update to the 1.1.1c release

This commit is contained in:
Tomas Mraz 2019-05-29 17:23:31 +02:00
parent b3060e5f2d
commit 31d61b19d5
12 changed files with 319 additions and 2463 deletions

1
.gitignore vendored
View File

@ -43,3 +43,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1-hobbled.tar.xz /openssl-1.1.1-hobbled.tar.xz
/openssl-1.1.1a-hobbled.tar.xz /openssl-1.1.1a-hobbled.tar.xz
/openssl-1.1.1b-hobbled.tar.xz /openssl-1.1.1b-hobbled.tar.xz
/openssl-1.1.1c-hobbled.tar.xz

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
@ -728,6 +728,75 @@ err:
BN_CTX_free(ctx); BN_CTX_free(ctx);
return r; return r;
} }
/*
* Tests a point known to cause an incorrect underflow in an old version of
* ecp_nist521.c
*/
static int underflow_test(void)
{
BN_CTX *ctx = NULL;
EC_GROUP *grp = NULL;
EC_POINT *P = NULL, *Q = NULL, *R = NULL;
BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
BIGNUM *k = NULL;
int testresult = 0;
const char *x1str =
"1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
"b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
const char *p521m1 =
"1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
ctx = BN_CTX_new();
if (!TEST_ptr(ctx))
return 0;
BN_CTX_start(ctx);
x1 = BN_CTX_get(ctx);
y1 = BN_CTX_get(ctx);
z1 = BN_CTX_get(ctx);
x2 = BN_CTX_get(ctx);
y2 = BN_CTX_get(ctx);
k = BN_CTX_get(ctx);
if (!TEST_ptr(k))
goto err;
grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
P = EC_POINT_new(grp);
Q = EC_POINT_new(grp);
R = EC_POINT_new(grp);
if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
goto err;
if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
|| !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
|| !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
|| !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
|| !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
y1, z1, ctx))
|| !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
|| !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
|| !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
|| !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
goto err;
if (!TEST_int_eq(BN_cmp(x1, x2), 0)
|| !TEST_int_eq(BN_cmp(y1, y2), 0))
goto err;
testresult = 1;
err:
BN_CTX_end(ctx);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
EC_GROUP_free(grp);
BN_CTX_free(ctx);
return testresult;
}
# endif # endif
static const unsigned char p521_named[] = { static const unsigned char p521_named[] = {
@ -835,6 +904,7 @@ int setup_tests(void)
# endif # endif
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
ADD_TEST(underflow_test);
# endif # endif
ADD_ALL_TESTS(internal_curve_test, crv_len); ADD_ALL_TESTS(internal_curve_test, crv_len);
ADD_ALL_TESTS(internal_curve_test_method, crv_len); ADD_ALL_TESTS(internal_curve_test_method, crv_len);

