From eb052185fbdf9865eeac630395c1b92fcde4842150623ec666a0ec6d6d7cd198 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Tue, 15 Mar 2022 18:24:32 +0000
Subject: [PATCH] Accepting request 961990 from home:pmonrealgonzalez:branches:security:tls
- Update to 1.1.1n: [bsc#1196877, CVE-2022-0778]
* Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli in BN_mod_sqrt() reachable when parsing certificates.
* Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3.
* Rebase openssl-1.1.1-fips.patch openssl-1.1.1-evp-kdf.patch
OBS-URL: https://build.opensuse.org/request/show/961990
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=109
---
 openssl-1.1.1-evp-kdf.patch | 210 ++++++-------
 openssl-1.1.1-fips.patch | 568 ++++++++++++++++++------------------
 openssl-1.1.1m.tar.gz | 3 -
 openssl-1.1.1m.tar.gz.asc | 11 -
 openssl-1.1.1n.tar.gz | 3 +
 openssl-1.1.1n.tar.gz.asc | 11 +
 openssl-1_1.changes | 11 +
 openssl-1_1.spec | 2 +-
 8 files changed, 415 insertions(+), 404 deletions(-)
 delete mode 100644 openssl-1.1.1m.tar.gz
 delete mode 100644 openssl-1.1.1m.tar.gz.asc
 create mode 100644 openssl-1.1.1n.tar.gz
 create mode 100644 openssl-1.1.1n.tar.gz.asc
diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch
index 6a17992..536e9c0 100644
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@@ -1,7 +1,7 @@
-Index: openssl-1.1.1m/crypto/err/openssl.txt
+Index: openssl-1.1.1n/crypto/err/openssl.txt
 ===================================================================
---- openssl-1.1.1m.orig/crypto/err/openssl.txt
-+++ openssl-1.1.1m/crypto/err/openssl.txt
+--- openssl-1.1.1n.orig/crypto/err/openssl.txt
++++ openssl-1.1.1n/crypto/err/openssl.txt
@@ -754,6 +754,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex @@ -74,10 +74,10 @@ Index: openssl-1.1.1m/crypto/err/openssl.txt OBJ_R_OID_EXISTS:102:oid exists OBJ_R_UNKNOWN_NID:101:unknown nid OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error -Index: openssl-1.1.1m/crypto/evp/build.info +Index: openssl-1.1.1n/crypto/evp/build.info =================================================================== ---- openssl-1.1.1m.orig/crypto/evp/build.info -+++ openssl-1.1.1m/crypto/evp/build.info +--- openssl-1.1.1n.orig/crypto/evp/build.info ++++ openssl-1.1.1n/crypto/evp/build.info @@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ @@ -88,10 +88,10 @@ Index: openssl-1.1.1m/crypto/evp/build.info e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_chacha20_poly1305.c cmeth_lib.c -Index: openssl-1.1.1m/crypto/evp/evp_err.c +Index: openssl-1.1.1n/crypto/evp/evp_err.c =================================================================== ---- openssl-1.1.1m.orig/crypto/evp/evp_err.c -+++ openssl-1.1.1m/crypto/evp/evp_err.c +--- openssl-1.1.1n.orig/crypto/evp/evp_err.c ++++ openssl-1.1.1n/crypto/evp/evp_err.c @@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), "EVP_EncryptFinal_ex"}, 
@@ -126,10 +126,10 @@ Index: openssl-1.1.1m/crypto/evp/evp_err.c {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), "output would overflow"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), -Index: openssl-1.1.1m/crypto/evp/evp_local.h +Index: openssl-1.1.1n/crypto/evp/evp_local.h =================================================================== ---- openssl-1.1.1m.orig/crypto/evp/evp_local.h -+++ openssl-1.1.1m/crypto/evp/evp_local.h +--- openssl-1.1.1n.orig/crypto/evp/evp_local.h ++++ openssl-1.1.1n/crypto/evp/evp_local.h @@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ } /* EVP_CIPHER_CTX */ ; @@ -142,10 +142,10 @@ Index: openssl-1.1.1m/crypto/evp/evp_local.h int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, -Index: openssl-1.1.1m/crypto/evp/evp_pbe.c +Index: openssl-1.1.1n/crypto/evp/evp_pbe.c =================================================================== ---- openssl-1.1.1m.orig/crypto/evp/evp_pbe.c -+++ openssl-1.1.1m/crypto/evp/evp_pbe.c +--- openssl-1.1.1n.orig/crypto/evp/evp_pbe.c ++++ openssl-1.1.1n/crypto/evp/evp_pbe.c @@ -12,6 +12,7 @@ #include #include @@ -154,10 +154,10 @@ Index: openssl-1.1.1m/crypto/evp/evp_pbe.c #include "evp_local.h" /* Password based encryption (PBE) functions */ -Index: openssl-1.1.1m/crypto/evp/kdf_lib.c +Index: openssl-1.1.1n/crypto/evp/kdf_lib.c =================================================================== --- /dev/null -+++ openssl-1.1.1m/crypto/evp/kdf_lib.c ++++ openssl-1.1.1n/crypto/evp/kdf_lib.c @@ -0,0 +1,165 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. 
@@ -324,10 +324,10 @@ Index: openssl-1.1.1m/crypto/evp/kdf_lib.c + return ctx->kmeth->derive(ctx->impl, key, keylen); +} + -Index: openssl-1.1.1m/crypto/evp/p5_crpt2.c +Index: openssl-1.1.1n/crypto/evp/p5_crpt2.c =================================================================== ---- openssl-1.1.1m.orig/crypto/evp/p5_crpt2.c -+++ openssl-1.1.1m/crypto/evp/p5_crpt2.c +--- openssl-1.1.1n.orig/crypto/evp/p5_crpt2.c ++++ openssl-1.1.1n/crypto/evp/p5_crpt2.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. @@ -476,10 +476,10 @@ Index: openssl-1.1.1m/crypto/evp/p5_crpt2.c } int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, -Index: openssl-1.1.1m/crypto/evp/pbe_scrypt.c +Index: openssl-1.1.1n/crypto/evp/pbe_scrypt.c =================================================================== ---- openssl-1.1.1m.orig/crypto/evp/pbe_scrypt.c -+++ openssl-1.1.1m/crypto/evp/pbe_scrypt.c +--- openssl-1.1.1n.orig/crypto/evp/pbe_scrypt.c ++++ openssl-1.1.1n/crypto/evp/pbe_scrypt.c @@ -7,135 +7,12 @@ * https://www.openssl.org/source/license.html */ @@ -750,10 +750,10 @@ Index: openssl-1.1.1m/crypto/evp/pbe_scrypt.c } + #endif -Index: openssl-1.1.1m/crypto/evp/pkey_kdf.c +Index: openssl-1.1.1n/crypto/evp/pkey_kdf.c =================================================================== --- /dev/null -+++ openssl-1.1.1m/crypto/evp/pkey_kdf.c ++++ openssl-1.1.1n/crypto/evp/pkey_kdf.c @@ -0,0 +1,255 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1010,10 +1010,10 @@ Index: openssl-1.1.1m/crypto/evp/pkey_kdf.c + pkey_kdf_ctrl_str +}; + -Index: openssl-1.1.1m/include/crypto/evp.h +Index: openssl-1.1.1n/include/crypto/evp.h =================================================================== ---- openssl-1.1.1m.orig/include/crypto/evp.h -+++ openssl-1.1.1m/include/crypto/evp.h +--- openssl-1.1.1n.orig/include/crypto/evp.h ++++ openssl-1.1.1n/include/crypto/evp.h 
@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m extern const EVP_PKEY_METHOD poly1305_pkey_meth; extern const EVP_PKEY_METHOD siphash_pkey_meth; @@ -1039,19 +1039,19 @@ Index: openssl-1.1.1m/include/crypto/evp.h struct evp_md_st { int type; int pkey_type; -Index: openssl-1.1.1m/crypto/kdf/build.info +Index: openssl-1.1.1n/crypto/kdf/build.info =================================================================== ---- openssl-1.1.1m.orig/crypto/kdf/build.info -+++ openssl-1.1.1m/crypto/kdf/build.info +--- openssl-1.1.1n.orig/crypto/kdf/build.info ++++ openssl-1.1.1n/crypto/kdf/build.info @@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - tls1_prf.c kdf_err.c hkdf.c scrypt.c + tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c -Index: openssl-1.1.1m/crypto/kdf/hkdf.c +Index: openssl-1.1.1n/crypto/kdf/hkdf.c =================================================================== ---- openssl-1.1.1m.orig/crypto/kdf/hkdf.c -+++ openssl-1.1.1m/crypto/kdf/hkdf.c +--- openssl-1.1.1n.orig/crypto/kdf/hkdf.c ++++ openssl-1.1.1n/crypto/kdf/hkdf.c @@ -8,32 +8,33 @@ */ @@ -1518,10 +1518,10 @@ Index: openssl-1.1.1m/crypto/kdf/hkdf.c err: OPENSSL_cleanse(prev, sizeof(prev)); -Index: openssl-1.1.1m/crypto/kdf/kdf_err.c +Index: openssl-1.1.1n/crypto/kdf/kdf_err.c =================================================================== ---- openssl-1.1.1m.orig/crypto/kdf/kdf_err.c -+++ openssl-1.1.1m/crypto/kdf/kdf_err.c +--- openssl-1.1.1n.orig/crypto/kdf/kdf_err.c ++++ openssl-1.1.1n/crypto/kdf/kdf_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT @@ -1577,10 +1577,10 @@ Index: openssl-1.1.1m/crypto/kdf/kdf_err.c {0, NULL} }; -Index: openssl-1.1.1m/crypto/kdf/kdf_local.h +Index: openssl-1.1.1n/crypto/kdf/kdf_local.h =================================================================== --- /dev/null -+++ openssl-1.1.1m/crypto/kdf/kdf_local.h ++++ openssl-1.1.1n/crypto/kdf/kdf_local.h 
@@ -0,0 +1,22 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1604,10 +1604,10 @@ Index: openssl-1.1.1m/crypto/kdf/kdf_local.h + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *md_name); + -Index: openssl-1.1.1m/crypto/kdf/kdf_util.c +Index: openssl-1.1.1n/crypto/kdf/kdf_util.c =================================================================== --- /dev/null -+++ openssl-1.1.1m/crypto/kdf/kdf_util.c ++++ openssl-1.1.1n/crypto/kdf/kdf_util.c @@ -0,0 +1,73 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1682,10 +1682,10 @@ Index: openssl-1.1.1m/crypto/kdf/kdf_util.c + return call_ctrl(ctrl, impl, cmd, md); +} + -Index: openssl-1.1.1m/crypto/kdf/pbkdf2.c +Index: openssl-1.1.1n/crypto/kdf/pbkdf2.c =================================================================== --- /dev/null -+++ openssl-1.1.1m/crypto/kdf/pbkdf2.c ++++ openssl-1.1.1n/crypto/kdf/pbkdf2.c @@ -0,0 +1,264 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1951,10 +1951,10 @@ Index: openssl-1.1.1m/crypto/kdf/pbkdf2.c + HMAC_CTX_free(hctx_tpl); + return ret; +} -Index: openssl-1.1.1m/crypto/kdf/scrypt.c +Index: openssl-1.1.1n/crypto/kdf/scrypt.c =================================================================== ---- openssl-1.1.1m.orig/crypto/kdf/scrypt.c -+++ openssl-1.1.1m/crypto/kdf/scrypt.c +--- openssl-1.1.1n.orig/crypto/kdf/scrypt.c ++++ openssl-1.1.1n/crypto/kdf/scrypt.c @@ -8,25 +8,34 @@ */ @@ -2543,10 +2543,10 @@ Index: openssl-1.1.1m/crypto/kdf/scrypt.c +} #endif -Index: openssl-1.1.1m/crypto/kdf/tls1_prf.c +Index: openssl-1.1.1n/crypto/kdf/tls1_prf.c =================================================================== ---- openssl-1.1.1m.orig/crypto/kdf/tls1_prf.c -+++ openssl-1.1.1m/crypto/kdf/tls1_prf.c +--- openssl-1.1.1n.orig/crypto/kdf/tls1_prf.c ++++ openssl-1.1.1n/crypto/kdf/tls1_prf.c @@ -8,11 +8,15 @@ */ 
@@ -2830,10 +2830,10 @@ Index: openssl-1.1.1m/crypto/kdf/tls1_prf.c OPENSSL_clear_free(tmp, olen); return 0; } -Index: openssl-1.1.1m/doc/man3/EVP_KDF_CTX.pod +Index: openssl-1.1.1n/doc/man3/EVP_KDF_CTX.pod =================================================================== --- /dev/null -+++ openssl-1.1.1m/doc/man3/EVP_KDF_CTX.pod ++++ openssl-1.1.1n/doc/man3/EVP_KDF_CTX.pod @@ -0,0 +1,217 @@ +=pod + @@ -3052,10 +3052,10 @@ Index: openssl-1.1.1m/doc/man3/EVP_KDF_CTX.pod +L. + +=cut -Index: openssl-1.1.1m/doc/man7/EVP_KDF_HKDF.pod +Index: openssl-1.1.1n/doc/man7/EVP_KDF_HKDF.pod =================================================================== --- /dev/null -+++ openssl-1.1.1m/doc/man7/EVP_KDF_HKDF.pod ++++ openssl-1.1.1n/doc/man7/EVP_KDF_HKDF.pod @@ -0,0 +1,180 @@ +=pod + @@ -3237,10 +3237,10 @@ Index: openssl-1.1.1m/doc/man7/EVP_KDF_HKDF.pod +L. + +=cut -Index: openssl-1.1.1m/doc/man7/EVP_KDF_PBKDF2.pod +Index: openssl-1.1.1n/doc/man7/EVP_KDF_PBKDF2.pod =================================================================== --- /dev/null -+++ openssl-1.1.1m/doc/man7/EVP_KDF_PBKDF2.pod ++++ openssl-1.1.1n/doc/man7/EVP_KDF_PBKDF2.pod @@ -0,0 +1,78 @@ +=pod + @@ -3320,10 +3320,10 @@ Index: openssl-1.1.1m/doc/man7/EVP_KDF_PBKDF2.pod +L. + +=cut -Index: openssl-1.1.1m/doc/man7/EVP_KDF_SCRYPT.pod +Index: openssl-1.1.1n/doc/man7/EVP_KDF_SCRYPT.pod =================================================================== --- /dev/null -+++ openssl-1.1.1m/doc/man7/EVP_KDF_SCRYPT.pod ++++ openssl-1.1.1n/doc/man7/EVP_KDF_SCRYPT.pod @@ -0,0 +1,149 @@ +=pod + @@ -3474,10 +3474,10 @@ Index: openssl-1.1.1m/doc/man7/EVP_KDF_SCRYPT.pod +L. + +=cut -Index: openssl-1.1.1m/doc/man7/EVP_KDF_TLS1_PRF.pod +Index: openssl-1.1.1n/doc/man7/EVP_KDF_TLS1_PRF.pod =================================================================== --- /dev/null -+++ openssl-1.1.1m/doc/man7/EVP_KDF_TLS1_PRF.pod ++++ openssl-1.1.1n/doc/man7/EVP_KDF_TLS1_PRF.pod @@ -0,0 +1,142 @@ +=pod + 
@@ -3621,10 +3621,10 @@ Index: openssl-1.1.1m/doc/man7/EVP_KDF_TLS1_PRF.pod +L. + +=cut -Index: openssl-1.1.1m/include/openssl/evperr.h +Index: openssl-1.1.1n/include/openssl/evperr.h =================================================================== ---- openssl-1.1.1m.orig/include/openssl/evperr.h -+++ openssl-1.1.1m/include/openssl/evperr.h +--- openssl-1.1.1n.orig/include/openssl/evperr.h ++++ openssl-1.1.1n/include/openssl/evperr.h @@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void); # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 # define EVP_F_EVP_ENCRYPTFINAL_EX 127 @@ -3657,10 +3657,10 @@ Index: openssl-1.1.1m/include/openssl/evperr.h # define EVP_R_OUTPUT_WOULD_OVERFLOW 184 # define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PBKDF2_ERROR 181 -Index: openssl-1.1.1m/include/openssl/kdferr.h +Index: openssl-1.1.1n/include/openssl/kdferr.h =================================================================== ---- openssl-1.1.1m.orig/include/openssl/kdferr.h -+++ openssl-1.1.1m/include/openssl/kdferr.h +--- openssl-1.1.1n.orig/include/openssl/kdferr.h ++++ openssl-1.1.1n/include/openssl/kdferr.h @@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void); /* * KDF function codes. @@ -3700,10 +3700,10 @@ Index: openssl-1.1.1m/include/openssl/kdferr.h +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 #endif -Index: openssl-1.1.1m/include/openssl/kdf.h +Index: openssl-1.1.1n/include/openssl/kdf.h =================================================================== ---- openssl-1.1.1m.orig/include/openssl/kdf.h -+++ openssl-1.1.1m/include/openssl/kdf.h +--- openssl-1.1.1n.orig/include/openssl/kdf.h ++++ openssl-1.1.1n/include/openssl/kdf.h @@ -10,10 +10,50 @@ #ifndef HEADER_KDF_H # define HEADER_KDF_H 
@@ -3782,10 +3782,10 @@ Index: openssl-1.1.1m/include/openssl/kdf.h } # endif #endif -Index: openssl-1.1.1m/include/openssl/ossl_typ.h +Index: openssl-1.1.1n/include/openssl/ossl_typ.h =================================================================== ---- openssl-1.1.1m.orig/include/openssl/ossl_typ.h -+++ openssl-1.1.1m/include/openssl/ossl_typ.h +--- openssl-1.1.1n.orig/include/openssl/ossl_typ.h ++++ openssl-1.1.1n/include/openssl/ossl_typ.h @@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E typedef struct evp_pkey_method_st EVP_PKEY_METHOD; typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; @@ -3795,10 +3795,10 @@ Index: openssl-1.1.1m/include/openssl/ossl_typ.h typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX; typedef struct hmac_ctx_st HMAC_CTX; -Index: openssl-1.1.1m/test/build.info +Index: openssl-1.1.1n/test/build.info =================================================================== ---- openssl-1.1.1m.orig/test/build.info -+++ openssl-1.1.1m/test/build.info +--- openssl-1.1.1n.orig/test/build.info ++++ openssl-1.1.1n/test/build.info @@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bio_callback_test bio_memleak_test \ @@ -3820,10 +3820,10 @@ Index: openssl-1.1.1m/test/build.info SOURCE[x509_time_test]=x509_time_test.c INCLUDE[x509_time_test]=../include DEPEND[x509_time_test]=../libcrypto libtestutil.a -Index: openssl-1.1.1m/test/evp_kdf_test.c +Index: openssl-1.1.1n/test/evp_kdf_test.c =================================================================== --- /dev/null -+++ openssl-1.1.1m/test/evp_kdf_test.c ++++ openssl-1.1.1n/test/evp_kdf_test.c @@ -0,0 +1,237 @@ +/* + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. 
@@ -4062,10 +4062,10 @@ Index: openssl-1.1.1m/test/evp_kdf_test.c +#endif + return 1; +} -Index: openssl-1.1.1m/test/evp_test.c +Index: openssl-1.1.1n/test/evp_test.c =================================================================== ---- openssl-1.1.1m.orig/test/evp_test.c -+++ openssl-1.1.1m/test/evp_test.c +--- openssl-1.1.1n.orig/test/evp_test.c ++++ openssl-1.1.1n/test/evp_test.c @@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test encode_test_run, }; @@ -4277,10 +4277,10 @@ Index: openssl-1.1.1m/test/evp_test.c &keypair_test_method, &keygen_test_method, &mac_test_method, -Index: openssl-1.1.1m/test/pkey_meth_kdf_test.c +Index: openssl-1.1.1n/test/pkey_meth_kdf_test.c =================================================================== ---- openssl-1.1.1m.orig/test/pkey_meth_kdf_test.c -+++ openssl-1.1.1m/test/pkey_meth_kdf_test.c +--- openssl-1.1.1n.orig/test/pkey_meth_kdf_test.c ++++ openssl-1.1.1n/test/pkey_meth_kdf_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. @@ -4484,10 +4484,10 @@ Index: openssl-1.1.1m/test/pkey_meth_kdf_test.c } #endif -Index: openssl-1.1.1m/test/recipes/30-test_evp_data/evpkdf.txt +Index: openssl-1.1.1n/test/recipes/30-test_evp_data/evpkdf.txt =================================================================== ---- openssl-1.1.1m.orig/test/recipes/30-test_evp_data/evpkdf.txt -+++ openssl-1.1.1m/test/recipes/30-test_evp_data/evpkdf.txt +--- openssl-1.1.1n.orig/test/recipes/30-test_evp_data/evpkdf.txt ++++ openssl-1.1.1n/test/recipes/30-test_evp_data/evpkdf.txt @@ -15,7 +15,7 @@ Title = TLS1 PRF tests (from NIST test vectors) @@ -4747,7 +4747,7 @@ Index: openssl-1.1.1m/test/recipes/30-test_evp_data/evpkdf.txt Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 @@ -303,3 +303,133 @@ Ctrl.r = r:8 Ctrl.p = p:1 - Result = KDF_MISMATCH + Result = KDF_DERIVE_ERROR +Title = PBKDF2 tests + 
@@ -4879,10 +4879,10 @@ Index: openssl-1.1.1m/test/recipes/30-test_evp_data/evpkdf.txt +Ctrl.digest = digest:sha512 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14 + -Index: openssl-1.1.1m/test/recipes/30-test_evp_data/evppkey_kdf.txt +Index: openssl-1.1.1n/test/recipes/30-test_evp_data/evppkey_kdf.txt =================================================================== --- /dev/null -+++ openssl-1.1.1m/test/recipes/30-test_evp_data/evppkey_kdf.txt ++++ openssl-1.1.1n/test/recipes/30-test_evp_data/evppkey_kdf.txt @@ -0,0 +1,305 @@ +# +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5189,10 +5189,10 @@ Index: openssl-1.1.1m/test/recipes/30-test_evp_data/evppkey_kdf.txt +Ctrl.p = p:1 +Result = INTERNAL_ERROR + -Index: openssl-1.1.1m/test/recipes/30-test_evp_kdf.t +Index: openssl-1.1.1n/test/recipes/30-test_evp_kdf.t =================================================================== --- /dev/null -+++ openssl-1.1.1m/test/recipes/30-test_evp_kdf.t ++++ openssl-1.1.1n/test/recipes/30-test_evp_kdf.t @@ -0,0 +1,13 @@ +#! /usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5207,10 +5207,10 @@ Index: openssl-1.1.1m/test/recipes/30-test_evp_kdf.t +use OpenSSL::Test::Simple; + +simple_test("test_evp_kdf", "evp_kdf_test"); -Index: openssl-1.1.1m/test/recipes/30-test_evp.t +Index: openssl-1.1.1n/test/recipes/30-test_evp.t =================================================================== ---- openssl-1.1.1m.orig/test/recipes/30-test_evp.t -+++ openssl-1.1.1m/test/recipes/30-test_evp.t +--- openssl-1.1.1n.orig/test/recipes/30-test_evp.t ++++ openssl-1.1.1n/test/recipes/30-test_evp.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ setup("test_evp"); 
@@ -5220,10 +5220,10 @@ Index: openssl-1.1.1m/test/recipes/30-test_evp.t "evpcase.txt", "evpccmcavs.txt" ); plan tests => scalar(@files); -Index: openssl-1.1.1m/util/libcrypto.num +Index: openssl-1.1.1n/util/libcrypto.num =================================================================== ---- openssl-1.1.1m.orig/util/libcrypto.num -+++ openssl-1.1.1m/util/libcrypto.num +--- openssl-1.1.1n.orig/util/libcrypto.num ++++ openssl-1.1.1n/util/libcrypto.num @@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: @@ -5236,10 +5236,10 @@ Index: openssl-1.1.1m/util/libcrypto.num +EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: +EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: +EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: -Index: openssl-1.1.1m/util/private.num +Index: openssl-1.1.1n/util/private.num =================================================================== ---- openssl-1.1.1m.orig/util/private.num -+++ openssl-1.1.1m/util/private.num +--- openssl-1.1.1n.orig/util/private.num ++++ openssl-1.1.1n/util/private.num @@ -22,6 +22,7 @@ CRYPTO_EX_dup CRYPTO_EX_free datatype CRYPTO_EX_new datatype @@ -5248,10 +5248,10 @@ Index: openssl-1.1.1m/util/private.num EVP_PKEY_gen_cb datatype EVP_PKEY_METHOD datatype EVP_PKEY_ASN1_METHOD datatype -Index: openssl-1.1.1m/crypto/evp/e_chacha20_poly1305.c +Index: openssl-1.1.1n/crypto/evp/e_chacha20_poly1305.c =================================================================== ---- openssl-1.1.1m.orig/crypto/evp/e_chacha20_poly1305.c -+++ openssl-1.1.1m/crypto/evp/e_chacha20_poly1305.c +--- openssl-1.1.1n.orig/crypto/evp/e_chacha20_poly1305.c ++++ openssl-1.1.1n/crypto/evp/e_chacha20_poly1305.c @@ -14,8 +14,8 @@ # include 
@@ -5262,10 +5262,10 @@ Index: openssl-1.1.1m/crypto/evp/e_chacha20_poly1305.c # include "crypto/chacha.h" typedef struct { -Index: openssl-1.1.1m/crypto/evp/encode.c +Index: openssl-1.1.1n/crypto/evp/encode.c =================================================================== ---- openssl-1.1.1m.orig/crypto/evp/encode.c -+++ openssl-1.1.1m/crypto/evp/encode.c +--- openssl-1.1.1n.orig/crypto/evp/encode.c ++++ openssl-1.1.1n/crypto/evp/encode.c @@ -11,8 +11,8 @@ #include #include "internal/cryptlib.h" diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 7fdf876..6dbc095 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -1,7 +1,7 @@ -Index: openssl-1.1.1j/apps/pkcs12.c +Index: openssl-1.1.1n/apps/pkcs12.c =================================================================== ---- openssl-1.1.1j.orig/apps/pkcs12.c -+++ openssl-1.1.1j/apps/pkcs12.c +--- openssl-1.1.1n.orig/apps/pkcs12.c ++++ openssl-1.1.1n/apps/pkcs12.c @@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv) int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; @@ -11,11 +11,11 @@ Index: openssl-1.1.1j/apps/pkcs12.c #else int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; #endif -Index: openssl-1.1.1j/apps/speed.c +Index: openssl-1.1.1n/apps/speed.c =================================================================== ---- openssl-1.1.1j.orig/apps/speed.c -+++ openssl-1.1.1j/apps/speed.c -@@ -1674,7 +1674,8 @@ int speed_main(int argc, char **argv) +--- openssl-1.1.1n.orig/apps/speed.c ++++ openssl-1.1.1n/apps/speed.c +@@ -1678,7 +1678,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) 
@@ -25,7 +25,7 @@ Index: openssl-1.1.1j/apps/speed.c continue; } if (found(*argv, rsa_choices, &i)) { -@@ -1684,7 +1685,9 @@ int speed_main(int argc, char **argv) +@@ -1688,7 +1689,9 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_DSA if (strcmp(*argv, "dsa") == 0) { @@ -36,7 +36,7 @@ Index: openssl-1.1.1j/apps/speed.c dsa_doit[R_DSA_2048] = 1; continue; } -@@ -1715,19 +1718,21 @@ int speed_main(int argc, char **argv) +@@ -1719,19 +1722,21 @@ int speed_main(int argc, char **argv) } if (strcmp(*argv, "ecdh") == 0) { for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) @@ -62,7 +62,7 @@ Index: openssl-1.1.1j/apps/speed.c eddsa_doit[i] = 2; continue; } -@@ -1816,23 +1821,31 @@ int speed_main(int argc, char **argv) +@@ -1820,23 +1825,31 @@ int speed_main(int argc, char **argv) /* No parameters; turn on everything. */ if ((argc == 0) && !doit[D_EVP]) { for (i = 0; i < ALGOR_NUM; i++) @@ -100,7 +100,7 @@ Index: openssl-1.1.1j/apps/speed.c #endif } for (i = 0; i < ALGOR_NUM; i++) -@@ -1880,30 +1893,46 @@ int speed_main(int argc, char **argv) +@@ -1884,30 +1897,46 @@ int speed_main(int argc, char **argv) AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); #ifndef OPENSSL_NO_CAMELLIA @@ -157,7 +157,7 @@ Index: openssl-1.1.1j/apps/speed.c #endif #ifndef SIGALRM # ifndef OPENSSL_NO_DES -@@ -2201,6 +2230,7 @@ int speed_main(int argc, char **argv) +@@ -2205,6 +2234,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) { loopargs[i].hctx = HMAC_CTX_new(); @@ -165,10 +165,10 @@ Index: openssl-1.1.1j/apps/speed.c if (loopargs[i].hctx == NULL) { BIO_printf(bio_err, "HMAC malloc failure, exiting..."); exit(1); -Index: openssl-1.1.1j/Configure +Index: openssl-1.1.1n/Configure =================================================================== ---- openssl-1.1.1j.orig/Configure -+++ openssl-1.1.1j/Configure +--- openssl-1.1.1n.orig/Configure ++++ openssl-1.1.1n/Configure 
@@ -325,7 +325,7 @@ $config{sdirs} = [ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", @@ -178,10 +178,10 @@ Index: openssl-1.1.1j/Configure "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; -Index: openssl-1.1.1j/crypto/cmac/cm_pmeth.c +Index: openssl-1.1.1n/crypto/cmac/cm_pmeth.c =================================================================== ---- openssl-1.1.1j.orig/crypto/cmac/cm_pmeth.c -+++ openssl-1.1.1j/crypto/cmac/cm_pmeth.c +--- openssl-1.1.1n.orig/crypto/cmac/cm_pmeth.c ++++ openssl-1.1.1n/crypto/cmac/cm_pmeth.c @@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD cmac_pkey_meth = { @@ -191,10 +191,10 @@ Index: openssl-1.1.1j/crypto/cmac/cm_pmeth.c pkey_cmac_init, pkey_cmac_copy, pkey_cmac_cleanup, -Index: openssl-1.1.1j/crypto/dh/dh_err.c +Index: openssl-1.1.1n/crypto/dh/dh_err.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dh/dh_err.c -+++ openssl-1.1.1j/crypto/dh/dh_err.c +--- openssl-1.1.1n.orig/crypto/dh/dh_err.c ++++ openssl-1.1.1n/crypto/dh/dh_err.c @@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), 
@@ -220,10 +220,10 @@ Index: openssl-1.1.1j/crypto/dh/dh_err.c {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -Index: openssl-1.1.1j/crypto/dh/dh_gen.c +Index: openssl-1.1.1n/crypto/dh/dh_gen.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dh/dh_gen.c -+++ openssl-1.1.1j/crypto/dh/dh_gen.c +--- openssl-1.1.1n.orig/crypto/dh/dh_gen.c ++++ openssl-1.1.1n/crypto/dh/dh_gen.c @@ -16,6 +16,9 @@ #include "internal/cryptlib.h" #include @@ -267,10 +267,10 @@ Index: openssl-1.1.1j/crypto/dh/dh_gen.c ctx = BN_CTX_new(); if (ctx == NULL) goto err; -Index: openssl-1.1.1j/crypto/dh/dh_key.c +Index: openssl-1.1.1n/crypto/dh/dh_key.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dh/dh_key.c -+++ openssl-1.1.1j/crypto/dh/dh_key.c +--- openssl-1.1.1n.orig/crypto/dh/dh_key.c ++++ openssl-1.1.1n/crypto/dh/dh_key.c @@ -11,6 +11,9 @@ #include "internal/cryptlib.h" #include "dh_local.h" @@ -357,10 +357,10 @@ Index: openssl-1.1.1j/crypto/dh/dh_key.c dh->flags |= DH_FLAG_CACHE_MONT_P; return 1; } -Index: openssl-1.1.1j/crypto/dh/dh_pmeth.c +Index: openssl-1.1.1n/crypto/dh/dh_pmeth.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dh/dh_pmeth.c -+++ openssl-1.1.1j/crypto/dh/dh_pmeth.c +--- openssl-1.1.1n.orig/crypto/dh/dh_pmeth.c ++++ openssl-1.1.1n/crypto/dh/dh_pmeth.c @@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * const EVP_PKEY_METHOD dh_pkey_meth = { 
@@ -379,10 +379,10 @@ Index: openssl-1.1.1j/crypto/dh/dh_pmeth.c pkey_dh_init, pkey_dh_copy, pkey_dh_cleanup, -Index: openssl-1.1.1j/crypto/dsa/dsa_err.c +Index: openssl-1.1.1n/crypto/dsa/dsa_err.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dsa/dsa_err.c -+++ openssl-1.1.1j/crypto/dsa/dsa_err.c +--- openssl-1.1.1n.orig/crypto/dsa/dsa_err.c ++++ openssl-1.1.1n/crypto/dsa/dsa_err.c @@ -16,12 +16,15 @@ static const ERR_STRING_DATA DSA_str_functs[] = { {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, @@ -414,10 +414,10 @@ Index: openssl-1.1.1j/crypto/dsa/dsa_err.c {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, -Index: openssl-1.1.1j/crypto/dsa/dsa_gen.c +Index: openssl-1.1.1n/crypto/dsa/dsa_gen.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dsa/dsa_gen.c -+++ openssl-1.1.1j/crypto/dsa/dsa_gen.c +--- openssl-1.1.1n.orig/crypto/dsa/dsa_gen.c ++++ openssl-1.1.1n/crypto/dsa/dsa_gen.c @@ -22,12 +22,22 @@ #include #include @@ -579,10 +579,10 @@ Index: openssl-1.1.1j/crypto/dsa/dsa_gen.c +} + +#endif -Index: openssl-1.1.1j/crypto/dsa/dsa_key.c +Index: openssl-1.1.1n/crypto/dsa/dsa_key.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dsa/dsa_key.c -+++ openssl-1.1.1j/crypto/dsa/dsa_key.c +--- openssl-1.1.1n.orig/crypto/dsa/dsa_key.c ++++ openssl-1.1.1n/crypto/dsa/dsa_key.c @@ -13,10 +13,49 @@ #include #include "dsa_local.h" 
@@ -662,10 +662,10 @@ Index: openssl-1.1.1j/crypto/dsa/dsa_key.c ok = 1; err: -Index: openssl-1.1.1j/crypto/dsa/dsa_ossl.c +Index: openssl-1.1.1n/crypto/dsa/dsa_ossl.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dsa/dsa_ossl.c -+++ openssl-1.1.1j/crypto/dsa/dsa_ossl.c +--- openssl-1.1.1n.orig/crypto/dsa/dsa_ossl.c ++++ openssl-1.1.1n/crypto/dsa/dsa_ossl.c @@ -14,6 +14,9 @@ #include #include "dsa_local.h" @@ -725,10 +725,10 @@ Index: openssl-1.1.1j/crypto/dsa/dsa_ossl.c dsa->flags |= DSA_FLAG_CACHE_MONT_P; return 1; } -Index: openssl-1.1.1j/crypto/dsa/dsa_pmeth.c +Index: openssl-1.1.1n/crypto/dsa/dsa_pmeth.c =================================================================== ---- openssl-1.1.1j.orig/crypto/dsa/dsa_pmeth.c -+++ openssl-1.1.1j/crypto/dsa/dsa_pmeth.c +--- openssl-1.1.1n.orig/crypto/dsa/dsa_pmeth.c ++++ openssl-1.1.1n/crypto/dsa/dsa_pmeth.c @@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT BN_GENCB_free(pcb); return 0; @@ -749,10 +749,10 @@ Index: openssl-1.1.1j/crypto/dsa/dsa_pmeth.c pkey_dsa_init, pkey_dsa_copy, pkey_dsa_cleanup, -Index: openssl-1.1.1j/crypto/ec/ecdh_ossl.c +Index: openssl-1.1.1n/crypto/ec/ecdh_ossl.c =================================================================== ---- openssl-1.1.1j.orig/crypto/ec/ecdh_ossl.c -+++ openssl-1.1.1j/crypto/ec/ecdh_ossl.c +--- openssl-1.1.1n.orig/crypto/ec/ecdh_ossl.c ++++ openssl-1.1.1n/crypto/ec/ecdh_ossl.c @@ -19,9 +19,20 @@ #include #include "ec_local.h" 
@@ -774,10 +774,10 @@ Index: openssl-1.1.1j/crypto/ec/ecdh_ossl.c if (ecdh->group->meth->ecdh_compute_key == NULL) { ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); return 0; -Index: openssl-1.1.1j/crypto/ec/ecdsa_ossl.c +Index: openssl-1.1.1n/crypto/ec/ecdsa_ossl.c =================================================================== ---- openssl-1.1.1j.orig/crypto/ec/ecdsa_ossl.c -+++ openssl-1.1.1j/crypto/ec/ecdsa_ossl.c +--- openssl-1.1.1n.orig/crypto/ec/ecdsa_ossl.c ++++ openssl-1.1.1n/crypto/ec/ecdsa_ossl.c @@ -14,6 +14,11 @@ #include "crypto/bn.h" #include "ec_local.h" @@ -818,10 +818,10 @@ Index: openssl-1.1.1j/crypto/ec/ecdsa_ossl.c /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -Index: openssl-1.1.1j/crypto/ec/ec_key.c +Index: openssl-1.1.1n/crypto/ec/ec_key.c =================================================================== ---- openssl-1.1.1j.orig/crypto/ec/ec_key.c -+++ openssl-1.1.1j/crypto/ec/ec_key.c +--- openssl-1.1.1n.orig/crypto/ec/ec_key.c ++++ openssl-1.1.1n/crypto/ec/ec_key.c @@ -179,14 +179,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY return eckey->engine; } @@ -887,10 +887,10 @@ Index: openssl-1.1.1j/crypto/ec/ec_key.c ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } -Index: openssl-1.1.1j/crypto/ec/ec_pmeth.c +Index: openssl-1.1.1n/crypto/ec/ec_pmeth.c =================================================================== ---- openssl-1.1.1j.orig/crypto/ec/ec_pmeth.c -+++ openssl-1.1.1j/crypto/ec/ec_pmeth.c +--- openssl-1.1.1n.orig/crypto/ec/ec_pmeth.c ++++ openssl-1.1.1n/crypto/ec/ec_pmeth.c @@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * const EVP_PKEY_METHOD ec_pkey_meth = { 
@@ -900,10 +900,10 @@ Index: openssl-1.1.1j/crypto/ec/ec_pmeth.c pkey_ec_init, pkey_ec_copy, pkey_ec_cleanup, -Index: openssl-1.1.1j/crypto/evp/c_allc.c +Index: openssl-1.1.1n/crypto/evp/c_allc.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/c_allc.c -+++ openssl-1.1.1j/crypto/evp/c_allc.c +--- openssl-1.1.1n.orig/crypto/evp/c_allc.c ++++ openssl-1.1.1n/crypto/evp/c_allc.c @@ -17,6 +17,9 @@ void openssl_add_all_ciphers_int(void) { @@ -985,10 +985,10 @@ Index: openssl-1.1.1j/crypto/evp/c_allc.c + } +#endif } -Index: openssl-1.1.1j/crypto/evp/c_alld.c +Index: openssl-1.1.1n/crypto/evp/c_alld.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/c_alld.c -+++ openssl-1.1.1j/crypto/evp/c_alld.c +--- openssl-1.1.1n.orig/crypto/evp/c_alld.c ++++ openssl-1.1.1n/crypto/evp/c_alld.c @@ -16,6 +16,9 @@ void openssl_add_all_digests_int(void) @@ -1024,10 +1024,10 @@ Index: openssl-1.1.1j/crypto/evp/c_alld.c + } +#endif } -Index: openssl-1.1.1j/crypto/evp/digest.c +Index: openssl-1.1.1n/crypto/evp/digest.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/digest.c -+++ openssl-1.1.1j/crypto/evp/digest.c +--- openssl-1.1.1n.orig/crypto/evp/digest.c ++++ openssl-1.1.1n/crypto/evp/digest.c @@ -14,6 +14,9 @@ #include #include "crypto/evp.h" @@ -1036,9 +1036,9 @@ Index: openssl-1.1.1j/crypto/evp/digest.c +# include +#endif - /* This call frees resources associated with the context */ - int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) -@@ -66,6 +69,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons + + static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force) +@@ -77,6 +80,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); 
@@ -1051,7 +1051,7 @@ Index: openssl-1.1.1j/crypto/evp/digest.c #ifndef OPENSSL_NO_ENGINE /* * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -119,6 +128,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c +@@ -131,6 +140,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c } #endif if (ctx->digest != type) { @@ -1064,10 +1064,10 @@ Index: openssl-1.1.1j/crypto/evp/digest.c + } + } +#endif - if (ctx->digest && ctx->digest->ctx_size) { - OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); - ctx->md_data = NULL; -@@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c + cleanup_old_md_data(ctx, 1); + + ctx->digest = type; +@@ -160,6 +178,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { @@ -1078,7 +1078,7 @@ Index: openssl-1.1.1j/crypto/evp/digest.c if (count == 0) return 1; -@@ -170,6 +192,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, +@@ -180,6 +202,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, { int ret; @@ -1088,10 +1088,10 @@ Index: openssl-1.1.1j/crypto/evp/digest.c OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) -Index: openssl-1.1.1j/crypto/evp/e_aes.c +Index: openssl-1.1.1n/crypto/evp/e_aes.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/e_aes.c -+++ openssl-1.1.1j/crypto/evp/e_aes.c +--- openssl-1.1.1n.orig/crypto/evp/e_aes.c ++++ openssl-1.1.1n/crypto/evp/e_aes.c @@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER * This addresses Rogaway's vulnerability. * See comment in aes_xts_init_key() below. @@ -1110,7 +1110,7 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); return 0; } -@@ -2833,9 +2833,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX +@@ -2827,9 +2827,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX return 1; } 
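Review bot: The refresh of inner hunk `@@ -131,6 +140,15 @@ int EVP_DigestInit_ex` changes its context by content, not only by offset, and nothing on the new side records that the placement was re-checked. The trailing context moves from the inline `OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size)` block to `cleanup_old_md_data(ctx, 1);` and `ctx->digest = type;`. The nine inserted lines therefore now sit between `if (ctx->digest != type) {` and the new helper call; only their closing `}`, `}`, `#endif` are visible here, and they are presumably the FIPS-mode digest check. If that block can abort initialisation, its position relative to the cleanup matters, so I would add a line to the inserted code such as `/* keep ahead of cleanup_old_md_data(ctx, 1); placement re-checked for 1.1.1n */`. EVP_DigestInit_ex and the inserted block both start outside this hunk, so the block's exit paths still need checking against the full file.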
@@ -1123,7 +1123,7 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) { -@@ -2869,6 +2869,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * +@@ -2863,6 +2863,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; @@ -1135,7 +1135,7 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != c->iv) -@@ -3318,11 +3323,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX +@@ -3312,11 +3317,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH) BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, @@ -1153,7 +1153,7 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -3380,7 +3388,7 @@ static int aes_xts_init_key(EVP_CIPHER_C +@@ -3374,7 +3382,7 @@ static int aes_xts_init_key(EVP_CIPHER_C * BEFORE using the keys in the XTS-AES algorithm to process * data with them." */ @@ -1162,7 +1162,7 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); return 0; } -@@ -3484,6 +3492,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3478,6 +3486,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; @@ -1177,7 +1177,7 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, -@@ -3501,8 +3517,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3495,8 +3511,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ | EVP_CIPH_CUSTOM_COPY) 
@@ -1190,7 +1190,7 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -3772,11 +3790,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX +@@ -3766,11 +3784,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX #define aes_ccm_cleanup NULL BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, @@ -1205,7 +1205,7 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c typedef struct { union { -@@ -3869,7 +3887,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT +@@ -3863,7 +3881,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT return rv ? (int)rv : -1; } @@ -1214,10 +1214,10 @@ Index: openssl-1.1.1j/crypto/evp/e_aes.c | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) -Index: openssl-1.1.1j/crypto/evp/e_des3.c +Index: openssl-1.1.1n/crypto/evp/e_des3.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/e_des3.c -+++ openssl-1.1.1j/crypto/evp/e_des3.c +--- openssl-1.1.1n.orig/crypto/evp/e_des3.c ++++ openssl-1.1.1n/crypto/evp/e_des3.c @@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, # define des_ede3_cbc_cipher des_ede_cbc_cipher # define des_ede3_ecb_cipher des_ede_ecb_cipher @@ -1244,10 +1244,10 @@ Index: openssl-1.1.1j/crypto/evp/e_des3.c static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -Index: openssl-1.1.1j/crypto/evp/e_null.c +Index: openssl-1.1.1n/crypto/evp/e_null.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/e_null.c -+++ openssl-1.1.1j/crypto/evp/e_null.c +--- openssl-1.1.1n.orig/crypto/evp/e_null.c ++++ openssl-1.1.1n/crypto/evp/e_null.c @@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c const unsigned char *in, size_t inl); static const EVP_CIPHER n_cipher = { 
@@ -1258,10 +1258,10 @@ Index: openssl-1.1.1j/crypto/evp/e_null.c null_init_key, null_cipher, NULL, -Index: openssl-1.1.1j/crypto/evp/evp_enc.c +Index: openssl-1.1.1n/crypto/evp/evp_enc.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/evp_enc.c -+++ openssl-1.1.1j/crypto/evp/evp_enc.c +--- openssl-1.1.1n.orig/crypto/evp/evp_enc.c ++++ openssl-1.1.1n/crypto/evp/evp_enc.c @@ -18,10 +18,19 @@ #include #include "crypto/evp.h" @@ -1337,10 +1337,10 @@ Index: openssl-1.1.1j/crypto/evp/evp_enc.c if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if (!ctx->cipher->init(ctx, key, iv, enc)) -Index: openssl-1.1.1j/crypto/evp/evp_err.c +Index: openssl-1.1.1n/crypto/evp/evp_err.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/evp_err.c -+++ openssl-1.1.1j/crypto/evp/evp_err.c +--- openssl-1.1.1n.orig/crypto/evp/evp_err.c ++++ openssl-1.1.1n/crypto/evp/evp_err.c @@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), "aes_t4_xts_init_key"}, @@ -1374,10 +1374,10 @@ Index: openssl-1.1.1j/crypto/evp/evp_err.c {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), "xts duplicated keys"}, {0, NULL} -Index: openssl-1.1.1j/crypto/evp/evp_lib.c +Index: openssl-1.1.1n/crypto/evp/evp_lib.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/evp_lib.c -+++ openssl-1.1.1j/crypto/evp/evp_lib.c +--- openssl-1.1.1n.orig/crypto/evp/evp_lib.c ++++ openssl-1.1.1n/crypto/evp/evp_lib.c @@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) 
@@ -1388,10 +1388,10 @@ Index: openssl-1.1.1j/crypto/evp/evp_lib.c return ctx->cipher->do_cipher(ctx, out, in, inl); } -Index: openssl-1.1.1j/crypto/evp/m_sha1.c +Index: openssl-1.1.1n/crypto/evp/m_sha1.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/m_sha1.c -+++ openssl-1.1.1j/crypto/evp/m_sha1.c +--- openssl-1.1.1n.orig/crypto/evp/m_sha1.c ++++ openssl-1.1.1n/crypto/evp/m_sha1.c @@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -1455,10 +1455,10 @@ Index: openssl-1.1.1j/crypto/evp/m_sha1.c init512, update512, final512, -Index: openssl-1.1.1j/crypto/evp/m_sha3.c +Index: openssl-1.1.1n/crypto/evp/m_sha3.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/m_sha3.c -+++ openssl-1.1.1j/crypto/evp/m_sha3.c +--- openssl-1.1.1n.orig/crypto/evp/m_sha3.c ++++ openssl-1.1.1n/crypto/evp/m_sha3.c @@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ @@ -1513,10 +1513,10 @@ Index: openssl-1.1.1j/crypto/evp/m_sha3.c shake_init, \ sha3_update, \ sha3_final, \ -Index: openssl-1.1.1j/crypto/evp/pmeth_lib.c +Index: openssl-1.1.1n/crypto/evp/pmeth_lib.c =================================================================== ---- openssl-1.1.1j.orig/crypto/evp/pmeth_lib.c -+++ openssl-1.1.1j/crypto/evp/pmeth_lib.c +--- openssl-1.1.1n.orig/crypto/evp/pmeth_lib.c ++++ openssl-1.1.1n/crypto/evp/pmeth_lib.c @@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE pmeth = ENGINE_get_pkey_meth(e, id); else @@ -1533,10 +1533,10 @@ Index: openssl-1.1.1j/crypto/evp/pmeth_lib.c if (pmeth == NULL) { #ifndef OPENSSL_NO_ENGINE -Index: openssl-1.1.1j/crypto/fips/build.info +Index: openssl-1.1.1n/crypto/fips/build.info =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/build.info ++++ openssl-1.1.1n/crypto/fips/build.info 
@@ -0,0 +1,15 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ @@ -1553,10 +1553,10 @@ Index: openssl-1.1.1j/crypto/fips/build.info +SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c +INCLUDE[fips_standalone_hmac]=../../include +DEPEND[fips_standalone_hmac]=../../libcrypto -Index: openssl-1.1.1j/crypto/fips/fips_aes_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_aes_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_aes_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_aes_selftest.c @@ -0,0 +1,372 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -1930,10 +1930,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_aes_selftest.c +} + +#endif -Index: openssl-1.1.1j/crypto/fips/fips.c +Index: openssl-1.1.1n/crypto/fips/fips.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips.c ++++ openssl-1.1.1n/crypto/fips/fips.c @@ -0,0 +1,526 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2461,10 +2461,10 @@ Index: openssl-1.1.1j/crypto/fips/fips.c +} + +#endif -Index: openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_cmac_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_cmac_selftest.c @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -2622,10 +2622,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c + return rv; +} +#endif -Index: openssl-1.1.1j/crypto/fips/fips_des_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_des_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_des_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_des_selftest.c @@ -0,0 +1,133 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2760,10 +2760,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_des_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1j/crypto/fips/fips_dh_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_dh_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_dh_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_dh_selftest.c @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -2945,10 +2945,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_dh_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c +Index: openssl-1.1.1n/crypto/fips/fips_drbg_ctr.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c ++++ openssl-1.1.1n/crypto/fips/fips_drbg_ctr.c @@ -0,0 +1,406 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3356,10 +3356,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c + + return 1; +} -Index: openssl-1.1.1j/crypto/fips/fips_drbg_hash.c +Index: openssl-1.1.1n/crypto/fips/fips_drbg_hash.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_drbg_hash.c ++++ openssl-1.1.1n/crypto/fips/fips_drbg_hash.c 
@@ -0,0 +1,354 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3715,10 +3715,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_drbg_hash.c + + return 1; +} -Index: openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c +Index: openssl-1.1.1n/crypto/fips/fips_drbg_hmac.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c ++++ openssl-1.1.1n/crypto/fips/fips_drbg_hmac.c @@ -0,0 +1,262 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3982,10 +3982,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c + + return 1; +} -Index: openssl-1.1.1j/crypto/fips/fips_drbg_lib.c +Index: openssl-1.1.1n/crypto/fips/fips_drbg_lib.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_drbg_lib.c ++++ openssl-1.1.1n/crypto/fips/fips_drbg_lib.c @@ -0,0 +1,528 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4515,10 +4515,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_drbg_lib.c +{ + /* Just backwards compatibility API call with no effect. */ +} -Index: openssl-1.1.1j/crypto/fips/fips_drbg_rand.c +Index: openssl-1.1.1n/crypto/fips/fips_drbg_rand.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_drbg_rand.c ++++ openssl-1.1.1n/crypto/fips/fips_drbg_rand.c @@ -0,0 +1,185 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4705,10 +4705,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_drbg_rand.c +{ + return &rand_drbg_meth; +} -Index: openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_drbg_selftest.c =================================================================== 
--- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_drbg_selftest.c @@ -0,0 +1,828 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5538,10 +5538,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c + FIPS_drbg_free(dctx); + return rv; +} -Index: openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h +Index: openssl-1.1.1n/crypto/fips/fips_drbg_selftest.h =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h ++++ openssl-1.1.1n/crypto/fips/fips_drbg_selftest.h @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7334,10 +7334,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -Index: openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_dsa_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_dsa_selftest.c @@ -0,0 +1,195 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7534,10 +7534,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c @@ -0,0 +1,242 @@ +/* fips/ecdh/fips_ecdh_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -7781,10 +7781,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c +} + +#endif -Index: openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_ecdsa_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_ecdsa_selftest.c @@ -0,0 +1,166 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7952,10 +7952,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c +} + +#endif -Index: openssl-1.1.1j/crypto/fips/fips_err.h +Index: openssl-1.1.1n/crypto/fips/fips_err.h =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_err.h ++++ openssl-1.1.1n/crypto/fips/fips_err.h @@ -0,0 +1,199 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -8156,10 +8156,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_err.h +#endif + return 1; +} -Index: openssl-1.1.1j/crypto/fips/fips_ers.c +Index: openssl-1.1.1n/crypto/fips/fips_ers.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_ers.c ++++ openssl-1.1.1n/crypto/fips/fips_ers.c @@ -0,0 +1,7 @@ +#include + @@ -8168,10 +8168,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_ers.c +#else +static void *dummy = &dummy; +#endif -Index: openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_hmac_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_hmac_selftest.c @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. 
@@ -8307,10 +8307,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c + return 1; +} +#endif -Index: openssl-1.1.1j/crypto/fips/fips_locl.h +Index: openssl-1.1.1n/crypto/fips/fips_locl.h =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_locl.h ++++ openssl-1.1.1n/crypto/fips/fips_locl.h @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8383,10 +8383,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_locl.h +} +# endif +#endif -Index: openssl-1.1.1j/crypto/fips/fips_post.c +Index: openssl-1.1.1n/crypto/fips/fips_post.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_post.c ++++ openssl-1.1.1n/crypto/fips/fips_post.c @@ -0,0 +1,224 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8612,10 +8612,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_post.c + return 1; +} +#endif -Index: openssl-1.1.1j/crypto/fips/fips_rand_lcl.h +Index: openssl-1.1.1n/crypto/fips/fips_rand_lcl.h =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_rand_lcl.h ++++ openssl-1.1.1n/crypto/fips/fips_rand_lcl.h @@ -0,0 +1,203 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -8820,10 +8820,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_rand_lcl.h +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -Index: openssl-1.1.1j/crypto/fips/fips_rand_lib.c +Index: openssl-1.1.1n/crypto/fips/fips_rand_lib.c =================================================================== 
--- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_rand_lib.c ++++ openssl-1.1.1n/crypto/fips/fips_rand_lib.c @@ -0,0 +1,234 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9059,10 +9059,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_rand_lib.c +# endif +} + -Index: openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_rsa_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_rsa_selftest.c @@ -0,0 +1,338 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -9402,10 +9402,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c +} + +#endif /* def OPENSSL_FIPS */ -Index: openssl-1.1.1j/crypto/fips/fips_sha_selftest.c +Index: openssl-1.1.1n/crypto/fips/fips_sha_selftest.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_sha_selftest.c ++++ openssl-1.1.1n/crypto/fips/fips_sha_selftest.c @@ -0,0 +1,223 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9630,10 +9630,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_sha_selftest.c +} + +#endif -Index: openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c +Index: openssl-1.1.1n/crypto/fips/fips_standalone_hmac.c =================================================================== --- /dev/null -+++ openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c ++++ openssl-1.1.1n/crypto/fips/fips_standalone_hmac.c @@ -0,0 +1,127 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -9762,10 +9762,10 @@ Index: openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c +#endif + return 0; +} -Index: openssl-1.1.1j/crypto/hmac/hmac.c +Index: openssl-1.1.1n/crypto/hmac/hmac.c =================================================================== ---- openssl-1.1.1j.orig/crypto/hmac/hmac.c -+++ openssl-1.1.1j/crypto/hmac/hmac.c +--- openssl-1.1.1n.orig/crypto/hmac/hmac.c ++++ openssl-1.1.1n/crypto/hmac/hmac.c @@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo return 0; @@ -9780,10 +9780,10 @@ Index: openssl-1.1.1j/crypto/hmac/hmac.c reset = 1; j = EVP_MD_block_size(md); -Index: openssl-1.1.1j/crypto/hmac/hm_pmeth.c +Index: openssl-1.1.1n/crypto/hmac/hm_pmeth.c =================================================================== ---- openssl-1.1.1j.orig/crypto/hmac/hm_pmeth.c -+++ openssl-1.1.1j/crypto/hmac/hm_pmeth.c +--- openssl-1.1.1n.orig/crypto/hmac/hm_pmeth.c ++++ openssl-1.1.1n/crypto/hmac/hm_pmeth.c @@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD hmac_pkey_meth = { @@ -9793,10 +9793,10 @@ Index: openssl-1.1.1j/crypto/hmac/hm_pmeth.c pkey_hmac_init, pkey_hmac_copy, pkey_hmac_cleanup, -Index: openssl-1.1.1j/include/crypto/fips_int.h +Index: openssl-1.1.1n/include/crypto/fips_int.h =================================================================== --- /dev/null -+++ openssl-1.1.1j/include/crypto/fips_int.h ++++ openssl-1.1.1n/include/crypto/fips_int.h @@ -0,0 +1,98 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -9896,10 +9896,10 @@ Index: openssl-1.1.1j/include/crypto/fips_int.h +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + +#endif -Index: openssl-1.1.1j/crypto/o_fips.c +Index: openssl-1.1.1n/crypto/o_fips.c =================================================================== ---- openssl-1.1.1j.orig/crypto/o_fips.c -+++ openssl-1.1.1j/crypto/o_fips.c +--- openssl-1.1.1n.orig/crypto/o_fips.c ++++ openssl-1.1.1n/crypto/o_fips.c @@ -8,17 +8,28 @@ */ @@ -9929,10 +9929,10 @@ Index: openssl-1.1.1j/crypto/o_fips.c return 0; +#endif } -Index: openssl-1.1.1j/crypto/o_init.c +Index: openssl-1.1.1n/crypto/o_init.c =================================================================== ---- openssl-1.1.1j.orig/crypto/o_init.c -+++ openssl-1.1.1j/crypto/o_init.c +--- openssl-1.1.1n.orig/crypto/o_init.c ++++ openssl-1.1.1n/crypto/o_init.c @@ -7,8 +7,68 @@ * https://www.openssl.org/source/license.html */ @@ -10002,11 +10002,11 @@ Index: openssl-1.1.1j/crypto/o_init.c /* * Perform any essential OpenSSL initialization operations. Currently does -Index: openssl-1.1.1j/crypto/rand/rand_lib.c +Index: openssl-1.1.1n/crypto/rand/rand_lib.c =================================================================== ---- openssl-1.1.1j.orig/crypto/rand/rand_lib.c -+++ openssl-1.1.1j/crypto/rand/rand_lib.c -@@ -959,3 +959,15 @@ int RAND_status(void) +--- openssl-1.1.1n.orig/crypto/rand/rand_lib.c ++++ openssl-1.1.1n/crypto/rand/rand_lib.c +@@ -963,3 +963,15 @@ int RAND_status(void) return meth->status(); return 0; } @@ -10022,10 +10022,10 @@ Index: openssl-1.1.1j/crypto/rand/rand_lib.c + return 1; +} +#endif -Index: openssl-1.1.1j/crypto/rsa/rsa_crpt.c +Index: openssl-1.1.1n/crypto/rsa/rsa_crpt.c =================================================================== ---- openssl-1.1.1j.orig/crypto/rsa/rsa_crpt.c -+++ openssl-1.1.1j/crypto/rsa/rsa_crpt.c +--- openssl-1.1.1n.orig/crypto/rsa/rsa_crpt.c ++++ openssl-1.1.1n/crypto/rsa/rsa_crpt.c 
@@ -27,24 +27,52 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -10079,10 +10079,10 @@ Index: openssl-1.1.1j/crypto/rsa/rsa_crpt.c return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); } -Index: openssl-1.1.1j/crypto/rsa/rsa_err.c +Index: openssl-1.1.1n/crypto/rsa/rsa_err.c =================================================================== ---- openssl-1.1.1j.orig/crypto/rsa/rsa_err.c -+++ openssl-1.1.1j/crypto/rsa/rsa_err.c +--- openssl-1.1.1n.orig/crypto/rsa/rsa_err.c ++++ openssl-1.1.1n/crypto/rsa/rsa_err.c @@ -16,6 +16,8 @@ static const ERR_STRING_DATA RSA_str_functs[] = { {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, @@ -10151,10 +10151,10 @@ Index: openssl-1.1.1j/crypto/rsa/rsa_err.c {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, -Index: openssl-1.1.1j/crypto/rsa/rsa_gen.c +Index: openssl-1.1.1n/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.1.1j.orig/crypto/rsa/rsa_gen.c -+++ openssl-1.1.1j/crypto/rsa/rsa_gen.c +--- openssl-1.1.1n.orig/crypto/rsa/rsa_gen.c ++++ openssl-1.1.1n/crypto/rsa/rsa_gen.c @@ -18,6 +18,76 @@ #include "internal/cryptlib.h" #include @@ -10547,10 +10547,10 @@ Index: openssl-1.1.1j/crypto/rsa/rsa_gen.c static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb) { -Index: openssl-1.1.1j/crypto/rsa/rsa_lib.c +Index: openssl-1.1.1n/crypto/rsa/rsa_lib.c =================================================================== ---- openssl-1.1.1j.orig/crypto/rsa/rsa_lib.c -+++ openssl-1.1.1j/crypto/rsa/rsa_lib.c +--- openssl-1.1.1n.orig/crypto/rsa/rsa_lib.c ++++ openssl-1.1.1n/crypto/rsa/rsa_lib.c @@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M * to deal with which ENGINE it comes from. */ 
@@ -10593,10 +10593,10 @@ Index: openssl-1.1.1j/crypto/rsa/rsa_lib.c if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { goto err; } -Index: openssl-1.1.1j/crypto/rsa/rsa_ossl.c +Index: openssl-1.1.1n/crypto/rsa/rsa_ossl.c =================================================================== ---- openssl-1.1.1j.orig/crypto/rsa/rsa_ossl.c -+++ openssl-1.1.1j/crypto/rsa/rsa_ossl.c +--- openssl-1.1.1n.orig/crypto/rsa/rsa_ossl.c ++++ openssl-1.1.1n/crypto/rsa/rsa_ossl.c @@ -12,6 +12,10 @@ #include "rsa_local.h" #include "internal/constant_time.h" @@ -10713,10 +10713,10 @@ Index: openssl-1.1.1j/crypto/rsa/rsa_ossl.c if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; -Index: openssl-1.1.1j/crypto/rsa/rsa_pmeth.c +Index: openssl-1.1.1n/crypto/rsa/rsa_pmeth.c =================================================================== ---- openssl-1.1.1j.orig/crypto/rsa/rsa_pmeth.c -+++ openssl-1.1.1j/crypto/rsa/rsa_pmeth.c +--- openssl-1.1.1n.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.1.1n/crypto/rsa/rsa_pmeth.c @@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX const EVP_PKEY_METHOD rsa_pkey_meth = { @@ -10735,10 +10735,10 @@ Index: openssl-1.1.1j/crypto/rsa/rsa_pmeth.c pkey_rsa_init, pkey_rsa_copy, pkey_rsa_cleanup, -Index: openssl-1.1.1j/crypto/rsa/rsa_sign.c +Index: openssl-1.1.1n/crypto/rsa/rsa_sign.c =================================================================== ---- openssl-1.1.1j.orig/crypto/rsa/rsa_sign.c -+++ openssl-1.1.1j/crypto/rsa/rsa_sign.c +--- openssl-1.1.1n.orig/crypto/rsa/rsa_sign.c ++++ openssl-1.1.1n/crypto/rsa/rsa_sign.c @@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch unsigned char *tmps = NULL; const unsigned char *encoded = NULL; 
@@ -10765,10 +10765,10 @@ Index: openssl-1.1.1j/crypto/rsa/rsa_sign.c if (encrypt_len <= 0) goto err; -Index: openssl-1.1.1j/crypto/sha/sha256.c +Index: openssl-1.1.1n/crypto/sha/sha256.c =================================================================== ---- openssl-1.1.1j.orig/crypto/sha/sha256.c -+++ openssl-1.1.1j/crypto/sha/sha256.c +--- openssl-1.1.1n.orig/crypto/sha/sha256.c ++++ openssl-1.1.1n/crypto/sha/sha256.c @@ -18,6 +18,9 @@ int SHA224_Init(SHA256_CTX *c) @@ -10789,10 +10789,10 @@ Index: openssl-1.1.1j/crypto/sha/sha256.c memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -Index: openssl-1.1.1j/crypto/sha/sha512.c +Index: openssl-1.1.1n/crypto/sha/sha512.c =================================================================== ---- openssl-1.1.1j.orig/crypto/sha/sha512.c -+++ openssl-1.1.1j/crypto/sha/sha512.c +--- openssl-1.1.1n.orig/crypto/sha/sha512.c ++++ openssl-1.1.1n/crypto/sha/sha512.c @@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) int SHA384_Init(SHA512_CTX *c) @@ -10813,10 +10813,10 @@ Index: openssl-1.1.1j/crypto/sha/sha512.c c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -Index: openssl-1.1.1j/crypto/sha/sha_local.h +Index: openssl-1.1.1n/crypto/sha/sha_local.h =================================================================== ---- openssl-1.1.1j.orig/crypto/sha/sha_local.h -+++ openssl-1.1.1j/crypto/sha/sha_local.h +--- openssl-1.1.1n.orig/crypto/sha/sha_local.h ++++ openssl-1.1.1n/crypto/sha/sha_local.h @@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c int HASH_INIT(SHA_CTX *c) 
@@ -10827,10 +10827,10 @@ Index: openssl-1.1.1j/crypto/sha/sha_local.h memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -Index: openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod +Index: openssl-1.1.1n/doc/man3/DSA_generate_parameters.pod =================================================================== ---- openssl-1.1.1j.orig/doc/man3/DSA_generate_parameters.pod -+++ openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod +--- openssl-1.1.1n.orig/doc/man3/DSA_generate_parameters.pod ++++ openssl-1.1.1n/doc/man3/DSA_generate_parameters.pod @@ -30,8 +30,10 @@ B is the length of the prime p to For lengths under 2048 bits, the length of q is 160 bits; for lengths greater than or equal to 2048 bits, the length of q is set to 256 bits. @@ -10844,10 +10844,10 @@ Index: openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod DSA_generate_parameters_ex() places the iteration count in *B and a counter used for finding a generator in -Index: openssl-1.1.1j/include/openssl/crypto.h +Index: openssl-1.1.1n/include/openssl/crypto.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/crypto.h -+++ openssl-1.1.1j/include/openssl/crypto.h +--- openssl-1.1.1n.orig/include/openssl/crypto.h ++++ openssl-1.1.1n/include/openssl/crypto.h @@ -331,6 +331,11 @@ int OPENSSL_isservice(void); int FIPS_mode(void); int FIPS_mode_set(int r); @@ -10860,10 +10860,10 @@ Index: openssl-1.1.1j/include/openssl/crypto.h void OPENSSL_init(void); # ifdef OPENSSL_SYS_UNIX void OPENSSL_fork_prepare(void); -Index: openssl-1.1.1j/include/openssl/dherr.h +Index: openssl-1.1.1n/include/openssl/dherr.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/dherr.h -+++ openssl-1.1.1j/include/openssl/dherr.h +--- openssl-1.1.1n.orig/include/openssl/dherr.h ++++ openssl-1.1.1n/include/openssl/dherr.h 
@@ -36,6 +36,9 @@ int ERR_load_DH_strings(void); # define DH_F_DH_CMS_DECRYPT 114 # define DH_F_DH_CMS_SET_PEERKEY 115 @@ -10889,10 +10889,10 @@ Index: openssl-1.1.1j/include/openssl/dherr.h # define DH_R_PARAMETER_ENCODING_ERROR 105 # define DH_R_PEER_KEY_ERROR 111 # define DH_R_SHARED_INFO_ERROR 113 -Index: openssl-1.1.1j/include/openssl/dh.h +Index: openssl-1.1.1n/include/openssl/dh.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/dh.h -+++ openssl-1.1.1j/include/openssl/dh.h +--- openssl-1.1.1n.orig/include/openssl/dh.h ++++ openssl-1.1.1n/include/openssl/dh.h @@ -31,6 +31,7 @@ extern "C" { # endif @@ -10901,10 +10901,10 @@ Index: openssl-1.1.1j/include/openssl/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 -Index: openssl-1.1.1j/include/openssl/dsaerr.h +Index: openssl-1.1.1n/include/openssl/dsaerr.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/dsaerr.h -+++ openssl-1.1.1j/include/openssl/dsaerr.h +--- openssl-1.1.1n.orig/include/openssl/dsaerr.h ++++ openssl-1.1.1n/include/openssl/dsaerr.h @@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void); */ # define DSA_F_DSAPARAMS_PRINT 100 @@ -10931,10 +10931,10 @@ Index: openssl-1.1.1j/include/openssl/dsaerr.h # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 -Index: openssl-1.1.1j/include/openssl/dsa.h +Index: openssl-1.1.1n/include/openssl/dsa.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/dsa.h -+++ openssl-1.1.1j/include/openssl/dsa.h +--- openssl-1.1.1n.orig/include/openssl/dsa.h ++++ openssl-1.1.1n/include/openssl/dsa.h @@ -31,6 +31,7 @@ extern "C" { # endif 
@@ -10943,10 +10943,10 @@ Index: openssl-1.1.1j/include/openssl/dsa.h # define DSA_FLAG_CACHE_MONT_P 0x01 # if OPENSSL_API_COMPAT < 0x10100000L -Index: openssl-1.1.1j/include/openssl/evperr.h +Index: openssl-1.1.1n/include/openssl/evperr.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/evperr.h -+++ openssl-1.1.1j/include/openssl/evperr.h +--- openssl-1.1.1n.orig/include/openssl/evperr.h ++++ openssl-1.1.1n/include/openssl/evperr.h @@ -22,14 +22,15 @@ int ERR_load_EVP_strings(void); * EVP function codes. */ @@ -10991,10 +10991,10 @@ Index: openssl-1.1.1j/include/openssl/evperr.h +# define EVP_R_XTS_DUPLICATED_KEYS 192 #endif -Index: openssl-1.1.1j/include/openssl/evp.h +Index: openssl-1.1.1n/include/openssl/evp.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/evp.h -+++ openssl-1.1.1j/include/openssl/evp.h +--- openssl-1.1.1n.orig/include/openssl/evp.h ++++ openssl-1.1.1n/include/openssl/evp.h @@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP */ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4 @@ -11005,10 +11005,10 @@ Index: openssl-1.1.1j/include/openssl/evp.h const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags); void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, -Index: openssl-1.1.1j/include/openssl/fips.h +Index: openssl-1.1.1n/include/openssl/fips.h =================================================================== --- /dev/null -+++ openssl-1.1.1j/include/openssl/fips.h ++++ openssl-1.1.1n/include/openssl/fips.h @@ -0,0 +1,187 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -11197,10 +11197,10 @@ Index: openssl-1.1.1j/include/openssl/fips.h +} +# endif +#endif -Index: openssl-1.1.1j/include/openssl/fips_rand.h +Index: openssl-1.1.1n/include/openssl/fips_rand.h =================================================================== --- /dev/null -+++ openssl-1.1.1j/include/openssl/fips_rand.h ++++ openssl-1.1.1n/include/openssl/fips_rand.h @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11347,10 +11347,10 @@ Index: openssl-1.1.1j/include/openssl/fips_rand.h +# endif +# endif +#endif -Index: openssl-1.1.1j/include/openssl/opensslconf.h.in +Index: openssl-1.1.1n/include/openssl/opensslconf.h.in =================================================================== ---- openssl-1.1.1j.orig/include/openssl/opensslconf.h.in -+++ openssl-1.1.1j/include/openssl/opensslconf.h.in +--- openssl-1.1.1n.orig/include/openssl/opensslconf.h.in ++++ openssl-1.1.1n/include/openssl/opensslconf.h.in @@ -155,6 +155,11 @@ extern "C" { #define RC4_INT {- $config{rc4_int} -} @@ -11363,10 +11363,10 @@ Index: openssl-1.1.1j/include/openssl/opensslconf.h.in #ifdef __cplusplus } #endif -Index: openssl-1.1.1j/include/openssl/randerr.h +Index: openssl-1.1.1n/include/openssl/randerr.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/randerr.h -+++ openssl-1.1.1j/include/openssl/randerr.h +--- openssl-1.1.1n.orig/include/openssl/randerr.h ++++ openssl-1.1.1n/include/openssl/randerr.h @@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void); # define RAND_F_RAND_DRBG_SET 104 # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 
@@ -11375,10 +11375,10 @@ Index: openssl-1.1.1j/include/openssl/randerr.h # define RAND_F_RAND_LOAD_FILE 111 # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 # define RAND_F_RAND_POOL_ADD 103 -Index: openssl-1.1.1j/include/openssl/rand.h +Index: openssl-1.1.1n/include/openssl/rand.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/rand.h -+++ openssl-1.1.1j/include/openssl/rand.h +--- openssl-1.1.1n.orig/include/openssl/rand.h ++++ openssl-1.1.1n/include/openssl/rand.h @@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) # endif @@ -11391,10 +11391,10 @@ Index: openssl-1.1.1j/include/openssl/rand.h #ifdef __cplusplus } -Index: openssl-1.1.1j/include/openssl/rsaerr.h +Index: openssl-1.1.1n/include/openssl/rsaerr.h =================================================================== ---- openssl-1.1.1j.orig/include/openssl/rsaerr.h -+++ openssl-1.1.1j/include/openssl/rsaerr.h +--- openssl-1.1.1n.orig/include/openssl/rsaerr.h ++++ openssl-1.1.1n/include/openssl/rsaerr.h @@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void); */ # define RSA_F_CHECK_PADDING_MD 140 @@ -11450,10 +11450,10 @@ Index: openssl-1.1.1j/include/openssl/rsaerr.h # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 # define RSA_R_VALUE_MISSING 147 # define RSA_R_WRONG_SIGNATURE_LENGTH 119 -Index: openssl-1.1.1j/ssl/s3_lib.c +Index: openssl-1.1.1n/ssl/s3_lib.c =================================================================== ---- openssl-1.1.1j.orig/ssl/s3_lib.c -+++ openssl-1.1.1j/ssl/s3_lib.c +--- openssl-1.1.1n.orig/ssl/s3_lib.c ++++ openssl-1.1.1n/ssl/s3_lib.c @@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, 
@@ -11553,10 +11553,10 @@ Index: openssl-1.1.1j/ssl/s3_lib.c SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, -Index: openssl-1.1.1j/ssl/ssl_ciph.c +Index: openssl-1.1.1n/ssl/ssl_ciph.c =================================================================== ---- openssl-1.1.1j.orig/ssl/ssl_ciph.c -+++ openssl-1.1.1j/ssl/ssl_ciph.c +--- openssl-1.1.1n.orig/ssl/ssl_ciph.c ++++ openssl-1.1.1n/ssl/ssl_ciph.c @@ -385,7 +385,7 @@ int ssl_load_ciphers(void) } } @@ -11585,7 +11585,7 @@ Index: openssl-1.1.1j/ssl/ssl_ciph.c if ((c->algorithm_mkey & disabled_mkey) || (c->algorithm_auth & disabled_auth) || (c->algorithm_enc & disabled_enc) || -@@ -1618,7 +1623,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1619,7 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ for (curr = head; curr != NULL; curr = curr->next) { @@ -11595,10 +11595,10 @@ Index: openssl-1.1.1j/ssl/ssl_ciph.c if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); -Index: openssl-1.1.1j/ssl/ssl_init.c +Index: openssl-1.1.1n/ssl/ssl_init.c =================================================================== ---- openssl-1.1.1j.orig/ssl/ssl_init.c -+++ openssl-1.1.1j/ssl/ssl_init.c +--- openssl-1.1.1n.orig/ssl/ssl_init.c ++++ openssl-1.1.1n/ssl/ssl_init.c @@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " "Adding SSL ciphers and digests\n"); 
@@ -11642,11 +11642,11 @@ Index: openssl-1.1.1j/ssl/ssl_init.c #ifndef OPENSSL_NO_COMP # ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " -Index: openssl-1.1.1j/ssl/ssl_lib.c +Index: openssl-1.1.1n/ssl/ssl_lib.c =================================================================== ---- openssl-1.1.1j.orig/ssl/ssl_lib.c -+++ openssl-1.1.1j/ssl/ssl_lib.c -@@ -2973,6 +2973,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +--- openssl-1.1.1n.orig/ssl/ssl_lib.c ++++ openssl-1.1.1n/ssl/ssl_lib.c +@@ -3025,6 +3025,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; @@ -11658,7 +11658,7 @@ Index: openssl-1.1.1j/ssl/ssl_lib.c if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; -@@ -3029,13 +3034,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +@@ -3081,13 +3086,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (ret->param == NULL) goto err; @@ -11683,10 +11683,10 @@ Index: openssl-1.1.1j/ssl/ssl_lib.c } if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) -Index: openssl-1.1.1j/ssl/ssl_local.h +Index: openssl-1.1.1n/ssl/ssl_local.h =================================================================== ---- openssl-1.1.1j.orig/ssl/ssl_local.h -+++ openssl-1.1.1j/ssl/ssl_local.h +--- openssl-1.1.1n.orig/ssl/ssl_local.h ++++ openssl-1.1.1n/ssl/ssl_local.h @@ -1515,6 +1515,7 @@ typedef struct tls_group_info_st { # define TLS_CURVE_PRIME 0x0 # define TLS_CURVE_CHAR2 0x1 @@ -11695,10 +11695,10 @@ Index: openssl-1.1.1j/ssl/ssl_local.h typedef struct cert_pkey_st CERT_PKEY; -Index: openssl-1.1.1j/ssl/t1_lib.c +Index: openssl-1.1.1n/ssl/t1_lib.c =================================================================== ---- openssl-1.1.1j.orig/ssl/t1_lib.c -+++ openssl-1.1.1j/ssl/t1_lib.c +--- openssl-1.1.1n.orig/ssl/t1_lib.c ++++ openssl-1.1.1n/ssl/t1_lib.c 
@@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] = {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ @@ -11724,10 +11724,10 @@ Index: openssl-1.1.1j/ssl/t1_lib.c ctmp[0] = curve >> 8; ctmp[1] = curve & 0xff; return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); -Index: openssl-1.1.1j/test/dsatest.c +Index: openssl-1.1.1n/test/dsatest.c =================================================================== ---- openssl-1.1.1j.orig/test/dsatest.c -+++ openssl-1.1.1j/test/dsatest.c +--- openssl-1.1.1n.orig/test/dsatest.c ++++ openssl-1.1.1n/test/dsatest.c @@ -24,41 +24,42 @@ #ifndef OPENSSL_NO_DSA static int dsa_cb(int p, int n, BN_GENCB *arg); @@ -11810,10 +11810,10 @@ Index: openssl-1.1.1j/test/dsatest.c goto end; if (!TEST_int_eq(h, 2)) goto end; -Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt +Index: openssl-1.1.1n/test/recipes/30-test_evp_data/evpciph.txt =================================================================== ---- openssl-1.1.1j.orig/test/recipes/30-test_evp_data/evpciph.txt -+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt +--- openssl-1.1.1n.orig/test/recipes/30-test_evp_data/evpciph.txt ++++ openssl-1.1.1n/test/recipes/30-test_evp_data/evpciph.txt @@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000 IV = 00000000000000000000000000000000 Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 @@ -11822,10 +11822,10 @@ Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt Cipher = aes-128-xts Key = 1111111111111111111111111111111122222222222222222222222222222222 -Index: openssl-1.1.1j/util/libcrypto.num +Index: openssl-1.1.1n/util/libcrypto.num =================================================================== ---- openssl-1.1.1j.orig/util/libcrypto.num -+++ openssl-1.1.1j/util/libcrypto.num +--- openssl-1.1.1n.orig/util/libcrypto.num ++++ openssl-1.1.1n/util/libcrypto.num 
@@ -4591,3 +4591,38 @@ X509_ALGOR_copy X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION: X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION: @@ -11865,10 +11865,10 @@ Index: openssl-1.1.1j/util/libcrypto.num +FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: +FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: +FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: -Index: openssl-1.1.1j/crypto/err/openssl.txt +Index: openssl-1.1.1n/crypto/err/openssl.txt =================================================================== ---- openssl-1.1.1j.orig/crypto/err/openssl.txt -+++ openssl-1.1.1j/crypto/err/openssl.txt +--- openssl-1.1.1n.orig/crypto/err/openssl.txt ++++ openssl-1.1.1n/crypto/err/openssl.txt @@ -822,6 +822,57 @@ EVP_F_RC5_CTRL:125:rc5_ctrl EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl @@ -11927,7 +11927,7 @@ Index: openssl-1.1.1j/crypto/err/openssl.txt KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init -@@ -2315,6 +2366,61 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor +@@ -2318,6 +2369,61 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys diff --git a/openssl-1.1.1m.tar.gz b/openssl-1.1.1m.tar.gz deleted file mode 100644 index 2dbcc1a..0000000 --- a/openssl-1.1.1m.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96 -size 9847315 diff --git a/openssl-1.1.1m.tar.gz.asc b/openssl-1.1.1m.tar.gz.asc deleted file mode 100644 index 2984c97..0000000 --- a/openssl-1.1.1m.tar.gz.asc +++ /dev/null 
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4vAIACgkQ2cTSbQ5g
-RJGVWAf+IpYlKvWAi6q5WboXgDldXxmvhV8jwxzLzxeMmbNKpxJN5D2JwNCa/q1C
-l7BXb03/jbfAtftWZmHhVmH8FSyhpXGgBizV3/T2KrvHzMHME6Qr22sm7R4Matk/
-xybhArBar4FgewnXW4STaGC1E9GLRIEA6F6+JbsrTOQjnylbej9OA1te3oGwgk+F
-SVzWXJeeAAv6Xf35GBcz/IPU95ZjiRIaNzCi/aoohRH7F/L+8Tk500e37s9ewxxh
-ZF6e7PoH9AolsxrGk2tf2MhyRLYWy6hKyNqBtMoFPhCVtmPXnv83NIotp5rY+C5w
-IzK9hyGWYGkqD6kvfniRYoiBZuWrlg==
-=WsEt
------END PGP SIGNATURE-----
diff --git a/openssl-1.1.1n.tar.gz b/openssl-1.1.1n.tar.gz
new file mode 100644
index 0000000..b5eceb1
--- /dev/null
+++ b/openssl-1.1.1n.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a
+size 9850712
diff --git a/openssl-1.1.1n.tar.gz.asc b/openssl-1.1.1n.tar.gz.asc
new file mode 100644
index 0000000..4aab072
--- /dev/null
+++ b/openssl-1.1.1n.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwpMEACgkQ2cTSbQ5g
+RJFrAAf+MXlAhQMap5pGG+vj0elF2FS6uCR2hwV1e1w/SJpQkU64BWVgEj3nim86
+DR8NyMgS+SJvkRlB55xqcC1DD4YGYefBHeMeFBjE1+MihJtwa6qHDCG5oYoYigTe
+rp9smDdzD+Mu3bHhdMw6rJbgQUktQPM4NgiECsbG0Fr/FbNUbHerOs74kZ9YqJPp
+8FCVKSSISicc/KdOIo22ezKDBhOZ4vPjYi5Iqk8zZXJHWjDWpjmegdHPXiZCOksZ
+l8VJS96A+xYQkp5MyByaYw6q12WcIwAaluljMMxvwh8uQT/xAsfutKIMVT63nk8+
+EMk32q66Rma68oAyRLX9iwTbvEARZg==
+=Lw3S
+-----END PGP SIGNATURE-----
diff --git a/openssl-1_1.changes b/openssl-1_1.changes
index ad423d7..697a826 100644
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Mar 15 17:41:47 UTC 2022 - Pedro Monreal + +- Update to 1.1.1n: [bsc#1196877, CVE-2022-0778] + * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli + in BN_mod_sqrt() reachable when parsing certificates. + * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK + (RFC 5489) to the list of ciphersuites providing Perfect Forward + Secrecy as required by SECLEVEL >= 3. + * Rebase openssl-1.1.1-fips.patch openssl-1.1.1-evp-kdf.patch + ------------------------------------------------------------------- Fri Mar 4 13:11:14 UTC 2022 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index f3e7b73..7e8946b 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -41,7 +41,7 @@ %define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" package! -Version: 1.1.1m +Version: 1.1.1n Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL