diff --git a/.gitignore b/.gitignore index c95d3b0..92a4102 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.0.1a-usa.tar.xz /openssl-1.0.1b-usa.tar.xz /openssl-1.0.1c-usa.tar.xz +/openssl-1.0.1e-usa.tar.xz diff --git a/openssl-1.0.0-fips-pkcs8.patch b/openssl-1.0.0-fips-pkcs8.patch deleted file mode 100644 index dd7e36a..0000000 --- a/openssl-1.0.0-fips-pkcs8.patch +++ /dev/null @@ -1,189 +0,0 @@ -diff -up openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 openssl-1.0.0/crypto/pem/pem_all.c ---- openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 2006-11-06 20:53:37.000000000 +0100 -+++ openssl-1.0.0/crypto/pem/pem_all.c 2012-04-26 17:17:35.765317652 +0200 -@@ -147,7 +147,37 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRIN - - IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE, - PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE) -+#ifdef OPENSSL_FIPS - -+static int fips_PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+ { -+ if (FIPS_mode()) -+ return PEM_write_bio_PKCS8PrivateKey(bp, x, enc, -+ (char *)kstr, klen, cb, u); -+ else -+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, -+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY), -+ bp,x,enc,kstr,klen,cb,u); -+ } -+ -+#ifndef OPENSSL_NO_FP_API -+static int fips_PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+ { -+ if (FIPS_mode()) -+ return PEM_write_PKCS8PrivateKey(fp, x, enc, -+ (char *)kstr, klen, cb, u); -+ else -+ return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey, -+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY), -+ fp,x,enc,kstr,klen,cb,u); -+ } -+#endif -+ -+#endif - - #ifndef OPENSSL_NO_RSA - -@@ -193,7 +223,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RS - - #endif - -+#ifdef OPENSSL_FIPS -+ -+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_RSA(k, x); -+ -+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+ -+#ifndef OPENSSL_NO_FP_API -+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ -+ EVP_PKEY_set1_RSA(k, x); -+ -+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+#endif -+ -+#else -+ - IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) -+ -+#endif -+ - IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) - IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) - -@@ -223,7 +295,47 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, - return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ - } - -+#ifdef OPENSSL_FIPS -+ -+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_DSA(k, x); -+ -+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+ -+#ifndef OPENSSL_NO_FP_API -+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_DSA(k, x); -+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+#endif -+ -+#else -+ - IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) -+ -+#endif -+ - IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) - - #ifndef OPENSSL_NO_FP_API -@@ -269,8 +381,49 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *b - - IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters) - -+ -+ -+#ifdef OPENSSL_FIPS -+ -+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_EC_KEY(k, x); -+ -+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+ -+#ifndef OPENSSL_NO_FP_API -+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc, -+ unsigned char *kstr, int klen, -+ pem_password_cb *cb, void *u) -+{ -+ EVP_PKEY *k; -+ int ret; -+ k = EVP_PKEY_new(); -+ if (!k) -+ return 0; -+ EVP_PKEY_set1_EC_KEY(k, x); -+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); -+ EVP_PKEY_free(k); -+ return ret; -+} -+#endif -+ -+#else -+ - IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) - -+#endif -+ - IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) - - #ifndef OPENSSL_NO_FP_API diff --git a/openssl-1.0.1c-backports.patch b/openssl-1.0.1c-backports.patch deleted file mode 100644 index cc3c3ec..0000000 --- a/openssl-1.0.1c-backports.patch +++ /dev/null @@ -1,106 +0,0 @@ -diff -up openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports openssl-1.0.1c/crypto/asn1/x_pubkey.c ---- openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports 2012-02-28 15:47:16.000000000 +0100 -+++ openssl-1.0.1c/crypto/asn1/x_pubkey.c 2012-05-15 17:44:14.584128501 +0200 -@@ -175,12 +175,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *k - CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); - if (key->pkey) - { -+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); - EVP_PKEY_free(ret); - ret = key->pkey; - } - else -+ { - key->pkey = ret; -- CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); -+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); -+ } - CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); - - return ret; -diff -up openssl-1.0.1c/ssl/s3_lib.c.backports openssl-1.0.1c/ssl/s3_lib.c ---- openssl-1.0.1c/ssl/s3_lib.c.backports 2012-04-17 17:20:17.000000000 +0200 -+++ openssl-1.0.1c/ssl/s3_lib.c 2012-05-15 17:42:43.880139566 +0200 -@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 0, /* not implemented (non-ephemeral DH) */ - TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, - TLS1_CK_DH_DSS_WITH_AES_128_SHA256, -- SSL_kDHr, -+ SSL_kDHd, - SSL_aDH, - SSL_AES128, - SSL_SHA256, -@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 0, /* not implemented (non-ephemeral DH) */ - TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, - TLS1_CK_DH_DSS_WITH_AES_256_SHA256, -- SSL_kDHr, -+ SSL_kDHd, - SSL_aDH, - SSL_AES256, - SSL_SHA256, -@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 0, - TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, - TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, -- SSL_kDHr, -+ SSL_kDHd, - SSL_aDH, - SSL_AES128GCM, - SSL_AEAD, -@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 0, - TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, - TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, -- SSL_kDHr, -+ SSL_kDHd, - SSL_aDH, - SSL_AES256GCM, - SSL_AEAD, -@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, - TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, -- SSL_kECDHe, -+ SSL_kECDHr, - SSL_aECDH, - SSL_AES128, - SSL_SHA256, -@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, - TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, -- SSL_kECDHe, -+ SSL_kECDHr, - SSL_aECDH, - SSL_AES256, - SSL_SHA384, -@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, -- SSL_kECDHe, -+ SSL_kECDHr, - SSL_aECDH, - SSL_AES128GCM, - SSL_AEAD, -@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - 1, - TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, -- SSL_kECDHe, -+ SSL_kECDHr, - SSL_aECDH, - SSL_AES256GCM, - SSL_AEAD, -diff -up openssl-1.0.1c/ssl/s3_pkt.c.backports openssl-1.0.1c/ssl/s3_pkt.c ---- openssl-1.0.1c/ssl/s3_pkt.c.backports 2012-04-17 15:20:19.000000000 +0200 -+++ openssl-1.0.1c/ssl/s3_pkt.c 2012-05-15 17:43:48.470555889 +0200 -@@ -744,6 +744,7 @@ static int do_ssl3_write(SSL *s, int typ - * bytes and record version number > TLS 1.0 - */ - if (s->state == SSL3_ST_CW_CLNT_HELLO_B -+ && !s->renegotiate - && TLS1_get_version(s) > TLS1_VERSION) - *(p++) = 0x1; - else diff --git a/openssl-1.0.1c-backports2.patch b/openssl-1.0.1c-backports2.patch deleted file mode 100644 index 2e849bc..0000000 --- a/openssl-1.0.1c-backports2.patch +++ /dev/null @@ -1,385 +0,0 @@ -diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c ---- openssl-1.0.1c/apps/cms.c.backports2 2012-01-05 14:46:27.000000000 +0100 -+++ openssl-1.0.1c/apps/cms.c 2012-11-14 20:27:50.240211707 +0100 -@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv) - else if (!strcmp(*args,"-camellia256")) - cipher = EVP_camellia_256_cbc(); - #endif -+ else if (!strcmp (*args, "-debug_decrypt")) -+ flags |= CMS_DEBUG_DECRYPT; - else if (!strcmp (*args, "-text")) - flags |= CMS_TEXT; - else if (!strcmp (*args, "-nointern")) -@@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv) - ret = 4; - if (operation == SMIME_DECRYPT) - { -+ if (flags & CMS_DEBUG_DECRYPT) -+ CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); - - if (secret_key) - { -diff -up openssl-1.0.1c/crypto/asn1/a_strex.c.backports2 openssl-1.0.1c/crypto/asn1/a_strex.c ---- openssl-1.0.1c/crypto/asn1/a_strex.c.backports2 2011-01-03 02:30:58.000000000 +0100 -+++ openssl-1.0.1c/crypto/asn1/a_strex.c 2012-11-20 22:13:05.722766980 +0100 -@@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char ** - if(mbflag == -1) return -1; - mbflag |= MBSTRING_FLAG; - stmp.data = NULL; -+ stmp.length = 0; - ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); - if(ret < 0) return ret; - *out = stmp.data; -diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h ---- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 2012-11-14 20:27:49.696199811 +0100 -+++ openssl-1.0.1c/crypto/bn/bn_lcl.h 2012-11-14 20:27:50.240211707 +0100 -@@ -282,16 +282,23 @@ extern "C" { - # endif - # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)) - # if defined(__GNUC__) && __GNUC__>=2 --# define BN_UMULT_HIGH(a,b) ({ \ -+# if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */ -+# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64) -+# define BN_UMULT_LOHI(low,high,a,b) ({ \ -+ __uint128_t ret=(__uint128_t)(a)*(b); \ -+ (high)=ret>>64; (low)=ret; }) -+# else -+# define BN_UMULT_HIGH(a,b) ({ \ - register BN_ULONG ret; \ - asm ("dmultu %1,%2" \ - : "=h"(ret) \ - : "r"(a), "r"(b) : "l"); \ - ret; }) --# define BN_UMULT_LOHI(low,high,a,b) \ -+# define BN_UMULT_LOHI(low,high,a,b)\ - asm ("dmultu %2,%3" \ - : "=l"(low),"=h"(high) \ - : "r"(a), "r"(b)); -+# endif - # endif - # endif /* cpu */ - #endif /* OPENSSL_NO_ASM */ -diff -up openssl-1.0.1c/crypto/evp/e_aes.c.backports2 openssl-1.0.1c/crypto/evp/e_aes.c ---- openssl-1.0.1c/crypto/evp/e_aes.c.backports2 2012-11-14 20:27:50.238211664 +0100 -+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-11-20 22:10:06.350891703 +0100 -@@ -968,8 +968,6 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX - - if (!gctx->iv_set) - return -1; -- if (!ctx->encrypt && gctx->taglen < 0) -- return -1; - if (in) - { - if (out == NULL) -@@ -1011,6 +1009,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX - { - if (!ctx->encrypt) - { -+ if (gctx->taglen < 0) -+ return -1; - if (CRYPTO_gcm128_finish(&gctx->gcm, - ctx->buf, gctx->taglen) != 0) - return -1; -diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c ---- openssl-1.0.1c/crypto/modes/gcm128.c.backports2 2012-01-25 18:56:24.000000000 +0100 -+++ openssl-1.0.1c/crypto/modes/gcm128.c 2012-11-14 20:27:50.241211729 +0100 -@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT - void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult; - #endif - -- if (ctx->mres) -+ if (ctx->mres || ctx->ares) - GCM_MUL(ctx,Xi); - - if (is_endian.little) { -diff -up openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl.backports2 openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl ---- openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl.backports2 2012-11-14 20:27:50.293212866 +0100 -+++ openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl 2012-11-20 22:20:15.015041719 +0100 -@@ -177,6 +177,7 @@ for($i=0;$i<5;$i++) { - $code.=<<___; - teq $Xi,sp - bne .L_00_15 @ [((11+4)*5+2)*3] -+ sub sp,sp,#25*4 - ___ - &BODY_00_15(@V); unshift(@V,pop(@V)); - &BODY_16_19(@V); unshift(@V,pop(@V)); -@@ -186,7 +187,6 @@ ___ - $code.=<<___; - - ldr $K,.LK_20_39 @ [+15+16*4] -- sub sp,sp,#25*4 - cmn sp,#0 @ [+3], clear carry to denote 20_39 - .L_20_39_or_60_79: - ___ -diff -up openssl-1.0.1c/ssl/s3_srvr.c.backports2 openssl-1.0.1c/ssl/s3_srvr.c ---- openssl-1.0.1c/ssl/s3_srvr.c.backports2 2012-04-15 19:23:41.000000000 +0200 -+++ openssl-1.0.1c/ssl/s3_srvr.c 2012-11-20 22:23:21.684755182 +0100 -@@ -1181,7 +1181,7 @@ int ssl3_get_client_hello(SSL *s) - goto f_err; - } - } -- if (ssl_check_clienthello_tlsext(s) <= 0) { -+ if (ssl_check_clienthello_tlsext_early(s) <= 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); - goto err; - } -@@ -1403,6 +1403,16 @@ int ssl3_get_client_hello(SSL *s) - * s->tmp.new_cipher - the new cipher to use. - */ - -+ /* Handles TLS extensions that we couldn't check earlier */ -+ if (s->version >= SSL3_VERSION) -+ { -+ if (ssl_check_clienthello_tlsext_late(s) <= 0) -+ { -+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); -+ goto err; -+ } -+ } -+ - if (ret < 0) ret=1; - if (0) - { -diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c ---- openssl-1.0.1c/ssl/ssl_cert.c.backports2 2011-05-11 15:37:52.000000000 +0200 -+++ openssl-1.0.1c/ssl/ssl_cert.c 2012-11-14 20:27:50.241211729 +0100 -@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT - { - /* Set digest values to defaults */ - #ifndef OPENSSL_NO_DSA -- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); -+ cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); - #endif - #ifndef OPENSSL_NO_RSA - cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - #endif - #ifndef OPENSSL_NO_ECDSA -- cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); -+ cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); - #endif - } - -diff -up openssl-1.0.1c/ssl/ssl_lib.c.backports2 openssl-1.0.1c/ssl/ssl_lib.c ---- openssl-1.0.1c/ssl/ssl_lib.c.backports2 2012-01-05 11:22:39.000000000 +0100 -+++ openssl-1.0.1c/ssl/ssl_lib.c 2012-11-20 22:25:29.243509755 +0100 -@@ -2287,7 +2287,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 - #endif - - /* THIS NEEDS CLEANING UP */ --X509 *ssl_get_server_send_cert(SSL *s) -+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) - { - unsigned long alg_k,alg_a; - CERT *c; -@@ -2345,9 +2345,17 @@ X509 *ssl_get_server_send_cert(SSL *s) - SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); - return(NULL); - } -- if (c->pkeys[i].x509 == NULL) return(NULL); - -- return(c->pkeys[i].x509); -+ return c->pkeys + i; -+ } -+ -+X509 *ssl_get_server_send_cert(const SSL *s) -+ { -+ CERT_PKEY *cpk; -+ cpk = ssl_get_server_send_pkey(s); -+ if (!cpk) -+ return NULL; -+ return cpk->x509; - } - - EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) -@@ -2780,7 +2788,9 @@ void ssl_clear_cipher_ctx(SSL *s) - /* Fix this function so that it takes an optional type parameter */ - X509 *SSL_get_certificate(const SSL *s) - { -- if (s->cert != NULL) -+ if (s->server) -+ return(ssl_get_server_send_cert(s)); -+ else if (s->cert != NULL) - return(s->cert->key->x509); - else - return(NULL); -diff -up openssl-1.0.1c/ssl/ssl_locl.h.backports2 openssl-1.0.1c/ssl/ssl_locl.h ---- openssl-1.0.1c/ssl/ssl_locl.h.backports2 2012-11-14 20:27:50.056207682 +0100 -+++ openssl-1.0.1c/ssl/ssl_locl.h 2012-11-20 22:25:29.244509777 +0100 -@@ -814,7 +814,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_O - int ssl_undefined_function(SSL *s); - int ssl_undefined_void_function(void); - int ssl_undefined_const_function(const SSL *s); --X509 *ssl_get_server_send_cert(SSL *); -+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); -+X509 *ssl_get_server_send_cert(const SSL *); - EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); - int ssl_cert_type(X509 *x,EVP_PKEY *pkey); - void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); -@@ -1065,7 +1066,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, - int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); - int ssl_prepare_clienthello_tlsext(SSL *s); - int ssl_prepare_serverhello_tlsext(SSL *s); --int ssl_check_clienthello_tlsext(SSL *s); -+int ssl_check_clienthello_tlsext_early(SSL *s); -+int ssl_check_clienthello_tlsext_late(SSL *s); - int ssl_check_serverhello_tlsext(SSL *s); - - #ifndef OPENSSL_NO_HEARTBEATS -diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c ---- openssl-1.0.1c/ssl/t1_lib.c.backports2 2012-03-21 22:32:57.000000000 +0100 -+++ openssl-1.0.1c/ssl/t1_lib.c 2012-11-20 22:25:29.244509777 +0100 -@@ -1763,7 +1763,7 @@ int ssl_prepare_serverhello_tlsext(SSL * - return 1; - } - --int ssl_check_clienthello_tlsext(SSL *s) -+int ssl_check_clienthello_tlsext_early(SSL *s) - { - int ret=SSL_TLSEXT_ERR_NOACK; - int al = SSL_AD_UNRECOGNIZED_NAME; -@@ -1782,42 +1782,12 @@ int ssl_check_clienthello_tlsext(SSL *s) - else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) - ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); - -- /* If status request then ask callback what to do. -- * Note: this must be called after servername callbacks in case -- * the certificate has changed. -- */ -- if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) -- { -- int r; -- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); -- switch (r) -- { -- /* We don't want to send a status request response */ -- case SSL_TLSEXT_ERR_NOACK: -- s->tlsext_status_expected = 0; -- break; -- /* status request response should be sent */ -- case SSL_TLSEXT_ERR_OK: -- if (s->tlsext_ocsp_resp) -- s->tlsext_status_expected = 1; -- else -- s->tlsext_status_expected = 0; -- break; -- /* something bad happened */ -- case SSL_TLSEXT_ERR_ALERT_FATAL: -- ret = SSL_TLSEXT_ERR_ALERT_FATAL; -- al = SSL_AD_INTERNAL_ERROR; -- goto err; -- } -- } -- else -- s->tlsext_status_expected = 0; -- - #ifdef TLSEXT_TYPE_opaque_prf_input - { - /* This sort of belongs into ssl_prepare_serverhello_tlsext(), - * but we might be sending an alert in response to the client hello, -- * so this has to happen here in ssl_check_clienthello_tlsext(). */ -+ * so this has to happen here in -+ * ssl_check_clienthello_tlsext_early(). */ - - int r = 1; - -@@ -1869,8 +1839,8 @@ int ssl_check_clienthello_tlsext(SSL *s) - } - } - --#endif - err: -+#endif - switch (ret) - { - case SSL_TLSEXT_ERR_ALERT_FATAL: -@@ -1888,6 +1858,71 @@ int ssl_check_clienthello_tlsext(SSL *s) - } - } - -+int ssl_check_clienthello_tlsext_late(SSL *s) -+ { -+ int ret = SSL_TLSEXT_ERR_OK; -+ int al; -+ -+ /* If status request then ask callback what to do. -+ * Note: this must be called after servername callbacks in case -+ * the certificate has changed, and must be called after the cipher -+ * has been chosen because this may influence which certificate is sent -+ */ -+ if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) -+ { -+ int r; -+ CERT_PKEY *certpkey; -+ certpkey = ssl_get_server_send_pkey(s); -+ /* If no certificate can't return certificate status */ -+ if (certpkey == NULL) -+ { -+ s->tlsext_status_expected = 0; -+ return 1; -+ } -+ /* Set current certificate to one we will use so -+ * SSL_get_certificate et al can pick it up. -+ */ -+ s->cert->key = certpkey; -+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); -+ switch (r) -+ { -+ /* We don't want to send a status request response */ -+ case SSL_TLSEXT_ERR_NOACK: -+ s->tlsext_status_expected = 0; -+ break; -+ /* status request response should be sent */ -+ case SSL_TLSEXT_ERR_OK: -+ if (s->tlsext_ocsp_resp) -+ s->tlsext_status_expected = 1; -+ else -+ s->tlsext_status_expected = 0; -+ break; -+ /* something bad happened */ -+ case SSL_TLSEXT_ERR_ALERT_FATAL: -+ ret = SSL_TLSEXT_ERR_ALERT_FATAL; -+ al = SSL_AD_INTERNAL_ERROR; -+ goto err; -+ } -+ } -+ else -+ s->tlsext_status_expected = 0; -+ -+ err: -+ switch (ret) -+ { -+ case SSL_TLSEXT_ERR_ALERT_FATAL: -+ ssl3_send_alert(s,SSL3_AL_FATAL,al); -+ return -1; -+ -+ case SSL_TLSEXT_ERR_ALERT_WARNING: -+ ssl3_send_alert(s,SSL3_AL_WARNING,al); -+ return 1; -+ -+ default: -+ return 1; -+ } -+ } -+ - int ssl_check_serverhello_tlsext(SSL *s) - { - int ret=SSL_TLSEXT_ERR_NOACK; -@@ -2414,7 +2449,7 @@ int tls1_process_sigalgs(SSL *s, const u - */ - #ifndef OPENSSL_NO_DSA - if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) -- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); -+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); - #endif - #ifndef OPENSSL_NO_RSA - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) -@@ -2425,7 +2460,7 @@ int tls1_process_sigalgs(SSL *s, const u - #endif - #ifndef OPENSSL_NO_ECDSA - if (!c->pkeys[SSL_PKEY_ECC].digest) -- c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); -+ c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); - #endif - return 1; - } diff --git a/openssl-1.0.1c-ccm-init-str.patch b/openssl-1.0.1c-ccm-init-str.patch deleted file mode 100644 index bc89723..0000000 --- a/openssl-1.0.1c-ccm-init-str.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up openssl-1.0.1c/crypto/evp/e_aes.c.init-str openssl-1.0.1c/crypto/evp/e_aes.c ---- openssl-1.0.1c/crypto/evp/e_aes.c.init-str 2012-09-06 17:20:45.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-09-06 17:18:30.000000000 +0200 -@@ -1216,6 +1216,7 @@ static int aes_ccm_init_key(EVP_CIPHER_C - vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); - CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, - &cctx->ks, (block128_f)vpaes_encrypt); -+ cctx->str = NULL; - cctx->key_set = 1; - break; - } diff --git a/openssl-1.0.1c-issuer-hash.patch b/openssl-1.0.1c-issuer-hash.patch deleted file mode 100644 index f911501..0000000 --- a/openssl-1.0.1c-issuer-hash.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1c/crypto/x509/x509_cmp.c ---- openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash 2011-06-22 04:18:06.000000000 +0200 -+++ openssl-1.0.1c/crypto/x509/x509_cmp.c 2012-12-21 17:18:38.101308997 +0100 -@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has - char *f; - - EVP_MD_CTX_init(&ctx); -+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); - ret=strlen(f); - if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) diff --git a/openssl-1.0.1c-manfix.patch b/openssl-1.0.1c-manfix.patch deleted file mode 100644 index c4053d9..0000000 --- a/openssl-1.0.1c-manfix.patch +++ /dev/null @@ -1,474 +0,0 @@ -diff -up openssl-1.0.1c/doc/apps/verify.pod.manfix openssl-1.0.1c/doc/apps/verify.pod ---- openssl-1.0.1c/doc/apps/verify.pod.manfix 2010-02-23 15:09:22.000000000 +0100 -+++ openssl-1.0.1c/doc/apps/verify.pod 2013-01-30 17:36:15.277264650 +0100 -@@ -54,35 +54,37 @@ in PEM format concatenated together. - =item B<-untrusted file> - - A file of untrusted certificates. The file should contain multiple certificates -+in PEM format concatenated together. - - =item B<-purpose purpose> - --the intended use for the certificate. Without this option no chain verification --will be done. Currently accepted uses are B, B, --B, B, B. See the B --section for more information. -+The intended use for the certificate. If this option is not specified, -+B will not consider certificate purpose during chain verification. -+Currently accepted uses are B, B, B, -+B, B. See the B section for more -+information. - - =item B<-help> - --prints out a usage message. -+Print out a usage message. - - =item B<-verbose> - --print extra information about the operations being performed. -+Print extra information about the operations being performed. - - =item B<-issuer_checks> - --print out diagnostics relating to searches for the issuer certificate --of the current certificate. This shows why each candidate issuer --certificate was rejected. However the presence of rejection messages --does not itself imply that anything is wrong: during the normal --verify process several rejections may take place. -+Print out diagnostics relating to searches for the issuer certificate of the -+current certificate. This shows why each candidate issuer certificate was -+rejected. The presence of rejection messages does not itself imply that -+anything is wrong; during the normal verification process, several -+rejections may take place. - - =item B<-policy arg> - --Enable policy processing and add B to the user-initial-policy-set --(see RFC3280 et al). The policy B can be an object name an OID in numeric --form. This argument can appear more than once. -+Enable policy processing and add B to the user-initial-policy-set (see -+RFC5280). The policy B can be an object name an OID in numeric form. -+This argument can appear more than once. - - =item B<-policy_check> - -@@ -90,41 +92,40 @@ Enables certificate policy processing. - - =item B<-explicit_policy> - --Set policy variable require-explicit-policy (see RFC3280 et al). -+Set policy variable require-explicit-policy (see RFC5280). - - =item B<-inhibit_any> - --Set policy variable inhibit-any-policy (see RFC3280 et al). -+Set policy variable inhibit-any-policy (see RFC5280). - - =item B<-inhibit_map> - --Set policy variable inhibit-policy-mapping (see RFC3280 et al). -+Set policy variable inhibit-policy-mapping (see RFC5280). - - =item B<-policy_print> - --Print out diagnostics, related to policy checking -+Print out diagnostics related to policy processing. - - =item B<-crl_check> - --Checks end entity certificate validity by attempting to lookup a valid CRL. -+Checks end entity certificate validity by attempting to look up a valid CRL. - If a valid CRL cannot be found an error occurs. - - =item B<-crl_check_all> - - Checks the validity of B certificates in the chain by attempting --to lookup valid CRLs. -+to look up valid CRLs. - - =item B<-ignore_critical> - - Normally if an unhandled critical extension is present which is not --supported by OpenSSL the certificate is rejected (as required by --RFC3280 et al). If this option is set critical extensions are --ignored. -+supported by OpenSSL the certificate is rejected (as required by RFC5280). -+If this option is set critical extensions are ignored. - - =item B<-x509_strict> - --Disable workarounds for broken certificates which have to be disabled --for strict X.509 compliance. -+For strict X.509 compliance, disable non-compliant workarounds for broken -+certificates. - - =item B<-extended_crl> - -@@ -142,16 +143,15 @@ because it doesn't add any security. - - =item B<-> - --marks the last option. All arguments following this are assumed to be -+Indicates the last option. All arguments following this are assumed to be - certificate files. This is useful if the first certificate filename begins - with a B<->. - - =item B - --one or more certificates to verify. If no certificate filenames are included --then an attempt is made to read a certificate from standard input. They should --all be in PEM format. -- -+One or more certificates to verify. If no certificates are given, B -+will attempt to read a certificate from standard input. Certificates must be -+in PEM format. - - =back - -diff -up openssl-1.0.1c/doc/apps/x509.pod.manfix openssl-1.0.1c/doc/apps/x509.pod ---- openssl-1.0.1c/doc/apps/x509.pod.manfix 2013-01-10 10:26:11.000000000 +0100 -+++ openssl-1.0.1c/doc/apps/x509.pod 2013-01-30 17:35:38.952458133 +0100 -@@ -29,6 +29,7 @@ B B - [B<-purpose>] - [B<-dates>] - [B<-modulus>] -+[B<-pubkey>] - [B<-fingerprint>] - [B<-alias>] - [B<-noout>] -@@ -136,6 +137,10 @@ section for more information. - - this option prevents output of the encoded version of the request. - -+=item B<-pubkey> -+ -+outputs the the certificate's SubjectPublicKeyInfo block in PEM format. -+ - =item B<-modulus> - - this option prints out the value of the modulus of the public key -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_CTX_ctrl.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_CTX_ctrl.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_CTX_ctrl.pod.manfix 2009-10-01 01:40:47.000000000 +0200 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_CTX_ctrl.pod 2013-01-30 17:36:05.381045128 +0100 -@@ -117,7 +117,7 @@ L, - L, - L, --L, -+L, - L - L - -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_decrypt.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_decrypt.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_decrypt.pod.manfix 2009-10-01 01:40:48.000000000 +0200 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_decrypt.pod 2013-01-30 17:36:05.381045128 +0100 -@@ -83,7 +83,7 @@ L, - L, - L, --L, -+L, - L - - =head1 HISTORY -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_derive.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_derive.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_derive.pod.manfix 2009-10-01 01:40:48.000000000 +0200 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_derive.pod 2013-01-30 17:36:05.381045128 +0100 -@@ -84,7 +84,7 @@ L, - L, - L, --L, -+L, - - =head1 HISTORY - -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_encrypt.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_encrypt.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_encrypt.pod.manfix 2009-10-01 01:40:48.000000000 +0200 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_encrypt.pod 2013-01-30 17:36:05.382045143 +0100 -@@ -83,7 +83,7 @@ L, - L, - L, --L, -+L, - L - - =head1 HISTORY -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_get_default_digest.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_get_default_digest.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_get_default_digest.pod.manfix 2009-10-01 01:40:48.000000000 +0200 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_get_default_digest.pod 2013-01-30 17:36:05.382045143 +0100 -@@ -32,7 +32,7 @@ public key algorithm. - L, - L, - L, --L, -+L, - - =head1 HISTORY - -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_keygen.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_keygen.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_keygen.pod.manfix 2009-10-01 01:40:49.000000000 +0200 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_keygen.pod 2013-01-30 17:36:05.382045143 +0100 -@@ -151,7 +151,7 @@ L, - L, - L, --L, -+L, - L - - =head1 HISTORY -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_sign.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_sign.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_sign.pod.manfix 2009-10-01 01:40:50.000000000 +0200 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_sign.pod 2013-01-30 17:36:05.383045149 +0100 -@@ -86,7 +86,7 @@ L, - L, - L, --L, -+L, - L - - =head1 HISTORY -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_verify.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_verify.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_verify.pod.manfix 2010-12-02 14:45:25.000000000 +0100 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_verify.pod 2013-01-30 17:36:05.383045149 +0100 -@@ -81,7 +81,7 @@ L, - L, - L, --L, -+L, - L - - =head1 HISTORY -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_verify_recover.pod.manfix openssl-1.0.1c/doc/crypto/EVP_PKEY_verify_recover.pod ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_verify_recover.pod.manfix 2013-01-30 17:36:05.383045149 +0100 -+++ openssl-1.0.1c/doc/crypto/EVP_PKEY_verify_recover.pod 2013-01-30 17:36:05.383045149 +0100 -@@ -0,0 +1,103 @@ -+=pod -+ -+=head1 NAME -+ -+EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using a public key algorithm -+ -+=head1 SYNOPSIS -+ -+ #include -+ -+ int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx); -+ int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, -+ unsigned char *rout, size_t *routlen, -+ const unsigned char *sig, size_t siglen); -+ -+=head1 DESCRIPTION -+ -+The EVP_PKEY_verify_recover_init() function initializes a public key algorithm -+context using key B for a verify recover operation. -+ -+The EVP_PKEY_verify_recover() function recovers signed data -+using B. The signature is specified using the B and -+B parameters. If B is B then the maximum size of the output -+buffer is written to the B parameter. If B is not B then -+before the call the B parameter should contain the length of the -+B buffer, if the call is successful recovered data is written to -+B and the amount of data written to B. -+ -+=head1 NOTES -+ -+Normally an application is only interested in whether a signature verification -+operation is successful in those cases the EVP_verify() function should be -+used. -+ -+Sometimes however it is useful to obtain the data originally signed using a -+signing operation. Only certain public key algorithms can recover a signature -+in this way (for example RSA in PKCS padding mode). -+ -+After the call to EVP_PKEY_verify_recover_init() algorithm specific control -+operations can be performed to set any appropriate parameters for the -+operation. -+ -+The function EVP_PKEY_verify_recover() can be called more than once on the same -+context if several operations are performed using the same parameters. -+ -+=head1 RETURN VALUES -+ -+EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for success -+and 0 or a negative value for failure. In particular a return value of -2 -+indicates the operation is not supported by the public key algorithm. -+ -+=head1 EXAMPLE -+ -+Recover digest originally signed using PKCS#1 and SHA256 digest: -+ -+ #include -+ #include -+ -+ EVP_PKEY_CTX *ctx; -+ unsigned char *rout, *sig; -+ size_t routlen, siglen; -+ EVP_PKEY *verify_key; -+ /* NB: assumes verify_key, sig and siglen are already set up -+ * and that verify_key is an RSA public key -+ */ -+ ctx = EVP_PKEY_CTX_new(verify_key); -+ if (!ctx) -+ /* Error occurred */ -+ if (EVP_PKEY_verify_recover_init(ctx) <= 0) -+ /* Error */ -+ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) -+ /* Error */ -+ if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) -+ /* Error */ -+ -+ /* Determine buffer length */ -+ if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0) -+ /* Error */ -+ -+ rout = OPENSSL_malloc(routlen); -+ -+ if (!rout) -+ /* malloc failure */ -+ -+ if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0) -+ /* Error */ -+ -+ /* Recovered data is routlen bytes written to buffer rout */ -+ -+=head1 SEE ALSO -+ -+L, -+L, -+L, -+L, -+L, -+L -+ -+=head1 HISTORY -+ -+These functions were first added to OpenSSL 1.0.0. -+ -+=cut -diff -up openssl-1.0.1c/doc/crypto/X509_STORE_CTX_get_error.pod.manfix openssl-1.0.1c/doc/crypto/X509_STORE_CTX_get_error.pod ---- openssl-1.0.1c/doc/crypto/X509_STORE_CTX_get_error.pod.manfix 2009-10-18 17:28:59.000000000 +0200 -+++ openssl-1.0.1c/doc/crypto/X509_STORE_CTX_get_error.pod 2013-01-30 17:34:16.315630759 +0100 -@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl - an application specific error. This will never be returned unless explicitly - set by an application. - -+=back -+ - =head1 NOTES - - The above functions should be used instead of directly referencing the fields -diff -up openssl-1.0.1c/doc/crypto/EVP_PKEY_verifyrecover.pod /dev/null ---- openssl-1.0.1c/doc/crypto/EVP_PKEY_verifyrecover.pod -+++ /dev/null -@@ -1,103 +0,0 @@ --=pod -- --=head1 NAME -- --EVP_PKEY_verifyrecover_init, EVP_PKEY_verifyrecover - recover signature using a public key algorithm -- --=head1 SYNOPSIS -- -- #include -- -- int EVP_PKEY_verifyrecover_init(EVP_PKEY_CTX *ctx); -- int EVP_PKEY_verifyrecover(EVP_PKEY_CTX *ctx, -- unsigned char *rout, size_t *routlen, -- const unsigned char *sig, size_t siglen); -- --=head1 DESCRIPTION -- --The EVP_PKEY_verifyrecover_init() function initializes a public key algorithm --context using key B for a verify recover operation. -- --The EVP_PKEY_verifyrecover() function recovers signed data --using B. The signature is specified using the B and --B parameters. If B is B then the maximum size of the output --buffer is written to the B parameter. If B is not B then --before the call the B parameter should contain the length of the --B buffer, if the call is successful recovered data is written to --B and the amount of data written to B. -- --=head1 NOTES -- --Normally an application is only interested in whether a signature verification --operation is successful in those cases the EVP_verify() function should be --used. -- --Sometimes however it is useful to obtain the data originally signed using a --signing operation. Only certain public key algorithms can recover a signature --in this way (for example RSA in PKCS padding mode). -- --After the call to EVP_PKEY_verifyrecover_init() algorithm specific control --operations can be performed to set any appropriate parameters for the --operation. -- --The function EVP_PKEY_verifyrecover() can be called more than once on the same --context if several operations are performed using the same parameters. -- --=head1 RETURN VALUES -- --EVP_PKEY_verifyrecover_init() and EVP_PKEY_verifyrecover() return 1 for success --and 0 or a negative value for failure. In particular a return value of -2 --indicates the operation is not supported by the public key algorithm. -- --=head1 EXAMPLE -- --Recover digest originally signed using PKCS#1 and SHA256 digest: -- -- #include -- #include -- -- EVP_PKEY_CTX *ctx; -- unsigned char *rout, *sig; -- size_t routlen, siglen; -- EVP_PKEY *verify_key; -- /* NB: assumes verify_key, sig and siglen are already set up -- * and that verify_key is an RSA public key -- */ -- ctx = EVP_PKEY_CTX_new(verify_key); -- if (!ctx) -- /* Error occurred */ -- if (EVP_PKEY_verifyrecover_init(ctx) <= 0) -- /* Error */ -- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) -- /* Error */ -- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) -- /* Error */ -- -- /* Determine buffer length */ -- if (EVP_PKEY_verifyrecover(ctx, NULL, &routlen, sig, siglen) <= 0) -- /* Error */ -- -- rout = OPENSSL_malloc(routlen); -- -- if (!rout) -- /* malloc failure */ -- -- if (EVP_PKEY_verifyrecover(ctx, rout, &routlen, sig, siglen) <= 0) -- /* Error */ -- -- /* Recovered data is routlen bytes written to buffer rout */ -- --=head1 SEE ALSO -- --L, --L, --L, --L, --L, --L -- --=head1 HISTORY -- --These functions were first added to OpenSSL 1.0.0. -- --=cut --- - diff --git a/openssl-1.0.1c-verify-error.patch b/openssl-1.0.1c-verify-error.patch deleted file mode 100644 index 3bdcb48..0000000 --- a/openssl-1.0.1c-verify-error.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 5bb6d96558ff6013826e3362f4c81513e3df23ff Mon Sep 17 00:00:00 2001 -From: Ben Laurie -Date: Thu, 13 Dec 2012 15:48:42 +0000 -Subject: [PATCH] Make verify return errors. - ---- - CHANGES | 3 +++ - Makefile.org | 2 +- - apps/verify.c | 16 ++++++++++++---- - test/Makefile | 2 +- - 4 files changed, 17 insertions(+), 6 deletions(-) - -diff --git a/Makefile.org b/Makefile.org -index 55273ea..43d16cb 100644 ---- a/Makefile.org -+++ b/Makefile.org -@@ -444,7 +444,7 @@ rehash.time: certs apps - [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ - OPENSSL_DEBUG_MEMORY=on; \ - export OPENSSL OPENSSL_DEBUG_MEMORY; \ -- $(PERL) tools/c_rehash certs) && \ -+ $(PERL) tools/c_rehash certs/demo) && \ - touch rehash.time; \ - else :; fi - -diff --git a/apps/verify.c b/apps/verify.c -index 0f34b86..893670f 100644 ---- a/apps/verify.c -+++ b/apps/verify.c -@@ -222,11 +222,19 @@ int MAIN(int argc, char **argv) - goto end; - } - -- if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e); -+ ret = 0; -+ if (argc < 1) -+ { -+ if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e)) -+ ret = -1; -+ } - else -+ { - for (i=0; i +Date: Fri, 15 Feb 2013 17:44:11 +0000 +Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man + 2.5.0+ + +podlators 2.5.0 has switched to dying on POD syntax errors. This means +that a bunch of long-standing erroneous POD in the openssl documentation +now leads to fatal errors from pod2man, halting installation. + +Unfortunately POD constraints mean that you have to sort numeric lists +in ascending order if they start with 1: you cannot do 1, 0, 2 even if +you want 1 to appear first. I've reshuffled such (alas, I wish there +were a better way but I don't know of one). +(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b) +--- + doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++ + doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++---- + doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++ + doc/ssl/SSL_accept.pod | 10 +++++----- + doc/ssl/SSL_connect.pod | 10 +++++----- + doc/ssl/SSL_do_handshake.pod | 10 +++++----- + doc/ssl/SSL_shutdown.pod | 10 +++++----- + 7 files changed, 30 insertions(+), 24 deletions(-) + +diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod +index a883f6c..60e8332 100644 +--- a/doc/crypto/X509_STORE_CTX_get_error.pod ++++ b/doc/crypto/X509_STORE_CTX_get_error.pod +@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled. + an application specific error. This will never be returned unless explicitly + set by an application. + ++=back ++ + =head1 NOTES + + The above functions should be used instead of directly referencing the fields +diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod +index 632b556..5e66133 100644 +--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod ++++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod +@@ -66,16 +66,16 @@ values: + + =over 4 + +-=item 1 +- +-The operation succeeded. +- + =item 0 + + A failure while manipulating the STACK_OF(X509_NAME) object occurred or + the X509_NAME could not be extracted from B. Check the error stack + to find out the reason. + ++=item 1 ++ ++The operation succeeded. ++ + =back + + =head1 EXAMPLES +diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod +index b80e25b..7e60df5 100644 +--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod ++++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod +@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return + + Return values from the server callback are interpreted as follows: + ++=over 4 ++ + =item > 0 + + PSK identity was found and the server callback has provided the PSK +@@ -99,4 +101,6 @@ completely. + PSK identity was not found. An "unknown_psk_identity" alert message + will be sent and the connection setup fails. + ++=back ++ + =cut +diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod +index cc724c0..b1c34d1 100644 +--- a/doc/ssl/SSL_accept.pod ++++ b/doc/ssl/SSL_accept.pod +@@ -44,17 +44,17 @@ The following return values can occur: + + =over 4 + +-=item 1 +- +-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been +-established. +- + =item 0 + + The TLS/SSL handshake was not successful but was shut down controlled and + by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the + return value B to find out the reason. + ++=item 1 ++ ++The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been ++established. ++ + =item E0 + + The TLS/SSL handshake was not successful because a fatal error occurred either +diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod +index cc56ebb..946ca89 100644 +--- a/doc/ssl/SSL_connect.pod ++++ b/doc/ssl/SSL_connect.pod +@@ -41,17 +41,17 @@ The following return values can occur: + + =over 4 + +-=item 1 +- +-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been +-established. +- + =item 0 + + The TLS/SSL handshake was not successful but was shut down controlled and + by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the + return value B to find out the reason. + ++=item 1 ++ ++The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been ++established. ++ + =item E0 + + The TLS/SSL handshake was not successful, because a fatal error occurred either +diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod +index 2435764..7f8cf24 100644 +--- a/doc/ssl/SSL_do_handshake.pod ++++ b/doc/ssl/SSL_do_handshake.pod +@@ -45,17 +45,17 @@ The following return values can occur: + + =over 4 + +-=item 1 +- +-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been +-established. +- + =item 0 + + The TLS/SSL handshake was not successful but was shut down controlled and + by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the + return value B to find out the reason. + ++=item 1 ++ ++The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been ++established. ++ + =item E0 + + The TLS/SSL handshake was not successful because a fatal error occurred either +diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod +index 89911ac..42a89b7 100644 +--- a/doc/ssl/SSL_shutdown.pod ++++ b/doc/ssl/SSL_shutdown.pod +@@ -92,11 +92,6 @@ The following return values can occur: + + =over 4 + +-=item 1 +- +-The shutdown was successfully completed. The "close notify" alert was sent +-and the peer's "close notify" alert was received. +- + =item 0 + + The shutdown is not yet finished. Call SSL_shutdown() for a second time, +@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed. + The output of L may be misleading, as an + erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. + ++=item 1 ++ ++The shutdown was successfully completed. The "close notify" alert was sent ++and the peer's "close notify" alert was received. ++ + =item -1 + + The shutdown was not successful because a fatal error occurred either +-- +1.7.9.5 + +From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Mon, 11 Feb 2013 18:24:03 +0000 +Subject: [PATCH] Fix for SSL_get_certificate + +Now we set the current certificate to the one used by a server +there is no need to call ssl_get_server_send_cert which will +fail if we haven't sent a certificate yet. +--- + ssl/ssl_lib.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 14d143d..ff5a85a 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s) + /* Fix this function so that it takes an optional type parameter */ + X509 *SSL_get_certificate(const SSL *s) + { +- if (s->server) +- return(ssl_get_server_send_cert(s)); +- else if (s->cert != NULL) ++ if (s->cert != NULL) + return(s->cert->key->x509); + else + return(NULL); +-- +1.7.9.5 + +From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Tue, 12 Feb 2013 14:55:32 +0000 +Subject: [PATCH] Check DTLS_BAD_VER for version number. + +The version check for DTLS1_VERSION was redundant as +DTLS1_VERSION > TLS1_1_VERSION, however we do need to +check for DTLS1_BAD_VER for compatibility. + +PR:2984 +(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc) +--- + ssl/s3_cbc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c +index 02edf3f..443a31e 100644 +--- a/ssl/s3_cbc.c ++++ b/ssl/s3_cbc.c +@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, + unsigned padding_length, good, to_check, i; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ +- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) + { + /* These lengths are all public so we can test them in + * non-constant time. +-- +1.7.9.5 + diff --git a/openssl-1.0.1c-fips.patch b/openssl-1.0.1e-fips.patch similarity index 95% rename from openssl-1.0.1c-fips.patch rename to openssl-1.0.1e-fips.patch index e1e6200..0175754 100644 --- a/openssl-1.0.1c-fips.patch +++ b/openssl-1.0.1e-fips.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.1c/apps/pkcs12.c.fips openssl-1.0.1c/apps/pkcs12.c ---- openssl-1.0.1c/apps/pkcs12.c.fips 2011-03-13 19:20:23.000000000 +0100 -+++ openssl-1.0.1c/apps/pkcs12.c 2012-07-12 21:49:25.316351789 +0200 +diff -up openssl-1.0.1e/apps/pkcs12.c.fips openssl-1.0.1e/apps/pkcs12.c +--- openssl-1.0.1e/apps/pkcs12.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/pkcs12.c 2013-02-19 12:47:33.714118364 +0100 @@ -67,6 +67,9 @@ #include #include @@ -23,9 +23,9 @@ diff -up openssl-1.0.1c/apps/pkcs12.c.fips openssl-1.0.1c/apps/pkcs12.c enc = EVP_des_ede3_cbc(); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); -diff -up openssl-1.0.1c/apps/speed.c.fips openssl-1.0.1c/apps/speed.c ---- openssl-1.0.1c/apps/speed.c.fips 2012-01-11 22:49:16.000000000 +0100 -+++ openssl-1.0.1c/apps/speed.c 2012-07-12 21:49:25.317351811 +0200 +diff -up openssl-1.0.1e/apps/speed.c.fips openssl-1.0.1e/apps/speed.c +--- openssl-1.0.1e/apps/speed.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/speed.c 2013-02-19 12:47:33.715118384 +0100 @@ -195,7 +195,6 @@ #ifdef OPENSSL_DOING_MAKEDEPEND #undef AES_set_encrypt_key @@ -123,10 +123,10 @@ diff -up openssl-1.0.1c/apps/speed.c.fips openssl-1.0.1c/apps/speed.c #endif #ifndef OPENSSL_NO_RSA memset(rsa_c,0,sizeof(rsa_c)); -diff -up openssl-1.0.1c/Configure.fips openssl-1.0.1c/Configure ---- openssl-1.0.1c/Configure.fips 2012-07-12 21:49:25.276350889 +0200 -+++ openssl-1.0.1c/Configure 2012-07-12 21:49:25.319351855 +0200 -@@ -993,11 +993,6 @@ if (defined($disabled{"md5"}) || defined +diff -up openssl-1.0.1e/Configure.fips openssl-1.0.1e/Configure +--- openssl-1.0.1e/Configure.fips 2013-02-19 12:47:33.670117470 +0100 ++++ openssl-1.0.1e/Configure 2013-02-19 12:47:33.716118405 +0100 +@@ -995,11 +995,6 @@ if (defined($disabled{"md5"}) || defined $disabled{"ssl2"} = "forced"; } @@ -138,7 +138,7 @@ diff -up openssl-1.0.1c/Configure.fips openssl-1.0.1c/Configure # RSAX ENGINE sets default non-FIPS RSA method. if ($fips) { -@@ -1472,7 +1467,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b +@@ -1474,7 +1469,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b if ($fips) { $openssl_other_defines.="#define OPENSSL_FIPS\n"; @@ -146,7 +146,7 @@ diff -up openssl-1.0.1c/Configure.fips openssl-1.0.1c/Configure } $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); -@@ -1659,9 +1653,12 @@ while () +@@ -1661,9 +1655,12 @@ while () s/^FIPSDIR=.*/FIPSDIR=$fipsdir/; s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; @@ -160,9 +160,9 @@ diff -up openssl-1.0.1c/Configure.fips openssl-1.0.1c/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.1c/crypto/aes/aes_misc.c.fips openssl-1.0.1c/crypto/aes/aes_misc.c ---- openssl-1.0.1c/crypto/aes/aes_misc.c.fips 2011-06-05 19:36:33.000000000 +0200 -+++ openssl-1.0.1c/crypto/aes/aes_misc.c 2012-07-12 21:49:25.319351855 +0200 +diff -up openssl-1.0.1e/crypto/aes/aes_misc.c.fips openssl-1.0.1e/crypto/aes/aes_misc.c +--- openssl-1.0.1e/crypto/aes/aes_misc.