Accepting request 874306 from security:tls

OBS-URL: https://build.opensuse.org/request/show/874306
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=21

openssl-1.1.0-issuer-hash.patch

@@ -1,12 +1,12 @@
-Index: openssl-1.1.1d/crypto/x509/x509_cmp.c
+Index: openssl-1.1.1j/crypto/x509/x509_cmp.c
 ===================================================================
---- openssl-1.1.1d.orig/crypto/x509/x509_cmp.c	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/crypto/x509/x509_cmp.c	2020-01-23 13:45:11.404634047 +0100
+--- openssl-1.1.1j.orig/crypto/x509/x509_cmp.c
++++ openssl-1.1.1j/crypto/x509/x509_cmp.c
 @@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has
  
      if (ctx == NULL)
          goto err;
 +    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
      f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
-     if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
+     if (f == NULL)
          goto err;

openssl-1.1.1-evp-kdf.patch

@@ -1,8 +1,8 @@
-Index: openssl-1.1.1e/crypto/err/openssl.txt
+Index: openssl-1.1.1j/crypto/err/openssl.txt
 ===================================================================
---- openssl-1.1.1e.orig/crypto/err/openssl.txt	2020-03-20 14:37:07.940876078 +0100
-+++ openssl-1.1.1e/crypto/err/openssl.txt	2020-03-20 16:12:06.574822921 +0100
-@@ -753,6 +753,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
+--- openssl-1.1.1j.orig/crypto/err/openssl.txt
++++ openssl-1.1.1j/crypto/err/openssl.txt
+@@ -754,6 +754,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
  EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
  EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
  EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
@@ -12,7 +12,7 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt
  EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
  EVP_F_EVP_MD_SIZE:162:EVP_MD_size
  EVP_F_EVP_OPENINIT:102:EVP_OpenInit
-@@ -815,12 +818,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
+@@ -816,12 +819,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
  EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
  EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
  EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
@@ -44,7 +44,7 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt
  KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
  KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
  KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
-@@ -832,6 +854,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
+@@ -833,6 +855,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
  KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
  KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
  KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
@@ -52,15 +52,15 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt
  KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
  OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
  OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
-@@ -2284,6 +2307,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
+@@ -2290,6 +2313,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
  EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
  	operation not supported for this keytype
  EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
 +EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
+ EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow
  EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
  EVP_R_PBKDF2_ERROR:181:pbkdf2 error
- EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
-@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed
+@@ -2327,6 +2351,7 @@ KDF_R_MISSING_SEED:106:missing seed
  KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
  KDF_R_VALUE_ERROR:108:value error
  KDF_R_VALUE_MISSING:102:value missing
@@ -68,10 +68,10 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt
  OBJ_R_OID_EXISTS:102:oid exists
  OBJ_R_UNKNOWN_NID:101:unknown nid
  OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
-Index: openssl-1.1.1e/crypto/evp/build.info
+Index: openssl-1.1.1j/crypto/evp/build.info
 ===================================================================
---- openssl-1.1.1e.orig/crypto/evp/build.info	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/evp/build.info	2020-03-20 14:37:08.204877468 +0100
+--- openssl-1.1.1j.orig/crypto/evp/build.info
++++ openssl-1.1.1j/crypto/evp/build.info
 @@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
          p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
          bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
@@ -82,10 +82,10 @@ Index: openssl-1.1.1e/crypto/evp/build.info
          e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
          e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
          e_chacha20_poly1305.c cmeth_lib.c
-Index: openssl-1.1.1e/crypto/evp/evp_err.c
+Index: openssl-1.1.1j/crypto/evp/evp_err.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/evp/evp_err.c	2020-03-20 14:37:08.036876583 +0100
-+++ openssl-1.1.1e/crypto/evp/evp_err.c	2020-03-20 14:37:08.204877468 +0100
+--- openssl-1.1.1j.orig/crypto/evp/evp_err.c
++++ openssl-1.1.1j/crypto/evp/evp_err.c
 @@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun
      {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
       "EVP_EncryptFinal_ex"},
@@ -117,13 +117,13 @@ Index: openssl-1.1.1e/crypto/evp/evp_err.c
      "operaton not initialized"},
 +    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
 +    "parameter too large"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
+     "output would overflow"},
      {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
-     "partially overlapping buffers"},
-     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
-Index: openssl-1.1.1e/crypto/evp/evp_local.h
+Index: openssl-1.1.1j/crypto/evp/evp_local.h
 ===================================================================
---- openssl-1.1.1e.orig/crypto/evp/evp_local.h	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/evp/evp_local.h	2020-03-20 16:12:26.722928201 +0100
+--- openssl-1.1.1j.orig/crypto/evp/evp_local.h
++++ openssl-1.1.1j/crypto/evp/evp_local.h
 @@ -41,6 +41,11 @@ struct evp_cipher_ctx_st {
      unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
  } /* EVP_CIPHER_CTX */ ;
@@ -136,10 +136,10 @@ Index: openssl-1.1.1e/crypto/evp/evp_local.h
  int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
                               int passlen, ASN1_TYPE *param,
                               const EVP_CIPHER *c, const EVP_MD *md,
-Index: openssl-1.1.1e/crypto/evp/evp_pbe.c
+Index: openssl-1.1.1j/crypto/evp/evp_pbe.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/evp/evp_pbe.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/evp/evp_pbe.c	2020-03-20 14:37:08.204877468 +0100
+--- openssl-1.1.1j.orig/crypto/evp/evp_pbe.c
++++ openssl-1.1.1j/crypto/evp/evp_pbe.c
 @@ -12,6 +12,7 @@
  #include <openssl/evp.h>
  #include <openssl/pkcs12.h>
@@ -148,10 +148,10 @@ Index: openssl-1.1.1e/crypto/evp/evp_pbe.c
  #include "evp_local.h"
  
  /* Password based encryption (PBE) functions */
-Index: openssl-1.1.1e/crypto/evp/kdf_lib.c
+Index: openssl-1.1.1j/crypto/evp/kdf_lib.c
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/crypto/evp/kdf_lib.c	2020-03-20 16:12:06.574822921 +0100
+--- /dev/null
++++ openssl-1.1.1j/crypto/evp/kdf_lib.c
 @@ -0,0 +1,165 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -318,10 +318,10 @@ Index: openssl-1.1.1e/crypto/evp/kdf_lib.c
 +    return ctx->kmeth->derive(ctx->impl, key, keylen);
 +}
 +
-Index: openssl-1.1.1e/crypto/evp/p5_crpt2.c
+Index: openssl-1.1.1j/crypto/evp/p5_crpt2.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/evp/p5_crpt2.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/evp/p5_crpt2.c	2020-03-20 14:37:08.208877488 +0100
+--- openssl-1.1.1j.orig/crypto/evp/p5_crpt2.c
++++ openssl-1.1.1j/crypto/evp/p5_crpt2.c
 @@ -1,5 +1,5 @@
  /*
 - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
@@ -470,10 +470,10 @@ Index: openssl-1.1.1e/crypto/evp/p5_crpt2.c
  }
  
  int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
-Index: openssl-1.1.1e/crypto/evp/pbe_scrypt.c
+Index: openssl-1.1.1j/crypto/evp/pbe_scrypt.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/evp/pbe_scrypt.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/evp/pbe_scrypt.c	2020-03-20 14:37:08.208877488 +0100
+--- openssl-1.1.1j.orig/crypto/evp/pbe_scrypt.c
++++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c
 @@ -7,135 +7,12 @@
   * https://www.openssl.org/source/license.html
   */
@@ -744,10 +744,10 @@ Index: openssl-1.1.1e/crypto/evp/pbe_scrypt.c
  }
 +
  #endif
-Index: openssl-1.1.1e/crypto/evp/pkey_kdf.c
+Index: openssl-1.1.1j/crypto/evp/pkey_kdf.c
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/crypto/evp/pkey_kdf.c	2020-03-20 16:11:56.326769377 +0100
+--- /dev/null
++++ openssl-1.1.1j/crypto/evp/pkey_kdf.c
 @@ -0,0 +1,255 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -1004,10 +1004,10 @@ Index: openssl-1.1.1e/crypto/evp/pkey_kdf.c
 +    pkey_kdf_ctrl_str
 +};
 +
-Index: openssl-1.1.1e/include/crypto/evp.h
+Index: openssl-1.1.1j/include/crypto/evp.h
 ===================================================================
---- openssl-1.1.1e.orig/include/crypto/evp.h	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/include/crypto/evp.h	2020-03-20 16:12:06.574822921 +0100
+--- openssl-1.1.1j.orig/include/crypto/evp.h
++++ openssl-1.1.1j/include/crypto/evp.h
 @@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
  extern const EVP_PKEY_METHOD poly1305_pkey_meth;
  extern const EVP_PKEY_METHOD siphash_pkey_meth;
@@ -1033,19 +1033,19 @@ Index: openssl-1.1.1e/include/crypto/evp.h
  struct evp_md_st {
      int type;
      int pkey_type;
-Index: openssl-1.1.1e/crypto/kdf/build.info
+Index: openssl-1.1.1j/crypto/kdf/build.info
 ===================================================================
---- openssl-1.1.1e.orig/crypto/kdf/build.info	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/kdf/build.info	2020-03-20 16:12:06.574822921 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/build.info
++++ openssl-1.1.1j/crypto/kdf/build.info
 @@ -1,3 +1,3 @@
  LIBS=../../libcrypto
  SOURCE[../../libcrypto]=\
 -        tls1_prf.c kdf_err.c hkdf.c scrypt.c
 +        tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
-Index: openssl-1.1.1e/crypto/kdf/hkdf.c
+Index: openssl-1.1.1j/crypto/kdf/hkdf.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/kdf/hkdf.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/kdf/hkdf.c	2020-03-20 14:37:08.208877488 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/hkdf.c
++++ openssl-1.1.1j/crypto/kdf/hkdf.c
 @@ -8,32 +8,33 @@
   */
  
@@ -1512,10 +1512,10 @@ Index: openssl-1.1.1e/crypto/kdf/hkdf.c
  
   err:
      OPENSSL_cleanse(prev, sizeof(prev));
-Index: openssl-1.1.1e/crypto/kdf/kdf_err.c
+Index: openssl-1.1.1j/crypto/kdf/kdf_err.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/kdf/kdf_err.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/kdf/kdf_err.c	2020-03-20 16:12:06.574822921 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/kdf_err.c
++++ openssl-1.1.1j/crypto/kdf/kdf_err.c
 @@ -1,6 +1,6 @@
  /*
   * Generated by util/mkerr.pl DO NOT EDIT
@@ -1571,10 +1571,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_err.c
      {0, NULL}
  };
  
