diff --git a/.gitignore b/.gitignore
index 8966853..b527faa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.2f-hobbled.tar.xz
 /openssl-1.0.2g-hobbled.tar.xz
 /openssl-1.0.2h-hobbled.tar.xz
+/openssl-1.0.2i-hobbled.tar.xz
diff --git a/openssl-1.0.2a-chil-fixes.patch b/openssl-1.0.2a-chil-fixes.patch
deleted file mode 100644
index ebd2429..0000000
--- a/openssl-1.0.2a-chil-fixes.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up openssl-1.0.2a/engines/e_chil.c.chil openssl-1.0.2a/engines/e_chil.c
---- openssl-1.0.2a/engines/e_chil.c.chil 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/engines/e_chil.c 2015-04-21 17:06:25.480293443 +0200
-@@ -1247,6 +1247,11 @@ static int hwcrhk_insert_card(const char
- UI *ui;
- void *callback_data = NULL;
- UI_METHOD *ui_method = NULL;
-+ /* Despite what the documentation says prompt_info can be
-+ * an empty string.
-+ */
-+ if (prompt_info && !*prompt_info)
-+ prompt_info = NULL;
-
- if (cactx) {
- if (cactx->ui_method)
-@@ -1268,7 +1273,7 @@ static int hwcrhk_insert_card(const char
- ui = UI_new_method(ui_method);
-
- if (ui) {
-- char answer;
-+ char answer = '\0';
- char buf[BUFSIZ];
- /*
- * Despite what the documentation says wrong_info can be an empty
diff --git a/openssl-1.0.2a-enc-fail.patch b/openssl-1.0.2a-enc-fail.patch
deleted file mode 100644
index 1dac66d..0000000
--- a/openssl-1.0.2a-enc-fail.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff -up openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2a/crypto/evp/bio_enc.c
---- openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/bio_enc.c 2015-04-22 18:10:06.491819948 +0200
-@@ -201,10 +201,14 @@ static int enc_read(BIO *b, char *out, i
- break;
- }
- } else {
-- EVP_CipherUpdate(&(ctx->cipher),
-- (unsigned char *)ctx->buf, &ctx->buf_len,
-- (unsigned char *)&(ctx->buf[BUF_OFFSET]), i);
-- ctx->cont = 1;
-+ if (!EVP_CipherUpdate(&(ctx->cipher),
-+ (unsigned char *)ctx->buf, &ctx->buf_len,
-+ (unsigned char *)&(ctx->buf[BUF_OFFSET]),
-+ i)) {
-+ ctx->ok = 0;
-+ ctx->cont = 0;
-+ } else
-+ ctx->cont = 1;
- /*
- * Note: it is possible for EVP_CipherUpdate to decrypt zero
- * bytes because this is or looks like the final block: if this
-@@ -260,9 +264,13 @@ static int enc_write(BIO *b, const char
- ctx->buf_off = 0;
- while (inl > 0) {
- n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl;
-- EVP_CipherUpdate(&(ctx->cipher),
-- (unsigned char *)ctx->buf, &ctx->buf_len,
-- (unsigned char *)in, n);
-+ if (!EVP_CipherUpdate(&(ctx->cipher),
-+ (unsigned char *)ctx->buf, &ctx->buf_len,
-+ (unsigned char *)in, n)) {
-+ BIO_copy_next_retry(b);
-+ ctx->ok = 0;
-+ return ret - inl;
-+ }
- inl -= n;
- in += n;
-
-@@ -298,8 +306,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
- case BIO_CTRL_RESET:
- ctx->ok = 1;
- ctx->finished = 0;
-- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
-- ctx->cipher.encrypt);
-+ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
-+ ctx->cipher.encrypt))
-+ ctx->ok = 0;
- ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
- break;
- case BIO_CTRL_EOF: /* More to read */
-@@ -421,7 +430,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
-
- b->init = 1;
- ctx = (BIO_ENC_CTX *)b->ptr;
-- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
-+ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
-+ ctx->ok = 0;
-
- if (b->callback != NULL)
- b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
diff --git a/openssl-1.0.2h-dtls-bad-ver.patch b/openssl-1.0.2h-dtls-bad-ver.patch
deleted file mode 100644
index 19fb577..0000000
--- a/openssl-1.0.2h-dtls-bad-ver.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.2h/ssl/ssl_lib.c.dtls-bad-ver openssl-1.0.2h/ssl/ssl_lib.c
---- openssl-1.0.2h/ssl/ssl_lib.c.dtls-bad-ver 2016-05-03 18:06:45.000000000 +0200
-+++ openssl-1.0.2h/ssl/ssl_lib.c 2016-08-10 13:47:33.995530954 +0200
-@@ -1828,7 +1828,7 @@ int SSL_export_keying_material(SSL *s, u
- const unsigned char *p, size_t plen,
- int use_context)
- {
-- if (s->version < TLS1_VERSION)
-+ if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
- return -1;
-
- return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
diff --git a/openssl-1.0.2i-chil-fixes.patch b/openssl-1.0.2i-chil-fixes.patch
new file mode 100644
index 0000000..c7f1820
--- /dev/null
+++ b/openssl-1.0.2i-chil-fixes.patch
@@ -0,0 +1,15 @@
+diff -up openssl-1.0.2i/engines/e_chil.c.chil openssl-1.0.2i/engines/e_chil.c
+--- openssl-1.0.2i/engines/e_chil.c.chil 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/engines/e_chil.c 2016-09-22 13:49:32.532017102 +0200
+@@ -1274,6 +1274,11 @@ static int hwcrhk_insert_card(const char
+ UI *ui;
+ void *callback_data = NULL;
+ UI_METHOD *ui_method = NULL;
++ /* Despite what the documentation says prompt_info can be
++ * an empty string.
++ */
++ if (prompt_info && !*prompt_info)
++ prompt_info = NULL;
+
+ if (cactx) {
+ if (cactx->ui_method)
diff --git a/openssl-1.0.2i-enc-fail.patch b/openssl-1.0.2i-enc-fail.patch
new file mode 100644
index 0000000..819a3fc
--- /dev/null
+++ b/openssl-1.0.2i-enc-fail.patch
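Review bot: The refreshed chil patch keeps only the empty-`prompt_info` guard and no longer carries the `char answer = '\0';` initialisation that the deleted 1.0.2a version applied further down in `hwcrhk_insert_card`. Presumably 1.0.2i initialises `answer` upstream, but nothing on this page shows it, so confirm that against `engines/e_chil.c` in the 1.0.2i tarball before relying on the shorter patch. A short header in the patch file, for example `Only the prompt_info guard is still needed; the answer initialisation is upstream in 1.0.2i.`, would record why the hunk was dropped. The function body continues outside the quoted context.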
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2i/crypto/evp/bio_enc.c
+--- openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/bio_enc.c 2016-09-22 13:58:24.592381002 +0200
+@@ -307,8 +307,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
+ case BIO_CTRL_RESET:
+ ctx->ok = 1;
+ ctx->finished = 0;
+- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+- ctx->cipher.encrypt);
++ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
++ ctx->cipher.encrypt))
++ ctx->ok = 0;
+ ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
+ break;
+ case BIO_CTRL_EOF: /* More to read */
+@@ -430,7 +431,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
+
+ b->init = 1;
+ ctx = (BIO_ENC_CTX *)b->ptr;
+- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
++ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
++ ctx->ok = 0;
+
+ if (b->callback != NULL)
+ b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
diff --git a/openssl-1.0.2h-fips.patch b/openssl-1.0.2i-fips.patch
similarity index 95%
rename from openssl-1.0.2h-fips.patch
rename to openssl-1.0.2i-fips.patch
index e291dd9..591c788 100644
--- a/openssl-1.0.2h-fips.patch
+++ b/openssl-1.0.2i-fips.patch
@@ -1,6 +1,6 @@ -diff -up openssl-1.0.2h/apps/speed.c.fips openssl-1.0.2h/apps/speed.c ---- openssl-1.0.2h/apps/speed.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/apps/speed.c 2016-05-03 16:57:58.819320945 +0200 +diff -up openssl-1.0.2i/apps/speed.c.fips openssl-1.0.2i/apps/speed.c +--- openssl-1.0.2i/apps/speed.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/apps/speed.c 2016-09-22 13:35:57.007220767 +0200 @@ -197,7 +197,6 @@ # ifdef OPENSSL_DOING_MAKEDEPEND # undef AES_set_encrypt_key
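Review bot: A failed `EVP_CipherInit_ex` is recorded only in `ctx->ok` and is not reported to the caller in either hunk of the new enc-fail patch: the `BIO_CTRL_RESET` case in `enc_ctrl` still assigns `ret` from `BIO_ctrl(b->next_bio, cmd, num, ptr)`, and `BIO_set_cipher` returns `void` and goes on to the callback with `b->init = 1` already set. Whether the read and write paths refuse to process data once `ctx->ok` is 0 is not visible here, so either make the reset case fail closed (skip the `BIO_ctrl` call and return a failure value) or add a comment such as `/* init failed: ctx->ok = 0 makes later reads and writes fail */` once that is verified. The `EVP_CipherUpdate` checks that the 1.0.2a version of this patch added to `enc_read` and `enc_write` are gone; presumably they are upstream in 1.0.2i, which is worth confirming. Both function bodies continue outside the quoted context.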
@@ -133,9 +133,9 @@ diff -up openssl-1.0.2h/apps/speed.c.fips openssl-1.0.2h/apps/speed.c HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...", 16, EVP_md5(), NULL); -diff -up openssl-1.0.2h/Configure.fips openssl-1.0.2h/Configure ---- openssl-1.0.2h/Configure.fips 2016-05-03 16:57:58.783320095 +0200 -+++ openssl-1.0.2h/Configure 2016-05-03 16:57:58.819320945 +0200 +diff -up openssl-1.0.2i/Configure.fips openssl-1.0.2i/Configure +--- openssl-1.0.2i/Configure.fips 2016-09-22 13:35:56.993220444 +0200 ++++ openssl-1.0.2i/Configure 2016-09-22 13:35:57.008220790 +0200 @@ -1067,11 +1067,6 @@ if (defined($disabled{"md5"}) || defined $disabled{"ssl2"} = "forced"; } @@ -148,7 +148,7 @@ diff -up openssl-1.0.2h/Configure.fips openssl-1.0.2h/Configure # RSAX ENGINE sets default non-FIPS RSA method. if ($fips) { -@@ -1560,7 +1555,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b +@@ -1556,7 +1551,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b if ($fips) { $openssl_other_defines.="#define OPENSSL_FIPS\n"; @@ -156,7 +156,7 @@ diff -up openssl-1.0.2h/Configure.fips openssl-1.0.2h/Configure } $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); -@@ -1763,9 +1757,12 @@ while () +@@ -1768,9 +1762,12 @@ while () s/^FIPSDIR=.*/FIPSDIR=$fipsdir/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; 
@@ -170,9 +170,9 @@ diff -up openssl-1.0.2h/Configure.fips openssl-1.0.2h/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.2h/crypto/aes/aes_misc.c.fips openssl-1.0.2h/crypto/aes/aes_misc.c ---- openssl-1.0.2h/crypto/aes/aes_misc.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/aes/aes_misc.c 2016-05-03 16:57:58.819320945 +0200 +diff -up openssl-1.0.2i/crypto/aes/aes_misc.c.fips openssl-1.0.2i/crypto/aes/aes_misc.c +--- openssl-1.0.2i/crypto/aes/aes_misc.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/aes/aes_misc.c 2016-09-22 13:35:57.008220790 +0200 @@ -70,17 +70,11 @@ const char *AES_options(void) int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) @@ -191,9 +191,9 @@ diff -up openssl-1.0.2h/crypto/aes/aes_misc.c.fips openssl-1.0.2h/crypto/aes/aes -#endif return private_AES_set_decrypt_key(userKey, bits, key); } -diff -up openssl-1.0.2h/crypto/cmac/cmac.c.fips openssl-1.0.2h/crypto/cmac/cmac.c ---- openssl-1.0.2h/crypto/cmac/cmac.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/cmac/cmac.c 2016-05-03 16:57:58.819320945 +0200 +diff -up openssl-1.0.2i/crypto/cmac/cmac.c.fips openssl-1.0.2i/crypto/cmac/cmac.c +--- openssl-1.0.2i/crypto/cmac/cmac.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/cmac/cmac.c 2016-09-22 13:35:57.008220790 +0200 @@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) 
@@ -250,9 +250,9 @@ diff -up openssl-1.0.2h/crypto/cmac/cmac.c.fips openssl-1.0.2h/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); -diff -up openssl-1.0.2h/crypto/crypto.h.fips openssl-1.0.2h/crypto/crypto.h ---- openssl-1.0.2h/crypto/crypto.h.fips 2016-05-03 16:57:58.673317497 +0200 -+++ openssl-1.0.2h/crypto/crypto.h 2016-05-03 16:57:58.820320969 +0200 +diff -up openssl-1.0.2i/crypto/crypto.h.fips openssl-1.0.2i/crypto/crypto.h +--- openssl-1.0.2i/crypto/crypto.h.fips 2016-09-22 13:35:56.890218070 +0200 ++++ openssl-1.0.2i/crypto/crypto.h 2016-09-22 13:35:57.008220790 +0200 @@ -600,24 +600,29 @@ int FIPS_mode_set(int r); void OPENSSL_init(void); @@ -298,9 +298,9 @@ diff -up openssl-1.0.2h/crypto/crypto.h.fips openssl-1.0.2h/crypto/crypto.h /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.2h/crypto/des/des.h.fips openssl-1.0.2h/crypto/des/des.h ---- openssl-1.0.2h/crypto/des/des.h.fips 2016-05-03 16:57:58.709318347 +0200 -+++ openssl-1.0.2h/crypto/des/des.h 2016-05-03 16:57:58.820320969 +0200 +diff -up openssl-1.0.2i/crypto/des/des.h.fips openssl-1.0.2i/crypto/des/des.h +--- openssl-1.0.2i/crypto/des/des.h.fips 2016-09-22 13:35:56.918218715 +0200 ++++ openssl-1.0.2i/crypto/des/des.h 2016-09-22 13:35:57.008220790 +0200 @@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, D int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule); 
@@ -312,9 +312,9 @@ diff -up openssl-1.0.2h/crypto/des/des.h.fips openssl-1.0.2h/crypto/des/des.h void DES_string_to_key(const char *str, DES_cblock *key); void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, -diff -up openssl-1.0.2h/crypto/des/set_key.c.fips openssl-1.0.2h/crypto/des/set_key.c ---- openssl-1.0.2h/crypto/des/set_key.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/des/set_key.c 2016-05-03 16:57:58.820320969 +0200 +diff -up openssl-1.0.2i/crypto/des/set_key.c.fips openssl-1.0.2i/crypto/des/set_key.c +--- openssl-1.0.2i/crypto/des/set_key.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/des/set_key.c 2016-09-22 13:35:57.008220790 +0200 @@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock } @@ -331,9 +331,9 @@ diff -up openssl-1.0.2h/crypto/des/set_key.c.fips openssl-1.0.2h/crypto/des/set_ { static const int shifts2[16] = { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 }; -diff -up openssl-1.0.2h/crypto/dh/dh_gen.c.fips openssl-1.0.2h/crypto/dh/dh_gen.c ---- openssl-1.0.2h/crypto/dh/dh_gen.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dh/dh_gen.c 2016-05-03 16:57:58.820320969 +0200 +diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips openssl-1.0.2i/crypto/dh/dh_gen.c +--- openssl-1.0.2i/crypto/dh/dh_gen.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dh/dh_gen.c 2016-09-22 13:35:57.009220813 +0200 @@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, i #endif if (ret->meth->generate_params) 
@@ -364,9 +364,9 @@ diff -up openssl-1.0.2h/crypto/dh/dh_gen.c.fips openssl-1.0.2h/crypto/dh/dh_gen. ctx = BN_CTX_new(); if (ctx == NULL) goto err; -diff -up openssl-1.0.2h/crypto/dh/dh.h.fips openssl-1.0.2h/crypto/dh/dh.h ---- openssl-1.0.2h/crypto/dh/dh.h.fips 2016-05-03 16:57:58.622316293 +0200 -+++ openssl-1.0.2h/crypto/dh/dh.h 2016-05-03 16:57:58.820320969 +0200 +diff -up openssl-1.0.2i/crypto/dh/dh.h.fips openssl-1.0.2i/crypto/dh/dh.h +--- openssl-1.0.2i/crypto/dh/dh.h.fips 2016-09-22 13:35:56.863217447 +0200 ++++ openssl-1.0.2i/crypto/dh/dh.h 2016-09-22 13:35:57.009220813 +0200 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 # endif @@ -376,9 +376,9 @@ diff -up openssl-1.0.2h/crypto/dh/dh.h.fips openssl-1.0.2h/crypto/dh/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 /* -diff -up openssl-1.0.2h/crypto/dh/dh_key.c.fips openssl-1.0.2h/crypto/dh/dh_key.c ---- openssl-1.0.2h/crypto/dh/dh_key.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dh/dh_key.c 2016-05-03 16:57:58.821320992 +0200 +diff -up openssl-1.0.2i/crypto/dh/dh_key.c.fips openssl-1.0.2i/crypto/dh/dh_key.c +--- openssl-1.0.2i/crypto/dh/dh_key.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dh/dh_key.c 2016-09-22 13:35:57.009220813 +0200 @@ -61,6 +61,9 @@ #include #include @@ -446,9 +446,9 @@ diff -up openssl-1.0.2h/crypto/dh/dh_key.c.fips openssl-1.0.2h/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return (1); } -diff -up openssl-1.0.2h/crypto/dh/dh_lib.c.fips openssl-1.0.2h/crypto/dh/dh_lib.c ---- openssl-1.0.2h/crypto/dh/dh_lib.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dh/dh_lib.c 2016-05-03 16:57:58.821320992 +0200 +diff -up openssl-1.0.2i/crypto/dh/dh_lib.c.fips openssl-1.0.2i/crypto/dh/dh_lib.c +--- openssl-1.0.2i/crypto/dh/dh_lib.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dh/dh_lib.c 2016-09-22 13:35:57.009220813 +0200 
@@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METH const DH_METHOD *DH_get_default_method(void) { @@ -464,9 +464,9 @@ diff -up openssl-1.0.2h/crypto/dh/dh_lib.c.fips openssl-1.0.2h/crypto/dh/dh_lib. } return default_DH_method; } -diff -up openssl-1.0.2h/crypto/dsa/dsa_err.c.fips openssl-1.0.2h/crypto/dsa/dsa_err.c ---- openssl-1.0.2h/crypto/dsa/dsa_err.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsa_err.c 2016-05-03 16:57:58.821320992 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsa_err.c.fips openssl-1.0.2i/crypto/dsa/dsa_err.c +--- openssl-1.0.2i/crypto/dsa/dsa_err.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_err.c 2016-09-22 13:35:57.009220813 +0200 @@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[] {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"}, {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, @@ -485,9 +485,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_err.c.fips openssl-1.0.2h/crypto/dsa/dsa_ {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"}, -diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_gen.c ---- openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsa_gen.c 2016-05-03 16:57:58.821320992 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips openssl-1.0.2i/crypto/dsa/dsa_gen.c +--- openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_gen.c 2016-09-22 13:42:54.389840662 +0200 @@ -91,6 +91,16 @@ # include # endif 
@@ -505,7 +505,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ int DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, -@@ -106,97 +116,165 @@ int DSA_generate_parameters_ex(DSA *ret, +@@ -106,83 +116,146 @@ int DSA_generate_parameters_ex(DSA *ret, if (ret->meth->dsa_paramgen) return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, counter_ret, h_ret, cb); @@ -692,6 +692,8 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ + *p_ret = p = BN_CTX_get(ctx); test = BN_CTX_get(ctx); + if (test == NULL) +@@ -191,15 +264,20 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!BN_lshift(test, BN_value_one(), bits - 1)) goto err; @@ -711,10 +713,10 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ - if (!seed_len || !seed_in) { + if (!seed_len) { - if (RAND_pseudo_bytes(seed, qsize) < 0) + if (RAND_bytes(seed, qsize) <= 0) goto err; seed_is_random = 1; -@@ -206,29 +284,18 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -209,29 +287,18 @@ int dsa_builtin_paramgen(DSA *ret, size_ * be bad */ } memcpy(buf, seed, qsize); @@ -747,7 +749,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, seed_is_random, cb); if (r > 0) -@@ -236,8 +303,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -239,8 +306,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (r != 0) goto err; @@ -756,7 +758,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ } if (!BN_GENCB_call(cb, 2, 0)) -@@ -245,19 +310,16 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -248,19 +313,16 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!BN_GENCB_call(cb, 3, 0)) goto err; 
@@ -779,7 +781,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ for (k = 0; k <= n; k++) { /* * obtain "SEED + offset + k" by incrementing: -@@ -271,36 +333,37 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -274,36 +336,37 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) goto err; @@ -825,7 +827,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb); if (r > 0) goto end; /* found it */ -@@ -308,12 +371,12 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -311,12 +374,12 @@ int dsa_builtin_paramgen(DSA *ret, size_ goto err; } @@ -841,7 +843,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ break; } } -@@ -321,7 +384,33 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -324,7 +387,33 @@ int dsa_builtin_paramgen(DSA *ret, size_ if (!BN_GENCB_call(cb, 2, 1)) goto err; @@ -876,7 +878,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ /* Set r0=(p-1)/q */ if (!BN_sub(test, p, BN_value_one())) goto err; -@@ -350,46 +439,14 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -353,46 +442,14 @@ int dsa_builtin_paramgen(DSA *ret, size_ ok = 1; err: if (ok) { @@ -923,7 +925,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ /* * This is a parameter generation algorithm for the DSA2 algorithm as * described in FIPS 186-3. -@@ -415,14 +472,6 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -418,14 +475,6 @@ int dsa_builtin_paramgen2(DSA *ret, size EVP_MD_CTX mctx; unsigned int h = 2; 
@@ -938,9 +940,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_gen.c.fips openssl-1.0.2h/crypto/dsa/dsa_ EVP_MD_CTX_init(&mctx); if (evpmd == NULL) { -diff -up openssl-1.0.2h/crypto/dsa/dsa.h.fips openssl-1.0.2h/crypto/dsa/dsa.h ---- openssl-1.0.2h/crypto/dsa/dsa.h.fips 2016-05-03 16:57:58.513313719 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsa.h 2016-05-03 16:57:58.821320992 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips openssl-1.0.2i/crypto/dsa/dsa.h +--- openssl-1.0.2i/crypto/dsa/dsa.h.fips 2016-09-22 13:35:56.789215742 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa.h 2016-09-22 13:35:57.010220836 +0200 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 # endif @@ -1008,9 +1010,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa.h.fips openssl-1.0.2h/crypto/dsa/dsa.h # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 -diff -up openssl-1.0.2h/crypto/dsa/dsa_key.c.fips openssl-1.0.2h/crypto/dsa/dsa_key.c ---- openssl-1.0.2h/crypto/dsa/dsa_key.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsa_key.c 2016-05-03 16:57:58.822321016 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips openssl-1.0.2i/crypto/dsa/dsa_key.c +--- openssl-1.0.2i/crypto/dsa/dsa_key.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_key.c 2016-09-22 13:35:57.010220836 +0200 @@ -66,6 +66,34 @@ # ifdef OPENSSL_FIPS @@ -1086,9 +1088,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_key.c.fips openssl-1.0.2h/crypto/dsa/dsa_ ok = 1; err: -diff -up openssl-1.0.2h/crypto/dsa/dsa_lib.c.fips openssl-1.0.2h/crypto/dsa/dsa_lib.c ---- openssl-1.0.2h/crypto/dsa/dsa_lib.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsa_lib.c 2016-05-03 16:57:58.822321016 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsa_lib.c.fips openssl-1.0.2i/crypto/dsa/dsa_lib.c +--- openssl-1.0.2i/crypto/dsa/dsa_lib.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_lib.c 2016-09-22 13:35:57.010220836 +0200 
@@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_ME const DSA_METHOD *DSA_get_default_method(void) { @@ -1104,9 +1106,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_lib.c.fips openssl-1.0.2h/crypto/dsa/dsa_ } return default_DSA_method; } -diff -up openssl-1.0.2h/crypto/dsa/dsa_locl.h.fips openssl-1.0.2h/crypto/dsa/dsa_locl.h ---- openssl-1.0.2h/crypto/dsa/dsa_locl.h.fips 2016-05-03 16:57:58.515313767 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsa_locl.h 2016-05-03 16:57:58.822321016 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsa_locl.h.fips openssl-1.0.2i/crypto/dsa/dsa_locl.h +--- openssl-1.0.2i/crypto/dsa/dsa_locl.h.fips 2016-09-22 13:35:56.790215765 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_locl.h 2016-09-22 13:35:57.010220836 +0200 @@ -56,7 +56,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, @@ -1116,9 +1118,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_locl.h.fips openssl-1.0.2h/crypto/dsa/dsa int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); -diff -up openssl-1.0.2h/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2h/crypto/dsa/dsa_ossl.c ---- openssl-1.0.2h/crypto/dsa/dsa_ossl.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsa_ossl.c 2016-05-03 16:57:58.822321016 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2i/crypto/dsa/dsa_ossl.c +--- openssl-1.0.2i/crypto/dsa/dsa_ossl.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_ossl.c 2016-09-22 13:35:57.010220836 +0200 @@ -65,6 +65,9 @@ #include #include @@ -1158,7 +1160,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2h/crypto/dsa/dsa BN_init(&m); BN_init(&xr); -@@ -330,6 +346,18 @@ static int dsa_do_verify(const unsigned +@@ -335,6 +351,18 @@ static int dsa_do_verify(const unsigned DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); return -1; } 
@@ -1177,7 +1179,7 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2h/crypto/dsa/dsa if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); -@@ -410,6 +438,9 @@ static int dsa_do_verify(const unsigned +@@ -415,6 +443,9 @@ static int dsa_do_verify(const unsigned static int dsa_init(DSA *dsa) { @@ -1187,9 +1189,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2h/crypto/dsa/dsa dsa->flags |= DSA_FLAG_CACHE_MONT_P; return (1); } -diff -up openssl-1.0.2h/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2h/crypto/dsa/dsa_pmeth.c ---- openssl-1.0.2h/crypto/dsa/dsa_pmeth.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsa_pmeth.c 2016-05-03 16:57:58.822321016 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2i/crypto/dsa/dsa_pmeth.c +--- openssl-1.0.2i/crypto/dsa/dsa_pmeth.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_pmeth.c 2016-09-22 13:35:57.010220836 +0200 @@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT if (!dsa) return 0; @@ -1199,9 +1201,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2h/crypto/dsa/ds if (ret) EVP_PKEY_assign_DSA(pkey, dsa); else -diff -up openssl-1.0.2h/crypto/dsa/dsatest.c.fips openssl-1.0.2h/crypto/dsa/dsatest.c ---- openssl-1.0.2h/crypto/dsa/dsatest.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/dsa/dsatest.c 2016-05-03 16:57:58.822321016 +0200 +diff -up openssl-1.0.2i/crypto/dsa/dsatest.c.fips openssl-1.0.2i/crypto/dsa/dsatest.c +--- openssl-1.0.2i/crypto/dsa/dsatest.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsatest.c 2016-09-22 13:35:57.010220836 +0200 @@ -100,36 +100,41 @@ static int MS_CALLBACK dsa_cb(int p, int * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ 
@@ -1285,9 +1287,9 @@ diff -up openssl-1.0.2h/crypto/dsa/dsatest.c.fips openssl-1.0.2h/crypto/dsa/dsat goto end; } if (h != 2) { -diff -up openssl-1.0.2h/crypto/engine/eng_all.c.fips openssl-1.0.2h/crypto/engine/eng_all.c ---- openssl-1.0.2h/crypto/engine/eng_all.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/engine/eng_all.c 2016-05-03 16:57:58.822321016 +0200 +diff -up openssl-1.0.2i/crypto/engine/eng_all.c.fips openssl-1.0.2i/crypto/engine/eng_all.c +--- openssl-1.0.2i/crypto/engine/eng_all.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/engine/eng_all.c 2016-09-22 13:35:57.011220859 +0200 @@ -59,11 +59,25 @@ #include "cryptlib.h" @@ -1314,9 +1316,9 @@ diff -up openssl-1.0.2h/crypto/engine/eng_all.c.fips openssl-1.0.2h/crypto/engin #if 0 /* * There's no longer any need for an "openssl" ENGINE unless, one day, it -diff -up openssl-1.0.2h/crypto/evp/c_allc.c.fips openssl-1.0.2h/crypto/evp/c_allc.c ---- openssl-1.0.2h/crypto/evp/c_allc.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/c_allc.c 2016-05-03 16:57:58.823321039 +0200 +diff -up openssl-1.0.2i/crypto/evp/c_allc.c.fips openssl-1.0.2i/crypto/evp/c_allc.c +--- openssl-1.0.2i/crypto/evp/c_allc.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/c_allc.c 2016-09-22 13:35:57.011220859 +0200 @@ -65,6 +65,10 @@ void OpenSSL_add_all_ciphers(void) { 
@@ -1393,9 +1395,9 @@ diff -up openssl-1.0.2h/crypto/evp/c_allc.c.fips openssl-1.0.2h/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.2h/crypto/evp/c_alld.c.fips openssl-1.0.2h/crypto/evp/c_alld.c ---- openssl-1.0.2h/crypto/evp/c_alld.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/c_alld.c 2016-05-03 16:57:58.823321039 +0200 +diff -up openssl-1.0.2i/crypto/evp/c_alld.c.fips openssl-1.0.2i/crypto/evp/c_alld.c +--- openssl-1.0.2i/crypto/evp/c_alld.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/c_alld.c 2016-09-22 13:35:57.011220859 +0200 @@ -64,51 +64,81 @@ void OpenSSL_add_all_digests(void) @@ -1501,9 +1503,9 @@ diff -up openssl-1.0.2h/crypto/evp/c_alld.c.fips openssl-1.0.2h/crypto/evp/c_all + } #endif } -diff -up openssl-1.0.2h/crypto/evp/digest.c.fips openssl-1.0.2h/crypto/evp/digest.c ---- openssl-1.0.2h/crypto/evp/digest.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/digest.c 2016-05-03 16:59:54.090042781 +0200 +diff -up openssl-1.0.2i/crypto/evp/digest.c.fips openssl-1.0.2i/crypto/evp/digest.c +--- openssl-1.0.2i/crypto/evp/digest.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/digest.c 2016-09-22 13:45:40.054658929 +0200 @@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } @@ -1585,7 +1587,7 @@ diff -up openssl-1.0.2h/crypto/evp/digest.c.fips openssl-1.0.2h/crypto/evp/diges if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_free(ctx->md_data); ctx->md_data = NULL; -@@ -238,25 +285,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c +@@ -238,23 +285,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c } if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) return 1; 
@@ -1604,38 +1606,26 @@ diff -up openssl-1.0.2h/crypto/evp/digest.c.fips openssl-1.0.2h/crypto/evp/diges int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { #ifdef OPENSSL_FIPS -- return FIPS_digestupdate(ctx, data, count); --#else -- return ctx->update(ctx, data, count); +- if (FIPS_mode()) +- return FIPS_digestupdate(ctx, data, count); + FIPS_selftest_check(); #endif -+ return ctx->update(ctx, data, count); + return ctx->update(ctx, data, count); } - - /* The caller can assume that this removes any secret data from the context */ -@@ -271,11 +308,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns - /* The caller can assume that this removes any secret data from the context */ +@@ -272,11 +309,10 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { --#ifdef OPENSSL_FIPS -- return FIPS_digestfinal(ctx, md, size); --#else int ret; - -+#ifdef OPENSSL_FIPS ++ + #ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return FIPS_digestfinal(ctx, md, size); + FIPS_selftest_check(); -+#endif + #endif +- OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) -@@ -286,7 +323,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, - } - memset(ctx->md_data, 0, ctx->digest->ctx_size); - return ret; --#endif - } - - int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) @@ -375,7 +411,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) 
@@ -1662,9 +1652,9 @@ diff -up openssl-1.0.2h/crypto/evp/digest.c.fips openssl-1.0.2h/crypto/evp/diges memset(ctx, '\0', sizeof *ctx); return 1; -diff -up openssl-1.0.2h/crypto/evp/e_aes.c.fips openssl-1.0.2h/crypto/evp/e_aes.c ---- openssl-1.0.2h/crypto/evp/e_aes.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/e_aes.c 2016-05-03 16:57:58.823321039 +0200 +diff -up openssl-1.0.2i/crypto/evp/e_aes.c.fips openssl-1.0.2i/crypto/evp/e_aes.c +--- openssl-1.0.2i/crypto/evp/e_aes.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/e_aes.c 2016-09-22 13:35:57.011220859 +0200 @@ -60,9 +60,6 @@ # include "modes_lcl.h" # include @@ -1702,9 +1692,9 @@ diff -up openssl-1.0.2h/crypto/evp/e_aes.c.fips openssl-1.0.2h/crypto/evp/e_aes. if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, ctx->iv); -diff -up openssl-1.0.2h/crypto/evp/e_des3.c.fips openssl-1.0.2h/crypto/evp/e_des3.c ---- openssl-1.0.2h/crypto/evp/e_des3.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/e_des3.c 2016-05-03 16:57:58.823321039 +0200 +diff -up openssl-1.0.2i/crypto/evp/e_des3.c.fips openssl-1.0.2i/crypto/evp/e_des3.c +--- openssl-1.0.2i/crypto/evp/e_des3.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/e_des3.c 2016-09-22 13:35:57.012220882 +0200 @@ -65,10 +65,6 @@ # include # include 
@@ -1716,9 +1706,9 @@ diff -up openssl-1.0.2h/crypto/evp/e_des3.c.fips openssl-1.0.2h/crypto/evp/e_des typedef struct { union { double align; -diff -up openssl-1.0.2h/crypto/evp/e_null.c.fips openssl-1.0.2h/crypto/evp/e_null.c ---- openssl-1.0.2h/crypto/evp/e_null.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/e_null.c 2016-05-03 16:57:58.824321063 +0200 +diff -up openssl-1.0.2i/crypto/evp/e_null.c.fips openssl-1.0.2i/crypto/evp/e_null.c +--- openssl-1.0.2i/crypto/evp/e_null.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/e_null.c 2016-09-22 13:35:57.012220882 +0200 @@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *c static const EVP_CIPHER n_cipher = { NID_undef, @@ -1728,9 +1718,9 @@ diff -up openssl-1.0.2h/crypto/evp/e_null.c.fips openssl-1.0.2h/crypto/evp/e_nul null_init_key, null_cipher, NULL, -diff -up openssl-1.0.2h/crypto/evp/evp_enc.c.fips openssl-1.0.2h/crypto/evp/evp_enc.c ---- openssl-1.0.2h/crypto/evp/evp_enc.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/evp_enc.c 2016-05-03 16:57:58.824321063 +0200 +diff -up openssl-1.0.2i/crypto/evp/evp_enc.c.fips openssl-1.0.2i/crypto/evp/evp_enc.c +--- openssl-1.0.2i/crypto/evp/evp_enc.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/evp_enc.c 2016-09-22 13:46:12.998418222 +0200 @@ -69,16 +69,73 @@ #endif #include "evp_locl.h" @@ -1830,7 +1820,7 @@ diff -up openssl-1.0.2h/crypto/evp/evp_enc.c.fips openssl-1.0.2h/crypto/evp/evp_ -#ifdef OPENSSL_FIPS - if (FIPS_mode()) { -- const EVP_CIPHER *fcipher; +- const EVP_CIPHER *fcipher = NULL; - if (cipher) - fcipher = evp_get_fips_cipher(cipher); - if (fcipher) 
@@ -1898,9 +1888,9 @@ diff -up openssl-1.0.2h/crypto/evp/evp_enc.c.fips openssl-1.0.2h/crypto/evp/evp_ memset(c, 0, sizeof(EVP_CIPHER_CTX)); return 1; } -diff -up openssl-1.0.2h/crypto/evp/evp.h.fips openssl-1.0.2h/crypto/evp/evp.h ---- openssl-1.0.2h/crypto/evp/evp.h.fips 2016-05-03 16:57:58.690317899 +0200 -+++ openssl-1.0.2h/crypto/evp/evp.h 2016-05-03 16:57:58.824321063 +0200 +diff -up openssl-1.0.2i/crypto/evp/evp.h.fips openssl-1.0.2i/crypto/evp/evp.h +--- openssl-1.0.2i/crypto/evp/evp.h.fips 2016-09-22 13:35:56.902218346 +0200 ++++ openssl-1.0.2i/crypto/evp/evp.h 2016-09-22 13:35:57.012220882 +0200 @@ -122,6 +122,10 @@ extern "C" { #endif @@ -1954,9 +1944,9 @@ diff -up openssl-1.0.2h/crypto/evp/evp.h.fips openssl-1.0.2h/crypto/evp/evp.h /* * Cipher handles any and all padding logic as well as finalisation. */ -diff -up openssl-1.0.2h/crypto/evp/evp_lib.c.fips openssl-1.0.2h/crypto/evp/evp_lib.c ---- openssl-1.0.2h/crypto/evp/evp_lib.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/evp_lib.c 2016-05-03 16:57:58.824321063 +0200 +diff -up openssl-1.0.2i/crypto/evp/evp_lib.c.fips openssl-1.0.2i/crypto/evp/evp_lib.c +--- openssl-1.0.2i/crypto/evp/evp_lib.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/evp_lib.c 2016-09-22 13:35:57.012220882 +0200 @@ -60,10 +60,6 @@ #include "cryptlib.h" #include @@ -2042,9 +2032,9 @@ diff -up openssl-1.0.2h/crypto/evp/evp_lib.c.fips openssl-1.0.2h/crypto/evp/evp_ return md->flags; } -diff -up openssl-1.0.2h/crypto/evp/evp_locl.h.fips openssl-1.0.2h/crypto/evp/evp_locl.h ---- openssl-1.0.2h/crypto/evp/evp_locl.h.fips 2016-05-03 16:57:58.684317757 +0200 -+++ openssl-1.0.2h/crypto/evp/evp_locl.h 2016-05-03 16:57:58.824321063 +0200 +diff -up openssl-1.0.2i/crypto/evp/evp_locl.h.fips openssl-1.0.2i/crypto/evp/evp_locl.h +--- openssl-1.0.2i/crypto/evp/evp_locl.h.fips 2016-09-22 13:35:56.898218254 +0200 ++++ openssl-1.0.2i/crypto/evp/evp_locl.h 2016-09-22 13:35:57.013220905 +0200 
@@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ @@ -2078,9 +2068,9 @@ diff -up openssl-1.0.2h/crypto/evp/evp_locl.h.fips openssl-1.0.2h/crypto/evp/evp # define Camellia_set_key private_Camellia_set_key #endif -diff -up openssl-1.0.2h/crypto/evp/m_dss.c.fips openssl-1.0.2h/crypto/evp/m_dss.c ---- openssl-1.0.2h/crypto/evp/m_dss.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/m_dss.c 2016-05-03 16:57:58.825321086 +0200 +diff -up openssl-1.0.2i/crypto/evp/m_dss.c.fips openssl-1.0.2i/crypto/evp/m_dss.c +--- openssl-1.0.2i/crypto/evp/m_dss.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/m_dss.c 2016-09-22 13:35:57.013220905 +0200 @@ -86,7 +86,7 @@ static const EVP_MD dsa_md = { NID_dsaWithSHA, NID_dsaWithSHA, @@ -2090,9 +2080,9 @@ diff -up openssl-1.0.2h/crypto/evp/m_dss.c.fips openssl-1.0.2h/crypto/evp/m_dss. init, update, final, -diff -up openssl-1.0.2h/crypto/evp/m_dss1.c.fips openssl-1.0.2h/crypto/evp/m_dss1.c ---- openssl-1.0.2h/crypto/evp/m_dss1.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/m_dss1.c 2016-05-03 16:57:58.825321086 +0200 +diff -up openssl-1.0.2i/crypto/evp/m_dss1.c.fips openssl-1.0.2i/crypto/evp/m_dss1.c +--- openssl-1.0.2i/crypto/evp/m_dss1.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/m_dss1.c 2016-09-22 13:35:57.013220905 +0200 @@ -87,7 +87,7 @@ static const EVP_MD dss1_md = { NID_dsa, NID_dsaWithSHA1, 
@@ -2102,9 +2092,9 @@ diff -up openssl-1.0.2h/crypto/evp/m_dss1.c.fips openssl-1.0.2h/crypto/evp/m_dss init, update, final, -diff -up openssl-1.0.2h/crypto/evp/m_md2.c.fips openssl-1.0.2h/crypto/evp/m_md2.c ---- openssl-1.0.2h/crypto/evp/m_md2.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/m_md2.c 2016-05-03 16:57:58.825321086 +0200 +diff -up openssl-1.0.2i/crypto/evp/m_md2.c.fips openssl-1.0.2i/crypto/evp/m_md2.c +--- openssl-1.0.2i/crypto/evp/m_md2.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/m_md2.c 2016-09-22 13:35:57.013220905 +0200 @@ -68,6 +68,7 @@ # ifndef OPENSSL_NO_RSA # include @@ -2113,9 +2103,9 @@ diff -up openssl-1.0.2h/crypto/evp/m_md2.c.fips openssl-1.0.2h/crypto/evp/m_md2. static int init(EVP_MD_CTX *ctx) { -diff -up openssl-1.0.2h/crypto/evp/m_sha1.c.fips openssl-1.0.2h/crypto/evp/m_sha1.c ---- openssl-1.0.2h/crypto/evp/m_sha1.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/m_sha1.c 2016-05-03 16:57:58.825321086 +0200 +diff -up openssl-1.0.2i/crypto/evp/m_sha1.c.fips openssl-1.0.2i/crypto/evp/m_sha1.c +--- openssl-1.0.2i/crypto/evp/m_sha1.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/m_sha1.c 2016-09-22 13:35:57.013220905 +0200 @@ -87,7 +87,8 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -2166,9 +2156,9 @@ diff -up openssl-1.0.2h/crypto/evp/m_sha1.c.fips openssl-1.0.2h/crypto/evp/m_sha init512, update512, final512, -diff -up openssl-1.0.2h/crypto/evp/p_sign.c.fips openssl-1.0.2h/crypto/evp/p_sign.c ---- openssl-1.0.2h/crypto/evp/p_sign.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/p_sign.c 2016-05-03 16:57:58.825321086 +0200 +diff -up openssl-1.0.2i/crypto/evp/p_sign.c.fips openssl-1.0.2i/crypto/evp/p_sign.c +--- openssl-1.0.2i/crypto/evp/p_sign.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/p_sign.c 2016-09-22 13:35:57.013220905 +0200 
@@ -61,6 +61,7 @@ #include #include @@ -2200,9 +2190,9 @@ diff -up openssl-1.0.2h/crypto/evp/p_sign.c.fips openssl-1.0.2h/crypto/evp/p_sig if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.2h/crypto/evp/p_verify.c.fips openssl-1.0.2h/crypto/evp/p_verify.c ---- openssl-1.0.2h/crypto/evp/p_verify.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/evp/p_verify.c 2016-05-03 16:57:58.825321086 +0200 +diff -up openssl-1.0.2i/crypto/evp/p_verify.c.fips openssl-1.0.2i/crypto/evp/p_verify.c +--- openssl-1.0.2i/crypto/evp/p_verify.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/evp/p_verify.c 2016-09-22 13:35:57.013220905 +0200 @@ -61,6 +61,7 @@ #include #include @@ -2234,9 +2224,9 @@ diff -up openssl-1.0.2h/crypto/evp/p_verify.c.fips openssl-1.0.2h/crypto/evp/p_v i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up openssl-1.0.2h/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_aes_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_aes_selftest.c.fips 2016-05-03 16:57:58.825321086 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_aes_selftest.c 2016-05-03 16:57:58.825321086 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_aes_selftest.c.fips 2016-09-22 13:35:57.013220905 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_aes_selftest.c 2016-09-22 13:35:57.013220905 +0200 @@ -0,0 +1,365 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -2603,9 +2593,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2h/cryp +} + +#endif -diff -up openssl-1.0.2h/crypto/fips/fips.c.fips openssl-1.0.2h/crypto/fips/fips.c ---- openssl-1.0.2h/crypto/fips/fips.c.fips 2016-05-03 16:57:58.826321110 +0200 -+++ openssl-1.0.2h/crypto/fips/fips.c 2016-05-03 16:57:58.826321110 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips.c.fips openssl-1.0.2i/crypto/fips/fips.c +--- openssl-1.0.2i/crypto/fips/fips.c.fips 2016-09-22 13:35:57.014220928 +0200 ++++ openssl-1.0.2i/crypto/fips/fips.c 2016-09-22 13:35:57.014220928 +0200 @@ -0,0 +1,483 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -3090,9 +3080,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips.c.fips openssl-1.0.2h/crypto/fips/fips. +# endif + +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c.fips 2016-05-03 16:57:58.826321110 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c 2016-05-03 16:57:58.826321110 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_cmac_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_cmac_selftest.c.fips 2016-09-22 13:35:57.014220928 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_cmac_selftest.c 2016-09-22 13:35:57.014220928 +0200 @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -3250,9 +3240,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2h/cry + return rv; +} +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_des_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_des_selftest.c.fips 2016-05-03 16:57:58.826321110 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_des_selftest.c 2016-05-03 16:57:58.826321110 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_des_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_des_selftest.c.fips 2016-09-22 13:35:57.014220928 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_des_selftest.c 2016-09-22 13:35:57.014220928 +0200 @@ -0,0 +1,138 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -3392,9 +3382,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2h/cryp + return ret; +} +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c ---- openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c.fips 2016-05-03 16:57:58.826321110 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c 2016-05-03 16:57:58.826321110 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_ctr.c +--- openssl-1.0.2i/crypto/fips/fips_drbg_ctr.c.fips 2016-09-22 13:35:57.014220928 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_drbg_ctr.c 2016-09-22 13:35:57.014220928 +0200 @@ -0,0 +1,415 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -3811,9 +3801,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2h/crypto/f + + return 1; +} -diff -up openssl-1.0.2h/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_hash.c ---- openssl-1.0.2h/crypto/fips/fips_drbg_hash.c.fips 2016-05-03 16:57:58.826321110 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_drbg_hash.c 2016-05-03 16:57:58.826321110 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_hash.c +--- openssl-1.0.2i/crypto/fips/fips_drbg_hash.c.fips 2016-09-22 13:35:57.014220928 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_drbg_hash.c 2016-09-22 13:35:57.014220928 +0200 @@ -0,0 +1,358 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4173,9 +4163,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2h/crypto/ + + return 1; +} -diff -up openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c ---- openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c.fips 2016-05-03 16:57:58.827321134 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c 2016-05-03 16:57:58.827321134 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_hmac.c +--- openssl-1.0.2i/crypto/fips/fips_drbg_hmac.c.fips 2016-09-22 13:35:57.015220951 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_drbg_hmac.c 2016-09-22 13:35:57.015220951 +0200 @@ -0,0 +1,270 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -4447,9 +4437,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2h/crypto/ + + return 1; +} -diff -up openssl-1.0.2h/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_lib.c ---- openssl-1.0.2h/crypto/fips/fips_drbg_lib.c.fips 2016-05-03 16:57:58.827321134 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_drbg_lib.c 2016-05-03 16:57:58.827321134 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_lib.c +--- openssl-1.0.2i/crypto/fips/fips_drbg_lib.c.fips 2016-09-22 13:35:57.015220951 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_drbg_lib.c 2016-09-22 13:35:57.015220951 +0200 @@ -0,0 +1,553 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -5004,9 +4994,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2h/crypto/f + memcpy(dctx->lb, out, dctx->blocklength); + return 1; +} -diff -up openssl-1.0.2h/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.2h/crypto/fips/fips_drbg_rand.c.fips 2016-05-03 16:57:58.827321134 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_drbg_rand.c 2016-05-03 16:57:58.827321134 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.2i/crypto/fips/fips_drbg_rand.c.fips 2016-09-22 13:35:57.015220951 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_drbg_rand.c 2016-09-22 13:35:57.015220951 +0200 @@ -0,0 +1,166 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -5174,9 +5164,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2h/crypto/ +{ + return &rand_drbg_meth; +} -diff -up openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c.fips 2016-05-03 16:57:58.827321134 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c 2016-05-03 16:57:58.827321134 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_drbg_selftest.c.fips 2016-09-22 13:35:57.015220951 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_drbg_selftest.c 2016-09-22 13:35:57.015220951 +0200 @@ -0,0 +1,827 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -6005,9 +5995,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2h/cry + FIPS_drbg_free(dctx); + return rv; +} -diff -up openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h ---- openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h.fips 2016-05-03 16:57:58.828321157 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h 2016-05-03 16:57:58.828321157 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2i/crypto/fips/fips_drbg_selftest.h +--- openssl-1.0.2i/crypto/fips/fips_drbg_selftest.h.fips 2016-09-22 13:35:57.016220974 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_drbg_selftest.h 2016-09-22 13:35:57.016220974 +0200 @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -7800,9 +7790,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2h/cry + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -diff -up openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c.fips 2016-05-03 16:57:58.828321157 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c 2016-05-03 16:57:58.828321157 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_dsa_selftest.c.fips 2016-09-22 13:35:57.016220974 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_dsa_selftest.c 2016-09-22 13:35:57.016220974 +0200 @@ -0,0 +1,192 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7996,9 +7986,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2h/cryp + return ret; +} +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_enc.c.fips openssl-1.0.2h/crypto/fips/fips_enc.c ---- openssl-1.0.2h/crypto/fips/fips_enc.c.fips 2016-05-03 16:57:58.829321181 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_enc.c 2016-05-03 16:57:58.829321181 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_enc.c.fips openssl-1.0.2i/crypto/fips/fips_enc.c +--- openssl-1.0.2i/crypto/fips/fips_enc.c.fips 2016-09-22 13:35:57.017220997 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_enc.c 2016-09-22 13:35:57.017220997 +0200 @@ -0,0 +1,189 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 
@@ -8189,9 +8179,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_enc.c.fips openssl-1.0.2h/crypto/fips/f + + } +} -diff -up openssl-1.0.2h/crypto/fips/fips.h.fips openssl-1.0.2h/crypto/fips/fips.h ---- openssl-1.0.2h/crypto/fips/fips.h.fips 2016-05-03 16:57:58.829321181 +0200 -+++ openssl-1.0.2h/crypto/fips/fips.h 2016-05-03 16:57:58.829321181 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips.h.fips openssl-1.0.2i/crypto/fips/fips.h +--- openssl-1.0.2i/crypto/fips/fips.h.fips 2016-09-22 13:35:57.017220997 +0200 ++++ openssl-1.0.2i/crypto/fips/fips.h 2016-09-22 13:35:57.017220997 +0200 @@ -0,0 +1,278 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -8471,9 +8461,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips.h.fips openssl-1.0.2h/crypto/fips/fips. +} +# endif +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c.fips 2016-05-03 16:57:58.829321181 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c 2016-05-03 16:57:58.829321181 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_hmac_selftest.c.fips 2016-09-22 13:35:57.017220997 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_hmac_selftest.c 2016-09-22 13:35:57.017220997 +0200 @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 
@@ -8609,9 +8599,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2h/cry + return 1; +} +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_locl.h.fips openssl-1.0.2h/crypto/fips/fips_locl.h ---- openssl-1.0.2h/crypto/fips/fips_locl.h.fips 2016-05-03 16:57:58.829321181 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_locl.h 2016-05-03 16:57:58.829321181 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_locl.h.fips openssl-1.0.2i/crypto/fips/fips_locl.h +--- openssl-1.0.2i/crypto/fips/fips_locl.h.fips 2016-09-22 13:35:57.017220997 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_locl.h 2016-09-22 13:35:57.017220997 +0200 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8684,9 +8674,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_locl.h.fips openssl-1.0.2h/crypto/fips/ +} +# endif +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_md.c.fips openssl-1.0.2h/crypto/fips/fips_md.c ---- openssl-1.0.2h/crypto/fips/fips_md.c.fips 2016-05-03 16:57:58.829321181 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_md.c 2016-05-03 16:57:58.829321181 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_md.c.fips openssl-1.0.2i/crypto/fips/fips_md.c +--- openssl-1.0.2i/crypto/fips/fips_md.c.fips 2016-09-22 13:35:57.017220997 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_md.c 2016-09-22 13:35:57.017220997 +0200 @@ -0,0 +1,144 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 
@@ -8832,9 +8822,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_md.c.fips openssl-1.0.2h/crypto/fips/fi + return NULL; + } +} -diff -up openssl-1.0.2h/crypto/fips/fips_post.c.fips openssl-1.0.2h/crypto/fips/fips_post.c ---- openssl-1.0.2h/crypto/fips/fips_post.c.fips 2016-05-03 16:57:58.829321181 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_post.c 2016-05-03 16:57:58.829321181 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips openssl-1.0.2i/crypto/fips/fips_post.c +--- openssl-1.0.2i/crypto/fips/fips_post.c.fips 2016-09-22 13:35:57.017220997 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_post.c 2016-09-22 13:35:57.017220997 +0200 @@ -0,0 +1,201 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9037,9 +9027,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_post.c.fips openssl-1.0.2h/crypto/fips/ + return 1; +} +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_rand.c.fips openssl-1.0.2h/crypto/fips/fips_rand.c ---- openssl-1.0.2h/crypto/fips/fips_rand.c.fips 2016-05-03 16:57:58.830321204 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_rand.c 2016-05-03 16:57:58.830321204 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_rand.c.fips openssl-1.0.2i/crypto/fips/fips_rand.c +--- openssl-1.0.2i/crypto/fips/fips_rand.c.fips 2016-09-22 13:35:57.018221020 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_rand.c 2016-09-22 13:35:57.018221020 +0200 @@ -0,0 +1,428 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. 
@@ -9469,9 +9459,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_rand.c.fips openssl-1.0.2h/crypto/fips/ +} + +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_rand.h.fips openssl-1.0.2h/crypto/fips/fips_rand.h ---- openssl-1.0.2h/crypto/fips/fips_rand.h.fips 2016-05-03 16:57:58.830321204 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_rand.h 2016-05-03 16:57:58.830321204 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_rand.h.fips openssl-1.0.2i/crypto/fips/fips_rand.h +--- openssl-1.0.2i/crypto/fips/fips_rand.h.fips 2016-09-22 13:35:57.018221020 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_rand.h 2016-09-22 13:35:57.018221020 +0200 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9636,9 +9626,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_rand.h.fips openssl-1.0.2h/crypto/fips/ +# endif +# endif +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2h/crypto/fips/fips_rand_lcl.h ---- openssl-1.0.2h/crypto/fips/fips_rand_lcl.h.fips 2016-05-03 16:57:58.830321204 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_rand_lcl.h 2016-05-03 16:57:58.830321204 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2i/crypto/fips/fips_rand_lcl.h +--- openssl-1.0.2i/crypto/fips/fips_rand_lcl.h.fips 2016-09-22 13:35:57.018221020 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_rand_lcl.h 2016-09-22 13:35:57.018221020 +0200 @@ -0,0 +1,213 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -9853,9 +9843,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2h/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.0.2h/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2h/crypto/fips/fips_rand_lib.c ---- openssl-1.0.2h/crypto/fips/fips_rand_lib.c.fips 2016-05-03 16:57:58.830321204 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_rand_lib.c 2016-05-03 16:57:58.830321204 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2i/crypto/fips/fips_rand_lib.c +--- openssl-1.0.2i/crypto/fips/fips_rand_lib.c.fips 2016-09-22 13:35:57.018221020 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_rand_lib.c 2016-09-22 13:35:57.018221020 +0200 @@ -0,0 +1,181 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -10038,9 +10028,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2h/crypto/f + } + return 0; +} -diff -up openssl-1.0.2h/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_rand_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_rand_selftest.c.fips 2016-05-03 16:57:58.830321204 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_rand_selftest.c 2016-05-03 16:57:58.830321204 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_rand_selftest.c.fips 2016-09-22 13:35:57.018221020 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_rand_selftest.c 2016-09-22 13:35:57.018221020 +0200 @@ -0,0 +1,176 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -10218,9 +10208,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2h/cry +} + +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_randtest.c.fips openssl-1.0.2h/crypto/fips/fips_randtest.c ---- openssl-1.0.2h/crypto/fips/fips_randtest.c.fips 2016-05-03 16:57:58.831321228 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_randtest.c 2016-05-03 16:57:58.831321228 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_randtest.c.fips openssl-1.0.2i/crypto/fips/fips_randtest.c +--- openssl-1.0.2i/crypto/fips/fips_randtest.c.fips 2016-09-22 13:35:57.018221020 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_randtest.c 2016-09-22 13:35:57.018221020 +0200 @@ -0,0 +1,247 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -10469,9 +10459,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_randtest.c.fips openssl-1.0.2h/crypto/f +} + +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c.fips 2016-05-03 16:57:58.831321228 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c 2016-05-03 16:57:58.831321228 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips 2016-09-22 13:35:57.019221043 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c 2016-09-22 13:35:57.019221043 +0200 @@ -0,0 +1,444 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. 
@@ -10917,9 +10907,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2h/cryp +} + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c ---- openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c.fips 2016-05-03 16:57:58.831321228 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c 2016-05-03 16:57:58.831321228 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2i/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.2i/crypto/fips/fips_rsa_x931g.c.fips 2016-09-22 13:35:57.019221043 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_rsa_x931g.c 2016-09-22 13:35:57.019221043 +0200 @@ -0,0 +1,273 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -11194,9 +11184,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2h/crypto/ + return 0; + +} -diff -up openssl-1.0.2h/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2h/crypto/fips/fips_sha_selftest.c ---- openssl-1.0.2h/crypto/fips/fips_sha_selftest.c.fips 2016-05-03 16:57:58.831321228 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_sha_selftest.c 2016-05-03 16:57:58.831321228 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_sha_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_sha_selftest.c.fips 2016-09-22 13:35:57.019221043 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_sha_selftest.c 2016-09-22 13:35:57.019221043 +0200 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -11343,9 +11333,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2h/cryp +} + +#endif -diff -up openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c ---- openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c.fips 2016-05-03 16:57:58.831321228 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c 2016-05-03 16:57:58.831321228 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2i/crypto/fips/fips_standalone_hmac.c +--- openssl-1.0.2i/crypto/fips/fips_standalone_hmac.c.fips 2016-09-22 13:35:57.019221043 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_standalone_hmac.c 2016-09-22 13:35:57.019221043 +0200 @@ -0,0 +1,268 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11615,9 +11605,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2h/c +#endif + return 0; +} -diff -up openssl-1.0.2h/crypto/fips/fips_test_suite.c.fips openssl-1.0.2h/crypto/fips/fips_test_suite.c ---- openssl-1.0.2h/crypto/fips/fips_test_suite.c.fips 2016-05-03 16:57:58.832321252 +0200 -+++ openssl-1.0.2h/crypto/fips/fips_test_suite.c 2016-05-03 16:57:58.832321252 +0200 +diff -up openssl-1.0.2i/crypto/fips/fips_test_suite.c.fips openssl-1.0.2i/crypto/fips/fips_test_suite.c +--- openssl-1.0.2i/crypto/fips/fips_test_suite.c.fips 2016-09-22 13:35:57.020221066 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_test_suite.c 2016-09-22 13:35:57.019221043 +0200 @@ -0,0 +1,639 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -12258,9 +12248,9 @@ diff -up openssl-1.0.2h/crypto/fips/fips_test_suite.c.fips openssl-1.0.2h/crypto +} + +#endif -diff -up openssl-1.0.2h/crypto/fips/Makefile.fips openssl-1.0.2h/crypto/fips/Makefile ---- openssl-1.0.2h/crypto/fips/Makefile.fips 2016-05-03 16:57:58.832321252 +0200 -+++ openssl-1.0.2h/crypto/fips/Makefile 2016-05-03 16:57:58.832321252 +0200 +diff -up openssl-1.0.2i/crypto/fips/Makefile.fips openssl-1.0.2i/crypto/fips/Makefile +--- openssl-1.0.2i/crypto/fips/Makefile.fips 2016-09-22 13:35:57.020221066 +0200 ++++ openssl-1.0.2i/crypto/fips/Makefile 2016-09-22 13:35:57.020221066 +0200 @@ -0,0 +1,341 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -12603,9 +12593,9 @@ diff -up openssl-1.0.2h/crypto/fips/Makefile.fips openssl-1.0.2h/crypto/fips/Mak +fips_sha_selftest.o: ../../include/openssl/safestack.h +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c -diff -up openssl-1.0.2h/crypto/hmac/hmac.c.fips openssl-1.0.2h/crypto/hmac/hmac.c ---- openssl-1.0.2h/crypto/hmac/hmac.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/hmac/hmac.c 2016-05-03 16:57:58.832321252 +0200 +diff -up openssl-1.0.2i/crypto/hmac/hmac.c.fips openssl-1.0.2i/crypto/hmac/hmac.c +--- openssl-1.0.2i/crypto/hmac/hmac.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/hmac/hmac.c 2016-09-22 13:35:57.020221066 +0200 @@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; 
@@ -12668,9 +12658,9 @@ diff -up openssl-1.0.2h/crypto/hmac/hmac.c.fips openssl-1.0.2h/crypto/hmac/hmac. EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); -diff -up openssl-1.0.2h/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2h/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.2h/crypto/mdc2/mdc2dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/mdc2/mdc2dgst.c 2016-05-03 16:57:58.832321252 +0200 +diff -up openssl-1.0.2i/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2i/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.2i/crypto/mdc2/mdc2dgst.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/mdc2/mdc2dgst.c 2016-09-22 13:35:57.020221066 +0200 @@ -76,7 +76,7 @@ *((c)++)=(unsigned char)(((l)>>24L)&0xff)) @@ -12680,9 +12670,9 @@ diff -up openssl-1.0.2h/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2h/crypto/mdc2/m { c->num = 0; c->pad_type = 1; -diff -up openssl-1.0.2h/crypto/md2/md2_dgst.c.fips openssl-1.0.2h/crypto/md2/md2_dgst.c ---- openssl-1.0.2h/crypto/md2/md2_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/md2/md2_dgst.c 2016-05-03 16:57:58.832321252 +0200 +diff -up openssl-1.0.2i/crypto/md2/md2_dgst.c.fips openssl-1.0.2i/crypto/md2/md2_dgst.c +--- openssl-1.0.2i/crypto/md2/md2_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/md2/md2_dgst.c 2016-09-22 13:35:57.020221066 +0200 @@ -62,6 +62,11 @@ #include #include 
@@ -12704,9 +12694,9 @@ diff -up openssl-1.0.2h/crypto/md2/md2_dgst.c.fips openssl-1.0.2h/crypto/md2/md2 { c->num = 0; memset(c->state, 0, sizeof c->state); -diff -up openssl-1.0.2h/crypto/md4/md4_dgst.c.fips openssl-1.0.2h/crypto/md4/md4_dgst.c ---- openssl-1.0.2h/crypto/md4/md4_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/md4/md4_dgst.c 2016-05-03 16:57:58.832321252 +0200 +diff -up openssl-1.0.2i/crypto/md4/md4_dgst.c.fips openssl-1.0.2i/crypto/md4/md4_dgst.c +--- openssl-1.0.2i/crypto/md4/md4_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/md4/md4_dgst.c 2016-09-22 13:35:57.020221066 +0200 @@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -12716,9 +12706,9 @@ diff -up openssl-1.0.2h/crypto/md4/md4_dgst.c.fips openssl-1.0.2h/crypto/md4/md4 { memset(c, 0, sizeof(*c)); c->A = INIT_DATA_A; -diff -up openssl-1.0.2h/crypto/md5/md5_dgst.c.fips openssl-1.0.2h/crypto/md5/md5_dgst.c ---- openssl-1.0.2h/crypto/md5/md5_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/md5/md5_dgst.c 2016-05-03 16:57:58.833321275 +0200 +diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.fips openssl-1.0.2i/crypto/md5/md5_dgst.c +--- openssl-1.0.2i/crypto/md5/md5_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:35:57.020221066 +0200 @@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L 
@@ -12728,9 +12718,9 @@ diff -up openssl-1.0.2h/crypto/md5/md5_dgst.c.fips openssl-1.0.2h/crypto/md5/md5 { memset(c, 0, sizeof(*c)); c->A = INIT_DATA_A; -diff -up openssl-1.0.2h/crypto/o_fips.c.fips openssl-1.0.2h/crypto/o_fips.c ---- openssl-1.0.2h/crypto/o_fips.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/o_fips.c 2016-05-03 16:57:58.833321275 +0200 +diff -up openssl-1.0.2i/crypto/o_fips.c.fips openssl-1.0.2i/crypto/o_fips.c +--- openssl-1.0.2i/crypto/o_fips.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/o_fips.c 2016-09-22 13:35:57.020221066 +0200 @@ -80,6 +80,8 @@ int FIPS_mode_set(int r) # ifndef FIPS_AUTH_USER_PASS # define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" @@ -12740,9 +12730,9 @@ diff -up openssl-1.0.2h/crypto/o_fips.c.fips openssl-1.0.2h/crypto/o_fips.c if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) -diff -up openssl-1.0.2h/crypto/o_init.c.fips openssl-1.0.2h/crypto/o_init.c ---- openssl-1.0.2h/crypto/o_init.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/o_init.c 2016-05-03 16:57:58.833321275 +0200 +diff -up openssl-1.0.2i/crypto/o_init.c.fips openssl-1.0.2i/crypto/o_init.c +--- openssl-1.0.2i/crypto/o_init.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:38:19.150496906 +0200 @@ -56,8 +56,37 @@ #include #include @@ -12781,7 +12771,7 @@ diff -up openssl-1.0.2h/crypto/o_init.c.fips openssl-1.0.2h/crypto/o_init.c #endif /* -@@ -65,19 +94,26 @@ +@@ -65,22 +94,26 @@ * sets FIPS callbacks */ @@ -12794,6 +12784,9 @@ diff -up openssl-1.0.2h/crypto/o_init.c.fips openssl-1.0.2h/crypto/o_init.c done = 1; #ifdef OPENSSL_FIPS - FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock); +-# ifndef OPENSSL_NO_DEPRECATED +- FIPS_crypto_set_id_callback(CRYPTO_thread_id); +-# endif - FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata); - FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); RAND_init_fips(); 
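Review bot: The rebased o_init.c hunk (`@@ -65,22 +94,26 @@`) now also deletes the `FIPS_crypto_set_id_callback(CRYPTO_thread_id);` registration that 1.0.2i carries under `# ifndef OPENSSL_NO_DEPRECATED`, and nothing in the patch says why that is safe. The locking, error and malloc callbacks are dropped next to it, presumably because the FIPS code here is built inside libcrypto and calls the `CRYPTO_*` functions directly. It is worth confirming that nothing under crypto/fips still expects a registered thread-id callback. A one-line comment above `RAND_init_fips();` would record the reason, for example `/* FIPS code is part of libcrypto in this build: no locking/id/error/malloc callbacks to register */`. The enclosing function starts and ends outside the hunk.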
@@ -12812,9 +12805,9 @@ diff -up openssl-1.0.2h/crypto/o_init.c.fips openssl-1.0.2h/crypto/o_init.c +{ + OPENSSL_init_library(); +} -diff -up openssl-1.0.2h/crypto/opensslconf.h.in.fips openssl-1.0.2h/crypto/opensslconf.h.in ---- openssl-1.0.2h/crypto/opensslconf.h.in.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/opensslconf.h.in 2016-05-03 16:57:58.833321275 +0200 +diff -up openssl-1.0.2i/crypto/opensslconf.h.in.fips openssl-1.0.2i/crypto/opensslconf.h.in +--- openssl-1.0.2i/crypto/opensslconf.h.in.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/opensslconf.h.in 2016-09-22 13:35:57.021221089 +0200 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -12836,9 +12829,9 @@ diff -up openssl-1.0.2h/crypto/opensslconf.h.in.fips openssl-1.0.2h/crypto/opens /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.2h/crypto/rand/md_rand.c.fips openssl-1.0.2h/crypto/rand/md_rand.c ---- openssl-1.0.2h/crypto/rand/md_rand.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/rand/md_rand.c 2016-05-03 16:57:58.833321275 +0200 +diff -up openssl-1.0.2i/crypto/rand/md_rand.c.fips openssl-1.0.2i/crypto/rand/md_rand.c +--- openssl-1.0.2i/crypto/rand/md_rand.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rand/md_rand.c 2016-09-22 13:35:57.021221089 +0200 @@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; 
@@ -12851,9 +12844,9 @@ diff -up openssl-1.0.2h/crypto/rand/md_rand.c.fips openssl-1.0.2h/crypto/rand/md RAND_poll(); initialized = 1; } -diff -up openssl-1.0.2h/crypto/rand/rand.h.fips openssl-1.0.2h/crypto/rand/rand.h ---- openssl-1.0.2h/crypto/rand/rand.h.fips 2016-05-03 16:57:58.501313436 +0200 -+++ openssl-1.0.2h/crypto/rand/rand.h 2016-05-03 16:57:58.833321275 +0200 +diff -up openssl-1.0.2i/crypto/rand/rand.h.fips openssl-1.0.2i/crypto/rand/rand.h +--- openssl-1.0.2i/crypto/rand/rand.h.fips 2016-09-22 13:35:56.777215465 +0200 ++++ openssl-1.0.2i/crypto/rand/rand.h 2016-09-22 13:35:57.021221089 +0200 @@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -12894,9 +12887,9 @@ diff -up openssl-1.0.2h/crypto/rand/rand.h.fips openssl-1.0.2h/crypto/rand/rand. #ifdef __cplusplus } -diff -up openssl-1.0.2h/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2h/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.2h/crypto/ripemd/rmd_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/ripemd/rmd_dgst.c 2016-05-03 16:57:58.833321275 +0200 +diff -up openssl-1.0.2i/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2i/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.2i/crypto/ripemd/rmd_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/ripemd/rmd_dgst.c 2016-09-22 13:35:57.021221089 +0200 @@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX * void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num); #endif 
@@ -12906,9 +12899,9 @@ diff -up openssl-1.0.2h/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2h/crypto/ripe { memset(c, 0, sizeof(*c)); c->A = RIPEMD160_A; -diff -up openssl-1.0.2h/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2h/crypto/rsa/rsa_crpt.c ---- openssl-1.0.2h/crypto/rsa/rsa_crpt.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/rsa/rsa_crpt.c 2016-05-03 16:57:58.834321299 +0200 +diff -up openssl-1.0.2i/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2i/crypto/rsa/rsa_crpt.c +--- openssl-1.0.2i/crypto/rsa/rsa_crpt.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa_crpt.c 2016-09-22 13:35:57.021221089 +0200 @@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const unsigned char *to, RSA *rsa, int padding) { @@ -12935,9 +12928,9 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2h/crypto/rsa/rsa return -1; } #endif -diff -up openssl-1.0.2h/crypto/rsa/rsa_eay.c.fips openssl-1.0.2h/crypto/rsa/rsa_eay.c ---- openssl-1.0.2h/crypto/rsa/rsa_eay.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/rsa/rsa_eay.c 2016-05-03 16:57:58.834321299 +0200 +diff -up openssl-1.0.2i/crypto/rsa/rsa_eay.c.fips openssl-1.0.2i/crypto/rsa/rsa_eay.c +--- openssl-1.0.2i/crypto/rsa/rsa_eay.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa_eay.c 2016-09-22 13:35:57.022221112 +0200 @@ -114,6 +114,10 @@ #include #include 
@@ -13060,9 +13053,9 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_eay.c.fips openssl-1.0.2h/crypto/rsa/rsa_ rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; return (1); } -diff -up openssl-1.0.2h/crypto/rsa/rsa_err.c.fips openssl-1.0.2h/crypto/rsa/rsa_err.c ---- openssl-1.0.2h/crypto/rsa/rsa_err.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/rsa/rsa_err.c 2016-05-03 16:57:58.834321299 +0200 +diff -up openssl-1.0.2i/crypto/rsa/rsa_err.c.fips openssl-1.0.2i/crypto/rsa/rsa_err.c +--- openssl-1.0.2i/crypto/rsa/rsa_err.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa_err.c 2016-09-22 13:35:57.022221112 +0200 @@ -136,6 +136,8 @@ static ERR_STRING_DATA RSA_str_functs[] {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, @@ -13072,9 +13065,9 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_err.c.fips openssl-1.0.2h/crypto/rsa/rsa_ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, -diff -up openssl-1.0.2h/crypto/rsa/rsa_gen.c.fips openssl-1.0.2h/crypto/rsa/rsa_gen.c ---- openssl-1.0.2h/crypto/rsa/rsa_gen.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/rsa/rsa_gen.c 2016-05-03 16:57:58.834321299 +0200 +diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips openssl-1.0.2i/crypto/rsa/rsa_gen.c +--- openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa_gen.c 2016-09-22 13:35:57.022221112 +0200 @@ -69,8 +69,80 @@ #include #ifdef OPENSSL_FIPS 
@@ -13216,9 +13209,9 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_gen.c.fips openssl-1.0.2h/crypto/rsa/rsa_ ok = 1; err: if (ok == -1) { -diff -up openssl-1.0.2h/crypto/rsa/rsa.h.fips openssl-1.0.2h/crypto/rsa/rsa.h ---- openssl-1.0.2h/crypto/rsa/rsa.h.fips 2016-05-03 16:57:58.696318040 +0200 -+++ openssl-1.0.2h/crypto/rsa/rsa.h 2016-05-03 16:57:58.834321299 +0200 +diff -up openssl-1.0.2i/crypto/rsa/rsa.h.fips openssl-1.0.2i/crypto/rsa/rsa.h +--- openssl-1.0.2i/crypto/rsa/rsa.h.fips 2016-09-22 13:35:56.906218439 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa.h 2016-09-22 13:35:57.022221112 +0200 @@ -168,6 +168,8 @@ struct rsa_st { # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 # endif @@ -13315,9 +13308,9 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa.h.fips openssl-1.0.2h/crypto/rsa/rsa.h # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 # define RSA_R_PADDING_CHECK_FAILED 114 # define RSA_R_PKCS_DECODING_ERROR 159 -diff -up openssl-1.0.2h/crypto/rsa/rsa_lib.c.fips openssl-1.0.2h/crypto/rsa/rsa_lib.c ---- openssl-1.0.2h/crypto/rsa/rsa_lib.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/rsa/rsa_lib.c 2016-05-03 16:57:58.834321299 +0200 +diff -up openssl-1.0.2i/crypto/rsa/rsa_lib.c.fips openssl-1.0.2i/crypto/rsa/rsa_lib.c +--- openssl-1.0.2i/crypto/rsa/rsa_lib.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa_lib.c 2016-09-22 13:35:57.022221112 +0200 @@ -84,23 +84,22 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -13363,7 +13356,7 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_lib.c.fips openssl-1.0.2h/crypto/rsa/rsa_ mtmp = rsa->meth; if (mtmp->finish) mtmp->finish(rsa); -@@ -165,6 +170,17 @@ RSA *RSA_new_method(ENGINE *engine) +@@ -166,6 +171,17 @@ RSA *RSA_new_method(ENGINE *engine) } } #endif 
@@ -13381,7 +13374,7 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_lib.c.fips openssl-1.0.2h/crypto/rsa/rsa_ ret->pad = 0; ret->version = 0; -@@ -183,7 +199,7 @@ RSA *RSA_new_method(ENGINE *engine) +@@ -184,7 +200,7 @@ RSA *RSA_new_method(ENGINE *engine) ret->blinding = NULL; ret->mt_blinding = NULL; ret->bignum_data = NULL; @@ -13390,9 +13383,9 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_lib.c.fips openssl-1.0.2h/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE if (ret->engine) -diff -up openssl-1.0.2h/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2h/crypto/rsa/rsa_pmeth.c ---- openssl-1.0.2h/crypto/rsa/rsa_pmeth.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/rsa/rsa_pmeth.c 2016-05-03 16:57:58.835321323 +0200 +diff -up openssl-1.0.2i/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2i/crypto/rsa/rsa_pmeth.c +--- openssl-1.0.2i/crypto/rsa/rsa_pmeth.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa_pmeth.c 2016-09-22 13:35:57.022221112 +0200 @@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); return -1; @@ -13432,9 +13425,9 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2h/crypto/rsa/rs if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); -diff -up openssl-1.0.2h/crypto/rsa/rsa_sign.c.fips openssl-1.0.2h/crypto/rsa/rsa_sign.c ---- openssl-1.0.2h/crypto/rsa/rsa_sign.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/rsa/rsa_sign.c 2016-05-03 16:57:58.835321323 +0200 +diff -up openssl-1.0.2i/crypto/rsa/rsa_sign.c.fips openssl-1.0.2i/crypto/rsa/rsa_sign.c +--- openssl-1.0.2i/crypto/rsa/rsa_sign.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa_sign.c 2016-09-22 13:35:57.023221135 +0200 @@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig, &p); s = tmps; 
@@ -13473,9 +13466,9 @@ diff -up openssl-1.0.2h/crypto/rsa/rsa_sign.c.fips openssl-1.0.2h/crypto/rsa/rsa if (i <= 0) goto err; -diff -up openssl-1.0.2h/crypto/sha/sha.h.fips openssl-1.0.2h/crypto/sha/sha.h ---- openssl-1.0.2h/crypto/sha/sha.h.fips 2016-05-03 16:57:58.413311358 +0200 -+++ openssl-1.0.2h/crypto/sha/sha.h 2016-05-03 16:57:58.835321323 +0200 +diff -up openssl-1.0.2i/crypto/sha/sha.h.fips openssl-1.0.2i/crypto/sha/sha.h +--- openssl-1.0.2i/crypto/sha/sha.h.fips 2016-09-22 13:35:56.699213667 +0200 ++++ openssl-1.0.2i/crypto/sha/sha.h 2016-09-22 13:35:57.023221135 +0200 @@ -105,9 +105,6 @@ typedef struct SHAstate_st { } SHA_CTX; @@ -13518,9 +13511,9 @@ diff -up openssl-1.0.2h/crypto/sha/sha.h.fips openssl-1.0.2h/crypto/sha/sha.h int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); -diff -up openssl-1.0.2h/crypto/sha/sha_locl.h.fips openssl-1.0.2h/crypto/sha/sha_locl.h ---- openssl-1.0.2h/crypto/sha/sha_locl.h.fips 2016-05-03 16:57:58.415311405 +0200 -+++ openssl-1.0.2h/crypto/sha/sha_locl.h 2016-05-03 16:57:58.835321323 +0200 +diff -up openssl-1.0.2i/crypto/sha/sha_locl.h.fips openssl-1.0.2i/crypto/sha/sha_locl.h +--- openssl-1.0.2i/crypto/sha/sha_locl.h.fips 2016-09-22 13:35:56.702213737 +0200 ++++ openssl-1.0.2i/crypto/sha/sha_locl.h 2016-09-22 13:35:57.023221135 +0200 @@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, c #define INIT_DATA_h4 0xc3d2e1f0UL 
@@ -13537,9 +13530,9 @@ diff -up openssl-1.0.2h/crypto/sha/sha_locl.h.fips openssl-1.0.2h/crypto/sha/sha memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -diff -up openssl-1.0.2h/crypto/sha/sha256.c.fips openssl-1.0.2h/crypto/sha/sha256.c ---- openssl-1.0.2h/crypto/sha/sha256.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/sha/sha256.c 2016-05-03 16:57:58.835321323 +0200 +diff -up openssl-1.0.2i/crypto/sha/sha256.c.fips openssl-1.0.2i/crypto/sha/sha256.c +--- openssl-1.0.2i/crypto/sha/sha256.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/sha/sha256.c 2016-09-22 13:35:57.023221135 +0200 @@ -12,12 +12,19 @@ # include @@ -13570,9 +13563,9 @@ diff -up openssl-1.0.2h/crypto/sha/sha256.c.fips openssl-1.0.2h/crypto/sha/sha25 memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -diff -up openssl-1.0.2h/crypto/sha/sha512.c.fips openssl-1.0.2h/crypto/sha/sha512.c ---- openssl-1.0.2h/crypto/sha/sha512.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/sha/sha512.c 2016-05-03 16:57:58.835321323 +0200 +diff -up openssl-1.0.2i/crypto/sha/sha512.c.fips openssl-1.0.2i/crypto/sha/sha512.c +--- openssl-1.0.2i/crypto/sha/sha512.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/sha/sha512.c 2016-09-22 13:35:57.023221135 +0200 @@ -5,6 +5,10 @@ * ==================================================================== */ 
@@ -13604,10 +13597,10 @@ diff -up openssl-1.0.2h/crypto/sha/sha512.c.fips openssl-1.0.2h/crypto/sha/sha51 c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -diff -up openssl-1.0.2h/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2h/crypto/whrlpool/wp_dgst.c ---- openssl-1.0.2h/crypto/whrlpool/wp_dgst.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/crypto/whrlpool/wp_dgst.c 2016-05-03 16:57:58.836321346 +0200 -@@ -55,7 +55,7 @@ +diff -up openssl-1.0.2i/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2i/crypto/whrlpool/wp_dgst.c +--- openssl-1.0.2i/crypto/whrlpool/wp_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/whrlpool/wp_dgst.c 2016-09-22 13:35:57.023221135 +0200 +@@ -56,7 +56,7 @@ #include #include @@ -13616,10 +13609,10 @@ diff -up openssl-1.0.2h/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2h/crypto/whr { memset(c, 0, sizeof(*c)); return (1); -diff -up openssl-1.0.2h/Makefile.org.fips openssl-1.0.2h/Makefile.org ---- openssl-1.0.2h/Makefile.org.fips 2016-05-03 16:57:58.791320284 +0200 -+++ openssl-1.0.2h/Makefile.org 2016-05-03 16:57:58.836321346 +0200 -@@ -137,6 +137,9 @@ FIPSCANLIB= +diff -up openssl-1.0.2i/Makefile.org.fips openssl-1.0.2i/Makefile.org +--- openssl-1.0.2i/Makefile.org.fips 2016-09-22 13:35:56.996220513 +0200 ++++ openssl-1.0.2i/Makefile.org 2016-09-22 13:35:57.023221135 +0200 +@@ -138,6 +138,9 @@ FIPSCANLIB= BASEADDR= @@ -13629,7 +13622,7 @@ diff -up openssl-1.0.2h/Makefile.org.fips openssl-1.0.2h/Makefile.org DIRS= crypto ssl engines apps test tools ENGDIRS= ccgost SHLIBDIRS= crypto ssl -@@ -149,7 +152,7 @@ SDIRS= \ +@@ -150,7 +153,7 @@ SDIRS= \ bn ec rsa dsa ecdsa dh ecdh dso engine \ buffer bio stack lhash rand err \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \ 
@@ -13638,7 +13631,7 @@ diff -up openssl-1.0.2h/Makefile.org.fips openssl-1.0.2h/Makefile.org # keep in mind that the above list is adjusted by ./Configure # according to no-xxx arguments... -@@ -239,6 +242,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM) +@@ -241,6 +244,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM) FIPSLIBDIR='${FIPSLIBDIR}' \ FIPSDIR='${FIPSDIR}' \ FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \ @@ -13646,9 +13639,9 @@ diff -up openssl-1.0.2h/Makefile.org.fips openssl-1.0.2h/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.2h/ssl/ssl_algs.c.fips openssl-1.0.2h/ssl/ssl_algs.c ---- openssl-1.0.2h/ssl/ssl_algs.c.fips 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/ssl/ssl_algs.c 2016-05-03 16:57:58.836321346 +0200 +diff -up openssl-1.0.2i/ssl/ssl_algs.c.fips openssl-1.0.2i/ssl/ssl_algs.c +--- openssl-1.0.2i/ssl/ssl_algs.c.fips 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/ssl/ssl_algs.c 2016-09-22 13:35:57.024221158 +0200 @@ -64,6 +64,11 @@ int SSL_library_init(void) { diff --git a/openssl-1.0.2f-new-fips-reqs.patch b/openssl-1.0.2i-new-fips-reqs.patch similarity index 93% rename from openssl-1.0.2f-new-fips-reqs.patch rename to openssl-1.0.2i-new-fips-reqs.patch index bbad42b..e5d1e80 100644 --- a/openssl-1.0.2f-new-fips-reqs.patch +++ b/openssl-1.0.2i-new-fips-reqs.patch 
@@ -1,24 +1,23 @@ -diff -up openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2f/crypto/bn/bn_rand.c ---- openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs 2016-01-28 14:38:30.000000000 +0100 -+++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 16:36:22.811387420 +0100 -@@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM - goto err; +diff -up openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2i/crypto/bn/bn_rand.c +--- openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs 2016-09-22 13:54:26.533848449 +0200 ++++ openssl-1.0.2i/crypto/bn/bn_rand.c 2016-09-22 13:56:52.169233060 +0200 +@@ -141,8 +141,11 @@ static int bnrand(int pseudorand, BIGNUM } -- /* make a random number and set the top and bottom bits */ + /* make a random number and set the top and bottom bits */ - time(&tim); - RAND_add(&tim, sizeof(tim), 0.0); -+ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */ -+ /* make a random number and set the top and bottom bits */ ++ if (!FIPS_mode()) { ++ /* in FIPS mode the RNG is always properly seeded or the module fails */ + time(&tim); + RAND_add(&tim, sizeof(tim), 0.0); + } - if (pseudorand) { - if (RAND_pseudo_bytes(buf, bytes) == -1) -diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh_gen.c ---- openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs 2016-01-28 16:36:22.767386408 +0100 -+++ openssl-1.0.2f/crypto/dh/dh_gen.c 2016-01-28 16:36:22.811387420 +0100 + /* We ignore the value of pseudorand and always call RAND_bytes */ + if (RAND_bytes(buf, bytes) <= 0) +diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2i/crypto/dh/dh_gen.c +--- openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs 2016-09-22 13:54:26.489847426 +0200 ++++ openssl-1.0.2i/crypto/dh/dh_gen.c 2016-09-22 13:54:26.533848449 +0200 @@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret, return 0; } 
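Review bot: In the rebased bn_rand.c hunk, the comment inside `if (!FIPS_mode())` says why skipping is safe but not what is skipped. The guarded call is `RAND_add(&tim, sizeof(tim), 0.0)`, which mixes in the timestamp with an entropy estimate of zero. I would word it as `/* FIPS mode: skip the zero-entropy time() mix-in; the DRBG is seeded by the module or the module fails */`, so a later rebase does not mistake the guard for a seeding change. The retained upstream comment `/* make a random number and set the top and bottom bits */` now sits above the guard rather than above the `RAND_bytes()` call it describes, which is harmless but slightly misleading. The body of `bnrand` continues outside the hunk.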
@@ -28,9 +27,9 @@ diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); goto err; } -diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h ---- openssl-1.0.2f/crypto/dh/dh.h.fips-reqs 2016-01-28 16:36:22.767386408 +0100 -+++ openssl-1.0.2f/crypto/dh/dh.h 2016-01-28 16:36:22.812387443 +0100 +diff -up openssl-1.0.2i/crypto/dh/dh.h.fips-reqs openssl-1.0.2i/crypto/dh/dh.h +--- openssl-1.0.2i/crypto/dh/dh.h.fips-reqs 2016-09-22 13:54:26.489847426 +0200 ++++ openssl-1.0.2i/crypto/dh/dh.h 2016-09-22 13:54:26.534848472 +0200 @@ -78,6 +78,7 @@ # endif @@ -39,9 +38,9 @@ diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 -diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_gen.c ---- openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs 2016-01-28 16:36:22.768386431 +0100 -+++ openssl-1.0.2f/crypto/dsa/dsa_gen.c 2016-01-28 16:36:22.812387443 +0100 +diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_gen.c +--- openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs 2016-09-22 13:54:26.490847450 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_gen.c 2016-09-22 13:54:26.534848472 +0200 @@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_ } 
@@ -57,9 +56,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); goto err; } -diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa.h ---- openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs 2016-01-28 16:36:22.768386431 +0100 -+++ openssl-1.0.2f/crypto/dsa/dsa.h 2016-01-28 16:36:22.812387443 +0100 +diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2i/crypto/dsa/dsa.h +--- openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs 2016-09-22 13:54:26.490847450 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa.h 2016-09-22 13:54:26.534848472 +0200 @@ -89,6 +89,7 @@ # endif @@ -80,9 +79,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa * Rabin-Miller */ # define DSA_is_prime(n, callback, cb_arg) \ -diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_key.c ---- openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100 -+++ openssl-1.0.2f/crypto/dsa/dsa_key.c 2016-01-28 16:36:22.812387443 +0100 +diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_key.c +--- openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs 2016-09-22 13:54:26.532848426 +0200 ++++ openssl-1.0.2i/crypto/dsa/dsa_key.c 2016-09-22 13:54:26.534848472 +0200 @@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa) # ifdef OPENSSL_FIPS 
@@ -92,9 +91,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); goto err; } -diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/fips.c ---- openssl-1.0.2f/crypto/fips/fips.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100 -+++ openssl-1.0.2f/crypto/fips/fips.c 2016-01-28 16:36:22.813387467 +0100 +diff -up openssl-1.0.2i/crypto/fips/fips.c.fips-reqs openssl-1.0.2i/crypto/fips/fips.c +--- openssl-1.0.2i/crypto/fips/fips.c.fips-reqs 2016-09-22 13:54:26.532848426 +0200 ++++ openssl-1.0.2i/crypto/fips/fips.c 2016-09-22 13:54:26.534848472 +0200 @@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons ret = 0; goto end; @@ -128,9 +127,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/ ret = 1; goto end; } -diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_dh_selftest.c ---- openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-01-28 16:36:22.813387467 +0100 -+++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c 2016-01-28 16:36:22.813387467 +0100 +diff -up openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_dh_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-09-22 13:54:26.535848495 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_dh_selftest.c 2016-09-22 13:54:26.535848495 +0200 @@ -0,0 +1,162 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -294,9 +293,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/ + return ret; +} +#endif -diff -up openssl-1.0.2f/crypto/fips/fips.h.fips-reqs openssl-1.0.2f/crypto/fips/fips.h ---- openssl-1.0.2f/crypto/fips/fips.h.fips-reqs 2016-01-28 16:36:22.806387305 +0100 -+++ openssl-1.0.2f/crypto/fips/fips.h 2016-01-28 16:36:22.813387467 +0100 +diff -up openssl-1.0.2i/crypto/fips/fips.h.fips-reqs openssl-1.0.2i/crypto/fips/fips.h +--- openssl-1.0.2i/crypto/fips/fips.h.fips-reqs 2016-09-22 13:54:26.527848309 +0200 ++++ openssl-1.0.2i/crypto/fips/fips.h 2016-09-22 13:54:26.535848495 +0200 @@ -96,6 +96,7 @@ extern "C" { int FIPS_selftest_dsa(void); int FIPS_selftest_ecdsa(void); @@ -305,9 +304,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips.h.fips-reqs openssl-1.0.2f/crypto/fips/ void FIPS_corrupt_rng(void); void FIPS_rng_stick(void); void FIPS_x931_stick(int onoff); -diff -up openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_post.c ---- openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs 2016-01-28 16:36:22.803387236 +0100 -+++ openssl-1.0.2f/crypto/fips/fips_post.c 2016-01-28 16:36:22.813387467 +0100 +diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_post.c +--- openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs 2016-09-22 13:54:26.524848240 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_post.c 2016-09-22 13:54:26.535848495 +0200 @@ -99,6 +99,8 @@ int FIPS_selftest(void) rv = 0; if (!FIPS_selftest_dsa()) 
@@ -317,9 +316,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2f/crypto/ if (!FIPS_selftest_ecdh()) rv = 0; return rv; -diff -up openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-01-28 16:36:22.778386661 +0100 -+++ openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c 2016-01-28 16:36:22.814387489 +0100 +diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-09-22 13:54:26.499847659 +0200 ++++ openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c 2016-09-22 13:54:26.537848542 +0200 @@ -60,68 +60,107 @@ #ifdef OPENSSL_FIPS @@ -974,9 +973,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2f RSA_free(key); return ret; } -diff -up openssl-1.0.2f/crypto/fips/Makefile.fips-reqs openssl-1.0.2f/crypto/fips/Makefile ---- openssl-1.0.2f/crypto/fips/Makefile.fips-reqs 2016-01-28 16:36:22.803387236 +0100 -+++ openssl-1.0.2f/crypto/fips/Makefile 2016-01-28 16:36:22.814387489 +0100 +diff -up openssl-1.0.2i/crypto/fips/Makefile.fips-reqs openssl-1.0.2i/crypto/fips/Makefile +--- openssl-1.0.2i/crypto/fips/Makefile.fips-reqs 2016-09-22 13:54:26.524848240 +0200 ++++ openssl-1.0.2i/crypto/fips/Makefile 2016-09-22 13:54:26.537848542 +0200 @@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ 
@@ -995,9 +994,9 @@ diff -up openssl-1.0.2f/crypto/fips/Makefile.fips-reqs openssl-1.0.2f/crypto/fip LIBCRYPTO=-L.. -lcrypto -diff -up openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2f/crypto/rand/rand_lcl.h ---- openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs 2016-01-28 16:36:22.516380636 +0100 -+++ openssl-1.0.2f/crypto/rand/rand_lcl.h 2016-01-28 16:36:22.814387489 +0100 +diff -up openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2i/crypto/rand/rand_lcl.h +--- openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs 2016-09-22 13:54:26.261842127 +0200 ++++ openssl-1.0.2i/crypto/rand/rand_lcl.h 2016-09-22 13:54:26.537848542 +0200 @@ -112,7 +112,7 @@ #ifndef HEADER_RAND_LCL_H # define HEADER_RAND_LCL_H @@ -1007,9 +1006,9 @@ diff -up openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2f/crypto/r # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) -diff -up openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2f/crypto/rand/rand_lib.c ---- openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs 2016-01-28 14:38:31.000000000 +0100 -+++ openssl-1.0.2f/crypto/rand/rand_lib.c 2016-01-28 16:36:22.814387489 +0100 +diff -up openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2i/crypto/rand/rand_lib.c +--- openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rand/rand_lib.c 2016-09-22 13:54:26.537848542 +0200 @@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx, double entropy) { 
@@ -1033,9 +1032,9 @@ diff -up openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2f/crypto/r return 1; } -diff -up openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2f/crypto/rsa/rsa_gen.c ---- openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs 2016-01-28 16:36:22.781386731 +0100 -+++ openssl-1.0.2f/crypto/rsa/rsa_gen.c 2016-01-28 16:36:22.814387489 +0100 +diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2i/crypto/rsa/rsa_gen.c +--- openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs 2016-09-22 13:54:26.502847728 +0200 ++++ openssl-1.0.2i/crypto/rsa/rsa_gen.c 2016-09-22 13:54:26.538848565 +0200 @@ -1,5 +1,6 @@ /* crypto/rsa/rsa_gen.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -1337,9 +1336,9 @@ diff -up openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2f/crypto/rsa ok = 1; err: if (ok == -1) { -diff -up openssl-1.0.2f/ssl/t1_enc.c.fips-reqs openssl-1.0.2f/ssl/t1_enc.c ---- openssl-1.0.2f/ssl/t1_enc.c.fips-reqs 2016-01-28 14:56:08.000000000 +0100 -+++ openssl-1.0.2f/ssl/t1_enc.c 2016-01-28 16:36:22.814387489 +0100 +diff -up openssl-1.0.2i/ssl/t1_enc.c.fips-reqs openssl-1.0.2i/ssl/t1_enc.c +--- openssl-1.0.2i/ssl/t1_enc.c.fips-reqs 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/ssl/t1_enc.c 2016-09-22 13:54:26.538848565 +0200 @@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask, return ret; } diff --git a/openssl-1.0.2a-secure-getenv.patch b/openssl-1.0.2i-secure-getenv.patch similarity index 66% rename from openssl-1.0.2a-secure-getenv.patch rename to openssl-1.0.2i-secure-getenv.patch index f494839..da8728e 100644 --- a/openssl-1.0.2a-secure-getenv.patch +++ b/openssl-1.0.2i-secure-getenv.patch 
@@ -1,6 +1,6 @@ -diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_api.c ---- openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/conf/conf_api.c 2015-04-21 17:14:12.757214532 +0200 +diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_api.c +--- openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/conf/conf_api.c 2016-09-22 13:51:29.847742209 +0200 @@ -63,6 +63,8 @@ # define NDEBUG #endif @@ -28,9 +28,9 @@ diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/cryp } #if 0 /* There's no way to provide error checking -diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_mod.c ---- openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/conf/conf_mod.c 2015-04-21 17:13:24.165078848 +0200 +diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_mod.c +--- openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/conf/conf_mod.c 2016-09-22 13:51:29.847742209 +0200 @@ -57,6 +57,8 @@ * */ @@ -40,7 +40,7 @@ diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/cryp #include #include #include -@@ -526,7 +528,7 @@ char *CONF_get1_default_config_file(void +@@ -530,7 +532,7 @@ char *CONF_get1_default_config_file(void char *file; int len; 
@@ -49,9 +49,9 @@ diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/cryp if (file) return BUF_strdup(file); -diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/crypto/engine/eng_list.c ---- openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv 2015-04-21 17:13:24.165078848 +0200 -+++ openssl-1.0.2a/crypto/engine/eng_list.c 2015-04-21 17:15:53.180561603 +0200 +diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/crypto/engine/eng_list.c +--- openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/engine/eng_list.c 2016-09-22 13:51:29.847742209 +0200 @@ -62,6 +62,8 @@ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ @@ -61,7 +61,7 @@ diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/cr #include "eng_int.h" /* -@@ -368,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id) +@@ -369,10 +371,10 @@ ENGINE *ENGINE_by_id(const char *id) */ if (strcmp(id, "dynamic")) { # ifdef OPENSSL_SYS_VMS @@ -74,9 +74,9 @@ diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/cr load_dir = ENGINESDIR; # endif iterator = ENGINE_by_id("dynamic"); -diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypto/md5/md5_dgst.c ---- openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv 2015-04-21 17:13:24.156078637 +0200 -+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-21 17:13:24.165078848 +0200 +diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypto/md5/md5_dgst.c +--- openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv 2016-09-22 13:51:29.840742047 +0200 ++++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:51:29.847742209 +0200 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ 
@@ -96,9 +96,9 @@ diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypt OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!"); return private_MD5_Init(c); } -diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_init.c ---- openssl-1.0.2a/crypto/o_init.c.secure-getenv 2015-04-21 17:13:24.142078310 +0200 -+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:13:24.165078848 +0200 +diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_init.c +--- openssl-1.0.2i/crypto/o_init.c.secure-getenv 2016-09-22 13:51:29.830741814 +0200 ++++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:51:30.046746834 +0200 @@ -53,6 +53,8 @@ * */ @@ -117,19 +117,19 @@ diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_in buf[0] = '1'; } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; -diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/crypto/rand/randfile.c ---- openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/rand/randfile.c 2015-04-21 17:13:24.165078848 +0200 -@@ -60,6 +60,8 @@ - #if !defined(OPENSSL_SYS_VXWORKS) - # define _XOPEN_SOURCE 500 - #endif +diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/crypto/rand/randfile.c +--- openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/rand/randfile.c 2016-09-22 13:53:17.222237626 +0200 +@@ -55,6 +55,8 @@ + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ +/* for secure_getenv */ +#define _GNU_SOURCE #include #include -@@ -292,14 +294,12 @@ const char *RAND_file_name(char *buf, si +@@ -327,14 +329,12 @@ const char *RAND_file_name(char *buf, si struct stat sb; #endif 
@@ -146,9 +146,9 @@ diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/cryp #ifdef DEFAULT_HOME if (s == NULL) { s = DEFAULT_HOME; -diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto/x509/by_dir.c ---- openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/crypto/x509/by_dir.c 2015-04-21 17:13:24.165078848 +0200 +diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto/x509/by_dir.c +--- openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/x509/by_dir.c 2016-09-22 13:51:30.047746858 +0200 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ @@ -167,9 +167,9 @@ diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto if (dir) ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); else -diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypto/x509/by_file.c ---- openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv 2015-04-21 17:13:24.118077749 +0200 -+++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-21 17:13:24.166078871 +0200 +diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypto/x509/by_file.c +--- openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv 2016-09-22 13:51:29.812741396 +0200 ++++ openssl-1.0.2i/crypto/x509/by_file.c 2016-09-22 13:51:30.047746858 +0200 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ 
@@ -188,9 +188,9 @@ diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypt if (file) ok = (X509_load_cert_crl_file(ctx, file, X509_FILETYPE_PEM) != 0); -diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/crypto/x509/x509_vfy.c ---- openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-21 17:19:14.948277272 +0200 +diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/crypto/x509/x509_vfy.c +--- openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/crypto/x509/x509_vfy.c 2016-09-22 13:51:30.048746881 +0200 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ @@ -200,7 +200,7 @@ diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/cryp #include #include #include -@@ -550,7 +552,7 @@ static int check_chain_extensions(X509_S +@@ -620,7 +622,7 @@ static int check_chain_extensions(X509_S * A hack to keep people who don't want to modify their software * happy */ @@ -209,9 +209,9 @@ diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/cryp allow_proxy_certs = 1; purpose = ctx->param->purpose; } -diff -up openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2a/engines/ccgost/gost_ctl.c ---- openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 -+++ openssl-1.0.2a/engines/ccgost/gost_ctl.c 2015-04-21 17:19:53.897187577 +0200 +diff -up openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2i/engines/ccgost/gost_ctl.c +--- openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/engines/ccgost/gost_ctl.c 2016-09-22 13:51:30.048746881 +0200 @@ -6,6 +6,8 @@ * Implementation of control commands for GOST engine * * OpenSSL 0.9.9 libraries required * 
diff --git a/openssl-1.0.2h-trusted-first-doc.patch b/openssl-1.0.2i-trusted-first-doc.patch similarity index 69% rename from openssl-1.0.2h-trusted-first-doc.patch rename to openssl-1.0.2i-trusted-first-doc.patch index 8ea85c9..12ea01e 100644 --- a/openssl-1.0.2h-trusted-first-doc.patch +++ b/openssl-1.0.2i-trusted-first-doc.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.2h/apps/cms.c.trusted-first openssl-1.0.2h/apps/cms.c ---- openssl-1.0.2h/apps/cms.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/apps/cms.c 2016-05-03 18:01:16.729556976 +0200 +diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c +--- openssl-1.0.2i/apps/cms.c.trusted-first 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/apps/cms.c 2016-09-22 14:01:27.436630359 +0200 @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); @@ -10,9 +10,9 @@ diff -up openssl-1.0.2h/apps/cms.c.trusted-first openssl-1.0.2h/apps/cms.c "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); -diff -up openssl-1.0.2h/apps/ocsp.c.trusted-first openssl-1.0.2h/apps/ocsp.c ---- openssl-1.0.2h/apps/ocsp.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/apps/ocsp.c 2016-05-03 18:01:16.730556998 +0200 +diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c +--- openssl-1.0.2i/apps/ocsp.c.trusted-first 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/apps/ocsp.c 2016-09-22 14:01:27.436630359 +0200 @@ -537,6 +537,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); 
@@ -22,10 +22,10 @@ diff -up openssl-1.0.2h/apps/ocsp.c.trusted-first openssl-1.0.2h/apps/ocsp.c "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-VAfile file validator certificates file\n"); -diff -up openssl-1.0.2h/apps/s_client.c.trusted-first openssl-1.0.2h/apps/s_client.c ---- openssl-1.0.2h/apps/s_client.c.trusted-first 2016-05-03 18:01:16.696556246 +0200 -+++ openssl-1.0.2h/apps/s_client.c 2016-05-03 18:01:16.730556998 +0200 -@@ -333,6 +333,8 @@ static void sc_usage(void) +diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_client.c +--- openssl-1.0.2i/apps/s_client.c.trusted-first 2016-09-22 14:01:27.402629569 +0200 ++++ openssl-1.0.2i/apps/s_client.c 2016-09-22 14:01:27.436630359 +0200 +@@ -330,6 +330,8 @@ static void sc_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, @@ -34,9 +34,9 @@ diff -up openssl-1.0.2h/apps/s_client.c.trusted-first openssl-1.0.2h/apps/s_clie " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n"); -diff -up openssl-1.0.2h/apps/smime.c.trusted-first openssl-1.0.2h/apps/smime.c ---- openssl-1.0.2h/apps/smime.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/apps/smime.c 2016-05-03 18:01:16.730556998 +0200 +diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c +--- openssl-1.0.2i/apps/smime.c.trusted-first 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/apps/smime.c 2016-09-22 14:01:27.436630359 +0200 @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); 
@@ -46,10 +46,10 @@ diff -up openssl-1.0.2h/apps/smime.c.trusted-first openssl-1.0.2h/apps/smime.c "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); -diff -up openssl-1.0.2h/apps/s_server.c.trusted-first openssl-1.0.2h/apps/s_server.c ---- openssl-1.0.2h/apps/s_server.c.trusted-first 2016-05-03 18:01:16.666555583 +0200 -+++ openssl-1.0.2h/apps/s_server.c 2016-05-03 18:01:16.731557020 +0200 -@@ -578,6 +578,8 @@ static void sv_usage(void) +diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_server.c +--- openssl-1.0.2i/apps/s_server.c.trusted-first 2016-09-22 14:01:27.374628918 +0200 ++++ openssl-1.0.2i/apps/s_server.c 2016-09-22 14:01:27.437630382 +0200 +@@ -571,6 +571,8 @@ static void sv_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, @@ -58,9 +58,9 @@ diff -up openssl-1.0.2h/apps/s_server.c.trusted-first openssl-1.0.2h/apps/s_serv " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n"); -diff -up openssl-1.0.2h/apps/s_time.c.trusted-first openssl-1.0.2h/apps/s_time.c ---- openssl-1.0.2h/apps/s_time.c.trusted-first 2016-05-03 18:01:16.661555472 +0200 -+++ openssl-1.0.2h/apps/s_time.c 2016-05-03 18:01:16.731557020 +0200 +diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c +--- openssl-1.0.2i/apps/s_time.c.trusted-first 2016-09-22 14:01:27.368628779 +0200 ++++ openssl-1.0.2i/apps/s_time.c 2016-09-22 14:01:27.437630382 +0200 @@ -182,6 +182,7 @@ static void s_time_usage(void) file if not specified by this option\n\ -CApath arg - PEM format directory of CA's\n\ 
@@ -69,9 +69,9 @@ diff -up openssl-1.0.2h/apps/s_time.c.trusted-first openssl-1.0.2h/apps/s_time.c -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; printf("usage: s_time \n\n"); -diff -up openssl-1.0.2h/apps/ts.c.trusted-first openssl-1.0.2h/apps/ts.c ---- openssl-1.0.2h/apps/ts.c.trusted-first 2016-05-03 18:01:16.694556202 +0200 -+++ openssl-1.0.2h/apps/ts.c 2016-05-03 18:01:16.731557020 +0200 +diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c +--- openssl-1.0.2i/apps/ts.c.trusted-first 2016-09-22 14:01:27.400629522 +0200 ++++ openssl-1.0.2i/apps/ts.c 2016-09-22 14:01:27.437630382 +0200 @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv) "ts -verify [-data file_to_hash] [-digest digest_bytes] " "[-queryfile request.tsq] " @@ -81,11 +81,11 @@ diff -up openssl-1.0.2h/apps/ts.c.trusted-first openssl-1.0.2h/apps/ts.c "-untrusted cert_file.pem\n"); cleanup: /* Clean up. */ -diff -up openssl-1.0.2h/apps/verify.c.trusted-first openssl-1.0.2h/apps/verify.c ---- openssl-1.0.2h/apps/verify.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/apps/verify.c 2016-05-03 18:01:16.731557020 +0200 +diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c +--- openssl-1.0.2i/apps/verify.c.trusted-first 2016-09-22 14:01:27.438630405 +0200 ++++ openssl-1.0.2i/apps/verify.c 2016-09-22 14:02:37.951269140 +0200 @@ -231,7 +231,7 @@ int MAIN(int argc, char **argv) - end: + usage: if (ret == 1) { BIO_printf(bio_err, - "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); 
@@ -93,9 +93,9 @@ diff -up openssl-1.0.2h/apps/verify.c.trusted-first openssl-1.0.2h/apps/verify.c BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " [-engine e]"); -diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/cms.pod ---- openssl-1.0.2h/doc/apps/cms.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/doc/apps/cms.pod 2016-05-03 18:01:16.731557020 +0200 +diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/cms.pod +--- openssl-1.0.2i/doc/apps/cms.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/doc/apps/cms.pod 2016-09-22 14:01:27.438630405 +0200 @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] @@ -104,7 +104,7 @@ diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/c [B<-no_alt_chains>] [B<-md digest>] [B<-[cipher]>] -@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta +@@ -248,6 +249,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B) should be linked to each certificate. @@ -117,9 +117,9 @@ diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/c =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first openssl-1.0.2h/doc/apps/ocsp.pod ---- openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first 2016-05-03 18:01:16.695556224 +0200 -+++ openssl-1.0.2h/doc/apps/ocsp.pod 2016-05-03 18:02:16.021868012 +0200 +diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/ocsp.pod +--- openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first 2016-09-22 14:01:27.401629545 +0200 ++++ openssl-1.0.2i/doc/apps/ocsp.pod 2016-09-22 14:01:27.438630405 +0200 @@ -29,6 +29,7 @@ B B [B<-path>] [B<-CApath dir>] 
@@ -142,9 +142,9 @@ diff -up openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first openssl-1.0.2h/doc/apps/ =item B<-no_alt_chains> See L|verify(1)> manual page for details. -diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/apps/s_client.pod ---- openssl-1.0.2h/doc/apps/s_client.pod.trusted-first 2016-05-03 18:01:16.706556467 +0200 -+++ openssl-1.0.2h/doc/apps/s_client.pod 2016-05-03 18:01:16.732557042 +0200 +diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/apps/s_client.pod +--- openssl-1.0.2i/doc/apps/s_client.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200 ++++ openssl-1.0.2i/doc/apps/s_client.pod 2016-09-22 14:01:27.438630405 +0200 @@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] @@ -153,7 +153,7 @@ diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/a [B<-no_alt_chains>] [B<-reconnect>] [B<-pause>] -@@ -124,7 +125,7 @@ also used when building the client certi +@@ -125,7 +126,7 @@ also used when building the client certi A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. @@ -162,9 +162,9 @@ diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/a Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. -diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps/smime.pod ---- openssl-1.0.2h/doc/apps/smime.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/doc/apps/smime.pod 2016-05-03 18:01:16.732557042 +0200 +diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps/smime.pod +--- openssl-1.0.2i/doc/apps/smime.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/doc/apps/smime.pod 2016-09-22 14:01:27.438630405 +0200 @@ -15,6 +15,9 @@ B B [B<-pk7out>] [B<-[cipher]>] 
@@ -175,7 +175,7 @@ diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps [B<-no_alt_chains>] [B<-certfile file>] [B<-signer file>] -@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta +@@ -150,6 +153,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B) should be linked to each certificate. @@ -188,9 +188,9 @@ diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the -diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/apps/s_server.pod ---- openssl-1.0.2h/doc/apps/s_server.pod.trusted-first 2016-05-03 18:01:16.706556467 +0200 -+++ openssl-1.0.2h/doc/apps/s_server.pod 2016-05-03 18:01:16.732557042 +0200 +diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/apps/s_server.pod +--- openssl-1.0.2i/doc/apps/s_server.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200 ++++ openssl-1.0.2i/doc/apps/s_server.pod 2016-09-22 14:01:27.438630405 +0200 @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] @@ -199,7 +199,7 @@ diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/a [B<-no_alt_chains>] [B<-nocert>] [B<-cipher cipherlist>] -@@ -177,6 +178,12 @@ and to use when attempting to build the +@@ -178,6 +179,12 @@ and to use when attempting to build the is also used in the list of acceptable client CAs passed to the client when a certificate is requested. 
@@ -212,9 +212,9 @@ diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/a =item B<-no_alt_chains> See the L|verify(1)> manual page for details. -diff -up openssl-1.0.2h/doc/apps/s_time.pod.trusted-first openssl-1.0.2h/doc/apps/s_time.pod ---- openssl-1.0.2h/doc/apps/s_time.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/doc/apps/s_time.pod 2016-05-03 18:01:16.732557042 +0200 +diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/apps/s_time.pod +--- openssl-1.0.2i/doc/apps/s_time.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/doc/apps/s_time.pod 2016-09-22 14:01:27.439630429 +0200 @@ -14,6 +14,7 @@ B B [B<-key filename>] [B<-CApath directory>] @@ -236,9 +236,9 @@ diff -up openssl-1.0.2h/doc/apps/s_time.pod.trusted-first openssl-1.0.2h/doc/app =item B<-new> performs the timing test using a new session ID for each connection. -diff -up openssl-1.0.2h/doc/apps/ts.pod.trusted-first openssl-1.0.2h/doc/apps/ts.pod ---- openssl-1.0.2h/doc/apps/ts.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/doc/apps/ts.pod 2016-05-03 18:01:16.732557042 +0200 +diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts.pod +--- openssl-1.0.2i/doc/apps/ts.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/doc/apps/ts.pod 2016-09-22 14:01:27.439630429 +0200 @@ -46,6 +46,7 @@ B<-verify> [B<-token_in>] [B<-CApath> trusted_cert_path] 
@@ -260,9 +260,9 @@ diff -up openssl-1.0.2h/doc/apps/ts.pod.trusted-first openssl-1.0.2h/doc/apps/ts =item B<-untrusted> cert_file.pem Set of additional untrusted certificates in PEM format which may be -diff -up openssl-1.0.2h/doc/apps/verify.pod.trusted-first openssl-1.0.2h/doc/apps/verify.pod ---- openssl-1.0.2h/doc/apps/verify.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 -+++ openssl-1.0.2h/doc/apps/verify.pod 2016-05-03 18:01:16.732557042 +0200 +diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/apps/verify.pod +--- openssl-1.0.2i/doc/apps/verify.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200 ++++ openssl-1.0.2i/doc/apps/verify.pod 2016-09-22 14:01:27.439630429 +0200 @@ -9,6 +9,7 @@ verify - Utility to verify certificates. B B [B<-CApath directory>] @@ -271,7 +271,7 @@ diff -up openssl-1.0.2h/doc/apps/verify.pod.trusted-first openssl-1.0.2h/doc/app [B<-purpose purpose>] [B<-policy arg>] [B<-ignore_critical>] -@@ -85,6 +86,12 @@ If a valid CRL cannot be found an error +@@ -86,6 +87,12 @@ If a valid CRL cannot be found an error A file of untrusted certificates. The file should contain multiple certificates in PEM format concatenated together. diff --git a/openssl.spec b/openssl.spec index 18121a8..d4a82eb 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,8 +22,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.2h -Release: 3%{?dist} +Version: 1.0.2i +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
@@ -56,7 +56,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-1.0.2a-x509.patch Patch35: openssl-1.0.2a-version-add-engines.patch Patch39: openssl-1.0.2a-ipv6-apps.patch -Patch40: openssl-1.0.2h-fips.patch +Patch40: openssl-1.0.2i-fips.patch Patch45: openssl-1.0.2a-env-zlib.patch Patch47: openssl-1.0.2a-readme-warning.patch Patch49: openssl-1.0.1i-algo-doc.patch @@ -66,18 +66,18 @@ Patch56: openssl-1.0.2a-rsa-x931.patch Patch58: openssl-1.0.2a-fips-md5-allow.patch Patch60: openssl-1.0.2a-apps-dgst.patch Patch63: openssl-1.0.2a-xmpp-starttls.patch -Patch65: openssl-1.0.2a-chil-fixes.patch +Patch65: openssl-1.0.2i-chil-fixes.patch Patch66: openssl-1.0.2h-pkgconfig.patch -Patch68: openssl-1.0.2a-secure-getenv.patch +Patch68: openssl-1.0.2i-secure-getenv.patch Patch70: openssl-1.0.2a-fips-ec.patch Patch71: openssl-1.0.2g-manfix.patch Patch72: openssl-1.0.2a-fips-ctor.patch Patch73: openssl-1.0.2c-ecc-suiteb.patch Patch74: openssl-1.0.2a-no-md5-verify.patch Patch75: openssl-1.0.2a-compat-symbols.patch -Patch76: openssl-1.0.2f-new-fips-reqs.patch +Patch76: openssl-1.0.2i-new-fips-reqs.patch Patch78: openssl-1.0.2a-cc-reqs.patch -Patch90: openssl-1.0.2a-enc-fail.patch +Patch90: openssl-1.0.2i-enc-fail.patch Patch92: openssl-1.0.2a-system-cipherlist.patch Patch93: openssl-1.0.2g-disable-sslv2v3.patch Patch94: openssl-1.0.2d-secp256k1.patch @@ -86,8 +86,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch # Backported fixes including security fixes Patch80: openssl-1.0.2e-wrap-pad.patch Patch81: openssl-1.0.2a-padlock64.patch -Patch82: openssl-1.0.2h-trusted-first-doc.patch -Patch83: openssl-1.0.2h-dtls-bad-ver.patch +Patch82: openssl-1.0.2i-trusted-first-doc.patch License: OpenSSL Group: System Environment/Libraries 
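Review bot: Nothing in the spec records why Patch83 (`openssl-1.0.2h-dtls-bad-ver.patch`) is removed in the `@@ -86,8 +86,7 @@` hunk, even though it sits under "Backported fixes including security fixes"; its `%patch83 -p1 -b .dtls-bad-ver` line is removed in the later `%prep` hunk too. Presumably the fix is already in upstream 1.0.2i, and it looks like the patch behind the previous changelog entry `fix regression in Cisco AnyConnect VPN support (#1354588)`, but neither can be confirmed from this page. Please verify the fix against the new tarball and add a changelog line such as `- drop dtls-bad-ver patch, fix is included in the upstream release`. A backport dropped without a trace makes it hard to audit later whether a regression fix is still in place.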
@@ -211,7 +210,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch80 -p1 -b .wrap %patch81 -p1 -b .padlock64 %patch82 -p1 -b .trusted-first -%patch83 -p1 -b .dtls-bad-ver sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -457,7 +455,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %dir %{_sysconfdir}/pki/CA/newcerts %{_sysconfdir}/pki/tls/misc/c_* %attr(0755,root,root) %{_bindir}/openssl -%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]* +%attr(0644,root,root) %{_mandir}/man1*/* +%exclude %{_mandir}/man1*/*.pl* +%exclude %{_mandir}/man1*/c_rehash* +%exclude %{_mandir}/man1*/tsget* %attr(0644,root,root) %{_mandir}/man5*/* %attr(0644,root,root) %{_mandir}/man7*/* @@ -494,6 +495,8 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %defattr(-,root,root) %attr(0755,root,root) %{_bindir}/c_rehash %attr(0644,root,root) %{_mandir}/man1*/*.pl* +%attr(0644,root,root) %{_mandir}/man1*/c_rehash* +%attr(0644,root,root) %{_mandir}/man1*/tsget* %{_sysconfdir}/pki/tls/misc/*.pl %{_sysconfdir}/pki/tls/misc/tsget @@ -502,6 +505,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Thu Sep 22 2016 Tomáš Mráz 1.0.2i-1 +- minor upstream release 1.0.2i fixing security issues +- move man pages for perl based scripts to perl subpackage (#1377617) + * Wed Aug 10 2016 Tomáš Mráz 1.0.2h-3 - fix regression in Cisco AnyConnect VPN support (#1354588) diff --git a/sources b/sources index f49534e..9ca7cad 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -020793e7b8901a1ac62d38f3a77f9a0c openssl-1.0.2h-hobbled.tar.xz +449bf5f62fc5d4e712b2405988debaa1 openssl-1.0.2i-hobbled.tar.xz
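Review bot: The three `%exclude` lines added in the `@@ -457,7 +455,10 @@` hunk (`*.pl*`, `c_rehash*`, `tsget*`) have to mirror the man1 entries of the subpackage in the `@@ -494,6 +495,8 @@` hunk, and nothing in the file says so. If the two lists drift apart, a man page ends up in both packages or in neither. A comment above the excludes would make the coupling visible, for example `# man pages of the perl based scripts are packaged in the perl subpackage; keep both lists in sync`. Both `%files` sections start and end outside these hunks.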
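Review bot: The new `sources` line pins `openssl-1.0.2i-hobbled.tar.xz` with a 32-hex-digit value, which is an MD5 digest. MD5 is not collision-resistant, so it is a weak integrity pin for the source of a cryptographic library. If the packaging tooling in use accepts the newer format, record a SHA-512 entry instead, `SHA512 (openssl-1.0.2i-hobbled.tar.xz) = <sha512 of the tarball>`. Because the uploaded archive is a locally hobbled tarball, the upstream release signature cannot cover it, so the upstream archive should be verified before the hobble script is run.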