View File

@ -1,40 +1,38 @@
diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
--- openssl-1.1.1b/apps/speed.c.curves 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1b/apps/speed.c 2019-02-28 11:20:42.347170167 +0100 +++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200
@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = { @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
#endif /* OPENSSL_NO_RSA */ #endif /* OPENSSL_NO_RSA */
-#define R_EC_P160 0 enum {
-#define R_EC_P192 1 - R_EC_P160,
-#define R_EC_P224 2 - R_EC_P192,
-#define R_EC_P256 3 R_EC_P224,
-#define R_EC_P384 4 R_EC_P256,
-#define R_EC_P521 5 R_EC_P384,
-#define R_EC_K163 6 R_EC_P521,
-#define R_EC_K233 7 -#ifndef OPENSSL_NO_EC2M
-#define R_EC_K283 8 - R_EC_K163,
-#define R_EC_K409 9 - R_EC_K233,
-#define R_EC_K571 10 - R_EC_K283,
-#define R_EC_B163 11 - R_EC_K409,
-#define R_EC_B233 12 - R_EC_K571,
-#define R_EC_B283 13 - R_EC_B163,
-#define R_EC_B409 14 - R_EC_B233,
-#define R_EC_B571 15 - R_EC_B283,
-#define R_EC_BRP256R1 16 - R_EC_B409,
-#define R_EC_BRP256T1 17 - R_EC_B571,
-#define R_EC_BRP384R1 18 -#endif
-#define R_EC_BRP384T1 19 - R_EC_BRP256R1,
-#define R_EC_BRP512R1 20 - R_EC_BRP256T1,
-#define R_EC_BRP512T1 21 - R_EC_BRP384R1,
-#define R_EC_X25519 22 - R_EC_BRP384T1,
-#define R_EC_X448 23 - R_EC_BRP512R1,
+#define R_EC_P224 0 - R_EC_BRP512T1,
+#define R_EC_P256 1 R_EC_X25519,
+#define R_EC_P384 2 R_EC_X448
+#define R_EC_P521 3 };
+#define R_EC_X25519 4
+#define R_EC_X448 5
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
static OPT_PAIR ecdsa_choices[] = { static OPT_PAIR ecdsa_choices[] = {
- {"ecdsap160", R_EC_P160}, - {"ecdsap160", R_EC_P160},
@ -43,6 +41,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
{"ecdsap256", R_EC_P256}, {"ecdsap256", R_EC_P256},
{"ecdsap384", R_EC_P384}, {"ecdsap384", R_EC_P384},
{"ecdsap521", R_EC_P521}, {"ecdsap521", R_EC_P521},
-# ifndef OPENSSL_NO_EC2M
- {"ecdsak163", R_EC_K163}, - {"ecdsak163", R_EC_K163},
- {"ecdsak233", R_EC_K233}, - {"ecdsak233", R_EC_K233},
- {"ecdsak283", R_EC_K283}, - {"ecdsak283", R_EC_K283},
@ -53,6 +52,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
- {"ecdsab283", R_EC_B283}, - {"ecdsab283", R_EC_B283},
- {"ecdsab409", R_EC_B409}, - {"ecdsab409", R_EC_B409},
- {"ecdsab571", R_EC_B571}, - {"ecdsab571", R_EC_B571},
-# endif
- {"ecdsabrp256r1", R_EC_BRP256R1}, - {"ecdsabrp256r1", R_EC_BRP256R1},
- {"ecdsabrp256t1", R_EC_BRP256T1}, - {"ecdsabrp256t1", R_EC_BRP256T1},
- {"ecdsabrp384r1", R_EC_BRP384R1}, - {"ecdsabrp384r1", R_EC_BRP384R1},
@ -71,6 +71,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
{"ecdhp256", R_EC_P256}, {"ecdhp256", R_EC_P256},
{"ecdhp384", R_EC_P384}, {"ecdhp384", R_EC_P384},
{"ecdhp521", R_EC_P521}, {"ecdhp521", R_EC_P521},
-# ifndef OPENSSL_NO_EC2M
- {"ecdhk163", R_EC_K163}, - {"ecdhk163", R_EC_K163},
- {"ecdhk233", R_EC_K233}, - {"ecdhk233", R_EC_K233},
- {"ecdhk283", R_EC_K283}, - {"ecdhk283", R_EC_K283},
@ -81,6 +82,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
- {"ecdhb283", R_EC_B283}, - {"ecdhb283", R_EC_B283},
- {"ecdhb409", R_EC_B409}, - {"ecdhb409", R_EC_B409},
- {"ecdhb571", R_EC_B571}, - {"ecdhb571", R_EC_B571},
-# endif
- {"ecdhbrp256r1", R_EC_BRP256R1}, - {"ecdhbrp256r1", R_EC_BRP256R1},
- {"ecdhbrp256t1", R_EC_BRP256T1}, - {"ecdhbrp256t1", R_EC_BRP256T1},
- {"ecdhbrp384r1", R_EC_BRP384R1}, - {"ecdhbrp384r1", R_EC_BRP384R1},
@ -90,7 +92,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
{"ecdhx25519", R_EC_X25519}, {"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448} {"ecdhx448", R_EC_X448}
}; };
@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv) @@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
unsigned int bits; unsigned int bits;
} test_curves[] = { } test_curves[] = {
/* Prime Curves */ /* Prime Curves */
@ -100,6 +102,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
{"nistp256", NID_X9_62_prime256v1, 256}, {"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384}, {"nistp384", NID_secp384r1, 384},
{"nistp521", NID_secp521r1, 521}, {"nistp521", NID_secp521r1, 521},
-# ifndef OPENSSL_NO_EC2M
- /* Binary Curves */ - /* Binary Curves */
- {"nistk163", NID_sect163k1, 163}, - {"nistk163", NID_sect163k1, 163},
- {"nistk233", NID_sect233k1, 233}, - {"nistk233", NID_sect233k1, 233},
@ -111,6 +114,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
