++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4d}, ++ /* V */ ++ {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0xd5,0xde,0xf4,0x50,0xf3,0xb7,0x10,0x4e, ++ 0xb8,0xc6,0xf8,0xcf,0xe2,0xb1,0xca,0xa2} ++ }, ++ { ++ /* DT */ ++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, ++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4e}, ++ /* V */ ++ {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0xce,0x29,0x08,0x43,0xfc,0x34,0x41,0xe7, ++ 0x47,0x8f,0xb3,0x66,0x2b,0x46,0xb1,0xbb} ++ }, ++ { ++ /* DT */ ++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, ++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4f}, ++ /* V */ ++ {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0xb3,0x26,0x0f,0xf5,0xd6,0xca,0xa8,0xbf, ++ 0x89,0xb8,0x5e,0x2f,0x22,0x56,0x92,0x2f} ++ }, ++ { ++ /* DT */ ++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, ++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xc9}, ++ /* V */ ++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, ++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe}, ++ /* R */ ++ {0x05,0xeb,0x18,0x52,0x34,0x43,0x00,0x43, ++ 0x6e,0x5a,0xa5,0xfe,0x7b,0x32,0xc4,0x2d} ++ }, ++ { ++ /* DT */ ++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, ++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xca}, ++ /* V */ ++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, ++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, ++ /* R */ ++ {0x15,0x3c,0xe8,0xd1,0x04,0xc7,0xad,0x50, ++ 0x0b,0xf0,0x07,0x16,0xe7,0x56,0x7a,0xea} ++ }, ++}; ++ ++static unsigned char aes_256_key[32] = ++ {0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d, ++ 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f, ++ 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5, ++ 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb}; ++ ++static AES_PRNG_TV aes_256_tv[] = { ++ { ++ /* DT */ ++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, ++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88}, ++ /* V */ ++ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc, ++ 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72} ++ }, ++ { ++ /* DT */ ++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, ++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x89}, ++ /* V */ ++ {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x6c,0xf4,0x42,0x5d,0xc7,0x04,0x1a,0x41, ++ 0x28,0x2a,0x78,0xa9,0xb0,0x12,0xc4,0x95} ++ }, ++ { ++ /* DT */ ++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, ++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8a}, ++ /* V */ ++ {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x16,0x90,0xa4,0xff,0x7b,0x7e,0xb9,0x30, ++ 0xdb,0x67,0x4b,0xac,0x2d,0xe1,0xd1,0x75} ++ }, ++ { ++ /* DT */ ++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, ++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8b}, ++ /* V */ ++ {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x14,0x6f,0xf5,0x95,0xa1,0x46,0x65,0x30, ++ 0xbc,0x57,0xe2,0x4a,0xf7,0x45,0x62,0x05} ++ }, ++ { ++ /* DT */ ++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, ++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8c}, ++ /* V */ ++ {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00, ++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, ++ /* R */ ++ {0x96,0xe2,0xb4,0x1e,0x66,0x5e,0x0f,0xa4, ++ 0xc5,0xcd,0xa2,0x07,0xcc,0xb7,0x94,0x40} ++ }, ++ { ++ /* DT */ ++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, ++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x06}, ++ /* V */ ++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, ++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe}, ++ /* R */ ++ {0x61,0xce,0x1d,0x6a,0x48,0x75,0x97,0x28, ++ 0x4b,0x41,0xde,0x18,0x44,0x4f,0x56,0xec} ++ }, ++ { ++ /* DT */ ++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, ++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x07}, ++ /* V */ ++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, ++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, ++ /* R */ ++ {0x52,0x89,0x59,0x79,0x2d,0xaa,0x28,0xb3, ++ 0xb0,0x8a,0x3e,0x70,0xfa,0x71,0x59,0x84} ++ }, ++}; ++ ++ ++void FIPS_corrupt_rng() ++ { ++ aes_192_tv[0].V[0]++; ++ } ++ ++#define fips_rand_test(key, tv) \ ++ do_rand_test(key, sizeof key, tv, sizeof(tv)/sizeof(AES_PRNG_TV)) ++ ++static int do_rand_test(unsigned char *key, int keylen, ++ AES_PRNG_TV *tv, int ntv) ++ { ++ unsigned char R[16]; ++ int i; ++ if (!FIPS_rand_set_key(key, keylen)) ++ return 0; ++ for (i = 0; i < ntv; i++) ++ { ++ FIPS_rand_seed(tv[i].V, 16); ++ FIPS_rand_set_dt(tv[i].DT); ++ FIPS_rand_bytes(R, 16); ++ if (memcmp(R, tv[i].R, 16)) ++ return 0; ++ } ++ return 1; ++ } ++ ++ ++int FIPS_selftest_rng() ++ { ++ FIPS_rand_reset(); ++ if (!FIPS_rand_test_mode()) ++ { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ if (!fips_rand_test(aes_128_key,aes_128_tv) ++ || !fips_rand_test(aes_192_key, aes_192_tv) ++ || !fips_rand_test(aes_256_key, aes_256_tv)) ++ { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ FIPS_rand_reset(); ++ return 1; ++ } ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_randtest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_randtest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,248 @@ ++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) ++ * All rights reserved. ++ * ++ * This package is an SSL implementation written ++ * by Eric Young (eay@cryptsoft.com). ++ * The implementation was written so as to conform with Netscapes SSL. ++ * ++ * This library is free for commercial and non-commercial use as long as ++ * the following conditions are aheared to. The following conditions ++ * apply to all code found in this distribution, be it the RC4, RSA, ++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation ++ * included with this distribution is covered by the same copyright terms ++ * except that the holder is Tim Hudson (tjh@cryptsoft.com). ++ * ++ * Copyright remains Eric Young's, and as such any Copyright notices in ++ * the code are not to be removed. ++ * If this package is used in a product, Eric Young should be given attribution ++ * as the author of the parts of the library used. ++ * This can be in the form of a textual message at program startup or ++ * in documentation (online or textual) provided with the package. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. All advertising materials mentioning features or use of this software ++ * must display the following acknowledgement: ++ * "This product includes cryptographic software written by ++ * Eric Young (eay@cryptsoft.com)" ++ * The word 'cryptographic' can be left out if the rouines from the library ++ * being used are not cryptographic related :-). ++ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * the apps directory (application code) you must include an acknowledgement: ++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ * ++ * The licence and distribution terms for any publically available version or ++ * derivative of this code cannot be changed. i.e. this code cannot simply be ++ * copied and put under another distribution licence ++ * [including the GNU Public Licence.] ++ */ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "e_os.h" ++ ++#ifndef OPENSSL_FIPS ++int main(int argc, char *argv[]) ++{ ++ printf("No FIPS RAND support\n"); ++ return(0); ++} ++ ++#else ++ ++#include "fips_utl.h" ++ ++typedef struct ++ { ++ unsigned char DT[16]; ++ unsigned char V[16]; ++ unsigned char R[16]; ++ } AES_PRNG_MCT; ++ ++static unsigned char aes_128_mct_key[16] = ++ {0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5, ++ 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48}; ++ ++static AES_PRNG_MCT aes_128_mct_tv = { ++ /* DT */ ++ {0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b, ++ 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac}, ++ /* V */ ++ {0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97, ++ 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1}, ++ /* R */ ++ {0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb, ++ 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73} ++}; ++ ++static unsigned char aes_192_mct_key[24] = ++ {0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73, ++ 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91, ++ 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a}; ++ ++static AES_PRNG_MCT aes_192_mct_tv = { ++ /* DT */ ++ {0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9, ++ 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52}, ++ /* V */ ++ {0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64, ++ 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d}, ++ /* R */ ++ {0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21, ++ 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47} ++}; ++ ++static unsigned char aes_256_mct_key[32] = ++ {0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a, ++ 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0, ++ 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d, ++ 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50}; ++ ++static AES_PRNG_MCT aes_256_mct_tv = { ++ /* DT */ ++ {0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee, ++ 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c}, ++ /* V */ ++ {0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1, ++ 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca}, ++ /* R */ ++ {0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1, ++ 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d} ++}; ++ ++static void dump(const unsigned char *b,int n) ++ { ++ while(n-- > 0) ++ { ++ printf(" %02x",*b++); ++ } ++ } ++ ++static void compare(const unsigned char *result,const unsigned char *expected, ++ int n) ++ { ++ int i; ++ ++ for(i=0 ; i < n ; ++i) ++ if(result[i] != expected[i]) ++ { ++ puts("Random test failed, got:"); ++ dump(result,n); ++ puts("\n expected:"); ++ dump(expected,n); ++ putchar('\n'); ++ EXIT(1); ++ } ++ } ++ ++ ++static void run_test(unsigned char *key, int keylen, AES_PRNG_MCT *tv) ++ { ++ unsigned char buf[16], dt[16]; ++ int i, j; ++ FIPS_rand_reset(); ++ FIPS_rand_test_mode(); ++ FIPS_rand_set_key(key, keylen); ++ FIPS_rand_seed(tv->V, 16); ++ memcpy(dt, tv->DT, 16); ++ for (i = 0; i < 10000; i++) ++ { ++ FIPS_rand_set_dt(dt); ++ FIPS_rand_bytes(buf, 16); ++ /* Increment DT */ ++ for (j = 15; j >= 0; j--) ++ { ++ dt[j]++; ++ if (dt[j]) ++ break; ++ } ++ } ++ ++ compare(buf,tv->R, 16); ++ } ++ ++int main() ++ { ++ run_test(aes_128_mct_key, 16, &aes_128_mct_tv); ++ printf("FIPS PRNG test 1 done\n"); ++ run_test(aes_192_mct_key, 24, &aes_192_mct_tv); ++ printf("FIPS PRNG test 2 done\n"); ++ run_test(aes_256_mct_key, 32, &aes_256_mct_tv); ++ printf("FIPS PRNG test 3 done\n"); ++ return 0; ++ } ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,434 @@ ++/* ==================================================================== ++ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++static unsigned char n[] = ++"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" ++"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" ++"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" ++"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" ++"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" ++"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" ++"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" ++"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" ++"\xCB"; ++ ++ ++static int setrsakey(RSA *key) ++ { ++ static const unsigned char e[] = "\x11"; ++ ++ static const unsigned char d[] = ++"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" ++"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" ++"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" ++"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" ++"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" ++"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" ++"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" ++"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" ++"\xC1"; ++ ++ static const unsigned char p[] = ++"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" ++"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" ++"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" ++"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" ++"\x99"; ++ ++ static const unsigned char q[] = ++"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" ++"\x03"; ++ ++ static const unsigned char dmp1[] = ++"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" ++"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" ++"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" ++"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; ++ ++ static const unsigned char dmq1[] = ++"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" ++"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" ++"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" ++"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; ++ ++ static const unsigned char iqmp[] = ++"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" ++"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" ++"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" ++"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" ++"\xF7"; ++ ++ key->n = BN_bin2bn(n, sizeof(n)-1, key->n); ++ key->e = BN_bin2bn(e, sizeof(e)-1, key->e); ++ key->d = BN_bin2bn(d, sizeof(d)-1, key->d); ++ key->p = BN_bin2bn(p, sizeof(p)-1, key->p); ++ key->q = BN_bin2bn(q, sizeof(q)-1, key->q); ++ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1); ++ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1); ++ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp); ++ return 1; ++ } ++ ++void FIPS_corrupt_rsa() ++ { ++ n[0]++; ++ } ++ ++/* Known Answer Test (KAT) data for the above RSA private key signing ++ * kat_tbs. ++ */ ++ ++static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT"; ++ ++static const unsigned char kat_RSA_PSS_SHA1[] = { ++ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F, ++ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB, ++ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3, ++ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C, ++ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7, ++ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5, ++ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45, ++ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31, ++ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8, ++ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84, ++ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9 ++}; ++ ++static const unsigned char kat_RSA_PSS_SHA224[] = { ++ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7, ++ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA, ++ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57, ++ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89, ++ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE, ++ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22, ++ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5, ++ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49, ++ 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D, ++ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00, ++ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0 ++}; ++ ++static const unsigned char kat_RSA_PSS_SHA256[] = { ++ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89, ++ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F, ++ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28, ++ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E, ++ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05, ++ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA, ++ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6, ++ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F, ++ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D, ++ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6, ++ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C ++}; ++ ++static const unsigned char kat_RSA_PSS_SHA384[] = { ++ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2, ++ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E, ++ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD, ++ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F, ++ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C, ++ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB, ++ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F, ++ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89, ++ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F, ++ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55, ++ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1 ++}; ++ ++static const unsigned char kat_RSA_PSS_SHA512[] = { ++ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C, ++ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A, ++ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD, ++ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39, ++ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7, ++ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61, ++ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13, ++ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63, ++ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE, ++ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88, ++ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B ++}; ++ ++static const unsigned char kat_RSA_SHA1[] = { ++ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C, ++ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B, ++ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF, ++ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8, ++ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1, ++ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA, ++ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E, ++ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F, ++ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F, ++ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95, ++ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4 ++}; ++ ++static const unsigned char kat_RSA_SHA224[] = { ++ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9, ++ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D, ++ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89, ++ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD, ++ 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5, ++ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC, ++ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B, ++ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2, ++ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35, ++ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC, ++ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D ++}; ++ ++static const unsigned char kat_RSA_SHA256[] = { ++ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23, ++ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23, ++ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35, ++ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E, ++ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18, ++ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30, ++ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A, ++ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38, ++ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA, ++ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90, ++ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A ++}; ++ ++static const unsigned char kat_RSA_SHA384[] = { ++ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F, ++ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7, ++ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C, ++ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55, ++ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF, ++ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2, ++ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C, ++ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD, ++ 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1, ++ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04, ++ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF ++}; ++ ++static const unsigned char kat_RSA_SHA512[] = { ++ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF, ++ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A, ++ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1, ++ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8, ++ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5, ++ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B, ++ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6, ++ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05, ++ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D, ++ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91, ++ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84 ++}; ++ ++static const unsigned char kat_RSA_X931_SHA1[] = { ++ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF, ++ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75, ++ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC, ++ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97, ++ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6, ++ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19, ++ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7, ++ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99, ++ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76, ++ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67, ++ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49 ++}; ++ ++static const unsigned char kat_RSA_X931_SHA256[] = { ++ 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89, ++ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD, ++ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF, ++ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B, ++ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B, ++ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98, ++ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC, ++ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C, ++ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD, ++ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC, ++ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80 ++}; ++ ++static const unsigned char kat_RSA_X931_SHA384[] = { ++ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B, ++ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB, ++ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3, ++ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6, ++ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31, ++ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1, ++ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79, ++ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF, ++ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35, ++ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D, ++ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28 ++}; ++ ++static const unsigned char kat_RSA_X931_SHA512[] = { ++ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63, ++ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC, ++ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7, ++ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28, ++ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5, ++ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF, ++ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0, ++ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09, ++ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C, ++ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B, ++ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3 ++}; ++ ++ ++int FIPS_selftest_rsa() ++ { ++ int ret = 0; ++ RSA *key = NULL; ++ EVP_PKEY pk; ++ key=RSA_new(); ++ setrsakey(key); ++ pk.type = EVP_PKEY_RSA; ++ pk.pkey.rsa = key; ++ ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA1, sizeof(kat_RSA_SHA1), ++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA1 PKCS#1")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA224, sizeof(kat_RSA_SHA224), ++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA224 PKCS#1")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA256, sizeof(kat_RSA_SHA256), ++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA256 PKCS#1")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA384, sizeof(kat_RSA_SHA384), ++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA384 PKCS#1")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA512, sizeof(kat_RSA_SHA512), ++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA512 PKCS#1")) ++ goto err; ++ ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1), ++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, ++ "RSA SHA1 PSS")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224), ++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS, ++ "RSA SHA224 PSS")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256), ++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS, ++ "RSA SHA256 PSS")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384), ++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS, ++ "RSA SHA384 PSS")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512), ++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS, ++ "RSA SHA512 PSS")) ++ goto err; ++ ++ ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1), ++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, ++ "RSA SHA1 X931")) ++ goto err; ++ /* NB: SHA224 not supported in X9.31 */ ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256), ++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931, ++ "RSA SHA256 X931")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384), ++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931, ++ "RSA SHA384 X931")) ++ goto err; ++ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512), ++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931, ++ "RSA SHA512 X931")) ++ goto err; ++ ++ ++ ret = 1; ++ ++ err: ++ RSA_free(key); ++ return ret; ++ } ++ ++#endif /* def OPENSSL_FIPS */ +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,281 @@ ++/* crypto/rsa/rsa_gen.c */ ++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) ++ * All rights reserved. ++ * ++ * This package is an SSL implementation written ++ * by Eric Young (eay@cryptsoft.com). ++ * The implementation was written so as to conform with Netscapes SSL. ++ * ++ * This library is free for commercial and non-commercial use as long as ++ * the following conditions are aheared to. The following conditions ++ * apply to all code found in this distribution, be it the RC4, RSA, ++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation ++ * included with this distribution is covered by the same copyright terms ++ * except that the holder is Tim Hudson (tjh@cryptsoft.com). ++ * ++ * Copyright remains Eric Young's, and as such any Copyright notices in ++ * the code are not to be removed. ++ * If this package is used in a product, Eric Young should be given attribution ++ * as the author of the parts of the library used. ++ * This can be in the form of a textual message at program startup or ++ * in documentation (online or textual) provided with the package. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. All advertising materials mentioning features or use of this software ++ * must display the following acknowledgement: ++ * "This product includes cryptographic software written by ++ * Eric Young (eay@cryptsoft.com)" ++ * The word 'cryptographic' can be left out if the rouines from the library ++ * being used are not cryptographic related :-). ++ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * the apps directory (application code) you must include an acknowledgement: ++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ * ++ * The licence and distribution terms for any publically available version or ++ * derivative of this code cannot be changed. i.e. this code cannot simply be ++ * copied and put under another distribution licence ++ * [including the GNU Public Licence.] ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++ ++extern int fips_check_rsa(RSA *rsa); ++#endif ++ ++/* X9.31 RSA key derivation and generation */ ++ ++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, ++ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp, ++ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq, ++ const BIGNUM *e, BN_GENCB *cb) ++ { ++ BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL; ++ BN_CTX *ctx=NULL,*ctx2=NULL; ++ ++ if (!rsa) ++ goto err; ++ ++ ctx = BN_CTX_new(); ++ if (!ctx) ++ goto err; ++ BN_CTX_start(ctx); ++ ++ r0 = BN_CTX_get(ctx); ++ r1 = BN_CTX_get(ctx); ++ r2 = BN_CTX_get(ctx); ++ r3 = BN_CTX_get(ctx); ++ ++ if (r3 == NULL) ++ goto err; ++ if (!rsa->e) ++ { ++ rsa->e = BN_dup(e); ++ if (!rsa->e) ++ goto err; ++ } ++ else ++ e = rsa->e; ++ ++ /* If not all parameters present only calculate what we can. ++ * This allows test programs to output selective parameters. ++ */ ++ ++ if (Xp && !rsa->p) ++ { ++ rsa->p = BN_new(); ++ if (!rsa->p) ++ goto err; ++ ++ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2, ++ Xp, Xp1, Xp2, e, ctx, cb)) ++ goto err; ++ } ++ ++ if (Xq && !rsa->q) ++ { ++ rsa->q = BN_new(); ++ if (!rsa->q) ++ goto err; ++ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2, ++ Xq, Xq1, Xq2, e, ctx, cb)) ++ goto err; ++ } ++ ++ if (!rsa->p || !rsa->q) ++ { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return 2; ++ } ++ ++ /* Since both primes are set we can now calculate all remaining ++ * components. ++ */ ++ ++ /* calculate n */ ++ rsa->n=BN_new(); ++ if (rsa->n == NULL) ++ goto err; ++ if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) ++ goto err; ++ ++ /* calculate d */ ++ if (!BN_sub(r1,rsa->p,BN_value_one())) ++ goto err; /* p-1 */ ++ if (!BN_sub(r2,rsa->q,BN_value_one())) ++ goto err; /* q-1 */ ++ if (!BN_mul(r0,r1,r2,ctx)) ++ goto err; /* (p-1)(q-1) */ ++ ++ if (!BN_gcd(r3, r1, r2, ctx)) ++ goto err; ++ ++ if (!BN_div(r0, NULL, r0, r3, ctx)) ++ goto err; /* LCM((p-1)(q-1)) */ ++ ++ ctx2 = BN_CTX_new(); ++ if (!ctx2) ++ goto err; ++ ++ rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */ ++ if (rsa->d == NULL) ++ goto err; ++ ++ /* calculate d mod (p-1) */ ++ rsa->dmp1=BN_new(); ++ if (rsa->dmp1 == NULL) ++ goto err; ++ if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) ++ goto err; ++ ++ /* calculate d mod (q-1) */ ++ rsa->dmq1=BN_new(); ++ if (rsa->dmq1 == NULL) ++ goto err; ++ if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) ++ goto err; ++ ++ /* calculate inverse of q mod p */ ++ rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2); ++ ++ err: ++ if (ctx) ++ { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } ++ if (ctx2) ++ BN_CTX_free(ctx2); ++ /* If this is set all calls successful */ ++ if (rsa && rsa->iqmp != NULL) ++ return 1; ++ ++ return 0; ++ ++ } ++ ++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb) ++ { ++ int ok = 0; ++ BIGNUM *Xp = NULL, *Xq = NULL; ++ BN_CTX *ctx = NULL; ++ ++#ifdef OPENSSL_FIPS ++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) ++ { ++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT); ++ return 0; ++ } ++ ++ if (bits & 0xff) ++ { ++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++#endif ++ ++ ctx = BN_CTX_new(); ++ if (!ctx) ++ goto error; ++ ++ BN_CTX_start(ctx); ++ Xp = BN_CTX_get(ctx); ++ Xq = BN_CTX_get(ctx); ++ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx)) ++ goto error; ++ ++ rsa->p = BN_new(); ++ rsa->q = BN_new(); ++ if (!rsa->p || !rsa->q) ++ goto error; ++ ++ /* Generate two primes from Xp, Xq */ ++ ++ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp, ++ e, ctx, cb)) ++ goto error; ++ ++ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq, ++ e, ctx, cb)) ++ goto error; ++ ++ /* Since rsa->p and rsa->q are valid this call will just derive ++ * remaining RSA components. ++ */ ++ ++ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, NULL, NULL, e, cb)) ++ goto error; ++ ++#ifdef OPENSSL_FIPS ++ if(!fips_check_rsa(rsa)) ++ goto error; ++#endif ++ ++ ok = 1; ++ ++ error: ++ if (ctx) ++ { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } ++ ++ if (ok) ++ return 1; ++ ++ return 0; ++ ++ } +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,99 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++static char test[][60]= ++ { ++ "", ++ "abc", ++ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" ++ }; ++ ++static const unsigned char ret[][SHA_DIGEST_LENGTH]= ++ { ++ { 0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55, ++ 0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 }, ++ { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e, ++ 0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d }, ++ { 0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae, ++ 0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1 }, ++ }; ++ ++void FIPS_corrupt_sha1() ++ { ++ test[2][0]++; ++ } ++ ++int FIPS_selftest_sha1() ++ { ++ int n; ++ ++ for(n=0 ; n ++#include ++#include ++#include ++#include ++#include ++ ++#ifndef FIPSCANISTER_O ++int FIPS_selftest_failed() { return 0; } ++void FIPS_selftest_check() {} ++void OPENSSL_cleanse(void *p,size_t len) {} ++#endif ++ ++#ifdef OPENSSL_FIPS ++ ++static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, ++ const char *key) ++ { ++ size_t len=strlen(key); ++ int i; ++ unsigned char keymd[HMAC_MAX_MD_CBLOCK]; ++ unsigned char pad[HMAC_MAX_MD_CBLOCK]; ++ ++ if (len > SHA_CBLOCK) ++ { ++ SHA1_Init(md_ctx); ++ SHA1_Update(md_ctx,key,len); ++ SHA1_Final(keymd,md_ctx); ++ len=20; ++ } ++ else ++ memcpy(keymd,key,len); ++ memset(&keymd[len],'\0',HMAC_MAX_MD_CBLOCK-len); ++ ++ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) ++ pad[i]=0x36^keymd[i]; ++ SHA1_Init(md_ctx); ++ SHA1_Update(md_ctx,pad,SHA_CBLOCK); ++ ++ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) ++ pad[i]=0x5c^keymd[i]; ++ SHA1_Init(o_ctx); ++ SHA1_Update(o_ctx,pad,SHA_CBLOCK); ++ } ++ ++static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) ++ { ++ unsigned char buf[20]; ++ ++ SHA1_Final(buf,md_ctx); ++ SHA1_Update(o_ctx,buf,sizeof buf); ++ SHA1_Final(md,o_ctx); ++ } ++ ++#endif ++ ++int main(int argc,char **argv) ++ { ++#ifdef OPENSSL_FIPS ++ static char key[]="etaonrishdlcupfm"; ++ int n,binary=0; ++ ++ if(argc < 2) ++ { ++ fprintf(stderr,"%s []+\n",argv[0]); ++ exit(1); ++ } ++ ++ n=1; ++ if (!strcmp(argv[n],"-binary")) ++ { ++ n++; ++ binary=1; /* emit binary fingerprint... */ ++ } ++ ++ for(; n < argc ; ++n) ++ { ++ FILE *f=fopen(argv[n],"rb"); ++ SHA_CTX md_ctx,o_ctx; ++ unsigned char md[20]; ++ int i; ++ ++ if(!f) ++ { ++ perror(argv[n]); ++ exit(2); ++ } ++ ++ hmac_init(&md_ctx,&o_ctx,key); ++ for( ; ; ) ++ { ++ char buf[1024]; ++ size_t l=fread(buf,1,sizeof buf,f); ++ ++ if(l == 0) ++ { ++ if(ferror(f)) ++ { ++ perror(argv[n]); ++ exit(3); ++ } ++ else ++ break; ++ } ++ SHA1_Update(&md_ctx,buf,l); ++ } ++ hmac_final(md,&md_ctx,&o_ctx); ++ ++ if (binary) ++ { ++ fwrite(md,20,1,stdout); ++ break; /* ... for single(!) file */ ++ } ++ ++ printf("HMAC-SHA1(%s)= ",argv[n]); ++ for(i=0 ; i < 20 ; ++i) ++ printf("%02x",md[i]); ++ printf("\n"); ++ } ++#endif ++ return 0; ++ } ++ ++ +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,588 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * ++ * This command is intended as a test driver for the FIPS-140 testing ++ * lab performing FIPS-140 validation. It demonstrates the use of the ++ * OpenSSL library ito perform a variety of common cryptographic ++ * functions. A power-up self test is demonstrated by deliberately ++ * pointing to an invalid executable hash ++ * ++ * Contributed by Steve Marquess. ++ * ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++ ++#ifndef OPENSSL_FIPS ++int main(int argc, char *argv[]) ++ { ++ printf("No FIPS support\n"); ++ return(0); ++ } ++#else ++ ++#include ++#include "fips_utl.h" ++ ++/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext ++*/ ++static int FIPS_aes_test(void) ++ { ++ int ret = 0; ++ unsigned char pltmp[16]; ++ unsigned char citmp[16]; ++ unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}; ++ unsigned char plaintext[16] = "etaonrishdlcu"; ++ EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX_init(&ctx); ++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0) ++ goto err; ++ EVP_Cipher(&ctx, citmp, plaintext, 16); ++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0) ++ goto err; ++ EVP_Cipher(&ctx, pltmp, citmp, 16); ++ if (memcmp(pltmp, plaintext, 16)) ++ goto err; ++ ret = 1; ++ err: ++ EVP_CIPHER_CTX_cleanup(&ctx); ++ return ret; ++ } ++ ++static int FIPS_des3_test(void) ++ { ++ int ret = 0; ++ unsigned char pltmp[8]; ++ unsigned char citmp[8]; ++ unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18, ++ 19,20,21,22,23,24}; ++ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' }; ++ EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX_init(&ctx); ++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0) ++ goto err; ++ EVP_Cipher(&ctx, citmp, plaintext, 8); ++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0) ++ goto err; ++ EVP_Cipher(&ctx, pltmp, citmp, 8); ++ if (memcmp(pltmp, plaintext, 8)) ++ goto err; ++ ret = 1; ++ err: ++ EVP_CIPHER_CTX_cleanup(&ctx); ++ return ret; ++ } ++ ++/* ++ * DSA: generate keys and sign, verify input plaintext. ++ */ ++static int FIPS_dsa_test(int bad) ++ { ++ DSA *dsa = NULL; ++ EVP_PKEY pk; ++ unsigned char dgst[] = "etaonrishdlc"; ++ unsigned char buf[60]; ++ unsigned int slen; ++ int r = 0; ++ EVP_MD_CTX mctx; ++ ++ ERR_clear_error(); ++ EVP_MD_CTX_init(&mctx); ++ dsa = DSA_new(); ++ if (!dsa) ++ goto end; ++ if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL)) ++ goto end; ++ if (!DSA_generate_key(dsa)) ++ goto end; ++ if (bad) ++ BN_add_word(dsa->pub_key, 1); ++ ++ pk.type = EVP_PKEY_DSA; ++ pk.pkey.dsa = dsa; ++ ++ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL)) ++ goto end; ++ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1)) ++ goto end; ++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) ++ goto end; ++ ++ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL)) ++ goto end; ++ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1)) ++ goto end; ++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk); ++ end: ++ EVP_MD_CTX_cleanup(&mctx); ++ if (dsa) ++ DSA_free(dsa); ++ if (r != 1) ++ return 0; ++ return 1; ++ } ++ ++/* ++ * RSA: generate keys and sign, verify input plaintext. ++ */ ++static int FIPS_rsa_test(int bad) ++ { ++ RSA *key; ++ unsigned char input_ptext[] = "etaonrishdlc"; ++ unsigned char buf[256]; ++ unsigned int slen; ++ BIGNUM *bn; ++ EVP_MD_CTX mctx; ++ EVP_PKEY pk; ++ int r = 0; ++ ++ ERR_clear_error(); ++ EVP_MD_CTX_init(&mctx); ++ key = RSA_new(); ++ bn = BN_new(); ++ if (!key || !bn) ++ return 0; ++ BN_set_word(bn, 65537); ++ if (!RSA_generate_key_ex(key, 1024,bn,NULL)) ++ return 0; ++ BN_free(bn); ++ if (bad) ++ BN_add_word(key->n, 1); ++ ++ pk.type = EVP_PKEY_RSA; ++ pk.pkey.rsa = key; ++ ++ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL)) ++ goto end; ++ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1)) ++ goto end; ++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) ++ goto end; ++ ++ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL)) ++ goto end; ++ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1)) ++ goto end; ++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk); ++ end: ++ EVP_MD_CTX_cleanup(&mctx); ++ if (key) ++ RSA_free(key); ++ if (r != 1) ++ return 0; ++ return 1; ++ } ++ ++/* SHA1: generate hash of known digest value and compare to known ++ precomputed correct hash ++*/ ++static int FIPS_sha1_test() ++ { ++ unsigned char digest[SHA_DIGEST_LENGTH] = ++ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 }; ++ unsigned char str[] = "etaonrishd"; ++ ++ unsigned char md[SHA_DIGEST_LENGTH]; ++ ++ ERR_clear_error(); ++ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0; ++ if (memcmp(md,digest,sizeof(md))) ++ return 0; ++ return 1; ++ } ++ ++/* SHA256: generate hash of known digest value and compare to known ++ precomputed correct hash ++*/ ++static int FIPS_sha256_test() ++ { ++ unsigned char digest[SHA256_DIGEST_LENGTH] = ++ {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91, ++ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57}; ++ unsigned char str[] = "etaonrishd"; ++ ++ unsigned char md[SHA256_DIGEST_LENGTH]; ++ ++ ERR_clear_error(); ++ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0; ++ if (memcmp(md,digest,sizeof(md))) ++ return 0; ++ return 1; ++ } ++ ++/* SHA512: generate hash of known digest value and compare to known ++ precomputed correct hash ++*/ ++static int FIPS_sha512_test() ++ { ++ unsigned char digest[SHA512_DIGEST_LENGTH] = ++ {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca, ++ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a, ++ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22, ++ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3}; ++ unsigned char str[] = "etaonrishd"; ++ ++ unsigned char md[SHA512_DIGEST_LENGTH]; ++ ++ ERR_clear_error(); ++ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0; ++ if (memcmp(md,digest,sizeof(md))) ++ return 0; ++ return 1; ++ } ++ ++/* HMAC-SHA1: generate hash of known digest value and compare to known ++ precomputed correct hash ++*/ ++static int FIPS_hmac_sha1_test() ++ { ++ unsigned char key[] = "etaonrishd"; ++ unsigned char iv[] = "Sample text"; ++ unsigned char kaval[EVP_MAX_MD_SIZE] = ++ {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70, ++ 0xb2, 0xfb, 0xec, 0xc6}; ++ ++ unsigned char out[EVP_MAX_MD_SIZE]; ++ unsigned int outlen; ++ ++ ERR_clear_error(); ++ if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; ++ if (memcmp(out,kaval,outlen)) ++ return 0; ++ return 1; ++ } ++ ++/* HMAC-SHA224: generate hash of known digest value and compare to known ++ precomputed correct hash ++*/ ++static int FIPS_hmac_sha224_test() ++ { ++ unsigned char key[] = "etaonrishd"; ++ unsigned char iv[] = "Sample text"; ++ unsigned char kaval[EVP_MAX_MD_SIZE] = ++ {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35, ++ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19}; ++ ++ unsigned char out[EVP_MAX_MD_SIZE]; ++ unsigned int outlen; ++ ++ ERR_clear_error(); ++ if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; ++ if (memcmp(out,kaval,outlen)) ++ return 0; ++ return 1; ++ } ++ ++/* HMAC-SHA256: generate hash of known digest value and compare to known ++ precomputed correct hash ++*/ ++static int FIPS_hmac_sha256_test() ++ { ++ unsigned char key[] = "etaonrishd"; ++ unsigned char iv[] = "Sample text"; ++ unsigned char kaval[EVP_MAX_MD_SIZE] = ++ {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87, ++ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4}; ++ ++ unsigned char out[EVP_MAX_MD_SIZE]; ++ unsigned int outlen; ++ ++ ERR_clear_error(); ++ if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; ++ if (memcmp(out,kaval,outlen)) ++ return 0; ++ return 1; ++ } ++ ++/* HMAC-SHA384: generate hash of known digest value and compare to known ++ precomputed correct hash ++*/ ++static int FIPS_hmac_sha384_test() ++ { ++ unsigned char key[] = "etaonrishd"; ++ unsigned char iv[] = "Sample text"; ++ unsigned char kaval[EVP_MAX_MD_SIZE] = ++ {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10, ++ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08, ++ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c}; ++ ++ unsigned char out[EVP_MAX_MD_SIZE]; ++ unsigned int outlen; ++ ++ ERR_clear_error(); ++ if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; ++ if (memcmp(out,kaval,outlen)) ++ return 0; ++ return 1; ++ } ++ ++/* HMAC-SHA512: generate hash of known digest value and compare to known ++ precomputed correct hash ++*/ ++static int FIPS_hmac_sha512_test() ++ { ++ unsigned char key[] = "etaonrishd"; ++ unsigned char iv[] = "Sample text"; ++ unsigned char kaval[EVP_MAX_MD_SIZE] = ++ {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6, ++ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1, ++ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c, ++ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53}; ++ ++ unsigned char out[EVP_MAX_MD_SIZE]; ++ unsigned int outlen; ++ ++ ERR_clear_error(); ++ if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; ++ if (memcmp(out,kaval,outlen)) ++ return 0; ++ return 1; ++ } ++ ++ ++/* DH: generate shared parameters ++*/ ++static int dh_test() ++ { ++ DH *dh; ++ ERR_clear_error(); ++ dh = FIPS_dh_new(); ++ if (!dh) ++ return 0; ++ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL)) ++ return 0; ++ FIPS_dh_free(dh); ++ return 1; ++ } ++ ++/* Zeroize ++*/ ++static int Zeroize() ++ { ++ RSA *key; ++ BIGNUM *bn; ++ unsigned char userkey[16] = ++ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 }; ++ int i, n; ++ ++ key = FIPS_rsa_new(); ++ bn = BN_new(); ++ if (!key || !bn) ++ return 0; ++ BN_set_word(bn, 65537); ++ if (!RSA_generate_key_ex(key, 1024,bn,NULL)) ++ return 0; ++ BN_free(bn); ++ ++ n = BN_num_bytes(key->d); ++ printf(" Generated %d byte RSA private key\n", n); ++ printf("\tBN key before overwriting:\n"); ++ do_bn_print(stdout, key->d); ++ BN_rand(key->d,n*8,-1,0); ++ printf("\tBN key after overwriting:\n"); ++ do_bn_print(stdout, key->d); ++ ++ printf("\tchar buffer key before overwriting: \n\t\t"); ++ for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]); ++ printf("\n"); ++ RAND_bytes(userkey, sizeof userkey); ++ printf("\tchar buffer key after overwriting: \n\t\t"); ++ for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]); ++ printf("\n"); ++ ++ return 1; ++ } ++ ++static int Error; ++const char * Fail(const char *msg) ++ { ++ do_print_errors(); ++ Error++; ++ return msg; ++ } ++ ++int main(int argc,char **argv) ++ { ++ ++ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0; ++ int bad_rsa = 0, bad_dsa = 0; ++ int do_rng_stick = 0; ++ int no_exit = 0; ++ ++ printf("\tFIPS-mode test application\n\n"); ++ ++ /* Load entropy from external file, if any */ ++ RAND_load_file(".rnd", 1024); ++ ++ if (argv[1]) { ++ /* Corrupted KAT tests */ ++ if (!strcmp(argv[1], "aes")) { ++ FIPS_corrupt_aes(); ++ printf("AES encryption/decryption with corrupted KAT...\n"); ++ } else if (!strcmp(argv[1], "des")) { ++ FIPS_corrupt_des(); ++ printf("DES3-ECB encryption/decryption with corrupted KAT...\n"); ++ } else if (!strcmp(argv[1], "dsa")) { ++ FIPS_corrupt_dsa(); ++ printf("DSA key generation and signature validation with corrupted KAT...\n"); ++ } else if (!strcmp(argv[1], "rsa")) { ++ FIPS_corrupt_rsa(); ++ printf("RSA key generation and signature validation with corrupted KAT...\n"); ++ } else if (!strcmp(argv[1], "rsakey")) { ++ printf("RSA key generation and signature validation with corrupted key...\n"); ++ bad_rsa = 1; ++ no_exit = 1; ++ } else if (!strcmp(argv[1], "rsakeygen")) { ++ do_corrupt_rsa_keygen = 1; ++ no_exit = 1; ++ printf("RSA key generation and signature validation with corrupted keygen...\n"); ++ } else if (!strcmp(argv[1], "dsakey")) { ++ printf("DSA key generation and signature validation with corrupted key...\n"); ++ bad_dsa = 1; ++ no_exit = 1; ++ } else if (!strcmp(argv[1], "dsakeygen")) { ++ do_corrupt_dsa_keygen = 1; ++ no_exit = 1; ++ printf("DSA key generation and signature validation with corrupted keygen...\n"); ++ } else if (!strcmp(argv[1], "sha1")) { ++ FIPS_corrupt_sha1(); ++ printf("SHA-1 hash with corrupted KAT...\n"); ++ } else if (!strcmp(argv[1], "rng")) { ++ FIPS_corrupt_rng(); ++ } else if (!strcmp(argv[1], "rngstick")) { ++ do_rng_stick = 1; ++ no_exit = 1; ++ printf("RNG test with stuck continuous test...\n"); ++ } else { ++ printf("Bad argument \"%s\"\n", argv[1]); ++ exit(1); ++ } ++ if (!no_exit) { ++ if (!FIPS_mode_set(1)) { ++ do_print_errors(); ++ printf("Power-up self test failed\n"); ++ exit(1); ++ } ++ printf("Power-up self test successful\n"); ++ exit(0); ++ } ++ } ++ ++ /* Non-Approved cryptographic operation ++ */ ++ printf("1. Non-Approved cryptographic operation test...\n"); ++ printf("\ta. Included algorithm (D-H)..."); ++ printf( dh_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* Power-up self test ++ */ ++ ERR_clear_error(); ++ printf("2. Automatic power-up self test..."); ++ if (!FIPS_mode_set(1)) ++ { ++ do_print_errors(); ++ printf(Fail("FAILED!\n")); ++ exit(1); ++ } ++ printf("successful\n"); ++ if (do_corrupt_dsa_keygen) ++ FIPS_corrupt_dsa_keygen(); ++ if (do_corrupt_rsa_keygen) ++ FIPS_corrupt_rsa_keygen(); ++ if (do_rng_stick) ++ FIPS_rng_stick(); ++ ++ /* AES encryption/decryption ++ */ ++ printf("3. AES encryption/decryption..."); ++ printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* RSA key generation and encryption/decryption ++ */ ++ printf("4. RSA key generation and encryption/decryption..."); ++ printf( FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* DES-CBC encryption/decryption ++ */ ++ printf("5. DES-ECB encryption/decryption..."); ++ printf( FIPS_des3_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* DSA key generation and signature validation ++ */ ++ printf("6. DSA key generation and signature validation..."); ++ printf( FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* SHA-1 hash ++ */ ++ printf("7a. SHA-1 hash..."); ++ printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* SHA-256 hash ++ */ ++ printf("7b. SHA-256 hash..."); ++ printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* SHA-512 hash ++ */ ++ printf("7c. SHA-512 hash..."); ++ printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* HMAC-SHA-1 hash ++ */ ++ printf("7d. HMAC-SHA-1 hash..."); ++ printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* HMAC-SHA-224 hash ++ */ ++ printf("7e. HMAC-SHA-224 hash..."); ++ printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* HMAC-SHA-256 hash ++ */ ++ printf("7f. HMAC-SHA-256 hash..."); ++ printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* HMAC-SHA-384 hash ++ */ ++ printf("7g. HMAC-SHA-384 hash..."); ++ printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* HMAC-SHA-512 hash ++ */ ++ printf("7h. HMAC-SHA-512 hash..."); ++ printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") ); ++ ++ /* Non-Approved cryptographic operation ++ */ ++ printf("8. Non-Approved cryptographic operation test...\n"); ++ printf("\ta. Included algorithm (D-H)..."); ++ printf( dh_test() ? "successful as expected\n" ++ : Fail("failed INCORRECTLY!\n") ); ++ ++ /* Zeroization ++ */ ++ printf("9. Zero-ization...\n"); ++ printf( Zeroize() ? "\tsuccessful as expected\n" ++ : Fail("\tfailed INCORRECTLY!\n") ); ++ ++ printf("\nAll tests completed with %d errors\n", Error); ++ return Error ? 1 : 0; ++ } ++ ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_locl.h +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips_locl.h 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,72 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#ifdef OPENSSL_FIPS ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++void fips_w_lock(void); ++void fips_w_unlock(void); ++void fips_r_lock(void); ++void fips_r_unlock(void); ++int fips_is_started(void); ++void fips_set_started(void); ++int fips_is_owning_thread(void); ++int fips_set_owning_thread(void); ++void fips_set_selftest_fail(void); ++int fips_clear_owning_thread(void); ++ ++#define FIPS_MAX_CIPHER_TEST_SIZE 16 ++ ++#ifdef __cplusplus ++} ++#endif ++#endif +diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/Makefile +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,81 @@ ++# ++# OpenSSL/crypto/fips/Makefile ++# ++ ++DIR= fips ++TOP= ../.. ++CC= cc ++INCLUDES= ++CFLAG=-g ++MAKEFILE= Makefile ++AR= ar r ++ ++CFLAGS= $(INCLUDES) $(CFLAG) ++ ++GENERAL=Makefile ++TEST=fips_test_suite.c fips_randtest.c ++APPS= ++ ++LIB=$(TOP)/libcrypto.a ++LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \ ++ fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ ++ fips_rsa_x931g.c ++ ++LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \ ++ fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ ++ fips_rsa_x931g.o ++ ++SRC= $(LIBSRC) fips_standalone_sha1.c ++ ++EXHEADER= fips.h fips_rand.h ++HEADER= $(EXHEADER) ++ ++ALL= $(GENERAL) $(SRC) $(HEADER) ++ ++top: ++ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) ++ ++all: lib ++ ++lib: $(LIBOBJ) ++ $(AR) $(LIB) $(LIBOBJ) ++ $(RANLIB) $(LIB) || echo Never mind. ++ @touch lib ++ ++files: ++ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO ++ ++links: ++ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) ++ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) ++ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) ++ ++install: ++ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... ++ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \ ++ do \ ++ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ ++ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ ++ done; ++ ++tags: ++ ctags $(SRC) ++ ++tests: ++ ++lint: ++ lint -DLINT $(INCLUDES) $(SRC)>fluff ++ ++depend: ++ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... ++ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) ++ ++dclean: ++ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new ++ mv -f Makefile.new $(MAKEFILE) ++ ++clean: ++ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff ++ ++# DO NOT DELETE THIS LINE -- make depend depends on it. ++ +diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips openssl-1.0.0-beta3/crypto/hmac/hmac.c +--- openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/hmac/hmac.c 2009-08-11 18:07:30.000000000 +0200 +@@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + + if (key != NULL) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS) ++ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))) ++ goto err; ++#endif + reset=1; + j=EVP_MD_block_size(md); + OPENSSL_assert(j <= (int)sizeof(ctx->key)); +@@ -209,3 +216,10 @@ unsigned char *HMAC(const EVP_MD *evp_md + return NULL; + } + ++void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) ++ { ++ EVP_MD_CTX_set_flags(&ctx->i_ctx, flags); ++ EVP_MD_CTX_set_flags(&ctx->o_ctx, flags); ++ EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); ++ } ++ +diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips openssl-1.0.0-beta3/crypto/hmac/hmac.h +--- openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/hmac/hmac.h 2009-08-11 18:07:30.000000000 +0200 +@@ -101,6 +101,7 @@ unsigned char *HMAC(const EVP_MD *evp_md + unsigned int *md_len); + int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); + ++void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags); + + #ifdef __cplusplus + } +diff -up openssl-1.0.0-beta3/crypto/Makefile.fips openssl-1.0.0-beta3/crypto/Makefile +--- openssl-1.0.0-beta3/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/Makefile 2009-08-11 18:07:30.000000000 +0200 +@@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i + + LIB= $(TOP)/libcrypto.a + SHARED_LIB= libcrypto$(SHLIB_EXT) +-LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c +-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o $(CPUID_OBJ) ++LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c o_init.c fips_err.c ++LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o o_init.o fips_err.o $(CPUID_OBJ) + + SRC= $(LIBSRC) + + EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \ + ossl_typ.h +-HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER) ++HEADER= cryptlib.h buildinf.h fips_locl.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER) + + ALL= $(GENERAL) $(SRC) $(HEADER) + +diff -up openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta3/crypto/md2/md2_dgst.c +--- openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md2/md2_dgst.c 2009-08-11 18:07:30.000000000 +0200 +@@ -62,6 +62,11 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ ++#include + + const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT; + +@@ -116,7 +121,7 @@ const char *MD2_options(void) + return("md2(int)"); + } + +-int MD2_Init(MD2_CTX *c) ++FIPS_NON_FIPS_MD_Init(MD2) + { + c->num=0; + memset(c->state,0,sizeof c->state); +diff -up openssl-1.0.0-beta3/crypto/md2/md2.h.fips openssl-1.0.0-beta3/crypto/md2/md2.h +--- openssl-1.0.0-beta3/crypto/md2/md2.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md2/md2.h 2009-08-11 18:07:30.000000000 +0200 +@@ -81,6 +81,9 @@ typedef struct MD2state_st + } MD2_CTX; + + const char *MD2_options(void); ++#ifdef OPENSSL_FIPS ++int private_MD2_Init(MD2_CTX *c); ++#endif + int MD2_Init(MD2_CTX *c); + int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); + int MD2_Final(unsigned char *md, MD2_CTX *c); +diff -up openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta3/crypto/md4/md4_dgst.c +--- openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/md4/md4_dgst.c 2009-08-11 18:07:30.000000000 +0200 +@@ -59,6 +59,11 @@ + #include + #include "md4_locl.h" + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT; + +@@ -70,7 +75,7 @@ const char MD4_version[]="MD4" OPENSSL_V + #define INIT_DATA_C (unsigned long)0x98badcfeL + #define INIT_DATA_D (unsigned long)0x10325476L + +-int MD4_Init(MD4_CTX *c) ++FIPS_NON_FIPS_MD_Init(MD4) + { + memset (c,0,sizeof(*c)); + c->A=INIT_DATA_A; +diff -up openssl-1.0.0-beta3/crypto/md4/md4.h.fips openssl-1.0.0-beta3/crypto/md4/md4.h +--- openssl-1.0.0-beta3/crypto/md4/md4.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md4/md4.h 2009-08-11 18:07:30.000000000 +0200 +@@ -105,6 +105,9 @@ typedef struct MD4state_st + unsigned int num; + } MD4_CTX; + ++#ifdef OPENSSL_FIPS ++int private_MD4_Init(MD4_CTX *c); ++#endif + int MD4_Init(MD4_CTX *c); + int MD4_Update(MD4_CTX *c, const void *data, size_t len); + int MD4_Final(unsigned char *md, MD4_CTX *c); +diff -up openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta3/crypto/md5/md5_dgst.c +--- openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/md5/md5_dgst.c 2009-08-11 18:07:30.000000000 +0200 +@@ -59,6 +59,11 @@ + #include + #include "md5_locl.h" + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT; + +@@ -70,7 +75,7 @@ const char MD5_version[]="MD5" OPENSSL_V + #define INIT_DATA_C (unsigned long)0x98badcfeL + #define INIT_DATA_D (unsigned long)0x10325476L + +-int MD5_Init(MD5_CTX *c) ++FIPS_NON_FIPS_MD_Init(MD5) + { + memset (c,0,sizeof(*c)); + c->A=INIT_DATA_A; +diff -up openssl-1.0.0-beta3/crypto/md5/md5.h.fips openssl-1.0.0-beta3/crypto/md5/md5.h +--- openssl-1.0.0-beta3/crypto/md5/md5.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md5/md5.h 2009-08-11 18:07:30.000000000 +0200 +@@ -105,6 +105,9 @@ typedef struct MD5state_st + unsigned int num; + } MD5_CTX; + ++#ifdef OPENSSL_FIPS ++int private_MD5_Init(MD5_CTX *c); ++#endif + int MD5_Init(MD5_CTX *c); + int MD5_Update(MD5_CTX *c, const void *data, size_t len); + int MD5_Final(unsigned char *md, MD5_CTX *c); +diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c 2009-08-11 18:07:30.000000000 +0200 +@@ -61,6 +61,11 @@ + #include + #include + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + #undef c2l + #define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \ +@@ -75,7 +80,7 @@ + *((c)++)=(unsigned char)(((l)>>24L)&0xff)) + + static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len); +-int MDC2_Init(MDC2_CTX *c) ++FIPS_NON_FIPS_MD_Init(MDC2) + { + c->num=0; + c->pad_type=1; +diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2.h +--- openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/mdc2/mdc2.h 2009-08-11 18:07:30.000000000 +0200 +@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st + int pad_type; /* either 1 or 2, default 1 */ + } MDC2_CTX; + +- ++#ifdef OPENSSL_FIPS ++int private_MDC2_Init(MDC2_CTX *c); ++#endif + int MDC2_Init(MDC2_CTX *c); + int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); + int MDC2_Final(unsigned char *md, MDC2_CTX *c); +diff -up openssl-1.0.0-beta3/crypto/mem.c.fips openssl-1.0.0-beta3/crypto/mem.c +--- openssl-1.0.0-beta3/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/mem.c 2009-08-11 18:07:30.000000000 +0200 +@@ -101,7 +101,7 @@ static void (*free_locked_func)(void *) + + /* may be changed as long as 'allow_customize_debug' is set */ + /* XXX use correct function pointer types */ +-#ifdef CRYPTO_MDEBUG ++#if defined(CRYPTO_MDEBUG) && !defined(OPENSSL_FIPS) + /* use default functions from mem_dbg.c */ + static void (*malloc_debug_func)(void *,int,const char *,int,int) + = CRYPTO_dbg_malloc; +diff -up /dev/null openssl-1.0.0-beta3/crypto/o_init.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/o_init.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,80 @@ ++/* o_init.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++#include ++#include ++ ++/* Perform any essential OpenSSL initialization operations. ++ * Currently only sets FIPS callbacks ++ */ ++ ++void OPENSSL_init_library(void) ++ { ++#ifdef OPENSSL_FIPS ++ static int done = 0; ++ if (!done) ++ { ++#ifdef CRYPTO_MDEBUG ++ CRYPTO_malloc_debug_init(); ++#endif ++ done = 1; ++ } ++#endif ++ } ++ ++ +diff -up openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips openssl-1.0.0-beta3/crypto/opensslconf.h.in +--- openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/opensslconf.h.in 2009-08-11 18:07:30.000000000 +0200 +@@ -1,5 +1,20 @@ + /* crypto/opensslconf.h.in */ + ++#ifdef OPENSSL_DOING_MAKEDEPEND ++ ++/* Include any symbols here that have to be explicitly set to enable a feature ++ * that should be visible to makedepend. ++ * ++ * [Our "make depend" doesn't actually look at this, we use actual build settings ++ * instead; we want to make it easy to remove subdirectories with disabled algorithms.] ++ */ ++ ++#ifndef OPENSSL_FIPS ++#define OPENSSL_FIPS ++#endif ++ ++#endif ++ + /* Generate 80386 code? */ + #undef I386_ONLY + +diff -up openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c +--- openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c 2009-08-11 18:07:30.000000000 +0200 +@@ -59,6 +59,10 @@ + #include + #include "cryptlib.h" + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + + static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); +@@ -90,7 +94,14 @@ PKCS12 *PKCS12_create(char *pass, char * + + /* Set defaults */ + if (!nid_cert) ++ { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; ++ else ++#endif + nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; ++ } + if (!nid_key) + nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + if (!iter) +diff -up openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips openssl-1.0.0-beta3/crypto/rand/md_rand.c +--- openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rand/md_rand.c 2009-08-11 18:07:30.000000000 +0200 +@@ -126,6 +126,10 @@ + + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + #ifdef BN_DEBUG + # define PREDICT +@@ -342,6 +346,14 @@ static int ssleay_rand_bytes(unsigned ch + #endif + int do_stir_pool = 0; + ++#ifdef OPENSSL_FIPS ++ if(FIPS_mode()) ++ { ++ FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#endif ++ + #ifdef PREDICT + if (rand_predictable) + { +diff -up openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips openssl-1.0.0-beta3/crypto/rand/rand_err.c +--- openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rand/rand_err.c 2009-08-11 18:07:30.000000000 +0200 +@@ -70,6 +70,13 @@ + + static ERR_STRING_DATA RAND_str_functs[]= + { ++{ERR_FUNC(RAND_F_ENG_RAND_GET_RAND_METHOD), "ENG_RAND_GET_RAND_METHOD"}, ++{ERR_FUNC(RAND_F_FIPS_RAND), "FIPS_RAND"}, ++{ERR_FUNC(RAND_F_FIPS_RAND_BYTES), "FIPS_RAND_BYTES"}, ++{ERR_FUNC(RAND_F_FIPS_RAND_SET_DT), "FIPS_RAND_SET_DT"}, ++{ERR_FUNC(RAND_F_FIPS_SET_DT), "FIPS_SET_DT"}, ++{ERR_FUNC(RAND_F_FIPS_SET_PRNG_SEED), "FIPS_SET_PRNG_SEED"}, ++{ERR_FUNC(RAND_F_FIPS_SET_TEST_MODE), "FIPS_SET_TEST_MODE"}, + {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"}, + {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"}, + {0,NULL} +@@ -77,7 +84,17 @@ static ERR_STRING_DATA RAND_str_functs[] + + static ERR_STRING_DATA RAND_str_reasons[]= + { ++{ERR_REASON(RAND_R_NON_FIPS_METHOD) ,"non fips method"}, ++{ERR_REASON(RAND_R_NOT_IN_TEST_MODE) ,"not in test mode"}, ++{ERR_REASON(RAND_R_NO_KEY_SET) ,"no key set"}, ++{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"}, ++{ERR_REASON(RAND_R_PRNG_ERROR) ,"prng error"}, ++{ERR_REASON(RAND_R_PRNG_KEYED) ,"prng keyed"}, ++{ERR_REASON(RAND_R_PRNG_NOT_REKEYED) ,"prng not rekeyed"}, ++{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED) ,"prng not reseeded"}, + {ERR_REASON(RAND_R_PRNG_NOT_SEEDED) ,"PRNG not seeded"}, ++{ERR_REASON(RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY),"prng seed must not match key"}, ++{ERR_REASON(RAND_R_PRNG_STUCK) ,"prng stuck"}, + {0,NULL} + }; + +diff -up openssl-1.0.0-beta3/crypto/rand/rand.h.fips openssl-1.0.0-beta3/crypto/rand/rand.h +--- openssl-1.0.0-beta3/crypto/rand/rand.h.fips 2009-08-11 18:07:29.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rand/rand.h 2009-08-11 18:07:30.000000000 +0200 +@@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void); + /* Error codes for the RAND functions. */ + + /* Function codes. */ ++#define RAND_F_ENG_RAND_GET_RAND_METHOD 108 ++#define RAND_F_FIPS_RAND 103 ++#define RAND_F_FIPS_RAND_BYTES 102 ++#define RAND_F_FIPS_RAND_SET_DT 106 ++#define RAND_F_FIPS_SET_DT 104 ++#define RAND_F_FIPS_SET_PRNG_SEED 107 ++#define RAND_F_FIPS_SET_TEST_MODE 105 + #define RAND_F_RAND_GET_RAND_METHOD 101 + #define RAND_F_SSLEAY_RAND_BYTES 100 + + /* Reason codes. */ ++#define RAND_R_NON_FIPS_METHOD 105 ++#define RAND_R_NOT_IN_TEST_MODE 106 ++#define RAND_R_NO_KEY_SET 107 ++#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101 ++#define RAND_R_PRNG_ERROR 108 ++#define RAND_R_PRNG_KEYED 109 ++#define RAND_R_PRNG_NOT_REKEYED 102 ++#define RAND_R_PRNG_NOT_RESEEDED 103 + #define RAND_R_PRNG_NOT_SEEDED 100 ++#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110 ++#define RAND_R_PRNG_STUCK 104 + + #ifdef __cplusplus + } +diff -up openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta3/crypto/rand/rand_lib.c +--- openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rand/rand_lib.c 2009-08-11 18:07:30.000000000 +0200 +@@ -60,6 +60,12 @@ + #include + #include "cryptlib.h" + #include ++#include "rand_lcl.h" ++#ifdef OPENSSL_FIPS ++#include ++#include ++#endif ++ + #ifndef OPENSSL_NO_ENGINE + #include + #endif +@@ -102,8 +108,19 @@ const RAND_METHOD *RAND_get_rand_method( + funct_ref = e; + else + #endif ++#ifdef OPENSSL_FIPS ++ default_RAND_meth = FIPS_mode() ? FIPS_rand_method() : RAND_SSLeay(); ++ } ++ if (FIPS_mode() ++ && default_RAND_meth != FIPS_rand_check()) ++ { ++ RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#else + default_RAND_meth = RAND_SSLeay(); + } ++#endif + return default_RAND_meth; + } + +diff -up openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips openssl-1.0.0-beta3/crypto/rc2/rc2.h +--- openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc2/rc2.h 2009-08-11 18:07:30.000000000 +0200 +@@ -79,7 +79,9 @@ typedef struct rc2_key_st + RC2_INT data[64]; + } RC2_KEY; + +- ++#ifdef OPENSSL_FIPS ++void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); ++#endif + void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); + void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, + int enc); +diff -up openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c +--- openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c 2009-08-11 18:07:30.000000000 +0200 +@@ -57,6 +57,11 @@ + */ + + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + #include "rc2_locl.h" + + static const unsigned char key_table[256]={ +@@ -94,8 +99,20 @@ static const unsigned char key_table[256 + * BSAFE uses the 'retarded' version. What I previously shipped is + * the same as specifying 1024 for the 'bits' parameter. Bsafe uses + * a version where the bits parameter is the same as len*8 */ ++ ++#ifdef OPENSSL_FIPS + void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) + { ++ if (FIPS_mode()) ++ FIPS_BAD_ABORT(RC2) ++ private_RC2_set_key(key, len, data, bits); ++ } ++void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, ++ int bits) ++#else ++void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) ++#endif ++ { + int i,j; + unsigned char *k; + RC2_INT *ki; +diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl +--- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl 2009-08-11 18:07:30.000000000 +0200 +@@ -166,8 +166,12 @@ $idx="edx"; + + &external_label("OPENSSL_ia32cap_P"); + ++$setkeyfunc = "RC4_set_key"; ++$setkeyfunc = "private_RC4_set_key" if ($ENV{FIPS} ne ""); ++ ++ + # void RC4_set_key(RC4_KEY *key,int len,const unsigned char *data); +-&function_begin("RC4_set_key"); ++&function_begin($setkeyfunc); + &mov ($out,&wparam(0)); # load key + &mov ($idi,&wparam(1)); # load len + &mov ($inp,&wparam(2)); # load data +@@ -245,7 +249,7 @@ $idx="edx"; + &xor ("eax","eax"); + &mov (&DWP(-8,$out),"eax"); # key->x=0; + &mov (&DWP(-4,$out),"eax"); # key->y=0; +-&function_end("RC4_set_key"); ++&function_end($setkeyfunc); + + # const char *RC4_options(void); + &function_begin_B("RC4_options"); +diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl +--- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl 2009-08-11 18:07:30.000000000 +0200 +@@ -202,4 +202,6 @@ RC4_options: + .string "rc4(8x,char)" + ___ + ++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); ++ + print $code; +diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl +--- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl 2009-08-11 18:07:30.000000000 +0200 +@@ -499,6 +499,8 @@ ___ + + $code =~ s/#([bwd])/$1/gm; + ++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); ++ + print $code; + + close STDOUT; +diff -up openssl-1.0.0-beta3/crypto/rc4/Makefile.fips openssl-1.0.0-beta3/crypto/rc4/Makefile +--- openssl-1.0.0-beta3/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rc4/Makefile 2009-08-11 18:07:30.000000000 +0200 +@@ -21,8 +21,8 @@ TEST=rc4test.c + APPS= + + LIB=$(TOP)/libcrypto.a +-LIBSRC=rc4_skey.c rc4_enc.c +-LIBOBJ=$(RC4_ENC) ++LIBSRC=rc4_skey.c rc4_enc.c rc4_fblk.c ++LIBOBJ=$(RC4_ENC) rc4_fblk.o + + SRC= $(LIBSRC) + +diff -up /dev/null openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c +--- /dev/null 2009-07-27 08:39:22.849064505 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c 2009-08-11 18:07:30.000000000 +0200 +@@ -0,0 +1,75 @@ ++/* crypto/rc4/rc4_fblk.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2008 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++ ++#include ++#include "rc4_locl.h" ++#include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ ++/* FIPS mode blocking for RC4 has to be done separately since RC4_set_key ++ * may be implemented in an assembly language file. ++ */ ++ ++#ifdef OPENSSL_FIPS ++void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) ++ { ++ if (FIPS_mode()) ++ FIPS_BAD_ABORT(RC4) ++ private_RC4_set_key(key, len, data); ++ } ++#endif ++ +diff -up openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips openssl-1.0.0-beta3/crypto/rc4/rc4.h +--- openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/rc4.h 2009-08-11 18:07:30.000000000 +0200 +@@ -78,6 +78,9 @@ typedef struct rc4_key_st + + + const char *RC4_options(void); ++#ifdef OPENSSL_FIPS ++void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); ++#endif + void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); + void RC4(RC4_KEY *key, size_t len, const unsigned char *indata, + unsigned char *outdata); +diff -up openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c +--- openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c 2009-08-11 18:07:30.000000000 +0200 +@@ -59,6 +59,11 @@ + #include + #include "rc4_locl.h" + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + const char RC4_version[]="RC4" OPENSSL_VERSION_PTEXT; + +@@ -85,7 +90,11 @@ const char *RC4_options(void) + * Date: Wed, 14 Sep 1994 06:35:31 GMT + */ + ++#ifdef OPENSSL_FIPS ++void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) ++#else + void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) ++#endif + { + register RC4_INT tmp; + register int id1,id2; +@@ -126,7 +135,12 @@ void RC4_set_key(RC4_KEY *key, int len, + * module... + * + */ ++#ifdef OPENSSL_FIPS ++ unsigned long *ia32cap_ptr = OPENSSL_ia32cap_loc(); ++ if (ia32cap_ptr && (*ia32cap_ptr & (1<<28))) { ++#else + if (OPENSSL_ia32cap_P & (1<<28)) { ++#endif + unsigned char *cp=(unsigned char *)d; + + for (i=0;i<256;i++) cp[i]=i; +diff -up openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta3/crypto/ripemd/ripemd.h +--- openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/ripemd/ripemd.h 2009-08-11 18:07:30.000000000 +0200 +@@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st + unsigned int num; + } RIPEMD160_CTX; + ++#ifdef OPENSSL_FIPS ++int private_RIPEMD160_Init(RIPEMD160_CTX *c); ++#endif + int RIPEMD160_Init(RIPEMD160_CTX *c); + int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len); + int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); +diff -up openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c 2009-08-11 18:07:30.000000000 +0200 +@@ -59,6 +59,11 @@ + #include + #include "rmd_locl.h" + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT; + +@@ -69,7 +74,7 @@ const char RMD160_version[]="RIPE-MD160" + void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num); + # endif + +-int RIPEMD160_Init(RIPEMD160_CTX *c) ++FIPS_NON_FIPS_MD_Init(RIPEMD160) + { + memset (c,0,sizeof(*c)); + c->A=RIPEMD160_A; +diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c +--- openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c 2009-08-11 18:07:30.000000000 +0200 +@@ -116,6 +116,10 @@ + #include + #include + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif + + #ifndef RSA_NULL + +@@ -138,7 +140,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={ + BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ + RSA_eay_init, + RSA_eay_finish, +- 0, /* flags */ ++ RSA_FLAG_FIPS_METHOD, /* flags */ + NULL, + 0, /* rsa_sign */ + 0, /* rsa_verify */ +@@ -150,6 +152,16 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void) + return(&rsa_pkcs1_eay_meth); + } + ++/* Usage example; ++ * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); ++ */ ++#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ ++ if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ ++ !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \ ++ CRYPTO_LOCK_RSA, \ ++ (rsa)->m, (ctx))) \ ++ err_instr ++ + static int RSA_eay_public_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding) + { +@@ -158,6 +170,23 @@ static int RSA_eay_public_encrypt(int fl + unsigned char *buf=NULL; + BN_CTX *ctx=NULL; + ++#ifdef OPENSSL_FIPS ++ if(FIPS_mode()) ++ { ++ if (FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) ++ { ++ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++#endif ++ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); +@@ -223,9 +252,7 @@ static int RSA_eay_public_encrypt(int fl + goto err; + } + +- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) +- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) +- goto err; ++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + + if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, + rsa->_method_mod_n)) goto err; +@@ -355,6 +382,23 @@ static int RSA_eay_private_encrypt(int f + int local_blinding = 0; + BN_BLINDING *blinding = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) ++ { ++ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++#endif ++ + if ((ctx=BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); + f = BN_CTX_get(ctx); +@@ -432,9 +476,7 @@ static int RSA_eay_private_encrypt(int f + else + d= rsa->d; + +- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) +- if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) +- goto err; ++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + + if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, + rsa->_method_mod_n)) goto err; +@@ -488,6 +530,23 @@ static int RSA_eay_private_decrypt(int f + int local_blinding = 0; + BN_BLINDING *blinding = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) ++ { ++ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++#endif ++ + if((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); + f = BN_CTX_get(ctx); +@@ -555,9 +614,7 @@ static int RSA_eay_private_decrypt(int f + else + d = rsa->d; + +- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) +- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) +- goto err; ++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, + rsa->_method_mod_n)) + goto err; +@@ -617,6 +674,23 @@ static int RSA_eay_public_decrypt(int fl + unsigned char *buf=NULL; + BN_CTX *ctx=NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) ++ { ++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++#endif ++ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); +@@ -667,9 +741,7 @@ static int RSA_eay_public_decrypt(int fl + goto err; + } + +- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) +- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) +- goto err; ++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + + if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, + rsa->_method_mod_n)) goto err; +@@ -717,6 +789,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c + BIGNUM *r1,*m1,*vrfy; + BIGNUM local_dmp1,local_dmq1,local_c,local_r1; + BIGNUM *dmp1,*dmq1,*c,*pr1; ++ int bn_flags; + int ret=0; + + BN_CTX_start(ctx); +@@ -724,41 +797,31 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c + m1 = BN_CTX_get(ctx); + vrfy = BN_CTX_get(ctx); + +- { +- BIGNUM local_p, local_q; +- BIGNUM *p = NULL, *q = NULL; +- +- /* Make sure BN_mod_inverse in Montgomery intialization uses the +- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) +- */ +- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) +- { +- BN_init(&local_p); +- p = &local_p; +- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); +- +- BN_init(&local_q); +- q = &local_q; +- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); +- } +- else +- { +- p = rsa->p; +- q = rsa->q; +- } ++ /* Make sure mod_inverse in montgomerey intialization use correct ++ * BN_FLG_CONSTTIME flag. ++ */ ++ bn_flags = rsa->p->flags; ++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) ++ { ++ rsa->p->flags |= BN_FLG_CONSTTIME; ++ } ++ MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); ++ /* We restore bn_flags back */ ++ rsa->p->flags = bn_flags; + +- if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) +- { +- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) +- goto err; +- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) +- goto err; +- } +- } ++ /* Make sure mod_inverse in montgomerey intialization use correct ++ * BN_FLG_CONSTTIME flag. ++ */ ++ bn_flags = rsa->q->flags; ++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) ++ { ++ rsa->q->flags |= BN_FLG_CONSTTIME; ++ } ++ MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); ++ /* We restore bn_flags back */ ++ rsa->q->flags = bn_flags; + +- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) +- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) +- goto err; ++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + + /* compute I mod q */ + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) +@@ -875,6 +938,9 @@ err: + + static int RSA_eay_init(RSA *rsa) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; + return(1); + } +diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_err.c +--- openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_err.c 2009-08-11 18:07:30.000000000 +0200 +@@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]= + {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, + {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"}, + {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"}, ++{ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"}, + {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, ++{ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"}, + {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"}, ++{ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"}, ++{ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"}, + {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, + {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, + {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, +@@ -155,10 +159,12 @@ static ERR_STRING_DATA RSA_str_reasons[] + {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, + {ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, + {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, ++{ERR_REASON(RSA_R_NON_FIPS_METHOD) ,"non fips method"}, + {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"}, + {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, + {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, + {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, ++{ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"}, + {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"}, + {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, + {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, +diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c +--- openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c 2009-08-11 18:07:30.000000000 +0200 +@@ -67,6 +67,77 @@ + #include "cryptlib.h" + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++static int fips_rsa_pairwise_fail = 0; ++ ++void FIPS_corrupt_rsa_keygen(void) ++ { ++ fips_rsa_pairwise_fail = 1; ++ } ++ ++int fips_check_rsa(RSA *rsa) ++ { ++ const unsigned char tbs[] = "RSA Pairwise Check Data"; ++ unsigned char *ctbuf = NULL, *ptbuf = NULL; ++ int len, ret = 0; ++ EVP_PKEY pk; ++ pk.type = EVP_PKEY_RSA; ++ pk.pkey.rsa = rsa; ++ ++ /* Perform pairwise consistency signature test */ ++ if (!fips_pkey_signature_test(&pk, tbs, -1, ++ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) ++ || !fips_pkey_signature_test(&pk, tbs, -1, ++ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL) ++ || !fips_pkey_signature_test(&pk, tbs, -1, ++ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL)) ++ goto err; ++ /* Now perform pairwise consistency encrypt/decrypt test */ ++ ctbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ctbuf) ++ goto err; ++ ++ len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, RSA_PKCS1_PADDING); ++ if (len <= 0) ++ goto err; ++ /* Check ciphertext doesn't match plaintext */ ++ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len)) ++ goto err; ++ ptbuf = OPENSSL_malloc(RSA_size(rsa)); ++ ++ if (!ptbuf) ++ goto err; ++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); ++ if (len != (sizeof(tbs) - 1)) ++ goto err; ++ if (memcmp(ptbuf, tbs, len)) ++ goto err; ++ ++ ret = 1; ++ ++ if (!ptbuf) ++ goto err; ++ ++ err: ++ if (ret == 0) ++ { ++ fips_set_selftest_fail(); ++ FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED); ++ } ++ ++ if (ctbuf) ++ OPENSSL_free(ctbuf); ++ if (ptbuf) ++ OPENSSL_free(ptbuf); ++ ++ return ret; ++ } ++#endif + + static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); + +@@ -90,6 +161,23 @@ static int rsa_builtin_keygen(RSA *rsa, + int bitsp,bitsq,ok= -1,n=0; + BN_CTX *ctx=NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ if(FIPS_selftest_failed()) ++ { ++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) ++ { ++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT); ++ return 0; ++ } ++ } ++#endif ++ + ctx=BN_CTX_new(); + if (ctx == NULL) goto err; + BN_CTX_start(ctx); +@@ -201,6 +289,17 @@ static int rsa_builtin_keygen(RSA *rsa, + p = rsa->p; + if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ if (fips_rsa_pairwise_fail) ++ BN_add_word(rsa->n, 1); ++ ++ if(!fips_check_rsa(rsa)) ++ goto err; ++ } ++#endif ++ + ok=1; + err: + if (ok == -1) +diff -up openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips openssl-1.0.0-beta3/crypto/rsa/rsa.h +--- openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips 2009-08-11 18:07:29.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa.h 2009-08-11 18:07:30.000000000 +0200 +@@ -74,6 +74,21 @@ + #error RSA is disabled. + #endif + ++/* If this flag is set the RSA method is FIPS compliant and can be used ++ * in FIPS mode. This is set in the validated module method. If an ++ * application sets this flag in its own methods it is its reposibility ++ * to ensure the result is compliant. ++ */ ++ ++#define RSA_FLAG_FIPS_METHOD 0x0400 ++ ++/* If this flag is set the operations normally disabled in FIPS mode are ++ * permitted it is then the applications responsibility to ensure that the ++ * usage is compliant. ++ */ ++ ++#define RSA_FLAG_NON_FIPS_ALLOW 0x0400 ++ + #ifdef __cplusplus + extern "C" { + #endif +@@ -164,6 +179,8 @@ struct rsa_st + # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 + #endif + ++#define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024 ++ + #ifndef OPENSSL_RSA_SMALL_MODULUS_BITS + # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072 + #endif +@@ -267,6 +284,11 @@ RSA * RSA_generate_key(int bits, unsigne + + /* New version */ + int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); ++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, ++ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp, ++ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq, ++ const BIGNUM *e, BN_GENCB *cb); ++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb); + + int RSA_check_key(const RSA *); + /* next 4 return -1 on error */ +@@ -438,8 +460,12 @@ void ERR_load_RSA_strings(void); + #define RSA_F_RSA_PRINT_FP 116 + #define RSA_F_RSA_PRIV_DECODE 137 + #define RSA_F_RSA_PRIV_ENCODE 138 ++#define RSA_F_RSA_PRIVATE_ENCRYPT 148 + #define RSA_F_RSA_PUB_DECODE 139 ++#define RSA_F_RSA_PUBLIC_DECRYPT 149 + #define RSA_F_RSA_SETUP_BLINDING 136 ++#define RSA_F_RSA_SET_DEFAULT_METHOD 150 ++#define RSA_F_RSA_SET_METHOD 151 + #define RSA_F_RSA_SIGN 117 + #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 + #define RSA_F_RSA_VERIFY 119 +@@ -479,10 +505,12 @@ void ERR_load_RSA_strings(void); + #define RSA_R_KEY_SIZE_TOO_SMALL 120 + #define RSA_R_LAST_OCTET_INVALID 134 + #define RSA_R_MODULUS_TOO_LARGE 105 ++#define RSA_R_NON_FIPS_METHOD 149 + #define RSA_R_NO_PUBLIC_EXPONENT 140 + #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 + #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 + #define RSA_R_OAEP_DECODING_ERROR 121 ++#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150 + #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 + #define RSA_R_PADDING_CHECK_FAILED 114 + #define RSA_R_P_NOT_PRIME 128 +diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c +--- openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips 2008-08-06 17:54:14.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c 2009-08-11 18:07:30.000000000 +0200 +@@ -80,6 +80,13 @@ RSA *RSA_new(void) + + void RSA_set_default_method(const RSA_METHOD *meth) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) ++ { ++ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD); ++ return; ++ } ++#endif + default_RSA_meth = meth; + } + +@@ -111,6 +118,13 @@ int RSA_set_method(RSA *rsa, const RSA_M + /* NB: The caller is specifically setting a method, so it's not up to us + * to deal with which ENGINE it comes from. */ + const RSA_METHOD *mtmp; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) ++ { ++ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#endif + mtmp = rsa->meth; + if (mtmp->finish) mtmp->finish(rsa); + #ifndef OPENSSL_NO_ENGINE +@@ -163,6 +177,18 @@ RSA *RSA_new_method(ENGINE *engine) + } + } + #endif ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) ++ { ++ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD); ++#ifndef OPENSSL_NO_ENGINE ++ if (ret->engine) ++ ENGINE_finish(ret->engine); ++#endif ++ OPENSSL_free(ret); ++ return NULL; ++ } ++#endif + + ret->pad=0; + ret->version=0; +@@ -285,6 +311,13 @@ int RSA_public_encrypt(int flen, const u + int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, + RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) ++ { ++ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); ++ return 0; ++ } ++#endif + return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); + } + +@@ -297,6 +330,13 @@ int RSA_private_decrypt(int flen, const + int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, + RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) ++ { ++ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); ++ return 0; ++ } ++#endif + return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); + } + +@@ -422,51 +462,8 @@ err: + BN_CTX_end(ctx); + if (in_ctx == NULL) + BN_CTX_free(ctx); ++ if(rsa->e == NULL) ++ BN_free(e); + + return ret; + } +- +-int RSA_memory_lock(RSA *r) +- { +- int i,j,k,off; +- char *p; +- BIGNUM *bn,**t[6],*b; +- BN_ULONG *ul; +- +- if (r->d == NULL) return(1); +- t[0]= &r->d; +- t[1]= &r->p; +- t[2]= &r->q; +- t[3]= &r->dmp1; +- t[4]= &r->dmq1; +- t[5]= &r->iqmp; +- k=sizeof(BIGNUM)*6; +- off=k/sizeof(BN_ULONG)+1; +- j=1; +- for (i=0; i<6; i++) +- j+= (*t[i])->top; +- if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL) +- { +- RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE); +- return(0); +- } +- bn=(BIGNUM *)p; +- ul=(BN_ULONG *)&(p[off]); +- for (i=0; i<6; i++) +- { +- b= *(t[i]); +- *(t[i])= &(bn[i]); +- memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM)); +- bn[i].flags=BN_FLG_STATIC_DATA; +- bn[i].d=ul; +- memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top); +- ul+=b->top; +- BN_clear_free(b); +- } +- +- /* I should fix this so it can still be done */ +- r->flags&= ~(RSA_FLAG_CACHE_PRIVATE|RSA_FLAG_CACHE_PUBLIC); +- +- r->bignum_data=p; +- return(1); +- } +diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c +--- openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c 2009-08-11 18:07:30.000000000 +0200 +@@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch + i2d_X509_SIG(&sig,&p); + s=tmps; + } +- i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING); ++ /* NB: call underlying method directly to avoid FIPS blocking */ ++ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING) : 0; + if (i <= 0) + ret=0; + else +@@ -161,8 +162,8 @@ int int_rsa_verify(int dtype, const unsi + + if((dtype == NID_md5_sha1) && rm) + { +- i = RSA_public_decrypt((int)siglen, +- sigbuf,rm,rsa,RSA_PKCS1_PADDING); ++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen, ++ sigbuf,rm,rsa,RSA_PKCS1_PADDING) : 0; + if (i <= 0) + return 0; + *prm_len = i; +@@ -179,7 +180,8 @@ int int_rsa_verify(int dtype, const unsi + RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH); + goto err; + } +- i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); ++ /* NB: call underlying method directly to avoid FIPS blocking */ ++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING) : 0; + + if (i <= 0) goto err; + +diff -up openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha1dgst.c +--- openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/sha/sha1dgst.c 2009-08-11 18:07:30.000000000 +0200 +@@ -63,6 +63,10 @@ + #define SHA_1 + + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT; + +diff -up openssl-1.0.0-beta3/crypto/sha/sha256.c.fips openssl-1.0.0-beta3/crypto/sha/sha256.c +--- openssl-1.0.0-beta3/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/sha/sha256.c 2009-08-11 18:07:30.000000000 +0200 +@@ -12,12 +12,19 @@ + + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + #include + + const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT; + + int SHA224_Init (SHA256_CTX *c) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + memset (c,0,sizeof(*c)); + c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL; + c->h[2]=0x3070dd17UL; c->h[3]=0xf70e5939UL; +@@ -29,6 +36,9 @@ int SHA224_Init (SHA256_CTX *c) + + int SHA256_Init (SHA256_CTX *c) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + memset (c,0,sizeof(*c)); + c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL; + c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; +diff -up openssl-1.0.0-beta3/crypto/sha/sha512.c.fips openssl-1.0.0-beta3/crypto/sha/sha512.c +--- openssl-1.0.0-beta3/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/sha/sha512.c 2009-08-11 18:07:30.000000000 +0200 +@@ -5,6 +5,10 @@ + * ==================================================================== + */ + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) + /* + * IMPLEMENTATION NOTES. +@@ -61,6 +65,9 @@ const char SHA512_version[]="SHA-512" OP + + int SHA384_Init (SHA512_CTX *c) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm)) + /* maintain dword order required by assembler module */ + unsigned int *h = (unsigned int *)c->h; +@@ -90,6 +97,9 @@ int SHA384_Init (SHA512_CTX *c) + + int SHA512_Init (SHA512_CTX *c) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm)) + /* maintain dword order required by assembler module */ + unsigned int *h = (unsigned int *)c->h; +@@ -380,7 +390,7 @@ static const SHA_LONG64 K512[80] = { + ((SHA_LONG64)hi)<<32|lo; }) + # endif + # elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64) +-# define ROTR(a,n) ({ unsigned long ret; \ ++# define ROTR(a,n) ({ SHA_LONG64 ret; \ + asm ("rotrdi %0,%1,%2" \ + : "=r"(ret) \ + : "r"(a),"K"(n)); ret; }) +diff -up openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha_dgst.c +--- openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/sha/sha_dgst.c 2009-08-11 18:07:30.000000000 +0200 +@@ -57,6 +57,12 @@ + */ + + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ ++#include + #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) + + #undef SHA_1 +diff -up openssl-1.0.0-beta3/crypto/sha/sha.h.fips openssl-1.0.0-beta3/crypto/sha/sha.h +--- openssl-1.0.0-beta3/crypto/sha/sha.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/sha/sha.h 2009-08-11 18:07:30.000000000 +0200 +@@ -106,6 +106,9 @@ typedef struct SHAstate_st + } SHA_CTX; + + #ifndef OPENSSL_NO_SHA0 ++#ifdef OPENSSL_FIPS ++int private_SHA_Init(SHA_CTX *c); ++#endif + int SHA_Init(SHA_CTX *c); + int SHA_Update(SHA_CTX *c, const void *data, size_t len); + int SHA_Final(unsigned char *md, SHA_CTX *c); +diff -up openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta3/crypto/sha/sha_locl.h +--- openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/sha/sha_locl.h 2009-08-11 18:07:30.000000000 +0200 +@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, + #define INIT_DATA_h3 0x10325476UL + #define INIT_DATA_h4 0xc3d2e1f0UL + ++#if defined(SHA_0) && defined(OPENSSL_FIPS) ++FIPS_NON_FIPS_MD_Init(SHA) ++#else + int HASH_INIT (SHA_CTX *c) ++#endif + { ++#if defined(SHA_1) && defined(OPENSSL_FIPS) ++ FIPS_selftest_check(); ++#endif + memset (c,0,sizeof(*c)); + c->h0=INIT_DATA_h0; + c->h1=INIT_DATA_h1; +diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org +--- openssl-1.0.0-beta3/Makefile.org.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/Makefile.org 2009-08-11 18:07:30.000000000 +0200 +@@ -109,6 +109,9 @@ LIBKRB5= + ZLIB_INCLUDE= + LIBZLIB= + ++# Non-empty if FIPS enabled ++FIPS= ++ + DIRS= crypto ssl engines apps test tools + ENGDIRS= ccgost + SHLIBDIRS= crypto ssl +@@ -121,7 +124,7 @@ SDIRS= \ + bn ec rsa dsa ecdsa dh ecdh dso engine \ + buffer bio stack lhash rand err \ + evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \ +- cms pqueue ts jpake store ++ cms pqueue ts jpake store fips + # keep in mind that the above list is adjusted by ./Configure + # according to no-xxx arguments... + +@@ -204,6 +207,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS + RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \ + WP_ASM_OBJ='$(WP_ASM_OBJ)' \ + PERLASM_SCHEME='$(PERLASM_SCHEME)' \ ++ FIPS="$${FIPS:-$(FIPS)}" \ + THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= + # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, + # which in turn eliminates ambiguities in variable treatment with -e. +diff -up openssl-1.0.0-beta3/ssl/s23_clnt.c.fips openssl-1.0.0-beta3/ssl/s23_clnt.c +--- openssl-1.0.0-beta3/ssl/s23_clnt.c.fips 2009-04-07 19:01:07.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s23_clnt.c 2009-08-11 18:07:30.000000000 +0200 +@@ -332,6 +332,14 @@ static int ssl23_client_hello(SSL *s) + version_major = TLS1_VERSION_MAJOR; + version_minor = TLS1_VERSION_MINOR; + } ++#ifdef OPENSSL_FIPS ++ else if(FIPS_mode()) ++ { ++ SSLerr(SSL_F_SSL23_CLIENT_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ return -1; ++ } ++#endif + else if (version == SSL3_VERSION) + { + version_major = SSL3_VERSION_MAJOR; +@@ -615,6 +623,14 @@ static int ssl23_get_server_hello(SSL *s + if ((p[2] == SSL3_VERSION_MINOR) && + !(s->options & SSL_OP_NO_SSLv3)) + { ++#ifdef OPENSSL_FIPS ++ if(FIPS_mode()) ++ { ++ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ goto err; ++ } ++#endif + s->version=SSL3_VERSION; + s->method=SSLv3_client_method(); + } +diff -up openssl-1.0.0-beta3/ssl/s23_srvr.c.fips openssl-1.0.0-beta3/ssl/s23_srvr.c +--- openssl-1.0.0-beta3/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s23_srvr.c 2009-08-11 18:07:30.000000000 +0200 +@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) + } + } + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && (s->version < TLS1_VERSION)) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ goto err; ++ } ++#endif ++ + if (s->state == SSL23_ST_SR_CLNT_HELLO_B) + { + /* we have SSLv3/TLSv1 in an SSLv2 header +diff -up openssl-1.0.0-beta3/ssl/s3_clnt.c.fips openssl-1.0.0-beta3/ssl/s3_clnt.c +--- openssl-1.0.0-beta3/ssl/s3_clnt.c.fips 2009-06-16 18:39:20.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s3_clnt.c 2009-08-11 18:07:30.000000000 +0200 +@@ -156,6 +156,10 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + #ifndef OPENSSL_NO_DH + #include + #endif +@@ -1524,6 +1528,8 @@ int ssl3_get_key_exchange(SSL *s) + q=md_buf; + for (num=2; num > 0; num--) + { ++ EVP_MD_CTX_set_flags(&md_ctx, ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(&md_ctx,(num == 2) + ?s->ctx->md5:s->ctx->sha1, NULL); + EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); +diff -up openssl-1.0.0-beta3/ssl/s3_enc.c.fips openssl-1.0.0-beta3/ssl/s3_enc.c +--- openssl-1.0.0-beta3/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s3_enc.c 2009-08-11 18:07:30.000000000 +0200 +@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL * + #endif + k=0; + EVP_MD_CTX_init(&m5); ++ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_MD_CTX_init(&s1); + for (i=0; (int)is3->tmp.new_cipher->algorithm2) && md) + { + s->s3->handshake_dgst[i]=EVP_MD_CTX_create(); ++ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL); + EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen); + } +@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in + return 0; + } + EVP_MD_CTX_init(&ctx); ++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_MD_CTX_copy_ex(&ctx,d); + n=EVP_MD_CTX_size(&ctx); + if (n < 0) +diff -up openssl-1.0.0-beta3/ssl/s3_srvr.c.fips openssl-1.0.0-beta3/ssl/s3_srvr.c +--- openssl-1.0.0-beta3/ssl/s3_srvr.c.fips 2009-06-26 17:04:22.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s3_srvr.c 2009-08-11 18:07:30.000000000 +0200 +@@ -1674,6 +1674,8 @@ int ssl3_send_server_key_exchange(SSL *s + j=0; + for (num=2; num > 0; num--) + { ++ EVP_MD_CTX_set_flags(&md_ctx, ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(&md_ctx,(num == 2) + ?s->ctx->md5:s->ctx->sha1, NULL); + EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); +diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips openssl-1.0.0-beta3/ssl/ssl_ciph.c +--- openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips 2009-04-07 14:10:59.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-08-11 18:07:30.000000000 +0200 +@@ -727,6 +727,9 @@ static void ssl_cipher_collect_ciphers(c + !(c->algorithm_auth & disabled_auth) && + !(c->algorithm_enc & disabled_enc) && + !(c->algorithm_mac & disabled_mac) && ++#ifdef OPENSSL_FIPS ++ (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) && ++#endif + !(c->algorithm_ssl & disabled_ssl)) + { + co_list[co_list_num].cipher = c; +@@ -1423,7 +1426,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + */ + for (curr = head; curr != NULL; curr = curr->next) + { ++#ifdef OPENSSL_FIPS ++ if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) ++#else + if (curr->active) ++#endif + { + sk_SSL_CIPHER_push(cipherstack, curr->cipher); + #ifdef CIPHER_DEBUG +diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.fips openssl-1.0.0-beta3/ssl/ssl_lib.c +--- openssl-1.0.0-beta3/ssl/ssl_lib.c.fips 2009-06-30 13:57:24.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssl_lib.c 2009-08-11 18:07:30.000000000 +0200 +@@ -1470,6 +1470,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + return(NULL); + } + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && (meth->version < TLS1_VERSION)) ++ { ++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ return NULL; ++ } ++#endif ++ + if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) + { + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); +diff -up openssl-1.0.0-beta3/ssl/ssltest.c.fips openssl-1.0.0-beta3/ssl/ssltest.c +--- openssl-1.0.0-beta3/ssl/ssltest.c.fips 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssltest.c 2009-08-11 18:07:30.000000000 +0200 +@@ -265,6 +265,9 @@ static void sv_usage(void) + { + fprintf(stderr,"usage: ssltest [args ...]\n"); + fprintf(stderr,"\n"); ++#ifdef OPENSSL_FIPS ++ fprintf(stderr,"-F - run test in FIPS mode\n"); ++#endif + fprintf(stderr," -server_auth - check server certificate\n"); + fprintf(stderr," -client_auth - do client authentication\n"); + fprintf(stderr," -proxy - allow proxy certificates\n"); +@@ -484,6 +487,9 @@ int main(int argc, char *argv[]) + #endif + STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; + int test_cipherlist = 0; ++#ifdef OPENSSL_FIPS ++ int fips_mode=0; ++#endif + + verbose = 0; + debug = 0; +@@ -515,7 +521,16 @@ int main(int argc, char *argv[]) + + while (argc >= 1) + { +- if (strcmp(*argv,"-server_auth") == 0) ++ if(!strcmp(*argv,"-F")) ++ { ++#ifdef OPENSSL_FIPS ++ fips_mode=1; ++#else ++ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n"); ++ EXIT(0); ++#endif ++ } ++ else if (strcmp(*argv,"-server_auth") == 0) + server_auth=1; + else if (strcmp(*argv,"-client_auth") == 0) + client_auth=1; +@@ -711,6 +726,20 @@ bad: + EXIT(1); + } + ++#ifdef OPENSSL_FIPS ++ if(fips_mode) ++ { ++ if(!FIPS_mode_set(1)) ++ { ++ ERR_load_crypto_strings(); ++ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); ++ EXIT(1); ++ } ++ else ++ fprintf(stderr,"*** IN FIPS MODE ***\n"); ++ } ++#endif ++ + if (print_time) + { + if (!bio_pair) +@@ -2153,12 +2182,12 @@ static int MS_CALLBACK app_verify_callba + } + + #ifndef OPENSSL_NO_X509_VERIFY +-# ifdef OPENSSL_FIPS ++# if 0 + if(s->version == TLS1_VERSION) + FIPS_allow_md5(1); + # endif + ok = X509_verify_cert(ctx); +-# ifdef OPENSSL_FIPS ++# if 0 + if(s->version == TLS1_VERSION) + FIPS_allow_md5(0); + # endif +diff -up openssl-1.0.0-beta3/ssl/t1_enc.c.fips openssl-1.0.0-beta3/ssl/t1_enc.c +--- openssl-1.0.0-beta3/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/t1_enc.c 2009-08-11 18:07:30.000000000 +0200 +@@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md + + HMAC_CTX_init(&ctx); + HMAC_CTX_init(&ctx_tmp); ++ HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); ++ HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); + HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); + if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len); diff --git a/openssl-1.0.0-beta3-fipscheck.patch b/openssl-1.0.0-beta3-fipscheck.patch new file mode 100644 index 0000000..2951b48 --- /dev/null +++ b/openssl-1.0.0-beta3-fipscheck.patch @@ -0,0 +1,400 @@ +diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c +--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck 2009-08-10 20:11:59.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-10 20:11:59.000000000 +0200 +@@ -47,6 +47,7 @@ + * + */ + ++#define _GNU_SOURCE + + #include + #include +@@ -56,6 +57,9 @@ + #include + #include + #include ++#include ++#include ++#include + #include "fips_locl.h" + + #ifdef OPENSSL_FIPS +@@ -165,6 +169,204 @@ int FIPS_selftest() + && FIPS_selftest_dsa(); + } + ++/* we implement what libfipscheck does ourselves */ ++ ++static int ++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) ++{ ++ Dl_info info; ++ void *dl, *sym; ++ int rv = -1; ++ ++ dl = dlopen(libname, RTLD_LAZY); ++ if (dl == NULL) { ++ return -1; ++ } ++ ++ sym = dlsym(dl, symbolname); ++ ++ if (sym != NULL && dladdr(sym, &info)) { ++ strncpy(path, info.dli_fname, pathlen-1); ++ path[pathlen-1] = '\0'; ++ rv = 0; ++ } ++ ++ dlclose(dl); ++ ++ return rv; ++} ++ ++static const char conv[] = "0123456789abcdef"; ++ ++static char * ++bin2hex(void *buf, size_t len) ++{ ++ char *hex, *p; ++ unsigned char *src = buf; ++ ++ hex = malloc(len * 2 + 1); ++ if (hex == NULL) ++ return NULL; ++ ++ p = hex; ++ ++ while (len > 0) { ++ unsigned c; ++ ++ c = *src; ++ src++; ++ ++ *p = conv[c >> 4]; ++ ++p; ++ *p = conv[c & 0x0f]; ++ ++p; ++ --len; ++ } ++ *p = '\0'; ++ return hex; ++} ++ ++#define HMAC_PREFIX "." ++#define HMAC_SUFFIX ".hmac" ++#define READ_BUFFER_LENGTH 16384 ++ ++static char * ++make_hmac_path(const char *origpath) ++{ ++ char *path, *p; ++ const char *fn; ++ ++ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); ++ if(path == NULL) { ++ return NULL; ++ } ++ ++ fn = strrchr(origpath, '/'); ++ if (fn == NULL) { ++ fn = origpath; ++ } else { ++ ++fn; ++ } ++ ++ strncpy(path, origpath, fn-origpath); ++ p = path + (fn - origpath); ++ p = stpcpy(p, HMAC_PREFIX); ++ p = stpcpy(p, fn); ++ p = stpcpy(p, HMAC_SUFFIX); ++ ++ return path; ++} ++ ++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ ++static int ++compute_file_hmac(const char *path, void **buf, size_t *hmaclen) ++{ ++ FILE *f = NULL; ++ int rv = -1; ++ unsigned char rbuf[READ_BUFFER_LENGTH]; ++ size_t len; ++ unsigned int hlen; ++ HMAC_CTX c; ++ ++ HMAC_CTX_init(&c); ++ ++ f = fopen(path, "r"); ++ ++ if (f == NULL) { ++ goto end; ++ } ++ ++ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); ++ ++ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { ++ HMAC_Update(&c, rbuf, len); ++ } ++ ++ len = sizeof(rbuf); ++ /* reuse rbuf for hmac */ ++ HMAC_Final(&c, rbuf, &hlen); ++ ++ *buf = malloc(hlen); ++ if (*buf == NULL) { ++ goto end; ++ } ++ ++ *hmaclen = hlen; ++ ++ memcpy(*buf, rbuf, hlen); ++ ++ rv = 0; ++end: ++ HMAC_CTX_cleanup(&c); ++ ++ if (f) ++ fclose(f); ++ ++ return rv; ++} ++ ++static int ++FIPSCHECK_verify(const char *libname, const char *symbolname) ++{ ++ char path[PATH_MAX+1]; ++ int rv; ++ FILE *hf; ++ char *hmacpath, *p; ++ char *hmac = NULL; ++ size_t n; ++ ++ rv = get_library_path(libname, symbolname, path, sizeof(path)); ++ ++ if (rv < 0) ++ return 0; ++ ++ hmacpath = make_hmac_path(path); ++ ++ hf = fopen(hmacpath, "r"); ++ if (hf == NULL) { ++ free(hmacpath); ++ return 0; ++ } ++ ++ if (getline(&hmac, &n, hf) > 0) { ++ void *buf; ++ size_t hmaclen; ++ char *hex; ++ ++ if ((p=strchr(hmac, '\n')) != NULL) ++ *p = '\0'; ++ ++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { ++ rv = -4; ++ goto end; ++ } ++ ++ if ((hex=bin2hex(buf, hmaclen)) == NULL) { ++ free(buf); ++ rv = -5; ++ goto end; ++ } ++ ++ if (strcmp(hex, hmac) != 0) { ++ rv = -1; ++ } ++ free(buf); ++ free(hex); ++ } ++ ++end: ++ free(hmac); ++ free(hmacpath); ++ fclose(hf); ++ ++ if (rv < 0) ++ return 0; ++ ++ /* check successful */ ++ return 1; ++} ++ + int FIPS_mode_set(int onoff) + { + int fips_set_owning_thread(); +@@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff) + } + #endif + ++ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set")) ++ { ++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ ++ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new")) ++ { ++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ + /* Perform RNG KAT before seeding */ + if (!FIPS_selftest_rng()) + { +diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c +--- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck 2009-08-10 20:11:59.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-08-10 20:11:59.000000000 +0200 +@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len) + + #ifdef OPENSSL_FIPS + +-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, ++static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx, + const char *key) + { + size_t len=strlen(key); +@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH + + if (len > SHA_CBLOCK) + { +- SHA1_Init(md_ctx); +- SHA1_Update(md_ctx,key,len); +- SHA1_Final(keymd,md_ctx); +- len=20; ++ SHA256_Init(md_ctx); ++ SHA256_Update(md_ctx,key,len); ++ SHA256_Final(keymd,md_ctx); ++ len=SHA256_DIGEST_LENGTH; + } + else + memcpy(keymd,key,len); +@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH + + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) + pad[i]=0x36^keymd[i]; +- SHA1_Init(md_ctx); +- SHA1_Update(md_ctx,pad,SHA_CBLOCK); ++ SHA256_Init(md_ctx); ++ SHA256_Update(md_ctx,pad,SHA256_CBLOCK); + + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) + pad[i]=0x5c^keymd[i]; +- SHA1_Init(o_ctx); +- SHA1_Update(o_ctx,pad,SHA_CBLOCK); ++ SHA256_Init(o_ctx); ++ SHA256_Update(o_ctx,pad,SHA256_CBLOCK); + } + +-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) ++static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx) + { +- unsigned char buf[20]; ++ unsigned char buf[SHA256_DIGEST_LENGTH]; + +- SHA1_Final(buf,md_ctx); +- SHA1_Update(o_ctx,buf,sizeof buf); +- SHA1_Final(md,o_ctx); ++ SHA256_Final(buf,md_ctx); ++ SHA256_Update(o_ctx,buf,sizeof buf); ++ SHA256_Final(md,o_ctx); + } + + #endif +@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md + int main(int argc,char **argv) + { + #ifdef OPENSSL_FIPS +- static char key[]="etaonrishdlcupfm"; ++ static char key[]="orboDeJITITejsirpADONivirpUkvarP"; + int n,binary=0; + + if(argc < 2) +@@ -125,8 +125,8 @@ int main(int argc,char **argv) + for(; n < argc ; ++n) + { + FILE *f=fopen(argv[n],"rb"); +- SHA_CTX md_ctx,o_ctx; +- unsigned char md[20]; ++ SHA256_CTX md_ctx,o_ctx; ++ unsigned char md[SHA256_DIGEST_LENGTH]; + int i; + + if(!f) +@@ -151,18 +151,18 @@ int main(int argc,char **argv) + else + break; + } +- SHA1_Update(&md_ctx,buf,l); ++ SHA256_Update(&md_ctx,buf,l); + } + hmac_final(md,&md_ctx,&o_ctx); + + if (binary) + { +- fwrite(md,20,1,stdout); ++ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout); + break; /* ... for single(!) file */ + } + +- printf("HMAC-SHA1(%s)= ",argv[n]); +- for(i=0 ; i < 20 ; ++i) ++/* printf("HMAC-SHA1(%s)= ",argv[n]); */ ++ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i) + printf("%02x",md[i]); + printf("\n"); + } +diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile +--- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck 2009-08-10 20:11:59.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-10 20:27:45.000000000 +0200 +@@ -16,6 +16,9 @@ GENERAL=Makefile + TEST=fips_test_suite.c fips_randtest.c + APPS= + ++PROGRAM= fips_standalone_sha1 ++EXE= $(PROGRAM)$(EXE_EXT) ++ + LIB=$(TOP)/libcrypto.a + LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \ + fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ +@@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self + fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ + fips_rsa_x931g.o + ++LIBCRYPTO=-L.. -lcrypto ++ + SRC= $(LIBSRC) fips_standalone_sha1.c + + EXHEADER= fips.h fips_rand.h +@@ -35,13 +40,15 @@ ALL= $(GENERAL) $(SRC) $(HEADER) + top: + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) + +-all: lib ++all: lib exe + + lib: $(LIBOBJ) + $(AR) $(LIB) $(LIBOBJ) + $(RANLIB) $(LIB) || echo Never mind. + @touch lib + ++exe: $(EXE) ++ + files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + +@@ -77,5 +84,9 @@ dclean: + clean: + rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff + ++$(EXE): $(PROGRAM).o ++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \ ++ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM ++ + # DO NOT DELETE THIS LINE -- make depend depends on it. + diff --git a/openssl-1.0.0-beta3-fipsmode.patch b/openssl-1.0.0-beta3-fipsmode.patch new file mode 100644 index 0000000..643654e --- /dev/null +++ b/openssl-1.0.0-beta3-fipsmode.patch @@ -0,0 +1,263 @@ +diff -up openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode openssl-1.0.0-beta3/crypto/engine/eng_all.c +--- openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/engine/eng_all.c 2009-08-11 17:37:16.000000000 +0200 +@@ -58,9 +58,23 @@ + + #include "cryptlib.h" + #include "eng_int.h" ++#ifdef OPENSSL_FIPS ++#include ++#endif + + void ENGINE_load_builtin_engines(void) + { ++#ifdef OPENSSL_FIPS ++ OPENSSL_init_library(); ++ if (FIPS_mode()) { ++ /* We allow loading dynamic engine as a third party ++ engine might be FIPS validated. ++ User is disallowed to load non-validated engines ++ by security policy. */ ++ ENGINE_load_dynamic(); ++ return; ++ } ++#endif + #if 0 + /* There's no longer any need for an "openssl" ENGINE unless, one day, + * it is the *only* way for standard builtin implementations to be be +diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_allc.c +--- openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode 2007-04-24 01:48:28.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/c_allc.c 2009-08-11 17:42:34.000000000 +0200 +@@ -65,6 +65,11 @@ + void OpenSSL_add_all_ciphers(void) + { + ++#ifdef OPENSSL_FIPS ++ OPENSSL_init_library(); ++ if(!FIPS_mode()) ++ { ++#endif + #ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_cfb()); + EVP_add_cipher(EVP_des_cfb1()); +@@ -219,4 +224,61 @@ void OpenSSL_add_all_ciphers(void) + EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256"); + EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256"); + #endif ++#ifdef OPENSSL_FIPS ++ } ++ else ++ { ++#ifndef OPENSSL_NO_DES ++ EVP_add_cipher(EVP_des_ede_cfb()); ++ EVP_add_cipher(EVP_des_ede3_cfb()); ++ ++ EVP_add_cipher(EVP_des_ede_ofb()); ++ EVP_add_cipher(EVP_des_ede3_ofb()); ++ ++ EVP_add_cipher(EVP_des_ede_cbc()); ++ EVP_add_cipher(EVP_des_ede3_cbc()); ++ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3"); ++ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3"); ++ ++ EVP_add_cipher(EVP_des_ede()); ++ EVP_add_cipher(EVP_des_ede3()); ++#endif ++ ++#ifndef OPENSSL_NO_AES ++ EVP_add_cipher(EVP_aes_128_ecb()); ++ EVP_add_cipher(EVP_aes_128_cbc()); ++ EVP_add_cipher(EVP_aes_128_cfb()); ++ EVP_add_cipher(EVP_aes_128_cfb1()); ++ EVP_add_cipher(EVP_aes_128_cfb8()); ++ EVP_add_cipher(EVP_aes_128_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_128_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128"); ++ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128"); ++ EVP_add_cipher(EVP_aes_192_ecb()); ++ EVP_add_cipher(EVP_aes_192_cbc()); ++ EVP_add_cipher(EVP_aes_192_cfb()); ++ EVP_add_cipher(EVP_aes_192_cfb1()); ++ EVP_add_cipher(EVP_aes_192_cfb8()); ++ EVP_add_cipher(EVP_aes_192_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_192_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192"); ++ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192"); ++ EVP_add_cipher(EVP_aes_256_ecb()); ++ EVP_add_cipher(EVP_aes_256_cbc()); ++ EVP_add_cipher(EVP_aes_256_cfb()); ++ EVP_add_cipher(EVP_aes_256_cfb1()); ++ EVP_add_cipher(EVP_aes_256_cfb8()); ++ EVP_add_cipher(EVP_aes_256_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_256_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); ++ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); ++#endif ++ } ++#endif + } +diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_alld.c +--- openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/c_alld.c 2009-08-11 17:54:08.000000000 +0200 +@@ -64,6 +64,11 @@ + + void OpenSSL_add_all_digests(void) + { ++#ifdef OPENSSL_FIPS ++ OPENSSL_init_library(); ++ if (!FIPS_mode()) ++ { ++#endif + #ifndef OPENSSL_NO_MD4 + EVP_add_digest(EVP_md4()); + #endif +@@ -110,5 +115,33 @@ void OpenSSL_add_all_digests(void) + #endif + #ifndef OPENSSL_NO_WHIRLPOOL + EVP_add_digest(EVP_whirlpool()); ++#endif ++#ifdef OPENSSL_FIPS ++ } ++ else ++ { ++#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) ++ EVP_add_digest(EVP_sha1()); ++ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); ++ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); ++#ifndef OPENSSL_NO_DSA ++ EVP_add_digest(EVP_dss1()); ++ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); ++ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); ++ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); ++#endif ++#ifndef OPENSSL_NO_ECDSA ++ EVP_add_digest(EVP_ecdsa()); ++#endif ++#endif ++#ifndef OPENSSL_NO_SHA256 ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++#endif ++#ifndef OPENSSL_NO_SHA512 ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++#endif ++ } + #endif + } +diff -up openssl-1.0.0-beta3/crypto/o_init.c.fipsmode openssl-1.0.0-beta3/crypto/o_init.c +--- openssl-1.0.0-beta3/crypto/o_init.c.fipsmode 2009-08-11 17:28:25.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/o_init.c 2009-08-11 17:39:06.000000000 +0200 +@@ -59,6 +59,43 @@ + #include + #include + ++#ifdef OPENSSL_FIPS ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ ++static void init_fips_mode(void) ++ { ++ char buf[2] = "0"; ++ int fd; ++ ++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) ++ { ++ buf[0] = '1'; ++ } ++ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) ++ { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); ++ close(fd); ++ } ++ /* Failure reading the fips mode switch file means just not ++ * switching into FIPS mode. We would break too many things ++ * otherwise. ++ */ ++ ++ if (buf[0] == '1') ++ { ++ FIPS_mode_set(1); ++ } ++ } ++#endif ++ + /* Perform any essential OpenSSL initialization operations. + * Currently only sets FIPS callbacks + */ +@@ -72,6 +109,7 @@ void OPENSSL_init_library(void) + #ifdef CRYPTO_MDEBUG + CRYPTO_malloc_debug_init(); + #endif ++ init_fips_mode(); + done = 1; + } + #endif +diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl_algs.c +--- openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode 2009-07-08 10:50:53.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssl_algs.c 2009-08-11 18:01:13.000000000 +0200 +@@ -64,6 +64,12 @@ + int SSL_library_init(void) + { + ++#ifdef OPENSSL_FIPS ++ OPENSSL_init_library(); ++ if (!FIPS_mode()) ++ { ++#endif ++ + #ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_cbc()); + EVP_add_cipher(EVP_des_ede3_cbc()); +@@ -115,6 +121,38 @@ int SSL_library_init(void) + EVP_add_digest(EVP_sha()); + EVP_add_digest(EVP_dss()); + #endif ++#ifdef OPENSSL_FIPS ++ } ++ else ++ { ++#ifndef OPENSSL_NO_DES ++ EVP_add_cipher(EVP_des_ede3_cbc()); ++#endif ++#ifndef OPENSSL_NO_AES ++ EVP_add_cipher(EVP_aes_128_cbc()); ++ EVP_add_cipher(EVP_aes_192_cbc()); ++ EVP_add_cipher(EVP_aes_256_cbc()); ++#endif ++#ifndef OPENSSL_NO_MD5 ++ /* needed even in the FIPS mode for TLS MAC */ ++ EVP_add_digest(EVP_md5()); ++#endif ++#ifndef OPENSSL_NO_SHA ++ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ ++ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); ++ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); ++#endif ++#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) ++ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ ++ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); ++ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); ++ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); ++#endif ++#ifndef OPENSSL_NO_ECDSA ++ EVP_add_digest(EVP_ecdsa()); ++#endif ++ } ++#endif + #ifndef OPENSSL_NO_COMP + /* This will initialise the built-in compression algorithms. + The value returned is a STACK_OF(SSL_COMP), but that can diff --git a/openssl-1.0.0-beta3-fipsrng.patch b/openssl-1.0.0-beta3-fipsrng.patch new file mode 100644 index 0000000..6040421 --- /dev/null +++ b/openssl-1.0.0-beta3-fipsrng.patch @@ -0,0 +1,79 @@ +diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c +--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng 2009-08-11 18:12:14.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:14:36.000000000 +0200 +@@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff) + goto end; + } + ++ /* now switch the RNG into FIPS mode */ ++ fips_set_rand_check(FIPS_rand_method()); ++ RAND_set_rand_method(FIPS_rand_method()); ++ + /* automagically seed PRNG if not already seeded */ + if(!FIPS_rand_status()) + { +- if(RAND_bytes(buf,sizeof buf) <= 0) ++ RAND_poll(); ++ if (!FIPS_rand_status()) + { + fips_selftest_fail = 1; + ret = 0; + goto end; + } +- FIPS_rand_set_key(buf,32); +- FIPS_rand_seed(buf+32,16); + } + +- /* now switch into FIPS mode */ +- fips_set_rand_check(FIPS_rand_method()); +- RAND_set_rand_method(FIPS_rand_method()); + if(FIPS_selftest()) + fips_set_mode(1); + else +diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c +--- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng 2009-08-11 18:12:14.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:16:48.000000000 +0200 +@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_ + { + int i; + if (!ctx->keyed) +- return 0; ++ { ++ FIPS_RAND_SIZE_T keylen = 16; ++ ++ if (seedlen - keylen < AES_BLOCK_LENGTH) ++ return 0; ++ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH) ++ keylen += 8; ++ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH) ++ keylen += 8; ++ seedlen -= keylen; ++ fips_set_prng_key(ctx, seed+seedlen, keylen); ++ } + /* In test mode seed is just supplied data */ + if (ctx->test_mode) + { +@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx, + unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH]; + unsigned char tmp[AES_BLOCK_LENGTH]; + int i; ++ FIPS_selftest_check(); + if (ctx->error) + { + RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR); +diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h +--- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng 2009-08-11 18:12:13.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h 2009-08-11 18:18:13.000000000 +0200 +@@ -112,8 +112,11 @@ + #ifndef HEADER_RAND_LCL_H + #define HEADER_RAND_LCL_H + ++#ifndef OPENSSL_FIPS + #define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */ +- ++#else ++#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */ ++#endif + + #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) + #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) diff --git a/openssl-1.0.0-beta3-ipv6-apps.patch b/openssl-1.0.0-beta3-ipv6-apps.patch new file mode 100644 index 0000000..690bc98 --- /dev/null +++ b/openssl-1.0.0-beta3-ipv6-apps.patch @@ -0,0 +1,506 @@ +diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_apps.h +--- openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps 2009-08-05 21:29:58.000000000 +0200 ++++ openssl-1.0.0-beta3/apps/s_apps.h 2009-08-05 21:29:58.000000000 +0200 +@@ -148,7 +148,7 @@ typedef fd_mask fd_set; + #define PORT_STR "4433" + #define PROTOCOL "tcp" + +-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); ++int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); + #ifdef HEADER_X509_H + int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); + #endif +@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, + int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); + int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); + #endif +-int init_client(int *sock, char *server, int port, int type); ++int init_client(int *sock, char *server, char *port, int type); + int should_retry(int i); +-int extract_port(char *str, short *port_ptr); +-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); ++int extract_host_port(char *str,char **host_ptr,char **port_ptr); + + long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, + int argi, long argl, long ret); +diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/s_client.c +--- openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200 ++++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 22:33:44.000000000 +0200 +@@ -388,7 +388,7 @@ int MAIN(int argc, char **argv) + int cbuf_len,cbuf_off; + int sbuf_len,sbuf_off; + fd_set readfds,writefds; +- short port=PORT; ++ char *port_str = PORT_STR; + int full_log=1; + char *host=SSL_HOST_NAME; + char *cert_file=NULL,*key_file=NULL; +@@ -486,13 +486,12 @@ int MAIN(int argc, char **argv) + else if (strcmp(*argv,"-port") == 0) + { + if (--argc < 1) goto bad; +- port=atoi(*(++argv)); +- if (port == 0) goto bad; ++ port_str= *(++argv); + } + else if (strcmp(*argv,"-connect") == 0) + { + if (--argc < 1) goto bad; +- if (!extract_host_port(*(++argv),&host,NULL,&port)) ++ if (!extract_host_port(*(++argv),&host,&port_str)) + goto bad; + } + else if (strcmp(*argv,"-verify") == 0) +@@ -956,7 +955,7 @@ bad: + + re_start: + +- if (init_client(&s,host,port,socket_type) == 0) ++ if (init_client(&s,host,port_str,socket_type) == 0) + { + BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); + SHUTDOWN(s); +diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/s_server.c +--- openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200 ++++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 21:29:58.000000000 +0200 +@@ -837,7 +837,7 @@ int MAIN(int argc, char *argv[]) + { + X509_VERIFY_PARAM *vpm = NULL; + int badarg = 0; +- short port=PORT; ++ char *port_str = PORT_STR; + char *CApath=NULL,*CAfile=NULL; + unsigned char *context = NULL; + char *dhfile = NULL; +@@ -907,8 +907,7 @@ int MAIN(int argc, char *argv[]) + (strcmp(*argv,"-accept") == 0)) + { + if (--argc < 1) goto bad; +- if (!extract_port(*(++argv),&port)) +- goto bad; ++ port_str= *(++argv); + } + else if (strcmp(*argv,"-verify") == 0) + { +@@ -1685,9 +1684,9 @@ bad: + BIO_printf(bio_s_out,"ACCEPT\n"); + (void)BIO_flush(bio_s_out); + if (www) +- do_server(port,socket_type,&accept_socket,www_body, context); ++ do_server(port_str,socket_type,&accept_socket,www_body, context); + else +- do_server(port,socket_type,&accept_socket,sv_body, context); ++ do_server(port_str,socket_type,&accept_socket,sv_body, context); + print_stats(bio_s_out,ctx); + ret=0; + end: +diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/s_socket.c +--- openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps 2008-11-12 04:57:47.000000000 +0100 ++++ openssl-1.0.0-beta3/apps/s_socket.c 2009-08-05 21:29:58.000000000 +0200 +@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha + static void ssl_sock_cleanup(void); + #endif + static int ssl_sock_init(void); +-static int init_client_ip(int *sock,unsigned char ip[4], int port, int type); +-static int init_server(int *sock, int port, int type); +-static int init_server_long(int *sock, int port,char *ip, int type); ++static int init_server(int *sock, char *port, int type); + static int do_accept(int acc_sock, int *sock, char **host); + static int host_ip(char *str, unsigned char ip[4]); + +@@ -228,58 +226,70 @@ static int ssl_sock_init(void) + return(1); + } + +-int init_client(int *sock, char *host, int port, int type) ++int init_client(int *sock, char *host, char *port, int type) + { +- unsigned char ip[4]; +- +- if (!host_ip(host,&(ip[0]))) +- { +- return(0); +- } +- return(init_client_ip(sock,ip,port,type)); +- } +- +-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) +- { +- unsigned long addr; +- struct sockaddr_in them; +- int s,i; ++ struct addrinfo *res, *res0, hints; ++ char * failed_call = NULL; ++ int s; ++ int e; + + if (!ssl_sock_init()) return(0); + +- memset((char *)&them,0,sizeof(them)); +- them.sin_family=AF_INET; +- them.sin_port=htons((unsigned short)port); +- addr=(unsigned long) +- ((unsigned long)ip[0]<<24L)| +- ((unsigned long)ip[1]<<16L)| +- ((unsigned long)ip[2]<< 8L)| +- ((unsigned long)ip[3]); +- them.sin_addr.s_addr=htonl(addr); +- +- if (type == SOCK_STREAM) +- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); +- else /* ( type == SOCK_DGRAM) */ +- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); +- +- if (s == INVALID_SOCKET) { perror("socket"); return(0); } ++ memset(&hints, '\0', sizeof(hints)); ++ hints.ai_socktype = type; ++ hints.ai_flags = AI_ADDRCONFIG; ++ ++ e = getaddrinfo(host, port, &hints, &res); ++ if (e) ++ { ++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); ++ if (e == EAI_SYSTEM) ++ perror("getaddrinfo"); ++ return (0); ++ } + ++ res0 = res; ++ while (res) ++ { ++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); ++ if (s == INVALID_SOCKET) ++ { ++ failed_call = "socket"; ++ goto nextres; ++ } + #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE) + if (type == SOCK_STREAM) + { +- i=0; +- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); +- if (i < 0) { perror("keepalive"); return(0); } ++ int i=0; ++ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE, ++ (char *)&i,sizeof(i)); ++ if (i < 0) { ++ failed_call = "keepalive"; ++ goto nextres; ++ } + } + #endif +- +- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) +- { closesocket(s); perror("connect"); return(0); } ++ if (connect(s,(struct sockaddr *)res->ai_addr, ++ res->ai_addrlen) == 0) ++ { ++ freeaddrinfo(res0); + *sock=s; + return(1); + } + +-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) ++ failed_call = "socket"; ++nextres: ++ if (s != INVALID_SOCKET) ++ close(s); ++ res = res->ai_next; ++ } ++ freeaddrinfo(res0); ++ ++ perror(failed_call); ++ return(0); ++ } ++ ++int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) + { + int sock; + char *name = NULL; +@@ -317,33 +327,38 @@ int do_server(int port, int type, int *r + } + } + +-static int init_server_long(int *sock, int port, char *ip, int type) ++static int init_server(int *sock, char *port, int type) + { +- int ret=0; +- struct sockaddr_in server; +- int s= -1,i; ++ struct addrinfo *res, *res0, hints; ++ char * failed_call = NULL; ++ char port_name[8]; ++ int s; ++ int e; + + if (!ssl_sock_init()) return(0); + +- memset((char *)&server,0,sizeof(server)); +- server.sin_family=AF_INET; +- server.sin_port=htons((unsigned short)port); +- if (ip == NULL) +- server.sin_addr.s_addr=INADDR_ANY; +- else +-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */ +-#ifndef BIT_FIELD_LIMITS +- memcpy(&server.sin_addr.s_addr,ip,4); +-#else +- memcpy(&server.sin_addr,ip,4); +-#endif ++ memset(&hints, '\0', sizeof(hints)); ++ hints.ai_socktype = type; ++ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; + +- if (type == SOCK_STREAM) +- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); +- else /* type == SOCK_DGRAM */ +- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP); ++ e = getaddrinfo(NULL, port, &hints, &res); ++ if (e) ++ { ++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); ++ if (e == EAI_SYSTEM) ++ perror("getaddrinfo"); ++ return (0); ++ } + +- if (s == INVALID_SOCKET) goto err; ++ res0 = res; ++ while (res) ++ { ++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); ++ if (s == INVALID_SOCKET) ++ { ++ failed_call = "socket"; ++ goto nextres; ++ } + #if defined SOL_SOCKET && defined SO_REUSEADDR + { + int j = 1; +@@ -351,36 +366,39 @@ static int init_server_long(int *sock, i + (void *) &j, sizeof j); + } + #endif +- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1) ++ ++ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) + { +-#ifndef OPENSSL_SYS_WINDOWS +- perror("bind"); +-#endif +- goto err; ++ failed_call = "bind"; ++ goto nextres; + } +- /* Make it 128 for linux */ +- if (type==SOCK_STREAM && listen(s,128) == -1) goto err; +- i=0; +- *sock=s; +- ret=1; +-err: +- if ((ret == 0) && (s != -1)) ++ if (type==SOCK_STREAM && listen(s,128) == -1) + { +- SHUTDOWN(s); ++ failed_call = "listen"; ++ goto nextres; + } +- return(ret); ++ ++ *sock=s; ++ return(1); ++ ++nextres: ++ if (s != INVALID_SOCKET) ++ close(s); ++ res = res->ai_next; + } ++ freeaddrinfo(res0); + +-static int init_server(int *sock, int port, int type) +- { +- return(init_server_long(sock, port, NULL, type)); ++ if (s == INVALID_SOCKET) { perror("socket"); return(0); } ++ ++ perror(failed_call); ++ return(0); + } + + static int do_accept(int acc_sock, int *sock, char **host) + { +- int ret,i; +- struct hostent *h1,*h2; +- static struct sockaddr_in from; ++ static struct sockaddr_storage from; ++ char buffer[NI_MAXHOST]; ++ int ret; + int len; + /* struct linger ling; */ + +@@ -425,137 +443,62 @@ redoit: + if (i < 0) { perror("keepalive"); return(0); } + */ + +- if (host == NULL) goto end; +-#ifndef BIT_FIELD_LIMITS +- /* I should use WSAAsyncGetHostByName() under windows */ +- h1=gethostbyaddr((char *)&from.sin_addr.s_addr, +- sizeof(from.sin_addr.s_addr),AF_INET); +-#else +- h1=gethostbyaddr((char *)&from.sin_addr, +- sizeof(struct in_addr),AF_INET); +-#endif +- if (h1 == NULL) ++ if (host == NULL) + { +- BIO_printf(bio_err,"bad gethostbyaddr\n"); +- *host=NULL; +- /* return(0); */ +- } +- else +- { +- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) +- { +- perror("OPENSSL_malloc"); ++ *sock=ret; + return(0); + } +- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); + +- h2=GetHostByName(*host); +- if (h2 == NULL) ++ if (getnameinfo((struct sockaddr *)&from, sizeof(from), ++ buffer, sizeof(buffer), ++ NULL, 0, 0)) + { +- BIO_printf(bio_err,"gethostbyname failure\n"); ++ BIO_printf(bio_err,"getnameinfo failed\n"); ++ *host=NULL; + return(0); + } +- i=0; +- if (h2->h_addrtype != AF_INET) ++ else + { +- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); ++ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) ++ { ++ perror("OPENSSL_malloc"); + return(0); + } +- } +-end: ++ strcpy(*host, buffer); + *sock=ret; + return(1); + } ++ } + +-int extract_host_port(char *str, char **host_ptr, unsigned char *ip, +- short *port_ptr) ++int extract_host_port(char *str, char **host_ptr, ++ char **port_ptr) + { +- char *h,*p; ++ char *h,*p,*x; + +- h=str; +- p=strchr(str,':'); ++ x=h=str; ++ if (*h == '[') ++ { ++ h++; ++ p=strchr(h,']'); + if (p == NULL) + { +- BIO_printf(bio_err,"no port defined\n"); ++ BIO_printf(bio_err,"no ending bracket for IPv6 address\n"); + return(0); + } + *(p++)='\0'; +- +- if ((ip != NULL) && !host_ip(str,ip)) +- goto err; +- if (host_ptr != NULL) *host_ptr=h; +- +- if (!extract_port(p,port_ptr)) +- goto err; +- return(1); +-err: +- return(0); ++ x = p; + } +- +-static int host_ip(char *str, unsigned char ip[4]) +- { +- unsigned int in[4]; +- int i; +- +- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4) +- { +- for (i=0; i<4; i++) +- if (in[i] > 255) +- { +- BIO_printf(bio_err,"invalid IP address\n"); +- goto err; +- } +- ip[0]=in[0]; +- ip[1]=in[1]; +- ip[2]=in[2]; +- ip[3]=in[3]; +- } +- else +- { /* do a gethostbyname */ +- struct hostent *he; +- +- if (!ssl_sock_init()) return(0); +- +- he=GetHostByName(str); +- if (he == NULL) +- { +- BIO_printf(bio_err,"gethostbyname failure\n"); +- goto err; +- } +- /* cast to short because of win16 winsock definition */ +- if ((short)he->h_addrtype != AF_INET) ++ p=strchr(x,':'); ++ if (p == NULL) + { +- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); +- return(0); +- } +- ip[0]=he->h_addr_list[0][0]; +- ip[1]=he->h_addr_list[0][1]; +- ip[2]=he->h_addr_list[0][2]; +- ip[3]=he->h_addr_list[0][3]; +- } +- return(1); +-err: ++ BIO_printf(bio_err,"no port defined\n"); + return(0); + } ++ *(p++)='\0'; + +-int extract_port(char *str, short *port_ptr) +- { +- int i; +- struct servent *s; ++ if (host_ptr != NULL) *host_ptr=h; ++ if (port_ptr != NULL) *port_ptr=p; + +- i=atoi(str); +- if (i != 0) +- *port_ptr=(unsigned short)i; +- else +- { +- s=getservbyname(str,"tcp"); +- if (s == NULL) +- { +- BIO_printf(bio_err,"getservbyname failure for %s\n",str); +- return(0); +- } +- *port_ptr=ntohs((unsigned short)s->s_port); +- } + return(1); + } + diff --git a/openssl-1.0.0-beta3-krb5.patch b/openssl-1.0.0-beta3-krb5.patch new file mode 100644 index 0000000..ef7ccde --- /dev/null +++ b/openssl-1.0.0-beta3-krb5.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.0-beta3/Makefile.org.krb5 openssl-1.0.0-beta3/Makefile.org +--- openssl-1.0.0-beta3/Makefile.org.krb5 2009-04-23 18:12:09.000000000 +0200 ++++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:01:16.000000000 +0200 +@@ -299,7 +299,7 @@ build-shared: do_$(SHLIB_TARGET) link-sh + + do_$(SHLIB_TARGET): + @ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \ +- if [ "$(SHLIBDIRS)" = "ssl" -a -n "$(LIBKRB5)" ]; then \ ++ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl-1.0.0-beta3-namingblk.patch b/openssl-1.0.0-beta3-namingblk.patch new file mode 100644 index 0000000..d43e56c --- /dev/null +++ b/openssl-1.0.0-beta3-namingblk.patch @@ -0,0 +1,253 @@ +Index: openssl/crypto/asn1/a_set.c +RCS File: /v/openssl/cvs/openssl/crypto/asn1/a_set.c,v +rcsdiff -q -kk '-r1.20' '-r1.20.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/a_set.c,v' 2>/dev/null +--- openssl/crypto/asn1/a_set.c 2009/01/01 18:30:50 1.20 ++++ openssl/crypto/asn1/a_set.c 2009/07/27 21:21:25 1.20.2.1 +@@ -85,7 +85,7 @@ + } + + /* int is_set: if TRUE, then sort the contents (i.e. it isn't a SEQUENCE) */ +-int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp, ++int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, + i2d_of_void *i2d, int ex_tag, int ex_class, + int is_set) + { +@@ -97,8 +97,8 @@ + int totSize; + + if (a == NULL) return(0); +- for (i=sk_BLOCK_num(a)-1; i>=0; i--) +- ret+=i2d(sk_BLOCK_value(a,i),NULL); ++ for (i=sk_OPENSSL_BLOCK_num(a)-1; i>=0; i--) ++ ret+=i2d(sk_OPENSSL_BLOCK_value(a,i),NULL); + r=ASN1_object_size(1,ret,ex_tag); + if (pp == NULL) return(r); + +@@ -109,10 +109,10 @@ + /* And then again by Ben */ + /* And again by Steve */ + +- if(!is_set || (sk_BLOCK_num(a) < 2)) ++ if(!is_set || (sk_OPENSSL_BLOCK_num(a) < 2)) + { +- for (i=0; i/dev/null +--- openssl/crypto/asn1/asn1.h 2009/07/24 11:15:55 1.166.2.3 ++++ openssl/crypto/asn1/asn1.h 2009/07/27 21:21:25 1.166.2.4 +@@ -887,12 +887,13 @@ + ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out); + int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); + +-int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp, ++int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, + i2d_of_void *i2d, int ex_tag, int ex_class, + int is_set); +-STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp, ++STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a, ++ const unsigned char **pp, + long length, d2i_of_void *d2i, +- void (*free_func)(BLOCK), int ex_tag, ++ void (*free_func)(OPENSSL_BLOCK), int ex_tag, + int ex_class); + + #ifndef OPENSSL_NO_BIO +@@ -1045,9 +1046,9 @@ + int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num, + unsigned char *data, int max_len); + +-STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, +- d2i_of_void *d2i, void (*free_func)(BLOCK)); +-unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d, ++STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, ++ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK)); ++unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d, + unsigned char **buf, int *len ); + void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i); + void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it); +Index: openssl/crypto/asn1/asn_pack.c +RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v +rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v' 2>/dev/null +--- openssl/crypto/asn1/asn_pack.c 2008/11/12 03:57:49 1.19 ++++ openssl/crypto/asn1/asn_pack.c 2009/07/27 21:21:25 1.19.2.1 +@@ -66,10 +66,10 @@ + + /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */ + +-STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, +- d2i_of_void *d2i, void (*free_func)(BLOCK)) ++STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, ++ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK)) + { +- STACK_OF(BLOCK) *sk; ++ STACK_OF(OPENSSL_BLOCK) *sk; + const unsigned char *pbuf; + pbuf = buf; + if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func, +@@ -82,7 +82,7 @@ + * OPENSSL_malloc'ed buffer + */ + +-unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d, ++unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d, + unsigned char **buf, int *len) + { + int safelen; +Index: openssl/crypto/stack/safestack.h +RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v +rcsdiff -q -kk '-r1.72.2.4' '-r1.72.2.5' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null +--- openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4 ++++ openssl/crypto/stack/safestack.h 2009/07/27 21:21:25 1.72.2.5 +@@ -128,8 +128,8 @@ + * nul-terminated. These should also be distinguished from "normal" + * stacks. */ + +-typedef void *BLOCK; +-DECLARE_SPECIAL_STACK_OF(BLOCK, void) ++typedef void *OPENSSL_BLOCK; ++DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) + + /* SKM_sk_... stack macros are internal to safestack.h: + * never use them directly, use sk__... instead */ +@@ -2055,29 +2055,29 @@ + #define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st)) + + +-#define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) +-#define sk_BLOCK_new_null() ((STACK_OF(BLOCK) *)sk_new_null()) +-#define sk_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val)) +-#define sk_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val)) +-#define sk_BLOCK_value(st, i) ((BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(BLOCK), st), i)) +-#define sk_BLOCK_num(st) SKM_sk_num(BLOCK, st) +-#define sk_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_FREE_FUNC2(BLOCK, free_func)) +-#define sk_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val), i) +-#define sk_BLOCK_free(st) SKM_sk_free(BLOCK, st) +-#define sk_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), i, CHECKED_PTR_OF(void, val)) +-#define sk_BLOCK_zero(st) SKM_sk_zero(BLOCK, (st)) +-#define sk_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val)) +-#define sk_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(BLOCK), st), CHECKED_CONST_PTR_OF(void, val)) +-#define sk_BLOCK_delete(st, i) SKM_sk_delete(BLOCK, (st), (i)) +-#define sk_BLOCK_delete_ptr(st, ptr) (BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, ptr)) +-#define sk_BLOCK_set_cmp_func(st, cmp) \ ++#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) ++#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null()) ++#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val)) ++#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val)) ++#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i)) ++#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st) ++#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func)) ++#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i) ++#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st) ++#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val)) ++#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st)) ++#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val)) ++#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val)) ++#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i)) ++#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr)) ++#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp) \ + ((int (*)(const void * const *,const void * const *)) \ +- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp))) +-#define sk_BLOCK_dup(st) SKM_sk_dup(BLOCK, st) +-#define sk_BLOCK_shift(st) SKM_sk_shift(BLOCK, (st)) +-#define sk_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st)) +-#define sk_BLOCK_sort(st) SKM_sk_sort(BLOCK, (st)) +-#define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st)) ++ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp))) ++#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st) ++#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st)) ++#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st)) ++#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st)) ++#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st)) + + + #define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp))) diff --git a/openssl-1.0.0-beta3-namingstr.patch b/openssl-1.0.0-beta3-namingstr.patch new file mode 100644 index 0000000..44dee95 --- /dev/null +++ b/openssl-1.0.0-beta3-namingstr.patch @@ -0,0 +1,1663 @@ +Index: openssl/apps/apps.c +RCS File: /v/openssl/cvs/openssl/apps/apps.c,v +rcsdiff -q -kk '-r1.133.2.6' '-r1.133.2.7' -u '/v/openssl/cvs/openssl/apps/apps.c,v' 2>/dev/null +--- openssl/apps/apps.c 2009/06/29 16:09:58 1.133.2.6 ++++ openssl/apps/apps.c 2009/07/27 21:08:43 1.133.2.7 +@@ -1488,7 +1488,7 @@ + return p; + } + +-static unsigned long index_serial_hash(const CSTRING *a) ++static unsigned long index_serial_hash(const OPENSSL_CSTRING *a) + { + const char *n; + +@@ -1497,7 +1497,7 @@ + return(lh_strhash(n)); + } + +-static int index_serial_cmp(const CSTRING *a, const CSTRING *b) ++static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) + { + const char *aa,*bb; + +@@ -1509,16 +1509,16 @@ + static int index_name_qual(char **a) + { return(a[0][0] == 'V'); } + +-static unsigned long index_name_hash(const CSTRING *a) ++static unsigned long index_name_hash(const OPENSSL_CSTRING *a) + { return(lh_strhash(a[DB_name])); } + +-int index_name_cmp(const CSTRING *a, const CSTRING *b) ++int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) + { return(strcmp(a[DB_name], b[DB_name])); } + +-static IMPLEMENT_LHASH_HASH_FN(index_serial, CSTRING) +-static IMPLEMENT_LHASH_COMP_FN(index_serial, CSTRING) +-static IMPLEMENT_LHASH_HASH_FN(index_name, CSTRING) +-static IMPLEMENT_LHASH_COMP_FN(index_name, CSTRING) ++static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING) ++static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING) ++static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING) ++static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING) + + #undef BSIZE + #define BSIZE 256 +Index: openssl/apps/apps.h +RCS File: /v/openssl/cvs/openssl/apps/apps.h,v +rcsdiff -q -kk '-r1.91' '-r1.91.2.1' -u '/v/openssl/cvs/openssl/apps/apps.h,v' 2>/dev/null +--- openssl/apps/apps.h 2008/11/24 17:27:05 1.91 ++++ openssl/apps/apps.h 2009/07/27 21:08:44 1.91.2.1 +@@ -295,9 +295,9 @@ + int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix); + void free_index(CA_DB *db); + #define index_name_cmp_noconst(a, b) \ +- index_name_cmp((const CSTRING *)CHECKED_PTR_OF(STRING, a), \ +- (const CSTRING *)CHECKED_PTR_OF(STRING, b)) +-int index_name_cmp(const CSTRING *a, const CSTRING *b); ++ index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \ ++ (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b)) ++int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b); + int parse_yesno(const char *str, int def); + + X509_NAME *parse_name(char *str, long chtype, int multirdn); +Index: openssl/apps/asn1pars.c +RCS File: /v/openssl/cvs/openssl/apps/asn1pars.c,v +rcsdiff -q -kk '-r1.26' '-r1.26.2.1' -u '/v/openssl/cvs/openssl/apps/asn1pars.c,v' 2>/dev/null +--- openssl/apps/asn1pars.c 2008/11/05 18:38:51 1.26 ++++ openssl/apps/asn1pars.c 2009/07/27 21:08:44 1.26.2.1 +@@ -96,7 +96,7 @@ + unsigned char *tmpbuf; + const unsigned char *ctmpbuf; + BUF_MEM *buf=NULL; +- STACK_OF(STRING) *osk=NULL; ++ STACK_OF(OPENSSL_STRING) *osk=NULL; + ASN1_TYPE *at=NULL; + + informat=FORMAT_PEM; +@@ -113,7 +113,7 @@ + prog=argv[0]; + argc--; + argv++; +- if ((osk=sk_STRING_new_null()) == NULL) ++ if ((osk=sk_OPENSSL_STRING_new_null()) == NULL) + { + BIO_printf(bio_err,"Memory allocation failure\n"); + goto end; +@@ -169,7 +169,7 @@ + else if (strcmp(*argv,"-strparse") == 0) + { + if (--argc < 1) goto bad; +- sk_STRING_push(osk,*(++argv)); ++ sk_OPENSSL_STRING_push(osk,*(++argv)); + } + else if (strcmp(*argv,"-genstr") == 0) + { +@@ -302,18 +302,18 @@ + + /* If any structs to parse go through in sequence */ + +- if (sk_STRING_num(osk)) ++ if (sk_OPENSSL_STRING_num(osk)) + { + tmpbuf=(unsigned char *)str; + tmplen=num; +- for (i=0; i/dev/null +--- openssl/apps/ca.c 2009/03/09 13:59:07 1.167 ++++ openssl/apps/ca.c 2009/07/27 21:08:44 1.167.2.1 +@@ -883,9 +883,9 @@ + if (db == NULL) goto err; + + /* Lets check some fields */ +- for (i=0; idb->data); i++) ++ for (i=0; idb->data); i++) + { +- pp=sk_PSTRING_value(db->db->data,i); ++ pp=sk_OPENSSL_PSTRING_value(db->db->data,i); + if ((pp[DB_type][0] != DB_TYPE_REV) && + (pp[DB_rev_date][0] != '\0')) + { +@@ -938,7 +938,7 @@ + #endif + TXT_DB_write(out,db->db); + BIO_printf(bio_err,"%d entries loaded from the database\n", +- sk_PSTRING_num(db->db->data)); ++ sk_OPENSSL_PSTRING_num(db->db->data)); + BIO_printf(bio_err,"generating index\n"); + } + +@@ -1408,9 +1408,9 @@ + + ASN1_TIME_free(tmptm); + +- for (i=0; idb->data); i++) ++ for (i=0; idb->data); i++) + { +- pp=sk_PSTRING_value(db->db->data,i); ++ pp=sk_OPENSSL_PSTRING_value(db->db->data,i); + if (pp[DB_type][0] == DB_TYPE_REV) + { + if ((r=X509_REVOKED_new()) == NULL) goto err; +@@ -1685,9 +1685,9 @@ + int ok= -1,i,j,last,nid; + const char *p; + CONF_VALUE *cv; +- STRING row[DB_NUMBER]; +- STRING *irow=NULL; +- STRING *rrow=NULL; ++ OPENSSL_STRING row[DB_NUMBER]; ++ OPENSSL_STRING *irow=NULL; ++ OPENSSL_STRING *rrow=NULL; + char buf[25]; + + tmptm=ASN1_UTCTIME_new(); +@@ -1929,7 +1929,7 @@ + + if (db->attributes.unique_subject) + { +- STRING *crow=row; ++ OPENSSL_STRING *crow=row; + + rrow=TXT_DB_get_by_index(db->db,DB_name,crow); + if (rrow != NULL) +@@ -2632,9 +2632,9 @@ + else + a_y2k = 0; + +- for (i = 0; i < sk_PSTRING_num(db->db->data); i++) ++ for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) + { +- rrow = sk_PSTRING_value(db->db->data, i); ++ rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); + + if (rrow[DB_type][0] == 'V') + { +Index: openssl/apps/cms.c +RCS File: /v/openssl/cvs/openssl/apps/cms.c,v +rcsdiff -q -kk '-r1.23.2.1' '-r1.23.2.2' -u '/v/openssl/cvs/openssl/apps/cms.c,v' 2>/dev/null +--- openssl/apps/cms.c 2009/04/16 17:22:47 1.23.2.1 ++++ openssl/apps/cms.c 2009/07/27 21:08:44 1.23.2.2 +@@ -71,9 +71,9 @@ + static int save_certs(char *signerfile, STACK_OF(X509) *signers); + static int cms_cb(int ok, X509_STORE_CTX *ctx); + static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); +-static CMS_ReceiptRequest *make_receipt_request(STACK_OF(STRING) *rr_to, ++static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, + int rr_allorfirst, +- STACK_OF(STRING) *rr_from); ++ STACK_OF(OPENSSL_STRING) *rr_from); + + #define SMIME_OP 0x10 + #define SMIME_IP 0x20 +@@ -108,7 +108,7 @@ + const char *inmode = "r", *outmode = "w"; + char *infile = NULL, *outfile = NULL, *rctfile = NULL; + char *signerfile = NULL, *recipfile = NULL; +- STACK_OF(STRING) *sksigners = NULL, *skkeys = NULL; ++ STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile=NULL; + char *certsoutfile = NULL; + const EVP_CIPHER *cipher = NULL; +@@ -122,7 +122,7 @@ + int flags = CMS_DETACHED, noout = 0, print = 0; + int verify_retcode = 0; + int rr_print = 0, rr_allorfirst = -1; +- STACK_OF(STRING) *rr_to = NULL, *rr_from = NULL; ++ STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; + CMS_ReceiptRequest *rr = NULL; + char *to = NULL, *from = NULL, *subject = NULL; + char *CAfile = NULL, *CApath = NULL; +@@ -281,8 +281,8 @@ + goto argerr; + args++; + if (!rr_from) +- rr_from = sk_STRING_new_null(); +- sk_STRING_push(rr_from, *args); ++ rr_from = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(rr_from, *args); + } + else if (!strcmp(*args,"-receipt_request_to")) + { +@@ -290,8 +290,8 @@ + goto argerr; + args++; + if (!rr_to) +- rr_to = sk_STRING_new_null(); +- sk_STRING_push(rr_to, *args); ++ rr_to = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(rr_to, *args); + } + else if (!strcmp (*args, "-print")) + { +@@ -387,13 +387,13 @@ + if (signerfile) + { + if (!sksigners) +- sksigners = sk_STRING_new_null(); +- sk_STRING_push(sksigners, signerfile); ++ sksigners = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!keyfile) + keyfile = signerfile; + if (!skkeys) +- skkeys = sk_STRING_new_null(); +- sk_STRING_push(skkeys, keyfile); ++ skkeys = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(skkeys, keyfile); + keyfile = NULL; + } + signerfile = *++args; +@@ -435,12 +435,12 @@ + goto argerr; + } + if (!sksigners) +- sksigners = sk_STRING_new_null(); +- sk_STRING_push(sksigners, signerfile); ++ sksigners = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(sksigners, signerfile); + signerfile = NULL; + if (!skkeys) +- skkeys = sk_STRING_new_null(); +- sk_STRING_push(skkeys, keyfile); ++ skkeys = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(skkeys, keyfile); + } + keyfile = *++args; + } +@@ -539,13 +539,13 @@ + if (signerfile) + { + if (!sksigners) +- sksigners = sk_STRING_new_null(); +- sk_STRING_push(sksigners, signerfile); ++ sksigners = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!skkeys) +- skkeys = sk_STRING_new_null(); ++ skkeys = sk_OPENSSL_STRING_new_null(); + if (!keyfile) + keyfile = signerfile; +- sk_STRING_push(skkeys, keyfile); ++ sk_OPENSSL_STRING_push(skkeys, keyfile); + } + if (!sksigners) + { +@@ -980,11 +980,11 @@ + } + else + flags |= CMS_REUSE_DIGEST; +- for (i = 0; i < sk_STRING_num(sksigners); i++) ++ for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) + { + CMS_SignerInfo *si; +- signerfile = sk_STRING_value(sksigners, i); +- keyfile = sk_STRING_value(skkeys, i); ++ signerfile = sk_OPENSSL_STRING_value(sksigners, i); ++ keyfile = sk_OPENSSL_STRING_value(skkeys, i); + signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, + e, "signer certificate"); + if (!signer) +@@ -1160,9 +1160,9 @@ + if (vpm) + X509_VERIFY_PARAM_free(vpm); + if (sksigners) +- sk_STRING_free(sksigners); ++ sk_OPENSSL_STRING_free(sksigners); + if (skkeys) +- sk_STRING_free(skkeys); ++ sk_OPENSSL_STRING_free(skkeys); + if (secret_key) + OPENSSL_free(secret_key); + if (secret_keyid) +@@ -1172,9 +1172,9 @@ + if (rr) + CMS_ReceiptRequest_free(rr); + if (rr_to) +- sk_STRING_free(rr_to); ++ sk_OPENSSL_STRING_free(rr_to); + if (rr_from) +- sk_STRING_free(rr_from); ++ sk_OPENSSL_STRING_free(rr_from); + X509_STORE_free(store); + X509_free(cert); + X509_free(recip); +@@ -1296,7 +1296,7 @@ + } + } + +-static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(STRING) *ns) ++static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) + { + int i; + STACK_OF(GENERAL_NAMES) *ret; +@@ -1305,9 +1305,9 @@ + ret = sk_GENERAL_NAMES_new_null(); + if (!ret) + goto err; +- for (i = 0; i < sk_STRING_num(ns); i++) ++ for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) + { +- char *str = sk_STRING_value(ns, i); ++ char *str = sk_OPENSSL_STRING_value(ns, i); + gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); + if (!gen) + goto err; +@@ -1335,9 +1335,9 @@ + } + + +-static CMS_ReceiptRequest *make_receipt_request(STACK_OF(STRING) *rr_to, ++static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, + int rr_allorfirst, +- STACK_OF(STRING) *rr_from) ++ STACK_OF(OPENSSL_STRING) *rr_from) + { + STACK_OF(GENERAL_NAMES) *rct_to, *rct_from; + CMS_ReceiptRequest *rr; +Index: openssl/apps/crl2p7.c +RCS File: /v/openssl/cvs/openssl/apps/crl2p7.c,v +rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/apps/crl2p7.c,v' 2>/dev/null +--- openssl/apps/crl2p7.c 2008/06/04 11:00:45 1.19 ++++ openssl/apps/crl2p7.c 2009/07/27 21:08:45 1.19.2.1 +@@ -92,7 +92,7 @@ + PKCS7 *p7 = NULL; + PKCS7_SIGNED *p7s = NULL; + X509_CRL *crl=NULL; +- STACK_OF(STRING) *certflst=NULL; ++ STACK_OF(OPENSSL_STRING) *certflst=NULL; + STACK_OF(X509_CRL) *crl_stack=NULL; + STACK_OF(X509) *cert_stack=NULL; + int ret=1,nocrl=0; +@@ -140,8 +140,8 @@ + else if (strcmp(*argv,"-certfile") == 0) + { + if (--argc < 1) goto bad; +- if(!certflst) certflst = sk_STRING_new_null(); +- sk_STRING_push(certflst,*(++argv)); ++ if(!certflst) certflst = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(certflst,*(++argv)); + } + else + { +@@ -226,8 +226,8 @@ + if ((cert_stack=sk_X509_new_null()) == NULL) goto end; + p7s->cert=cert_stack; + +- if(certflst) for(i = 0; i < sk_STRING_num(certflst); i++) { +- certfile = sk_STRING_value(certflst, i); ++ if(certflst) for(i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { ++ certfile = sk_OPENSSL_STRING_value(certflst, i); + if (add_certs_from_file(cert_stack,certfile) < 0) + { + BIO_printf(bio_err, "error loading certificates\n"); +@@ -236,7 +236,7 @@ + } + } + +- sk_STRING_free(certflst); ++ sk_OPENSSL_STRING_free(certflst); + + if (outfile == NULL) + { +Index: openssl/apps/dgst.c +RCS File: /v/openssl/cvs/openssl/apps/dgst.c,v +rcsdiff -q -kk '-r1.54.2.3' '-r1.54.2.4' -u '/v/openssl/cvs/openssl/apps/dgst.c,v' 2>/dev/null +--- openssl/apps/dgst.c 2009/04/26 12:16:12 1.54.2.3 ++++ openssl/apps/dgst.c 2009/07/27 21:08:45 1.54.2.4 +@@ -127,7 +127,7 @@ + #endif + char *hmac_key=NULL; + char *mac_name=NULL; +- STACK_OF(STRING) *sigopts = NULL, *macopts = NULL; ++ STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; + + apps_startup(); + +@@ -230,8 +230,8 @@ + if (--argc < 1) + break; + if (!sigopts) +- sigopts = sk_STRING_new_null(); +- if (!sigopts || !sk_STRING_push(sigopts, *(++argv))) ++ sigopts = sk_OPENSSL_STRING_new_null(); ++ if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) + break; + } + else if (strcmp(*argv,"-macopt") == 0) +@@ -239,8 +239,8 @@ + if (--argc < 1) + break; + if (!macopts) +- macopts = sk_STRING_new_null(); +- if (!macopts || !sk_STRING_push(macopts, *(++argv))) ++ macopts = sk_OPENSSL_STRING_new_null(); ++ if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) + break; + } + else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) +@@ -365,9 +365,9 @@ + if (macopts) + { + char *macopt; +- for (i = 0; i < sk_STRING_num(macopts); i++) ++ for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) + { +- macopt = sk_STRING_value(macopts, i); ++ macopt = sk_OPENSSL_STRING_value(macopts, i); + if (pkey_ctrl_string(mac_ctx, macopt) <= 0) + { + BIO_printf(bio_err, +@@ -424,9 +424,9 @@ + if (sigopts) + { + char *sigopt; +- for (i = 0; i < sk_STRING_num(sigopts); i++) ++ for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) + { +- sigopt = sk_STRING_value(sigopts, i); ++ sigopt = sk_OPENSSL_STRING_value(sigopts, i); + if (pkey_ctrl_string(pctx, sigopt) <= 0) + { + BIO_printf(bio_err, +@@ -531,9 +531,9 @@ + BIO_free_all(out); + EVP_PKEY_free(sigkey); + if (sigopts) +- sk_STRING_free(sigopts); ++ sk_OPENSSL_STRING_free(sigopts); + if (macopts) +- sk_STRING_free(macopts); ++ sk_OPENSSL_STRING_free(macopts); + if(sigbuf) OPENSSL_free(sigbuf); + if (bmd != NULL) BIO_free(bmd); + apps_shutdown(); +Index: openssl/apps/engine.c +RCS File: /v/openssl/cvs/openssl/apps/engine.c,v +rcsdiff -q -kk '-r1.34' '-r1.34.2.1' -u '/v/openssl/cvs/openssl/apps/engine.c,v' 2>/dev/null +--- openssl/apps/engine.c 2009/02/15 15:29:59 1.34 ++++ openssl/apps/engine.c 2009/07/27 21:08:45 1.34.2.1 +@@ -200,7 +200,7 @@ + char *desc = NULL; + int flags; + int xpos = 0; +- STACK_OF(STRING) *cmds = NULL; ++ STACK_OF(OPENSSL_STRING) *cmds = NULL; + if(!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) || + ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, + 0, NULL, NULL)) <= 0)) +@@ -211,7 +211,7 @@ + return 1; + } + +- cmds = sk_STRING_new_null(); ++ cmds = sk_OPENSSL_STRING_new_null(); + + if(!cmds) + goto err; +@@ -284,16 +284,16 @@ + BIO_printf(bio_out, "\n"); + ret = 1; + err: +- if(cmds) sk_STRING_pop_free(cmds, identity); ++ if(cmds) sk_OPENSSL_STRING_pop_free(cmds, identity); + if(name) OPENSSL_free(name); + if(desc) OPENSSL_free(desc); + return ret; + } + +-static void util_do_cmds(ENGINE *e, STACK_OF(STRING) *cmds, BIO *bio_out, +- const char *indent) ++static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, ++ BIO *bio_out, const char *indent) + { +- int loop, res, num = sk_STRING_num(cmds); ++ int loop, res, num = sk_OPENSSL_STRING_num(cmds); + + if(num < 0) + { +@@ -304,7 +304,7 @@ + { + char buf[256]; + const char *cmd, *arg; +- cmd = sk_STRING_value(cmds, loop); ++ cmd = sk_OPENSSL_STRING_value(cmds, loop); + res = 1; /* assume success */ + /* Check if this command has no ":arg" */ + if((arg = strstr(cmd, ":")) == NULL) +@@ -344,9 +344,9 @@ + const char **pp; + int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0; + ENGINE *e; +- STACK_OF(STRING) *engines = sk_STRING_new_null(); +- STACK_OF(STRING) *pre_cmds = sk_STRING_new_null(); +- STACK_OF(STRING) *post_cmds = sk_STRING_new_null(); ++ STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null(); ++ STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null(); ++ STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null(); + int badops=1; + BIO *bio_out=NULL; + const char *indent = " "; +@@ -393,20 +393,20 @@ + argc--; argv++; + if (argc == 0) + goto skip_arg_loop; +- sk_STRING_push(pre_cmds,*argv); ++ sk_OPENSSL_STRING_push(pre_cmds,*argv); + } + else if (strcmp(*argv,"-post") == 0) + { + argc--; argv++; + if (argc == 0) + goto skip_arg_loop; +- sk_STRING_push(post_cmds,*argv); ++ sk_OPENSSL_STRING_push(post_cmds,*argv); + } + else if ((strncmp(*argv,"-h",2) == 0) || + (strcmp(*argv,"-?") == 0)) + goto skip_arg_loop; + else +- sk_STRING_push(engines,*argv); ++ sk_OPENSSL_STRING_push(engines,*argv); + argc--; + argv++; + } +@@ -421,17 +421,17 @@ + goto end; + } + +- if (sk_STRING_num(engines) == 0) ++ if (sk_OPENSSL_STRING_num(engines) == 0) + { + for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) + { +- sk_STRING_push(engines,(char *)ENGINE_get_id(e)); ++ sk_OPENSSL_STRING_push(engines,(char *)ENGINE_get_id(e)); + } + } + +- for (i=0; i/dev/null +--- openssl/apps/ocsp.c 2009/04/02 15:19:03 1.54.2.1 ++++ openssl/apps/ocsp.c 2009/07/27 21:08:45 1.54.2.2 +@@ -99,7 +99,7 @@ + static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer, + STACK_OF(OCSP_CERTID) *ids); + static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, +- STACK_OF(STRING) *names, ++ STACK_OF(OPENSSL_STRING) *names, + STACK_OF(OCSP_CERTID) *ids, long nsec, + long maxage); + +@@ -153,7 +153,7 @@ + int badarg = 0; + int i; + int ignore_err = 0; +- STACK_OF(STRING) *reqnames = NULL; ++ STACK_OF(OPENSSL_STRING) *reqnames = NULL; + STACK_OF(OCSP_CERTID) *ids = NULL; + + X509 *rca_cert = NULL; +@@ -170,7 +170,7 @@ + SSL_load_error_strings(); + OpenSSL_add_ssl_algorithms(); + args = argv + 1; +- reqnames = sk_STRING_new_null(); ++ reqnames = sk_OPENSSL_STRING_new_null(); + ids = sk_OCSP_CERTID_new_null(); + while (!badarg && *args && *args[0] == '-') + { +@@ -432,7 +432,7 @@ + if (!cert_id_md) cert_id_md = EVP_sha1(); + if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) + goto end; +- if(!sk_STRING_push(reqnames, *args)) ++ if(!sk_OPENSSL_STRING_push(reqnames, *args)) + goto end; + } + else badarg = 1; +@@ -445,7 +445,7 @@ + if (!cert_id_md) cert_id_md = EVP_sha1(); + if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids)) + goto end; +- if(!sk_STRING_push(reqnames, *args)) ++ if(!sk_OPENSSL_STRING_push(reqnames, *args)) + goto end; + } + else badarg = 1; +@@ -901,7 +901,7 @@ + OCSP_REQUEST_free(req); + OCSP_RESPONSE_free(resp); + OCSP_BASICRESP_free(bs); +- sk_STRING_free(reqnames); ++ sk_OPENSSL_STRING_free(reqnames); + sk_OCSP_CERTID_free(ids); + sk_X509_pop_free(sign_other, X509_free); + sk_X509_pop_free(verify_other, X509_free); +@@ -971,7 +971,7 @@ + } + + static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, +- STACK_OF(STRING) *names, ++ STACK_OF(OPENSSL_STRING) *names, + STACK_OF(OCSP_CERTID) *ids, long nsec, + long maxage) + { +@@ -983,13 +983,13 @@ + + ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; + +- if (!bs || !req || !sk_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) ++ if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) + return 1; + + for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) + { + id = sk_OCSP_CERTID_value(ids, i); +- name = sk_STRING_value(names, i); ++ name = sk_OPENSSL_STRING_value(names, i); + BIO_printf(out, "%s: ", name); + + if(!OCSP_resp_find_status(bs, id, &status, &reason, +Index: openssl/apps/pkcs12.c +RCS File: /v/openssl/cvs/openssl/apps/pkcs12.c,v +rcsdiff -q -kk '-r1.92.2.1' '-r1.92.2.2' -u '/v/openssl/cvs/openssl/apps/pkcs12.c,v' 2>/dev/null +--- openssl/apps/pkcs12.c 2009/06/17 12:05:49 1.92.2.1 ++++ openssl/apps/pkcs12.c 2009/07/27 21:08:45 1.92.2.2 +@@ -117,7 +117,7 @@ + int ret = 1; + int macver = 1; + int noprompt = 0; +- STACK_OF(STRING) *canames = NULL; ++ STACK_OF(OPENSSL_STRING) *canames = NULL; + char *cpass = NULL, *mpass = NULL; + char *passargin = NULL, *passargout = NULL, *passarg = NULL; + char *passin = NULL, *passout = NULL; +@@ -222,8 +222,8 @@ + } else if (!strcmp (*args, "-caname")) { + if (args[1]) { + args++; +- if (!canames) canames = sk_STRING_new_null(); +- sk_STRING_push(canames, *args); ++ if (!canames) canames = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(canames, *args); + } else badarg = 1; + } else if (!strcmp (*args, "-in")) { + if (args[1]) { +@@ -549,9 +549,9 @@ + + /* Add any CA names */ + +- for (i = 0; i < sk_STRING_num(canames); i++) ++ for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) + { +- catmp = (unsigned char *)sk_STRING_value(canames, i); ++ catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i); + X509_alias_set1(sk_X509_value(certs, i), catmp, -1); + } + +@@ -687,7 +687,7 @@ + #endif + BIO_free(in); + BIO_free_all(out); +- if (canames) sk_STRING_free(canames); ++ if (canames) sk_OPENSSL_STRING_free(canames); + if(passin) OPENSSL_free(passin); + if(passout) OPENSSL_free(passout); + apps_shutdown(); +Index: openssl/apps/req.c +RCS File: /v/openssl/cvs/openssl/apps/req.c,v +rcsdiff -q -kk '-r1.139.2.2' '-r1.139.2.3' -u '/v/openssl/cvs/openssl/apps/req.c,v' 2>/dev/null +--- openssl/apps/req.c 2009/04/23 17:16:38 1.139.2.2 ++++ openssl/apps/req.c 2009/07/27 21:08:45 1.139.2.3 +@@ -165,7 +165,7 @@ + EVP_PKEY_CTX *genctx = NULL; + const char *keyalg = NULL; + char *keyalgstr = NULL; +- STACK_OF(STRING) *pkeyopts = NULL; ++ STACK_OF(OPENSSL_STRING) *pkeyopts = NULL; + EVP_PKEY *pkey=NULL; + int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1; + long newkey = -1; +@@ -306,8 +306,8 @@ + if (--argc < 1) + goto bad; + if (!pkeyopts) +- pkeyopts = sk_STRING_new_null(); +- if (!pkeyopts || !sk_STRING_push(pkeyopts, *(++argv))) ++ pkeyopts = sk_OPENSSL_STRING_new_null(); ++ if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv))) + goto bad; + } + else if (strcmp(*argv,"-batch") == 0) +@@ -667,9 +667,9 @@ + if (pkeyopts) + { + char *genopt; +- for (i = 0; i < sk_STRING_num(pkeyopts); i++) ++ for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) + { +- genopt = sk_STRING_value(pkeyopts, i); ++ genopt = sk_OPENSSL_STRING_value(pkeyopts, i); + if (pkey_ctrl_string(genctx, genopt) <= 0) + { + BIO_printf(bio_err, +@@ -1083,7 +1083,7 @@ + if (genctx) + EVP_PKEY_CTX_free(genctx); + if (pkeyopts) +- sk_STRING_free(pkeyopts); ++ sk_OPENSSL_STRING_free(pkeyopts); + #ifndef OPENSSL_NO_ENGINE + if (gen_eng) + ENGINE_free(gen_eng); +Index: openssl/apps/s_server.c +RCS File: /v/openssl/cvs/openssl/apps/s_server.c,v +rcsdiff -q -kk '-r1.136.2.4' '-r1.136.2.5' -u '/v/openssl/cvs/openssl/apps/s_server.c,v' 2>/dev/null +--- openssl/apps/s_server.c 2009/06/30 16:10:24 1.136.2.4 ++++ openssl/apps/s_server.c 2009/07/27 21:08:46 1.136.2.5 +@@ -712,7 +712,7 @@ + int use_ssl; + unsigned char *rspder = NULL; + int rspderlen; +- STACK_OF(STRING) *aia = NULL; ++ STACK_OF(OPENSSL_STRING) *aia = NULL; + X509 *x = NULL; + X509_STORE_CTX inctx; + X509_OBJECT obj; +@@ -734,7 +734,7 @@ + aia = X509_get1_ocsp(x); + if (aia) + { +- if (!OCSP_parse_url(sk_STRING_value(aia, 0), ++ if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), + &host, &port, &path, &use_ssl)) + { + BIO_puts(err, "cert_status: can't parse AIA URL\n"); +@@ -742,7 +742,7 @@ + } + if (srctx->verbose) + BIO_printf(err, "cert_status: AIA URL: %s\n", +- sk_STRING_value(aia, 0)); ++ sk_OPENSSL_STRING_value(aia, 0)); + } + else + { +Index: openssl/apps/smime.c +RCS File: /v/openssl/cvs/openssl/apps/smime.c,v +rcsdiff -q -kk '-r1.69' '-r1.69.2.1' -u '/v/openssl/cvs/openssl/apps/smime.c,v' 2>/dev/null +--- openssl/apps/smime.c 2008/11/05 18:38:51 1.69 ++++ openssl/apps/smime.c 2009/07/27 21:08:46 1.69.2.1 +@@ -93,7 +93,7 @@ + const char *inmode = "r", *outmode = "w"; + char *infile = NULL, *outfile = NULL; + char *signerfile = NULL, *recipfile = NULL; +- STACK_OF(STRING) *sksigners = NULL, *skkeys = NULL; ++ STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile=NULL; + const EVP_CIPHER *cipher = NULL; + PKCS7 *p7 = NULL; +@@ -260,13 +260,13 @@ + if (signerfile) + { + if (!sksigners) +- sksigners = sk_STRING_new_null(); +- sk_STRING_push(sksigners, signerfile); ++ sksigners = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!keyfile) + keyfile = signerfile; + if (!skkeys) +- skkeys = sk_STRING_new_null(); +- sk_STRING_push(skkeys, keyfile); ++ skkeys = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(skkeys, keyfile); + keyfile = NULL; + } + signerfile = *++args; +@@ -302,12 +302,12 @@ + goto argerr; + } + if (!sksigners) +- sksigners = sk_STRING_new_null(); +- sk_STRING_push(sksigners, signerfile); ++ sksigners = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(sksigners, signerfile); + signerfile = NULL; + if (!skkeys) +- skkeys = sk_STRING_new_null(); +- sk_STRING_push(skkeys, keyfile); ++ skkeys = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(skkeys, keyfile); + } + keyfile = *++args; + } +@@ -389,13 +389,13 @@ + if (signerfile) + { + if (!sksigners) +- sksigners = sk_STRING_new_null(); +- sk_STRING_push(sksigners, signerfile); ++ sksigners = sk_OPENSSL_STRING_new_null(); ++ sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!skkeys) +- skkeys = sk_STRING_new_null(); ++ skkeys = sk_OPENSSL_STRING_new_null(); + if (!keyfile) + keyfile = signerfile; +- sk_STRING_push(skkeys, keyfile); ++ sk_OPENSSL_STRING_push(skkeys, keyfile); + } + if (!sksigners) + { +@@ -707,10 +707,10 @@ + } + else + flags |= PKCS7_REUSE_DIGEST; +- for (i = 0; i < sk_STRING_num(sksigners); i++) ++ for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) + { +- signerfile = sk_STRING_value(sksigners, i); +- keyfile = sk_STRING_value(skkeys, i); ++ signerfile = sk_OPENSSL_STRING_value(sksigners, i); ++ keyfile = sk_OPENSSL_STRING_value(skkeys, i); + signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, + e, "signer certificate"); + if (!signer) +@@ -807,9 +807,9 @@ + if (vpm) + X509_VERIFY_PARAM_free(vpm); + if (sksigners) +- sk_STRING_free(sksigners); ++ sk_OPENSSL_STRING_free(sksigners); + if (skkeys) +- sk_STRING_free(skkeys); ++ sk_OPENSSL_STRING_free(skkeys); + X509_STORE_free(store); + X509_free(cert); + X509_free(recip); +Index: openssl/apps/x509.c +RCS File: /v/openssl/cvs/openssl/apps/x509.c,v +rcsdiff -q -kk '-r1.102.2.3' '-r1.102.2.4' -u '/v/openssl/cvs/openssl/apps/x509.c,v' 2>/dev/null +--- openssl/apps/x509.c 2009/07/14 15:14:39 1.102.2.3 ++++ openssl/apps/x509.c 2009/07/27 21:08:46 1.102.2.4 +@@ -738,14 +738,14 @@ + else if ((email == i) || (ocsp_uri == i)) + { + int j; +- STACK_OF(STRING) *emlst; ++ STACK_OF(OPENSSL_STRING) *emlst; + if (email == i) + emlst = X509_get1_email(x); + else + emlst = X509_get1_ocsp(x); +- for (j = 0; j < sk_STRING_num(emlst); j++) ++ for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) + BIO_printf(STDout, "%s\n", +- sk_STRING_value(emlst, j)); ++ sk_OPENSSL_STRING_value(emlst, j)); + X509_email_free(emlst); + } + else if (aliasout == i) +Index: openssl/crypto/cryptlib.c +RCS File: /v/openssl/cvs/openssl/crypto/cryptlib.c,v +rcsdiff -q -kk '-r1.75.2.2' '-r1.75.2.3' -u '/v/openssl/cvs/openssl/crypto/cryptlib.c,v' 2>/dev/null +--- openssl/crypto/cryptlib.c 2009/05/05 19:23:14 1.75.2.2 ++++ openssl/crypto/cryptlib.c 2009/07/27 21:08:48 1.75.2.3 +@@ -174,7 +174,7 @@ + + /* This is for applications to allocate new type names in the non-dynamic + array of lock names. These are numbered with positive numbers. */ +-static STACK_OF(STRING) *app_locks=NULL; ++static STACK_OF(OPENSSL_STRING) *app_locks=NULL; + + /* For applications that want a more dynamic way of handling threads, the + following stack is used. These are externally numbered with negative +@@ -210,7 +210,7 @@ + SSLeay_MSVC5_hack=(double)name[0]*(double)name[1]; + #endif + +- if ((app_locks == NULL) && ((app_locks=sk_STRING_new_null()) == NULL)) ++ if ((app_locks == NULL) && ((app_locks=sk_OPENSSL_STRING_new_null()) == NULL)) + { + CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID,ERR_R_MALLOC_FAILURE); + return(0); +@@ -220,7 +220,7 @@ + CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID,ERR_R_MALLOC_FAILURE); + return(0); + } +- i=sk_STRING_push(app_locks,str); ++ i=sk_OPENSSL_STRING_push(app_locks,str); + if (!i) + OPENSSL_free(str); + else +@@ -651,10 +651,10 @@ + return("dynamic"); + else if (type < CRYPTO_NUM_LOCKS) + return(lock_names[type]); +- else if (type-CRYPTO_NUM_LOCKS > sk_STRING_num(app_locks)) ++ else if (type-CRYPTO_NUM_LOCKS > sk_OPENSSL_STRING_num(app_locks)) + return("ERROR"); + else +- return(sk_STRING_value(app_locks,type-CRYPTO_NUM_LOCKS)); ++ return(sk_OPENSSL_STRING_value(app_locks,type-CRYPTO_NUM_LOCKS)); + } + + #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ +Index: openssl/crypto/engine/eng_dyn.c +RCS File: /v/openssl/cvs/openssl/crypto/engine/eng_dyn.c,v +rcsdiff -q -kk '-r1.14' '-r1.14.2.1' -u '/v/openssl/cvs/openssl/crypto/engine/eng_dyn.c,v' 2>/dev/null +--- openssl/crypto/engine/eng_dyn.c 2008/06/04 11:01:29 1.14 ++++ openssl/crypto/engine/eng_dyn.c 2009/07/27 21:08:49 1.14.2.1 +@@ -146,7 +146,7 @@ + * 'dirs' for loading. Default is to use 'dirs' as a fallback. */ + int dir_load; + /* A stack of directories from which ENGINEs could be loaded */ +- STACK_OF(STRING) *dirs; ++ STACK_OF(OPENSSL_STRING) *dirs; + }; + + /* This is the "ex_data" index we obtain and reserve for use with our context +@@ -174,7 +174,7 @@ + if(ctx->engine_id) + OPENSSL_free((void*)ctx->engine_id); + if(ctx->dirs) +- sk_STRING_pop_free(ctx->dirs, int_free_str); ++ sk_OPENSSL_STRING_pop_free(ctx->dirs, int_free_str); + OPENSSL_free(ctx); + } + } +@@ -203,7 +203,7 @@ + c->DYNAMIC_F1 = "v_check"; + c->DYNAMIC_F2 = "bind_engine"; + c->dir_load = 1; +- c->dirs = sk_STRING_new_null(); ++ c->dirs = sk_OPENSSL_STRING_new_null(); + if(!c->dirs) + { + ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX,ERR_R_MALLOC_FAILURE); +@@ -393,7 +393,7 @@ + ERR_R_MALLOC_FAILURE); + return 0; + } +- sk_STRING_insert(ctx->dirs, tmp_str, -1); ++ sk_OPENSSL_STRING_insert(ctx->dirs, tmp_str, -1); + } + return 1; + default: +@@ -411,11 +411,11 @@ + ctx->DYNAMIC_LIBNAME, NULL, 0)) != NULL) + return 1; + /* If we're not allowed to use 'dirs' or we have none, fail */ +- if(!ctx->dir_load || (num = sk_STRING_num(ctx->dirs)) < 1) ++ if(!ctx->dir_load || (num = sk_OPENSSL_STRING_num(ctx->dirs)) < 1) + return 0; + for(loop = 0; loop < num; loop++) + { +- const char *s = sk_STRING_value(ctx->dirs, loop); ++ const char *s = sk_OPENSSL_STRING_value(ctx->dirs, loop); + char *merge = DSO_merge(ctx->dynamic_dso, ctx->DYNAMIC_LIBNAME, s); + if(!merge) + return 0; +Index: openssl/crypto/lhash/lhash.h +RCS File: /v/openssl/cvs/openssl/crypto/lhash/lhash.h,v +rcsdiff -q -kk '-r1.23' '-r1.23.2.1' -u '/v/openssl/cvs/openssl/crypto/lhash/lhash.h,v' 2>/dev/null +--- openssl/crypto/lhash/lhash.h 2008/06/04 11:01:31 1.23 ++++ openssl/crypto/lhash/lhash.h 2009/07/27 21:08:50 1.23.2.1 +@@ -230,8 +230,8 @@ + lh_stats_bio(CHECKED_LHASH_OF(type, lh), out) + #define LHM_lh_free(type, lh) lh_free(CHECKED_LHASH_OF(type, lh)) + +-DECLARE_LHASH_OF(STRING); +-DECLARE_LHASH_OF(CSTRING); ++DECLARE_LHASH_OF(OPENSSL_STRING); ++DECLARE_LHASH_OF(OPENSSL_CSTRING); + + #ifdef __cplusplus + } +Index: openssl/crypto/stack/safestack.h +RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v +rcsdiff -q -kk '-r1.72.2.3' '-r1.72.2.4' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null +--- openssl/crypto/stack/safestack.h 2009/04/28 21:56:04 1.72.2.3 ++++ openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4 +@@ -110,9 +110,9 @@ + * string. For now, I'm settling for dealing with the fact it is a + * string at all. + */ +-typedef char *STRING; ++typedef char *OPENSSL_STRING; + +-typedef const char *CSTRING; ++typedef const char *OPENSSL_CSTRING; + + /* Confusingly, LHASH_OF(STRING) deals with char ** throughout, but + * STACK_OF(STRING) is really more like STACK_OF(char), only, as +@@ -122,7 +122,7 @@ + * macros below. + */ + +-DECLARE_SPECIAL_STACK_OF(STRING, char) ++DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char) + + /* Similarly, we sometimes use a block of characters, NOT + * nul-terminated. These should also be distinguished from "normal" +@@ -2030,29 +2030,29 @@ + #define sk_void_sort(st) SKM_sk_sort(void, (st)) + #define sk_void_is_sorted(st) SKM_sk_is_sorted(void, (st)) + +-#define sk_STRING_new(cmp) ((STACK_OF(STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp))) +-#define sk_STRING_new_null() ((STACK_OF(STRING) *)sk_new_null()) +-#define sk_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val)) +-#define sk_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val)) +-#define sk_STRING_value(st, i) ((STRING)sk_value(CHECKED_PTR_OF(STACK_OF(STRING), st), i)) +-#define sk_STRING_num(st) SKM_sk_num(STRING, st) +-#define sk_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_SK_FREE_FUNC2(STRING, free_func)) +-#define sk_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val), i) +-#define sk_STRING_free(st) SKM_sk_free(STRING, st) +-#define sk_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), i, CHECKED_PTR_OF(char, val)) +-#define sk_STRING_zero(st) SKM_sk_zero(STRING, (st)) +-#define sk_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val)) +-#define sk_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(STRING), st), CHECKED_CONST_PTR_OF(char, val)) +-#define sk_STRING_delete(st, i) SKM_sk_delete(STRING, (st), (i)) +-#define sk_STRING_delete_ptr(st, ptr) (STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, ptr)) +-#define sk_STRING_set_cmp_func(st, cmp) \ ++#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp))) ++#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null()) ++#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) ++#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) ++#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i)) ++#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st) ++#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func)) ++#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val), i) ++#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st) ++#define sk_OPENSSL_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i, CHECKED_PTR_OF(char, val)) ++#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st)) ++#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) ++#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val)) ++#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i)) ++#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, ptr)) ++#define sk_OPENSSL_STRING_set_cmp_func(st, cmp) \ + ((int (*)(const char * const *,const char * const *)) \ +- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_SK_CMP_FUNC(char, cmp))) +-#define sk_STRING_dup(st) SKM_sk_dup(STRING, st) +-#define sk_STRING_shift(st) SKM_sk_shift(STRING, (st)) +-#define sk_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st)) +-#define sk_STRING_sort(st) SKM_sk_sort(STRING, (st)) +-#define sk_STRING_is_sorted(st) SKM_sk_is_sorted(STRING, (st)) ++ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_CMP_FUNC(char, cmp))) ++#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st) ++#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st)) ++#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st)) ++#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st)) ++#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st)) + + + #define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) +@@ -2080,29 +2080,29 @@ + #define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st)) + + +-#define sk_PSTRING_new(cmp) ((STACK_OF(PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(STRING, cmp))) +-#define sk_PSTRING_new_null() ((STACK_OF(PSTRING) *)sk_new_null()) +-#define sk_PSTRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val)) +-#define sk_PSTRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val)) +-#define sk_PSTRING_value(st, i) ((PSTRING)sk_value(CHECKED_PTR_OF(STACK_OF(PSTRING), st), i)) +-#define sk_PSTRING_num(st) SKM_sk_num(PSTRING, st) +-#define sk_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_SK_FREE_FUNC2(PSTRING, free_func)) +-#define sk_PSTRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val), i) +-#define sk_PSTRING_free(st) SKM_sk_free(PSTRING, st) +-#define sk_PSTRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), i, CHECKED_PTR_OF(STRING, val)) +-#define sk_PSTRING_zero(st) SKM_sk_zero(PSTRING, (st)) +-#define sk_PSTRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val)) +-#define sk_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(PSTRING), st), CHECKED_CONST_PTR_OF(STRING, val)) +-#define sk_PSTRING_delete(st, i) SKM_sk_delete(PSTRING, (st), (i)) +-#define sk_PSTRING_delete_ptr(st, ptr) (PSTRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, ptr)) +-#define sk_PSTRING_set_cmp_func(st, cmp) \ +- ((int (*)(const STRING * const *,const STRING * const *)) \ +- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_SK_CMP_FUNC(STRING, cmp))) +-#define sk_PSTRING_dup(st) SKM_sk_dup(PSTRING, st) +-#define sk_PSTRING_shift(st) SKM_sk_shift(PSTRING, (st)) +-#define sk_PSTRING_pop(st) (STRING *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st)) +-#define sk_PSTRING_sort(st) SKM_sk_sort(PSTRING, (st)) +-#define sk_PSTRING_is_sorted(st) SKM_sk_is_sorted(PSTRING, (st)) ++#define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp))) ++#define sk_OPENSSL_PSTRING_new_null() ((STACK_OF(OPENSSL_PSTRING) *)sk_new_null()) ++#define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val)) ++#define sk_OPENSSL_PSTRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val)) ++#define sk_OPENSSL_PSTRING_value(st, i) ((OPENSSL_PSTRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), i)) ++#define sk_OPENSSL_PSTRING_num(st) SKM_sk_num(OPENSSL_PSTRING, st) ++#define sk_OPENSSL_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_PSTRING, free_func)) ++#define sk_OPENSSL_PSTRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val), i) ++#define sk_OPENSSL_PSTRING_free(st) SKM_sk_free(OPENSSL_PSTRING, st) ++#define sk_OPENSSL_PSTRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), i, CHECKED_PTR_OF(OPENSSL_STRING, val)) ++#define sk_OPENSSL_PSTRING_zero(st) SKM_sk_zero(OPENSSL_PSTRING, (st)) ++#define sk_OPENSSL_PSTRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val)) ++#define sk_OPENSSL_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_CONST_PTR_OF(OPENSSL_STRING, val)) ++#define sk_OPENSSL_PSTRING_delete(st, i) SKM_sk_delete(OPENSSL_PSTRING, (st), (i)) ++#define sk_OPENSSL_PSTRING_delete_ptr(st, ptr) (OPENSSL_PSTRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, ptr)) ++#define sk_OPENSSL_PSTRING_set_cmp_func(st, cmp) \ ++ ((int (*)(const OPENSSL_STRING * const *,const OPENSSL_STRING * const *)) \ ++ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp))) ++#define sk_OPENSSL_PSTRING_dup(st) SKM_sk_dup(OPENSSL_PSTRING, st) ++#define sk_OPENSSL_PSTRING_shift(st) SKM_sk_shift(OPENSSL_PSTRING, (st)) ++#define sk_OPENSSL_PSTRING_pop(st) (OPENSSL_STRING *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st)) ++#define sk_OPENSSL_PSTRING_sort(st) SKM_sk_sort(OPENSSL_PSTRING, (st)) ++#define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st)) + + + #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ +@@ -2390,24 +2390,6 @@ + LHM_lh_stats_bio(CONF_VALUE,lh,out) + #define lh_CONF_VALUE_free(lh) LHM_lh_free(CONF_VALUE,lh) + +-#define lh_CSTRING_new() LHM_lh_new(CSTRING,cstring) +-#define lh_CSTRING_insert(lh,inst) LHM_lh_insert(CSTRING,lh,inst) +-#define lh_CSTRING_retrieve(lh,inst) LHM_lh_retrieve(CSTRING,lh,inst) +-#define lh_CSTRING_delete(lh,inst) LHM_lh_delete(CSTRING,lh,inst) +-#define lh_CSTRING_doall(lh,fn) LHM_lh_doall(CSTRING,lh,fn) +-#define lh_CSTRING_doall_arg(lh,fn,arg_type,arg) \ +- LHM_lh_doall_arg(CSTRING,lh,fn,arg_type,arg) +-#define lh_CSTRING_error(lh) LHM_lh_error(CSTRING,lh) +-#define lh_CSTRING_num_items(lh) LHM_lh_num_items(CSTRING,lh) +-#define lh_CSTRING_down_load(lh) LHM_lh_down_load(CSTRING,lh) +-#define lh_CSTRING_node_stats_bio(lh,out) \ +- LHM_lh_node_stats_bio(CSTRING,lh,out) +-#define lh_CSTRING_node_usage_stats_bio(lh,out) \ +- LHM_lh_node_usage_stats_bio(CSTRING,lh,out) +-#define lh_CSTRING_stats_bio(lh,out) \ +- LHM_lh_stats_bio(CSTRING,lh,out) +-#define lh_CSTRING_free(lh) LHM_lh_free(CSTRING,lh) +- + #define lh_ENGINE_PILE_new() LHM_lh_new(ENGINE_PILE,engine_pile) + #define lh_ENGINE_PILE_insert(lh,inst) LHM_lh_insert(ENGINE_PILE,lh,inst) + #define lh_ENGINE_PILE_retrieve(lh,inst) LHM_lh_retrieve(ENGINE_PILE,lh,inst) +@@ -2534,6 +2516,42 @@ + LHM_lh_stats_bio(OBJ_NAME,lh,out) + #define lh_OBJ_NAME_free(lh) LHM_lh_free(OBJ_NAME,lh) + ++#define lh_OPENSSL_CSTRING_new() LHM_lh_new(OPENSSL_CSTRING,openssl_cstring) ++#define lh_OPENSSL_CSTRING_insert(lh,inst) LHM_lh_insert(OPENSSL_CSTRING,lh,inst) ++#define lh_OPENSSL_CSTRING_retrieve(lh,inst) LHM_lh_retrieve(OPENSSL_CSTRING,lh,inst) ++#define lh_OPENSSL_CSTRING_delete(lh,inst) LHM_lh_delete(OPENSSL_CSTRING,lh,inst) ++#define lh_OPENSSL_CSTRING_doall(lh,fn) LHM_lh_doall(OPENSSL_CSTRING,lh,fn) ++#define lh_OPENSSL_CSTRING_doall_arg(lh,fn,arg_type,arg) \ ++ LHM_lh_doall_arg(OPENSSL_CSTRING,lh,fn,arg_type,arg) ++#define lh_OPENSSL_CSTRING_error(lh) LHM_lh_error(OPENSSL_CSTRING,lh) ++#define lh_OPENSSL_CSTRING_num_items(lh) LHM_lh_num_items(OPENSSL_CSTRING,lh) ++#define lh_OPENSSL_CSTRING_down_load(lh) LHM_lh_down_load(OPENSSL_CSTRING,lh) ++#define lh_OPENSSL_CSTRING_node_stats_bio(lh,out) \ ++ LHM_lh_node_stats_bio(OPENSSL_CSTRING,lh,out) ++#define lh_OPENSSL_CSTRING_node_usage_stats_bio(lh,out) \ ++ LHM_lh_node_usage_stats_bio(OPENSSL_CSTRING,lh,out) ++#define lh_OPENSSL_CSTRING_stats_bio(lh,out) \ ++ LHM_lh_stats_bio(OPENSSL_CSTRING,lh,out) ++#define lh_OPENSSL_CSTRING_free(lh) LHM_lh_free(OPENSSL_CSTRING,lh) ++ ++#define lh_OPENSSL_STRING_new() LHM_lh_new(OPENSSL_STRING,openssl_string) ++#define lh_OPENSSL_STRING_insert(lh,inst) LHM_lh_insert(OPENSSL_STRING,lh,inst) ++#define lh_OPENSSL_STRING_retrieve(lh,inst) LHM_lh_retrieve(OPENSSL_STRING,lh,inst) ++#define lh_OPENSSL_STRING_delete(lh,inst) LHM_lh_delete(OPENSSL_STRING,lh,inst) ++#define lh_OPENSSL_STRING_doall(lh,fn) LHM_lh_doall(OPENSSL_STRING,lh,fn) ++#define lh_OPENSSL_STRING_doall_arg(lh,fn,arg_type,arg) \ ++ LHM_lh_doall_arg(OPENSSL_STRING,lh,fn,arg_type,arg) ++#define lh_OPENSSL_STRING_error(lh) LHM_lh_error(OPENSSL_STRING,lh) ++#define lh_OPENSSL_STRING_num_items(lh) LHM_lh_num_items(OPENSSL_STRING,lh) ++#define lh_OPENSSL_STRING_down_load(lh) LHM_lh_down_load(OPENSSL_STRING,lh) ++#define lh_OPENSSL_STRING_node_stats_bio(lh,out) \ ++ LHM_lh_node_stats_bio(OPENSSL_STRING,lh,out) ++#define lh_OPENSSL_STRING_node_usage_stats_bio(lh,out) \ ++ LHM_lh_node_usage_stats_bio(OPENSSL_STRING,lh,out) ++#define lh_OPENSSL_STRING_stats_bio(lh,out) \ ++ LHM_lh_stats_bio(OPENSSL_STRING,lh,out) ++#define lh_OPENSSL_STRING_free(lh) LHM_lh_free(OPENSSL_STRING,lh) ++ + #define lh_SSL_SESSION_new() LHM_lh_new(SSL_SESSION,ssl_session) + #define lh_SSL_SESSION_insert(lh,inst) LHM_lh_insert(SSL_SESSION,lh,inst) + #define lh_SSL_SESSION_retrieve(lh,inst) LHM_lh_retrieve(SSL_SESSION,lh,inst) +@@ -2551,24 +2569,6 @@ + #define lh_SSL_SESSION_stats_bio(lh,out) \ + LHM_lh_stats_bio(SSL_SESSION,lh,out) + #define lh_SSL_SESSION_free(lh) LHM_lh_free(SSL_SESSION,lh) +- +-#define lh_STRING_new() LHM_lh_new(STRING,string) +-#define lh_STRING_insert(lh,inst) LHM_lh_insert(STRING,lh,inst) +-#define lh_STRING_retrieve(lh,inst) LHM_lh_retrieve(STRING,lh,inst) +-#define lh_STRING_delete(lh,inst) LHM_lh_delete(STRING,lh,inst) +-#define lh_STRING_doall(lh,fn) LHM_lh_doall(STRING,lh,fn) +-#define lh_STRING_doall_arg(lh,fn,arg_type,arg) \ +- LHM_lh_doall_arg(STRING,lh,fn,arg_type,arg) +-#define lh_STRING_error(lh) LHM_lh_error(STRING,lh) +-#define lh_STRING_num_items(lh) LHM_lh_num_items(STRING,lh) +-#define lh_STRING_down_load(lh) LHM_lh_down_load(STRING,lh) +-#define lh_STRING_node_stats_bio(lh,out) \ +- LHM_lh_node_stats_bio(STRING,lh,out) +-#define lh_STRING_node_usage_stats_bio(lh,out) \ +- LHM_lh_node_usage_stats_bio(STRING,lh,out) +-#define lh_STRING_stats_bio(lh,out) \ +- LHM_lh_stats_bio(STRING,lh,out) +-#define lh_STRING_free(lh) LHM_lh_free(STRING,lh) + /* End of util/mkstack.pl block, you may now edit :-) */ + + #endif /* !defined HEADER_SAFESTACK_H */ +Index: openssl/crypto/txt_db/txt_db.c +RCS File: /v/openssl/cvs/openssl/crypto/txt_db/txt_db.c,v +rcsdiff -q -kk '-r1.25' '-r1.25.2.1' -u '/v/openssl/cvs/openssl/crypto/txt_db/txt_db.c,v' 2>/dev/null +--- openssl/crypto/txt_db/txt_db.c 2008/07/04 23:12:51 1.25 ++++ openssl/crypto/txt_db/txt_db.c 2009/07/27 21:08:51 1.25.2.1 +@@ -78,7 +78,7 @@ + int size=BUFSIZE; + int offset=0; + char *p,*f; +- STRING *pp; ++ OPENSSL_STRING *pp; + BUF_MEM *buf=NULL; + + if ((buf=BUF_MEM_new()) == NULL) goto err; +@@ -89,7 +89,7 @@ + ret->num_fields=num; + ret->index=NULL; + ret->qual=NULL; +- if ((ret->data=sk_PSTRING_new_null()) == NULL) ++ if ((ret->data=sk_OPENSSL_PSTRING_new_null()) == NULL) + goto err; + if ((ret->index=OPENSSL_malloc(sizeof(*ret->index)*num)) == NULL) + goto err; +@@ -163,7 +163,7 @@ + goto err; + } + pp[n]=p; +- if (!sk_PSTRING_push(ret->data,pp)) ++ if (!sk_OPENSSL_PSTRING_push(ret->data,pp)) + { + #if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16) /* temporary fix :-( */ + fprintf(stderr,"failure in sk_push\n"); +@@ -182,7 +182,7 @@ + #endif + if (ret != NULL) + { +- if (ret->data != NULL) sk_PSTRING_free(ret->data); ++ if (ret->data != NULL) sk_OPENSSL_PSTRING_free(ret->data); + if (ret->index != NULL) OPENSSL_free(ret->index); + if (ret->qual != NULL) OPENSSL_free(ret->qual); + if (ret != NULL) OPENSSL_free(ret); +@@ -193,10 +193,10 @@ + return(ret); + } + +-STRING *TXT_DB_get_by_index(TXT_DB *db, int idx, STRING *value) ++OPENSSL_STRING *TXT_DB_get_by_index(TXT_DB *db, int idx, OPENSSL_STRING *value) + { +- STRING *ret; +- LHASH_OF(STRING) *lh; ++ OPENSSL_STRING *ret; ++ LHASH_OF(OPENSSL_STRING) *lh; + + if (idx >= db->num_fields) + { +@@ -209,16 +209,16 @@ + db->error=DB_ERROR_NO_INDEX; + return(NULL); + } +- ret=lh_STRING_retrieve(lh,value); ++ ret=lh_OPENSSL_STRING_retrieve(lh,value); + db->error=DB_ERROR_OK; + return(ret); + } + +-int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(STRING *), ++int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(OPENSSL_STRING *), + LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp) + { +- LHASH_OF(STRING) *idx; +- STRING *r; ++ LHASH_OF(OPENSSL_STRING) *idx; ++ OPENSSL_STRING *r; + int i,n; + + if (field >= db->num_fields) +@@ -227,26 +227,26 @@ + return(0); + } + /* FIXME: we lose type checking at this point */ +- if ((idx=(LHASH_OF(STRING) *)lh_new(hash,cmp)) == NULL) ++ if ((idx=(LHASH_OF(OPENSSL_STRING) *)lh_new(hash,cmp)) == NULL) + { + db->error=DB_ERROR_MALLOC; + return(0); + } +- n=sk_PSTRING_num(db->data); ++ n=sk_OPENSSL_PSTRING_num(db->data); + for (i=0; idata,i); ++ r=sk_OPENSSL_PSTRING_value(db->data,i); + if ((qual != NULL) && (qual(r) == 0)) continue; +- if ((r=lh_STRING_insert(idx,r)) != NULL) ++ if ((r=lh_OPENSSL_STRING_insert(idx,r)) != NULL) + { + db->error=DB_ERROR_INDEX_CLASH; +- db->arg1=sk_PSTRING_find(db->data,r); ++ db->arg1=sk_OPENSSL_PSTRING_find(db->data,r); + db->arg2=i; +- lh_STRING_free(idx); ++ lh_OPENSSL_STRING_free(idx); + return(0); + } + } +- if (db->index[field] != NULL) lh_STRING_free(db->index[field]); ++ if (db->index[field] != NULL) lh_OPENSSL_STRING_free(db->index[field]); + db->index[field]=idx; + db->qual[field]=qual; + return(1); +@@ -261,11 +261,11 @@ + + if ((buf=BUF_MEM_new()) == NULL) + goto err; +- n=sk_PSTRING_num(db->data); ++ n=sk_OPENSSL_PSTRING_num(db->data); + nn=db->num_fields; + for (i=0; idata,i); ++ pp=sk_OPENSSL_PSTRING_value(db->data,i); + + l=0; + for (j=0; jnum_fields; i++) + { +@@ -311,7 +311,7 @@ + { + if ((db->qual[i] != NULL) && + (db->qual[i](row) == 0)) continue; +- r=lh_STRING_retrieve(db->index[i],row); ++ r=lh_OPENSSL_STRING_retrieve(db->index[i],row); + if (r != NULL) + { + db->error=DB_ERROR_INDEX_CLASH; +@@ -322,7 +322,7 @@ + } + } + /* We have passed the index checks, now just append and insert */ +- if (!sk_PSTRING_push(db->data,row)) ++ if (!sk_OPENSSL_PSTRING_push(db->data,row)) + { + db->error=DB_ERROR_MALLOC; + goto err; +@@ -334,7 +334,7 @@ + { + if ((db->qual[i] != NULL) && + (db->qual[i](row) == 0)) continue; +- (void)lh_STRING_insert(db->index[i],row); ++ (void)lh_OPENSSL_STRING_insert(db->index[i],row); + } + } + return(1); +@@ -353,18 +353,18 @@ + if (db->index != NULL) + { + for (i=db->num_fields-1; i>=0; i--) +- if (db->index[i] != NULL) lh_STRING_free(db->index[i]); ++ if (db->index[i] != NULL) lh_OPENSSL_STRING_free(db->index[i]); + OPENSSL_free(db->index); + } + if (db->qual != NULL) + OPENSSL_free(db->qual); + if (db->data != NULL) + { +- for (i=sk_PSTRING_num(db->data)-1; i>=0; i--) ++ for (i=sk_OPENSSL_PSTRING_num(db->data)-1; i>=0; i--) + { + /* check if any 'fields' have been allocated + * from outside of the initial block */ +- p=sk_PSTRING_value(db->data,i); ++ p=sk_OPENSSL_PSTRING_value(db->data,i); + max=p[db->num_fields]; /* last address */ + if (max == NULL) /* new row */ + { +@@ -380,9 +380,9 @@ + OPENSSL_free(p[n]); + } + } +- OPENSSL_free(sk_PSTRING_value(db->data,i)); ++ OPENSSL_free(sk_OPENSSL_PSTRING_value(db->data,i)); + } +- sk_PSTRING_free(db->data); ++ sk_OPENSSL_PSTRING_free(db->data); + } + OPENSSL_free(db); + } +Index: openssl/crypto/txt_db/txt_db.h +RCS File: /v/openssl/cvs/openssl/crypto/txt_db/txt_db.h,v +rcsdiff -q -kk '-r1.11' '-r1.11.2.1' -u '/v/openssl/cvs/openssl/crypto/txt_db/txt_db.h,v' 2>/dev/null +--- openssl/crypto/txt_db/txt_db.h 2008/06/04 11:01:38 1.11 ++++ openssl/crypto/txt_db/txt_db.h 2009/07/27 21:08:51 1.11.2.1 +@@ -77,19 +77,19 @@ + extern "C" { + #endif + +-typedef STRING *PSTRING; +-DECLARE_SPECIAL_STACK_OF(PSTRING, STRING) ++typedef OPENSSL_STRING *OPENSSL_PSTRING; ++DECLARE_SPECIAL_STACK_OF(OPENSSL_PSTRING, OPENSSL_STRING) + + typedef struct txt_db_st + { + int num_fields; +- STACK_OF(PSTRING) *data; +- LHASH_OF(STRING) **index; +- int (**qual)(STRING *); ++ STACK_OF(OPENSSL_PSTRING) *data; ++ LHASH_OF(OPENSSL_STRING) **index; ++ int (**qual)(OPENSSL_STRING *); + long error; + long arg1; + long arg2; +- STRING *arg_row; ++ OPENSSL_STRING *arg_row; + } TXT_DB; + + #ifndef OPENSSL_NO_BIO +@@ -99,11 +99,11 @@ + TXT_DB *TXT_DB_read(char *in, int num); + long TXT_DB_write(char *out, TXT_DB *db); + #endif +-int TXT_DB_create_index(TXT_DB *db,int field,int (*qual)(STRING *), ++int TXT_DB_create_index(TXT_DB *db,int field,int (*qual)(OPENSSL_STRING *), + LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp); + void TXT_DB_free(TXT_DB *db); +-STRING *TXT_DB_get_by_index(TXT_DB *db, int idx, STRING *value); +-int TXT_DB_insert(TXT_DB *db, STRING *value); ++OPENSSL_STRING *TXT_DB_get_by_index(TXT_DB *db, int idx, OPENSSL_STRING *value); ++int TXT_DB_insert(TXT_DB *db, OPENSSL_STRING *value); + + #ifdef __cplusplus + } +Index: openssl/crypto/x509v3/v3_utl.c +RCS File: /v/openssl/cvs/openssl/crypto/x509v3/v3_utl.c,v +rcsdiff -q -kk '-r1.44' '-r1.44.2.1' -u '/v/openssl/cvs/openssl/crypto/x509v3/v3_utl.c,v' 2>/dev/null +--- openssl/crypto/x509v3/v3_utl.c 2009/02/14 21:49:36 1.44 ++++ openssl/crypto/x509v3/v3_utl.c 2009/07/27 21:08:53 1.44.2.1 +@@ -67,9 +67,9 @@ + + static char *strip_spaces(char *name); + static int sk_strcmp(const char * const *a, const char * const *b); +-static STACK_OF(STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens); +-static void str_free(STRING str); +-static int append_ia5(STACK_OF(STRING) **sk, ASN1_IA5STRING *email); ++static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens); ++static void str_free(OPENSSL_STRING str); ++static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email); + + static int ipv4_from_asc(unsigned char *v4, const char *in); + static int ipv6_from_asc(unsigned char *v6, const char *in); +@@ -463,10 +463,10 @@ + return strcmp(*a, *b); + } + +-STACK_OF(STRING) *X509_get1_email(X509 *x) ++STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) + { + GENERAL_NAMES *gens; +- STACK_OF(STRING) *ret; ++ STACK_OF(OPENSSL_STRING) *ret; + + gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); + ret = get_email(X509_get_subject_name(x), gens); +@@ -474,10 +474,10 @@ + return ret; + } + +-STACK_OF(STRING) *X509_get1_ocsp(X509 *x) ++STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) + { + AUTHORITY_INFO_ACCESS *info; +- STACK_OF(STRING) *ret = NULL; ++ STACK_OF(OPENSSL_STRING) *ret = NULL; + int i; + + info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL); +@@ -499,11 +499,11 @@ + return ret; + } + +-STACK_OF(STRING) *X509_REQ_get1_email(X509_REQ *x) ++STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) + { + GENERAL_NAMES *gens; + STACK_OF(X509_EXTENSION) *exts; +- STACK_OF(STRING) *ret; ++ STACK_OF(OPENSSL_STRING) *ret; + + exts = X509_REQ_get_extensions(x); + gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL); +@@ -514,9 +514,9 @@ + } + + +-static STACK_OF(STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens) ++static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens) + { +- STACK_OF(STRING) *ret = NULL; ++ STACK_OF(OPENSSL_STRING) *ret = NULL; + X509_NAME_ENTRY *ne; + ASN1_IA5STRING *email; + GENERAL_NAME *gen; +@@ -539,23 +539,23 @@ + return ret; + } + +-static void str_free(STRING str) ++static void str_free(OPENSSL_STRING str) + { + OPENSSL_free(str); + } + +-static int append_ia5(STACK_OF(STRING) **sk, ASN1_IA5STRING *email) ++static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email) + { + char *emtmp; + /* First some sanity checks */ + if(email->type != V_ASN1_IA5STRING) return 1; + if(!email->data || !email->length) return 1; +- if(!*sk) *sk = sk_STRING_new(sk_strcmp); ++ if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp); + if(!*sk) return 0; + /* Don't add duplicates */ +- if(sk_STRING_find(*sk, (char *)email->data) != -1) return 1; ++ if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1; + emtmp = BUF_strdup((char *)email->data); +- if(!emtmp || !sk_STRING_push(*sk, emtmp)) { ++ if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) { + X509_email_free(*sk); + *sk = NULL; + return 0; +@@ -563,9 +563,9 @@ + return 1; + } + +-void X509_email_free(STACK_OF(STRING) *sk) ++void X509_email_free(STACK_OF(OPENSSL_STRING) *sk) + { +- sk_STRING_pop_free(sk, str_free); ++ sk_OPENSSL_STRING_pop_free(sk, str_free); + } + + /* Convert IP addresses both IPv4 and IPv6 into an +Index: openssl/crypto/x509v3/x509v3.h +RCS File: /v/openssl/cvs/openssl/crypto/x509v3/x509v3.h,v +rcsdiff -q -kk '-r1.126.2.1' '-r1.126.2.2' -u '/v/openssl/cvs/openssl/crypto/x509v3/x509v3.h,v' 2>/dev/null +--- openssl/crypto/x509v3/x509v3.h 2009/04/19 17:58:01 1.126.2.1 ++++ openssl/crypto/x509v3/x509v3.h 2009/07/27 21:08:53 1.126.2.2 +@@ -693,10 +693,10 @@ + void X509_PURPOSE_cleanup(void); + int X509_PURPOSE_get_id(X509_PURPOSE *); + +-STACK_OF(STRING) *X509_get1_email(X509 *x); +-STACK_OF(STRING) *X509_REQ_get1_email(X509_REQ *x); +-void X509_email_free(STACK_OF(STRING) *sk); +-STACK_OF(STRING) *X509_get1_ocsp(X509 *x); ++STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x); ++STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x); ++void X509_email_free(STACK_OF(OPENSSL_STRING) *sk); ++STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); + + ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); + ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); diff --git a/openssl-1.0.0-beta3-redhat.patch b/openssl-1.0.0-beta3-redhat.patch new file mode 100644 index 0000000..bd6b9af --- /dev/null +++ b/openssl-1.0.0-beta3-redhat.patch @@ -0,0 +1,59 @@ +diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure +--- openssl-1.0.0-beta3/Configure.redhat 2009-07-08 10:50:52.000000000 +0200 ++++ openssl-1.0.0-beta3/Configure 2009-08-04 22:46:59.000000000 +0200 +@@ -331,32 +331,32 @@ my %table=( + #### + # *-generic* is endian-neutral target, but ./config is free to + # throw in -D[BL]_ENDIAN, whichever appropriate... +-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # It's believed that majority of ARM toolchains predefine appropriate -march. + # If you compiler does not, do complement config command line with one! +-"linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-armv4", "gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### IA-32 targets... + "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out", + #### +-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):\$(SHLIB_SONAMEVER)", ++"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", ++"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +-"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", ++"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", + #### SPARC Linux setups + # Ray Miller has patiently + # assisted with debugging of following two configs. +-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # it's a real mess with -mcpu=ultrasparc option under Linux, but + # -Wa,-Av8plus should do the trick no matter what. +-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # GCC 3.1 is a requirement +-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", + #### Alpha Linux with GNU C and Compaq C setups + # Special notes: + # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you +@@ -370,8 +370,8 @@ my %table=( + # + # + # +-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + diff --git a/openssl-1.0.0-beta3-soversion.patch b/openssl-1.0.0-beta3-soversion.patch new file mode 100644 index 0000000..3836e89 --- /dev/null +++ b/openssl-1.0.0-beta3-soversion.patch @@ -0,0 +1,44 @@ +diff -up openssl-1.0.0-beta3/Configure.soversion openssl-1.0.0-beta3/Configure +--- openssl-1.0.0-beta3/Configure.soversion 2009-08-04 23:06:52.000000000 +0200 ++++ openssl-1.0.0-beta3/Configure 2009-08-04 23:06:52.000000000 +0200 +@@ -1514,7 +1514,7 @@ while () + elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) + { + my $sotmp = $1; +- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; ++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/; + } + elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) + { +diff -up openssl-1.0.0-beta3/Makefile.org.soversion openssl-1.0.0-beta3/Makefile.org +--- openssl-1.0.0-beta3/Makefile.org.soversion 2009-08-04 23:06:52.000000000 +0200 ++++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:11:01.000000000 +0200 +@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= + SHLIB_MAJOR= + SHLIB_MINOR= + SHLIB_EXT= ++SHLIB_SONAMEVER=10 + PLATFORM=dist + OPTIONS= + CONFIGURE_ARGS= +@@ -289,10 +290,9 @@ clean-shared: + link-shared: + @ set -e; for i in $(SHLIBDIRS); do \ + $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ +- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \ ++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \ + LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ + symlink.$(SHLIB_TARGET); \ +- libs="$$libs -l$$i"; \ + done + + build-shared: do_$(SHLIB_TARGET) link-shared +@@ -303,7 +303,7 @@ do_$(SHLIB_TARGET): + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ +- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \ ++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \ + LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ + LIBDEPS="$$libs $(EX_LIBS)" \ + link_a.$(SHLIB_TARGET); \ diff --git a/sources b/sources index f0e2eb7..ccd2532 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -573353d8cb4330b71e9985cea4785d61 openssl-0.9.8j-usa.tar.bz2 +9926dcf78e797a12d8e3ffd7a018824b openssl-1.0.0-beta3-usa.tar.bz2 From 1bc08028b930644c2830280fa113ed836894da87 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sat, 29 Aug 2009 20:22:06 +0000 Subject: [PATCH 09/28] - Added missing BuildRequires mingw32-dlfcn - Reworked patches to rename *eay32.dll to lib*.dll - Patch Configure script to use %%{_mingw32_cflags} --- mingw32-openssl-0.9.8g-global.patch | 16 --- mingw32-openssl-0.9.8g-sfx.patch | 14 -- mingw32-openssl-0.9.8j-configure.patch | 16 --- mingw32-openssl-0.9.8j-header-files.patch | 141 ------------------- mingw32-openssl-0.9.8j-shared.patch | 20 --- mingw32-openssl-1.0.0-beta3-configure.patch | 12 ++ mingw32-openssl-1.0.0-beta3-libversion.patch | 55 ++++++++ mingw32-openssl-1.0.0-beta3-sfx.patch | 15 ++ mingw32-openssl-1.0.0-beta3-shared.patch | 11 -- mingw32-openssl.spec | 30 ++-- 10 files changed, 98 insertions(+), 232 deletions(-) delete mode 100644 mingw32-openssl-0.9.8g-global.patch delete mode 100644 mingw32-openssl-0.9.8g-sfx.patch delete mode 100644 mingw32-openssl-0.9.8j-configure.patch delete mode 100644 mingw32-openssl-0.9.8j-header-files.patch delete mode 100644 mingw32-openssl-0.9.8j-shared.patch create mode 100644 mingw32-openssl-1.0.0-beta3-configure.patch create mode 100644 mingw32-openssl-1.0.0-beta3-libversion.patch create mode 100644 mingw32-openssl-1.0.0-beta3-sfx.patch delete mode 100644 mingw32-openssl-1.0.0-beta3-shared.patch diff --git a/mingw32-openssl-0.9.8g-global.patch b/mingw32-openssl-0.9.8g-global.patch deleted file mode 100644 index 814fb46..0000000 --- a/mingw32-openssl-0.9.8g-global.patch +++ /dev/null @@ -1,16 +0,0 @@ -Fix global variable macros. - - - RWMJ 2008-09-30 - -diff -ur openssl-0.9.8g.orig/e_os2.h openssl-0.9.8g.mingw/e_os2.h ---- openssl-0.9.8g.orig/e_os2.h 2005-12-18 18:57:07.000000000 +0000 -+++ openssl-0.9.8g.mingw/e_os2.h 2008-09-30 14:27:53.000000000 +0100 -@@ -264,7 +264,7 @@ - # define OPENSSL_IMPLEMENT_GLOBAL(type,name) \ - extern type _hide_##name; \ - type *_shadow_##name(void) { return &_hide_##name; } \ -- static type _hide_##name -+ type _hide_##name - # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void) - # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name())) - #else diff --git a/mingw32-openssl-0.9.8g-sfx.patch b/mingw32-openssl-0.9.8g-sfx.patch deleted file mode 100644 index 332a926..0000000 --- a/mingw32-openssl-0.9.8g-sfx.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- openssl-0.9.8g.orig/engines/Makefile 2006-02-04 01:49:34.000000000 +0000 -+++ openssl-0.9.8g.mingw/engines/Makefile 2008-09-30 20:05:30.000000000 +0100 -@@ -91,7 +91,10 @@ - set -e; \ - for l in $(LIBNAMES); do \ - ( echo installing $$l; \ -- if [ "$(PLATFORM)" != "Cygwin" ]; then \ -+ if [ "$(PLATFORM)" = "mingw" ]; then \ -+ sfx=dll; \ -+ cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \ -+ elif [ "$(PLATFORM)" != "Cygwin" ]; then \ - case "$(CFLAGS)" in \ - *DSO_DLFCN*) sfx="so";; \ - *DSO_DL*) sfx="sl";; \ diff --git a/mingw32-openssl-0.9.8j-configure.patch b/mingw32-openssl-0.9.8j-configure.patch deleted file mode 100644 index 73feff1..0000000 --- a/mingw32-openssl-0.9.8j-configure.patch +++ /dev/null @@ -1,16 +0,0 @@ -The 'mingw' target to Configure has some problems with cross-compilation. - - - RWMJ 2008-09-30 - -diff -ur openssl-0.9.8g.orig/Configure openssl-0.9.8g.mingw/Configure ---- openssl-0.9.8g.orig/Configure 2008-09-30 14:16:16.000000000 +0100 -+++ openssl-0.9.8g.mingw/Configure 2008-09-30 14:59:34.000000000 +0100 -@@ -468,7 +468,7 @@ - "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32", - - # MinGW --"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a", -+"mingw", "MINGW32_CC:-DL_ENDIAN -Wall MINGW32_CFLAGS -D_WIN32_WINNT=0x333 -DMK1MF_BUILD:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-shared:.dll.a:MINGW32_RANLIB", - - # UWIN - "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32", diff --git a/mingw32-openssl-0.9.8j-header-files.patch b/mingw32-openssl-0.9.8j-header-files.patch deleted file mode 100644 index 55d1203..0000000 --- a/mingw32-openssl-0.9.8j-header-files.patch +++ /dev/null @@ -1,141 +0,0 @@ ---- ./crypto/seed/seed_ecb.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200 -+++ ./crypto/seed/seed_ecb.c 2009-02-02 18:28:55.000000000 +0100 -@@ -49,7 +49,7 @@ - * - */ - --#include -+#include "seed.h" - - void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, const SEED_KEY_SCHEDULE *ks, int enc) - { ---- ./crypto/seed/seed_locl.h.mingw-header-files 2009-02-02 18:28:48.000000000 +0100 -+++ ./crypto/seed/seed_locl.h 2009-02-02 18:28:55.000000000 +0100 -@@ -27,7 +27,7 @@ - #define HEADER_SEED_LOCL_H - - #include "openssl/e_os2.h" --#include -+#include "seed.h" - - - #ifdef SEED_LONG /* need 32-bit type */ ---- ./crypto/seed/seed.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200 -+++ ./crypto/seed/seed.c 2009-02-02 18:28:55.000000000 +0100 -@@ -32,7 +32,7 @@ - #include - #endif - --#include -+#include "seed.h" - #include "seed_locl.h" - - static seed_word SS[4][256] = { { ---- ./crypto/camellia/cmll_cbc.c.mingw-header-files 2006-12-02 13:00:27.000000000 +0100 -+++ ./crypto/camellia/cmll_cbc.c 2009-02-02 18:28:54.000000000 +0100 -@@ -58,7 +58,7 @@ - #include - #include - --#include -+#include "camellia.h" - #include "cmll_locl.h" - - void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, ---- ./crypto/camellia/cmll_cfb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 -+++ ./crypto/camellia/cmll_cfb.c 2009-02-02 18:28:54.000000000 +0100 -@@ -113,7 +113,7 @@ - #include - #include - --#include -+#include "camellia.h" - #include "cmll_locl.h" - #include "e_os.h" - ---- ./crypto/camellia/cmll_ofb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 -+++ ./crypto/camellia/cmll_ofb.c 2009-02-02 18:28:55.000000000 +0100 -@@ -111,7 +111,7 @@ - # endif - #endif - #include --#include -+#include "camellia.h" - #include "cmll_locl.h" - - /* The input and output encrypted as though 128bit ofb mode is being ---- ./crypto/camellia/cmll_misc.c.mingw-header-files 2009-02-02 18:29:19.000000000 +0100 -+++ ./crypto/camellia/cmll_misc.c 2009-02-02 18:29:32.000000000 +0100 -@@ -50,7 +50,7 @@ - */ - - #include --#include -+#include "camellia.h" - #include "cmll_locl.h" - #include - #ifdef OPENSSL_FIPS ---- ./crypto/camellia/cmll_ecb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 -+++ ./crypto/camellia/cmll_ecb.c 2009-02-02 18:28:54.000000000 +0100 -@@ -56,7 +56,7 @@ - #endif - #include - --#include -+#include "camellia.h" - #include "cmll_locl.h" - - void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out, ---- ./crypto/camellia/cmll_ctr.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 -+++ ./crypto/camellia/cmll_ctr.c 2009-02-02 18:28:54.000000000 +0100 -@@ -56,7 +56,7 @@ - #endif - #include - --#include -+#include "camellia.h" - #include "cmll_locl.h" - - /* NOTE: the IV/counter CTR mode is big-endian. The rest of the Camellia code ---- ./crypto/evp/e_seed.c.mingw-header-files 2007-07-04 14:56:32.000000000 +0200 -+++ ./crypto/evp/e_seed.c 2009-02-02 18:28:55.000000000 +0100 -@@ -59,7 +59,7 @@ - #include - #include - #ifndef OPENSSL_NO_SEED --#include -+#include "../seed/seed.h" - #include "evp_locl.h" - - static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); ---- ./crypto/evp/e_camellia.c.mingw-header-files 2008-09-21 12:24:08.000000000 +0200 -+++ ./crypto/evp/e_camellia.c 2009-02-02 18:28:55.000000000 +0100 -@@ -59,7 +59,7 @@ - #include - #include - #include --#include -+#include "../camellia/camellia.h" - #include "evp_locl.h" - - static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ---- ./apps/speed.c.mingw-header-files 2009-01-07 11:48:22.000000000 +0100 -+++ ./apps/speed.c 2009-02-02 18:28:54.000000000 +0100 -@@ -165,7 +165,7 @@ - #include - #endif - #ifndef OPENSSL_NO_CAMELLIA --#include -+#include "../crypto/camellia/camellia.h" - #endif - #ifndef OPENSSL_NO_MD2 - #include -@@ -202,7 +202,7 @@ - #include - #endif - #ifndef OPENSSL_NO_SEED --#include -+#include "../crypto/seed/seed.h" - #endif - #ifndef OPENSSL_NO_BF - #include diff --git a/mingw32-openssl-0.9.8j-shared.patch b/mingw32-openssl-0.9.8j-shared.patch deleted file mode 100644 index c1ea4bf..0000000 --- a/mingw32-openssl-0.9.8j-shared.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- ./Makefile.shared.lfarkas 2009-01-28 16:39:05.000000000 +0100 -+++ ./Makefile.shared 2009-01-28 16:41:51.000000000 +0100 -@@ -238,7 +238,7 @@ - SHLIB=cyg$(LIBNAME); \ - base=-Wl,--enable-auto-image-base; \ - if expr $(PLATFORM) : 'mingw' > /dev/null; then \ -- SHLIB=$(LIBNAME)eay32; base=; \ -+ SHLIB=lib$(LIBNAME); base=; \ - fi; \ - SHLIB_SUFFIX=.dll; \ - LIBVERSION="$(LIBVERSION)"; \ -@@ -253,7 +253,7 @@ - SHLIB=cyg$(LIBNAME); \ - base=-Wl,--enable-auto-image-base; \ - if expr $(PLATFORM) : 'mingw' > /dev/null; then \ -- SHLIB=$(LIBNAME)eay32; \ -+ SHLIB=lib$(LIBNAME); \ - base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \ - fi; \ - SHLIB_SUFFIX=.dll; \ diff --git a/mingw32-openssl-1.0.0-beta3-configure.patch b/mingw32-openssl-1.0.0-beta3-configure.patch new file mode 100644 index 0000000..8f4679e --- /dev/null +++ b/mingw32-openssl-1.0.0-beta3-configure.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.0-beta3/Configure.mingw-configure openssl-1.0.0-beta3/Configure +--- openssl-1.0.0-beta3/Configure.mingw-configure 2009-08-29 21:20:14.000000000 +0300 ++++ openssl-1.0.0-beta3/Configure 2009-08-29 21:23:14.000000000 +0300 +@@ -498,7 +498,7 @@ my %table=( + "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32", + + # MinGW +-"mingw", "gcc:-mno-cygwin -DL_ENDIAN -DOPENSSL_NO_CAPIENG -fomit-frame-pointer -O3 -march=i486 -Wall:::MINGW32:-lws2_32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_asm}:coff:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin:.dll.a", ++"mingw", "gcc:-DL_ENDIAN -DOPENSSL_NO_CAPIENG -Wall \$(MINGW32_CFLAGS) -DMK1MF_BUILD:::MINGW32:-lws2_32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_asm}:coff:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:\$(MINGW32_CFLAGS):.dll.a", + # As for OPENSSL_USE_APPLINK. Applink makes it possible to use .dll + # compiled with one compiler with application compiled with another + # compiler. It's possible to engage Applink support in mingw64 build, diff --git a/mingw32-openssl-1.0.0-beta3-libversion.patch b/mingw32-openssl-1.0.0-beta3-libversion.patch new file mode 100644 index 0000000..98da3b6 --- /dev/null +++ b/mingw32-openssl-1.0.0-beta3-libversion.patch @@ -0,0 +1,55 @@ +diff -up openssl-1.0.0-beta3/Makefile.org.mingw-libversion openssl-1.0.0-beta3/Makefile.org +--- openssl-1.0.0-beta3/Makefile.org.mingw-libversion 2009-08-29 22:44:10.000000000 +0300 ++++ openssl-1.0.0-beta3/Makefile.org 2009-08-29 22:45:42.000000000 +0300 +@@ -542,8 +542,8 @@ install_sw: + fi ); \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ + ( case $$i in \ +- *crypto*) i=libeay32.dll;; \ +- *ssl*) i=ssleay32.dll;; \ ++ *crypto*) i=libcrypto-$(SHLIB_SONAMEVER).dll;; \ ++ *ssl*) i=libssl-$(SHLIB_SONAMEVER).dll;; \ + esac; \ + echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ +diff -up openssl-1.0.0-beta3/Makefile.shared.mingw-libversion openssl-1.0.0-beta3/Makefile.shared +--- openssl-1.0.0-beta3/Makefile.shared.mingw-libversion 2009-08-29 22:33:22.000000000 +0300 ++++ openssl-1.0.0-beta3/Makefile.shared 2009-08-29 22:33:22.000000000 +0300 +@@ -47,7 +47,7 @@ LIBEXTRAS= + # LIBVERSION contains the current version of the library. + # For example, to build libfoo.so.1.2, you need to do the following: + #LIBVERSION=1.2 +-LIBVERSION= ++LIBVERSION=10 + + # LIBCOMPATVERSIONS contains the compatibility versions (a list) of + # the library. They MUST be in decreasing order. +@@ -250,9 +250,9 @@ link_o.cygwin: + base=-Wl,--enable-auto-image-base; \ + deffile=; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- SHLIB=$(LIBNAME)eay32; base=; \ +- if test -f $(LIBNAME)eay32.def; then \ +- deffile=$(LIBNAME)eay32.def; \ ++ SHLIB=lib$(LIBNAME); base=; \ ++ if test -f $(LIBNAME).def; then \ ++ deffile=$(LIBNAME).def; \ + fi; \ + fi; \ + SHLIB_SUFFIX=.dll; \ +@@ -270,13 +270,9 @@ link_a.cygwin: + dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; extras=; \ + base=-Wl,--enable-auto-image-base; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- case $(LIBNAME) in \ +- crypto) SHLIB=libeay;; \ +- ssl) SHLIB=ssleay;; \ +- esac; \ +- SHLIB_SOVER=32; \ ++ SHLIB=lib$(LIBNAME); \ + extras="$(LIBNAME).def"; \ +- $(PERL) util/mkdef.pl 32 $$SHLIB > $$extras; \ ++ $(PERL) util/mkdef.pl 32 $(LIBNAME) > $$extras; \ + base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \ + fi; \ + dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \ diff --git a/mingw32-openssl-1.0.0-beta3-sfx.patch b/mingw32-openssl-1.0.0-beta3-sfx.patch new file mode 100644 index 0000000..05e0a3c --- /dev/null +++ b/mingw32-openssl-1.0.0-beta3-sfx.patch @@ -0,0 +1,15 @@ +diff -up openssl-1.0.0-beta3/engines/Makefile.mingw-libversion openssl-1.0.0-beta3/engines/Makefile +--- openssl-1.0.0-beta3/engines/Makefile.mingw-libversion 2009-08-29 22:33:22.000000000 +0300 ++++ openssl-1.0.0-beta3/engines/Makefile 2009-08-29 22:34:15.000000000 +0300 +@@ -110,7 +110,10 @@ install: + for l in $(LIBNAMES); do \ + ( echo installing $$l; \ + pfx=lib; \ +- if [ "$(PLATFORM)" != "Cygwin" ]; then \ ++ if [ "$(PLATFORM)" = "mingw" ]; then \ ++ sfx=.dll; \ ++ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \ ++ elif [ "$(PLATFORM)" != "Cygwin" ]; then \ + case "$(CFLAGS)" in \ + *DSO_BEOS*) sfx=".so";; \ + *DSO_DLFCN*) sfx=".so";; \ diff --git a/mingw32-openssl-1.0.0-beta3-shared.patch b/mingw32-openssl-1.0.0-beta3-shared.patch deleted file mode 100644 index 2fa6348..0000000 --- a/mingw32-openssl-1.0.0-beta3-shared.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openssl-1.0.0-beta3/Makefile.shared.orig 2009-08-29 17:02:27.496816550 +0200 -+++ openssl-1.0.0-beta3/Makefile.shared 2009-08-29 17:04:54.897820373 +0200 -@@ -250,7 +250,7 @@ - base=-Wl,--enable-auto-image-base; \ - deffile=; \ - if expr $(PLATFORM) : 'mingw' > /dev/null; then \ -- SHLIB=$(LIBNAME)eay32; base=; \ -+ SHLIB=lib$(LIBNAME); base=; \ - if test -f $(LIBNAME)eay32.def; then \ - deffile=$(LIBNAME)eay32.def; \ - fi; \ diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index e6be878..c49f7cb 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -78,17 +78,17 @@ Patch48: openssl-0.9.8j-bad-mime.patch Patch49: openssl-0.9.8k-algo-doc.patch Patch50: openssl-1.0.0-beta3-curl.patch Patch51: openssl-1.0.0-beta3-const.patch - # Backported fixes including security fixes Patch60: openssl-1.0.0-beta3-namingstr.patch Patch61: openssl-1.0.0-beta3-namingblk.patch # MinGW-specific patches. -Patch100: mingw32-openssl-0.9.8j-header-files.patch -Patch101: mingw32-openssl-0.9.8j-configure.patch -Patch102: mingw32-openssl-0.9.8j-shared.patch -Patch103: mingw32-openssl-0.9.8g-global.patch -Patch104: mingw32-openssl-0.9.8g-sfx.patch +# Use MINGW32_CFLAGS (set below) in Configure script +Patch100: mingw32-openssl-1.0.0-beta3-configure.patch +# Rename *eay32.dll to lib*.dll +Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch +# Fix engines/ install target after lib rename +Patch102: mingw32-openssl-1.0.0-beta3-sfx.patch Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -101,6 +101,7 @@ BuildRequires: mingw32-binutils BuildRequires: mingw32-zlib BuildRequires: mingw32-pthreads +BuildRequires: mingw32-dlfcn BuildRequires: mktemp #BuildRequires: krb5-devel @@ -182,11 +183,9 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch60 -p1 -b .namingstr %patch61 -p1 -b .namingblk -#%patch100 -p1 -b .mingw-header-files -#%patch101 -p1 -b .mingw-configure -#%patch102 -p1 -b .mingw-shared -#%patch103 -p1 -b .mingw-global -#%patch104 -p1 -b .mingw-sfx +%patch100 -p1 -b .mingw-configure +%patch101 -p1 -b .mingw-libversion +%patch102 -p1 -b .mingw-sfx %patch105 -p0 -b .mingw-linker-fix # Modify the various perl scripts to reference perl in the right location. @@ -199,7 +198,7 @@ make TABLE PERL=%{__perl} %build # NB: 'no-hw' is vital. MinGW cannot build the hardware drivers # and if you don't have this you'll get an obscure link error. -sed -i -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" Configure; \ +export MINGW32_CFLAGS="%{_mingw32_cflags}"; \ ./Configure \ --prefix=%{_mingw32_prefix} \ --openssldir=%{_mingw32_sysconfdir}/pki/tls \ @@ -328,8 +327,8 @@ rm -rf $RPM_BUILD_ROOT %doc LICENSE %{_mingw32_bindir}/openssl.exe %{_mingw32_bindir}/c_rehash -%{_mingw32_bindir}/libeay32.dll -%{_mingw32_bindir}/ssleay32.dll +%{_mingw32_bindir}/libcrypto-%{soversion}.dll +%{_mingw32_bindir}/libssl-%{soversion}.dll #{_mingw32_bindir}/.libcrypto*.hmac %{_mingw32_libdir}/libcrypto.dll.a %{_mingw32_libdir}/libssl.dll.a @@ -352,6 +351,9 @@ rm -rf $RPM_BUILD_ROOT - Automatically generate debuginfo subpackage - Merged various changes from the native Fedora package (up to 1.0.0-0.5.beta3) - Don't use the %%{_mingw32_make} macro anymore as it's ugly and causes side-effects +- Added missing BuildRequires mingw32-dlfcn (Kalev Lember) +- Reworked patches to rename *eay32.dll to lib*.dll (Kalev Lember) +- Patch Configure script to use %%{_mingw32_cflags} (Kalev Lember) * Sat Jul 25 2009 Fedora Release Engineering - 0.9.8j-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild From aa14161f4f77743fff76ebc921a1ef26bc0ebde4 Mon Sep 17 00:00:00 2001 From: epienbro Date: Sat, 29 Aug 2009 20:38:51 +0000 Subject: [PATCH 10/28] Dropped several unused (obsoleted) patches and added a comment to the .spec file about the purpose of one of patches --- mingw32-openssl.spec | 2 + openssl-0.9.8a-defaults.patch | 50 --- openssl-0.9.8a-link-krb5.patch | 11 - openssl-0.9.8a-reuse-cipher-change.patch | 20 -- openssl-0.9.8b-x509-name-cmp.patch | 18 -- openssl-0.9.8g-default-paths.patch | 77 ----- openssl-0.9.8g-no-extssl.patch | 27 -- openssl-0.9.8j-eap-fast.patch | 378 ---------------------- openssl-0.9.8j-enginesdir.patch | 40 --- openssl-0.9.8j-evp-nonfips.patch | 127 -------- openssl-0.9.8j-fips-no-pairwise.patch | 24 -- openssl-0.9.8j-fipscheck-hmac.patch | 125 -------- openssl-0.9.8j-kernel-fipsmode.patch | 62 ---- openssl-0.9.8j-nocanister.patch | 31 -- openssl-0.9.8j-redhat.patch | 53 ---- openssl-0.9.8j-shlib-version.patch | 12 - openssl-0.9.8j-soversion.patch | 49 --- openssl-0.9.8j-use-fipscheck.patch | 384 ----------------------- 18 files changed, 2 insertions(+), 1488 deletions(-) delete mode 100644 openssl-0.9.8a-defaults.patch delete mode 100644 openssl-0.9.8a-link-krb5.patch delete mode 100644 openssl-0.9.8a-reuse-cipher-change.patch delete mode 100644 openssl-0.9.8b-x509-name-cmp.patch delete mode 100644 openssl-0.9.8g-default-paths.patch delete mode 100644 openssl-0.9.8g-no-extssl.patch delete mode 100644 openssl-0.9.8j-eap-fast.patch delete mode 100644 openssl-0.9.8j-enginesdir.patch delete mode 100644 openssl-0.9.8j-evp-nonfips.patch delete mode 100644 openssl-0.9.8j-fips-no-pairwise.patch delete mode 100644 openssl-0.9.8j-fipscheck-hmac.patch delete mode 100644 openssl-0.9.8j-kernel-fipsmode.patch delete mode 100644 openssl-0.9.8j-nocanister.patch delete mode 100644 openssl-0.9.8j-redhat.patch delete mode 100644 openssl-0.9.8j-shlib-version.patch delete mode 100644 openssl-0.9.8j-soversion.patch delete mode 100644 openssl-0.9.8j-use-fipscheck.patch diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index c49f7cb..0b13141 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -89,6 +89,8 @@ Patch100: mingw32-openssl-1.0.0-beta3-configure.patch Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch # Fix engines/ install target after lib rename Patch102: mingw32-openssl-1.0.0-beta3-sfx.patch +# Ugly patch to fix a compilation error (the linker can't find +# some symbols mentioned in an autogenerated .def file) Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) diff --git a/openssl-0.9.8a-defaults.patch b/openssl-0.9.8a-defaults.patch deleted file mode 100644 index 5a4db7b..0000000 --- a/openssl-0.9.8a-defaults.patch +++ /dev/null @@ -1,50 +0,0 @@ ---- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200 -+++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100 -@@ -99,6 +99,7 @@ - #################################################################### - [ req ] - default_bits = 1024 -+default_md = sha1 - default_keyfile = privkey.pem - distinguished_name = req_distinguished_name - attributes = req_attributes -@@ -116,23 +117,26 @@ - # MASK:XXXX a literal mask value. - # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings - # so use this option with caution! --string_mask = nombstr -+# we use PrintableString+UTF8String mask so if pure ASCII texts are used -+# the resulting certificates are compatible with Netscape -+string_mask = MASK:0x2002 - - # req_extensions = v3_req # The extensions to add to a certificate request - - [ req_distinguished_name ] - countryName = Country Name (2 letter code) --countryName_default = AU -+countryName_default = GB - countryName_min = 2 - countryName_max = 2 - - stateOrProvinceName = State or Province Name (full name) --stateOrProvinceName_default = Some-State -+stateOrProvinceName_default = Berkshire - - localityName = Locality Name (eg, city) -+localityName_default = Newbury - - 0.organizationName = Organization Name (eg, company) --0.organizationName_default = Internet Widgits Pty Ltd -+0.organizationName_default = My Company Ltd - - # we can do this but it is not needed normally :-) - #1.organizationName = Second Organization Name (eg, company) -@@ -141,7 +145,7 @@ - organizationalUnitName = Organizational Unit Name (eg, section) - #organizationalUnitName_default = - --commonName = Common Name (eg, YOUR name) -+commonName = Common Name (eg, your name or your server\'s hostname) - commonName_max = 64 - - emailAddress = Email Address diff --git a/openssl-0.9.8a-link-krb5.patch b/openssl-0.9.8a-link-krb5.patch deleted file mode 100644 index f34b1e5..0000000 --- a/openssl-0.9.8a-link-krb5.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openssl-0.9.8a/Makefile.org.link-krb5 2005-07-05 07:14:21.000000000 +0200 -+++ openssl-0.9.8a/Makefile.org 2005-11-07 18:00:08.000000000 +0100 -@@ -266,7 +266,7 @@ - - do_$(SHLIB_TARGET): - @ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ -- if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ -+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ - libs="$(LIBKRB5) $$libs"; \ - fi; \ - $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl-0.9.8a-reuse-cipher-change.patch b/openssl-0.9.8a-reuse-cipher-change.patch deleted file mode 100644 index 666688b..0000000 --- a/openssl-0.9.8a-reuse-cipher-change.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100 -+++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100 -@@ -477,7 +477,7 @@ - - #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L - #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L --#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L -+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ - #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L - #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L - #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ -@@ -494,7 +494,7 @@ - - /* SSL_OP_ALL: various bug workarounds that should be rather harmless. - * This used to be 0x000FFFFFL before 0.9.7. */ --#define SSL_OP_ALL 0x00000FFFL -+#define SSL_OP_ALL 0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */ - - /* DTLS options */ - #define SSL_OP_NO_QUERY_MTU 0x00001000L diff --git a/openssl-0.9.8b-x509-name-cmp.patch b/openssl-0.9.8b-x509-name-cmp.patch deleted file mode 100644 index c7e8848..0000000 --- a/openssl-0.9.8b-x509-name-cmp.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp 2004-12-01 02:45:30.000000000 +0100 -+++ openssl-0.9.8b/crypto/x509/x509_cmp.c 2006-11-30 23:37:26.000000000 +0100 -@@ -282,14 +282,7 @@ - nb=sk_X509_NAME_ENTRY_value(b->entries,i); - j=na->value->type-nb->value->type; - if (j) -- { -- nabit = ASN1_tag2bit(na->value->type); -- nbbit = ASN1_tag2bit(nb->value->type); -- if (!(nabit & STR_TYPE_CMP) || -- !(nbbit & STR_TYPE_CMP)) -- return j; -- j = asn1_string_memcmp(na->value, nb->value); -- } -+ return j; - else if (na->value->type == V_ASN1_PRINTABLESTRING) - j=nocase_spacenorm_cmp(na->value, nb->value); - else if (na->value->type == V_ASN1_IA5STRING diff --git a/openssl-0.9.8g-default-paths.patch b/openssl-0.9.8g-default-paths.patch deleted file mode 100644 index 23fa4e1..0000000 --- a/openssl-0.9.8g-default-paths.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c ---- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100 -+++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100 -@@ -1077,12 +1077,13 @@ bad: - } - #endif - -- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) -+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx)) - { -- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - store = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(store, vflags); -@@ -1132,8 +1133,11 @@ bad: - - SSL_CTX_sess_set_cache_size(ctx2,128); - -- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx2))) -+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx2)) - { - ERR_print_errors(bio_err); - } -diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c ---- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100 -+++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100 -@@ -673,12 +673,13 @@ bad: - if (!set_cert_key_stuff(ctx,cert,key)) - goto end; - -- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) -+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx)) - { -- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - - store = SSL_CTX_get_cert_store(ctx); -diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c ---- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100 -+++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100 -@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv) - - SSL_load_error_strings(); - -- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(tm_ctx))) -+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) - { -- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - - if (tm_cipher == NULL) diff --git a/openssl-0.9.8g-no-extssl.patch b/openssl-0.9.8g-no-extssl.patch deleted file mode 100644 index de00d0c..0000000 --- a/openssl-0.9.8g-no-extssl.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c ---- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200 -+++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200 -@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex - int extdatalen=0; - unsigned char *ret = p; - -+ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION) -+ { -+ return ret; -+ } -+ - ret+=2; - - if (ret>=limit) return NULL; /* this really never occurs, but ... */ -@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex - int extdatalen=0; - unsigned char *ret = p; - -+ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION) -+ { -+ return ret; -+ } -+ - ret+=2; - if (ret>=limit) return NULL; /* this really never occurs, but ... */ - diff --git a/openssl-0.9.8j-eap-fast.patch b/openssl-0.9.8j-eap-fast.patch deleted file mode 100644 index 1e77f00..0000000 --- a/openssl-0.9.8j-eap-fast.patch +++ /dev/null @@ -1,378 +0,0 @@ -diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c ---- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100 -+++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100 -@@ -106,6 +106,12 @@ int tls1_new(SSL *s) - - void tls1_free(SSL *s) - { -+#ifndef OPENSSL_NO_TLSEXT -+ if (s && s->tlsext_session_ticket) -+ { -+ OPENSSL_free(s->tlsext_session_ticket); -+ } -+#endif /* OPENSSL_NO_TLSEXT */ - ssl3_free(s); - } - -@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex - int ticklen; - if (s->session && s->session->tlsext_tick) - ticklen = s->session->tlsext_ticklen; -+ else if (s->session && s->tlsext_session_ticket && -+ s->tlsext_session_ticket->data) -+ { -+ ticklen = s->tlsext_session_ticket->length; -+ s->session->tlsext_tick = OPENSSL_malloc(ticklen); -+ if (!s->session->tlsext_tick) -+ return NULL; -+ memcpy(s->session->tlsext_tick, -+ s->tlsext_session_ticket->data, -+ ticklen); -+ s->session->tlsext_ticklen = ticklen; -+ } - else - ticklen = 0; -+ if (ticklen == 0 && s->tlsext_session_ticket && -+ s->tlsext_session_ticket->data == NULL) -+ goto skip_ext; - /* Check for enough room 2 for extension type, 2 for len - * rest for ticket - */ -@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex - ret += ticklen; - } - } -+ skip_ext: - - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) - { -@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s, - } - - } -+ else if (type == TLSEXT_TYPE_session_ticket) -+ { -+ if (s->tls_session_ticket_ext_cb && -+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) -+ { -+ *al = TLS1_AD_INTERNAL_ERROR; -+ return 0; -+ } -+ } - else if (type == TLSEXT_TYPE_status_request - && s->ctx->tlsext_status_cb) - { -@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, - } - else if (type == TLSEXT_TYPE_session_ticket) - { -+ if (s->tls_session_ticket_ext_cb && -+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) -+ { -+ *al = TLS1_AD_INTERNAL_ERROR; -+ return 0; -+ } - if ((SSL_get_options(s) & SSL_OP_NO_TICKET) - || (size > 0)) - { -@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned - s->tlsext_ticket_expected = 1; - return 0; /* Cache miss */ - } -+ if (s->tls_session_secret_cb) -+ { -+ /* Indicate cache miss here and instead of -+ * generating the session from ticket now, -+ * trigger abbreviated handshake based on -+ * external mechanism to calculate the master -+ * secret later. */ -+ return 0; -+ } - return tls_decrypt_ticket(s, p, size, session_id, len, - ret); - } -diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c ---- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100 -+++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100 -@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s) - goto f_err; - } - -+#ifndef OPENSSL_NO_TLSEXT -+ /* check if we want to resume the session based on external pre-shared secret */ -+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) -+ { -+ SSL_CIPHER *pref_cipher=NULL; -+ s->session->master_key_length=sizeof(s->session->master_key); -+ if (s->tls_session_secret_cb(s, s->session->master_key, -+ &s->session->master_key_length, -+ NULL, &pref_cipher, -+ s->tls_session_secret_cb_arg)) -+ { -+ s->session->cipher = pref_cipher ? -+ pref_cipher : ssl_get_cipher_by_char(s, p+j); -+ } -+ } -+#endif /* OPENSSL_NO_TLSEXT */ -+ - if (j != 0 && j == s->session->session_id_length - && memcmp(p,s->session->session_id,j) == 0) - { -@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s) - { - int ok; - long n; -- /* If we have no ticket or session ID is non-zero length (a match of -- * a non-zero session length would never reach here) it cannot be a -- * resumed session. -- */ -- if (!s->session->tlsext_tick || s->session->session_id_length) -+ /* If we have no ticket it cannot be a resumed session. */ -+ if (!s->session->tlsext_tick) - return 1; - /* this function is called when we really expect a Certificate - * message, so permit appropriate message length */ -diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c ---- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200 -+++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100 -@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX * - return(s->session_timeout); - } - -+#ifndef OPENSSL_NO_TLSEXT -+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, -+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) -+ { -+ if (s == NULL) return(0); -+ s->tls_session_secret_cb = tls_session_secret_cb; -+ s->tls_session_secret_cb_arg = arg; -+ return(1); -+ } -+ -+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, -+ void *arg) -+ { -+ if (s == NULL) return(0); -+ s->tls_session_ticket_ext_cb = cb; -+ s->tls_session_ticket_ext_cb_arg = arg; -+ return(1); -+ } -+ -+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) -+ { -+ if (s->version >= TLS1_VERSION) -+ { -+ if (s->tlsext_session_ticket) -+ { -+ OPENSSL_free(s->tlsext_session_ticket); -+ s->tlsext_session_ticket = NULL; -+ } -+ -+ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); -+ if (!s->tlsext_session_ticket) -+ { -+ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ -+ if (ext_data) -+ { -+ s->tlsext_session_ticket->length = ext_len; -+ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1; -+ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); -+ } -+ else -+ { -+ s->tlsext_session_ticket->length = 0; -+ s->tlsext_session_ticket->data = NULL; -+ } -+ -+ return 1; -+ } -+ -+ return 0; -+ } -+#endif /* OPENSSL_NO_TLSEXT */ -+ - typedef struct timeout_param_st - { - SSL_CTX *ctx; -diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c ---- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100 -+++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100 -@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s) - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); - goto err; - } -+ -+ /* Check if we want to use external pre-shared secret for this -+ * handshake for not reused session only. We need to generate -+ * server_random before calling tls_session_secret_cb in order to allow -+ * SessionTicket processing to use it in key derivation. */ -+ { -+ unsigned long Time; -+ unsigned char *pos; -+ Time=(unsigned long)time(NULL); /* Time */ -+ pos=s->s3->server_random; -+ l2n(Time,pos); -+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) -+ { -+ al=SSL_AD_INTERNAL_ERROR; -+ goto f_err; -+ } -+ } -+ -+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) -+ { -+ SSL_CIPHER *pref_cipher=NULL; -+ -+ s->session->master_key_length=sizeof(s->session->master_key); -+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, -+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) -+ { -+ s->hit=1; -+ s->session->ciphers=ciphers; -+ s->session->verify_result=X509_V_OK; -+ -+ ciphers=NULL; -+ -+ /* check if some cipher was preferred by call back */ -+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); -+ if (pref_cipher == NULL) -+ { -+ al=SSL_AD_HANDSHAKE_FAILURE; -+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); -+ goto f_err; -+ } -+ -+ s->session->cipher=pref_cipher; -+ -+ if (s->cipher_list) -+ sk_SSL_CIPHER_free(s->cipher_list); -+ -+ if (s->cipher_list_by_id) -+ sk_SSL_CIPHER_free(s->cipher_list_by_id); -+ -+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); -+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); -+ } -+ } - #endif - /* Worst case, we will use the NULL compression, but if we have other - * options, we will now look for them. We have i-1 compression -@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s) - unsigned char *buf; - unsigned char *p,*d; - int i,sl; -- unsigned long l,Time; -+ unsigned long l; -+#ifdef OPENSSL_NO_TLSEXT -+ unsigned long Time; -+#endif - - if (s->state == SSL3_ST_SW_SRVR_HELLO_A) - { - buf=(unsigned char *)s->init_buf->data; -+#ifdef OPENSSL_NO_TLSEXT - p=s->s3->server_random; -+ /* Generate server_random if it was not needed previously */ - Time=(unsigned long)time(NULL); /* Time */ - l2n(Time,p); - if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) - return -1; -+#endif - /* Do the message type and length last */ - d=p= &(buf[4]); - -diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h ---- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100 -+++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100 -@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T - #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ - #endif - -+/* TLS Session Ticket extension struct */ -+struct tls_session_ticket_ext_st -+ { -+ unsigned short length; -+ void *data; -+ }; -+ - #ifdef __cplusplus - } - #endif -diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c ---- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200 -+++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100 -@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]= - {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, - {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, - {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, -+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, - {0,NULL} - }; - -diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h ---- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100 -+++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100 -@@ -344,6 +344,7 @@ extern "C" { - * 'struct ssl_st *' function parameters used to prototype callbacks - * in SSL_CTX. */ - typedef struct ssl_st *ssl_crock_st; -+typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; - - /* used to hold info on the particular ciphers used */ - typedef struct ssl_cipher_st -@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st - - DECLARE_STACK_OF(SSL_CIPHER) - -+typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg); -+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); -+ - /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ - typedef struct ssl_method_st - { -@@ -1034,6 +1038,18 @@ struct ssl_st - - /* RFC4507 session ticket expected to be received or sent */ - int tlsext_ticket_expected; -+ -+ /* TLS Session Ticket extension override */ -+ TLS_SESSION_TICKET_EXT *tlsext_session_ticket; -+ -+ /* TLS Session Ticket extension callback */ -+ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; -+ void *tls_session_ticket_ext_cb_arg; -+ -+ /* TLS pre-shared secret session resumption */ -+ tls_session_secret_cb_fn tls_session_secret_cb; -+ void *tls_session_secret_cb_arg; -+ - SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ - #define session_ctx initial_ctx - #else -@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v - int SSL_COMP_add_compression_method(int id,void *cm); - #endif - -+/* TLS extensions functions */ -+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); -+ -+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, -+ void *arg); -+ -+/* Pre-shared secret session resumption functions */ -+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); -+ - /* BEGIN ERROR CODES */ - /* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. -@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void); - #define SSL_F_TLS1_ENC 210 - #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 - #define SSL_F_WRITE_PENDING 212 -+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213 - - /* Reason codes. */ - #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff --git a/openssl-0.9.8j-enginesdir.patch b/openssl-0.9.8j-enginesdir.patch deleted file mode 100644 index 3834fe8..0000000 --- a/openssl-0.9.8j-enginesdir.patch +++ /dev/null @@ -1,40 +0,0 @@ -diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure ---- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100 -+++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100 -@@ -577,6 +577,7 @@ my $idx_arflags = $idx++; - - my $prefix=""; - my $openssldir=""; -+my $enginesdir=""; - my $exe_ext=""; - my $install_prefix=""; - my $fipslibdir="/usr/local/ssl/fips-1.0/lib/"; -@@ -815,6 +816,10 @@ PROCESS_ARGS: - { - $openssldir=$1; - } -+ elsif (/^--enginesdir=(.*)$/) -+ { -+ $enginesdir=$1; -+ } - elsif (/^--install.prefix=(.*)$/) - { - $install_prefix=$1; -@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/; - - $openssldir=$prefix . "/ssl" if $openssldir eq ""; - $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; -- -+$enginesdir="$prefix/lib/engines" if $enginesdir eq ""; - - print "IsMK1MF=$IsMK1MF\n"; - -@@ -1635,7 +1640,7 @@ while () - if (/^#define\s+OPENSSLDIR/) - { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } - elsif (/^#define\s+ENGINESDIR/) -- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; } -+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; } - elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) - { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" - if $export_var_as_fn; diff --git a/openssl-0.9.8j-evp-nonfips.patch b/openssl-0.9.8j-evp-nonfips.patch deleted file mode 100644 index c25cf38..0000000 --- a/openssl-0.9.8j-evp-nonfips.patch +++ /dev/null @@ -1,127 +0,0 @@ -diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c ---- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200 -+++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100 -@@ -64,6 +64,11 @@ - - void OpenSSL_add_all_digests(void) - { -+#ifdef OPENSSL_FIPS -+ OPENSSL_init(); -+ if (!FIPS_mode()) -+ { -+#endif - #ifndef OPENSSL_NO_MD2 - EVP_add_digest(EVP_md2()); - #endif -@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void) - EVP_add_digest(EVP_sha384()); - EVP_add_digest(EVP_sha512()); - #endif -+#ifdef OPENSSL_FIPS -+ } -+ else -+ { -+#ifndef OPENSSL_NO_SHA -+ EVP_add_digest(EVP_sha1()); -+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); -+#ifndef OPENSSL_NO_DSA -+ EVP_add_digest(EVP_dss1()); -+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); -+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); -+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); -+#endif -+#ifndef OPENSSL_NO_ECDSA -+ EVP_add_digest(EVP_ecdsa()); -+#endif -+#endif -+#ifndef OPENSSL_NO_SHA256 -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+#endif -+#ifndef OPENSSL_NO_SHA512 -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+#endif -+ } -+#endif - } -diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c ---- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200 -+++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100 -@@ -65,6 +65,11 @@ - void OpenSSL_add_all_ciphers(void) - { - -+#ifdef OPENSSL_FIPS -+ OPENSSL_init(); -+ if(!FIPS_mode()) -+ { -+#endif - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cfb()); - EVP_add_cipher(EVP_des_cfb1()); -@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void) - EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256"); - EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256"); - #endif -+#ifdef OPENSSL_FIPS -+ } -+ else -+ { -+#ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede_cfb()); -+ EVP_add_cipher(EVP_des_ede3_cfb()); -+ -+ EVP_add_cipher(EVP_des_ede_ofb()); -+ EVP_add_cipher(EVP_des_ede3_ofb()); -+ -+ EVP_add_cipher(EVP_des_ede_cbc()); -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3"); -+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3"); -+ -+ EVP_add_cipher(EVP_des_ede()); -+ EVP_add_cipher(EVP_des_ede3()); -+#endif -+ -+#ifndef OPENSSL_NO_AES -+ EVP_add_cipher(EVP_aes_128_ecb()); -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_128_cfb()); -+ EVP_add_cipher(EVP_aes_128_cfb1()); -+ EVP_add_cipher(EVP_aes_128_cfb8()); -+ EVP_add_cipher(EVP_aes_128_ofb()); -+#if 0 -+ EVP_add_cipher(EVP_aes_128_ctr()); -+#endif -+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128"); -+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128"); -+ EVP_add_cipher(EVP_aes_192_ecb()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_192_cfb()); -+ EVP_add_cipher(EVP_aes_192_cfb1()); -+ EVP_add_cipher(EVP_aes_192_cfb8()); -+ EVP_add_cipher(EVP_aes_192_ofb()); -+#if 0 -+ EVP_add_cipher(EVP_aes_192_ctr()); -+#endif -+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192"); -+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192"); -+ EVP_add_cipher(EVP_aes_256_ecb()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_256_cfb()); -+ EVP_add_cipher(EVP_aes_256_cfb1()); -+ EVP_add_cipher(EVP_aes_256_cfb8()); -+ EVP_add_cipher(EVP_aes_256_ofb()); -+#if 0 -+ EVP_add_cipher(EVP_aes_256_ctr()); -+#endif -+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); -+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); -+#endif -+ } -+#endif - - PKCS12_PBE_add(); - PKCS5_PBE_add(); diff --git a/openssl-0.9.8j-fips-no-pairwise.patch b/openssl-0.9.8j-fips-no-pairwise.patch deleted file mode 100644 index e6c2f73..0000000 --- a/openssl-0.9.8j-fips-no-pairwise.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c ---- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100 -+++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100 -@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa, - if (fips_rsa_pairwise_fail) - BN_add_word(rsa->n, 1); - -- if(!fips_check_rsa(rsa)) -+ if(FIPS_mode() && !fips_check_rsa(rsa)) - goto err; - - ok=1; -diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c ---- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200 -+++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100 -@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa) - dsa->pub_key=pub_key; - if (fips_dsa_pairwise_fail) - BN_add_word(dsa->pub_key, 1); -- if(!fips_check_dsa(dsa)) -+ if(FIPS_mode() && !fips_check_dsa(dsa)) - goto err; - ok=1; - diff --git a/openssl-0.9.8j-fipscheck-hmac.patch b/openssl-0.9.8j-fipscheck-hmac.patch deleted file mode 100644 index 3ba459b..0000000 --- a/openssl-0.9.8j-fipscheck-hmac.patch +++ /dev/null @@ -1,125 +0,0 @@ -Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary. -We use the binary just during the OpenSSL build to checksum the libcrypto. -diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile ---- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100 -+++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100 -@@ -46,7 +46,7 @@ lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - - ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o -- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ -+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ - $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM - - files: -diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c ---- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200 -+++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100 -@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len) - - #ifdef OPENSSL_FIPS - --static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, -+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx, - const char *key) - { - int len=strlen(key); -@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH - - if (len > SHA_CBLOCK) - { -- SHA1_Init(md_ctx); -- SHA1_Update(md_ctx,key,len); -- SHA1_Final(keymd,md_ctx); -- len=20; -+ SHA256_Init(md_ctx); -+ SHA256_Update(md_ctx,key,len); -+ SHA256_Final(keymd,md_ctx); -+ len=SHA256_DIGEST_LENGTH; - } - else - memcpy(keymd,key,len); -@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH - - for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) - pad[i]=0x36^keymd[i]; -- SHA1_Init(md_ctx); -- SHA1_Update(md_ctx,pad,SHA_CBLOCK); -+ SHA256_Init(md_ctx); -+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK); - - for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) - pad[i]=0x5c^keymd[i]; -- SHA1_Init(o_ctx); -- SHA1_Update(o_ctx,pad,SHA_CBLOCK); -+ SHA256_Init(o_ctx); -+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK); - } - --static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) -+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx) - { -- unsigned char buf[20]; -+ unsigned char buf[SHA256_DIGEST_LENGTH]; - -- SHA1_Final(buf,md_ctx); -- SHA1_Update(o_ctx,buf,sizeof buf); -- SHA1_Final(md,o_ctx); -+ SHA256_Final(buf,md_ctx); -+ SHA256_Update(o_ctx,buf,sizeof buf); -+ SHA256_Final(md,o_ctx); - } - - #endif -@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md - int main(int argc,char **argv) - { - #ifdef OPENSSL_FIPS -- static char key[]="etaonrishdlcupfm"; -+ static char key[]="orboDeJITITejsirpADONivirpUkvarP"; - int n,binary=0; - - if(argc < 2) -@@ -125,8 +125,8 @@ int main(int argc,char **argv) - for(; n < argc ; ++n) - { - FILE *f=fopen(argv[n],"rb"); -- SHA_CTX md_ctx,o_ctx; -- unsigned char md[20]; -+ SHA256_CTX md_ctx,o_ctx; -+ unsigned char md[SHA256_DIGEST_LENGTH]; - int i; - - if(!f) -@@ -139,7 +139,7 @@ int main(int argc,char **argv) - for( ; ; ) - { - char buf[1024]; -- int l=fread(buf,1,sizeof buf,f); -+ size_t l=fread(buf,1,sizeof buf,f); - - if(l == 0) - { -@@ -151,18 +151,18 @@ int main(int argc,char **argv) - else - break; - } -- SHA1_Update(&md_ctx,buf,l); -+ SHA256_Update(&md_ctx,buf,l); - } - hmac_final(md,&md_ctx,&o_ctx); - - if (binary) - { -- fwrite(md,20,1,stdout); -+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout); - break; /* ... for single(!) file */ - } - -- printf("HMAC-SHA1(%s)= ",argv[n]); -- for(i=0 ; i < 20 ; ++i) -+/* printf("HMAC-SHA1(%s)= ",argv[n]); */ -+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i) - printf("%02x",md[i]); - printf("\n"); - } diff --git a/openssl-0.9.8j-kernel-fipsmode.patch b/openssl-0.9.8j-kernel-fipsmode.patch deleted file mode 100644 index fed04c3..0000000 --- a/openssl-0.9.8j-kernel-fipsmode.patch +++ /dev/null @@ -1,62 +0,0 @@ -diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c ---- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100 -+++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100 -@@ -59,6 +59,45 @@ - #include - #include - -+#ifdef OPENSSL_FIPS -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" -+ -+static void init_fips_mode(void) -+ { -+ char buf[2] = "0"; -+ int fd; -+ -+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) -+ { -+ buf[0] = '1'; -+ } -+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) -+ { -+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); -+ close(fd); -+ } -+ /* Failure reading the fips mode switch file means just not -+ * switching into FIPS mode. We would break too many things -+ * otherwise. -+ */ -+ -+ if (buf[0] == '1') -+ { -+ FIPS_mode_set(1); -+ } -+ } -+#endif -+ - /* Perform any essential OpenSSL initialization operations. - * Currently only sets FIPS callbacks - */ -@@ -73,11 +112,10 @@ void OPENSSL_init(void) - #ifdef CRYPTO_MDEBUG - CRYPTO_malloc_debug_init(); - #endif --#ifdef OPENSSL_ENGINE -+ init_fips_mode(); - int_EVP_MD_init_engine_callbacks(); - int_EVP_CIPHER_init_engine_callbacks(); - int_RAND_init_engine_callbacks(); --#endif - done = 1; - } - #endif diff --git a/openssl-0.9.8j-nocanister.patch b/openssl-0.9.8j-nocanister.patch deleted file mode 100644 index f5e1272..0000000 --- a/openssl-0.9.8j-nocanister.patch +++ /dev/null @@ -1,31 +0,0 @@ -Do not create a fipscanister.o, add the objects directly. -diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile ---- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100 -+++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100 -@@ -142,8 +142,24 @@ lib: $(LIB) - if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi - @touch lib - --$(LIB): $(FIPSLIBDIR)fipscanister.o -- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o -+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS) -+ FIPS_ASM=""; \ -+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \ -+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \ -+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \ -+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \ -+ if [ -n "$(CPUID_OBJ)" ]; then \ -+ CPUID=../crypto/$(CPUID_OBJ) ; \ -+ else \ -+ CPUID="" ; \ -+ fi ; \ -+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \ -+ for i in $(FIPS_OBJ_LISTS); do \ -+ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \ -+ objs="$$objs `sed "$$script" $$i`"; \ -+ done; \ -+ objs="$$objs" ; \ -+ $(AR) $(LIB) $$objs - $(RANLIB) $(LIB) || echo Never mind. - - $(FIPSCANLIB): $(FIPSCANLOC) diff --git a/openssl-0.9.8j-redhat.patch b/openssl-0.9.8j-redhat.patch deleted file mode 100644 index 2e1153d..0000000 --- a/openssl-0.9.8j-redhat.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure ---- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100 -+++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100 -@@ -320,28 +320,28 @@ my %table=( - #### - # *-generic* is endian-neutral target, but ./config is free to - # throw in -D[BL]_ENDIAN, whichever appropriate... --"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - #### IA-32 targets... - "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", - #### --"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - #### SPARC Linux setups - # Ray Miller has patiently - # assisted with debugging of following two configs. --"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - # it's a real mess with -mcpu=ultrasparc option under Linux, but - # -Wa,-Av8plus should do the trick no matter what. --"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - # GCC 3.1 is a requirement --"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - #### Alpha Linux with GNU C and Compaq C setups - # Special notes: - # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you -@@ -355,8 +355,8 @@ my %table=( - # - # - # --"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", -+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", - "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", - "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", - diff --git a/openssl-0.9.8j-shlib-version.patch b/openssl-0.9.8j-shlib-version.patch deleted file mode 100644 index 8182398..0000000 --- a/openssl-0.9.8j-shlib-version.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h ---- openssl-0.9.8j/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100 -+++ openssl-0.9.8j/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100 -@@ -83,7 +83,7 @@ - * should only keep the versions that are binary compatible with the current. - */ - #define SHLIB_VERSION_HISTORY "" --#define SHLIB_VERSION_NUMBER "0.9.8" -+#define SHLIB_VERSION_NUMBER "0.9.8j" - - - #endif /* HEADER_OPENSSLV_H */ diff --git a/openssl-0.9.8j-soversion.patch b/openssl-0.9.8j-soversion.patch deleted file mode 100644 index 80ee5cd..0000000 --- a/openssl-0.9.8j-soversion.patch +++ /dev/null @@ -1,49 +0,0 @@ -Define and use a soname -- because we have to care about binary -compatibility, we have to increment the soname in order to allow -this version to co-exist with another versions and have everything -work right. - -diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure ---- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100 -+++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100 -@@ -1371,7 +1371,7 @@ while () - elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) - { - my $sotmp = $1; -- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; -+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/; - } - elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) - { -diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org ---- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100 -+++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100 -@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= - SHLIB_MAJOR= - SHLIB_MINOR= - SHLIB_EXT= -+SHLIB_SONAMEVER=8 - PLATFORM=dist - OPTIONS= - CONFIGURE_ARGS= -@@ -277,10 +278,9 @@ clean-shared: - link-shared: - @ set -e; for i in ${SHLIBDIRS}; do \ - $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ -- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ -+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ - LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ - symlink.$(SHLIB_TARGET); \ -- libs="$$libs -l$$i"; \ - done - - build-shared: do_$(SHLIB_TARGET) link-shared -@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET): - libs="$(LIBKRB5) $$libs"; \ - fi; \ - $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ -- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ -+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ - LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ - LIBDEPS="$$libs $(EX_LIBS)" \ - link_a.$(SHLIB_TARGET); \ diff --git a/openssl-0.9.8j-use-fipscheck.patch b/openssl-0.9.8j-use-fipscheck.patch deleted file mode 100644 index 6f2eca1..0000000 --- a/openssl-0.9.8j-use-fipscheck.patch +++ /dev/null @@ -1,384 +0,0 @@ -Use fipscheck compatible way of verification of the integrity of the libcrypto -shared library. -diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile ---- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100 -+++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100 -@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$ - if [ "$(FIPSCANLIB)" = "libfips" ]; then \ - LIBRARIES="-L$(TOP) -lfips"; \ - elif [ -n "$(FIPSCANLIB)" ]; then \ -- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ -- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ -+ LIBRARIES="$(LIBCRYPTO)"; \ - fi; \ - $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ -@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if - shlib_target="$(SHLIB_TARGET)"; \ - fi; \ - LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ -- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \ -- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ -- fi; \ - [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ - $(MAKE) -f $(TOP)/Makefile.shared -e \ - CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ -diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org ---- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100 -+++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100 -@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA - $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ - $(AR) libcrypto.a fips/fipscanister.o ; \ - else \ -- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ -- FIPSLD_CC=$(CC); CC=fips/fipsld; \ -- export CC FIPSLD_CC; \ -- fi; \ - $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ - fi \ - else \ -@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT - fips/fipscanister.o: build_fips - libfips$(SHLIB_EXT): fips/fipscanister.o - @if [ "$(SHLIB_TARGET)" != "" ]; then \ -- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ - $(MAKE) -f Makefile.shared -e $(BUILDENV) \ -- CC=$${CC} LIBNAME=fips THIS=$@ \ -+ CC=$(CC) LIBNAME=fips THIS=$@ \ - LIBEXTRAS=fips/fipscanister.o \ - LIBDEPS="$(EX_LIBS)" \ - LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ -@@ -469,7 +464,7 @@ openssl.pc: Makefile - echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ - echo 'Version: '$(VERSION); \ - echo 'Requires: '; \ -- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ -+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\ - echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc - - Makefile: Makefile.org Configure config -diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c ---- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200 -+++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100 -@@ -47,6 +47,7 @@ - * - */ - -+#define _GNU_SOURCE - - #include - #include -@@ -56,6 +57,9 @@ - #include - #include - #include -+#include -+#include -+#include - #include "fips_locl.h" - - #ifdef OPENSSL_FIPS -@@ -165,6 +169,7 @@ int FIPS_selftest() - && FIPS_selftest_dsa(); - } - -+#if 0 - extern const void *FIPS_text_start(), *FIPS_text_end(); - extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; - unsigned char FIPS_signature [20] = { 0 }; -@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void) - - return 1; - } -+#else -+/* we implement what libfipscheck does ourselves */ -+ -+static int -+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) -+{ -+ Dl_info info; -+ void *dl, *sym; -+ int rv = -1; -+ -+ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } -+ -+ sym = dlsym(dl, symbolname); -+ -+ if (sym != NULL && dladdr(sym, &info)) { -+ strncpy(path, info.dli_fname, pathlen-1); -+ path[pathlen-1] = '\0'; -+ rv = 0; -+ } -+ -+ dlclose(dl); -+ -+ return rv; -+} -+ -+static const char conv[] = "0123456789abcdef"; -+ -+static char * -+bin2hex(void *buf, size_t len) -+{ -+ char *hex, *p; -+ unsigned char *src = buf; -+ -+ hex = malloc(len * 2 + 1); -+ if (hex == NULL) -+ return NULL; -+ -+ p = hex; -+ -+ while (len > 0) { -+ unsigned c; -+ -+ c = *src; -+ src++; -+ -+ *p = conv[c >> 4]; -+ ++p; -+ *p = conv[c & 0x0f]; -+ ++p; -+ --len; -+ } -+ *p = '\0'; -+ return hex; -+} -+ -+#define HMAC_PREFIX "." -+#define HMAC_SUFFIX ".hmac" -+#define READ_BUFFER_LENGTH 16384 -+ -+static char * -+make_hmac_path(const char *origpath) -+{ -+ char *path, *p; -+ const char *fn; -+ -+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); -+ if(path == NULL) { -+ return NULL; -+ } -+ -+ fn = strrchr(origpath, '/'); -+ if (fn == NULL) { -+ fn = origpath; -+ } else { -+ ++fn; -+ } -+ -+ strncpy(path, origpath, fn-origpath); -+ p = path + (fn - origpath); -+ p = stpcpy(p, HMAC_PREFIX); -+ p = stpcpy(p, fn); -+ p = stpcpy(p, HMAC_SUFFIX); -+ -+ return path; -+} -+ -+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; -+ -+static int -+compute_file_hmac(const char *path, void **buf, size_t *hmaclen) -+{ -+ FILE *f = NULL; -+ int rv = -1; -+ unsigned char rbuf[READ_BUFFER_LENGTH]; -+ size_t len; -+ unsigned int hlen; -+ HMAC_CTX c; -+ -+ HMAC_CTX_init(&c); -+ -+ f = fopen(path, "r"); -+ -+ if (f == NULL) { -+ goto end; -+ } -+ -+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); -+ -+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { -+ HMAC_Update(&c, rbuf, len); -+ } -+ -+ len = sizeof(rbuf); -+ /* reuse rbuf for hmac */ -+ HMAC_Final(&c, rbuf, &hlen); -+ -+ *buf = malloc(hlen); -+ if (*buf == NULL) { -+ goto end; -+ } -+ -+ *hmaclen = hlen; -+ -+ memcpy(*buf, rbuf, hlen); -+ -+ rv = 0; -+end: -+ HMAC_CTX_cleanup(&c); -+ -+ if (f) -+ fclose(f); -+ -+ return rv; -+} -+ -+static int -+FIPSCHECK_verify(const char *libname, const char *symbolname) -+{ -+ char path[PATH_MAX+1]; -+ int rv; -+ FILE *hf; -+ char *hmacpath, *p; -+ char *hmac = NULL; -+ size_t n; -+ -+ rv = get_library_path(libname, symbolname, path, sizeof(path)); -+ -+ if (rv < 0) -+ return 0; -+ -+ hmacpath = make_hmac_path(path); -+ -+ hf = fopen(hmacpath, "r"); -+ if (hf == NULL) { -+ free(hmacpath); -+ return 0; -+ } -+ -+ if (getline(&hmac, &n, hf) > 0) { -+ void *buf; -+ size_t hmaclen; -+ char *hex; -+ -+ if ((p=strchr(hmac, '\n')) != NULL) -+ *p = '\0'; -+ -+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { -+ rv = -4; -+ goto end; -+ } -+ -+ if ((hex=bin2hex(buf, hmaclen)) == NULL) { -+ free(buf); -+ rv = -5; -+ goto end; -+ } -+ -+ if (strcmp(hex, hmac) != 0) { -+ rv = -1; -+ } -+ free(buf); -+ free(hex); -+ } -+ -+end: -+ free(hmac); -+ free(hmacpath); -+ fclose(hf); -+ -+ if (rv < 0) -+ return 0; -+ -+ /* check successful */ -+ return 1; -+} -+ -+#endif - - int FIPS_mode_set(int onoff) - { -@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff) - } - #endif - -- if(fips_signature_witness() != FIPS_signature) -- { -- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); -- fips_selftest_fail = 1; -- ret = 0; -- goto end; -- } -- -- if(!FIPS_check_incore_fingerprint()) -+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set")) - { -+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; - ret = 0; - goto end; -@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void) - return ret; - } - -+#if 0 - unsigned char *fips_signature_witness(void) - { - extern unsigned char FIPS_signature[]; - return FIPS_signature; - } -+#endif - - /* Generalized public key test routine. Signs and verifies the data - * supplied in tbs using mesage digest md and setting option digest -diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile ---- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100 -+++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100 -@@ -62,9 +62,9 @@ testapps: - - all: - @if [ -z "$(FIPSLIBDIR)" ]; then \ -- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ -+ $(MAKE) -e subdirs lib; \ - else \ -- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ -+ $(MAKE) -e lib; \ - fi - - # Idea behind fipscanister.o is to "seize" the sequestered code between -@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $ - HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ - *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ - esac fi -- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 - - # If another exception is immediately required, assign approprite - # site-specific ld command to FIPS_SITE_LD environment variable. -@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC) - $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. - @touch lib - --shared: lib subdirs fips_premain_dso$(EXE_EXT) -+shared: lib subdirs - - libs: - @target=lib; $(RECURSIVE_MAKE) -@@ -195,10 +194,6 @@ install: - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; - @target=install; $(RECURSIVE_MAKE) -- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ -- fips_premain.c.sha1 \ -- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ -- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* - - lint: - @target=lint; $(RECURSIVE_MAKE) -diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h ---- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200 -+++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100 -@@ -63,7 +63,9 @@ int fips_is_owning_thread(void); - int fips_set_owning_thread(void); - void fips_set_selftest_fail(void); - int fips_clear_owning_thread(void); -+#if 0 - unsigned char *fips_signature_witness(void); -+#endif - - #define FIPS_MAX_CIPHER_TEST_SIZE 16 - From faece3739aa93939bb69b7156977dffa62bf7d6d Mon Sep 17 00:00:00 2001 From: epienbro Date: Sat, 29 Aug 2009 23:13:34 +0000 Subject: [PATCH 11/28] - Fixed invalid RPM Provides --- mingw32-openssl-1.0.0-beta3-libversion.patch | 11 +++++++++++ mingw32-openssl.spec | 5 ++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl-1.0.0-beta3-libversion.patch b/mingw32-openssl-1.0.0-beta3-libversion.patch index 98da3b6..d4d1c6c 100644 --- a/mingw32-openssl-1.0.0-beta3-libversion.patch +++ b/mingw32-openssl-1.0.0-beta3-libversion.patch @@ -53,3 +53,14 @@ diff -up openssl-1.0.0-beta3/Makefile.shared.mingw-libversion openssl-1.0.0-beta base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \ fi; \ dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \ +--- openssl-1.0.0-beta3/util/mkdef.pl.orig 2009-08-30 00:50:32.108820466 +0200 ++++ openssl-1.0.0-beta3/util/mkdef.pl 2009-08-30 00:51:00.032820656 +0200 +@@ -1244,7 +1244,7 @@ + my $description = "$what $version, $name - http://$http_vendor"; + + if ($W32) +- { $libname.="32"; } ++ { $libname="lib$libname-10.dll"; } + elsif ($W16) + { $libname.="16"; } + elsif ($OS2) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 0b13141..0a823a3 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -31,7 +31,7 @@ Name: mingw32-openssl Version: 1.0.0 -Release: 0.1.%{beta}%{?dist} +Release: 0.2.%{beta}%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -347,6 +347,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sun Aug 30 2009 Erik van Pienbroek - 1.0.0-0.2.beta3 +- Fixed invalid RPM Provides + * Fri Aug 28 2009 Erik van Pienbroek - 1.0.0-0.1.beta3 - Update to version 1.0.0 beta 3 - Use %%global instead of %%define From 98504654ea8a83641d5bc61f272df2dd63d9631e Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sun, 30 Aug 2009 00:53:20 +0000 Subject: [PATCH 12/28] Simplified the lib renaming patch --- mingw32-openssl-1.0.0-beta3-libversion.patch | 28 +++++--------------- mingw32-openssl.spec | 5 +++- 2 files changed, 10 insertions(+), 23 deletions(-) diff --git a/mingw32-openssl-1.0.0-beta3-libversion.patch b/mingw32-openssl-1.0.0-beta3-libversion.patch index d4d1c6c..7b37847 100644 --- a/mingw32-openssl-1.0.0-beta3-libversion.patch +++ b/mingw32-openssl-1.0.0-beta3-libversion.patch @@ -24,20 +24,16 @@ diff -up openssl-1.0.0-beta3/Makefile.shared.mingw-libversion openssl-1.0.0-beta # LIBCOMPATVERSIONS contains the compatibility versions (a list) of # the library. They MUST be in decreasing order. -@@ -250,9 +250,9 @@ link_o.cygwin: +@@ -250,7 +250,7 @@ link_o.cygwin: base=-Wl,--enable-auto-image-base; \ deffile=; \ if expr $(PLATFORM) : 'mingw' > /dev/null; then \ - SHLIB=$(LIBNAME)eay32; base=; \ -- if test -f $(LIBNAME)eay32.def; then \ -- deffile=$(LIBNAME)eay32.def; \ + SHLIB=lib$(LIBNAME); base=; \ -+ if test -f $(LIBNAME).def; then \ -+ deffile=$(LIBNAME).def; \ + if test -f $(LIBNAME)eay32.def; then \ + deffile=$(LIBNAME)eay32.def; \ fi; \ - fi; \ - SHLIB_SUFFIX=.dll; \ -@@ -270,13 +270,9 @@ link_a.cygwin: +@@ -270,13 +270,7 @@ link_a.cygwin: dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; extras=; \ base=-Wl,--enable-auto-image-base; \ if expr $(PLATFORM) : 'mingw' > /dev/null; then \ @@ -46,21 +42,9 @@ diff -up openssl-1.0.0-beta3/Makefile.shared.mingw-libversion openssl-1.0.0-beta - ssl) SHLIB=ssleay;; \ - esac; \ - SHLIB_SOVER=32; \ -+ SHLIB=lib$(LIBNAME); \ - extras="$(LIBNAME).def"; \ +- extras="$(LIBNAME).def"; \ - $(PERL) util/mkdef.pl 32 $$SHLIB > $$extras; \ -+ $(PERL) util/mkdef.pl 32 $(LIBNAME) > $$extras; \ ++ SHLIB=lib$(LIBNAME); \ base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \ fi; \ dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \ ---- openssl-1.0.0-beta3/util/mkdef.pl.orig 2009-08-30 00:50:32.108820466 +0200 -+++ openssl-1.0.0-beta3/util/mkdef.pl 2009-08-30 00:51:00.032820656 +0200 -@@ -1244,7 +1244,7 @@ - my $description = "$what $version, $name - http://$http_vendor"; - - if ($W32) -- { $libname.="32"; } -+ { $libname="lib$libname-10.dll"; } - elsif ($W16) - { $libname.="16"; } - elsif ($OS2) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 0a823a3..9ec966f 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -31,7 +31,7 @@ Name: mingw32-openssl Version: 1.0.0 -Release: 0.2.%{beta}%{?dist} +Release: 0.3.%{beta}%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -347,6 +347,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sun Aug 30 2009 Kalev Lember - 1.0.0-0.3.beta3 +- Simplified the lib renaming patch + * Sun Aug 30 2009 Erik van Pienbroek - 1.0.0-0.2.beta3 - Fixed invalid RPM Provides From 43970f8ab979259f6c9220babffbf5cb85370c59 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Fri, 18 Sep 2009 20:29:10 +0000 Subject: [PATCH 13/28] Rebuilt to fix debuginfo --- mingw32-openssl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 9ec966f..d530ab4 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -31,7 +31,7 @@ Name: mingw32-openssl Version: 1.0.0 -Release: 0.3.%{beta}%{?dist} +Release: 0.4.%{beta}%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -347,6 +347,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Sep 18 2009 Kalev Lember - 1.0.0-0.4.beta3 +- Rebuilt to fix debuginfo + * Sun Aug 30 2009 Kalev Lember - 1.0.0-0.3.beta3 - Simplified the lib renaming patch From 543260c394dae55a5e7356ff6c071dd6087e71f0 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sun, 22 Nov 2009 17:44:35 +0000 Subject: [PATCH 14/28] - Updated to version 1.0.0 beta 4 - Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4) - Added patch to fix build with fips disabled --- .cvsignore | 2 +- Makefile.certificate | 4 +- make-dummy-cert | 2 +- mingw32-openssl-1.0.0-beta4-nofips.patch | 130 ++ mingw32-openssl.spec | 57 +- openssl-0.9.8b-aliasing-bug.patch | 24 - openssl-0.9.8j-ca-dir.patch | 36 - openssl-1.0.0-beta3-const.patch | 36 - openssl-1.0.0-beta3-curl.patch | 27 - openssl-1.0.0-beta3-enginesdir.patch | 52 - openssl-1.0.0-beta3-fipsmode.patch | 4 +- openssl-1.0.0-beta3-krb5.patch | 12 - openssl-1.0.0-beta3-namingblk.patch | 253 --- openssl-1.0.0-beta3-namingstr.patch | 1663 ----------------- ...atch => openssl-1.0.0-beta4-algo-doc.patch | 16 +- openssl-1.0.0-beta4-backports.patch | 45 + openssl-1.0.0-beta4-binutils.patch | 56 + openssl-1.0.0-beta4-ca-dir.patch | 36 + openssl-1.0.0-beta4-client-reneg.patch | 35 + ...=> openssl-1.0.0-beta4-default-paths.patch | 28 +- openssl-1.0.0-beta4-dtls1-abi.patch | 25 + openssl-1.0.0-beta4-enginesdir.patch | 52 + ...ps.patch => openssl-1.0.0-beta4-fips.patch | 1540 +++++++-------- ....patch => openssl-1.0.0-beta4-redhat.patch | 16 +- openssl-1.0.0-beta4-reneg-err.patch | 93 + openssl-1.0.0-beta4-reneg.patch | 237 +++ openssl-1.0.0-beta4-version.patch | 14 + sources | 2 +- 28 files changed, 1582 insertions(+), 2915 deletions(-) create mode 100644 mingw32-openssl-1.0.0-beta4-nofips.patch delete mode 100644 openssl-0.9.8b-aliasing-bug.patch delete mode 100644 openssl-0.9.8j-ca-dir.patch delete mode 100644 openssl-1.0.0-beta3-const.patch delete mode 100644 openssl-1.0.0-beta3-curl.patch delete mode 100644 openssl-1.0.0-beta3-enginesdir.patch delete mode 100644 openssl-1.0.0-beta3-krb5.patch delete mode 100644 openssl-1.0.0-beta3-namingblk.patch delete mode 100644 openssl-1.0.0-beta3-namingstr.patch rename openssl-0.9.8k-algo-doc.patch => openssl-1.0.0-beta4-algo-doc.patch (86%) create mode 100644 openssl-1.0.0-beta4-backports.patch create mode 100644 openssl-1.0.0-beta4-binutils.patch create mode 100644 openssl-1.0.0-beta4-ca-dir.patch create mode 100644 openssl-1.0.0-beta4-client-reneg.patch rename openssl-1.0.0-beta3-default-paths.patch => openssl-1.0.0-beta4-default-paths.patch (66%) create mode 100644 openssl-1.0.0-beta4-dtls1-abi.patch create mode 100644 openssl-1.0.0-beta4-enginesdir.patch rename openssl-1.0.0-beta3-fips.patch => openssl-1.0.0-beta4-fips.patch (90%) rename openssl-1.0.0-beta3-redhat.patch => openssl-1.0.0-beta4-redhat.patch (92%) create mode 100644 openssl-1.0.0-beta4-reneg-err.patch create mode 100644 openssl-1.0.0-beta4-reneg.patch create mode 100644 openssl-1.0.0-beta4-version.patch diff --git a/.cvsignore b/.cvsignore index 37e2722..3819647 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -openssl-1.0.0-beta3-usa.tar.bz2 +openssl-1.0.0-beta4-usa.tar.bz2 diff --git a/Makefile.certificate b/Makefile.certificate index bf3dc21..e839427 100644 --- a/Makefile.certificate +++ b/Makefile.certificate @@ -38,7 +38,7 @@ usage: umask 77 ; \ PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ - /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \ + /usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \ cat $$PEM1 > $@ ; \ echo "" >> $@ ; \ cat $$PEM2 >> $@ ; \ @@ -46,7 +46,7 @@ usage: %.key: umask 77 ; \ - /usr/bin/openssl genrsa -des3 1024 > $@ + /usr/bin/openssl genrsa -aes128 2048 > $@ %.csr: %.key umask 77 ; \ diff --git a/make-dummy-cert b/make-dummy-cert index 3aff5be..f5f0453 100755 --- a/make-dummy-cert +++ b/make-dummy-cert @@ -20,7 +20,7 @@ for target in $@ ; do PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` trap "rm -f $PEM1 $PEM2" SIGINT - answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null + answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null cat $PEM1 > ${target} echo "" >> ${target} cat $PEM2 >> ${target} diff --git a/mingw32-openssl-1.0.0-beta4-nofips.patch b/mingw32-openssl-1.0.0-beta4-nofips.patch new file mode 100644 index 0000000..fba1b6f --- /dev/null +++ b/mingw32-openssl-1.0.0-beta4-nofips.patch @@ -0,0 +1,130 @@ +diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.mingw-nofips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c +--- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-22 19:07:58.000000000 +0200 +@@ -65,7 +65,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include "fips_locl.h" + + static int dsa_builtin_keygen(DSA *dsa); +diff -up openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-22 19:07:58.000000000 +0200 +@@ -49,7 +49,9 @@ + + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include + + #ifdef OPENSSL_FIPS +diff -up openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c +--- openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-22 19:07:58.000000000 +0200 +@@ -49,7 +49,9 @@ + + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include + #include + +diff -up openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-22 19:07:58.000000000 +0200 +@@ -59,7 +59,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include + #include + #include +diff -up openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-22 19:07:58.000000000 +0200 +@@ -49,7 +49,9 @@ + + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include + + #ifdef OPENSSL_FIPS +diff -up openssl-1.0.0-beta4/crypto/fips/fips_rand.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rand.c +--- openssl-1.0.0-beta4/crypto/fips/fips_rand.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-22 19:07:58.000000000 +0200 +@@ -76,7 +76,9 @@ + # endif + #endif + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include "fips_locl.h" + + #ifdef OPENSSL_FIPS +diff -up openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-22 19:07:58.000000000 +0200 +@@ -49,7 +49,9 @@ + + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include + #include + +diff -up openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-22 19:07:58.000000000 +0200 +@@ -49,7 +49,9 @@ + + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include + #include + #include +diff -up openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c +--- openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-22 19:07:58.000000000 +0200 +@@ -49,7 +49,9 @@ + + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + #include + #include + +diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.mingw-nofips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c +--- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-22 19:07:58.000000000 +0200 +@@ -115,7 +115,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS + #include ++#endif + + #ifndef RSA_NULL + diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index d530ab4..3f8f216 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -18,7 +18,7 @@ # 1.0.0 soversion = 10 %global soversion 10 -%global beta beta3 +%global beta beta4 # Enable the tests. # These only work some of the time, but fail randomly at other times @@ -31,7 +31,7 @@ Name: mingw32-openssl Version: 1.0.0 -Release: 0.4.%{beta}%{?dist} +Release: 0.5.%{beta}%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -50,37 +50,39 @@ Source10: opensslconf-new-warning.h # Patches from Fedora native package. # Build changes -Patch0: openssl-1.0.0-beta3-redhat.patch +Patch0: openssl-1.0.0-beta4-redhat.patch Patch1: openssl-1.0.0-beta3-defaults.patch -Patch2: openssl-1.0.0-beta3-krb5.patch Patch3: openssl-1.0.0-beta3-soversion.patch -Patch4: openssl-1.0.0-beta3-enginesdir.patch +Patch4: openssl-1.0.0-beta4-enginesdir.patch Patch5: openssl-0.9.8a-no-rpath.patch Patch6: openssl-0.9.8b-test-use-localhost.patch # Bug fixes -Patch21: openssl-0.9.8b-aliasing-bug.patch -Patch23: openssl-1.0.0-beta3-default-paths.patch +Patch23: openssl-1.0.0-beta4-default-paths.patch +Patch24: openssl-1.0.0-beta4-binutils.patch # Functionality changes Patch32: openssl-0.9.8g-ia64.patch -Patch33: openssl-0.9.8j-ca-dir.patch +Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch Patch38: openssl-1.0.0-beta3-cipher-change.patch # Disabled this because it uses getaddrinfo which is lacking on Windows. #Patch39: openssl-1.0.0-beta3-ipv6-apps.patch -Patch40: openssl-1.0.0-beta3-fips.patch +Patch40: openssl-1.0.0-beta4-fips.patch Patch41: openssl-1.0.0-beta3-fipscheck.patch Patch43: openssl-1.0.0-beta3-fipsmode.patch Patch44: openssl-1.0.0-beta3-fipsrng.patch Patch45: openssl-0.9.8j-env-nozlib.patch Patch47: openssl-0.9.8j-readme-warning.patch Patch48: openssl-0.9.8j-bad-mime.patch -Patch49: openssl-0.9.8k-algo-doc.patch -Patch50: openssl-1.0.0-beta3-curl.patch -Patch51: openssl-1.0.0-beta3-const.patch +Patch49: openssl-1.0.0-beta4-algo-doc.patch +Patch50: openssl-1.0.0-beta4-dtls1-abi.patch +Patch51: openssl-1.0.0-beta4-version.patch # Backported fixes including security fixes -Patch60: openssl-1.0.0-beta3-namingstr.patch -Patch61: openssl-1.0.0-beta3-namingblk.patch +Patch60: openssl-1.0.0-beta4-reneg.patch +# This one is not backported but has to be applied after reneg patch +Patch61: openssl-1.0.0-beta4-client-reneg.patch +Patch62: openssl-1.0.0-beta4-backports.patch +Patch63: openssl-1.0.0-beta4-reneg-err.patch # MinGW-specific patches. # Use MINGW32_CFLAGS (set below) in Configure script @@ -92,6 +94,8 @@ Patch102: mingw32-openssl-1.0.0-beta3-sfx.patch # Ugly patch to fix a compilation error (the linker can't find # some symbols mentioned in an autogenerated .def file) Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch +# Fix build without fips +Patch106: mingw32-openssl-1.0.0-beta4-nofips.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -156,15 +160,13 @@ Static version of the MinGW port of the OpenSSL toolkit. %{SOURCE1} > /dev/null %patch0 -p1 -b .redhat %patch1 -p1 -b .defaults -# Fix link line for libssl (bug #111154). -%patch2 -p1 -b .krb5 %patch3 -p1 -b .soversion %patch4 -p1 -b .enginesdir %patch5 -p1 -b .no-rpath %patch6 -p1 -b .use-localhost -%patch21 -p1 -b .aliasing-bug %patch23 -p1 -b .default-paths +%patch24 -p1 -b .binutils %patch32 -p1 -b .ia64 #patch33 is applied after make test @@ -180,15 +182,19 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch47 -p1 -b .warning %patch48 -p1 -b .bad-mime %patch49 -p1 -b .algo-doc -%patch50 -p1 -b .curl -%patch51 -p1 -b .const -%patch60 -p1 -b .namingstr -%patch61 -p1 -b .namingblk +%patch50 -p1 -b .dtls1-abi +%patch51 -p1 -b .version + +%patch60 -p1 -b .reneg +%patch61 -p1 -b .client-reneg +%patch62 -p1 -b .backports +%patch63 -p1 -b .reneg-err %patch100 -p1 -b .mingw-configure %patch101 -p1 -b .mingw-libversion %patch102 -p1 -b .mingw-sfx %patch105 -p0 -b .mingw-linker-fix +%patch106 -p1 -b .mingw-nofips # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -206,9 +212,9 @@ export MINGW32_CFLAGS="%{_mingw32_cflags}"; \ --openssldir=%{_mingw32_sysconfdir}/pki/tls \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \ - no-hw shared --cross-compile-prefix=%{_mingw32_target}- \ + no-hw --cross-compile-prefix=%{_mingw32_target}- \ --enginesdir=%{_mingw32_libdir}/openssl/engines \ - mingw + shared mingw # --with-krb5-flavor=MIT # -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib} make depend @@ -347,6 +353,11 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sun Nov 22 2009 Kalev Lember - 1.0.0-0.5.beta4 +- Updated to version 1.0.0 beta 4 +- Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4) +- Added patch to fix build with fips disabled + * Fri Sep 18 2009 Kalev Lember - 1.0.0-0.4.beta3 - Rebuilt to fix debuginfo diff --git a/openssl-0.9.8b-aliasing-bug.patch b/openssl-0.9.8b-aliasing-bug.patch deleted file mode 100644 index 8d3b36a..0000000 --- a/openssl-0.9.8b-aliasing-bug.patch +++ /dev/null @@ -1,24 +0,0 @@ - -This patch fixes a violation of the C aliasing rules that can cause -miscompilation with some compiler versions. - ---- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100 -+++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100 -@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co - static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname) - { - void *ptr; -- DSO_FUNC_TYPE sym, *tsym = &sym; -+ DSO_FUNC_TYPE sym; - - if((dso == NULL) || (symname == NULL)) - { -@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO - DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE); - return(NULL); - } -- *(void **)(tsym) = dlsym(ptr, symname); -+ sym = dlsym(ptr, symname); - if(sym == NULL) - { - DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE); diff --git a/openssl-0.9.8j-ca-dir.patch b/openssl-0.9.8j-ca-dir.patch deleted file mode 100644 index 52c0025..0000000 --- a/openssl-0.9.8j-ca-dir.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf ---- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100 -+++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100 -@@ -34,7 +34,7 @@ default_ca = CA_default # The default c - #################################################################### - [ CA_default ] - --dir = ./demoCA # Where everything is kept -+dir = ../../CA # Where everything is kept - certs = $dir/certs # Where the issued certs are kept - crl_dir = $dir/crl # Where the issued crl are kept - database = $dir/index.txt # database index file. -diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh ---- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200 -+++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100 -@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG" - VERIFY="$OPENSSL verify" - X509="$OPENSSL x509" - --CATOP=./demoCA -+CATOP=../../CA - CAKEY=./cakey.pem - CAREQ=./careq.pem - CACERT=./cacert.pem -diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in ---- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200 -+++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100 -@@ -53,7 +53,7 @@ $VERIFY="$openssl verify"; - $X509="$openssl x509"; - $PKCS12="$openssl pkcs12"; - --$CATOP="./demoCA"; -+$CATOP="../../CA"; - $CAKEY="cakey.pem"; - $CAREQ="careq.pem"; - $CACERT="cacert.pem"; diff --git a/openssl-1.0.0-beta3-const.patch b/openssl-1.0.0-beta3-const.patch deleted file mode 100644 index 77c1c95..0000000 --- a/openssl-1.0.0-beta3-const.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -up openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod ---- openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const 2009-02-14 22:49:37.000000000 +0100 -+++ openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod 2009-08-22 16:15:32.000000000 +0200 -@@ -11,7 +11,7 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits - const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher); - int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits); - char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); -- char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size); -+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size); - - =head1 DESCRIPTION - -diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.const openssl-1.0.0-beta3/ssl/ssl_ciph.c ---- openssl-1.0.0-beta3/ssl/ssl_ciph.c.const 2009-08-22 15:56:12.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-08-22 15:56:12.000000000 +0200 -@@ -1458,7 +1458,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - return(cipherstack); - } - --char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) -+char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) - { - int is_export,pkl,kl; - const char *ver,*exp_str; -diff -up openssl-1.0.0-beta3/ssl/ssl.h.const openssl-1.0.0-beta3/ssl/ssl.h ---- openssl-1.0.0-beta3/ssl/ssl.h.const 2009-08-22 15:56:11.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-22 15:56:12.000000000 +0200 -@@ -1638,7 +1638,7 @@ long SSL_get_default_timeout(const SSL * - - int SSL_library_init(void ); - --char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size); -+char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size); - STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk); - - SSL *SSL_dup(SSL *ssl); diff --git a/openssl-1.0.0-beta3-curl.patch b/openssl-1.0.0-beta3-curl.patch deleted file mode 100644 index 6141c0e..0000000 --- a/openssl-1.0.0-beta3-curl.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up openssl-1.0.0-beta3/apps/tsget.curl openssl-1.0.0-beta3/apps/tsget ---- openssl-1.0.0-beta3/apps/tsget.curl 2006-02-13 00:11:21.000000000 +0100 -+++ openssl-1.0.0-beta3/apps/tsget 2009-08-21 15:37:24.000000000 +0200 -@@ -7,7 +7,7 @@ use strict; - use IO::Handle; - use Getopt::Std; - use File::Basename; --use WWW::Curl::easy; -+use WWW::Curl::Easy; - - use vars qw(%options); - -@@ -37,7 +37,7 @@ sub create_curl { - my $url = shift; - - # Create Curl object. -- my $curl = WWW::Curl::easy::new(); -+ my $curl = WWW::Curl::Easy::new(); - - # Error-handling related options. - $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; -@@ -192,4 +192,4 @@ REQUEST: foreach (@ARGV) { - STDERR->printflush(", $output written.\n") if $options{v}; - } - $curl->cleanup(); --WWW::Curl::easy::global_cleanup(); -+WWW::Curl::Easy::global_cleanup(); diff --git a/openssl-1.0.0-beta3-enginesdir.patch b/openssl-1.0.0-beta3-enginesdir.patch deleted file mode 100644 index 78a3c50..0000000 --- a/openssl-1.0.0-beta3-enginesdir.patch +++ /dev/null @@ -1,52 +0,0 @@ -diff -up openssl-1.0.0-beta3/Configure.enginesdir openssl-1.0.0-beta3/Configure ---- openssl-1.0.0-beta3/Configure.enginesdir 2009-08-10 19:46:32.000000000 +0200 -+++ openssl-1.0.0-beta3/Configure 2009-08-10 19:46:32.000000000 +0200 -@@ -616,6 +616,7 @@ my $idx_multilib = $idx++; - - my $prefix=""; - my $openssldir=""; -+my $enginesdir=""; - my $exe_ext=""; - my $install_prefix=""; - my $cross_compile_prefix=""; -@@ -820,6 +821,10 @@ PROCESS_ARGS: - { - $openssldir=$1; - } -+ elsif (/^--enginesdir=(.*)$/) -+ { -+ $enginesdir=$1; -+ } - elsif (/^--install.prefix=(.*)$/) - { - $install_prefix=$1; -@@ -1037,7 +1042,7 @@ chop $prefix if $prefix =~ /.\/$/; - - $openssldir=$prefix . "/ssl" if $openssldir eq ""; - $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; -- -+$enginesdir="$prefix/lib/engines" if $enginesdir eq ""; - - print "IsMK1MF=$IsMK1MF\n"; - -@@ -1645,7 +1650,7 @@ while () - # $foo is to become "$prefix/lib$multilib/engines"; - # as Makefile.org and engines/Makefile are adapted for - # $multilib suffix. -- my $foo = "$prefix/lib/engines"; -+ my $foo = "$enginesdir"; - $foo =~ s/\\/\\\\/g; - print OUT "#define ENGINESDIR \"$foo\"\n"; - } -diff -up openssl-1.0.0-beta3/engines/Makefile.enginesdir openssl-1.0.0-beta3/engines/Makefile ---- openssl-1.0.0-beta3/engines/Makefile.enginesdir 2009-06-14 04:37:22.000000000 +0200 -+++ openssl-1.0.0-beta3/engines/Makefile 2009-08-10 19:46:48.000000000 +0200 -@@ -123,7 +123,7 @@ install: - sfx=".so"; \ - cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \ - fi; \ -- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \ -+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx ); \ - done; \ - fi diff --git a/openssl-1.0.0-beta3-fipsmode.patch b/openssl-1.0.0-beta3-fipsmode.patch index 643654e..2fbf0a6 100644 --- a/openssl-1.0.0-beta3-fipsmode.patch +++ b/openssl-1.0.0-beta3-fipsmode.patch @@ -222,7 +222,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cbc()); EVP_add_cipher(EVP_des_ede3_cbc()); -@@ -115,6 +121,38 @@ int SSL_library_init(void) +@@ -115,6 +121,40 @@ int SSL_library_init(void) EVP_add_digest(EVP_sha()); EVP_add_digest(EVP_dss()); #endif @@ -241,6 +241,8 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl +#ifndef OPENSSL_NO_MD5 + /* needed even in the FIPS mode for TLS MAC */ + EVP_add_digest(EVP_md5()); ++ EVP_add_digest_alias(SN_md5,"ssl2-md5"); ++ EVP_add_digest_alias(SN_md5,"ssl3-md5"); +#endif +#ifndef OPENSSL_NO_SHA + EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ diff --git a/openssl-1.0.0-beta3-krb5.patch b/openssl-1.0.0-beta3-krb5.patch deleted file mode 100644 index ef7ccde..0000000 --- a/openssl-1.0.0-beta3-krb5.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.0.0-beta3/Makefile.org.krb5 openssl-1.0.0-beta3/Makefile.org ---- openssl-1.0.0-beta3/Makefile.org.krb5 2009-04-23 18:12:09.000000000 +0200 -+++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:01:16.000000000 +0200 -@@ -299,7 +299,7 @@ build-shared: do_$(SHLIB_TARGET) link-sh - - do_$(SHLIB_TARGET): - @ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \ -- if [ "$(SHLIBDIRS)" = "ssl" -a -n "$(LIBKRB5)" ]; then \ -+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ - libs="$(LIBKRB5) $$libs"; \ - fi; \ - $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl-1.0.0-beta3-namingblk.patch b/openssl-1.0.0-beta3-namingblk.patch deleted file mode 100644 index d43e56c..0000000 --- a/openssl-1.0.0-beta3-namingblk.patch +++ /dev/null @@ -1,253 +0,0 @@ -Index: openssl/crypto/asn1/a_set.c -RCS File: /v/openssl/cvs/openssl/crypto/asn1/a_set.c,v -rcsdiff -q -kk '-r1.20' '-r1.20.