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/aes/aes_misc.c 2013-02-19 12:47:33.717118426 +0100 @@ -69,17 +69,11 @@ const char *AES_options(void) { int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key) @@ -181,9 +181,9 @@ diff -up openssl-1.0.1c/crypto/aes/aes_misc.c.fips openssl-1.0.1c/crypto/aes/aes -#endif return private_AES_set_decrypt_key(userKey, bits, key); } -diff -up openssl-1.0.1c/crypto/cmac/cmac.c.fips openssl-1.0.1c/crypto/cmac/cmac.c ---- openssl-1.0.1c/crypto/cmac/cmac.c.fips 2012-04-11 17:11:16.000000000 +0200 -+++ openssl-1.0.1c/crypto/cmac/cmac.c 2012-07-12 21:49:25.319351855 +0200 +diff -up openssl-1.0.1e/crypto/cmac/cmac.c.fips openssl-1.0.1e/crypto/cmac/cmac.c +--- openssl-1.0.1e/crypto/cmac/cmac.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/cmac/cmac.c 2013-02-19 12:47:33.717118426 +0100 @@ -107,13 +107,6 @@ CMAC_CTX *CMAC_CTX_new(void) void CMAC_CTX_cleanup(CMAC_CTX *ctx) @@ -232,9 +232,9 @@ diff -up openssl-1.0.1c/crypto/cmac/cmac.c.fips openssl-1.0.1c/crypto/cmac/cmac. if (ctx->nlast_block == -1) return 0; bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); -diff -up openssl-1.0.1c/crypto/crypto.h.fips openssl-1.0.1c/crypto/crypto.h ---- openssl-1.0.1c/crypto/crypto.h.fips 2012-07-12 21:49:25.048345760 +0200 -+++ openssl-1.0.1c/crypto/crypto.h 2012-07-12 21:49:25.320351878 +0200 +diff -up openssl-1.0.1e/crypto/crypto.h.fips openssl-1.0.1e/crypto/crypto.h +--- openssl-1.0.1e/crypto/crypto.h.fips 2013-02-19 12:47:33.444112876 +0100 ++++ openssl-1.0.1e/crypto/crypto.h 2013-02-19 12:47:33.718118447 +0100 @@ -553,24 +553,29 @@ int FIPS_mode_set(int r); void OPENSSL_init(void); @@ -270,7 +270,7 @@ diff -up openssl-1.0.1c/crypto/crypto.h.fips openssl-1.0.1c/crypto/crypto.h #define fips_cipher_abort(alg) while(0) #endif -@@ -580,6 +585,9 @@ void OPENSSL_init(void); +@@ -587,6 +592,9 @@ int CRYPTO_memcmp(const void *a, const v */ void ERR_load_CRYPTO_strings(void); @@ -280,9 +280,9 @@ diff -up openssl-1.0.1c/crypto/crypto.h.fips openssl-1.0.1c/crypto/crypto.h /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.1c/crypto/des/des.h.fips openssl-1.0.1c/crypto/des/des.h ---- openssl-1.0.1c/crypto/des/des.h.fips 2012-07-12 21:49:25.124347469 +0200 -+++ openssl-1.0.1c/crypto/des/des.h 2012-07-12 21:49:25.320351878 +0200 +diff -up openssl-1.0.1e/crypto/des/des.h.fips openssl-1.0.1e/crypto/des/des.h +--- openssl-1.0.1e/crypto/des/des.h.fips 2013-02-19 12:47:33.516114340 +0100 ++++ openssl-1.0.1e/crypto/des/des.h 2013-02-19 12:47:33.718118447 +0100 @@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DE int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule); @@ -293,10 +293,10 @@ diff -up openssl-1.0.1c/crypto/des/des.h.fips openssl-1.0.1c/crypto/des/des.h void DES_string_to_key(const char *str,DES_cblock *key); void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2); void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length, -diff -up openssl-1.0.1c/crypto/des/set_key.c.fips openssl-1.0.1c/crypto/des/set_key.c ---- openssl-1.0.1c/crypto/des/set_key.c.fips 2011-06-01 18:54:04.000000000 +0200 -+++ openssl-1.0.1c/crypto/des/set_key.c 2012-07-12 21:49:25.321351901 +0200 -@@ -337,13 +337,6 @@ int DES_set_key_checked(const_DES_cblock +diff -up openssl-1.0.1e/crypto/des/set_key.c.fips openssl-1.0.1e/crypto/des/set_key.c +--- openssl-1.0.1e/crypto/des/set_key.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/des/set_key.c 2013-02-19 12:47:33.719118468 +0100 +@@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock } void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) @@ -310,9 +310,9 @@ diff -up openssl-1.0.1c/crypto/des/set_key.c.fips openssl-1.0.1c/crypto/des/set_ { static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; register DES_LONG c,d,t,s,t2; -diff -up openssl-1.0.1c/crypto/dh/dh_gen.c.fips openssl-1.0.1c/crypto/dh/dh_gen.c ---- openssl-1.0.1c/crypto/dh/dh_gen.c.fips 2011-06-09 17:21:46.000000000 +0200 -+++ openssl-1.0.1c/crypto/dh/dh_gen.c 2012-07-12 21:49:25.321351901 +0200 +diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips openssl-1.0.1e/crypto/dh/dh_gen.c +--- openssl-1.0.1e/crypto/dh/dh_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-02-19 12:47:33.719118468 +0100 @@ -84,11 +84,6 @@ int DH_generate_parameters_ex(DH *ret, i #endif if(ret->meth->generate_params) @@ -346,9 +346,9 @@ diff -up openssl-1.0.1c/crypto/dh/dh_gen.c.fips openssl-1.0.1c/crypto/dh/dh_gen. ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); -diff -up openssl-1.0.1c/crypto/dh/dh.h.fips openssl-1.0.1c/crypto/dh/dh.h ---- openssl-1.0.1c/crypto/dh/dh.h.fips 2012-07-12 21:49:24.986344365 +0200 -+++ openssl-1.0.1c/crypto/dh/dh.h 2012-07-12 21:49:25.322351924 +0200 +diff -up openssl-1.0.1e/crypto/dh/dh.h.fips openssl-1.0.1e/crypto/dh/dh.h +--- openssl-1.0.1e/crypto/dh/dh.h.fips 2013-02-19 12:47:33.388111739 +0100 ++++ openssl-1.0.1e/crypto/dh/dh.h 2013-02-19 12:47:33.719118468 +0100 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 #endif @@ -358,9 +358,9 @@ diff -up openssl-1.0.1c/crypto/dh/dh.h.fips openssl-1.0.1c/crypto/dh/dh.h #define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH * implementation now uses constant time -diff -up openssl-1.0.1c/crypto/dh/dh_key.c.fips openssl-1.0.1c/crypto/dh/dh_key.c ---- openssl-1.0.1c/crypto/dh/dh_key.c.fips 2011-11-14 15:16:09.000000000 +0100 -+++ openssl-1.0.1c/crypto/dh/dh_key.c 2012-07-12 21:49:25.322351924 +0200 +diff -up openssl-1.0.1e/crypto/dh/dh_key.c.fips openssl-1.0.1e/crypto/dh/dh_key.c +--- openssl-1.0.1e/crypto/dh/dh_key.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dh/dh_key.c 2013-02-19 12:47:33.720118488 +0100 @@ -61,6 +61,9 @@ #include #include @@ -419,9 +419,9 @@ diff -up openssl-1.0.1c/crypto/dh/dh_key.c.fips openssl-1.0.1c/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.1c/crypto/dh/dh_lib.c.fips openssl-1.0.1c/crypto/dh/dh_lib.c ---- openssl-1.0.1c/crypto/dh/dh_lib.c.fips 2011-06-20 21:41:11.000000000 +0200 -+++ openssl-1.0.1c/crypto/dh/dh_lib.c 2012-07-12 21:49:25.323351947 +0200 +diff -up openssl-1.0.1e/crypto/dh/dh_lib.c.fips openssl-1.0.1e/crypto/dh/dh_lib.c +--- openssl-1.0.1e/crypto/dh/dh_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dh/dh_lib.c 2013-02-19 12:47:33.720118488 +0100 @@ -81,14 +81,7 @@ const DH_METHOD *DH_get_default_method(v { if(!default_DH_method) @@ -437,9 +437,9 @@ diff -up openssl-1.0.1c/crypto/dh/dh_lib.c.fips openssl-1.0.1c/crypto/dh/dh_lib. } return default_DH_method; } -diff -up openssl-1.0.1c/crypto/dsa/dsa_err.c.fips openssl-1.0.1c/crypto/dsa/dsa_err.c ---- openssl-1.0.1c/crypto/dsa/dsa_err.c.fips 2011-10-10 01:13:49.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_err.c 2012-07-12 21:49:25.323351947 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_err.c.fips openssl-1.0.1e/crypto/dsa/dsa_err.c +--- openssl-1.0.1e/crypto/dsa/dsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_err.c 2013-02-19 12:47:33.720118488 +0100 @@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]= {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"}, {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, @@ -458,9 +458,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_err.c.fips openssl-1.0.1c/crypto/dsa/dsa_ {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"}, -diff -up openssl-1.0.1c/crypto/dsa/dsa_gen.c.fips openssl-1.0.1c/crypto/dsa/dsa_gen.c ---- openssl-1.0.1c/crypto/dsa/dsa_gen.c.fips 2011-06-09 17:21:46.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_gen.c 2012-07-12 21:49:25.324351969 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips openssl-1.0.1e/crypto/dsa/dsa_gen.c +--- openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_gen.c 2013-02-19 12:47:33.721118508 +0100 @@ -85,6 +85,14 @@ #include #endif @@ -867,9 +867,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_gen.c.fips openssl-1.0.1c/crypto/dsa/dsa_ } if (mont != NULL) BN_MONT_CTX_free(mont); return ok; -diff -up openssl-1.0.1c/crypto/dsa/dsa.h.fips openssl-1.0.1c/crypto/dsa/dsa.h ---- openssl-1.0.1c/crypto/dsa/dsa.h.fips 2012-07-12 21:49:24.798340136 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa.h 2012-07-12 21:49:25.324351969 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips openssl-1.0.1e/crypto/dsa/dsa.h +--- openssl-1.0.1e/crypto/dsa/dsa.h.fips 2013-02-19 12:47:33.205108020 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa.h 2013-02-19 12:47:33.721118508 +0100 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif @@ -930,9 +930,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa.h.fips openssl-1.0.1c/crypto/dsa/dsa.h #define DSA_R_PARAMETER_ENCODING_ERROR 105 #ifdef __cplusplus -diff -up openssl-1.0.1c/crypto/dsa/dsa_key.c.fips openssl-1.0.1c/crypto/dsa/dsa_key.c ---- openssl-1.0.1c/crypto/dsa/dsa_key.c.fips 2011-06-09 17:21:46.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_key.c 2012-07-12 21:46:56.000000000 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips openssl-1.0.1e/crypto/dsa/dsa_key.c +--- openssl-1.0.1e/crypto/dsa/dsa_key.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-02-19 12:47:33.722118528 +0100 @@ -66,6 +66,35 @@ #ifdef OPENSSL_FIPS @@ -1011,9 +1011,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_key.c.fips openssl-1.0.1c/crypto/dsa/dsa_ ok=1; err: -diff -up openssl-1.0.1c/crypto/dsa/dsa_lib.c.fips openssl-1.0.1c/crypto/dsa/dsa_lib.c ---- openssl-1.0.1c/crypto/dsa/dsa_lib.c.fips 2011-11-14 15:16:09.000000000 +0100 -+++ openssl-1.0.1c/crypto/dsa/dsa_lib.c 2012-07-12 21:49:25.325351991 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips openssl-1.0.1e/crypto/dsa/dsa_lib.c +--- openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_lib.c 2013-02-19 12:47:33.722118528 +0100 @@ -87,14 +87,7 @@ const DSA_METHOD *DSA_get_default_method { if(!default_DSA_method) @@ -1029,18 +1029,18 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_lib.c.fips openssl-1.0.1c/crypto/dsa/dsa_ } return default_DSA_method; } -diff -up openssl-1.0.1c/crypto/dsa/dsa_locl.h.fips openssl-1.0.1c/crypto/dsa/dsa_locl.h ---- openssl-1.0.1c/crypto/dsa/dsa_locl.h.fips 2012-07-12 21:49:24.802340226 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_locl.h 2012-07-12 21:49:25.325351991 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips openssl-1.0.1e/crypto/dsa/dsa_locl.h +--- openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips 2013-02-19 12:47:33.209108100 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_locl.h 2013-02-19 12:47:33.722118528 +0100 @@ -56,5 +56,4 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, - unsigned char *seed_out, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); -diff -up openssl-1.0.1c/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1c/crypto/dsa/dsa_ossl.c ---- openssl-1.0.1c/crypto/dsa/dsa_ossl.c.fips 2011-02-01 13:53:47.000000000 +0100 -+++ openssl-1.0.1c/crypto/dsa/dsa_ossl.c 2012-07-12 21:49:25.326352013 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1e/crypto/dsa/dsa_ossl.c +--- openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c 2013-02-19 12:47:33.723118548 +0100 @@ -65,6 +65,9 @@ #include #include @@ -1114,9 +1114,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1c/crypto/dsa/dsa dsa->flags|=DSA_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.1c/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1c/crypto/dsa/dsa_pmeth.c ---- openssl-1.0.1c/crypto/dsa/dsa_pmeth.c.fips 2011-06-20 22:05:13.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsa_pmeth.c 2012-07-12 21:49:25.326352013 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1e/crypto/dsa/dsa_pmeth.c +--- openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_pmeth.c 2013-02-19 12:47:33.723118548 +0100 @@ -255,7 +255,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT if (!dsa) return 0; @@ -1126,9 +1126,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1c/crypto/dsa/ds if (ret) EVP_PKEY_assign_DSA(pkey, dsa); else -diff -up openssl-1.0.1c/crypto/dsa/dsatest.c.fips openssl-1.0.1c/crypto/dsa/dsatest.c ---- openssl-1.0.1c/crypto/dsa/dsatest.c.fips 2008-08-06 17:54:11.000000000 +0200 -+++ openssl-1.0.1c/crypto/dsa/dsatest.c 2012-07-12 21:49:25.327352035 +0200 +diff -up openssl-1.0.1e/crypto/dsa/dsatest.c.fips openssl-1.0.1e/crypto/dsa/dsatest.c +--- openssl-1.0.1e/crypto/dsa/dsatest.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsatest.c 2013-02-19 12:47:33.723118548 +0100 @@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ @@ -1213,9 +1213,9 @@ diff -up openssl-1.0.1c/crypto/dsa/dsatest.c.fips openssl-1.0.1c/crypto/dsa/dsat goto end; } if (h != 2) -diff -up openssl-1.0.1c/crypto/engine/eng_all.c.fips openssl-1.0.1c/crypto/engine/eng_all.c ---- openssl-1.0.1c/crypto/engine/eng_all.c.fips 2011-08-10 20:53:13.000000000 +0200 -+++ openssl-1.0.1c/crypto/engine/eng_all.c 2012-07-12 21:49:25.327352035 +0200 +diff -up openssl-1.0.1e/crypto/engine/eng_all.c.fips openssl-1.0.1e/crypto/engine/eng_all.c +--- openssl-1.0.1e/crypto/engine/eng_all.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-02-19 12:47:33.724118569 +0100 @@ -58,11 +58,25 @@ #include "cryptlib.h" @@ -1242,32 +1242,9 @@ diff -up openssl-1.0.1c/crypto/engine/eng_all.c.fips openssl-1.0.1c/crypto/engin #if 0 /* There's no longer any need for an "openssl" ENGINE unless, one day, * it is the *only* way for standard builtin implementations to be be -diff -up openssl-1.0.1c/crypto/err/err_all.c.fips openssl-1.0.1c/crypto/err/err_all.c ---- openssl-1.0.1c/crypto/err/err_all.c.fips 2011-06-21 18:58:10.000000000 +0200 -+++ openssl-1.0.1c/crypto/err/err_all.c 2012-07-12 21:49:25.327352035 +0200 -@@ -96,6 +96,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+#include -+#endif - #ifndef OPENSSL_NO_CMS - #include - #endif -@@ -153,6 +156,9 @@ void ERR_load_crypto_strings(void) - #endif - ERR_load_OCSP_strings(); - ERR_load_UI_strings(); -+#ifdef OPENSSL_FIPS -+ ERR_load_FIPS_strings(); -+#endif - #ifndef OPENSSL_NO_CMS - ERR_load_CMS_strings(); - #endif -diff -up openssl-1.0.1c/crypto/evp/c_allc.c.fips openssl-1.0.1c/crypto/evp/c_allc.c ---- openssl-1.0.1c/crypto/evp/c_allc.c.fips 2011-11-14 22:13:35.000000000 +0100 -+++ openssl-1.0.1c/crypto/evp/c_allc.c 2012-07-12 21:49:25.328352058 +0200 +diff -up openssl-1.0.1e/crypto/evp/c_allc.c.fips openssl-1.0.1e/crypto/evp/c_allc.c +--- openssl-1.0.1e/crypto/evp/c_allc.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/c_allc.c 2013-02-19 12:47:33.725118589 +0100 @@ -65,6 +65,11 @@ void OpenSSL_add_all_ciphers(void) { @@ -1341,9 +1318,9 @@ diff -up openssl-1.0.1c/crypto/evp/c_allc.c.fips openssl-1.0.1c/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.1c/crypto/evp/c_alld.c.fips openssl-1.0.1c/crypto/evp/c_alld.c ---- openssl-1.0.1c/crypto/evp/c_alld.c.fips 2009-07-08 10:50:53.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/c_alld.c 2012-07-12 21:49:25.328352058 +0200 +diff -up openssl-1.0.1e/crypto/evp/c_alld.c.fips openssl-1.0.1e/crypto/evp/c_alld.c +--- openssl-1.0.1e/crypto/evp/c_alld.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/c_alld.c 2013-02-19 12:47:33.725118589 +0100 @@ -64,6 +64,11 @@ void OpenSSL_add_all_digests(void) @@ -1389,9 +1366,9 @@ diff -up openssl-1.0.1c/crypto/evp/c_alld.c.fips openssl-1.0.1c/crypto/evp/c_all + } +#endif } -diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/digest.c ---- openssl-1.0.1c/crypto/evp/digest.c.fips 2011-05-29 17:55:13.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/digest.c 2012-07-12 21:49:25.329352081 +0200 +diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/digest.c +--- openssl-1.0.1e/crypto/evp/digest.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/digest.c 2013-02-19 12:51:41.276779877 +0100 @@ -142,9 +142,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } @@ -1491,7 +1468,7 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges } /* The caller can assume that this removes any secret data from the context */ -@@ -263,10 +305,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns +@@ -263,11 +305,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { @@ -1499,14 +1476,14 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges - return FIPS_digestfinal(ctx, md, size); -#else int ret; + +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif -+ OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); if (size != NULL) -@@ -278,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, +@@ -279,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, } memset(ctx->md_data,0,ctx->digest->ctx_size); return ret; @@ -1514,7 +1491,7 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) -@@ -372,7 +414,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) +@@ -373,7 +414,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { @@ -1522,7 +1499,7 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, * because sometimes only copies of the context are ever finalised. */ -@@ -385,7 +426,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) +@@ -386,7 +426,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } @@ -1530,7 +1507,7 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges if (ctx->pctx) EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE -@@ -394,9 +434,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) +@@ -395,9 +434,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); #endif @@ -1540,9 +1517,9 @@ diff -up openssl-1.0.1c/crypto/evp/digest.c.fips openssl-1.0.1c/crypto/evp/diges memset(ctx,'\0',sizeof *ctx); return 1; -diff -up openssl-1.0.1c/crypto/evp/e_aes.c.fips openssl-1.0.1c/crypto/evp/e_aes.c ---- openssl-1.0.1c/crypto/evp/e_aes.c.fips 2011-11-15 13:19:56.000000000 +0100 -+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-07-12 21:49:25.330352104 +0200 +diff -up openssl-1.0.1e/crypto/evp/e_aes.c.fips openssl-1.0.1e/crypto/evp/e_aes.c +--- openssl-1.0.1e/crypto/evp/e_aes.