- {"nistb283", NID_sect283r1, 283}, - {"nistb283", NID_sect283r1, 283},
- {"nistb409", NID_sect409r1, 409}, - {"nistb409", NID_sect409r1, 409},
- {"nistb571", NID_sect571r1, 571}, - {"nistb571", NID_sect571r1, 571},
-# endif
- {"brainpoolP256r1", NID_brainpoolP256r1, 256}, - {"brainpoolP256r1", NID_brainpoolP256r1, 256},
- {"brainpoolP256t1", NID_brainpoolP256t1, 256}, - {"brainpoolP256t1", NID_brainpoolP256t1, 256},
- {"brainpoolP384r1", NID_brainpoolP384r1, 384}, - {"brainpoolP384r1", NID_brainpoolP384r1, 384},
@ -120,7 +124,7 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
/* Other and ECDH only ones */ /* Other and ECDH only ones */
{"X25519", NID_X25519, 253}, {"X25519", NID_X25519, 253},
{"X448", NID_X448, 448} {"X448", NID_X448, 448}
@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv) @@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
# endif # endif
# ifndef OPENSSL_NO_EC # ifndef OPENSSL_NO_EC
@ -133,46 +137,38 @@ diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv) @@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
} }
} }
} }
+#if 0 -# ifndef OPENSSL_NO_EC2M
+# if 0
ecdsa_c[R_EC_K163][0] = count / 1000; ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2; ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) { for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv) @@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
}
}
} }
- # endif
- ecdh_c[R_EC_P160][0] = count / 1000; - ecdh_c[R_EC_P160][0] = count / 1000;
- for (i = R_EC_P192; i <= R_EC_P521; i++) { - for (i = R_EC_P192; i <= R_EC_P521; i++) {
+#endif
+ ecdh_c[R_EC_P224][0] = count / 1000; + ecdh_c[R_EC_P224][0] = count / 1000;
+ for (i = R_EC_P256; i <= R_EC_P521; i++) { + for (i = R_EC_P256; i <= R_EC_P521; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0; ecdh_doit[i] = 0;
@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv) @@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
} }
} }
} }
+#if 0 -# ifndef OPENSSL_NO_EC2M
+# if 0
ecdh_c[R_EC_K163][0] = count / 1000; ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) { for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv) diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
} --- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200
} +++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200
}
+#endif
/* default iteration count for the last two EC Curves */
ecdh_c[R_EC_X25519][0] = count / 1800;
ecdh_c[R_EC_X448][0] = count / 7200;
diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves openssl-1.1.1b/crypto/ec/ecp_smpl.c
--- openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ecp_smpl.c 2019-02-28 11:19:30.628479300 +0100
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0; return 0;
} }
@ -185,22 +181,30 @@ diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves openssl-1.1.1b/crypto/ec/ecp
if (ctx == NULL) { if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new(); ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
diff -up openssl-1.1.1b/test/ecdsatest.c.curves openssl-1.1.1b/test/ecdsatest.c diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
--- openssl-1.1.1b/test/ecdsatest.c.curves 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200
+++ openssl-1.1.1b/test/ecdsatest.c 2019-02-28 11:19:30.628479300 +0100 +++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200
@@ -176,6 +176,7 @@ static int x9_62_tests(void) @@ -32,23 +32,6 @@ typedef struct {
if (!change_rand()) } ecdsa_cavs_kat_t;
goto x962_err;
+#if 0 static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1, - /* prime KATs from X9.62 */
"3342403536405981729393488334694600415596881826869351677613", - {NID_X9_62_prime192v1, NID_sha1,
"5735822328888155254683894997897571951568553642892029982342"))) - "616263", /* "abc" */
@@ -186,6 +187,7 @@ static int x9_62_tests(void) - "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
"3238135532097973577080787768312505059318910517550078427819" - "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
"78505179448783"))) - "5ca5c0d69716dfcb3474373902",
goto x962_err; - "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
+#endif - "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
# ifndef OPENSSL_NO_EC2M - {NID_X9_62_prime239v1, NID_sha1,
if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1, - "616263", /* "abc" */
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
/* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"

View File

@ -5221,17 +5221,16 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te
+use OpenSSL::Test::Simple; +use OpenSSL::Test::Simple;
+ +
+simple_test("test_evp_kdf", "evp_kdf_test"); +simple_test("test_evp_kdf", "evp_kdf_test");
diff -up openssl-1.1.1b/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp.t diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t
--- openssl-1.1.1b/test/recipes/30-test_evp.t.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200
+++ openssl-1.1.1b/test/recipes/30-test_evp.t 2019-02-28 13:05:05.659521326 +0100 +++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200
@@ -15,8 +15,8 @@ use OpenSSL::Test qw/:DEFAULT data_file/ @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
setup("test_evp"); setup("test_evp");
my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt", my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt",
- "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt", - "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
- "evpcase.txt" ); + "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
+ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evpcase.txt", "evpccmcavs.txt" );
+ "evppkey_ecc.txt", "evpcase.txt" );
plan tests => scalar(@files); plan tests => scalar(@files);

View File

@ -1,6 +1,6 @@
diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/fips/fips.c diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c
--- openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand 2019-01-15 14:14:07.813360637 +0100 --- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200
+++ openssl-1.1.1a/crypto/fips/fips.c 2019-01-15 14:14:07.838360173 +0100 +++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200
@@ -68,6 +68,7 @@ @@ -68,6 +68,7 @@
# include <openssl/fips.h> # include <openssl/fips.h>
@ -51,10 +51,10 @@ diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/
ret = 1; ret = 1;
goto end; goto end;
} }
diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1a/crypto/include/internal/fips_int.h diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h
--- openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand 2019-01-15 14:14:07.821360489 +0100 --- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200
+++ openssl-1.1.1a/crypto/include/internal/fips_int.h 2019-01-15 14:14:07.838360173 +0100 +++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200
@@ -76,6 +76,8 @@ int FIPS_selftest_hmac(void); @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void); int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void); int FIPS_selftest_cmac(void);
@ -63,9 +63,9 @@ diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openss
int fips_pkey_signature_test(EVP_PKEY *pkey, int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen, const unsigned char *tbs, int tbslen,
const unsigned char *kat, const unsigned char *kat,
diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/crypto/rand/rand_unix.c diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c
--- openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand 2018-11-20 14:35:38.000000000 +0100 --- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1a/crypto/rand/rand_unix.c 2019-01-15 14:17:22.416748544 +0100 +++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200
@@ -16,10 +16,12 @@ @@ -16,10 +16,12 @@
#include <openssl/rand.h> #include <openssl/rand.h>
#include "rand_lcl.h" #include "rand_lcl.h"
@ -74,12 +74,13 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
#include <stdio.h> #include <stdio.h>
#include "internal/dso.h" #include "internal/dso.h"
#if defined(__linux) #if defined(__linux)
# include <sys/syscall.h> -# include <asm/unistd.h>
+# include <sys/syscall.h>
+# include <sys/random.h> +# include <sys/random.h>
#endif #endif
#if defined(__FreeBSD__) #if defined(__FreeBSD__)
# include <sys/types.h> # include <sys/types.h>
@@ -258,7 +260,7 @@ static ssize_t sysctl_random(char *buf, @@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call * syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error. * returns the number of bytes returned in buf, or < 0 on error.
*/ */
@ -88,7 +89,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
{ {
/* /*
* Note: 'buflen' equals the size of the buffer which is used by the * Note: 'buflen' equals the size of the buffer which is used by the
@@ -280,6 +282,7 @@ static ssize_t syscall_random(void *buf, @@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf,
* - Linux since 3.17 with glibc 2.25 * - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061) * - FreeBSD since 12.0 (1200061)
*/ */
@ -96,20 +97,21 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak)); extern int getentropy(void *buffer, size_t length) __attribute__((weak));
@@ -301,10 +304,10 @@ static ssize_t syscall_random(void *buf, @@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL) if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif # endif
- -
+# endif +# endif
/* Linux supports this since version 3.17 */ /* Linux supports this since version 3.17 */
# if defined(__linux) && defined(SYS_getrandom) -# if defined(__linux) && defined(__NR_getrandom)
- return syscall(SYS_getrandom, buf, buflen, 0); - return syscall(__NR_getrandom, buf, buflen, 0);
+# if defined(__linux) && defined(SYS_getrandom)
+ return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0); + return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen); return sysctl_random(buf, buflen);
# else # else
@@ -454,8 +457,10 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t bytes_needed; size_t bytes_needed;
size_t entropy_available = 0; size_t entropy_available = 0;
unsigned char *buffer; unsigned char *buffer;
@ -121,7 +123,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
{ {
ssize_t bytes; ssize_t bytes;
/* Maximum allowed number of consecutive unsuccessful attempts */ /* Maximum allowed number of consecutive unsuccessful attempts */
@@ -464,7 +469,7 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) { while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed); buffer = rand_pool_add_begin(pool, bytes_needed);
@ -130,7 +132,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
if (bytes > 0) { if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes); rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes; bytes_needed -= bytes;
@@ -496,8 +501,10 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3; int attempts = 3;
const int fd = get_random_device(i); const int fd = get_random_device(i);
@ -142,7 +144,7 @@ diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/cr
while (bytes_needed != 0 && attempts-- > 0) { while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed); buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -557,7 +564,9 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
} }
} }
# endif # endif

View File

@ -1,3 +1,15 @@
diff -up openssl-1.1.1b/apps/pkcs12.c.fips openssl-1.1.1b/apps/pkcs12.c
--- openssl-1.1.1b/apps/pkcs12.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/apps/pkcs12.c 2019-05-24 12:08:40.524523735 +0200
@@ -126,7 +126,7 @@ int pkcs12_main(int argc, char **argv)
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
# ifndef OPENSSL_NO_RC2
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;
# else
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
# endif
diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
--- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200 --- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200
+++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200 +++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200
@ -985,9 +997,9 @@ diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_all
+ } + }
+#endif +#endif
} }
diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/digest.c diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/digest.c
--- openssl-1.1.1b/crypto/evp/digest.c.fips 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1c/crypto/evp/digest.c.fips 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1b/crypto/evp/digest.c 2019-02-28 11:30:06.803745726 +0100 +++ openssl-1.1.1c/crypto/evp/digest.c 2019-05-29 15:47:59.220499971 +0200
@@ -14,6 +14,9 @@ @@ -14,6 +14,9 @@
#include <openssl/engine.h> #include <openssl/engine.h>
#include "internal/evp_int.h" #include "internal/evp_int.h"
@ -1027,17 +1039,18 @@ diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/diges
if (ctx->digest && ctx->digest->ctx_size) { if (ctx->digest && ctx->digest->ctx_size) {
OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
ctx->md_data = NULL; ctx->md_data = NULL;
@@ -150,6 +168,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c @@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
{ {
+#ifdef OPENSSL_FIPS +#ifdef OPENSSL_FIPS
+ FIPS_selftest_check(); + FIPS_selftest_check();
+#endif +#endif
return ctx->update(ctx, data, count); +
} if (count == 0)
return 1;
@@ -167,6 +188,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, @@ -170,6 +192,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
{ {
int ret; int ret;
@ -9869,11 +9882,11 @@ diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/c
+#endif +#endif
+ return 0; + return 0;
+} +}
diff -up openssl-1.1.1b/crypto/hmac/hmac.c.fips openssl-1.1.1b/crypto/hmac/hmac.c diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac.c
--- openssl-1.1.1b/crypto/hmac/hmac.c.fips 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1c/crypto/hmac/hmac.c.fips 2019-05-29 15:46:19.138261106 +0200
+++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-02-28 11:30:06.817745466 +0100 +++ openssl-1.1.1c/crypto/hmac/hmac.c 2019-05-29 15:49:09.508263133 +0200
@@ -36,6 +36,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo @@ -43,6 +43,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
} return 0;
if (key != NULL) { if (key != NULL) {
+#ifdef OPENSSL_FIPS +#ifdef OPENSSL_FIPS
@ -11756,13 +11769,13 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1
Cipher = aes-128-xts Cipher = aes-128-xts
Key = 1111111111111111111111111111111122222222222222222222222222222222 Key = 1111111111111111111111111111111122222222222222222222222222222222
diff -up openssl-1.1.1b/util/libcrypto.num.fips openssl-1.1.1b/util/libcrypto.num diff -up openssl-1.1.1c/util/libcrypto.num.fips openssl-1.1.1c/util/libcrypto.num
--- openssl-1.1.1b/util/libcrypto.num.fips 2019-02-28 11:30:06.824745335 +0100 --- openssl-1.1.1c/util/libcrypto.num.fips 2019-05-29 15:46:19.154260824 +0200
+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 11:33:54.284516991 +0100 +++ openssl-1.1.1c/util/libcrypto.num 2019-05-29 15:50:10.390191805 +0200
@@ -4579,3 +4579,38 @@ EVP_PKEY_meth_set_digest_custom @@ -4580,3 +4580,38 @@ EVP_PKEY_meth_get_digest_custom
EVP_PKEY_meth_get_digest_custom 4533 1_1_1 EXIST::FUNCTION:
OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO
OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO
EVP_PKEY_get0_engine 4536 1_1_1c EXIST::FUNCTION:ENGINE
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: +FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: +FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: +FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:

View File

@ -14,24 +14,3 @@ diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/
ret->flags = DEFAULT_CONF_MFLAGS; ret->flags = DEFAULT_CONF_MFLAGS;
return ret; return ret;
diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.regression openssl-1.1.1b/crypto/evp/evp_enc.c
--- openssl-1.1.1b/crypto/evp/evp_enc.c.regression 2019-05-07 11:52:35.982596242 +0200
+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-10 14:30:42.269243383 +0200
@@ -338,7 +338,7 @@ static int evp_EncryptDecryptUpdate(EVP_
bl = ctx->cipher->block_size;
- if (inl <= 0) {
+ if (out != NULL && in == NULL && inl <= 0) {
*outl = 0;
return inl == 0;
}
@@ -491,7 +491,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
cmpl = (cmpl + 7) / 8;
- if (inl <= 0) {
+ if (out != NULL && in == NULL && inl <= 0) {
*outl = 0;
return inl == 0;
}

View File

@ -1,6 +1,6 @@
diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl
--- openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-08-22 12:15:54.520742678 +0200 --- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist 2019-05-29 15:42:27.951329271 +0200
+++ openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl 2018-08-22 12:15:54.554743511 +0200 +++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl 2019-05-29 15:42:27.974328867 +0200
@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man @@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html HTMLDIR=$(DOCDIR)/html
@ -20,15 +20,15 @@ diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist
(map { "-I".$_} @{$config{CPPINCLUDES}}), (map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -} @{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Configure diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
--- openssl-1.1.1-pre9/Configure.system-cipherlist 2018-08-21 14:14:11.000000000 +0200 --- openssl-1.1.1c/Configure.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1-pre9/Configure 2018-08-22 12:16:46.600018343 +0200 +++ openssl-1.1.1c/Configure 2019-05-29 15:45:10.465469533 +0200
@@ -24,7 +24,7 @@ use OpenSSL::Glob; @@ -24,7 +24,7 @@ use OpenSSL::Glob;
my $orig_death_handler = $SIG{__DIE__}; my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler; $SIG{__DIE__} = \&death_handler;
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; +my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
# Options: # Options:
# #
@ -50,18 +50,18 @@ diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Confi
my $auto_threads=1; # enable threads automatically? true by default my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib; my $default_ranlib;
@@ -817,6 +821,10 @@ while (@argvcopy) @@ -824,6 +828,10 @@ while (@argvcopy)
push @seed_sources, $x; push @seed_sources, $x;
} }
} }
+ elsif (/^--system-ciphers-file=(.*)$/) + elsif (/^--system-ciphers-file=(.*)$/)
+ { + {
+ $config{system_ciphers_file}=$1; + $config{system_ciphers_file}=$1;
+ } + }
elsif (/^--cross-compile-prefix=(.*)$/) elsif (/^--cross-compile-prefix=(.*)$/)
{ {
$user{CROSS_COMPILE}=$1; $user{CROSS_COMPILE}=$1;
@@ -1003,6 +1011,8 @@ if ($target eq "HASH") { @@ -1016,6 +1024,8 @@ if ($target eq "HASH") {
exit 0; exit 0;
} }
@ -70,9 +70,9 @@ diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Confi
print "Configuring OpenSSL version $config{version} ($config{version_num}) "; print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
print "for $target\n"; print "for $target\n";
diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre9/doc/man1/ciphers.pod diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod
--- openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist 2018-08-21 14:14:13.000000000 +0200 --- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1-pre9/doc/man1/ciphers.pod 2018-08-22 12:15:54.555743536 +0200 +++ openssl-1.1.1c/doc/man1/ciphers.pod 2019-05-29 15:42:27.975328849 +0200
@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s @@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>. The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@ -89,9 +89,9 @@ diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1
=item B<HIGH> =item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths "High" encryption cipher suites. This currently means those with key lengths
diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre9/include/openssl/ssl.h diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h
--- openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist 2018-08-21 14:14:15.000000000 +0200 --- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1-pre9/include/openssl/ssl.h 2018-08-22 12:15:54.557743585 +0200 +++ openssl-1.1.1c/include/openssl/ssl.h 2019-05-29 15:42:27.975328849 +0200
@@ -186,6 +186,11 @@ extern "C" { @@ -186,6 +186,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not * throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.) * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@ -104,9 +104,9 @@ diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1 # define SSL_SENT_SHUTDOWN 1
diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_ciph.c diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c
--- openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist 2018-08-21 14:14:15.000000000 +0200 --- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1-pre9/ssl/ssl_ciph.c 2018-08-22 12:15:54.557743585 +0200 +++ openssl-1.1.1c/ssl/ssl_ciph.c 2019-05-29 15:42:27.976328831 +0200
@@ -9,6 +9,8 @@ @@ -9,6 +9,8 @@
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
@ -116,7 +116,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
#include <stdio.h> #include <stdio.h>
#include <ctype.h> #include <ctype.h>
#include <openssl/objects.h> #include <openssl/objects.h>
@@ -1397,6 +1399,53 @@ int SSL_set_ciphersuites(SSL *s, const c @@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret; return ret;
} }
@ -170,7 +170,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1410,15 +1459,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
const char *rule_p; const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL; const SSL_CIPHER **ca_list = NULL;
@ -198,7 +198,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
#endif #endif
/* /*
@@ -1441,7 +1500,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) { if (co_list == NULL) {
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
@ -207,7 +207,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
} }
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1507,8 +1566,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class * in force within each class
*/ */
if (!ssl_cipher_strength_sort(&head, &tail)) { if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -217,7 +217,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
} }
/* /*
@@ -1553,9 +1611,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) { if (ca_list == NULL) {
@ -228,7 +228,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
} }
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc, disabled_mkey, disabled_auth, disabled_enc,
@@ -1581,8 +1638,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */ OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */ if (!ok) { /* Rule processing failure */
@ -238,7 +238,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
} }
/* /*
@@ -1590,14 +1646,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one. * if we cannot get one.
*/ */
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -259,7 +259,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
sk_SSL_CIPHER_free(cipherstack); sk_SSL_CIPHER_free(cipherstack);
return NULL; return NULL;
} }
@@ -1629,6 +1689,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack; *cipher_list = cipherstack;
return cipherstack; return cipherstack;
@ -274,10 +274,10 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
} }
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_lib.c diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c
--- openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist 2018-08-22 12:15:54.552743462 +0200 --- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist 2019-05-29 15:42:27.970328937 +0200
+++ openssl-1.1.1-pre9/ssl/ssl_lib.c 2018-08-22 12:15:54.558743609 +0200 +++ openssl-1.1.1c/ssl/ssl_lib.c 2019-05-29 15:42:27.977328814 +0200
@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx @@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites, ctx->tls13_ciphersuites,
&(ctx->cipher_list), &(ctx->cipher_list),
&(ctx->cipher_list_by_id), &(ctx->cipher_list_by_id),
@ -286,7 +286,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0; return 0;
@@ -2933,7 +2933,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m @@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
if (!ssl_create_cipher_list(ret->method, if (!ssl_create_cipher_list(ret->method,
ret->tls13_ciphersuites, ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id, &ret->cipher_list, &ret->cipher_list_by_id,
@ -295,9 +295,9 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2; goto err2;
diff -up openssl-1.1.1b/test/cipherlist_test.c.system-cipherlist openssl-1.1.1b/test/cipherlist_test.c diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c
--- openssl-1.1.1b/test/cipherlist_test.c.system-cipherlist 2019-02-28 11:27:15.181936081 +0100 --- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1b/test/cipherlist_test.c 2019-02-28 11:28:53.357111055 +0100 +++ openssl-1.1.1c/test/cipherlist_test.c 2019-05-29 15:42:27.977328814 +0200
@@ -251,7 +251,9 @@ end: @@ -251,7 +251,9 @@ end:
int setup_tests(void) int setup_tests(void)

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
diff -up openssl-1.1.1b/include/openssl/opensslv.h.version-override openssl-1.1.1b/include/openssl/opensslv.h diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h
--- openssl-1.1.1b/include/openssl/opensslv.h.version-override 2019-02-28 11:34:56.427361796 +0100 --- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200
+++ openssl-1.1.1b/include/openssl/opensslv.h 2019-02-28 11:35:40.487542747 +0100 +++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200
@@ -40,7 +40,7 @@ extern "C" { @@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x1010102fL # define OPENSSL_VERSION_NUMBER 0x1010103fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b 26 Feb 2019" -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b FIPS 26 Feb 2019" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019"
/*- /*-
* The macros below are to be used for shared library (.so, .dll, ...) * The macros below are to be used for shared library (.so, .dll, ...)

View File

@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1b Version: 1.1.1c
Release: 10%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -454,6 +454,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed May 29 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1
- update to the 1.1.1c release
* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-10 * Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-10
- Another attempt at the AES-CCM regression fix - Another attempt at the AES-CCM regression fix

View File

@ -1 +1 @@
SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1 SHA512 (openssl-1.1.1c-hobbled.tar.xz) = e6476209366d284bd02dca7e59a7ba2562aa7c58c91f0063b1e2b0f1a7f96fcff000e26d9c6f59b944e047b3305d237ed442f702ddd2e8c6c7a4d5b12e23c8db