diff --git a/.gitignore b/.gitignore index f82b1db..097821a 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.0.1c-usa.tar.xz /openssl-1.0.1e-usa.tar.xz /openssl-1.0.1e-hobbled.tar.xz +/openssl-1.0.1g-hobbled.tar.xz diff --git a/openssl-1.0.1e-backports.patch b/openssl-1.0.1e-backports.patch deleted file mode 100644 index abe3017..0000000 --- a/openssl-1.0.1e-backports.patch +++ /dev/null @@ -1,345 +0,0 @@ -diff -up openssl-1.0.1e/crypto/pem/pem_info.c.backports openssl-1.0.1e/crypto/pem/pem_info.c ---- openssl-1.0.1e/crypto/pem/pem_info.c.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/pem/pem_info.c 2013-08-16 15:31:35.726003892 +0200 -@@ -167,6 +167,7 @@ start: - #ifndef OPENSSL_NO_RSA - if (strcmp(name,PEM_STRING_RSA) == 0) - { -+ d2i=(D2I_OF(void))d2i_RSAPrivateKey; - if (xi->x_pkey != NULL) - { - if (!sk_X509_INFO_push(ret,xi)) goto err; -diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports openssl-1.0.1e/crypto/rsa/rsa_pmeth.c ---- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports 2013-08-16 15:31:35.697003256 +0200 -+++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-08-16 15:33:37.770673918 +0200 -@@ -582,6 +582,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CT - pm = RSA_NO_PADDING; - else if (!strcmp(value, "oeap")) - pm = RSA_PKCS1_OAEP_PADDING; -+ else if (!strcmp(value, "oaep")) -+ pm = RSA_PKCS1_OAEP_PADDING; - else if (!strcmp(value, "x931")) - pm = RSA_X931_PADDING; - else if (!strcmp(value, "pss")) -diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.backports openssl-1.0.1e/crypto/x509/x509_vfy.c ---- openssl-1.0.1e/crypto/x509/x509_vfy.c.backports 2013-08-16 15:31:35.721003782 +0200 -+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:31:35.726003892 +0200 -@@ -696,6 +696,7 @@ static int check_cert(X509_STORE_CTX *ct - X509_CRL *crl = NULL, *dcrl = NULL; - X509 *x; - int ok, cnum; -+ unsigned int last_reasons; - cnum = ctx->error_depth; - x = sk_X509_value(ctx->chain, cnum); - ctx->current_cert = x; -@@ -704,6 +705,7 @@ static int check_cert(X509_STORE_CTX *ct - ctx->current_reasons = 0; - while (ctx->current_reasons != CRLDP_ALL_REASONS) - { -+ last_reasons = ctx->current_reasons; - /* Try to retrieve relevant CRL */ - if (ctx->get_crl) - ok = ctx->get_crl(ctx, &crl, x); -@@ -747,6 +749,15 @@ static int check_cert(X509_STORE_CTX *ct - X509_CRL_free(dcrl); - crl = NULL; - dcrl = NULL; -+ /* If reasons not updated we wont get anywhere by -+ * another iteration, so exit loop. -+ */ -+ if (last_reasons == ctx->current_reasons) -+ { -+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; -+ ok = ctx->verify_cb(0, ctx); -+ goto err; -+ } - } - err: - X509_CRL_free(crl); -diff -up openssl-1.0.1e/crypto/x509/x_all.c.backports openssl-1.0.1e/crypto/x509/x_all.c ---- openssl-1.0.1e/crypto/x509/x_all.c.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/x509/x_all.c 2013-08-16 15:33:25.247399940 +0200 -@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, c - - int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) - { -+ x->cert_info->enc.modified = 1; - return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF), - x->cert_info->signature, - x->sig_alg, x->signature, x->cert_info, ctx); -@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY - - int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) - { -+ x->crl->enc.modified = 1; - return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO), - x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx); - } -diff -up openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod ---- openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod 2013-08-16 15:31:35.727003914 +0200 -@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl - an application specific error. This will never be returned unless explicitly - set by an application. - -+=back -+ - =head1 NOTES - - The above functions should be used instead of directly referencing the fields -diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports openssl-1.0.1e/doc/ssl/SSL_accept.pod ---- openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-08-16 15:31:35.727003914 +0200 -@@ -44,17 +44,17 @@ The following return values can occur: - - =over 4 - --=item 1 -- --The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been --established. -- - =item 0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - -+=item 1 -+ -+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -+established. -+ - =item E0 - - The TLS/SSL handshake was not successful because a fatal error occurred either -diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports openssl-1.0.1e/doc/ssl/SSL_connect.pod ---- openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-08-16 15:31:35.727003914 +0200 -@@ -41,17 +41,17 @@ The following return values can occur: - - =over 4 - --=item 1 -- --The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been --established. -- - =item 0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - -+=item 1 -+ -+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -+established. -+ - =item E0 - - The TLS/SSL handshake was not successful, because a fatal error occurred either -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-08-16 15:31:35.727003914 +0200 -@@ -66,16 +66,16 @@ values: - - =over 4 - --=item 1 -- --The operation succeeded. -- - =item 0 - - A failure while manipulating the STACK_OF(X509_NAME) object occurred or - the X509_NAME could not be extracted from B. Check the error stack - to find out the reason. - -+=item 1 -+ -+The operation succeeded. -+ - =back - - =head1 EXAMPLES -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod ---- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-08-16 15:31:35.727003914 +0200 -@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_ - - Return values from the server callback are interpreted as follows: - -+=over 4 -+ - =item > 0 - - PSK identity was found and the server callback has provided the PSK -@@ -99,4 +101,6 @@ completely. - PSK identity was not found. An "unknown_psk_identity" alert message - will be sent and the connection setup fails. - -+=back -+ - =cut -diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod ---- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-08-16 15:31:35.727003914 +0200 -@@ -45,17 +45,17 @@ The following return values can occur: - - =over 4 - --=item 1 -- --The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been --established. -- - =item 0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - -+=item 1 -+ -+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -+established. -+ - =item E0 - - The TLS/SSL handshake was not successful because a fatal error occurred either -diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports openssl-1.0.1e/doc/ssl/SSL_shutdown.pod ---- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports 2013-02-11 16:02:48.000000000 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-08-16 15:31:35.728003935 +0200 -@@ -92,11 +92,6 @@ The following return values can occur: - - =over 4 - --=item 1 -- --The shutdown was successfully completed. The "close notify" alert was sent --and the peer's "close notify" alert was received. -- - =item 0 - - The shutdown is not yet finished. Call SSL_shutdown() for a second time, -@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be per - The output of L may be misleading, as an - erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. - -+=item 1 -+ -+The shutdown was successfully completed. The "close notify" alert was sent -+and the peer's "close notify" alert was received. -+ - =item -1 - - The shutdown was not successful because a fatal error occurred either -diff -up openssl-1.0.1e/ssl/d1_lib.c.backports openssl-1.0.1e/ssl/d1_lib.c ---- openssl-1.0.1e/ssl/d1_lib.c.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/d1_lib.c 2013-08-16 15:33:33.306576363 +0200 -@@ -196,6 +196,7 @@ void dtls1_free(SSL *s) - pqueue_free(s->d1->buffered_app_data.q); - - OPENSSL_free(s->d1); -+ s->d1 = NULL; - } - - void dtls1_clear(SSL *s) -diff -up openssl-1.0.1e/ssl/d1_pkt.c.backports openssl-1.0.1e/ssl/d1_pkt.c ---- openssl-1.0.1e/ssl/d1_pkt.c.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/d1_pkt.c 2013-08-16 15:31:35.728003935 +0200 -@@ -847,6 +847,12 @@ start: - } - } - -+ if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) -+ { -+ rr->length = 0; -+ goto start; -+ } -+ - /* we now have a packet which can be read and processed */ - - if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, -@@ -1051,6 +1057,7 @@ start: - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && - !s->s3->renegotiate) - { -+ s->d1->handshake_read_seq++; - s->new_session = 1; - ssl3_renegotiate(s); - if (ssl3_renegotiate_check(s)) -diff -up openssl-1.0.1e/ssl/d1_srvr.c.backports openssl-1.0.1e/ssl/d1_srvr.c ---- openssl-1.0.1e/ssl/d1_srvr.c.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/d1_srvr.c 2013-08-16 15:31:35.728003935 +0200 -@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s) - case SSL3_ST_SW_HELLO_REQ_B: - - s->shutdown=0; -+ dtls1_clear_record_buffer(s); - dtls1_start_timer(s); - ret=dtls1_send_hello_request(s); - if (ret <= 0) goto end; -- s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; -+ s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A; - s->state=SSL3_ST_SW_FLUSH; - s->init_num=0; - -diff -up openssl-1.0.1e/ssl/s3_cbc.c.backports openssl-1.0.1e/ssl/s3_cbc.c ---- openssl-1.0.1e/ssl/s3_cbc.c.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/s3_cbc.c 2013-08-16 15:31:35.729003956 +0200 -@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; - /* Check if version requires explicit IV */ -- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) -+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) - { - /* These lengths are all public so we can test them in - * non-constant time. -diff -up openssl-1.0.1e/ssl/ssl_lib.c.backports openssl-1.0.1e/ssl/ssl_lib.c ---- openssl-1.0.1e/ssl/ssl_lib.c.backports 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/ssl_lib.c 2013-08-16 15:31:35.729003956 +0200 -@@ -1797,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); - - ret->extra_certs=NULL; -- ret->comp_methods=SSL_COMP_get_compression_methods(); -+ /* No compression for DTLS */ -+ if (meth->version != DTLS1_VERSION) -+ ret->comp_methods=SSL_COMP_get_compression_methods(); - - ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - -@@ -2792,9 +2794,7 @@ void ssl_clear_cipher_ctx(SSL *s) - /* Fix this function so that it takes an optional type parameter */ - X509 *SSL_get_certificate(const SSL *s) - { -- if (s->server) -- return(ssl_get_server_send_cert(s)); -- else if (s->cert != NULL) -+ if (s->cert != NULL) - return(s->cert->key->x509); - else - return(NULL); -diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl -index 3b6c469..e8a7518 100644 ---- a/crypto/x86cpuid.pl -+++ b/crypto/x86cpuid.pl -@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } - &inc ("esi"); # number of cores - - &mov ("eax",1); -+ &xor ("ecx","ecx"); - &cpuid (); - &bt ("edx",28); - &jnc (&label("generic")); -@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } - - &set_label("nocacheinfo"); - &mov ("eax",1); -+ &xor ("ecx","ecx"); - &cpuid (); - &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0 - &cmp ("ebp",0); diff --git a/openssl-1.0.1e-bad-mac.patch b/openssl-1.0.1e-bad-mac.patch deleted file mode 100644 index 06d284e..0000000 --- a/openssl-1.0.1e-bad-mac.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001 -From: Andy Polyakov -Date: Mon, 18 Mar 2013 19:29:41 +0100 -Subject: [PATCH] e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI - plaforms. - -PR: 3002 -(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc) ---- - crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c -index 483e04b..fb2c884 100644 ---- a/crypto/evp/e_aes_cbc_hmac_sha1.c -+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c -@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - - if (res!=SHA_CBLOCK) continue; - -- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); -+ /* j is not incremented yet */ -+ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1)); - data->u[SHA_LBLOCK-1] |= bitlen&mask; - sha1_block_data_order(&key->md,data,1); -- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); -+ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1)); - pmac->u[0] |= key->md.h0 & mask; - pmac->u[1] |= key->md.h1 & mask; - pmac->u[2] |= key->md.h2 & mask; --- -1.7.9.5 - diff --git a/openssl-1.0.1e-cve-2013-4353.patch b/openssl-1.0.1e-cve-2013-4353.patch deleted file mode 100644 index 5f96116..0000000 --- a/openssl-1.0.1e-cve-2013-4353.patch +++ /dev/null @@ -1,21 +0,0 @@ -Fix for TLS record tampering bug. A carefully crafted invalid -handshake could crash OpenSSL with a NULL pointer exception. -Thanks to Anton Johansson for reporting this issues. -(CVE-2013-4353) -diff --git a/ssl/s3_both.c b/ssl/s3_both.c -index 1e5dcab..53b9390 100644 ---- a/ssl/s3_both.c -+++ b/ssl/s3_both.c -@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s) - { - const char *sender; - int slen; -- -+ /* If no new cipher setup return immediately: other functions will -+ * set the appropriate error. -+ */ -+ if (s->s3->tmp.new_cipher == NULL) -+ return; - if (s->state & SSL_ST_CONNECT) - { - sender=s->method->ssl3_enc->server_finished_label; diff --git a/openssl-1.0.1e-cve-2013-6449.patch b/openssl-1.0.1e-cve-2013-6449.patch deleted file mode 100644 index d80a178..0000000 --- a/openssl-1.0.1e-cve-2013-6449.patch +++ /dev/null @@ -1,111 +0,0 @@ -Use version in SSL_METHOD not SSL structure. - -When deciding whether to use TLS 1.2 PRF and record hash algorithms -use the version number in the corresponding SSL_METHOD structure -instead of the SSL structure. The SSL structure version is sometimes -inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. -(CVE-2013-6449) - -Also preventively check EVP errors for handshake digests. - -diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c -index bf832bb..c4ef273 100644 ---- a/ssl/s3_lib.c -+++ b/ssl/s3_lib.c -@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT. - long ssl_get_algorithm2(SSL *s) - { - long alg2 = s->s3->tmp.new_cipher->algorithm2; -- if (TLS1_get_version(s) >= TLS1_2_VERSION && -+ if (s->method->version == TLS1_2_VERSION && - alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - return alg2; -diff --git a/ssl/s3_both.c b/ssl/s3_both.c -index ead01c8..1e5dcab 100644 ---- a/ssl/s3_both.c -+++ b/ssl/s3_both.c -@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) - - i=s->method->ssl3_enc->final_finish_mac(s, - sender,slen,s->s3->tmp.finish_md); -+ if (i == 0) -+ return 0; - s->s3->tmp.finish_md_len = i; - memcpy(p, s->s3->tmp.finish_md, i); - p+=i; -diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c -index 804291e..c4bc4e7 100644 ---- a/ssl/s3_pkt.c -+++ b/ssl/s3_pkt.c -@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); - if (version != s->version) - { - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); -- if ((s->version & 0xFF00) == (version & 0xFF00)) -+ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) - /* Send back error using their minor version number :-) */ - s->version = (unsigned short)version; - al=SSL_AD_PROTOCOL_VERSION; -@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) - slen=s->method->ssl3_enc->client_finished_label_len; - } - -- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, -+ i = s->method->ssl3_enc->final_finish_mac(s, - sender,slen,s->s3->tmp.peer_finish_md); -+ if (i == 0) -+ { -+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ s->s3->tmp.peer_finish_md_len = i; - - return(1); - } -diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c -index e5a8b3f..52efed3 100644 ---- a/ssl/s3_srvr.c -+++ b/ssl/s3_srvr.c -@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s) - (s->version != DTLS1_VERSION && s->client_version < s->version)) - { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); -- if ((s->client_version>>8) == SSL3_VERSION_MAJOR) -+ if ((s->client_version>>8) == SSL3_VERSION_MAJOR && -+ !s->enc_write_ctx && !s->write_hash) - { - /* similar to ssl3_get_record, send alert using remote version number */ - s->version = s->client_version; -diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 809ad2e..72015f5 100644 ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s, - if (mask & ssl_get_algorithm2(s)) - { - int hashsize = EVP_MD_size(md); -- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) -+ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; -+ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) - { - /* internal error: 'buf' is too small for this cipersuite! */ - err = 1; - } - else - { -- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); -- EVP_DigestFinal_ex(&ctx,q,&i); -- if (i != (unsigned int)hashsize) /* can't really happen */ -+ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || -+ !EVP_DigestFinal_ex(&ctx,q,&i) || -+ (i != (unsigned int)hashsize)) - err = 1; -- q+=i; -+ q+=hashsize; - } - } - } --- -1.8.3.1 - diff --git a/openssl-1.0.1e-cve-2013-6450.patch b/openssl-1.0.1e-cve-2013-6450.patch deleted file mode 100644 index fa096c8..0000000 --- a/openssl-1.0.1e-cve-2013-6450.patch +++ /dev/null @@ -1,85 +0,0 @@ -Fix DTLS retransmission from previous session. - -For DTLS we might need to retransmit messages from the previous session -so keep a copy of write context in DTLS retransmission buffers instead -of replacing it after sending CCS. CVE-2013-6450. - -diff --git a/ssl/d1_both.c b/ssl/d1_both.c -index 65ec001..7a5596a 100644 ---- a/ssl/d1_both.c -+++ b/ssl/d1_both.c -@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) - static void - dtls1_hm_fragment_free(hm_fragment *frag) - { -+ -+ if (frag->msg_header.is_ccs) -+ { -+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); -+ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); -+ } - if (frag->fragment) OPENSSL_free(frag->fragment); - if (frag->reassembly) OPENSSL_free(frag->reassembly); - OPENSSL_free(frag); -diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h -index 96ce9a7..e485907 100644 ---- a/ssl/ssl_locl.h -+++ b/ssl/ssl_locl.h -@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; - extern SSL3_ENC_METHOD SSLv3_enc_data; - extern SSL3_ENC_METHOD DTLSv1_enc_data; - -+#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) -+ - #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ - s_get_meth) \ - const SSL_METHOD *func_name(void) \ -diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 72015f5..56db834 100644 ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) - s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; - else - s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; -- if (s->enc_write_ctx != NULL) -+ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) - reuse_dd = 1; -- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) -+ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) - goto err; -- else -- /* make sure it's intialized in case we exit later with an error */ -- EVP_CIPHER_CTX_init(s->enc_write_ctx); - dd= s->enc_write_ctx; -- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); -+ if (SSL_IS_DTLS(s)) -+ { -+ mac_ctx = EVP_MD_CTX_create(); -+ if (!mac_ctx) -+ goto err; -+ s->write_hash = mac_ctx; -+ } -+ else -+ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); - #ifndef OPENSSL_NO_COMP - if (s->compress != NULL) - { -diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c -index 6fc469f..d14e8e4 100644 ---- a/crypto/evp/digest.c -+++ b/crypto/evp/digest.c -@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count, - - void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) - { -- EVP_MD_CTX_cleanup(ctx); -- OPENSSL_free(ctx); -+ if (ctx) -+ { -+ EVP_MD_CTX_cleanup(ctx); -+ OPENSSL_free(ctx); -+ } - } - - /* This call frees resources associated with the context */ diff --git a/openssl-1.0.1e-req-keylen.patch b/openssl-1.0.1e-req-keylen.patch deleted file mode 100644 index 1574bb8..0000000 --- a/openssl-1.0.1e-req-keylen.patch +++ /dev/null @@ -1,38 +0,0 @@ -diff -up openssl-1.0.1e/apps/req.c.keylen openssl-1.0.1e/apps/req.c ---- openssl-1.0.1e/apps/req.c.keylen 2014-02-12 14:58:29.000000000 +0100 -+++ openssl-1.0.1e/apps/req.c 2014-02-14 13:52:48.692325000 +0100 -@@ -644,6 +644,12 @@ bad: - if (inrand) - app_RAND_load_files(inrand); - -+ if (newkey <= 0) -+ { -+ if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey)) -+ newkey=DEFAULT_KEY_LENGTH; -+ } -+ - if (keyalg) - { - genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, -@@ -651,12 +657,6 @@ bad: - if (!genctx) - goto end; - } -- -- if (newkey <= 0) -- { -- if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey)) -- newkey=DEFAULT_KEY_LENGTH; -- } - - if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) - { -@@ -1649,6 +1649,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO - keylen = atol(p + 1); - *pkeylen = keylen; - } -+ else -+ keylen = *pkeylen; - } - else if (p) - paramfile = p + 1; diff --git a/openssl-1.0.1e-ssl2-no-ec.patch b/openssl-1.0.1e-ssl2-no-ec.patch new file mode 100644 index 0000000..81ad472 --- /dev/null +++ b/openssl-1.0.1e-ssl2-no-ec.patch @@ -0,0 +1,17 @@ +diff -up openssl-1.0.1e/ssl/s23_lib.c.ssl2noec openssl-1.0.1e/ssl/s23_lib.c +--- openssl-1.0.1e/ssl/s23_lib.c.ssl2noec 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/s23_lib.c 2014-05-06 15:51:54.053293674 +0200 +@@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_C + long l; + + /* We can write SSLv2 and SSLv3 ciphers */ ++ /* but no ECC ciphers */ ++ if (c->algorithm_mkey == SSL_kECDHr || ++ c->algorithm_mkey == SSL_kECDHe || ++ c->algorithm_mkey == SSL_kEECDH || ++ c->algorithm_auth == SSL_aECDH || ++ c->algorithm_auth == SSL_aECDSA) ++ return 0; + if (p != NULL) + { + l=c->id; diff --git a/openssl-1.0.1e-3des-strength.patch b/openssl-1.0.1g-3des-strength.patch similarity index 82% rename from openssl-1.0.1e-3des-strength.patch rename to openssl-1.0.1g-3des-strength.patch index 7375b47..aec054d 100644 --- a/openssl-1.0.1e-3des-strength.patch +++ b/openssl-1.0.1g-3des-strength.patch @@ -1,9 +1,6 @@ -Although the real strength is rather 112 bits we use 128 here as -we do not want to sort it behind more obscure ciphers. -AES-128 is preferred anyway. -diff -up openssl-1.0.1e/ssl/s2_lib.c.3des-strength openssl-1.0.1e/ssl/s2_lib.c ---- openssl-1.0.1e/ssl/s2_lib.c.3des-strength 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/s2_lib.c 2014-01-22 16:32:45.791700322 +0100 +diff -up openssl-1.0.1g/ssl/s2_lib.c.3des-strength openssl-1.0.1g/ssl/s2_lib.c +--- openssl-1.0.1g/ssl/s2_lib.c.3des-strength 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/ssl/s2_lib.c 2014-05-06 16:33:45.646358418 +0200 @@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip SSL_SSLV2, SSL_NOT_EXP|SSL_HIGH, @@ -13,9 +10,9 @@ diff -up openssl-1.0.1e/ssl/s2_lib.c.3des-strength openssl-1.0.1e/ssl/s2_lib.c 168, }, -diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c ---- openssl-1.0.1e/ssl/s3_lib.c.3des-strength 2014-01-17 11:41:11.000000000 +0100 -+++ openssl-1.0.1e/ssl/s3_lib.c 2014-01-22 16:31:14.713666777 +0100 +diff -up openssl-1.0.1g/ssl/s3_lib.c.3des-strength openssl-1.0.1g/ssl/s3_lib.c +--- openssl-1.0.1g/ssl/s3_lib.c.3des-strength 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/ssl/s3_lib.c 2014-05-06 16:38:05.887374872 +0200 @@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, @@ -90,7 +87,7 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c @@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 128, diff --git a/openssl-1.0.1e-fips.patch b/openssl-1.0.1g-fips.patch similarity index 95% rename from openssl-1.0.1e-fips.patch rename to openssl-1.0.1g-fips.patch index f5496a0..26b1e86 100644 --- a/openssl-1.0.1e-fips.patch +++ b/openssl-1.0.1g-fips.patch @@ -1,31 +1,6 @@ -diff -up openssl-1.0.1e/apps/pkcs12.c.fips openssl-1.0.1e/apps/pkcs12.c ---- openssl-1.0.1e/apps/pkcs12.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/apps/pkcs12.c 2013-10-04 11:48:04.172693955 +0200 -@@ -67,6 +67,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+#include -+#endif - - #define PROG pkcs12_main - -@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv) - - apps_startup(); - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) -+ cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */ -+#endif -+ - enc = EVP_des_ede3_cbc(); - if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); - -diff -up openssl-1.0.1e/apps/speed.c.fips openssl-1.0.1e/apps/speed.c ---- openssl-1.0.1e/apps/speed.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/apps/speed.c 2013-10-04 11:49:56.384227859 +0200 +diff -up openssl-1.0.1g/apps/speed.c.fips openssl-1.0.1g/apps/speed.c +--- openssl-1.0.1g/apps/speed.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/apps/speed.c 2014-05-06 16:29:50.536922993 +0200 @@ -195,7 +195,6 @@ #ifdef OPENSSL_DOING_MAKEDEPEND #undef AES_set_encrypt_key @@ -151,10 +126,10 @@ diff -up openssl-1.0.1e/apps/speed.c.fips openssl-1.0.1e/apps/speed.c HMAC_Init_ex(&hctx,(unsigned char *)"This is a key...", 16,EVP_md5(), NULL); -diff -up openssl-1.0.1e/Configure.fips openssl-1.0.1e/Configure ---- openssl-1.0.1e/Configure.fips 2013-10-04 11:48:04.153693526 +0200 -+++ openssl-1.0.1e/Configure 2013-10-04 11:48:04.173693978 +0200 -@@ -995,11 +995,6 @@ if (defined($disabled{"md5"}) || defined +diff -up openssl-1.0.1g/Configure.fips openssl-1.0.1g/Configure +--- openssl-1.0.1g/Configure.fips 2014-05-06 16:29:50.523922693 +0200 ++++ openssl-1.0.1g/Configure 2014-05-06 16:29:50.536922993 +0200 +@@ -997,11 +997,6 @@ if (defined($disabled{"md5"}) || defined $disabled{"ssl2"} = "forced"; } @@ -166,7 +141,7 @@ diff -up openssl-1.0.1e/Configure.fips openssl-1.0.1e/Configure # RSAX ENGINE sets default non-FIPS RSA method. if ($fips) { -@@ -1474,7 +1469,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b +@@ -1476,7 +1471,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b if ($fips) { $openssl_other_defines.="#define OPENSSL_FIPS\n"; @@ -174,7 +149,7 @@ diff -up openssl-1.0.1e/Configure.fips openssl-1.0.1e/Configure } $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); -@@ -1661,9 +1655,12 @@ while () +@@ -1663,9 +1657,12 @@ while () s/^FIPSDIR=.*/FIPSDIR=$fipsdir/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; @@ -188,9 +163,9 @@ diff -up openssl-1.0.1e/Configure.fips openssl-1.0.1e/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.1e/crypto/aes/aes_misc.c.fips openssl-1.0.1e/crypto/aes/aes_misc.c ---- openssl-1.0.1e/crypto/aes/aes_misc.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/aes/aes_misc.c 2013-10-04 11:48:04.173693978 +0200 +diff -up openssl-1.0.1g/crypto/aes/aes_misc.c.fips openssl-1.0.1g/crypto/aes/aes_misc.c +--- openssl-1.0.1g/crypto/aes/aes_misc.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/aes/aes_misc.c 2014-05-06 16:29:50.536922993 +0200 @@ -69,17 +69,11 @@ const char *AES_options(void) { int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) @@ -209,9 +184,9 @@ diff -up openssl-1.0.1e/crypto/aes/aes_misc.c.fips openssl-1.0.1e/crypto/aes/aes -#endif return private_AES_set_decrypt_key(userKey, bits, key); } -diff -up openssl-1.0.1e/crypto/cmac/cmac.c.fips openssl-1.0.1e/crypto/cmac/cmac.c ---- openssl-1.0.1e/crypto/cmac/cmac.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/cmac/cmac.c 2013-10-04 11:48:04.173693978 +0200 +diff -up openssl-1.0.1g/crypto/cmac/cmac.c.fips openssl-1.0.1g/crypto/cmac/cmac.c +--- openssl-1.0.1g/crypto/cmac/cmac.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/cmac/cmac.c 2014-05-06 16:29:50.537923016 +0200 @@ -107,13 +107,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) @@ -260,9 +235,9 @@ diff -up openssl-1.0.1e/crypto/cmac/cmac.c.fips openssl-1.0.1e/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); -diff -up openssl-1.0.1e/crypto/crypto.h.fips openssl-1.0.1e/crypto/crypto.h ---- openssl-1.0.1e/crypto/crypto.h.fips 2013-10-04 11:48:04.058691381 +0200 -+++ openssl-1.0.1e/crypto/crypto.h 2013-10-04 11:48:04.173693978 +0200 +diff -up openssl-1.0.1g/crypto/crypto.h.fips openssl-1.0.1g/crypto/crypto.h +--- openssl-1.0.1g/crypto/crypto.h.fips 2014-05-06 16:29:50.419920288 +0200 ++++ openssl-1.0.1g/crypto/crypto.h 2014-05-06 16:29:50.537923016 +0200 @@ -553,24 +553,29 @@ int FIPS_mode_set(int r); void OPENSSL_init(void); @@ -308,9 +283,9 @@ diff -up openssl-1.0.1e/crypto/crypto.h.fips openssl-1.0.1e/crypto/crypto.h /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.1e/crypto/des/des.h.fips openssl-1.0.1e/crypto/des/des.h ---- openssl-1.0.1e/crypto/des/des.h.fips 2013-10-04 11:48:04.088692058 +0200 -+++ openssl-1.0.1e/crypto/des/des.h 2013-10-04 11:48:04.173693978 +0200 +diff -up openssl-1.0.1g/crypto/des/des.h.fips openssl-1.0.1g/crypto/des/des.h +--- openssl-1.0.1g/crypto/des/des.h.fips 2014-05-06 16:29:50.449920982 +0200 ++++ openssl-1.0.1g/crypto/des/des.h 2014-05-06 16:29:50.537923016 +0200 @@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DE int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule); @@ -321,9 +296,9 @@ diff -up openssl-1.0.1e/crypto/des/des.h.fips openssl-1.0.1e/crypto/des/des.h void DES_string_to_key(const char *str,DES_cblock *key); void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length, -diff -up openssl-1.0.1e/crypto/des/set_key.c.fips openssl-1.0.1e/crypto/des/set_key.c ---- openssl-1.0.1e/crypto/des/set_key.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/des/set_key.c 2013-10-04 11:48:04.174694001 +0200 +diff -up openssl-1.0.1g/crypto/des/set_key.c.fips openssl-1.0.1g/crypto/des/set_key.c +--- openssl-1.0.1g/crypto/des/set_key.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/des/set_key.c 2014-05-06 16:29:50.537923016 +0200 @@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock } @@ -338,9 +313,9 @@ diff -up openssl-1.0.1e/crypto/des/set_key.c.fips openssl-1.0.1e/crypto/des/set_ { static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; register DES_LONG c,d,t,s,t2; -diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips openssl-1.0.1e/crypto/dh/dh_gen.c ---- openssl-1.0.1e/crypto/dh/dh_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-10-04 11:48:04.174694001 +0200 +diff -up openssl-1.0.1g/crypto/dh/dh_gen.c.fips openssl-1.0.1g/crypto/dh/dh_gen.c +--- openssl-1.0.1g/crypto/dh/dh_gen.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dh/dh_gen.c 2014-05-06 16:29:50.537923016 +0200 @@ -84,11 +84,6 @@ int DH_generate_parameters_ex(DH *ret, i #endif if(ret->meth->generate_params) @@ -374,9 +349,9 @@ diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips openssl-1.0.1e/crypto/dh/dh_gen. ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); -diff -up openssl-1.0.1e/crypto/dh/dh.h.fips openssl-1.0.1e/crypto/dh/dh.h ---- openssl-1.0.1e/crypto/dh/dh.h.fips 2014-02-06 18:04:19.000000000 +0100 -+++ openssl-1.0.1e/crypto/dh/dh.h 2014-02-11 16:01:17.039345356 +0100 +diff -up openssl-1.0.1g/crypto/dh/dh.h.fips openssl-1.0.1g/crypto/dh/dh.h +--- openssl-1.0.1g/crypto/dh/dh.h.fips 2014-05-06 16:29:50.394919710 +0200 ++++ openssl-1.0.1g/crypto/dh/dh.h 2014-05-06 16:29:50.537923016 +0200 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 #endif @@ -394,9 +369,9 @@ diff -up openssl-1.0.1e/crypto/dh/dh.h.fips openssl-1.0.1e/crypto/dh/dh.h DH * d2i_DHparams(DH **a,const unsigned char **pp, long length); int i2d_DHparams(const DH *a,unsigned char **pp); #ifndef OPENSSL_NO_FP_API -diff -up openssl-1.0.1e/crypto/dh/dh_key.c.fips openssl-1.0.1e/crypto/dh/dh_key.c ---- openssl-1.0.1e/crypto/dh/dh_key.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dh/dh_key.c 2014-02-11 15:57:55.266840301 +0100 +diff -up openssl-1.0.1g/crypto/dh/dh_key.c.fips openssl-1.0.1g/crypto/dh/dh_key.c +--- openssl-1.0.1g/crypto/dh/dh_key.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dh/dh_key.c 2014-05-06 16:29:50.538923040 +0200 @@ -61,6 +61,9 @@ #include #include @@ -477,9 +452,9 @@ diff -up openssl-1.0.1e/crypto/dh/dh_key.c.fips openssl-1.0.1e/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.1e/crypto/dh/dh_lib.c.fips openssl-1.0.1e/crypto/dh/dh_lib.c ---- openssl-1.0.1e/crypto/dh/dh_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dh/dh_lib.c 2013-10-04 11:48:04.174694001 +0200 +diff -up openssl-1.0.1g/crypto/dh/dh_lib.c.fips openssl-1.0.1g/crypto/dh/dh_lib.c +--- openssl-1.0.1g/crypto/dh/dh_lib.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dh/dh_lib.c 2014-05-06 16:29:50.538923040 +0200 @@ -81,14 +81,7 @@ const DH_METHOD *DH_get_default_method(v { if(!default_DH_method) @@ -495,9 +470,9 @@ diff -up openssl-1.0.1e/crypto/dh/dh_lib.c.fips openssl-1.0.1e/crypto/dh/dh_lib. } return default_DH_method; } -diff -up openssl-1.0.1e/crypto/dsa/dsa_err.c.fips openssl-1.0.1e/crypto/dsa/dsa_err.c ---- openssl-1.0.1e/crypto/dsa/dsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa_err.c 2013-10-04 11:48:04.174694001 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsa_err.c.fips openssl-1.0.1g/crypto/dsa/dsa_err.c +--- openssl-1.0.1g/crypto/dsa/dsa_err.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dsa/dsa_err.c 2014-05-06 16:29:50.538923040 +0200 @@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]= {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"}, {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, @@ -516,9 +491,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa_err.c.fips openssl-1.0.1e/crypto/dsa/dsa_ {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"}, -diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips openssl-1.0.1e/crypto/dsa/dsa_gen.c ---- openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa_gen.c 2013-10-04 11:48:04.175694023 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips openssl-1.0.1g/crypto/dsa/dsa_gen.c +--- openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dsa/dsa_gen.c 2014-05-06 16:29:50.538923040 +0200 @@ -85,6 +85,14 @@ #include #endif @@ -925,9 +900,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips openssl-1.0.1e/crypto/dsa/dsa_ } if (mont != NULL) BN_MONT_CTX_free(mont); return ok; -diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips openssl-1.0.1e/crypto/dsa/dsa.h ---- openssl-1.0.1e/crypto/dsa/dsa.h.fips 2013-10-04 11:48:03.956689078 +0200 -+++ openssl-1.0.1e/crypto/dsa/dsa.h 2013-10-04 11:48:04.175694023 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsa.h.fips openssl-1.0.1g/crypto/dsa/dsa.h +--- openssl-1.0.1g/crypto/dsa/dsa.h.fips 2014-05-06 16:29:50.316917907 +0200 ++++ openssl-1.0.1g/crypto/dsa/dsa.h 2014-05-06 16:29:50.538923040 +0200 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif @@ -988,9 +963,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips openssl-1.0.1e/crypto/dsa/dsa.h #define DSA_R_PARAMETER_ENCODING_ERROR 105 #ifdef __cplusplus -diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips openssl-1.0.1e/crypto/dsa/dsa_key.c ---- openssl-1.0.1e/crypto/dsa/dsa_key.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-10-04 11:48:04.175694023 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsa_key.c.fips openssl-1.0.1g/crypto/dsa/dsa_key.c +--- openssl-1.0.1g/crypto/dsa/dsa_key.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dsa/dsa_key.c 2014-05-06 16:29:50.539923063 +0200 @@ -66,6 +66,35 @@ #ifdef OPENSSL_FIPS @@ -1069,9 +1044,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips openssl-1.0.1e/crypto/dsa/dsa_ ok=1; err: -diff -up openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips openssl-1.0.1e/crypto/dsa/dsa_lib.c ---- openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa_lib.c 2013-10-04 11:48:04.175694023 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsa_lib.c.fips openssl-1.0.1g/crypto/dsa/dsa_lib.c +--- openssl-1.0.1g/crypto/dsa/dsa_lib.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dsa/dsa_lib.c 2014-05-06 16:29:50.539923063 +0200 @@ -87,14 +87,7 @@ const DSA_METHOD *DSA_get_default_method { if(!default_DSA_method) @@ -1087,18 +1062,18 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips openssl-1.0.1e/crypto/dsa/dsa_ } return default_DSA_method; } -diff -up openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips openssl-1.0.1e/crypto/dsa/dsa_locl.h ---- openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips 2013-10-04 11:48:03.958689123 +0200 -+++ openssl-1.0.1e/crypto/dsa/dsa_locl.h 2013-10-04 11:48:04.175694023 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsa_locl.h.fips openssl-1.0.1g/crypto/dsa/dsa_locl.h +--- openssl-1.0.1g/crypto/dsa/dsa_locl.h.fips 2014-05-06 16:29:50.317917930 +0200 ++++ openssl-1.0.1g/crypto/dsa/dsa_locl.h 2014-05-06 16:29:50.539923063 +0200 @@ -56,5 +56,4 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, - unsigned char *seed_out, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); -diff -up openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1e/crypto/dsa/dsa_ossl.c ---- openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c 2013-10-04 11:48:04.175694023 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1g/crypto/dsa/dsa_ossl.c +--- openssl-1.0.1g/crypto/dsa/dsa_ossl.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dsa/dsa_ossl.c 2014-05-06 16:29:50.539923063 +0200 @@ -65,6 +65,9 @@ #include #include @@ -1172,9 +1147,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1e/crypto/dsa/dsa dsa->flags|=DSA_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1e/crypto/dsa/dsa_pmeth.c ---- openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa_pmeth.c 2013-10-04 11:48:04.175694023 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1g/crypto/dsa/dsa_pmeth.c +--- openssl-1.0.1g/crypto/dsa/dsa_pmeth.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dsa/dsa_pmeth.c 2014-05-06 16:29:50.539923063 +0200 @@ -255,7 +255,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT if (!dsa) return 0; @@ -1184,9 +1159,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1e/crypto/dsa/ds if (ret) EVP_PKEY_assign_DSA(pkey, dsa); else -diff -up openssl-1.0.1e/crypto/dsa/dsatest.c.fips openssl-1.0.1e/crypto/dsa/dsatest.c ---- openssl-1.0.1e/crypto/dsa/dsatest.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsatest.c 2013-10-04 11:48:04.176694045 +0200 +diff -up openssl-1.0.1g/crypto/dsa/dsatest.c.fips openssl-1.0.1g/crypto/dsa/dsatest.c +--- openssl-1.0.1g/crypto/dsa/dsatest.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dsa/dsatest.c 2014-05-06 16:29:50.539923063 +0200 @@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ @@ -1271,9 +1246,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsatest.c.fips openssl-1.0.1e/crypto/dsa/dsat goto end; } if (h != 2) -diff -up openssl-1.0.1e/crypto/engine/eng_all.c.fips openssl-1.0.1e/crypto/engine/eng_all.c ---- openssl-1.0.1e/crypto/engine/eng_all.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-10-04 11:48:04.176694045 +0200 +diff -up openssl-1.0.1g/crypto/engine/eng_all.c.fips openssl-1.0.1g/crypto/engine/eng_all.c +--- openssl-1.0.1g/crypto/engine/eng_all.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/engine/eng_all.c 2014-05-06 16:29:50.539923063 +0200 @@ -58,11 +58,25 @@ #include "cryptlib.h" @@ -1300,9 +1275,9 @@ diff -up openssl-1.0.1e/crypto/engine/eng_all.c.fips openssl-1.0.1e/crypto/engin #if 0 /* There's no longer any need for an "openssl" ENGINE unless, one day, * it is the *only* way for standard builtin implementations to be be -diff -up openssl-1.0.1e/crypto/evp/c_allc.c.fips openssl-1.0.1e/crypto/evp/c_allc.c ---- openssl-1.0.1e/crypto/evp/c_allc.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/c_allc.c 2013-10-04 11:48:04.176694045 +0200 +diff -up openssl-1.0.1g/crypto/evp/c_allc.c.fips openssl-1.0.1g/crypto/evp/c_allc.c +--- openssl-1.0.1g/crypto/evp/c_allc.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/c_allc.c 2014-05-06 16:29:50.540923086 +0200 @@ -65,6 +65,11 @@ void OpenSSL_add_all_ciphers(void) { @@ -1376,9 +1351,9 @@ diff -up openssl-1.0.1e/crypto/evp/c_allc.c.fips openssl-1.0.1e/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.1e/crypto/evp/c_alld.c.fips openssl-1.0.1e/crypto/evp/c_alld.c ---- openssl-1.0.1e/crypto/evp/c_alld.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/c_alld.c 2013-10-04 11:48:04.176694045 +0200 +diff -up openssl-1.0.1g/crypto/evp/c_alld.c.fips openssl-1.0.1g/crypto/evp/c_alld.c +--- openssl-1.0.1g/crypto/evp/c_alld.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/c_alld.c 2014-05-06 16:29:50.540923086 +0200 @@ -64,6 +64,11 @@ void OpenSSL_add_all_digests(void) @@ -1424,9 +1399,9 @@ diff -up openssl-1.0.1e/crypto/evp/c_alld.c.fips openssl-1.0.1e/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/digest.c ---- openssl-1.0.1e/crypto/evp/digest.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/digest.c 2013-10-04 11:48:04.176694045 +0200 +diff -up openssl-1.0.1g/crypto/evp/digest.c.fips openssl-1.0.1g/crypto/evp/digest.c +--- openssl-1.0.1g/crypto/evp/digest.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/digest.c 2014-05-06 16:29:50.540923086 +0200 @@ -142,9 +142,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } @@ -1549,7 +1524,7 @@ diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/diges } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) -@@ -373,7 +414,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) +@@ -376,7 +417,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { @@ -1557,7 +1532,7 @@ diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/diges /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, * because sometimes only copies of the context are ever finalised. */ -@@ -386,7 +426,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) +@@ -389,7 +429,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } @@ -1565,7 +1540,7 @@ diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/diges if (ctx->pctx) EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE -@@ -395,9 +434,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) +@@ -398,9 +437,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); #endif @@ -1575,9 +1550,9 @@ diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/diges memset(ctx,'\0',sizeof *ctx); return 1; -diff -up openssl-1.0.1e/crypto/evp/e_aes.c.fips openssl-1.0.1e/crypto/evp/e_aes.c ---- openssl-1.0.1e/crypto/evp/e_aes.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/e_aes.c 2013-10-04 11:48:04.177694068 +0200 +diff -up openssl-1.0.1g/crypto/evp/e_aes.c.fips openssl-1.0.1g/crypto/evp/e_aes.c +--- openssl-1.0.1g/crypto/evp/e_aes.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/e_aes.c 2014-05-06 16:29:50.540923086 +0200 @@ -56,7 +56,6 @@ #include #include @@ -1595,7 +1570,7 @@ diff -up openssl-1.0.1e/crypto/evp/e_aes.c.fips openssl-1.0.1e/crypto/evp/e_aes. && arg < 12) return 0; #endif -@@ -1128,7 +1127,7 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -1134,7 +1133,7 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; #ifdef OPENSSL_FIPS /* Requirement of SP800-38E */ @@ -1604,14 +1579,14 @@ diff -up openssl-1.0.1e/crypto/evp/e_aes.c.fips openssl-1.0.1e/crypto/evp/e_aes. (len > (1UL<<20)*16)) { EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); -@@ -1311,4 +1310,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm +@@ -1317,4 +1316,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) #endif -#endif -diff -up openssl-1.0.1e/crypto/evp/e_des3.c.fips openssl-1.0.1e/crypto/evp/e_des3.c ---- openssl-1.0.1e/crypto/evp/e_des3.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/e_des3.c 2013-10-04 11:48:04.177694068 +0200 +diff -up openssl-1.0.1g/crypto/evp/e_des3.c.fips openssl-1.0.1g/crypto/evp/e_des3.c +--- openssl-1.0.1g/crypto/evp/e_des3.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/e_des3.c 2014-05-06 16:29:50.540923086 +0200 @@ -65,8 +65,6 @@ #include #include @@ -1670,9 +1645,9 @@ diff -up openssl-1.0.1e/crypto/evp/e_des3.c.fips openssl-1.0.1e/crypto/evp/e_des } #endif -#endif -diff -up openssl-1.0.1e/crypto/evp/e_null.c.fips openssl-1.0.1e/crypto/evp/e_null.c ---- openssl-1.0.1e/crypto/evp/e_null.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/e_null.c 2013-10-04 11:48:04.177694068 +0200 +diff -up openssl-1.0.1g/crypto/evp/e_null.c.fips openssl-1.0.1g/crypto/evp/e_null.c +--- openssl-1.0.1g/crypto/evp/e_null.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/e_null.c 2014-05-06 16:29:50.540923086 +0200 @@ -61,8 +61,6 @@ #include #include @@ -1696,9 +1671,9 @@ diff -up openssl-1.0.1e/crypto/evp/e_null.c.fips openssl-1.0.1e/crypto/evp/e_nul return 1; } -#endif -diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.fips openssl-1.0.1e/crypto/evp/evp_enc.c ---- openssl-1.0.1e/crypto/evp/evp_enc.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/evp_enc.c 2013-10-04 11:48:04.177694068 +0200 +diff -up openssl-1.0.1g/crypto/evp/evp_enc.c.fips openssl-1.0.1g/crypto/evp/evp_enc.c +--- openssl-1.0.1g/crypto/evp/evp_enc.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/evp_enc.c 2014-05-06 16:29:50.541923109 +0200 @@ -69,17 +69,58 @@ #endif #include "evp_locl.h" @@ -1847,9 +1822,9 @@ diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.fips openssl-1.0.1e/crypto/evp/evp_ memset(c,0,sizeof(EVP_CIPHER_CTX)); return 1; } -diff -up openssl-1.0.1e/crypto/evp/evp.h.fips openssl-1.0.1e/crypto/evp/evp.h ---- openssl-1.0.1e/crypto/evp/evp.h.fips 2013-10-04 11:48:04.071691675 +0200 -+++ openssl-1.0.1e/crypto/evp/evp.h 2013-10-04 11:48:04.177694068 +0200 +diff -up openssl-1.0.1g/crypto/evp/evp.h.fips openssl-1.0.1g/crypto/evp/evp.h +--- openssl-1.0.1g/crypto/evp/evp.h.fips 2014-05-06 16:29:50.432920589 +0200 ++++ openssl-1.0.1g/crypto/evp/evp.h 2014-05-06 16:29:50.541923109 +0200 @@ -75,6 +75,10 @@ #include #endif @@ -1902,9 +1877,9 @@ diff -up openssl-1.0.1e/crypto/evp/evp.h.fips openssl-1.0.1e/crypto/evp/evp.h /* Cipher handles any and all padding logic as well * as finalisation. */ -diff -up openssl-1.0.1e/crypto/evp/evp_lib.c.fips openssl-1.0.1e/crypto/evp/evp_lib.c ---- openssl-1.0.1e/crypto/evp/evp_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/evp_lib.c 2013-10-04 11:48:04.177694068 +0200 +diff -up openssl-1.0.1g/crypto/evp/evp_lib.c.fips openssl-1.0.1g/crypto/evp/evp_lib.c +--- openssl-1.0.1g/crypto/evp/evp_lib.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/evp_lib.c 2014-05-06 16:29:50.541923109 +0200 @@ -190,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) @@ -1915,9 +1890,9 @@ diff -up openssl-1.0.1e/crypto/evp/evp_lib.c.fips openssl-1.0.1e/crypto/evp/evp_ return ctx->cipher->do_cipher(ctx,out,in,inl); } -diff -up openssl-1.0.1e/crypto/evp/evp_locl.h.fips openssl-1.0.1e/crypto/evp/evp_locl.h ---- openssl-1.0.1e/crypto/evp/evp_locl.h.fips 2013-10-04 11:48:04.067691584 +0200 -+++ openssl-1.0.1e/crypto/evp/evp_locl.h 2013-10-04 11:48:04.178694091 +0200 +diff -up openssl-1.0.1g/crypto/evp/evp_locl.h.fips openssl-1.0.1g/crypto/evp/evp_locl.h +--- openssl-1.0.1g/crypto/evp/evp_locl.h.fips 2014-05-06 16:29:50.428920496 +0200 ++++ openssl-1.0.1g/crypto/evp/evp_locl.h 2014-05-06 16:29:50.541923109 +0200 @@ -258,10 +258,9 @@ const EVP_CIPHER *EVP_##cname##_ecb(void BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ @@ -1952,9 +1927,9 @@ diff -up openssl-1.0.1e/crypto/evp/evp_locl.h.fips openssl-1.0.1e/crypto/evp/evp #define Camellia_set_key private_Camellia_set_key #endif -diff -up openssl-1.0.1e/crypto/evp/Makefile.fips openssl-1.0.1e/crypto/evp/Makefile ---- openssl-1.0.1e/crypto/evp/Makefile.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/Makefile 2013-10-04 11:48:04.178694091 +0200 +diff -up openssl-1.0.1g/crypto/evp/Makefile.fips openssl-1.0.1g/crypto/evp/Makefile +--- openssl-1.0.1g/crypto/evp/Makefile.fips 2014-04-07 18:55:33.000000000 +0200 ++++ openssl-1.0.1g/crypto/evp/Makefile 2014-05-06 16:29:50.541923109 +0200 @@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ @@ -1973,9 +1948,9 @@ diff -up openssl-1.0.1e/crypto/evp/Makefile.fips openssl-1.0.1e/crypto/evp/Makef e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o SRC= $(LIBSRC) -diff -up openssl-1.0.1e/crypto/evp/m_dss.c.fips openssl-1.0.1e/crypto/evp/m_dss.c ---- openssl-1.0.1e/crypto/evp/m_dss.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/m_dss.c 2013-10-04 11:48:04.178694091 +0200 +diff -up openssl-1.0.1g/crypto/evp/m_dss.c.fips openssl-1.0.1g/crypto/evp/m_dss.c +--- openssl-1.0.1g/crypto/evp/m_dss.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/m_dss.c 2014-05-06 16:29:50.542923132 +0200 @@ -66,7 +66,6 @@ #endif @@ -1998,9 +1973,9 @@ diff -up openssl-1.0.1e/crypto/evp/m_dss.c.fips openssl-1.0.1e/crypto/evp/m_dss. } #endif -#endif -diff -up openssl-1.0.1e/crypto/evp/m_dss1.c.fips openssl-1.0.1e/crypto/evp/m_dss1.c ---- openssl-1.0.1e/crypto/evp/m_dss1.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/m_dss1.c 2013-10-04 11:48:04.178694091 +0200 +diff -up openssl-1.0.1g/crypto/evp/m_dss1.c.fips openssl-1.0.1g/crypto/evp/m_dss1.c +--- openssl-1.0.1g/crypto/evp/m_dss1.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/m_dss1.c 2014-05-06 16:29:50.542923132 +0200 @@ -68,8 +68,6 @@ #include #endif @@ -2024,9 +1999,9 @@ diff -up openssl-1.0.1e/crypto/evp/m_dss1.c.fips openssl-1.0.1e/crypto/evp/m_dss } #endif -#endif -diff -up openssl-1.0.1e/crypto/evp/m_md2.c.fips openssl-1.0.1e/crypto/evp/m_md2.c ---- openssl-1.0.1e/crypto/evp/m_md2.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/m_md2.c 2013-10-04 11:48:04.178694091 +0200 +diff -up openssl-1.0.1g/crypto/evp/m_md2.c.fips openssl-1.0.1g/crypto/evp/m_md2.c +--- openssl-1.0.1g/crypto/evp/m_md2.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/m_md2.c 2014-05-06 16:29:50.542923132 +0200 @@ -68,6 +68,7 @@ #ifndef OPENSSL_NO_RSA #include @@ -2035,9 +2010,9 @@ diff -up openssl-1.0.1e/crypto/evp/m_md2.c.fips openssl-1.0.1e/crypto/evp/m_md2. static int init(EVP_MD_CTX *ctx) { return MD2_Init(ctx->md_data); } -diff -up openssl-1.0.1e/crypto/evp/m_sha1.c.fips openssl-1.0.1e/crypto/evp/m_sha1.c ---- openssl-1.0.1e/crypto/evp/m_sha1.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/m_sha1.c 2013-10-04 11:48:04.178694091 +0200 +diff -up openssl-1.0.1g/crypto/evp/m_sha1.c.fips openssl-1.0.1g/crypto/evp/m_sha1.c +--- openssl-1.0.1g/crypto/evp/m_sha1.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/m_sha1.c 2014-05-06 16:29:50.542923132 +0200 @@ -59,8 +59,6 @@ #include #include "cryptlib.h" @@ -2102,9 +2077,9 @@ diff -up openssl-1.0.1e/crypto/evp/m_sha1.c.fips openssl-1.0.1e/crypto/evp/m_sha #endif /* ifndef OPENSSL_NO_SHA512 */ -#endif -diff -up openssl-1.0.1e/crypto/evp/p_sign.c.fips openssl-1.0.1e/crypto/evp/p_sign.c ---- openssl-1.0.1e/crypto/evp/p_sign.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/p_sign.c 2013-10-04 11:48:04.179694114 +0200 +diff -up openssl-1.0.1g/crypto/evp/p_sign.c.fips openssl-1.0.1g/crypto/evp/p_sign.c +--- openssl-1.0.1g/crypto/evp/p_sign.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/p_sign.c 2014-05-06 16:29:50.542923132 +0200 @@ -61,6 +61,7 @@ #include #include @@ -2136,9 +2111,9 @@ diff -up openssl-1.0.1e/crypto/evp/p_sign.c.fips openssl-1.0.1e/crypto/evp/p_sig if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.1e/crypto/evp/p_verify.c.fips openssl-1.0.1e/crypto/evp/p_verify.c ---- openssl-1.0.1e/crypto/evp/p_verify.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/evp/p_verify.c 2013-10-04 11:48:04.179694114 +0200 +diff -up openssl-1.0.1g/crypto/evp/p_verify.c.fips openssl-1.0.1g/crypto/evp/p_verify.c +--- openssl-1.0.1g/crypto/evp/p_verify.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/evp/p_verify.c 2014-05-06 16:29:50.542923132 +0200 @@ -61,6 +61,7 @@ #include #include @@ -2170,9 +2145,9 @@ diff -up openssl-1.0.1e/crypto/evp/p_verify.c.fips openssl-1.0.1e/crypto/evp/p_v i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips 2013-10-04 11:48:04.179694114 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c 2013-10-04 11:48:04.179694114 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_aesavs.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_aesavs.c.fips 2014-05-06 16:29:50.543923155 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_aesavs.c 2014-05-06 16:29:50.543923155 +0200 @@ -0,0 +1,939 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -3113,9 +3088,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1e/crypt + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips 2013-10-04 11:48:04.179694114 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c 2013-10-04 11:48:04.179694114 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_cmactest.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_cmactest.c.fips 2014-05-06 16:29:50.543923155 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_cmactest.c 2014-05-06 16:29:50.543923155 +0200 @@ -0,0 +1,517 @@ +/* fips_cmactest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3634,9 +3609,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1e/cry + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips 2013-10-04 11:48:04.180694136 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c 2013-10-04 11:48:04.180694136 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_desmovs.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_desmovs.c.fips 2014-05-06 16:29:50.543923155 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_desmovs.c 2014-05-06 16:29:50.543923155 +0200 @@ -0,0 +1,702 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -4340,9 +4315,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1e/cryp + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips 2013-10-04 11:48:04.180694136 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c 2013-10-04 11:48:04.180694136 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_dhvs.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_dhvs.c.fips 2014-05-06 16:29:50.543923155 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_dhvs.c 2014-05-06 16:29:50.543923155 +0200 @@ -0,0 +1,292 @@ +/* fips/dh/fips_dhvs.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4636,9 +4611,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1e/crypto/ + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips 2013-10-04 11:48:04.180694136 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c 2013-10-04 11:48:04.180694136 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_drbgvs.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_drbgvs.c.fips 2014-05-06 16:29:50.544923178 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_drbgvs.c 2014-05-06 16:29:50.544923178 +0200 @@ -0,0 +1,416 @@ +/* fips/rand/fips_drbgvs.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5056,9 +5031,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1e/crypt + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips 2013-10-04 11:48:04.180694136 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c 2013-10-04 11:48:04.180694136 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_dssvs.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_dssvs.c.fips 2014-05-06 16:29:50.544923178 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_dssvs.c 2014-05-06 16:29:50.544923178 +0200 @@ -0,0 +1,537 @@ +#include + @@ -5597,9 +5572,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1e/crypto + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips 2013-10-04 11:48:04.181694158 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c 2013-10-04 11:48:04.181694158 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_gcmtest.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_gcmtest.c.fips 2014-05-06 16:29:50.544923178 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_gcmtest.c 2014-05-06 16:29:50.544923178 +0200 @@ -0,0 +1,571 @@ +/* fips/aes/fips_gcmtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -6172,9 +6147,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1e/cryp +} + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips 2013-10-04 11:48:04.181694158 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c 2013-10-04 11:48:04.181694158 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_rngvs.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_rngvs.c.fips 2014-05-06 16:29:50.544923178 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_rngvs.c 2014-05-06 16:29:50.544923178 +0200 @@ -0,0 +1,230 @@ +/* + * Crude test driver for processing the VST and MCT testvector files @@ -6406,9 +6381,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1e/crypto + return 0; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips 2013-10-04 11:48:04.181694158 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c 2013-10-04 11:48:04.181694158 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_rsagtest.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_rsagtest.c.fips 2014-05-06 16:29:50.545923201 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_rsagtest.c 2014-05-06 16:29:50.545923201 +0200 @@ -0,0 +1,390 @@ +/* fips_rsagtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -6800,9 +6775,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1e/cry + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips 2013-10-04 11:48:04.181694158 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c 2013-10-04 11:48:04.181694158 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_rsastest.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_rsastest.c.fips 2014-05-06 16:29:50.545923201 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_rsastest.c 2014-05-06 16:29:50.545923201 +0200 @@ -0,0 +1,370 @@ +/* fips_rsastest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7174,9 +7149,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1e/cry + return ret; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips 2013-10-04 11:48:04.181694158 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c 2013-10-04 11:48:04.181694158 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_rsavtest.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_rsavtest.c.fips 2014-05-06 16:29:50.545923201 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_rsavtest.c 2014-05-06 16:29:50.545923201 +0200 @@ -0,0 +1,377 @@ +/* fips_rsavtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7555,9 +7530,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1e/cry + return ret; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c ---- openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips 2013-10-04 11:48:04.182694181 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c 2013-10-04 11:48:04.182694181 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1g/crypto/fips/cavs/fips_shatest.c +--- openssl-1.0.1g/crypto/fips/cavs/fips_shatest.c.fips 2014-05-06 16:29:50.545923201 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_shatest.c 2014-05-06 16:29:50.545923201 +0200 @@ -0,0 +1,388 @@ +/* fips_shatest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7947,9 +7922,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1e/cryp + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1e/crypto/fips/cavs/fips_utl.h ---- openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips 2013-10-04 11:48:04.182694181 +0200 -+++ openssl-1.0.1e/crypto/fips/cavs/fips_utl.h 2013-10-04 11:48:04.182694181 +0200 +diff -up openssl-1.0.1g/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1g/crypto/fips/cavs/fips_utl.h +--- openssl-1.0.1g/crypto/fips/cavs/fips_utl.h.fips 2014-05-06 16:29:50.545923201 +0200 ++++ openssl-1.0.1g/crypto/fips/cavs/fips_utl.h 2014-05-06 16:29:50.545923201 +0200 @@ -0,0 +1,343 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -8294,9 +8269,9 @@ diff -up openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1e/crypto/f +#endif + } + -diff -up openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_aes_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips 2013-10-04 11:48:04.182694181 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_aes_selftest.c 2013-10-04 11:48:04.182694181 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_aes_selftest.c.fips 2014-05-06 16:29:50.546923224 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_aes_selftest.c 2014-05-06 16:29:50.546923224 +0200 @@ -0,0 +1,359 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -8657,10 +8632,10 @@ diff -up openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1e/cryp + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/fips.c.fips openssl-1.0.1e/crypto/fips/fips.c ---- openssl-1.0.1e/crypto/fips/fips.c.fips 2013-10-04 11:48:04.182694181 +0200 -+++ openssl-1.0.1e/crypto/fips/fips.c 2013-10-04 11:48:04.182694181 +0200 -@@ -0,0 +1,489 @@ +diff -up openssl-1.0.1g/crypto/fips/fips.c.fips openssl-1.0.1g/crypto/fips/fips.c +--- openssl-1.0.1g/crypto/fips/fips.c.fips 2014-05-06 16:29:50.546923224 +0200 ++++ openssl-1.0.1g/crypto/fips/fips.c 2014-05-06 16:33:24.309865160 +0200 +@@ -0,0 +1,491 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -8990,6 +8965,8 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips openssl-1.0.1e/crypto/fips/fips. + } + free(buf); + free(hex); ++ } else { ++ rv = -1; + } + +end: @@ -9150,9 +9127,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips.c.fips openssl-1.0.1e/crypto/fips/fips. + + +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips 2013-10-04 11:48:04.183694204 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c 2013-10-04 11:48:04.183694204 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_cmac_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_cmac_selftest.c.fips 2014-05-06 16:29:50.546923224 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_cmac_selftest.c 2014-05-06 16:29:50.546923224 +0200 @@ -0,0 +1,161 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9315,9 +9292,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1e/cry + return rv; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_des_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips 2013-10-04 11:48:04.183694204 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_des_selftest.c 2013-10-04 11:48:04.183694204 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_des_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_des_selftest.c.fips 2014-05-06 16:29:50.546923224 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_des_selftest.c 2014-05-06 16:29:50.546923224 +0200 @@ -0,0 +1,147 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9466,9 +9443,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1e/cryp + return ret; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c ---- openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips 2013-10-04 11:48:04.183694204 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c 2013-10-04 11:48:04.183694204 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1g/crypto/fips/fips_drbg_ctr.c +--- openssl-1.0.1g/crypto/fips/fips_drbg_ctr.c.fips 2014-05-06 16:29:50.546923224 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_drbg_ctr.c 2014-05-06 16:29:50.546923224 +0200 @@ -0,0 +1,436 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -9906,9 +9883,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1e/crypto/f + + return 1; + } -diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hash.c ---- openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips 2013-10-04 11:48:04.183694204 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_drbg_hash.c 2013-10-04 11:48:04.183694204 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1g/crypto/fips/fips_drbg_hash.c +--- openssl-1.0.1g/crypto/fips/fips_drbg_hash.c.fips 2014-05-06 16:29:50.547923248 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_drbg_hash.c 2014-05-06 16:29:50.547923248 +0200 @@ -0,0 +1,378 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10288,9 +10265,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1e/crypto/ + + return 1; + } -diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c ---- openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips 2013-10-04 11:48:04.183694204 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c 2013-10-04 11:48:04.183694204 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1g/crypto/fips/fips_drbg_hmac.c +--- openssl-1.0.1g/crypto/fips/fips_drbg_hmac.c.fips 2014-05-06 16:29:50.547923248 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_drbg_hmac.c 2014-05-06 16:29:50.547923248 +0200 @@ -0,0 +1,281 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10573,9 +10550,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1e/crypto/ + + return 1; + } -diff -up openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_lib.c ---- openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips 2013-10-04 11:48:04.184694226 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_drbg_lib.c 2013-10-04 11:48:04.184694226 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1g/crypto/fips/fips_drbg_lib.c +--- openssl-1.0.1g/crypto/fips/fips_drbg_lib.c.fips 2014-05-06 16:29:50.547923248 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_drbg_lib.c 2014-05-06 16:29:50.547923248 +0200 @@ -0,0 +1,578 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -11155,9 +11132,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1e/crypto/f + memcpy(dctx->lb, out, dctx->blocklength); + return 1; + } -diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips 2013-10-04 11:48:04.184694226 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_drbg_rand.c 2013-10-04 11:48:04.184694226 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1g/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.1g/crypto/fips/fips_drbg_rand.c.fips 2014-05-06 16:29:50.547923248 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_drbg_rand.c 2014-05-06 16:29:50.547923248 +0200 @@ -0,0 +1,172 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -11331,9 +11308,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1e/crypto/ + return &rand_drbg_meth; + } + -diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips 2013-10-04 11:48:04.184694226 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c 2013-10-04 11:48:04.184694226 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_drbg_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_drbg_selftest.c.fips 2014-05-06 16:29:50.548923271 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_drbg_selftest.c 2014-05-06 16:29:50.548923271 +0200 @@ -0,0 +1,862 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -12197,9 +12174,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1e/cry + return rv; + } + -diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h ---- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips 2013-10-04 11:48:04.185694249 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h 2013-10-04 11:48:04.185694249 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1g/crypto/fips/fips_drbg_selftest.h +--- openssl-1.0.1g/crypto/fips/fips_drbg_selftest.h.fips 2014-05-06 16:29:50.548923271 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_drbg_selftest.h 2014-05-06 16:29:50.548923271 +0200 @@ -0,0 +1,2335 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -14536,9 +14513,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1e/cry + 0xc2,0xd6,0xfd,0xa5 + }; + -diff -up openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips 2013-10-04 11:48:04.185694249 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c 2013-10-04 11:48:04.185694249 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_dsa_selftest.c.fips 2014-05-06 16:29:50.549923294 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_dsa_selftest.c 2014-05-06 16:29:50.548923271 +0200 @@ -0,0 +1,193 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -14733,9 +14710,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1e/cryp + return ret; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_enc.c.fips openssl-1.0.1e/crypto/fips/fips_enc.c ---- openssl-1.0.1e/crypto/fips/fips_enc.c.fips 2013-10-04 11:48:04.185694249 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_enc.c 2013-10-04 11:48:04.185694249 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_enc.c.fips openssl-1.0.1g/crypto/fips/fips_enc.c +--- openssl-1.0.1g/crypto/fips/fips_enc.c.fips 2014-05-06 16:29:50.549923294 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_enc.c 2014-05-06 16:29:50.549923294 +0200 @@ -0,0 +1,191 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -14928,9 +14905,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_enc.c.fips openssl-1.0.1e/crypto/fips/f + } + } + -diff -up openssl-1.0.1e/crypto/fips/fips.h.fips openssl-1.0.1e/crypto/fips/fips.h ---- openssl-1.0.1e/crypto/fips/fips.h.fips 2013-10-04 11:48:04.186694271 +0200 -+++ openssl-1.0.1e/crypto/fips/fips.h 2013-10-04 11:48:04.186694271 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips.h.fips openssl-1.0.1g/crypto/fips/fips.h +--- openssl-1.0.1g/crypto/fips/fips.h.fips 2014-05-06 16:29:50.549923294 +0200 ++++ openssl-1.0.1g/crypto/fips/fips.h 2014-05-06 16:29:50.549923294 +0200 @@ -0,0 +1,279 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -15211,9 +15188,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips.h.fips openssl-1.0.1e/crypto/fips/fips. +} +#endif +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips 2013-10-04 11:48:04.186694271 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c 2013-10-04 11:48:04.186694271 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_hmac_selftest.c.fips 2014-05-06 16:29:50.549923294 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_hmac_selftest.c 2014-05-06 16:29:50.549923294 +0200 @@ -0,0 +1,137 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -15352,9 +15329,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1e/cry + return 1; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_locl.h.fips openssl-1.0.1e/crypto/fips/fips_locl.h ---- openssl-1.0.1e/crypto/fips/fips_locl.h.fips 2013-10-04 11:48:04.186694271 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_locl.h 2013-10-04 11:48:04.186694271 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_locl.h.fips openssl-1.0.1g/crypto/fips/fips_locl.h +--- openssl-1.0.1g/crypto/fips/fips_locl.h.fips 2014-05-06 16:29:50.549923294 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_locl.h 2014-05-06 16:29:50.549923294 +0200 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -15427,9 +15404,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_locl.h.fips openssl-1.0.1e/crypto/fips/ +} +#endif +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_md.c.fips openssl-1.0.1e/crypto/fips/fips_md.c ---- openssl-1.0.1e/crypto/fips/fips_md.c.fips 2013-10-04 11:48:04.186694271 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_md.c 2013-10-04 11:48:04.186694271 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_md.c.fips openssl-1.0.1g/crypto/fips/fips_md.c +--- openssl-1.0.1g/crypto/fips/fips_md.c.fips 2014-05-06 16:29:50.549923294 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_md.c 2014-05-06 16:29:50.549923294 +0200 @@ -0,0 +1,145 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -15576,9 +15553,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_md.c.fips openssl-1.0.1e/crypto/fips/fi + return NULL; + } + } -diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips openssl-1.0.1e/crypto/fips/fips_post.c ---- openssl-1.0.1e/crypto/fips/fips_post.c.fips 2013-10-04 11:48:04.186694271 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-10-04 11:48:04.186694271 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_post.c.fips openssl-1.0.1g/crypto/fips/fips_post.c +--- openssl-1.0.1g/crypto/fips/fips_post.c.fips 2014-05-06 16:29:50.549923294 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_post.c 2014-05-06 16:29:50.549923294 +0200 @@ -0,0 +1,205 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -15785,9 +15762,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips openssl-1.0.1e/crypto/fips/ + return 1; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_rand.c.fips openssl-1.0.1e/crypto/fips/fips_rand.c ---- openssl-1.0.1e/crypto/fips/fips_rand.c.fips 2013-10-04 11:48:04.187694294 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_rand.c 2013-10-04 11:48:04.187694294 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_rand.c.fips openssl-1.0.1g/crypto/fips/fips_rand.c +--- openssl-1.0.1g/crypto/fips/fips_rand.c.fips 2014-05-06 16:29:50.550923317 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_rand.c 2014-05-06 16:29:50.550923317 +0200 @@ -0,0 +1,457 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -16246,9 +16223,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_rand.c.fips openssl-1.0.1e/crypto/fips/ +} + +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_rand.h.fips openssl-1.0.1e/crypto/fips/fips_rand.h ---- openssl-1.0.1e/crypto/fips/fips_rand.h.fips 2013-10-04 11:48:04.187694294 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_rand.h 2013-10-04 11:48:04.187694294 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_rand.h.fips openssl-1.0.1g/crypto/fips/fips_rand.h +--- openssl-1.0.1g/crypto/fips/fips_rand.h.fips 2014-05-06 16:29:50.550923317 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_rand.h 2014-05-06 16:29:50.550923317 +0200 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -16395,9 +16372,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_rand.h.fips openssl-1.0.1e/crypto/fips/ +#endif +#endif +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1e/crypto/fips/fips_rand_lcl.h ---- openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips 2013-10-04 11:48:04.187694294 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_rand_lcl.h 2013-10-04 11:48:04.187694294 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1g/crypto/fips/fips_rand_lcl.h +--- openssl-1.0.1g/crypto/fips/fips_rand_lcl.h.fips 2014-05-06 16:29:50.550923317 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_rand_lcl.h 2014-05-06 16:29:50.550923317 +0200 @@ -0,0 +1,219 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -16618,9 +16595,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1e/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1e/crypto/fips/fips_rand_lib.c ---- openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips 2013-10-04 11:48:04.187694294 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_rand_lib.c 2013-10-04 11:48:04.187694294 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1g/crypto/fips/fips_rand_lib.c +--- openssl-1.0.1g/crypto/fips/fips_rand_lib.c.fips 2014-05-06 16:29:50.550923317 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_rand_lib.c 2014-05-06 16:29:50.550923317 +0200 @@ -0,0 +1,191 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -16813,9 +16790,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1e/crypto/f + } + return 0; + } -diff -up openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rand_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips 2013-10-04 11:48:04.187694294 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_rand_selftest.c 2013-10-04 11:48:04.187694294 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_rand_selftest.c.fips 2014-05-06 16:29:50.550923317 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_rand_selftest.c 2014-05-06 16:29:50.550923317 +0200 @@ -0,0 +1,183 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -17000,9 +16977,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1e/cry + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_randtest.c.fips openssl-1.0.1e/crypto/fips/fips_randtest.c ---- openssl-1.0.1e/crypto/fips/fips_randtest.c.fips 2013-10-04 11:48:04.188694316 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_randtest.c 2013-10-04 11:48:04.187694294 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_randtest.c.fips openssl-1.0.1g/crypto/fips/fips_randtest.c +--- openssl-1.0.1g/crypto/fips/fips_randtest.c.fips 2014-05-06 16:29:50.551923340 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_randtest.c 2014-05-06 16:29:50.551923340 +0200 @@ -0,0 +1,250 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -17254,9 +17231,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_randtest.c.fips openssl-1.0.1e/crypto/f + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips 2013-10-04 11:48:04.188694316 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c 2013-10-04 11:48:04.188694316 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips 2014-05-06 16:29:50.551923340 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c 2014-05-06 16:29:50.551923340 +0200 @@ -0,0 +1,444 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -17702,9 +17679,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1e/cryp + } + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c ---- openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips 2013-10-04 11:48:04.188694316 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c 2013-10-04 11:48:04.188694316 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c.fips 2014-05-06 16:29:50.551923340 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c 2014-05-06 16:29:50.551923340 +0200 @@ -0,0 +1,282 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -17988,9 +17965,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1e/crypto/ + return 0; + + } -diff -up openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_sha_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips 2013-10-04 11:48:04.188694316 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_sha_selftest.c 2013-10-04 11:48:04.188694316 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1g/crypto/fips/fips_sha_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_sha_selftest.c.fips 2014-05-06 16:29:50.551923340 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_sha_selftest.c 2014-05-06 16:29:50.551923340 +0200 @@ -0,0 +1,140 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -18132,9 +18109,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1e/cryp + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c ---- openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips 2013-10-04 11:48:04.188694316 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c 2013-10-04 11:48:04.188694316 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1g/crypto/fips/fips_standalone_hmac.c +--- openssl-1.0.1g/crypto/fips/fips_standalone_hmac.c.fips 2014-05-06 16:29:50.551923340 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_standalone_hmac.c 2014-05-06 16:29:50.551923340 +0200 @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -18316,9 +18293,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1e/c + } + + -diff -up openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips openssl-1.0.1e/crypto/fips/fips_test_suite.c ---- openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips 2013-10-04 11:48:04.189694339 +0200 -+++ openssl-1.0.1e/crypto/fips/fips_test_suite.c 2013-10-04 11:48:04.189694339 +0200 +diff -up openssl-1.0.1g/crypto/fips/fips_test_suite.c.fips openssl-1.0.1g/crypto/fips/fips_test_suite.c +--- openssl-1.0.1g/crypto/fips/fips_test_suite.c.fips 2014-05-06 16:29:50.552923363 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_test_suite.c 2014-05-06 16:29:50.552923363 +0200 @@ -0,0 +1,588 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -18908,9 +18885,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips openssl-1.0.1e/crypto + } + +#endif -diff -up openssl-1.0.1e/crypto/fips/Makefile.fips openssl-1.0.1e/crypto/fips/Makefile ---- openssl-1.0.1e/crypto/fips/Makefile.fips 2013-10-04 11:48:04.189694339 +0200 -+++ openssl-1.0.1e/crypto/fips/Makefile 2013-10-04 11:48:04.189694339 +0200 +diff -up openssl-1.0.1g/crypto/fips/Makefile.fips openssl-1.0.1g/crypto/fips/Makefile +--- openssl-1.0.1g/crypto/fips/Makefile.fips 2014-05-06 16:29:50.552923363 +0200 ++++ openssl-1.0.1g/crypto/fips/Makefile 2014-05-06 16:29:50.552923363 +0200 @@ -0,0 +1,340 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -19252,9 +19229,9 @@ diff -up openssl-1.0.1e/crypto/fips/Makefile.fips openssl-1.0.1e/crypto/fips/Mak +fips_sha_selftest.o: ../../include/openssl/safestack.h +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c -diff -up openssl-1.0.1e/crypto/hmac/hmac.c.fips openssl-1.0.1e/crypto/hmac/hmac.c ---- openssl-1.0.1e/crypto/hmac/hmac.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/hmac/hmac.c 2013-10-04 11:48:04.189694339 +0200 +diff -up openssl-1.0.1g/crypto/hmac/hmac.c.fips openssl-1.0.1g/crypto/hmac/hmac.c +--- openssl-1.0.1g/crypto/hmac/hmac.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/hmac/hmac.c 2014-05-06 16:29:50.552923363 +0200 @@ -81,11 +81,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; @@ -19317,9 +19294,9 @@ diff -up openssl-1.0.1e/crypto/hmac/hmac.c.fips openssl-1.0.1e/crypto/hmac/hmac. EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); -diff -up openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1e/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/mdc2/mdc2dgst.c 2013-10-04 11:48:04.189694339 +0200 +diff -up openssl-1.0.1g/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1g/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.1g/crypto/mdc2/mdc2dgst.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/mdc2/mdc2dgst.c 2014-05-06 16:29:50.552923363 +0200 @@ -76,7 +76,7 @@ *((c)++)=(unsigned char)(((l)>>24L)&0xff)) @@ -19329,9 +19306,9 @@ diff -up openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1e/crypto/mdc2/m { c->num=0; c->pad_type=1; -diff -up openssl-1.0.1e/crypto/md2/md2_dgst.c.fips openssl-1.0.1e/crypto/md2/md2_dgst.c ---- openssl-1.0.1e/crypto/md2/md2_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/md2/md2_dgst.c 2013-10-04 11:48:04.189694339 +0200 +diff -up openssl-1.0.1g/crypto/md2/md2_dgst.c.fips openssl-1.0.1g/crypto/md2/md2_dgst.c +--- openssl-1.0.1g/crypto/md2/md2_dgst.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/md2/md2_dgst.c 2014-05-06 16:29:50.552923363 +0200 @@ -62,6 +62,11 @@ #include #include @@ -19353,9 +19330,9 @@ diff -up openssl-1.0.1e/crypto/md2/md2_dgst.c.fips openssl-1.0.1e/crypto/md2/md2 { c->num=0; memset(c->state,0,sizeof c->state); -diff -up openssl-1.0.1e/crypto/md4/md4_dgst.c.fips openssl-1.0.1e/crypto/md4/md4_dgst.c ---- openssl-1.0.1e/crypto/md4/md4_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/md4/md4_dgst.c 2013-10-04 11:48:04.190694362 +0200 +diff -up openssl-1.0.1g/crypto/md4/md4_dgst.c.fips openssl-1.0.1g/crypto/md4/md4_dgst.c +--- openssl-1.0.1g/crypto/md4/md4_dgst.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/md4/md4_dgst.c 2014-05-06 16:29:50.552923363 +0200 @@ -71,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_V #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -19365,9 +19342,9 @@ diff -up openssl-1.0.1e/crypto/md4/md4_dgst.c.fips openssl-1.0.1e/crypto/md4/md4 { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.fips openssl-1.0.1e/crypto/md5/md5_dgst.c ---- openssl-1.0.1e/crypto/md5/md5_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-10-04 11:48:04.190694362 +0200 +diff -up openssl-1.0.1g/crypto/md5/md5_dgst.c.fips openssl-1.0.1g/crypto/md5/md5_dgst.c +--- openssl-1.0.1g/crypto/md5/md5_dgst.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/md5/md5_dgst.c 2014-05-06 16:29:50.553923386 +0200 @@ -71,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_V #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -19377,9 +19354,9 @@ diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.fips openssl-1.0.1e/crypto/md5/md5 { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.1e/crypto/o_fips.c.fips openssl-1.0.1e/crypto/o_fips.c ---- openssl-1.0.1e/crypto/o_fips.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/o_fips.c 2013-10-04 11:48:04.190694362 +0200 +diff -up openssl-1.0.1g/crypto/o_fips.c.fips openssl-1.0.1g/crypto/o_fips.c +--- openssl-1.0.1g/crypto/o_fips.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/o_fips.c 2014-05-06 16:29:50.553923386 +0200 @@ -79,6 +79,8 @@ int FIPS_mode_set(int r) #ifndef FIPS_AUTH_USER_PASS #define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" @@ -19389,9 +19366,9 @@ diff -up openssl-1.0.1e/crypto/o_fips.c.fips openssl-1.0.1e/crypto/o_fips.c if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) -diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c ---- openssl-1.0.1e/crypto/o_init.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/o_init.c 2013-10-04 11:48:04.190694362 +0200 +diff -up openssl-1.0.1g/crypto/o_init.c.fips openssl-1.0.1g/crypto/o_init.c +--- openssl-1.0.1g/crypto/o_init.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/o_init.c 2014-05-06 16:29:50.553923386 +0200 @@ -55,28 +55,68 @@ #include #include @@ -19465,9 +19442,9 @@ diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c + { + OPENSSL_init_library(); + } -diff -up openssl-1.0.1e/crypto/opensslconf.h.in.fips openssl-1.0.1e/crypto/opensslconf.h.in ---- openssl-1.0.1e/crypto/opensslconf.h.in.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/opensslconf.h.in 2013-10-04 11:48:04.190694362 +0200 +diff -up openssl-1.0.1g/crypto/opensslconf.h.in.fips openssl-1.0.1g/crypto/opensslconf.h.in +--- openssl-1.0.1g/crypto/opensslconf.h.in.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/opensslconf.h.in 2014-05-06 16:29:50.553923386 +0200 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -19489,39 +19466,10 @@ diff -up openssl-1.0.1e/crypto/opensslconf.h.in.fips openssl-1.0.1e/crypto/opens /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1e/crypto/pkcs12/p12_crt.c ---- openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/pkcs12/p12_crt.c 2013-10-04 11:48:04.190694362 +0200 -@@ -59,6 +59,10 @@ - #include - #include "cryptlib.h" - #include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ - - - static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); -@@ -90,7 +94,14 @@ PKCS12 *PKCS12_create(char *pass, char * - - /* Set defaults */ - if (!nid_cert) -+ { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) -+ nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; -+ else -+#endif - nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; -+ } - if (!nid_key) - nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - if (!iter) -diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips openssl-1.0.1e/crypto/rand/md_rand.c ---- openssl-1.0.1e/crypto/rand/md_rand.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rand/md_rand.c 2013-10-04 11:48:04.190694362 +0200 -@@ -389,7 +389,10 @@ static int ssleay_rand_bytes(unsigned ch +diff -up openssl-1.0.1g/crypto/rand/md_rand.c.fips openssl-1.0.1g/crypto/rand/md_rand.c +--- openssl-1.0.1g/crypto/rand/md_rand.c.fips 2014-04-07 18:54:21.000000000 +0200 ++++ openssl-1.0.1g/crypto/rand/md_rand.c 2014-05-06 16:29:50.553923386 +0200 +@@ -395,7 +395,10 @@ static int ssleay_rand_bytes(unsigned ch CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; @@ -19533,10 +19481,10 @@ diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips openssl-1.0.1e/crypto/rand/md { RAND_poll(); initialized = 1; -diff -up openssl-1.0.1e/crypto/rand/rand.h.fips openssl-1.0.1e/crypto/rand/rand.h ---- openssl-1.0.1e/crypto/rand/rand.h.fips 2013-10-04 11:48:03.945688829 +0200 -+++ openssl-1.0.1e/crypto/rand/rand.h 2013-10-04 11:48:04.190694362 +0200 -@@ -133,15 +133,33 @@ void ERR_load_RAND_strings(void); +diff -up openssl-1.0.1g/crypto/rand/rand.h.fips openssl-1.0.1g/crypto/rand/rand.h +--- openssl-1.0.1g/crypto/rand/rand.h.fips 2014-05-06 16:29:50.303917606 +0200 ++++ openssl-1.0.1g/crypto/rand/rand.h 2014-05-06 16:29:50.553923386 +0200 +@@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ /* Function codes. */ @@ -19554,9 +19502,11 @@ diff -up openssl-1.0.1e/crypto/rand/rand.h.fips openssl-1.0.1e/crypto/rand/rand. #define RAND_F_SSLEAY_RAND_BYTES 100 /* Reason codes. */ +-#define RAND_R_DUAL_EC_DRBG_DISABLED 104 -#define RAND_R_ERROR_INITIALISING_DRBG 102 -#define RAND_R_ERROR_INSTANTIATING_DRBG 103 -#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101 ++#define RAND_R_DUAL_EC_DRBG_DISABLED 114 +#define RAND_R_ERROR_INITIALISING_DRBG 112 +#define RAND_R_ERROR_INSTANTIATING_DRBG 113 +#define RAND_R_NON_FIPS_METHOD 105 @@ -19574,9 +19524,9 @@ diff -up openssl-1.0.1e/crypto/rand/rand.h.fips openssl-1.0.1e/crypto/rand/rand. #ifdef __cplusplus } -diff -up openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1e/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/ripemd/rmd_dgst.c 2013-10-04 11:48:04.191694385 +0200 +diff -up openssl-1.0.1g/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1g/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.1g/crypto/ripemd/rmd_dgst.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/ripemd/rmd_dgst.c 2014-05-06 16:29:50.553923386 +0200 @@ -70,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160" void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num); # endif @@ -19586,9 +19536,9 @@ diff -up openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1e/crypto/ripe { memset (c,0,sizeof(*c)); c->A=RIPEMD160_A; -diff -up openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1e/crypto/rsa/rsa_crpt.c ---- openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rsa/rsa_crpt.c 2013-10-04 11:48:04.191694385 +0200 +diff -up openssl-1.0.1g/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1g/crypto/rsa/rsa_crpt.c +--- openssl-1.0.1g/crypto/rsa/rsa_crpt.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/rsa/rsa_crpt.c 2014-05-06 16:29:50.554923409 +0200 @@ -90,10 +90,9 @@ int RSA_private_encrypt(int flen, const RSA *rsa, int padding) { @@ -19615,9 +19565,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1e/crypto/rsa/rsa return -1; } #endif -diff -up openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips openssl-1.0.1e/crypto/rsa/rsa_eay.c ---- openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rsa/rsa_eay.c 2013-10-04 11:48:04.191694385 +0200 +diff -up openssl-1.0.1g/crypto/rsa/rsa_eay.c.fips openssl-1.0.1g/crypto/rsa/rsa_eay.c +--- openssl-1.0.1g/crypto/rsa/rsa_eay.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/rsa/rsa_eay.c 2014-05-06 16:29:50.554923409 +0200 @@ -114,6 +114,10 @@ #include #include @@ -19748,9 +19698,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips openssl-1.0.1e/crypto/rsa/rsa_ rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; return(1); } -diff -up openssl-1.0.1e/crypto/rsa/rsa_err.c.fips openssl-1.0.1e/crypto/rsa/rsa_err.c ---- openssl-1.0.1e/crypto/rsa/rsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rsa/rsa_err.c 2013-10-04 11:48:04.191694385 +0200 +diff -up openssl-1.0.1g/crypto/rsa/rsa_err.c.fips openssl-1.0.1g/crypto/rsa/rsa_err.c +--- openssl-1.0.1g/crypto/rsa/rsa_err.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/rsa/rsa_err.c 2014-05-06 16:29:50.554923409 +0200 @@ -121,6 +121,8 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, @@ -19760,9 +19710,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa_err.c.fips openssl-1.0.1e/crypto/rsa/rsa_ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, -diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips openssl-1.0.1e/crypto/rsa/rsa_gen.c ---- openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2013-10-04 11:48:04.191694385 +0200 +diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips openssl-1.0.1g/crypto/rsa/rsa_gen.c +--- openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/rsa/rsa_gen.c 2014-05-06 16:29:50.554923409 +0200 @@ -69,6 +69,78 @@ #include #ifdef OPENSSL_FIPS @@ -19904,9 +19854,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips openssl-1.0.1e/crypto/rsa/rsa_ ok=1; err: if (ok == -1) -diff -up openssl-1.0.1e/crypto/rsa/rsa.h.fips openssl-1.0.1e/crypto/rsa/rsa.h ---- openssl-1.0.1e/crypto/rsa/rsa.h.fips 2013-10-04 11:48:04.075691765 +0200 -+++ openssl-1.0.1e/crypto/rsa/rsa.h 2013-10-04 11:48:04.192694407 +0200 +diff -up openssl-1.0.1g/crypto/rsa/rsa.h.fips openssl-1.0.1g/crypto/rsa/rsa.h +--- openssl-1.0.1g/crypto/rsa/rsa.h.fips 2014-05-06 16:29:50.436920681 +0200 ++++ openssl-1.0.1g/crypto/rsa/rsa.h 2014-05-06 16:29:50.554923409 +0200 @@ -164,6 +164,8 @@ struct rsa_st # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 #endif @@ -19991,9 +19941,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa.h.fips openssl-1.0.1e/crypto/rsa/rsa.h #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 #define RSA_R_PADDING_CHECK_FAILED 114 #define RSA_R_P_NOT_PRIME 128 -diff -up openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips openssl-1.0.1e/crypto/rsa/rsa_lib.c ---- openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rsa/rsa_lib.c 2013-10-04 11:48:04.192694407 +0200 +diff -up openssl-1.0.1g/crypto/rsa/rsa_lib.c.fips openssl-1.0.1g/crypto/rsa/rsa_lib.c +--- openssl-1.0.1g/crypto/rsa/rsa_lib.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/rsa/rsa_lib.c 2014-05-06 16:29:50.554923409 +0200 @@ -84,6 +84,13 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -20069,9 +20019,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips openssl-1.0.1e/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1e/crypto/rsa/rsa_pmeth.c ---- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-10-04 11:48:04.192694407 +0200 +diff -up openssl-1.0.1g/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1g/crypto/rsa/rsa_pmeth.c +--- openssl-1.0.1g/crypto/rsa/rsa_pmeth.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/rsa/rsa_pmeth.c 2014-05-06 16:29:50.555923432 +0200 @@ -206,22 +206,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c RSA_R_INVALID_DIGEST_LENGTH); return -1; @@ -20115,9 +20065,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1e/crypto/rsa/rs if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); -diff -up openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips openssl-1.0.1e/crypto/rsa/rsa_sign.c ---- openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rsa/rsa_sign.c 2013-10-04 11:48:04.192694407 +0200 +diff -up openssl-1.0.1g/crypto/rsa/rsa_sign.c.fips openssl-1.0.1g/crypto/rsa/rsa_sign.c +--- openssl-1.0.1g/crypto/rsa/rsa_sign.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/rsa/rsa_sign.c 2014-05-06 16:29:50.555923432 +0200 @@ -138,7 +138,8 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig,&p); s=tmps; @@ -20149,9 +20099,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips openssl-1.0.1e/crypto/rsa/rsa if (i <= 0) goto err; /* Oddball MDC2 case: signature can be OCTET STRING. -diff -up openssl-1.0.1e/crypto/sha/sha.h.fips openssl-1.0.1e/crypto/sha/sha.h ---- openssl-1.0.1e/crypto/sha/sha.h.fips 2013-10-04 11:48:03.867687068 +0200 -+++ openssl-1.0.1e/crypto/sha/sha.h 2013-10-04 11:48:04.192694407 +0200 +diff -up openssl-1.0.1g/crypto/sha/sha.h.fips openssl-1.0.1g/crypto/sha/sha.h +--- openssl-1.0.1g/crypto/sha/sha.h.fips 2014-05-06 16:29:50.224915780 +0200 ++++ openssl-1.0.1g/crypto/sha/sha.h 2014-05-06 16:29:50.555923432 +0200 @@ -116,9 +116,6 @@ unsigned char *SHA(const unsigned char * void SHA_Transform(SHA_CTX *c, const unsigned char *data); #endif @@ -20184,9 +20134,9 @@ diff -up openssl-1.0.1e/crypto/sha/sha.h.fips openssl-1.0.1e/crypto/sha/sha.h int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); -diff -up openssl-1.0.1e/crypto/sha/sha_locl.h.fips openssl-1.0.1e/crypto/sha/sha_locl.h ---- openssl-1.0.1e/crypto/sha/sha_locl.h.fips 2013-10-04 11:48:03.870687135 +0200 -+++ openssl-1.0.1e/crypto/sha/sha_locl.h 2013-10-04 11:48:04.192694407 +0200 +diff -up openssl-1.0.1g/crypto/sha/sha_locl.h.fips openssl-1.0.1g/crypto/sha/sha_locl.h +--- openssl-1.0.1g/crypto/sha/sha_locl.h.fips 2014-05-06 16:29:50.226915826 +0200 ++++ openssl-1.0.1g/crypto/sha/sha_locl.h 2014-05-06 16:29:50.555923432 +0200 @@ -123,11 +123,14 @@ void sha1_block_data_order (SHA_CTX *c, #define INIT_DATA_h4 0xc3d2e1f0UL @@ -20203,9 +20153,9 @@ diff -up openssl-1.0.1e/crypto/sha/sha_locl.h.fips openssl-1.0.1e/crypto/sha/sha memset (c,0,sizeof(*c)); c->h0=INIT_DATA_h0; c->h1=INIT_DATA_h1; -diff -up openssl-1.0.1e/crypto/sha/sha256.c.fips openssl-1.0.1e/crypto/sha/sha256.c ---- openssl-1.0.1e/crypto/sha/sha256.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/sha/sha256.c 2013-10-04 11:48:04.193694429 +0200 +diff -up openssl-1.0.1g/crypto/sha/sha256.c.fips openssl-1.0.1g/crypto/sha/sha256.c +--- openssl-1.0.1g/crypto/sha/sha256.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/sha/sha256.c 2014-05-06 16:29:50.555923432 +0200 @@ -12,12 +12,19 @@ #include @@ -20236,9 +20186,9 @@ diff -up openssl-1.0.1e/crypto/sha/sha256.c.fips openssl-1.0.1e/crypto/sha/sha25 memset (c,0,sizeof(*c)); c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL; c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; -diff -up openssl-1.0.1e/crypto/sha/sha512.c.fips openssl-1.0.1e/crypto/sha/sha512.c ---- openssl-1.0.1e/crypto/sha/sha512.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/sha/sha512.c 2013-10-04 11:48:04.193694429 +0200 +diff -up openssl-1.0.1g/crypto/sha/sha512.c.fips openssl-1.0.1g/crypto/sha/sha512.c +--- openssl-1.0.1g/crypto/sha/sha512.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/sha/sha512.c 2014-05-06 16:29:50.555923432 +0200 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -20270,9 +20220,9 @@ diff -up openssl-1.0.1e/crypto/sha/sha512.c.fips openssl-1.0.1e/crypto/sha/sha51 c->h[0]=U64(0x6a09e667f3bcc908); c->h[1]=U64(0xbb67ae8584caa73b); c->h[2]=U64(0x3c6ef372fe94f82b); -diff -up openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1e/crypto/whrlpool/wp_dgst.c ---- openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/whrlpool/wp_dgst.c 2013-10-04 11:48:04.193694429 +0200 +diff -up openssl-1.0.1g/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1g/crypto/whrlpool/wp_dgst.c +--- openssl-1.0.1g/crypto/whrlpool/wp_dgst.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/whrlpool/wp_dgst.c 2014-05-06 16:29:50.555923432 +0200 @@ -55,7 +55,7 @@ #include #include @@ -20282,9 +20232,9 @@ diff -up openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1e/crypto/whr { memset (c,0,sizeof(*c)); return(1); -diff -up openssl-1.0.1e/Makefile.org.fips openssl-1.0.1e/Makefile.org ---- openssl-1.0.1e/Makefile.org.fips 2013-10-04 11:48:04.157693616 +0200 -+++ openssl-1.0.1e/Makefile.org 2013-10-04 11:48:04.193694429 +0200 +diff -up openssl-1.0.1g/Makefile.org.fips openssl-1.0.1g/Makefile.org +--- openssl-1.0.1g/Makefile.org.fips 2014-05-06 16:29:50.519922600 +0200 ++++ openssl-1.0.1g/Makefile.org 2014-05-06 16:29:50.556923456 +0200 @@ -136,6 +136,9 @@ FIPSCANLIB= BASEADDR= @@ -20312,10 +20262,10 @@ diff -up openssl-1.0.1e/Makefile.org.fips openssl-1.0.1e/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.1e/ssl/d1_srvr.c.fips openssl-1.0.1e/ssl/d1_srvr.c ---- openssl-1.0.1e/ssl/d1_srvr.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/d1_srvr.c 2013-10-04 11:48:04.193694429 +0200 -@@ -1372,6 +1372,8 @@ int dtls1_send_server_key_exchange(SSL * +diff -up openssl-1.0.1g/ssl/d1_srvr.c.fips openssl-1.0.1g/ssl/d1_srvr.c +--- openssl-1.0.1g/ssl/d1_srvr.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/ssl/d1_srvr.c 2014-05-06 16:29:50.556923456 +0200 +@@ -1383,6 +1383,8 @@ int dtls1_send_server_key_exchange(SSL * j=0; for (num=2; num > 0; num--) { @@ -20324,9 +20274,9 @@ diff -up openssl-1.0.1e/ssl/d1_srvr.c.fips openssl-1.0.1e/ssl/d1_srvr.c EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); -diff -up openssl-1.0.1e/ssl/ssl_algs.c.fips openssl-1.0.1e/ssl/ssl_algs.c ---- openssl-1.0.1e/ssl/ssl_algs.c.fips 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/ssl_algs.c 2013-10-04 11:48:04.193694429 +0200 +diff -up openssl-1.0.1g/ssl/ssl_algs.c.fips openssl-1.0.1g/ssl/ssl_algs.c +--- openssl-1.0.1g/ssl/ssl_algs.c.fips 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/ssl/ssl_algs.c 2014-05-06 16:29:50.556923456 +0200 @@ -64,6 +64,12 @@ int SSL_library_init(void) { diff --git a/openssl-1.0.1e-new-fips-reqs.patch b/openssl-1.0.1g-new-fips-reqs.patch similarity index 91% rename from openssl-1.0.1e-new-fips-reqs.patch rename to openssl-1.0.1g-new-fips-reqs.patch index 4afdde1..9f2fe9b 100644 --- a/openssl-1.0.1e-new-fips-reqs.patch +++ b/openssl-1.0.1g-new-fips-reqs.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1e/crypto/bn/bn_rand.c ---- openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs 2013-02-11 16:02:47.000000000 +0100 -+++ openssl-1.0.1e/crypto/bn/bn_rand.c 2014-02-13 16:50:34.280893285 +0100 +diff -up openssl-1.0.1g/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1g/crypto/bn/bn_rand.c +--- openssl-1.0.1g/crypto/bn/bn_rand.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/bn/bn_rand.c 2014-05-06 16:22:21.432540283 +0200 @@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM goto err; } @@ -17,9 +17,9 @@ diff -up openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1e/crypto/bn/b if (pseudorand) { -diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1e/crypto/dh/dh_gen.c ---- openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs 2013-12-18 12:17:09.748636614 +0100 -+++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-12-18 12:17:09.798637687 +0100 +diff -up openssl-1.0.1g/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1g/crypto/dh/dh_gen.c +--- openssl-1.0.1g/crypto/dh/dh_gen.c.fips-reqs 2014-05-06 16:22:21.253536145 +0200 ++++ openssl-1.0.1g/crypto/dh/dh_gen.c 2014-05-06 16:22:21.432540283 +0200 @@ -125,7 +125,7 @@ static int dh_builtin_genparams(DH *ret, return 0; } @@ -29,9 +29,9 @@ diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1e/crypto/dh/dh { DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); goto err; -diff -up openssl-1.0.1e/crypto/dh/dh.h.fips-reqs openssl-1.0.1e/crypto/dh/dh.h ---- openssl-1.0.1e/crypto/dh/dh.h.fips-reqs 2013-12-18 12:17:09.748636614 +0100 -+++ openssl-1.0.1e/crypto/dh/dh.h 2013-12-18 12:17:09.798637687 +0100 +diff -up openssl-1.0.1g/crypto/dh/dh.h.fips-reqs openssl-1.0.1g/crypto/dh/dh.h +--- openssl-1.0.1g/crypto/dh/dh.h.fips-reqs 2014-05-06 16:22:21.253536145 +0200 ++++ openssl-1.0.1g/crypto/dh/dh.h 2014-05-06 16:22:21.432540283 +0200 @@ -78,6 +78,7 @@ #endif @@ -40,9 +40,9 @@ diff -up openssl-1.0.1e/crypto/dh/dh.h.fips-reqs openssl-1.0.1e/crypto/dh/dh.h #define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH -diff -up openssl-1.0.1e/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1e/crypto/dh/dh_check.c ---- openssl-1.0.1e/crypto/dh/dh_check.c.fips-reqs 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/dh/dh_check.c 2013-12-18 12:17:09.799637708 +0100 +diff -up openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1g/crypto/dh/dh_check.c +--- openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/dh/dh_check.c 2014-05-06 16:22:21.432540283 +0200 @@ -134,7 +134,33 @@ int DH_check_pub_key(const DH *dh, const BN_sub_word(q,1); if (BN_cmp(pub_key,q)>=0) @@ -77,9 +77,9 @@ diff -up openssl-1.0.1e/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1e/crypto/dh/ ok = 1; err: if (q != NULL) BN_free(q); -diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1e/crypto/dsa/dsa_gen.c ---- openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips-reqs 2013-12-18 12:17:09.749636636 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa_gen.c 2013-12-18 12:17:09.799637708 +0100 +diff -up openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1g/crypto/dsa/dsa_gen.c +--- openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs 2014-05-06 16:22:21.254536168 +0200 ++++ openssl-1.0.1g/crypto/dsa/dsa_gen.c 2014-05-06 16:22:21.432540283 +0200 @@ -159,7 +159,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ } @@ -88,9 +88,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1e/crypto/dsa (bits != 2048 || qbits != 224) && (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) -diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1e/crypto/dsa/dsa.h ---- openssl-1.0.1e/crypto/dsa/dsa.h.fips-reqs 2013-12-18 12:17:09.749636636 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa.h 2013-12-18 12:17:09.799637708 +0100 +diff -up openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1g/crypto/dsa/dsa.h +--- openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs 2014-05-06 16:22:21.254536168 +0200 ++++ openssl-1.0.1g/crypto/dsa/dsa.h 2014-05-06 16:22:21.432540283 +0200 @@ -89,6 +89,7 @@ #endif @@ -112,9 +112,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1e/crypto/dsa/dsa #define DSA_is_prime(n, callback, cb_arg) \ BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) -diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1e/crypto/dsa/dsa_key.c ---- openssl-1.0.1e/crypto/dsa/dsa_key.c.fips-reqs 2013-12-18 12:17:09.797637665 +0100 -+++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-12-18 12:17:09.799637708 +0100 +diff -up openssl-1.0.1g/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1g/crypto/dsa/dsa_key.c +--- openssl-1.0.1g/crypto/dsa/dsa_key.c.fips-reqs 2014-05-06 16:22:21.427540169 +0200 ++++ openssl-1.0.1g/crypto/dsa/dsa_key.c 2014-05-06 16:22:21.433540307 +0200 @@ -127,7 +127,7 @@ static int dsa_builtin_keygen(DSA *dsa) #ifdef OPENSSL_FIPS @@ -124,9 +124,9 @@ diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1e/crypto/dsa { DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); goto err; -diff -up openssl-1.0.1e/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1e/crypto/fips/fips_dh_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_dh_selftest.c.fips-reqs 2013-12-18 17:06:36.575114314 +0100 -+++ openssl-1.0.1e/crypto/fips/fips_dh_selftest.c 2013-12-18 17:26:14.409036334 +0100 +diff -up openssl-1.0.1g/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_dh_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_dh_selftest.c.fips-reqs 2014-05-06 16:22:21.433540307 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_dh_selftest.c 2014-05-06 16:22:21.433540307 +0200 @@ -0,0 +1,162 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -290,9 +290,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1e/ + return ret; + } +#endif -diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips-reqs openssl-1.0.1e/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips-reqs 2013-12-18 12:17:09.757636808 +0100 -+++ openssl-1.0.1e/crypto/fips/fips_drbg_rand.c 2013-12-18 18:53:33.263711297 +0100 +diff -up openssl-1.0.1g/crypto/fips/fips_drbg_rand.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.1g/crypto/fips/fips_drbg_rand.c.fips-reqs 2014-05-06 16:22:21.263536376 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_drbg_rand.c 2014-05-06 16:22:21.433540307 +0200 @@ -77,7 +77,8 @@ static int fips_drbg_bytes(unsigned char int rv = 0; unsigned char *adin = NULL; @@ -373,9 +373,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips-reqs openssl-1.0.1e/cr } static const RAND_METHOD rand_drbg_meth = -diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-reqs openssl-1.0.1e/crypto/fips/fips.h ---- openssl-1.0.1e/crypto/fips/fips.h.fips-reqs 2013-12-18 12:17:09.000000000 +0100 -+++ openssl-1.0.1e/crypto/fips/fips.h 2013-12-18 17:13:00.928586689 +0100 +diff -up openssl-1.0.1g/crypto/fips/fips.h.fips-reqs openssl-1.0.1g/crypto/fips/fips.h +--- openssl-1.0.1g/crypto/fips/fips.h.fips-reqs 2014-05-06 16:22:21.421540031 +0200 ++++ openssl-1.0.1g/crypto/fips/fips.h 2014-05-06 16:22:21.433540307 +0200 @@ -96,6 +96,7 @@ void FIPS_corrupt_dsa_keygen(void); int FIPS_selftest_dsa(void); int FIPS_selftest_ecdsa(void); @@ -384,9 +384,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-reqs openssl-1.0.1e/crypto/fips/ void FIPS_corrupt_rng(void); void FIPS_rng_stick(void); void FIPS_x931_stick(int onoff); -diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1e/crypto/fips/fips_post.c ---- openssl-1.0.1e/crypto/fips/fips_post.c.fips-reqs 2013-12-18 12:17:09.000000000 +0100 -+++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-12-18 17:12:26.721832716 +0100 +diff -up openssl-1.0.1g/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_post.c +--- openssl-1.0.1g/crypto/fips/fips_post.c.fips-reqs 2014-05-06 16:22:21.420540008 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_post.c 2014-05-06 16:22:21.433540307 +0200 @@ -99,6 +99,8 @@ int FIPS_selftest(void) rv = 0; if (!FIPS_selftest_dsa()) @@ -396,9 +396,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1e/crypto/ if (!FIPS_selftest_ecdh()) rv = 0; return rv; -diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips-reqs 2014-03-14 14:47:18.809259727 +0100 -+++ openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c 2014-03-14 15:37:26.295687852 +0100 +diff -up openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c.fips-reqs 2014-05-06 16:22:21.267536469 +0200 ++++ openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c 2014-05-06 16:22:21.434540330 +0200 @@ -60,69 +60,113 @@ #ifdef OPENSSL_FIPS @@ -1129,9 +1129,9 @@ diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1e RSA_free(key); return ret; } -diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-reqs openssl-1.0.1e/crypto/fips/Makefile ---- openssl-1.0.1e/crypto/fips/Makefile.fips-reqs 2013-12-18 12:17:20.000000000 +0100 -+++ openssl-1.0.1e/crypto/fips/Makefile 2013-12-18 17:14:20.348337362 +0100 +diff -up openssl-1.0.1g/crypto/fips/Makefile.fips-reqs openssl-1.0.1g/crypto/fips/Makefile +--- openssl-1.0.1g/crypto/fips/Makefile.fips-reqs 2014-05-06 16:22:21.420540008 +0200 ++++ openssl-1.0.1g/crypto/fips/Makefile 2014-05-06 16:22:21.434540330 +0200 @@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ @@ -1150,10 +1150,10 @@ diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-reqs openssl-1.0.1e/crypto/fip LIBCRYPTO=-L.. -lcrypto -diff -up openssl-1.0.1e/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1e/crypto/modes/gcm128.c ---- openssl-1.0.1e/crypto/modes/gcm128.c.fips-reqs 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/modes/gcm128.c 2013-12-18 12:17:09.800637730 +0100 -@@ -898,6 +898,10 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT +diff -up openssl-1.0.1g/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1g/crypto/modes/gcm128.c +--- openssl-1.0.1g/crypto/modes/gcm128.c.fips-reqs 2014-04-06 17:55:01.000000000 +0200 ++++ openssl-1.0.1g/crypto/modes/gcm128.c 2014-05-06 16:22:21.434540330 +0200 +@@ -906,6 +906,10 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT # endif #endif @@ -1164,7 +1164,7 @@ diff -up openssl-1.0.1e/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1e/crypto/mo #if 0 n = (unsigned int)mlen%16; /* alternative to ctx->mres */ #endif -@@ -1200,6 +1204,10 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_C +@@ -1269,6 +1273,10 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_C # endif #endif @@ -1175,10 +1175,10 @@ diff -up openssl-1.0.1e/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1e/crypto/mo mlen += len; if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen 0); @@ -1242,7 +1242,7 @@ diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips-reqs openssl-1.0.1e/crypto/ra EVP_MD_CTX_init(&m); for (i=0; i 0) { -@@ -515,10 +494,11 @@ static int ssleay_rand_bytes(unsigned ch +@@ -524,16 +497,11 @@ static int ssleay_rand_bytes(unsigned ch MD_Init(&m); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); MD_Update(&m,local_md,MD_DIGEST_LENGTH); -- CRYPTO_w_lock(CRYPTO_LOCK_RAND); +-#ifdef OPENSSL_FIPS +- if (!FIPS_mode()) +-#endif +- CRYPTO_w_lock(CRYPTO_LOCK_RAND); + locked = private_RAND_lock(1); MD_Update(&m,md,MD_DIGEST_LENGTH); MD_Final(&m,md); -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); +-#ifdef OPENSSL_FIPS +- if (!FIPS_mode()) +-#endif +- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + if (locked) + private_RAND_lock(0); EVP_MD_CTX_cleanup(&m); if (ok) -@@ -548,32 +528,10 @@ static int ssleay_rand_pseudo_bytes(unsi +@@ -563,32 +531,10 @@ static int ssleay_rand_pseudo_bytes(unsi static int ssleay_rand_status(void) { @@ -1345,7 +1358,7 @@ diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips-reqs openssl-1.0.1e/crypto/ra if (!initialized) { -@@ -583,13 +541,8 @@ static int ssleay_rand_status(void) +@@ -598,13 +544,8 @@ static int ssleay_rand_status(void) ret = entropy >= ENTROPY_NEEDED; @@ -1361,9 +1374,9 @@ diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips-reqs openssl-1.0.1e/crypto/ra return ret; } -diff -up openssl-1.0.1e/crypto/rand/rand.h.fips-reqs openssl-1.0.1e/crypto/rand/rand.h ---- openssl-1.0.1e/crypto/rand/rand.h.fips-reqs 2013-12-18 12:17:09.764636958 +0100 -+++ openssl-1.0.1e/crypto/rand/rand.h 2013-12-18 12:17:09.800637730 +0100 +diff -up openssl-1.0.1g/crypto/rand/rand.h.fips-reqs openssl-1.0.1g/crypto/rand/rand.h +--- openssl-1.0.1g/crypto/rand/rand.h.fips-reqs 2014-05-06 16:22:21.269536515 +0200 ++++ openssl-1.0.1g/crypto/rand/rand.h 2014-05-06 16:22:21.435540353 +0200 @@ -124,6 +124,8 @@ void RAND_set_fips_drbg_type(int type, i int RAND_init_fips(void); #endif @@ -1373,9 +1386,9 @@ diff -up openssl-1.0.1e/crypto/rand/rand.h.fips-reqs openssl-1.0.1e/crypto/rand/ /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. -diff -up openssl-1.0.1e/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1e/crypto/rand/rand_lcl.h ---- openssl-1.0.1e/crypto/rand/rand_lcl.h.fips-reqs 2013-12-18 12:17:09.507631447 +0100 -+++ openssl-1.0.1e/crypto/rand/rand_lcl.h 2013-12-18 12:17:09.800637730 +0100 +diff -up openssl-1.0.1g/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1g/crypto/rand/rand_lcl.h +--- openssl-1.0.1g/crypto/rand/rand_lcl.h.fips-reqs 2014-05-06 16:22:21.021530782 +0200 ++++ openssl-1.0.1g/crypto/rand/rand_lcl.h 2014-05-06 16:22:21.435540353 +0200 @@ -112,7 +112,7 @@ #ifndef HEADER_RAND_LCL_H #define HEADER_RAND_LCL_H @@ -1385,9 +1398,9 @@ diff -up openssl-1.0.1e/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1e/crypto/r #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) -diff -up openssl-1.0.1e/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1e/crypto/rand/rand_lib.c ---- openssl-1.0.1e/crypto/rand/rand_lib.c.fips-reqs 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/crypto/rand/rand_lib.c 2013-12-18 18:16:45.625850730 +0100 +diff -up openssl-1.0.1g/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1g/crypto/rand/rand_lib.c +--- openssl-1.0.1g/crypto/rand/rand_lib.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/crypto/rand/rand_lib.c 2014-05-06 16:22:21.435540353 +0200 @@ -181,6 +181,41 @@ int RAND_status(void) return 0; } @@ -1447,9 +1460,9 @@ diff -up openssl-1.0.1e/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1e/crypto/r return 1; } -diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1e/crypto/rsa/rsa_gen.c ---- openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips-reqs 2013-12-18 12:17:09.764636958 +0100 -+++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2013-12-19 17:40:58.483154314 +0100 +diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa/rsa_gen.c +--- openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs 2014-05-06 16:22:21.270536538 +0200 ++++ openssl-1.0.1g/crypto/rsa/rsa_gen.c 2014-05-06 16:22:21.436540376 +0200 @@ -1,5 +1,6 @@ /* crypto/rsa/rsa_gen.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -1717,9 +1730,9 @@ diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1e/crypto/rsa ok=1; err: if (ok == -1) -diff -up openssl-1.0.1e/ssl/t1_enc.c.fips-reqs openssl-1.0.1e/ssl/t1_enc.c ---- openssl-1.0.1e/ssl/t1_enc.c.fips-reqs 2013-02-11 16:26:04.000000000 +0100 -+++ openssl-1.0.1e/ssl/t1_enc.c 2013-12-18 12:17:09.801637751 +0100 +diff -up openssl-1.0.1g/ssl/t1_enc.c.fips-reqs openssl-1.0.1g/ssl/t1_enc.c +--- openssl-1.0.1g/ssl/t1_enc.c.fips-reqs 2014-03-17 17:14:20.000000000 +0100 ++++ openssl-1.0.1g/ssl/t1_enc.c 2014-05-06 16:22:21.436540376 +0200 @@ -291,6 +291,27 @@ static int tls1_PRF(long digest_mask, err: return ret; diff --git a/openssl-1.0.1-beta2-ssl-op-all.patch b/openssl-1.0.1g-ssl-op-all.patch similarity index 66% rename from openssl-1.0.1-beta2-ssl-op-all.patch rename to openssl-1.0.1g-ssl-op-all.patch index 3259d8c..f6473d6 100644 --- a/openssl-1.0.1-beta2-ssl-op-all.patch +++ b/openssl-1.0.1g-ssl-op-all.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h ---- openssl-1.0.1-beta2/ssl/ssl.h.op-all 2012-02-02 12:49:00.828035916 +0100 -+++ openssl-1.0.1-beta2/ssl/ssl.h 2012-02-02 12:52:27.297818182 +0100 -@@ -540,7 +540,7 @@ struct ssl_session_st +diff -up openssl-1.0.1g/ssl/ssl.h.op-all openssl-1.0.1g/ssl/ssl.h +--- openssl-1.0.1g/ssl/ssl.h.op-all 2014-05-06 16:03:37.400554125 +0200 ++++ openssl-1.0.1g/ssl/ssl.h 2014-05-06 16:06:21.688352245 +0200 +@@ -549,7 +549,7 @@ struct ssl_session_st #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L /* Allow initial connection to servers that don't support RI */ #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L @@ -9,8 +9,8 @@ diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h +#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* no effect since 1.0.0c due to CVE-2010-4180 */ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L - #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ -@@ -558,7 +558,7 @@ struct ssl_session_st + #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L +@@ -569,7 +569,7 @@ struct ssl_session_st /* SSL_OP_ALL: various bug workarounds that should be rather harmless. * This used to be 0x000FFFFFL before 0.9.7. */ diff --git a/openssl.git-96db902.patch b/openssl.git-96db902.patch deleted file mode 100644 index 6fed32a..0000000 --- a/openssl.git-96db902.patch +++ /dev/null @@ -1,108 +0,0 @@ -From: Dr. Stephen Henson -Date: Sat, 5 Apr 2014 23:51:06 +0000 (+0100) -Subject: Add heartbeat extension bounds check. -X-Git-Tag: OpenSSL_1_0_1g~3 -X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=96db902 - -Add heartbeat extension bounds check. - -A missing bounds check in the handling of the TLS heartbeat extension -can be used to reveal up to 64k of memory to a connected client or -server. - -Thanks for Neel Mehta of Google Security for discovering this bug and to -Adam Langley and Bodo Moeller for -preparing the fix (CVE-2014-0160) ---- - -diff --git a/ssl/d1_both.c b/ssl/d1_both.c -index 7a5596a..2e8cf68 100644 ---- a/ssl/d1_both.c -+++ b/ssl/d1_both.c -@@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s) - unsigned int payload; - unsigned int padding = 16; /* Use minimum padding */ - -- /* Read type and payload length first */ -- hbtype = *p++; -- n2s(p, payload); -- pl = p; -- - if (s->msg_callback) - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, - s, s->msg_callback_arg); - -+ /* Read type and payload length first */ -+ if (1 + 2 + 16 > s->s3->rrec.length) -+ return 0; /* silently discard */ -+ hbtype = *p++; -+ n2s(p, payload); -+ if (1 + 2 + payload + 16 > s->s3->rrec.length) -+ return 0; /* silently discard per RFC 6520 sec. 4 */ -+ pl = p; -+ - if (hbtype == TLS1_HB_REQUEST) - { - unsigned char *buffer, *bp; -+ unsigned int write_length = 1 /* heartbeat type */ + -+ 2 /* heartbeat length */ + -+ payload + padding; - int r; - -+ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) -+ return 0; -+ - /* Allocate memory for the response, size is 1 byte - * message type, plus 2 bytes payload length, plus - * payload, plus padding - */ -- buffer = OPENSSL_malloc(1 + 2 + payload + padding); -+ buffer = OPENSSL_malloc(write_length); - bp = buffer; - - /* Enter response type, length and copy payload */ -@@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s) - /* Random padding */ - RAND_pseudo_bytes(bp, padding); - -- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); -+ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); - - if (r >= 0 && s->msg_callback) - s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, -- buffer, 3 + payload + padding, -+ buffer, write_length, - s, s->msg_callback_arg); - - OPENSSL_free(buffer); -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index b82fada..bddffd9 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -2588,16 +2588,20 @@ tls1_process_heartbeat(SSL *s) - unsigned int payload; - unsigned int padding = 16; /* Use minimum padding */ - -- /* Read type and payload length first */ -- hbtype = *p++; -- n2s(p, payload); -- pl = p; -- - if (s->msg_callback) - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, - s, s->msg_callback_arg); - -+ /* Read type and payload length first */ -+ if (1 + 2 + 16 > s->s3->rrec.length) -+ return 0; /* silently discard */ -+ hbtype = *p++; -+ n2s(p, payload); -+ if (1 + 2 + payload + 16 > s->s3->rrec.length) -+ return 0; /* silently discard per RFC 6520 sec. 4 */ -+ pl = p; -+ - if (hbtype == TLS1_HB_REQUEST) - { - unsigned char *buffer, *bp; diff --git a/openssl.spec b/openssl.spec index e807e50..28da9e2 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,8 +22,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.1e -Release: 44%{?dist} +Version: 1.0.1g +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -57,9 +57,9 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch Patch36: openssl-1.0.0e-doc-noeof.patch -Patch38: openssl-1.0.1-beta2-ssl-op-all.patch +Patch38: openssl-1.0.1g-ssl-op-all.patch Patch39: openssl-1.0.1c-ipv6-apps.patch -Patch40: openssl-1.0.1e-fips.patch +Patch40: openssl-1.0.1g-fips.patch Patch45: openssl-1.0.1e-env-zlib.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch49: openssl-1.0.1a-algo-doc.patch @@ -79,23 +79,16 @@ Patch72: openssl-1.0.1e-fips-ctor.patch Patch73: openssl-1.0.1e-ecc-suiteb.patch Patch74: openssl-1.0.1e-no-md5-verify.patch Patch75: openssl-1.0.1e-compat-symbols.patch -Patch76: openssl-1.0.1e-new-fips-reqs.patch +Patch76: openssl-1.0.1g-new-fips-reqs.patch Patch77: openssl-1.0.1e-weak-ciphers.patch -Patch78: openssl-1.0.1e-3des-strength.patch -Patch79: openssl-1.0.1e-req-keylen.patch +Patch78: openssl-1.0.1g-3des-strength.patch Patch90: openssl-1.0.1e-enc-fail.patch +Patch91: openssl-1.0.1e-ssl2-no-ec.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch -Patch82: openssl-1.0.1e-backports.patch -Patch83: openssl-1.0.1e-bad-mac.patch Patch84: openssl-1.0.1e-trusted-first.patch Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch -Patch86: openssl-1.0.1e-cve-2013-6449.patch -Patch87: openssl-1.0.1e-cve-2013-6450.patch -Patch88: openssl-1.0.1e-cve-2013-4353.patch Patch89: openssl-1.0.1e-ephemeral-key-size.patch -# upstream patch for CVE-2014-0160 -Patch100: openssl.git-96db902.patch License: OpenSSL Group: System Environment/Libraries @@ -203,6 +196,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch68 -p1 -b .secure-getenv %patch69 -p1 -b .dh1024 %patch70 -p1 -b .fips-ec +%patch71 -p1 -b .manfix %patch72 -p1 -b .fips-ctor %patch73 -p1 -b .suiteb %patch74 -p1 -b .no-md5-verify @@ -210,20 +204,13 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch76 -p1 -b .fips-reqs %patch77 -p1 -b .weak-ciphers %patch78 -p1 -b .3des-strength -%patch79 -p1 -b .keylen %patch90 -p1 -b .enc-fail +%patch91 -p1 -b .ssl2noec %patch81 -p1 -b .padlock64 -%patch82 -p1 -b .backports -%patch71 -p1 -b .manfix -%patch83 -p1 -b .bad-mac %patch84 -p1 -b .trusted-first %patch85 -p1 -b .armcap -%patch86 -p1 -b .hash-crash -%patch87 -p1 -b .dtls1-mitm -%patch88 -p1 -b .handshake-crash %patch89 -p1 -b .ephemeral -%patch100 -p1 -b .CVE-2014-0160 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -490,6 +477,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Wed May 7 2014 Tomáš Mráz 1.0.1g-1 +- new upstream release 1.0.1g +- do not include ECC ciphersuites in SSLv2 client hello (#1090952) +- fail on hmac integrity check if the .hmac file is empty + * Mon Apr 07 2014 Dennis Gilmore - 1.0.1e-44 - pull in upstream patch for CVE-2014-0160 - removed CHANGES file portion from patch for expediency diff --git a/sources b/sources index 556dcb4..30690e0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -6115ae0bb61b481a9195baef72514c2e openssl-1.0.1e-hobbled.tar.xz +3de4f91702dfa545d577912a065fb250 openssl-1.0.1g-hobbled.tar.xz