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/e_aes.c 2013-02-19 12:47:33.726118609 +0100 @@ -56,7 +56,6 @@ #include #include @@ -1569,14 +1546,14 @@ diff -up openssl-1.0.1c/crypto/evp/e_aes.c.fips openssl-1.0.1c/crypto/evp/e_aes. (len > (1UL<<20)*16)) { EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); -@@ -1310,4 +1309,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm +@@ -1311,4 +1310,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) #endif -#endif -diff -up openssl-1.0.1c/crypto/evp/e_des3.c.fips openssl-1.0.1c/crypto/evp/e_des3.c ---- openssl-1.0.1c/crypto/evp/e_des3.c.fips 2011-05-29 01:01:26.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/e_des3.c 2012-07-12 21:49:25.330352104 +0200 +diff -up openssl-1.0.1e/crypto/evp/e_des3.c.fips openssl-1.0.1e/crypto/evp/e_des3.c +--- openssl-1.0.1e/crypto/evp/e_des3.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/e_des3.c 2013-02-19 12:47:33.727118629 +0100 @@ -65,8 +65,6 @@ #include #include @@ -1635,9 +1612,9 @@ diff -up openssl-1.0.1c/crypto/evp/e_des3.c.fips openssl-1.0.1c/crypto/evp/e_des } #endif -#endif -diff -up openssl-1.0.1c/crypto/evp/e_null.c.fips openssl-1.0.1c/crypto/evp/e_null.c ---- openssl-1.0.1c/crypto/evp/e_null.c.fips 2011-06-20 22:00:10.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/e_null.c 2012-07-12 21:49:25.330352104 +0200 +diff -up openssl-1.0.1e/crypto/evp/e_null.c.fips openssl-1.0.1e/crypto/evp/e_null.c +--- openssl-1.0.1e/crypto/evp/e_null.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/e_null.c 2013-02-19 12:47:33.727118629 +0100 @@ -61,8 +61,6 @@ #include #include @@ -1661,9 +1638,9 @@ diff -up openssl-1.0.1c/crypto/evp/e_null.c.fips openssl-1.0.1c/crypto/evp/e_nul return 1; } -#endif -diff -up openssl-1.0.1c/crypto/evp/evp_enc.c.fips openssl-1.0.1c/crypto/evp/evp_enc.c ---- openssl-1.0.1c/crypto/evp/evp_enc.c.fips 2012-04-20 02:07:48.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/evp_enc.c 2012-07-12 21:49:25.331352127 +0200 +diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.fips openssl-1.0.1e/crypto/evp/evp_enc.c +--- openssl-1.0.1e/crypto/evp/evp_enc.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/evp_enc.c 2013-02-19 12:47:33.728118649 +0100 @@ -69,17 +69,58 @@ #endif #include "evp_locl.h" @@ -1812,9 +1789,9 @@ diff -up openssl-1.0.1c/crypto/evp/evp_enc.c.fips openssl-1.0.1c/crypto/evp/evp_ memset(c,0,sizeof(EVP_CIPHER_CTX)); return 1; } -diff -up openssl-1.0.1c/crypto/evp/evp.h.fips openssl-1.0.1c/crypto/evp/evp.h ---- openssl-1.0.1c/crypto/evp/evp.h.fips 2012-07-12 21:49:25.081346502 +0200 -+++ openssl-1.0.1c/crypto/evp/evp.h 2012-07-12 21:49:25.332352149 +0200 +diff -up openssl-1.0.1e/crypto/evp/evp.h.fips openssl-1.0.1e/crypto/evp/evp.h +--- openssl-1.0.1e/crypto/evp/evp.h.fips 2013-02-19 12:47:33.474113487 +0100 ++++ openssl-1.0.1e/crypto/evp/evp.h 2013-02-19 12:47:33.728118649 +0100 @@ -75,6 +75,10 @@ #include #endif @@ -1867,9 +1844,9 @@ diff -up openssl-1.0.1c/crypto/evp/evp.h.fips openssl-1.0.1c/crypto/evp/evp.h /* Cipher handles any and all padding logic as well * as finalisation. */ -diff -up openssl-1.0.1c/crypto/evp/evp_lib.c.fips openssl-1.0.1c/crypto/evp/evp_lib.c ---- openssl-1.0.1c/crypto/evp/evp_lib.c.fips 2011-05-29 04:32:05.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/evp_lib.c 2012-07-12 21:49:25.332352149 +0200 +diff -up openssl-1.0.1e/crypto/evp/evp_lib.c.fips openssl-1.0.1e/crypto/evp/evp_lib.c +--- openssl-1.0.1e/crypto/evp/evp_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/evp_lib.c 2013-02-19 12:47:33.729118669 +0100 @@ -190,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) @@ -1880,9 +1857,9 @@ diff -up openssl-1.0.1c/crypto/evp/evp_lib.c.fips openssl-1.0.1c/crypto/evp/evp_ return ctx->cipher->do_cipher(ctx,out,in,inl); } -diff -up openssl-1.0.1c/crypto/evp/evp_locl.h.fips openssl-1.0.1c/crypto/evp/evp_locl.h ---- openssl-1.0.1c/crypto/evp/evp_locl.h.fips 2012-07-12 21:49:25.071346278 +0200 -+++ openssl-1.0.1c/crypto/evp/evp_locl.h 2012-07-12 21:49:25.333352171 +0200 +diff -up openssl-1.0.1e/crypto/evp/evp_locl.h.fips openssl-1.0.1e/crypto/evp/evp_locl.h +--- openssl-1.0.1e/crypto/evp/evp_locl.h.fips 2013-02-19 12:47:33.465113304 +0100 ++++ openssl-1.0.1e/crypto/evp/evp_locl.h 2013-02-19 12:47:33.729118669 +0100 @@ -258,10 +258,9 @@ const EVP_CIPHER *EVP_##cname##_ecb(void BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ @@ -1917,9 +1894,9 @@ diff -up openssl-1.0.1c/crypto/evp/evp_locl.h.fips openssl-1.0.1c/crypto/evp/evp #define Camellia_set_key private_Camellia_set_key #endif -diff -up openssl-1.0.1c/crypto/evp/Makefile.fips openssl-1.0.1c/crypto/evp/Makefile ---- openssl-1.0.1c/crypto/evp/Makefile.fips 2012-04-26 12:42:19.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/Makefile 2012-07-12 21:49:25.333352171 +0200 +diff -up openssl-1.0.1e/crypto/evp/Makefile.fips openssl-1.0.1e/crypto/evp/Makefile +--- openssl-1.0.1e/crypto/evp/Makefile.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/Makefile 2013-02-19 12:53:25.468917386 +0100 @@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ @@ -1928,7 +1905,7 @@ diff -up openssl-1.0.1c/crypto/evp/Makefile.fips openssl-1.0.1c/crypto/evp/Makef + e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c - LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ + LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \ @@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_ bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ @@ -1938,9 +1915,9 @@ diff -up openssl-1.0.1c/crypto/evp/Makefile.fips openssl-1.0.1c/crypto/evp/Makef e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o SRC= $(LIBSRC) -diff -up openssl-1.0.1c/crypto/evp/m_dss1.c.fips openssl-1.0.1c/crypto/evp/m_dss1.c ---- openssl-1.0.1c/crypto/evp/m_dss1.c.fips 2011-06-01 17:11:00.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/m_dss1.c 2012-07-12 21:49:25.333352171 +0200 +diff -up openssl-1.0.1e/crypto/evp/m_dss1.c.fips openssl-1.0.1e/crypto/evp/m_dss1.c +--- openssl-1.0.1e/crypto/evp/m_dss1.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/m_dss1.c 2013-02-19 12:47:33.730118689 +0100 @@ -68,8 +68,6 @@ #include #endif @@ -1964,9 +1941,9 @@ diff -up openssl-1.0.1c/crypto/evp/m_dss1.c.fips openssl-1.0.1c/crypto/evp/m_dss } #endif -#endif -diff -up openssl-1.0.1c/crypto/evp/m_dss.c.fips openssl-1.0.1c/crypto/evp/m_dss.c ---- openssl-1.0.1c/crypto/evp/m_dss.c.fips 2011-06-01 17:11:00.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/m_dss.c 2012-07-12 21:49:25.333352171 +0200 +diff -up openssl-1.0.1e/crypto/evp/m_dss.c.fips openssl-1.0.1e/crypto/evp/m_dss.c +--- openssl-1.0.1e/crypto/evp/m_dss.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/m_dss.c 2013-02-19 12:47:33.730118689 +0100 @@ -66,7 +66,6 @@ #endif @@ -1989,9 +1966,9 @@ diff -up openssl-1.0.1c/crypto/evp/m_dss.c.fips openssl-1.0.1c/crypto/evp/m_dss. } #endif -#endif -diff -up openssl-1.0.1c/crypto/evp/m_md2.c.fips openssl-1.0.1c/crypto/evp/m_md2.c ---- openssl-1.0.1c/crypto/evp/m_md2.c.fips 2005-07-16 14:37:32.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/m_md2.c 2012-07-12 21:49:25.334352193 +0200 +diff -up openssl-1.0.1e/crypto/evp/m_md2.c.fips openssl-1.0.1e/crypto/evp/m_md2.c +--- openssl-1.0.1e/crypto/evp/m_md2.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/m_md2.c 2013-02-19 12:47:33.731118710 +0100 @@ -68,6 +68,7 @@ #ifndef OPENSSL_NO_RSA #include @@ -2000,9 +1977,9 @@ diff -up openssl-1.0.1c/crypto/evp/m_md2.c.fips openssl-1.0.1c/crypto/evp/m_md2. static int init(EVP_MD_CTX *ctx) { return MD2_Init(ctx->md_data); } -diff -up openssl-1.0.1c/crypto/evp/m_sha1.c.fips openssl-1.0.1c/crypto/evp/m_sha1.c ---- openssl-1.0.1c/crypto/evp/m_sha1.c.fips 2011-05-29 01:01:26.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/m_sha1.c 2012-07-12 21:49:25.334352193 +0200 +diff -up openssl-1.0.1e/crypto/evp/m_sha1.c.fips openssl-1.0.1e/crypto/evp/m_sha1.c +--- openssl-1.0.1e/crypto/evp/m_sha1.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/m_sha1.c 2013-02-19 12:47:33.731118710 +0100 @@ -59,8 +59,6 @@ #include #include "cryptlib.h" @@ -2067,9 +2044,9 @@ diff -up openssl-1.0.1c/crypto/evp/m_sha1.c.fips openssl-1.0.1c/crypto/evp/m_sha #endif /* ifndef OPENSSL_NO_SHA512 */ -#endif -diff -up openssl-1.0.1c/crypto/evp/p_sign.c.fips openssl-1.0.1c/crypto/evp/p_sign.c ---- openssl-1.0.1c/crypto/evp/p_sign.c.fips 2011-06-09 18:02:39.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/p_sign.c 2012-07-12 21:49:25.334352193 +0200 +diff -up openssl-1.0.1e/crypto/evp/p_sign.c.fips openssl-1.0.1e/crypto/evp/p_sign.c +--- openssl-1.0.1e/crypto/evp/p_sign.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/p_sign.c 2013-02-19 12:47:33.731118710 +0100 @@ -61,6 +61,7 @@ #include #include @@ -2101,9 +2078,9 @@ diff -up openssl-1.0.1c/crypto/evp/p_sign.c.fips openssl-1.0.1c/crypto/evp/p_sig if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.1c/crypto/evp/p_verify.c.fips openssl-1.0.1c/crypto/evp/p_verify.c ---- openssl-1.0.1c/crypto/evp/p_verify.c.fips 2011-06-09 18:02:39.000000000 +0200 -+++ openssl-1.0.1c/crypto/evp/p_verify.c 2012-07-12 21:49:25.334352193 +0200 +diff -up openssl-1.0.1e/crypto/evp/p_verify.c.fips openssl-1.0.1e/crypto/evp/p_verify.c +--- openssl-1.0.1e/crypto/evp/p_verify.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/p_verify.c 2013-02-19 12:47:33.732118731 +0100 @@ -61,6 +61,7 @@ #include #include @@ -2135,9 +2112,9 @@ diff -up openssl-1.0.1c/crypto/evp/p_verify.c.fips openssl-1.0.1c/crypto/evp/p_v i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c.fips 2012-07-12 21:49:25.335352215 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c 2012-07-12 21:49:25.335352215 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips 2013-02-19 12:47:33.732118731 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c 2013-02-19 12:47:33.732118731 +0100 @@ -0,0 +1,939 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -3078,9 +3055,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1c/crypt + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c.fips 2012-07-12 21:49:25.335352215 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c 2012-07-12 21:49:25.335352215 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips 2013-02-19 12:47:33.732118731 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c 2013-02-19 12:47:33.732118731 +0100 @@ -0,0 +1,517 @@ +/* fips_cmactest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3599,9 +3576,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1c/cry + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c.fips 2012-07-12 21:49:25.335352215 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c 2012-07-12 21:49:25.335352215 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips 2013-02-19 12:47:33.733118752 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c 2013-02-19 12:47:33.733118752 +0100 @@ -0,0 +1,702 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -4305,9 +4282,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1c/cryp + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c.fips 2012-07-12 21:49:25.336352238 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c 2012-07-12 21:49:25.336352238 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips 2013-02-19 12:47:33.733118752 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c 2013-02-19 12:47:33.733118752 +0100 @@ -0,0 +1,292 @@ +/* fips/dh/fips_dhvs.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4601,9 +4578,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1c/crypto/ + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c.fips 2012-07-12 21:49:25.336352238 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c 2012-07-12 21:49:25.336352238 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips 2013-02-19 12:47:33.733118752 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c 2013-02-19 12:47:33.733118752 +0100 @@ -0,0 +1,416 @@ +/* fips/rand/fips_drbgvs.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5021,9 +4998,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1c/crypt + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c.fips 2012-07-12 21:49:25.336352238 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c 2012-07-12 21:49:25.336352238 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips 2013-02-19 12:47:33.733118752 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c 2013-02-19 12:47:33.733118752 +0100 @@ -0,0 +1,537 @@ +#include + @@ -5562,9 +5539,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1c/crypto + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c.fips 2012-07-12 21:49:25.336352238 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c 2012-07-12 21:49:25.336352238 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips 2013-02-19 12:47:33.734118772 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c 2013-02-19 12:47:33.734118772 +0100 @@ -0,0 +1,571 @@ +/* fips/aes/fips_gcmtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -6137,9 +6114,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1c/cryp +} + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c.fips 2012-07-12 21:49:25.337352261 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c 2012-07-12 21:49:25.337352261 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips 2013-02-19 12:47:33.734118772 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c 2013-02-19 12:47:33.734118772 +0100 @@ -0,0 +1,230 @@ +/* + * Crude test driver for processing the VST and MCT testvector files @@ -6371,9 +6348,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1c/crypto + return 0; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c.fips 2012-07-12 21:49:25.337352261 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c 2012-07-12 21:49:25.337352261 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips 2013-02-19 12:47:33.734118772 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c 2013-02-19 12:47:33.734118772 +0100 @@ -0,0 +1,390 @@ +/* fips_rsagtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -6765,9 +6742,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1c/cry + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c.fips 2012-07-12 21:49:25.337352261 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c 2012-07-12 21:49:25.337352261 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips 2013-02-19 12:47:33.734118772 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c 2013-02-19 12:47:33.734118772 +0100 @@ -0,0 +1,370 @@ +/* fips_rsastest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7139,9 +7116,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1c/cry + return ret; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c.fips 2012-07-12 21:49:25.337352261 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c 2012-07-12 21:49:25.337352261 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c 2013-02-19 12:47:33.735118792 +0100 @@ -0,0 +1,377 @@ +/* fips_rsavtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7520,9 +7497,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1c/cry + return ret; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c ---- openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c 2012-07-12 21:49:25.338352284 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c +--- openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c 2013-02-19 12:47:33.735118792 +0100 @@ -0,0 +1,388 @@ +/* fips_shatest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7912,9 +7889,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1c/cryp + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1c/crypto/fips/cavs/fips_utl.h ---- openssl-1.0.1c/crypto/fips/cavs/fips_utl.h.