From ae4e19d8e5e3d8ba3732be256df26a957a8e89d26c8aa239ae6a918a169b0c3a Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Mon, 14 Dec 2020 11:20:34 +0000 Subject: [PATCH 1/9] Accepting request 854071 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1i (bsc#1179491) * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) OBS-URL: https://build.opensuse.org/request/show/854071 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=76 --- openssl-1.1.1-fips-post-rand.patch | 50 +++++++++++++++--------------- openssl-1.1.1h.tar.gz | 3 -- openssl-1.1.1h.tar.gz.asc | 11 ------- openssl-1.1.1i.tar.gz | 3 ++ openssl-1.1.1i.tar.gz.asc | 11 +++++++ openssl-1_1.changes | 6 ++++ openssl-1_1.spec | 2 +- 7 files changed, 46 insertions(+), 40 deletions(-) delete mode 100644 openssl-1.1.1h.tar.gz delete mode 100644 openssl-1.1.1h.tar.gz.asc create mode 100644 openssl-1.1.1i.tar.gz create mode 100644 openssl-1.1.1i.tar.gz.asc diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch index 0088c6c..8b0db97 100644 --- a/openssl-1.1.1-fips-post-rand.patch +++ b/openssl-1.1.1-fips-post-rand.patch @@ -1,7 +1,7 @@ -Index: openssl-1.1.1e/crypto/fips/fips.c +Index: openssl-1.1.1i/crypto/fips/fips.c =================================================================== ---- openssl-1.1.1e.orig/crypto/fips/fips.c 2020-03-20 14:08:12.235758574 +0100 -+++ openssl-1.1.1e/crypto/fips/fips.c 2020-03-20 14:08:13.787766679 +0100 +--- openssl-1.1.1i.orig/crypto/fips/fips.c 2020-12-08 16:46:23.666760618 +0100 ++++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-08 16:46:25.626772700 +0100 @@ -68,6 +68,7 @@ # include @@ -52,10 +52,10 @@ Index: openssl-1.1.1e/crypto/fips/fips.c ret = 1; goto end; } -Index: openssl-1.1.1e/include/crypto/fips_int.h +Index: openssl-1.1.1i/include/crypto/fips_int.h =================================================================== ---- openssl-1.1.1e.orig/include/crypto/fips_int.h 2020-03-20 14:08:12.239758595 +0100 -+++ openssl-1.1.1e/include/crypto/fips_int.h 2020-03-20 14:08:13.787766679 +0100 +--- openssl-1.1.1i.orig/include/crypto/fips_int.h 2020-12-08 16:46:23.666760618 +0100 ++++ openssl-1.1.1i/include/crypto/fips_int.h 2020-12-08 16:46:25.626772700 +0100 @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); int FIPS_selftest_drbg(void); int FIPS_selftest_cmac(void); @@ -65,10 +65,10 @@ Index: openssl-1.1.1e/include/crypto/fips_int.h int fips_pkey_signature_test(EVP_PKEY *pkey, const unsigned char *tbs, int tbslen, const unsigned char *kat, -Index: openssl-1.1.1e/include/crypto/rand.h +Index: openssl-1.1.1i/include/crypto/rand.h =================================================================== ---- openssl-1.1.1e.orig/include/crypto/rand.h 2020-03-20 14:08:12.239758595 +0100 -+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-20 14:08:13.791766699 +0100 +--- openssl-1.1.1i.orig/include/crypto/rand.h 2020-12-08 16:46:23.670760642 +0100 ++++ openssl-1.1.1i/include/crypto/rand.h 2020-12-08 16:46:25.626772700 +0100 @@ -24,6 +24,7 @@ typedef struct rand_pool_st RAND_POOL; @@ -77,11 +77,11 @@ Index: openssl-1.1.1e/include/crypto/rand.h void rand_drbg_cleanup_int(void); void drbg_delete_thread_state(void); -Index: openssl-1.1.1e/crypto/rand/drbg_lib.c +Index: openssl-1.1.1i/crypto/rand/drbg_lib.c =================================================================== ---- openssl-1.1.1e.orig/crypto/rand/drbg_lib.c 2020-03-20 14:08:12.239758595 +0100 -+++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-20 14:08:13.791766699 +0100 -@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg +--- openssl-1.1.1i.orig/crypto/rand/drbg_lib.c 2020-12-08 16:46:23.670760642 +0100 ++++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-08 16:46:25.626772700 +0100 +@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg return min_entropy > min_entropylen ? min_entropy : min_entropylen; } @@ -102,10 +102,10 @@ Index: openssl-1.1.1e/crypto/rand/drbg_lib.c /* Implements the default OpenSSL RAND_add() method */ static int drbg_add(const void *buf, int num, double randomness) { -Index: openssl-1.1.1e/crypto/rand/rand_unix.c +Index: openssl-1.1.1i/crypto/rand/rand_unix.c =================================================================== ---- openssl-1.1.1e.orig/crypto/rand/rand_unix.c 2020-03-20 14:08:12.239758595 +0100 -+++ openssl-1.1.1e/crypto/rand/rand_unix.c 2020-03-20 14:08:41.763912735 +0100 +--- openssl-1.1.1i.orig/crypto/rand/rand_unix.c 2020-12-08 16:46:23.670760642 +0100 ++++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-08 16:47:33.695192297 +0100 @@ -17,10 +17,12 @@ #include #include "rand_local.h" @@ -119,7 +119,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c # ifdef DEVRANDOM_WAIT # include # include -@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf, +@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf, * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. */ @@ -128,15 +128,15 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c { /* * Note: 'buflen' equals the size of the buffer which is used by the -@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf, - * - Linux since 3.17 with glibc 2.25 - * - FreeBSD since 12.0 (1200061) +@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf, + * Note: Sometimes getentropy() can be provided but not implemented + * internally. So we need to check errno for ENOSYS */ +# if 0 # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) extern int getentropy(void *buffer, size_t length) __attribute__((weak)); -@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf, +@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf, if (p_getentropy.p != NULL) return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; # endif @@ -150,7 +150,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) return sysctl_random(buf, buflen); # else -@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO size_t entropy_available; # if defined(OPENSSL_RAND_SEED_GETRANDOM) @@ -160,7 +160,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c { size_t bytes_needed; unsigned char *buffer; -@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); @@ -169,7 +169,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c if (bytes > 0) { rand_pool_add_end(pool, bytes, 8 * bytes); bytes_needed -= bytes; -@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO int attempts = 3; const int fd = get_random_device(i); @@ -181,7 +181,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); -@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO return entropy_available; } # endif diff --git a/openssl-1.1.1h.tar.gz b/openssl-1.1.1h.tar.gz deleted file mode 100644 index 8610c3e..0000000 --- a/openssl-1.1.1h.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9 -size 9810045 diff --git a/openssl-1.1.1h.tar.gz.asc b/openssl-1.1.1h.tar.gz.asc deleted file mode 100644 index b975d1a..0000000 --- a/openssl-1.1.1h.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl9p9DIACgkQ2cTSbQ5g -RJFkgAf/cEJVx8pptVMXRtbh9aBl73I12y+xURVt0WJ7Z6Uwotisq9otypUQH1kb -H7IULXo7SnCjpouJQzAKCh8muv7jz7yquL19q0s4uh46Qdz57tIdfJap/F/eGwR8 -wPnciGtl9P+8uSsPTro9VlEjQRCTvGKXna35V3CilXx2zpP3X9izcUed8Irfcp0o -eWi9W0NhG4HJZOA7RNbfp8fGLCpfp364z1fcXeQFaZFdtiqdl5qKQ0/rt52ji+fs -M71jFvhPU3jyb921cFWO6CQN9O9+MUu02AWCYIm2VPkcqrhOQ5JoCyPsnv3ClE1v -X0TYTMIwnqNZ9UZsgsnIzAg2VxZDDw== -=kMzM ------END PGP SIGNATURE----- diff --git a/openssl-1.1.1i.tar.gz b/openssl-1.1.1i.tar.gz new file mode 100644 index 0000000..dd60ad5 --- /dev/null +++ b/openssl-1.1.1i.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242 +size 9808346 diff --git a/openssl-1.1.1i.tar.gz.asc b/openssl-1.1.1i.tar.gz.asc new file mode 100644 index 0000000..5a496a1 --- /dev/null +++ b/openssl-1.1.1i.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl/PfcIACgkQ2cTSbQ5g +RJHxYQf8DFul2uhHXbiCxshH7PiOh/TgjEMrdjUMTerYv6dssTcOF08UY7kjXdwV +7WJ61XcDo6m6vpzqZDuz/rbMqTmNP1z8ShQ80T4DQus+QHp9zMkNDWcUFTpv2vSc +PYTHtlBk49zDXJiRNBtWx0UjiVvcUtrDoTf/X0n/2ucqebniHxOSIFG9i/nhE5iP +a+0ccguS9eoq4cphWmSWRQrzweNWjfJUm6kcFBUYek5cVM6JVYMDJRjwwe14lWVP +vVMADBMc6eQFkBD/f/cI0QrFKfB6/ObTgRLqT2aNFgaSHHKvqtjLaB+haldz8oHm +F9orllkrd9bTCxit2kEGHBKg4EjKLw== +=K/1H +-----END PGP SIGNATURE----- diff --git a/openssl-1_1.changes b/openssl-1_1.changes index aad2525..0e73935 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Dec 8 15:43:32 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1i (bsc#1179491) + * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) + ------------------------------------------------------------------- Thu Nov 19 10:54:53 UTC 2020 - Vítězslav Čížek diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 57a1b2d..e50d802 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -21,7 +21,7 @@ %define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" package! -Version: 1.1.1h +Version: 1.1.1i Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL From 55671aee4d33eb51e3c7a4604dfe7da8ee247f7661b7588732e853861798876b Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Mon, 14 Dec 2020 11:22:02 +0000 Subject: [PATCH 2/9] Accepting request 855722 from home:pmonrealgonzalez:branches:security:tls - Refresh openssl-1.1.1-fips-post-rand.patch OBS-URL: https://build.opensuse.org/request/show/855722 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=77 --- openssl-1_1.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 0e73935..fbea441 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -3,6 +3,7 @@ Tue Dec 8 15:43:32 UTC 2020 - Vítězslav Čížek - Update to 1.1.1i (bsc#1179491) * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) +- Refresh openssl-1.1.1-fips-post-rand.patch ------------------------------------------------------------------- Thu Nov 19 10:54:53 UTC 2020 - Vítězslav Čížek From 0e5c7b7193fab22cc2b4b80417789077b9cd65956b5d576435f0743e423be555 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Tue, 22 Dec 2020 09:44:19 +0000 Subject: [PATCH 3/9] Accepting request 858095 from home:pmonrealgonzalez:branches:security:tls - Require the crypto-policies package [bsc#1180051] OBS-URL: https://build.opensuse.org/request/show/858095 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=79 --- openssl-1_1.changes | 5 +++++ openssl-1_1.spec | 29 +++++++++++++++-------------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/openssl-1_1.changes b/openssl-1_1.changes index fbea441..6257c41 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal + +- Require the crypto-policies package [bsc#1180051] + ------------------------------------------------------------------- Tue Dec 8 15:43:32 UTC 2020 - Vítězslav Čížek diff --git a/openssl-1_1.spec b/openssl-1_1.spec index e50d802..da923a7 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -106,6 +106,7 @@ OpenSSL contains an implementation of the SSL and TLS protocols. Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security +Requires: crypto-policies Recommends: ca-certificates-mozilla # install libopenssl and libopenssl-hmac close together (bsc#1090765) Suggests: libopenssl1_1-hmac = %{version}-%{release} @@ -234,21 +235,21 @@ pushd %{buildroot}/%{_mandir} #for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } for i in man?/*; do - if test -L $i ; then - LDEST=`readlink $i` - rm -f $i ${i}ssl - ln -sf ${LDEST}ssl ${i}ssl - else - mv $i ${i}ssl + if test -L $i ; then + LDEST=`readlink $i` + rm -f $i ${i}ssl + ln -sf ${LDEST}ssl ${i}ssl + else + mv $i ${i}ssl fi - case "$i" in - *.1) - # these are the pages mentioned in openssl(1). They go into the main package. - echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;; - *) - # the rest goes into the openssl-doc package. - echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;; - esac + case "$i" in + *.1) + # these are the pages mentioned in openssl(1). They go into the main package. + echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;; + *) + # the rest goes into the openssl-doc package. + echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;; + esac done popd From 15b55e8cea1aedb03a2614ed1815a85de8027a937e04427993ae19e27143f02b Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Thu, 7 Jan 2021 12:04:52 +0000 Subject: [PATCH 4/9] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=80 --- openssl-1_1.changes | 5 ----- openssl-1_1.spec | 3 +-- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 6257c41..fbea441 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,8 +1,3 @@ -------------------------------------------------------------------- -Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal - -- Require the crypto-policies package [bsc#1180051] - ------------------------------------------------------------------- Tue Dec 8 15:43:32 UTC 2020 - Vítězslav Čížek diff --git a/openssl-1_1.spec b/openssl-1_1.spec index da923a7..9498ab9 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -1,7 +1,7 @@ # # spec file for package openssl-1_1 # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -106,7 +106,6 @@ OpenSSL contains an implementation of the SSL and TLS protocols. Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security -Requires: crypto-policies Recommends: ca-certificates-mozilla # install libopenssl and libopenssl-hmac close together (bsc#1090765) Suggests: libopenssl1_1-hmac = %{version}-%{release} From 3a839dd9e9f127ac4317f118a38ff8c43f1574d675bb7067db9b53b5b55c3b6e Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Thu, 7 Jan 2021 13:09:26 +0000 Subject: [PATCH 5/9] - Require the crypto-policies package [bsc#1180051] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=81 --- openssl-1_1.changes | 5 +++++ openssl-1_1.spec | 1 + 2 files changed, 6 insertions(+) diff --git a/openssl-1_1.changes b/openssl-1_1.changes index fbea441..6257c41 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal + +- Require the crypto-policies package [bsc#1180051] + ------------------------------------------------------------------- Tue Dec 8 15:43:32 UTC 2020 - Vítězslav Čížek diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 9498ab9..6361cb4 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -106,6 +106,7 @@ OpenSSL contains an implementation of the SSL and TLS protocols. Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security +Requires: crypto-policies Recommends: ca-certificates-mozilla # install libopenssl and libopenssl-hmac close together (bsc#1090765) Suggests: libopenssl1_1-hmac = %{version}-%{release} From 3d07044ba3e457d04f0a52070bd849cb31e64ee75995b121243eef32256a9b42 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Thu, 21 Jan 2021 14:53:39 +0000 Subject: [PATCH 6/9] Accepting request 865443 from home:pmonrealgonzalez:branches:security:tls - Disable test_srp subsection from 90-test_sslapi.t test - Use SECLEVEL 2 in 80-test_ssl_new.t - Add patches: * openssl-1_1-use-seclevel2-in-tests.patch * openssl-1_1-disable-test_srp-sslapi.patch - Allow SHA1 in SECLEVEL 2 in non-FIPS mode - Add openssl-1_1-seclevel.patch OBS-URL: https://build.opensuse.org/request/show/865443 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=82 --- openssl-1_1-disable-test_srp-sslapi.patch | 13 ++ openssl-1_1-seclevel.patch | 160 ++++++++++++++++++++++ openssl-1_1-use-seclevel2-in-tests.patch | 38 +++++ openssl-1_1.changes | 15 ++ openssl-1_1.spec | 8 +- 5 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 openssl-1_1-disable-test_srp-sslapi.patch create mode 100644 openssl-1_1-seclevel.patch create mode 100644 openssl-1_1-use-seclevel2-in-tests.patch diff --git a/openssl-1_1-disable-test_srp-sslapi.patch b/openssl-1_1-disable-test_srp-sslapi.patch new file mode 100644 index 0000000..0699791 --- /dev/null +++ b/openssl-1_1-disable-test_srp-sslapi.patch @@ -0,0 +1,13 @@ +Index: openssl-1.1.1i/test/sslapitest.c +=================================================================== +--- openssl-1.1.1i.orig/test/sslapitest.c ++++ openssl-1.1.1i/test/sslapitest.c +@@ -6766,7 +6766,7 @@ int setup_tests(void) + #endif + ADD_ALL_TESTS(test_ssl_clear, 2); + ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); +-#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) ++#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) && 0 + ADD_ALL_TESTS(test_srp, 6); + #endif + ADD_ALL_TESTS(test_info_callback, 6); diff --git a/openssl-1_1-seclevel.patch b/openssl-1_1-seclevel.patch new file mode 100644 index 0000000..e7cce59 --- /dev/null +++ b/openssl-1_1-seclevel.patch @@ -0,0 +1,160 @@ +diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c +--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200 +@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c + } + + static const int minbits_table[] = { 80, 112, 128, 192, 256 }; ++static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 }; + static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); + + /* +@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT + + if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) + return 0; +- +- return secbits >= minbits_table[level - 1]; ++ /* ++ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic ++ * disable SHA1 flag is not set. ++ */ ++ if ((ctx->param->flags & 0x40000000) || FIPS_mode()) ++ return secbits >= minbits_table[level - 1]; ++ return secbits >= minbits_digest_table[level - 1]; + } +diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod +--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200 +@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited + + =item B + +-Security level set to 112 bits of security. As a result RSA, DSA and DH keys +-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. ++Security level set to 112 bits of security with the exception of SHA1 allowed ++for signatures. ++As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys ++shorter than 224 bits are prohibited. + In addition to the level 1 exclusions any cipher suite using RC4 is also + prohibited. SSL version 3 is also not allowed. Compression is disabled. + +diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c +--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200 +@@ -27,6 +27,7 @@ + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, + int op, int bits, int nid, void *other, + void *ex); ++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx); + + static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT; + static volatile int ssl_x509_store_ctx_idx = -1; +@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_ + X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s)); + + /* Set suite B flags if needed */ +- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s)); ++ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL)); + if (!X509_STORE_CTX_set_ex_data + (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) { + goto end; +@@ -953,12 +954,33 @@ static int ssl_security_default_callback + return 0; + break; + default: ++ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */ ++ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx)) ++ break; + if (bits < minbits) + return 0; + } + return 1; + } + ++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx) ++{ ++ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */ ++ const CERT *c; ++ ++ if (FIPS_mode()) ++ return ret; ++ ++ if (ctx != NULL) { ++ c = ctx->cert; ++ } else { ++ c = s->cert; ++ } ++ if (tls1_cert_sigalgs_have_sha1(c)) ++ return 0; ++ return ret; ++} ++ + int ssl_security(const SSL *s, int op, int bits, int nid, void *other) + { + return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex); +diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h +--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200 ++++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200 +@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC + __owur int tls1_process_sigalgs(SSL *s); + __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey); + __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd); ++int tls1_cert_sigalgs_have_sha1(const CERT *c); + __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); + # ifndef OPENSSL_NO_EC + __owur int tls_check_sigalg_curve(const SSL *s, int curve); +diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c +--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200 ++++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200 +@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int + return 0; + } + ++static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen) ++{ ++ size_t i; ++ ++ for (i = 0; i < sigalgslen; i++, sigalgs++) { ++ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs); ++ ++ if (lu == NULL) ++ continue; ++ if (lu->hash == NID_sha1) ++ return 1; ++ } ++ return 0; ++} ++ ++ ++int tls1_cert_sigalgs_have_sha1(const CERT *c) ++{ ++ if (c->client_sigalgs != NULL) { ++ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen)) ++ return 1; ++ } ++ if (c->conf_sigalgs != NULL) { ++ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen)) ++ return 1; ++ return 0; ++ } ++ return 1; ++} ++ + static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) + { + int sig_nid, use_pc_sigalgs = 0; +diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t +--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200 +@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver + ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ), + "CA with PSS signature using SHA256"); + +-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), +- "Reject PSS signature using SHA1 and auth level 2"); ++ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"), ++ "Reject PSS signature using SHA1 and auth level 3"); + + ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), + "PSS signature using SHA256 and auth level 2"); diff --git a/openssl-1_1-use-seclevel2-in-tests.patch b/openssl-1_1-use-seclevel2-in-tests.patch new file mode 100644 index 0000000..ca321ce --- /dev/null +++ b/openssl-1_1-use-seclevel2-in-tests.patch @@ -0,0 +1,38 @@ +Index: openssl-1.1.1d/test/ssl_test.c +=================================================================== +--- openssl-1.1.1d.orig/test/ssl_test.c ++++ openssl-1.1.1d/test/ssl_test.c +@@ -435,6 +440,7 @@ static int test_handshake(int idx) + #endif + if (test_ctx->method == SSL_TEST_METHOD_TLS) { + server_ctx = SSL_CTX_new(TLS_server_method()); ++ SSL_CTX_set_security_level(server_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, + TLS_MAX_VERSION))) + goto err; +@@ -443,21 +449,25 @@ static int test_handshake(int idx) + SSL_TEST_SERVERNAME_CB_NONE) { + if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method()))) + goto err; ++ SSL_CTX_set_security_level(server2_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, + TLS_MAX_VERSION))) + goto err; + } + client_ctx = SSL_CTX_new(TLS_client_method()); ++ SSL_CTX_set_security_level(client_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, + TLS_MAX_VERSION))) + goto err; + + if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) { + resume_server_ctx = SSL_CTX_new(TLS_server_method()); ++ SSL_CTX_set_security_level(resume_server_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, + TLS_MAX_VERSION))) + goto err; + resume_client_ctx = SSL_CTX_new(TLS_client_method()); ++ SSL_CTX_set_security_level(resume_client_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, + TLS_MAX_VERSION))) + goto err; diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 6257c41..5d11cad 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Jan 20 15:59:01 UTC 2021 - Pedro Monreal + +- Disable test_srp subsection from 90-test_sslapi.t test +- Use SECLEVEL 2 in 80-test_ssl_new.t +- Add patches: + * openssl-1_1-use-seclevel2-in-tests.patch + * openssl-1_1-disable-test_srp-sslapi.patch + +------------------------------------------------------------------- +Fri Jan 8 17:49:33 UTC 2021 - Pedro Monreal + +- Allow SHA1 in SECLEVEL 2 in non-FIPS mode +- Add openssl-1_1-seclevel.patch + ------------------------------------------------------------------- Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 6361cb4..9b40f36 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -87,6 +87,10 @@ Patch47: openssl-unknown_dgst.patch Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch Patch52: openssl-1.1.1-system-cipherlist.patch +# PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration +Patch53: openssl-1_1-seclevel.patch +Patch54: openssl-1_1-use-seclevel2-in-tests.patch +Patch55: openssl-1_1-disable-test_srp-sslapi.patch BuildRequires: pkgconfig Conflicts: ssl Provides: ssl @@ -212,8 +216,10 @@ make all %{?_smp_mflags} %check export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +#export HARNESS_VERBOSE=1 LD_LIBRARY_PATH=`pwd` make test -j1 -# show cyphers + +# show ciphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers From 083820900d6a31471facdb76c6db166b4682ca7e047fd743e0c1ec97207a5c98 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Fri, 5 Feb 2021 15:53:45 +0000 Subject: [PATCH 7/9] Accepting request 869551 from home:jsikes:branches:security:tls Small fix. Enjoy! OBS-URL: https://build.opensuse.org/request/show/869551 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=83 --- openssl-1_1.changes | 9 +++++++ openssl-1_1.spec | 1 + openssl-zero-pad-DHE-public-key.patch | 39 +++++++++++++++++++++++++++ 3 files changed, 49 insertions(+) create mode 100644 openssl-zero-pad-DHE-public-key.patch diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 5d11cad..d184400 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes + +- Zero pad the DHE public key in ClientKeyExchange for interoperability with + Windows Server 2019. + * openssl-zero-pad-DHE-public-key.patch + * bsc#1181796 + * sourced from https://github.com/openssl/openssl/pull/12331/files + ------------------------------------------------------------------- Wed Jan 20 15:59:01 UTC 2021 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 9b40f36..602c57d 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -91,6 +91,7 @@ Patch52: openssl-1.1.1-system-cipherlist.patch Patch53: openssl-1_1-seclevel.patch Patch54: openssl-1_1-use-seclevel2-in-tests.patch Patch55: openssl-1_1-disable-test_srp-sslapi.patch +Patch56: openssl-zero-pad-DHE-public-key.patch BuildRequires: pkgconfig Conflicts: ssl Provides: ssl diff --git a/openssl-zero-pad-DHE-public-key.patch b/openssl-zero-pad-DHE-public-key.patch new file mode 100644 index 0000000..1e9e9ff --- /dev/null +++ b/openssl-zero-pad-DHE-public-key.patch @@ -0,0 +1,39 @@ +Index: openssl-1.1.1i/ssl/statem/statem_clnt.c +=================================================================== +--- openssl-1.1.1i.orig/ssl/statem/statem_clnt.c ++++ openssl-1.1.1i/ssl/statem/statem_clnt.c +@@ -3057,9 +3057,9 @@ static int tls_construct_cke_dhe(SSL *s, + { + #ifndef OPENSSL_NO_DH + DH *dh_clnt = NULL; +- const BIGNUM *pub_key; + EVP_PKEY *ckey = NULL, *skey = NULL; + unsigned char *keybytes = NULL; ++ int prime_len; + + skey = s->s3->peer_tmp; + if (skey == NULL) { +@@ -3089,15 +3089,19 @@ static int tls_construct_cke_dhe(SSL *s, + } + + /* send off the data */ +- DH_get0_key(dh_clnt, &pub_key, NULL); +- if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), +- &keybytes)) { ++ prime_len = BN_num_bytes(DH_get0_p(dh_clnt)); ++ /* ++ * For interoperability with some versions of the Microsoft TLS ++ * stack, we need to zero pad the DHE pub key to the same length ++ * as the prime, so use the length of the prime here. ++ */ ++ if (!WPACKET_sub_allocate_bytes_u16(pkt, prime_len, &keybytes) ++ || BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len) < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, + ERR_R_INTERNAL_ERROR); + goto err; + } + +- BN_bn2bin(pub_key, keybytes); + EVP_PKEY_free(ckey); + + return 1; From 1f67f5cc44f82df500065ab248ba73768f7355f0f0bd6630d03b2153406d73c9 Mon Sep 17 00:00:00 2001 From: Jason Sikes Date: Sat, 6 Feb 2021 23:06:18 +0000 Subject: [PATCH 8/9] Accepting request 869986 from home:jsikes:branches:security:tls Small change to undo another small change. Sorry. OBS-URL: https://build.opensuse.org/request/show/869986 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=84 --- openssl-1_1.changes | 7 +++++ openssl-1_1.spec | 1 - openssl-zero-pad-DHE-public-key.patch | 39 --------------------------- 3 files changed, 7 insertions(+), 40 deletions(-) delete mode 100644 openssl-zero-pad-DHE-public-key.patch diff --git a/openssl-1_1.changes b/openssl-1_1.changes index d184400..541f288 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sat Feb 6 14:44:12 UTC 2021 - Jason Sikes + +- Removed patch because it was causing problems with other servers. + * openssl-zero-pad-DHE-public-key.patch + * bsc#1181796 + ------------------------------------------------------------------- Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 602c57d..9b40f36 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -91,7 +91,6 @@ Patch52: openssl-1.1.1-system-cipherlist.patch Patch53: openssl-1_1-seclevel.patch Patch54: openssl-1_1-use-seclevel2-in-tests.patch Patch55: openssl-1_1-disable-test_srp-sslapi.patch -Patch56: openssl-zero-pad-DHE-public-key.patch BuildRequires: pkgconfig Conflicts: ssl Provides: ssl diff --git a/openssl-zero-pad-DHE-public-key.patch b/openssl-zero-pad-DHE-public-key.patch deleted file mode 100644 index 1e9e9ff..0000000 --- a/openssl-zero-pad-DHE-public-key.patch +++ /dev/null @@ -1,39 +0,0 @@ -Index: openssl-1.1.1i/ssl/statem/statem_clnt.c -=================================================================== ---- openssl-1.1.1i.orig/ssl/statem/statem_clnt.c -+++ openssl-1.1.1i/ssl/statem/statem_clnt.c -@@ -3057,9 +3057,9 @@ static int tls_construct_cke_dhe(SSL *s, - { - #ifndef OPENSSL_NO_DH - DH *dh_clnt = NULL; -- const BIGNUM *pub_key; - EVP_PKEY *ckey = NULL, *skey = NULL; - unsigned char *keybytes = NULL; -+ int prime_len; - - skey = s->s3->peer_tmp; - if (skey == NULL) { -@@ -3089,15 +3089,19 @@ static int tls_construct_cke_dhe(SSL *s, - } - - /* send off the data */ -- DH_get0_key(dh_clnt, &pub_key, NULL); -- if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), -- &keybytes)) { -+ prime_len = BN_num_bytes(DH_get0_p(dh_clnt)); -+ /* -+ * For interoperability with some versions of the Microsoft TLS -+ * stack, we need to zero pad the DHE pub key to the same length -+ * as the prime, so use the length of the prime here. -+ */ -+ if (!WPACKET_sub_allocate_bytes_u16(pkt, prime_len, &keybytes) -+ || BN_bn2binpad(DH_get0_pub_key(dh_clnt), keybytes, prime_len) < 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, - ERR_R_INTERNAL_ERROR); - goto err; - } - -- BN_bn2bin(pub_key, keybytes); - EVP_PKEY_free(ckey); - - return 1; From a13839c7c6b50af4e5806fe37a4b29afe08e0eef0b9eef202c03766be59c3cc3 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Mon, 22 Feb 2021 12:20:01 +0000 Subject: [PATCH 9/9] Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85 --- openssl-1.1.0-issuer-hash.patch | 8 +- openssl-1.1.1-evp-kdf.patch | 260 +++++++------- openssl-1.1.1-fips.patch | 607 ++++++++++++++++---------------- openssl-1.1.1i.tar.gz | 3 - openssl-1.1.1i.tar.gz.asc | 11 - openssl-1.1.1j.tar.gz | 3 + openssl-1.1.1j.tar.gz.asc | 11 + openssl-1_1.changes | 36 ++ openssl-1_1.spec | 6 +- 9 files changed, 493 insertions(+), 452 deletions(-) delete mode 100644 openssl-1.1.1i.tar.gz delete mode 100644 openssl-1.1.1i.tar.gz.asc create mode 100644 openssl-1.1.1j.tar.gz create mode 100644 openssl-1.1.1j.tar.gz.asc diff --git a/openssl-1.1.0-issuer-hash.patch b/openssl-1.1.0-issuer-hash.patch index 4e1337e..f10e676 100644 --- a/openssl-1.1.0-issuer-hash.patch +++ b/openssl-1.1.0-issuer-hash.patch @@ -1,12 +1,12 @@ -Index: openssl-1.1.1d/crypto/x509/x509_cmp.c +Index: openssl-1.1.1j/crypto/x509/x509_cmp.c =================================================================== ---- openssl-1.1.1d.orig/crypto/x509/x509_cmp.c 2019-09-10 15:13:07.000000000 +0200 -+++ openssl-1.1.1d/crypto/x509/x509_cmp.c 2020-01-23 13:45:11.404634047 +0100 +--- openssl-1.1.1j.orig/crypto/x509/x509_cmp.c ++++ openssl-1.1.1j/crypto/x509/x509_cmp.c @@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has if (ctx == NULL) goto err; + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); - if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) + if (f == NULL) goto err; diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch index 54710f6..1fdd9a4 100644 --- a/openssl-1.1.1-evp-kdf.patch +++ b/openssl-1.1.1-evp-kdf.patch @@ -1,8 +1,8 @@ -Index: openssl-1.1.1e/crypto/err/openssl.txt +Index: openssl-1.1.1j/crypto/err/openssl.txt =================================================================== ---- openssl-1.1.1e.orig/crypto/err/openssl.txt 2020-03-20 14:37:07.940876078 +0100 -+++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-20 16:12:06.574822921 +0100 -@@ -753,6 +753,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn +--- openssl-1.1.1j.orig/crypto/err/openssl.txt ++++ openssl-1.1.1j/crypto/err/openssl.txt +@@ -754,6 +754,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate @@ -12,7 +12,7 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex EVP_F_EVP_MD_SIZE:162:EVP_MD_size EVP_F_EVP_OPENINIT:102:EVP_OpenInit -@@ -815,12 +818,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k +@@ -816,12 +819,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen @@ -44,7 +44,7 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init -@@ -832,6 +854,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc +@@ -833,6 +855,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init @@ -52,15 +52,15 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid -@@ -2284,6 +2307,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on +@@ -2290,6 +2313,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ operation not supported for this keytype EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized +EVP_R_PARAMETER_TOO_LARGE:187:parameter too large + EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PBKDF2_ERROR:181:pbkdf2 error - EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ -@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed +@@ -2327,6 +2351,7 @@ KDF_R_MISSING_SEED:106:missing seed KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type KDF_R_VALUE_ERROR:108:value error KDF_R_VALUE_MISSING:102:value missing @@ -68,10 +68,10 @@ Index: openssl-1.1.1e/crypto/err/openssl.txt OBJ_R_OID_EXISTS:102:oid exists OBJ_R_UNKNOWN_NID:101:unknown nid OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error -Index: openssl-1.1.1e/crypto/evp/build.info +Index: openssl-1.1.1j/crypto/evp/build.info =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/build.info 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/build.info 2020-03-20 14:37:08.204877468 +0100 +--- openssl-1.1.1j.orig/crypto/evp/build.info ++++ openssl-1.1.1j/crypto/evp/build.info @@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ @@ -82,10 +82,10 @@ Index: openssl-1.1.1e/crypto/evp/build.info e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_chacha20_poly1305.c cmeth_lib.c -Index: openssl-1.1.1e/crypto/evp/evp_err.c +Index: openssl-1.1.1j/crypto/evp/evp_err.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/evp_err.c 2020-03-20 14:37:08.036876583 +0100 -+++ openssl-1.1.1e/crypto/evp/evp_err.c 2020-03-20 14:37:08.204877468 +0100 +--- openssl-1.1.1j.orig/crypto/evp/evp_err.c ++++ openssl-1.1.1j/crypto/evp/evp_err.c @@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), "EVP_EncryptFinal_ex"}, @@ -117,13 +117,13 @@ Index: openssl-1.1.1e/crypto/evp/evp_err.c "operaton not initialized"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE), + "parameter too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), + "output would overflow"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), - "partially overlapping buffers"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, -Index: openssl-1.1.1e/crypto/evp/evp_local.h +Index: openssl-1.1.1j/crypto/evp/evp_local.h =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/evp_local.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/evp_local.h 2020-03-20 16:12:26.722928201 +0100 +--- openssl-1.1.1j.orig/crypto/evp/evp_local.h ++++ openssl-1.1.1j/crypto/evp/evp_local.h @@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ } /* EVP_CIPHER_CTX */ ; @@ -136,10 +136,10 @@ Index: openssl-1.1.1e/crypto/evp/evp_local.h int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, -Index: openssl-1.1.1e/crypto/evp/evp_pbe.c +Index: openssl-1.1.1j/crypto/evp/evp_pbe.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/evp_pbe.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/evp_pbe.c 2020-03-20 14:37:08.204877468 +0100 +--- openssl-1.1.1j.orig/crypto/evp/evp_pbe.c ++++ openssl-1.1.1j/crypto/evp/evp_pbe.c @@ -12,6 +12,7 @@ #include #include @@ -148,10 +148,10 @@ Index: openssl-1.1.1e/crypto/evp/evp_pbe.c #include "evp_local.h" /* Password based encryption (PBE) functions */ -Index: openssl-1.1.1e/crypto/evp/kdf_lib.c +Index: openssl-1.1.1j/crypto/evp/kdf_lib.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/evp/kdf_lib.c 2020-03-20 16:12:06.574822921 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/evp/kdf_lib.c @@ -0,0 +1,165 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -318,10 +318,10 @@ Index: openssl-1.1.1e/crypto/evp/kdf_lib.c + return ctx->kmeth->derive(ctx->impl, key, keylen); +} + -Index: openssl-1.1.1e/crypto/evp/p5_crpt2.c +Index: openssl-1.1.1j/crypto/evp/p5_crpt2.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/p5_crpt2.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/p5_crpt2.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/evp/p5_crpt2.c ++++ openssl-1.1.1j/crypto/evp/p5_crpt2.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. @@ -470,10 +470,10 @@ Index: openssl-1.1.1e/crypto/evp/p5_crpt2.c } int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, -Index: openssl-1.1.1e/crypto/evp/pbe_scrypt.c +Index: openssl-1.1.1j/crypto/evp/pbe_scrypt.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/pbe_scrypt.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/pbe_scrypt.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/evp/pbe_scrypt.c ++++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c @@ -7,135 +7,12 @@ * https://www.openssl.org/source/license.html */ @@ -744,10 +744,10 @@ Index: openssl-1.1.1e/crypto/evp/pbe_scrypt.c } + #endif -Index: openssl-1.1.1e/crypto/evp/pkey_kdf.c +Index: openssl-1.1.1j/crypto/evp/pkey_kdf.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/evp/pkey_kdf.c 2020-03-20 16:11:56.326769377 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/evp/pkey_kdf.c @@ -0,0 +1,255 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1004,10 +1004,10 @@ Index: openssl-1.1.1e/crypto/evp/pkey_kdf.c + pkey_kdf_ctrl_str +}; + -Index: openssl-1.1.1e/include/crypto/evp.h +Index: openssl-1.1.1j/include/crypto/evp.h =================================================================== ---- openssl-1.1.1e.orig/include/crypto/evp.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/include/crypto/evp.h 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/include/crypto/evp.h ++++ openssl-1.1.1j/include/crypto/evp.h @@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m extern const EVP_PKEY_METHOD poly1305_pkey_meth; extern const EVP_PKEY_METHOD siphash_pkey_meth; @@ -1033,19 +1033,19 @@ Index: openssl-1.1.1e/include/crypto/evp.h struct evp_md_st { int type; int pkey_type; -Index: openssl-1.1.1e/crypto/kdf/build.info +Index: openssl-1.1.1j/crypto/kdf/build.info =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/build.info 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/build.info 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/build.info ++++ openssl-1.1.1j/crypto/kdf/build.info @@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - tls1_prf.c kdf_err.c hkdf.c scrypt.c + tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c -Index: openssl-1.1.1e/crypto/kdf/hkdf.c +Index: openssl-1.1.1j/crypto/kdf/hkdf.c =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/hkdf.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/hkdf.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/hkdf.c ++++ openssl-1.1.1j/crypto/kdf/hkdf.c @@ -8,32 +8,33 @@ */ @@ -1512,10 +1512,10 @@ Index: openssl-1.1.1e/crypto/kdf/hkdf.c err: OPENSSL_cleanse(prev, sizeof(prev)); -Index: openssl-1.1.1e/crypto/kdf/kdf_err.c +Index: openssl-1.1.1j/crypto/kdf/kdf_err.c =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/kdf_err.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/kdf_err.c 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/kdf_err.c ++++ openssl-1.1.1j/crypto/kdf/kdf_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT @@ -1571,10 +1571,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_err.c {0, NULL} }; -Index: openssl-1.1.1e/crypto/kdf/kdf_local.h +Index: openssl-1.1.1j/crypto/kdf/kdf_local.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/kdf/kdf_local.h 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/kdf/kdf_local.h @@ -0,0 +1,22 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1598,10 +1598,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_local.h + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *md_name); + -Index: openssl-1.1.1e/crypto/kdf/kdf_util.c +Index: openssl-1.1.1j/crypto/kdf/kdf_util.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/kdf/kdf_util.c 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/kdf/kdf_util.c @@ -0,0 +1,73 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1676,10 +1676,10 @@ Index: openssl-1.1.1e/crypto/kdf/kdf_util.c + return call_ctrl(ctrl, impl, cmd, md); +} + -Index: openssl-1.1.1e/crypto/kdf/pbkdf2.c +Index: openssl-1.1.1j/crypto/kdf/pbkdf2.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/crypto/kdf/pbkdf2.c 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/crypto/kdf/pbkdf2.c @@ -0,0 +1,264 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1945,10 +1945,10 @@ Index: openssl-1.1.1e/crypto/kdf/pbkdf2.c + HMAC_CTX_free(hctx_tpl); + return ret; +} -Index: openssl-1.1.1e/crypto/kdf/scrypt.c +Index: openssl-1.1.1j/crypto/kdf/scrypt.c =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/scrypt.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/scrypt.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/scrypt.c ++++ openssl-1.1.1j/crypto/kdf/scrypt.c @@ -8,25 +8,34 @@ */ @@ -2537,10 +2537,10 @@ Index: openssl-1.1.1e/crypto/kdf/scrypt.c +} #endif -Index: openssl-1.1.1e/crypto/kdf/tls1_prf.c +Index: openssl-1.1.1j/crypto/kdf/tls1_prf.c =================================================================== ---- openssl-1.1.1e.orig/crypto/kdf/tls1_prf.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/kdf/tls1_prf.c 2020-03-20 14:37:08.208877488 +0100 +--- openssl-1.1.1j.orig/crypto/kdf/tls1_prf.c ++++ openssl-1.1.1j/crypto/kdf/tls1_prf.c @@ -8,11 +8,15 @@ */ @@ -2824,10 +2824,10 @@ Index: openssl-1.1.1e/crypto/kdf/tls1_prf.c OPENSSL_clear_free(tmp, olen); return 0; } -Index: openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod +Index: openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod @@ -0,0 +1,217 @@ +=pod + @@ -3046,10 +3046,10 @@ Index: openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod +L. + +=cut -Index: openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod +Index: openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod @@ -0,0 +1,180 @@ +=pod + @@ -3231,10 +3231,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod +L. + +=cut -Index: openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod +Index: openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod @@ -0,0 +1,78 @@ +=pod + @@ -3314,10 +3314,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod +L. + +=cut -Index: openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod +Index: openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod @@ -0,0 +1,149 @@ +=pod + @@ -3468,10 +3468,10 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod +L. + +=cut -Index: openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod +Index: openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod 2020-03-20 14:37:08.208877488 +0100 +--- /dev/null ++++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod @@ -0,0 +1,142 @@ +=pod + @@ -3615,11 +3615,11 @@ Index: openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod +L. + +=cut -Index: openssl-1.1.1e/include/openssl/evperr.h +Index: openssl-1.1.1j/include/openssl/evperr.h =================================================================== ---- openssl-1.1.1e.orig/include/openssl/evperr.h 2020-03-20 14:37:08.084876835 +0100 -+++ openssl-1.1.1e/include/openssl/evperr.h 2020-03-20 14:37:08.208877488 +0100 -@@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void); +--- openssl-1.1.1j.orig/include/openssl/evperr.h ++++ openssl-1.1.1j/include/openssl/evperr.h +@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void); # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 # define EVP_F_EVP_ENCRYPTFINAL_EX 127 # define EVP_F_EVP_ENCRYPTUPDATE 167 @@ -3629,7 +3629,7 @@ Index: openssl-1.1.1e/include/openssl/evperr.h # define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_SIZE 162 # define EVP_F_EVP_OPENINIT 102 -@@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void); +@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void); # define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118 # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164 # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 @@ -3643,18 +3643,18 @@ Index: openssl-1.1.1e/include/openssl/evperr.h # define EVP_F_UPDATE 173 /* -@@ -181,6 +186,7 @@ int ERR_load_EVP_strings(void); +@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATON_NOT_INITIALIZED 151 +# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_OUTPUT_WOULD_OVERFLOW 184 # define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PBKDF2_ERROR 181 - # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 -Index: openssl-1.1.1e/include/openssl/kdferr.h +Index: openssl-1.1.1j/include/openssl/kdferr.h =================================================================== ---- openssl-1.1.1e.orig/include/openssl/kdferr.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/include/openssl/kdferr.h 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/include/openssl/kdferr.h ++++ openssl-1.1.1j/include/openssl/kdferr.h @@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void); /* * KDF function codes. @@ -3694,10 +3694,10 @@ Index: openssl-1.1.1e/include/openssl/kdferr.h +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 #endif -Index: openssl-1.1.1e/include/openssl/kdf.h +Index: openssl-1.1.1j/include/openssl/kdf.h =================================================================== ---- openssl-1.1.1e.orig/include/openssl/kdf.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/include/openssl/kdf.h 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/include/openssl/kdf.h ++++ openssl-1.1.1j/include/openssl/kdf.h @@ -10,10 +10,50 @@ #ifndef HEADER_KDF_H # define HEADER_KDF_H @@ -3776,10 +3776,10 @@ Index: openssl-1.1.1e/include/openssl/kdf.h } # endif #endif -Index: openssl-1.1.1e/include/openssl/ossl_typ.h +Index: openssl-1.1.1j/include/openssl/ossl_typ.h =================================================================== ---- openssl-1.1.1e.orig/include/openssl/ossl_typ.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/include/openssl/ossl_typ.h 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/include/openssl/ossl_typ.h ++++ openssl-1.1.1j/include/openssl/ossl_typ.h @@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E typedef struct evp_pkey_method_st EVP_PKEY_METHOD; typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; @@ -3789,10 +3789,10 @@ Index: openssl-1.1.1e/include/openssl/ossl_typ.h typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX; typedef struct hmac_ctx_st HMAC_CTX; -Index: openssl-1.1.1e/test/build.info +Index: openssl-1.1.1j/test/build.info =================================================================== ---- openssl-1.1.1e.orig/test/build.info 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/build.info 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/test/build.info ++++ openssl-1.1.1j/test/build.info @@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bio_callback_test bio_memleak_test \ @@ -3814,10 +3814,10 @@ Index: openssl-1.1.1e/test/build.info SOURCE[x509_time_test]=x509_time_test.c INCLUDE[x509_time_test]=../include DEPEND[x509_time_test]=../libcrypto libtestutil.a -Index: openssl-1.1.1e/test/evp_kdf_test.c +Index: openssl-1.1.1j/test/evp_kdf_test.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/test/evp_kdf_test.c 2020-03-20 14:37:08.212877511 +0100 +--- /dev/null ++++ openssl-1.1.1j/test/evp_kdf_test.c @@ -0,0 +1,237 @@ +/* + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. @@ -4056,10 +4056,10 @@ Index: openssl-1.1.1e/test/evp_kdf_test.c +#endif + return 1; +} -Index: openssl-1.1.1e/test/evp_test.c +Index: openssl-1.1.1j/test/evp_test.c =================================================================== ---- openssl-1.1.1e.orig/test/evp_test.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/evp_test.c 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/test/evp_test.c ++++ openssl-1.1.1j/test/evp_test.c @@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test encode_test_run, }; @@ -4271,10 +4271,10 @@ Index: openssl-1.1.1e/test/evp_test.c &keypair_test_method, &keygen_test_method, &mac_test_method, -Index: openssl-1.1.1e/test/pkey_meth_kdf_test.c +Index: openssl-1.1.1j/test/pkey_meth_kdf_test.c =================================================================== ---- openssl-1.1.1e.orig/test/pkey_meth_kdf_test.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/pkey_meth_kdf_test.c 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/test/pkey_meth_kdf_test.c ++++ openssl-1.1.1j/test/pkey_meth_kdf_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. @@ -4478,10 +4478,10 @@ Index: openssl-1.1.1e/test/pkey_meth_kdf_test.c } #endif -Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt +Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt =================================================================== ---- openssl-1.1.1e.orig/test/recipes/30-test_evp_data/evpkdf.txt 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt 2020-03-20 16:12:06.574822921 +0100 +--- openssl-1.1.1j.orig/test/recipes/30-test_evp_data/evpkdf.txt ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. @@ -4880,10 +4880,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt +Ctrl.digest = digest:sha512 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14 + -Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt +Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt 2020-03-20 14:37:08.212877511 +0100 +--- /dev/null ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt @@ -0,0 +1,305 @@ +# +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5190,10 +5190,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt +Ctrl.p = p:1 +Result = INTERNAL_ERROR + -Index: openssl-1.1.1e/test/recipes/30-test_evp_kdf.t +Index: openssl-1.1.1j/test/recipes/30-test_evp_kdf.t =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1e/test/recipes/30-test_evp_kdf.t 2020-03-20 14:37:08.212877511 +0100 +--- /dev/null ++++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t @@ -0,0 +1,13 @@ +#! /usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5208,10 +5208,10 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp_kdf.t +use OpenSSL::Test::Simple; + +simple_test("test_evp_kdf", "evp_kdf_test"); -Index: openssl-1.1.1e/test/recipes/30-test_evp.t +Index: openssl-1.1.1j/test/recipes/30-test_evp.t =================================================================== ---- openssl-1.1.1e.orig/test/recipes/30-test_evp.t 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/test/recipes/30-test_evp.t 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/test/recipes/30-test_evp.t ++++ openssl-1.1.1j/test/recipes/30-test_evp.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ setup("test_evp"); @@ -5221,11 +5221,11 @@ Index: openssl-1.1.1e/test/recipes/30-test_evp.t "evpcase.txt", "evpccmcavs.txt" ); plan tests => scalar(@files); -Index: openssl-1.1.1e/util/libcrypto.num +Index: openssl-1.1.1j/util/libcrypto.num =================================================================== ---- openssl-1.1.1e.orig/util/libcrypto.num 2020-03-20 14:37:08.088876857 +0100 -+++ openssl-1.1.1e/util/libcrypto.num 2020-03-20 16:11:58.798782289 +0100 -@@ -4622,3 +4622,11 @@ FIPS_drbg_get_strength +--- openssl-1.1.1j.orig/util/libcrypto.num ++++ openssl-1.1.1j/util/libcrypto.num +@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: @@ -5237,10 +5237,10 @@ Index: openssl-1.1.1e/util/libcrypto.num +EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: +EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: +EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: -Index: openssl-1.1.1e/util/private.num +Index: openssl-1.1.1j/util/private.num =================================================================== ---- openssl-1.1.1e.orig/util/private.num 2020-03-20 14:37:07.856875635 +0100 -+++ openssl-1.1.1e/util/private.num 2020-03-20 14:37:08.212877511 +0100 +--- openssl-1.1.1j.orig/util/private.num ++++ openssl-1.1.1j/util/private.num @@ -22,6 +22,7 @@ CRYPTO_EX_dup CRYPTO_EX_free datatype CRYPTO_EX_new datatype @@ -5249,10 +5249,10 @@ Index: openssl-1.1.1e/util/private.num EVP_PKEY_gen_cb datatype EVP_PKEY_METHOD datatype EVP_PKEY_ASN1_METHOD datatype -Index: openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c +Index: openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/e_chacha20_poly1305.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c 2020-03-20 16:12:44.271019899 +0100 +--- openssl-1.1.1j.orig/crypto/evp/e_chacha20_poly1305.c ++++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c @@ -14,8 +14,8 @@ # include @@ -5263,10 +5263,10 @@ Index: openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c # include "crypto/chacha.h" typedef struct { -Index: openssl-1.1.1e/crypto/evp/encode.c +Index: openssl-1.1.1j/crypto/evp/encode.c =================================================================== ---- openssl-1.1.1e.orig/crypto/evp/encode.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/encode.c 2020-03-20 16:15:09.491778701 +0100 +--- openssl-1.1.1j.orig/crypto/evp/encode.c ++++ openssl-1.1.1j/crypto/evp/encode.c @@ -11,8 +11,8 @@ #include #include "internal/cryptlib.h" diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 42138c7..cabaffd 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -1,7 +1,7 @@ -Index: openssl-1.1.1h/apps/pkcs12.c +Index: openssl-1.1.1j/apps/pkcs12.c =================================================================== ---- openssl-1.1.1h.orig/apps/pkcs12.c 2020-09-22 22:42:56.986158135 +0200 -+++ openssl-1.1.1h/apps/pkcs12.c 2020-09-22 22:42:58.426167464 +0200 +--- openssl-1.1.1j.orig/apps/pkcs12.c ++++ openssl-1.1.1j/apps/pkcs12.c @@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv) int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; @@ -11,10 +11,10 @@ Index: openssl-1.1.1h/apps/pkcs12.c #else int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; #endif -Index: openssl-1.1.1h/apps/speed.c +Index: openssl-1.1.1j/apps/speed.c =================================================================== ---- openssl-1.1.1h.orig/apps/speed.c 2020-09-22 22:42:56.990158161 +0200 -+++ openssl-1.1.1h/apps/speed.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/apps/speed.c ++++ openssl-1.1.1j/apps/speed.c @@ -1674,7 +1674,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { @@ -165,10 +165,10 @@ Index: openssl-1.1.1h/apps/speed.c if (loopargs[i].hctx == NULL) { BIO_printf(bio_err, "HMAC malloc failure, exiting..."); exit(1); -Index: openssl-1.1.1h/Configure +Index: openssl-1.1.1j/Configure =================================================================== ---- openssl-1.1.1h.orig/Configure 2020-09-22 22:42:56.990158161 +0200 -+++ openssl-1.1.1h/Configure 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/Configure ++++ openssl-1.1.1j/Configure @@ -325,7 +325,7 @@ $config{sdirs} = [ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", @@ -178,10 +178,10 @@ Index: openssl-1.1.1h/Configure "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; -Index: openssl-1.1.1h/crypto/cmac/cm_pmeth.c +Index: openssl-1.1.1j/crypto/cmac/cm_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/cmac/cm_pmeth.c 2020-09-22 22:42:56.990158161 +0200 -+++ openssl-1.1.1h/crypto/cmac/cm_pmeth.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/cmac/cm_pmeth.c ++++ openssl-1.1.1j/crypto/cmac/cm_pmeth.c @@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD cmac_pkey_meth = { @@ -191,10 +191,10 @@ Index: openssl-1.1.1h/crypto/cmac/cm_pmeth.c pkey_cmac_init, pkey_cmac_copy, pkey_cmac_cleanup, -Index: openssl-1.1.1h/crypto/dh/dh_err.c +Index: openssl-1.1.1j/crypto/dh/dh_err.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dh/dh_err.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dh/dh_err.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dh/dh_err.c ++++ openssl-1.1.1j/crypto/dh/dh_err.c @@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), @@ -220,10 +220,10 @@ Index: openssl-1.1.1h/crypto/dh/dh_err.c {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -Index: openssl-1.1.1h/crypto/dh/dh_gen.c +Index: openssl-1.1.1j/crypto/dh/dh_gen.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dh/dh_gen.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dh/dh_gen.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dh/dh_gen.c ++++ openssl-1.1.1j/crypto/dh/dh_gen.c @@ -16,6 +16,9 @@ #include "internal/cryptlib.h" #include @@ -267,10 +267,10 @@ Index: openssl-1.1.1h/crypto/dh/dh_gen.c ctx = BN_CTX_new(); if (ctx == NULL) goto err; -Index: openssl-1.1.1h/crypto/dh/dh_key.c +Index: openssl-1.1.1j/crypto/dh/dh_key.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dh/dh_key.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dh/dh_key.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dh/dh_key.c ++++ openssl-1.1.1j/crypto/dh/dh_key.c @@ -11,6 +11,9 @@ #include "internal/cryptlib.h" #include "dh_local.h" @@ -281,7 +281,7 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); -@@ -22,18 +25,32 @@ static int dh_finish(DH *dh); +@@ -22,6 +25,13 @@ static int dh_finish(DH *dh); int DH_generate_key(DH *dh) { @@ -295,6 +295,8 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c return dh->meth->generate_key(dh); } +@@ -31,6 +41,13 @@ int DH_generate_key(DH *dh) + */ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { +#ifdef OPENSSL_FIPS @@ -304,18 +306,19 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c + return 0; + } +#endif - return dh->meth->compute_key(key, pub_key, dh); - } + int ret = 0, i; + volatile size_t npad = 0, mask = 1; - int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { +@@ -59,7 +76,7 @@ int DH_compute_key_padded(unsigned char int rv, pad; + + /* rv is constant unless compute_key is external */ - rv = dh->meth->compute_key(key, pub_key, dh); + rv = DH_compute_key(key, pub_key, dh); if (rv <= 0) return rv; pad = BN_num_bytes(dh->p) - rv; -@@ -82,6 +99,14 @@ static int generate_key(DH *dh) +@@ -109,6 +126,14 @@ static int generate_key(DH *dh) BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; @@ -330,7 +333,7 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); return 0; -@@ -179,6 +204,13 @@ static int compute_key(unsigned char *ke +@@ -206,6 +231,13 @@ static int compute_key(unsigned char *ke DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); goto err; } @@ -344,7 +347,7 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c ctx = BN_CTX_new(); if (ctx == NULL) -@@ -228,6 +260,9 @@ static int dh_bn_mod_exp(const DH *dh, B +@@ -255,6 +287,9 @@ static int dh_bn_mod_exp(const DH *dh, B static int dh_init(DH *dh) { @@ -354,10 +357,10 @@ Index: openssl-1.1.1h/crypto/dh/dh_key.c dh->flags |= DH_FLAG_CACHE_MONT_P; return 1; } -Index: openssl-1.1.1h/crypto/dh/dh_pmeth.c +Index: openssl-1.1.1j/crypto/dh/dh_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dh/dh_pmeth.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dh/dh_pmeth.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dh/dh_pmeth.c ++++ openssl-1.1.1j/crypto/dh/dh_pmeth.c @@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * const EVP_PKEY_METHOD dh_pkey_meth = { @@ -376,10 +379,10 @@ Index: openssl-1.1.1h/crypto/dh/dh_pmeth.c pkey_dh_init, pkey_dh_copy, pkey_dh_cleanup, -Index: openssl-1.1.1h/crypto/dsa/dsa_err.c +Index: openssl-1.1.1j/crypto/dsa/dsa_err.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_err.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_err.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_err.c ++++ openssl-1.1.1j/crypto/dsa/dsa_err.c @@ -16,12 +16,15 @@ static const ERR_STRING_DATA DSA_str_functs[] = { {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, @@ -411,10 +414,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_err.c {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, -Index: openssl-1.1.1h/crypto/dsa/dsa_gen.c +Index: openssl-1.1.1j/crypto/dsa/dsa_gen.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_gen.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_gen.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_gen.c ++++ openssl-1.1.1j/crypto/dsa/dsa_gen.c @@ -22,12 +22,22 @@ #include #include @@ -576,10 +579,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_gen.c +} + +#endif -Index: openssl-1.1.1h/crypto/dsa/dsa_key.c +Index: openssl-1.1.1j/crypto/dsa/dsa_key.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_key.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_key.c 2020-09-22 22:42:58.430167490 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_key.c ++++ openssl-1.1.1j/crypto/dsa/dsa_key.c @@ -13,10 +13,49 @@ #include #include "dsa_local.h" @@ -659,10 +662,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_key.c ok = 1; err: -Index: openssl-1.1.1h/crypto/dsa/dsa_ossl.c +Index: openssl-1.1.1j/crypto/dsa/dsa_ossl.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_ossl.c 2020-09-22 22:42:56.994158186 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_ossl.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_ossl.c ++++ openssl-1.1.1j/crypto/dsa/dsa_ossl.c @@ -14,6 +14,9 @@ #include #include "dsa_local.h" @@ -722,10 +725,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_ossl.c dsa->flags |= DSA_FLAG_CACHE_MONT_P; return 1; } -Index: openssl-1.1.1h/crypto/dsa/dsa_pmeth.c +Index: openssl-1.1.1j/crypto/dsa/dsa_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/dsa/dsa_pmeth.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/dsa/dsa_pmeth.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/dsa/dsa_pmeth.c ++++ openssl-1.1.1j/crypto/dsa/dsa_pmeth.c @@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT BN_GENCB_free(pcb); return 0; @@ -746,10 +749,10 @@ Index: openssl-1.1.1h/crypto/dsa/dsa_pmeth.c pkey_dsa_init, pkey_dsa_copy, pkey_dsa_cleanup, -Index: openssl-1.1.1h/crypto/ec/ecdh_ossl.c +Index: openssl-1.1.1j/crypto/ec/ecdh_ossl.c =================================================================== ---- openssl-1.1.1h.orig/crypto/ec/ecdh_ossl.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/ec/ecdh_ossl.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/ec/ecdh_ossl.c ++++ openssl-1.1.1j/crypto/ec/ecdh_ossl.c @@ -19,9 +19,20 @@ #include #include "ec_local.h" @@ -771,10 +774,10 @@ Index: openssl-1.1.1h/crypto/ec/ecdh_ossl.c if (ecdh->group->meth->ecdh_compute_key == NULL) { ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); return 0; -Index: openssl-1.1.1h/crypto/ec/ecdsa_ossl.c +Index: openssl-1.1.1j/crypto/ec/ecdsa_ossl.c =================================================================== ---- openssl-1.1.1h.orig/crypto/ec/ecdsa_ossl.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/ec/ecdsa_ossl.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/ec/ecdsa_ossl.c ++++ openssl-1.1.1j/crypto/ec/ecdsa_ossl.c @@ -14,6 +14,11 @@ #include "crypto/bn.h" #include "ec_local.h" @@ -815,10 +818,10 @@ Index: openssl-1.1.1h/crypto/ec/ecdsa_ossl.c /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -Index: openssl-1.1.1h/crypto/ec/ec_key.c +Index: openssl-1.1.1j/crypto/ec/ec_key.c =================================================================== ---- openssl-1.1.1h.orig/crypto/ec/ec_key.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/ec/ec_key.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/ec/ec_key.c ++++ openssl-1.1.1j/crypto/ec/ec_key.c @@ -179,14 +179,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY return eckey->engine; } @@ -884,10 +887,10 @@ Index: openssl-1.1.1h/crypto/ec/ec_key.c ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } -Index: openssl-1.1.1h/crypto/ec/ec_pmeth.c +Index: openssl-1.1.1j/crypto/ec/ec_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/ec/ec_pmeth.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/ec/ec_pmeth.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/ec/ec_pmeth.c ++++ openssl-1.1.1j/crypto/ec/ec_pmeth.c @@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * const EVP_PKEY_METHOD ec_pkey_meth = { @@ -897,10 +900,10 @@ Index: openssl-1.1.1h/crypto/ec/ec_pmeth.c pkey_ec_init, pkey_ec_copy, pkey_ec_cleanup, -Index: openssl-1.1.1h/crypto/evp/c_allc.c +Index: openssl-1.1.1j/crypto/evp/c_allc.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/c_allc.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/c_allc.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/c_allc.c ++++ openssl-1.1.1j/crypto/evp/c_allc.c @@ -17,6 +17,9 @@ void openssl_add_all_ciphers_int(void) { @@ -982,10 +985,10 @@ Index: openssl-1.1.1h/crypto/evp/c_allc.c + } +#endif } -Index: openssl-1.1.1h/crypto/evp/c_alld.c +Index: openssl-1.1.1j/crypto/evp/c_alld.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/c_alld.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/c_alld.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/c_alld.c ++++ openssl-1.1.1j/crypto/evp/c_alld.c @@ -16,6 +16,9 @@ void openssl_add_all_digests_int(void) @@ -1021,10 +1024,10 @@ Index: openssl-1.1.1h/crypto/evp/c_alld.c + } +#endif } -Index: openssl-1.1.1h/crypto/evp/digest.c +Index: openssl-1.1.1j/crypto/evp/digest.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/digest.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/digest.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/digest.c ++++ openssl-1.1.1j/crypto/evp/digest.c @@ -14,6 +14,9 @@ #include #include "crypto/evp.h" @@ -1085,10 +1088,10 @@ Index: openssl-1.1.1h/crypto/evp/digest.c OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) -Index: openssl-1.1.1h/crypto/evp/e_aes.c +Index: openssl-1.1.1j/crypto/evp/e_aes.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/e_aes.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/e_aes.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/e_aes.c ++++ openssl-1.1.1j/crypto/evp/e_aes.c @@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER * This addresses Rogaway's vulnerability. * See comment in aes_xts_init_key() below. @@ -1211,10 +1214,10 @@ Index: openssl-1.1.1h/crypto/evp/e_aes.c | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) -Index: openssl-1.1.1h/crypto/evp/e_des3.c +Index: openssl-1.1.1j/crypto/evp/e_des3.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/e_des3.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/e_des3.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/e_des3.c ++++ openssl-1.1.1j/crypto/evp/e_des3.c @@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, # define des_ede3_cbc_cipher des_ede_cbc_cipher # define des_ede3_ecb_cipher des_ede_ecb_cipher @@ -1241,10 +1244,10 @@ Index: openssl-1.1.1h/crypto/evp/e_des3.c static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -Index: openssl-1.1.1h/crypto/evp/e_null.c +Index: openssl-1.1.1j/crypto/evp/e_null.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/e_null.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/e_null.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/e_null.c ++++ openssl-1.1.1j/crypto/evp/e_null.c @@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c const unsigned char *in, size_t inl); static const EVP_CIPHER n_cipher = { @@ -1255,11 +1258,11 @@ Index: openssl-1.1.1h/crypto/evp/e_null.c null_init_key, null_cipher, NULL, -Index: openssl-1.1.1h/crypto/evp/evp_enc.c +Index: openssl-1.1.1j/crypto/evp/evp_enc.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/evp_enc.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/evp_enc.c 2020-09-22 22:42:58.434167516 +0200 -@@ -17,10 +17,19 @@ +--- openssl-1.1.1j.orig/crypto/evp/evp_enc.c ++++ openssl-1.1.1j/crypto/evp/evp_enc.c +@@ -18,10 +18,19 @@ #include #include "crypto/evp.h" #include "evp_local.h" @@ -1280,7 +1283,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c return 1; if (c->cipher != NULL) { if (c->cipher->cleanup && !c->cipher->cleanup(c)) -@@ -39,6 +48,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX +@@ -40,6 +49,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { @@ -1293,7 +1296,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); } -@@ -67,6 +82,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -68,6 +83,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct enc = 1; ctx->encrypt = enc; } @@ -1306,7 +1309,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c #ifndef OPENSSL_NO_ENGINE /* * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -136,7 +157,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -137,7 +158,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct } ctx->key_len = cipher->key_len; /* Preserve wrap enable flag, zero everything else */ @@ -1315,7 +1318,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { ctx->cipher = NULL; -@@ -195,6 +216,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -196,6 +217,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct return 0; } } @@ -1334,10 +1337,10 @@ Index: openssl-1.1.1h/crypto/evp/evp_enc.c if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if (!ctx->cipher->init(ctx, key, iv, enc)) -Index: openssl-1.1.1h/crypto/evp/evp_err.c +Index: openssl-1.1.1j/crypto/evp/evp_err.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/evp_err.c 2020-09-22 22:42:56.998158213 +0200 -+++ openssl-1.1.1h/crypto/evp/evp_err.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/evp_err.c ++++ openssl-1.1.1j/crypto/evp/evp_err.c @@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), "aes_t4_xts_init_key"}, @@ -1354,7 +1357,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_err.c {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), "error loading section"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), -@@ -249,6 +251,7 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -251,6 +253,7 @@ static const ERR_STRING_DATA EVP_str_rea {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, @@ -1362,7 +1365,7 @@ Index: openssl-1.1.1h/crypto/evp/evp_err.c {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, -@@ -274,6 +277,8 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -276,6 +279,8 @@ static const ERR_STRING_DATA EVP_str_rea "wrap mode not allowed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), "wrong final block length"}, @@ -1371,10 +1374,10 @@ Index: openssl-1.1.1h/crypto/evp/evp_err.c {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), "xts duplicated keys"}, {0, NULL} -Index: openssl-1.1.1h/crypto/evp/evp_lib.c +Index: openssl-1.1.1j/crypto/evp/evp_lib.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/evp_lib.c 2020-09-22 22:42:57.002158239 +0200 -+++ openssl-1.1.1h/crypto/evp/evp_lib.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/evp_lib.c ++++ openssl-1.1.1j/crypto/evp/evp_lib.c @@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) @@ -1385,10 +1388,10 @@ Index: openssl-1.1.1h/crypto/evp/evp_lib.c return ctx->cipher->do_cipher(ctx, out, in, inl); } -Index: openssl-1.1.1h/crypto/evp/m_sha1.c +Index: openssl-1.1.1j/crypto/evp/m_sha1.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/m_sha1.c 2020-09-22 22:42:57.002158239 +0200 -+++ openssl-1.1.1h/crypto/evp/m_sha1.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/m_sha1.c ++++ openssl-1.1.1j/crypto/evp/m_sha1.c @@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -1452,10 +1455,10 @@ Index: openssl-1.1.1h/crypto/evp/m_sha1.c init512, update512, final512, -Index: openssl-1.1.1h/crypto/evp/m_sha3.c +Index: openssl-1.1.1j/crypto/evp/m_sha3.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/m_sha3.c 2020-09-22 22:42:57.002158239 +0200 -+++ openssl-1.1.1h/crypto/evp/m_sha3.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/m_sha3.c ++++ openssl-1.1.1j/crypto/evp/m_sha3.c @@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ @@ -1510,10 +1513,10 @@ Index: openssl-1.1.1h/crypto/evp/m_sha3.c shake_init, \ sha3_update, \ sha3_final, \ -Index: openssl-1.1.1h/crypto/evp/pmeth_lib.c +Index: openssl-1.1.1j/crypto/evp/pmeth_lib.c =================================================================== ---- openssl-1.1.1h.orig/crypto/evp/pmeth_lib.c 2020-09-22 22:42:57.002158239 +0200 -+++ openssl-1.1.1h/crypto/evp/pmeth_lib.c 2020-09-22 22:42:58.434167516 +0200 +--- openssl-1.1.1j.orig/crypto/evp/pmeth_lib.c ++++ openssl-1.1.1j/crypto/evp/pmeth_lib.c @@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE pmeth = ENGINE_get_pkey_meth(e, id); else @@ -1530,10 +1533,10 @@ Index: openssl-1.1.1h/crypto/evp/pmeth_lib.c if (pmeth == NULL) { #ifndef OPENSSL_NO_ENGINE -Index: openssl-1.1.1h/crypto/fips/build.info +Index: openssl-1.1.1j/crypto/fips/build.info =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/build.info 2020-09-22 22:42:58.434167516 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/build.info @@ -0,0 +1,15 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ @@ -1550,10 +1553,10 @@ Index: openssl-1.1.1h/crypto/fips/build.info +SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c +INCLUDE[fips_standalone_hmac]=../../include +DEPEND[fips_standalone_hmac]=../../libcrypto -Index: openssl-1.1.1h/crypto/fips/fips_aes_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_aes_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_aes_selftest.c 2020-09-22 22:42:58.434167516 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_aes_selftest.c @@ -0,0 +1,372 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -1927,10 +1930,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_aes_selftest.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips.c +Index: openssl-1.1.1j/crypto/fips/fips.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips.c 2020-09-22 22:42:58.434167516 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips.c @@ -0,0 +1,526 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2458,10 +2461,10 @@ Index: openssl-1.1.1h/crypto/fips/fips.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips_cmac_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_cmac_selftest.c 2020-09-22 22:42:58.434167516 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -2619,10 +2622,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_cmac_selftest.c + return rv; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_des_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_des_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_des_selftest.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_des_selftest.c @@ -0,0 +1,133 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2757,10 +2760,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_des_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_dh_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_dh_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_dh_selftest.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_dh_selftest.c @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -2942,10 +2945,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_dh_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_drbg_ctr.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_ctr.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c @@ -0,0 +1,406 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3353,10 +3356,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_ctr.c + + return 1; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_hash.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_hash.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_hash.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_hash.c @@ -0,0 +1,354 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3712,10 +3715,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_hash.c + + return 1; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_hmac.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_hmac.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c @@ -0,0 +1,262 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3979,10 +3982,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_hmac.c + + return 1; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_lib.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_lib.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_lib.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_lib.c @@ -0,0 +1,528 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4512,10 +4515,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_lib.c +{ + /* Just backwards compatibility API call with no effect. */ +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_rand.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_rand.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_rand.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_rand.c @@ -0,0 +1,185 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4702,10 +4705,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_rand.c +{ + return &rand_drbg_meth; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_selftest.c 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c @@ -0,0 +1,828 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5535,10 +5538,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_selftest.c + FIPS_drbg_free(dctx); + return rv; +} -Index: openssl-1.1.1h/crypto/fips/fips_drbg_selftest.h +Index: openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_drbg_selftest.h 2020-09-22 22:42:58.438167541 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7331,10 +7334,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_drbg_selftest.h + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -Index: openssl-1.1.1h/crypto/fips/fips_dsa_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_dsa_selftest.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c @@ -0,0 +1,195 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7531,10 +7534,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_dsa_selftest.c + return ret; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_ecdh_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_ecdh_selftest.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c @@ -0,0 +1,242 @@ +/* fips/ecdh/fips_ecdh_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7778,10 +7781,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_ecdh_selftest.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips_ecdsa_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_ecdsa_selftest.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c @@ -0,0 +1,166 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7949,10 +7952,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_ecdsa_selftest.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips_err.h +Index: openssl-1.1.1j/crypto/fips/fips_err.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_err.h 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_err.h @@ -0,0 +1,197 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -8151,10 +8154,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_err.h +#endif + return 1; +} -Index: openssl-1.1.1h/crypto/fips/fips_ers.c +Index: openssl-1.1.1j/crypto/fips/fips_ers.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_ers.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_ers.c @@ -0,0 +1,7 @@ +#include + @@ -8163,10 +8166,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_ers.c +#else +static void *dummy = &dummy; +#endif -Index: openssl-1.1.1h/crypto/fips/fips_hmac_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_hmac_selftest.c 2020-09-22 22:42:58.466167723 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -8302,10 +8305,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_hmac_selftest.c + return 1; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_locl.h +Index: openssl-1.1.1j/crypto/fips/fips_locl.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_locl.h 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_locl.h @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8378,10 +8381,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_locl.h +} +# endif +#endif -Index: openssl-1.1.1h/crypto/fips/fips_post.c +Index: openssl-1.1.1j/crypto/fips/fips_post.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_post.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_post.c @@ -0,0 +1,224 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8607,10 +8610,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_post.c + return 1; +} +#endif -Index: openssl-1.1.1h/crypto/fips/fips_rand_lcl.h +Index: openssl-1.1.1j/crypto/fips/fips_rand_lcl.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_rand_lcl.h 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_rand_lcl.h @@ -0,0 +1,203 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -8815,10 +8818,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_rand_lcl.h +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -Index: openssl-1.1.1h/crypto/fips/fips_rand_lib.c +Index: openssl-1.1.1j/crypto/fips/fips_rand_lib.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_rand_lib.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_rand_lib.c @@ -0,0 +1,234 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9054,10 +9057,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_rand_lib.c +# endif +} + -Index: openssl-1.1.1h/crypto/fips/fips_rsa_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_rsa_selftest.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c @@ -0,0 +1,338 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -9397,10 +9400,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_rsa_selftest.c +} + +#endif /* def OPENSSL_FIPS */ -Index: openssl-1.1.1h/crypto/fips/fips_sha_selftest.c +Index: openssl-1.1.1j/crypto/fips/fips_sha_selftest.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_sha_selftest.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_sha_selftest.c @@ -0,0 +1,223 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9625,10 +9628,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_sha_selftest.c +} + +#endif -Index: openssl-1.1.1h/crypto/fips/fips_standalone_hmac.c +Index: openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/crypto/fips/fips_standalone_hmac.c 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c @@ -0,0 +1,127 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9757,10 +9760,10 @@ Index: openssl-1.1.1h/crypto/fips/fips_standalone_hmac.c +#endif + return 0; +} -Index: openssl-1.1.1h/crypto/hmac/hmac.c +Index: openssl-1.1.1j/crypto/hmac/hmac.c =================================================================== ---- openssl-1.1.1h.orig/crypto/hmac/hmac.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/hmac/hmac.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/hmac/hmac.c ++++ openssl-1.1.1j/crypto/hmac/hmac.c @@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo return 0; @@ -9775,10 +9778,10 @@ Index: openssl-1.1.1h/crypto/hmac/hmac.c reset = 1; j = EVP_MD_block_size(md); -Index: openssl-1.1.1h/crypto/hmac/hm_pmeth.c +Index: openssl-1.1.1j/crypto/hmac/hm_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/hmac/hm_pmeth.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/hmac/hm_pmeth.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/hmac/hm_pmeth.c ++++ openssl-1.1.1j/crypto/hmac/hm_pmeth.c @@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD hmac_pkey_meth = { @@ -9788,10 +9791,10 @@ Index: openssl-1.1.1h/crypto/hmac/hm_pmeth.c pkey_hmac_init, pkey_hmac_copy, pkey_hmac_cleanup, -Index: openssl-1.1.1h/include/crypto/fips_int.h +Index: openssl-1.1.1j/include/crypto/fips_int.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/include/crypto/fips_int.h 2020-09-22 22:42:58.470167749 +0200 +--- /dev/null ++++ openssl-1.1.1j/include/crypto/fips_int.h @@ -0,0 +1,98 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9891,10 +9894,10 @@ Index: openssl-1.1.1h/include/crypto/fips_int.h +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + +#endif -Index: openssl-1.1.1h/crypto/o_fips.c +Index: openssl-1.1.1j/crypto/o_fips.c =================================================================== ---- openssl-1.1.1h.orig/crypto/o_fips.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/o_fips.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/o_fips.c ++++ openssl-1.1.1j/crypto/o_fips.c @@ -8,17 +8,28 @@ */ @@ -9924,10 +9927,10 @@ Index: openssl-1.1.1h/crypto/o_fips.c return 0; +#endif } -Index: openssl-1.1.1h/crypto/o_init.c +Index: openssl-1.1.1j/crypto/o_init.c =================================================================== ---- openssl-1.1.1h.orig/crypto/o_init.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/o_init.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/o_init.c ++++ openssl-1.1.1j/crypto/o_init.c @@ -7,8 +7,68 @@ * https://www.openssl.org/source/license.html */ @@ -9997,10 +10000,10 @@ Index: openssl-1.1.1h/crypto/o_init.c /* * Perform any essential OpenSSL initialization operations. Currently does -Index: openssl-1.1.1h/crypto/rand/rand_lib.c +Index: openssl-1.1.1j/crypto/rand/rand_lib.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rand/rand_lib.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/rand/rand_lib.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/rand/rand_lib.c ++++ openssl-1.1.1j/crypto/rand/rand_lib.c @@ -959,3 +959,15 @@ int RAND_status(void) return meth->status(); return 0; @@ -10017,10 +10020,10 @@ Index: openssl-1.1.1h/crypto/rand/rand_lib.c + return 1; +} +#endif -Index: openssl-1.1.1h/crypto/rsa/rsa_crpt.c +Index: openssl-1.1.1j/crypto/rsa/rsa_crpt.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_crpt.c 2020-09-22 22:42:57.006158265 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_crpt.c 2020-09-22 22:42:58.470167749 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_crpt.c ++++ openssl-1.1.1j/crypto/rsa/rsa_crpt.c @@ -27,24 +27,52 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -10074,10 +10077,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_crpt.c return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); } -Index: openssl-1.1.1h/crypto/rsa/rsa_err.c +Index: openssl-1.1.1j/crypto/rsa/rsa_err.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_err.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_err.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_err.c ++++ openssl-1.1.1j/crypto/rsa/rsa_err.c @@ -16,6 +16,8 @@ static const ERR_STRING_DATA RSA_str_functs[] = { {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, @@ -10146,10 +10149,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_err.c {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, -Index: openssl-1.1.1h/crypto/rsa/rsa_gen.c +Index: openssl-1.1.1j/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_gen.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_gen.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_gen.c ++++ openssl-1.1.1j/crypto/rsa/rsa_gen.c @@ -18,6 +18,76 @@ #include "internal/cryptlib.h" #include @@ -10542,10 +10545,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_gen.c static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb) { -Index: openssl-1.1.1h/crypto/rsa/rsa_lib.c +Index: openssl-1.1.1j/crypto/rsa/rsa_lib.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_lib.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_lib.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_lib.c ++++ openssl-1.1.1j/crypto/rsa/rsa_lib.c @@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M * to deal with which ENGINE it comes from. */ @@ -10588,10 +10591,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_lib.c if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { goto err; } -Index: openssl-1.1.1h/crypto/rsa/rsa_ossl.c +Index: openssl-1.1.1j/crypto/rsa/rsa_ossl.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_ossl.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_ossl.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_ossl.c ++++ openssl-1.1.1j/crypto/rsa/rsa_ossl.c @@ -12,6 +12,10 @@ #include "rsa_local.h" #include "internal/constant_time.h" @@ -10708,10 +10711,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_ossl.c if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; -Index: openssl-1.1.1h/crypto/rsa/rsa_pmeth.c +Index: openssl-1.1.1j/crypto/rsa/rsa_pmeth.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_pmeth.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_pmeth.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.1.1j/crypto/rsa/rsa_pmeth.c @@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX const EVP_PKEY_METHOD rsa_pkey_meth = { @@ -10730,10 +10733,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_pmeth.c pkey_rsa_init, pkey_rsa_copy, pkey_rsa_cleanup, -Index: openssl-1.1.1h/crypto/rsa/rsa_sign.c +Index: openssl-1.1.1j/crypto/rsa/rsa_sign.c =================================================================== ---- openssl-1.1.1h.orig/crypto/rsa/rsa_sign.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/rsa/rsa_sign.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/rsa/rsa_sign.c ++++ openssl-1.1.1j/crypto/rsa/rsa_sign.c @@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch unsigned char *tmps = NULL; const unsigned char *encoded = NULL; @@ -10760,10 +10763,10 @@ Index: openssl-1.1.1h/crypto/rsa/rsa_sign.c if (encrypt_len <= 0) goto err; -Index: openssl-1.1.1h/crypto/sha/sha256.c +Index: openssl-1.1.1j/crypto/sha/sha256.c =================================================================== ---- openssl-1.1.1h.orig/crypto/sha/sha256.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/sha/sha256.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/sha/sha256.c ++++ openssl-1.1.1j/crypto/sha/sha256.c @@ -18,6 +18,9 @@ int SHA224_Init(SHA256_CTX *c) @@ -10784,10 +10787,10 @@ Index: openssl-1.1.1h/crypto/sha/sha256.c memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -Index: openssl-1.1.1h/crypto/sha/sha512.c +Index: openssl-1.1.1j/crypto/sha/sha512.c =================================================================== ---- openssl-1.1.1h.orig/crypto/sha/sha512.c 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/sha/sha512.c 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/sha/sha512.c ++++ openssl-1.1.1j/crypto/sha/sha512.c @@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) int SHA384_Init(SHA512_CTX *c) @@ -10808,10 +10811,10 @@ Index: openssl-1.1.1h/crypto/sha/sha512.c c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -Index: openssl-1.1.1h/crypto/sha/sha_local.h +Index: openssl-1.1.1j/crypto/sha/sha_local.h =================================================================== ---- openssl-1.1.1h.orig/crypto/sha/sha_local.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/crypto/sha/sha_local.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/crypto/sha/sha_local.h ++++ openssl-1.1.1j/crypto/sha/sha_local.h @@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c int HASH_INIT(SHA_CTX *c) @@ -10822,10 +10825,10 @@ Index: openssl-1.1.1h/crypto/sha/sha_local.h memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -Index: openssl-1.1.1h/doc/man3/DSA_generate_parameters.pod +Index: openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod =================================================================== ---- openssl-1.1.1h.orig/doc/man3/DSA_generate_parameters.pod 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/doc/man3/DSA_generate_parameters.pod 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/doc/man3/DSA_generate_parameters.pod ++++ openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod @@ -30,8 +30,10 @@ B is the length of the prime p to For lengths under 2048 bits, the length of q is 160 bits; for lengths greater than or equal to 2048 bits, the length of q is set to 256 bits. @@ -10839,10 +10842,10 @@ Index: openssl-1.1.1h/doc/man3/DSA_generate_parameters.pod DSA_generate_parameters_ex() places the iteration count in *B and a counter used for finding a generator in -Index: openssl-1.1.1h/include/openssl/crypto.h +Index: openssl-1.1.1j/include/openssl/crypto.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/crypto.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/crypto.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/crypto.h ++++ openssl-1.1.1j/include/openssl/crypto.h @@ -331,6 +331,11 @@ int OPENSSL_isservice(void); int FIPS_mode(void); int FIPS_mode_set(int r); @@ -10855,10 +10858,10 @@ Index: openssl-1.1.1h/include/openssl/crypto.h void OPENSSL_init(void); # ifdef OPENSSL_SYS_UNIX void OPENSSL_fork_prepare(void); -Index: openssl-1.1.1h/include/openssl/dherr.h +Index: openssl-1.1.1j/include/openssl/dherr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/dherr.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/dherr.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/dherr.h ++++ openssl-1.1.1j/include/openssl/dherr.h @@ -36,6 +36,9 @@ int ERR_load_DH_strings(void); # define DH_F_DH_CMS_DECRYPT 114 # define DH_F_DH_CMS_SET_PEERKEY 115 @@ -10884,10 +10887,10 @@ Index: openssl-1.1.1h/include/openssl/dherr.h # define DH_R_PARAMETER_ENCODING_ERROR 105 # define DH_R_PEER_KEY_ERROR 111 # define DH_R_SHARED_INFO_ERROR 113 -Index: openssl-1.1.1h/include/openssl/dh.h +Index: openssl-1.1.1j/include/openssl/dh.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/dh.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/dh.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/dh.h ++++ openssl-1.1.1j/include/openssl/dh.h @@ -31,6 +31,7 @@ extern "C" { # endif @@ -10896,10 +10899,10 @@ Index: openssl-1.1.1h/include/openssl/dh.h # define DH_FLAG_CACHE_MONT_P 0x01 -Index: openssl-1.1.1h/include/openssl/dsaerr.h +Index: openssl-1.1.1j/include/openssl/dsaerr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/dsaerr.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/dsaerr.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/dsaerr.h ++++ openssl-1.1.1j/include/openssl/dsaerr.h @@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void); */ # define DSA_F_DSAPARAMS_PRINT 100 @@ -10926,10 +10929,10 @@ Index: openssl-1.1.1h/include/openssl/dsaerr.h # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 -Index: openssl-1.1.1h/include/openssl/dsa.h +Index: openssl-1.1.1j/include/openssl/dsa.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/dsa.h 2020-09-22 22:42:57.010158291 +0200 -+++ openssl-1.1.1h/include/openssl/dsa.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/dsa.h ++++ openssl-1.1.1j/include/openssl/dsa.h @@ -31,6 +31,7 @@ extern "C" { # endif @@ -10938,11 +10941,11 @@ Index: openssl-1.1.1h/include/openssl/dsa.h # define DSA_FLAG_CACHE_MONT_P 0x01 # if OPENSSL_API_COMPAT < 0x10100000L -Index: openssl-1.1.1h/include/openssl/evperr.h +Index: openssl-1.1.1j/include/openssl/evperr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/evperr.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/evperr.h 2020-09-22 22:42:58.474167775 +0200 -@@ -24,14 +24,15 @@ int ERR_load_EVP_strings(void); +--- openssl-1.1.1j.orig/include/openssl/evperr.h ++++ openssl-1.1.1j/include/openssl/evperr.h +@@ -22,14 +22,15 @@ int ERR_load_EVP_strings(void); * EVP function codes. */ # define EVP_F_AESNI_INIT_KEY 165 @@ -10961,7 +10964,7 @@ Index: openssl-1.1.1h/include/openssl/evperr.h # define EVP_F_ALG_MODULE_INIT 177 # define EVP_F_ARIA_CCM_INIT_KEY 175 # define EVP_F_ARIA_GCM_CTRL 197 -@@ -142,6 +143,7 @@ int ERR_load_EVP_strings(void); +@@ -140,6 +141,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 # define EVP_R_DECODE_ERROR 114 @@ -10969,7 +10972,7 @@ Index: openssl-1.1.1h/include/openssl/evperr.h # define EVP_R_DIFFERENT_KEY_TYPES 101 # define EVP_R_DIFFERENT_PARAMETERS 153 # define EVP_R_ERROR_LOADING_SECTION 165 -@@ -185,6 +187,7 @@ int ERR_load_EVP_strings(void); +@@ -184,6 +186,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 # define EVP_R_PUBLIC_KEY_NOT_RSA 106 @@ -10977,7 +10980,7 @@ Index: openssl-1.1.1h/include/openssl/evperr.h # define EVP_R_UNKNOWN_CIPHER 160 # define EVP_R_UNKNOWN_DIGEST 161 # define EVP_R_UNKNOWN_OPTION 169 -@@ -200,6 +203,7 @@ int ERR_load_EVP_strings(void); +@@ -199,6 +202,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_UNSUPPORTED_SALT_TYPE 126 # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 @@ -10986,10 +10989,10 @@ Index: openssl-1.1.1h/include/openssl/evperr.h +# define EVP_R_XTS_DUPLICATED_KEYS 192 #endif -Index: openssl-1.1.1h/include/openssl/evp.h +Index: openssl-1.1.1j/include/openssl/evp.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/evp.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/evp.h 2020-09-22 22:42:58.474167775 +0200 +--- openssl-1.1.1j.orig/include/openssl/evp.h ++++ openssl-1.1.1j/include/openssl/evp.h @@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP */ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4 @@ -11000,10 +11003,10 @@ Index: openssl-1.1.1h/include/openssl/evp.h const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags); void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, -Index: openssl-1.1.1h/include/openssl/fips.h +Index: openssl-1.1.1j/include/openssl/fips.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/include/openssl/fips.h 2020-09-22 22:42:58.474167775 +0200 +--- /dev/null ++++ openssl-1.1.1j/include/openssl/fips.h @@ -0,0 +1,187 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11192,10 +11195,10 @@ Index: openssl-1.1.1h/include/openssl/fips.h +} +# endif +#endif -Index: openssl-1.1.1h/include/openssl/fips_rand.h +Index: openssl-1.1.1j/include/openssl/fips_rand.h =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.1h/include/openssl/fips_rand.h 2020-09-22 22:42:58.474167775 +0200 +--- /dev/null ++++ openssl-1.1.1j/include/openssl/fips_rand.h @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11342,10 +11345,10 @@ Index: openssl-1.1.1h/include/openssl/fips_rand.h +# endif +# endif +#endif -Index: openssl-1.1.1h/include/openssl/opensslconf.h.in +Index: openssl-1.1.1j/include/openssl/opensslconf.h.in =================================================================== ---- openssl-1.1.1h.orig/include/openssl/opensslconf.h.in 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/opensslconf.h.in 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/include/openssl/opensslconf.h.in ++++ openssl-1.1.1j/include/openssl/opensslconf.h.in @@ -155,6 +155,11 @@ extern "C" { #define RC4_INT {- $config{rc4_int} -} @@ -11358,10 +11361,10 @@ Index: openssl-1.1.1h/include/openssl/opensslconf.h.in #ifdef __cplusplus } #endif -Index: openssl-1.1.1h/include/openssl/randerr.h +Index: openssl-1.1.1j/include/openssl/randerr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/randerr.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/randerr.h 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/include/openssl/randerr.h ++++ openssl-1.1.1j/include/openssl/randerr.h @@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void); # define RAND_F_RAND_DRBG_SET 104 # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 @@ -11370,10 +11373,10 @@ Index: openssl-1.1.1h/include/openssl/randerr.h # define RAND_F_RAND_LOAD_FILE 111 # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 # define RAND_F_RAND_POOL_ADD 103 -Index: openssl-1.1.1h/include/openssl/rand.h +Index: openssl-1.1.1j/include/openssl/rand.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/rand.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/rand.h 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/include/openssl/rand.h ++++ openssl-1.1.1j/include/openssl/rand.h @@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) # endif @@ -11386,10 +11389,10 @@ Index: openssl-1.1.1h/include/openssl/rand.h #ifdef __cplusplus } -Index: openssl-1.1.1h/include/openssl/rsaerr.h +Index: openssl-1.1.1j/include/openssl/rsaerr.h =================================================================== ---- openssl-1.1.1h.orig/include/openssl/rsaerr.h 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/include/openssl/rsaerr.h 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/include/openssl/rsaerr.h ++++ openssl-1.1.1j/include/openssl/rsaerr.h @@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void); */ # define RSA_F_CHECK_PADDING_MD 140 @@ -11445,10 +11448,10 @@ Index: openssl-1.1.1h/include/openssl/rsaerr.h # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 # define RSA_R_VALUE_MISSING 147 # define RSA_R_WRONG_SIGNATURE_LENGTH 119 -Index: openssl-1.1.1h/ssl/s3_lib.c +Index: openssl-1.1.1j/ssl/s3_lib.c =================================================================== ---- openssl-1.1.1h.orig/ssl/s3_lib.c 2020-09-22 14:55:07.000000000 +0200 -+++ openssl-1.1.1h/ssl/s3_lib.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/s3_lib.c ++++ openssl-1.1.1j/ssl/s3_lib.c @@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, @@ -11548,10 +11551,10 @@ Index: openssl-1.1.1h/ssl/s3_lib.c SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, -Index: openssl-1.1.1h/ssl/ssl_ciph.c +Index: openssl-1.1.1j/ssl/ssl_ciph.c =================================================================== ---- openssl-1.1.1h.orig/ssl/ssl_ciph.c 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/ssl/ssl_ciph.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/ssl_ciph.c ++++ openssl-1.1.1j/ssl/ssl_ciph.c @@ -385,7 +385,7 @@ int ssl_load_ciphers(void) } } @@ -11590,10 +11593,10 @@ Index: openssl-1.1.1h/ssl/ssl_ciph.c if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); -Index: openssl-1.1.1h/ssl/ssl_init.c +Index: openssl-1.1.1j/ssl/ssl_init.c =================================================================== ---- openssl-1.1.1h.orig/ssl/ssl_init.c 2020-09-22 22:42:57.014158316 +0200 -+++ openssl-1.1.1h/ssl/ssl_init.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/ssl_init.c ++++ openssl-1.1.1j/ssl/ssl_init.c @@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " "Adding SSL ciphers and digests\n"); @@ -11637,10 +11640,10 @@ Index: openssl-1.1.1h/ssl/ssl_init.c #ifndef OPENSSL_NO_COMP # ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " -Index: openssl-1.1.1h/ssl/ssl_lib.c +Index: openssl-1.1.1j/ssl/ssl_lib.c =================================================================== ---- openssl-1.1.1h.orig/ssl/ssl_lib.c 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/ssl/ssl_lib.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/ssl_lib.c ++++ openssl-1.1.1j/ssl/ssl_lib.c @@ -2973,6 +2973,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; @@ -11678,11 +11681,11 @@ Index: openssl-1.1.1h/ssl/ssl_lib.c } if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) -Index: openssl-1.1.1h/ssl/ssl_local.h +Index: openssl-1.1.1j/ssl/ssl_local.h =================================================================== ---- openssl-1.1.1h.orig/ssl/ssl_local.h 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/ssl/ssl_local.h 2020-09-22 22:42:58.478167800 +0200 -@@ -1516,6 +1516,7 @@ typedef struct tls_group_info_st { +--- openssl-1.1.1j.orig/ssl/ssl_local.h ++++ openssl-1.1.1j/ssl/ssl_local.h +@@ -1515,6 +1515,7 @@ typedef struct tls_group_info_st { # define TLS_CURVE_PRIME 0x0 # define TLS_CURVE_CHAR2 0x1 # define TLS_CURVE_CUSTOM 0x2 @@ -11690,10 +11693,10 @@ Index: openssl-1.1.1h/ssl/ssl_local.h typedef struct cert_pkey_st CERT_PKEY; -Index: openssl-1.1.1h/ssl/t1_lib.c +Index: openssl-1.1.1j/ssl/t1_lib.c =================================================================== ---- openssl-1.1.1h.orig/ssl/t1_lib.c 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/ssl/t1_lib.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/ssl/t1_lib.c ++++ openssl-1.1.1j/ssl/t1_lib.c @@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] = {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ @@ -11719,10 +11722,10 @@ Index: openssl-1.1.1h/ssl/t1_lib.c ctmp[0] = curve >> 8; ctmp[1] = curve & 0xff; return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); -Index: openssl-1.1.1h/test/dsatest.c +Index: openssl-1.1.1j/test/dsatest.c =================================================================== ---- openssl-1.1.1h.orig/test/dsatest.c 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/test/dsatest.c 2020-09-22 22:42:58.478167800 +0200 +--- openssl-1.1.1j.orig/test/dsatest.c ++++ openssl-1.1.1j/test/dsatest.c @@ -24,41 +24,42 @@ #ifndef OPENSSL_NO_DSA static int dsa_cb(int p, int n, BN_GENCB *arg); @@ -11805,10 +11808,10 @@ Index: openssl-1.1.1h/test/dsatest.c goto end; if (!TEST_int_eq(h, 2)) goto end; -Index: openssl-1.1.1h/test/recipes/30-test_evp_data/evpciph.txt +Index: openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt =================================================================== ---- openssl-1.1.1h.orig/test/recipes/30-test_evp_data/evpciph.txt 2020-09-22 22:42:57.018158342 +0200 -+++ openssl-1.1.1h/test/recipes/30-test_evp_data/evpciph.txt 2020-09-22 22:42:58.482167826 +0200 +--- openssl-1.1.1j.orig/test/recipes/30-test_evp_data/evpciph.txt ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt @@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000 IV = 00000000000000000000000000000000 Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 @@ -11817,10 +11820,10 @@ Index: openssl-1.1.1h/test/recipes/30-test_evp_data/evpciph.txt Cipher = aes-128-xts Key = 1111111111111111111111111111111122222222222222222222222222222222 -Index: openssl-1.1.1h/util/libcrypto.num +Index: openssl-1.1.1j/util/libcrypto.num =================================================================== ---- openssl-1.1.1h.orig/util/libcrypto.num 2020-09-22 22:42:58.482167826 +0200 -+++ openssl-1.1.1h/util/libcrypto.num 2020-09-22 22:43:36.782415940 +0200 +--- openssl-1.1.1j.orig/util/libcrypto.num ++++ openssl-1.1.1j/util/libcrypto.num @@ -4591,3 +4591,38 @@ X509_ALGOR_copy X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION: X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION: diff --git a/openssl-1.1.1i.tar.gz b/openssl-1.1.1i.tar.gz deleted file mode 100644 index dd60ad5..0000000 --- a/openssl-1.1.1i.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242 -size 9808346 diff --git a/openssl-1.1.1i.tar.gz.asc b/openssl-1.1.1i.tar.gz.asc deleted file mode 100644 index 5a496a1..0000000 --- a/openssl-1.1.1i.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl/PfcIACgkQ2cTSbQ5g -RJHxYQf8DFul2uhHXbiCxshH7PiOh/TgjEMrdjUMTerYv6dssTcOF08UY7kjXdwV -7WJ61XcDo6m6vpzqZDuz/rbMqTmNP1z8ShQ80T4DQus+QHp9zMkNDWcUFTpv2vSc -PYTHtlBk49zDXJiRNBtWx0UjiVvcUtrDoTf/X0n/2ucqebniHxOSIFG9i/nhE5iP -a+0ccguS9eoq4cphWmSWRQrzweNWjfJUm6kcFBUYek5cVM6JVYMDJRjwwe14lWVP -vVMADBMc6eQFkBD/f/cI0QrFKfB6/ObTgRLqT2aNFgaSHHKvqtjLaB+haldz8oHm -F9orllkrd9bTCxit2kEGHBKg4EjKLw== -=K/1H ------END PGP SIGNATURE----- diff --git a/openssl-1.1.1j.tar.gz b/openssl-1.1.1j.tar.gz new file mode 100644 index 0000000..1d78375 --- /dev/null +++ b/openssl-1.1.1j.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf +size 9823161 diff --git a/openssl-1.1.1j.tar.gz.asc b/openssl-1.1.1j.tar.gz.asc new file mode 100644 index 0000000..f1b9906 --- /dev/null +++ b/openssl-1.1.1j.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAr45gACgkQ2cTSbQ5g +RJE55AgAuAYlKdgDPQHfh7gyLmFl+fnO91iF8oaN/W4vFaAO2i3a/rwQayOOGWjh +UR4lUayR8ZLg+9p+69OGxogRd9mPp9YnZYSyLt/TO6BQcU9++CUIVYLgntUDiMzg ++doHvzWx7d9O070KBGb6+AwdUR2xZ29w+hcnq7DJ1xcLlbSj4iXzM1KapCEVlI08 +gHw9UpIy3LASfx9CgiPK1FdKcelpRp4VvUDU4i2QgKzVtQrOLXv7InDBqIiLpwi5 +PP0fAFnxQR1l7PgIF0T+dEyrz5xt60+6JpRaU8WIGqfrN+U4CuxKBvHW2ce7MgWz +oOIJ/1B7o5spKou6eKqm3gMP53J4hw== +=vzFe +-----END PGP SIGNATURE----- diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 541f288..4a780c4 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Fri Feb 19 08:01:01 UTC 2021 - Pedro Monreal + +- Update to 1.1.1j + * Fixed the X509_issuer_and_serial_hash() function. It attempts + to create a unique hash value based on the issuer and serial + number data contained within an X509 certificate. However it + was failing to correctly handle any errors that may occur + while parsing the issuer field [bsc#1182331, CVE-2021-23841] + * Fixed the RSA_padding_check_SSLv23() function and the + RSA_SSLV23_PADDING padding mode to correctly check for + rollback attacks. + * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and + EVP_DecryptUpdate functions. Previously they could overflow the + output length argument in some cases where the input length is + close to the maximum permissable length for an integer on the + platform. In such cases the return value from the function call + would be 1 (indicating success), but the output length value + would be negative. This could cause applications to behave + incorrectly or crash. [bsc#1182333, CVE-2021-23840] + * Fixed SRP_Calc_client_key so that it runs in constant time. + The previous implementation called BN_mod_exp without setting + BN_FLG_CONSTTIME. This could be exploited in a side channel + attack to recover the password. Since the attack is local host + only this is outside of the current OpenSSL threat model and + therefore no CVE is assigned. +- Rebase patches: + * openssl-1.1.1-fips.patch + * openssl-1.1.0-issuer-hash.patch + * openssl-1.1.1-evp-kdf.patch + ------------------------------------------------------------------- Sat Feb 6 14:44:12 UTC 2021 - Jason Sikes @@ -14,6 +45,11 @@ Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes * bsc#1181796 * sourced from https://github.com/openssl/openssl/pull/12331/files +------------------------------------------------------------------- +Fri Jan 22 09:05:41 UTC 2021 - Pedro Monreal + +- Add version guards for the crypto-policies + ------------------------------------------------------------------- Wed Jan 20 15:59:01 UTC 2021 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 9b40f36..ae44b35 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -21,7 +21,7 @@ %define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" package! -Version: 1.1.1i +Version: 1.1.1j Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -92,6 +92,9 @@ Patch53: openssl-1_1-seclevel.patch Patch54: openssl-1_1-use-seclevel2-in-tests.patch Patch55: openssl-1_1-disable-test_srp-sslapi.patch BuildRequires: pkgconfig +%if 0%{?suse_version} && ! 0%{?sle_version} +Requires: crypto-policies +%endif Conflicts: ssl Provides: ssl Provides: openssl(cli) @@ -110,7 +113,6 @@ OpenSSL contains an implementation of the SSL and TLS protocols. Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security -Requires: crypto-policies Recommends: ca-certificates-mozilla # install libopenssl and libopenssl-hmac close together (bsc#1090765) Suggests: libopenssl1_1-hmac = %{version}-%{release}