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/a_set.c,v' 2>/dev/null ---- openssl/crypto/asn1/a_set.c 2009/01/01 18:30:50 1.20 -+++ openssl/crypto/asn1/a_set.c 2009/07/27 21:21:25 1.20.2.1 -@@ -85,7 +85,7 @@ - } - - /* int is_set: if TRUE, then sort the contents (i.e. it isn't a SEQUENCE) */ --int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp, -+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, - i2d_of_void *i2d, int ex_tag, int ex_class, - int is_set) - { -@@ -97,8 +97,8 @@ - int totSize; - - if (a == NULL) return(0); -- for (i=sk_BLOCK_num(a)-1; i>=0; i--) -- ret+=i2d(sk_BLOCK_value(a,i),NULL); -+ for (i=sk_OPENSSL_BLOCK_num(a)-1; i>=0; i--) -+ ret+=i2d(sk_OPENSSL_BLOCK_value(a,i),NULL); - r=ASN1_object_size(1,ret,ex_tag); - if (pp == NULL) return(r); - -@@ -109,10 +109,10 @@ - /* And then again by Ben */ - /* And again by Steve */ - -- if(!is_set || (sk_BLOCK_num(a) < 2)) -+ if(!is_set || (sk_OPENSSL_BLOCK_num(a) < 2)) - { -- for (i=0; i/dev/null ---- openssl/crypto/asn1/asn1.h 2009/07/24 11:15:55 1.166.2.3 -+++ openssl/crypto/asn1/asn1.h 2009/07/27 21:21:25 1.166.2.4 -@@ -887,12 +887,13 @@ - ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out); - int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); - --int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp, -+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, - i2d_of_void *i2d, int ex_tag, int ex_class, - int is_set); --STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp, -+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a, -+ const unsigned char **pp, - long length, d2i_of_void *d2i, -- void (*free_func)(BLOCK), int ex_tag, -+ void (*free_func)(OPENSSL_BLOCK), int ex_tag, - int ex_class); - - #ifndef OPENSSL_NO_BIO -@@ -1045,9 +1046,9 @@ - int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num, - unsigned char *data, int max_len); - --STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, -- d2i_of_void *d2i, void (*free_func)(BLOCK)); --unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d, -+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, -+ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK)); -+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d, - unsigned char **buf, int *len ); - void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i); - void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it); -Index: openssl/crypto/asn1/asn_pack.c -RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v -rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v' 2>/dev/null ---- openssl/crypto/asn1/asn_pack.c 2008/11/12 03:57:49 1.19 -+++ openssl/crypto/asn1/asn_pack.c 2009/07/27 21:21:25 1.19.2.1 -@@ -66,10 +66,10 @@ - - /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */ - --STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, -- d2i_of_void *d2i, void (*free_func)(BLOCK)) -+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, -+ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK)) - { -- STACK_OF(BLOCK) *sk; -+ STACK_OF(OPENSSL_BLOCK) *sk; - const unsigned char *pbuf; - pbuf = buf; - if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func, -@@ -82,7 +82,7 @@ - * OPENSSL_malloc'ed buffer - */ - --unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d, -+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d, - unsigned char **buf, int *len) - { - int safelen; -Index: openssl/crypto/stack/safestack.h -RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v -rcsdiff -q -kk '-r1.72.2.4' '-r1.72.2.5' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null ---- openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4 -+++ openssl/crypto/stack/safestack.h 2009/07/27 21:21:25 1.72.2.5 -@@ -128,8 +128,8 @@ - * nul-terminated. These should also be distinguished from "normal" - * stacks. */ - --typedef void *BLOCK; --DECLARE_SPECIAL_STACK_OF(BLOCK, void) -+typedef void *OPENSSL_BLOCK; -+DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) - - /* SKM_sk_... stack macros are internal to safestack.h: - * never use them directly, use sk__... instead */ -@@ -2055,29 +2055,29 @@ - #define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st)) - - --#define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) --#define sk_BLOCK_new_null() ((STACK_OF(BLOCK) *)sk_new_null()) --#define sk_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val)) --#define sk_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val)) --#define sk_BLOCK_value(st, i) ((BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(BLOCK), st), i)) --#define sk_BLOCK_num(st) SKM_sk_num(BLOCK, st) --#define sk_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_FREE_FUNC2(BLOCK, free_func)) --#define sk_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val), i) --#define sk_BLOCK_free(st) SKM_sk_free(BLOCK, st) --#define sk_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), i, CHECKED_PTR_OF(void, val)) --#define sk_BLOCK_zero(st) SKM_sk_zero(BLOCK, (st)) --#define sk_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val)) --#define sk_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(BLOCK), st), CHECKED_CONST_PTR_OF(void, val)) --#define sk_BLOCK_delete(st, i) SKM_sk_delete(BLOCK, (st), (i)) --#define sk_BLOCK_delete_ptr(st, ptr) (BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, ptr)) --#define sk_BLOCK_set_cmp_func(st, cmp) \ -+#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) -+#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null()) -+#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val)) -+#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val)) -+#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i)) -+#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st) -+#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func)) -+#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i) -+#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st) -+#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val)) -+#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st)) -+#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val)) -+#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val)) -+#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i)) -+#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr)) -+#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp) \ - ((int (*)(const void * const *,const void * const *)) \ -- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp))) --#define sk_BLOCK_dup(st) SKM_sk_dup(BLOCK, st) --#define sk_BLOCK_shift(st) SKM_sk_shift(BLOCK, (st)) --#define sk_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st)) --#define sk_BLOCK_sort(st) SKM_sk_sort(BLOCK, (st)) --#define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st)) -+ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp))) -+#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st) -+#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st)) -+#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st)) -+#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st)) -+#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st)) - - - #define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp))) diff --git a/openssl-1.0.0-beta3-namingstr.patch b/openssl-1.0.0-beta3-namingstr.patch deleted file mode 100644 index 44dee95..0000000 --- a/openssl-1.0.0-beta3-namingstr.patch +++ /dev/null @@ -1,1663 +0,0 @@ -Index: openssl/apps/apps.c -RCS File: /v/openssl/cvs/openssl/apps/apps.c,v -rcsdiff -q -kk '-r1.133.2.6' '-r1.133.2.7' -u '/v/openssl/cvs/openssl/apps/apps.c,v' 2>/dev/null ---- openssl/apps/apps.c 2009/06/29 16:09:58 1.133.2.6 -+++ openssl/apps/apps.c 2009/07/27 21:08:43 1.133.2.7 -@@ -1488,7 +1488,7 @@ - return p; - } - --static unsigned long index_serial_hash(const CSTRING *a) -+static unsigned long index_serial_hash(const OPENSSL_CSTRING *a) - { - const char *n; - -@@ -1497,7 +1497,7 @@ - return(lh_strhash(n)); - } - --static int index_serial_cmp(const CSTRING *a, const CSTRING *b) -+static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) - { - const char *aa,*bb; - -@@ -1509,16 +1509,16 @@ - static int index_name_qual(char **a) - { return(a[0][0] == 'V'); } - --static unsigned long index_name_hash(const CSTRING *a) -+static unsigned long index_name_hash(const OPENSSL_CSTRING *a) - { return(lh_strhash(a[DB_name])); } - --int index_name_cmp(const CSTRING *a, const CSTRING *b) -+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) - { return(strcmp(a[DB_name], b[DB_name])); } - --static IMPLEMENT_LHASH_HASH_FN(index_serial, CSTRING) --static IMPLEMENT_LHASH_COMP_FN(index_serial, CSTRING) --static IMPLEMENT_LHASH_HASH_FN(index_name, CSTRING) --static IMPLEMENT_LHASH_COMP_FN(index_name, CSTRING) -+static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING) -+static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING) -+static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING) -+static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING) - - #undef BSIZE - #define BSIZE 256 -Index: openssl/apps/apps.h -RCS File: /v/openssl/cvs/openssl/apps/apps.h,v -rcsdiff -q -kk '-r1.91' '-r1.91.2.1' -u '/v/openssl/cvs/openssl/apps/apps.h,v' 2>/dev/null ---- openssl/apps/apps.h 2008/11/24 17:27:05 1.91 -+++ openssl/apps/apps.h 2009/07/27 21:08:44 1.91.2.1 -@@ -295,9 +295,9 @@ - int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix); - void free_index(CA_DB *db); - #define index_name_cmp_noconst(a, b) \ -- index_name_cmp((const CSTRING *)CHECKED_PTR_OF(STRING, a), \ -- (const CSTRING *)CHECKED_PTR_OF(STRING, b)) --int index_name_cmp(const CSTRING *a, const CSTRING *b); -+ index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \ -+ (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b)) -+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b); - int parse_yesno(const char *str, int def); - - X509_NAME *parse_name(char *str, long chtype, int multirdn); -Index: openssl/apps/asn1pars.c -RCS File: /v/openssl/cvs/openssl/apps/asn1pars.c,v -rcsdiff -q -kk '-r1.26' '-r1.26.2.1' -u '/v/openssl/cvs/openssl/apps/asn1pars.c,v' 2>/dev/null ---- openssl/apps/asn1pars.c 2008/11/05 18:38:51 1.26 -+++ openssl/apps/asn1pars.c 2009/07/27 21:08:44 1.26.2.1 -@@ -96,7 +96,7 @@ - unsigned char *tmpbuf; - const unsigned char *ctmpbuf; - BUF_MEM *buf=NULL; -- STACK_OF(STRING) *osk=NULL; -+ STACK_OF(OPENSSL_STRING) *osk=NULL; - ASN1_TYPE *at=NULL; - - informat=FORMAT_PEM; -@@ -113,7 +113,7 @@ - prog=argv[0]; - argc--; - argv++; -- if ((osk=sk_STRING_new_null()) == NULL) -+ if ((osk=sk_OPENSSL_STRING_new_null()) == NULL) - { - BIO_printf(bio_err,"Memory allocation failure\n"); - goto end; -@@ -169,7 +169,7 @@ - else if (strcmp(*argv,"-strparse") == 0) - { - if (--argc < 1) goto bad; -- sk_STRING_push(osk,*(++argv)); -+ sk_OPENSSL_STRING_push(osk,*(++argv)); - } - else if (strcmp(*argv,"-genstr") == 0) - { -@@ -302,18 +302,18 @@ - - /* If any structs to parse go through in sequence */ - -- if (sk_STRING_num(osk)) -+ if (sk_OPENSSL_STRING_num(osk)) - { - tmpbuf=(unsigned char *)str; - tmplen=num; -- for (i=0; i/dev/null ---- openssl/apps/ca.c 2009/03/09 13:59:07 1.167 -+++ openssl/apps/ca.c 2009/07/27 21:08:44 1.167.2.1 -@@ -883,9 +883,9 @@ - if (db == NULL) goto err; - - /* Lets check some fields */ -- for (i=0; idb->data); i++) -+ for (i=0; idb->data); i++) - { -- pp=sk_PSTRING_value(db->db->data,i); -+ pp=sk_OPENSSL_PSTRING_value(db->db->data,i); - if ((pp[DB_type][0] != DB_TYPE_REV) && - (pp[DB_rev_date][0] != '\0')) - { -@@ -938,7 +938,7 @@ - #endif - TXT_DB_write(out,db->db); - BIO_printf(bio_err,"%d entries loaded from the database\n", -- sk_PSTRING_num(db->db->data)); -+ sk_OPENSSL_PSTRING_num(db->db->data)); - BIO_printf(bio_err,"generating index\n"); - } - -@@ -1408,9 +1408,9 @@ - - ASN1_TIME_free(tmptm); - -- for (i=0; idb->data); i++) -+ for (i=0; idb->data); i++) - { -- pp=sk_PSTRING_value(db->db->data,i); -+ pp=sk_OPENSSL_PSTRING_value(db->db->data,i); - if (pp[DB_type][0] == DB_TYPE_REV) - { - if ((r=X509_REVOKED_new()) == NULL) goto err; -@@ -1685,9 +1685,9 @@ - int ok= -1,i,j,last,nid; - const char *p; - CONF_VALUE *cv; -- STRING row[DB_NUMBER]; -- STRING *irow=NULL; -- STRING *rrow=NULL; -+ OPENSSL_STRING row[DB_NUMBER]; -+ OPENSSL_STRING *irow=NULL; -+ OPENSSL_STRING *rrow=NULL; - char buf[25]; - - tmptm=ASN1_UTCTIME_new(); -@@ -1929,7 +1929,7 @@ - - if (db->attributes.unique_subject) - { -- STRING *crow=row; -+ OPENSSL_STRING *crow=row; - - rrow=TXT_DB_get_by_index(db->db,DB_name,crow); - if (rrow != NULL) -@@ -2632,9 +2632,9 @@ - else - a_y2k = 0; - -- for (i = 0; i < sk_PSTRING_num(db->db->data); i++) -+ for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) - { -- rrow = sk_PSTRING_value(db->db->data, i); -+ rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); - - if (rrow[DB_type][0] == 'V') - { -Index: openssl/apps/cms.c -RCS File: /v/openssl/cvs/openssl/apps/cms.c,v -rcsdiff -q -kk '-r1.23.2.1' '-r1.23.2.2' -u '/v/openssl/cvs/openssl/apps/cms.c,v' 2>/dev/null ---- openssl/apps/cms.c 2009/04/16 17:22:47 1.23.2.1 -+++ openssl/apps/cms.c 2009/07/27 21:08:44 1.23.2.2 -@@ -71,9 +71,9 @@ - static int save_certs(char *signerfile, STACK_OF(X509) *signers); - static int cms_cb(int ok, X509_STORE_CTX *ctx); - static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); --static CMS_ReceiptRequest *make_receipt_request(STACK_OF(STRING) *rr_to, -+static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, - int rr_allorfirst, -- STACK_OF(STRING) *rr_from); -+ STACK_OF(OPENSSL_STRING) *rr_from); - - #define SMIME_OP 0x10 - #define SMIME_IP 0x20 -@@ -108,7 +108,7 @@ - const char *inmode = "r", *outmode = "w"; - char *infile = NULL, *outfile = NULL, *rctfile = NULL; - char *signerfile = NULL, *recipfile = NULL; -- STACK_OF(STRING) *sksigners = NULL, *skkeys = NULL; -+ STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; - char *certfile = NULL, *keyfile = NULL, *contfile=NULL; - char *certsoutfile = NULL; - const EVP_CIPHER *cipher = NULL; -@@ -122,7 +122,7 @@ - int flags = CMS_DETACHED, noout = 0, print = 0; - int verify_retcode = 0; - int rr_print = 0, rr_allorfirst = -1; -- STACK_OF(STRING) *rr_to = NULL, *rr_from = NULL; -+ STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; - CMS_ReceiptRequest *rr = NULL; - char *to = NULL, *from = NULL, *subject = NULL; - char *CAfile = NULL, *CApath = NULL; -@@ -281,8 +281,8 @@ - goto argerr; - args++; - if (!rr_from) -- rr_from = sk_STRING_new_null(); -- sk_STRING_push(rr_from, *args); -+ rr_from = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(rr_from, *args); - } - else if (!strcmp(*args,"-receipt_request_to")) - { -@@ -290,8 +290,8 @@ - goto argerr; - args++; - if (!rr_to) -- rr_to = sk_STRING_new_null(); -- sk_STRING_push(rr_to, *args); -+ rr_to = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(rr_to, *args); - } - else if (!strcmp (*args, "-print")) - { -@@ -387,13 +387,13 @@ - if (signerfile) - { - if (!sksigners) -- sksigners = sk_STRING_new_null(); -- sk_STRING_push(sksigners, signerfile); -+ sksigners = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!keyfile) - keyfile = signerfile; - if (!skkeys) -- skkeys = sk_STRING_new_null(); -- sk_STRING_push(skkeys, keyfile); -+ skkeys = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(skkeys, keyfile); - keyfile = NULL; - } - signerfile = *++args; -@@ -435,12 +435,12 @@ - goto argerr; - } - if (!sksigners) -- sksigners = sk_STRING_new_null(); -- sk_STRING_push(sksigners, signerfile); -+ sksigners = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(sksigners, signerfile); - signerfile = NULL; - if (!skkeys) -- skkeys = sk_STRING_new_null(); -- sk_STRING_push(skkeys, keyfile); -+ skkeys = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(skkeys, keyfile); - } - keyfile = *++args; - } -@@ -539,13 +539,13 @@ - if (signerfile) - { - if (!sksigners) -- sksigners = sk_STRING_new_null(); -- sk_STRING_push(sksigners, signerfile); -+ sksigners = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!skkeys) -- skkeys = sk_STRING_new_null(); -+ skkeys = sk_OPENSSL_STRING_new_null(); - if (!keyfile) - keyfile = signerfile; -- sk_STRING_push(skkeys, keyfile); -+ sk_OPENSSL_STRING_push(skkeys, keyfile); - } - if (!sksigners) - { -@@ -980,11 +980,11 @@ - } - else - flags |= CMS_REUSE_DIGEST; -- for (i = 0; i < sk_STRING_num(sksigners); i++) -+ for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) - { - CMS_SignerInfo *si; -- signerfile = sk_STRING_value(sksigners, i); -- keyfile = sk_STRING_value(skkeys, i); -+ signerfile = sk_OPENSSL_STRING_value(sksigners, i); -+ keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, - e, "signer certificate"); - if (!signer) -@@ -1160,9 +1160,9 @@ - if (vpm) - X509_VERIFY_PARAM_free(vpm); - if (sksigners) -- sk_STRING_free(sksigners); -+ sk_OPENSSL_STRING_free(sksigners); - if (skkeys) -- sk_STRING_free(skkeys); -+ sk_OPENSSL_STRING_free(skkeys); - if (secret_key) - OPENSSL_free(secret_key); - if (secret_keyid) -@@ -1172,9 +1172,9 @@ - if (rr) - CMS_ReceiptRequest_free(rr); - if (rr_to) -- sk_STRING_free(rr_to); -+ sk_OPENSSL_STRING_free(rr_to); - if (rr_from) -- sk_STRING_free(rr_from); -+ sk_OPENSSL_STRING_free(rr_from); - X509_STORE_free(store); - X509_free(cert); - X509_free(recip); -@@ -1296,7 +1296,7 @@ - } - } - --static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(STRING) *ns) -+static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) - { - int i; - STACK_OF(GENERAL_NAMES) *ret; -@@ -1305,9 +1305,9 @@ - ret = sk_GENERAL_NAMES_new_null(); - if (!ret) - goto err; -- for (i = 0; i < sk_STRING_num(ns); i++) -+ for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) - { -- char *str = sk_STRING_value(ns, i); -+ char *str = sk_OPENSSL_STRING_value(ns, i); - gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); - if (!gen) - goto err; -@@ -1335,9 +1335,9 @@ - } - - --static CMS_ReceiptRequest *make_receipt_request(STACK_OF(STRING) *rr_to, -+static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, - int rr_allorfirst, -- STACK_OF(STRING) *rr_from) -+ STACK_OF(OPENSSL_STRING) *rr_from) - { - STACK_OF(GENERAL_NAMES) *rct_to, *rct_from; - CMS_ReceiptRequest *rr; -Index: openssl/apps/crl2p7.c -RCS File: /v/openssl/cvs/openssl/apps/crl2p7.c,v -rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/apps/crl2p7.c,v' 2>/dev/null ---- openssl/apps/crl2p7.c 2008/06/04 11:00:45 1.19 -+++ openssl/apps/crl2p7.c 2009/07/27 21:08:45 1.19.2.1 -@@ -92,7 +92,7 @@ - PKCS7 *p7 = NULL; - PKCS7_SIGNED *p7s = NULL; - X509_CRL *crl=NULL; -- STACK_OF(STRING) *certflst=NULL; -+ STACK_OF(OPENSSL_STRING) *certflst=NULL; - STACK_OF(X509_CRL) *crl_stack=NULL; - STACK_OF(X509) *cert_stack=NULL; - int ret=1,nocrl=0; -@@ -140,8 +140,8 @@ - else if (strcmp(*argv,"-certfile") == 0) - { - if (--argc < 1) goto bad; -- if(!certflst) certflst = sk_STRING_new_null(); -- sk_STRING_push(certflst,*(++argv)); -+ if(!certflst) certflst = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(certflst,*(++argv)); - } - else - { -@@ -226,8 +226,8 @@ - if ((cert_stack=sk_X509_new_null()) == NULL) goto end; - p7s->cert=cert_stack; - -- if(certflst) for(i = 0; i < sk_STRING_num(certflst); i++) { -- certfile = sk_STRING_value(certflst, i); -+ if(certflst) for(i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { -+ certfile = sk_OPENSSL_STRING_value(certflst, i); - if (add_certs_from_file(cert_stack,certfile) < 0) - { - BIO_printf(bio_err, "error loading certificates\n"); -@@ -236,7 +236,7 @@ - } - } - -- sk_STRING_free(certflst); -+ sk_OPENSSL_STRING_free(certflst); - - if (outfile == NULL) - { -Index: openssl/apps/dgst.c -RCS File: /v/openssl/cvs/openssl/apps/dgst.c,v -rcsdiff -q -kk '-r1.54.2.3' '-r1.54.2.4' -u '/v/openssl/cvs/openssl/apps/dgst.c,v' 2>/dev/null ---- openssl/apps/dgst.c 2009/04/26 12:16:12 1.54.2.3 -+++ openssl/apps/dgst.c 2009/07/27 21:08:45 1.54.2.4 -@@ -127,7 +127,7 @@ - #endif - char *hmac_key=NULL; - char *mac_name=NULL; -- STACK_OF(STRING) *sigopts = NULL, *macopts = NULL; -+ STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; - - apps_startup(); - -@@ -230,8 +230,8 @@ - if (--argc < 1) - break; - if (!sigopts) -- sigopts = sk_STRING_new_null(); -- if (!sigopts || !sk_STRING_push(sigopts, *(++argv))) -+ sigopts = sk_OPENSSL_STRING_new_null(); -+ if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) - break; - } - else if (strcmp(*argv,"-macopt") == 0) -@@ -239,8 +239,8 @@ - if (--argc < 1) - break; - if (!macopts) -- macopts = sk_STRING_new_null(); -- if (!macopts || !sk_STRING_push(macopts, *(++argv))) -+ macopts = sk_OPENSSL_STRING_new_null(); -+ if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) - break; - } - else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) -@@ -365,9 +365,9 @@ - if (macopts) - { - char *macopt; -- for (i = 0; i < sk_STRING_num(macopts); i++) -+ for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) - { -- macopt = sk_STRING_value(macopts, i); -+ macopt = sk_OPENSSL_STRING_value(macopts, i); - if (pkey_ctrl_string(mac_ctx, macopt) <= 0) - { - BIO_printf(bio_err, -@@ -424,9 +424,9 @@ - if (sigopts) - { - char *sigopt; -- for (i = 0; i < sk_STRING_num(sigopts); i++) -+ for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) - { -- sigopt = sk_STRING_value(sigopts, i); -+ sigopt = sk_OPENSSL_STRING_value(sigopts, i); - if (pkey_ctrl_string(pctx, sigopt) <= 0) - { - BIO_printf(bio_err, -@@ -531,9 +531,9 @@ - BIO_free_all(out); - EVP_PKEY_free(sigkey); - if (sigopts) -- sk_STRING_free(sigopts); -+ sk_OPENSSL_STRING_free(sigopts); - if (macopts) -- sk_STRING_free(macopts); -+ sk_OPENSSL_STRING_free(macopts); - if(sigbuf) OPENSSL_free(sigbuf); - if (bmd != NULL) BIO_free(bmd); - apps_shutdown(); -Index: openssl/apps/engine.c -RCS File: /v/openssl/cvs/openssl/apps/engine.c,v -rcsdiff -q -kk '-r1.34' '-r1.34.2.1' -u '/v/openssl/cvs/openssl/apps/engine.c,v' 2>/dev/null ---- openssl/apps/engine.c 2009/02/15 15:29:59 1.34 -+++ openssl/apps/engine.c 2009/07/27 21:08:45 1.34.2.1 -@@ -200,7 +200,7 @@ - char *desc = NULL; - int flags; - int xpos = 0; -- STACK_OF(STRING) *cmds = NULL; -+ STACK_OF(OPENSSL_STRING) *cmds = NULL; - if(!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) || - ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, - 0, NULL, NULL)) <= 0)) -@@ -211,7 +211,7 @@ - return 1; - } - -- cmds = sk_STRING_new_null(); -+ cmds = sk_OPENSSL_STRING_new_null(); - - if(!cmds) - goto err; -@@ -284,16 +284,16 @@ - BIO_printf(bio_out, "\n"); - ret = 1; - err: -- if(cmds) sk_STRING_pop_free(cmds, identity); -+ if(cmds) sk_OPENSSL_STRING_pop_free(cmds, identity); - if(name) OPENSSL_free(name); - if(desc) OPENSSL_free(desc); - return ret; - } - --static void util_do_cmds(ENGINE *e, STACK_OF(STRING) *cmds, BIO *bio_out, -- const char *indent) -+static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, -+ BIO *bio_out, const char *indent) - { -- int loop, res, num = sk_STRING_num(cmds); -+ int loop, res, num = sk_OPENSSL_STRING_num(cmds); - - if(num < 0) - { -@@ -304,7 +304,7 @@ - { - char buf[256]; - const char *cmd, *arg; -- cmd = sk_STRING_value(cmds, loop); -+ cmd = sk_OPENSSL_STRING_value(cmds, loop); - res = 1; /* assume success */ - /* Check if this command has no ":arg" */ - if((arg = strstr(cmd, ":")) == NULL) -@@ -344,9 +344,9 @@ - const char **pp; - int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0; - ENGINE *e; -- STACK_OF(STRING) *engines = sk_STRING_new_null(); -- STACK_OF(STRING) *pre_cmds = sk_STRING_new_null(); -- STACK_OF(STRING) *post_cmds = sk_STRING_new_null(); -+ STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null(); -+ STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null(); -+ STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null(); - int badops=1; - BIO *bio_out=NULL; - const char *indent = " "; -@@ -393,20 +393,20 @@ - argc--; argv++; - if (argc == 0) - goto skip_arg_loop; -- sk_STRING_push(pre_cmds,*argv); -+ sk_OPENSSL_STRING_push(pre_cmds,*argv); - } - else if (strcmp(*argv,"-post") == 0) - { - argc--; argv++; - if (argc == 0) - goto skip_arg_loop; -- sk_STRING_push(post_cmds,*argv); -+ sk_OPENSSL_STRING_push(post_cmds,*argv); - } - else if ((strncmp(*argv,"-h",2) == 0) || - (strcmp(*argv,"-?") == 0)) - goto skip_arg_loop; - else -- sk_STRING_push(engines,*argv); -+ sk_OPENSSL_STRING_push(engines,*argv); - argc--; - argv++; - } -@@ -421,17 +421,17 @@ - goto end; - } - -- if (sk_STRING_num(engines) == 0) -+ if (sk_OPENSSL_STRING_num(engines) == 0) - { - for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) - { -- sk_STRING_push(engines,(char *)ENGINE_get_id(e)); -+ sk_OPENSSL_STRING_push(engines,(char *)ENGINE_get_id(e)); - } - } - -- for (i=0; i/dev/null ---- openssl/apps/ocsp.c 2009/04/02 15:19:03 1.54.2.1 -+++ openssl/apps/ocsp.c 2009/07/27 21:08:45 1.54.2.2 -@@ -99,7 +99,7 @@ - static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer, - STACK_OF(OCSP_CERTID) *ids); - static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, -- STACK_OF(STRING) *names, -+ STACK_OF(OPENSSL_STRING) *names, - STACK_OF(OCSP_CERTID) *ids, long nsec, - long maxage); - -@@ -153,7 +153,7 @@ - int badarg = 0; - int i; - int ignore_err = 0; -- STACK_OF(STRING) *reqnames = NULL; -+ STACK_OF(OPENSSL_STRING) *reqnames = NULL; - STACK_OF(OCSP_CERTID) *ids = NULL; - - X509 *rca_cert = NULL; -@@ -170,7 +170,7 @@ - SSL_load_error_strings(); - OpenSSL_add_ssl_algorithms(); - args = argv + 1; -- reqnames = sk_STRING_new_null(); -+ reqnames = sk_OPENSSL_STRING_new_null(); - ids = sk_OCSP_CERTID_new_null(); - while (!badarg && *args && *args[0] == '-') - { -@@ -432,7 +432,7 @@ - if (!cert_id_md) cert_id_md = EVP_sha1(); - if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) - goto end; -- if(!sk_STRING_push(reqnames, *args)) -+ if(!sk_OPENSSL_STRING_push(reqnames, *args)) - goto end; - } - else badarg = 1; -@@ -445,7 +445,7 @@ - if (!cert_id_md) cert_id_md = EVP_sha1(); - if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids)) - goto end; -- if(!sk_STRING_push(reqnames, *args)) -+ if(!sk_OPENSSL_STRING_push(reqnames, *args)) - goto end; - } - else badarg = 1; -@@ -901,7 +901,7 @@ - OCSP_REQUEST_free(req); - OCSP_RESPONSE_free(resp); - OCSP_BASICRESP_free(bs); -- sk_STRING_free(reqnames); -+ sk_OPENSSL_STRING_free(reqnames); - sk_OCSP_CERTID_free(ids); - sk_X509_pop_free(sign_other, X509_free); - sk_X509_pop_free(verify_other, X509_free); -@@ -971,7 +971,7 @@ - } - - static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, -- STACK_OF(STRING) *names, -+ STACK_OF(OPENSSL_STRING) *names, - STACK_OF(OCSP_CERTID) *ids, long nsec, - long maxage) - { -@@ -983,13 +983,13 @@ - - ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; - -- if (!bs || !req || !sk_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) -+ if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) - return 1; - - for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) - { - id = sk_OCSP_CERTID_value(ids, i); -- name = sk_STRING_value(names, i); -+ name = sk_OPENSSL_STRING_value(names, i); - BIO_printf(out, "%s: ", name); - - if(!OCSP_resp_find_status(bs, id, &status, &reason, -Index: openssl/apps/pkcs12.c -RCS File: /v/openssl/cvs/openssl/apps/pkcs12.c,v -rcsdiff -q -kk '-r1.92.2.1' '-r1.92.2.2' -u '/v/openssl/cvs/openssl/apps/pkcs12.c,v' 2>/dev/null ---- openssl/apps/pkcs12.c 2009/06/17 12:05:49 1.92.2.1 -+++ openssl/apps/pkcs12.c 2009/07/27 21:08:45 1.92.2.2 -@@ -117,7 +117,7 @@ - int ret = 1; - int macver = 1; - int noprompt = 0; -- STACK_OF(STRING) *canames = NULL; -+ STACK_OF(OPENSSL_STRING) *canames = NULL; - char *cpass = NULL, *mpass = NULL; - char *passargin = NULL, *passargout = NULL, *passarg = NULL; - char *passin = NULL, *passout = NULL; -@@ -222,8 +222,8 @@ - } else if (!strcmp (*args, "-caname")) { - if (args[1]) { - args++; -- if (!canames) canames = sk_STRING_new_null(); -- sk_STRING_push(canames, *args); -+ if (!canames) canames = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(canames, *args); - } else badarg = 1; - } else if (!strcmp (*args, "-in")) { - if (args[1]) { -@@ -549,9 +549,9 @@ - - /* Add any CA names */ - -- for (i = 0; i < sk_STRING_num(canames); i++) -+ for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) - { -- catmp = (unsigned char *)sk_STRING_value(canames, i); -+ catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i); - X509_alias_set1(sk_X509_value(certs, i), catmp, -1); - } - -@@ -687,7 +687,7 @@ - #endif - BIO_free(in); - BIO_free_all(out); -- if (canames) sk_STRING_free(canames); -+ if (canames) sk_OPENSSL_STRING_free(canames); - if(passin) OPENSSL_free(passin); - if(passout) OPENSSL_free(passout); - apps_shutdown(); -Index: openssl/apps/req.c -RCS File: /v/openssl/cvs/openssl/apps/req.c,v -rcsdiff -q -kk '-r1.139.2.2' '-r1.139.2.3' -u '/v/openssl/cvs/openssl/apps/req.c,v' 2>/dev/null ---- openssl/apps/req.c 2009/04/23 17:16:38 1.139.2.2 -+++ openssl/apps/req.c 2009/07/27 21:08:45 1.139.2.3 -@@ -165,7 +165,7 @@ - EVP_PKEY_CTX *genctx = NULL; - const char *keyalg = NULL; - char *keyalgstr = NULL; -- STACK_OF(STRING) *pkeyopts = NULL; -+ STACK_OF(OPENSSL_STRING) *pkeyopts = NULL; - EVP_PKEY *pkey=NULL; - int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1; - long newkey = -1; -@@ -306,8 +306,8 @@ - if (--argc < 1) - goto bad; - if (!pkeyopts) -- pkeyopts = sk_STRING_new_null(); -- if (!pkeyopts || !sk_STRING_push(pkeyopts, *(++argv))) -+ pkeyopts = sk_OPENSSL_STRING_new_null(); -+ if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv))) - goto bad; - } - else if (strcmp(*argv,"-batch") == 0) -@@ -667,9 +667,9 @@ - if (pkeyopts) - { - char *genopt; -- for (i = 0; i < sk_STRING_num(pkeyopts); i++) -+ for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) - { -- genopt = sk_STRING_value(pkeyopts, i); -+ genopt = sk_OPENSSL_STRING_value(pkeyopts, i); - if (pkey_ctrl_string(genctx, genopt) <= 0) - { - BIO_printf(bio_err, -@@ -1083,7 +1083,7 @@ - if (genctx) - EVP_PKEY_CTX_free(genctx); - if (pkeyopts) -- sk_STRING_free(pkeyopts); -+ sk_OPENSSL_STRING_free(pkeyopts); - #ifndef OPENSSL_NO_ENGINE - if (gen_eng) - ENGINE_free(gen_eng); -Index: openssl/apps/s_server.c -RCS File: /v/openssl/cvs/openssl/apps/s_server.c,v -rcsdiff -q -kk '-r1.136.2.4' '-r1.136.2.5' -u '/v/openssl/cvs/openssl/apps/s_server.c,v' 2>/dev/null ---- openssl/apps/s_server.c 2009/06/30 16:10:24 1.136.2.4 -+++ openssl/apps/s_server.c 2009/07/27 21:08:46 1.136.2.5 -@@ -712,7 +712,7 @@ - int use_ssl; - unsigned char *rspder = NULL; - int rspderlen; -- STACK_OF(STRING) *aia = NULL; -+ STACK_OF(OPENSSL_STRING) *aia = NULL; - X509 *x = NULL; - X509_STORE_CTX inctx; - X509_OBJECT obj; -@@ -734,7 +734,7 @@ - aia = X509_get1_ocsp(x); - if (aia) - { -- if (!OCSP_parse_url(sk_STRING_value(aia, 0), -+ if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), - &host, &port, &path, &use_ssl)) - { - BIO_puts(err, "cert_status: can't parse AIA URL\n"); -@@ -742,7 +742,7 @@ - } - if (srctx->verbose) - BIO_printf(err, "cert_status: AIA URL: %s\n", -- sk_STRING_value(aia, 0)); -+ sk_OPENSSL_STRING_value(aia, 0)); - } - else - { -Index: openssl/apps/smime.c -RCS File: /v/openssl/cvs/openssl/apps/smime.c,v -rcsdiff -q -kk '-r1.69' '-r1.69.2.1' -u '/v/openssl/cvs/openssl/apps/smime.c,v' 2>/dev/null ---- openssl/apps/smime.c 2008/11/05 18:38:51 1.69 -+++ openssl/apps/smime.c 2009/07/27 21:08:46 1.69.2.1 -@@ -93,7 +93,7 @@ - const char *inmode = "r", *outmode = "w"; - char *infile = NULL, *outfile = NULL; - char *signerfile = NULL, *recipfile = NULL; -- STACK_OF(STRING) *sksigners = NULL, *skkeys = NULL; -+ STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; - char *certfile = NULL, *keyfile = NULL, *contfile=NULL; - const EVP_CIPHER *cipher = NULL; - PKCS7 *p7 = NULL; -@@ -260,13 +260,13 @@ - if (signerfile) - { - if (!sksigners) -- sksigners = sk_STRING_new_null(); -- sk_STRING_push(sksigners, signerfile); -+ sksigners = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!keyfile) - keyfile = signerfile; - if (!skkeys) -- skkeys = sk_STRING_new_null(); -- sk_STRING_push(skkeys, keyfile); -+ skkeys = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(skkeys, keyfile); - keyfile = NULL; - } - signerfile = *++args; -@@ -302,12 +302,12 @@ - goto argerr; - } - if (!sksigners) -- sksigners = sk_STRING_new_null(); -- sk_STRING_push(sksigners, signerfile); -+ sksigners = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(sksigners, signerfile); - signerfile = NULL; - if (!skkeys) -- skkeys = sk_STRING_new_null(); -- sk_STRING_push(skkeys, keyfile); -+ skkeys = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(skkeys, keyfile); - } - keyfile = *++args; - } -@@ -389,13 +389,13 @@ - if (signerfile) - { - if (!sksigners) -- sksigners = sk_STRING_new_null(); -- sk_STRING_push(sksigners, signerfile); -+ sksigners = sk_OPENSSL_STRING_new_null(); -+ sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!skkeys) -- skkeys = sk_STRING_new_null(); -+ skkeys = sk_OPENSSL_STRING_new_null(); - if (!keyfile) - keyfile = signerfile; -- sk_STRING_push(skkeys, keyfile); -+ sk_OPENSSL_STRING_push(skkeys, keyfile); - } - if (!sksigners) - { -@@ -707,10 +707,10 @@ - } - else - flags |= PKCS7_REUSE_DIGEST; -- for (i = 0; i < sk_STRING_num(sksigners); i++) -+ for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) - { -- signerfile = sk_STRING_value(sksigners, i); -- keyfile = sk_STRING_value(skkeys, i); -+ signerfile = sk_OPENSSL_STRING_value(sksigners, i); -+ keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, - e, "signer certificate"); - if (!signer) -@@ -807,9 +807,9 @@ - if (vpm) - X509_VERIFY_PARAM_free(vpm); - if (sksigners) -- sk_STRING_free(sksigners); -+ sk_OPENSSL_STRING_free(sksigners); - if (skkeys) -- sk_STRING_free(skkeys); -+ sk_OPENSSL_STRING_free(skkeys); - X509_STORE_free(store); - X509_free(cert); - X509_free(recip); -Index: openssl/apps/x509.c -RCS File: /v/openssl/cvs/openssl/apps/x509.c,v -rcsdiff -q -kk '-r1.102.2.3' '-r1.102.2.4' -u '/v/openssl/cvs/openssl/apps/x509.c,v' 2>/dev/null ---- openssl/apps/x509.c 2009/07/14 15:14:39 1.102.2.3 -+++ openssl/apps/x509.c 2009/07/27 21:08:46 1.102.2.4 -@@ -738,14 +738,14 @@ - else if ((email == i) || (ocsp_uri == i)) - { - int j; -- STACK_OF(STRING) *emlst; -+ STACK_OF(OPENSSL_STRING) *emlst; - if (email == i) - emlst = X509_get1_email(x); - else - emlst = X509_get1_ocsp(x); -- for (j = 0; j < sk_STRING_num(emlst); j++) -+ for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) - BIO_printf(STDout, "%s\n", -- sk_STRING_value(emlst, j)); -+ sk_OPENSSL_STRING_value(emlst, j)); - X509_email_free(emlst); - } - else if (aliasout == i) -Index: openssl/crypto/cryptlib.c -RCS File: /v/openssl/cvs/openssl/crypto/cryptlib.c,v -rcsdiff -q -kk '-r1.75.2.2' '-r1.75.2.3' -u '/v/openssl/cvs/openssl/crypto/cryptlib.c,v' 2>/dev/null ---- openssl/crypto/cryptlib.c 2009/05/05 19:23:14 1.75.2.2 -+++ openssl/crypto/cryptlib.c 2009/07/27 21:08:48 1.75.2.3 -@@ -174,7 +174,7 @@ - - /* This is for applications to allocate new type names in the non-dynamic - array of lock names. These are numbered with positive numbers. */ --static STACK_OF(STRING) *app_locks=NULL; -+static STACK_OF(OPENSSL_STRING) *app_locks=NULL; - - /* For applications that want a more dynamic way of handling threads, the - following stack is used. These are externally numbered with negative -@@ -210,7 +210,7 @@ - SSLeay_MSVC5_hack=(double)name[0]*(double)name[1]; - #endif - -- if ((app_locks == NULL) && ((app_locks=sk_STRING_new_null()) == NULL)) -+ if ((app_locks == NULL) && ((app_locks=sk_OPENSSL_STRING_new_null()) == NULL)) - { - CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID,ERR_R_MALLOC_FAILURE); - return(0); -@@ -220,7 +220,7 @@ - CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID,ERR_R_MALLOC_FAILURE); - return(0); - } -- i=sk_STRING_push(app_locks,str); -+ i=sk_OPENSSL_STRING_push(app_locks,str); - if (!i) - OPENSSL_free(str); - else -@@ -651,10 +651,10 @@ - return("dynamic"); - else if (type < CRYPTO_NUM_LOCKS) - return(lock_names[type]); -- else if (type-CRYPTO_NUM_LOCKS > sk_STRING_num(app_locks)) -+ else if (type-CRYPTO_NUM_LOCKS > sk_OPENSSL_STRING_num(app_locks)) - return("ERROR"); - else -- return(sk_STRING_value(app_locks,type-CRYPTO_NUM_LOCKS)); -+ return(sk_OPENSSL_STRING_value(app_locks,type-CRYPTO_NUM_LOCKS)); - } - - #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ -Index: openssl/crypto/engine/eng_dyn.c -RCS File: /v/openssl/cvs/openssl/crypto/engine/eng_dyn.c,v -rcsdiff -q -kk '-r1.14' '-r1.14.2.1' -u '/v/openssl/cvs/openssl/crypto/engine/eng_dyn.c,v' 2>/dev/null ---- openssl/crypto/engine/eng_dyn.c 2008/06/04 11:01:29 1.14 -+++ openssl/crypto/engine/eng_dyn.c 2009/07/27 21:08:49 1.14.2.1 -@@ -146,7 +146,7 @@ - * 'dirs' for loading. Default is to use 'dirs' as a fallback. */ - int dir_load; - /* A stack of directories from which ENGINEs could be loaded */ -- STACK_OF(STRING) *dirs; -+ STACK_OF(OPENSSL_STRING) *dirs; - }; - - /* This is the "ex_data" index we obtain and reserve for use with our context -@@ -174,7 +174,7 @@ - if(ctx->engine_id) - OPENSSL_free((void*)ctx->engine_id); - if(ctx->dirs) -- sk_STRING_pop_free(ctx->dirs, int_free_str); -+ sk_OPENSSL_STRING_pop_free(ctx->dirs, int_free_str); - OPENSSL_free(ctx); - } - } -@@ -203,7 +203,7 @@ - c->DYNAMIC_F1 = "v_check"; - c->DYNAMIC_F2 = "bind_engine"; - c->dir_load = 1; -- c->dirs = sk_STRING_new_null(); -+ c->dirs = sk_OPENSSL_STRING_new_null(); - if(!c->dirs) - { - ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX,ERR_R_MALLOC_FAILURE); -@@ -393,7 +393,7 @@ - ERR_R_MALLOC_FAILURE); - return 0; - } -- sk_STRING_insert(ctx->dirs, tmp_str, -1); -+ sk_OPENSSL_STRING_insert(ctx->dirs, tmp_str, -1); - } - return 1; - default: -@@ -411,11 +411,11 @@ - ctx->DYNAMIC_LIBNAME, NULL, 0)) != NULL) - return 1; - /* If we're not allowed to use 'dirs' or we have none, fail */ -- if(!ctx->dir_load || (num = sk_STRING_num(ctx->dirs)) < 1) -+ if(!ctx->dir_load || (num = sk_OPENSSL_STRING_num(ctx->dirs)) < 1) - return 0; - for(loop = 0; loop < num; loop++) - { -- const char *s = sk_STRING_value(ctx->dirs, loop); -+ const char *s = sk_OPENSSL_STRING_value(ctx->dirs, loop); - char *merge = DSO_merge(ctx->dynamic_dso, ctx->DYNAMIC_LIBNAME, s); - if(!merge) - return 0; -Index: openssl/crypto/lhash/lhash.h -RCS File: /v/openssl/cvs/openssl/crypto/lhash/lhash.h,v -rcsdiff -q -kk '-r1.23' '-r1.23.2.1' -u '/v/openssl/cvs/openssl/crypto/lhash/lhash.h,v' 2>/dev/null ---- openssl/crypto/lhash/lhash.h 2008/06/04 11:01:31 1.23 -+++ openssl/crypto/lhash/lhash.h 2009/07/27 21:08:50 1.23.2.1 -@@ -230,8 +230,8 @@ - lh_stats_bio(CHECKED_LHASH_OF(type, lh), out) - #define LHM_lh_free(type, lh) lh_free(CHECKED_LHASH_OF(type, lh)) - --DECLARE_LHASH_OF(STRING); --DECLARE_LHASH_OF(CSTRING); -+DECLARE_LHASH_OF(OPENSSL_STRING); -+DECLARE_LHASH_OF(OPENSSL_CSTRING); - - #ifdef __cplusplus - } -Index: openssl/crypto/stack/safestack.h -RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v -rcsdiff -q -kk '-r1.72.2.3' '-r1.72.2.4' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null ---- openssl/crypto/stack/safestack.h 2009/04/28 21:56:04 1.72.2.3 -+++ openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4 -@@ -110,9 +110,9 @@ - * string. For now, I'm settling for dealing with the fact it is a - * string at all. - */ --typedef char *STRING; -+typedef char *OPENSSL_STRING; - --typedef const char *CSTRING; -+typedef const char *OPENSSL_CSTRING; - - /* Confusingly, LHASH_OF(STRING) deals with char ** throughout, but - * STACK_OF(STRING) is really more like STACK_OF(char), only, as -@@ -122,7 +122,7 @@ - * macros below. - */ - --DECLARE_SPECIAL_STACK_OF(STRING, char) -+DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char) - - /* Similarly, we sometimes use a block of characters, NOT - * nul-terminated. These should also be distinguished from "normal" -@@ -2030,29 +2030,29 @@ - #define sk_void_sort(st) SKM_sk_sort(void, (st)) - #define sk_void_is_sorted(st) SKM_sk_is_sorted(void, (st)) - --#define sk_STRING_new(cmp) ((STACK_OF(STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp))) --#define sk_STRING_new_null() ((STACK_OF(STRING) *)sk_new_null()) --#define sk_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val)) --#define sk_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val)) --#define sk_STRING_value(st, i) ((STRING)sk_value(CHECKED_PTR_OF(STACK_OF(STRING), st), i)) --#define sk_STRING_num(st) SKM_sk_num(STRING, st) --#define sk_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_SK_FREE_FUNC2(STRING, free_func)) --#define sk_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val), i) --#define sk_STRING_free(st) SKM_sk_free(STRING, st) --#define sk_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), i, CHECKED_PTR_OF(char, val)) --#define sk_STRING_zero(st) SKM_sk_zero(STRING, (st)) --#define sk_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val)) --#define sk_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(STRING), st), CHECKED_CONST_PTR_OF(char, val)) --#define sk_STRING_delete(st, i) SKM_sk_delete(STRING, (st), (i)) --#define sk_STRING_delete_ptr(st, ptr) (STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, ptr)) --#define sk_STRING_set_cmp_func(st, cmp) \ -+#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp))) -+#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null()) -+#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) -+#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) -+#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i)) -+#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st) -+#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func)) -+#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val), i) -+#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st) -+#define sk_OPENSSL_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i, CHECKED_PTR_OF(char, val)) -+#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st)) -+#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) -+#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val)) -+#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i)) -+#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, ptr)) -+#define sk_OPENSSL_STRING_set_cmp_func(st, cmp) \ - ((int (*)(const char * const *,const char * const *)) \ -- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_SK_CMP_FUNC(char, cmp))) --#define sk_STRING_dup(st) SKM_sk_dup(STRING, st) --#define sk_STRING_shift(st) SKM_sk_shift(STRING, (st)) --#define sk_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st)) --#define sk_STRING_sort(st) SKM_sk_sort(STRING, (st)) --#define sk_STRING_is_sorted(st) SKM_sk_is_sorted(STRING, (st)) -+ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_CMP_FUNC(char, cmp))) -+#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st) -+#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st)) -+#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st)) -+#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st)) -+#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st)) - - - #define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) -@@ -2080,29 +2080,29 @@ - #define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st)) - - --#define sk_PSTRING_new(cmp) ((STACK_OF(PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(STRING, cmp))) --#define sk_PSTRING_new_null() ((STACK_OF(PSTRING) *)sk_new_null()) --#define sk_PSTRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val)) --#define sk_PSTRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val)) --#define sk_PSTRING_value(st, i) ((PSTRING)sk_value(CHECKED_PTR_OF(STACK_OF(PSTRING), st), i)) --#define sk_PSTRING_num(st) SKM_sk_num(PSTRING, st) --#define sk_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_SK_FREE_FUNC2(PSTRING, free_func)) --#define sk_PSTRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val), i) --#define sk_PSTRING_free(st) SKM_sk_free(PSTRING, st) --#define sk_PSTRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), i, CHECKED_PTR_OF(STRING, val)) --#define sk_PSTRING_zero(st) SKM_sk_zero(PSTRING, (st)) --#define sk_PSTRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val)) --#define sk_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(PSTRING), st), CHECKED_CONST_PTR_OF(STRING, val)) --#define sk_PSTRING_delete(st, i) SKM_sk_delete(PSTRING, (st), (i)) --#define sk_PSTRING_delete_ptr(st, ptr) (PSTRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, ptr)) --#define sk_PSTRING_set_cmp_func(st, cmp) \ -- ((int (*)(const STRING * const *,const STRING * const *)) \ -- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_SK_CMP_FUNC(STRING, cmp))) --#define sk_PSTRING_dup(st) SKM_sk_dup(PSTRING, st) --#define sk_PSTRING_shift(st) SKM_sk_shift(PSTRING, (st)) --#define sk_PSTRING_pop(st) (STRING *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st)) --#define sk_PSTRING_sort(st) SKM_sk_sort(PSTRING, (st)) --#define sk_PSTRING_is_sorted(st) SKM_sk_is_sorted(PSTRING, (st)) -+#define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp))) -+#define sk_OPENSSL_PSTRING_new_null() ((STACK_OF(OPENSSL_PSTRING) *)sk_new_null()) -+#define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val)) -+#define sk_OPENSSL_PSTRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val)) -+#define sk_OPENSSL_PSTRING_value(st, i) ((OPENSSL_PSTRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), i)) -+#define sk_OPENSSL_PSTRING_num(st) SKM_sk_num(OPENSSL_PSTRING, st) -+#define sk_OPENSSL_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_PSTRING, free_func)) -+#define sk_OPENSSL_PSTRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val), i) -+#define sk_OPENSSL_PSTRING_free(st) SKM_sk_free(OPENSSL_PSTRING, st) -+#define sk_OPENSSL_PSTRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), i, CHECKED_PTR_OF(OPENSSL_STRING, val)) -+#define sk_OPENSSL_PSTRING_zero(st) SKM_sk_zero(OPENSSL_PSTRING, (st)) -+#define sk_OPENSSL_PSTRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val)) -+#define sk_OPENSSL_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_CONST_PTR_OF(OPENSSL_STRING, val)) -+#define sk_OPENSSL_PSTRING_delete(st, i) SKM_sk_delete(OPENSSL_PSTRING, (st), (i)) -+#define sk_OPENSSL_PSTRING_delete_ptr(st, ptr) (OPENSSL_PSTRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, ptr)) -+#define sk_OPENSSL_PSTRING_set_cmp_func(st, cmp) \ -+ ((int (*)(const OPENSSL_STRING * const *,const OPENSSL_STRING * const *)) \ -+ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp))) -+#define sk_OPENSSL_PSTRING_dup(st) SKM_sk_dup(OPENSSL_PSTRING, st) -+#define sk_OPENSSL_PSTRING_shift(st) SKM_sk_shift(OPENSSL_PSTRING, (st)) -+#define sk_OPENSSL_PSTRING_pop(st) (OPENSSL_STRING *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st)) -+#define sk_OPENSSL_PSTRING_sort(st) SKM_sk_sort(OPENSSL_PSTRING, (st)) -+#define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st)) - - - #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ -@@ -2390,24 +2390,6 @@ - LHM_lh_stats_bio(CONF_VALUE,lh,out) - #define lh_CONF_VALUE_free(lh) LHM_lh_free(CONF_VALUE,lh) - --#define lh_CSTRING_new() LHM_lh_new(CSTRING,cstring) --#define lh_CSTRING_insert(lh,inst) LHM_lh_insert(CSTRING,lh,inst) --#define lh_CSTRING_retrieve(lh,inst) LHM_lh_retrieve(CSTRING,lh,inst) --#define lh_CSTRING_delete(lh,inst) LHM_lh_delete(CSTRING,lh,inst) --#define lh_CSTRING_doall(lh,fn) LHM_lh_doall(CSTRING,lh,fn) --#define lh_CSTRING_doall_arg(lh,fn,arg_type,arg) \ -- LHM_lh_doall_arg(CSTRING,lh,fn,arg_type,arg) --#define lh_CSTRING_error(lh) LHM_lh_error(CSTRING,lh) --#define lh_CSTRING_num_items(lh) LHM_lh_num_items(CSTRING,lh) --#define lh_CSTRING_down_load(lh) LHM_lh_down_load(CSTRING,lh) --#define lh_CSTRING_node_stats_bio(lh,out) \ -- LHM_lh_node_stats_bio(CSTRING,lh,out) --#define lh_CSTRING_node_usage_stats_bio(lh,out) \ -- LHM_lh_node_usage_stats_bio(CSTRING,lh,out) --#define lh_CSTRING_stats_bio(lh,out) \ -- LHM_lh_stats_bio(CSTRING,lh,out) --#define lh_CSTRING_free(lh) LHM_lh_free(CSTRING,lh) -- - #define lh_ENGINE_PILE_new() LHM_lh_new(ENGINE_PILE,engine_pile) - #define lh_ENGINE_PILE_insert(lh,inst) LHM_lh_insert(ENGINE_PILE,lh,inst) - #define lh_ENGINE_PILE_retrieve(lh,inst) LHM_lh_retrieve(ENGINE_PILE,lh,inst) -@@ -2534,6 +2516,42 @@ - LHM_lh_stats_bio(OBJ_NAME,lh,out) - #define lh_OBJ_NAME_free(lh) LHM_lh_free(OBJ_NAME,lh) - -+#define lh_OPENSSL_CSTRING_new() LHM_lh_new(OPENSSL_CSTRING,openssl_cstring) -+#define lh_OPENSSL_CSTRING_insert(lh,inst) LHM_lh_insert(OPENSSL_CSTRING,lh,inst) -+#define lh_OPENSSL_CSTRING_retrieve(lh,inst) LHM_lh_retrieve(OPENSSL_CSTRING,lh,inst) -+#define lh_OPENSSL_CSTRING_delete(lh,inst) LHM_lh_delete(OPENSSL_CSTRING,lh,inst) -+#define lh_OPENSSL_CSTRING_doall(lh,fn) LHM_lh_doall(OPENSSL_CSTRING,lh,fn) -+#define lh_OPENSSL_CSTRING_doall_arg(lh,fn,arg_type,arg) \ -+ LHM_lh_doall_arg(OPENSSL_CSTRING,lh,fn,arg_type,arg) -+#define lh_OPENSSL_CSTRING_error(lh) LHM_lh_error(OPENSSL_CSTRING,lh) -+#define lh_OPENSSL_CSTRING_num_items(lh) LHM_lh_num_items(OPENSSL_CSTRING,lh) -+#define lh_OPENSSL_CSTRING_down_load(lh) LHM_lh_down_load(OPENSSL_CSTRING,lh) -+#define lh_OPENSSL_CSTRING_node_stats_bio(lh,out) \ -+ LHM_lh_node_stats_bio(OPENSSL_CSTRING,lh,out) -+#define lh_OPENSSL_CSTRING_node_usage_stats_bio(lh,out) \ -+ LHM_lh_node_usage_stats_bio(OPENSSL_CSTRING,lh,out) -+#define lh_OPENSSL_CSTRING_stats_bio(lh,out) \ -+ LHM_lh_stats_bio(OPENSSL_CSTRING,lh,out) -+#define lh_OPENSSL_CSTRING_free(lh) LHM_lh_free(OPENSSL_CSTRING,lh) -+ -+#define lh_OPENSSL_STRING_new() LHM_lh_new(OPENSSL_STRING,openssl_string) -+#define lh_OPENSSL_STRING_insert(lh,inst) LHM_lh_insert(OPENSSL_STRING,lh,inst) -+#define lh_OPENSSL_STRING_retrieve(lh,inst) LHM_lh_retrieve(OPENSSL_STRING,lh,inst) -+#define lh_OPENSSL_STRING_delete(lh,inst) LHM_lh_delete(OPENSSL_STRING,lh,inst) -+#define lh_OPENSSL_STRING_doall(lh,fn) LHM_lh_doall(OPENSSL_STRING,lh,fn) -+#define lh_OPENSSL_STRING_doall_arg(lh,fn,arg_type,arg) \ -+ LHM_lh_doall_arg(OPENSSL_STRING,lh,fn,arg_type,arg) -+#define lh_OPENSSL_STRING_error(lh) LHM_lh_error(OPENSSL_STRING,lh) -+#define lh_OPENSSL_STRING_num_items(lh) LHM_lh_num_items(OPENSSL_STRING,lh) -+#define lh_OPENSSL_STRING_down_load(lh) LHM_lh_down_load(OPENSSL_STRING,lh) -+#define lh_OPENSSL_STRING_node_stats_bio(lh,out) \ -+ LHM_lh_node_stats_bio(OPENSSL_STRING,lh,out) -+#define lh_OPENSSL_STRING_node_usage_stats_bio(lh,out) \ -+ LHM_lh_node_usage_stats_bio(OPENSSL_STRING,lh,out) -+#define lh_OPENSSL_STRING_stats_bio(lh,out) \ -+ LHM_lh_stats_bio(OPENSSL_STRING,lh,out) -+#define lh_OPENSSL_STRING_free(lh) LHM_lh_free(OPENSSL_STRING,lh) -+ - #define lh_SSL_SESSION_new() LHM_lh_new(SSL_SESSION,ssl_session) - #define lh_SSL_SESSION_insert(lh,inst) LHM_lh_insert(SSL_SESSION,lh,inst) - #define lh_SSL_SESSION_retrieve(lh,inst) LHM_lh_retrieve(SSL_SESSION,lh,inst) -@@ -2551,24 +2569,6 @@ - #define lh_SSL_SESSION_stats_bio(lh,out) \ - LHM_lh_stats_bio(SSL_SESSION,lh,out) - #define lh_SSL_SESSION_free(lh) LHM_lh_free(SSL_SESSION,lh) -- --#define lh_STRING_new() LHM_lh_new(STRING,string) --#define lh_STRING_insert(lh,inst) LHM_lh_insert(STRING,lh,inst) --#define lh_STRING_retrieve(lh,inst) LHM_lh_retrieve(STRING,lh,inst) --#define lh_STRING_delete(lh,inst) LHM_lh_delete(STRING,lh,inst) --#define lh_STRING_doall(lh,fn) LHM_lh_doall(STRING,lh,fn) --#define lh_STRING_doall_arg(lh,fn,arg_type,arg) \ -- LHM_lh_doall_arg(STRING,lh,fn,arg_type,arg) --#define lh_STRING_error(lh) LHM_lh_error(STRING,lh) --#define lh_STRING_num_items(lh) LHM_lh_num_items(STRING,lh) --#define lh_STRING_down_load(lh) LHM_lh_down_load(STRING,lh) --#define lh_STRING_node_stats_bio(lh,out) \ -- LHM_lh_node_stats_bio(STRING,lh,out) --#define lh_STRING_node_usage_stats_bio(lh,out) \ -- LHM_lh_node_usage_stats_bio(STRING,lh,out) --#define lh_STRING_stats_bio(lh,out) \ -- LHM_lh_stats_bio(STRING,lh,out) --#define lh_STRING_free(lh) LHM_lh_free(STRING,lh) - /* End of util/mkstack.pl block, you may now edit :-) */ - - #endif /* !defined HEADER_SAFESTACK_H */ -Index: openssl/crypto/txt_db/txt_db.c -RCS File: /v/openssl/cvs/openssl/crypto/txt_db/txt_db.c,v -rcsdiff -q -kk '-r1.25' '-r1.25.2.1' -u '/v/openssl/cvs/openssl/crypto/txt_db/txt_db.c,v' 2>/dev/null ---- openssl/crypto/txt_db/txt_db.c 2008/07/04 23:12:51 1.25 -+++ openssl/crypto/txt_db/txt_db.c 2009/07/27 21:08:51 1.25.2.1 -@@ -78,7 +78,7 @@ - int size=BUFSIZE; - int offset=0; - char *p,*f; -- STRING *pp; -+ OPENSSL_STRING *pp; - BUF_MEM *buf=NULL; - - if ((buf=BUF_MEM_new()) == NULL) goto err; -@@ -89,7 +89,7 @@ - ret->num_fields=num; - ret->index=NULL; - ret->qual=NULL; -- if ((ret->data=sk_PSTRING_new_null()) == NULL) -+ if ((ret->data=sk_OPENSSL_PSTRING_new_null()) == NULL) - goto err; - if ((ret->index=OPENSSL_malloc(sizeof(*ret->index)*num)) == NULL) - goto err; -@@ -163,7 +163,7 @@ - goto err; - } - pp[n]=p; -- if (!sk_PSTRING_push(ret->data,pp)) -+ if (!sk_OPENSSL_PSTRING_push(ret->data,pp)) - { - #if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16) /* temporary fix :-( */ - fprintf(stderr,"failure in sk_push\n"); -@@ -182,7 +182,7 @@ - #endif - if (ret != NULL) - { -- if (ret->data != NULL) sk_PSTRING_free(ret->data); -+ if (ret->data != NULL) sk_OPENSSL_PSTRING_free(ret->data); - if (ret->index != NULL) OPENSSL_free(ret->index); - if (ret->qual != NULL) OPENSSL_free(ret->qual); - if (ret != NULL) OPENSSL_free(ret); -@@ -193,10 +193,10 @@ - return(ret); - } - --STRING *TXT_DB_get_by_index(TXT_DB *db, int idx, STRING *value) -+OPENSSL_STRING *TXT_DB_get_by_index(TXT_DB *db, int idx, OPENSSL_STRING *value) - { -- STRING *ret; -- LHASH_OF(STRING) *lh; -+ OPENSSL_STRING *ret; -+ LHASH_OF(OPENSSL_STRING) *lh; - - if (idx >= db->num_fields) - { -@@ -209,16 +209,16 @@ - db->error=DB_ERROR_NO_INDEX; - return(NULL); - } -- ret=lh_STRING_retrieve(lh,value); -+ ret=lh_OPENSSL_STRING_retrieve(lh,value); - db->error=DB_ERROR_OK; - return(ret); - } - --int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(STRING *), -+int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(OPENSSL_STRING *), - LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp) - { -- LHASH_OF(STRING) *idx; -- STRING *r; -+ LHASH_OF(OPENSSL_STRING) *idx; -+ OPENSSL_STRING *r; - int i,n; - - if (field >= db->num_fields) -@@ -227,26 +227,26 @@ - return(0); - } - /* FIXME: we lose type checking at this point */ -- if ((idx=(LHASH_OF(STRING) *)lh_new(hash,cmp)) == NULL) -+ if ((idx=(LHASH_OF(OPENSSL_STRING) *)lh_new(hash,cmp)) == NULL) - { - db->error=DB_ERROR_MALLOC; - return(0); - } -- n=sk_PSTRING_num(db->data); -+ n=sk_OPENSSL_PSTRING_num(db->data); - for (i=0; idata,i); -+ r=sk_OPENSSL_PSTRING_value(db->data,i); - if ((qual != NULL) && (qual(r) == 0)) continue; -- if ((r=lh_STRING_insert(idx,r)) != NULL) -+ if ((r=lh_OPENSSL_STRING_insert(idx,r)) != NULL) - { - db->error=DB_ERROR_INDEX_CLASH; -- db->arg1=sk_PSTRING_find(db->data,r); -+ db->arg1=sk_OPENSSL_PSTRING_find(db->data,r); - db->arg2=i; -- lh_STRING_free(idx); -+ lh_OPENSSL_STRING_free(idx); - return(0); - } - } -- if (db->index[field] != NULL) lh_STRING_free(db->index[field]); -+ if (db->index[field] != NULL) lh_OPENSSL_STRING_free(db->index[field]); - db->index[field]=idx; - db->qual[field]=qual; - return(1); -@@ -261,11 +261,11 @@ - - if ((buf=BUF_MEM_new()) == NULL) - goto err; -- n=sk_PSTRING_num(db->data); -+ n=sk_OPENSSL_PSTRING_num(db->data); - nn=db->num_fields; - for (i=0; idata,i); -+ pp=sk_OPENSSL_PSTRING_value(db->data,i); - - l=0; - for (j=0; jnum_fields; i++) - { -@@ -311,7 +311,7 @@ - { - if ((db->qual[i] != NULL) && - (db->qual[i](row) == 0)) continue; -- r=lh_STRING_retrieve(db->index[i],row); -+ r=lh_OPENSSL_STRING_retrieve(db->index[i],row); - if (r != NULL) - { - db->error=DB_ERROR_INDEX_CLASH; -@@ -322,7 +322,7 @@ - } - } - /* We have passed the index checks, now just append and insert */ -- if (!sk_PSTRING_push(db->data,row)) -+ if (!sk_OPENSSL_PSTRING_push(db->data,row)) - { - db->error=DB_ERROR_MALLOC; - goto err; -@@ -334,7 +334,7 @@ - { - if ((db->qual[i] != NULL) && - (db->qual[i](row) == 0)) continue; -- (void)lh_STRING_insert(db->index[i],row); -+ (void)lh_OPENSSL_STRING_insert(db->index[i],row); - } - } - return(1); -@@ -353,18 +353,18 @@ - if (db->index != NULL) - { - for (i=db->num_fields-1; i>=0; i--) -- if (db->index[i] != NULL) lh_STRING_free(db->index[i]); -+ if (db->index[i] != NULL) lh_OPENSSL_STRING_free(db->index[i]); - OPENSSL_free(db->index); - } - if (db->qual != NULL) - OPENSSL_free(db->qual); - if (db->data != NULL) - { -- for (i=sk_PSTRING_num(db->data)-1; i>=0; i--) -+ for (i=sk_OPENSSL_PSTRING_num(db->data)-1; i>=0; i--) - { - /* check if any 'fields' have been allocated - * from outside of the initial block */ -- p=sk_PSTRING_value(db->data,i); -+ p=sk_OPENSSL_PSTRING_value(db->data,i); - max=p[db->num_fields]; /* last address */ - if (max == NULL) /* new row */ - { -@@ -380,9 +380,9 @@ - OPENSSL_free(p[n]); - } - } -- OPENSSL_free(sk_PSTRING_value(db->data,i)); -+ OPENSSL_free(sk_OPENSSL_PSTRING_value(db->data,i)); - } -- sk_PSTRING_free(db->data); -+ sk_OPENSSL_PSTRING_free(db->data); - } - OPENSSL_free(db); - } -Index: openssl/crypto/txt_db/txt_db.h -RCS File: /v/openssl/cvs/openssl/crypto/txt_db/txt_db.h,v -rcsdiff -q -kk '-r1.11' '-r1.11.2.1' -u '/v/openssl/cvs/openssl/crypto/txt_db/txt_db.h,v' 2>/dev/null ---- openssl/crypto/txt_db/txt_db.h 2008/06/04 11:01:38 1.11 -+++ openssl/crypto/txt_db/txt_db.h 2009/07/27 21:08:51 1.11.2.1 -@@ -77,19 +77,19 @@ - extern "C" { - #endif - --typedef STRING *PSTRING; --DECLARE_SPECIAL_STACK_OF(PSTRING, STRING) -+typedef OPENSSL_STRING *OPENSSL_PSTRING; -+DECLARE_SPECIAL_STACK_OF(OPENSSL_PSTRING, OPENSSL_STRING) - - typedef struct txt_db_st - { - int num_fields; -- STACK_OF(PSTRING) *data; -- LHASH_OF(STRING) **index; -- int (**qual)(STRING *); -+ STACK_OF(OPENSSL_PSTRING) *data; -+ LHASH_OF(OPENSSL_STRING) **index; -+ int (**qual)(OPENSSL_STRING *); - long error; - long arg1; - long arg2; -- STRING *arg_row; -+ OPENSSL_STRING *arg_row; - } TXT_DB; - - #ifndef OPENSSL_NO_BIO -@@ -99,11 +99,11 @@ - TXT_DB *TXT_DB_read(char *in, int num); - long TXT_DB_write(char *out, TXT_DB *db); - #endif --int TXT_DB_create_index(TXT_DB *db,int field,int (*qual)(STRING *), -+int TXT_DB_create_index(TXT_DB *db,int field,int (*qual)(OPENSSL_STRING *), - LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp); - void TXT_DB_free(TXT_DB *db); --STRING *TXT_DB_get_by_index(TXT_DB *db, int idx, STRING *value); --int TXT_DB_insert(TXT_DB *db, STRING *value); -+OPENSSL_STRING *TXT_DB_get_by_index(TXT_DB *db, int idx, OPENSSL_STRING *value); -+int TXT_DB_insert(TXT_DB *db, OPENSSL_STRING *value); - - #ifdef __cplusplus - } -Index: openssl/crypto/x509v3/v3_utl.c -RCS File: /v/openssl/cvs/openssl/crypto/x509v3/v3_utl.c,v -rcsdiff -q -kk '-r1.44' '-r1.44.2.1' -u '/v/openssl/cvs/openssl/crypto/x509v3/v3_utl.c,v' 2>/dev/null ---- openssl/crypto/x509v3/v3_utl.c 2009/02/14 21:49:36 1.44 -+++ openssl/crypto/x509v3/v3_utl.c 2009/07/27 21:08:53 1.44.2.1 -@@ -67,9 +67,9 @@ - - static char *strip_spaces(char *name); - static int sk_strcmp(const char * const *a, const char * const *b); --static STACK_OF(STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens); --static void str_free(STRING str); --static int append_ia5(STACK_OF(STRING) **sk, ASN1_IA5STRING *email); -+static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens); -+static void str_free(OPENSSL_STRING str); -+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email); - - static int ipv4_from_asc(unsigned char *v4, const char *in); - static int ipv6_from_asc(unsigned char *v6, const char *in); -@@ -463,10 +463,10 @@ - return strcmp(*a, *b); - } - --STACK_OF(STRING) *X509_get1_email(X509 *x) -+STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) - { - GENERAL_NAMES *gens; -- STACK_OF(STRING) *ret; -+ STACK_OF(OPENSSL_STRING) *ret; - - gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); - ret = get_email(X509_get_subject_name(x), gens); -@@ -474,10 +474,10 @@ - return ret; - } - --STACK_OF(STRING) *X509_get1_ocsp(X509 *x) -+STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) - { - AUTHORITY_INFO_ACCESS *info; -- STACK_OF(STRING) *ret = NULL; -+ STACK_OF(OPENSSL_STRING) *ret = NULL; - int i; - - info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL); -@@ -499,11 +499,11 @@ - return ret; - } - --STACK_OF(STRING) *X509_REQ_get1_email(X509_REQ *x) -+STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) - { - GENERAL_NAMES *gens; - STACK_OF(X509_EXTENSION) *exts; -- STACK_OF(STRING) *ret; -+ STACK_OF(OPENSSL_STRING) *ret; - - exts = X509_REQ_get_extensions(x); - gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL); -@@ -514,9 +514,9 @@ - } - - --static STACK_OF(STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens) -+static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens) - { -- STACK_OF(STRING) *ret = NULL; -+ STACK_OF(OPENSSL_STRING) *ret = NULL; - X509_NAME_ENTRY *ne; - ASN1_IA5STRING *email; - GENERAL_NAME *gen; -@@ -539,23 +539,23 @@ - return ret; - } - --static void str_free(STRING str) -+static void str_free(OPENSSL_STRING str) - { - OPENSSL_free(str); - } - --static int append_ia5(STACK_OF(STRING) **sk, ASN1_IA5STRING *email) -+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email) - { - char *emtmp; - /* First some sanity checks */ - if(email->type != V_ASN1_IA5STRING) return 1; - if(!email->data || !email->length) return 1; -- if(!*sk) *sk = sk_STRING_new(sk_strcmp); -+ if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp); - if(!*sk) return 0; - /* Don't add duplicates */ -- if(sk_STRING_find(*sk, (char *)email->data) != -1) return 1; -+ if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1; - emtmp = BUF_strdup((char *)email->data); -- if(!emtmp || !sk_STRING_push(*sk, emtmp)) { -+ if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) { - X509_email_free(*sk); - *sk = NULL; - return 0; -@@ -563,9 +563,9 @@ - return 1; - } - --void X509_email_free(STACK_OF(STRING) *sk) -+void X509_email_free(STACK_OF(OPENSSL_STRING) *sk) - { -- sk_STRING_pop_free(sk, str_free); -+ sk_OPENSSL_STRING_pop_free(sk, str_free); - } - - /* Convert IP addresses both IPv4 and IPv6 into an -Index: openssl/crypto/x509v3/x509v3.h -RCS File: /v/openssl/cvs/openssl/crypto/x509v3/x509v3.h,v -rcsdiff -q -kk '-r1.126.2.1' '-r1.126.2.2' -u '/v/openssl/cvs/openssl/crypto/x509v3/x509v3.h,v' 2>/dev/null ---- openssl/crypto/x509v3/x509v3.h 2009/04/19 17:58:01 1.126.2.1 -+++ openssl/crypto/x509v3/x509v3.h 2009/07/27 21:08:53 1.126.2.2 -@@ -693,10 +693,10 @@ - void X509_PURPOSE_cleanup(void); - int X509_PURPOSE_get_id(X509_PURPOSE *); - --STACK_OF(STRING) *X509_get1_email(X509 *x); --STACK_OF(STRING) *X509_REQ_get1_email(X509_REQ *x); --void X509_email_free(STACK_OF(STRING) *sk); --STACK_OF(STRING) *X509_get1_ocsp(X509 *x); -+STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x); -+STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x); -+void X509_email_free(STACK_OF(OPENSSL_STRING) *sk); -+STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); - - ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); - ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); diff --git a/openssl-0.9.8k-algo-doc.patch b/openssl-1.0.0-beta4-algo-doc.patch similarity index 86% rename from openssl-0.9.8k-algo-doc.patch rename to openssl-1.0.0-beta4-algo-doc.patch index 27521a4..2f18f3f 100644 --- a/openssl-0.9.8k-algo-doc.patch +++ b/openssl-1.0.0-beta4-algo-doc.patch @@ -1,6 +1,6 @@ -diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod ---- openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc 2004-05-20 23:39:50.000000000 +0200 -+++ openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod 2009-06-30 12:04:47.000000000 +0200 +diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod +--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc 2009-10-16 17:29:34.000000000 +0200 ++++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod 2009-11-12 14:13:21.000000000 +0100 @@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_ EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, @@ -45,8 +45,8 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do +signature algorithm is RSA in each case. EVP_dss() and EVP_dss1() return B structures for SHA and SHA1 digest - algorithms but using DSS (DSA) for the signature algorithm. -@@ -156,7 +163,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_ + algorithms but using DSS (DSA) for the signature algorithm. Note: there is +@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_ EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block size in bytes. @@ -56,9 +56,9 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the corresponding EVP_MD structures. -diff -up openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod ---- openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200 -+++ openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod 2009-06-30 12:04:47.000000000 +0200 +diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod +--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200 ++++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod 2009-11-12 14:11:03.000000000 +0100 @@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); diff --git a/openssl-1.0.0-beta4-backports.patch b/openssl-1.0.0-beta4-backports.patch new file mode 100644 index 0000000..ad4c7e4 --- /dev/null +++ b/openssl-1.0.0-beta4-backports.patch @@ -0,0 +1,45 @@ +diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c +--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100 +@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK + } + else ret= *a; + +- ret->save_type=type; +- ret->type=EVP_PKEY_type(type); +- switch (ret->type) ++ if (!EVP_PKEY_set_type(ret, type)) ++ { ++ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB); ++ goto err; ++ } ++ ++ switch (EVP_PKEY_id(ret)) + { + #ifndef OPENSSL_NO_RSA + case EVP_PKEY_RSA: +diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c +--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100 +@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey, + #ifndef OPENSSL_NO_ENGINE + /* If we have an ENGINE release it */ + if (pkey->engine) ++ { + ENGINE_finish(pkey->engine); ++ pkey->engine = NULL; ++ } + #endif + } + if (str) +diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c +--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100 +@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, + offset= -offset; + } + atm.type=ctm->type; ++ atm.flags = 0; + atm.length=sizeof(buff2); + atm.data=(unsigned char *)buff2; + diff --git a/openssl-1.0.0-beta4-binutils.patch b/openssl-1.0.0-beta4-binutils.patch new file mode 100644 index 0000000..d39b2e6 --- /dev/null +++ b/openssl-1.0.0-beta4-binutils.patch @@ -0,0 +1,56 @@ +diff -up openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl +--- openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl 2009-11-12 17:26:08.000000000 +0100 +@@ -19,6 +19,7 @@ my $code; + sub round1_step + { + my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_; ++ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal + $code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1); + $code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1); + $code .= <= (d+n-2)) + { ++#if 0 + /* Because the client does not see any renegotiation during an + attack, we must enforce this on all server hellos, even the + first */ +@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ + return 0; + } ++#endif + return 1; + } + +@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, + return 0; + } + ++#if 0 + if (!renegotiate_seen + && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ + return 0; + } ++#endif + + if (!s->hit && tlsext_servername == 1) + { diff --git a/openssl-1.0.0-beta3-default-paths.patch b/openssl-1.0.0-beta4-default-paths.patch similarity index 66% rename from openssl-1.0.0-beta3-default-paths.patch rename to openssl-1.0.0-beta4-default-paths.patch index 4ed02e0..0b48a27 100644 --- a/openssl-1.0.0-beta3-default-paths.patch +++ b/openssl-1.0.0-beta4-default-paths.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/apps/s_client.c ---- openssl-1.0.0-beta3/apps/s_client.c.default-paths 2009-06-30 18:10:24.000000000 +0200 -+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 18:17:52.000000000 +0200 -@@ -888,12 +888,13 @@ bad: +diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c +--- openssl-1.0.0-beta4/apps/s_client.c.default-paths 2009-08-12 15:21:26.000000000 +0200 ++++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 12:26:32.000000000 +0100 +@@ -889,12 +889,13 @@ bad: if (!set_cert_key_stuff(ctx,cert,key)) goto end; @@ -19,10 +19,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/a } #ifndef OPENSSL_NO_TLSEXT -diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/apps/s_server.c ---- openssl-1.0.0-beta3/apps/s_server.c.default-paths 2009-06-30 18:10:24.000000000 +0200 -+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 18:18:40.000000000 +0200 -@@ -1403,12 +1403,13 @@ bad: +diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c +--- openssl-1.0.0-beta4/apps/s_server.c.default-paths 2009-10-28 18:49:37.000000000 +0100 ++++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 12:31:23.000000000 +0100 +@@ -1408,12 +1408,13 @@ bad: } #endif @@ -40,9 +40,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a } if (vpm) SSL_CTX_set1_param(ctx, vpm); -@@ -1457,8 +1458,11 @@ bad: - - SSL_CTX_sess_set_cache_size(ctx2,128); +@@ -1465,8 +1466,11 @@ bad: + else + SSL_CTX_sess_set_cache_size(ctx2,128); - if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx2))) @@ -54,9 +54,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a { ERR_print_errors(bio_err); } -diff -up openssl-1.0.0-beta3/apps/s_time.c.default-paths openssl-1.0.0-beta3/apps/s_time.c ---- openssl-1.0.0-beta3/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200 -+++ openssl-1.0.0-beta3/apps/s_time.c 2009-08-05 18:00:35.000000000 +0200 +diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c +--- openssl-1.0.0-beta4/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200 ++++ openssl-1.0.0-beta4/apps/s_time.c 2009-11-12 12:26:32.000000000 +0100 @@ -373,12 +373,13 @@ int MAIN(int argc, char **argv) SSL_load_error_strings(); diff --git a/openssl-1.0.0-beta4-dtls1-abi.patch b/openssl-1.0.0-beta4-dtls1-abi.patch new file mode 100644 index 0000000..a50f55d --- /dev/null +++ b/openssl-1.0.0-beta4-dtls1-abi.patch @@ -0,0 +1,25 @@ +Adding struct member is ABI breaker however as the structure is always allocated by +the library calls we just move it to the end and it should be reasonably safe. +diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h +--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi 2009-11-12 14:34:37.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/dtls1.h 2009-11-12 14:47:57.000000000 +0100 +@@ -216,9 +216,6 @@ typedef struct dtls1_state_st + */ + record_pqueue buffered_app_data; + +- /* Is set when listening for new connections with dtls1_listen() */ +- unsigned int listen; +- + unsigned int mtu; /* max DTLS packet size */ + + struct hm_header_st w_msg_hdr; +@@ -242,6 +239,9 @@ typedef struct dtls1_state_st + unsigned int retransmitting; + unsigned int change_cipher_spec_ok; + ++ /* Is set when listening for new connections with dtls1_listen() */ ++ unsigned int listen; ++ + } DTLS1_STATE; + + typedef struct dtls1_record_data_st diff --git a/openssl-1.0.0-beta4-enginesdir.patch b/openssl-1.0.0-beta4-enginesdir.patch new file mode 100644 index 0000000..0a304ce --- /dev/null +++ b/openssl-1.0.0-beta4-enginesdir.patch @@ -0,0 +1,52 @@ +diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure +--- openssl-1.0.0-beta4/Configure.enginesdir 2009-11-12 12:17:59.000000000 +0100 ++++ openssl-1.0.0-beta4/Configure 2009-11-12 12:19:45.000000000 +0100 +@@ -622,6 +622,7 @@ my $idx_multilib = $idx++; + my $prefix=""; + my $libdir=""; + my $openssldir=""; ++my $enginesdir=""; + my $exe_ext=""; + my $install_prefix= "$ENV{'INSTALL_PREFIX'}"; + my $cross_compile_prefix=""; +@@ -833,6 +834,10 @@ PROCESS_ARGS: + { + $openssldir=$1; + } ++ elsif (/^--enginesdir=(.*)$/) ++ { ++ $enginesdir=$1; ++ } + elsif (/^--install.prefix=(.*)$/) + { + $install_prefix=$1; +@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/; + + $openssldir=$prefix . "/ssl" if $openssldir eq ""; + $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; +- ++$enginesdir="$prefix/lib/engines" if $enginesdir eq ""; + + print "IsMK1MF=$IsMK1MF\n"; + +@@ -1676,7 +1681,7 @@ while () + # $foo is to become "$prefix/lib$multilib/engines"; + # as Makefile.org and engines/Makefile are adapted for + # $multilib suffix. +- my $foo = "$prefix/lib/engines"; ++ my $foo = "$enginesdir"; + $foo =~ s/\\/\\\\/g; + print OUT "#define ENGINESDIR \"$foo\"\n"; + } +diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile +--- openssl-1.0.0-beta4/engines/Makefile.enginesdir 2009-11-10 02:52:52.000000000 +0100 ++++ openssl-1.0.0-beta4/engines/Makefile 2009-11-12 12:23:06.000000000 +0100 +@@ -124,7 +124,7 @@ install: + sfx=".so"; \ + cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \ + fi; \ +- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \ ++ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \ + done; \ + fi diff --git a/openssl-1.0.0-beta3-fips.patch b/openssl-1.0.0-beta4-fips.patch similarity index 90% rename from openssl-1.0.0-beta3-fips.patch rename to openssl-1.0.0-beta4-fips.patch index d552198..bc81d71 100644 --- a/openssl-1.0.0-beta3-fips.patch +++ b/openssl-1.0.0-beta4-fips.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure ---- openssl-1.0.0-beta3/Configure.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/Configure 2009-08-11 18:07:30.000000000 +0200 -@@ -654,6 +654,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml +diff -up openssl-1.0.0-beta4/Configure.fips openssl-1.0.0-beta4/Configure +--- openssl-1.0.0-beta4/Configure.fips 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/Configure 2009-11-12 12:36:50.000000000 +0100 +@@ -660,6 +660,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml my $processor=""; my $default_ranlib; my $perl; @@ -9,7 +9,7 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure # All of the following is disabled by default (RC5 was enabled before 0.9.8): -@@ -797,6 +798,10 @@ PROCESS_ARGS: +@@ -806,6 +807,10 @@ PROCESS_ARGS: } elsif (/^386$/) { $processor=386; } @@ -20,7 +20,7 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure elsif (/^rsaref$/) { # No RSAref support any more since it's not needed. -@@ -1349,6 +1354,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no +@@ -1368,6 +1373,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no $cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/); @@ -32,7 +32,7 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); $des_obj=$des_enc unless ($des_obj =~ /\.o$/); $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/); -@@ -1504,6 +1514,10 @@ while () +@@ -1535,6 +1545,10 @@ while () s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/; s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/; @@ -43,9 +43,9 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta3/crypto/bf/bf_skey.c ---- openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/bf/bf_skey.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta4/crypto/bf/bf_skey.c +--- openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bf/bf_skey.c 2009-11-12 12:36:50.000000000 +0100 @@ -59,10 +59,15 @@ #include #include @@ -63,9 +63,9 @@ diff -up openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta3/crypto { int i; BF_LONG *p,ri,in[2]; -diff -up openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips openssl-1.0.0-beta3/crypto/bf/blowfish.h ---- openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/bf/blowfish.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips openssl-1.0.0-beta4/crypto/bf/blowfish.h +--- openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bf/blowfish.h 2009-11-12 12:36:50.000000000 +0100 @@ -104,7 +104,9 @@ typedef struct bf_key_st BF_LONG S[4*256]; } BF_KEY; @@ -77,9 +77,9 @@ diff -up openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips openssl-1.0.0-beta3/crypt void BF_set_key(BF_KEY *key, int len, const unsigned char *data); void BF_encrypt(BF_LONG *data,const BF_KEY *key); -diff -up openssl-1.0.0-beta3/crypto/bn/bn.h.fips openssl-1.0.0-beta3/crypto/bn/bn.h ---- openssl-1.0.0-beta3/crypto/bn/bn.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/bn/bn.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/bn/bn.h.fips openssl-1.0.0-beta4/crypto/bn/bn.h +--- openssl-1.0.0-beta4/crypto/bn/bn.h.fips 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bn/bn.h 2009-11-12 12:36:50.000000000 +0100 @@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); @@ -98,9 +98,9 @@ diff -up openssl-1.0.0-beta3/crypto/bn/bn.h.fips openssl-1.0.0-beta3/crypto/bn/b BN_MONT_CTX *BN_MONT_CTX_new(void ); void BN_MONT_CTX_init(BN_MONT_CTX *ctx); int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b, -diff -up /dev/null openssl-1.0.0-beta3/crypto/bn/bn_x931p.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/bn/bn_x931p.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/bn/bn_x931p.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/bn/bn_x931p.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,272 @@ +/* bn_x931p.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -374,9 +374,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/bn/bn_x931p.c + + } + -diff -up openssl-1.0.0-beta3/crypto/bn/Makefile.fips openssl-1.0.0-beta3/crypto/bn/Makefile ---- openssl-1.0.0-beta3/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/bn/Makefile 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/bn/Makefile.fips openssl-1.0.0-beta4/crypto/bn/Makefile +--- openssl-1.0.0-beta4/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bn/Makefile 2009-11-12 12:36:50.000000000 +0100 @@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_li bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ @@ -393,9 +393,9 @@ diff -up openssl-1.0.0-beta3/crypto/bn/Makefile.fips openssl-1.0.0-beta3/crypto/ SRC= $(LIBSRC) -diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl ---- openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl 2009-08-20 16:54:59.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl +--- openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl 2009-11-12 12:36:50.000000000 +0100 @@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0; } &function_end("Camellia_Ekeygen"); @@ -422,9 +422,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0- } @SBOX=( -diff -up openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips openssl-1.0.0-beta3/crypto/camellia/camellia.h ---- openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/camellia/camellia.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips openssl-1.0.0-beta4/crypto/camellia/camellia.h +--- openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/camellia.h 2009-11-12 12:36:50.000000000 +0100 @@ -88,6 +88,11 @@ struct camellia_key_st }; typedef struct camellia_key_st CAMELLIA_KEY; @@ -437,9 +437,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips openssl-1.0.0-beta3 int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key); -diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c ---- openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips 2009-08-20 17:01:56.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c 2009-08-20 17:03:21.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,68 @@ +/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* ==================================================================== @@ -509,9 +509,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0-beta + return private_Camellia_set_key(userKey, bits, key); + } +#endif -diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c ---- openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c 2009-08-20 17:04:10.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c +--- openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c 2009-11-12 12:36:50.000000000 +0100 @@ -52,11 +52,20 @@ #include #include @@ -533,9 +533,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta { if(!userKey || !key) return -1; -diff -up openssl-1.0.0-beta3/crypto/camellia/Makefile.fips openssl-1.0.0-beta3/crypto/camellia/Makefile ---- openssl-1.0.0-beta3/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/camellia/Makefile 2009-08-20 17:02:56.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/camellia/Makefile.fips openssl-1.0.0-beta4/crypto/camellia/Makefile +--- openssl-1.0.0-beta4/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/Makefile 2009-11-12 12:36:50.000000000 +0100 @@ -23,9 +23,9 @@ APPS= LIB=$(TOP)/libcrypto.a @@ -548,9 +548,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/Makefile.fips openssl-1.0.0-beta3/c SRC= $(LIBSRC) -diff -up openssl-1.0.0-beta3/crypto/cast/cast.h.fips openssl-1.0.0-beta3/crypto/cast/cast.h ---- openssl-1.0.0-beta3/crypto/cast/cast.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/cast/cast.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/cast/cast.h.fips openssl-1.0.0-beta4/crypto/cast/cast.h +--- openssl-1.0.0-beta4/crypto/cast/cast.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/cast/cast.h 2009-11-12 12:36:50.000000000 +0100 @@ -83,7 +83,9 @@ typedef struct cast_key_st int short_key; /* Use reduced rounds for short key */ } CAST_KEY; @@ -562,9 +562,9 @@ diff -up openssl-1.0.0-beta3/crypto/cast/cast.h.fips openssl-1.0.0-beta3/crypto/ void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key, int enc); -diff -up openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips openssl-1.0.0-beta3/crypto/cast/c_skey.c ---- openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/cast/c_skey.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips openssl-1.0.0-beta4/crypto/cast/c_skey.c +--- openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/cast/c_skey.c 2009-11-12 12:36:50.000000000 +0100 @@ -57,6 +57,11 @@ */ @@ -586,9 +586,9 @@ diff -up openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips openssl-1.0.0-beta3/crypt { CAST_LONG x[16]; CAST_LONG z[16]; -diff -up openssl-1.0.0-beta3/crypto/crypto.h.fips openssl-1.0.0-beta3/crypto/crypto.h ---- openssl-1.0.0-beta3/crypto/crypto.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/crypto.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/crypto.h.fips openssl-1.0.0-beta4/crypto/crypto.h +--- openssl-1.0.0-beta4/crypto/crypto.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/crypto.h 2009-11-12 12:36:50.000000000 +0100 @@ -546,12 +546,69 @@ void OpenSSLDie(const char *file,int lin unsigned long *OPENSSL_ia32cap_loc(void); #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) @@ -659,9 +659,9 @@ diff -up openssl-1.0.0-beta3/crypto/crypto.h.fips openssl-1.0.0-beta3/crypto/cry /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips openssl-1.0.0-beta3/crypto/dh/dh_err.c ---- openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/dh/dh_err.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips openssl-1.0.0-beta4/crypto/dh/dh_err.c +--- openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dh/dh_err.c 2009-11-12 12:36:50.000000000 +0100 @@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]= {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"}, {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, @@ -679,9 +679,9 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips openssl-1.0.0-beta3/crypto/ {ERR_REASON(DH_R_KEYS_NOT_SET) ,"keys not set"}, {ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"}, -diff -up openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta3/crypto/dh/dh_gen.c ---- openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dh/dh_gen.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta4/crypto/dh/dh_gen.c +--- openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/dh/dh_gen.c 2009-11-12 12:36:50.000000000 +0100 @@ -65,6 +65,10 @@ #include "cryptlib.h" #include @@ -714,9 +714,9 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta3/crypto/ ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); -diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/dh.h ---- openssl-1.0.0-beta3/crypto/dh/dh.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dh/dh.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/dh/dh.h.fips openssl-1.0.0-beta4/crypto/dh/dh.h +--- openssl-1.0.0-beta4/crypto/dh/dh.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dh/dh.h 2009-11-12 12:36:50.000000000 +0100 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 #endif @@ -726,7 +726,7 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/d #define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH * implementation now uses constant time -@@ -240,6 +242,8 @@ void ERR_load_DH_strings(void); +@@ -241,6 +243,8 @@ void ERR_load_DH_strings(void); #define DH_F_GENERATE_PARAMETERS 104 #define DH_F_PKEY_DH_DERIVE 112 #define DH_F_PKEY_DH_KEYGEN 113 @@ -735,7 +735,7 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/d /* Reason codes. */ #define DH_R_BAD_GENERATOR 101 -@@ -252,6 +256,7 @@ void ERR_load_DH_strings(void); +@@ -253,6 +257,7 @@ void ERR_load_DH_strings(void); #define DH_R_NO_PARAMETERS_SET 107 #define DH_R_NO_PRIVATE_VALUE 100 #define DH_R_PARAMETER_ENCODING_ERROR 105 @@ -743,9 +743,9 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/d #ifdef __cplusplus } -diff -up openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips openssl-1.0.0-beta3/crypto/dh/dh_key.c ---- openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dh/dh_key.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips openssl-1.0.0-beta4/crypto/dh/dh_key.c +--- openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/dh/dh_key.c 2009-11-12 12:36:50.000000000 +0100 @@ -61,6 +61,9 @@ #include #include @@ -795,9 +795,9 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips openssl-1.0.0-beta3/crypto/ dh->flags |= DH_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c ---- openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c +--- openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c 2009-11-12 12:36:50.000000000 +0100 @@ -77,8 +77,12 @@ #include "cryptlib.h" #include @@ -833,9 +833,9 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta3/crypt if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && qsize != SHA256_DIGEST_LENGTH) /* invalid q size */ -diff -up openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips openssl-1.0.0-beta3/crypto/dsa/dsa.h ---- openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dsa/dsa.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips openssl-1.0.0-beta4/crypto/dsa/dsa.h +--- openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dsa/dsa.h 2009-11-12 12:36:50.000000000 +0100 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif @@ -892,18 +892,16 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips openssl-1.0.0-beta3/crypto/ds #define DSA_R_PARAMETER_ENCODING_ERROR 105 #ifdef __cplusplus -diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_key.c ---- openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dsa/dsa_key.c 2009-08-11 18:09:42.000000000 +0200 -@@ -65,9 +65,42 @@ +diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c +--- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-12 12:36:50.000000000 +0100 +@@ -63,9 +63,53 @@ #include #include #include +#include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include "fips_locl.h" static int dsa_builtin_keygen(DSA *dsa); @@ -919,26 +917,39 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt + +int fips_check_dsa(DSA *dsa) + { -+ EVP_PKEY pk; ++ EVP_PKEY *pk; + unsigned char tbs[] = "DSA Pairwise Check Data"; -+ pk.type = EVP_PKEY_DSA; -+ pk.pkey.dsa = dsa; ++ int ret = 0; + -+ if (!fips_pkey_signature_test(&pk, tbs, -1, -+ NULL, 0, EVP_dss1(), 0, NULL)) ++ if ((pk=EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_DSA(pk, dsa); ++ ++ if (!fips_pkey_signature_test(pk, tbs, -1, ++ NULL, 0, EVP_sha1(), 0, NULL)) ++ goto err; ++ ++ ret = 1; ++ ++err: ++ if (ret == 0) + { -+ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); + fips_set_selftest_fail(); -+ return 0; ++ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); + } -+ return 1; ++ ++ if (pk) ++ EVP_PKEY_free(pk); ++ ++ return ret; + } +#endif + int DSA_generate_key(DSA *dsa) { if(dsa->meth->dsa_keygen) -@@ -79,6 +110,14 @@ static int dsa_builtin_keygen(DSA *dsa) +@@ -79,6 +123,14 @@ static int dsa_builtin_keygen(DSA *dsa) BN_CTX *ctx=NULL; BIGNUM *pub_key=NULL,*priv_key=NULL; @@ -953,7 +964,7 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt if ((ctx=BN_CTX_new()) == NULL) goto err; if (dsa->priv_key == NULL) -@@ -117,6 +156,15 @@ static int dsa_builtin_keygen(DSA *dsa) +@@ -117,6 +169,15 @@ static int dsa_builtin_keygen(DSA *dsa) dsa->priv_key=priv_key; dsa->pub_key=pub_key; @@ -969,9 +980,9 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt ok=1; err: -diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c ---- openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c +--- openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c 2009-11-12 12:36:50.000000000 +0100 @@ -65,6 +65,9 @@ #include #include @@ -1043,9 +1054,9 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta3/cryp dsa->flags|=DSA_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypto/err/err_all.c ---- openssl-1.0.0-beta3/crypto/err/err_all.c.fips 2008-11-24 18:27:06.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/err/err_all.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/err/err_all.c.fips openssl-1.0.0-beta4/crypto/err/err_all.c +--- openssl-1.0.0-beta4/crypto/err/err_all.c.fips 2009-08-09 16:58:05.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/err/err_all.c 2009-11-12 12:36:50.000000000 +0100 @@ -96,6 +96,9 @@ #include #include @@ -1056,7 +1067,7 @@ diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypt #ifndef OPENSSL_NO_CMS #include #endif -@@ -148,6 +151,9 @@ void ERR_load_crypto_strings(void) +@@ -149,6 +152,9 @@ void ERR_load_crypto_strings(void) #endif ERR_load_OCSP_strings(); ERR_load_UI_strings(); @@ -1066,9 +1077,9 @@ diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypt #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif -diff -up openssl-1.0.0-beta3/crypto/evp/digest.c.fips openssl-1.0.0-beta3/crypto/evp/digest.c ---- openssl-1.0.0-beta3/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/digest.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto/evp/digest.c +--- openssl-1.0.0-beta4/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/digest.c 2009-11-12 12:36:50.000000000 +0100 @@ -116,6 +116,7 @@ #ifndef OPENSSL_NO_ENGINE #include @@ -1167,9 +1178,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/digest.c.fips openssl-1.0.0-beta3/crypto OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); -diff -up openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips openssl-1.0.0-beta3/crypto/evp/e_aes.c ---- openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/e_aes.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips openssl-1.0.0-beta4/crypto/evp/e_aes.c +--- openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/e_aes.c 2009-11-12 12:36:50.000000000 +0100 @@ -69,32 +69,29 @@ typedef struct IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, @@ -1222,9 +1233,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips openssl-1.0.0-beta3/crypto/ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -diff -up openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta3/crypto/evp/e_camellia.c ---- openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/e_camellia.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta4/crypto/evp/e_camellia.c +--- openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/evp/e_camellia.c 2009-11-12 12:36:50.000000000 +0100 @@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks, EVP_CIPHER_get_asn1_iv, NULL) @@ -1234,9 +1245,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta3/cr IMPLEMENT_CAMELLIA_CFBR(128,1) IMPLEMENT_CAMELLIA_CFBR(192,1) -diff -up openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips openssl-1.0.0-beta3/crypto/evp/e_des3.c ---- openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/e_des3.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips openssl-1.0.0-beta4/crypto/evp/e_des3.c +--- openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/e_des3.c 2009-11-12 12:36:50.000000000 +0100 @@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH } @@ -1281,9 +1292,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips openssl-1.0.0-beta3/crypto des3_ctrl) static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, -diff -up openssl-1.0.0-beta3/crypto/evp/e_null.c.fips openssl-1.0.0-beta3/crypto/evp/e_null.c ---- openssl-1.0.0-beta3/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/e_null.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/e_null.c.fips openssl-1.0.0-beta4/crypto/evp/e_null.c +--- openssl-1.0.0-beta4/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/e_null.c 2009-11-12 12:36:50.000000000 +0100 @@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher= { NID_undef, @@ -1293,9 +1304,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_null.c.fips openssl-1.0.0-beta3/crypto null_init_key, null_cipher, NULL, -diff -up openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta3/crypto/evp/evp_enc.c ---- openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/evp_enc.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta4/crypto/evp/evp_enc.c +--- openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp_enc.c 2009-11-12 12:36:50.000000000 +0100 @@ -68,8 +68,53 @@ const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; @@ -1388,9 +1399,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta3/crypt if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if(!ctx->cipher->init(ctx,key,iv,enc)) return 0; } -diff -up openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips openssl-1.0.0-beta3/crypto/evp/evp_err.c ---- openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/evp_err.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips openssl-1.0.0-beta4/crypto/evp/evp_err.c +--- openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2009-11-12 12:36:50.000000000 +0100 @@ -154,6 +154,7 @@ static ERR_STRING_DATA EVP_str_reasons[] {ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"}, {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"}, @@ -1399,9 +1410,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips openssl-1.0.0-beta3/crypt {ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, -diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/evp/evp.h ---- openssl-1.0.0-beta3/crypto/evp/evp.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/evp.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/evp/evp.h +--- openssl-1.0.0-beta4/crypto/evp/evp.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp.h 2009-11-12 12:36:50.000000000 +0100 @@ -75,6 +75,10 @@ #include #endif @@ -1433,7 +1444,18 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest * in FIPS mode */ -@@ -330,6 +332,14 @@ struct evp_cipher_st +@@ -284,6 +286,10 @@ struct env_md_ctx_st + #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */ + #define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */ + #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */ ++#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \ ++ ((ctx->flags>>16) &0xFFFF) /* seed length */ ++#define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF /* salt len same as digest */ ++#define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE /* salt max or auto recovered */ + + #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */ + +@@ -330,6 +336,14 @@ struct evp_cipher_st #define EVP_CIPH_NO_PADDING 0x100 /* cipher handles random key generation */ #define EVP_CIPH_RAND_KEY 0x200 @@ -1448,7 +1470,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev /* ctrl() values */ -@@ -507,6 +517,10 @@ int EVP_BytesToKey(const EVP_CIPHER *typ +@@ -507,6 +521,10 @@ int EVP_BytesToKey(const EVP_CIPHER *typ const unsigned char *salt, const unsigned char *data, int datal, int count, unsigned char *key,unsigned char *iv); @@ -1459,7 +1481,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl, -@@ -1225,6 +1239,7 @@ void ERR_load_EVP_strings(void); +@@ -1225,6 +1243,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_DECODE_ERROR 114 #define EVP_R_DIFFERENT_KEY_TYPES 101 #define EVP_R_DIFFERENT_PARAMETERS 153 @@ -1467,9 +1489,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev #define EVP_R_ENCODE_ERROR 115 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 -diff -up openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta3/crypto/evp/evp_lib.c ---- openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/evp_lib.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypto/evp/evp_lib.c +--- openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/evp/evp_lib.c 2009-11-12 12:36:50.000000000 +0100 @@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_ if (c->cipher->set_asn1_parameters != NULL) @@ -1517,9 +1539,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta3/crypt + { + return (ctx->flags & flags); + } -diff -up openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta3/crypto/evp/evp_locl.h ---- openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/evp_locl.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/crypto/evp/evp_locl.h +--- openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp_locl.h 2009-11-12 12:36:50.000000000 +0100 @@ -111,11 +111,11 @@ static int cname##_cbc_cipher(EVP_CIPHER static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ {\ @@ -1569,21 +1591,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta3/cryp struct evp_pkey_ctx_st { -diff -up openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss1.c ---- openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/m_dss1.c 2009-08-11 18:07:30.000000000 +0200 -@@ -82,7 +82,7 @@ static const EVP_MD dss1_md= - NID_dsa, - NID_dsaWithSHA1, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_PKEY_DIGEST, -+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS, - init, - update, - final, -diff -up openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss.c ---- openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/m_dss.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss.c +--- openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/evp/m_dss.c 2009-11-12 12:36:50.000000000 +0100 @@ -81,7 +81,7 @@ static const EVP_MD dsa_md= NID_dsaWithSHA, NID_dsaWithSHA, @@ -1593,9 +1603,21 @@ diff -up openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips openssl-1.0.0-beta3/crypto/ init, update, final, -diff -up openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta3/crypto/evp/m_sha1.c ---- openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/m_sha1.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss1.c +--- openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/evp/m_dss1.c 2009-11-12 12:36:50.000000000 +0100 +@@ -82,7 +82,7 @@ static const EVP_MD dss1_md= + NID_dsa, + NID_dsaWithSHA1, + SHA_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_DIGEST, ++ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS, + init, + update, + final, +diff -up openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta4/crypto/evp/m_sha1.c +--- openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/m_sha1.c 2009-11-12 12:36:50.000000000 +0100 @@ -82,7 +82,8 @@ static const EVP_MD sha1_md= NID_sha1, NID_sha1WithRSAEncryption, @@ -1646,9 +1668,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta3/crypto init512, update512, final512, -diff -up openssl-1.0.0-beta3/crypto/evp/names.c.fips openssl-1.0.0-beta3/crypto/evp/names.c ---- openssl-1.0.0-beta3/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/names.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/names.c.fips openssl-1.0.0-beta4/crypto/evp/names.c +--- openssl-1.0.0-beta4/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/evp/names.c 2009-11-12 12:36:50.000000000 +0100 @@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c) { int r; @@ -1671,9 +1693,77 @@ diff -up openssl-1.0.0-beta3/crypto/evp/names.c.fips openssl-1.0.0-beta3/crypto/ name=OBJ_nid2sn(md->type); r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md); if (r == 0) return(0); -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips openssl-1.0.0-beta4/crypto/evp/p_sign.c +--- openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips 2006-05-24 15:29:30.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/evp/p_sign.c 2009-11-12 12:36:50.000000000 +0100 +@@ -61,6 +61,7 @@ + #include + #include + #include ++#include + + #ifdef undef + void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type) +@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + goto err; + if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0) + goto err; ++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931) ++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0) ++ goto err; ++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) ++ { ++ int saltlen; ++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) ++ goto err; ++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx); ++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN) ++ saltlen = -1; ++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC) ++ saltlen = -2; ++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) ++ goto err; ++ } + if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) + goto err; + *siglen = sltmp; +diff -up openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips openssl-1.0.0-beta4/crypto/evp/p_verify.c +--- openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips 2008-11-12 04:58:01.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/p_verify.c 2009-11-12 12:36:50.000000000 +0100 +@@ -61,6 +61,7 @@ + #include + #include + #include ++#include + + int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf, + unsigned int siglen, EVP_PKEY *pkey) +@@ -86,6 +87,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con + goto err; + if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0) + goto err; ++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931) ++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0) ++ goto err; ++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) ++ { ++ int saltlen; ++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) ++ goto err; ++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx); ++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN) ++ saltlen = -1; ++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC) ++ saltlen = -2; ++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) ++ goto err; ++ } + i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); + err: + EVP_PKEY_CTX_free(pkctx); +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,939 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -2614,9 +2704,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,702 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -3320,9 +3410,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,537 @@ +#include + @@ -3861,9 +3951,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,230 @@ +/* + * Crude test driver for processing the VST and MCT testvector files @@ -4095,9 +4185,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c + return 0; + } +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,390 @@ +/* fips_rsagtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4489,9 +4579,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,370 @@ +/* fips_rsastest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4863,9 +4953,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,377 @@ +/* fips_rsavtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5244,9 +5334,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,388 @@ +/* fips_shatest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5636,9 +5726,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,343 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -5983,9 +6073,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h +#endif + } + -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips_err.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips_err.