Accepting request 874306 from security:tls

OBS-URL: https://build.opensuse.org/request/show/874306 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=21
2021-03-03 17:33:24 +00:00 · 2021-03-03 17:33:24 +00:00 · 9548fda780
commit 9548fda780
parent e594dc44e4 a13839c7c6
13 changed files with 794 additions and 492 deletions
--- a/openssl-1.1.0-issuer-hash.patch
+++ b/openssl-1.1.0-issuer-hash.patch
@ -1,12 +1,12 @@
-Index: openssl-1.1.1d/crypto/x509/x509_cmp.c
+Index: openssl-1.1.1j/crypto/x509/x509_cmp.c
 ===================================================================
--- openssl-1.1.1d.orig/crypto/x509/x509_cmp.c	2019-09-10 15:13:07.000000000 +0200
+--- openssl-1.1.1j.orig/crypto/x509/x509_cmp.c
-+++ openssl-1.1.1d/crypto/x509/x509_cmp.c	2020-01-23 13:45:11.404634047 +0100
+++ openssl-1.1.1j/crypto/x509/x509_cmp.c
@@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has
     if (ctx == NULL)
         goto err;
 +    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
     f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
-     if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
+     if (f == NULL)
         goto err;
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@ -1,8 +1,8 @@
-Index: openssl-1.1.1e/crypto/err/openssl.txt
+Index: openssl-1.1.1j/crypto/err/openssl.txt
 ===================================================================
--- openssl-1.1.1e.orig/crypto/err/openssl.txt	2020-03-20 14:37:07.940876078 +0100
+--- openssl-1.1.1j.orig/crypto/err/openssl.txt
-+++ openssl-1.1.1e/crypto/err/openssl.txt	2020-03-20 16:12:06.574822921 +0100
+++ openssl-1.1.1j/crypto/err/openssl.txt
-@@ -753,6 +753,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
+@@ -754,6 +754,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
 EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
 EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
 EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
@ -12,7 +12,7 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt
 EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
 EVP_F_EVP_MD_SIZE:162:EVP_MD_size
 EVP_F_EVP_OPENINIT:102:EVP_OpenInit
-@@ -815,12 +818,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
+@@ -816,12 +819,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
 EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
 EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
 EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
@ -44,7 +44,7 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt
 KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
 KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
 KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
-@@ -832,6 +854,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
+@@ -833,6 +855,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
 KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
 KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
 KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
@ -52,15 +52,15 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt
 KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
 OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
 OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
-@@ -2284,6 +2307,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
+@@ -2290,6 +2313,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
 EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
 	operation not supported for this keytype
 EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
 +EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
 EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow
 EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
 EVP_R_PBKDF2_ERROR:181:pbkdf2 error
- EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
+@@ -2327,6 +2351,7 @@ KDF_R_MISSING_SEED:106:missing seed
@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed
 KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
 KDF_R_VALUE_ERROR:108:value error
 KDF_R_VALUE_MISSING:102:value missing
@ -68,10 +68,10 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt
 OBJ_R_OID_EXISTS:102:oid exists
 OBJ_R_UNKNOWN_NID:101:unknown nid
 OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
-Index: openssl-1.1.1e/crypto/evp/build.info
+Index: openssl-1.1.1j/crypto/evp/build.info
 ===================================================================
--- openssl-1.1.1e.orig/crypto/evp/build.info	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/evp/build.info
-+++ openssl-1.1.1e/crypto/evp/build.info	2020-03-20 14:37:08.204877468 +0100
+++ openssl-1.1.1j/crypto/evp/build.info
@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
         p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
         bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
@ -82,10 +82,10 @@ Index: openssl-1.1.1e/crypto/evp/build.info
         e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
         e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
         e_chacha20_poly1305.c cmeth_lib.c
-Index: openssl-1.1.1e/crypto/evp/evp_err.c
+Index: openssl-1.1.1j/crypto/evp/evp_err.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/evp/evp_err.c	2020-03-20 14:37:08.036876583 +0100
+--- openssl-1.1.1j.orig/crypto/evp/evp_err.c
-+++ openssl-1.1.1e/crypto/evp/evp_err.c	2020-03-20 14:37:08.204877468 +0100
+++ openssl-1.1.1j/crypto/evp/evp_err.c
@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
      "EVP_EncryptFinal_ex"},
@ -117,13 +117,13 @@ Index: openssl-1.1.1e/crypto/evp/evp_err.c
     "operaton not initialized"},
 +    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
 +    "parameter too large"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
