From ec2806a386e1651e50f472aaf0e152569f3b7929 Mon Sep 17 00:00:00 2001 
From: Erik van Pienbroek Date: Sun, 24 Mar 2013 20:50:27 +0100 Subject: [PATCH] Update to 1.0.1e (RHBZ #920868) Synced patches with native openssl-1.0.1e-4.fc19 --- .gitignore | 1 + mingw-openssl.spec | 49 +- openssl-0.9.8j-env-nozlib.patch | 13 - openssl-1.0.0-beta4-default-paths.patch | 77 -- openssl-1.0.0-fips-pkcs8.patch | 189 ----- openssl-1.0.1-version.patch | 12 - openssl-1.0.1c-backports.patch | 106 --- openssl-1.0.1c-backports2.patch | 103 --- openssl-1.0.1c-ccm-init-str.patch | 11 - openssl-1.0.1c-default-paths.patch | 100 +++ openssl-1.0.1c-dh-1024.patch | 61 ++ openssl-1.0.1e-backports.patch | 256 +++++++ openssl-1.0.1e-bad-mac.patch | 33 + openssl-1.0.1e-env-zlib.patch | 38 + ...1c-fips.patch => openssl-1.0.1e-fips.patch | 723 +++++++++--------- openssl-1.0.1e-issuer-hash.patch | 11 + ...atch => openssl-1.0.1e-secure-getenv.patch | 70 +- openssl-fix-pod2man-failure.patch | 211 ----- openssl-mingw64-dont-use-secure-getenv.patch | 11 + renew-dummy-cert | 42 + sources | 2 +- 21 files changed, 960 insertions(+), 1159 deletions(-) delete mode 100644 openssl-0.9.8j-env-nozlib.patch delete mode 100644 openssl-1.0.0-beta4-default-paths.patch delete mode 100644 openssl-1.0.0-fips-pkcs8.patch delete mode 100644 openssl-1.0.1c-backports.patch delete mode 100644 openssl-1.0.1c-backports2.patch delete mode 100644 openssl-1.0.1c-ccm-init-str.patch create mode 100644 openssl-1.0.1c-default-paths.patch create mode 100644 openssl-1.0.1c-dh-1024.patch create mode 100644 openssl-1.0.1e-backports.patch create mode 100644 openssl-1.0.1e-bad-mac.patch create mode 100644 openssl-1.0.1e-env-zlib.patch rename openssl-1.0.1c-fips.patch => openssl-1.0.1e-fips.patch (95%) create mode 100644 openssl-1.0.1e-issuer-hash.patch rename openssl-1.0.1c-secure-getenv.patch => openssl-1.0.1e-secure-getenv.patch (66%) delete mode 100644 openssl-fix-pod2man-failure.patch create mode 100644 openssl-mingw64-dont-use-secure-getenv.patch create mode 100755 renew-dummy-cert 
diff --git a/.gitignore b/.gitignore index 895e390..d72a084 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.0.0d-usa.tar.bz2 /openssl-1.0.1c-usa.tar.xz +/openssl-1.0.1e-usa.tar.xz diff --git a/mingw-openssl.spec b/mingw-openssl.spec index 4bea039..128fa7f 100644 --- a/mingw-openssl.spec +++ b/mingw-openssl.spec @@ -23,8 +23,8 @@ %global thread_test_threads %{?threads:%{threads}}%{!?threads:1} Name: mingw-openssl -Version: 1.0.1c -Release: 3%{?dist} +Version: 1.0.1e +Release: 1%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -38,6 +38,7 @@ Source0: openssl-%{version}-usa.tar.xz Source1: hobble-openssl Source2: Makefile.certificate Source6: make-dummy-cert +Source7: renew-dummy-cert Source8: openssl-thread-test.c Source9: opensslconf-new.h Source10: opensslconf-new-warning.h @@ -52,11 +53,9 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch Patch7: openssl-1.0.0-timezone.patch Patch8: openssl-1.0.1c-perlfind.patch Patch9: openssl-1.0.1c-aliasing.patch -# Fix FTBFS against latest pod2man -# Patch found at http://www.mail-archive.com/openssl-dev@openssl.org/msg29210.html -Patch10: openssl-fix-pod2man-failure.patch # Bug fixes -Patch23: openssl-1.0.0-beta4-default-paths.patch +Patch23: openssl-1.0.1c-default-paths.patch +Patch24: openssl-1.0.1e-issuer-hash.patch # Functionality changes Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch @@ -64,8 +63,8 @@ Patch35: openssl-0.9.8j-version-add-engines.patch Patch36: openssl-1.0.0e-doc-noeof.patch Patch38: openssl-1.0.1-beta2-ssl-op-all.patch Patch39: openssl-1.0.1c-ipv6-apps.patch -Patch40: openssl-1.0.1c-fips.patch -Patch45: openssl-0.9.8j-env-nozlib.patch +Patch40: openssl-1.0.1e-fips.patch +Patch45: openssl-1.0.1e-env-zlib.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch49: openssl-1.0.1a-algo-doc.patch Patch50: openssl-1.0.1-beta2-dtls1-abi.patch 
@@ -76,13 +75,12 @@ Patch60: openssl-1.0.0d-apps-dgst.patch Patch63: openssl-1.0.0d-xmpp-starttls.patch Patch65: openssl-1.0.0e-chil-fixes.patch Patch66: openssl-1.0.1-pkgconfig-krb5.patch -Patch67: openssl-1.0.0-fips-pkcs8.patch -Patch68: openssl-1.0.1c-secure-getenv.patch +Patch68: openssl-1.0.1e-secure-getenv.patch +Patch69: openssl-1.0.1c-dh-1024.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch -Patch82: openssl-1.0.1c-backports.patch -Patch83: openssl-1.0.1c-ccm-init-str.patch -Patch84: openssl-1.0.1c-backports2.patch +Patch82: openssl-1.0.1e-backports.patch +Patch83: openssl-1.0.1e-bad-mac.patch # MinGW-specific patches. # Rename *eay32.dll to lib*.dll @@ -94,8 +92,10 @@ Patch102: mingw32-openssl-1.0.0d-sfx.patch Patch103: mingw-openssl-drop-unneeded-reference-to-dlfcn-h.patch # Mingw-w64 compatibility patch Patch104: openssl_mingw64_install_fix.patch -# Prevent a build failure which occurs becuase we don't have FIPS enabled +# Prevent a build failure which occurs because we don't have FIPS enabled Patch105: mingw-openssl-fix-fips-build-failure.patch +# The function secure_getenv is a GNU extension which isn't available on Windows +Patch106: openssl-mingw64-dont-use-secure-getenv.patch BuildArch: noarch @@ -197,10 +197,10 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch5 -p1 -b .no-rpath %patch6 -p1 -b .use-localhost %patch7 -p1 -b .timezone -%patch8 -p1 -b .perlfind +%patch8 -p1 -b .perlfind %{?_rawbuild} %patch9 -p1 -b .aliasing -%patch10 -p1 -b .pod2man %patch23 -p1 -b .default-paths +%patch24 -p1 -b .issuer-hash %patch33 -p1 -b .ca-dir %patch34 -p1 -b .x509 @@ -209,7 +209,7 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch38 -p1 -b .op-all #patch39 -p1 -b .ipv6-apps %patch40 -p1 -b .fips -%patch45 -p1 -b .env-nozlib +%patch45 -p1 -b .env-zlib %patch47 -p1 -b .warning %patch49 -p1 -b .algo-doc %patch50 -p1 -b .dtls1-abi 
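Review bot: The swap from `.env-nozlib` to `.env-zlib` on `%patch45` (declared as `openssl-1.0.1e-env-zlib.patch` in the earlier Patch45 hunk) changes how TLS compression is controlled, but neither the spec nor the new changelog entry mentions it. The removed patch skipped the built-in zlib method only when `OPENSSL_NO_DEFAULT_ZLIB` was set. The new patch's body is not visible here, but its name suggests compression now has to be requested explicitly, in which case the old variable presumably stops having any effect. A one-line comment above `Patch45:` naming the variable that now applies, plus a `%changelog` line, would tell users who relied on the old opt-out what changed.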
@@ -220,13 +220,12 @@ Static version of the MinGW port of the OpenSSL toolkit. #patch63 -p1 -b .starttls %patch65 -p1 -b .chil %patch66 -p1 -b .krb5 -%patch67 -p1 -b .pkcs8 #patch68 -p1 -b .secure-getenv +%patch69 -p1 -b .dh1024 %patch81 -p1 -b .padlock64 %patch82 -p1 -b .backports -%patch83 -p1 -b .init-str -%patch84 -p1 -b .backports2 +%patch83 -p1 -b .bad-mac # MinGW specific patches %patch101 -p1 -b .mingw-libversion @@ -234,6 +233,10 @@ Static version of the MinGW port of the OpenSSL toolkit. %patch103 -p0 -b .dlfcn %patch104 -p0 -b .mingw64 %patch105 -p1 -b .fips_mingw +%patch106 -p1 -b .secure_getenv_mingw + +sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h + # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -416,10 +419,12 @@ chmod 0755 $RPM_BUILD_ROOT%{mingw64_libdir}/libssl.dll.a mkdir -p $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/certs install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/certs/Makefile install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert +install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/certs/renew-dummy-cert mkdir -p $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/certs install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/certs/Makefile install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/certs/make-dummy-cert +install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/tls/certs/renew-dummy-cert # Pick a CA script. pushd $RPM_BUILD_ROOT%{mingw32_sysconfdir}/pki/tls/misc 
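Review bot: `#patch68 -p1 -b .secure-getenv` stays commented out in this %prep hunk although Patch68 was just renamed to `openssl-1.0.1e-secure-getenv.patch`, so the file is carried in the source package but never applied, with no explanation. If that is deliberate (the comment on Patch106 says secure_getenv is not available on Windows), state it next to the line, e.g. `# Patch68 is intentionally not applied: secure_getenv() does not exist on Windows, see Patch106`. Without that, a later sync with the native package could re-enable it by mistake.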
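Review bot: The added `sed -i` on `crypto/opensslv.h` exits successfully even when its pattern matches nothing, so if upstream ever changes the `SHLIB_VERSION_NUMBER "1.0.0"` string the libraries are built with an unintended version and the build still passes. Follow it with a check such as `grep -q 'SHLIB_VERSION_NUMBER "%{version}"' crypto/opensslv.h`, which should make %prep fail on a miss, since RPM normally runs build scriptlets with `sh -e`. The dots in `1.0.0` are also unescaped regex wildcards; `1\.0\.0` is the literal match.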
@@ -475,6 +480,10 @@ mkdir -m700 $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/CA/private %changelog +* Sun Mar 24 2013 Erik van Pienbroek - 1.0.1e-1 +- Update to 1.0.1e (RHBZ #920868) +- Synced patches with native openssl-1.0.1e-4.fc19 + * Thu Feb 14 2013 Fedora Release Engineering - 1.0.1c-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild diff --git a/openssl-0.9.8j-env-nozlib.patch b/openssl-0.9.8j-env-nozlib.patch deleted file mode 100644 index 65af5a8..0000000 --- a/openssl-0.9.8j-env-nozlib.patch +++ /dev/null @@ -1,13 +0,0 @@ -Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set. -diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c ---- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib 2009-01-05 15:43:07.000000000 +0100 -+++ openssl-0.9.8j/ssl/ssl_ciph.c 2009-01-14 17:47:46.000000000 +0100 -@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo - - MemCheck_off(); - ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); -- if (ssl_comp_methods != NULL) -+ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL) - { - comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); - if (comp != NULL) diff --git a/openssl-1.0.0-beta4-default-paths.patch b/openssl-1.0.0-beta4-default-paths.patch deleted file mode 100644 index 0b48a27..0000000 --- a/openssl-1.0.0-beta4-default-paths.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c ---- openssl-1.0.0-beta4/apps/s_client.c.default-paths 2009-08-12 15:21:26.000000000 +0200 -+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 12:26:32.000000000 +0100 -@@ -889,12 +889,13 @@ bad: - if (!set_cert_key_stuff(ctx,cert,key)) - goto end; - -- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) -+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx)) - { -- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - - #ifndef OPENSSL_NO_TLSEXT -diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c ---- openssl-1.0.0-beta4/apps/s_server.c.default-paths 2009-10-28 18:49:37.000000000 +0100 -+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 12:31:23.000000000 +0100 -@@ -1408,12 +1408,13 @@ bad: - } - #endif - -- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) -+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx)) - { -- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - if (vpm) - SSL_CTX_set1_param(ctx, vpm); -@@ -1465,8 +1466,11 @@ bad: - else - SSL_CTX_sess_set_cache_size(ctx2,128); - -- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx2))) -+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx2)) - { - ERR_print_errors(bio_err); - } -diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c ---- 
openssl-1.0.0-beta4/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200 -+++ openssl-1.0.0-beta4/apps/s_time.c 2009-11-12 12:26:32.000000000 +0100 -@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv) - - SSL_load_error_strings(); - -- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(tm_ctx))) -+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) - { -- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - - if (tm_cipher == NULL) diff --git a/openssl-1.0.0-fips-pkcs8.patch b/openssl-1.0.0-fips-pkcs8.patch deleted file mode 100644 index dd7e36a..0000000 --- a/openssl-1.0.0-fips-pkcs8.patch +++ /dev/null 
@@ -1,189 +0,0 @@ -diff -up openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 openssl-1.0.0/crypto/pem/pem_all.c ---- openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 2006-11-06 20:53:37.000000000 +0100 -+++ openssl-1.0.0/crypto/pem/pem_all.c 2012-04-26 17:17:35.765317652 +0200 -@@ -147,7 +147,37 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRIN - - IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE, - PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE) -+#ifdef OPENSSL_FIPS - -+static int fips_PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+ { -+ if (FIPS_mode()) -+ return PEM_write_bio_PKCS8PrivateKey(bp, x, enc, -+ (char *)kstr, klen, cb, u); -+ else -+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, -+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY), -+ bp,x,enc,kstr,klen,cb,u); -+ } -+ -+#ifndef OPENSSL_NO_FP_API -+static int fips_PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+ { -+ if (FIPS_mode()) -+ return PEM_write_PKCS8PrivateKey(fp, x, enc, -+ (char *)kstr, klen, cb, u); -+ else -+ return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey, -+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY), -+ fp,x,enc,kstr,klen,cb,u); -+ } -+#endif -+ -+#endif - - #ifndef OPENSSL_NO_RSA - -@@ -193,7 +223,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RS - - #endif - -+#ifdef OPENSSL_FIPS -+ -+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_RSA(k, x); -+ -+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+ -+#ifndef OPENSSL_NO_FP_API -+int 
PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ -+ EVP_PKEY_set1_RSA(k, x); -+ -+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+#endif -+ -+#else -+ - IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) -+ -+#endif -+ - IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) - IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) - -@@ -223,7 +295,47 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, - return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ - } - -+#ifdef OPENSSL_FIPS -+ -+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_DSA(k, x); -+ -+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+ -+#ifndef OPENSSL_NO_FP_API -+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_DSA(k, x); -+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+#endif -+ -+#else -+ - IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) -+ -+#endif -+ - IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) - - #ifndef OPENSSL_NO_FP_API -@@ -269,8 +381,49 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *b - - IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters) - -+ -+ -+#ifdef OPENSSL_FIPS -+ -+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER 
*enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_EC_KEY(k, x); -+ -+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+ -+#ifndef OPENSSL_NO_FP_API -+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_EC_KEY(k, x); -+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+#endif -+ -+#else -+ - IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) - -+#endif -+ - IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) - - #ifndef OPENSSL_NO_FP_API diff --git a/openssl-1.0.1-version.patch b/openssl-1.0.1-version.patch index 4b8f584..831aa61 100644 --- a/openssl-1.0.1-version.patch +++ b/openssl-1.0.1-version.patch @@ -18,18 +18,6 @@ diff -up openssl-1.0.1/crypto/cversion.c.version openssl-1.0.1/crypto/cversion.c +__asm__(".symver _original_SSLeay,SSLeay@"); +__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1"); -diff -up openssl-1.0.1/crypto/opensslv.h.version openssl-1.0.1/crypto/opensslv.h ---- openssl-1.0.1/crypto/opensslv.h.version 2012-03-14 20:58:19.914337879 +0100 -+++ openssl-1.0.1/crypto/opensslv.h 2012-03-14 20:58:20.630352536 +0100 -@@ -83,7 +83,7 @@ - * should only keep the versions that are binary compatible with the current. - */ - #define SHLIB_VERSION_HISTORY "" --#define SHLIB_VERSION_NUMBER "1.0.0" -+#define SHLIB_VERSION_NUMBER "1.0.1c" - - - #endif /* HEADER_OPENSSLV_H */ diff -up openssl-1.0.1/Makefile.shared.version openssl-1.0.1/Makefile.shared --- openssl-1.0.1/Makefile.shared.version 2012-03-14 20:58:20.553350959 +0100 +++ openssl-1.0.1/Makefile.shared 2012-03-14 20:58:20.631352556 +0100 
diff --git a/openssl-1.0.1c-backports.patch b/openssl-1.0.1c-backports.patch
deleted file mode 100644
index cc3c3ec..0000000
--- a/openssl-1.0.1c-backports.patch
+++ /dev/null
@@ -1,106 +0,0 @@ -diff -up openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports openssl-1.0.1c/crypto/asn1/x_pubkey.c ---- openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports 2012-02-28 15:47:16.000000000 +0100 -+++ openssl-1.0.1c/crypto/asn1/x_pubkey.c 2012-05-15 17:44:14.584128501 +0200 -@@ -175,12 +175,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *k - CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); - if (key->pkey) - { -+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); - EVP_PKEY_free(ret); - ret = key->pkey; - } - else -+ { - key->pkey = ret; -- CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); -+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); -+ } - CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); - - return ret; -diff -up openssl-1.0.1c/ssl/s3_lib.c.backports openssl-1.0.1c/ssl/s3_lib.c ---- openssl-1.0.1c/ssl/s3_lib.c.backports 2012-04-17 17:20:17.000000000 +0200 -+++ openssl-1.0.1c/ssl/s3_lib.c 2012-05-15 17:42:43.880139566 +0200 -@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 0, /* not implemented (non-ephemeral DH) */ - TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, - TLS1_CK_DH_DSS_WITH_AES_128_SHA256, -- SSL_kDHr, -+ SSL_kDHd, - SSL_aDH, - SSL_AES128, - SSL_SHA256, -@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 0, /* not implemented (non-ephemeral DH) */ - TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, - TLS1_CK_DH_DSS_WITH_AES_256_SHA256, -- SSL_kDHr, -+ SSL_kDHd, - SSL_aDH, - SSL_AES256, - SSL_SHA256, -@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 0, - TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, - TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, -- SSL_kDHr, -+ SSL_kDHd, - SSL_aDH, - SSL_AES128GCM, - SSL_AEAD, -@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 0, - TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, - TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, -- SSL_kDHr, -+ SSL_kDHd, - SSL_aDH, - SSL_AES256GCM, - SSL_AEAD, -@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, - 
TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, -- SSL_kECDHe, -+ SSL_kECDHr, - SSL_aECDH, - SSL_AES128, - SSL_SHA256, -@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, - TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, -- SSL_kECDHe, -+ SSL_kECDHr, - SSL_aECDH, - SSL_AES256, - SSL_SHA384, -@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, -- SSL_kECDHe, -+ SSL_kECDHr, - SSL_aECDH, - SSL_AES128GCM, - SSL_AEAD, -@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, -- SSL_kECDHe, -+ SSL_kECDHr, - SSL_aECDH, - SSL_AES256GCM, - SSL_AEAD, -diff -up openssl-1.0.1c/ssl/s3_pkt.c.backports openssl-1.0.1c/ssl/s3_pkt.c ---- openssl-1.0.1c/ssl/s3_pkt.c.backports 2012-04-17 15:20:19.000000000 +0200 -+++ openssl-1.0.1c/ssl/s3_pkt.c 2012-05-15 17:43:48.470555889 +0200 -@@ -744,6 +744,7 @@ static int do_ssl3_write(SSL *s, int typ - * bytes and record version number > TLS 1.0 - */ - if (s->state == SSL3_ST_CW_CLNT_HELLO_B -+ && !s->renegotiate - && TLS1_get_version(s) > TLS1_VERSION) - *(p++) = 0x1; - else diff --git a/openssl-1.0.1c-backports2.patch b/openssl-1.0.1c-backports2.patch deleted file mode 100644 index a6477e7..0000000 --- a/openssl-1.0.1c-backports2.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c ---- openssl-1.0.1c/apps/cms.c.backports2 2012-01-05 14:46:27.000000000 +0100 -+++ openssl-1.0.1c/apps/cms.c 2012-09-07 10:34:42.000000000 +0200 -@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv) - else if (!strcmp(*args,"-camellia256")) - cipher = EVP_camellia_256_cbc(); - #endif -+ else if (!strcmp (*args, "-debug_decrypt")) -+ flags |= CMS_DEBUG_DECRYPT; - else if (!strcmp (*args, "-text")) - flags |= CMS_TEXT; - else if (!strcmp (*args, "-nointern")) -@@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv) - ret = 4; - if (operation == SMIME_DECRYPT) - { -+ if (flags & CMS_DEBUG_DECRYPT) -+ CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); - - if (secret_key) - { -diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h ---- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 2012-09-06 17:25:22.000000000 +0200 -+++ openssl-1.0.1c/crypto/bn/bn_lcl.h 2012-09-07 10:22:43.000000000 +0200 -@@ -282,16 +282,23 @@ extern "C" { - # endif - # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)) - # if defined(__GNUC__) && __GNUC__>=2 --# define BN_UMULT_HIGH(a,b) ({ \ -+# if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */ -+# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64) -+# define BN_UMULT_LOHI(low,high,a,b) ({ \ -+ __uint128_t ret=(__uint128_t)(a)*(b); \ -+ (high)=ret>>64; (low)=ret; }) -+# else -+# define BN_UMULT_HIGH(a,b) ({ \ - register BN_ULONG ret; \ - asm ("dmultu %1,%2" \ - : "=h"(ret) \ - : "r"(a), "r"(b) : "l"); \ - ret; }) --# define BN_UMULT_LOHI(low,high,a,b) \ -+# define BN_UMULT_LOHI(low,high,a,b)\ - asm ("dmultu %2,%3" \ - : "=l"(low),"=h"(high) \ - : "r"(a), "r"(b)); -+# endif - # endif - # endif /* cpu */ - #endif /* OPENSSL_NO_ASM */ -diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c ---- 
openssl-1.0.1c/crypto/modes/gcm128.c.backports2 2012-01-25 18:56:24.000000000 +0100 -+++ openssl-1.0.1c/crypto/modes/gcm128.c 2012-09-07 10:24:56.000000000 +0200 -@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT - void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult; - #endif - -- if (ctx->mres) -+ if (ctx->mres || ctx->ares) - GCM_MUL(ctx,Xi); - - if (is_endian.little) { -diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c ---- openssl-1.0.1c/ssl/ssl_cert.c.backports2 2011-05-11 15:37:52.000000000 +0200 -+++ openssl-1.0.1c/ssl/ssl_cert.c 2012-09-07 10:33:54.000000000 +0200 -@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT - { - /* Set digest values to defaults */ - #ifndef OPENSSL_NO_DSA -- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); -+ cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); - #endif - #ifndef OPENSSL_NO_RSA - cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - #endif - #ifndef OPENSSL_NO_ECDSA -- cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); -+ cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); - #endif - } - -diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c ---- openssl-1.0.1c/ssl/t1_lib.c.backports2 2012-03-21 22:32:57.000000000 +0100 -+++ openssl-1.0.1c/ssl/t1_lib.c 2012-09-07 10:33:54.000000000 +0200 -@@ -2414,7 +2414,7 @@ int tls1_process_sigalgs(SSL *s, const u - */ - #ifndef OPENSSL_NO_DSA - if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) -- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); -+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); - #endif - #ifndef OPENSSL_NO_RSA - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) -@@ -2425,7 +2425,7 @@ int tls1_process_sigalgs(SSL *s, const u - #endif - #ifndef OPENSSL_NO_ECDSA - if (!c->pkeys[SSL_PKEY_ECC].digest) -- c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); -+ c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); - #endif - return 1; - } 
diff --git a/openssl-1.0.1c-ccm-init-str.patch b/openssl-1.0.1c-ccm-init-str.patch
deleted file mode 100644
index bc89723..0000000
--- a/openssl-1.0.1c-ccm-init-str.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up openssl-1.0.1c/crypto/evp/e_aes.c.init-str openssl-1.0.1c/crypto/evp/e_aes.c
---- openssl-1.0.1c/crypto/evp/e_aes.c.init-str 2012-09-06 17:20:45.000000000 +0200
-+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-09-06 17:18:30.000000000 +0200
-@@ -1216,6 +1216,7 @@ static int aes_ccm_init_key(EVP_CIPHER_C
- vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
- CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
- &cctx->ks, (block128_f)vpaes_encrypt);
-+ cctx->str = NULL;
- cctx->key_set = 1;
- break;
- }
diff --git a/openssl-1.0.1c-default-paths.patch b/openssl-1.0.1c-default-paths.patch
new file mode 100644
index 0000000..364128d
--- /dev/null
+++ b/openssl-1.0.1c-default-paths.patch
@@ -0,0 +1,100 @@
+diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
+--- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100
+@@ -1166,12 +1166,19 @@ bad:
+ if (!set_cert_key_stuff(ctx,cert,key))
+ goto end;
+
+- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+ #ifndef OPENSSL_NO_TLSEXT
+diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100
+@@ -1565,13 +1565,21 @@ bad:
+ }
+ #endif
+
+- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx, vpm);
+
+@@ -1622,8 +1630,11 @@ bad:
+ else
+ SSL_CTX_sess_set_cache_size(ctx2,128);
+
+- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2)))
++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx2))
+ {
+ ERR_print_errors(bio_err);
+ }
+diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
+--- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
++++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100
+@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
+
+ SSL_load_error_strings();
+
+- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+ if (tm_cipher == NULL)
diff --git a/openssl-1.0.1c-dh-1024.patch b/openssl-1.0.1c-dh-1024.patch
new file mode 100644
index 0000000..89f0f04
--- /dev/null
+++ b/openssl-1.0.1c-dh-1024.patch
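Review bot: The third s_server.c hunk leaves `ctx2` on different trust-store logic from `ctx`: it always calls both `SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)` and `SSL_CTX_set_default_verify_paths(ctx2)`, while the `ctx`/`tm_ctx` blocks in s_client.c, s_server.c and s_time.c now pick exactly one of the two. As written, a server given `CAfile` or `CApath` would trust only those CAs on `ctx` but those plus the system defaults on `ctx2`, and with neither given the `ctx2` load call is made with two NULL arguments and likely just reports a failure. Using the same if/else for `ctx2` keeps both contexts consistent; the enclosing function starts and ends outside the hunk. In all four places a failure is only printed and execution continues, which deserves a short comment saying that this is intentional for these test tools.

```c
	/* … unchanged: session cache size setup for ctx2 … */
	if (CAfile == NULL && CApath == NULL)
		{
		if (!SSL_CTX_set_default_verify_paths(ctx2))
			{
			ERR_print_errors(bio_err);
			}
		}
	else
		{
		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
			{
			ERR_print_errors(bio_err);
			}
		}
```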
@@ -0,0 +1,61 @@
+diff -up openssl-1.0.1c/apps/s_server.c.dh1024 openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.dh1024 2012-11-14 20:27:50.000000000 +0100
++++ openssl-1.0.1c/apps/s_server.c 2012-11-15 20:56:15.247774465 +0100
+@@ -222,27 +222,31 @@ static void s_server_init(void);
+ #endif
+
+ #ifndef OPENSSL_NO_DH
+-static unsigned char dh512_p[]={
+- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+- 0x47,0x74,0xE8,0x33,
+- };
+-static unsigned char dh512_g[]={
+- 0x02,
+- };
+-
+-static DH *get_dh512(void)
++static DH *get_dh1024()
+ {
+- DH *dh=NULL;
++ static unsigned char dh1024_p[]={
++ 0x99,0x58,0xFA,0x90,0x53,0x2F,0xE0,0x61,0x83,0x9D,0x54,0x63,
++ 0xBD,0x35,0x5A,0x31,0xF3,0xC6,0x79,0xE5,0xA0,0x0F,0x66,0x79,
++ 0x3C,0xA0,0x7F,0xE8,0xA2,0x5F,0xDF,0x11,0x08,0xA3,0xF0,0x3C,
++ 0xC3,0x3C,0x5D,0x50,0x2C,0xD5,0xD6,0x58,0x12,0xDB,0xC1,0xEF,
++ 0xB4,0x47,0x4A,0x5A,0x39,0x8A,0x4E,0xEB,0x44,0xE2,0x07,0xFB,
++ 0x3D,0xA3,0xC7,0x6E,0x52,0xF3,0x2B,0x7B,0x10,0xA5,0x98,0xE3,
++ 0x38,0x2A,0xE2,0x7F,0xA4,0x8F,0x26,0x87,0x9B,0x66,0x7A,0xED,
++ 0x2D,0x4C,0xE7,0x33,0x77,0x47,0x94,0x43,0xB6,0xAA,0x97,0x23,
++ 0x8A,0xFC,0xA5,0xA6,0x64,0x09,0xC0,0x27,0xC0,0xEF,0xCB,0x05,
++ 0x90,0x9D,0xD5,0x75,0xBA,0x00,0xE0,0xFB,0xA8,0x81,0x52,0xA4,
++ 0xB2,0x83,0x22,0x5B,0xCB,0xD7,0x16,0x93,
++ };
++ static unsigned char dh1024_g[]={
++ 0x02,
++ };
++ DH *dh;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
++ dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
++ dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+- return(NULL);
++ { DH_free(dh); return(NULL); }
+ return(dh);
+ }
+ #endif
+@@ -1657,7 +1661,7 @@ bad:
+ else
+ {
+ BIO_printf(bio_s_out,"Using default temp DH parameters\n");
+- dh=get_dh512();
++ dh=get_dh1024();
+ }
+ (void)BIO_flush(bio_s_out);
+
diff --git a/openssl-1.0.1e-backports.patch b/openssl-1.0.1e-backports.patch
new file mode 100644
index 0000000..d6b7224
--- /dev/null
+++ b/openssl-1.0.1e-backports.patch
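Review bot: `get_dh1024()` still gives every s_server instance the same compiled-in 1024-bit group whenever the `Using default temp DH parameters` branch is taken, and nothing in the code or in that message says this is only a fallback. A comment above the function, e.g. `/* Fallback for the test server only: fixed, compiled-in 1024-bit group; supply your own DH parameters for anything else */`, would make that explicit. The new definition also drops the `(void)` that `get_dh512` had and keeps the tables writable; `static DH *get_dh1024(void)` with `static const unsigned char dh1024_p[]` and `dh1024_g[]` would be the tidier form.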
@@ -0,0 +1,256 @@
+From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
+From: Nick Alcock
+Date: Fri, 15 Feb 2013 17:44:11 +0000
+Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
+ 2.5.0+
+
+podlators 2.5.0 has switched to dying on POD syntax errors. This means
+that a bunch of long-standing erroneous POD in the openssl documentation
+now leads to fatal errors from pod2man, halting installation.
+
+Unfortunately POD constraints mean that you have to sort numeric lists
+in ascending order if they start with 1: you cannot do 1, 0, 2 even if
+you want 1 to appear first. I've reshuffled such (alas, I wish there
+were a better way but I don't know of one).
+(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
+---
+ doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++
+ doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++----
+ doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++
+ doc/ssl/SSL_accept.pod | 10 +++++-----
+ doc/ssl/SSL_connect.pod | 10 +++++-----
+ doc/ssl/SSL_do_handshake.pod | 10 +++++-----
+ doc/ssl/SSL_shutdown.pod | 10 +++++-----
+ 7 files changed, 30 insertions(+), 24 deletions(-)
+
+diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
+index a883f6c..60e8332 100644
+--- a/doc/crypto/X509_STORE_CTX_get_error.pod
++++ b/doc/crypto/X509_STORE_CTX_get_error.pod
+@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
+ an application specific error. This will never be returned unless explicitly
+ set by an application.
+
++=back
++
+ =head1 NOTES
+
+ The above functions should be used instead of directly referencing the fields
+diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
+index 632b556..5e66133 100644
+--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
++++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
+@@ -66,16 +66,16 @@ values:
+
+ =over 4
+
+-=item 1
+-
+-The operation succeeded.
+-
+ =item 0
+
+ A failure while manipulating the STACK_OF(X509_NAME) object occurred or
+ the X509_NAME could not be extracted from B. Check the error stack
+ to find out the reason.
+
++=item 1
++
++The operation succeeded.
++
+ =back
+
+ =head1 EXAMPLES
+diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
+index b80e25b..7e60df5 100644
+--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
++++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
+@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
+
+ Return values from the server callback are interpreted as follows:
+
++=over 4
++
+ =item > 0
+
+ PSK identity was found and the server callback has provided the PSK
+@@ -99,4 +101,6 @@ completely.
+ PSK identity was not found. An "unknown_psk_identity" alert message
+ will be sent and the connection setup fails.
+
++=back
++
+ =cut
+diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
+index cc724c0..b1c34d1 100644
+--- a/doc/ssl/SSL_accept.pod
++++ b/doc/ssl/SSL_accept.pod
+@@ -44,17 +44,17 @@ The following return values can occur:
+
+ =over 4
+
+-=item 1
+-
+-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+-established.
+-
+ =item 0
+
+ The TLS/SSL handshake was not successful but was shut down controlled and
+ by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+ return value B to find out the reason.
+
++=item 1
++
++The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
++established.
++
+ =item E0
+
+ The TLS/SSL handshake was not successful because a fatal error occurred either
+diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
+index cc56ebb..946ca89 100644
+--- a/doc/ssl/SSL_connect.pod
++++ b/doc/ssl/SSL_connect.pod
+@@ -41,17 +41,17 @@ The following return values can occur:
+
+ =over 4
+
+-=item 1
+-
+-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+-established.
+-
+ =item 0
+
+ The TLS/SSL handshake was not successful but was shut down controlled and
+ by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+ return value B to find out the reason.
+
++=item 1
++
++The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
++established.
++
+ =item E0
+
+ The TLS/SSL handshake was not successful, because a fatal error occurred either
+diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
+index 2435764..7f8cf24 100644
+--- a/doc/ssl/SSL_do_handshake.pod
++++ b/doc/ssl/SSL_do_handshake.pod
+@@ -45,17 +45,17 @@ The following return values can occur:
+
+ =over 4
+
+-=item 1
+-
+-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+-established.
+-
+ =item 0
+
+ The TLS/SSL handshake was not successful but was shut down controlled and
+ by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+ return value B to find out the reason.
+
++=item 1
++
++The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
++established.
++
+ =item E0
+
+ The TLS/SSL handshake was not successful because a fatal error occurred either
+diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
+index 89911ac..42a89b7 100644
+--- a/doc/ssl/SSL_shutdown.pod
++++ b/doc/ssl/SSL_shutdown.pod
+@@ -92,11 +92,6 @@ The following return values can occur:
+
+ =over 4
+
+-=item 1
+-
+-The shutdown was successfully completed. The "close notify" alert was sent
+-and the peer's "close notify" alert was received.
+-
+ =item 0
+
+ The shutdown is not yet finished. Call SSL_shutdown() for a second time,
+@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
+ The output of L may be misleading, as an
+ erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
+
++=item 1
++
++The shutdown was successfully completed. The "close notify" alert was sent
++and the peer's "close notify" alert was received.
++
+ =item -1
+
+ The shutdown was not successful because a fatal error occurred either
+--
+1.7.9.5
+
+From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Mon, 11 Feb 2013 18:24:03 +0000
+Subject: [PATCH] Fix for SSL_get_certificate
+
+Now we set the current certificate to the one used by a server
+there is no need to call ssl_get_server_send_cert which will
+fail if we haven't sent a certificate yet.
+---
+ ssl/ssl_lib.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 14d143d..ff5a85a 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
+ /* Fix this function so that it takes an optional type parameter */
+ X509 *SSL_get_certificate(const SSL *s)
+ {
+- if (s->server)
+- return(ssl_get_server_send_cert(s));
+- else if (s->cert != NULL)
++ if (s->cert != NULL)
+ return(s->cert->key->x509);
+ else
+ return(NULL);
+--
+1.7.9.5
+
+From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
+From: David Woodhouse
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: [PATCH] Check DTLS_BAD_VER for version number.
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+PR:2984
+(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
+---
+ ssl/s3_cbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ unsigned padding_length, good, to_check, i;
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+--
+1.7.9.5
+
diff --git a/openssl-1.0.1e-bad-mac.patch b/openssl-1.0.1e-bad-mac.patch
new file mode 100644
index 0000000..06d284e
--- /dev/null
+++ b/openssl-1.0.1e-bad-mac.patch
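Review bot: In the `tls1_cbc_remove_padding` change (ssl/s3_cbc.c, openssl-1.0.1e-backports.patch) the explicit-IV test now reads `s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER`, and the reason DTLS1_VERSION no longer has to be named exists only in the commit message. The existing comment `/* Check if version requires explicit IV */` does not say that the first comparison relies on the numeric ordering of the TLS and DTLS version constants, so the condition deserves a line such as `/* DTLS1_VERSION compares >= TLS1_1_VERSION; DTLS1_BAD_VER does not, so it is tested separately */`. The function body starts before and continues after the hunk, so how the branch uses the lengths is not visible here.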
@@ -0,0 +1,33 @@
+From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: [PATCH] e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI
+ plaforms.
+
+PR: 3002
+(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
+---
+ crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+
+ if (res!=SHA_CBLOCK) continue;
+
+- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++ /* j is not incremented yet */
++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+ pmac->u[0] |= key->md.h0 & mask;
+ pmac->u[1] |= key->md.h1 & mask;
+ pmac->u[2] |= key->md.h2 & mask;
+--
+1.7.9.5
+
diff --git a/openssl-1.0.1e-env-zlib.patch b/openssl-1.0.1e-env-zlib.patch
new file mode 100644
index 0000000..b702acb
--- /dev/null
+++ b/openssl-1.0.1e-env-zlib.patch
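Review bot: The corrected bounds `inp_len+7-j` and `j-inp_len-72` in `aesni_cbc_hmac_sha1_cipher` (openssl-1.0.1e-bad-mac.patch) are bare constants, and the new comment `/* j is not incremented yet */` explains the off-by-one but not which window the two masks select. Read together, the two expressions leave `mask` all-ones only while `inp_len+7 < j < inp_len+72`, assuming `j` and `inp_len` are unsigned and of the same width, which the hunk does not show. A comment stating that window, and that it is computed without branches (presumably so timing does not depend on the record length), would keep a later edit from reintroducing the error. Since the failure is described as rare, a regression vector at the boundary lengths would be worth adding. The function starts and ends outside the hunk.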
@@ -0,0 +1,38 @@
+diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2013-02-11 16:02:48.000000000 +0100
++++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-19 16:32:51.000000000 +0100
+@@ -47,6 +47,13 @@ Once the identities of the compression m
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+
+ SSL_COMP_add_compression_method() may return the following values:
+diff -up openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib openssl-1.0.1e/ssl/ssl_ciph.c
+--- openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-02-19 16:37:36.163545085 +0100
+@@ -140,6 +140,8 @@
+ * OTHERWISE.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include
+ #include
+ #ifndef OPENSSL_NO_COMP
+@@ -455,7 +457,7 @@ static void load_builtin_compressions(vo
+
+ MemCheck_off();
+ ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL)
++ if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
+ {
+ comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL)
diff --git a/openssl-1.0.1c-fips.patch b/openssl-1.0.1e-fips.patch
similarity index 95%
rename from openssl-1.0.1c-fips.patch
rename to openssl-1.0.1e-fips.patch
index 9d56a13..0175754 100644
--- a/openssl-1.0.1c-fips.patch
+++ b/openssl-1.0.1e-fips.patch
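Review bot: The gate added to `load_builtin_compressions` (ssl/ssl_ciph.c, openssl-1.0.1e-env-zlib.patch) tests only that `secure_getenv("OPENSSL_DEFAULT_ZLIB")` is non-NULL, so `OPENSSL_DEFAULT_ZLIB=0` or an empty value turns TLS compression back on exactly as `=1` does. The POD text says "is present", which matches the code, but an operator who sets the variable to 0 to be explicit gets the opposite of what was meant. Either say so at the test, e.g. `/* only presence is checked: any value, even empty or "0", enables zlib */`, or require a non-empty value other than "0". The function continues outside the hunk.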
@@ -1,6 +1,6 @@ -diff -up openssl-1.0.1c/apps/pkcs12.c.fips openssl-1.0.1c/apps/pkcs12.c ---- openssl-1.0.1c/apps/pkcs12.c.fips 2011-03-13 19:20:23.000000000 +0100 -+++ openssl-1.0.1c/apps/pkcs12.c 2012-07-12 21:49:25.316351789 +0200 +diff -up openssl-1.0.1e/apps/pkcs12.c.fips openssl-1.0.1e/apps/pkcs12.c +--- openssl-1.0.1e/apps/pkcs12.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/pkcs12.c 2013-02-19 12:47:33.714118364 +0100 @@ -67,6 +67,9 @@ #include #include @@ -23,9 +23,9 @@ diff -up openssl-1.0.1c/apps/pkcs12.c.fips openssl-1.0.1c/apps/pkcs12.c enc = EVP_des_ede3_cbc(); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); -diff -up openssl-1.0.1c/apps/speed.c.fips openssl-1.0.1c/apps/speed.c ---- openssl-1.0.1c/apps/speed.c.fips 2012-01-11 22:49:16.000000000 +0100 -+++ openssl-1.0.1c/apps/speed.c 2012-07-12 21:49:25.317351811 +0200 +diff -up openssl-1.0.1e/apps/speed.c.fips openssl-1.0.1e/apps/speed.c +--- openssl-1.0.1e/apps/speed.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/speed.c 2013-02-19 12:47:33.715118384 +0100 @@ -195,7 +195,6 @@ #ifdef OPENSSL_DOING_MAKEDEPEND #undef AES_set_encrypt_key @@ -123,10 +123,10 @@ diff -up openssl-1.0.1c/apps/speed.c.fips openssl-1.0.1c/apps/speed.c #endif #ifndef OPENSSL_NO_RSA memset(rsa_c,0,sizeof(rsa_c)); -diff -up openssl-1.0.1c/Configure.fips openssl-1.0.1c/Configure ---- openssl-1.0.1c/Configure.fips 2012-07-12 21:49:25.276350889 +0200 -+++ openssl-1.0.1c/Configure 2012-07-12 21:49:25.319351855 +0200 -@@ -993,11 +993,6 @@ if (defined($disabled{"md5"}) || defined +diff -up openssl-1.0.1e/Configure.fips openssl-1.0.1e/Configure +--- openssl-1.0.1e/Configure.fips 2013-02-19 12:47:33.670117470 +0100 ++++ openssl-1.0.1e/Configure 2013-02-19 12:47:33.716118405 +0100 +@@ -995,11 +995,6 @@ if (defined($disabled{"md5"}) || defined $disabled{"ssl2"} = "forced"; } 
@@ -138,7 +138,7 @@ diff -up openssl-1.0.1c/Configure.fips openssl-1.0.1c/Configure # RSAX ENGINE sets default non-FIPS RSA method. if ($fips) { -@@ -1472,7 +1467,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b +@@ -1474,7 +1469,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b if ($fips) { $openssl_other_defines.="#define OPENSSL_FIPS\n"; @@ -146,7 +146,7 @@ diff -up openssl-1.0.1c/Configure.fips openssl-1.0.1c/Configure } $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); -@@ -1659,9 +1653,12 @@ while () +@@ -1661,9 +1655,12 @@ while () s/^FIPSDIR=.*/FIPSDIR=$fipsdir/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; @@ -160,9 +160,9 @@ diff -up openssl-1.0.1c/Configure.fips openssl-1.0.1c/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.1c/crypto/aes/aes_misc.c.fips openssl-1.0.1c/crypto/aes/aes_misc.c ---- openssl-1.0.1c/crypto/aes/aes_misc.c.fips 2011-06-05 19:36:33.000000000 +0200 -+++ openssl-1.0.1c/crypto/aes/aes_misc.c 2012-07-12 21:49:25.319351855 +0200 +diff -up openssl-1.0.1e/crypto/aes/aes_misc.c.fips openssl-1.0.1e/crypto/aes/aes_misc.c +--- openssl-1.0.1e/crypto/aes/aes_misc.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/aes/aes_misc.c 2013-02-19 12:47:33.717118426 +0100 @@ -69,17 +69,11 @@ const char *AES_options(void) { int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) 
@@ -181,9 +181,9 @@ diff -up openssl-1.0.1c/crypto/aes/aes_misc.c.fips openssl-1.0.1c/crypto/aes/aes -#endif return private_AES_set_decrypt_key(userKey, bits, key); } -diff -up openssl-1.0.1c/crypto/cmac/cmac.c.fips openssl-1.0.1c/crypto/cmac/cmac.c ---- openssl-1.0.1c/crypto/cmac/cmac.c.fips 2012-04-11 17:11:16.000000000 +0200 -+++ openssl-1.0.1c/crypto/cmac/cmac.c 2012-07-12 21:49:25.319351855 +0200 +diff -up openssl-1.0.1e/crypto/cmac/cmac.c.fips openssl-1.0.1e/crypto/cmac/cmac.c +--- openssl-1.0.1e/crypto/cmac/cmac.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/cmac/cmac.c 2013-02-19 12:47:33.717118426 +0100 @@ -107,13 +107,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) @@ -232,9 +232,9 @@ diff -up openssl-1.0.1c/crypto/cmac/cmac.c.fips openssl-1.0.1c/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); -diff -up openssl-1.0.1c/crypto/crypto.h.fips openssl-1.0.1c/crypto/crypto.h ---- openssl-1.0.1c/crypto/crypto.h.fips 2012-07-12 21:49:25.048345760 +0200 -+++ openssl-1.0.1c/crypto/crypto.h 2012-07-12 21:49:25.320351878 +0200 +diff -up openssl-1.0.1e/crypto/crypto.h.fips openssl-1.0.1e/crypto/crypto.h +--- openssl-1.0.1e/crypto/crypto.h.fips 2013-02-19 12:47:33.444112876 +0100 ++++ openssl-1.0.1e/crypto/crypto.h 2013-02-19 12:47:33.718118447 +0100 @@ -553,24 +553,29 @@ int FIPS_mode_set(int r); void OPENSSL_init(void); @@ -270,7 +270,7 @@ diff -up openssl-1.0.1c/crypto/crypto.h.fips openssl-1.0.1c/crypto/crypto.h #define fips_cipher_abort(alg) while(0) #endif -@@ -580,6 +585,9 @@ void OPENSSL_init(void); +@@ -587,6 +592,9 @@ int CRYPTO_memcmp(const void *a, const v */ void ERR_load_CRYPTO_strings(void); 
@@ -280,9 +280,9 @@ diff -up openssl-1.0.1c/crypto/crypto.h.fips openssl-1.0.1c/crypto/crypto.h /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.1c/crypto/des/des.h.fips openssl-1.0.1c/crypto/des/des.h ---- openssl-1.0.1c/crypto/des/des.h.fips 2012-07-12 21:49:25.124347469 +0200 -+++ openssl-1.0.1c/crypto/des/des.h 2012-07-12 21:49:25.320351878 +0200 +diff -up openssl-1.0.1e/crypto/des/des.h.fips openssl-1.0.1e/crypto/des/des.h +--- openssl-1.0.1e/crypto/des/des.h.fips 2013-02-19 12:47:33.516114340 +0100 ++++ openssl-1.0.1e/crypto/des/des.h 2013-02-19 12:47:33.718118447 +0100 @@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DE int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule); @@ -293,10 +293,10 @@ diff -up openssl-1.0.1c/crypto/des/des.h.fips openssl-1.0.1c/crypto/des/des.h void DES_string_to_key(const char *str,DES_cblock *key); void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length, -diff -up openssl-1.0.1c/crypto/des/set_key.c.fips openssl-1.0.1c/crypto/des/set_key.c ---- openssl-1.0.1c/crypto/des/set_key.c.fips 2011-06-01 18:54:04.000000000 +0200 -+++ openssl-1.0.1c/crypto/des/set_key.c 2012-07-12 21:49:25.321351901 +0200 -@@ -337,13 +337,6 @@ int DES_set_key_checked(const_DES_cblock +diff -up openssl-1.0.1e/crypto/des/set_key.c.fips openssl-1.0.1e/crypto/des/set_key.c +--- openssl-1.0.1e/crypto/des/set_key.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/des/set_key.c 2013-02-19 12:47:33.719118468 +0100 +@@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock } void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) 
@@ -310,9 +310,9 @@ diff -up openssl-1.0.1c/crypto/des/set_key.c.fips openssl-1.0.1c/crypto/des/set_ { static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; register DES_LONG c,d,t,s,t2; -diff -up openssl-1.0.1c/crypto/dh/dh_gen.c.fips openssl-1.0.1c/crypto/dh/dh_gen.c ---- openssl-1.0.1c/crypto/dh/dh_gen.c.fips 2011-06-09 17:21:46.000000000 +0200 -+++ openssl-1.0.1c/crypto/dh/dh_gen.c 2012-07-12 21:49:25.321351901 +0200 +diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips openssl-1.0.1e/crypto/dh/dh_gen.c +--- openssl-1.0.1e/crypto/dh/dh_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-02-19 12:47:33.719118468 +0100 @@ -84,11 +84,6 @@ int DH_generate_parameters_ex(DH *ret, i #endif if(ret->meth->generate_params) @@ -346,9 +346,9 @@ diff -up openssl-1.0.1c/crypto/dh/dh_gen.c.fips openssl-1.0.1c/crypto/dh/dh_gen. ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); -diff -up openssl-1.0.1c/crypto/dh/dh.h.fips openssl-1.0.1c/crypto/dh/dh.h ---- openssl-1.0.1c/crypto/dh/dh.h.fips 2012-07-12 21:49:24.986344365 +0200 -+++ openssl-1.0.1c/crypto/dh/dh.h 2012-07-12 21:49:25.322351924 +0200 +diff -up openssl-1.0.1e/crypto/dh/dh.h.fips openssl-1.0.1e/crypto/dh/dh.h +--- openssl-1.0.1e/crypto/dh/dh.h.fips 2013-02-19 12:47:33.388111739 +0100 ++++ openssl-1.0.1e/crypto/dh/dh.h 2013-02-19 12:47:33.719118468 +0100 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 #endif 
@@ -358,9 +358,9 @@ diff -up openssl-1.0.1c/crypto/dh/dh.h.fips openssl-1.0.1c/crypto/dh/dh.h #define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH * implementation now uses constant time -diff -up openssl-1.0.1c/crypto/dh/dh_key.c.fips openssl-1.0.1c/crypto/dh/dh_key.c ---- openssl-1.0.1c/crypto/dh/dh_key.c.fips 2011-11-14 15:16:09.000000000 +0100 -+++ openssl-1.0.1c/crypto/dh/dh_key.c 2012-07-12 21:49:25.322351924 +0200 +diff -up openssl-1.0.1e/crypto/dh/dh_key.c.fips openssl-1.0.1e/crypto/dh/dh_key.c +--- openssl-1.0.1e/crypto/dh/dh_key.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dh/dh_key.c 2013-02-19 12:47:33.720118488 +0100 @@ -61,6 +61,9 @@ #include #include @@ -419,9 +419,9 @@ diff -up openssl-1.0.1c/crypto/dh/dh_key.c.fips openssl-1.0.1c/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.1c/crypto/dh/dh_lib.c.fips openssl-1.0.1c/crypto/dh/dh_lib.c ---- openssl-1.0.1c/crypto/dh/dh_lib.c.fips 2011-06-20 21:41:11.000000000 +0200 -+++ openssl-1.0.1c/crypto/dh/dh_lib.c 2012-07-12 21:49:25.323351947 +0200 +diff -up openssl-1.0.1e/crypto/dh/dh_lib.c.fips openssl-1.0.1e/crypto/dh/dh_lib.c +--- openssl-1.0.1e/crypto/dh/dh_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dh/dh_lib.c 2013-02-19 12:47:33.720118488 +0100 @@ -81,14 +81,7 @@ const DH_METHOD *DH_get_default_method(v { if(!default_DH_method) 
@@ -437,9 +437,9 @@ diff -up openssl-1.0.1c/crypto/dh/dh_lib.c.fips openssl-1.0.1c/crypto/dh/dh_lib. } return default_DH_method; } -diff -up openssl-1.0.1c/crypto/dsa/dsa_err.c.fips openssl-1.0.1c/crypto/dsa/dsa_err.c ---- openssl-1.0.1c/crypto/dsa/dsa_err.c.fips 2011-10-10 01:13:49.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_err.c 2012-07-12 21:49:25.323351947 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_err.c.fips openssl-1.0.1e/crypto/dsa/dsa_err.c +--- openssl-1.0.1e/crypto/dsa/dsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_err.c 2013-02-19 12:47:33.720118488 +0100 @@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]= {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"}, {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, @@ -458,9 +458,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_err.c.fips openssl-1.0.1c/crypto/dsa/dsa_ {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"}, -diff -up openssl-1.0.1c/crypto/dsa/dsa_gen.c.fips openssl-1.0.1c/crypto/dsa/dsa_gen.c ---- openssl-1.0.1c/crypto/dsa/dsa_gen.c.fips 2011-06-09 17:21:46.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_gen.c 2012-07-12 21:49:25.324351969 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips openssl-1.0.1e/crypto/dsa/dsa_gen.c +--- openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_gen.c 2013-02-19 12:47:33.721118508 +0100 @@ -85,6 +85,14 @@ #include #endif 
@@ -867,9 +867,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_gen.c.fips openssl-1.0.1c/crypto/dsa/dsa_ } if (mont != NULL) BN_MONT_CTX_free(mont); return ok; -diff -up openssl-1.0.1c/crypto/dsa/dsa.h.fips openssl-1.0.1c/crypto/dsa/dsa.h ---- openssl-1.0.1c/crypto/dsa/dsa.h.fips 2012-07-12 21:49:24.798340136 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa.h 2012-07-12 21:49:25.324351969 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips openssl-1.0.1e/crypto/dsa/dsa.h +--- openssl-1.0.1e/crypto/dsa/dsa.h.fips 2013-02-19 12:47:33.205108020 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa.h 2013-02-19 12:47:33.721118508 +0100 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif @@ -930,9 +930,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa.h.fips openssl-1.0.1c/crypto/dsa/dsa.h #define DSA_R_PARAMETER_ENCODING_ERROR 105 #ifdef __cplusplus -diff -up openssl-1.0.1c/crypto/dsa/dsa_key.c.fips openssl-1.0.1c/crypto/dsa/dsa_key.c ---- openssl-1.0.1c/crypto/dsa/dsa_key.c.fips 2011-06-09 17:21:46.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_key.c 2012-07-12 21:46:56.000000000 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips openssl-1.0.1e/crypto/dsa/dsa_key.c +--- openssl-1.0.1e/crypto/dsa/dsa_key.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-02-19 12:47:33.722118528 +0100 @@ -66,6 +66,35 @@ #ifdef OPENSSL_FIPS @@ -945,7 +945,7 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_key.c.fips openssl-1.0.1c/crypto/dsa/dsa_ + unsigned char tbs[] = "DSA Pairwise Check Data"; + int ret = 0; + -+ if ((pk=EVP_PKEY_new()) != NULL) ++ if ((pk=EVP_PKEY_new()) == NULL) + goto err; + + EVP_PKEY_set1_DSA(pk, dsa); 
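Review bot: In the pairwise-check helper that the FIPS patch adds to crypto/dsa/dsa_key.c (hunk `@@ -945,7 +945,7 @@`), the line after the corrected allocation test, `EVP_PKEY_set1_DSA(pk, dsa);`, still discards its return value. If that call fails, the self-test would proceed with a `pk` that holds no key, so the check should fail closed: `if (!EVP_PKEY_set1_DSA(pk, dsa)) goto err;`. The rest of the function, including what the `err` label releases, lies outside the hunk.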
@@ -1011,9 +1011,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_key.c.fips openssl-1.0.1c/crypto/dsa/dsa_ ok=1; err: -diff -up openssl-1.0.1c/crypto/dsa/dsa_lib.c.fips openssl-1.0.1c/crypto/dsa/dsa_lib.c ---- openssl-1.0.1c/crypto/dsa/dsa_lib.c.fips 2011-11-14 15:16:09.000000000 +0100 -+++ openssl-1.0.1c/crypto/dsa/dsa_lib.c 2012-07-12 21:49:25.325351991 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips openssl-1.0.1e/crypto/dsa/dsa_lib.c +--- openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_lib.c 2013-02-19 12:47:33.722118528 +0100 @@ -87,14 +87,7 @@ const DSA_METHOD *DSA_get_default_method { if(!default_DSA_method) @@ -1029,18 +1029,18 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_lib.c.fips openssl-1.0.1c/crypto/dsa/dsa_ } return default_DSA_method; } -diff -up openssl-1.0.1c/crypto/dsa/dsa_locl.h.fips openssl-1.0.1c/crypto/dsa/dsa_locl.h ---- openssl-1.0.1c/crypto/dsa/dsa_locl.h.fips 2012-07-12 21:49:24.802340226 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_locl.h 2012-07-12 21:49:25.325351991 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips openssl-1.0.1e/crypto/dsa/dsa_locl.h +--- openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips 2013-02-19 12:47:33.209108100 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_locl.h 2013-02-19 12:47:33.722118528 +0100 
@@ -56,5 +56,4 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, - unsigned char *seed_out, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); -diff -up openssl-1.0.1c/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1c/crypto/dsa/dsa_ossl.c ---- openssl-1.0.1c/crypto/dsa/dsa_ossl.c.fips 2011-02-01 13:53:47.000000000 +0100 -+++ openssl-1.0.1c/crypto/dsa/dsa_ossl.c 2012-07-12 21:49:25.326352013 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1e/crypto/dsa/dsa_ossl.c +--- openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c 2013-02-19 12:47:33.723118548 +0100 @@ -65,6 +65,9 @@ #include #include @@ -1114,9 +1114,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1c/crypto/dsa/dsa dsa->flags|=DSA_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.1c/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1c/crypto/dsa/dsa_pmeth.c ---- openssl-1.0.1c/crypto/dsa/dsa_pmeth.c.fips 2011-06-20 22:05:13.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_pmeth.c 2012-07-12 21:49:25.326352013 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1e/crypto/dsa/dsa_pmeth.c +--- openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_pmeth.c 2013-02-19 12:47:33.723118548 +0100 @@ -255,7 +255,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT if (!dsa) return 0; 
@@ -1126,9 +1126,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1c/crypto/dsa/ds if (ret) EVP_PKEY_assign_DSA(pkey, dsa); else -diff -up openssl-1.0.1c/crypto/dsa/dsatest.c.fips openssl-1.0.1c/crypto/dsa/dsatest.c ---- openssl-1.0.1c/crypto/dsa/dsatest.c.fips 2008-08-06 17:54:11.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsatest.c 2012-07-12 21:49:25.327352035 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsatest.c.fips openssl-1.0.1e/crypto/dsa/dsatest.c +--- openssl-1.0.1e/crypto/dsa/dsatest.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsatest.c 2013-02-19 12:47:33.723118548 +0100 @@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ @@ -1213,9 +1213,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsatest.c.fips openssl-1.0.1c/crypto/dsa/dsat goto end; } if (h != 2) -diff -up openssl-1.0.1c/crypto/engine/eng_all.c.fips openssl-1.0.1c/crypto/engine/eng_all.c ---- openssl-1.0.1c/crypto/engine/eng_all.c.fips 2011-08-10 20:53:13.000000000 +0200 -+++ openssl-1.0.1c/crypto/engine/eng_all.c 2012-07-12 21:49:25.327352035 +0200 +diff -up openssl-1.0.1e/crypto/engine/eng_all.c.fips openssl-1.0.1e/crypto/engine/eng_all.c +--- openssl-1.0.1e/crypto/engine/eng_all.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-02-19 12:47:33.724118569 +0100 @@ -58,11 +58,25 @@ #include "cryptlib.h" 
@@ -1242,32 +1242,9 @@ diff -up openssl-1.0.1c/crypto/engine/eng_all.c.fips openssl-1.0.1c/crypto/engin #if 0 /* There's no longer any need for an "openssl" ENGINE unless, one day, * it is the *only* way for standard builtin implementations to be be -diff -up openssl-1.0.1c/crypto/err/err_all.c.fips openssl-1.0.1c/crypto/err/err_all.c ---- openssl-1.0.1c/crypto/err/err_all.c.fips 2011-06-21 18:58:10.000000000 +0200 -+++ openssl-1.0.1c/crypto/err/err_all.c 2012-07-12 21:49:25.327352035 +0200 -@@ -96,6 +96,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+#include -+#endif - #ifndef OPENSSL_NO_CMS - #include - #endif -@@ -153,6 +156,9 @@ void ERR_load_crypto_strings(void) - #endif - ERR_load_OCSP_strings(); - ERR_load_UI_strings(); -+#ifdef OPENSSL_FIPS -+ ERR_load_FIPS_strings(); -+#endif - #ifndef OPENSSL_NO_CMS - ERR_load_CMS_strings(); - #endif -diff -up openssl-1.0.1c/crypto/evp/c_allc.c.fips openssl-1.0.1c/crypto/evp/c_allc.c ---- openssl-1.0.1c/crypto/evp/c_allc.c.fips 2011-11-14 22:13:35.000000000 +0100 -+++ openssl-1.0.1c/crypto/evp/c_allc.c 2012-07-12 21:49:25.328352058 +0200 +diff -up openssl-1.0.1e/crypto/evp/c_allc.c.fips openssl-1.0.1e/crypto/evp/c_allc.c +--- openssl-1.0.1e/crypto/evp/c_allc.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/c_allc.c 2013-02-19 12:47:33.725118589 +0100 @@ -65,6 +65,11 @@ void OpenSSL_add_all_ciphers(void) { 
@@ -1341,9 +1318,9 @@ diff -up openssl-1.0.1c/crypto/evp/c_allc.c.fips openssl-1.0.1c/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.1c/crypto/evp/c_alld.c.fips openssl-1.0.1c/crypto/evp/c_alld.c ---- openssl-1.0.1c/crypto/evp/c_alld.c.fips 2009-07-08 10:50:53.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/c_alld.c 2012-07-12 21:49:25.328352058 +0200 +diff -up openssl-1.0.1e/crypto/evp/c_alld.c.fips openssl-1.0.1e/crypto/evp/c_alld.c +--- openssl-1.0.1e/crypto/evp/c_alld.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/c_alld.c 2013-02-19 12:47:33.725118589 +0100 @@ -64,6 +64,11 @@ void OpenSSL_add_all_digests(void) @@ -1389,9 +1366,9 @@ diff -up openssl-1.0.1c/crypto/evp/c_alld.c.fips openssl-1.0.1c/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/digest.c ---- openssl-1.0.1c/crypto/evp/digest.c.fips 2011-05-29 17:55:13.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/digest.c 2012-07-12 21:49:25.329352081 +0200 +diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/digest.c +--- openssl-1.0.1e/crypto/evp/digest.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/digest.c 2013-02-19 12:51:41.276779877 +0100 @@ -142,9 +142,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } @@ -1491,7 +1468,7 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges } /* The caller can assume that this removes any secret data from the context */ -@@ -263,10 +305,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns +@@ -263,11 +305,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { 
@@ -1499,14 +1476,14 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges - return FIPS_digestfinal(ctx, md, size); -#else int ret; + +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif -+ OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); if (size != NULL) -@@ -278,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, +@@ -279,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, } memset(ctx->md_data,0,ctx->digest->ctx_size); return ret; @@ -1514,7 +1491,7 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) -@@ -372,7 +414,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) +@@ -373,7 +414,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { @@ -1522,7 +1499,7 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, * because sometimes only copies of the context are ever finalised. */ -@@ -385,7 +426,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) +@@ -386,7 +426,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } @@ -1530,7 +1507,7 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges if (ctx->pctx) EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE -@@ -394,9 +434,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) +@@ -395,9 +434,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); #endif 
@@ -1540,9 +1517,9 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges memset(ctx,'\0',sizeof *ctx); return 1; -diff -up openssl-1.0.1c/crypto/evp/e_aes.c.fips openssl-1.0.1c/crypto/evp/e_aes.c ---- openssl-1.0.1c/crypto/evp/e_aes.c.fips 2011-11-15 13:19:56.000000000 +0100 -+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-07-12 21:49:25.330352104 +0200 +diff -up openssl-1.0.1e/crypto/evp/e_aes.c.fips openssl-1.0.1e/crypto/evp/e_aes.c +--- openssl-1.0.1e/crypto/evp/e_aes.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/e_aes.c 2013-02-19 12:47:33.726118609 +0100 @@ -56,7 +56,6 @@ #include #include @@ -1569,14 +1546,14 @@ diff -up openssl-1.0.1c/crypto/evp/e_aes.c.fips openssl-1.0.1c/crypto/evp/e_aes. (len > (1UL<<20)*16)) { EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); -@@ -1310,4 +1309,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm +@@ -1311,4 +1310,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) #endif -#endif -diff -up openssl-1.0.1c/crypto/evp/e_des3.c.fips openssl-1.0.1c/crypto/evp/e_des3.c ---- openssl-1.0.1c/crypto/evp/e_des3.c.fips 2011-05-29 01:01:26.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/e_des3.c 2012-07-12 21:49:25.330352104 +0200 +diff -up openssl-1.0.1e/crypto/evp/e_des3.c.fips openssl-1.0.1e/crypto/evp/e_des3.c +--- openssl-1.0.1e/crypto/evp/e_des3.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/e_des3.c 2013-02-19 12:47:33.727118629 +0100 @@ -65,8 +65,6 @@ #include #include 
@@ -1635,9 +1612,9 @@ diff -up openssl-1.0.1c/crypto/evp/e_des3.c.fips openssl-1.0.1c/crypto/evp/e_des } #endif -#endif -diff -up openssl-1.0.1c/crypto/evp/e_null.c.fips openssl-1.0.1c/crypto/evp/e_null.c ---- openssl-1.0.1c/crypto/evp/e_null.c.fips 2011-06-20 22:00:10.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/e_null.c 2012-07-12 21:49:25.330352104 +0200 +diff -up openssl-1.0.1e/crypto/evp/e_null.c.fips openssl-1.0.1e/crypto/evp/e_null.c +--- openssl-1.0.1e/crypto/evp/e_null.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/e_null.c 2013-02-19 12:47:33.727118629 +0100 @@ -61,8 +61,6 @@ #include #include @@ -1661,9 +1638,9 @@ diff -up openssl-1.0.1c/crypto/evp/e_null.c.fips openssl-1.0.1c/crypto/evp/e_nul return 1; } -#endif -diff -up openssl-1.0.1c/crypto/evp/evp_enc.c.fips openssl-1.0.1c/crypto/evp/evp_enc.c ---- openssl-1.0.1c/crypto/evp/evp_enc.c.fips 2012-04-20 02:07:48.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/evp_enc.c 2012-07-12 21:49:25.331352127 +0200 +diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.fips openssl-1.0.1e/crypto/evp/evp_enc.c +--- openssl-1.0.1e/crypto/evp/evp_enc.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/evp_enc.c 2013-02-19 12:47:33.728118649 +0100 @@ -69,17 +69,58 @@ #endif #include "evp_locl.h" @@ -1812,9 +1789,9 @@ diff -up openssl-1.0.1c/crypto/evp/evp_enc.c.fips openssl-1.0.1c/crypto/evp/evp_ memset(c,0,sizeof(EVP_CIPHER_CTX)); return 1; } -diff -up openssl-1.0.1c/crypto/evp/evp.h.fips openssl-1.0.1c/crypto/evp/evp.h ---- openssl-1.0.1c/crypto/evp/evp.h.fips 2012-07-12 21:49:25.081346502 +0200 -+++ openssl-1.0.1c/crypto/evp/evp.h 2012-07-12 21:49:25.332352149 +0200 +diff -up openssl-1.0.1e/crypto/evp/evp.h.fips openssl-1.0.1e/crypto/evp/evp.h +--- openssl-1.0.1e/crypto/evp/evp.h.fips 2013-02-19 12:47:33.474113487 +0100 ++++ openssl-1.0.1e/crypto/evp/evp.h 2013-02-19 12:47:33.728118649 +0100 @@ -75,6 +75,10 @@ #include #endif 
@@ -1867,9 +1844,9 @@ diff -up openssl-1.0.1c/crypto/evp/evp.h.fips openssl-1.0.1c/crypto/evp/evp.h /* Cipher handles any and all padding logic as well * as finalisation. */ -diff -up openssl-1.0.1c/crypto/evp/evp_lib.c.fips openssl-1.0.1c/crypto/evp/evp_lib.c ---- openssl-1.0.1c/crypto/evp/evp_lib.c.fips 2011-05-29 04:32:05.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/evp_lib.c 2012-07-12 21:49:25.332352149 +0200 +diff -up openssl-1.0.1e/crypto/evp/evp_lib.c.fips openssl-1.0.1e/crypto/evp/evp_lib.c +--- openssl-1.0.1e/crypto/evp/evp_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/evp_lib.c 2013-02-19 12:47:33.729118669 +0100 @@ -190,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) @@ -1880,9 +1857,9 @@ diff -up openssl-1.0.1c/crypto/evp/evp_lib.c.fips openssl-1.0.1c/crypto/evp/evp_ return ctx->cipher->do_cipher(ctx,out,in,inl); } -diff -up openssl-1.0.1c/crypto/evp/evp_locl.h.fips openssl-1.0.1c/crypto/evp/evp_locl.h ---- openssl-1.0.1c/crypto/evp/evp_locl.h.fips 2012-07-12 21:49:25.071346278 +0200 -+++ openssl-1.0.1c/crypto/evp/evp_locl.h 2012-07-12 21:49:25.333352171 +0200 +diff -up openssl-1.0.1e/crypto/evp/evp_locl.h.fips openssl-1.0.1e/crypto/evp/evp_locl.h +--- openssl-1.0.1e/crypto/evp/evp_locl.h.fips 2013-02-19 12:47:33.465113304 +0100 ++++ openssl-1.0.1e/crypto/evp/evp_locl.h 2013-02-19 12:47:33.729118669 +0100 @@ -258,10 +258,9 @@ const EVP_CIPHER *EVP_##cname##_ecb(void BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ 
@@ -1917,9 +1894,9 @@ diff -up openssl-1.0.1c/crypto/evp/evp_locl.h.fips openssl-1.0.1c/crypto/evp/evp #define Camellia_set_key private_Camellia_set_key #endif -diff -up openssl-1.0.1c/crypto/evp/Makefile.fips openssl-1.0.1c/crypto/evp/Makefile ---- openssl-1.0.1c/crypto/evp/Makefile.fips 2012-04-26 12:42:19.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/Makefile 2012-07-12 21:49:25.333352171 +0200 +diff -up openssl-1.0.1e/crypto/evp/Makefile.fips openssl-1.0.1e/crypto/evp/Makefile +--- openssl-1.0.1e/crypto/evp/Makefile.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/Makefile 2013-02-19 12:53:25.468917386 +0100 @@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ @@ -1928,7 +1905,7 @@ diff -up openssl-1.0.1c/crypto/evp/Makefile.fips openssl-1.0.1c/crypto/evp/Makef + e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c - LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ + LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \ @@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_ bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ @@ -1938,9 +1915,9 @@ diff -up openssl-1.0.1c/crypto/evp/Makefile.fips openssl-1.0.1c/crypto/evp/Makef e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o SRC= $(LIBSRC) -diff -up openssl-1.0.1c/crypto/evp/m_dss1.c.fips openssl-1.0.1c/crypto/evp/m_dss1.c ---- openssl-1.0.1c/crypto/evp/m_dss1.c.fips 2011-06-01 17:11:00.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/m_dss1.c 2012-07-12 21:49:25.333352171 +0200 +diff -up openssl-1.0.1e/crypto/evp/m_dss1.c.fips openssl-1.0.1e/crypto/evp/m_dss1.c +--- openssl-1.0.1e/crypto/evp/m_dss1.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/m_dss1.c 2013-02-19 12:47:33.730118689 +0100 @@ -68,8 +68,6 @@ #include #endif 
@@ -1964,9 +1941,9 @@ diff -up openssl-1.0.1c/crypto/evp/m_dss1.c.fips openssl-1.0.1c/crypto/evp/m_dss } #endif -#endif -diff -up openssl-1.0.1c/crypto/evp/m_dss.c.fips openssl-1.0.1c/crypto/evp/m_dss.c ---- openssl-1.0.1c/crypto/evp/m_dss.c.fips 2011-06-01 17:11:00.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/m_dss.c 2012-07-12 21:49:25.333352171 +0200 +diff -up openssl-1.0.1e/crypto/evp/m_dss.c.fips openssl-1.0.1e/crypto/evp/m_dss.c +--- openssl-1.0.1e/crypto/evp/m_dss.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/m_dss.c 2013-02-19 12:47:33.730118689 +0100 @@ -66,7 +66,6 @@ #endif @@ -1989,9 +1966,9 @@ diff -up openssl-1.0.1c/crypto/evp/m_dss.c.fips openssl-1.0.1c/crypto/evp/m_dss. } #endif -#endif -diff -up openssl-1.0.1c/crypto/evp/m_md2.c.fips openssl-1.0.1c/crypto/evp/m_md2.c ---- openssl-1.0.1c/crypto/evp/m_md2.c.fips 2005-07-16 14:37:32.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/m_md2.c 2012-07-12 21:49:25.334352193 +0200 +diff -up openssl-1.0.1e/crypto/evp/m_md2.c.fips openssl-1.0.1e/crypto/evp/m_md2.c +--- openssl-1.0.1e/crypto/evp/m_md2.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/m_md2.c 2013-02-19 12:47:33.731118710 +0100 @@ -68,6 +68,7 @@ #ifndef OPENSSL_NO_RSA #include @@ -2000,9 +1977,9 @@ diff -up openssl-1.0.1c/crypto/evp/m_md2.c.fips openssl-1.0.1c/crypto/evp/m_md2. static int init(EVP_MD_CTX *ctx) { return MD2_Init(ctx->md_data); } -diff -up openssl-1.0.1c/crypto/evp/m_sha1.c.fips openssl-1.0.1c/crypto/evp/m_sha1.c ---- openssl-1.0.1c/crypto/evp/m_sha1.c.fips 2011-05-29 01:01:26.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/m_sha1.c 2012-07-12 21:49:25.334352193 +0200 +diff -up openssl-1.0.1e/crypto/evp/m_sha1.c.fips openssl-1.0.1e/crypto/evp/m_sha1.c +--- openssl-1.0.1e/crypto/evp/m_sha1.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/m_sha1.c 2013-02-19 12:47:33.731118710 +0100 @@ -59,8 +59,6 @@ #include #include "cryptlib.h" 
@@ -2067,9 +2044,9 @@ diff -up openssl-1.0.1c/crypto/evp/m_sha1.c.fips openssl-1.0.1c/crypto/evp/m_sha #endif /* ifndef OPENSSL_NO_SHA512 */ -#endif -diff -up openssl-1.0.1c/crypto/evp/p_sign.c.fips openssl-1.0.1c/crypto/evp/p_sign.c ---- openssl-1.0.1c/crypto/evp/p_sign.c.fips 2011-06-09 18:02:39.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/p_sign.c 2012-07-12 21:49:25.334352193 +0200 +diff -up openssl-1.0.1e/crypto/evp/p_sign.c.fips openssl-1.0.1e/crypto/evp/p_sign.c +--- openssl-1.0.1e/crypto/evp/p_sign.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/p_sign.c 2013-02-19 12:47:33.731118710 +0100 @@ -61,6 +61,7 @@ #include #include @@ -2101,9 +2078,9 @@ diff -up openssl-1.0.1c/crypto/evp/p_sign.c.fips openssl-1.0.1c/crypto/evp/p_sig if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.1c/crypto/evp/p_verify.c.fips openssl-1.0.1c/crypto/evp/p_verify.c ---- openssl-1.0.1c/crypto/evp/p_verify.c.fips 2011-06-09 18:02:39.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/p_verify.c 2012-07-12 21:49:25.334352193 +0200 +diff -up openssl-1.0.1e/crypto/evp/p_verify.c.fips openssl-1.0.1e/crypto/evp/p_verify.c +--- openssl-1.0.1e/crypto/evp/p_verify.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/p_verify.c 2013-02-19 12:47:33.732118731 +0100 @@ -61,6 +61,7 @@ #include #include 
@@ -2135,9 +2112,9 @@ diff -up openssl-1.0.1c/crypto/evp/p_verify.c.fips openssl-1.0.1c/crypto/evp/p_v i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c.fips 2012-07-12 21:49:25.335352215 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c 2012-07-12 21:49:25.335352215 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips 2013-02-19 12:47:33.732118731 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c 2013-02-19 12:47:33.732118731 +0100 @@ -0,0 +1,939 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -3078,9 +3055,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1c/crypt + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c.fips 2012-07-12 21:49:25.335352215 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c 2012-07-12 21:49:25.335352215 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips 2013-02-19 12:47:33.732118731 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c 2013-02-19 12:47:33.732118731 +0100 @@ -0,0 +1,517 @@ +/* fips_cmactest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -3599,9 +3576,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1c/cry + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c.fips 2012-07-12 21:49:25.335352215 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c 2012-07-12 21:49:25.335352215 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips 2013-02-19 12:47:33.733118752 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c 2013-02-19 12:47:33.733118752 +0100 @@ -0,0 +1,702 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -4305,9 +4282,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1c/cryp + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c.fips 2012-07-12 21:49:25.336352238 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c 2012-07-12 21:49:25.336352238 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips 2013-02-19 12:47:33.733118752 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c 2013-02-19 12:47:33.733118752 +0100 @@ -0,0 +1,292 @@ +/* fips/dh/fips_dhvs.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -4601,9 +4578,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1c/crypto/ + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c.fips 2012-07-12 21:49:25.336352238 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c 2012-07-12 21:49:25.336352238 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips 2013-02-19 12:47:33.733118752 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c 2013-02-19 12:47:33.733118752 +0100 @@ -0,0 +1,416 @@ +/* fips/rand/fips_drbgvs.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5021,9 +4998,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1c/crypt + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c.fips 2012-07-12 21:49:25.336352238 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c 2012-07-12 21:49:25.336352238 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips 2013-02-19 12:47:33.733118752 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c 2013-02-19 12:47:33.733118752 +0100 @@ -0,0 +1,537 @@ +#include + 
@@ -5562,9 +5539,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1c/crypto + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c.fips 2012-07-12 21:49:25.336352238 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c 2012-07-12 21:49:25.336352238 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips 2013-02-19 12:47:33.734118772 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c 2013-02-19 12:47:33.734118772 +0100 @@ -0,0 +1,571 @@ +/* fips/aes/fips_gcmtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -6137,9 +6114,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1c/cryp +} + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c.fips 2012-07-12 21:49:25.337352261 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c 2012-07-12 21:49:25.337352261 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips 2013-02-19 12:47:33.734118772 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c 2013-02-19 12:47:33.734118772 +0100 @@ -0,0 +1,230 @@ +/* + * Crude test driver for processing the VST and MCT testvector files 
@@ -6371,9 +6348,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1c/crypto + return 0; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c.fips 2012-07-12 21:49:25.337352261 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c 2012-07-12 21:49:25.337352261 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips 2013-02-19 12:47:33.734118772 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c 2013-02-19 12:47:33.734118772 +0100 @@ -0,0 +1,390 @@ +/* fips_rsagtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -6765,9 +6742,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1c/cry + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c.fips 2012-07-12 21:49:25.337352261 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c 2012-07-12 21:49:25.337352261 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips 2013-02-19 12:47:33.734118772 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c 2013-02-19 12:47:33.734118772 +0100 @@ -0,0 +1,370 @@ +/* fips_rsastest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -7139,9 +7116,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1c/cry + return ret; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c.fips 2012-07-12 21:49:25.337352261 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c 2012-07-12 21:49:25.337352261 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c 2013-02-19 12:47:33.735118792 +0100 @@ -0,0 +1,377 @@ +/* fips_rsavtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7520,9 +7497,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1c/cry + return ret; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c 2012-07-12 21:49:25.338352284 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c 2013-02-19 12:47:33.735118792 +0100 @@ -0,0 +1,388 @@ +/* fips_shatest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -7912,9 +7889,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1c/cryp + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1c/crypto/fips/cavs/fips_utl.h ---- openssl-1.0.1c/crypto/fips/cavs/fips_utl.h.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_utl.h 2012-07-12 21:49:25.338352284 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1e/crypto/fips/cavs/fips_utl.h +--- openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_utl.h 2013-02-19 12:47:33.735118792 +0100 @@ -0,0 +1,343 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -8259,9 +8236,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1c/crypto/f +#endif + } + -diff -up openssl-1.0.1c/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_aes_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_aes_selftest.c.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_aes_selftest.c 2012-07-12 21:49:25.338352284 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_aes_selftest.c 2013-02-19 12:47:33.735118792 +0100 @@ -0,0 +1,359 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -8622,9 +8599,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1c/cryp + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips.c.fips openssl-1.0.1c/crypto/fips/fips.c ---- openssl-1.0.1c/crypto/fips/fips.c.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/fips.c 2012-07-12 21:49:25.338352284 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips.c.fips openssl-1.0.1e/crypto/fips/fips.c +--- openssl-1.0.1e/crypto/fips/fips.c.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/fips.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,489 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9115,9 +9092,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips.c.fips openssl-1.0.1c/crypto/fips/fips. + + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips 2013-02-19 12:47:33.736118812 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,161 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -9280,9 +9257,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1c/cry + return rv; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_des_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_des_selftest.c.fips 2012-07-12 21:49:25.339352307 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_des_selftest.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_des_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips 2013-02-19 12:47:33.736118812 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_des_selftest.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,147 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9431,9 +9408,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1c/cryp + return ret; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c.fips 2012-07-12 21:49:25.339352307 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips 2013-02-19 12:47:33.736118812 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,436 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -9871,9 +9848,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1c/crypto/f + + return 1; + } -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_hash.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_hash.c.fips 2012-07-12 21:49:25.339352307 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_hash.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hash.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips 2013-02-19 12:47:33.736118812 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_hash.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,378 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10253,9 +10230,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1c/crypto/ + + return 1; + } -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c.fips 2012-07-12 21:49:25.339352307 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips 2013-02-19 12:47:33.737118832 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c 2013-02-19 12:47:33.737118832 +0100 @@ -0,0 +1,281 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -10538,9 +10515,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1c/crypto/ + + return 1; + } -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_lib.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_lib.c.fips 2012-07-12 21:49:25.340352329 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_lib.c 2012-07-12 21:49:25.340352329 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_lib.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips 2013-02-19 12:47:33.737118832 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_lib.c 2013-02-19 12:47:33.737118832 +0100 @@ -0,0 +1,578 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -11120,9 +11097,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1c/crypto/f + memcpy(dctx->lb, out, dctx->blocklength); + return 1; + } -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_rand.c.fips 2012-07-12 21:49:25.340352329 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_rand.c 2012-07-12 21:49:25.340352329 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips 2013-02-19 12:47:33.737118832 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_rand.c 2013-02-19 12:47:33.737118832 +0100 @@ -0,0 +1,172 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -11296,9 +11273,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1c/crypto/ + return &rand_drbg_meth; + } + -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c.fips 2012-07-12 21:49:25.340352329 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c 2012-07-12 21:49:25.340352329 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips 2013-02-19 12:47:33.737118832 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c 2013-02-19 12:47:33.737118832 +0100 @@ -0,0 +1,862 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -12162,9 +12139,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1c/cry + return rv; + } + -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h ---- openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h.fips 2012-07-12 21:49:25.341352351 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h 2012-07-12 21:49:25.341352351 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h +--- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips 2013-02-19 12:47:33.738118852 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h 2013-02-19 12:47:33.738118852 +0100 @@ -0,0 +1,2335 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -14501,9 +14478,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1c/cry + 0xc2,0xd6,0xfd,0xa5 + }; + -diff -up openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.fips 2012-07-12 21:49:25.342352373 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c 2012-07-12 21:49:25.342352373 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips 2013-02-19 12:47:33.739118872 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c 2013-02-19 12:47:33.739118872 +0100 @@ -0,0 +1,193 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -14698,9 +14675,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1c/cryp + return ret; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_enc.c.fips openssl-1.0.1c/crypto/fips/fips_enc.c ---- openssl-1.0.1c/crypto/fips/fips_enc.c.fips 2012-07-12 21:49:25.342352373 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_enc.c 2012-07-12 21:49:25.342352373 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_enc.c.fips openssl-1.0.1e/crypto/fips/fips_enc.c +--- openssl-1.0.1e/crypto/fips/fips_enc.c.fips 2013-02-19 12:47:33.739118872 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_enc.c 2013-02-19 12:47:33.739118872 +0100 @@ -0,0 +1,191 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 
@@ -14893,9 +14870,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_enc.c.fips openssl-1.0.1c/crypto/fips/f + } + } + -diff -up openssl-1.0.1c/crypto/fips/fips.h.fips openssl-1.0.1c/crypto/fips/fips.h ---- openssl-1.0.1c/crypto/fips/fips.h.fips 2012-07-12 21:49:25.342352373 +0200 -+++ openssl-1.0.1c/crypto/fips/fips.h 2012-07-12 21:49:25.342352373 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips.h.fips openssl-1.0.1e/crypto/fips/fips.h +--- openssl-1.0.1e/crypto/fips/fips.h.fips 2013-02-19 12:47:33.739118872 +0100 ++++ openssl-1.0.1e/crypto/fips/fips.h 2013-02-19 12:47:33.739118872 +0100 @@ -0,0 +1,279 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -15176,9 +15153,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips.h.fips openssl-1.0.1c/crypto/fips/fips. +} +#endif +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c.fips 2012-07-12 21:49:25.342352373 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c 2012-07-12 21:49:25.342352373 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips 2013-02-19 12:47:33.739118872 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,137 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 
@@ -15317,9 +15294,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1c/cry + return 1; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_locl.h.fips openssl-1.0.1c/crypto/fips/fips_locl.h ---- openssl-1.0.1c/crypto/fips/fips_locl.h.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_locl.h 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_locl.h.fips openssl-1.0.1e/crypto/fips/fips_locl.h +--- openssl-1.0.1e/crypto/fips/fips_locl.h.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_locl.h 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -15392,9 +15369,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_locl.h.fips openssl-1.0.1c/crypto/fips/ +} +#endif +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_md.c.fips openssl-1.0.1c/crypto/fips/fips_md.c ---- openssl-1.0.1c/crypto/fips/fips_md.c.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_md.c 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_md.c.fips openssl-1.0.1e/crypto/fips/fips_md.c +--- openssl-1.0.1e/crypto/fips/fips_md.c.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_md.c 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,145 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 
@@ -15541,9 +15518,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_md.c.fips openssl-1.0.1c/crypto/fips/fi + return NULL; + } + } -diff -up openssl-1.0.1c/crypto/fips/fips_post.c.fips openssl-1.0.1c/crypto/fips/fips_post.c ---- openssl-1.0.1c/crypto/fips/fips_post.c.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_post.c 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips openssl-1.0.1e/crypto/fips/fips_post.c +--- openssl-1.0.1e/crypto/fips/fips_post.c.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,205 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -15750,9 +15727,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_post.c.fips openssl-1.0.1c/crypto/fips/ + return 1; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_rand.c.fips openssl-1.0.1c/crypto/fips/fips_rand.c ---- openssl-1.0.1c/crypto/fips/fips_rand.c.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand.c 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand.c.fips openssl-1.0.1e/crypto/fips/fips_rand.c +--- openssl-1.0.1e/crypto/fips/fips_rand.c.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand.c 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,457 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. 
@@ -16211,9 +16188,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand.c.fips openssl-1.0.1c/crypto/fips/ +} + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_rand.h.fips openssl-1.0.1c/crypto/fips/fips_rand.h ---- openssl-1.0.1c/crypto/fips/fips_rand.h.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand.h 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand.h.fips openssl-1.0.1e/crypto/fips/fips_rand.h +--- openssl-1.0.1e/crypto/fips/fips_rand.h.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand.h 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -16360,9 +16337,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand.h.fips openssl-1.0.1c/crypto/fips/ +#endif +#endif +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1c/crypto/fips/fips_rand_lcl.h ---- openssl-1.0.1c/crypto/fips/fips_rand_lcl.h.fips 2012-07-12 21:49:25.344352418 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand_lcl.h 2012-07-12 21:49:25.344352418 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1e/crypto/fips/fips_rand_lcl.h +--- openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips 2013-02-19 12:47:33.741118914 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand_lcl.h 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,219 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -16583,9 +16560,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1c/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.0.1c/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1c/crypto/fips/fips_rand_lib.c ---- openssl-1.0.1c/crypto/fips/fips_rand_lib.c.fips 2012-07-12 21:49:25.344352418 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand_lib.c 2012-07-12 21:49:25.344352418 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1e/crypto/fips/fips_rand_lib.c +--- openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips 2013-02-19 12:47:33.741118914 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand_lib.c 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,191 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -16778,9 +16755,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1c/crypto/f + } + return 0; + } -diff -up openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_rand_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.fips 2012-07-12 21:49:25.344352418 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand_selftest.c 2012-07-12 21:49:25.344352418 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips 2013-02-19 12:47:33.741118914 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand_selftest.c 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,183 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -16965,9 +16942,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1c/cry + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_randtest.c.fips openssl-1.0.1c/crypto/fips/fips_randtest.c ---- openssl-1.0.1c/crypto/fips/fips_randtest.c.fips 2012-07-12 21:49:25.344352418 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_randtest.c 2012-07-12 21:49:25.344352418 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_randtest.c.fips openssl-1.0.1e/crypto/fips/fips_randtest.c +--- openssl-1.0.1e/crypto/fips/fips_randtest.c.fips 2013-02-19 12:47:33.741118914 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_randtest.c 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,250 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -17219,9 +17196,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_randtest.c.fips openssl-1.0.1c/crypto/f + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c.fips 2012-07-12 21:49:25.345352441 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c 2012-07-12 21:49:25.345352441 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips 2013-02-19 12:47:33.742118935 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c 2013-02-19 12:47:33.742118935 +0100 @@ -0,0 +1,444 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. 
@@ -17667,9 +17644,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1c/cryp + } + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c ---- openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c.fips 2012-07-12 21:49:25.345352441 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c 2012-07-12 21:49:25.345352441 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips 2013-02-19 12:47:33.742118935 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c 2013-02-19 12:47:33.742118935 +0100 @@ -0,0 +1,282 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -17953,9 +17930,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1c/crypto/ + return 0; + + } -diff -up openssl-1.0.1c/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_sha_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_sha_selftest.c.fips 2012-07-12 21:49:25.345352441 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_sha_selftest.c 2012-07-12 21:49:25.345352441 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_sha_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips 2013-02-19 12:47:33.742118935 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_sha_selftest.c 2013-02-19 12:47:33.742118935 +0100 @@ -0,0 +1,140 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -18097,9 +18074,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1c/cryp + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c ---- openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c.fips 2012-07-12 21:49:25.345352441 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c 2012-07-12 21:49:25.345352441 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c +--- openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips 2013-02-19 12:47:33.742118935 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c 2013-02-19 12:47:33.742118935 +0100 @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -18281,9 +18258,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1c/c + } + + -diff -up openssl-1.0.1c/crypto/fips/fips_test_suite.c.fips openssl-1.0.1c/crypto/fips/fips_test_suite.c ---- openssl-1.0.1c/crypto/fips/fips_test_suite.c.fips 2012-07-12 21:49:25.346352464 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_test_suite.c 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips openssl-1.0.1e/crypto/fips/fips_test_suite.c +--- openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips 2013-02-19 12:47:33.743118955 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_test_suite.c 2013-02-19 12:47:33.743118955 +0100 @@ -0,0 +1,588 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -18873,9 +18850,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_test_suite.c.fips openssl-1.0.1c/crypto + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/Makefile.fips openssl-1.0.1c/crypto/fips/Makefile ---- openssl-1.0.1c/crypto/fips/Makefile.fips 2012-07-12 21:49:25.346352464 +0200 -+++ openssl-1.0.1c/crypto/fips/Makefile 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/fips/Makefile.fips openssl-1.0.1e/crypto/fips/Makefile +--- openssl-1.0.1e/crypto/fips/Makefile.fips 2013-02-19 12:47:33.743118955 +0100 ++++ openssl-1.0.1e/crypto/fips/Makefile 2013-02-19 12:47:33.743118955 +0100 @@ -0,0 +1,340 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -19217,9 +19194,9 @@ diff -up openssl-1.0.1c/crypto/fips/Makefile.fips openssl-1.0.1c/crypto/fips/Mak +fips_sha_selftest.o: ../../include/openssl/safestack.h +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c -diff -up openssl-1.0.1c/crypto/hmac/hmac.c.fips openssl-1.0.1c/crypto/hmac/hmac.c ---- openssl-1.0.1c/crypto/hmac/hmac.c.fips 2011-06-12 17:07:26.000000000 +0200 -+++ openssl-1.0.1c/crypto/hmac/hmac.c 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/hmac/hmac.c.fips openssl-1.0.1e/crypto/hmac/hmac.c +--- openssl-1.0.1e/crypto/hmac/hmac.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/hmac/hmac.c 2013-02-19 12:47:33.743118955 +0100 @@ -81,11 +81,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; 
@@ -19282,9 +19259,9 @@ diff -up openssl-1.0.1c/crypto/hmac/hmac.c.fips openssl-1.0.1c/crypto/hmac/hmac. EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); -diff -up openssl-1.0.1c/crypto/md2/md2_dgst.c.fips openssl-1.0.1c/crypto/md2/md2_dgst.c ---- openssl-1.0.1c/crypto/md2/md2_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200 -+++ openssl-1.0.1c/crypto/md2/md2_dgst.c 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/md2/md2_dgst.c.fips openssl-1.0.1e/crypto/md2/md2_dgst.c +--- openssl-1.0.1e/crypto/md2/md2_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/md2/md2_dgst.c 2013-02-19 12:47:33.743118955 +0100 @@ -62,6 +62,11 @@ #include #include @@ -19306,9 +19283,9 @@ diff -up openssl-1.0.1c/crypto/md2/md2_dgst.c.fips openssl-1.0.1c/crypto/md2/md2 { c->num=0; memset(c->state,0,sizeof c->state); -diff -up openssl-1.0.1c/crypto/md4/md4_dgst.c.fips openssl-1.0.1c/crypto/md4/md4_dgst.c ---- openssl-1.0.1c/crypto/md4/md4_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200 -+++ openssl-1.0.1c/crypto/md4/md4_dgst.c 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/md4/md4_dgst.c.fips openssl-1.0.1e/crypto/md4/md4_dgst.c +--- openssl-1.0.1e/crypto/md4/md4_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/md4/md4_dgst.c 2013-02-19 12:47:33.744118975 +0100 @@ -71,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_V #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L 
@@ -19318,9 +19295,9 @@ diff -up openssl-1.0.1c/crypto/md4/md4_dgst.c.fips openssl-1.0.1c/crypto/md4/md4 { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.fips openssl-1.0.1c/crypto/md5/md5_dgst.c ---- openssl-1.0.1c/crypto/md5/md5_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200 -+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.fips openssl-1.0.1e/crypto/md5/md5_dgst.c +--- openssl-1.0.1e/crypto/md5/md5_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 12:47:33.744118975 +0100 @@ -71,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_V #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -19330,9 +19307,9 @@ diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.fips openssl-1.0.1c/crypto/md5/md5 { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.1c/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1c/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.1c/crypto/mdc2/mdc2dgst.c.fips 2011-06-01 15:39:44.000000000 +0200 -+++ openssl-1.0.1c/crypto/mdc2/mdc2dgst.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1e/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/mdc2/mdc2dgst.c 2013-02-19 12:47:33.744118975 +0100 @@ -76,7 +76,7 @@ *((c)++)=(unsigned char)(((l)>>24L)&0xff)) 
@@ -19342,9 +19319,9 @@ diff -up openssl-1.0.1c/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1c/crypto/mdc2/m { c->num=0; c->pad_type=1; -diff -up openssl-1.0.1c/crypto/o_fips.c.fips openssl-1.0.1c/crypto/o_fips.c ---- openssl-1.0.1c/crypto/o_fips.c.fips 2012-04-20 16:42:54.000000000 +0200 -+++ openssl-1.0.1c/crypto/o_fips.c 2012-07-12 20:39:19.000000000 +0200 +diff -up openssl-1.0.1e/crypto/o_fips.c.fips openssl-1.0.1e/crypto/o_fips.c +--- openssl-1.0.1e/crypto/o_fips.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/o_fips.c 2013-02-19 12:47:33.744118975 +0100 @@ -79,6 +79,8 @@ int FIPS_mode_set(int r) #ifndef FIPS_AUTH_USER_PASS #define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" @@ -19354,9 +19331,9 @@ diff -up openssl-1.0.1c/crypto/o_fips.c.fips openssl-1.0.1c/crypto/o_fips.c if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) -diff -up openssl-1.0.1c/crypto/o_init.c.fips openssl-1.0.1c/crypto/o_init.c ---- openssl-1.0.1c/crypto/o_init.c.fips 2011-05-26 16:19:19.000000000 +0200 -+++ openssl-1.0.1c/crypto/o_init.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c +--- openssl-1.0.1e/crypto/o_init.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 12:47:33.744118975 +0100 @@ -55,28 +55,63 @@ #include #include 
@@ -19425,9 +19402,9 @@ diff -up openssl-1.0.1c/crypto/o_init.c.fips openssl-1.0.1c/crypto/o_init.c + { + OPENSSL_init_library(); + } -diff -up openssl-1.0.1c/crypto/opensslconf.h.in.fips openssl-1.0.1c/crypto/opensslconf.h.in ---- openssl-1.0.1c/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 -+++ openssl-1.0.1c/crypto/opensslconf.h.in 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/opensslconf.h.in.fips openssl-1.0.1e/crypto/opensslconf.h.in +--- openssl-1.0.1e/crypto/opensslconf.h.in.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/opensslconf.h.in 2013-02-19 12:47:33.744118975 +0100 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -19449,9 +19426,9 @@ diff -up openssl-1.0.1c/crypto/opensslconf.h.in.fips openssl-1.0.1c/crypto/opens /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.1c/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1c/crypto/pkcs12/p12_crt.c ---- openssl-1.0.1c/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 -+++ openssl-1.0.1c/crypto/pkcs12/p12_crt.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1e/crypto/pkcs12/p12_crt.c +--- openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/pkcs12/p12_crt.c 2013-02-19 12:47:33.744118975 +0100 @@ -59,6 +59,10 @@ #include #include "cryptlib.h" 
@@ -19478,9 +19455,9 @@ diff -up openssl-1.0.1c/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1c/crypto/pkcs1 if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; if (!iter) -diff -up openssl-1.0.1c/crypto/rand/md_rand.c.fips openssl-1.0.1c/crypto/rand/md_rand.c ---- openssl-1.0.1c/crypto/rand/md_rand.c.fips 2011-01-26 15:55:23.000000000 +0100 -+++ openssl-1.0.1c/crypto/rand/md_rand.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips openssl-1.0.1e/crypto/rand/md_rand.c +--- openssl-1.0.1e/crypto/rand/md_rand.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rand/md_rand.c 2013-02-19 12:47:33.745118995 +0100 @@ -389,7 +389,10 @@ static int ssleay_rand_bytes(unsigned ch CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; @@ -19493,9 +19470,9 @@ diff -up openssl-1.0.1c/crypto/rand/md_rand.c.fips openssl-1.0.1c/crypto/rand/md { RAND_poll(); initialized = 1; -diff -up openssl-1.0.1c/crypto/rand/rand.h.fips openssl-1.0.1c/crypto/rand/rand.h ---- openssl-1.0.1c/crypto/rand/rand.h.fips 2012-07-12 21:49:24.769339483 +0200 -+++ openssl-1.0.1c/crypto/rand/rand.h 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/rand/rand.h.fips openssl-1.0.1e/crypto/rand/rand.h +--- openssl-1.0.1e/crypto/rand/rand.h.fips 2013-02-19 12:47:33.176107430 +0100 ++++ openssl-1.0.1e/crypto/rand/rand.h 2013-02-19 12:47:33.745118995 +0100 @@ -133,15 +133,33 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ 
@@ -19534,9 +19511,9 @@ diff -up openssl-1.0.1c/crypto/rand/rand.h.fips openssl-1.0.1c/crypto/rand/rand. #ifdef __cplusplus } -diff -up openssl-1.0.1c/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1c/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.1c/crypto/ripemd/rmd_dgst.c.fips 2011-06-01 15:39:44.000000000 +0200 -+++ openssl-1.0.1c/crypto/ripemd/rmd_dgst.c 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1e/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/ripemd/rmd_dgst.c 2013-02-19 12:47:33.745118995 +0100 @@ -70,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160" void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num); # endif @@ -19546,9 +19523,9 @@ diff -up openssl-1.0.1c/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1c/crypto/ripe { memset (c,0,sizeof(*c)); c->A=RIPEMD160_A; -diff -up openssl-1.0.1c/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1c/crypto/rsa/rsa_crpt.c ---- openssl-1.0.1c/crypto/rsa/rsa_crpt.c.fips 2011-06-02 20:22:42.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_crpt.c 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1e/crypto/rsa/rsa_crpt.c +--- openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_crpt.c 2013-02-19 12:47:33.745118995 +0100 @@ -90,10 +90,9 @@ int RSA_private_encrypt(int flen, const RSA *rsa, int padding) { 
@@ -19575,9 +19552,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1c/crypto/rsa/rsa return -1; } #endif -diff -up openssl-1.0.1c/crypto/rsa/rsa_eay.c.fips openssl-1.0.1c/crypto/rsa/rsa_eay.c ---- openssl-1.0.1c/crypto/rsa/rsa_eay.c.fips 2011-10-19 16:58:59.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_eay.c 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips openssl-1.0.1e/crypto/rsa/rsa_eay.c +--- openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_eay.c 2013-02-19 12:47:33.745118995 +0100 @@ -114,6 +114,10 @@ #include #include @@ -19698,22 +19675,6 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_eay.c.fips openssl-1.0.1c/crypto/rsa/rsa_ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); -@@ -847,12 +923,12 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c - if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; - - /* If p < q it is occasionally possible for the correction of -- * adding 'p' if r0 is negative above to leave the result still -+ * adding 'p' if r0 is negative above to leave the result still - * negative. This can break the private key operations: the following - * second correction should *always* correct this rare occurrence. - * This will *never* happen with OpenSSL generated keys because -- * they ensure p > q [steve] -- */ -+ * they ensure p > q [steve] -+ */ - if (BN_is_negative(r0)) - if (!BN_add(r0,r0,rsa->p)) goto err; - if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; @@ -897,6 +973,9 @@ err: static int RSA_eay_init(RSA *rsa) 
@@ -19724,9 +19685,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_eay.c.fips openssl-1.0.1c/crypto/rsa/rsa_ rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; return(1); } -diff -up openssl-1.0.1c/crypto/rsa/rsa_err.c.fips openssl-1.0.1c/crypto/rsa/rsa_err.c ---- openssl-1.0.1c/crypto/rsa/rsa_err.c.fips 2011-10-10 01:13:50.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_err.c 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_err.c.fips openssl-1.0.1e/crypto/rsa/rsa_err.c +--- openssl-1.0.1e/crypto/rsa/rsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_err.c 2013-02-19 12:47:33.746119015 +0100 @@ -121,6 +121,8 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, @@ -19736,9 +19697,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_err.c.fips openssl-1.0.1c/crypto/rsa/rsa_ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, -diff -up openssl-1.0.1c/crypto/rsa/rsa_gen.c.fips openssl-1.0.1c/crypto/rsa/rsa_gen.c ---- openssl-1.0.1c/crypto/rsa/rsa_gen.c.fips 2011-06-09 15:18:07.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_gen.c 2012-07-12 21:49:25.349352531 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips openssl-1.0.1e/crypto/rsa/rsa_gen.c +--- openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2013-02-19 12:47:33.746119015 +0100 @@ -69,6 +69,78 @@ #include #ifdef OPENSSL_FIPS 
@@ -19880,9 +19841,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_gen.c.fips openssl-1.0.1c/crypto/rsa/rsa_ ok=1; err: if (ok == -1) -diff -up openssl-1.0.1c/crypto/rsa/rsa.h.fips openssl-1.0.1c/crypto/rsa/rsa.h ---- openssl-1.0.1c/crypto/rsa/rsa.h.fips 2012-07-12 21:49:25.093346772 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa.h 2012-07-12 21:49:25.349352531 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa.h.fips openssl-1.0.1e/crypto/rsa/rsa.h +--- openssl-1.0.1e/crypto/rsa/rsa.h.fips 2013-02-19 12:47:33.485113710 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa.h 2013-02-19 12:47:33.746119015 +0100 @@ -164,6 +164,8 @@ struct rsa_st # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 #endif @@ -19967,9 +19928,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa.h.fips openssl-1.0.1c/crypto/rsa/rsa.h #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 #define RSA_R_PADDING_CHECK_FAILED 114 #define RSA_R_P_NOT_PRIME 128 -diff -up openssl-1.0.1c/crypto/rsa/rsa_lib.c.fips openssl-1.0.1c/crypto/rsa/rsa_lib.c ---- openssl-1.0.1c/crypto/rsa/rsa_lib.c.fips 2011-06-20 21:41:13.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_lib.c 2012-07-12 21:49:25.349352531 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips openssl-1.0.1e/crypto/rsa/rsa_lib.c +--- openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_lib.c 2013-02-19 12:47:33.746119015 +0100 @@ -84,6 +84,13 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) 
@@ -20045,9 +20006,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_lib.c.fips openssl-1.0.1c/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.0.1c/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1c/crypto/rsa/rsa_pmeth.c ---- openssl-1.0.1c/crypto/rsa/rsa_pmeth.c.fips 2012-02-15 15:14:01.000000000 +0100 -+++ openssl-1.0.1c/crypto/rsa/rsa_pmeth.c 2012-07-12 21:49:25.349352531 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1e/crypto/rsa/rsa_pmeth.c +--- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-02-19 12:47:33.746119015 +0100 @@ -206,22 +206,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c RSA_R_INVALID_DIGEST_LENGTH); return -1; @@ -20091,9 +20052,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1c/crypto/rsa/rs if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); -diff -up openssl-1.0.1c/crypto/rsa/rsa_sign.c.fips openssl-1.0.1c/crypto/rsa/rsa_sign.c ---- openssl-1.0.1c/crypto/rsa/rsa_sign.c.fips 2012-02-15 15:00:09.000000000 +0100 -+++ openssl-1.0.1c/crypto/rsa/rsa_sign.c 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips openssl-1.0.1e/crypto/rsa/rsa_sign.c +--- openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_sign.c 2013-02-19 12:47:33.747119035 +0100 @@ -138,7 +138,8 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig,&p); s=tmps; 
@@ -20125,9 +20086,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_sign.c.fips openssl-1.0.1c/crypto/rsa/rsa if (i <= 0) goto err; /* Oddball MDC2 case: signature can be OCTET STRING. -diff -up openssl-1.0.1c/crypto/sha/sha256.c.fips openssl-1.0.1c/crypto/sha/sha256.c ---- openssl-1.0.1c/crypto/sha/sha256.c.fips 2011-06-01 15:39:44.000000000 +0200 -+++ openssl-1.0.1c/crypto/sha/sha256.c 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/sha/sha256.c.fips openssl-1.0.1e/crypto/sha/sha256.c +--- openssl-1.0.1e/crypto/sha/sha256.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/sha/sha256.c 2013-02-19 12:47:33.747119035 +0100 @@ -12,12 +12,19 @@ #include @@ -20158,9 +20119,9 @@ diff -up openssl-1.0.1c/crypto/sha/sha256.c.fips openssl-1.0.1c/crypto/sha/sha25 memset (c,0,sizeof(*c)); c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL; c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; -diff -up openssl-1.0.1c/crypto/sha/sha512.c.fips openssl-1.0.1c/crypto/sha/sha512.c ---- openssl-1.0.1c/crypto/sha/sha512.c.fips 2011-11-14 21:58:01.000000000 +0100 -+++ openssl-1.0.1c/crypto/sha/sha512.c 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/sha/sha512.c.fips openssl-1.0.1e/crypto/sha/sha512.c +--- openssl-1.0.1e/crypto/sha/sha512.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/sha/sha512.c 2013-02-19 12:47:33.747119035 +0100 @@ -5,6 +5,10 @@ * ==================================================================== */ 
@@ -20192,9 +20153,9 @@ diff -up openssl-1.0.1c/crypto/sha/sha512.c.fips openssl-1.0.1c/crypto/sha/sha51 c->h[0]=U64(0x6a09e667f3bcc908); c->h[1]=U64(0xbb67ae8584caa73b); c->h[2]=U64(0x3c6ef372fe94f82b); -diff -up openssl-1.0.1c/crypto/sha/sha.h.fips openssl-1.0.1c/crypto/sha/sha.h ---- openssl-1.0.1c/crypto/sha/sha.h.fips 2012-07-12 21:49:24.581335255 +0200 -+++ openssl-1.0.1c/crypto/sha/sha.h 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/sha/sha.h.fips openssl-1.0.1e/crypto/sha/sha.h +--- openssl-1.0.1e/crypto/sha/sha.h.fips 2013-02-19 12:47:32.986103568 +0100 ++++ openssl-1.0.1e/crypto/sha/sha.h 2013-02-19 12:47:33.747119035 +0100 @@ -116,9 +116,6 @@ unsigned char *SHA(const unsigned char * void SHA_Transform(SHA_CTX *c, const unsigned char *data); #endif @@ -20227,9 +20188,9 @@ diff -up openssl-1.0.1c/crypto/sha/sha.h.fips openssl-1.0.1c/crypto/sha/sha.h int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); -diff -up openssl-1.0.1c/crypto/sha/sha_locl.h.fips openssl-1.0.1c/crypto/sha/sha_locl.h ---- openssl-1.0.1c/crypto/sha/sha_locl.h.fips 2012-07-12 21:49:24.587335390 +0200 -+++ openssl-1.0.1c/crypto/sha/sha_locl.h 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/sha/sha_locl.h.fips openssl-1.0.1e/crypto/sha/sha_locl.h +--- openssl-1.0.1e/crypto/sha/sha_locl.h.fips 2013-02-19 12:47:32.991103670 +0100 ++++ openssl-1.0.1e/crypto/sha/sha_locl.h 2013-02-19 12:47:33.747119035 +0100 @@ -123,11 +123,14 @@ void sha1_block_data_order (SHA_CTX *c, #define INIT_DATA_h4 0xc3d2e1f0UL 
@@ -20246,9 +20207,9 @@ diff -up openssl-1.0.1c/crypto/sha/sha_locl.h.fips openssl-1.0.1c/crypto/sha/sha memset (c,0,sizeof(*c)); c->h0=INIT_DATA_h0; c->h1=INIT_DATA_h1; -diff -up openssl-1.0.1c/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1c/crypto/whrlpool/wp_dgst.c ---- openssl-1.0.1c/crypto/whrlpool/wp_dgst.c.fips 2011-06-01 15:39:45.000000000 +0200 -+++ openssl-1.0.1c/crypto/whrlpool/wp_dgst.c 2012-07-12 21:49:25.351352575 +0200 +diff -up openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1e/crypto/whrlpool/wp_dgst.c +--- openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/whrlpool/wp_dgst.c 2013-02-19 12:47:33.748119055 +0100 @@ -55,7 +55,7 @@ #include #include @@ -20258,9 +20219,9 @@ diff -up openssl-1.0.1c/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1c/crypto/whr { memset (c,0,sizeof(*c)); return(1); -diff -up openssl-1.0.1c/Makefile.org.fips openssl-1.0.1c/Makefile.org ---- openssl-1.0.1c/Makefile.org.fips 2012-07-12 21:49:25.285351091 +0200 -+++ openssl-1.0.1c/Makefile.org 2012-07-12 21:49:25.351352575 +0200 +diff -up openssl-1.0.1e/Makefile.org.fips openssl-1.0.1e/Makefile.org +--- openssl-1.0.1e/Makefile.org.fips 2013-02-19 12:47:33.678117634 +0100 ++++ openssl-1.0.1e/Makefile.org 2013-02-19 12:47:33.748119055 +0100 @@ -136,6 +136,9 @@ FIPSCANLIB= BASEADDR= 
@@ -20288,9 +20249,9 @@ diff -up openssl-1.0.1c/Makefile.org.fips openssl-1.0.1c/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.1c/ssl/ssl_algs.c.fips openssl-1.0.1c/ssl/ssl_algs.c ---- openssl-1.0.1c/ssl/ssl_algs.c.fips 2012-01-15 14:42:50.000000000 +0100 -+++ openssl-1.0.1c/ssl/ssl_algs.c 2012-07-12 21:49:25.351352575 +0200 +diff -up openssl-1.0.1e/ssl/ssl_algs.c.fips openssl-1.0.1e/ssl/ssl_algs.c +--- openssl-1.0.1e/ssl/ssl_algs.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/ssl_algs.c 2013-02-19 12:47:33.748119055 +0100 @@ -64,6 +64,12 @@ int SSL_library_init(void) { @@ -20304,7 +20265,7 @@ diff -up openssl-1.0.1c/ssl/ssl_algs.c.fips openssl-1.0.1c/ssl/ssl_algs.c #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cbc()); EVP_add_cipher(EVP_des_ede3_cbc()); -@@ -136,6 +142,50 @@ int SSL_library_init(void) +@@ -137,6 +143,50 @@ int SSL_library_init(void) EVP_add_digest(EVP_sha()); EVP_add_digest(EVP_dss()); #endif diff --git a/openssl-1.0.1e-issuer-hash.patch b/openssl-1.0.1e-issuer-hash.patch new file mode 100644 index 0000000..0f3bfdb --- /dev/null +++ b/openssl-1.0.1e-issuer-hash.patch @@ -0,0 +1,11 @@ +diff -up openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1e/crypto/x509/x509_cmp.c +--- openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/x509_cmp.c 2013-02-19 12:46:11.315788592 +0100 +@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has + char *f; + + EVP_MD_CTX_init(&ctx); ++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); + if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) + goto err; 
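Review bot: The added `EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);` in openssl-1.0.1e-issuer-hash.patch exempts the MD5 digest in this function from FIPS-mode enforcement without a comment saying why that is acceptable. From the function name and its `unsigned long` return this looks like a lookup hash over issuer and serial rather than a security check, but that should be stated where the flag is set so the exemption can be audited, e.g. `/* MD5 only derives a lookup hash here, not a security decision; permit it in FIPS mode */`. The function body continues outside the hunk, so how the digest result is used is not visible here.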
diff --git a/openssl-1.0.1c-secure-getenv.patch b/openssl-1.0.1e-secure-getenv.patch similarity index 66% rename from openssl-1.0.1c-secure-getenv.patch rename to openssl-1.0.1e-secure-getenv.patch index 8338fb4..eb8034d 100644 --- a/openssl-1.0.1c-secure-getenv.patch +++ b/openssl-1.0.1e-secure-getenv.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c ---- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv 2011-09-02 13:20:32.000000000 +0200 -+++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-09-10 20:20:24.803968961 +0200 +diff -up openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_api.c +--- openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/conf/conf_api.c 2013-02-19 13:02:02.531188124 +0100 @@ -63,6 +63,8 @@ # define NDEBUG #endif @@ -28,9 +28,9 @@ diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/cryp } #if 0 /* There's no way to provide error checking with this function, so -diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c ---- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv 2008-11-05 19:38:55.000000000 +0100 -+++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-09-10 20:22:46.228970661 +0200 +diff -up openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_mod.c +--- openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/conf/conf_mod.c 2013-02-19 13:02:02.531188124 +0100 @@ -56,6 +56,8 @@ * */ 
@@ -51,9 +51,9 @@ diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/cryp return BUF_strdup(file); len = strlen(X509_get_default_cert_area()); -diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c ---- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv 2010-03-27 19:28:13.000000000 +0100 -+++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-09-10 20:20:46.106452027 +0200 +diff -up openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1e/crypto/engine/eng_list.c +--- openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/engine/eng_list.c 2013-02-19 13:02:02.536188233 +0100 @@ -61,6 +61,8 @@ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ @@ -75,9 +75,9 @@ diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/cr #endif iterator = ENGINE_by_id("dynamic"); if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || -diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c ---- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-09-10 20:10:26.079391932 +0200 -+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-09-10 20:20:31.383118153 +0200 +diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1e/crypto/md5/md5_dgst.c +--- openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv 2013-02-19 13:02:02.492187275 +0100 ++++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 13:02:02.537188254 +0100 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ 
@@ -96,9 +96,9 @@ diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypt OpenSSLDie(__FILE__, __LINE__, \ "Digest MD5 forbidden in FIPS mode!"); return private_MD5_Init(c); -diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c ---- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-09-10 20:10:26.066391638 +0200 -+++ openssl-1.0.1c/crypto/o_init.c 2012-09-10 20:23:27.634908822 +0200 +diff -up openssl-1.0.1e/crypto/o_init.c.secure-getenv openssl-1.0.1e/crypto/o_init.c +--- openssl-1.0.1e/crypto/o_init.c.secure-getenv 2013-02-19 13:02:02.428185882 +0100 ++++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 13:02:02.538188276 +0100 @@ -52,6 +52,8 @@ * */ @@ -117,19 +117,19 @@ diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_in { buf[0] = '1'; } -diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c ---- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv 2012-01-15 14:40:21.000000000 +0100 -+++ openssl-1.0.1c/crypto/rand/randfile.c 2012-09-10 20:20:40.708329617 +0200 -@@ -58,6 +58,8 @@ - - /* We need to define this to get macros like S_IFBLK and S_IFCHR */ +diff -up openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv openssl-1.0.1e/crypto/rand/randfile.c +--- openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rand/randfile.c 2013-02-19 13:03:06.971591052 +0100 +@@ -60,6 +60,8 @@ + #if !defined(OPENSSL_SYS_VXWORKS) #define _XOPEN_SOURCE 500 + #endif +/* for secure_getenv */ +#define _GNU_SOURCE #include #include -@@ -275,8 +277,7 @@ const char *RAND_file_name(char *buf, si +@@ -277,8 +279,7 @@ const char *RAND_file_name(char *buf, si struct stat sb; #endif 
@@ -139,7 +139,7 @@ diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/cryp if (s != NULL && *s && strlen(s) + 1 < size) { if (BUF_strlcpy(buf,s,size) >= size) -@@ -284,8 +285,7 @@ const char *RAND_file_name(char *buf, si +@@ -286,8 +287,7 @@ const char *RAND_file_name(char *buf, si } else { @@ -149,9 +149,9 @@ diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/cryp #ifdef DEFAULT_HOME if (s == NULL) { -diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c ---- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv 2010-02-19 19:26:23.000000000 +0100 -+++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-09-10 20:21:16.641144451 +0200 +diff -up openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1e/crypto/x509/by_dir.c +--- openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/by_dir.c 2013-02-19 13:02:02.539188298 +0100 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ @@ -170,9 +170,9 @@ diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto if (dir) ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); else -diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c ---- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-09-10 20:10:26.016390503 +0200 -+++ openssl-1.0.1c/crypto/x509/by_file.c 2012-09-10 20:21:07.748942806 +0200 +diff -up openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv openssl-1.0.1e/crypto/x509/by_file.c +--- openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv 2013-02-19 13:02:02.236181701 +0100 ++++ openssl-1.0.1e/crypto/x509/by_file.c 2013-02-19 13:02:02.554188624 +0100 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ 
@@ -191,9 +191,9 @@ diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypt if (file) ok = (X509_load_cert_crl_file(ctx,file, X509_FILETYPE_PEM) != 0); -diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c ---- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv 2011-09-23 15:39:35.000000000 +0200 -+++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-09-10 20:20:55.951675283 +0200 +diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1e/crypto/x509/x509_vfy.c +--- openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-02-19 13:02:02.556188668 +0100 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ @@ -212,9 +212,9 @@ diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/cryp allow_proxy_certs = 1; purpose = ctx->param->purpose; } -diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c ---- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv 2008-03-16 22:05:44.000000000 +0100 -+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-09-10 20:21:26.759373897 +0200 +diff -up openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1e/engines/ccgost/gost_ctl.c +--- openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/engines/ccgost/gost_ctl.c 2013-02-19 13:02:02.557188690 +0100 @@ -6,6 +6,8 @@ * Implementation of control commands for GOST engine * * OpenSSL 0.9.9 libraries required * diff --git a/openssl-fix-pod2man-failure.patch b/openssl-fix-pod2man-failure.patch deleted file mode 100644 index 7b91033..0000000 --- a/openssl-fix-pod2man-failure.patch +++ /dev/null 
@@ -1,211 +0,0 @@ ---- a/doc/ssl/SSL_CTX_set_client_CA_list.pod -+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod -@@ -66,16 +66,16 @@ - - =over 4 - --=item 1 -- --The operation succeeded. -- - =item 0 - - A failure while manipulating the STACK_OF(X509_NAME) object occurred or - the X509_NAME could not be extracted from B. Check the error stack - to find out the reason. - -+=item 1 -+ -+The operation succeeded. -+ - =back - - =head1 EXAMPLES - ---- a/doc/ssl/SSL_accept.pod -+++ b/doc/ssl/SSL_accept.pod -@@ -44,10 +44,13 @@ - - =over 4 - --=item 1 -+=item E0 - --The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been --established. -+The TLS/SSL handshake was not successful because a fatal error occurred either -+at the protocol level or a connection failure occurred. The shutdown was -+not clean. It can also occur of action is need to continue the operation -+for non-blocking BIOs. Call SSL_get_error() with the return value B -+to find out the reason. - - =item 0 - -@@ -55,13 +58,10 @@ - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item E0 -+=item 1 - --The TLS/SSL handshake was not successful because a fatal error occurred either --at the protocol level or a connection failure occurred. The shutdown was --not clean. It can also occur of action is need to continue the operation --for non-blocking BIOs. Call SSL_get_error() with the return value B --to find out the reason. -+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -+established. - - =back - - ---- a/doc/ssl/SSL_connect.pod -+++ b/doc/ssl/SSL_connect.pod -@@ -41,10 +41,13 @@ - - =over 4 - --=item 1 -+=item E0 - --The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been --established. -+The TLS/SSL handshake was not successful, because a fatal error occurred either -+at the protocol level or a connection failure occurred. The shutdown was -+not clean. 
It can also occur of action is need to continue the operation -+for non-blocking BIOs. Call SSL_get_error() with the return value B -+to find out the reason. - - =item 0 - -@@ -52,13 +55,10 @@ - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item E0 -+=item 1 - --The TLS/SSL handshake was not successful, because a fatal error occurred either --at the protocol level or a connection failure occurred. The shutdown was --not clean. It can also occur of action is need to continue the operation --for non-blocking BIOs. Call SSL_get_error() with the return value B --to find out the reason. -+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -+established. - - =back - - ---- a/doc/ssl/SSL_do_handshake.pod -+++ b/doc/ssl/SSL_do_handshake.pod -@@ -45,10 +45,13 @@ - - =over 4 - --=item 1 -+=item E0 - --The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been --established. -+The TLS/SSL handshake was not successful because a fatal error occurred either -+at the protocol level or a connection failure occurred. The shutdown was -+not clean. It can also occur of action is need to continue the operation -+for non-blocking BIOs. Call SSL_get_error() with the return value B -+to find out the reason. - - =item 0 - -@@ -56,13 +59,10 @@ - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item E0 -+=item 1 - --The TLS/SSL handshake was not successful because a fatal error occurred either --at the protocol level or a connection failure occurred. The shutdown was --not clean. It can also occur of action is need to continue the operation --for non-blocking BIOs. Call SSL_get_error() with the return value B --to find out the reason. -+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -+established. 
- - =back - - ---- a/doc/ssl/SSL_shutdown.pod -+++ b/doc/ssl/SSL_shutdown.pod -@@ -92,10 +92,13 @@ - - =over 4 - --=item 1 -+=item -1 - --The shutdown was successfully completed. The "close notify" alert was sent --and the peer's "close notify" alert was received. -+The shutdown was not successful because a fatal error occurred either -+at the protocol level or a connection failure occurred. It can also occur if -+action is need to continue the operation for non-blocking BIOs. -+Call L with the return value B -+to find out the reason. - - =item 0 - -@@ -104,13 +107,10 @@ - The output of L may be misleading, as an - erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. - --=item -1 -+=item 1 - --The shutdown was not successful because a fatal error occurred either --at the protocol level or a connection failure occurred. It can also occur if --action is need to continue the operation for non-blocking BIOs. --Call L with the return value B --to find out the reason. -+The shutdown was successfully completed. The "close notify" alert was sent -+and the peer's "close notify" alert was received. - - =back - - ---- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -@@ -81,6 +81,13 @@ - - Return values from the server callback are interpreted as follows: - -+=over 4 -+ -+=item 0 -+ -+PSK identity was not found. An "unknown_psk_identity" alert message -+will be sent and the connection setup fails. -+ - =item > 0 - - PSK identity was found and the server callback has provided the PSK -@@ -94,9 +101,6 @@ - connection will fail with decryption_error before it will be finished - completely. - --=item 0 -- --PSK identity was not found. An "unknown_psk_identity" alert message --will be sent and the connection setup fails. -+=back - - =cut - ---- a/doc/crypto/X509_STORE_CTX_get_error.pod -+++ b/doc/crypto/X509_STORE_CTX_get_error.pod -@@ -278,6 +278,8 @@ - an application specific error. 
This will never be returned unless explicitly
- set by an application.
-
-+=back
-+
- =head1 NOTES
-
- The above functions should be used instead of directly referencing the fields
diff --git a/openssl-mingw64-dont-use-secure-getenv.patch b/openssl-mingw64-dont-use-secure-getenv.patch
new file mode 100644
index 0000000..c8a752a
--- /dev/null
+++ b/openssl-mingw64-dont-use-secure-getenv.patch
@@ -0,0 +1,11 @@
+--- openssl-1.0.1e/ssl/ssl_ciph.c.orig 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-03-24 20:39:53.425122737 +0100
+@@ -455,7 +457,7 @@
+
+ MemCheck_off();
+ ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
++ if (ssl_comp_methods != NULL && getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
+ {
+ comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL)
diff --git a/renew-dummy-cert b/renew-dummy-cert
new file mode 100755
index 0000000..50f9931
--- /dev/null
+++ b/renew-dummy-cert
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+ echo $"Usage: `basename $0` filename" 1>&2
+ exit 1
+fi
+
+PEM=$1
+REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
+KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
+CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
+NEW=${PEM}_
+
+trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
+
+if [ ! -f $PEM ]; then
+ echo "$PEM: file not found" 1>&2
+ exit 1
+fi
+
+let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
+let SERIAL++
+
+umask 077
+
+OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
+
+openssl rsa -inform pem -in $PEM -out $KEY
+openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
+openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
+ -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
+
+(cat $KEY ; echo "" ; cat $CRT) > $NEW
+
+chown $OWNER $NEW
+
+mv -f $NEW $PEM
+
+rm -f $REQ $KEY $CRT
+
+exit 0
+
diff --git a/sources b/sources
index ed53453..f4ba3a1 100644
--- a/sources
+++ b/sources
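Review bot: The replacement of `secure_getenv("OPENSSL_DEFAULT_ZLIB")` with plain `getenv(...)` in openssl-mingw64-dont-use-secure-getenv.patch is unconditional and carries no explanation of why the privileged-process check can be dropped. The visible `if` decides whether a compression method is allocated, so the environment variable changes TLS behaviour; a comment such as `/* MinGW has no secure_getenv(); there is no setuid-style execution on Windows, so getenv() is used */` would record the reasoning. This patch covers only ssl/ssl_ciph.c, while openssl-1.0.1e-secure-getenv.patch in the same commit touches many other files; whether that patch is applied in the MinGW build is not visible here, so the other call sites may need checking. The enclosing function starts and ends outside the hunk.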
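Review bot: None of the three `openssl` steps in renew-dummy-cert is checked before `mv -f $NEW $PEM`, so a failed key extraction or signing step can replace the existing certificate/key file with an incomplete one. Each step should stop the script on failure, e.g. `openssl rsa -inform pem -in "$PEM" -out "$KEY" || exit 1`, and likewise for the two `openssl x509` calls. The `trap` fires only on SIGINT, so on any other early exit the temporary file holding the extracted private key (`$KEY`) stays in /tmp; `trap 'rm -f "$REQ" "$KEY" "$CRT" "$NEW"' EXIT` would cover those paths. `$PEM` and the other expansions are unquoted throughout, so a path containing spaces or glob characters is split or expanded before it reaches `rm`, `mv` and `chown`.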
@@ -1 +1 @@
-3b75bb21452767ed1779fbce32625b95 openssl-1.0.1c-usa.tar.xz
+641677c116865e60601677329b514e2d openssl-1.0.1e-usa.tar.xz