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,7 @@ +#include + @@ -5994,9 +6084,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.c +#else +static void *dummy=&dummy; +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips_err.h 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.h +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips_err.h 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,137 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -6135,10 +6225,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.h + } +#endif + } -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,103 @@ +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-12 12:36:50.000000000 +0100 +@@ -0,0 +1,101 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -6190,9 +6280,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c + +#include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include + +#ifdef OPENSSL_FIPS @@ -6242,9 +6330,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,419 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6665,10 +6753,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.c + + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,139 @@ +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-12 12:36:50.000000000 +0100 +@@ -0,0 +1,137 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -6720,9 +6808,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c + +#include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include +#include + @@ -6808,10 +6894,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,182 @@ +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-12 12:36:50.000000000 +0100 +@@ -0,0 +1,184 @@ +/* crypto/dsa/dsatest.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -6873,9 +6959,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c +#include +#include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include +#include +#include @@ -6931,13 +7015,13 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c + +int FIPS_selftest_dsa() + { -+ DSA *dsa=NULL; ++ DSA *dsa; + int counter,i,j, ret = 0; + unsigned int slen; + unsigned char buf[256]; + unsigned long h; + EVP_MD_CTX mctx; -+ EVP_PKEY pk; ++ EVP_PKEY *pk = NULL; + + EVP_MD_CTX_init(&mctx); + @@ -6966,37 +7050,41 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c + if (i != j || memcmp(buf,out_g,i) != 0) + goto err; + DSA_generate_key(dsa); -+ pk.type = EVP_PKEY_DSA; -+ pk.pkey.dsa = dsa; ++ ++ if ((pk=EVP_PKEY_new()) == NULL) ++ goto err; ++ EVP_PKEY_assign_DSA(pk, dsa); + + if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL)) + goto err; + if (!EVP_SignUpdate(&mctx, str1, 20)) + goto err; -+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) ++ if (!EVP_SignFinal(&mctx, buf, &slen, pk)) + goto err; + + if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL)) + goto err; + if (!EVP_VerifyUpdate(&mctx, str1, 20)) + goto err; -+ if (EVP_VerifyFinal(&mctx, buf, slen, &pk) != 1) ++ if (EVP_VerifyFinal(&mctx, buf, slen, pk) != 1) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_cleanup(&mctx); -+ if (dsa) ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (dsa) + DSA_free(dsa); + if (ret == 0) + FIPSerr(FIPS_F_FIPS_SELFTEST_DSA,FIPS_R_SELFTEST_FAILED); + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips.h 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.h +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips.h 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7161,10 +7249,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.h +} +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,137 @@ +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-12 12:36:50.000000000 +0100 +@@ -0,0 +1,135 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * @@ -7216,9 +7304,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c + +#include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include + +#ifdef OPENSSL_FIPS @@ -7302,10 +7388,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c + return 1; + } +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,412 @@ +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-12 12:36:50.000000000 +0100 +@@ -0,0 +1,410 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. + * @@ -7384,9 +7470,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c +# endif +#endif +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include "fips_locl.h" + +#ifdef OPENSSL_FIPS @@ -7718,9 +7802,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c +} + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.h 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.h +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.h 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,77 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7799,10 +7883,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.h +#endif +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,373 @@ +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-12 12:36:50.000000000 +0100 +@@ -0,0 +1,371 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -7854,9 +7938,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c + +#include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include +#include + @@ -8176,9 +8258,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_randtest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_randtest.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_randtest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_randtest.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,248 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -8428,10 +8510,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_randtest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,434 @@ +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-12 12:36:50.000000000 +0100 +@@ -0,0 +1,439 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. + * @@ -8483,9 +8565,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c + +#include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include +#include +#include @@ -8775,83 +8855,87 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c +int FIPS_selftest_rsa() + { + int ret = 0; -+ RSA *key = NULL; -+ EVP_PKEY pk; -+ key=RSA_new(); -+ setrsakey(key); -+ pk.type = EVP_PKEY_RSA; -+ pk.pkey.rsa = key; ++ RSA *key; ++ EVP_PKEY *pk = NULL; + -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if ((key=RSA_new()) == NULL) ++ goto err; ++ setrsakey(key); ++ if ((pk=EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_RSA(pk, key); ++ ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA1, sizeof(kat_RSA_SHA1), + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA1 PKCS#1")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA224, sizeof(kat_RSA_SHA224), + EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA224 PKCS#1")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA256, sizeof(kat_RSA_SHA256), + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA256 PKCS#1")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA384, sizeof(kat_RSA_SHA384), + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA384 PKCS#1")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA512, sizeof(kat_RSA_SHA512), + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA512 PKCS#1")) + goto err; + -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1), + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA1 PSS")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224), + EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA224 PSS")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256), + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA256 PSS")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384), + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA384 PSS")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512), + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA512 PSS")) + goto err; + + -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1), + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, + "RSA SHA1 X931")) + goto err; + /* NB: SHA224 not supported in X9.31 */ -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256), + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931, + "RSA SHA256 X931")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384), + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931, + "RSA SHA384 X931")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512), + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931, + "RSA SHA512 X931")) @@ -8861,14 +8945,17 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c + ret = 1; + + err: -+ RSA_free(key); ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (key) ++ RSA_free(key); + return ret; + } + +#endif /* def OPENSSL_FIPS */ -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,281 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -9151,10 +9238,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c + return 0; + + } -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,99 @@ +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-12 12:36:50.000000000 +0100 +@@ -0,0 +1,97 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -9206,9 +9293,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c + +#include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif +#include +#include + @@ -9254,9 +9339,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,173 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9431,9 +9516,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c + } + + -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,588 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10023,9 +10108,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_locl.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips_locl.h 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_locl.h +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips_locl.h 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,72 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10099,9 +10184,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_locl.h +} +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/Makefile ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/Makefile +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/Makefile 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,81 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -10184,9 +10269,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/Makefile + +# DO NOT DELETE THIS LINE -- make depend depends on it. + -diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips openssl-1.0.0-beta3/crypto/hmac/hmac.c ---- openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/hmac/hmac.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips openssl-1.0.0-beta4/crypto/hmac/hmac.c +--- openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/hmac/hmac.c 2009-11-12 12:36:50.000000000 +0100 @@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo if (key != NULL) @@ -10212,9 +10297,9 @@ diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips openssl-1.0.0-beta3/crypto/ + EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); + } + -diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips openssl-1.0.0-beta3/crypto/hmac/hmac.h ---- openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/hmac/hmac.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips openssl-1.0.0-beta4/crypto/hmac/hmac.h +--- openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/hmac/hmac.h 2009-11-12 12:36:50.000000000 +0100 @@ -101,6 +101,7 @@ unsigned char *HMAC(const EVP_MD *evp_md unsigned int *md_len); int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); @@ -10223,9 +10308,9 @@ diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips openssl-1.0.0-beta3/crypto/ #ifdef __cplusplus } -diff -up openssl-1.0.0-beta3/crypto/Makefile.fips openssl-1.0.0-beta3/crypto/Makefile ---- openssl-1.0.0-beta3/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/Makefile 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/Makefile.fips openssl-1.0.0-beta4/crypto/Makefile +--- openssl-1.0.0-beta4/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/Makefile 2009-11-12 12:36:50.000000000 +0100 @@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i LIB= $(TOP)/libcrypto.a @@ -10244,120 +10329,9 @@ diff -up openssl-1.0.0-beta3/crypto/Makefile.fips openssl-1.0.0-beta3/crypto/Mak ALL= $(GENERAL) $(SRC) $(HEADER) -diff -up openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta3/crypto/md2/md2_dgst.c ---- openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/md2/md2_dgst.c 2009-08-11 18:07:30.000000000 +0200 -@@ -62,6 +62,11 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ -+#include - - const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT; - -@@ -116,7 +121,7 @@ const char *MD2_options(void) - return("md2(int)"); - } - --int MD2_Init(MD2_CTX *c) -+FIPS_NON_FIPS_MD_Init(MD2) - { - c->num=0; - memset(c->state,0,sizeof c->state); -diff -up openssl-1.0.0-beta3/crypto/md2/md2.h.fips openssl-1.0.0-beta3/crypto/md2/md2.h ---- openssl-1.0.0-beta3/crypto/md2/md2.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/md2/md2.h 2009-08-11 18:07:30.000000000 +0200 -@@ -81,6 +81,9 @@ typedef struct MD2state_st - } MD2_CTX; - - const char *MD2_options(void); -+#ifdef OPENSSL_FIPS -+int private_MD2_Init(MD2_CTX *c); -+#endif - int MD2_Init(MD2_CTX *c); - int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); - int MD2_Final(unsigned char *md, MD2_CTX *c); -diff -up openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta3/crypto/md4/md4_dgst.c ---- openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/md4/md4_dgst.c 2009-08-11 18:07:30.000000000 +0200 -@@ -59,6 +59,11 @@ - #include - #include "md4_locl.h" - #include -+#include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ - - const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT; - -@@ -70,7 +75,7 @@ const char MD4_version[]="MD4" OPENSSL_V - #define INIT_DATA_C (unsigned long)0x98badcfeL - #define INIT_DATA_D (unsigned long)0x10325476L - --int MD4_Init(MD4_CTX *c) -+FIPS_NON_FIPS_MD_Init(MD4) - { - memset (c,0,sizeof(*c)); - c->A=INIT_DATA_A; -diff -up openssl-1.0.0-beta3/crypto/md4/md4.h.fips openssl-1.0.0-beta3/crypto/md4/md4.h ---- openssl-1.0.0-beta3/crypto/md4/md4.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/md4/md4.h 2009-08-11 18:07:30.000000000 +0200 -@@ -105,6 +105,9 @@ typedef struct MD4state_st - unsigned int num; - } MD4_CTX; - -+#ifdef OPENSSL_FIPS -+int private_MD4_Init(MD4_CTX *c); -+#endif - int MD4_Init(MD4_CTX *c); - int MD4_Update(MD4_CTX *c, const void *data, size_t len); - int MD4_Final(unsigned char *md, MD4_CTX *c); -diff -up openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta3/crypto/md5/md5_dgst.c ---- openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/md5/md5_dgst.c 2009-08-11 18:07:30.000000000 +0200 -@@ -59,6 +59,11 @@ - #include - #include "md5_locl.h" - #include -+#include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ - - const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT; - -@@ -70,7 +75,7 @@ const char MD5_version[]="MD5" OPENSSL_V - #define INIT_DATA_C (unsigned long)0x98badcfeL - #define INIT_DATA_D (unsigned long)0x10325476L - --int MD5_Init(MD5_CTX *c) -+FIPS_NON_FIPS_MD_Init(MD5) - { - memset (c,0,sizeof(*c)); - c->A=INIT_DATA_A; -diff -up openssl-1.0.0-beta3/crypto/md5/md5.h.fips openssl-1.0.0-beta3/crypto/md5/md5.h ---- openssl-1.0.0-beta3/crypto/md5/md5.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/md5/md5.h 2009-08-11 18:07:30.000000000 +0200 -@@ -105,6 +105,9 @@ typedef struct MD5state_st - unsigned int num; - } MD5_CTX; - -+#ifdef OPENSSL_FIPS -+int private_MD5_Init(MD5_CTX *c); -+#endif - int MD5_Init(MD5_CTX *c); - int MD5_Update(MD5_CTX *c, const void *data, size_t len); - int MD5_Final(unsigned char *md, MD5_CTX *c); -diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c 2009-11-12 12:36:50.000000000 +0100 @@ -61,6 +61,11 @@ #include #include @@ -10379,9 +10353,9 @@ diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta3/cry { c->num=0; c->pad_type=1; -diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2.h ---- openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/mdc2/mdc2.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2.h +--- openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/mdc2/mdc2.h 2009-11-12 12:36:50.000000000 +0100 @@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st int pad_type; /* either 1 or 2, default 1 */ } MDC2_CTX; @@ -10393,9 +10367,120 @@ diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta3/crypto/ int MDC2_Init(MDC2_CTX *c); int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); int MDC2_Final(unsigned char *md, MDC2_CTX *c); -diff -up openssl-1.0.0-beta3/crypto/mem.c.fips openssl-1.0.0-beta3/crypto/mem.c ---- openssl-1.0.0-beta3/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/mem.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta4/crypto/md2/md2_dgst.c +--- openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/md2/md2_dgst.c 2009-11-12 12:36:50.000000000 +0100 +@@ -62,6 +62,11 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ ++#include + + const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT; + +@@ -116,7 +121,7 @@ const char *MD2_options(void) + return("md2(int)"); + } + +-int MD2_Init(MD2_CTX *c) ++FIPS_NON_FIPS_MD_Init(MD2) + { + c->num=0; + memset(c->state,0,sizeof c->state); +diff -up openssl-1.0.0-beta4/crypto/md2/md2.h.fips openssl-1.0.0-beta4/crypto/md2/md2.h +--- openssl-1.0.0-beta4/crypto/md2/md2.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md2/md2.h 2009-11-12 12:36:50.000000000 +0100 +@@ -81,6 +81,9 @@ typedef struct MD2state_st + } MD2_CTX; + + const char *MD2_options(void); ++#ifdef OPENSSL_FIPS ++int private_MD2_Init(MD2_CTX *c); ++#endif + int MD2_Init(MD2_CTX *c); + int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); + int MD2_Final(unsigned char *md, MD2_CTX *c); +diff -up openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta4/crypto/md4/md4_dgst.c +--- openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md4/md4_dgst.c 2009-11-12 12:36:50.000000000 +0100 +@@ -59,6 +59,11 @@ + #include + #include "md4_locl.h" + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT; + +@@ -70,7 +75,7 @@ const char MD4_version[]="MD4" OPENSSL_V + #define INIT_DATA_C (unsigned long)0x98badcfeL + #define INIT_DATA_D (unsigned long)0x10325476L + +-int MD4_Init(MD4_CTX *c) ++FIPS_NON_FIPS_MD_Init(MD4) + { + memset (c,0,sizeof(*c)); + c->A=INIT_DATA_A; +diff -up openssl-1.0.0-beta4/crypto/md4/md4.h.fips openssl-1.0.0-beta4/crypto/md4/md4.h +--- openssl-1.0.0-beta4/crypto/md4/md4.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md4/md4.h 2009-11-12 12:36:50.000000000 +0100 +@@ -105,6 +105,9 @@ typedef struct MD4state_st + unsigned int num; + } MD4_CTX; + ++#ifdef OPENSSL_FIPS ++int private_MD4_Init(MD4_CTX *c); ++#endif + int MD4_Init(MD4_CTX *c); + int MD4_Update(MD4_CTX *c, const void *data, size_t len); + int MD4_Final(unsigned char *md, MD4_CTX *c); +diff -up openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta4/crypto/md5/md5_dgst.c +--- openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md5/md5_dgst.c 2009-11-12 12:36:50.000000000 +0100 +@@ -59,6 +59,11 @@ + #include + #include "md5_locl.h" + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT; + +@@ -70,7 +75,7 @@ const char MD5_version[]="MD5" OPENSSL_V + #define INIT_DATA_C (unsigned long)0x98badcfeL + #define INIT_DATA_D (unsigned long)0x10325476L + +-int MD5_Init(MD5_CTX *c) ++FIPS_NON_FIPS_MD_Init(MD5) + { + memset (c,0,sizeof(*c)); + c->A=INIT_DATA_A; +diff -up openssl-1.0.0-beta4/crypto/md5/md5.h.fips openssl-1.0.0-beta4/crypto/md5/md5.h +--- openssl-1.0.0-beta4/crypto/md5/md5.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md5/md5.h 2009-11-12 12:36:50.000000000 +0100 +@@ -105,6 +105,9 @@ typedef struct MD5state_st + unsigned int num; + } MD5_CTX; + ++#ifdef OPENSSL_FIPS ++int private_MD5_Init(MD5_CTX *c); ++#endif + int MD5_Init(MD5_CTX *c); + int MD5_Update(MD5_CTX *c, const void *data, size_t len); + int MD5_Final(unsigned char *md, MD5_CTX *c); +diff -up openssl-1.0.0-beta4/crypto/mem.c.fips openssl-1.0.0-beta4/crypto/mem.c +--- openssl-1.0.0-beta4/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/mem.c 2009-11-12 12:36:50.000000000 +0100 @@ -101,7 +101,7 @@ static void (*free_locked_func)(void *) /* may be changed as long as 'allow_customize_debug' is set */ @@ -10405,9 +10490,9 @@ diff -up openssl-1.0.0-beta3/crypto/mem.c.fips openssl-1.0.0-beta3/crypto/mem.c /* use default functions from mem_dbg.c */ static void (*malloc_debug_func)(void *,int,const char *,int,int) = CRYPTO_dbg_malloc; -diff -up /dev/null openssl-1.0.0-beta3/crypto/o_init.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/o_init.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/o_init.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/o_init.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,80 @@ +/* o_init.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10489,9 +10574,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/o_init.c + } + + -diff -up openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips openssl-1.0.0-beta3/crypto/opensslconf.h.in ---- openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/opensslconf.h.in 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips openssl-1.0.0-beta4/crypto/opensslconf.h.in +--- openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/opensslconf.h.in 2009-11-12 12:36:50.000000000 +0100 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -10513,9 +10598,9 @@ diff -up openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips openssl-1.0.0-beta3/cr /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c ---- openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c +--- openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c 2009-11-12 12:36:50.000000000 +0100 @@ -59,6 +59,10 @@ #include #include "cryptlib.h" @@ -10542,9 +10627,9 @@ diff -up openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta3/cr if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; if (!iter) -diff -up openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips openssl-1.0.0-beta3/crypto/rand/md_rand.c ---- openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rand/md_rand.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips openssl-1.0.0-beta4/crypto/rand/md_rand.c +--- openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rand/md_rand.c 2009-11-12 12:36:50.000000000 +0100 @@ -126,6 +126,10 @@ #include @@ -10571,9 +10656,9 @@ diff -up openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips openssl-1.0.0-beta3/cryp #ifdef PREDICT if (rand_predictable) { -diff -up openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips openssl-1.0.0-beta3/crypto/rand/rand_err.c ---- openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rand/rand_err.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips openssl-1.0.0-beta4/crypto/rand/rand_err.c +--- openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rand/rand_err.c 2009-11-12 12:36:50.000000000 +0100 @@ -70,6 +70,13 @@ static ERR_STRING_DATA RAND_str_functs[]= @@ -10606,9 +10691,9 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips openssl-1.0.0-beta3/cry {0,NULL} }; -diff -up openssl-1.0.0-beta3/crypto/rand/rand.h.fips openssl-1.0.0-beta3/crypto/rand/rand.h ---- openssl-1.0.0-beta3/crypto/rand/rand.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rand/rand.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rand/rand.h.fips openssl-1.0.0-beta4/crypto/rand/rand.h +--- openssl-1.0.0-beta4/crypto/rand/rand.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rand/rand.h 2009-11-12 12:36:50.000000000 +0100 @@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -10638,9 +10723,9 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand.h.fips openssl-1.0.0-beta3/crypto/ #ifdef __cplusplus } -diff -up openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta3/crypto/rand/rand_lib.c ---- openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rand/rand_lib.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta4/crypto/rand/rand_lib.c +--- openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rand/rand_lib.c 2009-11-12 12:36:50.000000000 +0100 @@ -60,6 +60,12 @@ #include #include "cryptlib.h" @@ -10674,9 +10759,9 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta3/cry return default_RAND_meth; } -diff -up openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips openssl-1.0.0-beta3/crypto/rc2/rc2.h ---- openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rc2/rc2.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips openssl-1.0.0-beta4/crypto/rc2/rc2.h +--- openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc2/rc2.h 2009-11-12 12:36:50.000000000 +0100 @@ -79,7 +79,9 @@ typedef struct rc2_key_st RC2_INT data[64]; } RC2_KEY; @@ -10688,9 +10773,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips openssl-1.0.0-beta3/crypto/rc void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, int enc); -diff -up openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c ---- openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c +--- openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c 2009-11-12 12:36:50.000000000 +0100 @@ -57,6 +57,11 @@ */ @@ -10724,9 +10809,31 @@ diff -up openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta3/cryp int i,j; unsigned char *k; RC2_INT *ki; -diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl ---- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl +--- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl 2009-11-12 12:36:50.000000000 +0100 +@@ -202,4 +202,6 @@ RC4_options: + .string "rc4(8x,char)" + ___ + ++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); ++ + print $code; +diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl +--- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl 2009-11-12 12:36:50.000000000 +0100 +@@ -499,6 +499,8 @@ ___ + + $code =~ s/#([bwd])/$1/gm; + ++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); ++ + print $code; + + close STDOUT; +diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl +--- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl 2009-11-12 12:36:50.000000000 +0100 @@ -166,8 +166,12 @@ $idx="edx"; &external_label("OPENSSL_ia32cap_P"); @@ -10750,31 +10857,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta3/ # const char *RC4_options(void); &function_begin_B("RC4_options"); -diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl ---- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl 2009-08-11 18:07:30.000000000 +0200 -@@ -202,4 +202,6 @@ RC4_options: - .string "rc4(8x,char)" - ___ - -+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); -+ - print $code; -diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl ---- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl 2009-08-11 18:07:30.000000000 +0200 -@@ -499,6 +499,8 @@ ___ - - $code =~ s/#([bwd])/$1/gm; - -+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); -+ - print $code; - - close STDOUT; -diff -up openssl-1.0.0-beta3/crypto/rc4/Makefile.fips openssl-1.0.0-beta3/crypto/rc4/Makefile ---- openssl-1.0.0-beta3/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rc4/Makefile 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rc4/Makefile.fips openssl-1.0.0-beta4/crypto/rc4/Makefile +--- openssl-1.0.0-beta4/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/Makefile 2009-11-12 12:36:50.000000000 +0100 @@ -21,8 +21,8 @@ TEST=rc4test.c APPS= @@ -10786,9 +10871,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/Makefile.fips openssl-1.0.0-beta3/crypto SRC= $(LIBSRC) -diff -up /dev/null openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c 2009-08-11 18:07:30.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c +--- /dev/null 2009-11-04 12:00:58.801002276 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c 2009-11-12 12:36:50.000000000 +0100 @@ -0,0 +1,75 @@ +/* crypto/rc4/rc4_fblk.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10865,9 +10950,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c + } +#endif + -diff -up openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips openssl-1.0.0-beta3/crypto/rc4/rc4.h ---- openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rc4/rc4.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips openssl-1.0.0-beta4/crypto/rc4/rc4.h +--- openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/rc4.h 2009-11-12 12:36:50.000000000 +0100 @@ -78,6 +78,9 @@ typedef struct rc4_key_st @@ -10878,9 +10963,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips openssl-1.0.0-beta3/crypto/rc void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); void RC4(RC4_KEY *key, size_t len, const unsigned char *indata, unsigned char *outdata); -diff -up openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c ---- openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c +--- openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c 2009-11-12 12:36:50.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "rc4_locl.h" @@ -10918,9 +11003,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta3/cryp unsigned char *cp=(unsigned char *)d; for (i=0;i<256;i++) cp[i]=i; -diff -up openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta3/crypto/ripemd/ripemd.h ---- openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/ripemd/ripemd.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta4/crypto/ripemd/ripemd.h +--- openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/ripemd/ripemd.h 2009-11-12 12:36:50.000000000 +0100 @@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st unsigned int num; } RIPEMD160_CTX; @@ -10931,9 +11016,9 @@ diff -up openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta3/cry int RIPEMD160_Init(RIPEMD160_CTX *c); int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len); int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); -diff -up openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c 2009-11-12 12:36:50.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "rmd_locl.h" @@ -10955,17 +11040,15 @@ diff -up openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta3/c { memset (c,0,sizeof(*c)); c->A=RIPEMD160_A; -diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c ---- openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c 2009-08-11 18:07:30.000000000 +0200 -@@ -116,6 +116,10 @@ +diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c +--- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-12 12:36:50.000000000 +0100 +@@ -114,6 +114,8 @@ #include #include #include +#include -+#ifdef OPENSSL_FIPS +#include -+#endif #ifndef RSA_NULL @@ -11218,9 +11301,9 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta3/crypt rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; return(1); } -diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_err.c ---- openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_err.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_err.c +--- openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_err.c 2009-11-12 12:36:50.000000000 +0100 @@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"}, @@ -11247,10 +11330,10 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta3/crypt {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, -diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c ---- openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c 2009-08-11 18:07:30.000000000 +0200 -@@ -67,6 +67,77 @@ +diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c +--- openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c 2009-11-12 12:36:50.000000000 +0100 +@@ -67,6 +67,82 @@ #include "cryptlib.h" #include #include @@ -11272,16 +11355,19 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt + const unsigned char tbs[] = "RSA Pairwise Check Data"; + unsigned char *ctbuf = NULL, *ptbuf = NULL; + int len, ret = 0; -+ EVP_PKEY pk; -+ pk.type = EVP_PKEY_RSA; -+ pk.pkey.rsa = rsa; ++ EVP_PKEY *pk; ++ ++ if ((pk=EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_RSA(pk, rsa); + + /* Perform pairwise consistency signature test */ -+ if (!fips_pkey_signature_test(&pk, tbs, -1, ++ if (!fips_pkey_signature_test(pk, tbs, -1, + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) -+ || !fips_pkey_signature_test(&pk, tbs, -1, ++ || !fips_pkey_signature_test(pk, tbs, -1, + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL) -+ || !fips_pkey_signature_test(&pk, tbs, -1, ++ || !fips_pkey_signature_test(pk, tbs, -1, + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL)) + goto err; + /* Now perform pairwise consistency encrypt/decrypt test */ @@ -11321,6 +11407,8 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt + OPENSSL_free(ctbuf); + if (ptbuf) + OPENSSL_free(ptbuf); ++ if (pk) ++ EVP_PKEY_free(pk); + + return ret; + } @@ -11328,7 +11416,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); -@@ -90,6 +161,23 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -90,6 +166,23 @@ static int rsa_builtin_keygen(RSA *rsa, int bitsp,bitsq,ok= -1,n=0; BN_CTX *ctx=NULL; @@ -11352,7 +11440,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); -@@ -201,6 +289,17 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -201,6 +294,17 @@ static int rsa_builtin_keygen(RSA *rsa, p = rsa->p; if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; @@ -11370,9 +11458,9 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt ok=1; err: if (ok == -1) -diff -up openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips openssl-1.0.0-beta3/crypto/rsa/rsa.h ---- openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa.h 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips openssl-1.0.0-beta4/crypto/rsa/rsa.h +--- openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa.h 2009-11-12 12:36:50.000000000 +0100 @@ -74,6 +74,21 @@ #error RSA is disabled. #endif @@ -11442,9 +11530,9 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips openssl-1.0.0-beta3/crypto/rs #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 #define RSA_R_PADDING_CHECK_FAILED 114 #define RSA_R_P_NOT_PRIME 128 -diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c ---- openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips 2008-08-06 17:54:14.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c +--- openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips 2009-08-05 17:04:16.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c 2009-11-12 12:36:50.000000000 +0100 @@ -80,6 +80,13 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -11520,63 +11608,9 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta3/crypt return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); } -@@ -422,51 +462,8 @@ err: - BN_CTX_end(ctx); - if (in_ctx == NULL) - BN_CTX_free(ctx); -+ if(rsa->e == NULL) -+ BN_free(e); - - return ret; - } -- --int RSA_memory_lock(RSA *r) -- { -- int i,j,k,off; -- char *p; -- BIGNUM *bn,**t[6],*b; -- BN_ULONG *ul; -- -- if (r->d == NULL) return(1); -- t[0]= &r->d; -- t[1]= &r->p; -- t[2]= &r->q; -- t[3]= &r->dmp1; -- t[4]= &r->dmq1; -- t[5]= &r->iqmp; -- k=sizeof(BIGNUM)*6; -- off=k/sizeof(BN_ULONG)+1; -- j=1; -- for (i=0; i<6; i++) -- j+= (*t[i])->top; -- if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL) -- { -- RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE); -- return(0); -- } -- bn=(BIGNUM *)p; -- ul=(BN_ULONG *)&(p[off]); -- for (i=0; i<6; i++) -- { -- b= *(t[i]); -- *(t[i])= &(bn[i]); -- memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM)); -- bn[i].flags=BN_FLG_STATIC_DATA; -- bn[i].d=ul; -- memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top); -- ul+=b->top; -- BN_clear_free(b); -- } -- -- /* I should fix this so it can still be done */ -- r->flags&= ~(RSA_FLAG_CACHE_PRIVATE|RSA_FLAG_CACHE_PUBLIC); -- -- r->bignum_data=p; -- return(1); -- } -diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c ---- openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c +--- openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c 2009-11-12 12:36:50.000000000 +0100 @@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig,&p); s=tmps; @@ -11608,9 +11642,57 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta3/cryp if (i <= 0) goto err; -diff -up openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha1dgst.c ---- openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/sha/sha1dgst.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha_dgst.c +--- openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha_dgst.c 2009-11-12 12:36:50.000000000 +0100 +@@ -57,6 +57,12 @@ + */ + + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ ++#include + #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) + + #undef SHA_1 +diff -up openssl-1.0.0-beta4/crypto/sha/sha.h.fips openssl-1.0.0-beta4/crypto/sha/sha.h +--- openssl-1.0.0-beta4/crypto/sha/sha.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha.h 2009-11-12 12:36:50.000000000 +0100 +@@ -106,6 +106,9 @@ typedef struct SHAstate_st + } SHA_CTX; + + #ifndef OPENSSL_NO_SHA0 ++#ifdef OPENSSL_FIPS ++int private_SHA_Init(SHA_CTX *c); ++#endif + int SHA_Init(SHA_CTX *c); + int SHA_Update(SHA_CTX *c, const void *data, size_t len); + int SHA_Final(unsigned char *md, SHA_CTX *c); +diff -up openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta4/crypto/sha/sha_locl.h +--- openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips 2009-11-12 12:36:49.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha_locl.h 2009-11-12 12:36:50.000000000 +0100 +@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, + #define INIT_DATA_h3 0x10325476UL + #define INIT_DATA_h4 0xc3d2e1f0UL + ++#if defined(SHA_0) && defined(OPENSSL_FIPS) ++FIPS_NON_FIPS_MD_Init(SHA) ++#else + int HASH_INIT (SHA_CTX *c) ++#endif + { ++#if defined(SHA_1) && defined(OPENSSL_FIPS) ++ FIPS_selftest_check(); ++#endif + memset (c,0,sizeof(*c)); + c->h0=INIT_DATA_h0; + c->h1=INIT_DATA_h1; +diff -up openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha1dgst.c +--- openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha1dgst.c 2009-11-12 12:36:50.000000000 +0100 @@ -63,6 +63,10 @@ #define SHA_1 @@ -11622,9 +11704,9 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta3/cryp const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT; -diff -up openssl-1.0.0-beta3/crypto/sha/sha256.c.fips openssl-1.0.0-beta3/crypto/sha/sha256.c ---- openssl-1.0.0-beta3/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/sha/sha256.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/sha/sha256.c.fips openssl-1.0.0-beta4/crypto/sha/sha256.c +--- openssl-1.0.0-beta4/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha256.c 2009-11-12 12:36:50.000000000 +0100 @@ -12,12 +12,19 @@ #include @@ -11655,9 +11737,9 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha256.c.fips openssl-1.0.0-beta3/crypto memset (c,0,sizeof(*c)); c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL; c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; -diff -up openssl-1.0.0-beta3/crypto/sha/sha512.c.fips openssl-1.0.0-beta3/crypto/sha/sha512.c ---- openssl-1.0.0-beta3/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/sha/sha512.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/crypto/sha/sha512.c.fips openssl-1.0.0-beta4/crypto/sha/sha512.c +--- openssl-1.0.0-beta4/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha512.c 2009-11-12 12:36:50.000000000 +0100 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -11698,58 +11780,10 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha512.c.fips openssl-1.0.0-beta3/crypto asm ("rotrdi %0,%1,%2" \ : "=r"(ret) \ : "r"(a),"K"(n)); ret; }) -diff -up openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha_dgst.c ---- openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/sha/sha_dgst.c 2009-08-11 18:07:30.000000000 +0200 -@@ -57,6 +57,12 @@ - */ - - #include -+#include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ -+#include - #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) - - #undef SHA_1 -diff -up openssl-1.0.0-beta3/crypto/sha/sha.h.fips openssl-1.0.0-beta3/crypto/sha/sha.h ---- openssl-1.0.0-beta3/crypto/sha/sha.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/sha/sha.h 2009-08-11 18:07:30.000000000 +0200 -@@ -106,6 +106,9 @@ typedef struct SHAstate_st - } SHA_CTX; - - #ifndef OPENSSL_NO_SHA0 -+#ifdef OPENSSL_FIPS -+int private_SHA_Init(SHA_CTX *c); -+#endif - int SHA_Init(SHA_CTX *c); - int SHA_Update(SHA_CTX *c, const void *data, size_t len); - int SHA_Final(unsigned char *md, SHA_CTX *c); -diff -up openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta3/crypto/sha/sha_locl.h ---- openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/sha/sha_locl.h 2009-08-11 18:07:30.000000000 +0200 -@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, - #define INIT_DATA_h3 0x10325476UL - #define INIT_DATA_h4 0xc3d2e1f0UL - -+#if defined(SHA_0) && defined(OPENSSL_FIPS) -+FIPS_NON_FIPS_MD_Init(SHA) -+#else - int HASH_INIT (SHA_CTX *c) -+#endif - { -+#if defined(SHA_1) && defined(OPENSSL_FIPS) -+ FIPS_selftest_check(); -+#endif - memset (c,0,sizeof(*c)); - c->h0=INIT_DATA_h0; - c->h1=INIT_DATA_h1; -diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org ---- openssl-1.0.0-beta3/Makefile.org.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/Makefile.org 2009-08-11 18:07:30.000000000 +0200 -@@ -109,6 +109,9 @@ LIBKRB5= +diff -up openssl-1.0.0-beta4/Makefile.org.fips openssl-1.0.0-beta4/Makefile.org +--- openssl-1.0.0-beta4/Makefile.org.fips 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/Makefile.org 2009-11-12 12:36:50.000000000 +0100 +@@ -110,6 +110,9 @@ LIBKRB5= ZLIB_INCLUDE= LIBZLIB= @@ -11759,7 +11793,7 @@ diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org DIRS= crypto ssl engines apps test tools ENGDIRS= ccgost SHLIBDIRS= crypto ssl -@@ -121,7 +124,7 @@ SDIRS= \ +@@ -122,7 +125,7 @@ SDIRS= \ bn ec rsa dsa ecdsa dh ecdh dso engine \ buffer bio stack lhash rand err \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \ @@ -11768,7 +11802,7 @@ diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org # keep in mind that the above list is adjusted by ./Configure # according to no-xxx arguments... -@@ -204,6 +207,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS +@@ -206,6 +209,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \ WP_ASM_OBJ='$(WP_ASM_OBJ)' \ PERLASM_SCHEME='$(PERLASM_SCHEME)' \ @@ -11776,124 +11810,9 @@ diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.0-beta3/ssl/s23_clnt.c.fips openssl-1.0.0-beta3/ssl/s23_clnt.c ---- openssl-1.0.0-beta3/ssl/s23_clnt.c.fips 2009-04-07 19:01:07.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s23_clnt.c 2009-08-11 18:07:30.000000000 +0200 -@@ -332,6 +332,14 @@ static int ssl23_client_hello(SSL *s) - version_major = TLS1_VERSION_MAJOR; - version_minor = TLS1_VERSION_MINOR; - } -+#ifdef OPENSSL_FIPS -+ else if(FIPS_mode()) -+ { -+ SSLerr(SSL_F_SSL23_CLIENT_HELLO, -+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); -+ return -1; -+ } -+#endif - else if (version == SSL3_VERSION) - { - version_major = SSL3_VERSION_MAJOR; -@@ -615,6 +623,14 @@ static int ssl23_get_server_hello(SSL *s - if ((p[2] == SSL3_VERSION_MINOR) && - !(s->options & SSL_OP_NO_SSLv3)) - { -+#ifdef OPENSSL_FIPS -+ if(FIPS_mode()) -+ { -+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, -+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); -+ goto err; -+ } -+#endif - s->version=SSL3_VERSION; - s->method=SSLv3_client_method(); - } -diff -up openssl-1.0.0-beta3/ssl/s23_srvr.c.fips openssl-1.0.0-beta3/ssl/s23_srvr.c ---- openssl-1.0.0-beta3/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s23_srvr.c 2009-08-11 18:07:30.000000000 +0200 -@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) - } - } - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && (s->version < TLS1_VERSION)) -+ { -+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, -+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); -+ goto err; -+ } -+#endif -+ - if (s->state == SSL23_ST_SR_CLNT_HELLO_B) - { - /* we have SSLv3/TLSv1 in an SSLv2 header -diff -up openssl-1.0.0-beta3/ssl/s3_clnt.c.fips openssl-1.0.0-beta3/ssl/s3_clnt.c ---- openssl-1.0.0-beta3/ssl/s3_clnt.c.fips 2009-06-16 18:39:20.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s3_clnt.c 2009-08-11 18:07:30.000000000 +0200 -@@ -156,6 +156,10 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ - #ifndef OPENSSL_NO_DH - #include - #endif -@@ -1524,6 +1528,8 @@ int ssl3_get_key_exchange(SSL *s) - q=md_buf; - for (num=2; num > 0; num--) - { -+ EVP_MD_CTX_set_flags(&md_ctx, -+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_DigestInit_ex(&md_ctx,(num == 2) - ?s->ctx->md5:s->ctx->sha1, NULL); - EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); -diff -up openssl-1.0.0-beta3/ssl/s3_enc.c.fips openssl-1.0.0-beta3/ssl/s3_enc.c ---- openssl-1.0.0-beta3/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s3_enc.c 2009-08-11 18:07:30.000000000 +0200 -@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL * - #endif - k=0; - EVP_MD_CTX_init(&m5); -+ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_MD_CTX_init(&s1); - for (i=0; (int)is3->tmp.new_cipher->algorithm2) && md) - { - s->s3->handshake_dgst[i]=EVP_MD_CTX_create(); -+ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], -+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL); - EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen); - } -@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in - return 0; - } - EVP_MD_CTX_init(&ctx); -+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_MD_CTX_copy_ex(&ctx,d); - n=EVP_MD_CTX_size(&ctx); - if (n < 0) -diff -up openssl-1.0.0-beta3/ssl/s3_srvr.c.fips openssl-1.0.0-beta3/ssl/s3_srvr.c ---- openssl-1.0.0-beta3/ssl/s3_srvr.c.fips 2009-06-26 17:04:22.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s3_srvr.c 2009-08-11 18:07:30.000000000 +0200 -@@ -1674,6 +1674,8 @@ int ssl3_send_server_key_exchange(SSL *s - j=0; - for (num=2; num > 0; num--) - { -+ EVP_MD_CTX_set_flags(&md_ctx, -+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_DigestInit_ex(&md_ctx,(num == 2) - ?s->ctx->md5:s->ctx->sha1, NULL); - EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); -diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips openssl-1.0.0-beta3/ssl/ssl_ciph.c ---- openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips 2009-04-07 14:10:59.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips openssl-1.0.0-beta4/ssl/ssl_ciph.c +--- openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips 2009-09-13 01:18:09.000000000 +0200 ++++ openssl-1.0.0-beta4/ssl/ssl_ciph.c 2009-11-12 12:36:50.000000000 +0100 @@ -727,6 +727,9 @@ static void ssl_cipher_collect_ciphers(c !(c->algorithm_auth & disabled_auth) && !(c->algorithm_enc & disabled_enc) && @@ -11916,10 +11835,10 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips openssl-1.0.0-beta3/ssl/ssl_cip { sk_SSL_CIPHER_push(cipherstack, curr->cipher); #ifdef CIPHER_DEBUG -diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.fips openssl-1.0.0-beta3/ssl/ssl_lib.c ---- openssl-1.0.0-beta3/ssl/ssl_lib.c.fips 2009-06-30 13:57:24.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl_lib.c 2009-08-11 18:07:30.000000000 +0200 -@@ -1470,6 +1470,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.fips openssl-1.0.0-beta4/ssl/ssl_lib.c +--- openssl-1.0.0-beta4/ssl/ssl_lib.c.fips 2009-10-16 15:41:52.000000000 +0200 ++++ openssl-1.0.0-beta4/ssl/ssl_lib.c 2009-11-12 12:36:50.000000000 +0100 +@@ -1471,6 +1471,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m return(NULL); } @@ -11934,9 +11853,9 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.fips openssl-1.0.0-beta3/ssl/ssl_lib. if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); -diff -up openssl-1.0.0-beta3/ssl/ssltest.c.fips openssl-1.0.0-beta3/ssl/ssltest.c ---- openssl-1.0.0-beta3/ssl/ssltest.c.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssltest.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest.c +--- openssl-1.0.0-beta4/ssl/ssltest.c.fips 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/ssltest.c 2009-11-12 12:36:50.000000000 +0100 @@ -265,6 +265,9 @@ static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); @@ -12011,9 +11930,124 @@ diff -up openssl-1.0.0-beta3/ssl/ssltest.c.fips openssl-1.0.0-beta3/ssl/ssltest. if(s->version == TLS1_VERSION) FIPS_allow_md5(0); # endif -diff -up openssl-1.0.0-beta3/ssl/t1_enc.c.fips openssl-1.0.0-beta3/ssl/t1_enc.c ---- openssl-1.0.0-beta3/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/t1_enc.c 2009-08-11 18:07:30.000000000 +0200 +diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_clnt.c +--- openssl-1.0.0-beta4/ssl/s23_clnt.c.fips 2009-08-05 17:29:14.000000000 +0200 ++++ openssl-1.0.0-beta4/ssl/s23_clnt.c 2009-11-12 12:36:50.000000000 +0100 +@@ -335,6 +335,14 @@ static int ssl23_client_hello(SSL *s) + version_major = TLS1_VERSION_MAJOR; + version_minor = TLS1_VERSION_MINOR; + } ++#ifdef OPENSSL_FIPS ++ else if(FIPS_mode()) ++ { ++ SSLerr(SSL_F_SSL23_CLIENT_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ return -1; ++ } ++#endif + else if (version == SSL3_VERSION) + { + version_major = SSL3_VERSION_MAJOR; +@@ -618,6 +626,14 @@ static int ssl23_get_server_hello(SSL *s + if ((p[2] == SSL3_VERSION_MINOR) && + !(s->options & SSL_OP_NO_SSLv3)) + { ++#ifdef OPENSSL_FIPS ++ if(FIPS_mode()) ++ { ++ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ goto err; ++ } ++#endif + s->version=SSL3_VERSION; + s->method=SSLv3_client_method(); + } +diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.fips openssl-1.0.0-beta4/ssl/s23_srvr.c +--- openssl-1.0.0-beta4/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200 ++++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-12 12:36:50.000000000 +0100 +@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) + } + } + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && (s->version < TLS1_VERSION)) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ goto err; ++ } ++#endif ++ + if (s->state == SSL23_ST_SR_CLNT_HELLO_B) + { + /* we have SSLv3/TLSv1 in an SSLv2 header +diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt.c +--- openssl-1.0.0-beta4/ssl/s3_clnt.c.fips 2009-10-30 15:06:18.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2009-11-12 12:36:50.000000000 +0100 +@@ -156,6 +156,10 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + #ifndef OPENSSL_NO_DH + #include + #endif +@@ -1530,6 +1534,8 @@ int ssl3_get_key_exchange(SSL *s) + q=md_buf; + for (num=2; num > 0; num--) + { ++ EVP_MD_CTX_set_flags(&md_ctx, ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(&md_ctx,(num == 2) + ?s->ctx->md5:s->ctx->sha1, NULL); + EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); +diff -up openssl-1.0.0-beta4/ssl/s3_enc.c.fips openssl-1.0.0-beta4/ssl/s3_enc.c +--- openssl-1.0.0-beta4/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 ++++ openssl-1.0.0-beta4/ssl/s3_enc.c 2009-11-12 12:36:50.000000000 +0100 +@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL * + #endif + k=0; + EVP_MD_CTX_init(&m5); ++ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_MD_CTX_init(&s1); + for (i=0; (int)is3->tmp.new_cipher->algorithm2) && md) + { + s->s3->handshake_dgst[i]=EVP_MD_CTX_create(); ++ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL); + EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen); + } +@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in + return 0; + } + EVP_MD_CTX_init(&ctx); ++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_MD_CTX_copy_ex(&ctx,d); + n=EVP_MD_CTX_size(&ctx); + if (n < 0) +diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.fips openssl-1.0.0-beta4/ssl/s3_srvr.c +--- openssl-1.0.0-beta4/ssl/s3_srvr.c.fips 2009-10-30 14:22:44.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2009-11-12 12:36:50.000000000 +0100 +@@ -1679,6 +1679,8 @@ int ssl3_send_server_key_exchange(SSL *s + j=0; + for (num=2; num > 0; num--) + { ++ EVP_MD_CTX_set_flags(&md_ctx, ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(&md_ctx,(num == 2) + ?s->ctx->md5:s->ctx->sha1, NULL); + EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); +diff -up openssl-1.0.0-beta4/ssl/t1_enc.c.fips openssl-1.0.0-beta4/ssl/t1_enc.c +--- openssl-1.0.0-beta4/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200 ++++ openssl-1.0.0-beta4/ssl/t1_enc.c 2009-11-12 12:36:50.000000000 +0100 @@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md HMAC_CTX_init(&ctx); diff --git a/openssl-1.0.0-beta3-redhat.patch b/openssl-1.0.0-beta4-redhat.patch similarity index 92% rename from openssl-1.0.0-beta3-redhat.patch rename to openssl-1.0.0-beta4-redhat.patch index bd6b9af..4356e41 100644 --- a/openssl-1.0.0-beta3-redhat.patch +++ b/openssl-1.0.0-beta4-redhat.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure ---- openssl-1.0.0-beta3/Configure.redhat 2009-07-08 10:50:52.000000000 +0200 -+++ openssl-1.0.0-beta3/Configure 2009-08-04 22:46:59.000000000 +0200 -@@ -331,32 +331,32 @@ my %table=( +diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure +--- openssl-1.0.0-beta4/Configure.redhat 2009-11-09 15:11:13.000000000 +0100 ++++ openssl-1.0.0-beta4/Configure 2009-11-12 12:15:27.000000000 +0100 +@@ -336,32 +336,32 @@ my %table=( #### # *-generic* is endian-neutral target, but ./config is free to # throw in -D[BL]_ENDIAN, whichever appropriate... @@ -22,14 +22,14 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure -"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):\$(SHLIB_SONAMEVER)", ++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", ++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", #### SPARC Linux setups # Ray Miller has patiently @@ -46,7 +46,7 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure #### Alpha Linux with GNU C and Compaq C setups # Special notes: # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you -@@ -370,8 +370,8 @@ my %table=( +@@ -375,8 +375,8 @@ my %table=( # # # diff --git a/openssl-1.0.0-beta4-reneg-err.patch b/openssl-1.0.0-beta4-reneg-err.patch new file mode 100644 index 0000000..271dbe7 --- /dev/null +++ b/openssl-1.0.0-beta4-reneg-err.patch @@ -0,0 +1,93 @@ +Better error reporting for unsafe renegotiation. +diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c +--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100 +@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]= + {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, + {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, + {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"}, ++{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"}, + {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"}, ++{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"}, + {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, + {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"}, + {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"}, +@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[] + {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"}, + {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"}, + {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"}, ++{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"}, + {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, + {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"}, + {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"}, +diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h +--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100 +@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void); + #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 + #define SSL_F_SSL_NEW 186 + #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300 ++#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302 + #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301 ++#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303 + #define SSL_F_SSL_PEEK 270 + #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281 + #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282 +@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void); + #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 + #define SSL_R_UNKNOWN_SSL_VERSION 254 + #define SSL_R_UNKNOWN_STATE 255 ++#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338 + #define SSL_R_UNSUPPORTED_CIPHER 256 + #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 + #define SSL_R_UNSUPPORTED_DIGEST_TYPE 326 +diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c +--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100 +@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s) + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); + goto err; + #else ++ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); ++ goto err; ++ } + /* we are talking sslv2 */ + /* we need to clean up the SSLv3/TLSv1 setup and put in the + * sslv2 stuff. */ +diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c +--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100 +@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, + { + /* We should always see one extension: the renegotiate extension */ + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + return 1; +@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, + if (s->new_session && !renegotiate_seen + && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { ++ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ + return 0; + } +@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, + { + /* We should always see one extension: the renegotiate extension */ + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + #endif +@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, + && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + #endif diff --git a/openssl-1.0.0-beta4-reneg.patch b/openssl-1.0.0-beta4-reneg.patch new file mode 100644 index 0000000..92e206d --- /dev/null +++ b/openssl-1.0.0-beta4-reneg.patch @@ -0,0 +1,237 @@ +diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c +--- openssl-1.0.0-beta4/apps/s_cb.c.reneg 2009-10-15 20:48:47.000000000 +0200 ++++ openssl-1.0.0-beta4/apps/s_cb.c 2009-11-12 15:02:30.000000000 +0100 +@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c + extname = "server ticket"; + break; + ++ case TLSEXT_TYPE_renegotiate: ++ extname = "renegotiate"; ++ break; ++ + #ifdef TLSEXT_TYPE_opaque_prf_input + case TLSEXT_TYPE_opaque_prf_input: + extname = "opaque PRF input"; +diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c +--- openssl-1.0.0-beta4/apps/s_client.c.reneg 2009-11-12 14:57:48.000000000 +0100 ++++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 15:01:48.000000000 +0100 +@@ -343,6 +343,7 @@ static void sc_usage(void) + BIO_printf(bio_err," -status - request certificate status from server\n"); + BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); + #endif ++ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); + } + + #ifndef OPENSSL_NO_TLSEXT +@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv) + #endif + else if (strcmp(*argv,"-serverpref") == 0) + off|=SSL_OP_CIPHER_SERVER_PREFERENCE; ++ else if (strcmp(*argv,"-legacy_renegotiation") == 0) ++ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + else if (strcmp(*argv,"-cipher") == 0) + { + if (--argc < 1) goto bad; +diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c +--- openssl-1.0.0-beta4/apps/s_server.c.reneg 2009-11-12 14:57:48.000000000 +0100 ++++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 15:01:48.000000000 +0100 +@@ -491,6 +491,7 @@ static void sv_usage(void) + BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); + BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); ++ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); + #endif + } + +@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[]) + verify_return_error = 1; + else if (strcmp(*argv,"-serverpref") == 0) + { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } ++ else if (strcmp(*argv,"-legacy_renegotiation") == 0) ++ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; + else if (strcmp(*argv,"-cipher") == 0) + { + if (--argc < 1) goto bad; +diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h +--- openssl-1.0.0-beta4/ssl/tls1.h.reneg 2009-11-12 14:57:47.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/tls1.h 2009-11-12 15:02:30.000000000 +0100 +@@ -201,6 +201,9 @@ extern "C" { + # define TLSEXT_TYPE_opaque_prf_input ?? */ + #endif + ++/* Temporary extension type */ ++#define TLSEXT_TYPE_renegotiate 0xff01 ++ + /* NameType value from RFC 3546 */ + #define TLSEXT_NAMETYPE_host_name 0 + /* status request value from RFC 3546 */ +diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c +--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg 2009-11-08 15:36:32.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-12 15:02:30.000000000 +0100 +@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex + ret+=size_str; + } + ++ /* Add the renegotiation option: TODOEKR switch */ ++ { ++ int el; ++ ++ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) ++ { ++ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); ++ return NULL; ++ } ++ ++ if((limit - p - 4 - el) < 0) return NULL; ++ ++ s2n(TLSEXT_TYPE_renegotiate,ret); ++ s2n(el,ret); ++ ++ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) ++ { ++ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); ++ return NULL; ++ } ++ ++ ret += el; ++ } ++ + #ifndef OPENSSL_NO_EC + if (s->tlsext_ecpointformatlist != NULL) + { +@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex + s2n(TLSEXT_TYPE_server_name,ret); + s2n(0,ret); + } ++ ++ if(s->s3->send_connection_binding) ++ { ++ int el; ++ ++ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) ++ { ++ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); ++ return NULL; ++ } ++ ++ if((limit - p - 4 - el) < 0) return NULL; ++ ++ s2n(TLSEXT_TYPE_renegotiate,ret); ++ s2n(el,ret); ++ ++ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) ++ { ++ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); ++ return NULL; ++ } ++ ++ ret += el; ++ } ++ + #ifndef OPENSSL_NO_EC + if (s->tlsext_ecpointformatlist != NULL) + { +@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, + unsigned short size; + unsigned short len; + unsigned char *data = *p; ++ int renegotiate_seen = 0; ++ + s->servername_done = 0; + s->tlsext_status_type = -1; ++ s->s3->send_connection_binding = 0; + + if (data >= (d+n-2)) ++ { ++ if (s->new_session ++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) ++ { ++ /* We should always see one extension: the renegotiate extension */ ++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ return 0; ++ } + return 1; ++ } + n2s(data,len); + + if (data > (d+n-len)) +@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, + return 0; + } + } ++ else if (type == TLSEXT_TYPE_renegotiate) ++ { ++ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) ++ return 0; ++ renegotiate_seen = 1; ++ } + else if (type == TLSEXT_TYPE_status_request + && s->ctx->tlsext_status_cb) + { +@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, + /* session ticket processed earlier */ + data+=size; + } ++ ++ if (s->new_session && !renegotiate_seen ++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) ++ { ++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ return 0; ++ } ++ + + *p = data; + return 1; +@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s, + unsigned short size; + unsigned short len; + unsigned char *data = *p; +- + int tlsext_servername = 0; ++ int renegotiate_seen = 0; + + if (data >= (d+n-2)) ++ { ++ /* Because the client does not see any renegotiation during an ++ attack, we must enforce this on all server hellos, even the ++ first */ ++ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) ++ { ++ /* We should always see one extension: the renegotiate extension */ ++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ return 0; ++ } + return 1; ++ } + + n2s(data,len); + +@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, + /* Set flag to expect CertificateStatus message */ + s->tlsext_status_expected = 1; + } +- ++ else if (type == TLSEXT_TYPE_renegotiate) ++ { ++ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) ++ return 0; ++ renegotiate_seen = 1; ++ } + data+=size; + } + +@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s, + return 0; + } + ++ if (!renegotiate_seen ++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) ++ { ++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ return 0; ++ } ++ + if (!s->hit && tlsext_servername == 1) + { + if (s->tlsext_hostname) diff --git a/openssl-1.0.0-beta4-version.patch b/openssl-1.0.0-beta4-version.patch new file mode 100644 index 0000000..ab12be0 --- /dev/null +++ b/openssl-1.0.0-beta4-version.patch @@ -0,0 +1,14 @@ +We have to keep the beta status on 3 as some applications (OpenSSH) incorrectly insist +on having the same beta status of OpenSSL library as they were built against. +diff -up openssl-1.0.0-beta4/crypto/opensslv.h.version openssl-1.0.0-beta4/crypto/opensslv.h +--- openssl-1.0.0-beta4/crypto/opensslv.h.version 2009-11-12 15:17:28.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/opensslv.h 2009-11-13 12:39:08.000000000 +0100 +@@ -25,7 +25,7 @@ + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-#define OPENSSL_VERSION_NUMBER 0x10000004L ++#define OPENSSL_VERSION_NUMBER 0x10000003L + #ifdef OPENSSL_FIPS + #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips-beta4 10 Nov 2009" + #else diff --git a/sources b/sources index ccd2532..8a2c648 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -9926dcf78e797a12d8e3ffd7a018824b openssl-1.0.0-beta3-usa.tar.bz2 +1fc0e41c230d0698f834413dfba864ad openssl-1.0.0-beta4-usa.tar.bz2 From 839965ca759eefd9840512f6ab4cdd63eed45d13 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Wed, 25 Nov 2009 23:18:49 +0000 Subject: [PATCH 15/28] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index c31d194..129151e 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,10 @@ # Makefile for source rpm: mingw32-openssl -# $Id$ +# $Id: Makefile,v 1.1 2009/02/08 21:52:20 kevin Exp $ NAME := mingw32-openssl SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From 45fb3a2724685762b803b552c94107432594ca24 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Thu, 26 Nov 2009 07:00:46 +0000 Subject: [PATCH 16/28] - Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4) - Dropped the patch to fix non-fips mingw build, as it's now merged into fips patch from native openssl --- mingw32-openssl-1.0.0-beta4-nofips.patch | 130 ------- mingw32-openssl.spec | 12 +- openssl-1.0.0-beta4-dtls-ipv6.patch | 219 ++++++++++++ openssl-1.0.0-beta4-fips.patch | 420 ++++++++++++----------- 4 files changed, 447 insertions(+), 334 deletions(-) delete mode 100644 mingw32-openssl-1.0.0-beta4-nofips.patch create mode 100644 openssl-1.0.0-beta4-dtls-ipv6.patch diff --git a/mingw32-openssl-1.0.0-beta4-nofips.patch b/mingw32-openssl-1.0.0-beta4-nofips.patch deleted file mode 100644 index fba1b6f..0000000 --- a/mingw32-openssl-1.0.0-beta4-nofips.patch +++ /dev/null @@ -1,130 +0,0 @@ -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.mingw-nofips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c ---- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-22 19:07:58.000000000 +0200 -@@ -65,7 +65,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include "fips_locl.h" - - static int dsa_builtin_keygen(DSA *dsa); -diff -up openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c ---- openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-22 19:07:58.000000000 +0200 -@@ -49,7 +49,9 @@ - - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include - - #ifdef OPENSSL_FIPS -diff -up openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c ---- openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-22 19:07:58.000000000 +0200 -@@ -49,7 +49,9 @@ - - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include - #include - -diff -up openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c ---- openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-22 19:07:58.000000000 +0200 -@@ -59,7 +59,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include - #include - #include -diff -up openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c ---- openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-22 19:07:58.000000000 +0200 -@@ -49,7 +49,9 @@ - - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include - - #ifdef OPENSSL_FIPS -diff -up openssl-1.0.0-beta4/crypto/fips/fips_rand.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rand.c ---- openssl-1.0.0-beta4/crypto/fips/fips_rand.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-22 19:07:58.000000000 +0200 -@@ -76,7 +76,9 @@ - # endif - #endif - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include "fips_locl.h" - - #ifdef OPENSSL_FIPS -diff -up openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c ---- openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-22 19:07:58.000000000 +0200 -@@ -49,7 +49,9 @@ - - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include - #include - -diff -up openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-22 19:07:58.000000000 +0200 -@@ -49,7 +49,9 @@ - - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include - #include - #include -diff -up openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c ---- openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-22 19:07:58.000000000 +0200 -@@ -49,7 +49,9 @@ - - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - #include - #include - -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.mingw-nofips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-22 19:07:58.000000000 +0200 -@@ -115,7 +115,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS - #include -+#endif - - #ifndef RSA_NULL - diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 3f8f216..a956103 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -31,7 +31,7 @@ Name: mingw32-openssl Version: 1.0.0 -Release: 0.5.%{beta}%{?dist} +Release: 0.6.%{beta}%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -83,6 +83,7 @@ Patch60: openssl-1.0.0-beta4-reneg.patch Patch61: openssl-1.0.0-beta4-client-reneg.patch Patch62: openssl-1.0.0-beta4-backports.patch Patch63: openssl-1.0.0-beta4-reneg-err.patch +Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch # MinGW-specific patches. # Use MINGW32_CFLAGS (set below) in Configure script @@ -94,8 +95,6 @@ Patch102: mingw32-openssl-1.0.0-beta3-sfx.patch # Ugly patch to fix a compilation error (the linker can't find # some symbols mentioned in an autogenerated .def file) Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch -# Fix build without fips -Patch106: mingw32-openssl-1.0.0-beta4-nofips.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -189,12 +188,12 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch61 -p1 -b .client-reneg %patch62 -p1 -b .backports %patch63 -p1 -b .reneg-err +%patch64 -p1 -b .dtls-ipv6 %patch100 -p1 -b .mingw-configure %patch101 -p1 -b .mingw-libversion %patch102 -p1 -b .mingw-sfx %patch105 -p0 -b .mingw-linker-fix -%patch106 -p1 -b .mingw-nofips # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -353,6 +352,11 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Nov 26 2009 Kalev Lember - 1.0.0-0.6.beta4 +- Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4) +- Dropped the patch to fix non-fips mingw build, + as it's now merged into fips patch from native openssl + * Sun Nov 22 2009 Kalev Lember - 1.0.0-0.5.beta4 - Updated to version 1.0.0 beta 4 - Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4) diff --git a/openssl-1.0.0-beta4-dtls-ipv6.patch b/openssl-1.0.0-beta4-dtls-ipv6.patch new file mode 100644 index 0000000..1173f1a --- /dev/null +++ b/openssl-1.0.0-beta4-dtls-ipv6.patch @@ -0,0 +1,219 @@ +diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c +--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 2009-11-09 15:09:53.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2009-11-23 08:50:45.000000000 +0100 +@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr) + if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) + { + OPENSSL_assert(sa.len.s<=sizeof(sa.from)); +- sa.len.i = (unsigned int)sa.len.s; ++ sa.len.i = (int)sa.len.s; ++ /* use sa.len.i from this point */ + } + if (ret == INVALID_SOCKET) + { +diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c +--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 2009-10-15 19:41:44.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2009-11-23 08:50:45.000000000 +0100 +@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp= + + typedef struct bio_dgram_data_st + { ++ union { ++ struct sockaddr sa; ++ struct sockaddr_in sa_in; + #if OPENSSL_USE_IPV6 +- struct sockaddr_storage peer; +-#else +- struct sockaddr_in peer; ++ struct sockaddr_in6 sa_in6; + #endif ++ } peer; + unsigned int connected; + unsigned int _errno; + unsigned int mtu; +@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out, + int ret=0; + bio_dgram_data *data = (bio_dgram_data *)b->ptr; + ++ struct { ++ /* ++ * See commentary in b_sock.c. ++ */ ++ union { size_t s; int i; } len; ++ union { ++ struct sockaddr sa; ++ struct sockaddr_in sa_in; + #if OPENSSL_USE_IPV6 +- struct sockaddr_storage peer; +-#else +- struct sockaddr_in peer; ++ struct sockaddr_in6 sa_in6; + #endif +- int peerlen = sizeof(peer); ++ } peer; ++ } sa; ++ ++ sa.len.s=0; ++ sa.len.i=sizeof(sa.peer); + + if (out != NULL) + { + clear_socket_error(); +- memset(&peer, 0x00, peerlen); +- /* Last arg in recvfrom is signed on some platforms and +- * unsigned on others. It is of type socklen_t on some +- * but this is not universal. Cast to (void *) to avoid +- * compiler warnings. +- */ ++ memset(&sa.peer, 0x00, sizeof(sa.peer)); + dgram_adjust_rcv_timeout(b); +- ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen); ++ ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len); ++ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) ++ { ++ OPENSSL_assert(sa.len.s<=sizeof(sa.peer)); ++ sa.len.i = (int)sa.len.s; ++ } + dgram_reset_rcv_timeout(b); + + if ( ! data->connected && ret >= 0) +- BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer); ++ BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer); + + BIO_clear_retry_flags(b); + if (ret < 0) +@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha + if ( data->connected ) + ret=writesocket(b->num,in,inl); + else +-#if OPENSSL_USE_IPV6 +- if (data->peer.ss_family == AF_INET) + #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) +- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); ++ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer)); + #else +- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); +-#endif +- else +-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) +- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6)); +-#else +- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6)); +-#endif +-#else +-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) +- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); +-#else +- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); +-#endif ++ ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer)); + #endif + + BIO_clear_retry_flags(b); +@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd, + else + { + #endif ++ switch (to->sa_family) ++ { ++ case AF_INET: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); ++ break; + #if OPENSSL_USE_IPV6 +- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage)); +-#else +- memcpy(&(data->peer),to, sizeof(struct sockaddr_in)); +-#endif ++ case AF_INET6: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); ++ break; ++#endif ++ default: ++ memcpy(&data->peer,to,sizeof(data->peer.sa)); ++ break; ++ } + #if 0 + } + #endif +@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd, + if ( to != NULL) + { + data->connected = 1; ++ switch (to->sa_family) ++ { ++ case AF_INET: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); ++ break; + #if OPENSSL_USE_IPV6 +- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage)); +-#else +- memcpy(&(data->peer),to, sizeof(struct sockaddr_in)); +-#endif ++ case AF_INET6: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); ++ break; ++#endif ++ default: ++ memcpy(&data->peer,to,sizeof(data->peer.sa)); ++ break; ++ } + } + else + { + data->connected = 0; +-#if OPENSSL_USE_IPV6 +- memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage)); +-#else +- memset(&(data->peer), 0x00, sizeof(struct sockaddr_in)); +-#endif ++ memset(&(data->peer), 0x00, sizeof(data->peer)); + } + break; + case BIO_CTRL_DGRAM_GET_PEER: + to = (struct sockaddr *) ptr; +- ++ switch (to->sa_family) ++ { ++ case AF_INET: ++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in))); ++ break; + #if OPENSSL_USE_IPV6 +- memcpy(to, &(data->peer), sizeof(struct sockaddr_storage)); +- ret = sizeof(struct sockaddr_storage); +-#else +- memcpy(to, &(data->peer), sizeof(struct sockaddr_in)); +- ret = sizeof(struct sockaddr_in); +-#endif ++ case AF_INET6: ++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6))); ++ break; ++#endif ++ default: ++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa))); ++ break; ++ } + break; + case BIO_CTRL_DGRAM_SET_PEER: + to = (struct sockaddr *) ptr; +- ++ switch (to->sa_family) ++ { ++ case AF_INET: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); ++ break; + #if OPENSSL_USE_IPV6 +- memcpy(&(data->peer), to, sizeof(struct sockaddr_storage)); +-#else +- memcpy(&(data->peer), to, sizeof(struct sockaddr_in)); +-#endif ++ case AF_INET6: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); ++ break; ++#endif ++ default: ++ memcpy(&data->peer,to,sizeof(data->peer.sa)); ++ break; ++ } + break; + case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT: + memcpy(&(data->next_timeout), ptr, sizeof(struct timeval)); diff --git a/openssl-1.0.0-beta4-fips.patch b/openssl-1.0.0-beta4-fips.patch index bc81d71..41b3d1f 100644 --- a/openssl-1.0.0-beta4-fips.patch +++ b/openssl-1.0.0-beta4-fips.patch @@ -1,6 +1,6 @@ diff -up openssl-1.0.0-beta4/Configure.fips openssl-1.0.0-beta4/Configure ---- openssl-1.0.0-beta4/Configure.fips 2009-11-12 12:36:50.000000000 +0100 -+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/Configure.fips 2009-11-23 08:32:31.000000000 +0100 ++++ openssl-1.0.0-beta4/Configure 2009-11-23 08:32:31.000000000 +0100 @@ -660,6 +660,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml my $processor=""; my $default_ranlib; @@ -45,7 +45,7 @@ diff -up openssl-1.0.0-beta4/Configure.fips openssl-1.0.0-beta4/Configure s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); diff -up openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta4/crypto/bf/bf_skey.c --- openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bf/bf_skey.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bf/bf_skey.c 2009-11-23 08:32:31.000000000 +0100 @@ -59,10 +59,15 @@ #include #include @@ -64,8 +64,8 @@ diff -up openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta4/crypto int i; BF_LONG *p,ri,in[2]; diff -up openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips openssl-1.0.0-beta4/crypto/bf/blowfish.h ---- openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bf/blowfish.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bf/blowfish.h 2009-11-23 08:32:31.000000000 +0100 @@ -104,7 +104,9 @@ typedef struct bf_key_st BF_LONG S[4*256]; } BF_KEY; @@ -78,8 +78,8 @@ diff -up openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips openssl-1.0.0-beta4/crypt void BF_encrypt(BF_LONG *data,const BF_KEY *key); diff -up openssl-1.0.0-beta4/crypto/bn/bn.h.fips openssl-1.0.0-beta4/crypto/bn/bn.h ---- openssl-1.0.0-beta4/crypto/bn/bn.h.fips 2009-11-12 12:36:50.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/bn.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/bn/bn.h.fips 2009-11-23 08:32:31.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bn/bn.h 2009-11-23 08:32:31.000000000 +0100 @@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); @@ -99,8 +99,8 @@ diff -up openssl-1.0.0-beta4/crypto/bn/bn.h.fips openssl-1.0.0-beta4/crypto/bn/b void BN_MONT_CTX_init(BN_MONT_CTX *ctx); int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b, diff -up /dev/null openssl-1.0.0-beta4/crypto/bn/bn_x931p.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/bn_x931p.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/bn/bn_x931p.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,272 @@ +/* bn_x931p.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -376,7 +376,7 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/bn/bn_x931p.c + diff -up openssl-1.0.0-beta4/crypto/bn/Makefile.fips openssl-1.0.0-beta4/crypto/bn/Makefile --- openssl-1.0.0-beta4/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/Makefile 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bn/Makefile 2009-11-23 08:32:31.000000000 +0100 @@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_li bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ @@ -395,7 +395,7 @@ diff -up openssl-1.0.0-beta4/crypto/bn/Makefile.fips openssl-1.0.0-beta4/crypto/ diff -up openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl --- openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl 2009-11-23 08:32:31.000000000 +0100 @@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0; } &function_end("Camellia_Ekeygen"); @@ -423,8 +423,8 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0- @SBOX=( diff -up openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips openssl-1.0.0-beta4/crypto/camellia/camellia.h ---- openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/camellia.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/camellia.h 2009-11-23 08:32:31.000000000 +0100 @@ -88,6 +88,11 @@ struct camellia_key_st }; typedef struct camellia_key_st CAMELLIA_KEY; @@ -438,8 +438,8 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips openssl-1.0.0-beta4 CAMELLIA_KEY *key); diff -up /dev/null openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,68 @@ +/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* ==================================================================== @@ -511,7 +511,7 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c +#endif diff -up openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c --- openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c 2009-11-23 08:32:31.000000000 +0100 @@ -52,11 +52,20 @@ #include #include @@ -535,7 +535,7 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta return -1; diff -up openssl-1.0.0-beta4/crypto/camellia/Makefile.fips openssl-1.0.0-beta4/crypto/camellia/Makefile --- openssl-1.0.0-beta4/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/Makefile 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/camellia/Makefile 2009-11-23 08:32:31.000000000 +0100 @@ -23,9 +23,9 @@ APPS= LIB=$(TOP)/libcrypto.a @@ -549,8 +549,8 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/Makefile.fips openssl-1.0.0-beta4/c SRC= $(LIBSRC) diff -up openssl-1.0.0-beta4/crypto/cast/cast.h.fips openssl-1.0.0-beta4/crypto/cast/cast.h ---- openssl-1.0.0-beta4/crypto/cast/cast.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/cast/cast.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/cast/cast.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/cast/cast.h 2009-11-23 08:32:31.000000000 +0100 @@ -83,7 +83,9 @@ typedef struct cast_key_st int short_key; /* Use reduced rounds for short key */ } CAST_KEY; @@ -564,7 +564,7 @@ diff -up openssl-1.0.0-beta4/crypto/cast/cast.h.fips openssl-1.0.0-beta4/crypto/ int enc); diff -up openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips openssl-1.0.0-beta4/crypto/cast/c_skey.c --- openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/cast/c_skey.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/cast/c_skey.c 2009-11-23 08:32:31.000000000 +0100 @@ -57,6 +57,11 @@ */ @@ -587,8 +587,8 @@ diff -up openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips openssl-1.0.0-beta4/crypt CAST_LONG x[16]; CAST_LONG z[16]; diff -up openssl-1.0.0-beta4/crypto/crypto.h.fips openssl-1.0.0-beta4/crypto/crypto.h ---- openssl-1.0.0-beta4/crypto/crypto.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/crypto.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/crypto.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/crypto.h 2009-11-23 08:32:31.000000000 +0100 @@ -546,12 +546,69 @@ void OpenSSLDie(const char *file,int lin unsigned long *OPENSSL_ia32cap_loc(void); #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) @@ -661,7 +661,7 @@ diff -up openssl-1.0.0-beta4/crypto/crypto.h.fips openssl-1.0.0-beta4/crypto/cry /* Function codes. */ diff -up openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips openssl-1.0.0-beta4/crypto/dh/dh_err.c --- openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dh/dh_err.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dh/dh_err.c 2009-11-23 08:32:31.000000000 +0100 @@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]= {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"}, {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, @@ -681,7 +681,7 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips openssl-1.0.0-beta4/crypto/ {ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"}, diff -up openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta4/crypto/dh/dh_gen.c --- openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dh/dh_gen.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dh/dh_gen.c 2009-11-23 08:32:31.000000000 +0100 @@ -65,6 +65,10 @@ #include "cryptlib.h" #include @@ -715,8 +715,8 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta4/crypto/ if (ctx == NULL) goto err; BN_CTX_start(ctx); diff -up openssl-1.0.0-beta4/crypto/dh/dh.h.fips openssl-1.0.0-beta4/crypto/dh/dh.h ---- openssl-1.0.0-beta4/crypto/dh/dh.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dh/dh.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/dh/dh.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dh/dh.h 2009-11-23 08:32:31.000000000 +0100 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 #endif @@ -745,7 +745,7 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh.h.fips openssl-1.0.0-beta4/crypto/dh/d } diff -up openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips openssl-1.0.0-beta4/crypto/dh/dh_key.c --- openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dh/dh_key.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dh/dh_key.c 2009-11-23 08:32:31.000000000 +0100 @@ -61,6 +61,9 @@ #include #include @@ -797,7 +797,7 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips openssl-1.0.0-beta4/crypto/ } diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c --- openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c 2009-11-23 08:32:31.000000000 +0100 @@ -77,8 +77,12 @@ #include "cryptlib.h" #include @@ -834,8 +834,8 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta4/crypt qsize != SHA256_DIGEST_LENGTH) /* invalid q size */ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips openssl-1.0.0-beta4/crypto/dsa/dsa.h ---- openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dsa/dsa.h 2009-11-23 08:32:31.000000000 +0100 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif @@ -894,14 +894,16 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips openssl-1.0.0-beta4/crypto/ds #ifdef __cplusplus diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c --- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-12 12:36:50.000000000 +0100 -@@ -63,9 +63,53 @@ ++++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-23 08:33:32.000000000 +0100 +@@ -63,9 +63,55 @@ #include #include #include +#include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include "fips_locl.h" static int dsa_builtin_keygen(DSA *dsa); @@ -949,7 +951,7 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypt int DSA_generate_key(DSA *dsa) { if(dsa->meth->dsa_keygen) -@@ -79,6 +123,14 @@ static int dsa_builtin_keygen(DSA *dsa) +@@ -79,6 +125,14 @@ static int dsa_builtin_keygen(DSA *dsa) BN_CTX *ctx=NULL; BIGNUM *pub_key=NULL,*priv_key=NULL; @@ -964,7 +966,7 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypt if ((ctx=BN_CTX_new()) == NULL) goto err; if (dsa->priv_key == NULL) -@@ -117,6 +169,15 @@ static int dsa_builtin_keygen(DSA *dsa) +@@ -117,6 +171,15 @@ static int dsa_builtin_keygen(DSA *dsa) dsa->priv_key=priv_key; dsa->pub_key=pub_key; @@ -982,7 +984,7 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypt err: diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c --- openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c 2009-11-23 08:32:31.000000000 +0100 @@ -65,6 +65,9 @@ #include #include @@ -1056,7 +1058,7 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta4/cryp } diff -up openssl-1.0.0-beta4/crypto/err/err_all.c.fips openssl-1.0.0-beta4/crypto/err/err_all.c --- openssl-1.0.0-beta4/crypto/err/err_all.c.fips 2009-08-09 16:58:05.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/err/err_all.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/err/err_all.c 2009-11-23 08:32:31.000000000 +0100 @@ -96,6 +96,9 @@ #include #include @@ -1079,7 +1081,7 @@ diff -up openssl-1.0.0-beta4/crypto/err/err_all.c.fips openssl-1.0.0-beta4/crypt #endif diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto/evp/digest.c --- openssl-1.0.0-beta4/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/digest.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/digest.c 2009-11-23 08:32:31.000000000 +0100 @@ -116,6 +116,7 @@ #ifndef OPENSSL_NO_ENGINE #include @@ -1180,7 +1182,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto ret=ctx->digest->final(ctx,md); diff -up openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips openssl-1.0.0-beta4/crypto/evp/e_aes.c --- openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_aes.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/e_aes.c 2009-11-23 08:32:31.000000000 +0100 @@ -69,32 +69,29 @@ typedef struct IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, @@ -1235,7 +1237,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips openssl-1.0.0-beta4/crypto/ const unsigned char *iv, int enc) diff -up openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta4/crypto/evp/e_camellia.c --- openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/e_camellia.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/e_camellia.c 2009-11-23 08:32:31.000000000 +0100 @@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks, EVP_CIPHER_get_asn1_iv, NULL) @@ -1247,7 +1249,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta4/cr IMPLEMENT_CAMELLIA_CFBR(192,1) diff -up openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips openssl-1.0.0-beta4/crypto/evp/e_des3.c --- openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_des3.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/e_des3.c 2009-11-23 08:32:31.000000000 +0100 @@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH } @@ -1294,7 +1296,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips openssl-1.0.0-beta4/crypto static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, diff -up openssl-1.0.0-beta4/crypto/evp/e_null.c.fips openssl-1.0.0-beta4/crypto/evp/e_null.c --- openssl-1.0.0-beta4/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_null.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/e_null.c 2009-11-23 08:32:31.000000000 +0100 @@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher= { NID_undef, @@ -1306,7 +1308,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_null.c.fips openssl-1.0.0-beta4/crypto NULL, diff -up openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta4/crypto/evp/evp_enc.c --- openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_enc.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp_enc.c 2009-11-23 08:32:31.000000000 +0100 @@ -68,8 +68,53 @@ const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; @@ -1401,7 +1403,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta4/crypt } diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips openssl-1.0.0-beta4/crypto/evp/evp_err.c --- openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2009-11-23 08:32:31.000000000 +0100 @@ -154,6 +154,7 @@ static ERR_STRING_DATA EVP_str_reasons[] {ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"}, {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"}, @@ -1411,8 +1413,8 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips openssl-1.0.0-beta4/crypt {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/evp/evp.h ---- openssl-1.0.0-beta4/crypto/evp/evp.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/evp/evp.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp.h 2009-11-23 08:32:31.000000000 +0100 @@ -75,6 +75,10 @@ #include #endif @@ -1491,7 +1493,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/ev #define EVP_R_EXPECTING_AN_RSA_KEY 127 diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypto/evp/evp_lib.c --- openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/evp_lib.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp_lib.c 2009-11-23 08:32:31.000000000 +0100 @@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_ if (c->cipher->set_asn1_parameters != NULL) @@ -1540,8 +1542,8 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypt + return (ctx->flags & flags); + } diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/crypto/evp/evp_locl.h ---- openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_locl.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp_locl.h 2009-11-23 08:32:31.000000000 +0100 @@ -111,11 +111,11 @@ static int cname##_cbc_cipher(EVP_CIPHER static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ {\ @@ -1593,7 +1595,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/cryp { diff -up openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss.c --- openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/m_dss.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/m_dss.c 2009-11-23 08:32:31.000000000 +0100 @@ -81,7 +81,7 @@ static const EVP_MD dsa_md= NID_dsaWithSHA, NID_dsaWithSHA, @@ -1605,7 +1607,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips openssl-1.0.0-beta4/crypto/ final, diff -up openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss1.c --- openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/m_dss1.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/m_dss1.c 2009-11-23 08:32:31.000000000 +0100 @@ -82,7 +82,7 @@ static const EVP_MD dss1_md= NID_dsa, NID_dsaWithSHA1, @@ -1617,7 +1619,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta4/crypto final, diff -up openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta4/crypto/evp/m_sha1.c --- openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/m_sha1.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/m_sha1.c 2009-11-23 08:32:31.000000000 +0100 @@ -82,7 +82,8 @@ static const EVP_MD sha1_md= NID_sha1, NID_sha1WithRSAEncryption, @@ -1670,7 +1672,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta4/crypto final512, diff -up openssl-1.0.0-beta4/crypto/evp/names.c.fips openssl-1.0.0-beta4/crypto/evp/names.c --- openssl-1.0.0-beta4/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/names.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/names.c 2009-11-23 08:32:31.000000000 +0100 @@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c) { int r; @@ -1695,7 +1697,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/names.c.fips openssl-1.0.0-beta4/crypto/ if (r == 0) return(0); diff -up openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips openssl-1.0.0-beta4/crypto/evp/p_sign.c --- openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips 2006-05-24 15:29:30.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/p_sign.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/p_sign.c 2009-11-23 08:32:31.000000000 +0100 @@ -61,6 +61,7 @@ #include #include @@ -1729,7 +1731,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips openssl-1.0.0-beta4/crypto *siglen = sltmp; diff -up openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips openssl-1.0.0-beta4/crypto/evp/p_verify.c --- openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips 2008-11-12 04:58:01.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/p_verify.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/p_verify.c 2009-11-23 08:32:31.000000000 +0100 @@ -61,6 +61,7 @@ #include #include @@ -1762,8 +1764,8 @@ diff -up openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips openssl-1.0.0-beta4/cryp err: EVP_PKEY_CTX_free(pkctx); diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,939 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -2705,8 +2707,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,702 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -3411,8 +3413,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,537 @@ +#include + @@ -3952,8 +3954,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,230 @@ +/* + * Crude test driver for processing the VST and MCT testvector files @@ -4186,8 +4188,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c + } +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,390 @@ +/* fips_rsagtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4580,8 +4582,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,370 @@ +/* fips_rsastest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4954,8 +4956,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,377 @@ +/* fips_rsavtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5335,8 +5337,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,388 @@ +/* fips_shatest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5727,8 +5729,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,343 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -6074,8 +6076,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h + } + diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_err.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips_err.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,7 @@ +#include + @@ -6085,8 +6087,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.c +static void *dummy=&dummy; +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.h ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_err.h 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips_err.h 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,137 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -6226,9 +6228,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.h +#endif + } diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-12 12:36:50.000000000 +0100 -@@ -0,0 +1,101 @@ +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-23 08:33:32.000000000 +0100 +@@ -0,0 +1,103 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -6280,7 +6282,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c + +#include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include + +#ifdef OPENSSL_FIPS @@ -6331,8 +6335,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,419 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6754,9 +6758,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-12 12:36:50.000000000 +0100 -@@ -0,0 +1,137 @@ +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-23 08:33:32.000000000 +0100 +@@ -0,0 +1,139 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -6808,7 +6812,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c + +#include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include +#include + @@ -6895,9 +6901,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-12 12:36:50.000000000 +0100 -@@ -0,0 +1,184 @@ +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-23 08:33:32.000000000 +0100 +@@ -0,0 +1,186 @@ +/* crypto/dsa/dsatest.