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/cavs/fips_utl.h 2012-07-12 21:49:25.338352284 +0200 +diff -up openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1e/crypto/fips/cavs/fips_utl.h +--- openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/cavs/fips_utl.h 2013-02-19 12:47:33.735118792 +0100 @@ -0,0 +1,343 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -8259,9 +8236,9 @@ diff -up openssl-1.0.1c/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1c/crypto/f +#endif + } + -diff -up openssl-1.0.1c/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_aes_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_aes_selftest.c.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_aes_selftest.c 2012-07-12 21:49:25.338352284 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_aes_selftest.c 2013-02-19 12:47:33.735118792 +0100 @@ -0,0 +1,359 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -8622,9 +8599,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1c/cryp + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips.c.fips openssl-1.0.1c/crypto/fips/fips.c ---- openssl-1.0.1c/crypto/fips/fips.c.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/fips.c 2012-07-12 21:49:25.338352284 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips.c.fips openssl-1.0.1e/crypto/fips/fips.c +--- openssl-1.0.1e/crypto/fips/fips.c.fips 2013-02-19 12:47:33.735118792 +0100 ++++ openssl-1.0.1e/crypto/fips/fips.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,489 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9115,9 +9092,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips.c.fips openssl-1.0.1c/crypto/fips/fips. + + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c.fips 2012-07-12 21:49:25.338352284 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips 2013-02-19 12:47:33.736118812 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,161 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9280,9 +9257,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1c/cry + return rv; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_des_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_des_selftest.c.fips 2012-07-12 21:49:25.339352307 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_des_selftest.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_des_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips 2013-02-19 12:47:33.736118812 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_des_selftest.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,147 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9431,9 +9408,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1c/cryp + return ret; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c.fips 2012-07-12 21:49:25.339352307 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips 2013-02-19 12:47:33.736118812 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,436 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -9871,9 +9848,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1c/crypto/f + + return 1; + } -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_hash.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_hash.c.fips 2012-07-12 21:49:25.339352307 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_hash.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hash.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips 2013-02-19 12:47:33.736118812 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_hash.c 2013-02-19 12:47:33.736118812 +0100 @@ -0,0 +1,378 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10253,9 +10230,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1c/crypto/ + + return 1; + } -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c.fips 2012-07-12 21:49:25.339352307 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c 2012-07-12 21:49:25.339352307 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips 2013-02-19 12:47:33.737118832 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c 2013-02-19 12:47:33.737118832 +0100 @@ -0,0 +1,281 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10538,9 +10515,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1c/crypto/ + + return 1; + } -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_lib.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_lib.c.fips 2012-07-12 21:49:25.340352329 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_lib.c 2012-07-12 21:49:25.340352329 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_lib.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips 2013-02-19 12:47:33.737118832 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_lib.c 2013-02-19 12:47:33.737118832 +0100 @@ -0,0 +1,578 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -11120,9 +11097,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1c/crypto/f + memcpy(dctx->lb, out, dctx->blocklength); + return 1; + } -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_rand.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_rand.c.fips 2012-07-12 21:49:25.340352329 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_rand.c 2012-07-12 21:49:25.340352329 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_rand.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips 2013-02-19 12:47:33.737118832 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_rand.c 2013-02-19 12:47:33.737118832 +0100 @@ -0,0 +1,172 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -11296,9 +11273,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1c/crypto/ + return &rand_drbg_meth; + } + -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c.fips 2012-07-12 21:49:25.340352329 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c 2012-07-12 21:49:25.340352329 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips 2013-02-19 12:47:33.737118832 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c 2013-02-19 12:47:33.737118832 +0100 @@ -0,0 +1,862 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -12162,9 +12139,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1c/cry + return rv; + } + -diff -up openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h ---- openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h.fips 2012-07-12 21:49:25.341352351 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h 2012-07-12 21:49:25.341352351 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h +--- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips 2013-02-19 12:47:33.738118852 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h 2013-02-19 12:47:33.738118852 +0100 @@ -0,0 +1,2335 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -14501,9 +14478,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1c/cry + 0xc2,0xd6,0xfd,0xa5 + }; + -diff -up openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.fips 2012-07-12 21:49:25.342352373 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c 2012-07-12 21:49:25.342352373 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips 2013-02-19 12:47:33.739118872 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c 2013-02-19 12:47:33.739118872 +0100 @@ -0,0 +1,193 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -14698,9 +14675,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1c/cryp + return ret; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_enc.c.fips openssl-1.0.1c/crypto/fips/fips_enc.c ---- openssl-1.0.1c/crypto/fips/fips_enc.c.fips 2012-07-12 21:49:25.342352373 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_enc.c 2012-07-12 21:49:25.342352373 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_enc.c.fips openssl-1.0.1e/crypto/fips/fips_enc.c +--- openssl-1.0.1e/crypto/fips/fips_enc.c.fips 2013-02-19 12:47:33.739118872 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_enc.c 2013-02-19 12:47:33.739118872 +0100 @@ -0,0 +1,191 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -14893,9 +14870,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_enc.c.fips openssl-1.0.1c/crypto/fips/f + } + } + -diff -up openssl-1.0.1c/crypto/fips/fips.h.fips openssl-1.0.1c/crypto/fips/fips.h ---- openssl-1.0.1c/crypto/fips/fips.h.fips 2012-07-12 21:49:25.342352373 +0200 -+++ openssl-1.0.1c/crypto/fips/fips.h 2012-07-12 21:49:25.342352373 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips.h.fips openssl-1.0.1e/crypto/fips/fips.h +--- openssl-1.0.1e/crypto/fips/fips.h.fips 2013-02-19 12:47:33.739118872 +0100 ++++ openssl-1.0.1e/crypto/fips/fips.h 2013-02-19 12:47:33.739118872 +0100 @@ -0,0 +1,279 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -15176,9 +15153,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips.h.fips openssl-1.0.1c/crypto/fips/fips. +} +#endif +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c.fips 2012-07-12 21:49:25.342352373 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c 2012-07-12 21:49:25.342352373 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips 2013-02-19 12:47:33.739118872 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,137 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -15317,9 +15294,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1c/cry + return 1; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_locl.h.fips openssl-1.0.1c/crypto/fips/fips_locl.h ---- openssl-1.0.1c/crypto/fips/fips_locl.h.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_locl.h 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_locl.h.fips openssl-1.0.1e/crypto/fips/fips_locl.h +--- openssl-1.0.1e/crypto/fips/fips_locl.h.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_locl.h 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -15392,9 +15369,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_locl.h.fips openssl-1.0.1c/crypto/fips/ +} +#endif +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_md.c.fips openssl-1.0.1c/crypto/fips/fips_md.c ---- openssl-1.0.1c/crypto/fips/fips_md.c.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_md.c 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_md.c.fips openssl-1.0.1e/crypto/fips/fips_md.c +--- openssl-1.0.1e/crypto/fips/fips_md.c.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_md.c 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,145 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -15541,9 +15518,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_md.c.fips openssl-1.0.1c/crypto/fips/fi + return NULL; + } + } -diff -up openssl-1.0.1c/crypto/fips/fips_post.c.fips openssl-1.0.1c/crypto/fips/fips_post.c ---- openssl-1.0.1c/crypto/fips/fips_post.c.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_post.c 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips openssl-1.0.1e/crypto/fips/fips_post.c +--- openssl-1.0.1e/crypto/fips/fips_post.c.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,205 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -15750,9 +15727,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_post.c.fips openssl-1.0.1c/crypto/fips/ + return 1; + } +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_rand.c.fips openssl-1.0.1c/crypto/fips/fips_rand.c ---- openssl-1.0.1c/crypto/fips/fips_rand.c.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand.c 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand.c.fips openssl-1.0.1e/crypto/fips/fips_rand.c +--- openssl-1.0.1e/crypto/fips/fips_rand.c.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand.c 2013-02-19 12:47:33.740118893 +0100 @@ -0,0 +1,457 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -16211,9 +16188,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand.c.fips openssl-1.0.1c/crypto/fips/ +} + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_rand.h.fips openssl-1.0.1c/crypto/fips/fips_rand.h ---- openssl-1.0.1c/crypto/fips/fips_rand.h.fips 2012-07-12 21:49:25.343352395 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand.h 2012-07-12 21:49:25.343352395 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand.h.fips openssl-1.0.1e/crypto/fips/fips_rand.h +--- openssl-1.0.1e/crypto/fips/fips_rand.h.fips 2013-02-19 12:47:33.740118893 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand.h 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -16360,9 +16337,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand.h.fips openssl-1.0.1c/crypto/fips/ +#endif +#endif +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1c/crypto/fips/fips_rand_lcl.h ---- openssl-1.0.1c/crypto/fips/fips_rand_lcl.h.fips 2012-07-12 21:49:25.344352418 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand_lcl.h 2012-07-12 21:49:25.344352418 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1e/crypto/fips/fips_rand_lcl.h +--- openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips 2013-02-19 12:47:33.741118914 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand_lcl.h 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,219 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -16583,9 +16560,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1c/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.0.1c/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1c/crypto/fips/fips_rand_lib.c ---- openssl-1.0.1c/crypto/fips/fips_rand_lib.c.fips 2012-07-12 21:49:25.344352418 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand_lib.c 2012-07-12 21:49:25.344352418 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1e/crypto/fips/fips_rand_lib.c +--- openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips 2013-02-19 12:47:33.741118914 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand_lib.c 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,191 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -16778,9 +16755,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1c/crypto/f + } + return 0; + } -diff -up openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_rand_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.fips 2012-07-12 21:49:25.344352418 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rand_selftest.c 2012-07-12 21:49:25.344352418 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips 2013-02-19 12:47:33.741118914 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rand_selftest.c 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,183 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -16965,9 +16942,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1c/cry + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_randtest.c.fips openssl-1.0.1c/crypto/fips/fips_randtest.c ---- openssl-1.0.1c/crypto/fips/fips_randtest.c.fips 2012-07-12 21:49:25.344352418 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_randtest.c 2012-07-12 21:49:25.344352418 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_randtest.c.fips openssl-1.0.1e/crypto/fips/fips_randtest.c +--- openssl-1.0.1e/crypto/fips/fips_randtest.c.fips 2013-02-19 12:47:33.741118914 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_randtest.c 2013-02-19 12:47:33.741118914 +0100 @@ -0,0 +1,250 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -17219,9 +17196,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_randtest.c.fips openssl-1.0.1c/crypto/f + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c.fips 2012-07-12 21:49:25.345352441 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c 2012-07-12 21:49:25.345352441 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips 2013-02-19 12:47:33.742118935 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c 2013-02-19 12:47:33.742118935 +0100 @@ -0,0 +1,444 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -17667,9 +17644,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1c/cryp + } + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c ---- openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c.fips 2012-07-12 21:49:25.345352441 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c 2012-07-12 21:49:25.345352441 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips 2013-02-19 12:47:33.742118935 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c 2013-02-19 12:47:33.742118935 +0100 @@ -0,0 +1,282 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -17953,9 +17930,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1c/crypto/ + return 0; + + } -diff -up openssl-1.0.1c/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1c/crypto/fips/fips_sha_selftest.c ---- openssl-1.0.1c/crypto/fips/fips_sha_selftest.c.fips 2012-07-12 21:49:25.345352441 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_sha_selftest.c 2012-07-12 21:49:25.345352441 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_sha_selftest.c +--- openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips 2013-02-19 12:47:33.742118935 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_sha_selftest.c 2013-02-19 12:47:33.742118935 +0100 @@ -0,0 +1,140 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -18097,9 +18074,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1c/cryp + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c ---- openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c.fips 2012-07-12 21:49:25.345352441 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c 2012-07-12 21:49:25.345352441 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c +--- openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips 2013-02-19 12:47:33.742118935 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c 2013-02-19 12:47:33.742118935 +0100 @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -18281,9 +18258,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1c/c + } + + -diff -up openssl-1.0.1c/crypto/fips/fips_test_suite.c.fips openssl-1.0.1c/crypto/fips/fips_test_suite.c ---- openssl-1.0.1c/crypto/fips/fips_test_suite.c.fips 2012-07-12 21:49:25.346352464 +0200 -+++ openssl-1.0.1c/crypto/fips/fips_test_suite.c 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips openssl-1.0.1e/crypto/fips/fips_test_suite.c +--- openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips 2013-02-19 12:47:33.743118955 +0100 ++++ openssl-1.0.1e/crypto/fips/fips_test_suite.c 2013-02-19 12:47:33.743118955 +0100 @@ -0,0 +1,588 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -18873,9 +18850,9 @@ diff -up openssl-1.0.1c/crypto/fips/fips_test_suite.c.fips openssl-1.0.1c/crypto + } + +#endif -diff -up openssl-1.0.1c/crypto/fips/Makefile.fips openssl-1.0.1c/crypto/fips/Makefile ---- openssl-1.0.1c/crypto/fips/Makefile.fips 2012-07-12 21:49:25.346352464 +0200 -+++ openssl-1.0.1c/crypto/fips/Makefile 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/fips/Makefile.fips openssl-1.0.1e/crypto/fips/Makefile +--- openssl-1.0.1e/crypto/fips/Makefile.fips 2013-02-19 12:47:33.743118955 +0100 ++++ openssl-1.0.1e/crypto/fips/Makefile 2013-02-19 12:47:33.743118955 +0100 @@ -0,0 +1,340 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -19217,9 +19194,9 @@ diff -up openssl-1.0.1c/crypto/fips/Makefile.fips openssl-1.0.1c/crypto/fips/Mak +fips_sha_selftest.o: ../../include/openssl/safestack.h +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c -diff -up openssl-1.0.1c/crypto/hmac/hmac.c.fips openssl-1.0.1c/crypto/hmac/hmac.c ---- openssl-1.0.1c/crypto/hmac/hmac.c.fips 2011-06-12 17:07:26.000000000 +0200 -+++ openssl-1.0.1c/crypto/hmac/hmac.c 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/hmac/hmac.c.fips openssl-1.0.1e/crypto/hmac/hmac.c +--- openssl-1.0.1e/crypto/hmac/hmac.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/hmac/hmac.c 2013-02-19 12:47:33.743118955 +0100 @@ -81,11 +81,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; @@ -19282,9 +19259,9 @@ diff -up openssl-1.0.1c/crypto/hmac/hmac.c.fips openssl-1.0.1c/crypto/hmac/hmac. EVP_MD_CTX_cleanup(&ctx->i_ctx); EVP_MD_CTX_cleanup(&ctx->o_ctx); EVP_MD_CTX_cleanup(&ctx->md_ctx); -diff -up openssl-1.0.1c/crypto/md2/md2_dgst.c.fips openssl-1.0.1c/crypto/md2/md2_dgst.c ---- openssl-1.0.1c/crypto/md2/md2_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200 -+++ openssl-1.0.1c/crypto/md2/md2_dgst.c 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/md2/md2_dgst.c.fips openssl-1.0.1e/crypto/md2/md2_dgst.c +--- openssl-1.0.1e/crypto/md2/md2_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/md2/md2_dgst.c 2013-02-19 12:47:33.743118955 +0100 @@ -62,6 +62,11 @@ #include #include @@ -19306,9 +19283,9 @@ diff -up openssl-1.0.1c/crypto/md2/md2_dgst.c.fips openssl-1.0.1c/crypto/md2/md2 { c->num=0; memset(c->state,0,sizeof c->state); -diff -up openssl-1.0.1c/crypto/md4/md4_dgst.c.fips openssl-1.0.1c/crypto/md4/md4_dgst.c ---- openssl-1.0.1c/crypto/md4/md4_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200 -+++ openssl-1.0.1c/crypto/md4/md4_dgst.c 2012-07-12 21:49:25.346352464 +0200 +diff -up openssl-1.0.1e/crypto/md4/md4_dgst.c.fips openssl-1.0.1e/crypto/md4/md4_dgst.c +--- openssl-1.0.1e/crypto/md4/md4_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/md4/md4_dgst.c 2013-02-19 12:47:33.744118975 +0100 @@ -71,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_V #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -19318,9 +19295,9 @@ diff -up openssl-1.0.1c/crypto/md4/md4_dgst.c.fips openssl-1.0.1c/crypto/md4/md4 { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.fips openssl-1.0.1c/crypto/md5/md5_dgst.c ---- openssl-1.0.1c/crypto/md5/md5_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200 -+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.fips openssl-1.0.1e/crypto/md5/md5_dgst.c +--- openssl-1.0.1e/crypto/md5/md5_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 12:47:33.744118975 +0100 @@ -71,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_V #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L @@ -19330,9 +19307,9 @@ diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.fips openssl-1.0.1c/crypto/md5/md5 { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.1c/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1c/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.1c/crypto/mdc2/mdc2dgst.c.fips 2011-06-01 15:39:44.000000000 +0200 -+++ openssl-1.0.1c/crypto/mdc2/mdc2dgst.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1e/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/mdc2/mdc2dgst.c 2013-02-19 12:47:33.744118975 +0100 @@ -76,7 +76,7 @@ *((c)++)=(unsigned char)(((l)>>24L)&0xff)) @@ -19342,9 +19319,9 @@ diff -up openssl-1.0.1c/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1c/crypto/mdc2/m { c->num=0; c->pad_type=1; -diff -up openssl-1.0.1c/crypto/o_fips.c.fips openssl-1.0.1c/crypto/o_fips.c ---- openssl-1.0.1c/crypto/o_fips.c.fips 2012-04-20 16:42:54.000000000 +0200 -+++ openssl-1.0.1c/crypto/o_fips.c 2012-07-12 20:39:19.000000000 +0200 +diff -up openssl-1.0.1e/crypto/o_fips.c.fips openssl-1.0.1e/crypto/o_fips.c +--- openssl-1.0.1e/crypto/o_fips.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/o_fips.c 2013-02-19 12:47:33.744118975 +0100 @@ -79,6 +79,8 @@ int FIPS_mode_set(int r) #ifndef FIPS_AUTH_USER_PASS #define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password" @@ -19354,9 +19331,9 @@ diff -up openssl-1.0.1c/crypto/o_fips.c.fips openssl-1.0.1c/crypto/o_fips.c if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) return 0; if (r) -diff -up openssl-1.0.1c/crypto/o_init.c.fips openssl-1.0.1c/crypto/o_init.c ---- openssl-1.0.1c/crypto/o_init.c.fips 2011-05-26 16:19:19.000000000 +0200 -+++ openssl-1.0.1c/crypto/o_init.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c +--- openssl-1.0.1e/crypto/o_init.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 12:47:33.744118975 +0100 @@ -55,28 +55,63 @@ #include #include @@ -19425,9 +19402,9 @@ diff -up openssl-1.0.1c/crypto/o_init.c.fips openssl-1.0.1c/crypto/o_init.c + { + OPENSSL_init_library(); + } -diff -up openssl-1.0.1c/crypto/opensslconf.h.in.fips openssl-1.0.1c/crypto/opensslconf.h.in ---- openssl-1.0.1c/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 -+++ openssl-1.0.1c/crypto/opensslconf.h.in 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/opensslconf.h.in.fips openssl-1.0.1e/crypto/opensslconf.h.in +--- openssl-1.0.1e/crypto/opensslconf.h.in.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/opensslconf.h.in 2013-02-19 12:47:33.744118975 +0100 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -19449,9 +19426,9 @@ diff -up openssl-1.0.1c/crypto/opensslconf.h.in.fips openssl-1.0.1c/crypto/opens /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.1c/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1c/crypto/pkcs12/p12_crt.c ---- openssl-1.0.1c/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 -+++ openssl-1.0.1c/crypto/pkcs12/p12_crt.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1e/crypto/pkcs12/p12_crt.c +--- openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/pkcs12/p12_crt.c 2013-02-19 12:47:33.744118975 +0100 @@ -59,6 +59,10 @@ #include #include "cryptlib.h" @@ -19478,9 +19455,9 @@ diff -up openssl-1.0.1c/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1c/crypto/pkcs1 if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; if (!iter) -diff -up openssl-1.0.1c/crypto/rand/md_rand.c.fips openssl-1.0.1c/crypto/rand/md_rand.c ---- openssl-1.0.1c/crypto/rand/md_rand.c.fips 2011-01-26 15:55:23.000000000 +0100 -+++ openssl-1.0.1c/crypto/rand/md_rand.c 2012-07-12 21:49:25.347352487 +0200 +diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips openssl-1.0.1e/crypto/rand/md_rand.c +--- openssl-1.0.1e/crypto/rand/md_rand.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rand/md_rand.c 2013-02-19 12:47:33.745118995 +0100 @@ -389,7 +389,10 @@ static int ssleay_rand_bytes(unsigned ch CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; @@ -19493,9 +19470,9 @@ diff -up openssl-1.0.1c/crypto/rand/md_rand.c.fips openssl-1.0.1c/crypto/rand/md { RAND_poll(); initialized = 1; -diff -up openssl-1.0.1c/crypto/rand/rand.h.fips openssl-1.0.1c/crypto/rand/rand.h ---- openssl-1.0.1c/crypto/rand/rand.h.fips 2012-07-12 21:49:24.769339483 +0200 -+++ openssl-1.0.1c/crypto/rand/rand.h 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/rand/rand.h.fips openssl-1.0.1e/crypto/rand/rand.h +--- openssl-1.0.1e/crypto/rand/rand.h.fips 2013-02-19 12:47:33.176107430 +0100 ++++ openssl-1.0.1e/crypto/rand/rand.h 2013-02-19 12:47:33.745118995 +0100 @@ -133,15 +133,33 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -19534,9 +19511,9 @@ diff -up openssl-1.0.1c/crypto/rand/rand.h.fips openssl-1.0.1c/crypto/rand/rand. #ifdef __cplusplus } -diff -up openssl-1.0.1c/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1c/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.1c/crypto/ripemd/rmd_dgst.c.fips 2011-06-01 15:39:44.000000000 +0200 -+++ openssl-1.0.1c/crypto/ripemd/rmd_dgst.c 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1e/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/ripemd/rmd_dgst.c 2013-02-19 12:47:33.745118995 +0100 @@ -70,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160" void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num); # endif @@ -19546,9 +19523,9 @@ diff -up openssl-1.0.1c/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1c/crypto/ripe { memset (c,0,sizeof(*c)); c->A=RIPEMD160_A; -diff -up openssl-1.0.1c/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1c/crypto/rsa/rsa_crpt.c ---- openssl-1.0.1c/crypto/rsa/rsa_crpt.c.fips 2011-06-02 20:22:42.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_crpt.c 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1e/crypto/rsa/rsa_crpt.c +--- openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_crpt.c 2013-02-19 12:47:33.745118995 +0100 @@ -90,10 +90,9 @@ int RSA_private_encrypt(int flen, const RSA *rsa, int padding) { @@ -19575,9 +19552,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1c/crypto/rsa/rsa return -1; } #endif -diff -up openssl-1.0.1c/crypto/rsa/rsa_eay.c.fips openssl-1.0.1c/crypto/rsa/rsa_eay.c ---- openssl-1.0.1c/crypto/rsa/rsa_eay.c.fips 2011-10-19 16:58:59.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_eay.c 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips openssl-1.0.1e/crypto/rsa/rsa_eay.c +--- openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_eay.c 2013-02-19 12:47:33.745118995 +0100 @@ -114,6 +114,10 @@ #include #include @@ -19698,22 +19675,6 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_eay.c.fips openssl-1.0.1c/crypto/rsa/rsa_ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); -@@ -847,12 +923,12 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c - if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; - - /* If p < q it is occasionally possible for the correction of -- * adding 'p' if r0 is negative above to leave the result still -+ * adding 'p' if r0 is negative above to leave the result still - * negative. This can break the private key operations: the following - * second correction should *always* correct this rare occurrence. - * This will *never* happen with OpenSSL generated keys because -- * they ensure p > q [steve] -- */ -+ * they ensure p > q [steve] -+ */ - if (BN_is_negative(r0)) - if (!BN_add(r0,r0,rsa->p)) goto err; - if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; @@ -897,6 +973,9 @@ err: static int RSA_eay_init(RSA *rsa) @@ -19724,9 +19685,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_eay.c.fips openssl-1.0.1c/crypto/rsa/rsa_ rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; return(1); } -diff -up openssl-1.0.1c/crypto/rsa/rsa_err.c.fips openssl-1.0.1c/crypto/rsa/rsa_err.c ---- openssl-1.0.1c/crypto/rsa/rsa_err.c.fips 2011-10-10 01:13:50.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_err.c 2012-07-12 21:49:25.348352509 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_err.c.fips openssl-1.0.1e/crypto/rsa/rsa_err.c +--- openssl-1.0.1e/crypto/rsa/rsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_err.c 2013-02-19 12:47:33.746119015 +0100 @@ -121,6 +121,8 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, @@ -19736,9 +19697,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_err.c.fips openssl-1.0.1c/crypto/rsa/rsa_ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, -diff -up openssl-1.0.1c/crypto/rsa/rsa_gen.c.fips openssl-1.0.1c/crypto/rsa/rsa_gen.c ---- openssl-1.0.1c/crypto/rsa/rsa_gen.c.fips 2011-06-09 15:18:07.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_gen.c 2012-07-12 21:49:25.349352531 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips openssl-1.0.1e/crypto/rsa/rsa_gen.c +--- openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2013-02-19 12:47:33.746119015 +0100 @@ -69,6 +69,78 @@ #include #ifdef OPENSSL_FIPS @@ -19880,9 +19841,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_gen.c.fips openssl-1.0.1c/crypto/rsa/rsa_ ok=1; err: if (ok == -1) -diff -up openssl-1.0.1c/crypto/rsa/rsa.h.fips openssl-1.0.1c/crypto/rsa/rsa.h ---- openssl-1.0.1c/crypto/rsa/rsa.h.fips 2012-07-12 21:49:25.093346772 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa.h 2012-07-12 21:49:25.349352531 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa.h.fips openssl-1.0.1e/crypto/rsa/rsa.h +--- openssl-1.0.1e/crypto/rsa/rsa.h.fips 2013-02-19 12:47:33.485113710 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa.h 2013-02-19 12:47:33.746119015 +0100 @@ -164,6 +164,8 @@ struct rsa_st # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 #endif @@ -19967,9 +19928,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa.h.fips openssl-1.0.1c/crypto/rsa/rsa.h #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 #define RSA_R_PADDING_CHECK_FAILED 114 #define RSA_R_P_NOT_PRIME 128 -diff -up openssl-1.0.1c/crypto/rsa/rsa_lib.c.fips openssl-1.0.1c/crypto/rsa/rsa_lib.c ---- openssl-1.0.1c/crypto/rsa/rsa_lib.c.fips 2011-06-20 21:41:13.000000000 +0200 -+++ openssl-1.0.1c/crypto/rsa/rsa_lib.c 2012-07-12 21:49:25.349352531 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips openssl-1.0.1e/crypto/rsa/rsa_lib.c +--- openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_lib.c 2013-02-19 12:47:33.746119015 +0100 @@ -84,6 +84,13 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -20045,9 +20006,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_lib.c.fips openssl-1.0.1c/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.0.1c/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1c/crypto/rsa/rsa_pmeth.c ---- openssl-1.0.1c/crypto/rsa/rsa_pmeth.c.fips 2012-02-15 15:14:01.000000000 +0100 -+++ openssl-1.0.1c/crypto/rsa/rsa_pmeth.c 2012-07-12 21:49:25.349352531 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1e/crypto/rsa/rsa_pmeth.c +--- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-02-19 12:47:33.746119015 +0100 @@ -206,22 +206,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c RSA_R_INVALID_DIGEST_LENGTH); return -1; @@ -20091,9 +20052,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1c/crypto/rsa/rs if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); -diff -up openssl-1.0.1c/crypto/rsa/rsa_sign.c.fips openssl-1.0.1c/crypto/rsa/rsa_sign.c ---- openssl-1.0.1c/crypto/rsa/rsa_sign.c.fips 2012-02-15 15:00:09.000000000 +0100 -+++ openssl-1.0.1c/crypto/rsa/rsa_sign.c 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips openssl-1.0.1e/crypto/rsa/rsa_sign.c +--- openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_sign.c 2013-02-19 12:47:33.747119035 +0100 @@ -138,7 +138,8 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig,&p); s=tmps; @@ -20125,9 +20086,9 @@ diff -up openssl-1.0.1c/crypto/rsa/rsa_sign.c.fips openssl-1.0.1c/crypto/rsa/rsa if (i <= 0) goto err; /* Oddball MDC2 case: signature can be OCTET STRING. -diff -up openssl-1.0.1c/crypto/sha/sha256.c.fips openssl-1.0.1c/crypto/sha/sha256.c ---- openssl-1.0.1c/crypto/sha/sha256.c.fips 2011-06-01 15:39:44.000000000 +0200 -+++ openssl-1.0.1c/crypto/sha/sha256.c 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/sha/sha256.c.fips openssl-1.0.1e/crypto/sha/sha256.c +--- openssl-1.0.1e/crypto/sha/sha256.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/sha/sha256.c 2013-02-19 12:47:33.747119035 +0100 @@ -12,12 +12,19 @@ #include @@ -20158,9 +20119,9 @@ diff -up openssl-1.0.1c/crypto/sha/sha256.c.fips openssl-1.0.1c/crypto/sha/sha25 memset (c,0,sizeof(*c)); c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL; c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; -diff -up openssl-1.0.1c/crypto/sha/sha512.c.fips openssl-1.0.1c/crypto/sha/sha512.c ---- openssl-1.0.1c/crypto/sha/sha512.c.fips 2011-11-14 21:58:01.000000000 +0100 -+++ openssl-1.0.1c/crypto/sha/sha512.c 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/sha/sha512.c.fips openssl-1.0.1e/crypto/sha/sha512.c +--- openssl-1.0.1e/crypto/sha/sha512.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/sha/sha512.c 2013-02-19 12:47:33.747119035 +0100 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -20192,9 +20153,9 @@ diff -up openssl-1.0.1c/crypto/sha/sha512.c.fips openssl-1.0.1c/crypto/sha/sha51 c->h[0]=U64(0x6a09e667f3bcc908); c->h[1]=U64(0xbb67ae8584caa73b); c->h[2]=U64(0x3c6ef372fe94f82b); -diff -up openssl-1.0.1c/crypto/sha/sha.h.fips openssl-1.0.1c/crypto/sha/sha.h ---- openssl-1.0.1c/crypto/sha/sha.h.fips 2012-07-12 21:49:24.581335255 +0200 -+++ openssl-1.0.1c/crypto/sha/sha.h 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/sha/sha.h.fips openssl-1.0.1e/crypto/sha/sha.h +--- openssl-1.0.1e/crypto/sha/sha.h.fips 2013-02-19 12:47:32.986103568 +0100 ++++ openssl-1.0.1e/crypto/sha/sha.h 2013-02-19 12:47:33.747119035 +0100 @@ -116,9 +116,6 @@ unsigned char *SHA(const unsigned char * void SHA_Transform(SHA_CTX *c, const unsigned char *data); #endif @@ -20227,9 +20188,9 @@ diff -up openssl-1.0.1c/crypto/sha/sha.h.fips openssl-1.0.1c/crypto/sha/sha.h int SHA384_Init(SHA512_CTX *c); int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); int SHA384_Final(unsigned char *md, SHA512_CTX *c); -diff -up openssl-1.0.1c/crypto/sha/sha_locl.h.fips openssl-1.0.1c/crypto/sha/sha_locl.h ---- openssl-1.0.1c/crypto/sha/sha_locl.h.fips 2012-07-12 21:49:24.587335390 +0200 -+++ openssl-1.0.1c/crypto/sha/sha_locl.h 2012-07-12 21:49:25.350352553 +0200 +diff -up openssl-1.0.1e/crypto/sha/sha_locl.h.fips openssl-1.0.1e/crypto/sha/sha_locl.h +--- openssl-1.0.1e/crypto/sha/sha_locl.h.fips 2013-02-19 12:47:32.991103670 +0100 ++++ openssl-1.0.1e/crypto/sha/sha_locl.h 2013-02-19 12:47:33.747119035 +0100 @@ -123,11 +123,14 @@ void sha1_block_data_order (SHA_CTX *c, #define INIT_DATA_h4 0xc3d2e1f0UL @@ -20246,9 +20207,9 @@ diff -up openssl-1.0.1c/crypto/sha/sha_locl.h.fips openssl-1.0.1c/crypto/sha/sha memset (c,0,sizeof(*c)); c->h0=INIT_DATA_h0; c->h1=INIT_DATA_h1; -diff -up openssl-1.0.1c/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1c/crypto/whrlpool/wp_dgst.c ---- openssl-1.0.1c/crypto/whrlpool/wp_dgst.c.fips 2011-06-01 15:39:45.000000000 +0200 -+++ openssl-1.0.1c/crypto/whrlpool/wp_dgst.c 2012-07-12 21:49:25.351352575 +0200 +diff -up openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1e/crypto/whrlpool/wp_dgst.c +--- openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/whrlpool/wp_dgst.c 2013-02-19 12:47:33.748119055 +0100 @@ -55,7 +55,7 @@ #include #include @@ -20258,9 +20219,9 @@ diff -up openssl-1.0.1c/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1c/crypto/whr { memset (c,0,sizeof(*c)); return(1); -diff -up openssl-1.0.1c/Makefile.org.fips openssl-1.0.1c/Makefile.org ---- openssl-1.0.1c/Makefile.org.fips 2012-07-12 21:49:25.285351091 +0200 -+++ openssl-1.0.1c/Makefile.org 2012-07-12 21:49:25.351352575 +0200 +diff -up openssl-1.0.1e/Makefile.org.fips openssl-1.0.1e/Makefile.org +--- openssl-1.0.1e/Makefile.org.fips 2013-02-19 12:47:33.678117634 +0100 ++++ openssl-1.0.1e/Makefile.org 2013-02-19 12:47:33.748119055 +0100 @@ -136,6 +136,9 @@ FIPSCANLIB= BASEADDR= @@ -20288,9 +20249,9 @@ diff -up openssl-1.0.1c/Makefile.org.fips openssl-1.0.1c/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.1c/ssl/ssl_algs.c.fips openssl-1.0.1c/ssl/ssl_algs.c ---- openssl-1.0.1c/ssl/ssl_algs.c.fips 2012-01-15 14:42:50.000000000 +0100 -+++ openssl-1.0.1c/ssl/ssl_algs.c 2012-07-12 21:49:25.351352575 +0200 +diff -up openssl-1.0.1e/ssl/ssl_algs.c.fips openssl-1.0.1e/ssl/ssl_algs.c +--- openssl-1.0.1e/ssl/ssl_algs.c.fips 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/ssl_algs.c 2013-02-19 12:47:33.748119055 +0100 @@ -64,6 +64,12 @@ int SSL_library_init(void) { @@ -20304,7 +20265,7 @@ diff -up openssl-1.0.1c/ssl/ssl_algs.c.fips openssl-1.0.1c/ssl/ssl_algs.c #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cbc()); EVP_add_cipher(EVP_des_ede3_cbc()); -@@ -136,6 +142,50 @@ int SSL_library_init(void) +@@ -137,6 +143,50 @@ int SSL_library_init(void) EVP_add_digest(EVP_sha()); EVP_add_digest(EVP_dss()); #endif diff --git a/openssl-1.0.1e-issuer-hash.patch b/openssl-1.0.1e-issuer-hash.patch new file mode 100644 index 0000000..0f3bfdb --- /dev/null +++ b/openssl-1.0.1e-issuer-hash.patch @@ -0,0 +1,11 @@ +diff -up openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1e/crypto/x509/x509_cmp.c +--- openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/x509_cmp.c 2013-02-19 12:46:11.315788592 +0100 +@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has + char *f; + + EVP_MD_CTX_init(&ctx); ++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); + if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) + goto err; diff --git a/openssl-1.0.1c-secure-getenv.patch b/openssl-1.0.1e-secure-getenv.patch similarity index 66% rename from openssl-1.0.1c-secure-getenv.patch rename to openssl-1.0.1e-secure-getenv.patch index 8338fb4..eb8034d 100644 --- a/openssl-1.0.1c-secure-getenv.patch +++ b/openssl-1.0.1e-secure-getenv.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c ---- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv 2011-09-02 13:20:32.000000000 +0200 -+++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-09-10 20:20:24.803968961 +0200 +diff -up openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_api.c +--- openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/conf/conf_api.c 2013-02-19 13:02:02.531188124 +0100 @@ -63,6 +63,8 @@ # define NDEBUG #endif @@ -28,9 +28,9 @@ diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/cryp } #if 0 /* There's no way to provide error checking with this function, so -diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c ---- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv 2008-11-05 19:38:55.000000000 +0100 -+++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-09-10 20:22:46.228970661 +0200 +diff -up openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_mod.c +--- openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/conf/conf_mod.c 2013-02-19 13:02:02.531188124 +0100 @@ -56,6 +56,8 @@ * */ @@ -51,9 +51,9 @@ diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/cryp return BUF_strdup(file); len = strlen(X509_get_default_cert_area()); -diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c ---- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv 2010-03-27 19:28:13.000000000 +0100 -+++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-09-10 20:20:46.106452027 +0200 +diff -up openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1e/crypto/engine/eng_list.c +--- openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/engine/eng_list.c 2013-02-19 13:02:02.536188233 +0100 @@ -61,6 +61,8 @@ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ @@ -75,9 +75,9 @@ diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/cr #endif iterator = ENGINE_by_id("dynamic"); if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || -diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c ---- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-09-10 20:10:26.079391932 +0200 -+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-09-10 20:20:31.383118153 +0200 +diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1e/crypto/md5/md5_dgst.c +--- openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv 2013-02-19 13:02:02.492187275 +0100 ++++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 13:02:02.537188254 +0100 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ @@ -96,9 +96,9 @@ diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypt OpenSSLDie(__FILE__, __LINE__, \ "Digest MD5 forbidden in FIPS mode!"); return private_MD5_Init(c); -diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c ---- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-09-10 20:10:26.066391638 +0200 -+++ openssl-1.0.1c/crypto/o_init.c 2012-09-10 20:23:27.634908822 +0200 +diff -up openssl-1.0.1e/crypto/o_init.c.secure-getenv openssl-1.0.1e/crypto/o_init.c +--- openssl-1.0.1e/crypto/o_init.c.secure-getenv 2013-02-19 13:02:02.428185882 +0100 ++++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 13:02:02.538188276 +0100 @@ -52,6 +52,8 @@ * */ @@ -117,19 +117,19 @@ diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_in { buf[0] = '1'; } -diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c ---- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv 2012-01-15 14:40:21.000000000 +0100 -+++ openssl-1.0.1c/crypto/rand/randfile.c 2012-09-10 20:20:40.708329617 +0200 -@@ -58,6 +58,8 @@ - - /* We need to define this to get macros like S_IFBLK and S_IFCHR */ +diff -up openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv openssl-1.0.1e/crypto/rand/randfile.c +--- openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rand/randfile.c 2013-02-19 13:03:06.971591052 +0100 +@@ -60,6 +60,8 @@ + #if !defined(OPENSSL_SYS_VXWORKS) #define _XOPEN_SOURCE 500 + #endif +/* for secure_getenv */ +#define _GNU_SOURCE #include #include -@@ -275,8 +277,7 @@ const char *RAND_file_name(char *buf, si +@@ -277,8 +279,7 @@ const char *RAND_file_name(char *buf, si struct stat sb; #endif @@ -139,7 +139,7 @@ diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/cryp if (s != NULL && *s && strlen(s) + 1 < size) { if (BUF_strlcpy(buf,s,size) >= size) -@@ -284,8 +285,7 @@ const char *RAND_file_name(char *buf, si +@@ -286,8 +287,7 @@ const char *RAND_file_name(char *buf, si } else { @@ -149,9 +149,9 @@ diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/cryp #ifdef DEFAULT_HOME if (s == NULL) { -diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c ---- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv 2010-02-19 19:26:23.000000000 +0100 -+++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-09-10 20:21:16.641144451 +0200 +diff -up openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1e/crypto/x509/by_dir.c +--- openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/by_dir.c 2013-02-19 13:02:02.539188298 +0100 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ @@ -170,9 +170,9 @@ diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto if (dir) ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); else -diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c ---- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-09-10 20:10:26.016390503 +0200 -+++ openssl-1.0.1c/crypto/x509/by_file.c 2012-09-10 20:21:07.748942806 +0200 +diff -up openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv openssl-1.0.1e/crypto/x509/by_file.c +--- openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv 2013-02-19 13:02:02.236181701 +0100 ++++ openssl-1.0.1e/crypto/x509/by_file.c 2013-02-19 13:02:02.554188624 +0100 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ @@ -191,9 +191,9 @@ diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypt if (file) ok = (X509_load_cert_crl_file(ctx,file, X509_FILETYPE_PEM) != 0); -diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c ---- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv 2011-09-23 15:39:35.000000000 +0200 -+++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-09-10 20:20:55.951675283 +0200 +diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1e/crypto/x509/x509_vfy.c +--- openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-02-19 13:02:02.556188668 +0100 @@ -56,6 +56,8 @@ * [including the GNU Public Licence.] */ @@ -212,9 +212,9 @@ diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/cryp allow_proxy_certs = 1; purpose = ctx->param->purpose; } -diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c ---- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv 2008-03-16 22:05:44.000000000 +0100 -+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-09-10 20:21:26.759373897 +0200 +diff -up openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1e/engines/ccgost/gost_ctl.c +--- openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/engines/ccgost/gost_ctl.c 2013-02-19 13:02:02.557188690 +0100 @@ -6,6 +6,8 @@ * Implementation of control commands for GOST engine * * OpenSSL 0.9.9 libraries required * diff --git a/openssl.spec b/openssl.spec index b5352e3..5b132f0 100644 --- a/openssl.spec +++ b/openssl.spec @@ -20,9 +20,9 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.1c +Version: 1.0.1e # Do not forget to bump SHLIB_VERSION on version upgrades -Release: 12%{?dist} +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -47,7 +47,7 @@ Patch8: openssl-1.0.1c-perlfind.patch Patch9: openssl-1.0.1c-aliasing.patch # Bug fixes Patch23: openssl-1.0.1c-default-paths.patch -Patch24: openssl-1.0.1c-issuer-hash.patch +Patch24: openssl-1.0.1e-issuer-hash.patch # Functionality changes Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch @@ -55,7 +55,7 @@ Patch35: openssl-0.9.8j-version-add-engines.patch Patch36: openssl-1.0.0e-doc-noeof.patch Patch38: openssl-1.0.1-beta2-ssl-op-all.patch Patch39: openssl-1.0.1c-ipv6-apps.patch -Patch40: openssl-1.0.1c-fips.patch +Patch40: openssl-1.0.1e-fips.patch Patch45: openssl-0.9.8j-env-nozlib.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch49: openssl-1.0.1a-algo-doc.patch @@ -67,16 +67,11 @@ Patch60: openssl-1.0.0d-apps-dgst.patch Patch63: openssl-1.0.0d-xmpp-starttls.patch Patch65: openssl-1.0.0e-chil-fixes.patch Patch66: openssl-1.0.1-pkgconfig-krb5.patch -Patch67: openssl-1.0.0-fips-pkcs8.patch -Patch68: openssl-1.0.1c-secure-getenv.patch +Patch68: openssl-1.0.1e-secure-getenv.patch Patch69: openssl-1.0.1c-dh-1024.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch -Patch82: openssl-1.0.1c-backports.patch -Patch83: openssl-1.0.1c-ccm-init-str.patch -Patch84: openssl-1.0.1c-backports2.patch -Patch85: openssl-1.0.1c-manfix.patch -Patch86: openssl-1.0.1c-verify-error.patch +Patch82: openssl-1.0.1e-backports.patch License: OpenSSL Group: System Environment/Libraries @@ -175,16 +170,11 @@ from other formats to the formats used by the OpenSSL toolkit. %patch63 -p1 -b .starttls %patch65 -p1 -b .chil %patch66 -p1 -b .krb5 -%patch67 -p1 -b .pkcs8 %patch68 -p1 -b .secure-getenv %patch69 -p1 -b .dh1024 %patch81 -p1 -b .padlock64 %patch82 -p1 -b .backports -%patch83 -p1 -b .init-str -%patch84 -p1 -b .backports2 -%patch85 -p1 -b .manfix -%patch86 -p1 -b .verify # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -440,6 +430,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Tue Feb 19 2013 Tomas Mraz 1.0.1e-1 +- new upstream version + * Wed Jan 30 2013 Tomas Mraz 1.0.1c-12 - more fixes from upstream - fix errors in manual causing build failure (#904777) diff --git a/sources b/sources index ed53453..f4ba3a1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3b75bb21452767ed1779fbce32625b95 openssl-1.0.1c-usa.tar.xz +641677c116865e60601677329b514e2d openssl-1.0.1e-usa.tar.xz