-Index: openssl-1.1.1e/crypto/kdf/kdf_local.h
+Index: openssl-1.1.1j/crypto/kdf/kdf_local.h
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/crypto/kdf/kdf_local.h	2020-03-20 14:37:08.208877488 +0100
+--- /dev/null
++++ openssl-1.1.1j/crypto/kdf/kdf_local.h
 @@ -0,0 +1,22 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -1598,10 +1598,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_local.h
 +                int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
 +                int cmd, const char *md_name);
 +
-Index: openssl-1.1.1e/crypto/kdf/kdf_util.c
+Index: openssl-1.1.1j/crypto/kdf/kdf_util.c
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/crypto/kdf/kdf_util.c	2020-03-20 14:37:08.208877488 +0100
+--- /dev/null
++++ openssl-1.1.1j/crypto/kdf/kdf_util.c
 @@ -0,0 +1,73 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -1676,10 +1676,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_util.c
 +    return call_ctrl(ctrl, impl, cmd, md);
 +}
 +
-Index: openssl-1.1.1e/crypto/kdf/pbkdf2.c
+Index: openssl-1.1.1j/crypto/kdf/pbkdf2.c
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/crypto/kdf/pbkdf2.c	2020-03-20 14:37:08.208877488 +0100
+--- /dev/null
++++ openssl-1.1.1j/crypto/kdf/pbkdf2.c
 @@ -0,0 +1,264 @@
 +/*
 + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -1945,10 +1945,10 @@ Index: openssl-1.1.1e/crypto/kdf/pbkdf2.c
 +    HMAC_CTX_free(hctx_tpl);
 +    return ret;
 +}
-Index: openssl-1.1.1e/crypto/kdf/scrypt.c
+Index: openssl-1.1.1j/crypto/kdf/scrypt.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/kdf/scrypt.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/kdf/scrypt.c	2020-03-20 14:37:08.208877488 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/scrypt.c
++++ openssl-1.1.1j/crypto/kdf/scrypt.c
 @@ -8,25 +8,34 @@
   */
  
@@ -2537,10 +2537,10 @@ Index: openssl-1.1.1e/crypto/kdf/scrypt.c
 +}
  
  #endif
-Index: openssl-1.1.1e/crypto/kdf/tls1_prf.c
+Index: openssl-1.1.1j/crypto/kdf/tls1_prf.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/kdf/tls1_prf.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/kdf/tls1_prf.c	2020-03-20 14:37:08.208877488 +0100
+--- openssl-1.1.1j.orig/crypto/kdf/tls1_prf.c
++++ openssl-1.1.1j/crypto/kdf/tls1_prf.c
 @@ -8,11 +8,15 @@
   */
  
@@ -2824,10 +2824,10 @@ Index: openssl-1.1.1e/crypto/kdf/tls1_prf.c
              OPENSSL_clear_free(tmp, olen);
              return 0;
          }
-Index: openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod
+Index: openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod	2020-03-20 14:37:08.208877488 +0100
+--- /dev/null
++++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod
 @@ -0,0 +1,217 @@
 +=pod
 +
@@ -3046,10 +3046,10 @@ Index: openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod
+Index: openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod	2020-03-20 14:37:08.208877488 +0100
+--- /dev/null
++++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod
 @@ -0,0 +1,180 @@
 +=pod
 +
@@ -3231,10 +3231,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod
+Index: openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod	2020-03-20 14:37:08.208877488 +0100
+--- /dev/null
++++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod
 @@ -0,0 +1,78 @@
 +=pod
 +
@@ -3314,10 +3314,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod
+Index: openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod	2020-03-20 14:37:08.208877488 +0100
+--- /dev/null
++++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod
 @@ -0,0 +1,149 @@
 +=pod
 +
@@ -3468,10 +3468,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod
+Index: openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod	2020-03-20 14:37:08.208877488 +0100
+--- /dev/null
++++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod
 @@ -0,0 +1,142 @@
 +=pod
 +
@@ -3615,11 +3615,11 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
-Index: openssl-1.1.1e/include/openssl/evperr.h
+Index: openssl-1.1.1j/include/openssl/evperr.h
 ===================================================================
---- openssl-1.1.1e.orig/include/openssl/evperr.h	2020-03-20 14:37:08.084876835 +0100
-+++ openssl-1.1.1e/include/openssl/evperr.h	2020-03-20 14:37:08.208877488 +0100
-@@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void);
+--- openssl-1.1.1j.orig/include/openssl/evperr.h
++++ openssl-1.1.1j/include/openssl/evperr.h
+@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void);
  # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE                   219
  # define EVP_F_EVP_ENCRYPTFINAL_EX                        127
  # define EVP_F_EVP_ENCRYPTUPDATE                          167
@@ -3629,7 +3629,7 @@ Index: openssl-1.1.1e/include/openssl/evperr.h
  # define EVP_F_EVP_MD_CTX_COPY_EX                         110
  # define EVP_F_EVP_MD_SIZE                                162
  # define EVP_F_EVP_OPENINIT                               102
-@@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void);
+@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void);
  # define EVP_F_PKCS5_V2_PBE_KEYIVGEN                      118
  # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN                   164
  # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN                   180
@@ -3643,18 +3643,18 @@ Index: openssl-1.1.1e/include/openssl/evperr.h
  # define EVP_F_UPDATE                                     173
  
  /*
-@@ -181,6 +186,7 @@ int ERR_load_EVP_strings(void);
+@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void);
  # define EVP_R_ONLY_ONESHOT_SUPPORTED                     177
  # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   150
  # define EVP_R_OPERATON_NOT_INITIALIZED                   151
 +# define EVP_R_PARAMETER_TOO_LARGE                        187
+ # define EVP_R_OUTPUT_WOULD_OVERFLOW                      184
  # define EVP_R_PARTIALLY_OVERLAPPING                      162
  # define EVP_R_PBKDF2_ERROR                               181
- # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
-Index: openssl-1.1.1e/include/openssl/kdferr.h
+Index: openssl-1.1.1j/include/openssl/kdferr.h
 ===================================================================
---- openssl-1.1.1e.orig/include/openssl/kdferr.h	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/include/openssl/kdferr.h	2020-03-20 16:12:06.574822921 +0100
+--- openssl-1.1.1j.orig/include/openssl/kdferr.h
++++ openssl-1.1.1j/include/openssl/kdferr.h
 @@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
  /*
   * KDF function codes.
@@ -3694,10 +3694,10 @@ Index: openssl-1.1.1e/include/openssl/kdferr.h
 +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE                   112
  