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -6959,7 +6965,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c +#include +#include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include +#include +#include @@ -7083,8 +7091,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.h ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips.h 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips.h 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7250,9 +7258,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.h +#endif +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-12 12:36:50.000000000 +0100 -@@ -0,0 +1,135 @@ +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-23 08:33:32.000000000 +0100 +@@ -0,0 +1,137 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * @@ -7304,7 +7312,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c + +#include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include + +#ifdef OPENSSL_FIPS @@ -7389,9 +7399,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-12 12:36:50.000000000 +0100 -@@ -0,0 +1,410 @@ +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-23 08:33:32.000000000 +0100 +@@ -0,0 +1,412 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. + * @@ -7470,7 +7480,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c +# endif +#endif +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include "fips_locl.h" + +#ifdef OPENSSL_FIPS @@ -7803,8 +7815,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.h ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand.h 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.h 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,77 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7884,9 +7896,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.h +#endif +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-12 12:36:50.000000000 +0100 -@@ -0,0 +1,371 @@ +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-23 08:33:32.000000000 +0100 +@@ -0,0 +1,373 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -7938,7 +7950,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c + +#include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include +#include + @@ -8259,8 +8273,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_randtest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_randtest.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_randtest.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,248 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -8511,9 +8525,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_randtest.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-12 12:36:50.000000000 +0100 -@@ -0,0 +1,439 @@ +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-23 08:33:32.000000000 +0100 +@@ -0,0 +1,441 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. + * @@ -8565,7 +8579,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c + +#include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include +#include +#include @@ -8954,8 +8970,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c + +#endif /* def OPENSSL_FIPS */ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,281 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -9239,9 +9255,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c + + } diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-12 12:36:50.000000000 +0100 -@@ -0,0 +1,97 @@ +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-23 08:33:32.000000000 +0100 +@@ -0,0 +1,99 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -9293,7 +9309,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c + +#include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif +#include +#include + @@ -9340,8 +9358,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,173 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9517,8 +9535,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c + + diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,588 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10109,8 +10127,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c + +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_locl.h ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_locl.h 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips_locl.h 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,72 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10185,8 +10203,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_locl.h +#endif +#endif diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/Makefile ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/Makefile 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/fips/Makefile 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,81 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -10271,7 +10289,7 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/Makefile + diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips openssl-1.0.0-beta4/crypto/hmac/hmac.c --- openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/hmac/hmac.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/hmac/hmac.c 2009-11-23 08:32:31.000000000 +0100 @@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo if (key != NULL) @@ -10298,8 +10316,8 @@ diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips openssl-1.0.0-beta4/crypto/ + } + diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips openssl-1.0.0-beta4/crypto/hmac/hmac.h ---- openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/hmac/hmac.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/hmac/hmac.h 2009-11-23 08:32:31.000000000 +0100 @@ -101,6 +101,7 @@ unsigned char *HMAC(const EVP_MD *evp_md unsigned int *md_len); int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); @@ -10310,7 +10328,7 @@ diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips openssl-1.0.0-beta4/crypto/ } diff -up openssl-1.0.0-beta4/crypto/Makefile.fips openssl-1.0.0-beta4/crypto/Makefile --- openssl-1.0.0-beta4/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/Makefile 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/Makefile 2009-11-23 08:32:31.000000000 +0100 @@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i LIB= $(TOP)/libcrypto.a @@ -10331,7 +10349,7 @@ diff -up openssl-1.0.0-beta4/crypto/Makefile.fips openssl-1.0.0-beta4/crypto/Mak diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c --- openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c 2009-11-23 08:32:31.000000000 +0100 @@ -61,6 +61,11 @@ #include #include @@ -10354,8 +10372,8 @@ diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta4/cry c->num=0; c->pad_type=1; diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2.h ---- openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips 2009-11-12 12:36:50.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/mdc2/mdc2.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips 2009-11-23 08:32:31.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/mdc2/mdc2.h 2009-11-23 08:32:31.000000000 +0100 @@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st int pad_type; /* either 1 or 2, default 1 */ } MDC2_CTX; @@ -10369,7 +10387,7 @@ diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta4/crypto/ int MDC2_Final(unsigned char *md, MDC2_CTX *c); diff -up openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta4/crypto/md2/md2_dgst.c --- openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/md2/md2_dgst.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md2/md2_dgst.c 2009-11-23 08:32:31.000000000 +0100 @@ -62,6 +62,11 @@ #include #include @@ -10392,8 +10410,8 @@ diff -up openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta4/cryp c->num=0; memset(c->state,0,sizeof c->state); diff -up openssl-1.0.0-beta4/crypto/md2/md2.h.fips openssl-1.0.0-beta4/crypto/md2/md2.h ---- openssl-1.0.0-beta4/crypto/md2/md2.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md2/md2.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/md2/md2.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md2/md2.h 2009-11-23 08:32:31.000000000 +0100 @@ -81,6 +81,9 @@ typedef struct MD2state_st } MD2_CTX; @@ -10406,7 +10424,7 @@ diff -up openssl-1.0.0-beta4/crypto/md2/md2.h.fips openssl-1.0.0-beta4/crypto/md int MD2_Final(unsigned char *md, MD2_CTX *c); diff -up openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta4/crypto/md4/md4_dgst.c --- openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md4/md4_dgst.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md4/md4_dgst.c 2009-11-23 08:32:31.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "md4_locl.h" @@ -10429,8 +10447,8 @@ diff -up openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta4/cryp memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; diff -up openssl-1.0.0-beta4/crypto/md4/md4.h.fips openssl-1.0.0-beta4/crypto/md4/md4.h ---- openssl-1.0.0-beta4/crypto/md4/md4.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md4/md4.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/md4/md4.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md4/md4.h 2009-11-23 08:32:31.000000000 +0100 @@ -105,6 +105,9 @@ typedef struct MD4state_st unsigned int num; } MD4_CTX; @@ -10443,7 +10461,7 @@ diff -up openssl-1.0.0-beta4/crypto/md4/md4.h.fips openssl-1.0.0-beta4/crypto/md int MD4_Final(unsigned char *md, MD4_CTX *c); diff -up openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta4/crypto/md5/md5_dgst.c --- openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md5/md5_dgst.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md5/md5_dgst.c 2009-11-23 08:32:31.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "md5_locl.h" @@ -10466,8 +10484,8 @@ diff -up openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta4/cryp memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; diff -up openssl-1.0.0-beta4/crypto/md5/md5.h.fips openssl-1.0.0-beta4/crypto/md5/md5.h ---- openssl-1.0.0-beta4/crypto/md5/md5.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md5/md5.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/md5/md5.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/md5/md5.h 2009-11-23 08:32:31.000000000 +0100 @@ -105,6 +105,9 @@ typedef struct MD5state_st unsigned int num; } MD5_CTX; @@ -10480,7 +10498,7 @@ diff -up openssl-1.0.0-beta4/crypto/md5/md5.h.fips openssl-1.0.0-beta4/crypto/md int MD5_Final(unsigned char *md, MD5_CTX *c); diff -up openssl-1.0.0-beta4/crypto/mem.c.fips openssl-1.0.0-beta4/crypto/mem.c --- openssl-1.0.0-beta4/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/mem.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/mem.c 2009-11-23 08:32:31.000000000 +0100 @@ -101,7 +101,7 @@ static void (*free_locked_func)(void *) /* may be changed as long as 'allow_customize_debug' is set */ @@ -10491,8 +10509,8 @@ diff -up openssl-1.0.0-beta4/crypto/mem.c.fips openssl-1.0.0-beta4/crypto/mem.c static void (*malloc_debug_func)(void *,int,const char *,int,int) = CRYPTO_dbg_malloc; diff -up /dev/null openssl-1.0.0-beta4/crypto/o_init.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/o_init.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/o_init.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,80 @@ +/* o_init.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10576,7 +10594,7 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/o_init.c + diff -up openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips openssl-1.0.0-beta4/crypto/opensslconf.h.in --- openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/opensslconf.h.in 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/opensslconf.h.in 2009-11-23 08:32:31.000000000 +0100 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -10600,7 +10618,7 @@ diff -up openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips openssl-1.0.0-beta4/cr diff -up openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c --- openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c 2009-11-23 08:32:31.000000000 +0100 @@ -59,6 +59,10 @@ #include #include "cryptlib.h" @@ -10629,7 +10647,7 @@ diff -up openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta4/cr if (!iter) diff -up openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips openssl-1.0.0-beta4/crypto/rand/md_rand.c --- openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/md_rand.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rand/md_rand.c 2009-11-23 08:32:31.000000000 +0100 @@ -126,6 +126,10 @@ #include @@ -10658,7 +10676,7 @@ diff -up openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips openssl-1.0.0-beta4/cryp { diff -up openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips openssl-1.0.0-beta4/crypto/rand/rand_err.c --- openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand_err.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rand/rand_err.c 2009-11-23 08:32:31.000000000 +0100 @@ -70,6 +70,13 @@ static ERR_STRING_DATA RAND_str_functs[]= @@ -10692,8 +10710,8 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips openssl-1.0.0-beta4/cry }; diff -up openssl-1.0.0-beta4/crypto/rand/rand.h.fips openssl-1.0.0-beta4/crypto/rand/rand.h ---- openssl-1.0.0-beta4/crypto/rand/rand.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/rand/rand.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rand/rand.h 2009-11-23 08:32:31.000000000 +0100 @@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -10725,7 +10743,7 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand.h.fips openssl-1.0.0-beta4/crypto/ } diff -up openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta4/crypto/rand/rand_lib.c --- openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand_lib.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rand/rand_lib.c 2009-11-23 08:32:31.000000000 +0100 @@ -60,6 +60,12 @@ #include #include "cryptlib.h" @@ -10760,8 +10778,8 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta4/cry } diff -up openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips openssl-1.0.0-beta4/crypto/rc2/rc2.h ---- openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc2/rc2.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc2/rc2.h 2009-11-23 08:32:31.000000000 +0100 @@ -79,7 +79,9 @@ typedef struct rc2_key_st RC2_INT data[64]; } RC2_KEY; @@ -10775,7 +10793,7 @@ diff -up openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips openssl-1.0.0-beta4/crypto/rc int enc); diff -up openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c --- openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c 2009-11-23 08:32:31.000000000 +0100 @@ -57,6 +57,11 @@ */ @@ -10811,7 +10829,7 @@ diff -up openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta4/cryp RC2_INT *ki; diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl --- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl 2009-11-23 08:32:31.000000000 +0100 @@ -202,4 +202,6 @@ RC4_options: .string "rc4(8x,char)" ___ @@ -10821,7 +10839,7 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta print $code; diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl --- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl 2009-11-23 08:32:31.000000000 +0100 @@ -499,6 +499,8 @@ ___ $code =~ s/#([bwd])/$1/gm; @@ -10833,7 +10851,7 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-bet close STDOUT; diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl --- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl 2009-11-23 08:32:31.000000000 +0100 @@ -166,8 +166,12 @@ $idx="edx"; &external_label("OPENSSL_ia32cap_P"); @@ -10859,7 +10877,7 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta4/ &function_begin_B("RC4_options"); diff -up openssl-1.0.0-beta4/crypto/rc4/Makefile.fips openssl-1.0.0-beta4/crypto/rc4/Makefile --- openssl-1.0.0-beta4/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/Makefile 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/Makefile 2009-11-23 08:32:31.000000000 +0100 @@ -21,8 +21,8 @@ TEST=rc4test.c APPS= @@ -10872,8 +10890,8 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/Makefile.fips openssl-1.0.0-beta4/crypto SRC= $(LIBSRC) diff -up /dev/null openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c ---- /dev/null 2009-11-04 12:00:58.801002276 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c 2009-11-12 12:36:50.000000000 +0100 +--- /dev/null 2009-11-20 08:30:43.534002215 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c 2009-11-23 08:32:31.000000000 +0100 @@ -0,0 +1,75 @@ +/* crypto/rc4/rc4_fblk.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10951,8 +10969,8 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c +#endif + diff -up openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips openssl-1.0.0-beta4/crypto/rc4/rc4.h ---- openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips 2009-11-12 12:36:50.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips 2009-11-23 08:32:31.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/rc4.h 2009-11-23 08:32:31.000000000 +0100 @@ -78,6 +78,9 @@ typedef struct rc4_key_st @@ -10965,7 +10983,7 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips openssl-1.0.0-beta4/crypto/rc unsigned char *outdata); diff -up openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c --- openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c 2009-11-23 08:32:31.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "rc4_locl.h" @@ -11004,8 +11022,8 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta4/cryp for (i=0;i<256;i++) cp[i]=i; diff -up openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta4/crypto/ripemd/ripemd.h ---- openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips 2009-11-12 12:36:50.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/ripemd/ripemd.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/ripemd/ripemd.h 2009-11-23 08:32:31.000000000 +0100 @@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st unsigned int num; } RIPEMD160_CTX; @@ -11018,7 +11036,7 @@ diff -up openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta4/cry int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); diff -up openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c --- openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c 2009-11-23 08:32:31.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "rmd_locl.h" @@ -11042,17 +11060,19 @@ diff -up openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta4/c c->A=RIPEMD160_A; diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c --- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-12 12:36:50.000000000 +0100 -@@ -114,6 +114,8 @@ ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-23 08:33:32.000000000 +0100 +@@ -114,6 +114,10 @@ #include #include #include +#include ++#ifdef OPENSSL_FIPS +#include ++#endif #ifndef RSA_NULL -@@ -138,7 +140,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={ +@@ -138,7 +142,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={ BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ RSA_eay_init, RSA_eay_finish, @@ -11061,7 +11081,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt NULL, 0, /* rsa_sign */ 0, /* rsa_verify */ -@@ -150,6 +152,16 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void) +@@ -150,6 +154,16 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void) return(&rsa_pkcs1_eay_meth); } @@ -11078,7 +11098,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { -@@ -158,6 +170,23 @@ static int RSA_eay_public_encrypt(int fl +@@ -158,6 +172,23 @@ static int RSA_eay_public_encrypt(int fl unsigned char *buf=NULL; BN_CTX *ctx=NULL; @@ -11102,7 +11122,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); -@@ -223,9 +252,7 @@ static int RSA_eay_public_encrypt(int fl +@@ -223,9 +254,7 @@ static int RSA_eay_public_encrypt(int fl goto err; } @@ -11113,7 +11133,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; -@@ -355,6 +382,23 @@ static int RSA_eay_private_encrypt(int f +@@ -355,6 +384,23 @@ static int RSA_eay_private_encrypt(int f int local_blinding = 0; BN_BLINDING *blinding = NULL; @@ -11137,7 +11157,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt if ((ctx=BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); f = BN_CTX_get(ctx); -@@ -432,9 +476,7 @@ static int RSA_eay_private_encrypt(int f +@@ -432,9 +478,7 @@ static int RSA_eay_private_encrypt(int f else d= rsa->d; @@ -11148,7 +11168,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, rsa->_method_mod_n)) goto err; -@@ -488,6 +530,23 @@ static int RSA_eay_private_decrypt(int f +@@ -488,6 +532,23 @@ static int RSA_eay_private_decrypt(int f int local_blinding = 0; BN_BLINDING *blinding = NULL; @@ -11172,7 +11192,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt if((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); f = BN_CTX_get(ctx); -@@ -555,9 +614,7 @@ static int RSA_eay_private_decrypt(int f +@@ -555,9 +616,7 @@ static int RSA_eay_private_decrypt(int f else d = rsa->d; @@ -11183,7 +11203,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, rsa->_method_mod_n)) goto err; -@@ -617,6 +674,23 @@ static int RSA_eay_public_decrypt(int fl +@@ -617,6 +676,23 @@ static int RSA_eay_public_decrypt(int fl unsigned char *buf=NULL; BN_CTX *ctx=NULL; @@ -11207,7 +11227,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); -@@ -667,9 +741,7 @@ static int RSA_eay_public_decrypt(int fl +@@ -667,9 +743,7 @@ static int RSA_eay_public_decrypt(int fl goto err; } @@ -11218,7 +11238,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; -@@ -717,6 +789,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c +@@ -717,6 +791,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c BIGNUM *r1,*m1,*vrfy; BIGNUM local_dmp1,local_dmq1,local_c,local_r1; BIGNUM *dmp1,*dmq1,*c,*pr1; @@ -11226,7 +11246,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt int ret=0; BN_CTX_start(ctx); -@@ -724,41 +797,31 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c +@@ -724,41 +799,31 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c m1 = BN_CTX_get(ctx); vrfy = BN_CTX_get(ctx); @@ -11291,7 +11311,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt /* compute I mod q */ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) -@@ -875,6 +938,9 @@ err: +@@ -875,6 +940,9 @@ err: static int RSA_eay_init(RSA *rsa) { @@ -11303,7 +11323,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt } diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_err.c --- openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_err.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_err.c 2009-11-23 08:32:31.000000000 +0100 @@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"}, @@ -11332,7 +11352,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta4/crypt {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c --- openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c 2009-11-23 08:32:31.000000000 +0100 @@ -67,6 +67,82 @@ #include "cryptlib.h" #include @@ -11459,8 +11479,8 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta4/crypt err: if (ok == -1) diff -up openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips openssl-1.0.0-beta4/crypto/rsa/rsa.h ---- openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa.h 2009-11-23 08:32:31.000000000 +0100 @@ -74,6 +74,21 @@ #error RSA is disabled. #endif @@ -11532,7 +11552,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips openssl-1.0.0-beta4/crypto/rs #define RSA_R_P_NOT_PRIME 128 diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c --- openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips 2009-08-05 17:04:16.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c 2009-11-23 08:32:31.000000000 +0100 @@ -80,6 +80,13 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -11610,7 +11630,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypt diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c --- openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c 2009-11-23 08:32:31.000000000 +0100 @@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig,&p); s=tmps; @@ -11644,7 +11664,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta4/cryp diff -up openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha_dgst.c --- openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha_dgst.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha_dgst.c 2009-11-23 08:32:31.000000000 +0100 @@ -57,6 +57,12 @@ */ @@ -11659,8 +11679,8 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta4/cryp #undef SHA_1 diff -up openssl-1.0.0-beta4/crypto/sha/sha.h.fips openssl-1.0.0-beta4/crypto/sha/sha.h ---- openssl-1.0.0-beta4/crypto/sha/sha.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/sha/sha.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha.h 2009-11-23 08:32:31.000000000 +0100 @@ -106,6 +106,9 @@ typedef struct SHAstate_st } SHA_CTX; @@ -11672,8 +11692,8 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha.h.fips openssl-1.0.0-beta4/crypto/sh int SHA_Update(SHA_CTX *c, const void *data, size_t len); int SHA_Final(unsigned char *md, SHA_CTX *c); diff -up openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta4/crypto/sha/sha_locl.h ---- openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips 2009-11-12 12:36:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha_locl.h 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips 2009-11-23 08:32:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha_locl.h 2009-11-23 08:32:31.000000000 +0100 @@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, #define INIT_DATA_h3 0x10325476UL #define INIT_DATA_h4 0xc3d2e1f0UL @@ -11692,7 +11712,7 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta4/cryp c->h1=INIT_DATA_h1; diff -up openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha1dgst.c --- openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha1dgst.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha1dgst.c 2009-11-23 08:32:31.000000000 +0100 @@ -63,6 +63,10 @@ #define SHA_1 @@ -11706,7 +11726,7 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta4/cryp diff -up openssl-1.0.0-beta4/crypto/sha/sha256.c.fips openssl-1.0.0-beta4/crypto/sha/sha256.c --- openssl-1.0.0-beta4/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha256.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha256.c 2009-11-23 08:32:31.000000000 +0100 @@ -12,12 +12,19 @@ #include @@ -11739,7 +11759,7 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha256.c.fips openssl-1.0.0-beta4/crypto c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; diff -up openssl-1.0.0-beta4/crypto/sha/sha512.c.fips openssl-1.0.0-beta4/crypto/sha/sha512.c --- openssl-1.0.0-beta4/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha512.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/sha/sha512.c 2009-11-23 08:32:31.000000000 +0100 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -11781,8 +11801,8 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha512.c.fips openssl-1.0.0-beta4/crypto : "=r"(ret) \ : "r"(a),"K"(n)); ret; }) diff -up openssl-1.0.0-beta4/Makefile.org.fips openssl-1.0.0-beta4/Makefile.org ---- openssl-1.0.0-beta4/Makefile.org.fips 2009-11-12 12:36:50.000000000 +0100 -+++ openssl-1.0.0-beta4/Makefile.org 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/Makefile.org.fips 2009-11-23 08:32:31.000000000 +0100 ++++ openssl-1.0.0-beta4/Makefile.org 2009-11-23 08:32:31.000000000 +0100 @@ -110,6 +110,9 @@ LIBKRB5= ZLIB_INCLUDE= LIBZLIB= @@ -11812,7 +11832,7 @@ diff -up openssl-1.0.0-beta4/Makefile.org.fips openssl-1.0.0-beta4/Makefile.org # which in turn eliminates ambiguities in variable treatment with -e. diff -up openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips openssl-1.0.0-beta4/ssl/ssl_ciph.c --- openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips 2009-09-13 01:18:09.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/ssl_ciph.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/ssl_ciph.c 2009-11-23 08:32:31.000000000 +0100 @@ -727,6 +727,9 @@ static void ssl_cipher_collect_ciphers(c !(c->algorithm_auth & disabled_auth) && !(c->algorithm_enc & disabled_enc) && @@ -11837,7 +11857,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips openssl-1.0.0-beta4/ssl/ssl_cip #ifdef CIPHER_DEBUG diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.fips openssl-1.0.0-beta4/ssl/ssl_lib.c --- openssl-1.0.0-beta4/ssl/ssl_lib.c.fips 2009-10-16 15:41:52.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/ssl_lib.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/ssl_lib.c 2009-11-23 08:32:31.000000000 +0100 @@ -1471,6 +1471,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m return(NULL); } @@ -11854,8 +11874,8 @@ diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.fips openssl-1.0.0-beta4/ssl/ssl_lib. { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest.c ---- openssl-1.0.0-beta4/ssl/ssltest.c.fips 2009-11-12 12:36:50.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssltest.c 2009-11-12 12:36:50.000000000 +0100 +--- openssl-1.0.0-beta4/ssl/ssltest.c.fips 2009-11-23 08:32:31.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/ssltest.c 2009-11-23 08:32:31.000000000 +0100 @@ -265,6 +265,9 @@ static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); @@ -11932,7 +11952,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. # endif diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_clnt.c --- openssl-1.0.0-beta4/ssl/s23_clnt.c.fips 2009-08-05 17:29:14.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s23_clnt.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s23_clnt.c 2009-11-23 08:32:31.000000000 +0100 @@ -335,6 +335,14 @@ static int ssl23_client_hello(SSL *s) version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; @@ -11965,7 +11985,7 @@ diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_cln } diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.fips openssl-1.0.0-beta4/ssl/s23_srvr.c --- openssl-1.0.0-beta4/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-23 08:32:31.000000000 +0100 @@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) } } @@ -11984,7 +12004,7 @@ diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.fips openssl-1.0.0-beta4/ssl/s23_srv /* we have SSLv3/TLSv1 in an SSLv2 header diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt.c --- openssl-1.0.0-beta4/ssl/s3_clnt.c.fips 2009-10-30 15:06:18.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2009-11-23 08:32:31.000000000 +0100 @@ -156,6 +156,10 @@ #include #include @@ -12007,7 +12027,7 @@ diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt. EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); diff -up openssl-1.0.0-beta4/ssl/s3_enc.c.fips openssl-1.0.0-beta4/ssl/s3_enc.c --- openssl-1.0.0-beta4/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s3_enc.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s3_enc.c 2009-11-23 08:32:31.000000000 +0100 @@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL * #endif k=0; @@ -12035,7 +12055,7 @@ diff -up openssl-1.0.0-beta4/ssl/s3_enc.c.fips openssl-1.0.0-beta4/ssl/s3_enc.c if (n < 0) diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.fips openssl-1.0.0-beta4/ssl/s3_srvr.c --- openssl-1.0.0-beta4/ssl/s3_srvr.c.fips 2009-10-30 14:22:44.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2009-11-23 08:32:31.000000000 +0100 @@ -1679,6 +1679,8 @@ int ssl3_send_server_key_exchange(SSL *s j=0; for (num=2; num > 0; num--) @@ -12047,7 +12067,7 @@ diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.fips openssl-1.0.0-beta4/ssl/s3_srvr. EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); diff -up openssl-1.0.0-beta4/ssl/t1_enc.c.fips openssl-1.0.0-beta4/ssl/t1_enc.c --- openssl-1.0.0-beta4/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/t1_enc.c 2009-11-12 12:36:50.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/t1_enc.c 2009-11-23 08:32:31.000000000 +0100 @@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md HMAC_CTX_init(&ctx); From 205ba0063b05d6a609dcc7dcb961c143c0730d64 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sat, 19 Jun 2010 19:33:41 +0000 Subject: [PATCH 17/28] - Updated to openssl 1.0.0a - Synced patches with Fedora native openssl-1.0.0a-1 --- .cvsignore | 2 +- mingw32-openssl.spec | 55 +- openssl-1.0.0-beta4-aesni.patch | 2388 +++++++++++++++++ openssl-1.0.0-beta4-backports.patch | 45 - openssl-1.0.0-beta4-binutils.patch | 56 - openssl-1.0.0-beta4-client-reneg.patch | 35 - openssl-1.0.0-beta4-dtls-ipv6.patch | 219 -- openssl-1.0.0-beta4-reneg-err.patch | 93 - openssl-1.0.0-beta4-reneg.patch | 237 -- openssl-1.0.0-beta4-version.patch | 14 - ...=> openssl-1.0.0-beta5-cipher-change.patch | 14 +- ...ch => openssl-1.0.0-beta5-enginesdir.patch | 24 +- ...tch => openssl-1.0.0-beta5-ipv6-apps.patch | 105 +- ...> openssl-1.0.0-beta5-readme-warning.patch | 22 +- openssl-1.0.0-name-hash.patch | 22 + openssl-1.0.0-timezone.patch | 21 + ...a4-fips.patch => openssl-1.0.0a-fips.patch | 1009 +++---- ...ode.patch => openssl-1.0.0a-fipsmode.patch | 49 +- openssl-1.0.0a-version.patch | 13 + sources | 2 +- 20 files changed, 3127 insertions(+), 1298 deletions(-) create mode 100644 openssl-1.0.0-beta4-aesni.patch delete mode 100644 openssl-1.0.0-beta4-backports.patch delete mode 100644 openssl-1.0.0-beta4-binutils.patch delete mode 100644 openssl-1.0.0-beta4-client-reneg.patch delete mode 100644 openssl-1.0.0-beta4-dtls-ipv6.patch delete mode 100644 openssl-1.0.0-beta4-reneg-err.patch delete mode 100644 openssl-1.0.0-beta4-reneg.patch delete mode 100644 openssl-1.0.0-beta4-version.patch rename openssl-1.0.0-beta3-cipher-change.patch => openssl-1.0.0-beta5-cipher-change.patch (61%) rename openssl-1.0.0-beta4-enginesdir.patch => openssl-1.0.0-beta5-enginesdir.patch (63%) rename openssl-1.0.0-beta3-ipv6-apps.patch => openssl-1.0.0-beta5-ipv6-apps.patch (86%) rename openssl-0.9.8j-readme-warning.patch => openssl-1.0.0-beta5-readme-warning.patch (55%) create mode 100644 openssl-1.0.0-name-hash.patch create mode 100644 openssl-1.0.0-timezone.patch rename openssl-1.0.0-beta4-fips.patch => openssl-1.0.0a-fips.patch (90%) rename openssl-1.0.0-beta3-fipsmode.patch => openssl-1.0.0a-fipsmode.patch (80%) create mode 100644 openssl-1.0.0a-version.patch diff --git a/.cvsignore b/.cvsignore index 3819647..f4623d7 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -openssl-1.0.0-beta4-usa.tar.bz2 +openssl-1.0.0a-usa.tar.bz2 diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index a956103..79cc7af 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -18,8 +18,6 @@ # 1.0.0 soversion = 10 %global soversion 10 -%global beta beta4 - # Enable the tests. # These only work some of the time, but fail randomly at other times # (although I have had them complete a few times, so I don't think @@ -30,16 +28,17 @@ %global thread_test_threads %{?threads:%{threads}}%{!?threads:1} Name: mingw32-openssl -Version: 1.0.0 -Release: 0.6.%{beta}%{?dist} +Version: 1.0.0a +Release: 1%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL Group: Development/Libraries URL: http://www.openssl.org/ -# Use the hobble-openssl script to create the source file. -Source0: openssl-%{version}-%{beta}-usa.tar.bz2 +# We remove certain patented algorithms from the openssl source tarball +# with the hobble-openssl script which is included below. +Source0: openssl-%{version}-usa.tar.bz2 Source1: hobble-openssl Source2: Makefile.certificate @@ -53,37 +52,33 @@ Source10: opensslconf-new-warning.h Patch0: openssl-1.0.0-beta4-redhat.patch Patch1: openssl-1.0.0-beta3-defaults.patch Patch3: openssl-1.0.0-beta3-soversion.patch -Patch4: openssl-1.0.0-beta4-enginesdir.patch +Patch4: openssl-1.0.0-beta5-enginesdir.patch Patch5: openssl-0.9.8a-no-rpath.patch Patch6: openssl-0.9.8b-test-use-localhost.patch +Patch7: openssl-1.0.0-timezone.patch # Bug fixes Patch23: openssl-1.0.0-beta4-default-paths.patch -Patch24: openssl-1.0.0-beta4-binutils.patch +Patch24: openssl-0.9.8j-bad-mime.patch # Functionality changes Patch32: openssl-0.9.8g-ia64.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch -Patch38: openssl-1.0.0-beta3-cipher-change.patch +Patch38: openssl-1.0.0-beta5-cipher-change.patch # Disabled this because it uses getaddrinfo which is lacking on Windows. -#Patch39: openssl-1.0.0-beta3-ipv6-apps.patch -Patch40: openssl-1.0.0-beta4-fips.patch +#Patch39: openssl-1.0.0-beta5-ipv6-apps.patch +Patch40: openssl-1.0.0a-fips.patch Patch41: openssl-1.0.0-beta3-fipscheck.patch -Patch43: openssl-1.0.0-beta3-fipsmode.patch +Patch43: openssl-1.0.0a-fipsmode.patch Patch44: openssl-1.0.0-beta3-fipsrng.patch Patch45: openssl-0.9.8j-env-nozlib.patch -Patch47: openssl-0.9.8j-readme-warning.patch -Patch48: openssl-0.9.8j-bad-mime.patch +Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch49: openssl-1.0.0-beta4-algo-doc.patch Patch50: openssl-1.0.0-beta4-dtls1-abi.patch -Patch51: openssl-1.0.0-beta4-version.patch +Patch51: openssl-1.0.0a-version.patch +Patch52: openssl-1.0.0-beta4-aesni.patch +Patch53: openssl-1.0.0-name-hash.patch # Backported fixes including security fixes -Patch60: openssl-1.0.0-beta4-reneg.patch -# This one is not backported but has to be applied after reneg patch -Patch61: openssl-1.0.0-beta4-client-reneg.patch -Patch62: openssl-1.0.0-beta4-backports.patch -Patch63: openssl-1.0.0-beta4-reneg-err.patch -Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch # MinGW-specific patches. # Use MINGW32_CFLAGS (set below) in Configure script @@ -154,7 +149,7 @@ Static version of the MinGW port of the OpenSSL toolkit. %prep -%setup -q -n openssl-%{version}-%{beta} +%setup -q -n openssl-%{version} %{SOURCE1} > /dev/null %patch0 -p1 -b .redhat @@ -163,9 +158,10 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch4 -p1 -b .enginesdir %patch5 -p1 -b .no-rpath %patch6 -p1 -b .use-localhost +%patch7 -p1 -b .timezone %patch23 -p1 -b .default-paths -%patch24 -p1 -b .binutils +%patch24 -p1 -b .bad-mime %patch32 -p1 -b .ia64 #patch33 is applied after make test @@ -179,16 +175,11 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch44 -p1 -b .fipsrng %patch45 -p1 -b .env-nozlib %patch47 -p1 -b .warning -%patch48 -p1 -b .bad-mime %patch49 -p1 -b .algo-doc %patch50 -p1 -b .dtls1-abi %patch51 -p1 -b .version - -%patch60 -p1 -b .reneg -%patch61 -p1 -b .client-reneg -%patch62 -p1 -b .backports -%patch63 -p1 -b .reneg-err -%patch64 -p1 -b .dtls-ipv6 +%patch52 -p1 -b .aesni +%patch53 -p1 -b .name-hash %patch100 -p1 -b .mingw-configure %patch101 -p1 -b .mingw-libversion @@ -352,6 +343,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sat Jun 19 2010 Kalev Lember - 1.0.0a-1 +- Updated to openssl 1.0.0a +- Synced patches with Fedora native openssl-1.0.0a-1 + * Thu Nov 26 2009 Kalev Lember - 1.0.0-0.6.beta4 - Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4) - Dropped the patch to fix non-fips mingw build, diff --git a/openssl-1.0.0-beta4-aesni.patch b/openssl-1.0.0-beta4-aesni.patch new file mode 100644 index 0000000..f57918b --- /dev/null +++ b/openssl-1.0.0-beta4-aesni.patch @@ -0,0 +1,2388 @@ +diff -up openssl-1.0.0-beta4/Configure.aesni openssl-1.0.0-beta4/Configure +--- openssl-1.0.0-beta4/Configure.aesni 2010-01-07 23:38:31.000000000 +0100 ++++ openssl-1.0.0-beta4/Configure 2010-01-12 22:18:06.000000000 +0100 +@@ -123,11 +123,11 @@ my $tlib="-lnsl -lsocket"; + my $bits1="THIRTY_TWO_BIT "; + my $bits2="SIXTY_FOUR_BIT "; + +-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes-586.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o"; ++my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes-586.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o"; + + my $x86_elf_asm="$x86_asm:elf"; + +-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o"; ++my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o aesni-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o"; + my $ia64_asm="ia64cpuid.o:bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::void"; + my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::void"; + my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::void"; +@@ -491,7 +491,7 @@ my %table=( + # + # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64 + "VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32", +-"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32", ++"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o aesni-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32", + # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement + # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE' + "VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32", +@@ -1410,6 +1410,7 @@ if ($rmd160_obj =~ /\.o$/) + if ($aes_obj =~ /\.o$/) + { + $cflags.=" -DAES_ASM"; ++ $aes_obj =~ s/\s*aesni\-x86\.o// if ($no_sse2); + } + else { + $aes_obj=$aes_enc; +diff -up openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl +--- openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl.aesni 2010-01-12 22:18:06.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl 2010-01-12 22:18:06.000000000 +0100 +@@ -0,0 +1,765 @@ ++#!/usr/bin/env perl ++ ++# ==================================================================== ++# Written by Andy Polyakov for the OpenSSL ++# project. The module is, however, dual licensed under OpenSSL and ++# CRYPTOGAMS licenses depending on where you obtain it. For further ++# details see http://www.openssl.org/~appro/cryptogams/. ++# ==================================================================== ++# ++# This module implements support for Intel AES-NI extension. In ++# OpenSSL context it's used with Intel engine, but can also be used as ++# drop-in replacement for crypto/aes/asm/aes-586.pl [see below for ++# details]. ++ ++$PREFIX="aesni"; # if $PREFIX is set to "AES", the script ++ # generates drop-in replacement for ++ # crypto/aes/asm/aes-586.pl:-) ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++push(@INC,"${dir}","${dir}../../perlasm"); ++require "x86asm.pl"; ++ ++&asm_init($ARGV[0],$0); ++ ++$movekey = eval($RREFIX eq "aseni" ? "*movaps" : "*movups"); ++ ++$len="eax"; ++$rounds="ecx"; ++$key="edx"; ++$inp="esi"; ++$out="edi"; ++$rounds_="ebx"; # backup copy for $rounds ++$key_="ebp"; # backup copy for $key ++ ++$inout0="xmm0"; ++$inout1="xmm1"; ++$inout2="xmm2"; ++$rndkey0="xmm3"; ++$rndkey1="xmm4"; ++$ivec="xmm5"; ++$in0="xmm6"; ++$in1="xmm7"; $inout3="xmm7"; ++ ++# Inline version of internal aesni_[en|de]crypt1 ++sub aesni_inline_generate1 ++{ my $p=shift; ++ ++ &$movekey ($rndkey0,&QWP(0,$key)); ++ &$movekey ($rndkey1,&QWP(16,$key)); ++ &lea ($key,&DWP(32,$key)); ++ &pxor ($inout0,$rndkey0); ++ &set_label("${p}1_loop"); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &dec ($rounds); ++ &$movekey ($rndkey1,&QWP(0,$key)); ++ &lea ($key,&DWP(16,$key)); ++ &jnz (&label("${p}1_loop")); ++ eval"&aes${p}last ($inout0,$rndkey1)"; ++} ++ ++sub aesni_generate1 # fully unrolled loop ++{ my $p=shift; ++ ++ &function_begin_B("_aesni_${p}rypt1"); ++ &$movekey ($rndkey0,&QWP(0,$key)); ++ &$movekey ($rndkey1,&QWP(0x10,$key)); ++ &cmp ($rounds,11); ++ &pxor ($inout0,$rndkey0); ++ &$movekey ($rndkey0,&QWP(0x20,$key)); ++ &lea ($key,&DWP(0x30,$key)); ++ &jb (&label("${p}128")); ++ &lea ($key,&DWP(0x20,$key)); ++ &je (&label("${p}192")); ++ &lea ($key,&DWP(0x20,$key)); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey1,&QWP(-0x40,$key)); ++ eval"&aes${p} ($inout0,$rndkey0)"; ++ &$movekey ($rndkey0,&QWP(-0x30,$key)); ++ &set_label("${p}192"); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey1,&QWP(-0x20,$key)); ++ eval"&aes${p} ($inout0,$rndkey0)"; ++ &$movekey ($rndkey0,&QWP(-0x10,$key)); ++ &set_label("${p}128"); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey1,&QWP(0,$key)); ++ eval"&aes${p} ($inout0,$rndkey0)"; ++ &$movekey ($rndkey0,&QWP(0x10,$key)); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey1,&QWP(0x20,$key)); ++ eval"&aes${p} ($inout0,$rndkey0)"; ++ &$movekey ($rndkey0,&QWP(0x30,$key)); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey1,&QWP(0x40,$key)); ++ eval"&aes${p} ($inout0,$rndkey0)"; ++ &$movekey ($rndkey0,&QWP(0x50,$key)); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey1,&QWP(0x60,$key)); ++ eval"&aes${p} ($inout0,$rndkey0)"; ++ &$movekey ($rndkey0,&QWP(0x70,$key)); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ eval"&aes${p}last ($inout0,$rndkey0)"; ++ &ret(); ++ &function_end_B("_aesni_${p}rypt1"); ++} ++ ++# void $PREFIX_encrypt (const void *inp,void *out,const AES_KEY *key); ++# &aesni_generate1("dec"); ++&function_begin_B("${PREFIX}_encrypt"); ++ &mov ("eax",&wparam(0)); ++ &mov ($key,&wparam(2)); ++ &movups ($inout0,&QWP(0,"eax")); ++ &mov ($rounds,&DWP(240,$key)); ++ &mov ("eax",&wparam(1)); ++ &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1"); ++ &movups (&QWP(0,"eax"),$inout0); ++ &ret (); ++&function_end_B("${PREFIX}_encrypt"); ++ ++# void $PREFIX_decrypt (const void *inp,void *out,const AES_KEY *key); ++# &aesni_generate1("dec"); ++&function_begin_B("${PREFIX}_decrypt"); ++ &mov ("eax",&wparam(0)); ++ &mov ($key,&wparam(2)); ++ &movups ($inout0,&QWP(0,"eax")); ++ &mov ($rounds,&DWP(240,$key)); ++ &mov ("eax",&wparam(1)); ++ &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt1"); ++ &movups (&QWP(0,"eax"),$inout0); ++ &ret (); ++&function_end_B("${PREFIX}_decrypt"); ++ ++# _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave ++# factor. Why 3x subroutine is used in loops? Even though aes[enc|dec] ++# latency is 6, it turned out that it can be scheduled only every ++# *second* cycle. Thus 3x interleave is the one providing optimal ++# utilization, i.e. when subroutine's throughput is virtually same as ++# of non-interleaved subroutine [for number of input blocks up to 3]. ++# This is why it makes no sense to implement 2x subroutine. As soon ++# as/if Intel improves throughput by making it possible to schedule ++# the instructions in question *every* cycles I would have to ++# implement 6x interleave and use it in loop... ++sub aesni_generate3 ++{ my $p=shift; ++ ++ &function_begin_B("_aesni_${p}rypt3"); ++ &$movekey ($rndkey0,&QWP(0,$key)); ++ &shr ($rounds,1); ++ &$movekey ($rndkey1,&QWP(16,$key)); ++ &lea ($key,&DWP(32,$key)); ++ &pxor ($inout0,$rndkey0); ++ &pxor ($inout1,$rndkey0); ++ &pxor ($inout2,$rndkey0); ++ &jmp (&label("${p}3_loop")); ++ &set_label("${p}3_loop",16); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey0,&QWP(0,$key)); ++ eval"&aes${p} ($inout1,$rndkey1)"; ++ &dec ($rounds); ++ eval"&aes${p} ($inout2,$rndkey1)"; ++ &$movekey ($rndkey1,&QWP(16,$key)); ++ eval"&aes${p} ($inout0,$rndkey0)"; ++ &lea ($key,&DWP(32,$key)); ++ eval"&aes${p} ($inout1,$rndkey0)"; ++ eval"&aes${p} ($inout2,$rndkey0)"; ++ &jnz (&label("${p}3_loop")); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey0,&QWP(0,$key)); ++ eval"&aes${p} ($inout1,$rndkey1)"; ++ eval"&aes${p} ($inout2,$rndkey1)"; ++ eval"&aes${p}last ($inout0,$rndkey0)"; ++ eval"&aes${p}last ($inout1,$rndkey0)"; ++ eval"&aes${p}last ($inout2,$rndkey0)"; ++ &ret(); ++ &function_end_B("_aesni_${p}rypt3"); ++} ++ ++# 4x interleave is implemented to improve small block performance, ++# most notably [and naturally] 4 block by ~30%. One can argue that one ++# should have implemented 5x as well, but improvement would be <20%, ++# so it's not worth it... ++sub aesni_generate4 ++{ my $p=shift; ++ ++ &function_begin_B("_aesni_${p}rypt4"); ++ &$movekey ($rndkey0,&QWP(0,$key)); ++ &$movekey ($rndkey1,&QWP(16,$key)); ++ &shr ($rounds,1); ++ &lea ($key,&DWP(32,$key)); ++ &pxor ($inout0,$rndkey0); ++ &pxor ($inout1,$rndkey0); ++ &pxor ($inout2,$rndkey0); ++ &pxor ($inout3,$rndkey0); ++ &jmp (&label("${p}3_loop")); ++ &set_label("${p}3_loop",16); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey0,&QWP(0,$key)); ++ eval"&aes${p} ($inout1,$rndkey1)"; ++ &dec ($rounds); ++ eval"&aes${p} ($inout2,$rndkey1)"; ++ eval"&aes${p} ($inout3,$rndkey1)"; ++ &$movekey ($rndkey1,&QWP(16,$key)); ++ eval"&aes${p} ($inout0,$rndkey0)"; ++ &lea ($key,&DWP(32,$key)); ++ eval"&aes${p} ($inout1,$rndkey0)"; ++ eval"&aes${p} ($inout2,$rndkey0)"; ++ eval"&aes${p} ($inout3,$rndkey0)"; ++ &jnz (&label("${p}3_loop")); ++ eval"&aes${p} ($inout0,$rndkey1)"; ++ &$movekey ($rndkey0,&QWP(0,$key)); ++ eval"&aes${p} ($inout1,$rndkey1)"; ++ eval"&aes${p} ($inout2,$rndkey1)"; ++ eval"&aes${p} ($inout3,$rndkey1)"; ++ eval"&aes${p}last ($inout0,$rndkey0)"; ++ eval"&aes${p}last ($inout1,$rndkey0)"; ++ eval"&aes${p}last ($inout2,$rndkey0)"; ++ eval"&aes${p}last ($inout3,$rndkey0)"; ++ &ret(); ++ &function_end_B("_aesni_${p}rypt4"); ++} ++&aesni_generate3("enc") if ($PREFIX eq "aesni"); ++&aesni_generate3("dec"); ++&aesni_generate4("enc") if ($PREFIX eq "aesni"); ++&aesni_generate4("dec"); ++ ++if ($PREFIX eq "aesni") { ++# void aesni_ecb_encrypt (const void *in, void *out, ++# size_t length, const AES_KEY *key, ++# int enc); ++&function_begin("aesni_ecb_encrypt"); ++ &mov ($inp,&wparam(0)); ++ &mov ($out,&wparam(1)); ++ &mov ($len,&wparam(2)); ++ &mov ($key,&wparam(3)); ++ &mov ($rounds,&wparam(4)); ++ &cmp ($len,16); ++ &jb (&label("ecb_ret")); ++ &and ($len,-16); ++ &test ($rounds,$rounds) ++ &mov ($rounds,&DWP(240,$key)); ++ &mov ($key_,$key); # backup $key ++ &mov ($rounds_,$rounds); # backup $rounds ++ &jz (&label("ecb_decrypt")); ++ ++ &sub ($len,0x40); ++ &jbe (&label("ecb_enc_tail")); ++ &jmp (&label("ecb_enc_loop3")); ++ ++&set_label("ecb_enc_loop3",16); ++ &movups ($inout0,&QWP(0,$inp)); ++ &movups ($inout1,&QWP(0x10,$inp)); ++ &movups ($inout2,&QWP(0x20,$inp)); ++ &call ("_aesni_encrypt3"); ++ &sub ($len,0x30); ++ &lea ($inp,&DWP(0x30,$inp)); ++ &lea ($out,&DWP(0x30,$out)); ++ &movups (&QWP(-0x30,$out),$inout0); ++ &mov ($key,$key_); # restore $key ++ &movups (&QWP(-0x20,$out),$inout1); ++ &mov ($rounds,$rounds_); # restore $rounds ++ &movups (&QWP(-0x10,$out),$inout2); ++ &ja (&label("ecb_enc_loop3")); ++ ++&set_label("ecb_enc_tail"); ++ &add ($len,0x40); ++ &jz (&label("ecb_ret")); ++ ++ &cmp ($len,0x10); ++ &movups ($inout0,&QWP(0,$inp)); ++ &je (&label("ecb_enc_one")); ++ &cmp ($len,0x20); ++ &movups ($inout1,&QWP(0x10,$inp)); ++ &je (&label("ecb_enc_two")); ++ &cmp ($len,0x30); ++ &movups ($inout2,&QWP(0x20,$inp)); ++ &je (&label("ecb_enc_three")); ++ &movups ($inout3,&QWP(0x30,$inp)); ++ &call ("_aesni_encrypt4"); ++ &movups (&QWP(0,$out),$inout0); ++ &movups (&QWP(0x10,$out),$inout1); ++ &movups (&QWP(0x20,$out),$inout2); ++ &movups (&QWP(0x30,$out),$inout3); ++ jmp (&label("ecb_ret")); ++ ++&set_label("ecb_enc_one",16); ++ &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1"); ++ &movups (&QWP(0,$out),$inout0); ++ &jmp (&label("ecb_ret")); ++ ++&set_label("ecb_enc_two",16); ++ &call ("_aesni_encrypt3"); ++ &movups (&QWP(0,$out),$inout0); ++ &movups (&QWP(0x10,$out),$inout1); ++ &jmp (&label("ecb_ret")); ++ ++&set_label("ecb_enc_three",16); ++ &call ("_aesni_encrypt3"); ++ &movups (&QWP(0,$out),$inout0); ++ &movups (&QWP(0x10,$out),$inout1); ++ &movups (&QWP(0x20,$out),$inout2); ++ &jmp (&label("ecb_ret")); ++ ++&set_label("ecb_decrypt",16); ++ &sub ($len,0x40); ++ &jbe (&label("ecb_dec_tail")); ++ &jmp (&label("ecb_dec_loop3")); ++ ++&set_label("ecb_dec_loop3",16); ++ &movups ($inout0,&QWP(0,$inp)); ++ &movups ($inout1,&QWP(0x10,$inp)); ++ &movups ($inout2,&QWP(0x20,$inp)); ++ &call ("_aesni_decrypt3"); ++ &sub ($len,0x30); ++ &lea ($inp,&DWP(0x30,$inp)); ++ &lea ($out,&DWP(0x30,$out)); ++ &movups (&QWP(-0x30,$out),$inout0); ++ &mov ($key,$key_); # restore $key ++ &movups (&QWP(-0x20,$out),$inout1); ++ &mov ($rounds,$rounds_); # restore $rounds ++ &movups (&QWP(-0x10,$out),$inout2); ++ &ja (&label("ecb_dec_loop3")); ++ ++&set_label("ecb_dec_tail"); ++ &add ($len,0x40); ++ &jz (&label("ecb_ret")); ++ ++ &cmp ($len,0x10); ++ &movups ($inout0,&QWP(0,$inp)); ++ &je (&label("ecb_dec_one")); ++ &cmp ($len,0x20); ++ &movups ($inout1,&QWP(0x10,$inp)); ++ &je (&label("ecb_dec_two")); ++ &cmp ($len,0x30); ++ &movups ($inout2,&QWP(0x20,$inp)); ++ &je (&label("ecb_dec_three")); ++ &movups ($inout3,&QWP(0x30,$inp)); ++ &call ("_aesni_decrypt4"); ++ &movups (&QWP(0,$out),$inout0); ++ &movups (&QWP(0x10,$out),$inout1); ++ &movups (&QWP(0x20,$out),$inout2); ++ &movups (&QWP(0x30,$out),$inout3); ++ &jmp (&label("ecb_ret")); ++ ++&set_label("ecb_dec_one",16); ++ &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt3"); ++ &movups (&QWP(0,$out),$inout0); ++ &jmp (&label("ecb_ret")); ++ ++&set_label("ecb_dec_two",16); ++ &call ("_aesni_decrypt3"); ++ &movups (&QWP(0,$out),$inout0); ++ &movups (&QWP(0x10,$out),$inout1); ++ &jmp (&label("ecb_ret")); ++ ++&set_label("ecb_dec_three",16); ++ &call ("_aesni_decrypt3"); ++ &movups (&QWP(0,$out),$inout0); ++ &movups (&QWP(0x10,$out),$inout1); ++ &movups (&QWP(0x20,$out),$inout2); ++ ++&set_label("ecb_ret"); ++&function_end("aesni_ecb_encrypt"); ++} ++ ++# void $PREFIX_cbc_encrypt (const void *inp, void *out, ++# size_t length, const AES_KEY *key, ++# unsigned char *ivp,const int enc); ++&function_begin("${PREFIX}_cbc_encrypt"); ++ &mov ($inp,&wparam(0)); ++ &mov ($out,&wparam(1)); ++ &mov ($len,&wparam(2)); ++ &mov ($key,&wparam(3)); ++ &test ($len,$len); ++ &mov ($key_,&wparam(4)); ++ &jz (&label("cbc_ret")); ++ ++ &cmp (&wparam(5),0); ++ &movups ($ivec,&QWP(0,$key_)); # load IV ++ &mov ($rounds,&DWP(240,$key)); ++ &mov ($key_,$key); # backup $key ++ &mov ($rounds_,$rounds); # backup $rounds ++ &je (&label("cbc_decrypt")); ++ ++ &movaps ($inout0,$ivec); ++ &cmp ($len,16); ++ &jb (&label("cbc_enc_tail")); ++ &sub ($len,16); ++ &jmp (&label("cbc_enc_loop")); ++ ++&set_label("cbc_enc_loop",16); ++ &movups ($ivec,&QWP(0,$inp)); ++ &lea ($inp,&DWP(16,$inp)); ++ &pxor ($inout0,$ivec); ++ &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt3"); ++ &sub ($len,16); ++ &lea ($out,&DWP(16,$out)); ++ &mov ($rounds,$rounds_); # restore $rounds ++ &mov ($key,$key_); # restore $key ++ &movups (&QWP(-16,$out),$inout0); ++ &jnc (&label("cbc_enc_loop")); ++ &add ($len,16); ++ &jnz (&label("cbc_enc_tail")); ++ &movaps ($ivec,$inout0); ++ &jmp (&label("cbc_ret")); ++ ++&set_label("cbc_enc_tail"); ++ &mov ("ecx",$len); # zaps $rounds ++ &data_word(0xA4F3F689); # rep movsb ++ &mov ("ecx",16); # zero tail ++ &sub ("ecx",$len); ++ &xor ("eax","eax"); # zaps $len ++ &data_word(0xAAF3F689); # rep stosb ++ &lea ($out,&DWP(-16,$out)); # rewind $out by 1 block ++ &mov ($rounds,$rounds_); # restore $rounds ++ &mov ($inp,$out); # $inp and $out are the same ++ &mov ($key,$key_); # restore $key ++ &jmp (&label("cbc_enc_loop")); ++ ++&set_label("cbc_decrypt",16); ++ &sub ($len,0x40); ++ &jbe (&label("cbc_dec_tail")); ++ &jmp (&label("cbc_dec_loop3")); ++ ++&set_label("cbc_dec_loop3",16); ++ &movups ($inout0,&QWP(0,$inp)); ++ &movups ($inout1,&QWP(0x10,$inp)); ++ &movups ($inout2,&QWP(0x20,$inp)); ++ &movaps ($in0,$inout0); ++ &movaps ($in1,$inout1); ++ &call ("_aesni_decrypt3"); ++ &sub ($len,0x30); ++ &lea ($inp,&DWP(0x30,$inp)); ++ &lea ($out,&DWP(0x30,$out)); ++ &pxor ($inout0,$ivec); ++ &pxor ($inout1,$in0); ++ &movups ($ivec,&QWP(-0x10,$inp)); ++ &pxor ($inout2,$in1); ++ &movups (&QWP(-0x30,$out),$inout0); ++ &mov ($rounds,$rounds_) # restore $rounds ++ &movups (&QWP(-0x20,$out),$inout1); ++ &mov ($key,$key_); # restore $key ++ &movups (&QWP(-0x10,$out),$inout2); ++ &ja (&label("cbc_dec_loop3")); ++ ++&set_label("cbc_dec_tail"); ++ &add ($len,0x40); ++ &jz (&label("cbc_ret")); ++ ++ &movups ($inout0,&QWP(0,$inp)); ++ &cmp ($len,0x10); ++ &movaps ($in0,$inout0); ++ &jbe (&label("cbc_dec_one")); ++ &movups ($inout1,&QWP(0x10,$inp)); ++ &cmp ($len,0x20); ++ &movaps ($in1,$inout1); ++ &jbe (&label("cbc_dec_two")); ++ &movups ($inout2,&QWP(0x20,$inp)); ++ &cmp ($len,0x30); ++ &jbe (&label("cbc_dec_three")); ++ &movups ($inout3,&QWP(0x30,$inp)); ++ &call ("_aesni_decrypt4"); ++ &movups ($rndkey0,&QWP(0x10,$inp)); ++ &movups ($rndkey1,&QWP(0x20,$inp)); ++ &pxor ($inout0,$ivec); ++ &pxor ($inout1,$in0); ++ &movups ($ivec,&QWP(0x30,$inp)); ++ &movups (&QWP(0,$out),$inout0); ++ &pxor ($inout2,$rndkey0); ++ &pxor ($inout3,$rndkey1); ++ &movups (&QWP(0x10,$out),$inout1); ++ &movups (&QWP(0x20,$out),$inout2); ++ &movaps ($inout0,$inout3); ++ &lea ($out,&DWP(0x30,$out)); ++ &jmp (&label("cbc_dec_tail_collected")); ++ ++&set_label("cbc_dec_one"); ++ &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt3"); ++ &pxor ($inout0,$ivec); ++ &movaps ($ivec,$in0); ++ &jmp (&label("cbc_dec_tail_collected")); ++ ++&set_label("cbc_dec_two"); ++ &call ("_aesni_decrypt3"); ++ &pxor ($inout0,$ivec); ++ &pxor ($inout1,$in0); ++ &movups (&QWP(0,$out),$inout0); ++ &movaps ($inout0,$inout1); ++ &movaps ($ivec,$in1); ++ &lea ($out,&DWP(0x10,$out)); ++ &jmp (&label("cbc_dec_tail_collected")); ++ ++&set_label("cbc_dec_three"); ++ &call ("_aesni_decrypt3"); ++ &pxor ($inout0,$ivec); ++ &pxor ($inout1,$in0); ++ &pxor ($inout2,$in1); ++ &movups (&QWP(0,$out),$inout0); ++ &movups (&QWP(0x10,$out),$inout1); ++ &movaps ($inout0,$inout2); ++ &movups ($ivec,&QWP(0x20,$inp)); ++ &lea ($out,&DWP(0x20,$out)); ++ ++&set_label("cbc_dec_tail_collected"); ++ &and ($len,15); ++ &jnz (&label("cbc_dec_tail_partial")); ++ &movups (&QWP(0,$out),$inout0); ++ &jmp (&label("cbc_ret")); ++ ++&set_label("cbc_dec_tail_partial"); ++ &mov ($key_,"esp"); ++ &sub ("esp",16); ++ &and ("esp",-16); ++ &movaps (&QWP(0,"esp"),$inout0); ++ &mov ($inp,"esp"); ++ &mov ("ecx",$len); ++ &data_word(0xA4F3F689); # rep movsb ++ &mov ("esp",$key_); ++ ++&set_label("cbc_ret"); ++ &mov ($key_,&wparam(4)); ++ &movups (&QWP(0,$key_),$ivec); # output IV ++&function_end("${PREFIX}_cbc_encrypt"); ++ ++# Mechanical port from aesni-x86_64.pl. ++# ++# _aesni_set_encrypt_key is private interface, ++# input: ++# "eax" const unsigned char *userKey ++# $rounds int bits ++# $key AES_KEY *key ++# output: ++# "eax" return code ++# $round rounds ++ ++&function_begin_B("_aesni_set_encrypt_key"); ++ &test ("eax","eax"); ++ &jz (&label("bad_pointer")); ++ &test ($key,$key); ++ &jz (&label("bad_pointer")); ++ ++ &movups ("xmm0",&QWP(0,"eax")); # pull first 128 bits of *userKey ++ &pxor ("xmm4","xmm4"); # low dword of xmm4 is assumed 0 ++ &lea ($key,&DWP(16,$key)); ++ &cmp ($rounds,256); ++ &je (&label("14rounds")); ++ &cmp ($rounds,192); ++ &je (&label("12rounds")); ++ &cmp ($rounds,128); ++ &jne (&label("bad_keybits")); ++ ++&set_label("10rounds",16); ++ &mov ($rounds,9); ++ &$movekey (&QWP(-16,$key),"xmm0"); # round 0 ++ &aeskeygenassist("xmm1","xmm0",0x01); # round 1 ++ &call (&label("key_128_cold")); ++ &aeskeygenassist("xmm1","xmm0",0x2); # round 2 ++ &call (&label("key_128")); ++ &aeskeygenassist("xmm1","xmm0",0x04); # round 3 ++ &call (&label("key_128")); ++ &aeskeygenassist("xmm1","xmm0",0x08); # round 4 ++ &call (&label("key_128")); ++ &aeskeygenassist("xmm1","xmm0",0x10); # round 5 ++ &call (&label("key_128")); ++ &aeskeygenassist("xmm1","xmm0",0x20); # round 6 ++ &call (&label("key_128")); ++ &aeskeygenassist("xmm1","xmm0",0x40); # round 7 ++ &call (&label("key_128")); ++ &aeskeygenassist("xmm1","xmm0",0x80); # round 8 ++ &call (&label("key_128")); ++ &aeskeygenassist("xmm1","xmm0",0x1b); # round 9 ++ &call (&label("key_128")); ++ &aeskeygenassist("xmm1","xmm0",0x36); # round 10 ++ &call (&label("key_128")); ++ &$movekey (&QWP(0,$key),"xmm0"); ++ &mov (&DWP(80,$key),$rounds); ++ &xor ("eax","eax"); ++ &ret(); ++ ++&set_label("key_128",16); ++ &$movekey (&QWP(0,$key),"xmm0"); ++ &lea ($key,&DWP(16,$key)); ++&set_label("key_128_cold"); ++ &shufps ("xmm4","xmm0",0b00010000); ++ &pxor ("xmm0","xmm4"); ++ &shufps ("xmm4","xmm0",0b10001100,); ++ &pxor ("xmm0","xmm4"); ++ &pshufd ("xmm1","xmm1",0b11111111); # critical path ++ &pxor ("xmm0","xmm1"); ++ &ret(); ++ ++&set_label("12rounds",16); ++ &movq ("xmm2",&QWP(16,"eax")); # remaining 1/3 of *userKey ++ &mov ($rounds,11); ++ &$movekey (&QWP(-16,$key),"xmm0") # round 0 ++ &aeskeygenassist("xmm1","xmm2",0x01); # round 1,2 ++ &call (&label("key_192a_cold")); ++ &aeskeygenassist("xmm1","xmm2",0x02); # round 2,3 ++ &call (&label("key_192b")); ++ &aeskeygenassist("xmm1","xmm2",0x04); # round 4,5 ++ &call (&label("key_192a")); ++ &aeskeygenassist("xmm1","xmm2",0x08); # round 5,6 ++ &call (&label("key_192b")); ++ &aeskeygenassist("xmm1","xmm2",0x10); # round 7,8 ++ &call (&label("key_192a")); ++ &aeskeygenassist("xmm1","xmm2",0x20); # round 8,9 ++ &call (&label("key_192b")); ++ &aeskeygenassist("xmm1","xmm2",0x40); # round 10,11 ++ &call (&label("key_192a")); ++ &aeskeygenassist("xmm1","xmm2",0x80); # round 11,12 ++ &call (&label("key_192b")); ++ &$movekey (&QWP(0,$key),"xmm0"); ++ &mov (&DWP(48,$key),$rounds); ++ &xor ("eax","eax"); ++ &ret(); ++ ++&set_label("key_192a",16); ++ &$movekey (&QWP(0,$key),"xmm0"); ++ &lea ($key,&DWP(16,$key)); ++&set_label("key_192a_cold",16); ++ &movaps ("xmm5","xmm2"); ++&set_label("key_192b_warm"); ++ &shufps ("xmm4","xmm0",0b00010000); ++ &movaps ("xmm3","xmm2"); ++ &pxor ("xmm0","xmm4"); ++ &shufps ("xmm4","xmm0",0b10001100); ++ &pslldq ("xmm3",4); ++ &pxor ("xmm0","xmm4"); ++ &pshufd ("xmm1","xmm1",0b01010101); # critical path ++ &pxor ("xmm2","xmm3"); ++ &pxor ("xmm0","xmm1"); ++ &pshufd ("xmm3","xmm0",0b11111111); ++ &pxor ("xmm2","xmm3"); ++ &ret(); ++ ++&set_label("key_192b",16); ++ &movaps ("xmm3","xmm0"); ++ &shufps ("xmm5","xmm0",0b01000100); ++ &$movekey (&QWP(0,$key),"xmm5"); ++ &shufps ("xmm3","xmm2",0b01001110); ++ &$movekey (&QWP(16,$key),"xmm3"); ++ &lea ($key,&DWP(32,$key)); ++ &jmp (&label("key_192b_warm")); ++ ++&set_label("14rounds",16); ++ &movups ("xmm2",&QWP(16,"eax")); # remaining half of *userKey ++ &mov ($rounds,13); ++ &lea ($key,&DWP(16,$key)); ++ &$movekey (&QWP(-32,$key),"xmm0"); # round 0 ++ &$movekey (&QWP(-16,$key),"xmm2"); # round 1 ++ &aeskeygenassist("xmm1","xmm2",0x01); # round 2 ++ &call (&label("key_256a_cold")); ++ &aeskeygenassist("xmm1","xmm0",0x01); # round 3 ++ &call (&label("key_256b")); ++ &aeskeygenassist("xmm1","xmm2",0x02); # round 4 ++ &call (&label("key_256a")); ++ &aeskeygenassist("xmm1","xmm0",0x02); # round 5 ++ &call (&label("key_256b")); ++ &aeskeygenassist("xmm1","xmm2",0x04); # round 6 ++ &call (&label("key_256a")); ++ &aeskeygenassist("xmm1","xmm0",0x04); # round 7 ++ &call (&label("key_256b")); ++ &aeskeygenassist("xmm1","xmm2",0x08); # round 8 ++ &call (&label("key_256a")); ++ &aeskeygenassist("xmm1","xmm0",0x08); # round 9 ++ &call (&label("key_256b")); ++ &aeskeygenassist("xmm1","xmm2",0x10); # round 10 ++ &call (&label("key_256a")); ++ &aeskeygenassist("xmm1","xmm0",0x10); # round 11 ++ &call (&label("key_256b")); ++ &aeskeygenassist("xmm1","xmm2",0x20); # round 12 ++ &call (&label("key_256a")); ++ &aeskeygenassist("xmm1","xmm0",0x20); # round 13 ++ &call (&label("key_256b")); ++ &aeskeygenassist("xmm1","xmm2",0x40); # round 14 ++ &call (&label("key_256a")); ++ &$movekey (&QWP(0,$key),"xmm0"); ++ &mov (&DWP(16,$key),$rounds); ++ &xor ("eax","eax"); ++ &ret(); ++ ++&set_label("key_256a",16); ++ &$movekey (&QWP(0,$key),"xmm2"); ++ &lea ($key,&DWP(16,$key)); ++&set_label("key_256a_cold"); ++ &shufps ("xmm4","xmm0",0b00010000); ++ &pxor ("xmm0","xmm4"); ++ &shufps ("xmm4","xmm0",0b10001100); ++ &pxor ("xmm0","xmm4"); ++ &pshufd ("xmm1","xmm1",0b11111111); # critical path ++ &pxor ("xmm0","xmm1"); ++ &ret(); ++ ++&set_label("key_256b",16); ++ &$movekey (&QWP(0,$key),"xmm0"); ++ &lea ($key,&DWP(16,$key)); ++ ++ &shufps ("xmm4","xmm2",0b00010000); ++ &pxor ("xmm2","xmm4"); ++ &shufps ("xmm4","xmm2",0b10001100); ++ &pxor ("xmm2","xmm4"); ++ &pshufd ("xmm1","xmm1",0b10101010); # critical path ++ &pxor ("xmm2","xmm1"); ++ &ret(); ++ ++&set_label("bad_pointer",4); ++ &mov ("eax",-1); ++ &ret (); ++&set_label("bad_keybits",4); ++ &mov ("eax",-2); ++ &ret (); ++&function_end_B("_aesni_set_encrypt_key"); ++ ++# int $PREFIX_set_encrypt_key (const unsigned char *userKey, int bits, ++# AES_KEY *key) ++&function_begin_B("${PREFIX}_set_encrypt_key"); ++ &mov ("eax",&wparam(0)); ++ &mov ($rounds,&wparam(1)); ++ &mov ($key,&wparam(2)); ++ &call ("_aesni_set_encrypt_key"); ++ &ret (); ++&function_end_B("${PREFIX}_set_encrypt_key"); ++ ++# int $PREFIX_set_decrypt_key (const unsigned char *userKey, int bits, ++# AES_KEY *key) ++&function_begin_B("${PREFIX}_set_decrypt_key"); ++ &mov ("eax",&wparam(0)); ++ &mov ($rounds,&wparam(1)); ++ &mov ($key,&wparam(2)); ++ &call ("_aesni_set_encrypt_key"); ++ &mov ($key,&wparam(2)); ++ &shl ($rounds,4) # rounds-1 after _aesni_set_encrypt_key ++ &test ("eax","eax"); ++ &jnz (&label("dec_key_ret")); ++ &lea ("eax",&DWP(16,$key,$rounds)); # end of key schedule ++ ++ &$movekey ("xmm0",&QWP(0,$key)); # just swap ++ &$movekey ("xmm1",&QWP(0,"eax")); ++ &$movekey (&QWP(0,"eax"),"xmm0"); ++ &$movekey (&QWP(0,$key),"xmm1"); ++ &lea ($key,&DWP(16,$key)); ++ &lea ("eax",&DWP(-16,"eax")); ++ ++&set_label("dec_key_inverse"); ++ &$movekey ("xmm0",&QWP(0,$key)); # swap and inverse ++ &$movekey ("xmm1",&QWP(0,"eax")); ++ &aesimc ("xmm0","xmm0"); ++ &aesimc ("xmm1","xmm1"); ++ &lea ($key,&DWP(16,$key)); ++ &lea ("eax",&DWP(-16,"eax")); ++ &cmp ("eax",$key); ++ &$movekey (&QWP(16,"eax"),"xmm0"); ++ &$movekey (&QWP(-16,$key),"xmm1"); ++ &ja (&label("dec_key_inverse")); ++ ++ &$movekey ("xmm0",&QWP(0,$key)); # inverse middle ++ &aesimc ("xmm0","xmm0"); ++ &$movekey (&QWP(0,$key),"xmm0"); ++ ++ &xor ("eax","eax"); # return success ++&set_label("dec_key_ret"); ++ &ret (); ++&function_end_B("${PREFIX}_set_decrypt_key"); ++&asciz("AES for Intel AES-NI, CRYPTOGAMS by "); ++ ++&asm_finish(); +diff -up openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl +--- openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl.aesni 2010-01-12 22:18:06.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl 2010-01-12 22:18:06.000000000 +0100 +@@ -0,0 +1,991 @@ ++#!/usr/bin/env perl ++# ++# ==================================================================== ++# Written by Andy Polyakov for the OpenSSL ++# project. The module is, however, dual licensed under OpenSSL and ++# CRYPTOGAMS licenses depending on where you obtain it. For further ++# details see http://www.openssl.org/~appro/cryptogams/. ++# ==================================================================== ++# ++# This module implements support for Intel AES-NI extension. In ++# OpenSSL context it's used with Intel engine, but can also be used as ++# drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for ++# details]. ++ ++$PREFIX="aesni"; # if $PREFIX is set to "AES", the script ++ # generates drop-in replacement for ++ # crypto/aes/asm/aes-x86_64.pl:-) ++ ++$flavour = shift; ++$output = shift; ++if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } ++ ++$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or ++die "can't locate x86_64-xlate.pl"; ++ ++open STDOUT,"| $^X $xlate $flavour $output"; ++ ++$movkey = $PREFIX eq "aesni" ? "movaps" : "movups"; ++@_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order ++ ("%rdi","%rsi","%rdx","%rcx"); # Unix order ++ ++$code=".text\n"; ++ ++$rounds="%eax"; # input to and changed by aesni_[en|de]cryptN !!! ++# this is natural Unix argument order for public $PREFIX_[ecb|cbc]_encrypt ... ++$inp="%rdi"; ++$out="%rsi"; ++$len="%rdx"; ++$key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!! ++$ivp="%r8"; # cbc ++ ++$rnds_="%r10d"; # backup copy for $rounds ++$key_="%r11"; # backup copy for $key ++ ++# %xmm register layout ++$inout0="%xmm0"; $inout1="%xmm1"; ++$inout2="%xmm2"; $inout3="%xmm3"; ++$rndkey0="%xmm4"; $rndkey1="%xmm5"; ++ ++$iv="%xmm6"; $in0="%xmm7"; # used in CBC decrypt ++$in1="%xmm8"; $in2="%xmm9"; ++ ++# Inline version of internal aesni_[en|de]crypt1. ++# ++# Why folded loop? Because aes[enc|dec] is slow enough to accommodate ++# cycles which take care of loop variables... ++{ my $sn; ++sub aesni_generate1 { ++my ($p,$key,$rounds)=@_; ++++$sn; ++$code.=<<___; ++ $movkey ($key),$rndkey0 ++ $movkey 16($key),$rndkey1 ++ lea 32($key),$key ++ pxor $rndkey0,$inout0 ++.Loop_${p}1_$sn: ++ aes${p} $rndkey1,$inout0 ++ dec $rounds ++ $movkey ($key),$rndkey1 ++ lea 16($key),$key ++ jnz .Loop_${p}1_$sn # loop body is 16 bytes ++ aes${p}last $rndkey1,$inout0 ++___ ++}} ++# void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key); ++# ++{ my ($inp,$out,$key) = @_4args; ++ ++$code.=<<___; ++.globl ${PREFIX}_encrypt ++.type ${PREFIX}_encrypt,\@abi-omnipotent ++.align 16 ++${PREFIX}_encrypt: ++ movups ($inp),$inout0 # load input ++ mov 240($key),$rounds # pull $rounds ++___ ++ &aesni_generate1("enc",$key,$rounds); ++$code.=<<___; ++ movups $inout0,($out) # output ++ ret ++.size ${PREFIX}_encrypt,.-${PREFIX}_encrypt ++ ++.globl ${PREFIX}_decrypt ++.type ${PREFIX}_decrypt,\@abi-omnipotent ++.align 16 ++${PREFIX}_decrypt: ++ movups ($inp),$inout0 # load input ++ mov 240($key),$rounds # pull $rounds ++___ ++ &aesni_generate1("dec",$key,$rounds); ++$code.=<<___; ++ movups $inout0,($out) # output ++ ret ++.size ${PREFIX}_decrypt, .-${PREFIX}_decrypt ++___ ++} ++ ++# _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave ++# factor. Why 3x subroutine is used in loops? Even though aes[enc|dec] ++# latency is 6, it turned out that it can be scheduled only every ++# *second* cycle. Thus 3x interleave is the one providing optimal ++# utilization, i.e. when subroutine's throughput is virtually same as ++# of non-interleaved subroutine [for number of input blocks up to 3]. ++# This is why it makes no sense to implement 2x subroutine. As soon ++# as/if Intel improves throughput by making it possible to schedule ++# the instructions in question *every* cycles I would have to ++# implement 6x interleave and use it in loop... ++sub aesni_generate3 { ++my $dir=shift; ++# As already mentioned it takes in $key and $rounds, which are *not* ++# preserved. $inout[0-2] is cipher/clear text... ++$code.=<<___; ++.type _aesni_${dir}rypt3,\@abi-omnipotent ++.align 16 ++_aesni_${dir}rypt3: ++ $movkey ($key),$rndkey0 ++ shr \$1,$rounds ++ $movkey 16($key),$rndkey1 ++ lea 32($key),$key ++ pxor $rndkey0,$inout0 ++ pxor $rndkey0,$inout1 ++ pxor $rndkey0,$inout2 ++ ++.L${dir}_loop3: ++ aes${dir} $rndkey1,$inout0 ++ $movkey ($key),$rndkey0 ++ aes${dir} $rndkey1,$inout1 ++ dec $rounds ++ aes${dir} $rndkey1,$inout2 ++ aes${dir} $rndkey0,$inout0 ++ $movkey 16($key),$rndkey1 ++ aes${dir} $rndkey0,$inout1 ++ lea 32($key),$key ++ aes${dir} $rndkey0,$inout2 ++ jnz .L${dir}_loop3 ++ ++ aes${dir} $rndkey1,$inout0 ++ $movkey ($key),$rndkey0 ++ aes${dir} $rndkey1,$inout1 ++ aes${dir} $rndkey1,$inout2 ++ aes${dir}last $rndkey0,$inout0 ++ aes${dir}last $rndkey0,$inout1 ++ aes${dir}last $rndkey0,$inout2 ++ ret ++.size _aesni_${dir}rypt3,.-_aesni_${dir}rypt3 ++___ ++} ++# 4x interleave is implemented to improve small block performance, ++# most notably [and naturally] 4 block by ~30%. One can argue that one ++# should have implemented 5x as well, but improvement would be <20%, ++# so it's not worth it... ++sub aesni_generate4 { ++my $dir=shift; ++# As already mentioned it takes in $key and $rounds, which are *not* ++# preserved. $inout[0-3] is cipher/clear text... ++$code.=<<___; ++.type _aesni_${dir}rypt4,\@abi-omnipotent ++.align 16 ++_aesni_${dir}rypt4: ++ $movkey ($key),$rndkey0 ++ shr \$1,$rounds ++ $movkey 16($key),$rndkey1 ++ lea 32($key),$key ++ pxor $rndkey0,$inout0 ++ pxor $rndkey0,$inout1 ++ pxor $rndkey0,$inout2 ++ pxor $rndkey0,$inout3 ++ ++.L${dir}_loop4: ++ aes${dir} $rndkey1,$inout0 ++ $movkey ($key),$rndkey0 ++ aes${dir} $rndkey1,$inout1 ++ dec $rounds ++ aes${dir} $rndkey1,$inout2 ++ aes${dir} $rndkey1,$inout3 ++ aes${dir} $rndkey0,$inout0 ++ $movkey 16($key),$rndkey1 ++ aes${dir} $rndkey0,$inout1 ++ lea 32($key),$key ++ aes${dir} $rndkey0,$inout2 ++ aes${dir} $rndkey0,$inout3 ++ jnz .L${dir}_loop4 ++ ++ aes${dir} $rndkey1,$inout0 ++ $movkey ($key),$rndkey0 ++ aes${dir} $rndkey1,$inout1 ++ aes${dir} $rndkey1,$inout2 ++ aes${dir} $rndkey1,$inout3 ++ aes${dir}last $rndkey0,$inout0 ++ aes${dir}last $rndkey0,$inout1 ++ aes${dir}last $rndkey0,$inout2 ++ aes${dir}last $rndkey0,$inout3 ++ ret ++.size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4 ++___ ++} ++&aesni_generate3("enc") if ($PREFIX eq "aesni"); ++&aesni_generate3("dec"); ++&aesni_generate4("enc") if ($PREFIX eq "aesni"); ++&aesni_generate4("dec"); ++ ++if ($PREFIX eq "aesni") { ++# void aesni_ecb_encrypt (const void *in, void *out, ++# size_t length, const AES_KEY *key, ++# int enc); ++$code.=<<___; ++.globl aesni_ecb_encrypt ++.type aesni_ecb_encrypt,\@function,5 ++.align 16 ++aesni_ecb_encrypt: ++ cmp \$16,$len # check length ++ jb .Lecb_ret ++ ++ mov 240($key),$rounds # pull $rounds ++ and \$-16,$len ++ mov $key,$key_ # backup $key ++ test %r8d,%r8d # 5th argument ++ mov $rounds,$rnds_ # backup $rounds ++ jz .Lecb_decrypt ++#--------------------------- ECB ENCRYPT ------------------------------# ++ sub \$0x40,$len ++ jbe .Lecb_enc_tail ++ jmp .Lecb_enc_loop3 ++.align 16 ++.Lecb_enc_loop3: ++ movups ($inp),$inout0 ++ movups 0x10($inp),$inout1 ++ movups 0x20($inp),$inout2 ++ call _aesni_encrypt3 ++ sub \$0x30,$len ++ lea 0x30($inp),$inp ++ lea 0x30($out),$out ++ movups $inout0,-0x30($out) ++ mov $rnds_,$rounds # restore $rounds ++ movups $inout1,-0x20($out) ++ mov $key_,$key # restore $key ++ movups $inout2,-0x10($out) ++ ja .Lecb_enc_loop3 ++ ++.Lecb_enc_tail: ++ add \$0x40,$len ++ jz .Lecb_ret ++ ++ cmp \$0x10,$len ++ movups ($inp),$inout0 ++ je .Lecb_enc_one ++ cmp \$0x20,$len ++ movups 0x10($inp),$inout1 ++ je .Lecb_enc_two ++ cmp \$0x30,$len ++ movups 0x20($inp),$inout2 ++ je .Lecb_enc_three ++ movups 0x30($inp),$inout3 ++ call _aesni_encrypt4 ++ movups $inout0,($out) ++ movups $inout1,0x10($out) ++ movups $inout2,0x20($out) ++ movups $inout3,0x30($out) ++ jmp .Lecb_ret ++.align 16 ++.Lecb_enc_one: ++___ ++ &aesni_generate1("enc",$key,$rounds); ++$code.=<<___; ++ movups $inout0,($out) ++ jmp .Lecb_ret ++.align 16 ++.Lecb_enc_two: ++ call _aesni_encrypt3 ++ movups $inout0,($out) ++ movups $inout1,0x10($out) ++ jmp .Lecb_ret ++.align 16 ++.Lecb_enc_three: ++ call _aesni_encrypt3 ++ movups $inout0,($out) ++ movups $inout1,0x10($out) ++ movups $inout2,0x20($out) ++ jmp .Lecb_ret ++ #--------------------------- ECB DECRYPT ------------------------------# ++.align 16 ++.Lecb_decrypt: ++ sub \$0x40,$len ++ jbe .Lecb_dec_tail ++ jmp .Lecb_dec_loop3 ++.align 16 ++.Lecb_dec_loop3: ++ movups ($inp),$inout0 ++ movups 0x10($inp),$inout1 ++ movups 0x20($inp),$inout2 ++ call _aesni_decrypt3 ++ sub \$0x30,$len ++ lea 0x30($inp),$inp ++ lea 0x30($out),$out ++ movups $inout0,-0x30($out) ++ mov $rnds_,$rounds # restore $rounds ++ movups $inout1,-0x20($out) ++ mov $key_,$key # restore $key ++ movups $inout2,-0x10($out) ++ ja .Lecb_dec_loop3 ++ ++.Lecb_dec_tail: ++ add \$0x40,$len ++ jz .Lecb_ret ++ ++ cmp \$0x10,$len ++ movups ($inp),$inout0 ++ je .Lecb_dec_one ++ cmp \$0x20,$len ++ movups 0x10($inp),$inout1 ++ je .Lecb_dec_two ++ cmp \$0x30,$len ++ movups 0x20($inp),$inout2 ++ je .Lecb_dec_three ++ movups 0x30($inp),$inout3 ++ call _aesni_decrypt4 ++ movups $inout0,($out) ++ movups $inout1,0x10($out) ++ movups $inout2,0x20($out) ++ movups $inout3,0x30($out) ++ jmp .Lecb_ret ++.align 16 ++.Lecb_dec_one: ++___ ++ &aesni_generate1("dec",$key,$rounds); ++$code.=<<___; ++ movups $inout0,($out) ++ jmp .Lecb_ret ++.align 16 ++.Lecb_dec_two: ++ call _aesni_decrypt3 ++ movups $inout0,($out) ++ movups $inout1,0x10($out) ++ jmp .Lecb_ret ++.align 16 ++.Lecb_dec_three: ++ call _aesni_decrypt3 ++ movups $inout0,($out) ++ movups $inout1,0x10($out) ++ movups $inout2,0x20($out) ++ ++.Lecb_ret: ++ ret ++.size aesni_ecb_encrypt,.-aesni_ecb_encrypt ++___ ++} ++ ++# void $PREFIX_cbc_encrypt (const void *inp, void *out, ++# size_t length, const AES_KEY *key, ++# unsigned char *ivp,const int enc); ++$reserved = $win64?0x40:-0x18; # used in decrypt ++$code.=<<___; ++.globl ${PREFIX}_cbc_encrypt ++.type ${PREFIX}_cbc_encrypt,\@function,6 ++.align 16 ++${PREFIX}_cbc_encrypt: ++ test $len,$len # check length ++ jz .Lcbc_ret ++ ++ mov 240($key),$rnds_ # pull $rounds ++ mov $key,$key_ # backup $key ++ test %r9d,%r9d # 6th argument ++ jz .Lcbc_decrypt ++#--------------------------- CBC ENCRYPT ------------------------------# ++ movups ($ivp),$inout0 # load iv as initial state ++ cmp \$16,$len ++ mov $rnds_,$rounds ++ jb .Lcbc_enc_tail ++ sub \$16,$len ++ jmp .Lcbc_enc_loop ++.align 16 ++.Lcbc_enc_loop: ++ movups ($inp),$inout1 # load input ++ lea 16($inp),$inp ++ pxor $inout1,$inout0 ++___ ++ &aesni_generate1("enc",$key,$rounds); ++$code.=<<___; ++ sub \$16,$len ++ lea 16($out),$out ++ mov $rnds_,$rounds # restore $rounds ++ mov $key_,$key # restore $key ++ movups $inout0,-16($out) # store output ++ jnc .Lcbc_enc_loop ++ add \$16,$len ++ jnz .Lcbc_enc_tail ++ movups $inout0,($ivp) ++ jmp .Lcbc_ret ++ ++.Lcbc_enc_tail: ++ mov $len,%rcx # zaps $key ++ xchg $inp,$out # $inp is %rsi and $out is %rdi now ++ .long 0x9066A4F3 # rep movsb ++ mov \$16,%ecx # zero tail ++ sub $len,%rcx ++ xor %eax,%eax ++ .long 0x9066AAF3 # rep stosb ++ lea -16(%rdi),%rdi # rewind $out by 1 block ++ mov $rnds_,$rounds # restore $rounds ++ mov %rdi,%rsi # $inp and $out are the same ++ mov $key_,$key # restore $key ++ xor $len,$len # len=16 ++ jmp .Lcbc_enc_loop # one more spin ++ #--------------------------- CBC DECRYPT ------------------------------# ++.align 16 ++.Lcbc_decrypt: ++___ ++$code.=<<___ if ($win64); ++ lea -0x58(%rsp),%rsp ++ movaps %xmm6,(%rsp) ++ movaps %xmm7,0x10(%rsp) ++ movaps %xmm8,0x20(%rsp) ++ movaps %xmm9,0x30(%rsp) ++.Lcbc_decrypt_body: ++___ ++$code.=<<___; ++ movups ($ivp),$iv ++ sub \$0x40,$len ++ mov $rnds_,$rounds ++ jbe .Lcbc_dec_tail ++ jmp .Lcbc_dec_loop3 ++.align 16 ++.Lcbc_dec_loop3: ++ movups ($inp),$inout0 ++ movups 0x10($inp),$inout1 ++ movups 0x20($inp),$inout2 ++ movaps $inout0,$in0 ++ movaps $inout1,$in1 ++ movaps $inout2,$in2 ++ call _aesni_decrypt3 ++ sub \$0x30,$len ++ lea 0x30($inp),$inp ++ lea 0x30($out),$out ++ pxor $iv,$inout0 ++ pxor $in0,$inout1 ++ movaps $in2,$iv ++ pxor $in1,$inout2 ++ movups $inout0,-0x30($out) ++ mov $rnds_,$rounds # restore $rounds ++ movups $inout1,-0x20($out) ++ mov $key_,$key # restore $key ++ movups $inout2,-0x10($out) ++ ja .Lcbc_dec_loop3 ++ ++.Lcbc_dec_tail: ++ add \$0x40,$len ++ movups $iv,($ivp) ++ jz .Lcbc_dec_ret ++ ++ movups ($inp),$inout0 ++ cmp \$0x10,$len ++ movaps $inout0,$in0 ++ jbe .Lcbc_dec_one ++ movups 0x10($inp),$inout1 ++ cmp \$0x20,$len ++ movaps $inout1,$in1 ++ jbe .Lcbc_dec_two ++ movups 0x20($inp),$inout2 ++ cmp \$0x30,$len ++ movaps $inout2,$in2 ++ jbe .Lcbc_dec_three ++ movups 0x30($inp),$inout3 ++ call _aesni_decrypt4 ++ pxor $iv,$inout0 ++ movups 0x30($inp),$iv ++ pxor $in0,$inout1 ++ movups $inout0,($out) ++ pxor $in1,$inout2 ++ movups $inout1,0x10($out) ++ pxor $in2,$inout3 ++ movups $inout2,0x20($out) ++ movaps $inout3,$inout0 ++ lea 0x30($out),$out ++ jmp .Lcbc_dec_tail_collected ++.align 16 ++.Lcbc_dec_one: ++___ ++ &aesni_generate1("dec",$key,$rounds); ++$code.=<<___; ++ pxor $iv,$inout0 ++ movaps $in0,$iv ++ jmp .Lcbc_dec_tail_collected ++.align 16 ++.Lcbc_dec_two: ++ call _aesni_decrypt3 ++ pxor $iv,$inout0 ++ pxor $in0,$inout1 ++ movups $inout0,($out) ++ movaps $in1,$iv ++ movaps $inout1,$inout0 ++ lea 0x10($out),$out ++ jmp .Lcbc_dec_tail_collected ++.align 16 ++.Lcbc_dec_three: ++ call _aesni_decrypt3 ++ pxor $iv,$inout0 ++ pxor $in0,$inout1 ++ movups $inout0,($out) ++ pxor $in1,$inout2 ++ movups $inout1,0x10($out) ++ movaps $in2,$iv ++ movaps $inout2,$inout0 ++ lea 0x20($out),$out ++ jmp .Lcbc_dec_tail_collected ++.align 16 ++.Lcbc_dec_tail_collected: ++ and \$15,$len ++ movups $iv,($ivp) ++ jnz .Lcbc_dec_tail_partial ++ movups $inout0,($out) ++ jmp .Lcbc_dec_ret ++.Lcbc_dec_tail_partial: ++ movaps $inout0,$reserved(%rsp) ++ mov $out,%rdi ++ mov $len,%rcx ++ lea $reserved(%rsp),%rsi ++ .long 0x9066A4F3 # rep movsb ++ ++.Lcbc_dec_ret: ++___ ++$code.=<<___ if ($win64); ++ movaps (%rsp),%xmm6 ++ movaps 0x10(%rsp),%xmm7 ++ movaps 0x20(%rsp),%xmm8 ++ movaps 0x30(%rsp),%xmm9 ++ lea 0x58(%rsp),%rsp ++___ ++$code.=<<___; ++.Lcbc_ret: ++ ret ++.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt ++___ ++ ++# int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey, ++# int bits, AES_KEY *key) ++{ my ($inp,$bits,$key) = @_4args; ++ $bits =~ s/%r/%e/; ++ ++$code.=<<___; ++.globl ${PREFIX}_set_decrypt_key ++.type ${PREFIX}_set_decrypt_key,\@abi-omnipotent ++.align 16 ++${PREFIX}_set_decrypt_key: ++ .byte 0x48,0x83,0xEC,0x08 # sub rsp,8 ++ call _aesni_set_encrypt_key ++ shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key ++ test %eax,%eax ++ jnz .Ldec_key_ret ++ lea 16($key,$bits),$inp # points at the end of key schedule ++ ++ $movkey ($key),%xmm0 # just swap ++ $movkey ($inp),%xmm1 ++ $movkey %xmm0,($inp) ++ $movkey %xmm1,($key) ++ lea 16($key),$key ++ lea -16($inp),$inp ++ ++.Ldec_key_inverse: ++ $movkey ($key),%xmm0 # swap and inverse ++ $movkey ($inp),%xmm1 ++ aesimc %xmm0,%xmm0 ++ aesimc %xmm1,%xmm1 ++ lea 16($key),$key ++ lea -16($inp),$inp ++ cmp $key,$inp ++ $movkey %xmm0,16($inp) ++ $movkey %xmm1,-16($key) ++ ja .Ldec_key_inverse ++ ++ $movkey ($key),%xmm0 # inverse middle ++ aesimc %xmm0,%xmm0 ++ $movkey %xmm0,($inp) ++.Ldec_key_ret: ++ add \$8,%rsp ++ ret ++.LSEH_end_set_decrypt_key: ++.size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key ++___ ++ ++# This is based on submission by ++# ++# Huang Ying ++# Vinodh Gopal ++# Kahraman Akdemir ++# ++# Agressively optimized in respect to aeskeygenassist's critical path ++# and is contained in %xmm0-5 to meet Win64 ABI requirement. ++# ++$code.=<<___; ++.globl ${PREFIX}_set_encrypt_key ++.type ${PREFIX}_set_encrypt_key,\@abi-omnipotent ++.align 16 ++${PREFIX}_set_encrypt_key: ++_aesni_set_encrypt_key: ++ .byte 0x48,0x83,0xEC,0x08 # sub rsp,8 ++ test $inp,$inp ++ mov \$-1,%rax ++ jz .Lenc_key_ret ++ test $key,$key ++ jz .Lenc_key_ret ++ ++ movups ($inp),%xmm0 # pull first 128 bits of *userKey ++ pxor %xmm4,%xmm4 # low dword of xmm4 is assumed 0 ++ lea 16($key),%rax ++ cmp \$256,$bits ++ je .L14rounds ++ cmp \$192,$bits ++ je .L12rounds ++ cmp \$128,$bits ++ jne .Lbad_keybits ++ ++.L10rounds: ++ mov \$9,$bits # 10 rounds for 128-bit key ++ $movkey %xmm0,($key) # round 0 ++ aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1 ++ call .Lkey_expansion_128_cold ++ aeskeygenassist \$0x2,%xmm0,%xmm1 # round 2 ++ call .Lkey_expansion_128 ++ aeskeygenassist \$0x4,%xmm0,%xmm1 # round 3 ++ call .Lkey_expansion_128 ++ aeskeygenassist \$0x8,%xmm0,%xmm1 # round 4 ++ call .Lkey_expansion_128 ++ aeskeygenassist \$0x10,%xmm0,%xmm1 # round 5 ++ call .Lkey_expansion_128 ++ aeskeygenassist \$0x20,%xmm0,%xmm1 # round 6 ++ call .Lkey_expansion_128 ++ aeskeygenassist \$0x40,%xmm0,%xmm1 # round 7 ++ call .Lkey_expansion_128 ++ aeskeygenassist \$0x80,%xmm0,%xmm1 # round 8 ++ call .Lkey_expansion_128 ++ aeskeygenassist \$0x1b,%xmm0,%xmm1 # round 9 ++ call .Lkey_expansion_128 ++ aeskeygenassist \$0x36,%xmm0,%xmm1 # round 10 ++ call .Lkey_expansion_128 ++ $movkey %xmm0,(%rax) ++ mov $bits,80(%rax) # 240(%rdx) ++ xor %eax,%eax ++ jmp .Lenc_key_ret ++ ++.align 16 ++.L12rounds: ++ movq 16($inp),%xmm2 # remaining 1/3 of *userKey ++ mov \$11,$bits # 12 rounds for 192 ++ $movkey %xmm0,($key) # round 0 ++ aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2 ++ call .Lkey_expansion_192a_cold ++ aeskeygenassist \$0x2,%xmm2,%xmm1 # round 2,3 ++ call .Lkey_expansion_192b ++ aeskeygenassist \$0x4,%xmm2,%xmm1 # round 4,5 ++ call .Lkey_expansion_192a ++ aeskeygenassist \$0x8,%xmm2,%xmm1 # round 5,6 ++ call .Lkey_expansion_192b ++ aeskeygenassist \$0x10,%xmm2,%xmm1 # round 7,8 ++ call .Lkey_expansion_192a ++ aeskeygenassist \$0x20,%xmm2,%xmm1 # round 8,9 ++ call .Lkey_expansion_192b ++ aeskeygenassist \$0x40,%xmm2,%xmm1 # round 10,11 ++ call .Lkey_expansion_192a ++ aeskeygenassist \$0x80,%xmm2,%xmm1 # round 11,12 ++ call .Lkey_expansion_192b ++ $movkey %xmm0,(%rax) ++ mov $bits,48(%rax) # 240(%rdx) ++ xor %rax, %rax ++ jmp .Lenc_key_ret ++ ++.align 16 ++.L14rounds: ++ movups 16($inp),%xmm2 # remaning half of *userKey ++ mov \$13,$bits # 14 rounds for 256 ++ lea 16(%rax),%rax ++ $movkey %xmm0,($key) # round 0 ++ $movkey %xmm2,16($key) # round 1 ++ aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2 ++ call .Lkey_expansion_256a_cold ++ aeskeygenassist \$0x1,%xmm0,%xmm1 # round 3 ++ call .Lkey_expansion_256b ++ aeskeygenassist \$0x2,%xmm2,%xmm1 # round 4 ++ call .Lkey_expansion_256a ++ aeskeygenassist \$0x2,%xmm0,%xmm1 # round 5 ++ call .Lkey_expansion_256b ++ aeskeygenassist \$0x4,%xmm2,%xmm1 # round 6 ++ call .Lkey_expansion_256a ++ aeskeygenassist \$0x4,%xmm0,%xmm1 # round 7 ++ call .Lkey_expansion_256b ++ aeskeygenassist \$0x8,%xmm2,%xmm1 # round 8 ++ call .Lkey_expansion_256a ++ aeskeygenassist \$0x8,%xmm0,%xmm1 # round 9 ++ call .Lkey_expansion_256b ++ aeskeygenassist \$0x10,%xmm2,%xmm1 # round 10 ++ call .Lkey_expansion_256a ++ aeskeygenassist \$0x10,%xmm0,%xmm1 # round 11 ++ call .Lkey_expansion_256b ++ aeskeygenassist \$0x20,%xmm2,%xmm1 # round 12 ++ call .Lkey_expansion_256a ++ aeskeygenassist \$0x20,%xmm0,%xmm1 # round 13 ++ call .Lkey_expansion_256b ++ aeskeygenassist \$0x40,%xmm2,%xmm1 # round 14 ++ call .Lkey_expansion_256a ++ $movkey %xmm0,(%rax) ++ mov $bits,16(%rax) # 240(%rdx) ++ xor %rax,%rax ++ jmp .Lenc_key_ret ++ ++.align 16 ++.Lbad_keybits: ++ mov \$-2,%rax ++.Lenc_key_ret: ++ add \$8,%rsp ++ ret ++.LSEH_end_set_encrypt_key: ++ ++.align 16 ++.Lkey_expansion_128: ++ $movkey %xmm0,(%rax) ++ lea 16(%rax),%rax ++.Lkey_expansion_128_cold: ++ shufps \$0b00010000,%xmm0,%xmm4 ++ pxor %xmm4, %xmm0 ++ shufps \$0b10001100,%xmm0,%xmm4 ++ pxor %xmm4, %xmm0 ++ pshufd \$0b11111111,%xmm1,%xmm1 # critical path ++ pxor %xmm1,%xmm0 ++ ret ++ ++.align 16 ++.Lkey_expansion_192a: ++ $movkey %xmm0,(%rax) ++ lea 16(%rax),%rax ++.Lkey_expansion_192a_cold: ++ movaps %xmm2, %xmm5 ++.Lkey_expansion_192b_warm: ++ shufps \$0b00010000,%xmm0,%xmm4 ++ movaps %xmm2,%xmm3 ++ pxor %xmm4,%xmm0 ++ shufps \$0b10001100,%xmm0,%xmm4 ++ pslldq \$4,%xmm3 ++ pxor %xmm4,%xmm0 ++ pshufd \$0b01010101,%xmm1,%xmm1 # critical path ++ pxor %xmm3,%xmm2 ++ pxor %xmm1,%xmm0 ++ pshufd \$0b11111111,%xmm0,%xmm3 ++ pxor %xmm3,%xmm2 ++ ret ++ ++.align 16 ++.Lkey_expansion_192b: ++ movaps %xmm0,%xmm3 ++ shufps \$0b01000100,%xmm0,%xmm5 ++ $movkey %xmm5,(%rax) ++ shufps \$0b01001110,%xmm2,%xmm3 ++ $movkey %xmm3,16(%rax) ++ lea 32(%rax),%rax ++ jmp .Lkey_expansion_192b_warm ++ ++.align 16 ++.Lkey_expansion_256a: ++ $movkey %xmm2,(%rax) ++ lea 16(%rax),%rax ++.Lkey_expansion_256a_cold: ++ shufps \$0b00010000,%xmm0,%xmm4 ++ pxor %xmm4,%xmm0 ++ shufps \$0b10001100,%xmm0,%xmm4 ++ pxor %xmm4,%xmm0 ++ pshufd \$0b11111111,%xmm1,%xmm1 # critical path ++ pxor %xmm1,%xmm0 ++ ret ++ ++.align 16 ++.Lkey_expansion_256b: ++ $movkey %xmm0,(%rax) ++ lea 16(%rax),%rax ++ ++ shufps \$0b00010000,%xmm2,%xmm4 ++ pxor %xmm4,%xmm2 ++ shufps \$0b10001100,%xmm2,%xmm4 ++ pxor %xmm4,%xmm2 ++ pshufd \$0b10101010,%xmm1,%xmm1 # critical path ++ pxor %xmm1,%xmm2 ++ ret ++.size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key ++___ ++} ++ ++$code.=<<___; ++.asciz "AES for Intel AES-NI, CRYPTOGAMS by " ++.align 64 ++___ ++ ++# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame, ++# CONTEXT *context,DISPATCHER_CONTEXT *disp) ++if ($win64) { ++$rec="%rcx"; ++$frame="%rdx"; ++$context="%r8"; ++$disp="%r9"; ++ ++$code.=<<___; ++.extern __imp_RtlVirtualUnwind ++.type cbc_se_handler,\@abi-omnipotent ++.align 16 ++cbc_se_handler: ++ push %rsi ++ push %rdi ++ push %rbx ++ push %rbp ++ push %r12 ++ push %r13 ++ push %r14 ++ push %r15 ++ pushfq ++ sub \$64,%rsp ++ ++ mov 152($context),%rax # pull context->Rsp ++ mov 248($context),%rbx # pull context->Rip ++ ++ lea .Lcbc_decrypt(%rip),%r10 ++ cmp %r10,%rbx # context->Rip<"prologue" label ++ jb .Lin_prologue ++ ++ lea .Lcbc_decrypt_body(%rip),%r10 ++ cmp %r10,%rbx # context->RipRip>="epilogue" label ++ jae .Lin_prologue ++ ++ lea 0(%rax),%rsi # top of stack ++ lea 512($context),%rdi # &context.Xmm6 ++ mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax) ++ .long 0xa548f3fc # cld; rep movsq ++ lea 0x58(%rax),%rax # adjust stack pointer ++ jmp .Lin_prologue ++ ++.Lrestore_rax: ++ mov 120($context),%rax ++.Lin_prologue: ++ mov 8(%rax),%rdi ++ mov 16(%rax),%rsi ++ mov %rax,152($context) # restore context->Rsp ++ mov %rsi,168($context) # restore context->Rsi ++ mov %rdi,176($context) # restore context->Rdi ++ ++ jmp .Lcommon_seh_exit ++.size cbc_se_handler,.-cbc_se_handler ++ ++.type ecb_se_handler,\@abi-omnipotent ++.align 16 ++ecb_se_handler: ++ push %rsi ++ push %rdi ++ push %rbx ++ push %rbp ++ push %r12 ++ push %r13 ++ push %r14 ++ push %r15 ++ pushfq ++ sub \$64,%rsp ++ ++ mov 152($context),%rax # pull context->Rsp ++ mov 8(%rax),%rdi ++ mov 16(%rax),%rsi ++ mov %rsi,168($context) # restore context->Rsi ++ mov %rdi,176($context) # restore context->Rdi ++ ++.Lcommon_seh_exit: ++ ++ mov 40($disp),%rdi # disp->ContextRecord ++ mov $context,%rsi # context ++ mov \$154,%ecx # sizeof(CONTEXT) ++ .long 0xa548f3fc # cld; rep movsq ++ ++ mov $disp,%rsi ++ xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER ++ mov 8(%rsi),%rdx # arg2, disp->ImageBase ++ mov 0(%rsi),%r8 # arg3, disp->ControlPc ++ mov 16(%rsi),%r9 # arg4, disp->FunctionEntry ++ mov 40(%rsi),%r10 # disp->ContextRecord ++ lea 56(%rsi),%r11 # &disp->HandlerData ++ lea 24(%rsi),%r12 # &disp->EstablisherFrame ++ mov %r10,32(%rsp) # arg5 ++ mov %r11,40(%rsp) # arg6 ++ mov %r12,48(%rsp) # arg7 ++ mov %rcx,56(%rsp) # arg8, (NULL) ++ call *__imp_RtlVirtualUnwind(%rip) ++ ++ mov \$1,%eax # ExceptionContinueSearch ++ add \$64,%rsp ++ popfq ++ pop %r15 ++ pop %r14 ++ pop %r13 ++ pop %r12 ++ pop %rbp ++ pop %rbx ++ pop %rdi ++ pop %rsi ++ ret ++.size cbc_se_handler,.-cbc_se_handler ++ ++.section .pdata ++.align 4 ++ .rva .LSEH_begin_${PREFIX}_ecb_encrypt ++ .rva .LSEH_end_${PREFIX}_ecb_encrypt ++ .rva .LSEH_info_ecb ++ ++ .rva .LSEH_begin_${PREFIX}_cbc_encrypt ++ .rva .LSEH_end_${PREFIX}_cbc_encrypt ++ .rva .LSEH_info_cbc ++ ++ .rva ${PREFIX}_set_decrypt_key ++ .rva .LSEH_end_set_decrypt_key ++ .rva .LSEH_info_key ++ ++ .rva ${PREFIX}_set_encrypt_key ++ .rva .LSEH_end_set_encrypt_key ++ .rva .LSEH_info_key ++.section .xdata ++.align 8 ++.LSEH_info_ecb: ++ .byte 9,0,0,0 ++ .rva ecb_se_handler ++.LSEH_info_cbc: ++ .byte 9,0,0,0 ++ .rva cbc_se_handler ++.LSEH_info_key: ++ .byte 0x01,0x04,0x01,0x00 ++ .byte 0x04,0x02,0x00,0x00 ++___ ++} ++ ++sub rex { ++ local *opcode=shift; ++ my ($dst,$src)=@_; ++ ++ if ($dst>=8 || $src>=8) { ++ $rex=0x40; ++ $rex|=0x04 if($dst>=8); ++ $rex|=0x01 if($src>=8); ++ push @opcode,$rex; ++ } ++} ++ ++sub aesni { ++ my $line=shift; ++ my @opcode=(0x66); ++ ++ if ($line=~/(aeskeygenassist)\s+\$([x0-9a-f]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) { ++ rex(\@opcode,$4,$3); ++ push @opcode,0x0f,0x3a,0xdf; ++ push @opcode,0xc0|($3&7)|(($4&7)<<3); # ModR/M ++ my $c=$2; ++ push @opcode,$c=~/^0/?oct($c):$c; ++ return ".byte\t".join(',',@opcode); ++ } ++ elsif ($line=~/(aes[a-z]+)\s+%xmm([0-9]+),\s*%xmm([0-9]+)/) { ++ my %opcodelet = ( ++ "aesimc" => 0xdb, ++ "aesenc" => 0xdc, "aesenclast" => 0xdd, ++ "aesdec" => 0xde, "aesdeclast" => 0xdf ++ ); ++ return undef if (!defined($opcodelet{$1})); ++ rex(\@opcode,$3,$2); ++ push @opcode,0x0f,0x38,$opcodelet{$1}; ++ push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M ++ return ".byte\t".join(',',@opcode); ++ } ++ return $line; ++} ++ ++$code =~ s/\`([^\`]*)\`/eval($1)/gem; ++$code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem; ++ ++print $code; ++ ++close STDOUT; +diff -up openssl-1.0.0-beta4/crypto/aes/Makefile.aesni openssl-1.0.0-beta4/crypto/aes/Makefile +--- openssl-1.0.0-beta4/crypto/aes/Makefile.aesni 2008-12-23 12:33:00.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/aes/Makefile 2010-01-12 22:18:06.000000000 +0100 +@@ -50,9 +50,13 @@ aes-ia64.s: asm/aes-ia64.S + + aes-586.s: asm/aes-586.pl ../perlasm/x86asm.pl + $(PERL) asm/aes-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@ ++aesni-x86.s: asm/aesni-x86.pl ../perlasm/x86asm.pl ++ $(PERL) asm/aesni-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@ + + aes-x86_64.s: asm/aes-x86_64.pl + $(PERL) asm/aes-x86_64.pl $(PERLASM_SCHEME) > $@ ++aesni-x86_64.s: asm/aesni-x86_64.pl ++ $(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) > $@ + + aes-sparcv9.s: asm/aes-sparcv9.pl + $(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@ +diff -up openssl-1.0.0-beta4/crypto/engine/eng_aesni.c.aesni openssl-1.0.0-beta4/crypto/engine/eng_aesni.c +--- openssl-1.0.0-beta4/crypto/engine/eng_aesni.c.aesni 2010-01-12 22:18:06.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/engine/eng_aesni.c 2010-01-12 22:18:06.000000000 +0100 +@@ -0,0 +1,413 @@ ++/* ++ * Support for Intel AES-NI intruction set ++ * Author: Huang Ying ++ * ++ * Intel AES-NI is a new set of Single Instruction Multiple Data ++ * (SIMD) instructions that are going to be introduced in the next ++ * generation of Intel processor, as of 2009. These instructions ++ * enable fast and secure data encryption and decryption, using the ++ * Advanced Encryption Standard (AES), defined by FIPS Publication ++ * number 197. The architecture introduces six instructions that ++ * offer full hardware support for AES. Four of them support high ++ * performance data encryption and decryption, and the other two ++ * instructions support the AES key expansion procedure. ++ * ++ * The white paper can be downloaded from: ++ * http://softwarecommunity.intel.com/isn/downloads/intelavx/AES-Instructions-Set_WP.pdf ++ * ++ * This file is based on engines/e_padlock.c ++ */ ++ ++/* ==================================================================== ++ * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++ ++#include ++ ++#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AES_NI) && !defined(OPENSSL_NO_AES) ++ ++#include ++#include "cryptlib.h" ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* AES-NI is available *ONLY* on some x86 CPUs. Not only that it ++ doesn't exist elsewhere, but it even can't be compiled on other ++ platforms! */ ++#undef COMPILE_HW_AESNI ++#if (defined(__x86_64) || defined(__x86_64__) || \ ++ defined(_M_AMD64) || defined(_M_X64) || \ ++ defined(OPENSSL_IA32_SSE2)) && !defined(OPENSSL_NO_ASM) ++#define COMPILE_HW_AESNI ++static ENGINE *ENGINE_aesni (void); ++#endif ++ ++void ENGINE_load_aesni (void) ++{ ++/* On non-x86 CPUs it just returns. */ ++#ifdef COMPILE_HW_AESNI ++ ENGINE *toadd = ENGINE_aesni(); ++ if (!toadd) ++ return; ++ ENGINE_add (toadd); ++ ENGINE_register_complete (toadd); ++ ENGINE_free (toadd); ++ ERR_clear_error (); ++#endif ++} ++ ++#ifdef COMPILE_HW_AESNI ++int aesni_set_encrypt_key(const unsigned char *userKey, int bits, ++ AES_KEY *key); ++int aesni_set_decrypt_key(const unsigned char *userKey, int bits, ++ AES_KEY *key); ++ ++void aesni_encrypt(const unsigned char *in, unsigned char *out, ++ const AES_KEY *key); ++void aesni_decrypt(const unsigned char *in, unsigned char *out, ++ const AES_KEY *key); ++ ++void aesni_ecb_encrypt(const unsigned char *in, ++ unsigned char *out, ++ size_t length, ++ const AES_KEY *key, ++ int enc); ++void aesni_cbc_encrypt(const unsigned char *in, ++ unsigned char *out, ++ size_t length, ++ const AES_KEY *key, ++ unsigned char *ivec, int enc); ++ ++/* Function for ENGINE detection and control */ ++static int aesni_init(ENGINE *e); ++ ++/* Cipher Stuff */ ++static int aesni_ciphers(ENGINE *e, const EVP_CIPHER **cipher, ++ const int **nids, int nid); ++ ++#define AESNI_MIN_ALIGN 16 ++#define AESNI_ALIGN(x) \ ++ ((void *)(((unsigned long)(x)+AESNI_MIN_ALIGN-1)&~(AESNI_MIN_ALIGN-1))) ++ ++/* Engine names */ ++static const char aesni_id[] = "aesni", ++ aesni_name[] = "Intel AES-NI engine", ++ no_aesni_name[] = "Intel AES-NI engine (no-aesni)"; ++ ++/* ===== Engine "management" functions ===== */ ++ ++#if defined(_WIN32) ++typedef unsigned __int64 IA32CAP; ++#else ++typedef unsigned long long IA32CAP; ++#endif ++ ++/* Prepare the ENGINE structure for registration */ ++static int ++aesni_bind_helper(ENGINE *e) ++{ ++ int engage; ++ if (sizeof(OPENSSL_ia32cap_P) > 4) { ++ engage = (OPENSSL_ia32cap_P >> 57) & 1; ++ } else { ++ IA32CAP OPENSSL_ia32_cpuid(void); ++ engage = (OPENSSL_ia32_cpuid() >> 57) & 1; ++ } ++ ++ /* Register everything or return with an error */ ++ if (!ENGINE_set_id(e, aesni_id) || ++ !ENGINE_set_name(e, engage ? aesni_name : no_aesni_name) || ++ ++ !ENGINE_set_init_function(e, aesni_init) || ++ (engage && !ENGINE_set_ciphers (e, aesni_ciphers)) ++ ) ++ return 0; ++ ++ /* Everything looks good */ ++ return 1; ++} ++ ++/* Constructor */ ++static ENGINE * ++ENGINE_aesni(void) ++{ ++ ENGINE *eng = ENGINE_new(); ++ ++ if (!eng) { ++ return NULL; ++ } ++ ++ if (!aesni_bind_helper(eng)) { ++ ENGINE_free(eng); ++ return NULL; ++ } ++ ++ return eng; ++} ++ ++/* Check availability of the engine */ ++static int ++aesni_init(ENGINE *e) ++{ ++ return 1; ++} ++ ++#if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb) ++#define NID_aes_128_cfb NID_aes_128_cfb128 ++#endif ++ ++#if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb) ++#define NID_aes_128_ofb NID_aes_128_ofb128 ++#endif ++ ++#if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb) ++#define NID_aes_192_cfb NID_aes_192_cfb128 ++#endif ++ ++#if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb) ++#define NID_aes_192_ofb NID_aes_192_ofb128 ++#endif ++ ++#if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb) ++#define NID_aes_256_cfb NID_aes_256_cfb128 ++#endif ++ ++#if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb) ++#define NID_aes_256_ofb NID_aes_256_ofb128 ++#endif ++ ++/* List of supported ciphers. */ ++static int aesni_cipher_nids[] = { ++ NID_aes_128_ecb, ++ NID_aes_128_cbc, ++ NID_aes_128_cfb, ++ NID_aes_128_ofb, ++ ++ NID_aes_192_ecb, ++ NID_aes_192_cbc, ++ NID_aes_192_cfb, ++ NID_aes_192_ofb, ++ ++ NID_aes_256_ecb, ++ NID_aes_256_cbc, ++ NID_aes_256_cfb, ++ NID_aes_256_ofb, ++}; ++static int aesni_cipher_nids_num = ++ (sizeof(aesni_cipher_nids)/sizeof(aesni_cipher_nids[0])); ++ ++typedef struct ++{ ++ AES_KEY ks; ++ unsigned int _pad1[3]; ++} AESNI_KEY; ++ ++static int ++aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *user_key, ++ const unsigned char *iv, int enc) ++{ ++ int ret; ++ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data); ++ ++ if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE ++ || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE ++ || enc) ++ ret=aesni_set_encrypt_key(user_key, ctx->key_len * 8, key); ++ else ++ ret=aesni_set_decrypt_key(user_key, ctx->key_len * 8, key); ++ ++ if(ret < 0) { ++ EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++static int aesni_cipher_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data); ++ aesni_ecb_encrypt(in, out, inl, key, ctx->encrypt); ++ return 1; ++} ++static int aesni_cipher_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data); ++ aesni_cbc_encrypt(in, out, inl, key, ++ ctx->iv, ctx->encrypt); ++ return 1; ++} ++static int aesni_cipher_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data); ++ CRYPTO_cfb128_encrypt(in, out, inl, key, ctx->iv, ++ &ctx->num, ctx->encrypt, ++ (block128_f)aesni_encrypt); ++ return 1; ++} ++static int aesni_cipher_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data); ++ CRYPTO_ofb128_encrypt(in, out, inl, key, ctx->iv, ++ &ctx->num, (block128_f)aesni_encrypt); ++ return 1; ++} ++ ++#define AES_BLOCK_SIZE 16 ++ ++#define EVP_CIPHER_block_size_ECB AES_BLOCK_SIZE ++#define EVP_CIPHER_block_size_CBC AES_BLOCK_SIZE ++#define EVP_CIPHER_block_size_OFB 1 ++#define EVP_CIPHER_block_size_CFB 1 ++ ++/* Declaring so many ciphers by hand would be a pain. ++ Instead introduce a bit of preprocessor magic :-) */ ++#define DECLARE_AES_EVP(ksize,lmode,umode) \ ++static const EVP_CIPHER aesni_##ksize##_##lmode = { \ ++ NID_aes_##ksize##_##lmode, \ ++ EVP_CIPHER_block_size_##umode, \ ++ ksize / 8, \ ++ AES_BLOCK_SIZE, \ ++ 0 | EVP_CIPH_##umode##_MODE, \ ++ aesni_init_key, \ ++ aesni_cipher_##lmode, \ ++ NULL, \ ++ sizeof(AESNI_KEY), \ ++ EVP_CIPHER_set_asn1_iv, \ ++ EVP_CIPHER_get_asn1_iv, \ ++ NULL, \ ++ NULL \ ++} ++ ++DECLARE_AES_EVP(128,ecb,ECB); ++DECLARE_AES_EVP(128,cbc,CBC); ++DECLARE_AES_EVP(128,cfb,CFB); ++DECLARE_AES_EVP(128,ofb,OFB); ++ ++DECLARE_AES_EVP(192,ecb,ECB); ++DECLARE_AES_EVP(192,cbc,CBC); ++DECLARE_AES_EVP(192,cfb,CFB); ++DECLARE_AES_EVP(192,ofb,OFB); ++ ++DECLARE_AES_EVP(256,ecb,ECB); ++DECLARE_AES_EVP(256,cbc,CBC); ++DECLARE_AES_EVP(256,cfb,CFB); ++DECLARE_AES_EVP(256,ofb,OFB); ++ ++static int ++aesni_ciphers (ENGINE *e, const EVP_CIPHER **cipher, ++ const int **nids, int nid) ++{ ++ /* No specific cipher => return a list of supported nids ... */ ++ if (!cipher) { ++ *nids = aesni_cipher_nids; ++ return aesni_cipher_nids_num; ++ } ++ ++ /* ... or the requested "cipher" otherwise */ ++ switch (nid) { ++ case NID_aes_128_ecb: ++ *cipher = &aesni_128_ecb; ++ break; ++ case NID_aes_128_cbc: ++ *cipher = &aesni_128_cbc; ++ break; ++ case NID_aes_128_cfb: ++ *cipher = &aesni_128_cfb; ++ break; ++ case NID_aes_128_ofb: ++ *cipher = &aesni_128_ofb; ++ break; ++ ++ case NID_aes_192_ecb: ++ *cipher = &aesni_192_ecb; ++ break; ++ case NID_aes_192_cbc: ++ *cipher = &aesni_192_cbc; ++ break; ++ case NID_aes_192_cfb: ++ *cipher = &aesni_192_cfb; ++ break; ++ case NID_aes_192_ofb: ++ *cipher = &aesni_192_ofb; ++ break; ++ ++ case NID_aes_256_ecb: ++ *cipher = &aesni_256_ecb; ++ break; ++ case NID_aes_256_cbc: ++ *cipher = &aesni_256_cbc; ++ break; ++ case NID_aes_256_cfb: ++ *cipher = &aesni_256_cfb; ++ break; ++ case NID_aes_256_ofb: ++ *cipher = &aesni_256_ofb; ++ break; ++ ++ default: ++ /* Sorry, we don't support this NID */ ++ *cipher = NULL; ++ return 0; ++ } ++ ++ return 1; ++} ++ ++#endif /* COMPILE_HW_AESNI */ ++#endif /* !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) && !defined(OPENSSL_NO_AES) */ +diff -up openssl-1.0.0-beta4/crypto/engine/eng_all.c.aesni openssl-1.0.0-beta4/crypto/engine/eng_all.c +--- openssl-1.0.0-beta4/crypto/engine/eng_all.c.aesni 2010-01-07 23:38:31.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/engine/eng_all.c 2010-01-12 22:18:06.000000000 +0100 +@@ -85,6 +85,9 @@ void ENGINE_load_builtin_engines(void) + #if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)) + ENGINE_load_cryptodev(); + #endif ++#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) ++ ENGINE_load_aesni(); ++#endif + ENGINE_load_dynamic(); + #ifndef OPENSSL_NO_STATIC_ENGINE + #ifndef OPENSSL_NO_HW +diff -up openssl-1.0.0-beta4/crypto/engine/engine.h.aesni openssl-1.0.0-beta4/crypto/engine/engine.h +--- openssl-1.0.0-beta4/crypto/engine/engine.h.aesni 2010-01-07 23:38:30.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/engine/engine.h 2010-01-12 22:18:06.000000000 +0100 +@@ -342,6 +342,7 @@ void ENGINE_load_gost(void); + #endif + #endif + void ENGINE_load_cryptodev(void); ++void ENGINE_load_aesni(void); + void ENGINE_load_builtin_engines(void); + + /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation +diff -up openssl-1.0.0-beta4/crypto/engine/Makefile.aesni openssl-1.0.0-beta4/crypto/engine/Makefile +--- openssl-1.0.0-beta4/crypto/engine/Makefile.aesni 2008-06-04 13:01:29.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/engine/Makefile 2010-01-12 22:18:06.000000000 +0100 +@@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e + eng_table.c eng_pkey.c eng_fat.c eng_all.c \ + tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \ + tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c \ +- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c ++ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c \ ++ eng_aesni.c + LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \ + eng_table.o eng_pkey.o eng_fat.o eng_all.o \ + tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \ + tb_cipher.o tb_digest.o tb_pkmeth.o tb_asnmth.o \ +- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o ++ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o \ ++ eng_aesni.o + + SRC= $(LIBSRC) + +diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.aesni openssl-1.0.0-beta4/crypto/evp/evp_err.c +--- openssl-1.0.0-beta4/crypto/evp/evp_err.c.aesni 2010-01-07 23:38:31.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2010-01-12 22:18:06.000000000 +0100 +@@ -1,6 +1,6 @@ + /* crypto/evp/evp_err.c */ + /* ==================================================================== +- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -70,6 +70,7 @@ + + static ERR_STRING_DATA EVP_str_functs[]= + { ++{ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"}, + {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"}, + {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"}, + {ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"}, +@@ -85,7 +86,7 @@ static ERR_STRING_DATA EVP_str_functs[]= + {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, +-{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_SIZE"}, ++{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"}, + {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, + {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"}, + {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"}, +diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.aesni openssl-1.0.0-beta4/crypto/evp/evp.h +--- openssl-1.0.0-beta4/crypto/evp/evp.h.aesni 2010-01-07 23:38:31.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/evp/evp.h 2010-01-12 22:18:06.000000000 +0100 +@@ -1162,6 +1162,7 @@ void ERR_load_EVP_strings(void); + /* Error codes for the EVP functions. */ + + /* Function codes. */ ++#define EVP_F_AESNI_INIT_KEY 163 + #define EVP_F_AES_INIT_KEY 133 + #define EVP_F_CAMELLIA_INIT_KEY 159 + #define EVP_F_D2I_PKEY 100 +diff -up openssl-1.0.0-beta4/test/test_aesni.aesni openssl-1.0.0-beta4/test/test_aesni +--- openssl-1.0.0-beta4/test/test_aesni.aesni 2010-01-12 22:18:06.000000000 +0100 ++++ openssl-1.0.0-beta4/test/test_aesni 2010-01-12 22:18:06.000000000 +0100 +@@ -0,0 +1,69 @@ ++#!/bin/sh ++ ++PROG=$1 ++ ++if [ -x $PROG ]; then ++ if expr "x`$PROG version`" : "xOpenSSL" > /dev/null; then ++ : ++ else ++ echo "$PROG is not OpenSSL executable" ++ exit 1 ++ fi ++else ++ echo "$PROG is not executable" ++ exit 1; ++fi ++ ++if $PROG engine aesni | grep -v no-aesni; then ++ ++ HASH=`cat $PROG | $PROG dgst -hex` ++ ++ AES_ALGS=" aes-128-ecb aes-192-ecb aes-256-ecb \ ++ aes-128-cbc aes-192-cbc aes-256-cbc \ ++ aes-128-cfb aes-192-cfb aes-256-cfb \ ++ aes-128-ofb aes-192-ofb aes-256-ofb" ++ BUFSIZE="16 32 48 64 80 96 128 144 999" ++ ++ nerr=0 ++ ++ for alg in $AES_ALGS; do ++ echo $alg ++ for bufsize in $BUFSIZE; do ++ TEST=`( cat $PROG | \ ++ $PROG enc -e -k "$HASH" -$alg -bufsize $bufsize -engine aesni | \ ++ $PROG enc -d -k "$HASH" -$alg | \ ++ $PROG dgst -hex ) 2>/dev/null` ++ if [ "$TEST" != "$HASH" ]; then ++ echo "-$alg/$bufsize encrypt test failed" ++ nerr=`expr $nerr + 1` ++ fi ++ done ++ for bufsize in $BUFSIZE; do ++ TEST=`( cat $PROG | \ ++ $PROG enc -e -k "$HASH" -$alg | \ ++ $PROG enc -d -k "$HASH" -$alg -bufsize $bufsize -engine aesni | \ ++ $PROG dgst -hex ) 2>/dev/null` ++ if [ "$TEST" != "$HASH" ]; then ++ echo "-$alg/$bufsize decrypt test failed" ++ nerr=`expr $nerr + 1` ++ fi ++ done ++ TEST=`( cat $PROG | \ ++ $PROG enc -e -k "$HASH" -$alg -engine aesni | \ ++ $PROG enc -d -k "$HASH" -$alg -engine aesni | \ ++ $PROG dgst -hex ) 2>/dev/null` ++ if [ "$TEST" != "$HASH" ]; then ++ echo "-$alg en/decrypt test failed" ++ nerr=`expr $nerr + 1` ++ fi ++ done ++ ++ if [ $nerr -gt 0 ]; then ++ echo "AESNI engine test failed." ++ exit 1; ++ fi ++else ++ echo "AESNI engine is not available" ++fi ++ ++exit 0 diff --git a/openssl-1.0.0-beta4-backports.patch b/openssl-1.0.0-beta4-backports.patch deleted file mode 100644 index ad4c7e4..0000000 --- a/openssl-1.0.0-beta4-backports.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c ---- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100 -@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK - } - else ret= *a; - -- ret->save_type=type; -- ret->type=EVP_PKEY_type(type); -- switch (ret->type) -+ if (!EVP_PKEY_set_type(ret, type)) -+ { -+ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB); -+ goto err; -+ } -+ -+ switch (EVP_PKEY_id(ret)) - { - #ifndef OPENSSL_NO_RSA - case EVP_PKEY_RSA: -diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c ---- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100 -@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey, - #ifndef OPENSSL_NO_ENGINE - /* If we have an ENGINE release it */ - if (pkey->engine) -+ { - ENGINE_finish(pkey->engine); -+ pkey->engine = NULL; -+ } - #endif - } - if (str) -diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c ---- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100 -@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, - offset= -offset; - } - atm.type=ctm->type; -+ atm.flags = 0; - atm.length=sizeof(buff2); - atm.data=(unsigned char *)buff2; - diff --git a/openssl-1.0.0-beta4-binutils.patch b/openssl-1.0.0-beta4-binutils.patch deleted file mode 100644 index d39b2e6..0000000 --- a/openssl-1.0.0-beta4-binutils.patch +++ /dev/null @@ -1,56 +0,0 @@ -diff -up openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl ---- openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl 2009-11-12 17:26:08.000000000 +0100 -@@ -19,6 +19,7 @@ my $code; - sub round1_step - { - my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_; -+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal - $code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1); - $code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1); - $code .= <= (d+n-2)) - { -+#if 0 - /* Because the client does not see any renegotiation during an - attack, we must enforce this on all server hellos, even the - first */ -@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ - return 0; - } -+#endif - return 1; - } - -@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, - return 0; - } - -+#if 0 - if (!renegotiate_seen - && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ - return 0; - } -+#endif - - if (!s->hit && tlsext_servername == 1) - { diff --git a/openssl-1.0.0-beta4-dtls-ipv6.patch b/openssl-1.0.0-beta4-dtls-ipv6.patch deleted file mode 100644 index 1173f1a..0000000 --- a/openssl-1.0.0-beta4-dtls-ipv6.patch +++ /dev/null @@ -1,219 +0,0 @@ -diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c ---- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 2009-11-09 15:09:53.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2009-11-23 08:50:45.000000000 +0100 -@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr) - if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) - { - OPENSSL_assert(sa.len.s<=sizeof(sa.from)); -- sa.len.i = (unsigned int)sa.len.s; -+ sa.len.i = (int)sa.len.s; -+ /* use sa.len.i from this point */ - } - if (ret == INVALID_SOCKET) - { -diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c ---- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 2009-10-15 19:41:44.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2009-11-23 08:50:45.000000000 +0100 -@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp= - - typedef struct bio_dgram_data_st - { -+ union { -+ struct sockaddr sa; -+ struct sockaddr_in sa_in; - #if OPENSSL_USE_IPV6 -- struct sockaddr_storage peer; --#else -- struct sockaddr_in peer; -+ struct sockaddr_in6 sa_in6; - #endif -+ } peer; - unsigned int connected; - unsigned int _errno; - unsigned int mtu; -@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out, - int ret=0; - bio_dgram_data *data = (bio_dgram_data *)b->ptr; - -+ struct { -+ /* -+ * See commentary in b_sock.c. -+ */ -+ union { size_t s; int i; } len; -+ union { -+ struct sockaddr sa; -+ struct sockaddr_in sa_in; - #if OPENSSL_USE_IPV6 -- struct sockaddr_storage peer; --#else -- struct sockaddr_in peer; -+ struct sockaddr_in6 sa_in6; - #endif -- int peerlen = sizeof(peer); -+ } peer; -+ } sa; -+ -+ sa.len.s=0; -+ sa.len.i=sizeof(sa.peer); - - if (out != NULL) - { - clear_socket_error(); -- memset(&peer, 0x00, peerlen); -- /* Last arg in recvfrom is signed on some platforms and -- * unsigned on others. It is of type socklen_t on some -- * but this is not universal. Cast to (void *) to avoid -- * compiler warnings. -- */ -+ memset(&sa.peer, 0x00, sizeof(sa.peer)); - dgram_adjust_rcv_timeout(b); -- ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen); -+ ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len); -+ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) -+ { -+ OPENSSL_assert(sa.len.s<=sizeof(sa.peer)); -+ sa.len.i = (int)sa.len.s; -+ } - dgram_reset_rcv_timeout(b); - - if ( ! data->connected && ret >= 0) -- BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer); -+ BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer); - - BIO_clear_retry_flags(b); - if (ret < 0) -@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha - if ( data->connected ) - ret=writesocket(b->num,in,inl); - else --#if OPENSSL_USE_IPV6 -- if (data->peer.ss_family == AF_INET) - #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) -- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); -+ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer)); - #else -- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); --#endif -- else --#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) -- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6)); --#else -- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6)); --#endif --#else --#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) -- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); --#else -- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); --#endif -+ ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer)); - #endif - - BIO_clear_retry_flags(b); -@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd, - else - { - #endif -+ switch (to->sa_family) -+ { -+ case AF_INET: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); -+ break; - #if OPENSSL_USE_IPV6 -- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage)); --#else -- memcpy(&(data->peer),to, sizeof(struct sockaddr_in)); --#endif -+ case AF_INET6: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); -+ break; -+#endif -+ default: -+ memcpy(&data->peer,to,sizeof(data->peer.sa)); -+ break; -+ } - #if 0 - } - #endif -@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd, - if ( to != NULL) - { - data->connected = 1; -+ switch (to->sa_family) -+ { -+ case AF_INET: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); -+ break; - #if OPENSSL_USE_IPV6 -- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage)); --#else -- memcpy(&(data->peer),to, sizeof(struct sockaddr_in)); --#endif -+ case AF_INET6: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); -+ break; -+#endif -+ default: -+ memcpy(&data->peer,to,sizeof(data->peer.sa)); -+ break; -+ } - } - else - { - data->connected = 0; --#if OPENSSL_USE_IPV6 -- memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage)); --#else -- memset(&(data->peer), 0x00, sizeof(struct sockaddr_in)); --#endif -+ memset(&(data->peer), 0x00, sizeof(data->peer)); - } - break; - case BIO_CTRL_DGRAM_GET_PEER: - to = (struct sockaddr *) ptr; -- -+ switch (to->sa_family) -+ { -+ case AF_INET: -+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in))); -+ break; - #if OPENSSL_USE_IPV6 -- memcpy(to, &(data->peer), sizeof(struct sockaddr_storage)); -- ret = sizeof(struct sockaddr_storage); --#else -- memcpy(to, &(data->peer), sizeof(struct sockaddr_in)); -- ret = sizeof(struct sockaddr_in); --#endif -+ case AF_INET6: -+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6))); -+ break; -+#endif -+ default: -+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa))); -+ break; -+ } - break; - case BIO_CTRL_DGRAM_SET_PEER: - to = (struct sockaddr *) ptr; -- -+ switch (to->sa_family) -+ { -+ case AF_INET: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); -+ break; - #if OPENSSL_USE_IPV6 -- memcpy(&(data->peer), to, sizeof(struct sockaddr_storage)); --#else -- memcpy(&(data->peer), to, sizeof(struct sockaddr_in)); --#endif -+ case AF_INET6: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); -+ break; -+#endif -+ default: -+ memcpy(&data->peer,to,sizeof(data->peer.sa)); -+ break; -+ } - break; - case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT: - memcpy(&(data->next_timeout), ptr, sizeof(struct timeval)); diff --git a/openssl-1.0.0-beta4-reneg-err.patch b/openssl-1.0.0-beta4-reneg-err.patch deleted file mode 100644 index 271dbe7..0000000 --- a/openssl-1.0.0-beta4-reneg-err.patch +++ /dev/null @@ -1,93 +0,0 @@ -Better error reporting for unsafe renegotiation. -diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c ---- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100 -@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]= - {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, - {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, - {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"}, -+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"}, -+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, - {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"}, -@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"}, - {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"}, - {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"}, -+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"}, - {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, - {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"}, - {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"}, -diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h ---- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100 -@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void); - #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 - #define SSL_F_SSL_NEW 186 - #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300 -+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302 - #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301 -+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303 - #define SSL_F_SSL_PEEK 270 - #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281 - #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282 -@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 - #define SSL_R_UNKNOWN_SSL_VERSION 254 - #define SSL_R_UNKNOWN_STATE 255 -+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338 - #define SSL_R_UNSUPPORTED_CIPHER 256 - #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 - #define SSL_R_UNSUPPORTED_DIGEST_TYPE 326 -diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c ---- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100 -@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s) - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); - goto err; - #else -+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -+ goto err; -+ } - /* we are talking sslv2 */ - /* we need to clean up the SSLv3/TLSv1 setup and put in the - * sslv2 stuff. */ -diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c ---- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100 -@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, - { - /* We should always see one extension: the renegotiate extension */ - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - return 1; -@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, - if (s->new_session && !renegotiate_seen - && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { -+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ - return 0; - } -@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - { - /* We should always see one extension: the renegotiate extension */ - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - #endif -@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - #endif diff --git a/openssl-1.0.0-beta4-reneg.patch b/openssl-1.0.0-beta4-reneg.patch deleted file mode 100644 index 92e206d..0000000 --- a/openssl-1.0.0-beta4-reneg.patch +++ /dev/null @@ -1,237 +0,0 @@ -diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c ---- openssl-1.0.0-beta4/apps/s_cb.c.reneg 2009-10-15 20:48:47.000000000 +0200 -+++ openssl-1.0.0-beta4/apps/s_cb.c 2009-11-12 15:02:30.000000000 +0100 -@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c - extname = "server ticket"; - break; - -+ case TLSEXT_TYPE_renegotiate: -+ extname = "renegotiate"; -+ break; -+ - #ifdef TLSEXT_TYPE_opaque_prf_input - case TLSEXT_TYPE_opaque_prf_input: - extname = "opaque PRF input"; -diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c ---- openssl-1.0.0-beta4/apps/s_client.c.reneg 2009-11-12 14:57:48.000000000 +0100 -+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 15:01:48.000000000 +0100 -@@ -343,6 +343,7 @@ static void sc_usage(void) - BIO_printf(bio_err," -status - request certificate status from server\n"); - BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); - #endif -+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); - } - - #ifndef OPENSSL_NO_TLSEXT -@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv) - #endif - else if (strcmp(*argv,"-serverpref") == 0) - off|=SSL_OP_CIPHER_SERVER_PREFERENCE; -+ else if (strcmp(*argv,"-legacy_renegotiation") == 0) -+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; -diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c ---- openssl-1.0.0-beta4/apps/s_server.c.reneg 2009-11-12 14:57:48.000000000 +0100 -+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 15:01:48.000000000 +0100 -@@ -491,6 +491,7 @@ static void sv_usage(void) - BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); - BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); - BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); -+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); - #endif - } - -@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[]) - verify_return_error = 1; - else if (strcmp(*argv,"-serverpref") == 0) - { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } -+ else if (strcmp(*argv,"-legacy_renegotiation") == 0) -+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; -diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h ---- openssl-1.0.0-beta4/ssl/tls1.h.reneg 2009-11-12 14:57:47.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/tls1.h 2009-11-12 15:02:30.000000000 +0100 -@@ -201,6 +201,9 @@ extern "C" { - # define TLSEXT_TYPE_opaque_prf_input ?? */ - #endif - -+/* Temporary extension type */ -+#define TLSEXT_TYPE_renegotiate 0xff01 -+ - /* NameType value from RFC 3546 */ - #define TLSEXT_NAMETYPE_host_name 0 - /* status request value from RFC 3546 */ -diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c ---- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg 2009-11-08 15:36:32.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-12 15:02:30.000000000 +0100 -@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex - ret+=size_str; - } - -+ /* Add the renegotiation option: TODOEKR switch */ -+ { -+ int el; -+ -+ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) -+ { -+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); -+ return NULL; -+ } -+ -+ if((limit - p - 4 - el) < 0) return NULL; -+ -+ s2n(TLSEXT_TYPE_renegotiate,ret); -+ s2n(el,ret); -+ -+ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) -+ { -+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); -+ return NULL; -+ } -+ -+ ret += el; -+ } -+ - #ifndef OPENSSL_NO_EC - if (s->tlsext_ecpointformatlist != NULL) - { -@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex - s2n(TLSEXT_TYPE_server_name,ret); - s2n(0,ret); - } -+ -+ if(s->s3->send_connection_binding) -+ { -+ int el; -+ -+ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) -+ { -+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); -+ return NULL; -+ } -+ -+ if((limit - p - 4 - el) < 0) return NULL; -+ -+ s2n(TLSEXT_TYPE_renegotiate,ret); -+ s2n(el,ret); -+ -+ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) -+ { -+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); -+ return NULL; -+ } -+ -+ ret += el; -+ } -+ - #ifndef OPENSSL_NO_EC - if (s->tlsext_ecpointformatlist != NULL) - { -@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, - unsigned short size; - unsigned short len; - unsigned char *data = *p; -+ int renegotiate_seen = 0; -+ - s->servername_done = 0; - s->tlsext_status_type = -1; -+ s->s3->send_connection_binding = 0; - - if (data >= (d+n-2)) -+ { -+ if (s->new_session -+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ /* We should always see one extension: the renegotiate extension */ -+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ return 0; -+ } - return 1; -+ } - n2s(data,len); - - if (data > (d+n-len)) -@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, - return 0; - } - } -+ else if (type == TLSEXT_TYPE_renegotiate) -+ { -+ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) -+ return 0; -+ renegotiate_seen = 1; -+ } - else if (type == TLSEXT_TYPE_status_request - && s->ctx->tlsext_status_cb) - { -@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, - /* session ticket processed earlier */ - data+=size; - } -+ -+ if (s->new_session && !renegotiate_seen -+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ return 0; -+ } -+ - - *p = data; - return 1; -@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s, - unsigned short size; - unsigned short len; - unsigned char *data = *p; -- - int tlsext_servername = 0; -+ int renegotiate_seen = 0; - - if (data >= (d+n-2)) -+ { -+ /* Because the client does not see any renegotiation during an -+ attack, we must enforce this on all server hellos, even the -+ first */ -+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ /* We should always see one extension: the renegotiate extension */ -+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ return 0; -+ } - return 1; -+ } - - n2s(data,len); - -@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, - /* Set flag to expect CertificateStatus message */ - s->tlsext_status_expected = 1; - } -- -+ else if (type == TLSEXT_TYPE_renegotiate) -+ { -+ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) -+ return 0; -+ renegotiate_seen = 1; -+ } - data+=size; - } - -@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s, - return 0; - } - -+ if (!renegotiate_seen -+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ return 0; -+ } -+ - if (!s->hit && tlsext_servername == 1) - { - if (s->tlsext_hostname) diff --git a/openssl-1.0.0-beta4-version.patch b/openssl-1.0.0-beta4-version.patch deleted file mode 100644 index ab12be0..0000000 --- a/openssl-1.0.0-beta4-version.patch +++ /dev/null @@ -1,14 +0,0 @@ -We have to keep the beta status on 3 as some applications (OpenSSH) incorrectly insist -on having the same beta status of OpenSSL library as they were built against. -diff -up openssl-1.0.0-beta4/crypto/opensslv.h.version openssl-1.0.0-beta4/crypto/opensslv.h ---- openssl-1.0.0-beta4/crypto/opensslv.h.version 2009-11-12 15:17:28.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/opensslv.h 2009-11-13 12:39:08.000000000 +0100 -@@ -25,7 +25,7 @@ - * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for - * major minor fix final patch/beta) - */ --#define OPENSSL_VERSION_NUMBER 0x10000004L -+#define OPENSSL_VERSION_NUMBER 0x10000003L - #ifdef OPENSSL_FIPS - #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips-beta4 10 Nov 2009" - #else diff --git a/openssl-1.0.0-beta3-cipher-change.patch b/openssl-1.0.0-beta5-cipher-change.patch similarity index 61% rename from openssl-1.0.0-beta3-cipher-change.patch rename to openssl-1.0.0-beta5-cipher-change.patch index 8fe7ada..2e8343b 100644 --- a/openssl-1.0.0-beta3-cipher-change.patch +++ b/openssl-1.0.0-beta5-cipher-change.patch @@ -1,16 +1,16 @@ -diff -up openssl-1.0.0-beta3/ssl/ssl.h.cipher-change openssl-1.0.0-beta3/ssl/ssl.h ---- openssl-1.0.0-beta3/ssl/ssl.h.cipher-change 2009-08-05 18:22:45.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-05 18:27:32.000000000 +0200 -@@ -511,7 +511,7 @@ typedef struct ssl_session_st - - #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L +diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h +--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100 ++++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100 +@@ -513,7 +513,7 @@ typedef struct ssl_session_st #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L + /* Allow initial connection to servers that don't support RI */ + #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L -#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L +#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ -@@ -528,7 +528,7 @@ typedef struct ssl_session_st +@@ -530,7 +530,7 @@ typedef struct ssl_session_st /* SSL_OP_ALL: various bug workarounds that should be rather harmless. * This used to be 0x000FFFFFL before 0.9.7. */ diff --git a/openssl-1.0.0-beta4-enginesdir.patch b/openssl-1.0.0-beta5-enginesdir.patch similarity index 63% rename from openssl-1.0.0-beta4-enginesdir.patch rename to openssl-1.0.0-beta5-enginesdir.patch index 0a304ce..d942d6e 100644 --- a/openssl-1.0.0-beta4-enginesdir.patch +++ b/openssl-1.0.0-beta5-enginesdir.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure ---- openssl-1.0.0-beta4/Configure.enginesdir 2009-11-12 12:17:59.000000000 +0100 -+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:19:45.000000000 +0100 +diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure +--- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100 ++++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100 @@ -622,6 +622,7 @@ my $idx_multilib = $idx++; my $prefix=""; my $libdir=""; @@ -20,7 +20,7 @@ diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure elsif (/^--install.prefix=(.*)$/) { $install_prefix=$1; -@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/; +@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/; $openssldir=$prefix . "/ssl" if $openssldir eq ""; $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; @@ -29,18 +29,18 @@ diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure print "IsMK1MF=$IsMK1MF\n"; -@@ -1676,7 +1681,7 @@ while () - # $foo is to become "$prefix/lib$multilib/engines"; - # as Makefile.org and engines/Makefile are adapted for - # $multilib suffix. -- my $foo = "$prefix/lib/engines"; +@@ -1673,7 +1678,7 @@ while () + } + elsif (/^#define\s+ENGINESDIR/) + { +- my $foo = "$prefix/$libdir/engines"; + my $foo = "$enginesdir"; $foo =~ s/\\/\\\\/g; print OUT "#define ENGINESDIR \"$foo\"\n"; } -diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile ---- openssl-1.0.0-beta4/engines/Makefile.enginesdir 2009-11-10 02:52:52.000000000 +0100 -+++ openssl-1.0.0-beta4/engines/Makefile 2009-11-12 12:23:06.000000000 +0100 +diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile +--- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100 ++++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100 @@ -124,7 +124,7 @@ install: sfx=".so"; \ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \ diff --git a/openssl-1.0.0-beta3-ipv6-apps.patch b/openssl-1.0.0-beta5-ipv6-apps.patch similarity index 86% rename from openssl-1.0.0-beta3-ipv6-apps.patch rename to openssl-1.0.0-beta5-ipv6-apps.patch index 690bc98..4304c01 100644 --- a/openssl-1.0.0-beta3-ipv6-apps.patch +++ b/openssl-1.0.0-beta5-ipv6-apps.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_apps.h ---- openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps 2009-08-05 21:29:58.000000000 +0200 -+++ openssl-1.0.0-beta3/apps/s_apps.h 2009-08-05 21:29:58.000000000 +0200 +diff -up openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta5/apps/s_apps.h +--- openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps 2010-02-03 09:43:49.000000000 +0100 ++++ openssl-1.0.0-beta5/apps/s_apps.h 2010-02-03 09:43:49.000000000 +0100 @@ -148,7 +148,7 @@ typedef fd_mask fd_set; #define PORT_STR "4433" #define PROTOCOL "tcp" @@ -23,10 +23,10 @@ diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); -diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/s_client.c ---- openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200 -+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 22:33:44.000000000 +0200 -@@ -388,7 +388,7 @@ int MAIN(int argc, char **argv) +diff -up openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps openssl-1.0.0-beta5/apps/s_client.c +--- openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100 ++++ openssl-1.0.0-beta5/apps/s_client.c 2010-02-03 09:43:49.000000000 +0100 +@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv) int cbuf_len,cbuf_off; int sbuf_len,sbuf_off; fd_set readfds,writefds; @@ -35,7 +35,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/ int full_log=1; char *host=SSL_HOST_NAME; char *cert_file=NULL,*key_file=NULL; -@@ -486,13 +486,12 @@ int MAIN(int argc, char **argv) +@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-port") == 0) { if (--argc < 1) goto bad; @@ -51,7 +51,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/ goto bad; } else if (strcmp(*argv,"-verify") == 0) -@@ -956,7 +955,7 @@ bad: +@@ -967,7 +966,7 @@ bad: re_start: @@ -60,10 +60,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/ { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); -diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/s_server.c ---- openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200 -+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 21:29:58.000000000 +0200 -@@ -837,7 +837,7 @@ int MAIN(int argc, char *argv[]) +diff -up openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps openssl-1.0.0-beta5/apps/s_server.c +--- openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100 ++++ openssl-1.0.0-beta5/apps/s_server.c 2010-02-03 09:43:49.000000000 +0100 +@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[]) { X509_VERIFY_PARAM *vpm = NULL; int badarg = 0; @@ -72,7 +72,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/ char *CApath=NULL,*CAfile=NULL; unsigned char *context = NULL; char *dhfile = NULL; -@@ -907,8 +907,7 @@ int MAIN(int argc, char *argv[]) +@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[]) (strcmp(*argv,"-accept") == 0)) { if (--argc < 1) goto bad; @@ -82,7 +82,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/ } else if (strcmp(*argv,"-verify") == 0) { -@@ -1685,9 +1684,9 @@ bad: +@@ -1700,9 +1699,9 @@ bad: BIO_printf(bio_s_out,"ACCEPT\n"); (void)BIO_flush(bio_s_out); if (www) @@ -94,10 +94,10 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/ print_stats(bio_s_out,ctx); ret=0; end: -diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/s_socket.c ---- openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps 2008-11-12 04:57:47.000000000 +0100 -+++ openssl-1.0.0-beta3/apps/s_socket.c 2009-08-05 21:29:58.000000000 +0200 -@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha +diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/s_socket.c +--- openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps 2009-08-26 13:21:50.000000000 +0200 ++++ openssl-1.0.0-beta5/apps/s_socket.c 2010-02-03 10:00:30.000000000 +0100 +@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha static void ssl_sock_cleanup(void); #endif static int ssl_sock_init(void); @@ -108,7 +108,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/ static int do_accept(int acc_sock, int *sock, char **host); static int host_ip(char *str, unsigned char ip[4]); -@@ -228,58 +226,70 @@ static int ssl_sock_init(void) +@@ -234,58 +232,70 @@ static int ssl_sock_init(void) return(1); } @@ -217,7 +217,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/ { int sock; char *name = NULL; -@@ -317,33 +327,38 @@ int do_server(int port, int type, int *r +@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r } } @@ -277,7 +277,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/ #if defined SOL_SOCKET && defined SO_REUSEADDR { int j = 1; -@@ -351,36 +366,39 @@ static int init_server_long(int *sock, i +@@ -357,36 +372,39 @@ static int init_server_long(int *sock, i (void *) &j, sizeof j); } #endif @@ -337,11 +337,10 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/ int len; /* struct linger ling; */ -@@ -425,137 +443,62 @@ redoit: - if (i < 0) { perror("keepalive"); return(0); } +@@ -432,136 +450,58 @@ redoit: */ -- if (host == NULL) goto end; + if (host == NULL) goto end; -#ifndef BIT_FIELD_LIMITS - /* I should use WSAAsyncGetHostByName() under windows */ - h1=gethostbyaddr((char *)&from.sin_addr.s_addr, @@ -351,50 +350,44 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/ - sizeof(struct in_addr),AF_INET); -#endif - if (h1 == NULL) -+ if (host == NULL) - { -- BIO_printf(bio_err,"bad gethostbyaddr\n"); -- *host=NULL; -- /* return(0); */ -- } -- else -- { -- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) -- { -- perror("OPENSSL_malloc"); -+ *sock=ret; - return(0); - } -- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); - -- h2=GetHostByName(*host); -- if (h2 == NULL) ++ + if (getnameinfo((struct sockaddr *)&from, sizeof(from), + buffer, sizeof(buffer), + NULL, 0, 0)) - { -- BIO_printf(bio_err,"gethostbyname failure\n"); + { +- BIO_printf(bio_err,"bad gethostbyaddr\n"); + BIO_printf(bio_err,"getnameinfo failed\n"); -+ *host=NULL; + *host=NULL; + /* return(0); */ + } + else + { +- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) ++ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) + { + perror("OPENSSL_malloc"); return(0); } +- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); +- +- h2=GetHostByName(*host); +- if (h2 == NULL) +- { +- BIO_printf(bio_err,"gethostbyname failure\n"); +- return(0); +- } - i=0; - if (h2->h_addrtype != AF_INET) -+ else - { +- { - BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); -+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) -+ { -+ perror("OPENSSL_malloc"); - return(0); - } -- } --end: +- return(0); +- } + strcpy(*host, buffer); + } + end: *sock=ret; return(1); } -+ } -int extract_host_port(char *str, char **host_ptr, unsigned char *ip, - short *port_ptr) diff --git a/openssl-0.9.8j-readme-warning.patch b/openssl-1.0.0-beta5-readme-warning.patch similarity index 55% rename from openssl-0.9.8j-readme-warning.patch rename to openssl-1.0.0-beta5-readme-warning.patch index 411e6bd..0d89720 100644 --- a/openssl-0.9.8j-readme-warning.patch +++ b/openssl-1.0.0-beta5-readme-warning.patch @@ -1,7 +1,7 @@ -diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README ---- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100 -+++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100 -@@ -5,6 +5,31 @@ +diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README +--- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100 ++++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100 +@@ -5,6 +5,35 @@ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. @@ -15,9 +15,15 @@ diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README + + This version also contains a few differences from the upstream code + some of which are: -+ * The FIPS integrity verification check is implemented differently -+ from the upstream FIPS validated OpenSSL module. It verifies -+ HMAC-SHA256 checksum of the whole libcrypto shared library. ++ * There are added changes forward ported from the upstream OpenSSL ++ 0.9.8 FIPS branch however the FIPS integrity verification check ++ is implemented differently from the upstream FIPS validated OpenSSL ++ module. It verifies HMAC-SHA256 checksum of the whole shared ++ libraries. For this reason the changes are ported to files in the ++ crypto directory and not in a separate fips subdirectory. Also ++ note that the FIPS integrity verification check requires unmodified ++ libcrypto and libssl shared library files which means that it will ++ fail if these files are modified for example by prelink. + * The module respects the kernel FIPS flag /proc/sys/crypto/fips and + tries to initialize the FIPS mode if it is set to 1 aborting if the + FIPS mode could not be initialized. It is also possible to force the @@ -27,8 +33,6 @@ diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README + will not automatically load the built in compression method ZLIB + when initialized. Applications can still explicitely ask for ZLIB + compression method. -+ * There is added a support for EAP-FAST through TLS extension. This code -+ is backported from OpenSSL upstream development branch. + DESCRIPTION ----------- diff --git a/openssl-1.0.0-name-hash.patch b/openssl-1.0.0-name-hash.patch new file mode 100644 index 0000000..9098c0a --- /dev/null +++ b/openssl-1.0.0-name-hash.patch @@ -0,0 +1,22 @@ +diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c +--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash 2010-01-12 18:27:10.000000000 +0100 ++++ openssl-1.0.0/crypto/x509/x509_cmp.c 2010-04-06 16:44:52.000000000 +0200 +@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA + { + unsigned long ret=0; + unsigned char md[16]; ++ EVP_MD_CTX ctx; + + /* Make sure X509_NAME structure contains valid cached encoding */ + i2d_X509_NAME(x,NULL); +- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL); ++ ++ EVP_MD_CTX_init(&ctx); ++ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); ++ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL) ++ && EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length) ++ && EVP_DigestFinal_ex(&ctx, md, NULL); ++ EVP_MD_CTX_cleanup(&ctx); + + ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| + ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) diff --git a/openssl-1.0.0-timezone.patch b/openssl-1.0.0-timezone.patch new file mode 100644 index 0000000..b1d6682 --- /dev/null +++ b/openssl-1.0.0-timezone.patch @@ -0,0 +1,21 @@ +diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org +--- openssl-1.0.0/Makefile.org.timezone 2010-03-30 11:08:40.000000000 +0200 ++++ openssl-1.0.0/Makefile.org 2010-04-06 12:49:21.000000000 +0200 +@@ -609,7 +609,7 @@ install_docs: + sec=`$(PERL) util/extract-section.pl 1 < $$i`; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ + (cd `$(PERL) util/dirname.pl $$i`; \ +- sh -c "$$pod2man \ ++ sh -c "TZ=UTC $$pod2man \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ +@@ -626,7 +626,7 @@ install_docs: + sec=`$(PERL) util/extract-section.pl 3 < $$i`; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ + (cd `$(PERL) util/dirname.pl $$i`; \ +- sh -c "$$pod2man \ ++ sh -c "TZ=UTC $$pod2man \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ diff --git a/openssl-1.0.0-beta4-fips.patch b/openssl-1.0.0a-fips.patch similarity index 90% rename from openssl-1.0.0-beta4-fips.patch rename to openssl-1.0.0a-fips.patch index 41b3d1f..421e507 100644 --- a/openssl-1.0.0-beta4-fips.patch +++ b/openssl-1.0.0a-fips.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0-beta4/Configure.fips openssl-1.0.0-beta4/Configure ---- openssl-1.0.0-beta4/Configure.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/Configure 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/Configure.fips openssl-1.0.0a/Configure +--- openssl-1.0.0a/Configure.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/Configure 2010-06-04 12:25:15.000000000 +0200 @@ -660,6 +660,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml my $processor=""; my $default_ranlib; @@ -43,9 +43,9 @@ diff -up openssl-1.0.0-beta4/Configure.fips openssl-1.0.0-beta4/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta4/crypto/bf/bf_skey.c ---- openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bf/bf_skey.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/bf/bf_skey.c.fips openssl-1.0.0a/crypto/bf/bf_skey.c +--- openssl-1.0.0a/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 ++++ openssl-1.0.0a/crypto/bf/bf_skey.c 2010-06-04 12:25:15.000000000 +0200 @@ -59,10 +59,15 @@ #include #include @@ -63,9 +63,9 @@ diff -up openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta4/crypto { int i; BF_LONG *p,ri,in[2]; -diff -up openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips openssl-1.0.0-beta4/crypto/bf/blowfish.h ---- openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bf/blowfish.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/bf/blowfish.h.fips openssl-1.0.0a/crypto/bf/blowfish.h +--- openssl-1.0.0a/crypto/bf/blowfish.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/bf/blowfish.h 2010-06-04 12:25:15.000000000 +0200 @@ -104,7 +104,9 @@ typedef struct bf_key_st BF_LONG S[4*256]; } BF_KEY; @@ -77,9 +77,9 @@ diff -up openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips openssl-1.0.0-beta4/crypt void BF_set_key(BF_KEY *key, int len, const unsigned char *data); void BF_encrypt(BF_LONG *data,const BF_KEY *key); -diff -up openssl-1.0.0-beta4/crypto/bn/bn.h.fips openssl-1.0.0-beta4/crypto/bn/bn.h ---- openssl-1.0.0-beta4/crypto/bn/bn.h.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/bn.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/bn/bn.h.fips openssl-1.0.0a/crypto/bn/bn.h +--- openssl-1.0.0a/crypto/bn/bn.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/bn/bn.h 2010-06-04 12:25:15.000000000 +0200 @@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); @@ -98,9 +98,9 @@ diff -up openssl-1.0.0-beta4/crypto/bn/bn.h.fips openssl-1.0.0-beta4/crypto/bn/b BN_MONT_CTX *BN_MONT_CTX_new(void ); void BN_MONT_CTX_init(BN_MONT_CTX *ctx); int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b, -diff -up /dev/null openssl-1.0.0-beta4/crypto/bn/bn_x931p.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/bn_x931p.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/bn/bn_x931p.c.fips openssl-1.0.0a/crypto/bn/bn_x931p.c +--- openssl-1.0.0a/crypto/bn/bn_x931p.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/bn/bn_x931p.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,272 @@ +/* bn_x931p.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -374,9 +374,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/bn/bn_x931p.c + + } + -diff -up openssl-1.0.0-beta4/crypto/bn/Makefile.fips openssl-1.0.0-beta4/crypto/bn/Makefile ---- openssl-1.0.0-beta4/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/bn/Makefile.fips openssl-1.0.0a/crypto/bn/Makefile +--- openssl-1.0.0a/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 ++++ openssl-1.0.0a/crypto/bn/Makefile 2010-06-04 12:25:15.000000000 +0200 @@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_li bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ @@ -393,9 +393,9 @@ diff -up openssl-1.0.0-beta4/crypto/bn/Makefile.fips openssl-1.0.0-beta4/crypto/ SRC= $(LIBSRC) -diff -up openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl ---- openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0a/crypto/camellia/asm/cmll-x86.pl +--- openssl-1.0.0a/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 ++++ openssl-1.0.0a/crypto/camellia/asm/cmll-x86.pl 2010-06-04 12:25:15.000000000 +0200 @@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0; } &function_end("Camellia_Ekeygen"); @@ -422,9 +422,9 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0- } @SBOX=( -diff -up openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips openssl-1.0.0-beta4/crypto/camellia/camellia.h ---- openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/camellia.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/camellia/camellia.h.fips openssl-1.0.0a/crypto/camellia/camellia.h +--- openssl-1.0.0a/crypto/camellia/camellia.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/camellia/camellia.h 2010-06-04 12:25:15.000000000 +0200 @@ -88,6 +88,11 @@ struct camellia_key_st }; typedef struct camellia_key_st CAMELLIA_KEY; @@ -437,9 +437,9 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips openssl-1.0.0-beta4 int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key); -diff -up /dev/null openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0a/crypto/camellia/cmll_fblk.c +--- openssl-1.0.0a/crypto/camellia/cmll_fblk.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/camellia/cmll_fblk.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,68 @@ +/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* ==================================================================== @@ -509,9 +509,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c + return private_Camellia_set_key(userKey, bits, key); + } +#endif -diff -up openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c ---- openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/camellia/cmll_misc.c.fips openssl-1.0.0a/crypto/camellia/cmll_misc.c +--- openssl-1.0.0a/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 ++++ openssl-1.0.0a/crypto/camellia/cmll_misc.c 2010-06-04 12:25:15.000000000 +0200 @@ -52,11 +52,20 @@ #include #include @@ -533,9 +533,9 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta { if(!userKey || !key) return -1; -diff -up openssl-1.0.0-beta4/crypto/camellia/Makefile.fips openssl-1.0.0-beta4/crypto/camellia/Makefile ---- openssl-1.0.0-beta4/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/camellia/Makefile.fips openssl-1.0.0a/crypto/camellia/Makefile +--- openssl-1.0.0a/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 ++++ openssl-1.0.0a/crypto/camellia/Makefile 2010-06-04 12:25:15.000000000 +0200 @@ -23,9 +23,9 @@ APPS= LIB=$(TOP)/libcrypto.a @@ -548,9 +548,9 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/Makefile.fips openssl-1.0.0-beta4/c SRC= $(LIBSRC) -diff -up openssl-1.0.0-beta4/crypto/cast/cast.h.fips openssl-1.0.0-beta4/crypto/cast/cast.h ---- openssl-1.0.0-beta4/crypto/cast/cast.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/cast/cast.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/cast/cast.h.fips openssl-1.0.0a/crypto/cast/cast.h +--- openssl-1.0.0a/crypto/cast/cast.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/cast/cast.h 2010-06-04 12:25:15.000000000 +0200 @@ -83,7 +83,9 @@ typedef struct cast_key_st int short_key; /* Use reduced rounds for short key */ } CAST_KEY; @@ -560,11 +560,11 @@ diff -up openssl-1.0.0-beta4/crypto/cast/cast.h.fips openssl-1.0.0-beta4/crypto/ +void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); +#endif void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); - void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key, + void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key, int enc); -diff -up openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips openssl-1.0.0-beta4/crypto/cast/c_skey.c ---- openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/cast/c_skey.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/cast/c_skey.c.fips openssl-1.0.0a/crypto/cast/c_skey.c +--- openssl-1.0.0a/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 ++++ openssl-1.0.0a/crypto/cast/c_skey.c 2010-06-04 12:25:15.000000000 +0200 @@ -57,6 +57,11 @@ */ @@ -586,13 +586,14 @@ diff -up openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips openssl-1.0.0-beta4/crypt { CAST_LONG x[16]; CAST_LONG z[16]; -diff -up openssl-1.0.0-beta4/crypto/crypto.h.fips openssl-1.0.0-beta4/crypto/crypto.h ---- openssl-1.0.0-beta4/crypto/crypto.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/crypto.h 2009-11-23 08:32:31.000000000 +0100 -@@ -546,12 +546,69 @@ void OpenSSLDie(const char *file,int lin - unsigned long *OPENSSL_ia32cap_loc(void); +diff -up openssl-1.0.0a/crypto/crypto.h.fips openssl-1.0.0a/crypto/crypto.h +--- openssl-1.0.0a/crypto/crypto.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/crypto.h 2010-06-04 12:25:15.000000000 +0200 +@@ -547,12 +547,70 @@ unsigned long *OPENSSL_ia32cap_loc(void) #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) + int OPENSSL_isservice(void); ++ +#ifdef OPENSSL_FIPS +#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ + alg " previous FIPS forbidden algorithm error ignored"); @@ -659,9 +660,9 @@ diff -up openssl-1.0.0-beta4/crypto/crypto.h.fips openssl-1.0.0-beta4/crypto/cry /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips openssl-1.0.0-beta4/crypto/dh/dh_err.c ---- openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dh/dh_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/dh/dh_err.c.fips openssl-1.0.0a/crypto/dh/dh_err.c +--- openssl-1.0.0a/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 ++++ openssl-1.0.0a/crypto/dh/dh_err.c 2010-06-04 12:25:15.000000000 +0200 @@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]= {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"}, {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, @@ -679,9 +680,9 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips openssl-1.0.0-beta4/crypto/ {ERR_REASON(DH_R_KEYS_NOT_SET) ,"keys not set"}, {ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"}, -diff -up openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta4/crypto/dh/dh_gen.c ---- openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dh/dh_gen.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/dh/dh_gen.c.fips openssl-1.0.0a/crypto/dh/dh_gen.c +--- openssl-1.0.0a/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/dh/dh_gen.c 2010-06-04 12:25:15.000000000 +0200 @@ -65,6 +65,10 @@ #include "cryptlib.h" #include @@ -714,9 +715,9 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta4/crypto/ ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); -diff -up openssl-1.0.0-beta4/crypto/dh/dh.h.fips openssl-1.0.0-beta4/crypto/dh/dh.h ---- openssl-1.0.0-beta4/crypto/dh/dh.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dh/dh.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/dh/dh.h.fips openssl-1.0.0a/crypto/dh/dh.h +--- openssl-1.0.0a/crypto/dh/dh.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/dh/dh.h 2010-06-04 12:25:15.000000000 +0200 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 #endif @@ -743,9 +744,9 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh.h.fips openssl-1.0.0-beta4/crypto/dh/d #ifdef __cplusplus } -diff -up openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips openssl-1.0.0-beta4/crypto/dh/dh_key.c ---- openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dh/dh_key.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/dh/dh_key.c.fips openssl-1.0.0a/crypto/dh/dh_key.c +--- openssl-1.0.0a/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 ++++ openssl-1.0.0a/crypto/dh/dh_key.c 2010-06-04 12:25:15.000000000 +0200 @@ -61,6 +61,9 @@ #include #include @@ -795,9 +796,9 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips openssl-1.0.0-beta4/crypto/ dh->flags |= DH_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c ---- openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/dsa/dsa_gen.c.fips openssl-1.0.0a/crypto/dsa/dsa_gen.c +--- openssl-1.0.0a/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 ++++ openssl-1.0.0a/crypto/dsa/dsa_gen.c 2010-06-04 12:25:15.000000000 +0200 @@ -77,8 +77,12 @@ #include "cryptlib.h" #include @@ -833,9 +834,9 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta4/crypt if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && qsize != SHA256_DIGEST_LENGTH) /* invalid q size */ -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips openssl-1.0.0-beta4/crypto/dsa/dsa.h ---- openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/dsa/dsa.h.fips openssl-1.0.0a/crypto/dsa/dsa.h +--- openssl-1.0.0a/crypto/dsa/dsa.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/dsa/dsa.h 2010-06-04 12:25:15.000000000 +0200 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif @@ -892,9 +893,9 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips openssl-1.0.0-beta4/crypto/ds #define DSA_R_PARAMETER_ENCODING_ERROR 105 #ifdef __cplusplus -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c ---- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/dsa/dsa_key.c.fips openssl-1.0.0a/crypto/dsa/dsa_key.c +--- openssl-1.0.0a/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 ++++ openssl-1.0.0a/crypto/dsa/dsa_key.c 2010-06-04 12:25:15.000000000 +0200 @@ -63,9 +63,55 @@ #include #include @@ -982,9 +983,9 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypt ok=1; err: -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c ---- openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0a/crypto/dsa/dsa_ossl.c +--- openssl-1.0.0a/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 ++++ openssl-1.0.0a/crypto/dsa/dsa_ossl.c 2010-06-04 12:25:15.000000000 +0200 @@ -65,6 +65,9 @@ #include #include @@ -1056,9 +1057,9 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta4/cryp dsa->flags|=DSA_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.0-beta4/crypto/err/err_all.c.fips openssl-1.0.0-beta4/crypto/err/err_all.c ---- openssl-1.0.0-beta4/crypto/err/err_all.c.fips 2009-08-09 16:58:05.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/err/err_all.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/err/err_all.c.fips openssl-1.0.0a/crypto/err/err_all.c +--- openssl-1.0.0a/crypto/err/err_all.c.fips 2009-08-09 16:58:05.000000000 +0200 ++++ openssl-1.0.0a/crypto/err/err_all.c 2010-06-04 12:25:15.000000000 +0200 @@ -96,6 +96,9 @@ #include #include @@ -1079,9 +1080,9 @@ diff -up openssl-1.0.0-beta4/crypto/err/err_all.c.fips openssl-1.0.0-beta4/crypt #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif -diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto/evp/digest.c ---- openssl-1.0.0-beta4/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/digest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/digest.c.fips openssl-1.0.0a/crypto/evp/digest.c +--- openssl-1.0.0a/crypto/evp/digest.c.fips 2010-03-05 14:33:43.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/digest.c 2010-06-04 12:25:15.000000000 +0200 @@ -116,6 +116,7 @@ #ifndef OPENSSL_NO_ENGINE #include @@ -1090,7 +1091,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto void EVP_MD_CTX_init(EVP_MD_CTX *ctx) { -@@ -137,9 +138,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons +@@ -138,9 +139,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } @@ -1141,7 +1142,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto #ifndef OPENSSL_NO_ENGINE /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts * so this context may already have an ENGINE! Try to avoid releasing -@@ -195,6 +237,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c +@@ -197,6 +239,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c #endif if (ctx->digest != type) { @@ -1160,7 +1161,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto if (ctx->digest && ctx->digest->ctx_size) OPENSSL_free(ctx->md_data); ctx->digest=type; -@@ -222,6 +276,9 @@ skip_to_init: +@@ -230,6 +284,9 @@ skip_to_init: int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { @@ -1170,7 +1171,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto return ctx->update(ctx,data,count); } -@@ -238,6 +295,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns +@@ -246,6 +303,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { int ret; @@ -1180,9 +1181,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); -diff -up openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips openssl-1.0.0-beta4/crypto/evp/e_aes.c ---- openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_aes.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/e_aes.c.fips openssl-1.0.0a/crypto/evp/e_aes.c +--- openssl-1.0.0a/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/e_aes.c 2010-06-04 12:25:15.000000000 +0200 @@ -69,32 +69,29 @@ typedef struct IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, @@ -1235,9 +1236,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips openssl-1.0.0-beta4/crypto/ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -diff -up openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta4/crypto/evp/e_camellia.c ---- openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/e_camellia.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/e_camellia.c.fips openssl-1.0.0a/crypto/evp/e_camellia.c +--- openssl-1.0.0a/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/e_camellia.c 2010-06-04 12:25:15.000000000 +0200 @@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks, EVP_CIPHER_get_asn1_iv, NULL) @@ -1247,9 +1248,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta4/cr IMPLEMENT_CAMELLIA_CFBR(128,1) IMPLEMENT_CAMELLIA_CFBR(192,1) -diff -up openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips openssl-1.0.0-beta4/crypto/evp/e_des3.c ---- openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_des3.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/e_des3.c.fips openssl-1.0.0a/crypto/evp/e_des3.c +--- openssl-1.0.0a/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/e_des3.c 2010-06-04 12:25:15.000000000 +0200 @@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH } @@ -1294,9 +1295,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips openssl-1.0.0-beta4/crypto des3_ctrl) static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, -diff -up openssl-1.0.0-beta4/crypto/evp/e_null.c.fips openssl-1.0.0-beta4/crypto/evp/e_null.c ---- openssl-1.0.0-beta4/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_null.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/e_null.c.fips openssl-1.0.0a/crypto/evp/e_null.c +--- openssl-1.0.0a/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/e_null.c 2010-06-04 12:25:15.000000000 +0200 @@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher= { NID_undef, @@ -1306,9 +1307,20 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_null.c.fips openssl-1.0.0-beta4/crypto null_init_key, null_cipher, NULL, -diff -up openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta4/crypto/evp/evp_enc.c ---- openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_enc.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/e_rc4.c.fips openssl-1.0.0a/crypto/evp/e_rc4.c +--- openssl-1.0.0a/crypto/evp/e_rc4.c.fips 2008-10-31 20:48:24.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/e_rc4.c 2010-06-04 12:25:15.000000000 +0200 +@@ -64,6 +64,7 @@ + #include + #include + #include ++#include "evp_locl.h" + + /* FIXME: surely this is available elsewhere? */ + #define EVP_RC4_KEY_SIZE 16 +diff -up openssl-1.0.0a/crypto/evp/evp_enc.c.fips openssl-1.0.0a/crypto/evp/evp_enc.c +--- openssl-1.0.0a/crypto/evp/evp_enc.c.fips 2010-03-01 02:52:47.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/evp_enc.c 2010-06-04 12:25:15.000000000 +0200 @@ -68,8 +68,53 @@ const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; @@ -1401,10 +1413,10 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta4/crypt if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if(!ctx->cipher->init(ctx,key,iv,enc)) return 0; } -diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips openssl-1.0.0-beta4/crypto/evp/evp_err.c ---- openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2009-11-23 08:32:31.000000000 +0100 -@@ -154,6 +154,7 @@ static ERR_STRING_DATA EVP_str_reasons[] +diff -up openssl-1.0.0a/crypto/evp/evp_err.c.fips openssl-1.0.0a/crypto/evp/evp_err.c +--- openssl-1.0.0a/crypto/evp/evp_err.c.fips 2010-02-07 14:41:23.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/evp_err.c 2010-06-04 12:25:15.000000000 +0200 +@@ -155,6 +155,7 @@ static ERR_STRING_DATA EVP_str_reasons[] {ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"}, {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"}, {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"}, @@ -1412,9 +1424,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips openssl-1.0.0-beta4/crypt {ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, -diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/evp/evp.h ---- openssl-1.0.0-beta4/crypto/evp/evp.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/evp.h.fips openssl-1.0.0a/crypto/evp/evp.h +--- openssl-1.0.0a/crypto/evp/evp.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/evp.h 2010-06-04 12:25:15.000000000 +0200 @@ -75,6 +75,10 @@ #include #endif @@ -1457,33 +1469,26 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/ev #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */ -@@ -330,6 +336,14 @@ struct evp_cipher_st +@@ -330,12 +336,16 @@ struct evp_cipher_st #define EVP_CIPH_NO_PADDING 0x100 /* cipher handles random key generation */ #define EVP_CIPH_RAND_KEY 0x200 +-/* cipher has its own additional copying logic */ +-#define EVP_CIPH_CUSTOM_COPY 0x400 +/* Note if suitable for use in FIPS mode */ +#define EVP_CIPH_FLAG_FIPS 0x400 +/* Allow non FIPS cipher in FIPS mode */ +#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800 -+/* Allow use default ASN1 get/set iv */ -+#define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000 -+/* Buffer length in bits not bytes: CFB1 mode only */ -+#define EVP_CIPH_FLAG_LENGTH_BITS 0x2000 + /* Allow use default ASN1 get/set iv */ + #define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000 + /* Buffer length in bits not bytes: CFB1 mode only */ + #define EVP_CIPH_FLAG_LENGTH_BITS 0x2000 ++/* cipher has its own additional copying logic */ ++#define EVP_CIPH_CUSTOM_COPY 0x4000 /* ctrl() values */ -@@ -507,6 +521,10 @@ int EVP_BytesToKey(const EVP_CIPHER *typ - const unsigned char *salt, const unsigned char *data, - int datal, int count, unsigned char *key,unsigned char *iv); - -+void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); -+void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); -+int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx,int flags); -+ - int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, - const unsigned char *key, const unsigned char *iv); - int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl, -@@ -1225,6 +1243,7 @@ void ERR_load_EVP_strings(void); +@@ -1239,6 +1249,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_DECODE_ERROR 114 #define EVP_R_DIFFERENT_KEY_TYPES 101 #define EVP_R_DIFFERENT_PARAMETERS 153 @@ -1491,9 +1496,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/ev #define EVP_R_ENCODE_ERROR 115 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 -diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypto/evp/evp_lib.c ---- openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/evp_lib.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/evp_lib.c.fips openssl-1.0.0a/crypto/evp/evp_lib.c +--- openssl-1.0.0a/crypto/evp/evp_lib.c.fips 2010-01-26 15:33:51.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/evp_lib.c 2010-06-04 12:25:15.000000000 +0200 @@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_ if (c->cipher->set_asn1_parameters != NULL) @@ -1512,7 +1517,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypt else ret=-1; return(ret); -@@ -180,6 +184,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ +@@ -186,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { @@ -1522,43 +1527,10 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypt return ctx->cipher->do_cipher(ctx,out,in,inl); } -@@ -289,3 +296,18 @@ int EVP_MD_CTX_test_flags(const EVP_MD_C - { - return (ctx->flags & flags); - } -+ -+void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags) -+ { -+ ctx->flags |= flags; -+ } -+ -+void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags) -+ { -+ ctx->flags &= ~flags; -+ } -+ -+int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags) -+ { -+ return (ctx->flags & flags); -+ } -diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/crypto/evp/evp_locl.h ---- openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_locl.h 2009-11-23 08:32:31.000000000 +0100 -@@ -111,11 +111,11 @@ static int cname##_cbc_cipher(EVP_CIPHER - static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ - {\ - size_t chunk=EVP_MAXCHUNK;\ -- if (cbits==1) chunk>>=3;\ -+ if (cbits==1 && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS)) chunk>>=3;\ - if (inl=chunk)\ - {\ -- cprefix##_cfb##cbits##_encrypt(in, out, (long)(cbits==1?chunk*8:chunk), &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\ -+ cprefix##_cfb##cbits##_encrypt(in, out, (long)(cbits==1 && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS)?chunk*8:chunk), &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\ - inl-=chunk;\ - in +=chunk;\ - out+=chunk;\ -@@ -254,14 +254,29 @@ const EVP_CIPHER *EVP_##cname##_ecb(void +diff -up openssl-1.0.0a/crypto/evp/evp_locl.h.fips openssl-1.0.0a/crypto/evp/evp_locl.h +--- openssl-1.0.0a/crypto/evp/evp_locl.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/evp_locl.h 2010-06-04 12:25:15.000000000 +0200 +@@ -254,14 +254,32 @@ const EVP_CIPHER *EVP_##cname##_ecb(void #define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data) @@ -1580,6 +1552,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/cryp +#define CAST_set_key private_CAST_set_key +#define RC5_32_set_key private_RC5_32_set_key +#define BF_set_key private_BF_set_key ++#define SEED_set_key private_SEED_set_key +#define Camellia_set_key private_Camellia_set_key +#define idea_set_encrypt_key private_idea_set_encrypt_key + @@ -1588,14 +1561,16 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/cryp +#define MD2_Init private_MD2_Init +#define MDC2_Init private_MDC2_Init +#define SHA_Init private_SHA_Init ++#define RIPEMD160_Init private_RIPEMD160_Init ++#define WHIRLPOOL_Init private_WHIRLPOOL_Init + +#endif struct evp_pkey_ctx_st { -diff -up openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss.c ---- openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/m_dss.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/m_dss.c.fips openssl-1.0.0a/crypto/evp/m_dss.c +--- openssl-1.0.0a/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/m_dss.c 2010-06-04 12:25:15.000000000 +0200 @@ -81,7 +81,7 @@ static const EVP_MD dsa_md= NID_dsaWithSHA, NID_dsaWithSHA, @@ -1605,9 +1580,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips openssl-1.0.0-beta4/crypto/ init, update, final, -diff -up openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss1.c ---- openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/m_dss1.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/m_dss1.c.fips openssl-1.0.0a/crypto/evp/m_dss1.c +--- openssl-1.0.0a/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/m_dss1.c 2010-06-04 12:25:15.000000000 +0200 @@ -82,7 +82,7 @@ static const EVP_MD dss1_md= NID_dsa, NID_dsaWithSHA1, @@ -1617,9 +1592,64 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta4/crypto init, update, final, -diff -up openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta4/crypto/evp/m_sha1.c ---- openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/m_sha1.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/m_mdc2.c.fips openssl-1.0.0a/crypto/evp/m_mdc2.c +--- openssl-1.0.0a/crypto/evp/m_mdc2.c.fips 2010-02-02 14:36:05.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/m_mdc2.c 2010-06-04 12:25:15.000000000 +0200 +@@ -68,6 +68,7 @@ + #ifndef OPENSSL_NO_RSA + #include + #endif ++#include "evp_locl.h" + + static int init(EVP_MD_CTX *ctx) + { return MDC2_Init(ctx->md_data); } +diff -up openssl-1.0.0a/crypto/evp/m_md2.c.fips openssl-1.0.0a/crypto/evp/m_md2.c +--- openssl-1.0.0a/crypto/evp/m_md2.c.fips 2005-07-16 14:37:32.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/m_md2.c 2010-06-04 12:25:15.000000000 +0200 +@@ -68,6 +68,7 @@ + #ifndef OPENSSL_NO_RSA + #include + #endif ++#include "evp_locl.h" + + static int init(EVP_MD_CTX *ctx) + { return MD2_Init(ctx->md_data); } +diff -up openssl-1.0.0a/crypto/evp/m_md4.c.fips openssl-1.0.0a/crypto/evp/m_md4.c +--- openssl-1.0.0a/crypto/evp/m_md4.c.fips 2005-07-16 14:37:32.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/m_md4.c 2010-06-04 12:25:15.000000000 +0200 +@@ -68,6 +68,7 @@ + #ifndef OPENSSL_NO_RSA + #include + #endif ++#include "evp_locl.h" + + static int init(EVP_MD_CTX *ctx) + { return MD4_Init(ctx->md_data); } +diff -up openssl-1.0.0a/crypto/evp/m_md5.c.fips openssl-1.0.0a/crypto/evp/m_md5.c +--- openssl-1.0.0a/crypto/evp/m_md5.c.fips 2005-07-16 14:37:32.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/m_md5.c 2010-06-04 12:25:15.000000000 +0200 +@@ -68,6 +68,7 @@ + #ifndef OPENSSL_NO_RSA + #include + #endif ++#include "evp_locl.h" + + static int init(EVP_MD_CTX *ctx) + { return MD5_Init(ctx->md_data); } +diff -up openssl-1.0.0a/crypto/evp/m_ripemd.c.fips openssl-1.0.0a/crypto/evp/m_ripemd.c +--- openssl-1.0.0a/crypto/evp/m_ripemd.c.fips 2005-07-16 14:37:32.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/m_ripemd.c 2010-06-04 12:25:15.000000000 +0200 +@@ -68,6 +68,7 @@ + #ifndef OPENSSL_NO_RSA + #include + #endif ++#include "evp_locl.h" + + static int init(EVP_MD_CTX *ctx) + { return RIPEMD160_Init(ctx->md_data); } +diff -up openssl-1.0.0a/crypto/evp/m_sha1.c.fips openssl-1.0.0a/crypto/evp/m_sha1.c +--- openssl-1.0.0a/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/m_sha1.c 2010-06-04 12:25:15.000000000 +0200 @@ -82,7 +82,8 @@ static const EVP_MD sha1_md= NID_sha1, NID_sha1WithRSAEncryption, @@ -1670,9 +1700,20 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta4/crypto init512, update512, final512, -diff -up openssl-1.0.0-beta4/crypto/evp/names.c.fips openssl-1.0.0-beta4/crypto/evp/names.c ---- openssl-1.0.0-beta4/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/names.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/m_wp.c.fips openssl-1.0.0a/crypto/evp/m_wp.c +--- openssl-1.0.0a/crypto/evp/m_wp.c.fips 2005-11-30 21:57:23.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/m_wp.c 2010-06-04 12:25:15.000000000 +0200 +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include "evp_locl.h" + + static int init(EVP_MD_CTX *ctx) + { return WHIRLPOOL_Init(ctx->md_data); } +diff -up openssl-1.0.0a/crypto/evp/names.c.fips openssl-1.0.0a/crypto/evp/names.c +--- openssl-1.0.0a/crypto/evp/names.c.fips 2010-03-06 21:47:45.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/names.c 2010-06-04 12:25:15.000000000 +0200 @@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c) { int r; @@ -1695,9 +1736,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/names.c.fips openssl-1.0.0-beta4/crypto/ name=OBJ_nid2sn(md->type); r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md); if (r == 0) return(0); -diff -up openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips openssl-1.0.0-beta4/crypto/evp/p_sign.c ---- openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips 2006-05-24 15:29:30.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/p_sign.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/p_sign.c.fips openssl-1.0.0a/crypto/evp/p_sign.c +--- openssl-1.0.0a/crypto/evp/p_sign.c.fips 2006-05-24 15:29:30.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/p_sign.c 2010-06-04 12:25:15.000000000 +0200 @@ -61,6 +61,7 @@ #include #include @@ -1729,9 +1770,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips openssl-1.0.0-beta4/crypto if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips openssl-1.0.0-beta4/crypto/evp/p_verify.c ---- openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips 2008-11-12 04:58:01.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/p_verify.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/evp/p_verify.c.fips openssl-1.0.0a/crypto/evp/p_verify.c +--- openssl-1.0.0a/crypto/evp/p_verify.c.fips 2008-11-12 04:58:01.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/p_verify.c 2010-06-04 12:25:15.000000000 +0200 @@ -61,6 +61,7 @@ #include #include @@ -1763,9 +1804,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips openssl-1.0.0-beta4/cryp i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.0a/crypto/fips/cavs/fips_aesavs.c +--- openssl-1.0.0a/crypto/fips/cavs/fips_aesavs.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_aesavs.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,939 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -2706,9 +2747,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.0a/crypto/fips/cavs/fips_desmovs.c +--- openssl-1.0.0a/crypto/fips/cavs/fips_desmovs.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_desmovs.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,702 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -3412,9 +3453,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.0a/crypto/fips/cavs/fips_dssvs.c +--- openssl-1.0.0a/crypto/fips/cavs/fips_dssvs.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_dssvs.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,537 @@ +#include + @@ -3953,9 +3994,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.0a/crypto/fips/cavs/fips_rngvs.c +--- openssl-1.0.0a/crypto/fips/cavs/fips_rngvs.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_rngvs.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,230 @@ +/* + * Crude test driver for processing the VST and MCT testvector files @@ -4187,9 +4228,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c + return 0; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.0a/crypto/fips/cavs/fips_rsagtest.c +--- openssl-1.0.0a/crypto/fips/cavs/fips_rsagtest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_rsagtest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,390 @@ +/* fips_rsagtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4581,9 +4622,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.0a/crypto/fips/cavs/fips_rsastest.c +--- openssl-1.0.0a/crypto/fips/cavs/fips_rsastest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_rsastest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,370 @@ +/* fips_rsastest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4955,9 +4996,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.0a/crypto/fips/cavs/fips_rsavtest.c +--- openssl-1.0.0a/crypto/fips/cavs/fips_rsavtest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_rsavtest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,377 @@ +/* fips_rsavtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5336,9 +5377,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.0a/crypto/fips/cavs/fips_shatest.c +--- openssl-1.0.0a/crypto/fips/cavs/fips_shatest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_shatest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,388 @@ +/* fips_shatest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5728,9 +5769,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.0a/crypto/fips/cavs/fips_utl.h +--- openssl-1.0.0a/crypto/fips/cavs/fips_utl.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/cavs/fips_utl.h 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,343 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -6075,9 +6116,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h +#endif + } + -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips_err.c.fips openssl-1.0.0a/crypto/fips_err.c +--- openssl-1.0.0a/crypto/fips_err.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips_err.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,7 @@ +#include + @@ -6086,9 +6127,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.c +#else +static void *dummy=&dummy; +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_err.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips_err.h.fips openssl-1.0.0a/crypto/fips_err.h +--- openssl-1.0.0a/crypto/fips_err.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips_err.h 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,137 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -6227,9 +6268,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.h + } +#endif + } -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.0a/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.0a/crypto/fips/fips_aes_selftest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_aes_selftest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,103 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6334,9 +6375,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips.c.fips openssl-1.0.0a/crypto/fips/fips.c +--- openssl-1.0.0a/crypto/fips/fips.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,419 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6757,9 +6798,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.c + + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_des_selftest.c.fips openssl-1.0.0a/crypto/fips/fips_des_selftest.c +--- openssl-1.0.0a/crypto/fips/fips_des_selftest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_des_selftest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,139 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6900,9 +6941,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.0a/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.0a/crypto/fips/fips_dsa_selftest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_dsa_selftest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,186 @@ +/* crypto/dsa/dsatest.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -7090,9 +7131,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips.h.fips openssl-1.0.0a/crypto/fips/fips.h +--- openssl-1.0.0a/crypto/fips/fips.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips.h 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7257,9 +7298,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.h +} +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.0a/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.0a/crypto/fips/fips_hmac_selftest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_hmac_selftest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,137 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -7398,9 +7439,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c + return 1; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_rand.c.fips openssl-1.0.0a/crypto/fips/fips_rand.c +--- openssl-1.0.0a/crypto/fips/fips_rand.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_rand.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,412 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -7814,9 +7855,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c +} + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_rand.h.fips openssl-1.0.0a/crypto/fips/fips_rand.h +--- openssl-1.0.0a/crypto/fips/fips_rand.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_rand.h 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,77 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7895,9 +7936,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.h +#endif +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.0a/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.0a/crypto/fips/fips_rand_selftest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_rand_selftest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,373 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -8272,9 +8313,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_randtest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_randtest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_randtest.c.fips openssl-1.0.0a/crypto/fips/fips_randtest.c +--- openssl-1.0.0a/crypto/fips/fips_randtest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_randtest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,248 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -8524,9 +8565,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_randtest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.0a/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.0a/crypto/fips/fips_rsa_selftest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_rsa_selftest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,441 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -8969,9 +9010,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c + } + +#endif /* def OPENSSL_FIPS */ -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.0a/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.0a/crypto/fips/fips_rsa_x931g.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_rsa_x931g.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,281 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -9254,9 +9295,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c + return 0; + + } -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_sha1_selftest.c.fips openssl-1.0.0a/crypto/fips/fips_sha1_selftest.c +--- openssl-1.0.0a/crypto/fips/fips_sha1_selftest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_sha1_selftest.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,99 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9357,9 +9398,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_standalone_sha1.c.fips openssl-1.0.0a/crypto/fips/fips_standalone_sha1.c +--- openssl-1.0.0a/crypto/fips/fips_standalone_sha1.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_standalone_sha1.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,173 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9534,9 +9575,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c + } + + -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/fips_test_suite.c.fips openssl-1.0.0a/crypto/fips/fips_test_suite.c +--- openssl-1.0.0a/crypto/fips/fips_test_suite.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/fips_test_suite.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,588 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10126,9 +10167,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_locl.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_locl.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips_locl.h.fips openssl-1.0.0a/crypto/fips_locl.h +--- openssl-1.0.0a/crypto/fips_locl.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips_locl.h 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,72 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10202,9 +10243,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_locl.h +} +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/Makefile ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/fips/Makefile.fips openssl-1.0.0a/crypto/fips/Makefile +--- openssl-1.0.0a/crypto/fips/Makefile.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/fips/Makefile 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,81 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -10287,9 +10328,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/Makefile + +# DO NOT DELETE THIS LINE -- make depend depends on it. + -diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips openssl-1.0.0-beta4/crypto/hmac/hmac.c ---- openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/hmac/hmac.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/hmac/hmac.c.fips openssl-1.0.0a/crypto/hmac/hmac.c +--- openssl-1.0.0a/crypto/hmac/hmac.c.fips 2010-01-26 15:33:52.000000000 +0100 ++++ openssl-1.0.0a/crypto/hmac/hmac.c 2010-06-04 12:25:15.000000000 +0200 @@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo if (key != NULL) @@ -10304,31 +10345,9 @@ diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips openssl-1.0.0-beta4/crypto/ reset=1; j=EVP_MD_block_size(md); OPENSSL_assert(j <= (int)sizeof(ctx->key)); -@@ -209,3 +216,10 @@ unsigned char *HMAC(const EVP_MD *evp_md - return NULL; - } - -+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) -+ { -+ EVP_MD_CTX_set_flags(&ctx->i_ctx, flags); -+ EVP_MD_CTX_set_flags(&ctx->o_ctx, flags); -+ EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); -+ } -+ -diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips openssl-1.0.0-beta4/crypto/hmac/hmac.h ---- openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/hmac/hmac.h 2009-11-23 08:32:31.000000000 +0100 -@@ -101,6 +101,7 @@ unsigned char *HMAC(const EVP_MD *evp_md - unsigned int *md_len); - int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); - -+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags); - - #ifdef __cplusplus - } -diff -up openssl-1.0.0-beta4/crypto/Makefile.fips openssl-1.0.0-beta4/crypto/Makefile ---- openssl-1.0.0-beta4/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/Makefile.fips openssl-1.0.0a/crypto/Makefile +--- openssl-1.0.0a/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 ++++ openssl-1.0.0a/crypto/Makefile 2010-06-04 12:25:15.000000000 +0200 @@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i LIB= $(TOP)/libcrypto.a @@ -10347,9 +10366,9 @@ diff -up openssl-1.0.0-beta4/crypto/Makefile.fips openssl-1.0.0-beta4/crypto/Mak ALL= $(GENERAL) $(SRC) $(HEADER) -diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0a/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.0a/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 ++++ openssl-1.0.0a/crypto/mdc2/mdc2dgst.c 2010-06-04 12:25:15.000000000 +0200 @@ -61,6 +61,11 @@ #include #include @@ -10371,9 +10390,9 @@ diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta4/cry { c->num=0; c->pad_type=1; -diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2.h ---- openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/mdc2/mdc2.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/mdc2/mdc2.h.fips openssl-1.0.0a/crypto/mdc2/mdc2.h +--- openssl-1.0.0a/crypto/mdc2/mdc2.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/mdc2/mdc2.h 2010-06-04 12:25:15.000000000 +0200 @@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st int pad_type; /* either 1 or 2, default 1 */ } MDC2_CTX; @@ -10385,9 +10404,9 @@ diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta4/crypto/ int MDC2_Init(MDC2_CTX *c); int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); int MDC2_Final(unsigned char *md, MDC2_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta4/crypto/md2/md2_dgst.c ---- openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/md2/md2_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/md2/md2_dgst.c.fips openssl-1.0.0a/crypto/md2/md2_dgst.c +--- openssl-1.0.0a/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 ++++ openssl-1.0.0a/crypto/md2/md2_dgst.c 2010-06-04 12:25:15.000000000 +0200 @@ -62,6 +62,11 @@ #include #include @@ -10409,9 +10428,9 @@ diff -up openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta4/cryp { c->num=0; memset(c->state,0,sizeof c->state); -diff -up openssl-1.0.0-beta4/crypto/md2/md2.h.fips openssl-1.0.0-beta4/crypto/md2/md2.h ---- openssl-1.0.0-beta4/crypto/md2/md2.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md2/md2.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/md2/md2.h.fips openssl-1.0.0a/crypto/md2/md2.h +--- openssl-1.0.0a/crypto/md2/md2.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/md2/md2.h 2010-06-04 12:25:15.000000000 +0200 @@ -81,6 +81,9 @@ typedef struct MD2state_st } MD2_CTX; @@ -10422,9 +10441,9 @@ diff -up openssl-1.0.0-beta4/crypto/md2/md2.h.fips openssl-1.0.0-beta4/crypto/md int MD2_Init(MD2_CTX *c); int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); int MD2_Final(unsigned char *md, MD2_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta4/crypto/md4/md4_dgst.c ---- openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md4/md4_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/md4/md4_dgst.c.fips openssl-1.0.0a/crypto/md4/md4_dgst.c +--- openssl-1.0.0a/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 ++++ openssl-1.0.0a/crypto/md4/md4_dgst.c 2010-06-04 12:25:15.000000000 +0200 @@ -59,6 +59,11 @@ #include #include "md4_locl.h" @@ -10446,9 +10465,9 @@ diff -up openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta4/cryp { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.0-beta4/crypto/md4/md4.h.fips openssl-1.0.0-beta4/crypto/md4/md4.h ---- openssl-1.0.0-beta4/crypto/md4/md4.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md4/md4.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/md4/md4.h.fips openssl-1.0.0a/crypto/md4/md4.h +--- openssl-1.0.0a/crypto/md4/md4.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/md4/md4.h 2010-06-04 12:25:15.000000000 +0200 @@ -105,6 +105,9 @@ typedef struct MD4state_st unsigned int num; } MD4_CTX; @@ -10459,9 +10478,9 @@ diff -up openssl-1.0.0-beta4/crypto/md4/md4.h.fips openssl-1.0.0-beta4/crypto/md int MD4_Init(MD4_CTX *c); int MD4_Update(MD4_CTX *c, const void *data, size_t len); int MD4_Final(unsigned char *md, MD4_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta4/crypto/md5/md5_dgst.c ---- openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md5/md5_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/md5/md5_dgst.c.fips openssl-1.0.0a/crypto/md5/md5_dgst.c +--- openssl-1.0.0a/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 ++++ openssl-1.0.0a/crypto/md5/md5_dgst.c 2010-06-04 12:25:15.000000000 +0200 @@ -59,6 +59,11 @@ #include #include "md5_locl.h" @@ -10483,9 +10502,9 @@ diff -up openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta4/cryp { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.0-beta4/crypto/md5/md5.h.fips openssl-1.0.0-beta4/crypto/md5/md5.h ---- openssl-1.0.0-beta4/crypto/md5/md5.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md5/md5.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/md5/md5.h.fips openssl-1.0.0a/crypto/md5/md5.h +--- openssl-1.0.0a/crypto/md5/md5.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/md5/md5.h 2010-06-04 12:25:15.000000000 +0200 @@ -105,6 +105,9 @@ typedef struct MD5state_st unsigned int num; } MD5_CTX; @@ -10496,9 +10515,9 @@ diff -up openssl-1.0.0-beta4/crypto/md5/md5.h.fips openssl-1.0.0-beta4/crypto/md int MD5_Init(MD5_CTX *c); int MD5_Update(MD5_CTX *c, const void *data, size_t len); int MD5_Final(unsigned char *md, MD5_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/mem.c.fips openssl-1.0.0-beta4/crypto/mem.c ---- openssl-1.0.0-beta4/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/mem.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/mem.c.fips openssl-1.0.0a/crypto/mem.c +--- openssl-1.0.0a/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 ++++ openssl-1.0.0a/crypto/mem.c 2010-06-04 12:25:15.000000000 +0200 @@ -101,7 +101,7 @@ static void (*free_locked_func)(void *) /* may be changed as long as 'allow_customize_debug' is set */ @@ -10508,9 +10527,9 @@ diff -up openssl-1.0.0-beta4/crypto/mem.c.fips openssl-1.0.0-beta4/crypto/mem.c /* use default functions from mem_dbg.c */ static void (*malloc_debug_func)(void *,int,const char *,int,int) = CRYPTO_dbg_malloc; -diff -up /dev/null openssl-1.0.0-beta4/crypto/o_init.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/o_init.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/o_init.c.fips openssl-1.0.0a/crypto/o_init.c +--- openssl-1.0.0a/crypto/o_init.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/o_init.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,80 @@ +/* o_init.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10592,9 +10611,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/o_init.c + } + + -diff -up openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips openssl-1.0.0-beta4/crypto/opensslconf.h.in ---- openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/opensslconf.h.in 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/opensslconf.h.in.fips openssl-1.0.0a/crypto/opensslconf.h.in +--- openssl-1.0.0a/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 ++++ openssl-1.0.0a/crypto/opensslconf.h.in 2010-06-04 12:25:15.000000000 +0200 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -10616,9 +10635,9 @@ diff -up openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips openssl-1.0.0-beta4/cr /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c ---- openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0a/crypto/pkcs12/p12_crt.c +--- openssl-1.0.0a/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 ++++ openssl-1.0.0a/crypto/pkcs12/p12_crt.c 2010-06-04 12:25:15.000000000 +0200 @@ -59,6 +59,10 @@ #include #include "cryptlib.h" @@ -10645,9 +10664,9 @@ diff -up openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta4/cr if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; if (!iter) -diff -up openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips openssl-1.0.0-beta4/crypto/rand/md_rand.c ---- openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/md_rand.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rand/md_rand.c.fips openssl-1.0.0a/crypto/rand/md_rand.c +--- openssl-1.0.0a/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 ++++ openssl-1.0.0a/crypto/rand/md_rand.c 2010-06-04 12:25:15.000000000 +0200 @@ -126,6 +126,10 @@ #include @@ -10674,9 +10693,9 @@ diff -up openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips openssl-1.0.0-beta4/cryp #ifdef PREDICT if (rand_predictable) { -diff -up openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips openssl-1.0.0-beta4/crypto/rand/rand_err.c ---- openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rand/rand_err.c.fips openssl-1.0.0a/crypto/rand/rand_err.c +--- openssl-1.0.0a/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 ++++ openssl-1.0.0a/crypto/rand/rand_err.c 2010-06-04 12:25:15.000000000 +0200 @@ -70,6 +70,13 @@ static ERR_STRING_DATA RAND_str_functs[]= @@ -10709,9 +10728,9 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips openssl-1.0.0-beta4/cry {0,NULL} }; -diff -up openssl-1.0.0-beta4/crypto/rand/rand.h.fips openssl-1.0.0-beta4/crypto/rand/rand.h ---- openssl-1.0.0-beta4/crypto/rand/rand.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rand/rand.h.fips openssl-1.0.0a/crypto/rand/rand.h +--- openssl-1.0.0a/crypto/rand/rand.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/rand/rand.h 2010-06-04 12:25:15.000000000 +0200 @@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -10741,9 +10760,9 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand.h.fips openssl-1.0.0-beta4/crypto/ #ifdef __cplusplus } -diff -up openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta4/crypto/rand/rand_lib.c ---- openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand_lib.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rand/rand_lib.c.fips openssl-1.0.0a/crypto/rand/rand_lib.c +--- openssl-1.0.0a/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 ++++ openssl-1.0.0a/crypto/rand/rand_lib.c 2010-06-04 12:25:15.000000000 +0200 @@ -60,6 +60,12 @@ #include #include "cryptlib.h" @@ -10777,9 +10796,9 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta4/cry return default_RAND_meth; } -diff -up openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips openssl-1.0.0-beta4/crypto/rc2/rc2.h ---- openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc2/rc2.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc2/rc2.h.fips openssl-1.0.0a/crypto/rc2/rc2.h +--- openssl-1.0.0a/crypto/rc2/rc2.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/rc2/rc2.h 2010-06-04 12:25:15.000000000 +0200 @@ -79,7 +79,9 @@ typedef struct rc2_key_st RC2_INT data[64]; } RC2_KEY; @@ -10791,9 +10810,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips openssl-1.0.0-beta4/crypto/rc void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, int enc); -diff -up openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c ---- openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc2/rc2_skey.c.fips openssl-1.0.0a/crypto/rc2/rc2_skey.c +--- openssl-1.0.0a/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 ++++ openssl-1.0.0a/crypto/rc2/rc2_skey.c 2010-06-04 12:25:15.000000000 +0200 @@ -57,6 +57,11 @@ */ @@ -10827,9 +10846,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta4/cryp int i,j; unsigned char *k; RC2_INT *ki; -diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl ---- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0a/crypto/rc4/asm/rc4-s390x.pl +--- openssl-1.0.0a/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 ++++ openssl-1.0.0a/crypto/rc4/asm/rc4-s390x.pl 2010-06-04 12:25:15.000000000 +0200 @@ -202,4 +202,6 @@ RC4_options: .string "rc4(8x,char)" ___ @@ -10837,9 +10856,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta +$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); + print $code; -diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl ---- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0a/crypto/rc4/asm/rc4-x86_64.pl +--- openssl-1.0.0a/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 ++++ openssl-1.0.0a/crypto/rc4/asm/rc4-x86_64.pl 2010-06-04 12:25:15.000000000 +0200 @@ -499,6 +499,8 @@ ___ $code =~ s/#([bwd])/$1/gm; @@ -10849,9 +10868,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-bet print $code; close STDOUT; -diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl ---- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0a/crypto/rc4/asm/rc4-586.pl +--- openssl-1.0.0a/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 ++++ openssl-1.0.0a/crypto/rc4/asm/rc4-586.pl 2010-06-04 12:25:15.000000000 +0200 @@ -166,8 +166,12 @@ $idx="edx"; &external_label("OPENSSL_ia32cap_P"); @@ -10875,9 +10894,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta4/ # const char *RC4_options(void); &function_begin_B("RC4_options"); -diff -up openssl-1.0.0-beta4/crypto/rc4/Makefile.fips openssl-1.0.0-beta4/crypto/rc4/Makefile ---- openssl-1.0.0-beta4/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc4/Makefile.fips openssl-1.0.0a/crypto/rc4/Makefile +--- openssl-1.0.0a/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 ++++ openssl-1.0.0a/crypto/rc4/Makefile 2010-06-04 12:25:15.000000000 +0200 @@ -21,8 +21,8 @@ TEST=rc4test.c APPS= @@ -10889,9 +10908,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/Makefile.fips openssl-1.0.0-beta4/crypto SRC= $(LIBSRC) -diff -up /dev/null openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc4/rc4_fblk.c.fips openssl-1.0.0a/crypto/rc4/rc4_fblk.c +--- openssl-1.0.0a/crypto/rc4/rc4_fblk.