From d99d49a007d4ae5bf47a93715a441ae59603f4a394d7c943d3a62950976334b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Tue, 27 Mar 2018 15:20:21 +0000
Subject: [PATCH 1/2] Accepting request 591684 from home:vitezslav_cizek:branches:security:tls

- Update to 1.1.0h OpenSSL Security Advisory [27 Mar 2018]
* Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739) (bsc#1087102)
* rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) (bsc#1071906)
- refresh patches:
* 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
* openssl-1.1.0-fips.patch
* openssl-pkgconfig.patch
* openssl-rsakeygen-minimum-distance.patch
* openssl-static-deps.patch
OBS-URL: https://build.opensuse.org/request/show/591684
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=7
---
...ntf-implementation-use-glibc-instead.patch | 25 +-
openssl-1.1.0-fips.patch | 506 +++++++++---------
openssl-1.1.0g.tar.gz | 3 -
openssl-1.1.0g.tar.gz.asc | 10 -
openssl-1.1.0h.tar.gz | 3 +
openssl-1.1.0h.tar.gz.asc | 10 +
openssl-1_1.changes | 16 +
openssl-1_1.spec | 2 +-
openssl-pkgconfig.patch | 12 +-
openssl-rsakeygen-minimum-distance.patch | 16 +-
openssl-static-deps.patch | 50 +-
11 files changed, 334 insertions(+), 319 deletions(-)
delete mode 100644 openssl-1.1.0g.tar.gz
delete mode 100644 openssl-1.1.0g.tar.gz.asc
create mode 100644 openssl-1.1.0h.tar.gz
create mode 100644 openssl-1.1.0h.tar.gz.asc
diff --git a/0001-Axe-builtin-printf-implementation-use-glibc-instead.patch b/0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
index bbde5dd..419c9ce 100644
--- a/0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+++ b/0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
@@ -4,11 +4,11 @@ Date: Sun, 4 May 2014 23:36:54 -0400 Subject: [PATCH] Axe builtin printf implementation, use glibc instead -Index: openssl-1.1.0g/crypto/bio/b_print.c +Index: openssl-1.1.0h/crypto/bio/b_print.c =================================================================== ---- openssl-1.1.0g.orig/crypto/bio/b_print.c 2017-11-02 15:29:02.000000000 +0100 -+++ openssl-1.1.0g/crypto/bio/b_print.c 2017-11-02 20:48:01.240953505 +0100 -@@ -21,831 +21,6 @@ +--- openssl-1.1.0h.orig/crypto/bio/b_print.c 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/crypto/bio/b_print.c 2018-03-27 16:31:15.425784205 +0200 +@@ -21,830 +21,6 @@ * on all source code distributions. */ @@ -656,7 +656,7 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c - iconvert[iplace++] = "0123456789"[intpart % 10]; - intpart = (intpart / 10); - } while (intpart && (iplace < (int)sizeof(iconvert))); -- if (iplace == sizeof iconvert) +- if (iplace == sizeof(iconvert)) - iplace--; - iconvert[iplace] = 0; - @@ -674,7 +674,7 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c - fracpart = (fracpart / 10); - } - -- if (fplace == sizeof fconvert) +- if (fplace == sizeof(fconvert)) - fplace--; - fconvert[fplace] = 0; - @@ -836,11 +836,10 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c -} - -/***************************************************************************/ -- + int BIO_printf(BIO *bio, const char *format, ...) { - va_list args; -@@ -859,30 +34,36 @@ int BIO_printf(BIO *bio, const char *for +@@ -859,30 +35,36 @@ int BIO_printf(BIO *bio, const char *for return (ret); } @@ -898,7 +897,7 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c return (ret); } -@@ -898,29 +79,21 @@ int BIO_snprintf(char *buf, size_t n, co +@@ -898,29 +80,21 @@ int BIO_snprintf(char *buf, size_t n, co int ret; va_start(args, format); 
@@ -936,10 +935,10 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c - return (retlen <= INT_MAX) ? (int)retlen : -1; + return (ret); } -Index: openssl-1.1.0g/test/bioprinttest.c +Index: openssl-1.1.0h/test/bioprinttest.c =================================================================== ---- openssl-1.1.0g.orig/test/bioprinttest.c 2017-11-02 15:29:05.000000000 +0100 -+++ openssl-1.1.0g/test/bioprinttest.c 2017-11-02 20:45:03.446174264 +0100 +--- openssl-1.1.0h.orig/test/bioprinttest.c 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/test/bioprinttest.c 2018-03-27 16:30:23.096947435 +0200 @@ -200,13 +200,6 @@ int main(int argc, char **argv) dofptest(test++, 66666.0 + frac, width, prec, &fail); } diff --git a/openssl-1.1.0-fips.patch b/openssl-1.1.0-fips.patch index 4195494..a611c61 100644 --- a/openssl-1.1.0-fips.patch +++ b/openssl-1.1.0-fips.patch @@ -1,8 +1,8 @@ -Index: openssl-1.1.0g/apps/speed.c +Index: openssl-1.1.0h/apps/speed.c =================================================================== ---- openssl-1.1.0g.orig/apps/speed.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/apps/speed.c 2017-11-02 20:48:37.765524549 +0100 -@@ -1470,7 +1470,9 @@ int speed_main(int argc, char **argv) +--- openssl-1.1.0h.orig/apps/speed.c 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/apps/speed.c 2018-03-27 16:33:31.935965886 +0200 +@@ -1471,7 +1471,9 @@ int speed_main(int argc, char **argv) if (strcmp(*argv, "openssl") == 0) continue; if (strcmp(*argv, "rsa") == 0) { @@ -13,7 +13,7 @@ Index: openssl-1.1.0g/apps/speed.c rsa_doit[R_RSA_2048] = rsa_doit[R_RSA_3072] = rsa_doit[R_RSA_4096] = rsa_doit[R_RSA_7680] = rsa_doit[R_RSA_15360] = 1; -@@ -1483,7 +1485,9 @@ int speed_main(int argc, char **argv) +@@ -1484,7 +1486,9 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_DSA if (strcmp(*argv, "dsa") == 0) { 
@@ -24,7 +24,7 @@ Index: openssl-1.1.0g/apps/speed.c dsa_doit[R_DSA_2048] = 1; continue; } -@@ -1572,15 +1576,21 @@ int speed_main(int argc, char **argv) +@@ -1573,15 +1577,21 @@ int speed_main(int argc, char **argv) /* No parameters; turn on everything. */ if ((argc == 0) && !doit[D_EVP]) { for (i = 0; i < ALGOR_NUM; i++) @@ -48,8 +48,8 @@ Index: openssl-1.1.0g/apps/speed.c + dsa_doit[i] = 1; #endif #ifndef OPENSSL_NO_EC - for (i = 0; i < EC_NUM; i++) -@@ -1629,30 +1639,46 @@ int speed_main(int argc, char **argv) + for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++) +@@ -1630,30 +1640,46 @@ int speed_main(int argc, char **argv) AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); #ifndef OPENSSL_NO_CAMELLIA @@ -106,7 +106,7 @@ Index: openssl-1.1.0g/apps/speed.c #endif #ifndef SIGALRM # ifndef OPENSSL_NO_DES -@@ -1913,6 +1939,7 @@ int speed_main(int argc, char **argv) +@@ -1914,6 +1940,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) { loopargs[i].hctx = HMAC_CTX_new(); @@ -114,11 +114,11 @@ Index: openssl-1.1.0g/apps/speed.c if (loopargs[i].hctx == NULL) { BIO_printf(bio_err, "HMAC malloc failure, exiting..."); exit(1); -Index: openssl-1.1.0g/Configure +Index: openssl-1.1.0h/Configure =================================================================== ---- openssl-1.1.0g.orig/Configure 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/Configure 2017-11-02 20:48:37.765524549 +0100 -@@ -308,7 +308,7 @@ $config{sdirs} = [ +--- openssl-1.1.0h.orig/Configure 2018-03-27 16:33:31.835964289 +0200 ++++ openssl-1.1.0h/Configure 2018-03-27 16:33:31.935965886 +0200 +@@ -310,7 +310,7 @@ $config{sdirs} = [ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "des", "aes", "rc2", "rc4", "rc5", "idea", "bf", "cast", "camellia", "seed", "chacha", "modes", "bn", "ec", "rsa", "dsa", "dh", "dso", "engine", 
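Review bot: In the speed.c part of openssl-1.1.0-fips.patch, the single line the patch adds inside the `for (i = 0; i < loopargs_len; i++)` loop sits between `loopargs[i].hctx = HMAC_CTX_new();` and the `if (loopargs[i].hctx == NULL)` check, so whatever it does with the context runs before the allocation has been validated. The added line itself (patch line 113) falls in the gap between the `@@ -106,7 +106,7 @@` and `@@ -114,11 +114,11 @@` hunks and is not shown, so its content is inferred; if it touches `loopargs[i].hctx`, an allocation failure becomes a NULL dereference instead of reaching the `HMAC malloc failure, exiting...` message. Since the patch is being refreshed anyway, move that line below the NULL-check block. speed_main starts and ends outside these hunks.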
@@ -127,10 +127,10 @@ Index: openssl-1.1.0g/Configure "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf" ]; -Index: openssl-1.1.0g/crypto/bn/bn_rand.c +Index: openssl-1.1.0h/crypto/bn/bn_rand.c =================================================================== ---- openssl-1.1.0g.orig/crypto/bn/bn_rand.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/bn/bn_rand.c 2017-11-02 20:48:37.765524549 +0100 +--- openssl-1.1.0h.orig/crypto/bn/bn_rand.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/bn/bn_rand.c 2018-03-27 16:33:31.935965886 +0200 @@ -39,9 +39,11 @@ static int bnrand(int pseudorand, BIGNUM goto err; } @@ -146,10 +146,10 @@ Index: openssl-1.1.0g/crypto/bn/bn_rand.c if (RAND_bytes(buf, bytes) <= 0) goto err; -Index: openssl-1.1.0g/crypto/dh/dh_err.c +Index: openssl-1.1.0h/crypto/dh/dh_err.c =================================================================== ---- openssl-1.1.0g.orig/crypto/dh/dh_err.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/dh/dh_err.c 2017-11-02 20:48:37.765524549 +0100 +--- openssl-1.1.0h.orig/crypto/dh/dh_err.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/dh/dh_err.c 2018-03-27 16:33:31.935965886 +0200 @@ -25,6 +25,9 @@ static ERR_STRING_DATA DH_str_functs[] = {ERR_FUNC(DH_F_DH_CMS_DECRYPT), "dh_cms_decrypt"}, {ERR_FUNC(DH_F_DH_CMS_SET_PEERKEY), "dh_cms_set_peerkey"}, 
@@ -172,10 +172,10 @@ Index: openssl-1.1.0g/crypto/dh/dh_err.c {ERR_REASON(DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_REASON(DH_R_PEER_KEY_ERROR), "peer key error"}, {ERR_REASON(DH_R_SHARED_INFO_ERROR), "shared info error"}, -Index: openssl-1.1.0g/crypto/dh/dh_gen.c +Index: openssl-1.1.0h/crypto/dh/dh_gen.c =================================================================== ---- openssl-1.1.0g.orig/crypto/dh/dh_gen.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/dh/dh_gen.c 2017-11-02 20:48:37.765524549 +0100 +--- openssl-1.1.0h.orig/crypto/dh/dh_gen.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/dh/dh_gen.c 2018-03-27 16:33:31.935965886 +0200 @@ -16,6 +16,9 @@ #include "internal/cryptlib.h" #include @@ -219,10 +219,10 @@ Index: openssl-1.1.0g/crypto/dh/dh_gen.c ctx = BN_CTX_new(); if (ctx == NULL) goto err; -Index: openssl-1.1.0g/crypto/dh/dh_key.c +Index: openssl-1.1.0h/crypto/dh/dh_key.c =================================================================== ---- openssl-1.1.0g.orig/crypto/dh/dh_key.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/dh/dh_key.c 2017-11-02 20:48:37.765524549 +0100 +--- openssl-1.1.0h.orig/crypto/dh/dh_key.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/dh/dh_key.c 2018-03-27 16:33:31.935965886 +0200 @@ -11,6 +11,9 @@ #include "internal/cryptlib.h" #include "dh_locl.h" @@ -306,10 +306,10 @@ Index: openssl-1.1.0g/crypto/dh/dh_key.c dh->flags |= DH_FLAG_CACHE_MONT_P; return (1); } -Index: openssl-1.1.0g/crypto/dsa/dsa_err.c +Index: openssl-1.1.0h/crypto/dsa/dsa_err.c =================================================================== ---- openssl-1.1.0g.orig/crypto/dsa/dsa_err.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/dsa/dsa_err.c 2017-11-02 20:48:37.765524549 +0100 +--- openssl-1.1.0h.orig/crypto/dsa/dsa_err.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/dsa/dsa_err.c 2018-03-27 16:33:31.935965886 +0200 
@@ -21,10 +21,13 @@ static ERR_STRING_DATA DSA_str_functs[] = { {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, @@ -337,10 +337,10 @@ Index: openssl-1.1.0g/crypto/dsa/dsa_err.c {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_REASON(DSA_R_Q_NOT_PRIME), "q not prime"}, {ERR_REASON(DSA_R_SEED_LEN_SMALL), -Index: openssl-1.1.0g/crypto/dsa/dsa_gen.c +Index: openssl-1.1.0h/crypto/dsa/dsa_gen.c =================================================================== ---- openssl-1.1.0g.orig/crypto/dsa/dsa_gen.c 2017-11-02 15:29:03.000000000 +0100 -+++ openssl-1.1.0g/crypto/dsa/dsa_gen.c 2017-11-02 20:48:37.765524549 +0100 +--- openssl-1.1.0h.orig/crypto/dsa/dsa_gen.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/dsa/dsa_gen.c 2018-03-27 16:33:31.939965950 +0200 @@ -22,12 +22,22 @@ #include #include @@ -502,10 +502,10 @@ Index: openssl-1.1.0g/crypto/dsa/dsa_gen.c +} + +#endif -Index: openssl-1.1.0g/crypto/dsa/dsa_key.c +Index: openssl-1.1.0h/crypto/dsa/dsa_key.c =================================================================== ---- openssl-1.1.0g.orig/crypto/dsa/dsa_key.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/dsa/dsa_key.c 2017-11-02 20:48:37.765524549 +0100 +--- openssl-1.1.0h.orig/crypto/dsa/dsa_key.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/dsa/dsa_key.c 2018-03-27 16:33:31.939965950 +0200 @@ -13,10 +13,49 @@ #include #include "dsa_locl.h" 
@@ -585,10 +585,10 @@ Index: openssl-1.1.0g/crypto/dsa/dsa_key.c ok = 1; err: -Index: openssl-1.1.0g/crypto/dsa/dsa_ossl.c +Index: openssl-1.1.0h/crypto/dsa/dsa_ossl.c =================================================================== ---- openssl-1.1.0g.orig/crypto/dsa/dsa_ossl.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/dsa/dsa_ossl.c 2017-11-02 20:48:37.765524549 +0100 +--- openssl-1.1.0h.orig/crypto/dsa/dsa_ossl.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/dsa/dsa_ossl.c 2018-03-27 16:33:31.939965950 +0200 @@ -15,6 +15,9 @@ #include #include "dsa_locl.h" @@ -648,10 +648,10 @@ Index: openssl-1.1.0g/crypto/dsa/dsa_ossl.c dsa->flags |= DSA_FLAG_CACHE_MONT_P; return (1); } -Index: openssl-1.1.0g/crypto/dsa/dsa_pmeth.c +Index: openssl-1.1.0h/crypto/dsa/dsa_pmeth.c =================================================================== ---- openssl-1.1.0g.orig/crypto/dsa/dsa_pmeth.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/dsa/dsa_pmeth.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/dsa/dsa_pmeth.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/dsa/dsa_pmeth.c 2018-03-27 16:33:31.939965950 +0200 @@ -212,8 +212,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT BN_GENCB_free(pcb); return 0; @@ -663,10 +663,10 @@ Index: openssl-1.1.0g/crypto/dsa/dsa_pmeth.c BN_GENCB_free(pcb); if (ret) EVP_PKEY_assign_DSA(pkey, dsa); -Index: openssl-1.1.0g/crypto/ec/ecdh_ossl.c +Index: openssl-1.1.0h/crypto/ec/ecdh_ossl.c =================================================================== ---- openssl-1.1.0g.orig/crypto/ec/ecdh_ossl.c 2017-11-02 20:48:36.165499533 +0100 -+++ openssl-1.1.0g/crypto/ec/ecdh_ossl.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/ec/ecdh_ossl.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/ec/ecdh_ossl.c 2018-03-27 16:33:31.939965950 +0200 @@ -33,9 +33,20 @@ #include #include "ec_lcl.h" 
@@ -688,10 +688,10 @@ Index: openssl-1.1.0g/crypto/ec/ecdh_ossl.c if (ecdh->group->meth->ecdh_compute_key == NULL) { ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); return 0; -Index: openssl-1.1.0g/crypto/ec/ecdsa_ossl.c +Index: openssl-1.1.0h/crypto/ec/ecdsa_ossl.c =================================================================== ---- openssl-1.1.0g.orig/crypto/ec/ecdsa_ossl.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/ec/ecdsa_ossl.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/ec/ecdsa_ossl.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/ec/ecdsa_ossl.c 2018-03-27 16:33:31.939965950 +0200 @@ -15,6 +15,10 @@ #include #include "ec_lcl.h" @@ -731,10 +731,10 @@ Index: openssl-1.1.0g/crypto/ec/ecdsa_ossl.c /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -Index: openssl-1.1.0g/crypto/ec/ec_key.c +Index: openssl-1.1.0h/crypto/ec/ec_key.c =================================================================== ---- openssl-1.1.0g.orig/crypto/ec/ec_key.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/ec/ec_key.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/ec/ec_key.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/ec/ec_key.c 2018-03-27 16:33:31.939965950 +0200 @@ -177,14 +177,61 @@ int EC_KEY_up_ref(EC_KEY *r) return ((i > 1) ? 1 : 0); } 
@@ -799,10 +799,10 @@ Index: openssl-1.1.0g/crypto/ec/ec_key.c ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } -Index: openssl-1.1.0g/crypto/err/err_all.c +Index: openssl-1.1.0h/crypto/err/err_all.c =================================================================== ---- openssl-1.1.0g.orig/crypto/err/err_all.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/err/err_all.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/err/err_all.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/err/err_all.c 2018-03-27 16:33:31.939965950 +0200 @@ -43,9 +43,6 @@ int err_load_crypto_strings_int(void) { @@ -813,10 +813,10 @@ Index: openssl-1.1.0g/crypto/err/err_all.c #ifndef OPENSSL_NO_ERR ERR_load_ERR_strings() == 0 || /* include error strings for SYSerr */ ERR_load_BN_strings() == 0 || -Index: openssl-1.1.0g/crypto/evp/c_allc.c +Index: openssl-1.1.0h/crypto/evp/c_allc.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/c_allc.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/evp/c_allc.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/c_allc.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/c_allc.c 2018-03-27 16:33:31.939965950 +0200 @@ -17,6 +17,9 @@ void openssl_add_all_ciphers_int(void) { @@ -898,10 +898,10 @@ Index: openssl-1.1.0g/crypto/evp/c_allc.c + } +#endif } -Index: openssl-1.1.0g/crypto/evp/c_alld.c +Index: openssl-1.1.0h/crypto/evp/c_alld.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/c_alld.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/evp/c_alld.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/c_alld.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/c_alld.c 2018-03-27 16:33:31.939965950 +0200 @@ -16,6 +16,9 @@ void openssl_add_all_digests_int(void) 
@@ -928,10 +928,10 @@ Index: openssl-1.1.0g/crypto/evp/c_alld.c + } +#endif } -Index: openssl-1.1.0g/crypto/evp/digest.c +Index: openssl-1.1.0h/crypto/evp/digest.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/digest.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/evp/digest.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/digest.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/digest.c 2018-03-27 16:33:31.939965950 +0200 @@ -14,6 +14,9 @@ #include #include "internal/evp_int.h" @@ -991,11 +991,11 @@ Index: openssl-1.1.0g/crypto/evp/digest.c OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) -Index: openssl-1.1.0g/crypto/evp/e_aes.c +Index: openssl-1.1.0h/crypto/evp/e_aes.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/e_aes.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/evp/e_aes.c 2017-11-02 20:48:37.769524611 +0100 -@@ -1261,9 +1261,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX +--- openssl-1.1.0h.orig/crypto/evp/e_aes.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/e_aes.c 2018-03-27 16:33:31.939965950 +0200 +@@ -1263,9 +1263,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX return 1; } @@ -1008,7 +1008,7 @@ Index: openssl-1.1.0g/crypto/evp/e_aes.c static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) { -@@ -1309,6 +1309,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * +@@ -1311,6 +1311,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; 
@@ -1020,7 +1020,7 @@ Index: openssl-1.1.0g/crypto/evp/e_aes.c /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c)) -@@ -1769,11 +1774,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX +@@ -1771,11 +1776,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX | EVP_CIPH_CUSTOM_COPY) BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, @@ -1038,7 +1038,7 @@ Index: openssl-1.1.0g/crypto/evp/e_aes.c static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -1908,6 +1916,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -1910,6 +1918,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; @@ -1053,7 +1053,7 @@ Index: openssl-1.1.0g/crypto/evp/e_aes.c if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, -@@ -1925,8 +1941,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -1927,8 +1943,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ | EVP_CIPH_CUSTOM_COPY) @@ -1066,7 +1066,7 @@ Index: openssl-1.1.0g/crypto/evp/e_aes.c static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -2190,11 +2208,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX +@@ -2192,11 +2210,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX #define aes_ccm_cleanup NULL BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, @@ -1081,7 +1081,7 @@ Index: openssl-1.1.0g/crypto/evp/e_aes.c typedef struct { union { -@@ -2287,7 +2305,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT +@@ -2289,7 +2307,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT return rv ? (int)rv : -1; } 
@@ -1090,10 +1090,10 @@ Index: openssl-1.1.0g/crypto/evp/e_aes.c | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) -Index: openssl-1.1.0g/crypto/evp/e_des3.c +Index: openssl-1.1.0h/crypto/evp/e_des3.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/e_des3.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/evp/e_des3.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/e_des3.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/e_des3.c 2018-03-27 16:33:31.939965950 +0200 @@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, # define des_ede3_cbc_cipher des_ede_cbc_cipher # define des_ede3_ecb_cipher des_ede_ecb_cipher @@ -1120,10 +1120,10 @@ Index: openssl-1.1.0g/crypto/evp/e_des3.c static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -Index: openssl-1.1.0g/crypto/evp/e_null.c +Index: openssl-1.1.0h/crypto/evp/e_null.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/e_null.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/evp/e_null.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/e_null.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/e_null.c 2018-03-27 16:33:31.939965950 +0200 @@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c const unsigned char *in, size_t inl); static const EVP_CIPHER n_cipher = { 
@@ -1134,10 +1134,10 @@ Index: openssl-1.1.0g/crypto/evp/e_null.c null_init_key, null_cipher, NULL, -Index: openssl-1.1.0g/crypto/evp/evp_enc.c +Index: openssl-1.1.0h/crypto/evp/evp_enc.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/evp_enc.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/evp/evp_enc.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/evp_enc.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/evp_enc.c 2018-03-27 16:33:31.939965950 +0200 @@ -16,10 +16,19 @@ #include #include "internal/evp_int.h" @@ -1213,10 +1213,10 @@ Index: openssl-1.1.0g/crypto/evp/evp_enc.c if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if (!ctx->cipher->init(ctx, key, iv, enc)) -Index: openssl-1.1.0g/crypto/evp/evp_err.c +Index: openssl-1.1.0h/crypto/evp/evp_err.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/evp_err.c 2017-11-02 20:48:36.169499595 +0100 -+++ openssl-1.1.0g/crypto/evp/evp_err.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/evp_err.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/evp_err.c 2018-03-27 16:33:31.939965950 +0200 @@ -24,6 +24,7 @@ static ERR_STRING_DATA EVP_str_functs[] {ERR_FUNC(EVP_F_AES_OCB_CIPHER), "aes_ocb_cipher"}, {ERR_FUNC(EVP_F_AES_T4_INIT_KEY), "aes_t4_init_key"}, 
@@ -1233,7 +1233,7 @@ Index: openssl-1.1.0g/crypto/evp/evp_err.c {ERR_REASON(EVP_R_ERROR_LOADING_SECTION), "error loading section"}, {ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE), "error setting fips mode"}, {ERR_REASON(EVP_R_EXPECTING_AN_HMAC_KEY), "expecting an hmac key"}, -@@ -148,6 +150,7 @@ static ERR_STRING_DATA EVP_str_reasons[] +@@ -150,6 +152,7 @@ static ERR_STRING_DATA EVP_str_reasons[] {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"}, {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"}, {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, @@ -1241,10 +1241,10 @@ Index: openssl-1.1.0g/crypto/evp/evp_err.c {ERR_REASON(EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, {ERR_REASON(EVP_R_UNKNOWN_DIGEST), "unknown digest"}, {ERR_REASON(EVP_R_UNKNOWN_OPTION), "unknown option"}, -Index: openssl-1.1.0g/crypto/evp/evp_lib.c +Index: openssl-1.1.0h/crypto/evp/evp_lib.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/evp_lib.c 2017-11-02 20:48:36.173499657 +0100 -+++ openssl-1.1.0g/crypto/evp/evp_lib.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/evp_lib.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/evp_lib.c 2018-03-27 16:33:31.939965950 +0200 @@ -180,6 +180,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) 
@@ -1255,10 +1255,10 @@ Index: openssl-1.1.0g/crypto/evp/evp_lib.c return ctx->cipher->do_cipher(ctx, out, in, inl); } -Index: openssl-1.1.0g/crypto/evp/m_sha1.c +Index: openssl-1.1.0h/crypto/evp/m_sha1.c =================================================================== ---- openssl-1.1.0g.orig/crypto/evp/m_sha1.c 2017-11-02 20:48:36.173499657 +0100 -+++ openssl-1.1.0g/crypto/evp/m_sha1.c 2017-11-02 20:48:37.769524611 +0100 +--- openssl-1.1.0h.orig/crypto/evp/m_sha1.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/evp/m_sha1.c 2018-03-27 16:33:31.939965950 +0200 @@ -94,7 +94,7 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -1268,16 +1268,16 @@ Index: openssl-1.1.0g/crypto/evp/m_sha1.c init, update, final, -@@ -139,7 +139,7 @@ static const EVP_MD sha224_md = { +@@ -144,7 +144,7 @@ static const EVP_MD sha224_md = { NID_sha224, NID_sha224WithRSAEncryption, SHA224_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init224, - update256, - final256, -@@ -158,7 +158,7 @@ static const EVP_MD sha256_md = { + update224, + final224, +@@ -163,7 +163,7 @@ static const EVP_MD sha256_md = { NID_sha256, NID_sha256WithRSAEncryption, SHA256_DIGEST_LENGTH, @@ -1286,16 +1286,16 @@ Index: openssl-1.1.0g/crypto/evp/m_sha1.c init256, update256, final256, -@@ -198,7 +198,7 @@ static const EVP_MD sha384_md = { +@@ -213,7 +213,7 @@ static const EVP_MD sha384_md = { NID_sha384, NID_sha384WithRSAEncryption, SHA384_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init384, - update512, - final512, -@@ -217,7 +217,7 @@ static const EVP_MD sha512_md = { + update384, + final384, +@@ -232,7 +232,7 @@ static const EVP_MD sha512_md = { NID_sha512, NID_sha512WithRSAEncryption, SHA512_DIGEST_LENGTH, 
@@ -1304,10 +1304,10 @@ Index: openssl-1.1.0g/crypto/evp/m_sha1.c init512, update512, final512, -Index: openssl-1.1.0g/crypto/fips/build.info +Index: openssl-1.1.0h/crypto/fips/build.info =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/build.info 2017-11-02 20:48:37.769524611 +0100 ++++ openssl-1.1.0h/crypto/fips/build.info 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,15 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ @@ -1324,10 +1324,10 @@ Index: openssl-1.1.0g/crypto/fips/build.info +SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c +INCLUDE[fips_standalone_hmac]=../../include +DEPEND[fips_standalone_hmac]=../../libcrypto.a -Index: openssl-1.1.0g/crypto/fips/fips_aes_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_aes_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_aes_selftest.c 2017-11-02 20:48:37.769524611 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_aes_selftest.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,372 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -1701,10 +1701,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_aes_selftest.c +} + +#endif -Index: openssl-1.1.0g/crypto/fips/fips.c +Index: openssl-1.1.0h/crypto/fips/fips.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips.c 2017-11-02 20:48:37.769524611 +0100 ++++ openssl-1.1.0h/crypto/fips/fips.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,526 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -2232,10 +2232,10 @@ Index: openssl-1.1.0g/crypto/fips/fips.c +} + +#endif -Index: openssl-1.1.0g/crypto/fips/fips_cmac_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_cmac_selftest.c 2017-11-02 20:48:37.769524611 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -2393,10 +2393,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_cmac_selftest.c + return rv; +} +#endif -Index: openssl-1.1.0g/crypto/fips/fips_des_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_des_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_des_selftest.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_des_selftest.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,133 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2531,10 +2531,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_des_selftest.c + return ret; +} +#endif -Index: openssl-1.1.0g/crypto/fips/fips_dh_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_dh_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_dh_selftest.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_dh_selftest.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -2716,10 +2716,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_dh_selftest.c + return ret; +} +#endif -Index: openssl-1.1.0g/crypto/fips/fips_drbg_ctr.c +Index: openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_drbg_ctr.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,415 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3136,10 +3136,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_drbg_ctr.c + + return 1; +} -Index: openssl-1.1.0g/crypto/fips/fips_drbg_hash.c +Index: openssl-1.1.0h/crypto/fips/fips_drbg_hash.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_drbg_hash.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_drbg_hash.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,361 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3502,10 +3502,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_drbg_hash.c + + return 1; +} -Index: openssl-1.1.0g/crypto/fips/fips_drbg_hmac.c +Index: openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_drbg_hmac.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,272 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -3779,10 +3779,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_drbg_hmac.c + + return 1; +} -Index: openssl-1.1.0g/crypto/fips/fips_drbg_lib.c +Index: openssl-1.1.0h/crypto/fips/fips_drbg_lib.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_drbg_lib.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_drbg_lib.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,555 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4339,10 +4339,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_drbg_lib.c + memcpy(dctx->lb, out, dctx->blocklength); + return 1; +} -Index: openssl-1.1.0g/crypto/fips/fips_drbg_rand.c +Index: openssl-1.1.0h/crypto/fips/fips_drbg_rand.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_drbg_rand.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_drbg_rand.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,183 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4527,10 +4527,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_drbg_rand.c +{ + return &rand_drbg_meth; +} -Index: openssl-1.1.0g/crypto/fips/fips_drbg_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_drbg_selftest.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,828 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -5360,10 +5360,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_drbg_selftest.c + FIPS_drbg_free(dctx); + return rv; +} -Index: openssl-1.1.0g/crypto/fips/fips_drbg_selftest.h +Index: openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_drbg_selftest.h 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7156,10 +7156,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_drbg_selftest.h + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -Index: openssl-1.1.0g/crypto/fips/fips_dsa_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_dsa_selftest.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c 2018-03-27 16:33:31.943966014 +0200 @@ -0,0 +1,195 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7356,10 +7356,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_dsa_selftest.c + return ret; +} +#endif -Index: openssl-1.1.0g/crypto/fips/fips_ecdh_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_ecdh_selftest.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c 2018-03-27 16:33:31.947966078 +0200 
@@ -0,0 +1,242 @@ +/* fips/ecdh/fips_ecdh_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7603,10 +7603,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_ecdh_selftest.c +} + +#endif -Index: openssl-1.1.0g/crypto/fips/fips_ecdsa_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_ecdsa_selftest.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,166 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7774,10 +7774,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_ecdsa_selftest.c +} + +#endif -Index: openssl-1.1.0g/crypto/fips/fips_enc.c +Index: openssl-1.1.0h/crypto/fips/fips_enc.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_enc.c 2017-11-02 20:48:37.773524674 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_enc.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,189 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -7968,10 +7968,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_enc.c + + } +} -Index: openssl-1.1.0g/crypto/fips/fips_err.h +Index: openssl-1.1.0h/crypto/fips/fips_err.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_err.h 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_err.h 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,196 @@ +/* crypto/fips_err.h */ +/* ==================================================================== 
@@ -8169,10 +8169,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_err.h +#endif + return 1; +} -Index: openssl-1.1.0g/crypto/fips/fips_ers.c +Index: openssl-1.1.0h/crypto/fips/fips_ers.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_ers.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_ers.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,7 @@ +#include + @@ -8181,10 +8181,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_ers.c +#else +static void *dummy = &dummy; +#endif -Index: openssl-1.1.0g/crypto/fips/fips_hmac_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_hmac_selftest.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -8320,10 +8320,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_hmac_selftest.c + return 1; +} +#endif -Index: openssl-1.1.0g/crypto/fips/fips_locl.h +Index: openssl-1.1.0h/crypto/fips/fips_locl.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_locl.h 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_locl.h 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -8396,10 +8396,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_locl.h +} +# endif +#endif -Index: openssl-1.1.0g/crypto/fips/fips_md.c +Index: openssl-1.1.0h/crypto/fips/fips_md.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_md.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_md.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,144 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -8545,10 +8545,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_md.c + return NULL; + } +} -Index: openssl-1.1.0g/crypto/fips/fips_post.c +Index: openssl-1.1.0h/crypto/fips/fips_post.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_post.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_post.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,222 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8772,10 +8772,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_post.c + return 1; +} +#endif -Index: openssl-1.1.0g/crypto/fips/fips_rand_lcl.h +Index: openssl-1.1.0h/crypto/fips/fips_rand_lcl.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_rand_lcl.h 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_rand_lcl.h 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,209 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -8986,10 +8986,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_rand_lcl.h +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -Index: openssl-1.1.0g/crypto/fips/fips_rand_lib.c +Index: openssl-1.1.0h/crypto/fips/fips_rand_lib.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_rand_lib.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_rand_lib.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,234 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9225,10 +9225,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_rand_lib.c +# endif +} + -Index: openssl-1.1.0g/crypto/fips/fips_randtest.c +Index: openssl-1.1.0h/crypto/fips/fips_randtest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_randtest.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_randtest.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,247 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -9477,10 +9477,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_randtest.c +} + +#endif -Index: openssl-1.1.0g/crypto/fips/fips_rsa_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_rsa_selftest.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,578 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. 
@@ -10060,10 +10060,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_rsa_selftest.c +} + +#endif /* def OPENSSL_FIPS */ -Index: openssl-1.1.0g/crypto/fips/fips_sha_selftest.c +Index: openssl-1.1.0h/crypto/fips/fips_sha_selftest.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_sha_selftest.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_sha_selftest.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,138 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10203,10 +10203,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_sha_selftest.c +} + +#endif -Index: openssl-1.1.0g/crypto/fips/fips_standalone_hmac.c +Index: openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/fips/fips_standalone_hmac.c 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,127 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10335,10 +10335,10 @@ Index: openssl-1.1.0g/crypto/fips/fips_standalone_hmac.c +#endif + return 0; +} -Index: openssl-1.1.0g/crypto/hmac/hmac.c +Index: openssl-1.1.0h/crypto/hmac/hmac.c =================================================================== ---- openssl-1.1.0g.orig/crypto/hmac/hmac.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/hmac/hmac.c 2017-11-02 20:48:37.777524736 +0100 +--- openssl-1.1.0h.orig/crypto/hmac/hmac.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/hmac/hmac.c 2018-03-27 16:33:31.947966078 +0200 @@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo } 
@@ -10353,10 +10353,10 @@ Index: openssl-1.1.0g/crypto/hmac/hmac.c reset = 1; j = EVP_MD_block_size(md); OPENSSL_assert(j <= (int)sizeof(ctx->key)); -Index: openssl-1.1.0g/crypto/include/internal/fips_int.h +Index: openssl-1.1.0h/crypto/include/internal/fips_int.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/crypto/include/internal/fips_int.h 2017-11-02 20:48:37.777524736 +0100 ++++ openssl-1.1.0h/crypto/include/internal/fips_int.h 2018-03-27 16:33:31.947966078 +0200 @@ -0,0 +1,101 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10459,10 +10459,10 @@ Index: openssl-1.1.0g/crypto/include/internal/fips_int.h +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + +#endif -Index: openssl-1.1.0g/crypto/o_fips.c +Index: openssl-1.1.0h/crypto/o_fips.c =================================================================== ---- openssl-1.1.0g.orig/crypto/o_fips.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/o_fips.c 2017-11-02 20:48:37.777524736 +0100 +--- openssl-1.1.0h.orig/crypto/o_fips.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/o_fips.c 2018-03-27 16:33:31.947966078 +0200 @@ -9,7 +9,10 @@ #include "internal/cryptlib.h" @@ -10491,10 +10491,10 @@ Index: openssl-1.1.0g/crypto/o_fips.c #else if (r == 0) return 1; -Index: openssl-1.1.0g/crypto/o_init.c +Index: openssl-1.1.0h/crypto/o_init.c =================================================================== ---- openssl-1.1.0g.orig/crypto/o_init.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/o_init.c 2017-11-02 20:48:37.777524736 +0100 +--- openssl-1.1.0h.orig/crypto/o_init.c 2018-03-27 15:50:38.000000000 +0200 ++++ openssl-1.1.0h/crypto/o_init.c 2018-03-27 16:33:31.947966078 +0200 @@ -7,11 +7,50 @@ * https://www.openssl.org/source/license.html */ 
@@ -10581,10 +10581,10 @@ Index: openssl-1.1.0g/crypto/o_init.c +{ + OPENSSL_init_library(); +} -Index: openssl-1.1.0g/crypto/rand/md_rand.c +Index: openssl-1.1.0h/crypto/rand/md_rand.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rand/md_rand.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rand/md_rand.c 2017-11-02 20:48:37.777524736 +0100 +--- openssl-1.1.0h.orig/crypto/rand/md_rand.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rand/md_rand.c 2018-03-27 16:33:31.947966078 +0200 @@ -360,7 +360,7 @@ static int rand_bytes(unsigned char *buf CRYPTO_THREAD_unlock(rand_tmp_lock); crypto_lock_rand = 1; @@ -10594,10 +10594,10 @@ Index: openssl-1.1.0g/crypto/rand/md_rand.c RAND_poll(); initialized = 1; } -Index: openssl-1.1.0g/crypto/rand/rand_err.c +Index: openssl-1.1.0h/crypto/rand/rand_err.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rand/rand_err.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rand/rand_err.c 2017-11-02 20:48:37.777524736 +0100 +--- openssl-1.1.0h.orig/crypto/rand/rand_err.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rand/rand_err.c 2018-03-27 16:33:31.947966078 +0200 @@ -20,10 +20,13 @@ static ERR_STRING_DATA RAND_str_functs[] = { @@ -10612,10 +10612,10 @@ Index: openssl-1.1.0g/crypto/rand/rand_err.c {ERR_REASON(RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"}, {0, NULL} }; -Index: openssl-1.1.0g/crypto/rand/rand_lcl.h +Index: openssl-1.1.0h/crypto/rand/rand_lcl.h =================================================================== ---- openssl-1.1.0g.orig/crypto/rand/rand_lcl.h 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rand/rand_lcl.h 2017-11-02 20:48:37.777524736 +0100 +--- openssl-1.1.0h.orig/crypto/rand/rand_lcl.h 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rand/rand_lcl.h 2018-03-27 16:33:31.947966078 +0200 
@@ -10,7 +10,7 @@ #ifndef HEADER_RAND_LCL_H # define HEADER_RAND_LCL_H @@ -10625,10 +10625,10 @@ Index: openssl-1.1.0g/crypto/rand/rand_lcl.h # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) # define USE_SHA1_RAND -Index: openssl-1.1.0g/crypto/rand/rand_lib.c +Index: openssl-1.1.0h/crypto/rand/rand_lib.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rand/rand_lib.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rand/rand_lib.c 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/rand/rand_lib.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rand/rand_lib.c 2018-03-27 16:33:31.947966078 +0200 @@ -18,6 +18,8 @@ #ifdef OPENSSL_FIPS # include @@ -10766,10 +10766,10 @@ Index: openssl-1.1.0g/crypto/rand/rand_lib.c +} + +#endif -Index: openssl-1.1.0g/crypto/rsa/rsa_crpt.c +Index: openssl-1.1.0h/crypto/rsa/rsa_crpt.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rsa/rsa_crpt.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rsa/rsa_crpt.c 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/rsa/rsa_crpt.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rsa/rsa_crpt.c 2018-03-27 16:33:31.947966078 +0200 @@ -28,24 +28,52 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) 
@@ -10823,10 +10823,10 @@ Index: openssl-1.1.0g/crypto/rsa/rsa_crpt.c return (rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); } -Index: openssl-1.1.0g/crypto/rsa/rsa_err.c +Index: openssl-1.1.0h/crypto/rsa/rsa_err.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rsa/rsa_err.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rsa/rsa_err.c 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/rsa/rsa_err.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rsa/rsa_err.c 2018-03-27 16:33:31.947966078 +0200 @@ -21,6 +21,7 @@ static ERR_STRING_DATA RSA_str_functs[] = { {ERR_FUNC(RSA_F_CHECK_PADDING_MD), "check_padding_md"}, @@ -10872,10 +10872,10 @@ Index: openssl-1.1.0g/crypto/rsa/rsa_err.c {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED), "padding check failed"}, -Index: openssl-1.1.0g/crypto/rsa/rsa_gen.c +Index: openssl-1.1.0h/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rsa/rsa_gen.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rsa/rsa_gen.c 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/rsa/rsa_gen.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-27 16:33:31.947966078 +0200 @@ -18,6 +18,75 @@ #include "internal/cryptlib.h" #include @@ -11237,7 +11237,7 @@ Index: openssl-1.1.0g/crypto/rsa/rsa_gen.c static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { -@@ -53,6 +395,16 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -54,6 +396,16 @@ static int rsa_builtin_keygen(RSA *rsa, goto err; } 
@@ -11254,10 +11254,10 @@ Index: openssl-1.1.0g/crypto/rsa/rsa_gen.c ctx = BN_CTX_new(); if (ctx == NULL) goto err; -Index: openssl-1.1.0g/crypto/rsa/rsa_lib.c +Index: openssl-1.1.0h/crypto/rsa/rsa_lib.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rsa/rsa_lib.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rsa/rsa_lib.c 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/rsa/rsa_lib.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rsa/rsa_lib.c 2018-03-27 16:33:31.947966078 +0200 @@ -32,6 +32,12 @@ int RSA_set_method(RSA *rsa, const RSA_M * to deal with which ENGINE it comes from. */ @@ -11300,10 +11300,10 @@ Index: openssl-1.1.0g/crypto/rsa/rsa_lib.c if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { goto err; } -Index: openssl-1.1.0g/crypto/rsa/rsa_ossl.c +Index: openssl-1.1.0h/crypto/rsa/rsa_ossl.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rsa/rsa_ossl.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rsa/rsa_ossl.c 2017-11-02 20:54:59.375492788 +0100 +--- openssl-1.1.0h.orig/crypto/rsa/rsa_ossl.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rsa/rsa_ossl.c 2018-03-27 16:33:31.947966078 +0200 @@ -11,6 +11,10 @@ #include "internal/bn_int.h" #include "rsa_locl.h" 
@@ -11420,10 +11420,10 @@ Index: openssl-1.1.0g/crypto/rsa/rsa_ossl.c if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; -Index: openssl-1.1.0g/crypto/rsa/rsa_sign.c +Index: openssl-1.1.0h/crypto/rsa/rsa_sign.c =================================================================== ---- openssl-1.1.0g.orig/crypto/rsa/rsa_sign.c 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/rsa/rsa_sign.c 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/rsa/rsa_sign.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/rsa/rsa_sign.c 2018-03-27 16:33:31.947966078 +0200 @@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch unsigned char *tmps = NULL; const unsigned char *encoded = NULL; @@ -11450,10 +11450,10 @@ Index: openssl-1.1.0g/crypto/rsa/rsa_sign.c if (encrypt_len <= 0) goto err; -Index: openssl-1.1.0g/crypto/sha/sha_locl.h +Index: openssl-1.1.0h/crypto/sha/sha_locl.h =================================================================== ---- openssl-1.1.0g.orig/crypto/sha/sha_locl.h 2017-11-02 20:48:36.181499783 +0100 -+++ openssl-1.1.0g/crypto/sha/sha_locl.h 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/sha/sha_locl.h 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/sha/sha_locl.h 2018-03-27 16:33:31.947966078 +0200 @@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c int HASH_INIT(SHA_CTX *c) 
@@ -11464,10 +11464,10 @@ Index: openssl-1.1.0g/crypto/sha/sha_locl.h memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -Index: openssl-1.1.0g/crypto/sha/sha256.c +Index: openssl-1.1.0h/crypto/sha/sha256.c =================================================================== ---- openssl-1.1.0g.orig/crypto/sha/sha256.c 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/crypto/sha/sha256.c 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/sha/sha256.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/sha/sha256.c 2018-03-27 16:33:31.947966078 +0200 @@ -18,6 +18,9 @@ int SHA224_Init(SHA256_CTX *c) @@ -11488,10 +11488,10 @@ Index: openssl-1.1.0g/crypto/sha/sha256.c memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -Index: openssl-1.1.0g/crypto/sha/sha512.c +Index: openssl-1.1.0h/crypto/sha/sha512.c =================================================================== ---- openssl-1.1.0g.orig/crypto/sha/sha512.c 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/crypto/sha/sha512.c 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/crypto/sha/sha512.c 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/crypto/sha/sha512.c 2018-03-27 16:33:31.947966078 +0200 @@ -62,6 +62,9 @@ int SHA384_Init(SHA512_CTX *c) 
@@ -11512,10 +11512,10 @@ Index: openssl-1.1.0g/crypto/sha/sha512.c c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -Index: openssl-1.1.0g/doc/crypto/DSA_generate_parameters.pod +Index: openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod =================================================================== ---- openssl-1.1.0g.orig/doc/crypto/DSA_generate_parameters.pod 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/doc/crypto/DSA_generate_parameters.pod 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/doc/crypto/DSA_generate_parameters.pod 2018-03-27 15:50:39.000000000 +0200 ++++ openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod 2018-03-27 16:33:31.947966078 +0200 @@ -29,8 +29,10 @@ B is the length of the prime p to For lengths under 2048 bits, the length of q is 160 bits; for lengths greater than or equal to 2048 bits, the length of q is set to 256 bits. @@ -11529,10 +11529,10 @@ Index: openssl-1.1.0g/doc/crypto/DSA_generate_parameters.pod DSA_generate_parameters_ex() places the iteration count in *B and a counter used for finding a generator in -Index: openssl-1.1.0g/include/openssl/crypto.h +Index: openssl-1.1.0h/include/openssl/crypto.h =================================================================== ---- openssl-1.1.0g.orig/include/openssl/crypto.h 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/include/openssl/crypto.h 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/include/openssl/crypto.h 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/include/openssl/crypto.h 2018-03-27 16:33:31.947966078 +0200 @@ -336,6 +336,11 @@ int OPENSSL_isservice(void); int FIPS_mode(void); int FIPS_mode_set(int r); 
@@ -11545,10 +11545,10 @@ Index: openssl-1.1.0g/include/openssl/crypto.h void OPENSSL_init(void); struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result); -Index: openssl-1.1.0g/include/openssl/dh.h +Index: openssl-1.1.0h/include/openssl/dh.h =================================================================== ---- openssl-1.1.0g.orig/include/openssl/dh.h 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/include/openssl/dh.h 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/include/openssl/dh.h 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/include/openssl/dh.h 2018-03-27 16:33:31.947966078 +0200 @@ -30,6 +30,7 @@ extern "C" { # endif @@ -11580,10 +11580,10 @@ Index: openssl-1.1.0g/include/openssl/dh.h # define DH_R_PARAMETER_ENCODING_ERROR 105 # define DH_R_PEER_KEY_ERROR 111 # define DH_R_SHARED_INFO_ERROR 113 -Index: openssl-1.1.0g/include/openssl/dsa.h +Index: openssl-1.1.0h/include/openssl/dsa.h =================================================================== ---- openssl-1.1.0g.orig/include/openssl/dsa.h 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/include/openssl/dsa.h 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/include/openssl/dsa.h 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/include/openssl/dsa.h 2018-03-27 16:33:31.947966078 +0200 @@ -36,6 +36,7 @@ extern "C" { # endif 
@@ -11629,10 +11629,10 @@ Index: openssl-1.1.0g/include/openssl/dsa.h # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 -Index: openssl-1.1.0g/include/openssl/evp.h +Index: openssl-1.1.0h/include/openssl/evp.h =================================================================== ---- openssl-1.1.0g.orig/include/openssl/evp.h 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/include/openssl/evp.h 2017-11-02 20:48:37.781524799 +0100 +--- openssl-1.1.0h.orig/include/openssl/evp.h 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/include/openssl/evp.h 2018-03-27 16:33:31.947966078 +0200 @@ -1461,6 +1461,7 @@ int ERR_load_EVP_strings(void); # define EVP_F_AES_OCB_CIPHER 169 # define EVP_F_AES_T4_INIT_KEY 178 @@ -11649,7 +11649,7 @@ Index: openssl-1.1.0g/include/openssl/evp.h # define EVP_R_DIFFERENT_KEY_TYPES 101 # define EVP_R_DIFFERENT_PARAMETERS 153 # define EVP_R_ERROR_LOADING_SECTION 165 -@@ -1574,6 +1576,7 @@ int ERR_load_EVP_strings(void); +@@ -1575,6 +1577,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 # define EVP_R_PUBLIC_KEY_NOT_RSA 106 @@ -11657,10 +11657,10 @@ Index: openssl-1.1.0g/include/openssl/evp.h # define EVP_R_UNKNOWN_CIPHER 160 # define EVP_R_UNKNOWN_DIGEST 161 # define EVP_R_UNKNOWN_OPTION 169 -Index: openssl-1.1.0g/include/openssl/fips.h +Index: openssl-1.1.0h/include/openssl/fips.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/include/openssl/fips.h 2017-11-02 20:48:37.785524862 +0100 ++++ openssl-1.1.0h/include/openssl/fips.h 2018-03-27 16:33:31.951966142 +0200 @@ -0,0 +1,186 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -11848,10 +11848,10 @@ Index: openssl-1.1.0g/include/openssl/fips.h +} +# endif +#endif -Index: openssl-1.1.0g/include/openssl/fips_rand.h +Index: openssl-1.1.0h/include/openssl/fips_rand.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssl-1.1.0g/include/openssl/fips_rand.h 2017-11-02 20:48:37.785524862 +0100 ++++ openssl-1.1.0h/include/openssl/fips_rand.h 2018-03-27 16:33:31.951966142 +0200 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11998,10 +11998,10 @@ Index: openssl-1.1.0g/include/openssl/fips_rand.h +# endif +# endif +#endif -Index: openssl-1.1.0g/include/openssl/opensslconf.h.in +Index: openssl-1.1.0h/include/openssl/opensslconf.h.in =================================================================== ---- openssl-1.1.0g.orig/include/openssl/opensslconf.h.in 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/include/openssl/opensslconf.h.in 2017-11-02 20:48:37.785524862 +0100 +--- openssl-1.1.0h.orig/include/openssl/opensslconf.h.in 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/include/openssl/opensslconf.h.in 2018-03-27 16:33:31.951966142 +0200 @@ -136,6 +136,11 @@ extern "C" { #define RC4_INT {- $config{rc4_int} -} @@ -12014,10 +12014,10 @@ Index: openssl-1.1.0g/include/openssl/opensslconf.h.in #ifdef __cplusplus } #endif -Index: openssl-1.1.0g/include/openssl/rand.h +Index: openssl-1.1.0h/include/openssl/rand.h =================================================================== ---- openssl-1.1.0g.orig/include/openssl/rand.h 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/include/openssl/rand.h 2017-11-02 20:48:37.785524862 +0100 +--- openssl-1.1.0h.orig/include/openssl/rand.h 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/include/openssl/rand.h 2018-03-27 16:33:31.951966142 +0200 
@@ -67,6 +67,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) #endif @@ -12042,10 +12042,10 @@ Index: openssl-1.1.0g/include/openssl/rand.h # define RAND_R_PRNG_NOT_SEEDED 100 # ifdef __cplusplus -Index: openssl-1.1.0g/include/openssl/rsa.h +Index: openssl-1.1.0h/include/openssl/rsa.h =================================================================== ---- openssl-1.1.0g.orig/include/openssl/rsa.h 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/include/openssl/rsa.h 2017-11-02 20:48:37.785524862 +0100 +--- openssl-1.1.0h.orig/include/openssl/rsa.h 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/include/openssl/rsa.h 2018-03-27 16:33:31.951966142 +0200 @@ -463,6 +463,7 @@ int ERR_load_RSA_strings(void); /* Function codes. */ # define RSA_F_CHECK_PADDING_MD 140 @@ -12090,10 +12090,10 @@ Index: openssl-1.1.0g/include/openssl/rsa.h # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 # define RSA_R_PADDING_CHECK_FAILED 114 # define RSA_R_PKCS_DECODING_ERROR 159 -Index: openssl-1.1.0g/ssl/ssl_ciph.c +Index: openssl-1.1.0h/ssl/ssl_ciph.c =================================================================== ---- openssl-1.1.0g.orig/ssl/ssl_ciph.c 2017-11-02 20:48:36.185499845 +0100 -+++ openssl-1.1.0g/ssl/ssl_ciph.c 2017-11-02 20:48:37.785524862 +0100 +--- openssl-1.1.0h.orig/ssl/ssl_ciph.c 2018-03-27 16:33:31.875964928 +0200 ++++ openssl-1.1.0h/ssl/ssl_ciph.c 2018-03-27 16:33:31.951966142 +0200 @@ -404,7 +404,8 @@ void ssl_load_ciphers(void) } } 
@@ -12113,10 +12113,10 @@ Index: openssl-1.1.0g/ssl/ssl_ciph.c continue; if ((c->algorithm_mkey & disabled_mkey) || (c->algorithm_auth & disabled_auth) || -Index: openssl-1.1.0g/ssl/ssl_init.c +Index: openssl-1.1.0h/ssl/ssl_init.c =================================================================== ---- openssl-1.1.0g.orig/ssl/ssl_init.c 2017-11-02 20:48:36.189499908 +0100 -+++ openssl-1.1.0g/ssl/ssl_init.c 2017-11-02 20:48:37.785524862 +0100 +--- openssl-1.1.0h.orig/ssl/ssl_init.c 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/ssl/ssl_init.c 2018-03-27 16:33:31.951966142 +0200 @@ -28,6 +28,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " "Adding SSL ciphers and digests\n"); @@ -12160,11 +12160,11 @@ Index: openssl-1.1.0g/ssl/ssl_init.c #ifndef OPENSSL_NO_COMP # ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " -Index: openssl-1.1.0g/ssl/ssl_lib.c +Index: openssl-1.1.0h/ssl/ssl_lib.c =================================================================== ---- openssl-1.1.0g.orig/ssl/ssl_lib.c 2017-11-02 20:48:36.189499908 +0100 -+++ openssl-1.1.0g/ssl/ssl_lib.c 2017-11-02 20:48:37.785524862 +0100 -@@ -2524,13 +2524,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +--- openssl-1.1.0h.orig/ssl/ssl_lib.c 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/ssl/ssl_lib.c 2018-03-27 16:33:31.951966142 +0200 +@@ -2588,13 +2588,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (ret->param == NULL) goto err; 
@@ -12189,10 +12189,10 @@ Index: openssl-1.1.0g/ssl/ssl_lib.c } if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) -Index: openssl-1.1.0g/test/dsatest.c +Index: openssl-1.1.0h/test/dsatest.c =================================================================== ---- openssl-1.1.0g.orig/test/dsatest.c 2017-11-02 20:48:36.189499908 +0100 -+++ openssl-1.1.0g/test/dsatest.c 2017-11-02 20:48:37.785524862 +0100 +--- openssl-1.1.0h.orig/test/dsatest.c 2018-03-27 15:50:41.000000000 +0200 ++++ openssl-1.1.0h/test/dsatest.c 2018-03-27 16:33:31.951966142 +0200 @@ -32,41 +32,42 @@ int main(int argc, char *argv[]) static int dsa_cb(int p, int n, BN_GENCB *arg); @@ -12281,11 +12281,11 @@ Index: openssl-1.1.0g/test/dsatest.c goto end; } if (h != 2) { -Index: openssl-1.1.0g/util/mkdef.pl +Index: openssl-1.1.0h/util/mkdef.pl =================================================================== ---- openssl-1.1.0g.orig/util/mkdef.pl 2017-11-02 20:48:36.189499908 +0100 -+++ openssl-1.1.0g/util/mkdef.pl 2017-11-02 20:48:37.785524862 +0100 -@@ -300,6 +300,8 @@ $crypto.=" include/openssl/modes.h"; +--- openssl-1.1.0h.orig/util/mkdef.pl 2018-03-27 15:50:41.000000000 +0200 ++++ openssl-1.1.0h/util/mkdef.pl 2018-03-27 16:33:31.951966142 +0200 +@@ -311,6 +311,8 @@ $crypto.=" include/openssl/modes.h"; $crypto.=" include/openssl/async.h"; $crypto.=" include/openssl/ct.h"; $crypto.=" include/openssl/kdf.h"; diff --git a/openssl-1.1.0g.tar.gz b/openssl-1.1.0g.tar.gz deleted file mode 100644 index 589acdd..0000000 --- a/openssl-1.1.0g.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af -size 5404748 diff --git a/openssl-1.1.0g.tar.gz.asc b/openssl-1.1.0g.tar.gz.asc deleted file mode 100644 index 4630d80..0000000 --- a/openssl-1.1.0g.tar.gz.asc +++ /dev/null 
@@ -1,10 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEcBAABCAAGBQJZ+yu1AAoJENnE0m0OYESRZaAH/RYgVpfSwQA/GzxR7BBTU/kT -nhAwrDzCZyZe6UhWJHIvZhWira3+NEMmJRWgxfLRmoO5+8Jo07Ayz6iI9K6j32Hf -NshzdUNerBy1xsvb8Z+mFPu8EPbmOrILJx1TQez4oLbFNDYDDaBXL/z+3H8ffKab -wfdVeJ3Qj3XKUi8v+FncSYn5jlzIlMVhOLLEJjgWbA+YP7WXbWveRf2oBEwVJ/ej -zcgrgJ6iyCXO7xP5t4Y2OzWpJKopflFz9uR7TwA5tanKibnG6GIoHCGf+mtBtU7t -zVMQh8+QnJyGy1qe9QnYrFksP9Fcb0qjMZMB6/DLqJ07t27TkXTB9fIAgElcmK8= -=i4gh ------END PGP SIGNATURE----- diff --git a/openssl-1.1.0h.tar.gz b/openssl-1.1.0h.tar.gz new file mode 100644 index 0000000..c4c4c67 --- /dev/null +++ b/openssl-1.1.0h.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517 +size 5422717 diff --git a/openssl-1.1.0h.tar.gz.asc b/openssl-1.1.0h.tar.gz.asc new file mode 100644 index 0000000..eab7c8e --- /dev/null +++ b/openssl-1.1.0h.tar.gz.asc @@ -0,0 +1,10 @@ +-----BEGIN PGP SIGNATURE----- + +iQEcBAABCAAGBQJaukw0AAoJENnE0m0OYESRNZoH/jP9DGnLUsEr58XUE1w+q+P/ +JXF/yaBr1LUx9e599zlVNkLyNsqIN0mVfMDgdnjefIwrEGBVBh9YdeNeeZ9Lnhc4 +PQCN4vzjUcNv7Jo2DSPmuVoUikntIYM4thrBQuVt031h1+1NQmDpcmU8SESFpM5H +A7N6+p/i/ow5g2G/uqc+Wqy/Jdgwtkq+UPHvxajE7pVLhtY+ue5gU3f6Jb8odTdV +VT1QNzaStN40WiUIHtrykB3F8eg5BvwkmLUqbruy9IEEtYoJvxALVLD1B7t047Tf +Ti1AQ4Ld+NNxbhZeeYMeXTAog3w3DudsSQoOmIN2TiAR6WK44XlS/lu9lK/mFpo= +=SK44 +-----END PGP SIGNATURE----- diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 71d72ab..f6578e9 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes 
@@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Tue Mar 27 14:42:36 UTC 2018 - vcizek@suse.com + +- Update to 1.1.0h + OpenSSL Security Advisory [27 Mar 2018] + * Constructed ASN.1 types with a recursive definition could exceed + the stack (CVE-2018-0739) (bsc#1087102) + * rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) + (bsc#1071906) +- refresh patches: + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + * openssl-1.1.0-fips.patch + * openssl-pkgconfig.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-static-deps.patch + ------------------------------------------------------------------- Tue Feb 27 20:13:14 UTC 2018 - dimstar@opensuse.org diff --git a/openssl-1_1.spec b/openssl-1_1.spec index b6e1e6e..b42de9c 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -20,7 +20,7 @@ %define maj_min 1.1 %define _rname openssl Name: openssl-1_1 -Version: 1.1.0g +Version: 1.1.0h Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL diff --git a/openssl-pkgconfig.patch b/openssl-pkgconfig.patch index 94797a1..27c86f4 100644 --- a/openssl-pkgconfig.patch +++ b/openssl-pkgconfig.patch @@ -1,8 +1,8 @@ -Index: openssl-1.1.0c/Configurations/unix-Makefile.tmpl +Index: openssl-1.1.0h/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-1.1.0c.orig/Configurations/unix-Makefile.tmpl 2016-11-10 15:03:43.000000000 +0100 -+++ openssl-1.1.0c/Configurations/unix-Makefile.tmpl 2016-12-02 14:42:03.547865145 +0100 -@@ -790,7 +790,7 @@ libcrypto.pc: +--- openssl-1.1.0h.orig/Configurations/unix-Makefile.tmpl 2018-03-27 16:32:18.922799218 +0200 ++++ openssl-1.1.0h/Configurations/unix-Makefile.tmpl 2018-03-27 16:33:19.307764137 +0200 +@@ -710,7 +710,7 @@ libcrypto.pc: echo 'Version: '$(VERSION); \ echo 'Libs: -L$${libdir} -lcrypto'; \ echo 'Libs.private: $(EX_LIBS)'; \ 
@@ -11,10 +11,10 @@ Index: openssl-1.1.0c/Configurations/unix-Makefile.tmpl libssl.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ -@@ -804,7 +804,7 @@ libssl.pc: +@@ -723,7 +723,7 @@ libssl.pc: + echo 'Version: '$(VERSION); \ echo 'Requires.private: libcrypto'; \ echo 'Libs: -L$${libdir} -lssl'; \ - echo 'Libs.private: $(EX_LIBS)'; \ - echo 'Cflags: -I$${includedir}' ) > libssl.pc + echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc diff --git a/openssl-rsakeygen-minimum-distance.patch b/openssl-rsakeygen-minimum-distance.patch index 987d008..f104e61 100644 --- a/openssl-rsakeygen-minimum-distance.patch +++ b/openssl-rsakeygen-minimum-distance.patch @@ -1,8 +1,8 @@ -Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c +Index: openssl-1.1.0h/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.1.0f.orig/crypto/rsa/rsa_gen.c 2017-05-29 13:02:47.095166778 +0200 -+++ openssl-1.1.0f/crypto/rsa/rsa_gen.c 2017-05-29 13:03:29.415824383 +0200 -@@ -419,6 +419,19 @@ static int rsa_builtin_keygen(RSA *rsa, +--- openssl-1.1.0h.orig/crypto/rsa/rsa_gen.c 2018-03-27 16:34:44.709128590 +0200 ++++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-27 16:34:44.753129312 +0200 +@@ -420,6 +420,19 @@ static int rsa_builtin_keygen(RSA *rsa, bitsp = (bits + 1) / 2; bitsq = bits - bitsp; @@ -22,7 +22,7 @@ Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c /* We need the RSA components non-NULL */ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) goto err; -@@ -444,6 +457,8 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -446,6 +459,8 @@ static int rsa_builtin_keygen(RSA *rsa, for (;;) { if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) goto err; 
@@ -30,8 +30,8 @@ Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c + continue; if (!BN_sub(r2, rsa->p, BN_value_one())) goto err; - if (!BN_gcd(r1, r2, rsa->e, ctx)) -@@ -460,6 +475,13 @@ static int rsa_builtin_keygen(RSA *rsa, + ERR_set_mark(); +@@ -471,6 +486,13 @@ static int rsa_builtin_keygen(RSA *rsa, if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) goto err; } while (BN_cmp(rsa->p, rsa->q) == 0); @@ -44,4 +44,4 @@ Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c + continue; if (!BN_sub(r2, rsa->q, BN_value_one())) goto err; - if (!BN_gcd(r1, r2, rsa->e, ctx)) + ERR_set_mark(); diff --git a/openssl-static-deps.patch b/openssl-static-deps.patch index d04b427..4eb6124 100644 --- a/openssl-static-deps.patch +++ b/openssl-static-deps.patch @@ -19,10 +19,10 @@ Reviewed-by: Rich Salz Configure | 7 +++++++ 5 files changed, 47 insertions(+), 20 deletions(-) -Index: openssl-1.1.0e/Configurations/common.tmpl +Index: openssl-1.1.0h/Configurations/common.tmpl =================================================================== ---- openssl-1.1.0e.orig/Configurations/common.tmpl -+++ openssl-1.1.0e/Configurations/common.tmpl +--- openssl-1.1.0h.orig/Configurations/common.tmpl 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/Configurations/common.tmpl 2018-03-27 16:31:37.126131133 +0200 @@ -9,15 +9,22 @@ # there are no duplicate dependencies and that they are in the # right order. This is especially used to sort the list of 
@@ -59,11 +59,11 @@ Index: openssl-1.1.0e/Configurations/common.tmpl } @newlist; } -Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl +Index: openssl-1.1.0h/Configurations/descrip.mms.tmpl =================================================================== ---- openssl-1.1.0e.orig/Configurations/descrip.mms.tmpl -+++ openssl-1.1.0e/Configurations/descrip.mms.tmpl -@@ -524,6 +524,17 @@ configdata.pm : $(SRCDIR)Configure $(SRC +--- openssl-1.1.0h.orig/Configurations/descrip.mms.tmpl 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/Configurations/descrip.mms.tmpl 2018-03-27 16:31:37.126131133 +0200 +@@ -537,6 +537,17 @@ configdata.pm : $(SRCDIR)Configure $(SRC use File::Basename; use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/; @@ -81,7 +81,7 @@ Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl sub generatesrc { my %args = @_; my $generator = join(" ", @{$args{generator}}); -@@ -619,9 +630,7 @@ EOF +@@ -632,9 +643,7 @@ EOF my $libd = dirname($lib); my $libn = basename($lib); (my $mkdef_key = $libn) =~ s/^${osslprefix_q}lib([^0-9]*)\d*/$1/i; @@ -92,7 +92,7 @@ Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl my $deps = join(", -\n\t\t", @deps); my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : ""; -@@ -667,9 +676,7 @@ EOF +@@ -680,9 +689,7 @@ EOF my $libn = basename($lib); (my $libn_nolib = $libn) =~ s/^lib//; my @objs = map { "$_.OBJ" } @{$args{objs}}; @@ -103,7 +103,7 @@ Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl my $deps = join(", -\n\t\t", @objs, @deps); my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir}, -@@ -719,9 +726,7 @@ EOF +@@ -732,9 +739,7 @@ EOF my $bind = dirname($bin); my $binn = basename($bin); my @objs = map { "$_.OBJ" } @{$args{objs}}; 
@@ -114,11 +114,11 @@ Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl my $deps = join(", -\n\t\t", @objs, @deps); # The "[]" hack is because in .OPT files, each line inherits the # previous line's file spec as default, so if no directory spec -Index: openssl-1.1.0e/Configurations/unix-Makefile.tmpl +Index: openssl-1.1.0h/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-1.1.0e.orig/Configurations/unix-Makefile.tmpl -+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl -@@ -837,13 +837,13 @@ configdata.pm: $(SRCDIR)/Configure $(SRC +--- openssl-1.1.0h.orig/Configurations/unix-Makefile.tmpl 2018-03-27 16:31:37.110130877 +0200 ++++ openssl-1.1.0h/Configurations/unix-Makefile.tmpl 2018-03-27 16:31:37.126131133 +0200 +@@ -755,13 +755,13 @@ configdata.pm: $(SRCDIR)/Configure $(SRC # It takes a list of library names and outputs a list of dependencies sub compute_lib_depends { if ($disabled{shared}) { @@ -134,7 +134,7 @@ Index: openssl-1.1.0e/Configurations/unix-Makefile.tmpl } sub generatesrc { -@@ -1056,11 +1056,16 @@ EOF +@@ -976,11 +976,16 @@ EOF my $binn = basename($bin); my $objs = join(" ", map { $_.$objext } @{$args{objs}}); my $deps = join(" ",compute_lib_depends(@{$args{deps}})); 
@@ -156,11 +156,11 @@ Index: openssl-1.1.0e/Configurations/unix-Makefile.tmpl my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; return <<"EOF"; $bin$exeext: $objs $deps -Index: openssl-1.1.0e/Configurations/windows-makefile.tmpl +Index: openssl-1.1.0h/Configurations/windows-makefile.tmpl =================================================================== ---- openssl-1.1.0e.orig/Configurations/windows-makefile.tmpl -+++ openssl-1.1.0e/Configurations/windows-makefile.tmpl -@@ -342,8 +342,10 @@ configdata.pm: "$(SRCDIR)\Configure" {- +--- openssl-1.1.0h.orig/Configurations/windows-makefile.tmpl 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/Configurations/windows-makefile.tmpl 2018-03-27 16:31:37.126131133 +0200 +@@ -361,8 +361,10 @@ configdata.pm: "$(SRCDIR)\Configure" {- # It takes a list of library names and outputs a list of dependencies sub compute_lib_depends { if ($disabled{shared}) { @@ -172,11 +172,11 @@ Index: openssl-1.1.0e/Configurations/windows-makefile.tmpl return map { shlib_import($_) } @_; } -Index: openssl-1.1.0e/Configure +Index: openssl-1.1.0h/Configure =================================================================== ---- openssl-1.1.0e.orig/Configure -+++ openssl-1.1.0e/Configure -@@ -1838,9 +1838,16 @@ EOF +--- openssl-1.1.0h.orig/Configure 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/Configure 2018-03-27 16:31:37.126131133 +0200 +@@ -1844,9 +1844,16 @@ EOF $d = cleanfile($buildd, $_, $blddir); } # Take note if the file to depend on is being renamed @@ -191,5 +191,5 @@ Index: openssl-1.1.0e/Configure } + $d .= $e; $unified_info{depends}->{$ddest}->{$d} = 1; - # If we depend on a header file or a perl module, let's make - # sure it can get included + } + } From 54892abfaeefb5e43331f4cc275aa2da918fb3f13463b664f7b44d90786d1fac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADt=C4=9Bzslav=20=C4=8C=C3=AD=C5=BEek?= Date: Wed, 28 Mar 2018 14:56:27 +0000 Subject: [PATCH 2/2] Accepting request 592071 from home:vitezslav_cizek:branches:security:tls - Tolerate a Certificate using a non-supported group on server side (boo#1084651) * https://github.com/openssl/openssl/pull/5607 * add 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch OBS-URL: https://build.opensuse.org/request/show/592071 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=8 --- ...ficate-using-a-non-supported-group-o.patch | 104 ++++++++++++++++++ openssl-1_1.changes | 8 ++ openssl-1_1.spec | 2 + 3 files changed, 114 insertions(+) create mode 100644 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch diff --git a/0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch b/0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch new file mode 100644 index 0000000..57be6b5 --- /dev/null +++ b/0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch 
@@ -0,0 +1,104 @@ +From e9d26dc85238c071117d911704f5f769e79b46a1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 13 Mar 2018 17:23:10 +0000 +Subject: [PATCH] Tolerate a Certificate using a non-supported group on server + side + +If a server has been configured to use an ECDSA certificate, we should +allow it regardless of whether the server's own supported groups list +includes the certificate's group. + +Fixes #2033 + +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/5607) +--- + ssl/t1_lib.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 7a5721a1e2..dc4e6526d6 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -490,13 +490,16 @@ static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, + return 1; + } + ++# define DONT_CHECK_OWN_GROUPS 0 ++# define CHECK_OWN_GROUPS 1 + /* Check an EC key is compatible with extensions */ +-static int tls1_check_ec_key(SSL *s, +- unsigned char *curve_id, unsigned char *comp_id) ++static int tls1_check_ec_key(SSL *s, unsigned char *curve_id, ++ unsigned char *comp_id, int check_own_groups) + { + const unsigned char *pformats, *pcurves; + size_t num_formats, num_curves, i; + int j; ++ + /* + * If point formats extension present check it, otherwise everything is + * supported (see RFC4492). +@@ -513,8 +516,12 @@ static int tls1_check_ec_key(SSL *s, + } + if (!curve_id) + return 1; ++ ++ if (!s->server && !check_own_groups) ++ return 1; ++ + /* Check curve is consistent with client and server preferences */ +- for (j = 0; j <= 1; j++) { ++ for (j = check_own_groups ? 0 : 1; j <= 1; j++) { + if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) + return 0; + if (j == 1 && num_curves == 0) { +@@ -579,9 +586,12 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) + return 0; + /* + * Can't check curve_id for client certs as we don't have a supported +- * curves extension. 
++ * curves extension. For server certs we will tolerate certificates that ++ * aren't in our own list of curves. If we've been configured to use an EC ++ * cert then we should use it - therefore we use DONT_CHECK_OWN_GROUPS here. + */ +- rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id); ++ rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id, ++ DONT_CHECK_OWN_GROUPS); + if (!rv) + return 0; + /* +@@ -644,7 +654,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) + return 0; + curve_id[0] = 0; + /* Check this curve is acceptable */ +- if (!tls1_check_ec_key(s, curve_id, NULL)) ++ if (!tls1_check_ec_key(s, curve_id, NULL, CHECK_OWN_GROUPS)) + return 0; + return 1; + } +@@ -746,8 +756,9 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs) + } + + /* +- * Check signature algorithm is consistent with sent supported signature +- * algorithms and if so return relevant digest. ++ * Check signature algorithm received from the peer with a signature is ++ * consistent with the sent supported signature algorithms and if so return ++ * relevant digest. + */ + int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, + const unsigned char *sig, EVP_PKEY *pkey) +@@ -769,7 +780,8 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, + /* Check compression and curve matches extensions */ + if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey))) + return 0; +- if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { ++ if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id, ++ CHECK_OWN_GROUPS)) { + SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); + return 0; + } +-- +2.16.2 + diff --git a/openssl-1_1.changes b/openssl-1_1.changes index f6578e9..f317d7c 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes 
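Review bot: The comment above `tls1_check_ec_key` in the added patch still reads only "Check an EC key is compatible with extensions" and does not describe the new `check_own_groups` argument, although that argument decides which group lists are consulted: with `DONT_CHECK_OWN_GROUPS` the loop starts at `j = 1`, so the pass for `j == 0` (presumably the local list; `tls1_get_curvelist` is not shown) is skipped. As the commit message says, the result in `tls1_check_cert_param` is that a server uses its configured ECDSA certificate even when the certificate's curve is missing from the server's own supported-groups list, so that list no longer constrains the certificate curve and any curve policy has to be enforced through the choice of certificate. I would extend the comment to something like `/* Check an EC key is compatible with extensions; when check_own_groups is 0 our own configured groups are not consulted, only the peer's list */`. The bodies of `tls1_check_ec_key` and `tls1_check_cert_param` continue outside the inner hunks, so the ordering of the early returns is only partly visible here.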
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Mar 28 14:34:49 UTC 2018 - vcizek@suse.com + +- Tolerate a Certificate using a non-supported group on server side + (boo#1084651) + * https://github.com/openssl/openssl/pull/5607 + * add 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch + ------------------------------------------------------------------- Tue Mar 27 14:42:36 UTC 2018 - vcizek@suse.com diff --git a/openssl-1_1.spec b/openssl-1_1.spec index b42de9c..044bb40 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -74,6 +74,8 @@ Patch69: 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch Patch70: 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch Patch71: 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch Patch72: 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch +# PATCH-FIX-UPSTREAM (boo#1084651) +Patch73: 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch BuildRequires: bc BuildRequires: ed BuildRequires: pkgconfig