     "output would overflow"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
-     "partially overlapping buffers"},
+Index: openssl-1.1.1j/crypto/evp/evp_local.h
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
 Index: openssl-1.1.1e/crypto/evp/evp_local.h
 ===================================================================
--- openssl-1.1.1e.orig/crypto/evp/evp_local.h	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/evp/evp_local.h
-+++ openssl-1.1.1e/crypto/evp/evp_local.h	2020-03-20 16:12:26.722928201 +0100
+++ openssl-1.1.1j/crypto/evp/evp_local.h
@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st {
     unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
 } /* EVP_CIPHER_CTX */ ;
@ -136,10 +136,10 @@ Index: openssl-1.1.1e/crypto/evp/evp_local.h
 int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
                              int passlen, ASN1_TYPE *param,
                              const EVP_CIPHER *c, const EVP_MD *md,
-Index: openssl-1.1.1e/crypto/evp/evp_pbe.c
+Index: openssl-1.1.1j/crypto/evp/evp_pbe.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/evp/evp_pbe.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/evp/evp_pbe.c
-+++ openssl-1.1.1e/crypto/evp/evp_pbe.c	2020-03-20 14:37:08.204877468 +0100
+++ openssl-1.1.1j/crypto/evp/evp_pbe.c
@@ -12,6 +12,7 @@
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
@ -148,10 +148,10 @@ Index: openssl-1.1.1e/crypto/evp/evp_pbe.c
 #include "evp_local.h"
 /* Password based encryption (PBE) functions */
-Index: openssl-1.1.1e/crypto/evp/kdf_lib.c
+Index: openssl-1.1.1j/crypto/evp/kdf_lib.c
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/crypto/evp/kdf_lib.c	2020-03-20 16:12:06.574822921 +0100
+++ openssl-1.1.1j/crypto/evp/kdf_lib.c
@@ -0,0 +1,165 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -318,10 +318,10 @@ Index: openssl-1.1.1e/crypto/evp/kdf_lib.c
 +    return ctx->kmeth->derive(ctx->impl, key, keylen);
 +}
 +
-Index: openssl-1.1.1e/crypto/evp/p5_crpt2.c
+Index: openssl-1.1.1j/crypto/evp/p5_crpt2.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/evp/p5_crpt2.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/evp/p5_crpt2.c
-+++ openssl-1.1.1e/crypto/evp/p5_crpt2.c	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/crypto/evp/p5_crpt2.c
@@ -1,5 +1,5 @@
 /*
 - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
@ -470,10 +470,10 @@ Index: openssl-1.1.1e/crypto/evp/p5_crpt2.c
 }
 int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
-Index: openssl-1.1.1e/crypto/evp/pbe_scrypt.c
+Index: openssl-1.1.1j/crypto/evp/pbe_scrypt.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/evp/pbe_scrypt.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/evp/pbe_scrypt.c
-+++ openssl-1.1.1e/crypto/evp/pbe_scrypt.c	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c
@@ -7,135 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
@ -744,10 +744,10 @@ Index: openssl-1.1.1e/crypto/evp/pbe_scrypt.c
 }
 +
 #endif
-Index: openssl-1.1.1e/crypto/evp/pkey_kdf.c
+Index: openssl-1.1.1j/crypto/evp/pkey_kdf.c
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/crypto/evp/pkey_kdf.c	2020-03-20 16:11:56.326769377 +0100
+++ openssl-1.1.1j/crypto/evp/pkey_kdf.c
@@ -0,0 +1,255 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1004,10 +1004,10 @@ Index: openssl-1.1.1e/crypto/evp/pkey_kdf.c
 +    pkey_kdf_ctrl_str
 +};
 +
-Index: openssl-1.1.1e/include/crypto/evp.h
+Index: openssl-1.1.1j/include/crypto/evp.h
 ===================================================================
--- openssl-1.1.1e.orig/include/crypto/evp.h	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/include/crypto/evp.h
-+++ openssl-1.1.1e/include/crypto/evp.h	2020-03-20 16:12:06.574822921 +0100
+++ openssl-1.1.1j/include/crypto/evp.h
@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
 extern const EVP_PKEY_METHOD poly1305_pkey_meth;
 extern const EVP_PKEY_METHOD siphash_pkey_meth;
@ -1033,19 +1033,19 @@ Index: openssl-1.1.1e/include/crypto/evp.h
 struct evp_md_st {
     int type;
     int pkey_type;
-Index: openssl-1.1.1e/crypto/kdf/build.info
+Index: openssl-1.1.1j/crypto/kdf/build.info
 ===================================================================
--- openssl-1.1.1e.orig/crypto/kdf/build.info	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/build.info
-+++ openssl-1.1.1e/crypto/kdf/build.info	2020-03-20 16:12:06.574822921 +0100
+++ openssl-1.1.1j/crypto/kdf/build.info
@@ -1,3 +1,3 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=\
 -        tls1_prf.c kdf_err.c hkdf.c scrypt.c
 +        tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
-Index: openssl-1.1.1e/crypto/kdf/hkdf.c
+Index: openssl-1.1.1j/crypto/kdf/hkdf.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/kdf/hkdf.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/hkdf.c
-+++ openssl-1.1.1e/crypto/kdf/hkdf.c	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/crypto/kdf/hkdf.c
@@ -8,32 +8,33 @@
  */
@ -1512,10 +1512,10 @@ Index: openssl-1.1.1e/crypto/kdf/hkdf.c
  err:
     OPENSSL_cleanse(prev, sizeof(prev));
-Index: openssl-1.1.1e/crypto/kdf/kdf_err.c
+Index: openssl-1.1.1j/crypto/kdf/kdf_err.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/kdf/kdf_err.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/kdf_err.c
-+++ openssl-1.1.1e/crypto/kdf/kdf_err.c	2020-03-20 16:12:06.574822921 +0100
+++ openssl-1.1.1j/crypto/kdf/kdf_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
@ -1571,10 +1571,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_err.c
     {0, NULL}
 };
-Index: openssl-1.1.1e/crypto/kdf/kdf_local.h
+Index: openssl-1.1.1j/crypto/kdf/kdf_local.h
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/crypto/kdf/kdf_local.h	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/crypto/kdf/kdf_local.h
@@ -0,0 +1,22 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1598,10 +1598,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_local.h
 +                int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
 +                int cmd, const char *md_name);
 +
-Index: openssl-1.1.1e/crypto/kdf/kdf_util.c
+Index: openssl-1.1.1j/crypto/kdf/kdf_util.c
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/crypto/kdf/kdf_util.c	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/crypto/kdf/kdf_util.c
@@ -0,0 +1,73 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1676,10 +1676,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_util.c
 +    return call_ctrl(ctrl, impl, cmd, md);
 +}
 +
-Index: openssl-1.1.1e/crypto/kdf/pbkdf2.c
+Index: openssl-1.1.1j/crypto/kdf/pbkdf2.c
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/crypto/kdf/pbkdf2.c	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/crypto/kdf/pbkdf2.c
@@ -0,0 +1,264 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1945,10 +1945,10 @@ Index: openssl-1.1.1e/crypto/kdf/pbkdf2.c
 +    HMAC_CTX_free(hctx_tpl);
 +    return ret;
 +}
-Index: openssl-1.1.1e/crypto/kdf/scrypt.c
+Index: openssl-1.1.1j/crypto/kdf/scrypt.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/kdf/scrypt.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/scrypt.c
-+++ openssl-1.1.1e/crypto/kdf/scrypt.c	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/crypto/kdf/scrypt.c
@@ -8,25 +8,34 @@
  */
@ -2537,10 +2537,10 @@ Index: openssl-1.1.1e/crypto/kdf/scrypt.c
 +}
 #endif
-Index: openssl-1.1.1e/crypto/kdf/tls1_prf.c
+Index: openssl-1.1.1j/crypto/kdf/tls1_prf.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/kdf/tls1_prf.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/tls1_prf.c
-+++ openssl-1.1.1e/crypto/kdf/tls1_prf.c	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/crypto/kdf/tls1_prf.c
@@ -8,11 +8,15 @@
  */
@ -2824,10 +2824,10 @@ Index: openssl-1.1.1e/crypto/kdf/tls1_prf.c
             OPENSSL_clear_free(tmp, olen);
             return 0;
         }
-Index: openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod
+Index: openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod
@@ -0,0 +1,217 @@
 +=pod
 +
@ -3046,10 +3046,10 @@ Index: openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod
+Index: openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod
@@ -0,0 +1,180 @@
 +=pod
 +
@ -3231,10 +3231,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod
+Index: openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod
@@ -0,0 +1,78 @@
 +=pod
 +
@ -3314,10 +3314,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod
+Index: openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod
@@ -0,0 +1,149 @@
 +=pod
 +
@ -3468,10 +3468,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod
+Index: openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod
@@ -0,0 +1,142 @@
 +=pod
 +
@ -3615,11 +3615,11 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/include/openssl/evperr.h
+Index: openssl-1.1.1j/include/openssl/evperr.h
 ===================================================================
--- openssl-1.1.1e.orig/include/openssl/evperr.h	2020-03-20 14:37:08.084876835 +0100
+--- openssl-1.1.1j.orig/include/openssl/evperr.h
-+++ openssl-1.1.1e/include/openssl/evperr.h	2020-03-20 14:37:08.208877488 +0100
+++ openssl-1.1.1j/include/openssl/evperr.h
-@@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void);
+@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void);
 # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE                   219
 # define EVP_F_EVP_ENCRYPTFINAL_EX                        127
 # define EVP_F_EVP_ENCRYPTUPDATE                          167
@ -3629,7 +3629,7 @@ Index: openssl-1.1.1e/include/openssl/evperr.h
 # define EVP_F_EVP_MD_CTX_COPY_EX                         110
 # define EVP_F_EVP_MD_SIZE                                162
 # define EVP_F_EVP_OPENINIT                               102
-@@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void);
+@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void);
 # define EVP_F_PKCS5_V2_PBE_KEYIVGEN                      118
 # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN                   164
 # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN                   180
@ -3643,18 +3643,18 @@ Index: openssl-1.1.1e/include/openssl/evperr.h
 # define EVP_F_UPDATE                                     173
 /*
-@@ -181,6 +186,7 @@ int ERR_load_EVP_strings(void);
+@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_ONLY_ONESHOT_SUPPORTED                     177
 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   150
 # define EVP_R_OPERATON_NOT_INITIALIZED                   151
 +# define EVP_R_PARAMETER_TOO_LARGE                        187
 # define EVP_R_OUTPUT_WOULD_OVERFLOW                      184
 # define EVP_R_PARTIALLY_OVERLAPPING                      162
 # define EVP_R_PBKDF2_ERROR                               181
- # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
+Index: openssl-1.1.1j/include/openssl/kdferr.h
 Index: openssl-1.1.1e/include/openssl/kdferr.h
 ===================================================================
--- openssl-1.1.1e.orig/include/openssl/kdferr.h	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/include/openssl/kdferr.h
-+++ openssl-1.1.1e/include/openssl/kdferr.h	2020-03-20 16:12:06.574822921 +0100
+++ openssl-1.1.1j/include/openssl/kdferr.h
@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
 /*
  * KDF function codes.
@ -3694,10 +3694,10 @@ Index: openssl-1.1.1e/include/openssl/kdferr.h
 +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE                   112
 #endif
-Index: openssl-1.1.1e/include/openssl/kdf.h
+Index: openssl-1.1.1j/include/openssl/kdf.h
 ===================================================================
--- openssl-1.1.1e.orig/include/openssl/kdf.h	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/include/openssl/kdf.h
-+++ openssl-1.1.1e/include/openssl/kdf.h	2020-03-20 16:12:06.574822921 +0100
+++ openssl-1.1.1j/include/openssl/kdf.h
@@ -10,10 +10,50 @@
 #ifndef HEADER_KDF_H
 # define HEADER_KDF_H
@ -3776,10 +3776,10 @@ Index: openssl-1.1.1e/include/openssl/kdf.h
 }
 # endif
 #endif
-Index: openssl-1.1.1e/include/openssl/ossl_typ.h
+Index: openssl-1.1.1j/include/openssl/ossl_typ.h
 ===================================================================
--- openssl-1.1.1e.orig/include/openssl/ossl_typ.h	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/include/openssl/ossl_typ.h
-+++ openssl-1.1.1e/include/openssl/ossl_typ.h	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/include/openssl/ossl_typ.h
@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
 typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
 typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
@ -3789,10 +3789,10 @@ Index: openssl-1.1.1e/include/openssl/ossl_typ.h
 typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
 typedef struct hmac_ctx_st HMAC_CTX;
-Index: openssl-1.1.1e/test/build.info
+Index: openssl-1.1.1j/test/build.info
 ===================================================================
--- openssl-1.1.1e.orig/test/build.info	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/test/build.info
-+++ openssl-1.1.1e/test/build.info	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/test/build.info
@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
           ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
           bio_callback_test bio_memleak_test \
@ -3814,10 +3814,10 @@ Index: openssl-1.1.1e/test/build.info
   SOURCE[x509_time_test]=x509_time_test.c
   INCLUDE[x509_time_test]=../include
   DEPEND[x509_time_test]=../libcrypto libtestutil.a
-Index: openssl-1.1.1e/test/evp_kdf_test.c
+Index: openssl-1.1.1j/test/evp_kdf_test.c
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/test/evp_kdf_test.c	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/test/evp_kdf_test.c
@@ -0,0 +1,237 @@
 +/*
 + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
@ -4056,10 +4056,10 @@ Index: openssl-1.1.1e/test/evp_kdf_test.c
 +#endif
 +    return 1;
 +}
-Index: openssl-1.1.1e/test/evp_test.c
+Index: openssl-1.1.1j/test/evp_test.c
 ===================================================================
--- openssl-1.1.1e.orig/test/evp_test.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/test/evp_test.c
-+++ openssl-1.1.1e/test/evp_test.c	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/test/evp_test.c
@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
     encode_test_run,
 };
@ -4271,10 +4271,10 @@ Index: openssl-1.1.1e/test/evp_test.c
     &keypair_test_method,
     &keygen_test_method,
     &mac_test_method,
-Index: openssl-1.1.1e/test/pkey_meth_kdf_test.c
+Index: openssl-1.1.1j/test/pkey_meth_kdf_test.c
 ===================================================================
--- openssl-1.1.1e.orig/test/pkey_meth_kdf_test.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/test/pkey_meth_kdf_test.c
-+++ openssl-1.1.1e/test/pkey_meth_kdf_test.c	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/test/pkey_meth_kdf_test.c
@@ -1,5 +1,5 @@
 /*
 - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
@ -4478,10 +4478,10 @@ Index: openssl-1.1.1e/test/pkey_meth_kdf_test.c
 }
 #endif
-Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt
+Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
 ===================================================================
--- openssl-1.1.1e.orig/test/recipes/30-test_evp_data/evpkdf.txt	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/test/recipes/30-test_evp_data/evpkdf.txt
-+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt	2020-03-20 16:12:06.574822921 +0100
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
@@ -1,5 +1,5 @@
 #
 -# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
@ -4880,10 +4880,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt
 +Ctrl.digest = digest:sha512
 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14
 +
-Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt
+Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt
@@ -0,0 +1,305 @@
 +#
 +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
@ -5190,10 +5190,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt
 +Ctrl.p = p:1
 +Result = INTERNAL_ERROR
 +
-Index: openssl-1.1.1e/test/recipes/30-test_evp_kdf.t
+Index: openssl-1.1.1j/test/recipes/30-test_evp_kdf.t
 ===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+--- /dev/null
-+++ openssl-1.1.1e/test/recipes/30-test_evp_kdf.t	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t
@@ -0,0 +1,13 @@
 +#! /usr/bin/env perl
 +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -5208,10 +5208,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_kdf.t
 +use OpenSSL::Test::Simple;
 +
 +simple_test("test_evp_kdf", "evp_kdf_test");
-Index: openssl-1.1.1e/test/recipes/30-test_evp.t
+Index: openssl-1.1.1j/test/recipes/30-test_evp.t
 ===================================================================
--- openssl-1.1.1e.orig/test/recipes/30-test_evp.t	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/test/recipes/30-test_evp.t
-+++ openssl-1.1.1e/test/recipes/30-test_evp.t	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/test/recipes/30-test_evp.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
 setup("test_evp");
@ -5221,11 +5221,11 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp.t
     "evpcase.txt", "evpccmcavs.txt" );
 plan tests => scalar(@files);
-Index: openssl-1.1.1e/util/libcrypto.num
+Index: openssl-1.1.1j/util/libcrypto.num
 ===================================================================
--- openssl-1.1.1e.orig/util/libcrypto.num	2020-03-20 14:37:08.088876857 +0100
+--- openssl-1.1.1j.orig/util/libcrypto.num
-+++ openssl-1.1.1e/util/libcrypto.num	2020-03-20 16:11:58.798782289 +0100
+++ openssl-1.1.1j/util/libcrypto.num
-@@ -4622,3 +4622,11 @@ FIPS_drbg_get_strength
+@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength
 FIPS_rand_strength                      6380	1_1_0g	EXIST::FUNCTION:
 FIPS_drbg_get_blocklength               6381	1_1_0g	EXIST::FUNCTION:
 FIPS_drbg_init                          6382	1_1_0g	EXIST::FUNCTION:
@ -5237,10 +5237,10 @@ Index: openssl-1.1.1e/util/libcrypto.num
 +EVP_KDF_ctrl_str                        6595	1_1_1b	EXIST::FUNCTION:
 +EVP_KDF_size                            6596	1_1_1b	EXIST::FUNCTION:
 +EVP_KDF_derive                          6597	1_1_1b	EXIST::FUNCTION:
-Index: openssl-1.1.1e/util/private.num
+Index: openssl-1.1.1j/util/private.num
 ===================================================================
--- openssl-1.1.1e.orig/util/private.num	2020-03-20 14:37:07.856875635 +0100
+--- openssl-1.1.1j.orig/util/private.num
-+++ openssl-1.1.1e/util/private.num	2020-03-20 14:37:08.212877511 +0100
+++ openssl-1.1.1j/util/private.num
@@ -22,6 +22,7 @@ CRYPTO_EX_dup
 CRYPTO_EX_free                          datatype
 CRYPTO_EX_new                           datatype
@ -5249,10 +5249,10 @@ Index: openssl-1.1.1e/util/private.num
 EVP_PKEY_gen_cb                         datatype
 EVP_PKEY_METHOD                         datatype
 EVP_PKEY_ASN1_METHOD                    datatype
-Index: openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c
+Index: openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/evp/e_chacha20_poly1305.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/evp/e_chacha20_poly1305.c
-+++ openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c	2020-03-20 16:12:44.271019899 +0100
+++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c
@@ -14,8 +14,8 @@
 # include <openssl/evp.h>
@ -5263,10 +5263,10 @@ Index: openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c
 # include "crypto/chacha.h"
 typedef struct {
-Index: openssl-1.1.1e/crypto/evp/encode.c
+Index: openssl-1.1.1j/crypto/evp/encode.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/evp/encode.c	2020-03-17 15:31:17.000000000 +0100
+--- openssl-1.1.1j.orig/crypto/evp/encode.c
-+++ openssl-1.1.1e/crypto/evp/encode.c	2020-03-20 16:15:09.491778701 +0100
+++ openssl-1.1.1j/crypto/evp/encode.c
@@ -11,8 +11,8 @@
 #include <limits.h>
 #include "internal/cryptlib.h"
--- a/openssl-1.1.1-fips-post-rand.patch
+++ b/openssl-1.1.1-fips-post-rand.patch
@ -1,7 +1,7 @@
-Index: openssl-1.1.1e/crypto/fips/fips.c
+Index: openssl-1.1.1i/crypto/fips/fips.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/fips/fips.c	2020-03-20 14:08:12.235758574 +0100
+--- openssl-1.1.1i.orig/crypto/fips/fips.c	2020-12-08 16:46:23.666760618 +0100
-+++ openssl-1.1.1e/crypto/fips/fips.c	2020-03-20 14:08:13.787766679 +0100
+++ openssl-1.1.1i/crypto/fips/fips.c	2020-12-08 16:46:25.626772700 +0100
@@ -68,6 +68,7 @@
 # include <openssl/fips.h>
@ -52,10 +52,10 @@ Index: openssl-1.1.1e/crypto/fips/fips.c
         ret = 1;
         goto end;
     }
-Index: openssl-1.1.1e/include/crypto/fips_int.h
+Index: openssl-1.1.1i/include/crypto/fips_int.h
 ===================================================================
--- openssl-1.1.1e.orig/include/crypto/fips_int.h	2020-03-20 14:08:12.239758595 +0100
+--- openssl-1.1.1i.orig/include/crypto/fips_int.h	2020-12-08 16:46:23.666760618 +0100
-+++ openssl-1.1.1e/include/crypto/fips_int.h	2020-03-20 14:08:13.787766679 +0100
+++ openssl-1.1.1i/include/crypto/fips_int.h	2020-12-08 16:46:25.626772700 +0100
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
 int FIPS_selftest_drbg(void);
 int FIPS_selftest_cmac(void);
@ -65,10 +65,10 @@ Index: openssl-1.1.1e/include/crypto/fips_int.h
 int fips_pkey_signature_test(EVP_PKEY *pkey,
                                  const unsigned char *tbs, int tbslen,
                                  const unsigned char *kat,
-Index: openssl-1.1.1e/include/crypto/rand.h
+Index: openssl-1.1.1i/include/crypto/rand.h
 ===================================================================
--- openssl-1.1.1e.orig/include/crypto/rand.h	2020-03-20 14:08:12.239758595 +0100
+--- openssl-1.1.1i.orig/include/crypto/rand.h	2020-12-08 16:46:23.670760642 +0100
-+++ openssl-1.1.1e/include/crypto/rand.h	2020-03-20 14:08:13.791766699 +0100
+++ openssl-1.1.1i/include/crypto/rand.h	2020-12-08 16:46:25.626772700 +0100
@@ -24,6 +24,7 @@
 typedef struct rand_pool_st RAND_POOL;
@ -77,11 +77,11 @@ Index: openssl-1.1.1e/include/crypto/rand.h
 void rand_drbg_cleanup_int(void);
 void drbg_delete_thread_state(void);
-Index: openssl-1.1.1e/crypto/rand/drbg_lib.c
+Index: openssl-1.1.1i/crypto/rand/drbg_lib.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/rand/drbg_lib.c	2020-03-20 14:08:12.239758595 +0100
+--- openssl-1.1.1i.orig/crypto/rand/drbg_lib.c	2020-12-08 16:46:23.670760642 +0100
-+++ openssl-1.1.1e/crypto/rand/drbg_lib.c	2020-03-20 14:08:13.791766699 +0100
+++ openssl-1.1.1i/crypto/rand/drbg_lib.c	2020-12-08 16:46:25.626772700 +0100
-@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
+@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
     return min_entropy > min_entropylen ? min_entropy : min_entropylen;
 }
@ -102,10 +102,10 @@ Index: openssl-1.1.1e/crypto/rand/drbg_lib.c
 /* Implements the default OpenSSL RAND_add() method */
 static int drbg_add(const void *buf, int num, double randomness)
 {
-Index: openssl-1.1.1e/crypto/rand/rand_unix.c
+Index: openssl-1.1.1i/crypto/rand/rand_unix.c
 ===================================================================
--- openssl-1.1.1e.orig/crypto/rand/rand_unix.c	2020-03-20 14:08:12.239758595 +0100
+--- openssl-1.1.1i.orig/crypto/rand/rand_unix.c	2020-12-08 16:46:23.670760642 +0100
-+++ openssl-1.1.1e/crypto/rand/rand_unix.c	2020-03-20 14:08:41.763912735 +0100
+++ openssl-1.1.1i/crypto/rand/rand_unix.c	2020-12-08 16:47:33.695192297 +0100
@@ -17,10 +17,12 @@
 #include <openssl/crypto.h>
 #include "rand_local.h"
@ -119,7 +119,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
 # ifdef DEVRANDOM_WAIT
 #  include <sys/shm.h>
 #  include <sys/utsname.h>
-@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
+@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
  * syscall_random(): Try to get random data using a system call
  * returns the number of bytes returned in buf, or < 0 on error.
  */
@ -128,15 +128,15 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
 {
     /*
      * Note: 'buflen' equals the size of the buffer which is used by the
-@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
+@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
-      * - Linux since 3.17 with glibc 2.25
+      * Note: Sometimes getentropy() can be provided but not implemented
-      * - FreeBSD since 12.0 (1200061)
+      * internally. So we need to check errno for ENOSYS
      */
 +#  if 0
 #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
     extern int getentropy(void *buffer, size_t length) __attribute__((weak));
-@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
+@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
     if (p_getentropy.p != NULL)
         return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
 #  endif
@ -150,7 +150,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
 #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
     return sysctl_random(buf, buflen);
 #  else
-@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
     size_t entropy_available;
 #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
@ -160,7 +160,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
     {
         size_t bytes_needed;
         unsigned char *buffer;
-@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
         bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
         while (bytes_needed != 0 && attempts-- > 0) {
             buffer = rand_pool_add_begin(pool, bytes_needed);
@ -169,7 +169,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
             if (bytes > 0) {
                 rand_pool_add_end(pool, bytes, 8 * bytes);
                 bytes_needed -= bytes;
-@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
             int attempts = 3;
             const int fd = get_random_device(i);
@ -181,7 +181,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
             while (bytes_needed != 0 && attempts-- > 0) {
                 buffer = rand_pool_add_begin(pool, bytes_needed);
-@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
             return entropy_available;
     }
 #   endif
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
--- a/openssl-1.1.1h.tar.gz
+++ b/openssl-1.1.1h.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9
 size 9810045
--- a/openssl-1.1.1h.tar.gz.asc
+++ b/openssl-1.1.1h.tar.gz.asc
@ -1,11 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl9p9DIACgkQ2cTSbQ5g
 RJFkgAf/cEJVx8pptVMXRtbh9aBl73I12y+xURVt0WJ7Z6Uwotisq9otypUQH1kb
 H7IULXo7SnCjpouJQzAKCh8muv7jz7yquL19q0s4uh46Qdz57tIdfJap/F/eGwR8
 wPnciGtl9P+8uSsPTro9VlEjQRCTvGKXna35V3CilXx2zpP3X9izcUed8Irfcp0o
 eWi9W0NhG4HJZOA7RNbfp8fGLCpfp364z1fcXeQFaZFdtiqdl5qKQ0/rt52ji+fs
 M71jFvhPU3jyb921cFWO6CQN9O9+MUu02AWCYIm2VPkcqrhOQ5JoCyPsnv3ClE1v
 X0TYTMIwnqNZ9UZsgsnIzAg2VxZDDw==
 =kMzM
 -----END PGP SIGNATURE-----
--- a/openssl-1.1.1j.tar.gz
+++ b/openssl-1.1.1j.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf
 size 9823161
--- a/openssl-1.1.1j.tar.gz.asc
+++ b/openssl-1.1.1j.tar.gz.asc
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAr45gACgkQ2cTSbQ5g
 RJE55AgAuAYlKdgDPQHfh7gyLmFl+fnO91iF8oaN/W4vFaAO2i3a/rwQayOOGWjh
 UR4lUayR8ZLg+9p+69OGxogRd9mPp9YnZYSyLt/TO6BQcU9++CUIVYLgntUDiMzg
 +doHvzWx7d9O070KBGb6+AwdUR2xZ29w+hcnq7DJ1xcLlbSj4iXzM1KapCEVlI08
 gHw9UpIy3LASfx9CgiPK1FdKcelpRp4VvUDU4i2QgKzVtQrOLXv7InDBqIiLpwi5
 PP0fAFnxQR1l7PgIF0T+dEyrz5xt60+6JpRaU8WIGqfrN+U4CuxKBvHW2ce7MgWz
 oOIJ/1B7o5spKou6eKqm3gMP53J4hw==
 =vzFe
 -----END PGP SIGNATURE-----
--- a/openssl-1_1-disable-test_srp-sslapi.patch
+++ b/openssl-1_1-disable-test_srp-sslapi.patch
@ -0,0 +1,13 @@
 Index: openssl-1.1.1i/test/sslapitest.c
 ===================================================================
 --- openssl-1.1.1i.orig/test/sslapitest.c
 +++ openssl-1.1.1i/test/sslapitest.c
@@ -6766,7 +6766,7 @@ int setup_tests(void)
 #endif
     ADD_ALL_TESTS(test_ssl_clear, 2);
     ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
 -#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
 +#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) && 0
     ADD_ALL_TESTS(test_srp, 6);
 #endif
     ADD_ALL_TESTS(test_info_callback, 6);
--- a/openssl-1_1-seclevel.patch
+++ b/openssl-1_1-seclevel.patch
@ -0,0 +1,160 @@
 diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
 --- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel	2020-04-21 14:22:39.000000000 +0200
 +++ openssl-1.1.1g/crypto/x509/x509_vfy.c	2020-06-05 17:16:54.835536823 +0200
@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
 }
 static const int minbits_table[] = { 80, 112, 128, 192, 256 };
 +static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
 static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
 /*
@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
     if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
         return 0;
 -
 -    return secbits >= minbits_table[level - 1];
 +    /*
 +     * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
 +     * disable SHA1 flag is not set.
 +     */
 +    if ((ctx->param->flags & 0x40000000) || FIPS_mode())
 +        return secbits >= minbits_table[level - 1];
 +    return secbits >= minbits_digest_table[level - 1];
 }
 diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
 --- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2020-04-21 14:22:39.000000000 +0200
 +++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod	2020-06-04 15:48:01.608178833 +0200
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
 =item B<Level 2>
 -Security level set to 112 bits of security. As a result RSA, DSA and DH keys
 -shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
 +Security level set to 112 bits of security with the exception of SHA1 allowed
 +for signatures.
 +As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
 +shorter than 224 bits are prohibited.
 In addition to the level 1 exclusions any cipher suite using RC4 is also
 prohibited. SSL version 3 is also not allowed. Compression is disabled.
 diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
 --- openssl-1.1.1g/ssl/ssl_cert.c.seclevel	2020-04-21 14:22:39.000000000 +0200
 +++ openssl-1.1.1g/ssl/ssl_cert.c	2020-06-05 17:10:11.842198401 +0200
@@ -27,6 +27,7 @@
 static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
                                          int op, int bits, int nid, void *other,
                                          void *ex);
 +static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
 static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
 static volatile int ssl_x509_store_ctx_idx = -1;
@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
     X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
     /* Set suite B flags if needed */
 -    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
 +    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
     if (!X509_STORE_CTX_set_ex_data
         (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
         goto end;
@@ -953,12 +954,33 @@ static int ssl_security_default_callback
             return 0;
         break;
     default:
 +        /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
 +        if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
 +            break;
         if (bits < minbits)
             return 0;
     }
     return 1;
 }
 +static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
 +{
 +    unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
 +    const CERT *c;
 +
 +    if (FIPS_mode())
 +        return ret;
 +
 +    if (ctx != NULL) {
 +       c = ctx->cert;
 +    } else {
 +       c = s->cert;
 +    }
 +    if (tls1_cert_sigalgs_have_sha1(c))
 +        return 0;
 +    return ret;
 +}
 +
 int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
 {
     return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
 diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
 --- openssl-1.1.1g/ssl/ssl_local.h.seclevel	2020-06-04 15:48:01.602178783 +0200
 +++ openssl-1.1.1g/ssl/ssl_local.h	2020-06-05 17:02:22.666313410 +0200
@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
 __owur int tls1_process_sigalgs(SSL *s);
 __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
 __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
 +int tls1_cert_sigalgs_have_sha1(const CERT *c);
 __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
 #  ifndef OPENSSL_NO_EC
 __owur int tls_check_sigalg_curve(const SSL *s, int curve);
 diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
 --- openssl-1.1.1g/ssl/t1_lib.c.seclevel	2020-06-04 15:48:01.654179221 +0200
 +++ openssl-1.1.1g/ssl/t1_lib.c	2020-06-05 17:02:40.268459157 +0200
@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
     return 0;
 }
 +static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
 +{
 +    size_t i;
 +
 +    for (i = 0; i < sigalgslen; i++, sigalgs++) {
 +        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
 +
 +        if (lu == NULL)
 +            continue;
 +        if (lu->hash == NID_sha1)
 +            return 1;
 +    }
 +    return 0;
 +}
 +
 +
 +int tls1_cert_sigalgs_have_sha1(const CERT *c)
 +{
 +    if (c->client_sigalgs != NULL) {
 +        if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
 +            return 1;
 +    }
 +    if (c->conf_sigalgs != NULL) {
 +        if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
 +            return 1;
 +        return 0;
 +    }
 +    return 1;
 +}
 +
 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
 {
     int sig_nid, use_pc_sigalgs = 0;
 diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
 --- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel	2020-04-21 14:22:39.000000000 +0200
 +++ openssl-1.1.1g/test/recipes/25-test_verify.t	2020-06-04 15:48:01.608178833 +0200
@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
     "CA with PSS signature using SHA256");
 -ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
 -    "Reject PSS signature using SHA1 and auth level 2");
 +ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
 +    "Reject PSS signature using SHA1 and auth level 3");
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
     "PSS signature using SHA256 and auth level 2");
--- a/openssl-1_1-use-seclevel2-in-tests.patch
+++ b/openssl-1_1-use-seclevel2-in-tests.patch
@ -0,0 +1,38 @@
 Index: openssl-1.1.1d/test/ssl_test.c
 ===================================================================
 --- openssl-1.1.1d.orig/test/ssl_test.c
 +++ openssl-1.1.1d/test/ssl_test.c
@@ -435,6 +440,7 @@ static int test_handshake(int idx)
 #endif
     if (test_ctx->method == SSL_TEST_METHOD_TLS) {
         server_ctx = SSL_CTX_new(TLS_server_method());
 +        SSL_CTX_set_security_level(server_ctx, 1);
         if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx,
                                                      TLS_MAX_VERSION)))
             goto err;
@@ -443,21 +449,25 @@ static int test_handshake(int idx)
             SSL_TEST_SERVERNAME_CB_NONE) {
             if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
                 goto err;
 +            SSL_CTX_set_security_level(server2_ctx, 1);
             if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
                                                          TLS_MAX_VERSION)))
                 goto err;
         }
         client_ctx = SSL_CTX_new(TLS_client_method());
 +        SSL_CTX_set_security_level(client_ctx, 1);
         if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx,
                                                      TLS_MAX_VERSION)))
             goto err;
         if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
             resume_server_ctx = SSL_CTX_new(TLS_server_method());
 +            SSL_CTX_set_security_level(resume_server_ctx, 1);
             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
                                                      TLS_MAX_VERSION)))
                 goto err;
             resume_client_ctx = SSL_CTX_new(TLS_client_method());
 +            SSL_CTX_set_security_level(resume_client_ctx, 1);
             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
                                                          TLS_MAX_VERSION)))
                 goto err;
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,82 @@
 -------------------------------------------------------------------
 Fri Feb 19 08:01:01 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
 - Update to 1.1.1j
  * Fixed the X509_issuer_and_serial_hash() function. It attempts
    to create a unique hash value based on the issuer and serial
    number data contained within an X509 certificate. However it
    was failing to correctly handle any errors that may occur
    while parsing the issuer field [bsc#1182331, CVE-2021-23841]
  * Fixed the RSA_padding_check_SSLv23() function and the
    RSA_SSLV23_PADDING padding mode to correctly check for
    rollback attacks.
  * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and
    EVP_DecryptUpdate functions. Previously they could overflow the
    output length argument in some cases where the input length is
    close to the maximum permissable length for an integer on the
    platform. In such cases the return value from the function call
    would be 1 (indicating success), but the output length value
    would be negative. This could cause applications to behave
    incorrectly or crash. [bsc#1182333, CVE-2021-23840]
  * Fixed SRP_Calc_client_key so that it runs in constant time.
    The previous implementation called BN_mod_exp without setting
    BN_FLG_CONSTTIME. This could be exploited in a side channel
    attack to recover the password. Since the attack is local host
    only this is outside of the current OpenSSL threat model and
    therefore no CVE is assigned.
 - Rebase patches:
  * openssl-1.1.1-fips.patch
  * openssl-1.1.0-issuer-hash.patch
  * openssl-1.1.1-evp-kdf.patch
 -------------------------------------------------------------------
 Sat Feb  6 14:44:12 UTC 2021 - Jason Sikes <jsikes@suse.com>
 - Removed patch because it was causing problems with other servers.
  * openssl-zero-pad-DHE-public-key.patch
  * bsc#1181796
 -------------------------------------------------------------------
 Thu Feb  4 18:23:17 UTC 2021 - Jason Sikes <jsikes@suse.com>
 - Zero pad the DHE public key in ClientKeyExchange for interoperability with
  Windows Server 2019.
  * openssl-zero-pad-DHE-public-key.patch
  * bsc#1181796
  * sourced from https://github.com/openssl/openssl/pull/12331/files
 -------------------------------------------------------------------
 Fri Jan 22 09:05:41 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
 - Add version guards for the crypto-policies
 -------------------------------------------------------------------
 Wed Jan 20 15:59:01 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
 - Disable test_srp subsection from 90-test_sslapi.t test
 - Use SECLEVEL 2 in 80-test_ssl_new.t
 - Add patches:
  * openssl-1_1-use-seclevel2-in-tests.patch
  * openssl-1_1-disable-test_srp-sslapi.patch
 -------------------------------------------------------------------
 Fri Jan  8 17:49:33 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
 - Allow SHA1 in SECLEVEL 2 in non-FIPS mode
 - Add openssl-1_1-seclevel.patch
 -------------------------------------------------------------------
 Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal <pmonreal@suse.com> 
 - Require the crypto-policies package [bsc#1180051]
 -------------------------------------------------------------------
 Tue Dec  8 15:43:32 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
 - Update to 1.1.1i (bsc#1179491)
  * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
 - Refresh openssl-1.1.1-fips-post-rand.patch
 -------------------------------------------------------------------
 Thu Nov 19 10:54:53 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssl-1_1
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:           openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:        1.1.1h
+Version:        1.1.1j
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL
@ -87,7 +87,14 @@ Patch47:        openssl-unknown_dgst.patch
 Patch50:        openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
 Patch51:        openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
 Patch52:        openssl-1.1.1-system-cipherlist.patch
 # PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration
 Patch53:        openssl-1_1-seclevel.patch
 Patch54:        openssl-1_1-use-seclevel2-in-tests.patch
 Patch55:        openssl-1_1-disable-test_srp-sslapi.patch
 BuildRequires:  pkgconfig
 %if 0%{?suse_version} && ! 0%{?sle_version}
 Requires:       crypto-policies
 %endif
 Conflicts:      ssl
 Provides:       ssl
 Provides:       openssl(cli)
@ -211,8 +218,10 @@ make all %{?_smp_mflags}
 %check
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 #export HARNESS_VERBOSE=1
 LD_LIBRARY_PATH=`pwd` make test -j1
-# show cyphers
+
 # show ciphers
 gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
@ -234,21 +243,21 @@ pushd %{buildroot}/%{_mandir}
 #for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
 which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
 for i in man?/*; do
-	if test -L $i ; then
+    if test -L $i ; then
-	    LDEST=`readlink $i`
+        LDEST=`readlink $i`
-	    rm -f $i ${i}ssl
+        rm -f $i ${i}ssl
-	    ln -sf ${LDEST}ssl ${i}ssl
+        ln -sf ${LDEST}ssl ${i}ssl
-	else
+    else
-	    mv $i ${i}ssl
+        mv $i ${i}ssl
        fi
-	case "$i" in
+    case "$i" in
-	    *.1)
+        *.1)
-		# these are the pages mentioned in openssl(1). They go into the main package.
+        # these are the pages mentioned in openssl(1). They go into the main package.
-		echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
+        echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
-	    *)
+        *)
-		# the rest goes into the openssl-doc package.
+        # the rest goes into the openssl-doc package.
-		echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
+        echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
-	esac
+    esac
 done
 popd