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/rc4/rc4_fblk.c 2010-06-04 12:25:15.000000000 +0200 @@ -0,0 +1,75 @@ +/* crypto/rc4/rc4_fblk.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10968,9 +10987,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c + } +#endif + -diff -up openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips openssl-1.0.0-beta4/crypto/rc4/rc4.h ---- openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc4/rc4.h.fips openssl-1.0.0a/crypto/rc4/rc4.h +--- openssl-1.0.0a/crypto/rc4/rc4.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/rc4/rc4.h 2010-06-04 12:25:15.000000000 +0200 @@ -78,6 +78,9 @@ typedef struct rc4_key_st @@ -10981,9 +11000,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips openssl-1.0.0-beta4/crypto/rc void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); void RC4(RC4_KEY *key, size_t len, const unsigned char *indata, unsigned char *outdata); -diff -up openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c ---- openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rc4/rc4_skey.c.fips openssl-1.0.0a/crypto/rc4/rc4_skey.c +--- openssl-1.0.0a/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 ++++ openssl-1.0.0a/crypto/rc4/rc4_skey.c 2010-06-04 12:25:15.000000000 +0200 @@ -59,6 +59,11 @@ #include #include "rc4_locl.h" @@ -11021,9 +11040,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta4/cryp unsigned char *cp=(unsigned char *)d; for (i=0;i<256;i++) cp[i]=i; -diff -up openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta4/crypto/ripemd/ripemd.h ---- openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/ripemd/ripemd.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/ripemd/ripemd.h.fips openssl-1.0.0a/crypto/ripemd/ripemd.h +--- openssl-1.0.0a/crypto/ripemd/ripemd.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/ripemd/ripemd.h 2010-06-04 12:25:15.000000000 +0200 @@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st unsigned int num; } RIPEMD160_CTX; @@ -11034,9 +11053,9 @@ diff -up openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta4/cry int RIPEMD160_Init(RIPEMD160_CTX *c); int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len); int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0a/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.0a/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 ++++ openssl-1.0.0a/crypto/ripemd/rmd_dgst.c 2010-06-04 12:25:15.000000000 +0200 @@ -59,6 +59,11 @@ #include #include "rmd_locl.h" @@ -11058,9 +11077,9 @@ diff -up openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta4/c { memset (c,0,sizeof(*c)); c->A=RIPEMD160_A; -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rsa/rsa_eay.c.fips openssl-1.0.0a/crypto/rsa/rsa_eay.c +--- openssl-1.0.0a/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 ++++ openssl-1.0.0a/crypto/rsa/rsa_eay.c 2010-06-04 12:25:15.000000000 +0200 @@ -114,6 +114,10 @@ #include #include @@ -11321,9 +11340,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; return(1); } -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_err.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rsa/rsa_err.c.fips openssl-1.0.0a/crypto/rsa/rsa_err.c +--- openssl-1.0.0a/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 ++++ openssl-1.0.0a/crypto/rsa/rsa_err.c 2010-06-04 12:25:15.000000000 +0200 @@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"}, @@ -11350,9 +11369,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta4/crypt {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rsa/rsa_gen.c.fips openssl-1.0.0a/crypto/rsa/rsa_gen.c +--- openssl-1.0.0a/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 ++++ openssl-1.0.0a/crypto/rsa/rsa_gen.c 2010-06-04 12:25:15.000000000 +0200 @@ -67,6 +67,82 @@ #include "cryptlib.h" #include @@ -11478,9 +11497,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta4/crypt ok=1; err: if (ok == -1) -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips openssl-1.0.0-beta4/crypto/rsa/rsa.h ---- openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rsa/rsa.h.fips openssl-1.0.0a/crypto/rsa/rsa.h +--- openssl-1.0.0a/crypto/rsa/rsa.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/rsa/rsa.h 2010-06-04 12:25:15.000000000 +0200 @@ -74,6 +74,21 @@ #error RSA is disabled. #endif @@ -11550,9 +11569,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips openssl-1.0.0-beta4/crypto/rs #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 #define RSA_R_PADDING_CHECK_FAILED 114 #define RSA_R_P_NOT_PRIME 128 -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips 2009-08-05 17:04:16.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rsa/rsa_lib.c.fips openssl-1.0.0a/crypto/rsa/rsa_lib.c +--- openssl-1.0.0a/crypto/rsa/rsa_lib.c.fips 2009-12-09 14:38:20.000000000 +0100 ++++ openssl-1.0.0a/crypto/rsa/rsa_lib.c 2010-06-04 12:25:15.000000000 +0200 @@ -80,6 +80,13 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -11600,7 +11619,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypt ret->pad=0; ret->version=0; -@@ -285,6 +311,13 @@ int RSA_public_encrypt(int flen, const u +@@ -294,6 +320,13 @@ int RSA_public_encrypt(int flen, const u int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { @@ -11614,7 +11633,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypt return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); } -@@ -297,6 +330,13 @@ int RSA_private_decrypt(int flen, const +@@ -306,6 +339,13 @@ int RSA_private_decrypt(int flen, const int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { @@ -11628,9 +11647,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypt return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); } -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/rsa/rsa_sign.c.fips openssl-1.0.0a/crypto/rsa/rsa_sign.c +--- openssl-1.0.0a/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 ++++ openssl-1.0.0a/crypto/rsa/rsa_sign.c 2010-06-04 12:25:15.000000000 +0200 @@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig,&p); s=tmps; @@ -11662,9 +11681,54 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta4/cryp if (i <= 0) goto err; -diff -up openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha_dgst.c ---- openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/seed/seed.c.fips openssl-1.0.0a/crypto/seed/seed.c +--- openssl-1.0.0a/crypto/seed/seed.c.fips 2008-12-16 08:41:21.000000000 +0100 ++++ openssl-1.0.0a/crypto/seed/seed.c 2010-06-04 12:25:15.000000000 +0200 +@@ -34,6 +34,9 @@ + + #include + #include "seed_locl.h" ++#ifdef OPENSSL_FIPS ++#include ++#endif + + static const seed_word SS[4][256] = { { + 0x2989a1a8, 0x05858184, 0x16c6d2d4, 0x13c3d3d0, 0x14445054, 0x1d0d111c, 0x2c8ca0ac, 0x25052124, +@@ -193,7 +196,18 @@ static const seed_word KC[] = { + KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 }; + #endif + ++#ifdef OPENSSL_FIPS + void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) ++ { ++ if (FIPS_mode()) ++ FIPS_BAD_ABORT(SEED) ++ private_SEED_set_key(rawkey, ks); ++ } ++ ++void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) ++#else ++void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks) ++#endif + { + seed_word x1, x2, x3, x4; + seed_word t0, t1; +diff -up openssl-1.0.0a/crypto/seed/seed.h.fips openssl-1.0.0a/crypto/seed/seed.h +--- openssl-1.0.0a/crypto/seed/seed.h.fips 2010-06-04 12:25:14.000000000 +0200 ++++ openssl-1.0.0a/crypto/seed/seed.h 2010-06-04 12:25:15.000000000 +0200 +@@ -117,6 +117,9 @@ typedef struct seed_key_st { + } SEED_KEY_SCHEDULE; + + ++#ifdef OPENSSL_FIPS ++void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks); ++#endif + void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks); + + void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks); +diff -up openssl-1.0.0a/crypto/sha/sha_dgst.c.fips openssl-1.0.0a/crypto/sha/sha_dgst.c +--- openssl-1.0.0a/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0a/crypto/sha/sha_dgst.c 2010-06-04 12:25:15.000000000 +0200 @@ -57,6 +57,12 @@ */ @@ -11678,9 +11742,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta4/cryp #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) #undef SHA_1 -diff -up openssl-1.0.0-beta4/crypto/sha/sha.h.fips openssl-1.0.0-beta4/crypto/sha/sha.h ---- openssl-1.0.0-beta4/crypto/sha/sha.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/sha/sha.h.fips openssl-1.0.0a/crypto/sha/sha.h +--- openssl-1.0.0a/crypto/sha/sha.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/sha/sha.h 2010-06-04 12:25:15.000000000 +0200 @@ -106,6 +106,9 @@ typedef struct SHAstate_st } SHA_CTX; @@ -11691,9 +11755,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha.h.fips openssl-1.0.0-beta4/crypto/sh int SHA_Init(SHA_CTX *c); int SHA_Update(SHA_CTX *c, const void *data, size_t len); int SHA_Final(unsigned char *md, SHA_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta4/crypto/sha/sha_locl.h ---- openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha_locl.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/sha/sha_locl.h.fips openssl-1.0.0a/crypto/sha/sha_locl.h +--- openssl-1.0.0a/crypto/sha/sha_locl.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/sha/sha_locl.h 2010-06-04 12:25:15.000000000 +0200 @@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, #define INIT_DATA_h3 0x10325476UL #define INIT_DATA_h4 0xc3d2e1f0UL @@ -11710,9 +11774,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta4/cryp memset (c,0,sizeof(*c)); c->h0=INIT_DATA_h0; c->h1=INIT_DATA_h1; -diff -up openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha1dgst.c ---- openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha1dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/sha/sha1dgst.c.fips openssl-1.0.0a/crypto/sha/sha1dgst.c +--- openssl-1.0.0a/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0a/crypto/sha/sha1dgst.c 2010-06-04 12:25:15.000000000 +0200 @@ -63,6 +63,10 @@ #define SHA_1 @@ -11724,9 +11788,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta4/cryp const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT; -diff -up openssl-1.0.0-beta4/crypto/sha/sha256.c.fips openssl-1.0.0-beta4/crypto/sha/sha256.c ---- openssl-1.0.0-beta4/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha256.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/sha/sha256.c.fips openssl-1.0.0a/crypto/sha/sha256.c +--- openssl-1.0.0a/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0a/crypto/sha/sha256.c 2010-06-04 12:25:15.000000000 +0200 @@ -12,12 +12,19 @@ #include @@ -11757,9 +11821,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha256.c.fips openssl-1.0.0-beta4/crypto memset (c,0,sizeof(*c)); c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL; c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; -diff -up openssl-1.0.0-beta4/crypto/sha/sha512.c.fips openssl-1.0.0-beta4/crypto/sha/sha512.c ---- openssl-1.0.0-beta4/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha512.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/sha/sha512.c.fips openssl-1.0.0a/crypto/sha/sha512.c +--- openssl-1.0.0a/crypto/sha/sha512.c.fips 2009-12-30 12:53:33.000000000 +0100 ++++ openssl-1.0.0a/crypto/sha/sha512.c 2010-06-04 12:25:15.000000000 +0200 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -11791,18 +11855,39 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha512.c.fips openssl-1.0.0-beta4/crypto #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm)) /* maintain dword order required by assembler module */ unsigned int *h = (unsigned int *)c->h; -@@ -380,7 +390,7 @@ static const SHA_LONG64 K512[80] = { - ((SHA_LONG64)hi)<<32|lo; }) - # endif - # elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64) --# define ROTR(a,n) ({ unsigned long ret; \ -+# define ROTR(a,n) ({ SHA_LONG64 ret; \ - asm ("rotrdi %0,%1,%2" \ - : "=r"(ret) \ - : "r"(a),"K"(n)); ret; }) -diff -up openssl-1.0.0-beta4/Makefile.org.fips openssl-1.0.0-beta4/Makefile.org ---- openssl-1.0.0-beta4/Makefile.org.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/Makefile.org 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/crypto/whrlpool/whrlpool.h.fips openssl-1.0.0a/crypto/whrlpool/whrlpool.h +--- openssl-1.0.0a/crypto/whrlpool/whrlpool.h.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/crypto/whrlpool/whrlpool.h 2010-06-04 12:25:15.000000000 +0200 +@@ -24,6 +24,9 @@ typedef struct { + } WHIRLPOOL_CTX; + + #ifndef OPENSSL_NO_WHIRLPOOL ++#ifdef OPENSSL_FIPS ++int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c); ++#endif + int WHIRLPOOL_Init (WHIRLPOOL_CTX *c); + int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes); + void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits); +diff -up openssl-1.0.0a/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.0a/crypto/whrlpool/wp_dgst.c +--- openssl-1.0.0a/crypto/whrlpool/wp_dgst.c.fips 2008-12-29 13:35:49.000000000 +0100 ++++ openssl-1.0.0a/crypto/whrlpool/wp_dgst.c 2010-06-04 12:25:15.000000000 +0200 +@@ -53,8 +53,12 @@ + + #include "wp_locl.h" + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif + +-int WHIRLPOOL_Init (WHIRLPOOL_CTX *c) ++FIPS_NON_FIPS_MD_Init(WHIRLPOOL) + { + memset (c,0,sizeof(*c)); + return(1); +diff -up openssl-1.0.0a/Makefile.org.fips openssl-1.0.0a/Makefile.org +--- openssl-1.0.0a/Makefile.org.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/Makefile.org 2010-06-04 12:25:15.000000000 +0200 @@ -110,6 +110,9 @@ LIBKRB5= ZLIB_INCLUDE= LIBZLIB= @@ -11830,9 +11915,9 @@ diff -up openssl-1.0.0-beta4/Makefile.org.fips openssl-1.0.0-beta4/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips openssl-1.0.0-beta4/ssl/ssl_ciph.c ---- openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips 2009-09-13 01:18:09.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/ssl_ciph.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/ssl/ssl_ciph.c.fips openssl-1.0.0a/ssl/ssl_ciph.c +--- openssl-1.0.0a/ssl/ssl_ciph.c.fips 2009-09-13 01:18:09.000000000 +0200 ++++ openssl-1.0.0a/ssl/ssl_ciph.c 2010-06-04 12:25:15.000000000 +0200 @@ -727,6 +727,9 @@ static void ssl_cipher_collect_ciphers(c !(c->algorithm_auth & disabled_auth) && !(c->algorithm_enc & disabled_enc) && @@ -11855,10 +11940,10 @@ diff -up openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips openssl-1.0.0-beta4/ssl/ssl_cip { sk_SSL_CIPHER_push(cipherstack, curr->cipher); #ifdef CIPHER_DEBUG -diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.fips openssl-1.0.0-beta4/ssl/ssl_lib.c ---- openssl-1.0.0-beta4/ssl/ssl_lib.c.fips 2009-10-16 15:41:52.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/ssl_lib.c 2009-11-23 08:32:31.000000000 +0100 -@@ -1471,6 +1471,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +diff -up openssl-1.0.0a/ssl/ssl_lib.c.fips openssl-1.0.0a/ssl/ssl_lib.c +--- openssl-1.0.0a/ssl/ssl_lib.c.fips 2010-02-17 20:43:46.000000000 +0100 ++++ openssl-1.0.0a/ssl/ssl_lib.c 2010-06-04 12:25:15.000000000 +0200 +@@ -1521,6 +1521,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m return(NULL); } @@ -11873,10 +11958,10 @@ diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.fips openssl-1.0.0-beta4/ssl/ssl_lib. if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); -diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest.c ---- openssl-1.0.0-beta4/ssl/ssltest.c.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssltest.c 2009-11-23 08:32:31.000000000 +0100 -@@ -265,6 +265,9 @@ static void sv_usage(void) +diff -up openssl-1.0.0a/ssl/ssltest.c.fips openssl-1.0.0a/ssl/ssltest.c +--- openssl-1.0.0a/ssl/ssltest.c.fips 2010-06-04 12:25:15.000000000 +0200 ++++ openssl-1.0.0a/ssl/ssltest.c 2010-06-04 12:25:15.000000000 +0200 +@@ -268,6 +268,9 @@ static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); fprintf(stderr,"\n"); @@ -11886,7 +11971,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. fprintf(stderr," -server_auth - check server certificate\n"); fprintf(stderr," -client_auth - do client authentication\n"); fprintf(stderr," -proxy - allow proxy certificates\n"); -@@ -484,6 +487,9 @@ int main(int argc, char *argv[]) +@@ -487,6 +490,9 @@ int main(int argc, char *argv[]) #endif STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; int test_cipherlist = 0; @@ -11896,7 +11981,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. verbose = 0; debug = 0; -@@ -515,7 +521,16 @@ int main(int argc, char *argv[]) +@@ -518,7 +524,16 @@ int main(int argc, char *argv[]) while (argc >= 1) { @@ -11914,7 +11999,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. server_auth=1; else if (strcmp(*argv,"-client_auth") == 0) client_auth=1; -@@ -711,6 +726,20 @@ bad: +@@ -714,6 +729,20 @@ bad: EXIT(1); } @@ -11935,7 +12020,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. if (print_time) { if (!bio_pair) -@@ -2153,12 +2182,12 @@ static int MS_CALLBACK app_verify_callba +@@ -2156,12 +2185,12 @@ static int MS_CALLBACK app_verify_callba } #ifndef OPENSSL_NO_X509_VERIFY @@ -11950,10 +12035,10 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. if(s->version == TLS1_VERSION) FIPS_allow_md5(0); # endif -diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_clnt.c ---- openssl-1.0.0-beta4/ssl/s23_clnt.c.fips 2009-08-05 17:29:14.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s23_clnt.c 2009-11-23 08:32:31.000000000 +0100 -@@ -335,6 +335,14 @@ static int ssl23_client_hello(SSL *s) +diff -up openssl-1.0.0a/ssl/s23_clnt.c.fips openssl-1.0.0a/ssl/s23_clnt.c +--- openssl-1.0.0a/ssl/s23_clnt.c.fips 2010-02-16 15:20:40.000000000 +0100 ++++ openssl-1.0.0a/ssl/s23_clnt.c 2010-06-04 12:25:15.000000000 +0200 +@@ -334,6 +334,14 @@ static int ssl23_client_hello(SSL *s) version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; } @@ -11968,7 +12053,7 @@ diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_cln else if (version == SSL3_VERSION) { version_major = SSL3_VERSION_MAJOR; -@@ -618,6 +626,14 @@ static int ssl23_get_server_hello(SSL *s +@@ -617,6 +625,14 @@ static int ssl23_get_server_hello(SSL *s if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { @@ -11983,10 +12068,10 @@ diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_cln s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } -diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.fips openssl-1.0.0-beta4/ssl/s23_srvr.c ---- openssl-1.0.0-beta4/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-23 08:32:31.000000000 +0100 -@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) +diff -up openssl-1.0.0a/ssl/s23_srvr.c.fips openssl-1.0.0a/ssl/s23_srvr.c +--- openssl-1.0.0a/ssl/s23_srvr.c.fips 2010-02-16 15:20:40.000000000 +0100 ++++ openssl-1.0.0a/ssl/s23_srvr.c 2010-06-04 12:25:15.000000000 +0200 +@@ -393,6 +393,15 @@ int ssl23_get_client_hello(SSL *s) } } @@ -12002,9 +12087,9 @@ diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.fips openssl-1.0.0-beta4/ssl/s23_srv if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { /* we have SSLv3/TLSv1 in an SSLv2 header -diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt.c ---- openssl-1.0.0-beta4/ssl/s3_clnt.c.fips 2009-10-30 15:06:18.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/ssl/s3_clnt.c.fips openssl-1.0.0a/ssl/s3_clnt.c +--- openssl-1.0.0a/ssl/s3_clnt.c.fips 2010-02-28 01:24:24.000000000 +0100 ++++ openssl-1.0.0a/ssl/s3_clnt.c 2010-06-04 12:25:15.000000000 +0200 @@ -156,6 +156,10 @@ #include #include @@ -12016,7 +12101,7 @@ diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt. #ifndef OPENSSL_NO_DH #include #endif -@@ -1530,6 +1534,8 @@ int ssl3_get_key_exchange(SSL *s) +@@ -1546,6 +1550,8 @@ int ssl3_get_key_exchange(SSL *s) q=md_buf; for (num=2; num > 0; num--) { @@ -12025,9 +12110,9 @@ diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt. EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); -diff -up openssl-1.0.0-beta4/ssl/s3_enc.c.fips openssl-1.0.0-beta4/ssl/s3_enc.c ---- openssl-1.0.0-beta4/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s3_enc.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0a/ssl/s3_enc.c.fips openssl-1.0.0a/ssl/s3_enc.c +--- openssl-1.0.0a/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 ++++ openssl-1.0.0a/ssl/s3_enc.c 2010-06-04 12:25:15.000000000 +0200 @@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL * #endif k=0; @@ -12053,10 +12138,10 @@ diff -up openssl-1.0.0-beta4/ssl/s3_enc.c.fips openssl-1.0.0-beta4/ssl/s3_enc.c EVP_MD_CTX_copy_ex(&ctx,d); n=EVP_MD_CTX_size(&ctx); if (n < 0) -diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.fips openssl-1.0.0-beta4/ssl/s3_srvr.c ---- openssl-1.0.0-beta4/ssl/s3_srvr.c.fips 2009-10-30 14:22:44.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2009-11-23 08:32:31.000000000 +0100 -@@ -1679,6 +1679,8 @@ int ssl3_send_server_key_exchange(SSL *s +diff -up openssl-1.0.0a/ssl/s3_srvr.c.fips openssl-1.0.0a/ssl/s3_srvr.c +--- openssl-1.0.0a/ssl/s3_srvr.c.fips 2010-02-28 00:04:10.000000000 +0100 ++++ openssl-1.0.0a/ssl/s3_srvr.c 2010-06-04 12:25:15.000000000 +0200 +@@ -1752,6 +1752,8 @@ int ssl3_send_server_key_exchange(SSL *s j=0; for (num=2; num > 0; num--) { @@ -12065,15 +12150,15 @@ diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.fips openssl-1.0.0-beta4/ssl/s3_srvr. EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); -diff -up openssl-1.0.0-beta4/ssl/t1_enc.c.fips openssl-1.0.0-beta4/ssl/t1_enc.c ---- openssl-1.0.0-beta4/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/t1_enc.c 2009-11-23 08:32:31.000000000 +0100 -@@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md +diff -up openssl-1.0.0a/ssl/t1_enc.c.fips openssl-1.0.0a/ssl/t1_enc.c +--- openssl-1.0.0a/ssl/t1_enc.c.fips 2010-05-17 13:26:56.000000000 +0200 ++++ openssl-1.0.0a/ssl/t1_enc.c 2010-06-04 13:28:01.000000000 +0200 +@@ -170,6 +170,8 @@ static int tls1_P_hash(const EVP_MD *md, HMAC_CTX_init(&ctx); HMAC_CTX_init(&ctx_tmp); + HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); - HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); - if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len); + if (!HMAC_Init_ex(&ctx,sec,sec_len,md, NULL)) + goto err; + if (!HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL)) diff --git a/openssl-1.0.0-beta3-fipsmode.patch b/openssl-1.0.0a-fipsmode.patch similarity index 80% rename from openssl-1.0.0-beta3-fipsmode.patch rename to openssl-1.0.0a-fipsmode.patch index 2fbf0a6..352e74e 100644 --- a/openssl-1.0.0-beta3-fipsmode.patch +++ b/openssl-1.0.0a-fipsmode.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode openssl-1.0.0-beta3/crypto/engine/eng_all.c ---- openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/engine/eng_all.c 2009-08-11 17:37:16.000000000 +0200 +diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c +--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200 ++++ openssl-1.0.0a/crypto/engine/eng_all.c 2010-06-04 13:32:13.000000000 +0200 @@ -58,9 +58,23 @@ #include "cryptlib.h" @@ -25,9 +25,9 @@ diff -up openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode openssl-1.0.0-beta #if 0 /* There's no longer any need for an "openssl" ENGINE unless, one day, * it is the *only* way for standard builtin implementations to be be -diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_allc.c ---- openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode 2007-04-24 01:48:28.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/c_allc.c 2009-08-11 17:42:34.000000000 +0200 +diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c +--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode 2009-12-25 15:12:24.000000000 +0100 ++++ openssl-1.0.0a/crypto/evp/c_allc.c 2010-06-04 13:32:13.000000000 +0200 @@ -65,6 +65,11 @@ void OpenSSL_add_all_ciphers(void) { @@ -40,7 +40,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/cr #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cfb()); EVP_add_cipher(EVP_des_cfb1()); -@@ -219,4 +224,61 @@ void OpenSSL_add_all_ciphers(void) +@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256"); EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256"); #endif @@ -102,9 +102,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/cr + } +#endif } -diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_alld.c ---- openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/c_alld.c 2009-08-11 17:54:08.000000000 +0200 +diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c +--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200 ++++ openssl-1.0.0a/crypto/evp/c_alld.c 2010-06-04 13:32:13.000000000 +0200 @@ -64,6 +64,11 @@ void OpenSSL_add_all_digests(void) @@ -117,11 +117,10 @@ diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/cr #ifndef OPENSSL_NO_MD4 EVP_add_digest(EVP_md4()); #endif -@@ -110,5 +115,33 @@ void OpenSSL_add_all_digests(void) - #endif +@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void) #ifndef OPENSSL_NO_WHIRLPOOL EVP_add_digest(EVP_whirlpool()); -+#endif + #endif +#ifdef OPENSSL_FIPS + } + else @@ -149,11 +148,11 @@ diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/cr + EVP_add_digest(EVP_sha512()); +#endif + } - #endif ++#endif } -diff -up openssl-1.0.0-beta3/crypto/o_init.c.fipsmode openssl-1.0.0-beta3/crypto/o_init.c ---- openssl-1.0.0-beta3/crypto/o_init.c.fipsmode 2009-08-11 17:28:25.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/o_init.c 2009-08-11 17:39:06.000000000 +0200 +diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c +--- openssl-1.0.0a/crypto/o_init.c.fipsmode 2010-06-04 13:32:13.000000000 +0200 ++++ openssl-1.0.0a/crypto/o_init.c 2010-06-04 13:32:13.000000000 +0200 @@ -59,6 +59,43 @@ #include #include @@ -206,9 +205,9 @@ diff -up openssl-1.0.0-beta3/crypto/o_init.c.fipsmode openssl-1.0.0-beta3/crypto done = 1; } #endif -diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl_algs.c ---- openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode 2009-07-08 10:50:53.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl_algs.c 2009-08-11 18:01:13.000000000 +0200 +diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c +--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode 2010-04-07 15:18:30.000000000 +0200 ++++ openssl-1.0.0a/ssl/ssl_algs.c 2010-06-04 13:32:48.000000000 +0200 @@ -64,6 +64,12 @@ int SSL_library_init(void) { @@ -222,7 +221,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cbc()); EVP_add_cipher(EVP_des_ede3_cbc()); -@@ -115,6 +121,40 @@ int SSL_library_init(void) +@@ -127,6 +133,48 @@ int SSL_library_init(void) EVP_add_digest(EVP_sha()); EVP_add_digest(EVP_dss()); #endif @@ -249,6 +248,14 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl + EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); +#endif ++#ifndef OPENSSL_NO_SHA256 ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++#endif ++#ifndef OPENSSL_NO_SHA512 ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++#endif +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) + EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); diff --git a/openssl-1.0.0a-version.patch b/openssl-1.0.0a-version.patch new file mode 100644 index 0000000..75a0233 --- /dev/null +++ b/openssl-1.0.0a-version.patch @@ -0,0 +1,13 @@ +diff -up openssl-1.0.0a/crypto/opensslv.h.version openssl-1.0.0a/crypto/opensslv.h +--- openssl-1.0.0a/crypto/opensslv.h.version 2010-06-04 13:28:52.000000000 +0200 ++++ openssl-1.0.0a/crypto/opensslv.h 2010-06-04 13:29:42.000000000 +0200 +@@ -25,7 +25,8 @@ + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-#define OPENSSL_VERSION_NUMBER 0x1000001fL ++/* we have to keep the version number to not break the abi */ ++#define OPENSSL_VERSION_NUMBER 0x10000003L + #ifdef OPENSSL_FIPS + #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0a-fips 1 Jun 2010" + #else diff --git a/sources b/sources index 8a2c648..f42b68d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -1fc0e41c230d0698f834413dfba864ad openssl-1.0.0-beta4-usa.tar.bz2 +36a9936e1791566b205daa7cb4bea074 openssl-1.0.0a-usa.tar.bz2 From f943b6e544a0be7f6a6f3b1cf2896c4191659a73 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sat, 19 Jun 2010 19:46:13 +0000 Subject: [PATCH 18/28] Use sed to fix up cflags instead of unmaintainable patch --- mingw32-openssl-1.0.0-beta3-configure.patch | 12 ------------ mingw32-openssl.spec | 8 ++++---- 2 files changed, 4 insertions(+), 16 deletions(-) delete mode 100644 mingw32-openssl-1.0.0-beta3-configure.patch diff --git a/mingw32-openssl-1.0.0-beta3-configure.patch b/mingw32-openssl-1.0.0-beta3-configure.patch deleted file mode 100644 index 8f4679e..0000000 --- a/mingw32-openssl-1.0.0-beta3-configure.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.0.0-beta3/Configure.mingw-configure openssl-1.0.0-beta3/Configure ---- openssl-1.0.0-beta3/Configure.mingw-configure 2009-08-29 21:20:14.000000000 +0300 -+++ openssl-1.0.0-beta3/Configure 2009-08-29 21:23:14.000000000 +0300 -@@ -498,7 +498,7 @@ my %table=( - "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32", - - # MinGW --"mingw", "gcc:-mno-cygwin -DL_ENDIAN -DOPENSSL_NO_CAPIENG -fomit-frame-pointer -O3 -march=i486 -Wall:::MINGW32:-lws2_32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_asm}:coff:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin:.dll.a", -+"mingw", "gcc:-DL_ENDIAN -DOPENSSL_NO_CAPIENG -Wall \$(MINGW32_CFLAGS) -DMK1MF_BUILD:::MINGW32:-lws2_32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_asm}:coff:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:\$(MINGW32_CFLAGS):.dll.a", - # As for OPENSSL_USE_APPLINK. Applink makes it possible to use .dll - # compiled with one compiler with application compiled with another - # compiler. It's possible to engage Applink support in mingw64 build, diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 79cc7af..77e2fa3 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -81,8 +81,6 @@ Patch53: openssl-1.0.0-name-hash.patch # Backported fixes including security fixes # MinGW-specific patches. -# Use MINGW32_CFLAGS (set below) in Configure script -Patch100: mingw32-openssl-1.0.0-beta3-configure.patch # Rename *eay32.dll to lib*.dll Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch # Fix engines/ install target after lib rename @@ -181,11 +179,13 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch52 -p1 -b .aesni %patch53 -p1 -b .name-hash -%patch100 -p1 -b .mingw-configure %patch101 -p1 -b .mingw-libversion %patch102 -p1 -b .mingw-sfx %patch105 -p0 -b .mingw-linker-fix +# Use _mingw32_cflags instead of hardcoded ones +sed -i -e '/^"mingw"/ s/-fomit-frame-pointer -O3 -march=i486 -Wall/%{_mingw32_cflags}/' Configure + # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -196,7 +196,6 @@ make TABLE PERL=%{__perl} %build # NB: 'no-hw' is vital. MinGW cannot build the hardware drivers # and if you don't have this you'll get an obscure link error. -export MINGW32_CFLAGS="%{_mingw32_cflags}"; \ ./Configure \ --prefix=%{_mingw32_prefix} \ --openssldir=%{_mingw32_sysconfdir}/pki/tls \ @@ -346,6 +345,7 @@ rm -rf $RPM_BUILD_ROOT * Sat Jun 19 2010 Kalev Lember - 1.0.0a-1 - Updated to openssl 1.0.0a - Synced patches with Fedora native openssl-1.0.0a-1 +- Use sed to fix up cflags instead of unmaintainable patch * Thu Nov 26 2009 Kalev Lember - 1.0.0-0.6.beta4 - Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4) From 5eeb7effd29d4d2a6d955b8c22c1e462b40c36a7 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sat, 19 Jun 2010 19:50:13 +0000 Subject: [PATCH 19/28] Rebased mingw32 specific patches --- ...tch => mingw32-openssl-1.0.0a-linker-fix.patch | 15 ++++++++------- ...-sfx.patch => mingw32-openssl-1.0.0a-sfx.patch | 8 ++++---- mingw32-openssl.spec | 7 ++++--- 3 files changed, 16 insertions(+), 14 deletions(-) rename mingw32-openssl-1.0.0-beta3-linker-fix.patch => mingw32-openssl-1.0.0a-linker-fix.patch (81%) rename mingw32-openssl-1.0.0-beta3-sfx.patch => mingw32-openssl-1.0.0a-sfx.patch (57%) diff --git a/mingw32-openssl-1.0.0-beta3-linker-fix.patch b/mingw32-openssl-1.0.0a-linker-fix.patch similarity index 81% rename from mingw32-openssl-1.0.0-beta3-linker-fix.patch rename to mingw32-openssl-1.0.0a-linker-fix.patch index eb37823..937cc40 100644 --- a/mingw32-openssl-1.0.0-beta3-linker-fix.patch +++ b/mingw32-openssl-1.0.0a-linker-fix.patch @@ -1,6 +1,7 @@ ---- util/libeay.num.orig 2009-08-29 15:41:45.207820734 +0200 -+++ util/libeay.num 2009-08-29 15:48:03.746817062 +0200 -@@ -1084,7 +1084,6 @@ +diff -up openssl-1.0.0a/util/libeay.num.mingw-linker-fix openssl-1.0.0a/util/libeay.num +--- openssl-1.0.0a/util/libeay.num.mingw-linker-fix 2010-04-13 20:08:50.000000000 +0300 ++++ openssl-1.0.0a/util/libeay.num 2010-06-19 19:03:07.000000000 +0300 +@@ -1084,7 +1084,6 @@ BIO_s_socks4a_connect PROXY_set_connect_mode 1112 NOEXIST::FUNCTION: RAND_SSLeay 1113 EXIST::FUNCTION: RAND_set_rand_method 1114 EXIST::FUNCTION: @@ -8,10 +9,10 @@ bn_sub_words 1116 EXIST::FUNCTION: bn_mul_normal 1117 NOEXIST::FUNCTION: bn_mul_comba8 1118 NOEXIST::FUNCTION: -@@ -2844,17 +2843,8 @@ +@@ -2844,17 +2843,8 @@ sk_is_sorted X509_check_ca 3286 EXIST::FUNCTION: private_idea_set_encrypt_key 3287 NOEXIST::FUNCTION: - HMAC_CTX_set_flags 3288 NOEXIST::FUNCTION: + HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC -private_SHA_Init 3289 NOEXIST::FUNCTION: -private_CAST_set_key 3290 NOEXIST::FUNCTION: -private_RIPEMD160_Init 3291 NOEXIST::FUNCTION: @@ -26,7 +27,7 @@ d2i_PROXY_CERT_INFO_EXTENSION 3300 EXIST::FUNCTION: PROXY_POLICY_it 3301 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PROXY_POLICY_it 3301 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -@@ -3318,7 +3308,6 @@ +@@ -3318,7 +3308,6 @@ X509_policy_check EVP_PKEY_get_attr_by_NID 3721 EXIST::FUNCTION: STORE_set_ex_data 3722 NOEXIST::FUNCTION: ENGINE_get_ECDSA 3723 EXIST::FUNCTION:ENGINE @@ -34,7 +35,7 @@ BN_BLINDING_get_flags 3725 EXIST::FUNCTION: PKCS12_add_cert 3726 EXIST::FUNCTION: STORE_OBJECT_new 3727 NOEXIST::FUNCTION: -@@ -3702,7 +3691,6 @@ +@@ -3702,7 +3691,6 @@ FIPS_rsa_free FIPS_dsa_sig_encode 4089 NOEXIST::FUNCTION: CRYPTO_dbg_remove_all_info 4090 NOEXIST::FUNCTION: OPENSSL_init 4091 NOEXIST::FUNCTION: diff --git a/mingw32-openssl-1.0.0-beta3-sfx.patch b/mingw32-openssl-1.0.0a-sfx.patch similarity index 57% rename from mingw32-openssl-1.0.0-beta3-sfx.patch rename to mingw32-openssl-1.0.0a-sfx.patch index 05e0a3c..c5ddd8f 100644 --- a/mingw32-openssl-1.0.0-beta3-sfx.patch +++ b/mingw32-openssl-1.0.0a-sfx.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.0.0-beta3/engines/Makefile.mingw-libversion openssl-1.0.0-beta3/engines/Makefile ---- openssl-1.0.0-beta3/engines/Makefile.mingw-libversion 2009-08-29 22:33:22.000000000 +0300 -+++ openssl-1.0.0-beta3/engines/Makefile 2009-08-29 22:34:15.000000000 +0300 -@@ -110,7 +110,10 @@ install: +diff -up openssl-1.0.0a/engines/Makefile.mingw-sfx openssl-1.0.0a/engines/Makefile +--- openssl-1.0.0a/engines/Makefile.mingw-sfx 2010-06-19 21:52:59.000000000 +0300 ++++ openssl-1.0.0a/engines/Makefile 2010-06-19 21:53:34.000000000 +0300 +@@ -111,7 +111,10 @@ install: for l in $(LIBNAMES); do \ ( echo installing $$l; \ pfx=lib; \ diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 77e2fa3..671cfe5 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -84,10 +84,10 @@ Patch53: openssl-1.0.0-name-hash.patch # Rename *eay32.dll to lib*.dll Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch # Fix engines/ install target after lib rename -Patch102: mingw32-openssl-1.0.0-beta3-sfx.patch +Patch102: mingw32-openssl-1.0.0a-sfx.patch # Ugly patch to fix a compilation error (the linker can't find # some symbols mentioned in an autogenerated .def file) -Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch +Patch103: mingw32-openssl-1.0.0a-linker-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -181,7 +181,7 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch101 -p1 -b .mingw-libversion %patch102 -p1 -b .mingw-sfx -%patch105 -p0 -b .mingw-linker-fix +%patch103 -p1 -b .mingw-linker-fix # Use _mingw32_cflags instead of hardcoded ones sed -i -e '/^"mingw"/ s/-fomit-frame-pointer -O3 -march=i486 -Wall/%{_mingw32_cflags}/' Configure @@ -346,6 +346,7 @@ rm -rf $RPM_BUILD_ROOT - Updated to openssl 1.0.0a - Synced patches with Fedora native openssl-1.0.0a-1 - Use sed to fix up cflags instead of unmaintainable patch +- Rebased mingw32 specific patches * Thu Nov 26 2009 Kalev Lember - 1.0.0-0.6.beta4 - Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4) From 637a5e79c4cae6925985b07426cd43b9686f1cd7 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sat, 19 Jun 2010 19:53:35 +0000 Subject: [PATCH 20/28] Disabled capieng to fix build --- mingw32-openssl.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 671cfe5..9711b92 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -201,6 +201,7 @@ make TABLE PERL=%{__perl} --openssldir=%{_mingw32_sysconfdir}/pki/tls \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \ + no-capieng \ no-hw --cross-compile-prefix=%{_mingw32_target}- \ --enginesdir=%{_mingw32_libdir}/openssl/engines \ shared mingw @@ -347,6 +348,7 @@ rm -rf $RPM_BUILD_ROOT - Synced patches with Fedora native openssl-1.0.0a-1 - Use sed to fix up cflags instead of unmaintainable patch - Rebased mingw32 specific patches +- Disabled capieng to fix build * Thu Nov 26 2009 Kalev Lember - 1.0.0-0.6.beta4 - Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4) From e550fc601adcffc3a0c28e1710c2c3e7e6e00a9f Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sat, 19 Jun 2010 20:08:08 +0000 Subject: [PATCH 21/28] Properly regenerate def files with mkdef.pl and drop linker-fix.patch --- mingw32-openssl-1.0.0a-linker-fix.patch | 45 ------------------------- mingw32-openssl.spec | 9 ++--- 2 files changed, 5 insertions(+), 49 deletions(-) delete mode 100644 mingw32-openssl-1.0.0a-linker-fix.patch diff --git a/mingw32-openssl-1.0.0a-linker-fix.patch b/mingw32-openssl-1.0.0a-linker-fix.patch deleted file mode 100644 index 937cc40..0000000 --- a/mingw32-openssl-1.0.0a-linker-fix.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff -up openssl-1.0.0a/util/libeay.num.mingw-linker-fix openssl-1.0.0a/util/libeay.num ---- openssl-1.0.0a/util/libeay.num.mingw-linker-fix 2010-04-13 20:08:50.000000000 +0300 -+++ openssl-1.0.0a/util/libeay.num 2010-06-19 19:03:07.000000000 +0300 -@@ -1084,7 +1084,6 @@ BIO_s_socks4a_connect - PROXY_set_connect_mode 1112 NOEXIST::FUNCTION: - RAND_SSLeay 1113 EXIST::FUNCTION: - RAND_set_rand_method 1114 EXIST::FUNCTION: --RSA_memory_lock 1115 EXIST::FUNCTION:RSA - bn_sub_words 1116 EXIST::FUNCTION: - bn_mul_normal 1117 NOEXIST::FUNCTION: - bn_mul_comba8 1118 NOEXIST::FUNCTION: -@@ -2844,17 +2843,8 @@ sk_is_sorted - X509_check_ca 3286 EXIST::FUNCTION: - private_idea_set_encrypt_key 3287 NOEXIST::FUNCTION: - HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC --private_SHA_Init 3289 NOEXIST::FUNCTION: --private_CAST_set_key 3290 NOEXIST::FUNCTION: --private_RIPEMD160_Init 3291 NOEXIST::FUNCTION: - private_RC5_32_set_key 3292 NOEXIST::FUNCTION: --private_MD5_Init 3293 NOEXIST::FUNCTION: --private_RC4_set_key 3294 NOEXIST::FUNCTION: - private_MDC2_Init 3295 NOEXIST::FUNCTION: --private_RC2_set_key 3296 NOEXIST::FUNCTION: --private_MD4_Init 3297 NOEXIST::FUNCTION: --private_BF_set_key 3298 NOEXIST::FUNCTION: --private_MD2_Init 3299 NOEXIST::FUNCTION: - d2i_PROXY_CERT_INFO_EXTENSION 3300 EXIST::FUNCTION: - PROXY_POLICY_it 3301 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: - PROXY_POLICY_it 3301 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -@@ -3318,7 +3308,6 @@ X509_policy_check - EVP_PKEY_get_attr_by_NID 3721 EXIST::FUNCTION: - STORE_set_ex_data 3722 NOEXIST::FUNCTION: - ENGINE_get_ECDSA 3723 EXIST::FUNCTION:ENGINE --EVP_ecdsa 3724 EXIST::FUNCTION:SHA - BN_BLINDING_get_flags 3725 EXIST::FUNCTION: - PKCS12_add_cert 3726 EXIST::FUNCTION: - STORE_OBJECT_new 3727 NOEXIST::FUNCTION: -@@ -3702,7 +3691,6 @@ FIPS_rsa_free - FIPS_dsa_sig_encode 4089 NOEXIST::FUNCTION: - CRYPTO_dbg_remove_all_info 4090 NOEXIST::FUNCTION: - OPENSSL_init 4091 NOEXIST::FUNCTION: --private_Camellia_set_key 4092 NOEXIST::FUNCTION: - CRYPTO_strdup 4093 EXIST::FUNCTION: - JPAKE_STEP3A_process 4094 EXIST::FUNCTION:JPAKE - JPAKE_STEP1_release 4095 EXIST::FUNCTION:JPAKE diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 9711b92..139f6bf 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -85,9 +85,6 @@ Patch53: openssl-1.0.0-name-hash.patch Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch # Fix engines/ install target after lib rename Patch102: mingw32-openssl-1.0.0a-sfx.patch -# Ugly patch to fix a compilation error (the linker can't find -# some symbols mentioned in an autogenerated .def file) -Patch103: mingw32-openssl-1.0.0a-linker-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -181,7 +178,6 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch101 -p1 -b .mingw-libversion %patch102 -p1 -b .mingw-sfx -%patch103 -p1 -b .mingw-linker-fix # Use _mingw32_cflags instead of hardcoded ones sed -i -e '/^"mingw"/ s/-fomit-frame-pointer -O3 -march=i486 -Wall/%{_mingw32_cflags}/' Configure @@ -207,6 +203,10 @@ make TABLE PERL=%{__perl} shared mingw # --with-krb5-flavor=MIT # -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib} + +# Regenerate def files as we disabled some algorithms above +perl util/mkdef.pl crypto ssl update + make depend make all build-shared @@ -349,6 +349,7 @@ rm -rf $RPM_BUILD_ROOT - Use sed to fix up cflags instead of unmaintainable patch - Rebased mingw32 specific patches - Disabled capieng to fix build +- Properly regenerate def files with mkdef.pl and drop linker-fix.patch * Thu Nov 26 2009 Kalev Lember - 1.0.0-0.6.beta4 - Merged patches from native Fedora openssl (up to 1.0.0-0.16.beta4) From 9b7f6325d5fd780021c086743455db212f8df649 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 29 Jul 2010 03:22:01 +0000 Subject: [PATCH 22/28] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- import.log | 1 - 3 files changed, 22 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile delete mode 100644 import.log diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 129151e..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for source rpm: mingw32-openssl -# $Id: Makefile,v 1.1 2009/02/08 21:52:20 kevin Exp $ -NAME := mingw32-openssl -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attept a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) diff --git a/import.log b/import.log deleted file mode 100644 index b837e05..0000000 --- a/import.log +++ /dev/null @@ -1 +0,0 @@ -mingw32-openssl-0_9_8j-2_fc11:HEAD:mingw32-openssl-0.9.8j-2.fc11.src.rpm:1234171576 From 12211a16f77ad80c918d7a390e9cf3cf842e80bb Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Tue, 8 Feb 2011 12:59:02 -0600 Subject: [PATCH 23/28] - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild --- mingw32-openssl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 139f6bf..5119453 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -29,7 +29,7 @@ Name: mingw32-openssl Version: 1.0.0a -Release: 1%{?dist} +Release: 2%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -343,6 +343,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Tue Feb 08 2011 Fedora Release Engineering - 1.0.0a-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + * Sat Jun 19 2010 Kalev Lember - 1.0.0a-1 - Updated to openssl 1.0.0a - Synced patches with Fedora native openssl-1.0.0a-1 From 69fef3cef18ad1efde16f488b6bd76df7481851e Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 3 Mar 2011 14:45:50 +0000 Subject: [PATCH 24/28] Bump and rebuild. --- mingw32-openssl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 5119453..6ec0cb2 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -29,7 +29,7 @@ Name: mingw32-openssl Version: 1.0.0a -Release: 2%{?dist} +Release: 3%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -343,6 +343,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Mar 3 2011 Kai Tietz - 1.0.0a-3 +- Bump and rebuild. + * Tue Feb 08 2011 Fedora Release Engineering - 1.0.0a-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild From f9c5c21b08ad12888bc636791b9737435b742991 Mon Sep 17 00:00:00 2001 From: Kai Tietz Date: Fri, 4 Mar 2011 11:03:42 +0100 Subject: [PATCH 25/28] CVE-2011-0014 openssl: OCSP stapling vulnerability fix for https://bugzilla.redhat.com/show_bug.cgi?id=676070 --- mingw32-openssl.spec | 5 +++++ openssl-1.0.0a-sslt1lib.patch | 28 ++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 openssl-1.0.0a-sslt1lib.patch diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 6ec0cb2..91b336b 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -59,6 +59,7 @@ Patch7: openssl-1.0.0-timezone.patch # Bug fixes Patch23: openssl-1.0.0-beta4-default-paths.patch Patch24: openssl-0.9.8j-bad-mime.patch +Patch25: openssl-1.0.0a-sslt1lib.patch # Functionality changes Patch32: openssl-0.9.8g-ia64.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch @@ -157,6 +158,7 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch23 -p1 -b .default-paths %patch24 -p1 -b .bad-mime +%patch25 -p1 -b .sslt1lib %patch32 -p1 -b .ia64 #patch33 is applied after make test @@ -343,6 +345,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Mar 04 2011 Kai Tietz +- Fixes for CVE-2011-0014 openssl: OCSP stapling vulnerability + * Thu Mar 3 2011 Kai Tietz - 1.0.0a-3 - Bump and rebuild. diff --git a/openssl-1.0.0a-sslt1lib.patch b/openssl-1.0.0a-sslt1lib.patch new file mode 100644 index 0000000..2e7d2ff --- /dev/null +++ b/openssl-1.0.0a-sslt1lib.patch @@ -0,0 +1,28 @@ +--- openssl-1.0.0a/ssl/t1_lib.c 25 Nov 2010 12:28:28 -0000 1.64.2.17 ++++ openssl-1.0.0a/ssl/t1_lib.c 8 Feb 2011 00:00:00 -0000 +@@ -917,6 +917,7 @@ + } + n2s(data, idsize); + dsize -= 2 + idsize; ++ size -= 2 + idsize; + if (dsize < 0) + { + *al = SSL_AD_DECODE_ERROR; +@@ -955,9 +956,14 @@ + } + + /* Read in request_extensions */ ++ if (size < 2) ++ { ++ *al = SSL_AD_DECODE_ERROR; ++ return 0; ++ } + n2s(data,dsize); + size -= 2; +- if (dsize > size) ++ if (dsize != size) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + + From ca8adb3bca50e4440fe70fdbd945009e6229ff88 Mon Sep 17 00:00:00 2001 From: Kalev Lember Date: Sat, 23 Apr 2011 13:30:28 +0300 Subject: [PATCH 26/28] Update to 1.0.0d Synced patches with Fedora native openssl-1.0.0d-2. --- .gitignore | 1 + hobble-openssl | 6 +- ....patch => mingw32-openssl-1.0.0d-sfx.patch | 8 +- mingw32-openssl.spec | 38 +- openssl-1.0.0-beta5-cipher-change.patch | 2 +- openssl-1.0.0a-manfix.patch | 21 + openssl-1.0.0a-sslt1lib.patch | 28 -- openssl-1.0.0a-version.patch | 13 - ...-aesni.patch => openssl-1.0.0b-aesni.patch | 78 ++-- ...ps.patch => openssl-1.0.0b-ipv6-apps.patch | 39 +- openssl-1.0.0c-apps-ipv6listen.patch | 57 +++ openssl-1.0.0c-fips-md5-allow.patch | 20 + openssl-1.0.0c-fips186-3.patch | 384 ++++++++++++++++++ openssl-1.0.0c-pkcs12-fips-default.patch | 25 ++ openssl-1.0.0c-rsa-x931.patch | 36 ++ openssl-1.0.0c-speed-fips.patch | 94 +++++ openssl-1.0.0d-apps-dgst.patch | 110 +++++ openssl-1.0.0d-version.patch | 22 + sources | 2 +- 19 files changed, 864 insertions(+), 120 deletions(-) rename mingw32-openssl-1.0.0a-sfx.patch => mingw32-openssl-1.0.0d-sfx.patch (57%) create mode 100644 openssl-1.0.0a-manfix.patch delete mode 100644 openssl-1.0.0a-sslt1lib.patch delete mode 100644 openssl-1.0.0a-version.patch rename openssl-1.0.0-beta4-aesni.patch => openssl-1.0.0b-aesni.patch (95%) rename openssl-1.0.0-beta5-ipv6-apps.patch => openssl-1.0.0b-ipv6-apps.patch (91%) create mode 100644 openssl-1.0.0c-apps-ipv6listen.patch create mode 100644 openssl-1.0.0c-fips-md5-allow.patch create mode 100644 openssl-1.0.0c-fips186-3.patch create mode 100644 openssl-1.0.0c-pkcs12-fips-default.patch create mode 100644 openssl-1.0.0c-rsa-x931.patch create mode 100644 openssl-1.0.0c-speed-fips.patch create mode 100644 openssl-1.0.0d-apps-dgst.patch create mode 100644 openssl-1.0.0d-version.patch diff --git a/.gitignore b/.gitignore index f4623d7..f82a3fa 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ openssl-1.0.0a-usa.tar.bz2 +/openssl-1.0.0d-usa.tar.bz2 diff --git a/hobble-openssl b/hobble-openssl index 24b05f9..a8be844 100755 --- a/hobble-openssl +++ b/hobble-openssl @@ -5,9 +5,9 @@ set -e # Clean out patent-or-otherwise-encumbered code. # MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway -# IDEA: 5,214,703 25/05/2010 -# RC5: 5,724,428 03/03/2015 -# EC: ????????? ??/??/2015 +# IDEA: 5,214,703 07/01/2012 +# RC5: 5,724,428 01/11/2015 +# EC: ????????? ??/??/2020 # Remove assembler portions of IDEA, MDC2, and RC5. (find crypto/{idea,rc5}/asm -type f | xargs -r rm -fv) diff --git a/mingw32-openssl-1.0.0a-sfx.patch b/mingw32-openssl-1.0.0d-sfx.patch similarity index 57% rename from mingw32-openssl-1.0.0a-sfx.patch rename to mingw32-openssl-1.0.0d-sfx.patch index c5ddd8f..bd877b3 100644 --- a/mingw32-openssl-1.0.0a-sfx.patch +++ b/mingw32-openssl-1.0.0d-sfx.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0a/engines/Makefile.mingw-sfx openssl-1.0.0a/engines/Makefile ---- openssl-1.0.0a/engines/Makefile.mingw-sfx 2010-06-19 21:52:59.000000000 +0300 -+++ openssl-1.0.0a/engines/Makefile 2010-06-19 21:53:34.000000000 +0300 +diff -up openssl-1.0.0d/engines/Makefile.mingw-sfx openssl-1.0.0d/engines/Makefile +--- openssl-1.0.0d/engines/Makefile.mingw-sfx 2011-04-23 13:04:15.452843560 +0300 ++++ openssl-1.0.0d/engines/Makefile 2011-04-23 13:04:15.689846190 +0300 @@ -111,7 +111,10 @@ install: for l in $(LIBNAMES); do \ ( echo installing $$l; \ @@ -12,4 +12,4 @@ diff -up openssl-1.0.0a/engines/Makefile.mingw-sfx openssl-1.0.0a/engines/Makefi + elif [ "$(PLATFORM)" != "Cygwin" ]; then \ case "$(CFLAGS)" in \ *DSO_BEOS*) sfx=".so";; \ - *DSO_DLFCN*) sfx=".so";; \ + *DSO_DLFCN*) sfx=`expr "$(SHLIB_EXT)" : '.*\(\.[a-z][a-z]*\)' \| ".so"`;; \ diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 91b336b..48000bd 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -28,8 +28,8 @@ %global thread_test_threads %{?threads:%{threads}}%{!?threads:1} Name: mingw32-openssl -Version: 1.0.0a -Release: 3%{?dist} +Version: 1.0.0d +Release: 1%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -59,7 +59,7 @@ Patch7: openssl-1.0.0-timezone.patch # Bug fixes Patch23: openssl-1.0.0-beta4-default-paths.patch Patch24: openssl-0.9.8j-bad-mime.patch -Patch25: openssl-1.0.0a-sslt1lib.patch +Patch25: openssl-1.0.0a-manfix.patch # Functionality changes Patch32: openssl-0.9.8g-ia64.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch @@ -67,7 +67,7 @@ Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch Patch38: openssl-1.0.0-beta5-cipher-change.patch # Disabled this because it uses getaddrinfo which is lacking on Windows. -#Patch39: openssl-1.0.0-beta5-ipv6-apps.patch +#Patch39: openssl-1.0.0b-ipv6-apps.patch Patch40: openssl-1.0.0a-fips.patch Patch41: openssl-1.0.0-beta3-fipscheck.patch Patch43: openssl-1.0.0a-fipsmode.patch @@ -76,16 +76,23 @@ Patch45: openssl-0.9.8j-env-nozlib.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch49: openssl-1.0.0-beta4-algo-doc.patch Patch50: openssl-1.0.0-beta4-dtls1-abi.patch -Patch51: openssl-1.0.0a-version.patch -Patch52: openssl-1.0.0-beta4-aesni.patch +Patch51: openssl-1.0.0d-version.patch +Patch52: openssl-1.0.0b-aesni.patch Patch53: openssl-1.0.0-name-hash.patch +Patch54: openssl-1.0.0c-speed-fips.patch +#Patch55: openssl-1.0.0c-apps-ipv6listen.patch +Patch56: openssl-1.0.0c-rsa-x931.patch +Patch57: openssl-1.0.0c-fips186-3.patch +Patch58: openssl-1.0.0c-fips-md5-allow.patch +Patch59: openssl-1.0.0c-pkcs12-fips-default.patch +Patch60: openssl-1.0.0d-apps-dgst.patch # Backported fixes including security fixes # MinGW-specific patches. # Rename *eay32.dll to lib*.dll Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch # Fix engines/ install target after lib rename -Patch102: mingw32-openssl-1.0.0a-sfx.patch +Patch102: mingw32-openssl-1.0.0d-sfx.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -141,7 +148,7 @@ Requires: %{name} = %{version}-%{release} Static version of the MinGW port of the OpenSSL toolkit. -%{_mingw32_debug_package} +%{?_mingw32_debug_package} %prep @@ -158,14 +165,14 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch23 -p1 -b .default-paths %patch24 -p1 -b .bad-mime -%patch25 -p1 -b .sslt1lib +%patch25 -p1 -b .manfix %patch32 -p1 -b .ia64 #patch33 is applied after make test %patch34 -p1 -b .x509 %patch35 -p1 -b .version-add-engines %patch38 -p1 -b .cipher-change -#%patch39 -p1 -b .ipv6-apps +#patch39 -p1 -b .ipv6-apps %patch40 -p1 -b .fips %patch41 -p1 -b .fipscheck %patch43 -p1 -b .fipsmode @@ -177,6 +184,13 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch51 -p1 -b .version %patch52 -p1 -b .aesni %patch53 -p1 -b .name-hash +%patch54 -p1 -b .spfips +#patch55 -p1 -b .ipv6listen +%patch56 -p1 -b .x931 +%patch57 -p1 -b .fips186-3 +%patch58 -p1 -b .md5-allow +%patch59 -p1 -b .fips-default +%patch60 -p1 -b .dgst %patch101 -p1 -b .mingw-libversion %patch102 -p1 -b .mingw-sfx @@ -345,6 +359,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sat Apr 23 2011 Kalev Lember - 1.0.0d-1 +- Update to 1.0.0d +- Synced patches with Fedora native openssl-1.0.0d-2 + * Fri Mar 04 2011 Kai Tietz - Fixes for CVE-2011-0014 openssl: OCSP stapling vulnerability diff --git a/openssl-1.0.0-beta5-cipher-change.patch b/openssl-1.0.0-beta5-cipher-change.patch index 2e8343b..f3f00cd 100644 --- a/openssl-1.0.0-beta5-cipher-change.patch +++ b/openssl-1.0.0-beta5-cipher-change.patch @@ -6,7 +6,7 @@ diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl /* Allow initial connection to servers that don't support RI */ #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L -#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L -+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ ++#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* no effect since 1.0.0c due to CVE-2010-4180 */ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ diff --git a/openssl-1.0.0a-manfix.patch b/openssl-1.0.0a-manfix.patch new file mode 100644 index 0000000..0d3dc04 --- /dev/null +++ b/openssl-1.0.0a-manfix.patch @@ -0,0 +1,21 @@ +diff -up openssl-1.0.0a/doc/apps/openssl.pod.manfix openssl-1.0.0a/doc/apps/openssl.pod +--- openssl-1.0.0a/doc/apps/openssl.pod.manfix 2010-01-21 19:46:28.000000000 +0100 ++++ openssl-1.0.0a/doc/apps/openssl.pod 2010-06-30 14:24:50.000000000 +0200 +@@ -287,8 +287,6 @@ SHA Digest + + SHA-1 Digest + +-=back +- + =item B + + SHA-224 Digest +@@ -305,6 +303,8 @@ SHA-384 Digest + + SHA-512 Digest + ++=back ++ + =head2 ENCODING AND CIPHER COMMANDS + + =over 10 diff --git a/openssl-1.0.0a-sslt1lib.patch b/openssl-1.0.0a-sslt1lib.patch deleted file mode 100644 index 2e7d2ff..0000000 --- a/openssl-1.0.0a-sslt1lib.patch +++ /dev/null @@ -1,28 +0,0 @@ ---- openssl-1.0.0a/ssl/t1_lib.c 25 Nov 2010 12:28:28 -0000 1.64.2.17 -+++ openssl-1.0.0a/ssl/t1_lib.c 8 Feb 2011 00:00:00 -0000 -@@ -917,6 +917,7 @@ - } - n2s(data, idsize); - dsize -= 2 + idsize; -+ size -= 2 + idsize; - if (dsize < 0) - { - *al = SSL_AD_DECODE_ERROR; -@@ -955,9 +956,14 @@ - } - - /* Read in request_extensions */ -+ if (size < 2) -+ { -+ *al = SSL_AD_DECODE_ERROR; -+ return 0; -+ } - n2s(data,dsize); - size -= 2; -- if (dsize > size) -+ if (dsize != size) - { - *al = SSL_AD_DECODE_ERROR; - return 0; - - diff --git a/openssl-1.0.0a-version.patch b/openssl-1.0.0a-version.patch deleted file mode 100644 index 75a0233..0000000 --- a/openssl-1.0.0a-version.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up openssl-1.0.0a/crypto/opensslv.h.version openssl-1.0.0a/crypto/opensslv.h ---- openssl-1.0.0a/crypto/opensslv.h.version 2010-06-04 13:28:52.000000000 +0200 -+++ openssl-1.0.0a/crypto/opensslv.h 2010-06-04 13:29:42.000000000 +0200 -@@ -25,7 +25,8 @@ - * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for - * major minor fix final patch/beta) - */ --#define OPENSSL_VERSION_NUMBER 0x1000001fL -+/* we have to keep the version number to not break the abi */ -+#define OPENSSL_VERSION_NUMBER 0x10000003L - #ifdef OPENSSL_FIPS - #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0a-fips 1 Jun 2010" - #else diff --git a/openssl-1.0.0-beta4-aesni.patch b/openssl-1.0.0b-aesni.patch similarity index 95% rename from openssl-1.0.0-beta4-aesni.patch rename to openssl-1.0.0b-aesni.patch index f57918b..1dda6bf 100644 --- a/openssl-1.0.0-beta4-aesni.patch +++ b/openssl-1.0.0b-aesni.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0-beta4/Configure.aesni openssl-1.0.0-beta4/Configure ---- openssl-1.0.0-beta4/Configure.aesni 2010-01-07 23:38:31.000000000 +0100 -+++ openssl-1.0.0-beta4/Configure 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure +--- openssl-1.0.0b/Configure.aesni 2010-11-16 17:33:22.000000000 +0100 ++++ openssl-1.0.0b/Configure 2010-11-16 17:35:15.000000000 +0100 @@ -123,11 +123,11 @@ my $tlib="-lnsl -lsocket"; my $bits1="THIRTY_TWO_BIT "; my $bits2="SIXTY_FOUR_BIT "; @@ -21,10 +21,10 @@ diff -up openssl-1.0.0-beta4/Configure.aesni openssl-1.0.0-beta4/Configure "VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32", -"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32", +"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o aesni-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32", + "debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32", + "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32", # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement - # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE' - "VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32", -@@ -1410,6 +1410,7 @@ if ($rmd160_obj =~ /\.o$/) +@@ -1419,6 +1419,7 @@ if ($rmd160_obj =~ /\.o$/) if ($aes_obj =~ /\.o$/) { $cflags.=" -DAES_ASM"; @@ -32,9 +32,9 @@ diff -up openssl-1.0.0-beta4/Configure.aesni openssl-1.0.0-beta4/Configure } else { $aes_obj=$aes_enc; -diff -up openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl ---- openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl.aesni 2010-01-12 22:18:06.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl +--- openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni 2010-11-16 17:33:23.000000000 +0100 ++++ openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl 2010-11-16 17:33:23.000000000 +0100 @@ -0,0 +1,765 @@ +#!/usr/bin/env perl + @@ -801,9 +801,9 @@ diff -up openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0-bet +&asciz("AES for Intel AES-NI, CRYPTOGAMS by "); + +&asm_finish(); -diff -up openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl ---- openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl.aesni 2010-01-12 22:18:06.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl +--- openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni 2010-11-16 17:33:23.000000000 +0100 ++++ openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl 2010-11-16 17:33:23.000000000 +0100 @@ -0,0 +1,991 @@ +#!/usr/bin/env perl +# @@ -1796,9 +1796,9 @@ diff -up openssl-1.0.0-beta4/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0- +print $code; + +close STDOUT; -diff -up openssl-1.0.0-beta4/crypto/aes/Makefile.aesni openssl-1.0.0-beta4/crypto/aes/Makefile ---- openssl-1.0.0-beta4/crypto/aes/Makefile.aesni 2008-12-23 12:33:00.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/aes/Makefile 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/crypto/aes/Makefile.aesni openssl-1.0.0b/crypto/aes/Makefile +--- openssl-1.0.0b/crypto/aes/Makefile.aesni 2008-12-23 12:33:00.000000000 +0100 ++++ openssl-1.0.0b/crypto/aes/Makefile 2010-11-16 17:33:23.000000000 +0100 @@ -50,9 +50,13 @@ aes-ia64.s: asm/aes-ia64.S aes-586.s: asm/aes-586.pl ../perlasm/x86asm.pl @@ -1813,9 +1813,9 @@ diff -up openssl-1.0.0-beta4/crypto/aes/Makefile.aesni openssl-1.0.0-beta4/crypt aes-sparcv9.s: asm/aes-sparcv9.pl $(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@ -diff -up openssl-1.0.0-beta4/crypto/engine/eng_aesni.c.aesni openssl-1.0.0-beta4/crypto/engine/eng_aesni.c ---- openssl-1.0.0-beta4/crypto/engine/eng_aesni.c.aesni 2010-01-12 22:18:06.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/engine/eng_aesni.c 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/engine/eng_aesni.c +--- openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni 2010-11-16 17:33:23.000000000 +0100 ++++ openssl-1.0.0b/crypto/engine/eng_aesni.c 2010-11-16 17:33:23.000000000 +0100 @@ -0,0 +1,413 @@ +/* + * Support for Intel AES-NI intruction set @@ -2230,9 +2230,9 @@ diff -up openssl-1.0.0-beta4/crypto/engine/eng_aesni.c.aesni openssl-1.0.0-beta4 + +#endif /* COMPILE_HW_AESNI */ +#endif /* !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) && !defined(OPENSSL_NO_AES) */ -diff -up openssl-1.0.0-beta4/crypto/engine/eng_all.c.aesni openssl-1.0.0-beta4/crypto/engine/eng_all.c ---- openssl-1.0.0-beta4/crypto/engine/eng_all.c.aesni 2010-01-07 23:38:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/engine/eng_all.c 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/crypto/engine/eng_all.c.aesni openssl-1.0.0b/crypto/engine/eng_all.c +--- openssl-1.0.0b/crypto/engine/eng_all.c.aesni 2010-11-16 17:33:22.000000000 +0100 ++++ openssl-1.0.0b/crypto/engine/eng_all.c 2010-11-16 17:33:23.000000000 +0100 @@ -85,6 +85,9 @@ void ENGINE_load_builtin_engines(void) #if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)) ENGINE_load_cryptodev(); @@ -2243,10 +2243,10 @@ diff -up openssl-1.0.0-beta4/crypto/engine/eng_all.c.aesni openssl-1.0.0-beta4/c ENGINE_load_dynamic(); #ifndef OPENSSL_NO_STATIC_ENGINE #ifndef OPENSSL_NO_HW -diff -up openssl-1.0.0-beta4/crypto/engine/engine.h.aesni openssl-1.0.0-beta4/crypto/engine/engine.h ---- openssl-1.0.0-beta4/crypto/engine/engine.h.aesni 2010-01-07 23:38:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/engine/engine.h 2010-01-12 22:18:06.000000000 +0100 -@@ -342,6 +342,7 @@ void ENGINE_load_gost(void); +diff -up openssl-1.0.0b/crypto/engine/engine.h.aesni openssl-1.0.0b/crypto/engine/engine.h +--- openssl-1.0.0b/crypto/engine/engine.h.aesni 2010-11-16 17:33:22.000000000 +0100 ++++ openssl-1.0.0b/crypto/engine/engine.h 2010-11-16 17:33:23.000000000 +0100 +@@ -338,6 +338,7 @@ void ENGINE_load_gost(void); #endif #endif void ENGINE_load_cryptodev(void); @@ -2254,9 +2254,9 @@ diff -up openssl-1.0.0-beta4/crypto/engine/engine.h.aesni openssl-1.0.0-beta4/cr void ENGINE_load_builtin_engines(void); /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation -diff -up openssl-1.0.0-beta4/crypto/engine/Makefile.aesni openssl-1.0.0-beta4/crypto/engine/Makefile ---- openssl-1.0.0-beta4/crypto/engine/Makefile.aesni 2008-06-04 13:01:29.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/engine/Makefile 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/crypto/engine/Makefile.aesni openssl-1.0.0b/crypto/engine/Makefile +--- openssl-1.0.0b/crypto/engine/Makefile.aesni 2010-11-15 15:44:49.000000000 +0100 ++++ openssl-1.0.0b/crypto/engine/Makefile 2010-11-16 17:33:23.000000000 +0100 @@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e eng_table.c eng_pkey.c eng_fat.c eng_all.c \ tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \ @@ -2274,9 +2274,9 @@ diff -up openssl-1.0.0-beta4/crypto/engine/Makefile.aesni openssl-1.0.0-beta4/cr SRC= $(LIBSRC) -diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.aesni openssl-1.0.0-beta4/crypto/evp/evp_err.c ---- openssl-1.0.0-beta4/crypto/evp/evp_err.c.aesni 2010-01-07 23:38:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/crypto/evp/evp_err.c.aesni openssl-1.0.0b/crypto/evp/evp_err.c +--- openssl-1.0.0b/crypto/evp/evp_err.c.aesni 2010-11-16 17:33:22.000000000 +0100 ++++ openssl-1.0.0b/crypto/evp/evp_err.c 2010-11-16 17:33:23.000000000 +0100 @@ -1,6 +1,6 @@ /* crypto/evp/evp_err.c */ /* ==================================================================== @@ -2293,7 +2293,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.aesni openssl-1.0.0-beta4/cryp {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"}, {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"}, {ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"}, -@@ -85,7 +86,7 @@ static ERR_STRING_DATA EVP_str_functs[]= +@@ -86,7 +87,7 @@ static ERR_STRING_DATA EVP_str_functs[]= {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, @@ -2302,10 +2302,10 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.aesni openssl-1.0.0-beta4/cryp {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"}, {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"}, -diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.aesni openssl-1.0.0-beta4/crypto/evp/evp.h ---- openssl-1.0.0-beta4/crypto/evp/evp.h.aesni 2010-01-07 23:38:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp.h 2010-01-12 22:18:06.000000000 +0100 -@@ -1162,6 +1162,7 @@ void ERR_load_EVP_strings(void); +diff -up openssl-1.0.0b/crypto/evp/evp.h.aesni openssl-1.0.0b/crypto/evp/evp.h +--- openssl-1.0.0b/crypto/evp/evp.h.aesni 2010-11-16 17:33:22.000000000 +0100 ++++ openssl-1.0.0b/crypto/evp/evp.h 2010-11-16 17:33:23.000000000 +0100 +@@ -1167,6 +1167,7 @@ void ERR_load_EVP_strings(void); /* Error codes for the EVP functions. */ /* Function codes. */ @@ -2313,9 +2313,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.aesni openssl-1.0.0-beta4/crypto/e #define EVP_F_AES_INIT_KEY 133 #define EVP_F_CAMELLIA_INIT_KEY 159 #define EVP_F_D2I_PKEY 100 -diff -up openssl-1.0.0-beta4/test/test_aesni.aesni openssl-1.0.0-beta4/test/test_aesni ---- openssl-1.0.0-beta4/test/test_aesni.aesni 2010-01-12 22:18:06.000000000 +0100 -+++ openssl-1.0.0-beta4/test/test_aesni 2010-01-12 22:18:06.000000000 +0100 +diff -up openssl-1.0.0b/test/test_aesni.aesni openssl-1.0.0b/test/test_aesni +--- openssl-1.0.0b/test/test_aesni.aesni 2010-11-16 17:33:23.000000000 +0100 ++++ openssl-1.0.0b/test/test_aesni 2010-11-16 17:33:23.000000000 +0100 @@ -0,0 +1,69 @@ +#!/bin/sh + diff --git a/openssl-1.0.0-beta5-ipv6-apps.patch b/openssl-1.0.0b-ipv6-apps.patch similarity index 91% rename from openssl-1.0.0-beta5-ipv6-apps.patch rename to openssl-1.0.0b-ipv6-apps.patch index 4304c01..b85a5d8 100644 --- a/openssl-1.0.0-beta5-ipv6-apps.patch +++ b/openssl-1.0.0b-ipv6-apps.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta5/apps/s_apps.h ---- openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps 2010-02-03 09:43:49.000000000 +0100 -+++ openssl-1.0.0-beta5/apps/s_apps.h 2010-02-03 09:43:49.000000000 +0100 +diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h +--- openssl-1.0.0b/apps/s_apps.h.ipv6-apps 2010-11-16 17:19:29.000000000 +0100 ++++ openssl-1.0.0b/apps/s_apps.h 2010-11-16 17:19:29.000000000 +0100 @@ -148,7 +148,7 @@ typedef fd_mask fd_set; #define PORT_STR "4433" #define PROTOCOL "tcp" @@ -23,9 +23,9 @@ diff -up openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta5/apps/s_ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); -diff -up openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps openssl-1.0.0-beta5/apps/s_client.c ---- openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100 -+++ openssl-1.0.0-beta5/apps/s_client.c 2010-02-03 09:43:49.000000000 +0100 +diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c +--- openssl-1.0.0b/apps/s_client.c.ipv6-apps 2010-11-16 17:19:29.000000000 +0100 ++++ openssl-1.0.0b/apps/s_client.c 2010-11-16 17:19:29.000000000 +0100 @@ -389,7 +389,7 @@ int MAIN(int argc, char **argv) int cbuf_len,cbuf_off; int sbuf_len,sbuf_off; @@ -60,9 +60,9 @@ diff -up openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps openssl-1.0.0-beta5/apps/ { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); -diff -up openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps openssl-1.0.0-beta5/apps/s_server.c ---- openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100 -+++ openssl-1.0.0-beta5/apps/s_server.c 2010-02-03 09:43:49.000000000 +0100 +diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c +--- openssl-1.0.0b/apps/s_server.c.ipv6-apps 2010-11-16 17:19:29.000000000 +0100 ++++ openssl-1.0.0b/apps/s_server.c 2010-11-16 17:19:29.000000000 +0100 @@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[]) { X509_VERIFY_PARAM *vpm = NULL; @@ -94,9 +94,9 @@ diff -up openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps openssl-1.0.0-beta5/apps/ print_stats(bio_s_out,ctx); ret=0; end: -diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/s_socket.c ---- openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps 2009-08-26 13:21:50.000000000 +0200 -+++ openssl-1.0.0-beta5/apps/s_socket.c 2010-02-03 10:00:30.000000000 +0100 +diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c +--- openssl-1.0.0b/apps/s_socket.c.ipv6-apps 2010-07-05 13:03:22.000000000 +0200 ++++ openssl-1.0.0b/apps/s_socket.c 2010-11-16 17:27:18.000000000 +0100 @@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha static void ssl_sock_cleanup(void); #endif @@ -226,7 +226,7 @@ diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/ { - int ret=0; - struct sockaddr_in server; -- int s= -1,i; +- int s= -1; + struct addrinfo *res, *res0, hints; + char * failed_call = NULL; + char port_name[8]; @@ -277,7 +277,7 @@ diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/ #if defined SOL_SOCKET && defined SO_REUSEADDR { int j = 1; -@@ -357,36 +372,39 @@ static int init_server_long(int *sock, i +@@ -357,35 +372,39 @@ static int init_server_long(int *sock, i (void *) &j, sizeof j); } #endif @@ -294,7 +294,6 @@ diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/ } - /* Make it 128 for linux */ - if (type==SOCK_STREAM && listen(s,128) == -1) goto err; -- i=0; - *sock=s; - ret=1; -err: @@ -328,16 +327,15 @@ diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/ static int do_accept(int acc_sock, int *sock, char **host) { -- int ret,i; -- struct hostent *h1,*h2; -- static struct sockaddr_in from; + static struct sockaddr_storage from; + char buffer[NI_MAXHOST]; -+ int ret; + int ret; +- struct hostent *h1,*h2; +- static struct sockaddr_in from; int len; /* struct linger ling; */ -@@ -432,136 +450,58 @@ redoit: +@@ -432,135 +451,58 @@ redoit: */ if (host == NULL) goto end; @@ -376,7 +374,6 @@ diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/ - BIO_printf(bio_err,"gethostbyname failure\n"); - return(0); - } -- i=0; - if (h2->h_addrtype != AF_INET) - { - BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); diff --git a/openssl-1.0.0c-apps-ipv6listen.patch b/openssl-1.0.0c-apps-ipv6listen.patch new file mode 100644 index 0000000..7c3d4a0 --- /dev/null +++ b/openssl-1.0.0c-apps-ipv6listen.patch @@ -0,0 +1,57 @@ +diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c +--- openssl-1.0.0c/apps/s_socket.c.ipv6listen 2011-01-24 16:44:18.000000000 +0100 ++++ openssl-1.0.0c/apps/s_socket.c 2011-01-24 16:56:25.000000000 +0100 +@@ -335,15 +335,16 @@ int do_server(char *port, int type, int + + static int init_server(int *sock, char *port, int type) + { +- struct addrinfo *res, *res0, hints; ++ struct addrinfo *res, *res0 = NULL, hints; + char * failed_call = NULL; +- char port_name[8]; + int s; + int e; + + if (!ssl_sock_init()) return(0); + + memset(&hints, '\0', sizeof(hints)); ++ hints.ai_family = AF_INET6; ++tryipv4: + hints.ai_socktype = type; + hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; + +@@ -365,6 +366,12 @@ static int init_server(int *sock, char * + failed_call = "socket"; + goto nextres; + } ++ if (hints.ai_family == AF_INET6) ++ { ++ int j = 0; ++ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, ++ (void *) &j, sizeof j); ++ } + #if defined SOL_SOCKET && defined SO_REUSEADDR + { + int j = 1; +@@ -392,9 +399,19 @@ nextres: + close(s); + res = res->ai_next; + } +- freeaddrinfo(res0); ++ if (res0) ++ freeaddrinfo(res0); + +- if (s == INVALID_SOCKET) { perror("socket"); return(0); } ++ if (s == INVALID_SOCKET) ++ { ++ if (hints.ai_family == AF_INET6) ++ { ++ hints.ai_family = AF_INET; ++ goto tryipv4; ++ } ++ perror("socket"); ++ return(0); ++ } + + perror(failed_call); + return(0); diff --git a/openssl-1.0.0c-fips-md5-allow.patch b/openssl-1.0.0c-fips-md5-allow.patch new file mode 100644 index 0000000..f9f5e5d --- /dev/null +++ b/openssl-1.0.0c-fips-md5-allow.patch @@ -0,0 +1,20 @@ +diff -up openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.0c/crypto/md5/md5_dgst.c +--- openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow 2011-02-03 19:53:28.000000000 +0100 ++++ openssl-1.0.0c/crypto/md5/md5_dgst.c 2011-02-03 20:33:14.000000000 +0100 +@@ -75,7 +75,15 @@ const char MD5_version[]="MD5" OPENSSL_V + #define INIT_DATA_C (unsigned long)0x98badcfeL + #define INIT_DATA_D (unsigned long)0x10325476L + +-FIPS_NON_FIPS_MD_Init(MD5) ++int MD5_Init(MD5_CTX *c) ++#ifdef OPENSSL_FIPS ++ { ++ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) ++ FIPS_BAD_ALGORITHM(alg) ++ return private_MD5_Init(c); ++ } ++int private_MD5_Init(MD5_CTX *c) ++#endif + { + memset (c,0,sizeof(*c)); + c->A=INIT_DATA_A; diff --git a/openssl-1.0.0c-fips186-3.patch b/openssl-1.0.0c-fips186-3.patch new file mode 100644 index 0000000..de3e5ab --- /dev/null +++ b/openssl-1.0.0c-fips186-3.patch @@ -0,0 +1,384 @@ +diff -up openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsa_gen.c +--- openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 2011-02-03 21:04:14.000000000 +0100 ++++ openssl-1.0.0c/crypto/dsa/dsa_gen.c 2011-02-04 08:54:42.000000000 +0100 +@@ -120,11 +120,11 @@ int dsa_builtin_paramgen(DSA *ret, size_ + int ok=0; + unsigned char seed[SHA256_DIGEST_LENGTH]; + unsigned char md[SHA256_DIGEST_LENGTH]; +- unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH]; ++ unsigned char buf[SHA256_DIGEST_LENGTH]; + BIGNUM *r0,*W,*X,*c,*test; + BIGNUM *g=NULL,*q=NULL,*p=NULL; + BN_MONT_CTX *mont=NULL; +- int i, k, n=0, m=0, qsize = qbits >> 3; ++ int i, k, b, n=0, m=0, qsize = qbits >> 3; + int counter=0; + int r=0; + BN_CTX *ctx=NULL; +@@ -138,9 +138,13 @@ int dsa_builtin_paramgen(DSA *ret, size_ + goto err; + } + +- if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) ++ if (FIPS_mode() && ++ (bits != 1024 || qbits != 160) && ++ (bits != 2048 || qbits != 224) && ++ (bits != 2048 || qbits != 256) && ++ (bits != 3072 || qbits != 256)) + { +- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); ++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); + goto err; + } + #endif +@@ -151,22 +155,25 @@ int dsa_builtin_paramgen(DSA *ret, size_ + return 0; + + if (evpmd == NULL) +- /* use SHA1 as default */ +- evpmd = EVP_sha1(); ++ { ++ if (qbits <= 160) ++ evpmd = EVP_sha1(); ++ else if (qbits <= 224) ++ evpmd = EVP_sha224(); ++ else ++ evpmd = EVP_sha256(); ++ } + + if (bits < 512) + bits = 512; + + bits = (bits+63)/64*64; + +- /* NB: seed_len == 0 is special case: copy generated seed to +- * seed_in if it is not NULL. +- */ + if (seed_len && (seed_len < (size_t)qsize)) + seed_in = NULL; /* seed buffer too small -- ignore */ + if (seed_len > (size_t)qsize) + seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED, +- * but our internal buffers are restricted to 160 bits*/ ++ * but our internal buffers are restricted to 256 bits*/ + if (seed_in != NULL) + memcpy(seed, seed_in, seed_len); + +@@ -189,13 +196,18 @@ int dsa_builtin_paramgen(DSA *ret, size_ + if (!BN_lshift(test,BN_value_one(),bits-1)) + goto err; + ++ /* step 3 n = \lceil bits / qbits \rceil - 1 */ ++ n = (bits+qbits-1)/qbits - 1; ++ /* step 4 b = bits - 1 - n * qbits */ ++ b = bits - 1 - n*qbits; ++ + for (;;) + { + for (;;) /* find q */ + { + int seed_is_random; + +- /* step 1 */ ++ /* step 5 generate seed */ + if(!BN_GENCB_call(cb, 0, m++)) + goto err; + +@@ -210,28 +222,17 @@ int dsa_builtin_paramgen(DSA *ret, size_ + seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/ + } + memcpy(buf , seed, qsize); +- memcpy(buf2, seed, qsize); +- /* precompute "SEED + 1" for step 7: */ +- for (i = qsize-1; i >= 0; i--) +- { +- buf[i]++; +- if (buf[i] != 0) +- break; +- } + +- /* step 2 */ ++ /* step 6 U = hash(seed) */ + EVP_Digest(seed, qsize, md, NULL, evpmd, NULL); +- EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL); +- for (i = 0; i < qsize; i++) +- md[i]^=buf2[i]; + +- /* step 3 */ ++ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */ + md[0] |= 0x80; + md[qsize-1] |= 0x01; + if (!BN_bin2bn(md, qsize, q)) + goto err; + +- /* step 4 */ ++ /* step 8 test for prime (64 round of Rabin-Miller) */ + r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, + seed_is_random, cb); + if (r > 0) +@@ -239,27 +240,22 @@ int dsa_builtin_paramgen(DSA *ret, size_ + if (r != 0) + goto err; + +- /* do a callback call */ +- /* step 5 */ + } + + if(!BN_GENCB_call(cb, 2, 0)) goto err; + if(!BN_GENCB_call(cb, 3, 0)) goto err; + +- /* step 6 */ ++ /* step 11 */ + counter=0; +- /* "offset = 2" */ +- +- n=(bits-1)/160; ++ /* "offset = 1" */ + + for (;;) + { + if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) + goto err; + +- /* step 7 */ ++ /* step 11.1, 11.2 obtain W */ + BN_zero(W); +- /* now 'buf' contains "SEED + offset - 1" */ + for (k=0; k<=n; k++) + { + /* obtain "SEED + offset + k" by incrementing: */ +@@ -272,28 +268,30 @@ int dsa_builtin_paramgen(DSA *ret, size_ + + EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL); + +- /* step 8 */ + if (!BN_bin2bn(md, qsize, r0)) + goto err; +- if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err; ++ if (k == n) ++ BN_mask_bits(r0,b); ++ if (!BN_lshift(r0,r0,qbits*k)) goto err; + if (!BN_add(W,W,r0)) goto err; + } + +- /* more of step 8 */ +- if (!BN_mask_bits(W,bits-1)) goto err; ++ /* step 11.3 X = W + 2^(L-1) */ + if (!BN_copy(X,W)) goto err; + if (!BN_add(X,X,test)) goto err; + +- /* step 9 */ ++ /* step 11.4 c = X mod 2*q */ + if (!BN_lshift1(r0,q)) goto err; + if (!BN_mod(c,X,r0,ctx)) goto err; ++ ++ /* step 11.5 p = X - (c - 1) */ + if (!BN_sub(r0,c,BN_value_one())) goto err; + if (!BN_sub(p,X,r0)) goto err; + +- /* step 10 */ ++ /* step 11.6 */ + if (BN_cmp(p,test) >= 0) + { +- /* step 11 */ ++ /* step 11.7 */ + r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, + ctx, 1, cb); + if (r > 0) +@@ -302,12 +300,12 @@ int dsa_builtin_paramgen(DSA *ret, size_ + goto err; + } + +- /* step 13 */ ++ /* step 11.9 */ + counter++; + /* "offset = offset + n + 1" */ + +- /* step 14 */ +- if (counter >= 4096) break; ++ /* step 12 */ ++ if (counter >= 4*bits) break; + } + } + end: +diff -up openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 openssl-1.0.0c/crypto/dsa/dsa.h +--- openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 2011-02-03 21:04:14.000000000 +0100 ++++ openssl-1.0.0c/crypto/dsa/dsa.h 2011-02-03 21:04:14.000000000 +0100 +@@ -316,6 +316,7 @@ void ERR_load_DSA_strings(void); + #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 + #define DSA_R_DECODE_ERROR 104 + #define DSA_R_INVALID_DIGEST_TYPE 106 ++#define DSA_R_KEY_SIZE_INVALID 113 + #define DSA_R_KEY_SIZE_TOO_SMALL 110 + #define DSA_R_MISSING_PARAMETERS 101 + #define DSA_R_MODULUS_TOO_LARGE 103 +diff -up openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsatest.c +--- openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 2011-02-03 21:14:07.000000000 +0100 ++++ openssl-1.0.0c/crypto/dsa/dsatest.c 2011-02-04 08:40:24.000000000 +0100 +@@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int + /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to + * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ + static unsigned char seed[20]={ +- 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40, +- 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3, ++ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62, ++ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3, + }; + + static unsigned char out_p[]={ +- 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa, +- 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb, +- 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7, +- 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5, +- 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf, +- 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac, +- 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2, +- 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91, ++ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E, ++ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99, ++ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD, ++ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB, ++ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18, ++ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B, ++ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E, ++ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD, ++ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93, ++ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D, ++ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F, + }; + + static unsigned char out_q[]={ +- 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee, +- 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e, +- 0xda,0xce,0x91,0x5f, ++ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B, ++ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87, + }; + + static unsigned char out_g[]={ +- 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13, +- 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00, +- 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb, +- 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e, +- 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf, +- 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c, +- 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c, +- 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02, ++ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C, ++ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE, ++ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36, ++ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13, ++ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C, ++ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D, ++ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9, ++ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F, ++ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E, ++ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41, ++ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29, + }; + + static const unsigned char str1[]="12345678901234567890"; +@@ -157,7 +162,7 @@ int main(int argc, char **argv) + BIO_printf(bio_err,"test generation of DSA parameters\n"); + + BN_GENCB_set(&cb, dsa_cb, bio_err); +- if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512, ++ if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024, + seed, 20, &counter, &h, &cb)) + goto end; + +@@ -170,9 +175,9 @@ int main(int argc, char **argv) + BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h); + + DSA_print(bio_err,dsa,0); +- if (counter != 105) ++ if (counter != 239) + { +- BIO_printf(bio_err,"counter should be 105\n"); ++ BIO_printf(bio_err,"counter should be 239\n"); + goto end; + } + if (h != 2) +diff -up openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 2011-02-03 21:04:14.000000000 +0100 ++++ openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c 2011-02-04 09:03:03.000000000 +0100 +@@ -68,44 +68,42 @@ + + #ifdef OPENSSL_FIPS + +-/* seed, out_p, out_q, out_g are taken the NIST test vectors */ +- + static unsigned char seed[20] = { +- 0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34, +- 0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a +- }; ++ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62, ++ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3, ++ }; + + static unsigned char out_p[] = { +- 0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57, +- 0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b, +- 0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43, +- 0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69, +- 0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12, +- 0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47, +- 0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4, +- 0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8, +- 0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef, +- 0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8, +- 0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef ++ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E, ++ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99, ++ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD, ++ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB, ++ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18, ++ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B, ++ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E, ++ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD, ++ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93, ++ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D, ++ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F, + }; + + static unsigned char out_q[] = { +- 0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c, +- 0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3 ++ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B, ++ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87, + }; + + static unsigned char out_g[] = { +- 0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb, +- 0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e, +- 0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63, +- 0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35, +- 0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf, +- 0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a, +- 0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed, +- 0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf, +- 0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2, +- 0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36, +- 0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec ++ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C, ++ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE, ++ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36, ++ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13, ++ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C, ++ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D, ++ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9, ++ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F, ++ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E, ++ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41, ++ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29, + }; + + static const unsigned char str1[]="12345678901234567890"; +@@ -133,7 +131,7 @@ int FIPS_selftest_dsa() + goto err; + if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL)) + goto err; +- if (counter != 378) ++ if (counter != 239) + goto err; + if (h != 2) + goto err; diff --git a/openssl-1.0.0c-pkcs12-fips-default.patch b/openssl-1.0.0c-pkcs12-fips-default.patch new file mode 100644 index 0000000..a671722 --- /dev/null +++ b/openssl-1.0.0c-pkcs12-fips-default.patch @@ -0,0 +1,25 @@ +diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c +--- openssl-1.0.0c/apps/pkcs12.c.fips-default 2009-07-27 23:08:45.000000000 +0200 ++++ openssl-1.0.0c/apps/pkcs12.c 2011-02-04 15:25:38.000000000 +0100 +@@ -67,6 +67,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif + + #define PROG pkcs12_main + +@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv) + + apps_startup(); + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */ ++#endif ++ + enc = EVP_des_ede3_cbc(); + if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); + diff --git a/openssl-1.0.0c-rsa-x931.patch b/openssl-1.0.0c-rsa-x931.patch new file mode 100644 index 0000000..a60bbcb --- /dev/null +++ b/openssl-1.0.0c-rsa-x931.patch @@ -0,0 +1,36 @@ +diff -up openssl-1.0.0c/apps/genrsa.c.x931 openssl-1.0.0c/apps/genrsa.c +--- openssl-1.0.0c/apps/genrsa.c.x931 2010-03-01 15:22:02.000000000 +0100 ++++ openssl-1.0.0c/apps/genrsa.c 2011-02-01 18:32:05.000000000 +0100 +@@ -95,6 +95,7 @@ int MAIN(int argc, char **argv) + int ret=1; + int i,num=DEFBITS; + long l; ++ int use_x931 = 0; + const EVP_CIPHER *enc=NULL; + unsigned long f4=RSA_F4; + char *outfile=NULL; +@@ -138,6 +139,8 @@ int MAIN(int argc, char **argv) + f4=3; + else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0) + f4=RSA_F4; ++ else if (strcmp(*argv,"-x931") == 0) ++ use_x931 = 1; + #ifndef OPENSSL_NO_ENGINE + else if (strcmp(*argv,"-engine") == 0) + { +@@ -273,7 +276,14 @@ bad: + if (!rsa) + goto err; + +- if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) ++ if (use_x931) ++ { ++ if (!BN_set_word(bn, f4)) ++ goto err; ++ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb)) ++ goto err; ++ } ++ else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb)) + goto err; + + app_RAND_write_file(NULL, bio_err); diff --git a/openssl-1.0.0c-speed-fips.patch b/openssl-1.0.0c-speed-fips.patch new file mode 100644 index 0000000..048d673 --- /dev/null +++ b/openssl-1.0.0c-speed-fips.patch @@ -0,0 +1,94 @@ +diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c +--- openssl-1.0.0c/apps/speed.c.spfips 2010-11-18 14:22:26.000000000 +0100 ++++ openssl-1.0.0c/apps/speed.c 2011-01-24 17:25:32.000000000 +0100 +@@ -100,6 +100,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif + #if !defined(OPENSSL_SYS_MSDOS) + #include OPENSSL_UNISTD + #endif +@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv) + #ifndef OPENSSL_NO_RSA + if (strcmp(*argv,"rsa") == 0) + { ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode()) ++#endif ++ { + rsa_doit[R_RSA_512]=1; ++ } + rsa_doit[R_RSA_1024]=1; + rsa_doit[R_RSA_2048]=1; + rsa_doit[R_RSA_4096]=1; +@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv) + #ifndef OPENSSL_NO_DSA + if (strcmp(*argv,"dsa") == 0) + { ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode()) ++#endif ++ { + dsa_doit[R_DSA_512]=1; ++ } + dsa_doit[R_DSA_1024]=1; + dsa_doit[R_DSA_2048]=1; + } +@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv) + AES_set_encrypt_key(key32,256,&aes_ks3); + #endif + #ifndef OPENSSL_NO_CAMELLIA ++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) ++ { + Camellia_set_key(key16,128,&camellia_ks1); + Camellia_set_key(ckey24,192,&camellia_ks2); + Camellia_set_key(ckey32,256,&camellia_ks3); ++ } + #endif + #ifndef OPENSSL_NO_IDEA ++ if (doit[D_CBC_IDEA]) ++ { + idea_set_encrypt_key(key16,&idea_ks); ++ } + #endif + #ifndef OPENSSL_NO_SEED ++ if (doit[D_CBC_SEED]) ++ { + SEED_set_key(key16,&seed_ks); ++ } + #endif + #ifndef OPENSSL_NO_RC4 ++ if (doit[D_RC4]) ++ { + RC4_set_key(&rc4_ks,16,key16); ++ } + #endif + #ifndef OPENSSL_NO_RC2 ++ if (doit[D_CBC_RC2]) ++ { + RC2_set_key(&rc2_ks,16,key16,128); ++ } + #endif + #ifndef OPENSSL_NO_RC5 ++ if (doit[D_CBC_RC5]) ++ { + RC5_32_set_key(&rc5_ks,16,key16,12); ++ } + #endif + #ifndef OPENSSL_NO_BF ++ if (doit[D_CBC_BF]) ++ { + BF_set_key(&bf_ks,16,key16); ++ } + #endif + #ifndef OPENSSL_NO_CAST ++ if (doit[D_CBC_CAST]) ++ { + CAST_set_key(&cast_ks,16,key16); ++ } + #endif + #ifndef OPENSSL_NO_RSA + memset(rsa_c,0,sizeof(rsa_c)); diff --git a/openssl-1.0.0d-apps-dgst.patch b/openssl-1.0.0d-apps-dgst.patch new file mode 100644 index 0000000..da20481 --- /dev/null +++ b/openssl-1.0.0d-apps-dgst.patch @@ -0,0 +1,110 @@ +diff -up openssl-1.0.0d/apps/ca.c.dgst openssl-1.0.0d/apps/ca.c +--- openssl-1.0.0d/apps/ca.c.dgst 2009-12-02 15:41:24.000000000 +0100 ++++ openssl-1.0.0d/apps/ca.c 2011-04-05 21:09:42.000000000 +0200 +@@ -157,7 +157,7 @@ static const char *ca_usage[]={ + " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n", + " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n", + " -days arg - number of days to certify the certificate for\n", +-" -md arg - md to use, one of md2, md5, sha or sha1\n", ++" -md arg - md to use, see openssl dgst -h for list\n", + " -policy arg - The CA 'policy' to support\n", + " -keyfile arg - private key file\n", + " -keyform arg - private key file format (PEM or ENGINE)\n", +diff -up openssl-1.0.0d/apps/enc.c.dgst openssl-1.0.0d/apps/enc.c +--- openssl-1.0.0d/apps/enc.c.dgst 2010-06-15 19:25:02.000000000 +0200 ++++ openssl-1.0.0d/apps/enc.c 2011-04-05 21:11:54.000000000 +0200 +@@ -302,7 +302,7 @@ bad: + BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k"); + BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile"); + BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md"); +- BIO_printf(bio_err,"%-14s from a passphrase. One of md2, md5, sha or sha1\n",""); ++ BIO_printf(bio_err,"%-14s from a passphrase. See openssl dgst -h for list.\n",""); + BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S"); + BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv"); + BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]"); +diff -up openssl-1.0.0d/apps/req.c.dgst openssl-1.0.0d/apps/req.c +--- openssl-1.0.0d/apps/req.c.dgst 2010-03-10 14:48:21.000000000 +0100 ++++ openssl-1.0.0d/apps/req.c 2011-04-05 21:12:33.000000000 +0200 +@@ -421,7 +421,7 @@ bad: + #ifndef OPENSSL_NO_ECDSA + BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n"); + #endif +- BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n"); ++ BIO_printf(bio_err," -[digest] Digest to sign with (see openssl dgst -h for list)\n"); + BIO_printf(bio_err," -config file request template file.\n"); + BIO_printf(bio_err," -subj arg set or modify request subject\n"); + BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n"); +diff -up openssl-1.0.0d/apps/ts.c.dgst openssl-1.0.0d/apps/ts.c +--- openssl-1.0.0d/apps/ts.c.dgst 2009-10-18 16:42:26.000000000 +0200 ++++ openssl-1.0.0d/apps/ts.c 2011-04-05 21:16:07.000000000 +0200 +@@ -368,7 +368,7 @@ int MAIN(int argc, char **argv) + BIO_printf(bio_err, "usage:\n" + "ts -query [-rand file%cfile%c...] [-config configfile] " + "[-data file_to_hash] [-digest digest_bytes]" +- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] " ++ "[-] " + "[-policy object_id] [-no_nonce] [-cert] " + "[-in request.tsq] [-out request.tsq] [-text]\n", + LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); +diff -up openssl-1.0.0d/apps/x509.c.dgst openssl-1.0.0d/apps/x509.c +--- openssl-1.0.0d/apps/x509.c.dgst 2011-04-05 21:13:42.000000000 +0200 ++++ openssl-1.0.0d/apps/x509.c 2011-04-05 21:13:17.000000000 +0200 +@@ -141,7 +141,7 @@ static const char *x509_usage[]={ + " -set_serial - serial number to use\n", + " -text - print the certificate in text form\n", + " -C - print out C code forms\n", +-" -md2/-md5/-sha1/-mdc2 - digest to use\n", ++" - - digest to use, see openssl dgst -h output for list\n", + " -extfile - configuration file with X509V3 extensions to add\n", + " -extensions - section from config file with X509V3 extensions to add\n", + " -clrext - delete extensions before signing and input certificate\n", +diff -up openssl-1.0.0d/doc/apps/ca.pod.dgst openssl-1.0.0d/doc/apps/ca.pod +--- openssl-1.0.0d/doc/apps/ca.pod.dgst 2009-04-10 13:25:53.000000000 +0200 ++++ openssl-1.0.0d/doc/apps/ca.pod 2011-04-05 21:16:39.000000000 +0200 +@@ -160,7 +160,8 @@ the number of days to certify the certif + =item B<-md alg> + + the message digest to use. Possible values include md5, sha1 and mdc2. +-This option also applies to CRLs. ++For full list of digests see openssl dgst -h output. This option also ++applies to CRLs. + + =item B<-policy arg> + +diff -up openssl-1.0.0d/doc/apps/ocsp.pod.dgst openssl-1.0.0d/doc/apps/ocsp.pod +--- openssl-1.0.0d/doc/apps/ocsp.pod.dgst 2008-02-25 19:11:47.000000000 +0100 ++++ openssl-1.0.0d/doc/apps/ocsp.pod 2011-04-05 21:18:17.000000000 +0200 +@@ -210,7 +210,8 @@ check is not performed. + =item B<-md5|-sha1|-sha256|-ripemod160|...> + + this option sets digest algorithm to use for certificate identification +-in the OCSP request. By default SHA-1 is used. ++in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for ++the list of available algorithms. + + =back + +diff -up openssl-1.0.0d/doc/apps/req.pod.dgst openssl-1.0.0d/doc/apps/req.pod +--- openssl-1.0.0d/doc/apps/req.pod.dgst 2009-04-10 18:42:28.000000000 +0200 ++++ openssl-1.0.0d/doc/apps/req.pod 2011-04-05 21:20:47.000000000 +0200 +@@ -201,7 +201,8 @@ will not be encrypted. + + this specifies the message digest to sign the request with (such as + B<-md5>, B<-sha1>). This overrides the digest algorithm specified in +-the configuration file. ++the configuration file. For full list of possible digests see openssl ++dgst -h output. + + Some public key algorithms may override this choice. For instance, DSA + signatures always use SHA1, GOST R 34.10 signatures always use +diff -up openssl-1.0.0d/doc/apps/x509.pod.dgst openssl-1.0.0d/doc/apps/x509.pod +--- openssl-1.0.0d/doc/apps/x509.pod.dgst 2010-01-12 18:27:11.000000000 +0100 ++++ openssl-1.0.0d/doc/apps/x509.pod 2011-04-05 21:19:56.000000000 +0200 +@@ -101,6 +101,7 @@ the digest to use. This affects any sign + digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not + specified then SHA1 is used. If the key being used to sign with is a DSA key + then this option has no effect: SHA1 is always used with DSA keys. ++For full list of digests see openssl dgst -h output. + + =item B<-engine id> + diff --git a/openssl-1.0.0d-version.patch b/openssl-1.0.0d-version.patch new file mode 100644 index 0000000..da50fb4 --- /dev/null +++ b/openssl-1.0.0d-version.patch @@ -0,0 +1,22 @@ +diff -up openssl-1.0.0d/crypto/opensslv.h.version openssl-1.0.0d/crypto/opensslv.h +--- openssl-1.0.0d/crypto/opensslv.h.version 2011-02-10 14:24:52.000000000 +0100 ++++ openssl-1.0.0d/crypto/opensslv.h 2011-02-10 14:48:00.000000000 +0100 +@@ -25,7 +25,8 @@ + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-#define OPENSSL_VERSION_NUMBER 0x1000004fL ++/* we have to keep the version number to not break the abi */ ++#define OPENSSL_VERSION_NUMBER 0x10000003 + #ifdef OPENSSL_FIPS + #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-fips 8 Feb 2011" + #else +@@ -83,7 +84,7 @@ + * should only keep the versions that are binary compatible with the current. + */ + #define SHLIB_VERSION_HISTORY "" +-#define SHLIB_VERSION_NUMBER "1.0.0" ++#define SHLIB_VERSION_NUMBER "1.0.0d" + + + #endif /* HEADER_OPENSSLV_H */ diff --git a/sources b/sources index f42b68d..302a734 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -36a9936e1791566b205daa7cb4bea074 openssl-1.0.0a-usa.tar.bz2 +531c1627ff9701cb8540ee3bd03de5d7 openssl-1.0.0d-usa.tar.bz2 From c4d04a9ac6a08f4b46725ec79fe36aca3b56a2f4 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 13 Jan 2012 04:05:51 -0600 Subject: [PATCH 27/28] - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild --- mingw32-openssl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 48000bd..5ae8ca0 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -29,7 +29,7 @@ Name: mingw32-openssl Version: 1.0.0d -Release: 1%{?dist} +Release: 2%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -359,6 +359,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jan 13 2012 Fedora Release Engineering - 1.0.0d-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + * Sat Apr 23 2011 Kalev Lember - 1.0.0d-1 - Update to 1.0.0d - Synced patches with Fedora native openssl-1.0.0d-2 From cd4cb2272f90fe7e779cc69f6653197405733476 Mon Sep 17 00:00:00 2001 From: Erik van Pienbroek Date: Mon, 27 Feb 2012 21:36:00 +0100 Subject: [PATCH 28/28] Rebuild against the mingw-w64 toolchain --- mingw32-openssl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec index 5ae8ca0..6406936 100644 --- a/mingw32-openssl.spec +++ b/mingw32-openssl.spec @@ -29,7 +29,7 @@ Name: mingw32-openssl Version: 1.0.0d -Release: 2%{?dist} +Release: 3%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -359,6 +359,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Feb 27 2012 Erik van Pienbroek - 1.0.0d-3 +- Rebuild against the mingw-w64 toolchain + * Fri Jan 13 2012 Fedora Release Engineering - 1.0.0d-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild