From a13839c7c6b50af4e5806fe37a4b29afe08e0eef0b9eef202c03766be59c3cc3 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Mon, 22 Feb 2021 12:20:01 +0000 Subject: [PATCH] Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85 --- openssl-1.1.0-issuer-hash.patch | 8 +- openssl-1.1.1-evp-kdf.patch | 260 +++++++------- openssl-1.1.1-fips.patch | 607 ++++++++++++++++---------------- openssl-1.1.1i.tar.gz | 3 - openssl-1.1.1i.tar.gz.asc | 11 - openssl-1.1.1j.tar.gz | 3 + openssl-1.1.1j.tar.gz.asc | 11 + openssl-1_1.changes | 36 ++ openssl-1_1.spec | 6 +- 9 files changed, 493 insertions(+), 452 deletions(-) delete mode 100644 openssl-1.1.1i.tar.gz delete mode 100644 openssl-1.1.1i.tar.gz.asc create mode 100644 openssl-1.1.1j.tar.gz create mode 100644 openssl-1.1.1j.tar.gz.asc diff --git a/openssl-1.1.0-issuer-hash.patch b/openssl-1.1.0-issuer-hash.patch index 4e1337e..f10e676 100644 --- a/openssl-1.1.0-issuer-hash.patch +++ b/openssl-1.1.0-issuer-hash.patch @@ -1,12 +1,12 @@ -Index: openssl-1.1.1d/crypto/x509/x509_cmp.c +Index: openssl-1.1.1j/crypto/x509/x509_cmp.c =================================================================== ---- openssl-1.1.1d.orig/crypto/x509/x509_cmp.c 2019-09-10 15:13:07.000000000 +0200 -+++ openssl-1.1.1d/crypto/x509/x509_cmp.c 2020-01-23 13:45:11.404634047 +0100 +--- openssl-1.1.1j.orig/crypto/x509/x509_cmp.c ++++ openssl-1.1.1j/crypto/x509/x509_cmp.c @@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has if (ctx == NULL) goto err; + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); - if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) + if (f == NULL) goto err; diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch index 54710f6..1fdd9a4 100644 --- a/openssl-1.1.1-evp-kdf.patch +++ b/openssl-1.1.1-evp-kdf.patch @@ -1,8 +1,8 @@ -Index: openssl-1.1.1e/crypto/err/openssl.txt +Index: openssl-1.1.1j/crypto/err/openssl.txt =================================================================== ---- openssl-1.1.1e.orig/crypto/err/openssl.txt 2020-03-20 14:37:07.940876078 +0100 -+++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-20 16:12:06.574822921 +0100 -@@ -753,6 +753,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn +--- openssl-1.1.1j.orig/crypto/err/openssl.txt ++++ openssl-1.1.1j/crypto/err/openssl.txt +@@ -754,6 +754,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate @@ -12,7 +12,7 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex EVP_F_EVP_MD_SIZE:162:EVP_MD_size EVP_F_EVP_OPENINIT:102:EVP_OpenInit -@@ -815,12 +818,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k +@@ -816,12 +819,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen @@ -44,7 +44,7 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init -@@ -832,6 +854,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc +@@ -833,6 +855,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init @@ -52,15 +52,15 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid -@@ -2284,6 +2307,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on +@@ -2290,6 +2313,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ operation not supported for this keytype EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized +EVP_R_PARAMETER_TOO_LARGE:187:parameter too large + EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PBKDF2_ERROR:181:pbkdf2 error - EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ -@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed +@@ -2327,6 +2351,7 @@ KDF_R_MISSING_SEED:106:missing seed KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type KDF_R_VALUE_ERROR:108:value error KDF_R_VALUE_MISSING:102:value missing @@ -68,10 +68,10 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt OBJ_R_OID_EXISTS:102:oid exists OBJ_R_UNKNOWN_NID:101:unknown nid OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error -Index: openssl-1.1.1e/crypto/evp/build.info +Index: openssl-1.1.1j/crypto/evp/build.info =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/build.info 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/build.info 2020-03-20 14:37:08.204877468 +0100 +--- openssl-1.1.1j.orig/crypto/evp/build.info ++++ openssl-1.1.1j/crypto/evp/build.info @@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ @@ -82,10 +82,10 @@ Index: openssl-1.1.1e/crypto/evp/build.info e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_chacha20_poly1305.c cmeth_lib.c -Index: openssl-1.1.1e/crypto/evp/evp_err.c +Index: openssl-1.1.1j/crypto/evp/evp_err.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/evp_err.c 2020-03-20 14:37:08.036876583 +0100 -+++ openssl-1.1.1e/crypto/evp/evp_err.c 2020-03-20 14:37:08.204877468 +0100 +--- openssl-1.1.1j.orig/crypto/evp/evp_err.c ++++ openssl-1.1.1j/crypto/evp/evp_err.c @@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), "EVP_EncryptFinal_ex"}, @@ -117,13 +117,13 @@ Index: openssl-1.1.1e/crypto/evp/evp_err.c "operaton not initialized"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE), + "parameter too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), + "output would overflow"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), - "partially overlapping buffers"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, -Index: openssl-1.1.1e/crypto/evp/evp_local.h +Index: openssl-1.1.1j/crypto/evp/evp_local.h =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/evp_local.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/evp_local.h 2020-03-20 16:12:26.722928201 +0100 +--- openssl-1.1.1j.orig/crypto/evp/evp_local.h ++++ openssl-1.1.1j/crypto/evp/evp_local.h @@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ } /* EVP_CIPHER_CTX */ ; @@ -136,10 +136,10 @@ Index: openssl-1.1.1e/crypto/evp/evp_local.h int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, -Index: openssl-1.1.1e/crypto/evp/evp_pbe.c +Index: openssl-1.1.1j/crypto/evp/evp_pbe.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/evp_pbe.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/evp_pbe.c 2020-03-20 14:37:08.204877468 +0100 +--- openssl-1.1.1j.orig/crypto/evp/evp_pbe.c ++++ openssl-1.1.1j/crypto/evp/evp_pbe.c @@ -12,6 +12,7 @@ #include #include @@ -148,10 +148,10 @@ Index: openssl-1.1.1e/crypto/evp/evp_pbe.c #include "evp_local.h" /* Password based encryption (PBE) functions */ -Index: openssl-1.1.1e/crypto/evp/kdf_lib.c +Index: openssl-1.1.1j/crypto/evp/kdf_lib.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/evp/kdf_lib.c 2020-03-20 16:12:06.574822921 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/evp/kdf_lib.c @@ -0,0 +1,165 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -318,10 +318,10 @@ Index: openssl-1.1.1e/crypto/evp/kdf_lib.c + return ctx->kmeth->derive(ctx->impl, key, keylen); +} + -Index: openssl-1.1.1e/crypto/evp/p5_crpt2.c +Index: openssl-1.1.1j/crypto/evp/p5_crpt2.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/p5_crpt2.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/p5_crpt2.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/evp/p5_crpt2.c ++++ openssl-1.1.1j/crypto/evp/p5_crpt2.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. @@ -470,10 +470,10 @@ Index: openssl-1.1.1e/crypto/evp/p5_crpt2.c } int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, -Index: openssl-1.1.1e/crypto/evp/pbe_scrypt.c +Index: openssl-1.1.1j/crypto/evp/pbe_scrypt.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/pbe_scrypt.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/pbe_scrypt.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/evp/pbe_scrypt.c ++++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c @@ -7,135 +7,12 @@ * https://www.openssl.org/source/license.html */ @@ -744,10 +744,10 @@ Index: openssl-1.1.1e/crypto/evp/pbe_scrypt.c } + #endif -Index: openssl-1.1.1e/crypto/evp/pkey_kdf.c +Index: openssl-1.1.1j/crypto/evp/pkey_kdf.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/evp/pkey_kdf.c 2020-03-20 16:11:56.326769377 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/evp/pkey_kdf.c @@ -0,0 +1,255 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1004,10 +1004,10 @@ Index: openssl-1.1.1e/crypto/evp/pkey_kdf.c + pkey_kdf_ctrl_str +}; + -Index: openssl-1.1.1e/include/crypto/evp.h +Index: openssl-1.1.1j/include/crypto/evp.h =================================================================== ---- openssl-1.1.1e.orig/include/crypto/evp.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/include/crypto/evp.h 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/include/crypto/evp.h ++++ openssl-1.1.1j/include/crypto/evp.h @@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m extern const EVP_PKEY_METHOD poly1305_pkey_meth; extern const EVP_PKEY_METHOD siphash_pkey_meth; @@ -1033,19 +1033,19 @@ Index: openssl-1.1.1e/include/crypto/evp.h struct evp_md_st { int type; int pkey_type; -Index: openssl-1.1.1e/crypto/kdf/build.info +Index: openssl-1.1.1j/crypto/kdf/build.info =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/build.info 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/build.info 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/build.info ++++ openssl-1.1.1j/crypto/kdf/build.info @@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - tls1_prf.c kdf_err.c hkdf.c scrypt.c + tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c -Index: openssl-1.1.1e/crypto/kdf/hkdf.c +Index: openssl-1.1.1j/crypto/kdf/hkdf.c =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/hkdf.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/hkdf.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/hkdf.c ++++ openssl-1.1.1j/crypto/kdf/hkdf.c @@ -8,32 +8,33 @@ */ @@ -1512,10 +1512,10 @@ Index: openssl-1.1.1e/crypto/kdf/hkdf.c err: OPENSSL_cleanse(prev, sizeof(prev)); -Index: openssl-1.1.1e/crypto/kdf/kdf_err.c +Index: openssl-1.1.1j/crypto/kdf/kdf_err.c =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/kdf_err.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/kdf_err.c 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/kdf_err.c ++++ openssl-1.1.1j/crypto/kdf/kdf_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT @@ -1571,10 +1571,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_err.c {0, NULL} }; -Index: openssl-1.1.1e/crypto/kdf/kdf_local.h +Index: openssl-1.1.1j/crypto/kdf/kdf_local.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/kdf/kdf_local.h 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/kdf/kdf_local.h @@ -0,0 +1,22 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1598,10 +1598,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_local.h + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *md_name); + -Index: openssl-1.1.1e/crypto/kdf/kdf_util.c +Index: openssl-1.1.1j/crypto/kdf/kdf_util.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/kdf/kdf_util.c 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/kdf/kdf_util.c @@ -0,0 +1,73 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1676,10 +1676,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_util.c + return call_ctrl(ctrl, impl, cmd, md); +} + -Index: openssl-1.1.1e/crypto/kdf/pbkdf2.c +Index: openssl-1.1.1j/crypto/kdf/pbkdf2.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/kdf/pbkdf2.c 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/kdf/pbkdf2.c @@ -0,0 +1,264 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1945,10 +1945,10 @@ Index: openssl-1.1.1e/crypto/kdf/pbkdf2.c + HMAC_CTX_free(hctx_tpl); + return ret; +} -Index: openssl-1.1.1e/crypto/kdf/scrypt.c +Index: openssl-1.1.1j/crypto/kdf/scrypt.c =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/scrypt.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/scrypt.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/scrypt.c ++++ openssl-1.1.1j/crypto/kdf/scrypt.c @@ -8,25 +8,34 @@ */ @@ -2537,10 +2537,10 @@ Index: openssl-1.1.1e/crypto/kdf/scrypt.c +} #endif -Index: openssl-1.1.1e/crypto/kdf/tls1_prf.c +Index: openssl-1.1.1j/crypto/kdf/tls1_prf.c =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/tls1_prf.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/tls1_prf.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/tls1_prf.c ++++ openssl-1.1.1j/crypto/kdf/tls1_prf.c @@ -8,11 +8,15 @@ */ @@ -2824,10 +2824,10 @@ Index: openssl-1.1.1e/crypto/kdf/tls1_prf.c OPENSSL_clear_free(tmp, olen); return 0; } -Index: openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod +Index: openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod @@ -0,0 +1,217 @@ +=pod + @@ -3046,10 +3046,10 @@ Index: openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod +L. + +=cut -Index: openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod +Index: openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod @@ -0,0 +1,180 @@ +=pod + @@ -3231,10 +3231,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod +L. + +=cut -Index: openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod +Index: openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod @@ -0,0 +1,78 @@ +=pod + @@ -3314,10 +3314,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod +L. + +=cut -Index: openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod +Index: openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod @@ -0,0 +1,149 @@ +=pod + @@ -3468,10 +3468,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod +L. + +=cut -Index: openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod +Index: openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod @@ -0,0 +1,142 @@ +=pod + @@ -3615,11 +3615,11 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod +L. + +=cut -Index: openssl-1.1.1e/include/openssl/evperr.h +Index: openssl-1.1.1j/include/openssl/evperr.h =================================================================== ---- openssl-1.1.1e.orig/include/openssl/evperr.h 2020-03-20 14:37:08.084876835 +0100 -+++ openssl-1.1.1e/include/openssl/evperr.h 2020-03-20 14:37:08.208877488 +0100 -@@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void); +--- openssl-1.1.1j.orig/include/openssl/evperr.h ++++ openssl-1.1.1j/include/openssl/evperr.h +@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void); # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 # define EVP_F_EVP_ENCRYPTFINAL_EX 127 # define EVP_F_EVP_ENCRYPTUPDATE 167 @@ -3629,7 +3629,7 @@ Index: openssl-1.1.1e/include/openssl/evperr.h # define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_SIZE 162 # define EVP_F_EVP_OPENINIT 102 -@@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void); +@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void); # define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118 # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164 # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 @@ -3643,18 +3643,18 @@ Index: openssl-1.1.1e/include/openssl/evperr.h # define EVP_F_UPDATE 173 /* -@@ -181,6 +186,7 @@ int ERR_load_EVP_strings(void); +@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATON_NOT_INITIALIZED 151 +# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_OUTPUT_WOULD_OVERFLOW 184 # define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PBKDF2_ERROR 181 - # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 -Index: openssl-1.1.1e/include/openssl/kdferr.h +Index: openssl-1.1.1j/include/openssl/kdferr.h =================================================================== ---- openssl-1.1.1e.orig/include/openssl/kdferr.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/include/openssl/kdferr.h 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/include/openssl/kdferr.h ++++ openssl-1.1.1j/include/openssl/kdferr.h @@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void); /* * KDF function codes. @@ -3694,10 +3694,10 @@ Index: openssl-1.1.1e/include/openssl/kdferr.h +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 #endif -Index: openssl-1.1.1e/include/openssl/kdf.h +Index: openssl-1.1.1j/include/openssl/kdf.h =================================================================== ---- openssl-1.1.1e.orig/include/openssl/kdf.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/include/openssl/kdf.h 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/include/openssl/kdf.h ++++ openssl-1.1.1j/include/openssl/kdf.h @@ -10,10 +10,50 @@ #ifndef HEADER_KDF_H # define HEADER_KDF_H @@ -3776,10 +3776,10 @@ Index: openssl-1.1.1e/include/openssl/kdf.h } # endif #endif -Index: openssl-1.1.1e/include/openssl/ossl_typ.h +Index: openssl-1.1.1j/include/openssl/ossl_typ.h =================================================================== ---- openssl-1.1.1e.orig/include/openssl/ossl_typ.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/include/openssl/ossl_typ.h 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/include/openssl/ossl_typ.h ++++ openssl-1.1.1j/include/openssl/ossl_typ.h @@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E typedef struct evp_pkey_method_st EVP_PKEY_METHOD; typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; @@ -3789,10 +3789,10 @@ Index: openssl-1.1.1e/include/openssl/ossl_typ.h typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX; typedef struct hmac_ctx_st HMAC_CTX; -Index: openssl-1.1.1e/test/build.info +Index: openssl-1.1.1j/test/build.info =================================================================== ---- openssl-1.1.1e.orig/test/build.info 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/build.info 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/test/build.info ++++ openssl-1.1.1j/test/build.info @@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bio_callback_test bio_memleak_test \ @@ -3814,10 +3814,10 @@ Index: openssl-1.1.1e/test/build.info SOURCE[x509_time_test]=x509_time_test.c INCLUDE[x509_time_test]=../include DEPEND[x509_time_test]=../libcrypto libtestutil.a -Index: openssl-1.1.1e/test/evp_kdf_test.c +Index: openssl-1.1.1j/test/evp_kdf_test.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/test/evp_kdf_test.c 2020-03-20 14:37:08.212877511 +0100 +--- /dev/null ++++ openssl-1.1.1j/test/evp_kdf_test.c @@ -0,0 +1,237 @@ +/* + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. @@ -4056,10 +4056,10 @@ Index: openssl-1.1.1e/test/evp_kdf_test.c +#endif + return 1; +} -Index: openssl-1.1.1e/test/evp_test.c +Index: openssl-1.1.1j/test/evp_test.c =================================================================== ---- openssl-1.1.1e.orig/test/evp_test.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/evp_test.c 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/test/evp_test.c ++++ openssl-1.1.1j/test/evp_test.c @@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test encode_test_run, }; @@ -4271,10 +4271,10 @@ Index: openssl-1.1.1e/test/evp_test.c &keypair_test_method, &keygen_test_method, &mac_test_method, -Index: openssl-1.1.1e/test/pkey_meth_kdf_test.c +Index: openssl-1.1.1j/test/pkey_meth_kdf_test.c =================================================================== ---- openssl-1.1.1e.orig/test/pkey_meth_kdf_test.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/pkey_meth_kdf_test.c 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/test/pkey_meth_kdf_test.c ++++ openssl-1.1.1j/test/pkey_meth_kdf_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. @@ -4478,10 +4478,10 @@ Index: openssl-1.1.1e/test/pkey_meth_kdf_test.c } #endif -Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt +Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt =================================================================== ---- openssl-1.1.1e.orig/test/recipes/30-test_evp_data/evpkdf.txt 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/test/recipes/30-test_evp_data/evpkdf.txt ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. @@ -4880,10 +4880,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt +Ctrl.digest = digest:sha512 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14 + -Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt +Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt 2020-03-20 14:37:08.212877511 +0100 +--- /dev/null ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt @@ -0,0 +1,305 @@ +# +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5190,10 +5190,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt +Ctrl.p = p:1 +Result = INTERNAL_ERROR + -Index: openssl-1.1.1e/test/recipes/30-test_evp_kdf.t +Index: openssl-1.1.1j/test/recipes/30-test_evp_kdf.t =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/test/recipes/30-test_evp_kdf.t 2020-03-20 14:37:08.212877511 +0100 +--- /dev/null ++++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t @@ -0,0 +1,13 @@ +#! /usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5208,10 +5208,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_kdf.t +use OpenSSL::Test::Simple; + +simple_test("test_evp_kdf", "evp_kdf_test"); -Index: openssl-1.1.1e/test/recipes/30-test_evp.t +Index: openssl-1.1.1j/test/recipes/30-test_evp.t =================================================================== ---- openssl-1.1.1e.orig/test/recipes/30-test_evp.t 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/recipes/30-test_evp.t 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/test/recipes/30-test_evp.t ++++ openssl-1.1.1j/test/recipes/30-test_evp.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ setup("test_evp"); @@ -5221,11 +5221,11 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp.t "evpcase.txt", "evpccmcavs.txt" ); plan tests => scalar(@files); -Index: openssl-1.1.1e/util/libcrypto.num +Index: openssl-1.1.1j/util/libcrypto.num =================================================================== ---- openssl-1.1.1e.orig/util/libcrypto.num 2020-03-20 14:37:08.088876857 +0100 -+++ openssl-1.1.1e/util/libcrypto.num 2020-03-20 16:11:58.798782289 +0100 -@@ -4622,3 +4622,11 @@ FIPS_drbg_get_strength +--- openssl-1.1.1j.orig/util/libcrypto.num ++++ openssl-1.1.1j/util/libcrypto.num +@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: @@ -5237,10 +5237,10 @@ Index: openssl-1.1.1e/util/libcrypto.num +EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: +EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: +EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: -Index: openssl-1.1.1e/util/private.num +Index: openssl-1.1.1j/util/private.num =================================================================== ---- openssl-1.1.1e.orig/util/private.num 2020-03-20 14:37:07.856875635 +0100 -+++ openssl-1.1.1e/util/private.num 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/util/private.num ++++ openssl-1.1.1j/util/private.num @@ -22,6 +22,7 @@ CRYPTO_EX_dup CRYPTO_EX_free datatype CRYPTO_EX_new datatype @@ -5249,10 +5249,10 @@ Index: openssl-1.1.1e/util/private.num EVP_PKEY_gen_cb datatype EVP_PKEY_METHOD datatype EVP_PKEY_ASN1_METHOD datatype -Index: openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c +Index: openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/e_chacha20_poly1305.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c 2020-03-20 16:12:44.271019899 +0100 +--- openssl-1.1.1j.orig/crypto/evp/e_chacha20_poly1305.c ++++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c @@ -14,8 +14,8 @@ # include @@ -5263,10 +5263,10 @@ Index: openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c # include "crypto/chacha.h" typedef struct { -Index: openssl-1.1.1e/crypto/evp/encode.c +Index: openssl-1.1.1j/crypto/evp/encode.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/encode.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/encode.c 2020-03-20 16:15:09.491778701 +0100 +--- openssl-1.1.1j.orig/crypto/evp/encode.c ++++ openssl-1.1.1j/crypto/evp/encode.c @@ -11,8 +11,8 @@ #include #include "internal/cryptlib.h" diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 42138c7..cabaffd 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -1,7 +1,7 @@ -Index: openssl-1.1.1h/apps/pkcs12.c +Index: openssl-1.1.1j/apps/pkcs12.c =================================================================== ---- openssl-1.1.1h.orig/apps/pkcs12.c 2020-09-22 22:42:56.986158135 +0200 -+++ openssl-1.1.1h/apps/pkcs12.c 2020-09-22 22:42:58.426167464 +0200 +--- openssl-1.1.1j.orig/apps/pkcs12.c ++++ openssl-1.1.1j/apps/pkcs12.c @@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv) int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; @@ -11,10 +11,10 @@ Index: openssl-1.1.1h/apps/pkcs12.c #else int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; #endif -Index: openssl-1.1.1h/apps/speed.c +Index: openssl-1.1.1j/apps/speed.c =================================================================== ---- openssl-1.1.1h.orig/apps/speed.c 2020-09-22 22:42:56.990158161 +0200 -+++ openssl-1.1.1h/apps/speed.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/apps/speed.c ++++ openssl-1.1.1j/apps/speed.c @@ -1674,7 +1674,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { @@ -165,10 +165,10 @@ Index: openssl-1.1.1h/apps/speed.c if (loopargs[i].hctx == NULL) { BIO_printf(bio_err, "HMAC malloc failure, exiting..."); exit(1); -Index: openssl-1.1.1h/Configure +Index: openssl-1.1.1j/Configure =================================================================== ---- openssl-1.1.1h.orig/Configure 2020-09-22 22:42:56.990158161 +0200 -+++ openssl-1.1.1h/Configure 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/Configure ++++ openssl-1.1.1j/Configure @@ -325,7 +325,7 @@ $config{sdirs} = [ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", @@ -178,10 +178,10 @@ Index: openssl-1.1.1h/Configure "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; -Index: openssl-1.1.1h/crypto/cmac/cm_pmeth.c +Index: openssl-1.1.1j/crypto/cmac/cm_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/cmac/cm_pmeth.c 2020-09-22 22:42:56.990158161 +0200 -+++ openssl-1.1.1h/crypto/cmac/cm_pmeth.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/cmac/cm_pmeth.c ++++ openssl-1.1.1j/crypto/cmac/cm_pmeth.c @@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD cmac_pkey_meth = { @@ -191,10 +191,10 @@ Index: openssl-1.1.1h/crypto/cmac/cm_pmeth.c pkey_cmac_init, pkey_cmac_copy, pkey_cmac_cleanup, -Index: openssl-1.1.1h/crypto/dh/dh_err.c +Index: openssl-1.1.1j/crypto/dh/dh_err.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dh/dh_err.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dh/dh_err.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dh/dh_err.c ++++ openssl-1.1.1j/crypto/dh/dh_err.c @@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), @@ -220,10 +220,10 @@ Index: openssl-1.1.1h/crypto/dh/dh_err.c {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -Index: openssl-1.1.1h/crypto/dh/dh_gen.c +Index: openssl-1.1.1j/crypto/dh/dh_gen.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dh/dh_gen.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dh/dh_gen.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dh/dh_gen.c ++++ openssl-1.1.1j/crypto/dh/dh_gen.c @@ -16,6 +16,9 @@ #include "internal/cryptlib.h" #include @@ -267,10 +267,10 @@ Index: openssl-1.1.1h/crypto/dh/dh_gen.c ctx = BN_CTX_new(); if (ctx == NULL) goto err; -Index: openssl-1.1.1h/crypto/dh/dh_key.c +Index: openssl-1.1.1j/crypto/dh/dh_key.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dh/dh_key.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dh/dh_key.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dh/dh_key.c ++++ openssl-1.1.1j/crypto/dh/dh_key.c @@ -11,6 +11,9 @@ #include "internal/cryptlib.h" #include "dh_local.h" @@ -281,7 +281,7 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); -@@ -22,18 +25,32 @@ static int dh_finish(DH *dh); +@@ -22,6 +25,13 @@ static int dh_finish(DH *dh); int DH_generate_key(DH *dh) { @@ -295,6 +295,8 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c return dh->meth->generate_key(dh); } +@@ -31,6 +41,13 @@ int DH_generate_key(DH *dh) + */ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { +#ifdef OPENSSL_FIPS @@ -304,18 +306,19 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c + return 0; + } +#endif - return dh->meth->compute_key(key, pub_key, dh); - } + int ret = 0, i; + volatile size_t npad = 0, mask = 1; - int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { +@@ -59,7 +76,7 @@ int DH_compute_key_padded(unsigned char int rv, pad; + + /* rv is constant unless compute_key is external */ - rv = dh->meth->compute_key(key, pub_key, dh); + rv = DH_compute_key(key, pub_key, dh); if (rv <= 0) return rv; pad = BN_num_bytes(dh->p) - rv; -@@ -82,6 +99,14 @@ static int generate_key(DH *dh) +@@ -109,6 +126,14 @@ static int generate_key(DH *dh) BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; @@ -330,7 +333,7 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); return 0; -@@ -179,6 +204,13 @@ static int compute_key(unsigned char *ke +@@ -206,6 +231,13 @@ static int compute_key(unsigned char *ke DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); goto err; } @@ -344,7 +347,7 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c ctx = BN_CTX_new(); if (ctx == NULL) -@@ -228,6 +260,9 @@ static int dh_bn_mod_exp(const DH *dh, B +@@ -255,6 +287,9 @@ static int dh_bn_mod_exp(const DH *dh, B static int dh_init(DH *dh) { @@ -354,10 +357,10 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c dh->flags |= DH_FLAG_CACHE_MONT_P; return 1; } -Index: openssl-1.1.1h/crypto/dh/dh_pmeth.c +Index: openssl-1.1.1j/crypto/dh/dh_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dh/dh_pmeth.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dh/dh_pmeth.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dh/dh_pmeth.c ++++ openssl-1.1.1j/crypto/dh/dh_pmeth.c @@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * const EVP_PKEY_METHOD dh_pkey_meth = { @@ -376,10 +379,10 @@ Index: openssl-1.1.1h/crypto/dh/dh_pmeth.c pkey_dh_init, pkey_dh_copy, pkey_dh_cleanup, -Index: openssl-1.1.1h/crypto/dsa/dsa_err.c +Index: openssl-1.1.1j/crypto/dsa/dsa_err.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_err.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_err.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_err.c ++++ openssl-1.1.1j/crypto/dsa/dsa_err.c @@ -16,12 +16,15 @@ static const ERR_STRING_DATA DSA_str_functs[] = { {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, @@ -411,10 +414,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_err.c {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, -Index: openssl-1.1.1h/crypto/dsa/dsa_gen.c +Index: openssl-1.1.1j/crypto/dsa/dsa_gen.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_gen.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_gen.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_gen.c ++++ openssl-1.1.1j/crypto/dsa/dsa_gen.c @@ -22,12 +22,22 @@ #include #include @@ -576,10 +579,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_gen.c +} + +#endif -Index: openssl-1.1.1h/crypto/dsa/dsa_key.c +Index: openssl-1.1.1j/crypto/dsa/dsa_key.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_key.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_key.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_key.c ++++ openssl-1.1.1j/crypto/dsa/dsa_key.c @@ -13,10 +13,49 @@ #include #include "dsa_local.h" @@ -659,10 +662,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_key.c ok = 1; err: -Index: openssl-1.1.1h/crypto/dsa/dsa_ossl.c +Index: openssl-1.1.1j/crypto/dsa/dsa_ossl.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_ossl.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_ossl.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_ossl.c ++++ openssl-1.1.1j/crypto/dsa/dsa_ossl.c @@ -14,6 +14,9 @@ #include #include "dsa_local.h" @@ -722,10 +725,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_ossl.c dsa->flags |= DSA_FLAG_CACHE_MONT_P; return 1; } -Index: openssl-1.1.1h/crypto/dsa/dsa_pmeth.c +Index: openssl-1.1.1j/crypto/dsa/dsa_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_pmeth.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_pmeth.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_pmeth.c ++++ openssl-1.1.1j/crypto/dsa/dsa_pmeth.c @@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT BN_GENCB_free(pcb); return 0; @@ -746,10 +749,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_pmeth.c pkey_dsa_init, pkey_dsa_copy, pkey_dsa_cleanup, -Index: openssl-1.1.1h/crypto/ec/ecdh_ossl.c +Index: openssl-1.1.1j/crypto/ec/ecdh_ossl.c =================================================================== ---- openssl-1.1.1h.orig/crypto/ec/ecdh_ossl.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/ec/ecdh_ossl.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/ec/ecdh_ossl.c ++++ openssl-1.1.1j/crypto/ec/ecdh_ossl.c @@ -19,9 +19,20 @@ #include #include "ec_local.h" @@ -771,10 +774,10 @@ Index: openssl-1.1.1h/crypto/ec/ecdh_ossl.c if (ecdh->group->meth->ecdh_compute_key == NULL) { ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); return 0; -Index: openssl-1.1.1h/crypto/ec/ecdsa_ossl.c +Index: openssl-1.1.1j/crypto/ec/ecdsa_ossl.c =================================================================== ---- openssl-1.1.1h.orig/crypto/ec/ecdsa_ossl.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/ec/ecdsa_ossl.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/ec/ecdsa_ossl.c ++++ openssl-1.1.1j/crypto/ec/ecdsa_ossl.c @@ -14,6 +14,11 @@ #include "crypto/bn.h" #include "ec_local.h" @@ -815,10 +818,10 @@ Index: openssl-1.1.1h/crypto/ec/ecdsa_ossl.c /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -Index: openssl-1.1.1h/crypto/ec/ec_key.c +Index: openssl-1.1.1j/crypto/ec/ec_key.c =================================================================== ---- openssl-1.1.1h.orig/crypto/ec/ec_key.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/ec/ec_key.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/ec/ec_key.c ++++ openssl-1.1.1j/crypto/ec/ec_key.c @@ -179,14 +179,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY return eckey->engine; } @@ -884,10 +887,10 @@ Index: openssl-1.1.1h/crypto/ec/ec_key.c ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } -Index: openssl-1.1.1h/crypto/ec/ec_pmeth.c +Index: openssl-1.1.1j/crypto/ec/ec_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/ec/ec_pmeth.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/ec/ec_pmeth.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/ec/ec_pmeth.c ++++ openssl-1.1.1j/crypto/ec/ec_pmeth.c @@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * const EVP_PKEY_METHOD ec_pkey_meth = { @@ -897,10 +900,10 @@ Index: openssl-1.1.1h/crypto/ec/ec_pmeth.c pkey_ec_init, pkey_ec_copy, pkey_ec_cleanup, -Index: openssl-1.1.1h/crypto/evp/c_allc.c +Index: openssl-1.1.1j/crypto/evp/c_allc.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/c_allc.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/c_allc.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/c_allc.c ++++ openssl-1.1.1j/crypto/evp/c_allc.c @@ -17,6 +17,9 @@ void openssl_add_all_ciphers_int(void) { @@ -982,10 +985,10 @@ Index: openssl-1.1.1h/crypto/evp/c_allc.c + } +#endif } -Index: openssl-1.1.1h/crypto/evp/c_alld.c +Index: openssl-1.1.1j/crypto/evp/c_alld.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/c_alld.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/c_alld.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/c_alld.c ++++ openssl-1.1.1j/crypto/evp/c_alld.c @@ -16,6 +16,9 @@ void openssl_add_all_digests_int(void) @@ -1021,10 +1024,10 @@ Index: openssl-1.1.1h/crypto/evp/c_alld.c + } +#endif } -Index: openssl-1.1.1h/crypto/evp/digest.c +Index: openssl-1.1.1j/crypto/evp/digest.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/digest.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/digest.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/digest.c ++++ openssl-1.1.1j/crypto/evp/digest.c @@ -14,6 +14,9 @@ #include #include "crypto/evp.h" @@ -1085,10 +1088,10 @@ Index: openssl-1.1.1h/crypto/evp/digest.c OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) -Index: openssl-1.1.1h/crypto/evp/e_aes.c +Index: openssl-1.1.1j/crypto/evp/e_aes.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/e_aes.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/e_aes.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/e_aes.c ++++ openssl-1.1.1j/crypto/evp/e_aes.c @@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER * This addresses Rogaway's vulnerability. * See comment in aes_xts_init_key() below. @@ -1211,10 +1214,10 @@ Index: openssl-1.1.1h/crypto/evp/e_aes.c | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) -Index: openssl-1.1.1h/crypto/evp/e_des3.c +Index: openssl-1.1.1j/crypto/evp/e_des3.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/e_des3.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/e_des3.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/e_des3.c ++++ openssl-1.1.1j/crypto/evp/e_des3.c @@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, # define des_ede3_cbc_cipher des_ede_cbc_cipher # define des_ede3_ecb_cipher des_ede_ecb_cipher @@ -1241,10 +1244,10 @@ Index: openssl-1.1.1h/crypto/evp/e_des3.c static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -Index: openssl-1.1.1h/crypto/evp/e_null.c +Index: openssl-1.1.1j/crypto/evp/e_null.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/e_null.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/e_null.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/e_null.c ++++ openssl-1.1.1j/crypto/evp/e_null.c @@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c const unsigned char *in, size_t inl); static const EVP_CIPHER n_cipher = { @@ -1255,11 +1258,11 @@ Index: openssl-1.1.1h/crypto/evp/e_null.c null_init_key, null_cipher, NULL, -Index: openssl-1.1.1h/crypto/evp/evp_enc.c +Index: openssl-1.1.1j/crypto/evp/evp_enc.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/evp_enc.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/evp_enc.c 2020-09-22 22:42:58.434167516 +0200 -@@ -17,10 +17,19 @@ +--- openssl-1.1.1j.orig/crypto/evp/evp_enc.c ++++ openssl-1.1.1j/crypto/evp/evp_enc.c +@@ -18,10 +18,19 @@ #include #include "crypto/evp.h" #include "evp_local.h" @@ -1280,7 +1283,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c return 1; if (c->cipher != NULL) { if (c->cipher->cleanup && !c->cipher->cleanup(c)) -@@ -39,6 +48,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX +@@ -40,6 +49,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { @@ -1293,7 +1296,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); } -@@ -67,6 +82,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -68,6 +83,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct enc = 1; ctx->encrypt = enc; } @@ -1306,7 +1309,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c #ifndef OPENSSL_NO_ENGINE /* * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -136,7 +157,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -137,7 +158,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct } ctx->key_len = cipher->key_len; /* Preserve wrap enable flag, zero everything else */ @@ -1315,7 +1318,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { ctx->cipher = NULL; -@@ -195,6 +216,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -196,6 +217,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct return 0; } } @@ -1334,10 +1337,10 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if (!ctx->cipher->init(ctx, key, iv, enc)) -Index: openssl-1.1.1h/crypto/evp/evp_err.c +Index: openssl-1.1.1j/crypto/evp/evp_err.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/evp_err.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/evp_err.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/evp_err.c ++++ openssl-1.1.1j/crypto/evp/evp_err.c @@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), "aes_t4_xts_init_key"}, @@ -1354,7 +1357,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_err.c {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), "error loading section"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), -@@ -249,6 +251,7 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -251,6 +253,7 @@ static const ERR_STRING_DATA EVP_str_rea {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, @@ -1362,7 +1365,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_err.c {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, -@@ -274,6 +277,8 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -276,6 +279,8 @@ static const ERR_STRING_DATA EVP_str_rea "wrap mode not allowed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), "wrong final block length"}, @@ -1371,10 +1374,10 @@ Index: openssl-1.1.1h/crypto/evp/evp_err.c {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), "xts duplicated keys"}, {0, NULL} -Index: openssl-1.1.1h/crypto/evp/evp_lib.c +Index: openssl-1.1.1j/crypto/evp/evp_lib.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/evp_lib.c 2020-09-22 22:42:57.002158239 +0200 -+++ openssl-1.1.1h/crypto/evp/evp_lib.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/evp_lib.c ++++ openssl-1.1.1j/crypto/evp/evp_lib.c @@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) @@ -1385,10 +1388,10 @@ Index: openssl-1.1.1h/crypto/evp/evp_lib.c return ctx->cipher->do_cipher(ctx, out, in, inl); } -Index: openssl-1.1.1h/crypto/evp/m_sha1.c +Index: openssl-1.1.1j/crypto/evp/m_sha1.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/m_sha1.c 2020-09-22 22:42:57.002158239 +0200 -+++ openssl-1.1.1h/crypto/evp/m_sha1.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/m_sha1.c ++++ openssl-1.1.1j/crypto/evp/m_sha1.c @@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -1452,10 +1455,10 @@ Index: openssl-1.1.1h/crypto/evp/m_sha1.c init512, update512, final512, -Index: openssl-1.1.1h/crypto/evp/m_sha3.c +Index: openssl-1.1.1j/crypto/evp/m_sha3.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/m_sha3.c 2020-09-22 22:42:57.002158239 +0200 -+++ openssl-1.1.1h/crypto/evp/m_sha3.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/m_sha3.c ++++ openssl-1.1.1j/crypto/evp/m_sha3.c @@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ @@ -1510,10 +1513,10 @@ Index: openssl-1.1.1h/crypto/evp/m_sha3.c shake_init, \ sha3_update, \ sha3_final, \ -Index: openssl-1.1.1h/crypto/evp/pmeth_lib.c +Index: openssl-1.1.1j/crypto/evp/pmeth_lib.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/pmeth_lib.c 2020-09-22 22:42:57.002158239 +0200 -+++ openssl-1.1.1h/crypto/evp/pmeth_lib.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/pmeth_lib.c ++++ openssl-1.1.1j/crypto/evp/pmeth_lib.c @@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE pmeth = ENGINE_get_pkey_meth(e, id); else @@ -1530,10 +1533,10 @@ Index: openssl-1.1.1h/crypto/evp/pmeth_lib.c if (pmeth == NULL) { #ifndef OPENSSL_NO_ENGINE -Index: openssl-1.1.1h/crypto/fips/build.info +Index: openssl-1.1.1j/crypto/fips/build.info =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/build.info 2020-09-22 22:42:58.434167516 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/build.info @@ -0,0 +1,15 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ @@ -1550,10 +1553,10 @@ Index: openssl-1.1.1h/crypto/fips/build.info +SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c +INCLUDE[fips_standalone_hmac]=../../include +DEPEND[fips_standalone_hmac]=../../libcrypto -Index: openssl-1.1.1h/crypto/fips/fips_aes_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_aes_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_aes_selftest.c 2020-09-22 22:42:58.434167516 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_aes_selftest.c @@ -0,0 +1,372 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -1927,10 +1930,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_aes_selftest.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips.c +Index: openssl-1.1.1j/crypto/fips/fips.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips.c 2020-09-22 22:42:58.434167516 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips.c @@ -0,0 +1,526 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2458,10 +2461,10 @@ Index: openssl-1.1.1h/crypto/fips/fips.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips_cmac_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_cmac_selftest.c 2020-09-22 22:42:58.434167516 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -2619,10 +2622,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_cmac_selftest.c + return rv; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_des_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_des_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_des_selftest.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_des_selftest.c @@ -0,0 +1,133 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2757,10 +2760,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_des_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_dh_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_dh_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_dh_selftest.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_dh_selftest.c @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -2942,10 +2945,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_dh_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_drbg_ctr.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_ctr.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c @@ -0,0 +1,406 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3353,10 +3356,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_ctr.c + + return 1; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_hash.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_hash.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_hash.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_hash.c @@ -0,0 +1,354 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3712,10 +3715,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_hash.c + + return 1; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_hmac.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_hmac.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c @@ -0,0 +1,262 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3979,10 +3982,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_hmac.c + + return 1; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_lib.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_lib.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_lib.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_lib.c @@ -0,0 +1,528 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4512,10 +4515,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_lib.c +{ + /* Just backwards compatibility API call with no effect. */ +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_rand.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_rand.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_rand.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_rand.c @@ -0,0 +1,185 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4702,10 +4705,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_rand.c +{ + return &rand_drbg_meth; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_selftest.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c @@ -0,0 +1,828 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5535,10 +5538,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_selftest.c + FIPS_drbg_free(dctx); + return rv; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_selftest.h +Index: openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_selftest.h 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7331,10 +7334,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_selftest.h + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -Index: openssl-1.1.1h/crypto/fips/fips_dsa_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_dsa_selftest.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c @@ -0,0 +1,195 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7531,10 +7534,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_dsa_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_ecdh_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_ecdh_selftest.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c @@ -0,0 +1,242 @@ +/* fips/ecdh/fips_ecdh_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7778,10 +7781,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_ecdh_selftest.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips_ecdsa_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_ecdsa_selftest.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c @@ -0,0 +1,166 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7949,10 +7952,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_ecdsa_selftest.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips_err.h +Index: openssl-1.1.1j/crypto/fips/fips_err.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_err.h 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_err.h @@ -0,0 +1,197 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -8151,10 +8154,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_err.h +#endif + return 1; +} -Index: openssl-1.1.1h/crypto/fips/fips_ers.c +Index: openssl-1.1.1j/crypto/fips/fips_ers.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_ers.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_ers.c @@ -0,0 +1,7 @@ +#include + @@ -8163,10 +8166,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_ers.c +#else +static void *dummy = &dummy; +#endif -Index: openssl-1.1.1h/crypto/fips/fips_hmac_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_hmac_selftest.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -8302,10 +8305,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_hmac_selftest.c + return 1; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_locl.h +Index: openssl-1.1.1j/crypto/fips/fips_locl.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_locl.h 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_locl.h @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8378,10 +8381,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_locl.h +} +# endif +#endif -Index: openssl-1.1.1h/crypto/fips/fips_post.c +Index: openssl-1.1.1j/crypto/fips/fips_post.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_post.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_post.c @@ -0,0 +1,224 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8607,10 +8610,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_post.c + return 1; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_rand_lcl.h +Index: openssl-1.1.1j/crypto/fips/fips_rand_lcl.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_rand_lcl.h 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_rand_lcl.h @@ -0,0 +1,203 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -8815,10 +8818,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_rand_lcl.h +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -Index: openssl-1.1.1h/crypto/fips/fips_rand_lib.c +Index: openssl-1.1.1j/crypto/fips/fips_rand_lib.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_rand_lib.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_rand_lib.c @@ -0,0 +1,234 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9054,10 +9057,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_rand_lib.c +# endif +} + -Index: openssl-1.1.1h/crypto/fips/fips_rsa_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_rsa_selftest.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c @@ -0,0 +1,338 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -9397,10 +9400,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_rsa_selftest.c +} + +#endif /* def OPENSSL_FIPS */ -Index: openssl-1.1.1h/crypto/fips/fips_sha_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_sha_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_sha_selftest.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_sha_selftest.c @@ -0,0 +1,223 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9625,10 +9628,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_sha_selftest.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips_standalone_hmac.c +Index: openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_standalone_hmac.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c @@ -0,0 +1,127 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9757,10 +9760,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_standalone_hmac.c +#endif + return 0; +} -Index: openssl-1.1.1h/crypto/hmac/hmac.c +Index: openssl-1.1.1j/crypto/hmac/hmac.c =================================================================== ---- openssl-1.1.1h.orig/crypto/hmac/hmac.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/hmac/hmac.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/hmac/hmac.c ++++ openssl-1.1.1j/crypto/hmac/hmac.c @@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo return 0; @@ -9775,10 +9778,10 @@ Index: openssl-1.1.1h/crypto/hmac/hmac.c reset = 1; j = EVP_MD_block_size(md); -Index: openssl-1.1.1h/crypto/hmac/hm_pmeth.c +Index: openssl-1.1.1j/crypto/hmac/hm_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/hmac/hm_pmeth.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/hmac/hm_pmeth.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/hmac/hm_pmeth.c ++++ openssl-1.1.1j/crypto/hmac/hm_pmeth.c @@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD hmac_pkey_meth = { @@ -9788,10 +9791,10 @@ Index: openssl-1.1.1h/crypto/hmac/hm_pmeth.c pkey_hmac_init, pkey_hmac_copy, pkey_hmac_cleanup, -Index: openssl-1.1.1h/include/crypto/fips_int.h +Index: openssl-1.1.1j/include/crypto/fips_int.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/include/crypto/fips_int.h 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/include/crypto/fips_int.h @@ -0,0 +1,98 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9891,10 +9894,10 @@ Index: openssl-1.1.1h/include/crypto/fips_int.h +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + +#endif -Index: openssl-1.1.1h/crypto/o_fips.c +Index: openssl-1.1.1j/crypto/o_fips.c =================================================================== ---- openssl-1.1.1h.orig/crypto/o_fips.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/o_fips.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/o_fips.c ++++ openssl-1.1.1j/crypto/o_fips.c @@ -8,17 +8,28 @@ */ @@ -9924,10 +9927,10 @@ Index: openssl-1.1.1h/crypto/o_fips.c return 0; +#endif } -Index: openssl-1.1.1h/crypto/o_init.c +Index: openssl-1.1.1j/crypto/o_init.c =================================================================== ---- openssl-1.1.1h.orig/crypto/o_init.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/o_init.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/o_init.c ++++ openssl-1.1.1j/crypto/o_init.c @@ -7,8 +7,68 @@ * https://www.openssl.org/source/license.html */ @@ -9997,10 +10000,10 @@ Index: openssl-1.1.1h/crypto/o_init.c /* * Perform any essential OpenSSL initialization operations. Currently does -Index: openssl-1.1.1h/crypto/rand/rand_lib.c +Index: openssl-1.1.1j/crypto/rand/rand_lib.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rand/rand_lib.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/rand/rand_lib.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/rand/rand_lib.c ++++ openssl-1.1.1j/crypto/rand/rand_lib.c @@ -959,3 +959,15 @@ int RAND_status(void) return meth->status(); return 0; @@ -10017,10 +10020,10 @@ Index: openssl-1.1.1h/crypto/rand/rand_lib.c + return 1; +} +#endif -Index: openssl-1.1.1h/crypto/rsa/rsa_crpt.c +Index: openssl-1.1.1j/crypto/rsa/rsa_crpt.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_crpt.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_crpt.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_crpt.c ++++ openssl-1.1.1j/crypto/rsa/rsa_crpt.c @@ -27,24 +27,52 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -10074,10 +10077,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_crpt.c return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); } -Index: openssl-1.1.1h/crypto/rsa/rsa_err.c +Index: openssl-1.1.1j/crypto/rsa/rsa_err.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_err.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_err.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_err.c ++++ openssl-1.1.1j/crypto/rsa/rsa_err.c @@ -16,6 +16,8 @@ static const ERR_STRING_DATA RSA_str_functs[] = { {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, @@ -10146,10 +10149,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_err.c {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, -Index: openssl-1.1.1h/crypto/rsa/rsa_gen.c +Index: openssl-1.1.1j/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_gen.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_gen.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_gen.c ++++ openssl-1.1.1j/crypto/rsa/rsa_gen.c @@ -18,6 +18,76 @@ #include "internal/cryptlib.h" #include @@ -10542,10 +10545,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_gen.c static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb) { -Index: openssl-1.1.1h/crypto/rsa/rsa_lib.c +Index: openssl-1.1.1j/crypto/rsa/rsa_lib.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_lib.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_lib.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_lib.c ++++ openssl-1.1.1j/crypto/rsa/rsa_lib.c @@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M * to deal with which ENGINE it comes from. */ @@ -10588,10 +10591,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_lib.c if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { goto err; } -Index: openssl-1.1.1h/crypto/rsa/rsa_ossl.c +Index: openssl-1.1.1j/crypto/rsa/rsa_ossl.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_ossl.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_ossl.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_ossl.c ++++ openssl-1.1.1j/crypto/rsa/rsa_ossl.c @@ -12,6 +12,10 @@ #include "rsa_local.h" #include "internal/constant_time.h" @@ -10708,10 +10711,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_ossl.c if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; -Index: openssl-1.1.1h/crypto/rsa/rsa_pmeth.c +Index: openssl-1.1.1j/crypto/rsa/rsa_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_pmeth.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_pmeth.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.1.1j/crypto/rsa/rsa_pmeth.c @@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX const EVP_PKEY_METHOD rsa_pkey_meth = { @@ -10730,10 +10733,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_pmeth.c pkey_rsa_init, pkey_rsa_copy, pkey_rsa_cleanup, -Index: openssl-1.1.1h/crypto/rsa/rsa_sign.c +Index: openssl-1.1.1j/crypto/rsa/rsa_sign.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_sign.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_sign.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_sign.c ++++ openssl-1.1.1j/crypto/rsa/rsa_sign.c @@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch unsigned char *tmps = NULL; const unsigned char *encoded = NULL; @@ -10760,10 +10763,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_sign.c if (encrypt_len <= 0) goto err; -Index: openssl-1.1.1h/crypto/sha/sha256.c +Index: openssl-1.1.1j/crypto/sha/sha256.c =================================================================== ---- openssl-1.1.1h.orig/crypto/sha/sha256.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/sha/sha256.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/sha/sha256.c ++++ openssl-1.1.1j/crypto/sha/sha256.c @@ -18,6 +18,9 @@ int SHA224_Init(SHA256_CTX *c) @@ -10784,10 +10787,10 @@ Index: openssl-1.1.1h/crypto/sha/sha256.c memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -Index: openssl-1.1.1h/crypto/sha/sha512.c +Index: openssl-1.1.1j/crypto/sha/sha512.c =================================================================== ---- openssl-1.1.1h.orig/crypto/sha/sha512.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/sha/sha512.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/sha/sha512.c ++++ openssl-1.1.1j/crypto/sha/sha512.c @@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) int SHA384_Init(SHA512_CTX *c) @@ -10808,10 +10811,10 @@ Index: openssl-1.1.1h/crypto/sha/sha512.c c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -Index: openssl-1.1.1h/crypto/sha/sha_local.h +Index: openssl-1.1.1j/crypto/sha/sha_local.h =================================================================== ---- openssl-1.1.1h.orig/crypto/sha/sha_local.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/sha/sha_local.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/sha/sha_local.h ++++ openssl-1.1.1j/crypto/sha/sha_local.h @@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c int HASH_INIT(SHA_CTX *c) @@ -10822,10 +10825,10 @@ Index: openssl-1.1.1h/crypto/sha/sha_local.h memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -Index: openssl-1.1.1h/doc/man3/DSA_generate_parameters.pod +Index: openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod =================================================================== ---- openssl-1.1.1h.orig/doc/man3/DSA_generate_parameters.pod 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/doc/man3/DSA_generate_parameters.pod 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/doc/man3/DSA_generate_parameters.pod ++++ openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod @@ -30,8 +30,10 @@ B is the length of the prime p to For lengths under 2048 bits, the length of q is 160 bits; for lengths greater than or equal to 2048 bits, the length of q is set to 256 bits. @@ -10839,10 +10842,10 @@ Index: openssl-1.1.1h/doc/man3/DSA_generate_parameters.pod DSA_generate_parameters_ex() places the iteration count in *B and a counter used for finding a generator in -Index: openssl-1.1.1h/include/openssl/crypto.h +Index: openssl-1.1.1j/include/openssl/crypto.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/crypto.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/crypto.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/crypto.h ++++ openssl-1.1.1j/include/openssl/crypto.h @@ -331,6 +331,11 @@ int OPENSSL_isservice(void); int FIPS_mode(void); int FIPS_mode_set(int r); @@ -10855,10 +10858,10 @@ Index: openssl-1.1.1h/include/openssl/crypto.h void OPENSSL_init(void); # ifdef OPENSSL_SYS_UNIX void OPENSSL_fork_prepare(void); -Index: openssl-1.1.1h/include/openssl/dherr.h +Index: openssl-1.1.1j/include/openssl/dherr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/dherr.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/dherr.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/dherr.h ++++ openssl-1.1.1j/include/openssl/dherr.h @@ -36,6 +36,9 @@ int ERR_load_DH_strings(void); # define DH_F_DH_CMS_DECRYPT 114 # define DH_F_DH_CMS_SET_PEERKEY 115 @@ -10884,10 +10887,10 @@ Index: openssl-1.1.1h/include/openssl/dherr.h # define DH_R_PARAMETER_ENCODING_ERROR 105 # define DH_R_PEER_KEY_ERROR 111 # define DH_R_SHARED_INFO_ERROR 113 -Index: openssl-1.1.1h/include/openssl/dh.h +Index: openssl-1.1.1j/include/openssl/dh.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/dh.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/dh.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/dh.h ++++ openssl-1.1.1j/include/openssl/dh.h @@ -31,6 +31,7 @@ extern "C" { # endif @@ -10896,10 +10899,10 @@ Index: openssl-1.1.1h/include/openssl/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 -Index: openssl-1.1.1h/include/openssl/dsaerr.h +Index: openssl-1.1.1j/include/openssl/dsaerr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/dsaerr.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/dsaerr.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/dsaerr.h ++++ openssl-1.1.1j/include/openssl/dsaerr.h @@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void); */ # define DSA_F_DSAPARAMS_PRINT 100 @@ -10926,10 +10929,10 @@ Index: openssl-1.1.1h/include/openssl/dsaerr.h # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 -Index: openssl-1.1.1h/include/openssl/dsa.h +Index: openssl-1.1.1j/include/openssl/dsa.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/dsa.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/dsa.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/dsa.h ++++ openssl-1.1.1j/include/openssl/dsa.h @@ -31,6 +31,7 @@ extern "C" { # endif @@ -10938,11 +10941,11 @@ Index: openssl-1.1.1h/include/openssl/dsa.h # define DSA_FLAG_CACHE_MONT_P 0x01 # if OPENSSL_API_COMPAT < 0x10100000L -Index: openssl-1.1.1h/include/openssl/evperr.h +Index: openssl-1.1.1j/include/openssl/evperr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/evperr.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/evperr.h 2020-09-22 22:42:58.474167775 +0200 -@@ -24,14 +24,15 @@ int ERR_load_EVP_strings(void); +--- openssl-1.1.1j.orig/include/openssl/evperr.h ++++ openssl-1.1.1j/include/openssl/evperr.h +@@ -22,14 +22,15 @@ int ERR_load_EVP_strings(void); * EVP function codes. */ # define EVP_F_AESNI_INIT_KEY 165 @@ -10961,7 +10964,7 @@ Index: openssl-1.1.1h/include/openssl/evperr.h # define EVP_F_ALG_MODULE_INIT 177 # define EVP_F_ARIA_CCM_INIT_KEY 175 # define EVP_F_ARIA_GCM_CTRL 197 -@@ -142,6 +143,7 @@ int ERR_load_EVP_strings(void); +@@ -140,6 +141,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 # define EVP_R_DECODE_ERROR 114 @@ -10969,7 +10972,7 @@ Index: openssl-1.1.1h/include/openssl/evperr.h # define EVP_R_DIFFERENT_KEY_TYPES 101 # define EVP_R_DIFFERENT_PARAMETERS 153 # define EVP_R_ERROR_LOADING_SECTION 165 -@@ -185,6 +187,7 @@ int ERR_load_EVP_strings(void); +@@ -184,6 +186,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 # define EVP_R_PUBLIC_KEY_NOT_RSA 106 @@ -10977,7 +10980,7 @@ Index: openssl-1.1.1h/include/openssl/evperr.h # define EVP_R_UNKNOWN_CIPHER 160 # define EVP_R_UNKNOWN_DIGEST 161 # define EVP_R_UNKNOWN_OPTION 169 -@@ -200,6 +203,7 @@ int ERR_load_EVP_strings(void); +@@ -199,6 +202,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_UNSUPPORTED_SALT_TYPE 126 # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 @@ -10986,10 +10989,10 @@ Index: openssl-1.1.1h/include/openssl/evperr.h +# define EVP_R_XTS_DUPLICATED_KEYS 192 #endif -Index: openssl-1.1.1h/include/openssl/evp.h +Index: openssl-1.1.1j/include/openssl/evp.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/evp.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/evp.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/evp.h ++++ openssl-1.1.1j/include/openssl/evp.h @@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP */ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4 @@ -11000,10 +11003,10 @@ Index: openssl-1.1.1h/include/openssl/evp.h const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags); void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, -Index: openssl-1.1.1h/include/openssl/fips.h +Index: openssl-1.1.1j/include/openssl/fips.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/include/openssl/fips.h 2020-09-22 22:42:58.474167775 +0200 +--- /dev/null ++++ openssl-1.1.1j/include/openssl/fips.h @@ -0,0 +1,187 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11192,10 +11195,10 @@ Index: openssl-1.1.1h/include/openssl/fips.h +} +# endif +#endif -Index: openssl-1.1.1h/include/openssl/fips_rand.h +Index: openssl-1.1.1j/include/openssl/fips_rand.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/include/openssl/fips_rand.h 2020-09-22 22:42:58.474167775 +0200 +--- /dev/null ++++ openssl-1.1.1j/include/openssl/fips_rand.h @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11342,10 +11345,10 @@ Index: openssl-1.1.1h/include/openssl/fips_rand.h +# endif +# endif +#endif -Index: openssl-1.1.1h/include/openssl/opensslconf.h.in +Index: openssl-1.1.1j/include/openssl/opensslconf.h.in =================================================================== ---- openssl-1.1.1h.orig/include/openssl/opensslconf.h.in 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/opensslconf.h.in 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/include/openssl/opensslconf.h.in ++++ openssl-1.1.1j/include/openssl/opensslconf.h.in @@ -155,6 +155,11 @@ extern "C" { #define RC4_INT {- $config{rc4_int} -} @@ -11358,10 +11361,10 @@ Index: openssl-1.1.1h/include/openssl/opensslconf.h.in #ifdef __cplusplus } #endif -Index: openssl-1.1.1h/include/openssl/randerr.h +Index: openssl-1.1.1j/include/openssl/randerr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/randerr.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/randerr.h 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/include/openssl/randerr.h ++++ openssl-1.1.1j/include/openssl/randerr.h @@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void); # define RAND_F_RAND_DRBG_SET 104 # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 @@ -11370,10 +11373,10 @@ Index: openssl-1.1.1h/include/openssl/randerr.h # define RAND_F_RAND_LOAD_FILE 111 # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 # define RAND_F_RAND_POOL_ADD 103 -Index: openssl-1.1.1h/include/openssl/rand.h +Index: openssl-1.1.1j/include/openssl/rand.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/rand.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/rand.h 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/include/openssl/rand.h ++++ openssl-1.1.1j/include/openssl/rand.h @@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) # endif @@ -11386,10 +11389,10 @@ Index: openssl-1.1.1h/include/openssl/rand.h #ifdef __cplusplus } -Index: openssl-1.1.1h/include/openssl/rsaerr.h +Index: openssl-1.1.1j/include/openssl/rsaerr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/rsaerr.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/rsaerr.h 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/include/openssl/rsaerr.h ++++ openssl-1.1.1j/include/openssl/rsaerr.h @@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void); */ # define RSA_F_CHECK_PADDING_MD 140 @@ -11445,10 +11448,10 @@ Index: openssl-1.1.1h/include/openssl/rsaerr.h # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 # define RSA_R_VALUE_MISSING 147 # define RSA_R_WRONG_SIGNATURE_LENGTH 119 -Index: openssl-1.1.1h/ssl/s3_lib.c +Index: openssl-1.1.1j/ssl/s3_lib.c =================================================================== ---- openssl-1.1.1h.orig/ssl/s3_lib.c 2020-09-22 14:55:07.000000000 +0200 -+++ openssl-1.1.1h/ssl/s3_lib.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/s3_lib.c ++++ openssl-1.1.1j/ssl/s3_lib.c @@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, @@ -11548,10 +11551,10 @@ Index: openssl-1.1.1h/ssl/s3_lib.c SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, -Index: openssl-1.1.1h/ssl/ssl_ciph.c +Index: openssl-1.1.1j/ssl/ssl_ciph.c =================================================================== ---- openssl-1.1.1h.orig/ssl/ssl_ciph.c 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/ssl/ssl_ciph.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/ssl_ciph.c ++++ openssl-1.1.1j/ssl/ssl_ciph.c @@ -385,7 +385,7 @@ int ssl_load_ciphers(void) } } @@ -11590,10 +11593,10 @@ Index: openssl-1.1.1h/ssl/ssl_ciph.c if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); -Index: openssl-1.1.1h/ssl/ssl_init.c +Index: openssl-1.1.1j/ssl/ssl_init.c =================================================================== ---- openssl-1.1.1h.orig/ssl/ssl_init.c 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/ssl/ssl_init.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/ssl_init.c ++++ openssl-1.1.1j/ssl/ssl_init.c @@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " "Adding SSL ciphers and digests\n"); @@ -11637,10 +11640,10 @@ Index: openssl-1.1.1h/ssl/ssl_init.c #ifndef OPENSSL_NO_COMP # ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " -Index: openssl-1.1.1h/ssl/ssl_lib.c +Index: openssl-1.1.1j/ssl/ssl_lib.c =================================================================== ---- openssl-1.1.1h.orig/ssl/ssl_lib.c 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/ssl/ssl_lib.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/ssl_lib.c ++++ openssl-1.1.1j/ssl/ssl_lib.c @@ -2973,6 +2973,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; @@ -11678,11 +11681,11 @@ Index: openssl-1.1.1h/ssl/ssl_lib.c } if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) -Index: openssl-1.1.1h/ssl/ssl_local.h +Index: openssl-1.1.1j/ssl/ssl_local.h =================================================================== ---- openssl-1.1.1h.orig/ssl/ssl_local.h 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/ssl/ssl_local.h 2020-09-22 22:42:58.478167800 +0200 -@@ -1516,6 +1516,7 @@ typedef struct tls_group_info_st { +--- openssl-1.1.1j.orig/ssl/ssl_local.h ++++ openssl-1.1.1j/ssl/ssl_local.h +@@ -1515,6 +1515,7 @@ typedef struct tls_group_info_st { # define TLS_CURVE_PRIME 0x0 # define TLS_CURVE_CHAR2 0x1 # define TLS_CURVE_CUSTOM 0x2 @@ -11690,10 +11693,10 @@ Index: openssl-1.1.1h/ssl/ssl_local.h typedef struct cert_pkey_st CERT_PKEY; -Index: openssl-1.1.1h/ssl/t1_lib.c +Index: openssl-1.1.1j/ssl/t1_lib.c =================================================================== ---- openssl-1.1.1h.orig/ssl/t1_lib.c 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/ssl/t1_lib.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/t1_lib.c ++++ openssl-1.1.1j/ssl/t1_lib.c @@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] = {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ @@ -11719,10 +11722,10 @@ Index: openssl-1.1.1h/ssl/t1_lib.c ctmp[0] = curve >> 8; ctmp[1] = curve & 0xff; return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); -Index: openssl-1.1.1h/test/dsatest.c +Index: openssl-1.1.1j/test/dsatest.c =================================================================== ---- openssl-1.1.1h.orig/test/dsatest.c 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/test/dsatest.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/test/dsatest.c ++++ openssl-1.1.1j/test/dsatest.c @@ -24,41 +24,42 @@ #ifndef OPENSSL_NO_DSA static int dsa_cb(int p, int n, BN_GENCB *arg); @@ -11805,10 +11808,10 @@ Index: openssl-1.1.1h/test/dsatest.c goto end; if (!TEST_int_eq(h, 2)) goto end; -Index: openssl-1.1.1h/test/recipes/30-test_evp_data/evpciph.txt +Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt =================================================================== ---- openssl-1.1.1h.orig/test/recipes/30-test_evp_data/evpciph.txt 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/test/recipes/30-test_evp_data/evpciph.txt 2020-09-22 22:42:58.482167826 +0200 +--- openssl-1.1.1j.orig/test/recipes/30-test_evp_data/evpciph.txt ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt @@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000 IV = 00000000000000000000000000000000 Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 @@ -11817,10 +11820,10 @@ Index: openssl-1.1.1h/test/recipes/30-test_evp_data/evpciph.txt Cipher = aes-128-xts Key = 1111111111111111111111111111111122222222222222222222222222222222 -Index: openssl-1.1.1h/util/libcrypto.num +Index: openssl-1.1.1j/util/libcrypto.num =================================================================== ---- openssl-1.1.1h.orig/util/libcrypto.num 2020-09-22 22:42:58.482167826 +0200 -+++ openssl-1.1.1h/util/libcrypto.num 2020-09-22 22:43:36.782415940 +0200 +--- openssl-1.1.1j.orig/util/libcrypto.num ++++ openssl-1.1.1j/util/libcrypto.num @@ -4591,3 +4591,38 @@ X509_ALGOR_copy X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION: X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION: diff --git a/openssl-1.1.1i.tar.gz b/openssl-1.1.1i.tar.gz deleted file mode 100644 index dd60ad5..0000000 --- a/openssl-1.1.1i.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242 -size 9808346 diff --git a/openssl-1.1.1i.tar.gz.asc b/openssl-1.1.1i.tar.gz.asc deleted file mode 100644 index 5a496a1..0000000 --- a/openssl-1.1.1i.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl/PfcIACgkQ2cTSbQ5g -RJHxYQf8DFul2uhHXbiCxshH7PiOh/TgjEMrdjUMTerYv6dssTcOF08UY7kjXdwV -7WJ61XcDo6m6vpzqZDuz/rbMqTmNP1z8ShQ80T4DQus+QHp9zMkNDWcUFTpv2vSc -PYTHtlBk49zDXJiRNBtWx0UjiVvcUtrDoTf/X0n/2ucqebniHxOSIFG9i/nhE5iP -a+0ccguS9eoq4cphWmSWRQrzweNWjfJUm6kcFBUYek5cVM6JVYMDJRjwwe14lWVP -vVMADBMc6eQFkBD/f/cI0QrFKfB6/ObTgRLqT2aNFgaSHHKvqtjLaB+haldz8oHm -F9orllkrd9bTCxit2kEGHBKg4EjKLw== -=K/1H ------END PGP SIGNATURE----- diff --git a/openssl-1.1.1j.tar.gz b/openssl-1.1.1j.tar.gz new file mode 100644 index 0000000..1d78375 --- /dev/null +++ b/openssl-1.1.1j.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf +size 9823161 diff --git a/openssl-1.1.1j.tar.gz.asc b/openssl-1.1.1j.tar.gz.asc new file mode 100644 index 0000000..f1b9906 --- /dev/null +++ b/openssl-1.1.1j.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAr45gACgkQ2cTSbQ5g +RJE55AgAuAYlKdgDPQHfh7gyLmFl+fnO91iF8oaN/W4vFaAO2i3a/rwQayOOGWjh +UR4lUayR8ZLg+9p+69OGxogRd9mPp9YnZYSyLt/TO6BQcU9++CUIVYLgntUDiMzg ++doHvzWx7d9O070KBGb6+AwdUR2xZ29w+hcnq7DJ1xcLlbSj4iXzM1KapCEVlI08 +gHw9UpIy3LASfx9CgiPK1FdKcelpRp4VvUDU4i2QgKzVtQrOLXv7InDBqIiLpwi5 +PP0fAFnxQR1l7PgIF0T+dEyrz5xt60+6JpRaU8WIGqfrN+U4CuxKBvHW2ce7MgWz +oOIJ/1B7o5spKou6eKqm3gMP53J4hw== +=vzFe +-----END PGP SIGNATURE----- diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 541f288..4a780c4 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Fri Feb 19 08:01:01 UTC 2021 - Pedro Monreal + +- Update to 1.1.1j + * Fixed the X509_issuer_and_serial_hash() function. It attempts + to create a unique hash value based on the issuer and serial + number data contained within an X509 certificate. However it + was failing to correctly handle any errors that may occur + while parsing the issuer field [bsc#1182331, CVE-2021-23841] + * Fixed the RSA_padding_check_SSLv23() function and the + RSA_SSLV23_PADDING padding mode to correctly check for + rollback attacks. + * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and + EVP_DecryptUpdate functions. Previously they could overflow the + output length argument in some cases where the input length is + close to the maximum permissable length for an integer on the + platform. In such cases the return value from the function call + would be 1 (indicating success), but the output length value + would be negative. This could cause applications to behave + incorrectly or crash. [bsc#1182333, CVE-2021-23840] + * Fixed SRP_Calc_client_key so that it runs in constant time. + The previous implementation called BN_mod_exp without setting + BN_FLG_CONSTTIME. This could be exploited in a side channel + attack to recover the password. Since the attack is local host + only this is outside of the current OpenSSL threat model and + therefore no CVE is assigned. +- Rebase patches: + * openssl-1.1.1-fips.patch + * openssl-1.1.0-issuer-hash.patch + * openssl-1.1.1-evp-kdf.patch + ------------------------------------------------------------------- Sat Feb 6 14:44:12 UTC 2021 - Jason Sikes @@ -14,6 +45,11 @@ Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes * bsc#1181796 * sourced from https://github.com/openssl/openssl/pull/12331/files +------------------------------------------------------------------- +Fri Jan 22 09:05:41 UTC 2021 - Pedro Monreal + +- Add version guards for the crypto-policies + ------------------------------------------------------------------- Wed Jan 20 15:59:01 UTC 2021 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 9b40f36..ae44b35 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -21,7 +21,7 @@ %define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" package! -Version: 1.1.1i +Version: 1.1.1j Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -92,6 +92,9 @@ Patch53: openssl-1_1-seclevel.patch Patch54: openssl-1_1-use-seclevel2-in-tests.patch Patch55: openssl-1_1-disable-test_srp-sslapi.patch BuildRequires: pkgconfig +%if 0%{?suse_version} && ! 0%{?sle_version} +Requires: crypto-policies +%endif Conflicts: ssl Provides: ssl Provides: openssl(cli) @@ -110,7 +113,6 @@ OpenSSL contains an implementation of the SSL and TLS protocols. Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security -Requires: crypto-policies Recommends: ca-certificates-mozilla # install libopenssl and libopenssl-hmac close together (bsc#1090765) Suggests: libopenssl1_1-hmac = %{version}-%{release}