  #endif
-Index: openssl-1.1.1e/include/openssl/kdf.h
+Index: openssl-1.1.1j/include/openssl/kdf.h
 ===================================================================
---- openssl-1.1.1e.orig/include/openssl/kdf.h	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/include/openssl/kdf.h	2020-03-20 16:12:06.574822921 +0100
+--- openssl-1.1.1j.orig/include/openssl/kdf.h
++++ openssl-1.1.1j/include/openssl/kdf.h
 @@ -10,10 +10,50 @@
  #ifndef HEADER_KDF_H
  # define HEADER_KDF_H
@@ -3776,10 +3776,10 @@ Index: openssl-1.1.1e/include/openssl/kdf.h
  }
  # endif
  #endif
-Index: openssl-1.1.1e/include/openssl/ossl_typ.h
+Index: openssl-1.1.1j/include/openssl/ossl_typ.h
 ===================================================================
---- openssl-1.1.1e.orig/include/openssl/ossl_typ.h	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/include/openssl/ossl_typ.h	2020-03-20 14:37:08.212877511 +0100
+--- openssl-1.1.1j.orig/include/openssl/ossl_typ.h
++++ openssl-1.1.1j/include/openssl/ossl_typ.h
 @@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
  typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
  typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
@@ -3789,10 +3789,10 @@ Index: openssl-1.1.1e/include/openssl/ossl_typ.h
  typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
  
  typedef struct hmac_ctx_st HMAC_CTX;
-Index: openssl-1.1.1e/test/build.info
+Index: openssl-1.1.1j/test/build.info
 ===================================================================
---- openssl-1.1.1e.orig/test/build.info	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/test/build.info	2020-03-20 14:37:08.212877511 +0100
+--- openssl-1.1.1j.orig/test/build.info
++++ openssl-1.1.1j/test/build.info
 @@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
            ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
            bio_callback_test bio_memleak_test \
@@ -3814,10 +3814,10 @@ Index: openssl-1.1.1e/test/build.info
    SOURCE[x509_time_test]=x509_time_test.c
    INCLUDE[x509_time_test]=../include
    DEPEND[x509_time_test]=../libcrypto libtestutil.a
-Index: openssl-1.1.1e/test/evp_kdf_test.c
+Index: openssl-1.1.1j/test/evp_kdf_test.c
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/test/evp_kdf_test.c	2020-03-20 14:37:08.212877511 +0100
+--- /dev/null
++++ openssl-1.1.1j/test/evp_kdf_test.c
 @@ -0,0 +1,237 @@
 +/*
 + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
@@ -4056,10 +4056,10 @@ Index: openssl-1.1.1e/test/evp_kdf_test.c
 +#endif
 +    return 1;
 +}
-Index: openssl-1.1.1e/test/evp_test.c
+Index: openssl-1.1.1j/test/evp_test.c
 ===================================================================
---- openssl-1.1.1e.orig/test/evp_test.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/test/evp_test.c	2020-03-20 14:37:08.212877511 +0100
+--- openssl-1.1.1j.orig/test/evp_test.c
++++ openssl-1.1.1j/test/evp_test.c
 @@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
      encode_test_run,
  };
@@ -4271,10 +4271,10 @@ Index: openssl-1.1.1e/test/evp_test.c
      &keypair_test_method,
      &keygen_test_method,
      &mac_test_method,
-Index: openssl-1.1.1e/test/pkey_meth_kdf_test.c
+Index: openssl-1.1.1j/test/pkey_meth_kdf_test.c
 ===================================================================
---- openssl-1.1.1e.orig/test/pkey_meth_kdf_test.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/test/pkey_meth_kdf_test.c	2020-03-20 14:37:08.212877511 +0100
+--- openssl-1.1.1j.orig/test/pkey_meth_kdf_test.c
++++ openssl-1.1.1j/test/pkey_meth_kdf_test.c
 @@ -1,5 +1,5 @@
  /*
 - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -4478,10 +4478,10 @@ Index: openssl-1.1.1e/test/pkey_meth_kdf_test.c
  }
  #endif
  
-Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt
+Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
 ===================================================================
---- openssl-1.1.1e.orig/test/recipes/30-test_evp_data/evpkdf.txt	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt	2020-03-20 16:12:06.574822921 +0100
+--- openssl-1.1.1j.orig/test/recipes/30-test_evp_data/evpkdf.txt
++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
 @@ -1,5 +1,5 @@
  #
 -# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
@@ -4880,10 +4880,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt
 +Ctrl.digest = digest:sha512
 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14
 +
-Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt
+Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt	2020-03-20 14:37:08.212877511 +0100
+--- /dev/null
++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt
 @@ -0,0 +1,305 @@
 +#
 +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -5190,10 +5190,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt
 +Ctrl.p = p:1
 +Result = INTERNAL_ERROR
 +
-Index: openssl-1.1.1e/test/recipes/30-test_evp_kdf.t
+Index: openssl-1.1.1j/test/recipes/30-test_evp_kdf.t
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1e/test/recipes/30-test_evp_kdf.t	2020-03-20 14:37:08.212877511 +0100
+--- /dev/null
++++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t
 @@ -0,0 +1,13 @@
 +#! /usr/bin/env perl
 +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -5208,10 +5208,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_kdf.t
 +use OpenSSL::Test::Simple;
 +
 +simple_test("test_evp_kdf", "evp_kdf_test");
-Index: openssl-1.1.1e/test/recipes/30-test_evp.t
+Index: openssl-1.1.1j/test/recipes/30-test_evp.t
 ===================================================================
---- openssl-1.1.1e.orig/test/recipes/30-test_evp.t	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/test/recipes/30-test_evp.t	2020-03-20 14:37:08.212877511 +0100
+--- openssl-1.1.1j.orig/test/recipes/30-test_evp.t
++++ openssl-1.1.1j/test/recipes/30-test_evp.t
 @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
  setup("test_evp");
  
@@ -5221,11 +5221,11 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp.t
      "evpcase.txt", "evpccmcavs.txt" );
  
  plan tests => scalar(@files);
-Index: openssl-1.1.1e/util/libcrypto.num
+Index: openssl-1.1.1j/util/libcrypto.num
 ===================================================================
---- openssl-1.1.1e.orig/util/libcrypto.num	2020-03-20 14:37:08.088876857 +0100
-+++ openssl-1.1.1e/util/libcrypto.num	2020-03-20 16:11:58.798782289 +0100
-@@ -4622,3 +4622,11 @@ FIPS_drbg_get_strength
+--- openssl-1.1.1j.orig/util/libcrypto.num
++++ openssl-1.1.1j/util/libcrypto.num
+@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength
  FIPS_rand_strength                      6380	1_1_0g	EXIST::FUNCTION:
  FIPS_drbg_get_blocklength               6381	1_1_0g	EXIST::FUNCTION:
  FIPS_drbg_init                          6382	1_1_0g	EXIST::FUNCTION:
@@ -5237,10 +5237,10 @@ Index: openssl-1.1.1e/util/libcrypto.num
 +EVP_KDF_ctrl_str                        6595	1_1_1b	EXIST::FUNCTION:
 +EVP_KDF_size                            6596	1_1_1b	EXIST::FUNCTION:
 +EVP_KDF_derive                          6597	1_1_1b	EXIST::FUNCTION:
-Index: openssl-1.1.1e/util/private.num
+Index: openssl-1.1.1j/util/private.num
 ===================================================================
---- openssl-1.1.1e.orig/util/private.num	2020-03-20 14:37:07.856875635 +0100
-+++ openssl-1.1.1e/util/private.num	2020-03-20 14:37:08.212877511 +0100
+--- openssl-1.1.1j.orig/util/private.num
++++ openssl-1.1.1j/util/private.num
 @@ -22,6 +22,7 @@ CRYPTO_EX_dup
  CRYPTO_EX_free                          datatype
  CRYPTO_EX_new                           datatype
@@ -5249,10 +5249,10 @@ Index: openssl-1.1.1e/util/private.num
  EVP_PKEY_gen_cb                         datatype
  EVP_PKEY_METHOD                         datatype
  EVP_PKEY_ASN1_METHOD                    datatype
-Index: openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c
+Index: openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/evp/e_chacha20_poly1305.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c	2020-03-20 16:12:44.271019899 +0100
+--- openssl-1.1.1j.orig/crypto/evp/e_chacha20_poly1305.c
++++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c
 @@ -14,8 +14,8 @@
  
  # include <openssl/evp.h>
@@ -5263,10 +5263,10 @@ Index: openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c
  # include "crypto/chacha.h"
  
  typedef struct {
-Index: openssl-1.1.1e/crypto/evp/encode.c
+Index: openssl-1.1.1j/crypto/evp/encode.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/evp/encode.c	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/evp/encode.c	2020-03-20 16:15:09.491778701 +0100
+--- openssl-1.1.1j.orig/crypto/evp/encode.c
++++ openssl-1.1.1j/crypto/evp/encode.c
 @@ -11,8 +11,8 @@
  #include <limits.h>
  #include "internal/cryptlib.h"

openssl-1.1.1-fips-post-rand.patch

@@ -1,7 +1,7 @@
-Index: openssl-1.1.1e/crypto/fips/fips.c
+Index: openssl-1.1.1i/crypto/fips/fips.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/fips/fips.c	2020-03-20 14:08:12.235758574 +0100
-+++ openssl-1.1.1e/crypto/fips/fips.c	2020-03-20 14:08:13.787766679 +0100
+--- openssl-1.1.1i.orig/crypto/fips/fips.c	2020-12-08 16:46:23.666760618 +0100
++++ openssl-1.1.1i/crypto/fips/fips.c	2020-12-08 16:46:25.626772700 +0100
 @@ -68,6 +68,7 @@
  
  # include <openssl/fips.h>
@@ -52,10 +52,10 @@ Index: openssl-1.1.1e/crypto/fips/fips.c
          ret = 1;
          goto end;
      }
-Index: openssl-1.1.1e/include/crypto/fips_int.h
+Index: openssl-1.1.1i/include/crypto/fips_int.h
 ===================================================================
---- openssl-1.1.1e.orig/include/crypto/fips_int.h	2020-03-20 14:08:12.239758595 +0100
-+++ openssl-1.1.1e/include/crypto/fips_int.h	2020-03-20 14:08:13.787766679 +0100
+--- openssl-1.1.1i.orig/include/crypto/fips_int.h	2020-12-08 16:46:23.666760618 +0100
++++ openssl-1.1.1i/include/crypto/fips_int.h	2020-12-08 16:46:25.626772700 +0100
 @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
  int FIPS_selftest_drbg(void);
  int FIPS_selftest_cmac(void);
@@ -65,10 +65,10 @@ Index: openssl-1.1.1e/include/crypto/fips_int.h
  int fips_pkey_signature_test(EVP_PKEY *pkey,
                                   const unsigned char *tbs, int tbslen,
                                   const unsigned char *kat,
-Index: openssl-1.1.1e/include/crypto/rand.h
+Index: openssl-1.1.1i/include/crypto/rand.h
 ===================================================================
---- openssl-1.1.1e.orig/include/crypto/rand.h	2020-03-20 14:08:12.239758595 +0100
-+++ openssl-1.1.1e/include/crypto/rand.h	2020-03-20 14:08:13.791766699 +0100
+--- openssl-1.1.1i.orig/include/crypto/rand.h	2020-12-08 16:46:23.670760642 +0100
++++ openssl-1.1.1i/include/crypto/rand.h	2020-12-08 16:46:25.626772700 +0100
 @@ -24,6 +24,7 @@
  typedef struct rand_pool_st RAND_POOL;
  
@@ -77,11 +77,11 @@ Index: openssl-1.1.1e/include/crypto/rand.h
  void rand_drbg_cleanup_int(void);
  void drbg_delete_thread_state(void);
  
-Index: openssl-1.1.1e/crypto/rand/drbg_lib.c
+Index: openssl-1.1.1i/crypto/rand/drbg_lib.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/rand/drbg_lib.c	2020-03-20 14:08:12.239758595 +0100
-+++ openssl-1.1.1e/crypto/rand/drbg_lib.c	2020-03-20 14:08:13.791766699 +0100
-@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
+--- openssl-1.1.1i.orig/crypto/rand/drbg_lib.c	2020-12-08 16:46:23.670760642 +0100
++++ openssl-1.1.1i/crypto/rand/drbg_lib.c	2020-12-08 16:46:25.626772700 +0100
+@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
      return min_entropy > min_entropylen ? min_entropy : min_entropylen;
  }
  
@@ -102,10 +102,10 @@ Index: openssl-1.1.1e/crypto/rand/drbg_lib.c
  /* Implements the default OpenSSL RAND_add() method */
  static int drbg_add(const void *buf, int num, double randomness)
  {
-Index: openssl-1.1.1e/crypto/rand/rand_unix.c
+Index: openssl-1.1.1i/crypto/rand/rand_unix.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/rand/rand_unix.c	2020-03-20 14:08:12.239758595 +0100
-+++ openssl-1.1.1e/crypto/rand/rand_unix.c	2020-03-20 14:08:41.763912735 +0100
+--- openssl-1.1.1i.orig/crypto/rand/rand_unix.c	2020-12-08 16:46:23.670760642 +0100
++++ openssl-1.1.1i/crypto/rand/rand_unix.c	2020-12-08 16:47:33.695192297 +0100
 @@ -17,10 +17,12 @@
  #include <openssl/crypto.h>
  #include "rand_local.h"
@@ -119,7 +119,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
  # ifdef DEVRANDOM_WAIT
  #  include <sys/shm.h>
  #  include <sys/utsname.h>
-@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
+@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
   * syscall_random(): Try to get random data using a system call
   * returns the number of bytes returned in buf, or < 0 on error.
   */
@@ -128,15 +128,15 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
  {
      /*
       * Note: 'buflen' equals the size of the buffer which is used by the
-@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
-      * - Linux since 3.17 with glibc 2.25
-      * - FreeBSD since 12.0 (1200061)
+@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
+      * Note: Sometimes getentropy() can be provided but not implemented
+      * internally. So we need to check errno for ENOSYS
       */
 +#  if 0
  #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
      extern int getentropy(void *buffer, size_t length) __attribute__((weak));
  
-@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
+@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
      if (p_getentropy.p != NULL)
          return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
  #  endif
@@ -150,7 +150,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
  #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
      return sysctl_random(buf, buflen);
  #  else
-@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
      size_t entropy_available;
  
  #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
@@ -160,7 +160,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
      {
          size_t bytes_needed;
          unsigned char *buffer;
-@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
          bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
          while (bytes_needed != 0 && attempts-- > 0) {
              buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -169,7 +169,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
              if (bytes > 0) {
                  rand_pool_add_end(pool, bytes, 8 * bytes);
                  bytes_needed -= bytes;
-@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
              int attempts = 3;
              const int fd = get_random_device(i);
  
@@ -181,7 +181,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
  
              while (bytes_needed != 0 && attempts-- > 0) {
                  buffer = rand_pool_add_begin(pool, bytes_needed);
-@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
              return entropy_available;
      }
  #   endif

openssl-1.1.1h.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9
-size 9810045

openssl-1.1.1h.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl9p9DIACgkQ2cTSbQ5g
-RJFkgAf/cEJVx8pptVMXRtbh9aBl73I12y+xURVt0WJ7Z6Uwotisq9otypUQH1kb
-H7IULXo7SnCjpouJQzAKCh8muv7jz7yquL19q0s4uh46Qdz57tIdfJap/F/eGwR8
-wPnciGtl9P+8uSsPTro9VlEjQRCTvGKXna35V3CilXx2zpP3X9izcUed8Irfcp0o
-eWi9W0NhG4HJZOA7RNbfp8fGLCpfp364z1fcXeQFaZFdtiqdl5qKQ0/rt52ji+fs
-M71jFvhPU3jyb921cFWO6CQN9O9+MUu02AWCYIm2VPkcqrhOQ5JoCyPsnv3ClE1v
-X0TYTMIwnqNZ9UZsgsnIzAg2VxZDDw==
-=kMzM
------END PGP SIGNATURE-----

openssl-1.1.1j.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf
+size 9823161

openssl-1.1.1j.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAr45gACgkQ2cTSbQ5g
+RJE55AgAuAYlKdgDPQHfh7gyLmFl+fnO91iF8oaN/W4vFaAO2i3a/rwQayOOGWjh
+UR4lUayR8ZLg+9p+69OGxogRd9mPp9YnZYSyLt/TO6BQcU9++CUIVYLgntUDiMzg
++doHvzWx7d9O070KBGb6+AwdUR2xZ29w+hcnq7DJ1xcLlbSj4iXzM1KapCEVlI08
+gHw9UpIy3LASfx9CgiPK1FdKcelpRp4VvUDU4i2QgKzVtQrOLXv7InDBqIiLpwi5
+PP0fAFnxQR1l7PgIF0T+dEyrz5xt60+6JpRaU8WIGqfrN+U4CuxKBvHW2ce7MgWz
+oOIJ/1B7o5spKou6eKqm3gMP53J4hw==
+=vzFe
+-----END PGP SIGNATURE-----

openssl-1_1-disable-test_srp-sslapi.patch

@@ -0,0 +1,13 @@
+Index: openssl-1.1.1i/test/sslapitest.c
+===================================================================
+--- openssl-1.1.1i.orig/test/sslapitest.c
++++ openssl-1.1.1i/test/sslapitest.c
+@@ -6766,7 +6766,7 @@ int setup_tests(void)
+ #endif
+     ADD_ALL_TESTS(test_ssl_clear, 2);
+     ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
+-#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
++#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) && 0
+     ADD_ALL_TESTS(test_srp, 6);
+ #endif
+     ADD_ALL_TESTS(test_info_callback, 6);

openssl-1_1-seclevel.patch

@@ -0,0 +1,160 @@
+diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
+--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/x509/x509_vfy.c	2020-06-05 17:16:54.835536823 +0200
+@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
+ }
+ 
+ static const int minbits_table[] = { 80, 112, 128, 192, 256 };
++static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
+ static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
+ 
+ /*
+@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
+ 
+     if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
+         return 0;
+-
+-    return secbits >= minbits_table[level - 1];
++    /*
++     * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
++     * disable SHA1 flag is not set.
++     */
++    if ((ctx->param->flags & 0x40000000) || FIPS_mode())
++        return secbits >= minbits_table[level - 1];
++    return secbits >= minbits_digest_table[level - 1];
+ }
+diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
+--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod	2020-06-04 15:48:01.608178833 +0200
+@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
+ 
+ =item B<Level 2>
+ 
+-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
+-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
++Security level set to 112 bits of security with the exception of SHA1 allowed
++for signatures.
++As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
++shorter than 224 bits are prohibited.
+ In addition to the level 1 exclusions any cipher suite using RC4 is also
+ prohibited. SSL version 3 is also not allowed. Compression is disabled.
+ 
+diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
+--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/ssl/ssl_cert.c	2020-06-05 17:10:11.842198401 +0200
+@@ -27,6 +27,7 @@
+ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
+                                          int op, int bits, int nid, void *other,
+                                          void *ex);
++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
+ 
+ static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
+ static volatile int ssl_x509_store_ctx_idx = -1;
+@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
+     X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
+ 
+     /* Set suite B flags if needed */
+-    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
++    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
+     if (!X509_STORE_CTX_set_ex_data
+         (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
+         goto end;
+@@ -953,12 +954,33 @@ static int ssl_security_default_callback
+             return 0;
+         break;
+     default:
++        /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
++        if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
++            break;
+         if (bits < minbits)
+             return 0;
+     }
+     return 1;
+ }
+ 
++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
++{
++    unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
++    const CERT *c;
++
++    if (FIPS_mode())
++        return ret;
++
++    if (ctx != NULL) {
++       c = ctx->cert;
++    } else {
++       c = s->cert;
++    }
++    if (tls1_cert_sigalgs_have_sha1(c))
++        return 0;
++    return ret;
++}
++
+ int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
+ {
+     return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
+diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
+--- openssl-1.1.1g/ssl/ssl_local.h.seclevel	2020-06-04 15:48:01.602178783 +0200
++++ openssl-1.1.1g/ssl/ssl_local.h	2020-06-05 17:02:22.666313410 +0200
+@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
+ __owur int tls1_process_sigalgs(SSL *s);
+ __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
+ __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
++int tls1_cert_sigalgs_have_sha1(const CERT *c);
+ __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+ #  ifndef OPENSSL_NO_EC
+ __owur int tls_check_sigalg_curve(const SSL *s, int curve);
+diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.seclevel	2020-06-04 15:48:01.654179221 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c	2020-06-05 17:02:40.268459157 +0200
+@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
+     return 0;
+ }
+ 
++static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
++{
++    size_t i;
++
++    for (i = 0; i < sigalgslen; i++, sigalgs++) {
++        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
++
++        if (lu == NULL)
++            continue;
++        if (lu->hash == NID_sha1)
++            return 1;
++    }
++    return 0;
++}
++
++
++int tls1_cert_sigalgs_have_sha1(const CERT *c)
++{
++    if (c->client_sigalgs != NULL) {
++        if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
++            return 1;
++    }
++    if (c->conf_sigalgs != NULL) {
++        if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
++            return 1;
++        return 0;
++    }
++    return 1;
++}
++
+ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
+ {
+     int sig_nid, use_pc_sigalgs = 0;
+diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
+--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/recipes/25-test_verify.t	2020-06-04 15:48:01.608178833 +0200
+@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
+ ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
+     "CA with PSS signature using SHA256");
+ 
+-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+-    "Reject PSS signature using SHA1 and auth level 2");
++ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
++    "Reject PSS signature using SHA1 and auth level 3");
+ 
+ ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+     "PSS signature using SHA256 and auth level 2");

openssl-1_1-use-seclevel2-in-tests.patch

@@ -0,0 +1,38 @@
+Index: openssl-1.1.1d/test/ssl_test.c
+===================================================================
+--- openssl-1.1.1d.orig/test/ssl_test.c
++++ openssl-1.1.1d/test/ssl_test.c
+@@ -435,6 +440,7 @@ static int test_handshake(int idx)
+ #endif
+     if (test_ctx->method == SSL_TEST_METHOD_TLS) {
+         server_ctx = SSL_CTX_new(TLS_server_method());
++        SSL_CTX_set_security_level(server_ctx, 1);
+         if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx,
+                                                      TLS_MAX_VERSION)))
+             goto err;
+@@ -443,21 +449,25 @@ static int test_handshake(int idx)
+             SSL_TEST_SERVERNAME_CB_NONE) {
+             if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
+                 goto err;
++            SSL_CTX_set_security_level(server2_ctx, 1);
+             if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
+                                                          TLS_MAX_VERSION)))
+                 goto err;
+         }
+         client_ctx = SSL_CTX_new(TLS_client_method());
++        SSL_CTX_set_security_level(client_ctx, 1);
+         if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx,
+                                                      TLS_MAX_VERSION)))
+             goto err;
+ 
+         if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
+             resume_server_ctx = SSL_CTX_new(TLS_server_method());
++            SSL_CTX_set_security_level(resume_server_ctx, 1);
+             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
+                                                      TLS_MAX_VERSION)))
+                 goto err;
+             resume_client_ctx = SSL_CTX_new(TLS_client_method());
++            SSL_CTX_set_security_level(resume_client_ctx, 1);
+             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
+                                                          TLS_MAX_VERSION)))
+                 goto err;

openssl-1_1.changes

@@ -1,3 +1,82 @@
+-------------------------------------------------------------------
+Fri Feb 19 08:01:01 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 1.1.1j
+  * Fixed the X509_issuer_and_serial_hash() function. It attempts
+    to create a unique hash value based on the issuer and serial
+    number data contained within an X509 certificate. However it
+    was failing to correctly handle any errors that may occur
+    while parsing the issuer field [bsc#1182331, CVE-2021-23841]
+  * Fixed the RSA_padding_check_SSLv23() function and the
+    RSA_SSLV23_PADDING padding mode to correctly check for
+    rollback attacks.
+  * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and
+    EVP_DecryptUpdate functions. Previously they could overflow the
+    output length argument in some cases where the input length is
+    close to the maximum permissable length for an integer on the
+    platform. In such cases the return value from the function call
+    would be 1 (indicating success), but the output length value
+    would be negative. This could cause applications to behave
+    incorrectly or crash. [bsc#1182333, CVE-2021-23840]
+  * Fixed SRP_Calc_client_key so that it runs in constant time.
+    The previous implementation called BN_mod_exp without setting
+    BN_FLG_CONSTTIME. This could be exploited in a side channel
+    attack to recover the password. Since the attack is local host
+    only this is outside of the current OpenSSL threat model and
+    therefore no CVE is assigned.
+- Rebase patches:
+  * openssl-1.1.1-fips.patch
+  * openssl-1.1.0-issuer-hash.patch
+  * openssl-1.1.1-evp-kdf.patch
+
+-------------------------------------------------------------------
+Sat Feb  6 14:44:12 UTC 2021 - Jason Sikes <jsikes@suse.com>
+
+- Removed patch because it was causing problems with other servers.
+  * openssl-zero-pad-DHE-public-key.patch
+  * bsc#1181796
+
+-------------------------------------------------------------------
+Thu Feb  4 18:23:17 UTC 2021 - Jason Sikes <jsikes@suse.com>
+
+- Zero pad the DHE public key in ClientKeyExchange for interoperability with
+  Windows Server 2019.
+  * openssl-zero-pad-DHE-public-key.patch
+  * bsc#1181796
+  * sourced from https://github.com/openssl/openssl/pull/12331/files
+
+-------------------------------------------------------------------
+Fri Jan 22 09:05:41 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Add version guards for the crypto-policies
+
+-------------------------------------------------------------------
+Wed Jan 20 15:59:01 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Disable test_srp subsection from 90-test_sslapi.t test
+- Use SECLEVEL 2 in 80-test_ssl_new.t
+- Add patches:
+  * openssl-1_1-use-seclevel2-in-tests.patch
+  * openssl-1_1-disable-test_srp-sslapi.patch
+
+-------------------------------------------------------------------
+Fri Jan  8 17:49:33 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Allow SHA1 in SECLEVEL 2 in non-FIPS mode
+- Add openssl-1_1-seclevel.patch
+
+-------------------------------------------------------------------
+Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal <pmonreal@suse.com> 
+
+- Require the crypto-policies package [bsc#1180051]
+
+-------------------------------------------------------------------
+Tue Dec  8 15:43:32 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 1.1.1i (bsc#1179491)
+  * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
+- Refresh openssl-1.1.1-fips-post-rand.patch
+
 -------------------------------------------------------------------
 Thu Nov 19 10:54:53 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
 

openssl-1_1.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-1_1
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:           openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:        1.1.1h
+Version:        1.1.1j
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL
@@ -87,7 +87,14 @@ Patch47:        openssl-unknown_dgst.patch
 Patch50:        openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
 Patch51:        openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
 Patch52:        openssl-1.1.1-system-cipherlist.patch
+# PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration
+Patch53:        openssl-1_1-seclevel.patch
+Patch54:        openssl-1_1-use-seclevel2-in-tests.patch
+Patch55:        openssl-1_1-disable-test_srp-sslapi.patch
 BuildRequires:  pkgconfig
+%if 0%{?suse_version} && ! 0%{?sle_version}
+Requires:       crypto-policies
+%endif
 Conflicts:      ssl
 Provides:       ssl
 Provides:       openssl(cli)
@@ -211,8 +218,10 @@ make all %{?_smp_mflags}
 %check
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+#export HARNESS_VERBOSE=1
 LD_LIBRARY_PATH=`pwd` make test -j1
-# show cyphers
+
+# show ciphers
 gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
 
@@ -234,21 +243,21 @@ pushd %{buildroot}/%{_mandir}
 #for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
 which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
 for i in man?/*; do
-	if test -L $i ; then
-	    LDEST=`readlink $i`
-	    rm -f $i ${i}ssl
-	    ln -sf ${LDEST}ssl ${i}ssl
-	else
-	    mv $i ${i}ssl
+    if test -L $i ; then
+        LDEST=`readlink $i`
+        rm -f $i ${i}ssl
+        ln -sf ${LDEST}ssl ${i}ssl
+    else
+        mv $i ${i}ssl
         fi
-	case "$i" in
-	    *.1)
-		# these are the pages mentioned in openssl(1). They go into the main package.
-		echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
-	    *)
-		# the rest goes into the openssl-doc package.
-		echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
-	esac
+    case "$i" in
+        *.1)
+        # these are the pages mentioned in openssl(1). They go into the main package.
+        echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
+        *)
+        # the rest goes into the openssl-doc package.
+        echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
+    esac
 done
 popd