From ae5568515b15ad2ef0e9901c1ebf59dd950b5c90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Thu, 21 Jan 2010 08:12:12 +0000 Subject: [PATCH] - new upstream release --- .cvsignore | 2 +- openssl-1.0.0-beta4-backports.patch | 45 - openssl-1.0.0-beta4-backports2.patch | 334 -------- openssl-1.0.0-beta4-binutils.patch | 56 -- openssl-1.0.0-beta4-client-reneg.patch | 35 - openssl-1.0.0-beta4-cve-2009-4355.patch | 49 -- openssl-1.0.0-beta4-dtls-ipv6.patch | 222 ----- openssl-1.0.0-beta4-dtls-reneg.patch | 571 ------------- openssl-1.0.0-beta4-reneg-err.patch | 93 -- openssl-1.0.0-beta4-reneg-scsv.patch | 793 ------------------ openssl-1.0.0-beta4-reneg.patch | 237 ------ openssl-1.0.0-beta4-tls-comp.patch | 193 ----- openssl-1.0.0-beta4-tlsver.patch | 27 - ...=> openssl-1.0.0-beta5-cipher-change.patch | 14 +- ...ch => openssl-1.0.0-beta5-enginesdir.patch | 24 +- ...ps.patch => openssl-1.0.0-beta5-fips.patch | 763 +++++++++-------- ...> openssl-1.0.0-beta5-readme-warning.patch | 22 +- ...patch => openssl-1.0.0-beta5-version.patch | 10 +- openssl.spec | 56 +- sources | 2 +- 20 files changed, 431 insertions(+), 3117 deletions(-) delete mode 100644 openssl-1.0.0-beta4-backports.patch delete mode 100644 openssl-1.0.0-beta4-backports2.patch delete mode 100644 openssl-1.0.0-beta4-binutils.patch delete mode 100644 openssl-1.0.0-beta4-client-reneg.patch delete mode 100644 openssl-1.0.0-beta4-cve-2009-4355.patch delete mode 100644 openssl-1.0.0-beta4-dtls-ipv6.patch delete mode 100644 openssl-1.0.0-beta4-dtls-reneg.patch delete mode 100644 openssl-1.0.0-beta4-reneg-err.patch delete mode 100644 openssl-1.0.0-beta4-reneg-scsv.patch delete mode 100644 openssl-1.0.0-beta4-reneg.patch delete mode 100644 openssl-1.0.0-beta4-tls-comp.patch delete mode 100644 openssl-1.0.0-beta4-tlsver.patch rename openssl-1.0.0-beta3-cipher-change.patch => openssl-1.0.0-beta5-cipher-change.patch (61%) rename openssl-1.0.0-beta4-enginesdir.patch => openssl-1.0.0-beta5-enginesdir.patch (63%) rename openssl-1.0.0-beta4-fips.patch => openssl-1.0.0-beta5-fips.patch (91%) rename openssl-0.9.8j-readme-warning.patch => openssl-1.0.0-beta5-readme-warning.patch (55%) rename openssl-1.0.0-beta4-version.patch => openssl-1.0.0-beta5-version.patch (51%) diff --git a/.cvsignore b/.cvsignore index 3819647..f133f6d 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -openssl-1.0.0-beta4-usa.tar.bz2 +openssl-1.0.0-beta5-usa.tar.bz2 diff --git a/openssl-1.0.0-beta4-backports.patch b/openssl-1.0.0-beta4-backports.patch deleted file mode 100644 index ad4c7e4..0000000 --- a/openssl-1.0.0-beta4-backports.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c ---- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100 -@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK - } - else ret= *a; - -- ret->save_type=type; -- ret->type=EVP_PKEY_type(type); -- switch (ret->type) -+ if (!EVP_PKEY_set_type(ret, type)) -+ { -+ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB); -+ goto err; -+ } -+ -+ switch (EVP_PKEY_id(ret)) - { - #ifndef OPENSSL_NO_RSA - case EVP_PKEY_RSA: -diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c ---- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100 -@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey, - #ifndef OPENSSL_NO_ENGINE - /* If we have an ENGINE release it */ - if (pkey->engine) -+ { - ENGINE_finish(pkey->engine); -+ pkey->engine = NULL; -+ } - #endif - } - if (str) -diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c ---- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100 -@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, - offset= -offset; - } - atm.type=ctm->type; -+ atm.flags = 0; - atm.length=sizeof(buff2); - atm.data=(unsigned char *)buff2; - diff --git a/openssl-1.0.0-beta4-backports2.patch b/openssl-1.0.0-beta4-backports2.patch deleted file mode 100644 index cce04d3..0000000 --- a/openssl-1.0.0-beta4-backports2.patch +++ /dev/null @@ -1,334 +0,0 @@ -diff -up openssl-1.0.0-beta4/apps/ca.c.backports2 openssl-1.0.0-beta4/apps/ca.c ---- openssl-1.0.0-beta4/apps/ca.c.backports2 2009-10-04 18:43:21.000000000 +0200 -+++ openssl-1.0.0-beta4/apps/ca.c 2010-01-07 23:16:08.000000000 +0100 -@@ -215,7 +215,6 @@ static int certify_spkac(X509 **xret, ch - char *startdate, char *enddate, long days, char *ext_sect, - CONF *conf, int verbose, unsigned long certopt, - unsigned long nameopt, int default_op, int ext_copy); --static int fix_data(int nid, int *type); - static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); - static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, -@@ -2334,25 +2333,9 @@ static int certify_spkac(X509 **xret, ch - continue; - } - -- /* -- if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) -- continue; -- */ -- -- j=ASN1_PRINTABLE_type((unsigned char *)buf,-1); -- if (fix_data(nid, &j) == 0) -- { -- BIO_printf(bio_err, -- "invalid characters in string %s\n",buf); -- goto err; -- } -- -- if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j, -- (unsigned char *)buf, -- strlen(buf))) == NULL) -+ if (!X509_NAME_add_entry_by_NID(n, nid, chtype, -+ (unsigned char *)buf, -1, -1, 0)) - goto err; -- -- if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err; - } - if (spki == NULL) - { -@@ -2395,21 +2378,6 @@ err: - return(ok); - } - --static int fix_data(int nid, int *type) -- { -- if (nid == NID_pkcs9_emailAddress) -- *type=V_ASN1_IA5STRING; -- if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING)) -- *type=V_ASN1_T61STRING; -- if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING)) -- *type=V_ASN1_T61STRING; -- if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING)) -- return(0); -- if (nid == NID_pkcs9_unstructuredName) -- *type=V_ASN1_IA5STRING; -- return(1); -- } -- - static int check_time_format(const char *str) - { - return ASN1_TIME_set_string(NULL, str); -diff -up openssl-1.0.0-beta4/crypto/asn1/ameth_lib.c.backports2 openssl-1.0.0-beta4/crypto/asn1/ameth_lib.c ---- openssl-1.0.0-beta4/crypto/asn1/ameth_lib.c.backports2 2008-11-12 04:57:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/asn1/ameth_lib.c 2010-01-07 23:16:08.000000000 +0100 -@@ -301,6 +301,8 @@ EVP_PKEY_ASN1_METHOD* EVP_PKEY_asn1_new( - if (!ameth->info) - goto err; - } -+ else -+ ameth->info = NULL; - - if (pem_str) - { -@@ -308,6 +310,8 @@ EVP_PKEY_ASN1_METHOD* EVP_PKEY_asn1_new( - if (!ameth->pem_str) - goto err; - } -+ else -+ ameth->pem_str = NULL; - - ameth->pub_decode = 0; - ameth->pub_encode = 0; -diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.backports2 openssl-1.0.0-beta4/crypto/bio/b_sock.c ---- openssl-1.0.0-beta4/crypto/bio/b_sock.c.backports2 2010-01-07 23:16:08.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2010-01-07 23:16:08.000000000 +0100 -@@ -595,7 +595,7 @@ int BIO_get_accept_socket(char *host, in - struct sockaddr_in6 sa_in6; - #endif - } server,client; -- int s=INVALID_SOCKET,cs; -+ int s=INVALID_SOCKET,cs,addrlen; - unsigned char ip[4]; - unsigned short port; - char *str=NULL,*e; -@@ -666,8 +666,10 @@ int BIO_get_accept_socket(char *host, in - - if ((*p_getaddrinfo.f)(h,p,&hint,&res)) break; - -- memcpy(&server, res->ai_addr, -- res->ai_addrlen<=sizeof(server)?res->ai_addrlen:sizeof(server)); -+ addrlen = res->ai_addrlen<=sizeof(server) ? -+ res->ai_addrlen : -+ sizeof(server); -+ memcpy(&server, res->ai_addr, addrlen); - - (*p_freeaddrinfo.f)(res); - goto again; -@@ -679,6 +681,7 @@ int BIO_get_accept_socket(char *host, in - memset((char *)&server,0,sizeof(server)); - server.sa_in.sin_family=AF_INET; - server.sa_in.sin_port=htons(port); -+ addrlen = sizeof(server.sa_in); - - if (h == NULL || strcmp(h,"*") == 0) - server.sa_in.sin_addr.s_addr=INADDR_ANY; -@@ -712,7 +715,7 @@ again: - bind_mode=BIO_BIND_NORMAL; - } - #endif -- if (bind(s,&server.sa,sizeof(server)) == -1) -+ if (bind(s,&server.sa,addrlen) == -1) - { - #ifdef SO_REUSEADDR - err_num=get_last_socket_error(); -@@ -740,7 +743,7 @@ again: - if (cs != INVALID_SOCKET) - { - int ii; -- ii=connect(cs,&client.sa,sizeof(client)); -+ ii=connect(cs,&client.sa,addrlen); - closesocket(cs); - if (ii == INVALID_SOCKET) - { -diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.backports2 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c ---- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.backports2 2010-01-07 23:16:08.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2010-01-07 23:16:08.000000000 +0100 -@@ -335,11 +335,21 @@ static int dgram_write(BIO *b, const cha - if ( data->connected ) - ret=writesocket(b->num,in,inl); - else -+ { -+ int peerlen = sizeof(data->peer); -+ -+ if (data->peer.sa.sa_family == AF_INET) -+ peerlen = sizeof(data->peer.sa_in); -+#if OPENSSL_USE_IVP6 -+ else if (data->peer.sa.sa_family == AF_INET6) -+ peerlen = sizeof(data->peer.sa_in6); -+#endif - #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) -- ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer)); -+ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, peerlen); - #else -- ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer)); -+ ret=sendto(b->num, in, inl, 0, &data->peer.sa, peerlen); - #endif -+ } - - BIO_clear_retry_flags(b); - if (ret <= 0) -diff -up openssl-1.0.0-beta4/crypto/bn/bn_mul.c.backports2 openssl-1.0.0-beta4/crypto/bn/bn_mul.c ---- openssl-1.0.0-beta4/crypto/bn/bn_mul.c.backports2 2009-06-17 13:47:54.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/bn/bn_mul.c 2010-01-07 23:16:08.000000000 +0100 -@@ -1032,15 +1032,15 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, c - goto err; - if (al > j || bl > j) - { -- bn_wexpand(t,k*4); -- bn_wexpand(rr,k*4); -+ if (bn_wexpand(t,k*4) == NULL) goto err; -+ if (bn_wexpand(rr,k*4) == NULL) goto err; - bn_mul_part_recursive(rr->d,a->d,b->d, - j,al-j,bl-j,t->d); - } - else /* al <= j || bl <= j */ - { -- bn_wexpand(t,k*2); -- bn_wexpand(rr,k*2); -+ if (bn_wexpand(t,k*2) == NULL) goto err; -+ if (bn_wexpand(rr,k*2) == NULL) goto err; - bn_mul_recursive(rr->d,a->d,b->d, - j,al-j,bl-j,t->d); - } -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_pmeth.c.backports2 openssl-1.0.0-beta4/crypto/dsa/dsa_pmeth.c ---- openssl-1.0.0-beta4/crypto/dsa/dsa_pmeth.c.backports2 2009-09-02 17:51:28.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_pmeth.c 2010-01-07 23:16:08.000000000 +0100 -@@ -132,7 +132,7 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *c - - ret = DSA_sign(type, tbs, tbslen, sig, &sltmp, dsa); - -- if (ret < 0) -+ if (ret <= 0) - return ret; - *siglen = sltmp; - return 1; -diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.backports2 openssl-1.0.0-beta4/crypto/evp/digest.c ---- openssl-1.0.0-beta4/crypto/evp/digest.c.backports2 2010-01-07 23:16:07.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/digest.c 2010-01-07 23:16:08.000000000 +0100 -@@ -127,7 +127,8 @@ EVP_MD_CTX *EVP_MD_CTX_create(void) - { - EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx); - -- EVP_MD_CTX_init(ctx); -+ if (ctx) -+ EVP_MD_CTX_init(ctx); - - return ctx; - } -@@ -256,6 +257,12 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c - { - ctx->update = type->update; - ctx->md_data=OPENSSL_malloc(type->ctx_size); -+ if (ctx->md_data == NULL) -+ { -+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, -+ ERR_R_MALLOC_FAILURE); -+ return 0; -+ } - } - } - #ifndef OPENSSL_NO_ENGINE -@@ -346,8 +353,17 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, - - if (in->md_data && out->digest->ctx_size) - { -- if (tmp_buf) out->md_data = tmp_buf; -- else out->md_data=OPENSSL_malloc(out->digest->ctx_size); -+ if (tmp_buf) -+ out->md_data = tmp_buf; -+ else -+ { -+ out->md_data=OPENSSL_malloc(out->digest->ctx_size); -+ if (!out->md_data) -+ { -+ EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ } - memcpy(out->md_data,in->md_data,out->digest->ctx_size); - } - -diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.backports2 openssl-1.0.0-beta4/crypto/evp/evp_err.c ---- openssl-1.0.0-beta4/crypto/evp/evp_err.c.backports2 2010-01-07 23:16:07.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2010-01-07 23:16:08.000000000 +0100 -@@ -186,6 +186,8 @@ static ERR_STRING_DATA EVP_str_reasons[] - {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"}, - {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"}, - {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"}, -+{ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"}, -+{ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"}, - {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"}, - {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"}, - {ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"}, -diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.backports2 openssl-1.0.0-beta4/crypto/evp/evp.h ---- openssl-1.0.0-beta4/crypto/evp/evp.h.backports2 2010-01-07 23:16:07.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp.h 2010-01-07 23:16:08.000000000 +0100 -@@ -1275,6 +1275,8 @@ void ERR_load_EVP_strings(void); - #define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 - #define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 - #define EVP_R_PUBLIC_KEY_NOT_RSA 106 -+#define EVP_R_UNKNOWN_CIPHER 160 -+#define EVP_R_UNKNOWN_DIGEST 161 - #define EVP_R_UNKNOWN_PBE_ALGORITHM 121 - #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 - #define EVP_R_UNSUPPORTED_ALGORITHM 156 -diff -up openssl-1.0.0-beta4/crypto/evp/evp_pbe.c.backports2 openssl-1.0.0-beta4/crypto/evp/evp_pbe.c ---- openssl-1.0.0-beta4/crypto/evp/evp_pbe.c.backports2 2008-11-05 19:38:57.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_pbe.c 2010-01-07 23:17:15.000000000 +0100 -@@ -174,12 +174,26 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_ - if (cipher_nid == -1) - cipher = NULL; - else -+ { - cipher = EVP_get_cipherbynid(cipher_nid); -+ if (!cipher) -+ { -+ EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_CIPHER); -+ return 0; -+ } -+ } - - if (md_nid == -1) - md = NULL; - else -+ { - md = EVP_get_digestbynid(md_nid); -+ if (!md) -+ { -+ EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_DIGEST); -+ return 0; -+ } -+ } - - if (!keygen(ctx, pass, passlen, param, cipher, md, en_de)) - { -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.backports2 openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.backports2 2010-01-07 23:16:07.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c 2010-01-07 23:16:08.000000000 +0100 -@@ -208,7 +208,16 @@ RSA *RSA_new_method(ENGINE *engine) - ret->mt_blinding=NULL; - ret->bignum_data=NULL; - ret->flags=ret->meth->flags; -- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); -+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) -+ { -+#ifndef OPENSSL_NO_ENGINE -+ if (ret->engine) -+ ENGINE_finish(ret->engine); -+#endif -+ OPENSSL_free(ret); -+ return(NULL); -+ } -+ - if ((ret->meth->init != NULL) && !ret->meth->init(ret)) - { - #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.0.0-beta4/crypto/x509/x509_lu.c.backports2 openssl-1.0.0-beta4/crypto/x509/x509_lu.c ---- openssl-1.0.0-beta4/crypto/x509/x509_lu.c.backports2 2009-10-18 16:42:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/x509/x509_lu.c 2010-01-07 23:16:08.000000000 +0100 -@@ -200,7 +200,13 @@ X509_STORE *X509_STORE_new(void) - ret->lookup_crls = 0; - ret->cleanup = 0; - -- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data); -+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) -+ { -+ sk_X509_OBJECT_free(ret->objs); -+ OPENSSL_free(ret); -+ return NULL; -+ } -+ - ret->references=1; - return ret; - } diff --git a/openssl-1.0.0-beta4-binutils.patch b/openssl-1.0.0-beta4-binutils.patch deleted file mode 100644 index d39b2e6..0000000 --- a/openssl-1.0.0-beta4-binutils.patch +++ /dev/null @@ -1,56 +0,0 @@ -diff -up openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl ---- openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl 2009-11-12 17:26:08.000000000 +0100 -@@ -19,6 +19,7 @@ my $code; - sub round1_step - { - my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_; -+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal - $code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1); - $code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1); - $code .= <= (d+n-2)) - { -+#if 0 - /* Because the client does not see any renegotiation during an - attack, we must enforce this on all server hellos, even the - first */ -@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ - return 0; - } -+#endif - return 1; - } - -@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, - return 0; - } - -+#if 0 - if (!renegotiate_seen - && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ - return 0; - } -+#endif - - if (!s->hit && tlsext_servername == 1) - { diff --git a/openssl-1.0.0-beta4-cve-2009-4355.patch b/openssl-1.0.0-beta4-cve-2009-4355.patch deleted file mode 100644 index 61f0cd6..0000000 --- a/openssl-1.0.0-beta4-cve-2009-4355.patch +++ /dev/null @@ -1,49 +0,0 @@ -Modify compression code so it frees up structures without using the -ex_data callbacks. This works around a problem where some applications -call CRYPTO_free_all_ex_data() before application exit (e.g. when -restarting) then use compression (e.g. SSL with compression) later. -This results in significant per-connection memory leaks and -has caused some security issues including CVE-2008-1678 and -CVE-2009-4355. -[Steve Henson] -diff -up openssl-1.0.0-beta4/crypto/comp/c_zlib.c.compleak openssl-1.0.0-beta4/crypto/comp/c_zlib.c ---- openssl-1.0.0-beta4/crypto/comp/c_zlib.c.compleak 2008-12-13 18:19:40.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/comp/c_zlib.c 2010-01-13 22:06:20.000000000 +0100 -@@ -136,15 +136,6 @@ struct zlib_state - - static int zlib_stateful_ex_idx = -1; - --static void zlib_stateful_free_ex_data(void *obj, void *item, -- CRYPTO_EX_DATA *ad, int ind,long argl, void *argp) -- { -- struct zlib_state *state = (struct zlib_state *)item; -- inflateEnd(&state->istream); -- deflateEnd(&state->ostream); -- OPENSSL_free(state); -- } -- - static int zlib_stateful_init(COMP_CTX *ctx) - { - int err; -@@ -188,6 +179,12 @@ static int zlib_stateful_init(COMP_CTX * - - static void zlib_stateful_finish(COMP_CTX *ctx) - { -+ struct zlib_state *state = -+ (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data, -+ zlib_stateful_ex_idx); -+ inflateEnd(&state->istream); -+ deflateEnd(&state->ostream); -+ OPENSSL_free(state); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data); - } - -@@ -402,7 +399,7 @@ COMP_METHOD *COMP_zlib(void) - if (zlib_stateful_ex_idx == -1) - zlib_stateful_ex_idx = - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP, -- 0,NULL,NULL,NULL,zlib_stateful_free_ex_data); -+ 0,NULL,NULL,NULL,NULL); - CRYPTO_w_unlock(CRYPTO_LOCK_COMP); - if (zlib_stateful_ex_idx == -1) - goto err; diff --git a/openssl-1.0.0-beta4-dtls-ipv6.patch b/openssl-1.0.0-beta4-dtls-ipv6.patch deleted file mode 100644 index ff9d330..0000000 --- a/openssl-1.0.0-beta4-dtls-ipv6.patch +++ /dev/null @@ -1,222 +0,0 @@ -diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c ---- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 2009-11-09 15:09:53.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2009-11-23 08:50:45.000000000 +0100 -@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr) - if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) - { - OPENSSL_assert(sa.len.s<=sizeof(sa.from)); -- sa.len.i = (unsigned int)sa.len.s; -+ sa.len.i = (int)sa.len.s; -+ /* use sa.len.i from this point */ - } - if (ret == INVALID_SOCKET) - { -diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c ---- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 2009-10-15 19:41:44.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2010-01-07 17:31:00.000000000 +0100 -@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp= - - typedef struct bio_dgram_data_st - { -+ union { -+ struct sockaddr sa; -+ struct sockaddr_in sa_in; - #if OPENSSL_USE_IPV6 -- struct sockaddr_storage peer; --#else -- struct sockaddr_in peer; -+ struct sockaddr_in6 sa_in6; - #endif -+ } peer; - unsigned int connected; - unsigned int _errno; - unsigned int mtu; -@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out, - int ret=0; - bio_dgram_data *data = (bio_dgram_data *)b->ptr; - -+ struct { -+ /* -+ * See commentary in b_sock.c. -+ */ -+ union { size_t s; int i; } len; -+ union { -+ struct sockaddr sa; -+ struct sockaddr_in sa_in; - #if OPENSSL_USE_IPV6 -- struct sockaddr_storage peer; --#else -- struct sockaddr_in peer; -+ struct sockaddr_in6 sa_in6; - #endif -- int peerlen = sizeof(peer); -+ } peer; -+ } sa; -+ -+ sa.len.s=0; -+ sa.len.i=sizeof(sa.peer); - - if (out != NULL) - { - clear_socket_error(); -- memset(&peer, 0x00, peerlen); -- /* Last arg in recvfrom is signed on some platforms and -- * unsigned on others. It is of type socklen_t on some -- * but this is not universal. Cast to (void *) to avoid -- * compiler warnings. -- */ -+ memset(&sa.peer, 0x00, sizeof(sa.peer)); - dgram_adjust_rcv_timeout(b); -- ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen); -+ ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len); -+ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) -+ { -+ OPENSSL_assert(sa.len.s<=sizeof(sa.peer)); -+ sa.len.i = (int)sa.len.s; -+ } - dgram_reset_rcv_timeout(b); - - if ( ! data->connected && ret >= 0) -- BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer); -+ BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer); - - BIO_clear_retry_flags(b); - if (ret < 0) -@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha - if ( data->connected ) - ret=writesocket(b->num,in,inl); - else --#if OPENSSL_USE_IPV6 -- if (data->peer.ss_family == AF_INET) - #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) -- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); -+ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer)); - #else -- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); --#endif -- else --#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) -- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6)); --#else -- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6)); --#endif --#else --#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) -- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); --#else -- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); --#endif -+ ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer)); - #endif - - BIO_clear_retry_flags(b); -@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd, - else - { - #endif -+ switch (to->sa_family) -+ { -+ case AF_INET: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); -+ break; - #if OPENSSL_USE_IPV6 -- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage)); --#else -- memcpy(&(data->peer),to, sizeof(struct sockaddr_in)); --#endif -+ case AF_INET6: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); -+ break; -+#endif -+ default: -+ memcpy(&data->peer,to,sizeof(data->peer.sa)); -+ break; -+ } - #if 0 - } - #endif -@@ -537,41 +543,62 @@ static long dgram_ctrl(BIO *b, int cmd, - if ( to != NULL) - { - data->connected = 1; -+ switch (to->sa_family) -+ { -+ case AF_INET: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); -+ break; - #if OPENSSL_USE_IPV6 -- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage)); --#else -- memcpy(&(data->peer),to, sizeof(struct sockaddr_in)); --#endif -+ case AF_INET6: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); -+ break; -+#endif -+ default: -+ memcpy(&data->peer,to,sizeof(data->peer.sa)); -+ break; -+ } - } - else - { - data->connected = 0; --#if OPENSSL_USE_IPV6 -- memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage)); --#else -- memset(&(data->peer), 0x00, sizeof(struct sockaddr_in)); --#endif -+ memset(&(data->peer), 0x00, sizeof(data->peer)); - } - break; - case BIO_CTRL_DGRAM_GET_PEER: -- to = (struct sockaddr *) ptr; -- -+ switch (data->peer.sa.sa_family) -+ { -+ case AF_INET: -+ ret=sizeof(data->peer.sa_in); -+ break; - #if OPENSSL_USE_IPV6 -- memcpy(to, &(data->peer), sizeof(struct sockaddr_storage)); -- ret = sizeof(struct sockaddr_storage); --#else -- memcpy(to, &(data->peer), sizeof(struct sockaddr_in)); -- ret = sizeof(struct sockaddr_in); --#endif -+ case AF_INET6: -+ ret=sizeof(data->peer.sa_in6); -+ break; -+#endif -+ default: -+ ret=sizeof(data->peer.sa); -+ break; -+ } -+ if (num==0 || num>ret) -+ num=ret; -+ memcpy(ptr,&data->peer,(ret=num)); - break; - case BIO_CTRL_DGRAM_SET_PEER: - to = (struct sockaddr *) ptr; -- -+ switch (to->sa_family) -+ { -+ case AF_INET: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); -+ break; - #if OPENSSL_USE_IPV6 -- memcpy(&(data->peer), to, sizeof(struct sockaddr_storage)); --#else -- memcpy(&(data->peer), to, sizeof(struct sockaddr_in)); --#endif -+ case AF_INET6: -+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); -+ break; -+#endif -+ default: -+ memcpy(&data->peer,to,sizeof(data->peer.sa)); -+ break; -+ } - break; - case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT: - memcpy(&(data->next_timeout), ptr, sizeof(struct timeval)); diff --git a/openssl-1.0.0-beta4-dtls-reneg.patch b/openssl-1.0.0-beta4-dtls-reneg.patch deleted file mode 100644 index 79165f1..0000000 --- a/openssl-1.0.0-beta4-dtls-reneg.patch +++ /dev/null @@ -1,571 +0,0 @@ -diff -up openssl-1.0.0-beta4/ssl/d1_both.c.dtls-reneg openssl-1.0.0-beta4/ssl/d1_both.c ---- openssl-1.0.0-beta4/ssl/d1_both.c.dtls-reneg 2009-11-02 14:37:17.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/d1_both.c 2010-01-07 17:35:19.000000000 +0100 -@@ -764,6 +764,24 @@ int dtls1_send_finished(SSL *s, int a, i - p+=i; - l=i; - -+ /* Copy the finished so we can use it for -+ * renegotiation checks -+ */ -+ if(s->type == SSL_ST_CONNECT) -+ { -+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE); -+ memcpy(s->s3->previous_client_finished, -+ s->s3->tmp.finish_md, i); -+ s->s3->previous_client_finished_len=i; -+ } -+ else -+ { -+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE); -+ memcpy(s->s3->previous_server_finished, -+ s->s3->tmp.finish_md, i); -+ s->s3->previous_server_finished_len=i; -+ } -+ - #ifdef OPENSSL_SYS_WIN16 - /* MSVC 1.5 does not clear the top bytes of the word unless - * I do this. -diff -up openssl-1.0.0-beta4/ssl/d1_clnt.c.dtls-reneg openssl-1.0.0-beta4/ssl/d1_clnt.c ---- openssl-1.0.0-beta4/ssl/d1_clnt.c.dtls-reneg 2009-07-24 13:52:32.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/d1_clnt.c 2010-01-07 17:44:55.000000000 +0100 -@@ -286,16 +286,44 @@ int dtls1_connect(SSL *s) - - case SSL3_ST_CR_CERT_A: - case SSL3_ST_CR_CERT_B: -+#ifndef OPENSSL_NO_TLSEXT -+ ret=ssl3_check_finished(s); -+ if (ret <= 0) goto end; -+ if (ret == 2) -+ { -+ s->hit = 1; -+ if (s->tlsext_ticket_expected) -+ s->state=SSL3_ST_CR_SESSION_TICKET_A; -+ else -+ s->state=SSL3_ST_CR_FINISHED_A; -+ s->init_num=0; -+ break; -+ } -+#endif - /* Check if it is anon DH or PSK */ - if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && - !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) - { - ret=ssl3_get_server_certificate(s); - if (ret <= 0) goto end; -+#ifndef OPENSSL_NO_TLSEXT -+ if (s->tlsext_status_expected) -+ s->state=SSL3_ST_CR_CERT_STATUS_A; -+ else -+ s->state=SSL3_ST_CR_KEY_EXCH_A; -+ } -+ else -+ { -+ skip = 1; -+ s->state=SSL3_ST_CR_KEY_EXCH_A; -+ } -+#else - } - else - skip=1; -+ - s->state=SSL3_ST_CR_KEY_EXCH_A; -+#endif - s->init_num=0; - break; - -@@ -437,11 +465,36 @@ int dtls1_connect(SSL *s) - } - else - { -+#ifndef OPENSSL_NO_TLSEXT -+ /* Allow NewSessionTicket if ticket expected */ -+ if (s->tlsext_ticket_expected) -+ s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; -+ else -+#endif -+ - s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; - } - s->init_num=0; - break; - -+#ifndef OPENSSL_NO_TLSEXT -+ case SSL3_ST_CR_SESSION_TICKET_A: -+ case SSL3_ST_CR_SESSION_TICKET_B: -+ ret=ssl3_get_new_session_ticket(s); -+ if (ret <= 0) goto end; -+ s->state=SSL3_ST_CR_FINISHED_A; -+ s->init_num=0; -+ break; -+ -+ case SSL3_ST_CR_CERT_STATUS_A: -+ case SSL3_ST_CR_CERT_STATUS_B: -+ ret=ssl3_get_cert_status(s); -+ if (ret <= 0) goto end; -+ s->state=SSL3_ST_CR_KEY_EXCH_A; -+ s->init_num=0; -+ break; -+#endif -+ - case SSL3_ST_CR_FINISHED_A: - case SSL3_ST_CR_FINISHED_B: - s->d1->change_cipher_spec_ok = 1; -@@ -554,8 +607,14 @@ int dtls1_client_hello(SSL *s) - buf=(unsigned char *)s->init_buf->data; - if (s->state == SSL3_ST_CW_CLNT_HELLO_A) - { -+ SSL_SESSION *sess = s->session; - if ((s->session == NULL) || - (s->session->ssl_version != s->version) || -+#ifdef OPENSSL_NO_TLSEXT -+ !sess->session_id_length || -+#else -+ (!sess->session_id_length && !sess->tlsext_tick) || -+#endif - (s->session->not_resumable)) - { - if (!ssl_get_new_session(s,0)) -@@ -635,7 +694,15 @@ int dtls1_client_hello(SSL *s) - *(p++)=comp->id; - } - *(p++)=0; /* Add the NULL method */ -- -+ -+#ifndef OPENSSL_NO_TLSEXT -+ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) -+ { -+ SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+#endif -+ - l=(p-d); - d=buf; - -diff -up openssl-1.0.0-beta4/ssl/d1_lib.c.dtls-reneg openssl-1.0.0-beta4/ssl/d1_lib.c -diff -up openssl-1.0.0-beta4/ssl/d1_srvr.c.dtls-reneg openssl-1.0.0-beta4/ssl/d1_srvr.c ---- openssl-1.0.0-beta4/ssl/d1_srvr.c.dtls-reneg 2009-09-09 19:05:42.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/d1_srvr.c 2010-01-07 17:44:55.000000000 +0100 -@@ -305,8 +305,18 @@ int dtls1_accept(SSL *s) - ret=dtls1_send_server_hello(s); - if (ret <= 0) goto end; - -+#ifndef OPENSSL_NO_TLSEXT - if (s->hit) -- s->state=SSL3_ST_SW_CHANGE_A; -+ { -+ if (s->tlsext_ticket_expected) -+ s->state=SSL3_ST_SW_SESSION_TICKET_A; -+ else -+ s->state=SSL3_ST_SW_CHANGE_A; -+ } -+#else -+ if (s->hit) -+ s->state=SSL3_ST_SW_CHANGE_A; -+#endif - else - s->state=SSL3_ST_SW_CERT_A; - s->init_num=0; -@@ -321,10 +331,24 @@ int dtls1_accept(SSL *s) - dtls1_start_timer(s); - ret=dtls1_send_server_certificate(s); - if (ret <= 0) goto end; -+#ifndef OPENSSL_NO_TLSEXT -+ if (s->tlsext_status_expected) -+ s->state=SSL3_ST_SW_CERT_STATUS_A; -+ else -+ s->state=SSL3_ST_SW_KEY_EXCH_A; -+ } -+ else -+ { -+ skip = 1; -+ s->state=SSL3_ST_SW_KEY_EXCH_A; -+ } -+#else - } - else - skip=1; -+ - s->state=SSL3_ST_SW_KEY_EXCH_A; -+#endif - s->init_num=0; - break; - -@@ -519,11 +543,34 @@ int dtls1_accept(SSL *s) - dtls1_stop_timer(s); - if (s->hit) - s->state=SSL_ST_OK; -+#ifndef OPENSSL_NO_TLSEXT -+ else if (s->tlsext_ticket_expected) -+ s->state=SSL3_ST_SW_SESSION_TICKET_A; -+#endif - else - s->state=SSL3_ST_SW_CHANGE_A; - s->init_num=0; - break; - -+#ifndef OPENSSL_NO_TLSEXT -+ case SSL3_ST_SW_SESSION_TICKET_A: -+ case SSL3_ST_SW_SESSION_TICKET_B: -+ ret=dtls1_send_newsession_ticket(s); -+ if (ret <= 0) goto end; -+ s->state=SSL3_ST_SW_CHANGE_A; -+ s->init_num=0; -+ break; -+ -+ case SSL3_ST_SW_CERT_STATUS_A: -+ case SSL3_ST_SW_CERT_STATUS_B: -+ ret=ssl3_send_cert_status(s); -+ if (ret <= 0) goto end; -+ s->state=SSL3_ST_SW_KEY_EXCH_A; -+ s->init_num=0; -+ break; -+ -+#endif -+ - case SSL3_ST_SW_CHANGE_A: - case SSL3_ST_SW_CHANGE_B: - -@@ -749,6 +796,8 @@ int dtls1_send_server_hello(SSL *s) - p+=sl; - - /* put the cipher */ -+ if (s->s3->tmp.new_cipher == NULL) -+ return -1; - i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); - p+=i; - -@@ -762,6 +811,14 @@ int dtls1_send_server_hello(SSL *s) - *(p++)=s->s3->tmp.new_compression->id; - #endif - -+#ifndef OPENSSL_NO_TLSEXT -+ if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) -+ { -+ SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); -+ return -1; -+ } -+#endif -+ - /* do the header */ - l=(p-d); - d=buf; -@@ -1384,3 +1441,114 @@ int dtls1_send_server_certificate(SSL *s - /* SSL3_ST_SW_CERT_B */ - return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); - } -+ -+#ifndef OPENSSL_NO_TLSEXT -+int dtls1_send_newsession_ticket(SSL *s) -+ { -+ if (s->state == SSL3_ST_SW_SESSION_TICKET_A) -+ { -+ unsigned char *p, *senc, *macstart; -+ int len, slen; -+ unsigned int hlen, msg_len; -+ EVP_CIPHER_CTX ctx; -+ HMAC_CTX hctx; -+ SSL_CTX *tctx = s->initial_ctx; -+ unsigned char iv[EVP_MAX_IV_LENGTH]; -+ unsigned char key_name[16]; -+ -+ /* get session encoding length */ -+ slen = i2d_SSL_SESSION(s->session, NULL); -+ /* Some length values are 16 bits, so forget it if session is -+ * too long -+ */ -+ if (slen > 0xFF00) -+ return -1; -+ /* Grow buffer if need be: the length calculation is as -+ * follows 12 (DTLS handshake message header) + -+ * 4 (ticket lifetime hint) + 2 (ticket length) + -+ * 16 (key name) + max_iv_len (iv length) + -+ * session_length + max_enc_block_size (max encrypted session -+ * length) + max_md_size (HMAC). -+ */ -+ if (!BUF_MEM_grow(s->init_buf, -+ DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH + -+ EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen)) -+ return -1; -+ senc = OPENSSL_malloc(slen); -+ if (!senc) -+ return -1; -+ p = senc; -+ i2d_SSL_SESSION(s->session, &p); -+ -+ p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]); -+ EVP_CIPHER_CTX_init(&ctx); -+ HMAC_CTX_init(&hctx); -+ /* Initialize HMAC and cipher contexts. If callback present -+ * it does all the work otherwise use generated values -+ * from parent ctx. -+ */ -+ if (tctx->tlsext_ticket_key_cb) -+ { -+ if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, -+ &hctx, 1) < 0) -+ { -+ OPENSSL_free(senc); -+ return -1; -+ } -+ } -+ else -+ { -+ RAND_pseudo_bytes(iv, 16); -+ EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, -+ tctx->tlsext_tick_aes_key, iv); -+ HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, -+ tlsext_tick_md(), NULL); -+ memcpy(key_name, tctx->tlsext_tick_key_name, 16); -+ } -+ l2n(s->session->tlsext_tick_lifetime_hint, p); -+ /* Skip ticket length for now */ -+ p += 2; -+ /* Output key name */ -+ macstart = p; -+ memcpy(p, key_name, 16); -+ p += 16; -+ /* output IV */ -+ memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); -+ p += EVP_CIPHER_CTX_iv_length(&ctx); -+ /* Encrypt session data */ -+ EVP_EncryptUpdate(&ctx, p, &len, senc, slen); -+ p += len; -+ EVP_EncryptFinal(&ctx, p, &len); -+ p += len; -+ EVP_CIPHER_CTX_cleanup(&ctx); -+ -+ HMAC_Update(&hctx, macstart, p - macstart); -+ HMAC_Final(&hctx, p, &hlen); -+ HMAC_CTX_cleanup(&hctx); -+ -+ p += hlen; -+ /* Now write out lengths: p points to end of data written */ -+ /* Total length */ -+ len = p - (unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]); -+ p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4; -+ s2n(len - 18, p); /* Ticket length */ -+ -+ /* number of bytes to write */ -+ s->init_num= len; -+ s->state=SSL3_ST_SW_SESSION_TICKET_B; -+ s->init_off=0; -+ OPENSSL_free(senc); -+ -+ /* XDTLS: set message header ? */ -+ msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH; -+ dtls1_set_message_header(s, (void *)s->init_buf->data, -+ SSL3_MT_NEWSESSION_TICKET, msg_len, 0, msg_len); -+ -+ /* buffer the message to handle re-xmits */ -+ dtls1_buffer_message(s, 0); -+ } -+ -+ /* SSL3_ST_SW_SESSION_TICKET_B */ -+ return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); -+ } -+#endif -diff -up openssl-1.0.0-beta4/ssl/ssl_locl.h.dtls-reneg openssl-1.0.0-beta4/ssl/ssl_locl.h ---- openssl-1.0.0-beta4/ssl/ssl_locl.h.dtls-reneg 2009-11-23 08:36:03.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl_locl.h 2010-01-07 17:44:55.000000000 +0100 -@@ -933,7 +933,7 @@ void dtls1_start_timer(SSL *s); - void dtls1_stop_timer(SSL *s); - int dtls1_is_timer_expired(SSL *s); - void dtls1_double_timeout(SSL *s); -- -+int dtls1_send_newsession_ticket(SSL *s); - - /* some client-only functions */ - int ssl3_client_hello(SSL *s); -@@ -949,6 +949,9 @@ int ssl3_send_client_key_exchange(SSL *s - int ssl3_get_key_exchange(SSL *s); - int ssl3_get_server_certificate(SSL *s); - int ssl3_check_cert_and_algorithm(SSL *s); -+#ifndef OPENSSL_NO_TLSEXT -+int ssl3_check_finished(SSL *s); -+#endif - - int dtls1_client_hello(SSL *s); - int dtls1_send_client_certificate(SSL *s); -@@ -1030,6 +1033,7 @@ int ssl_prepare_clienthello_tlsext(SSL * - int ssl_prepare_serverhello_tlsext(SSL *s); - int ssl_check_clienthello_tlsext(SSL *s); - int ssl_check_serverhello_tlsext(SSL *s); -+ - #ifdef OPENSSL_NO_SHA256 - #define tlsext_tick_md EVP_sha1 - #else -diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.dtls-reneg openssl-1.0.0-beta4/ssl/s3_clnt.c ---- openssl-1.0.0-beta4/ssl/s3_clnt.c.dtls-reneg 2009-11-23 08:36:04.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2010-01-07 17:44:55.000000000 +0100 -@@ -170,9 +170,6 @@ - - static const SSL_METHOD *ssl3_get_client_method(int ver); - static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); --#ifndef OPENSSL_NO_TLSEXT --static int ssl3_check_finished(SSL *s); --#endif - - static const SSL_METHOD *ssl3_get_client_method(int ver) - { -@@ -1827,6 +1824,7 @@ int ssl3_get_new_session_ticket(SSL *s) - SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); - goto f_err; - } -+ - p=d=(unsigned char *)s->init_msg; - n2l(p, s->session->tlsext_tick_lifetime_hint); - n2s(p, ticklen); -@@ -2991,7 +2989,7 @@ err: - */ - - #ifndef OPENSSL_NO_TLSEXT --static int ssl3_check_finished(SSL *s) -+int ssl3_check_finished(SSL *s) - { - int ok; - long n; -diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.dtls-reneg openssl-1.0.0-beta4/ssl/t1_lib.c ---- openssl-1.0.0-beta4/ssl/t1_lib.c.dtls-reneg 2009-11-23 08:36:04.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2010-01-07 17:44:55.000000000 +0100 -@@ -340,7 +340,8 @@ unsigned char *ssl_add_clienthello_tlsex - } - - #ifndef OPENSSL_NO_EC -- if (s->tlsext_ecpointformatlist != NULL) -+ if (s->tlsext_ecpointformatlist != NULL && -+ s->version != DTLS1_VERSION) - { - /* Add TLS extension ECPointFormats to the ClientHello message */ - long lenmax; -@@ -359,7 +360,8 @@ unsigned char *ssl_add_clienthello_tlsex - memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); - ret+=s->tlsext_ecpointformatlist_length; - } -- if (s->tlsext_ellipticcurvelist != NULL) -+ if (s->tlsext_ellipticcurvelist != NULL && -+ s->version != DTLS1_VERSION) - { - /* Add TLS extension EllipticCurves to the ClientHello message */ - long lenmax; -@@ -423,7 +425,8 @@ unsigned char *ssl_add_clienthello_tlsex - skip_ext: - - #ifdef TLSEXT_TYPE_opaque_prf_input -- if (s->s3->client_opaque_prf_input != NULL) -+ if (s->s3->client_opaque_prf_input != NULL && -+ s->version != DTLS1_VERSION) - { - size_t col = s->s3->client_opaque_prf_input_len; - -@@ -440,7 +443,8 @@ unsigned char *ssl_add_clienthello_tlsex - } - #endif - -- if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) -+ if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && -+ s->version != DTLS1_VERSION) - { - int i; - long extlen, idlen, itmp; -@@ -515,7 +519,7 @@ unsigned char *ssl_add_serverhello_tlsex - s2n(0,ret); - } - -- if(s->s3->send_connection_binding) -+ if(s->s3->send_connection_binding) - { - int el; - -@@ -540,7 +544,8 @@ unsigned char *ssl_add_serverhello_tlsex - } - - #ifndef OPENSSL_NO_EC -- if (s->tlsext_ecpointformatlist != NULL) -+ if (s->tlsext_ecpointformatlist != NULL && -+ s->version != DTLS1_VERSION) - { - /* Add TLS extension ECPointFormats to the ServerHello message */ - long lenmax; -@@ -579,7 +584,8 @@ unsigned char *ssl_add_serverhello_tlsex - } - - #ifdef TLSEXT_TYPE_opaque_prf_input -- if (s->s3->server_opaque_prf_input != NULL) -+ if (s->s3->server_opaque_prf_input != NULL && -+ s->version != DTLS1_VERSION) - { - size_t sol = s->s3->server_opaque_prf_input_len; - -@@ -757,7 +763,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, - } - - #ifndef OPENSSL_NO_EC -- else if (type == TLSEXT_TYPE_ec_point_formats) -+ else if (type == TLSEXT_TYPE_ec_point_formats && -+ s->version != DTLS1_VERSION) - { - unsigned char *sdata = data; - int ecpointformatlist_length = *(sdata++); -@@ -784,7 +791,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, - fprintf(stderr,"\n"); - #endif - } -- else if (type == TLSEXT_TYPE_elliptic_curves) -+ else if (type == TLSEXT_TYPE_elliptic_curves && -+ s->version != DTLS1_VERSION) - { - unsigned char *sdata = data; - int ellipticcurvelist_length = (*(sdata++) << 8); -@@ -814,7 +822,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, - } - #endif /* OPENSSL_NO_EC */ - #ifdef TLSEXT_TYPE_opaque_prf_input -- else if (type == TLSEXT_TYPE_opaque_prf_input) -+ else if (type == TLSEXT_TYPE_opaque_prf_input && -+ s->version != DTLS1_VERSION) - { - unsigned char *sdata = data; - -@@ -858,8 +867,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, - return 0; - renegotiate_seen = 1; - } -- else if (type == TLSEXT_TYPE_status_request -- && s->ctx->tlsext_status_cb) -+ else if (type == TLSEXT_TYPE_status_request && -+ s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) - { - - if (size < 5) -@@ -1027,7 +1036,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, - } - - #ifndef OPENSSL_NO_EC -- else if (type == TLSEXT_TYPE_ec_point_formats) -+ else if (type == TLSEXT_TYPE_ec_point_formats && -+ s->version != DTLS1_VERSION) - { - unsigned char *sdata = data; - int ecpointformatlist_length = *(sdata++); -@@ -1073,7 +1083,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, - s->tlsext_ticket_expected = 1; - } - #ifdef TLSEXT_TYPE_opaque_prf_input -- else if (type == TLSEXT_TYPE_opaque_prf_input) -+ else if (type == TLSEXT_TYPE_opaque_prf_input && -+ s->version != DTLS1_VERSION) - { - unsigned char *sdata = data; - -@@ -1103,7 +1114,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, - } - } - #endif -- else if (type == TLSEXT_TYPE_status_request) -+ else if (type == TLSEXT_TYPE_status_request && -+ s->version != DTLS1_VERSION) - { - /* MUST be empty and only sent if we've requested - * a status request message. diff --git a/openssl-1.0.0-beta4-reneg-err.patch b/openssl-1.0.0-beta4-reneg-err.patch deleted file mode 100644 index 271dbe7..0000000 --- a/openssl-1.0.0-beta4-reneg-err.patch +++ /dev/null @@ -1,93 +0,0 @@ -Better error reporting for unsafe renegotiation. -diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c ---- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100 -@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]= - {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, - {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, - {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"}, -+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"}, -+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, - {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"}, -@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"}, - {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"}, - {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"}, -+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"}, - {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, - {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"}, - {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"}, -diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h ---- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100 -@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void); - #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 - #define SSL_F_SSL_NEW 186 - #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300 -+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302 - #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301 -+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303 - #define SSL_F_SSL_PEEK 270 - #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281 - #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282 -@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 - #define SSL_R_UNKNOWN_SSL_VERSION 254 - #define SSL_R_UNKNOWN_STATE 255 -+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338 - #define SSL_R_UNSUPPORTED_CIPHER 256 - #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 - #define SSL_R_UNSUPPORTED_DIGEST_TYPE 326 -diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c ---- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100 -@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s) - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); - goto err; - #else -+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -+ goto err; -+ } - /* we are talking sslv2 */ - /* we need to clean up the SSLv3/TLSv1 setup and put in the - * sslv2 stuff. */ -diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c ---- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100 -@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, - { - /* We should always see one extension: the renegotiate extension */ - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - return 1; -@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, - if (s->new_session && !renegotiate_seen - && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { -+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ - return 0; - } -@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - { - /* We should always see one extension: the renegotiate extension */ - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - #endif -@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { - *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - #endif diff --git a/openssl-1.0.0-beta4-reneg-scsv.patch b/openssl-1.0.0-beta4-reneg-scsv.patch deleted file mode 100644 index a50d71f..0000000 --- a/openssl-1.0.0-beta4-reneg-scsv.patch +++ /dev/null @@ -1,793 +0,0 @@ -diff -up openssl-1.0.0-beta4/apps/s_client.c.scsv openssl-1.0.0-beta4/apps/s_client.c ---- openssl-1.0.0-beta4/apps/s_client.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/apps/s_client.c 2010-01-07 23:37:39.000000000 +0100 -@@ -382,7 +382,7 @@ int MAIN(int, char **); - - int MAIN(int argc, char **argv) - { -- int off=0; -+ unsigned int off=0, clr=0; - SSL *con=NULL; - int s,k,width,state=0; - char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; -@@ -660,6 +660,10 @@ int MAIN(int argc, char **argv) - off|=SSL_OP_CIPHER_SERVER_PREFERENCE; - else if (strcmp(*argv,"-legacy_renegotiation") == 0) - off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; -+ else if (strcmp(*argv,"-legacy_server_connect") == 0) -+ { off|=SSL_OP_LEGACY_SERVER_CONNECT; } -+ else if (strcmp(*argv,"-no_legacy_server_connect") == 0) -+ { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; -@@ -870,6 +874,9 @@ bad: - SSL_CTX_set_options(ctx,SSL_OP_ALL|off); - else - SSL_CTX_set_options(ctx,off); -+ -+ if (clr) -+ SSL_CTX_clear_options(ctx, clr); - /* DTLS: partial reads end up discarding unread UDP bytes :-( - * Setting read ahead solves this problem. - */ -@@ -1725,6 +1732,8 @@ static void print_stuff(BIO *bio, SSL *s - EVP_PKEY_bits(pktmp)); - EVP_PKEY_free(pktmp); - } -+ BIO_printf(bio, "Secure Renegotiation IS%s supported\n", -+ SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); - #ifndef OPENSSL_NO_COMP - comp=SSL_get_current_compression(s); - expansion=SSL_get_current_expansion(s); -diff -up openssl-1.0.0-beta4/apps/s_server.c.scsv openssl-1.0.0-beta4/apps/s_server.c ---- openssl-1.0.0-beta4/apps/s_server.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/apps/s_server.c 2010-01-07 23:37:39.000000000 +0100 -@@ -2212,6 +2212,8 @@ static int init_ssl_connection(SSL *con) - con->kssl_ctx->client_princ); - } - #endif /* OPENSSL_NO_KRB5 */ -+ BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", -+ SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); - return(1); - } - -diff -up openssl-1.0.0-beta4/doc/ssl/SSL_CTX_set_options.pod.scsv openssl-1.0.0-beta4/doc/ssl/SSL_CTX_set_options.pod ---- openssl-1.0.0-beta4/doc/ssl/SSL_CTX_set_options.pod.scsv 2007-08-24 00:49:13.000000000 +0200 -+++ openssl-1.0.0-beta4/doc/ssl/SSL_CTX_set_options.pod 2010-01-07 23:37:39.000000000 +0100 -@@ -2,7 +2,7 @@ - - =head1 NAME - --SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options -+SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options - - =head1 SYNOPSIS - -@@ -11,26 +11,41 @@ SSL_CTX_set_options, SSL_set_options, SS - long SSL_CTX_set_options(SSL_CTX *ctx, long options); - long SSL_set_options(SSL *ssl, long options); - -+ long SSL_CTX_clear_options(SSL_CTX *ctx, long options); -+ long SSL_clear_options(SSL *ssl, long options); -+ - long SSL_CTX_get_options(SSL_CTX *ctx); - long SSL_get_options(SSL *ssl); - -+ long SSL_get_secure_renegotiation_support(SSL *ssl); -+ - =head1 DESCRIPTION - -+Note: all these functions are implemented using macros. -+ - SSL_CTX_set_options() adds the options set via bitmask in B to B. - Options already set before are not cleared! - - SSL_set_options() adds the options set via bitmask in B to B. - Options already set before are not cleared! - -+SSL_CTX_clear_options() clears the options set via bitmask in B -+to B. -+ -+SSL_clear_options() clears the options set via bitmask in B to B. -+ - SSL_CTX_get_options() returns the options set for B. - - SSL_get_options() returns the options set for B. - -+SSL_get_secure_renegotiation_support() indicates whether the peer supports -+secure renegotiation. -+ - =head1 NOTES - - The behaviour of the SSL library can be changed by setting several options. - The options are coded as bitmasks and can be combined by a logical B --operation (|). Options can only be added but can never be reset. -+operation (|). - - SSL_CTX_set_options() and SSL_set_options() affect the (external) - protocol behaviour of the SSL library. The (internal) behaviour of -@@ -199,7 +214,7 @@ Do not use the TLSv1 protocol. - - When performing renegotiation as a server, always start a new session - (i.e., session resumption requests are only accepted in the initial --handshake). This option is not needed for clients. -+handshake). This option is not needed for clients. - - =item SSL_OP_NO_TICKET - -@@ -209,15 +224,63 @@ of RFC4507bis tickets for stateless sess - If this option is set this functionality is disabled and tickets will - not be used by clients or servers. - -+=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION -+ -+See the B section for a discussion of the purpose of -+this option -+ - =back - -+=head1 SECURE RENEGOTIATION -+ -+OpenSSL 0.9.8m and later always attempts to use secure renegotiation as -+described in draft-ietf-tls-renegotiation (FIXME: replace by RFC). This -+counters a prefix attack described in the draft and elsewhere (FIXME: need full -+reference). -+ -+This attack has far reaching consequences which application writers should be -+aware of. In the description below an implementation supporting secure -+renegotiation is referred to as I. A server not supporting secure -+renegotiation is referred to as I. -+ -+If an unpatched client attempts to connect to a patched OpenSSL server then -+the attempt will succeed but renegotiation is not permitted. As required -+by the standard a B alert is sent back to the client if -+the TLS v1.0 protocol is used. If SSLv3.0 is used then renegotiation results -+in a fatal B alert. -+ -+If a patched OpenSSL client attempts to connect to an unpatched server -+then the connection will fail because it is not possible to determine -+whether an attack is taking place. -+ -+If the option B is set then the -+above restrictions are relaxed. Renegotiation is permissible and initial -+connections to unpatched servers will succeed. -+ -+This option should be used with caution because it leaves both clients and -+servers vulnerable. However unpatched servers and clients are likely to be -+around for some time and refusing to connect to unpatched servers or denying -+renegotion altogether may be unacceptable. So applications may be forced to -+tolerate unsafe renegotiation for the immediate future. -+ -+The function SSL_get_secure_renegotiation_support() indicates whether the peer -+supports secure renegotiation. -+ -+The deprecated SSLv2 protocol does not support secure renegotiation at all. -+ - =head1 RETURN VALUES - - SSL_CTX_set_options() and SSL_set_options() return the new options bitmask - after adding B. - -+SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask -+after clearing B. -+ - SSL_CTX_get_options() and SSL_get_options() return the current bitmask. - -+SSL_get_secure_renegotiation_support() returns 1 is the peer supports -+secure renegotiation and 0 if it does not. -+ - =head1 SEE ALSO - - L, L, L, -@@ -240,4 +303,10 @@ Versions up to OpenSSL 0.9.6c do not inc - can be disabled with this option (in OpenSSL 0.9.6d, it was always - enabled). - -+SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL -+0.9.8m. -+ -+B was first added in OpenSSL -+0.9.8m. -+ - =cut -diff -up openssl-1.0.0-beta4/ssl/d1_clnt.c.scsv openssl-1.0.0-beta4/ssl/d1_clnt.c ---- openssl-1.0.0-beta4/ssl/d1_clnt.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/d1_clnt.c 2010-01-07 23:37:39.000000000 +0100 -@@ -698,7 +698,7 @@ int dtls1_client_hello(SSL *s) - #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { -- SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); -+ SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); - goto err; - } - #endif -diff -up openssl-1.0.0-beta4/ssl/d1_srvr.c.scsv openssl-1.0.0-beta4/ssl/d1_srvr.c ---- openssl-1.0.0-beta4/ssl/d1_srvr.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/d1_srvr.c 2010-01-07 23:37:39.000000000 +0100 -@@ -814,7 +814,7 @@ int dtls1_send_server_hello(SSL *s) - #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { -- SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); -+ SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); - return -1; - } - #endif -diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.scsv openssl-1.0.0-beta4/ssl/ssl_err.c ---- openssl-1.0.0-beta4/ssl/ssl_err.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2010-01-07 23:37:39.000000000 +0100 -@@ -414,6 +414,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"}, - {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"}, - {ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"}, -+{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"}, - {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST) ,"digest requred for handshake isn't computed"}, - {ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"}, - {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"}, -@@ -453,6 +454,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"}, - {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"}, - {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"}, -+{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"}, - {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"}, - {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, - {ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, -diff -up openssl-1.0.0-beta4/ssl/ssl.h.scsv openssl-1.0.0-beta4/ssl/ssl.h ---- openssl-1.0.0-beta4/ssl/ssl.h.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl.h 2010-01-07 23:37:39.000000000 +0100 -@@ -511,6 +511,8 @@ typedef struct ssl_session_st - - #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L - #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L -+/* Allow initial connection to servers that don't support RI */ -+#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L - #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ - #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L - #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L -@@ -518,7 +520,6 @@ typedef struct ssl_session_st - #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L - #define SSL_OP_TLS_D5_BUG 0x00000100L - #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L --#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00000400L - - /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added - * in OpenSSL 0.9.6d. Usually (depending on the application protocol) -@@ -544,6 +545,8 @@ typedef struct ssl_session_st - #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L - /* Don't use compression even if supported */ - #define SSL_OP_NO_COMPRESSION 0x00020000L -+/* Permit unsafe legacy renegotiation */ -+#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L - /* If set, always create a new key when using tmp_ecdh parameters */ - #define SSL_OP_SINGLE_ECDH_USE 0x00080000L - /* If set, always create a new key when using tmp_dh parameters */ -@@ -599,17 +602,25 @@ typedef struct ssl_session_st - - #define SSL_CTX_set_options(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) -+#define SSL_CTX_clear_options(ctx,op) \ -+ SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) - #define SSL_CTX_get_options(ctx) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL) - #define SSL_set_options(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) -+#define SSL_clear_options(ssl,op) \ -+ SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) - #define SSL_get_options(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL) - - #define SSL_CTX_set_mode(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) -+#define SSL_CTX_clear_mode(ctx,op) \ -+ SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL) - #define SSL_CTX_get_mode(ctx) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL) -+#define SSL_clear_mode(ssl,op) \ -+ SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL) - #define SSL_set_mode(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL) - #define SSL_get_mode(ssl) \ -@@ -617,6 +628,8 @@ typedef struct ssl_session_st - #define SSL_set_mtu(ssl, mtu) \ - SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL) - -+#define SSL_get_secure_renegotiation_support(ssl) \ -+ SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL) - - void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); - void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); -@@ -1389,6 +1402,10 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) - #define DTLS_CTRL_HANDLE_TIMEOUT 74 - #define DTLS_CTRL_LISTEN 75 - -+#define SSL_CTRL_GET_RI_SUPPORT 76 -+#define SSL_CTRL_CLEAR_OPTIONS 77 -+#define SSL_CTRL_CLEAR_MODE 78 -+ - #define DTLSv1_get_timeout(ssl, arg) \ - SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) - #define DTLSv1_handle_timeout(ssl) \ -@@ -2119,6 +2136,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 - #define SSL_R_NO_PROTOCOLS_AVAILABLE 191 - #define SSL_R_NO_PUBLICKEY 192 -+#define SSL_R_NO_RENEGOTIATION 339 - #define SSL_R_NO_REQUIRED_DIGEST 324 - #define SSL_R_NO_SHARED_CIPHER 193 - #define SSL_R_NO_VERIFY_CALLBACK 194 -@@ -2158,6 +2176,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 - #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 - #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 -+#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 - #define SSL_R_SERVERHELLO_TLSEXT 275 - #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 - #define SSL_R_SHORT_READ 219 -diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.scsv openssl-1.0.0-beta4/ssl/ssl_lib.c ---- openssl-1.0.0-beta4/ssl/ssl_lib.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl_lib.c 2010-01-07 23:38:08.000000000 +0100 -@@ -1041,8 +1041,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v - - case SSL_CTRL_OPTIONS: - return(s->options|=larg); -+ case SSL_CTRL_CLEAR_OPTIONS: -+ return(s->options&=~larg); - case SSL_CTRL_MODE: - return(s->mode|=larg); -+ case SSL_CTRL_CLEAR_MODE: -+ return(s->mode &=~larg); - case SSL_CTRL_GET_MAX_CERT_LIST: - return(s->max_cert_list); - case SSL_CTRL_SET_MAX_CERT_LIST: -@@ -1062,6 +1066,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v - return 0; - s->max_send_fragment = larg; - return 1; -+ case SSL_CTRL_GET_RI_SUPPORT: -+ if (s->s3) -+ return s->s3->send_connection_binding; -+ else return 0; - default: - return(s->method->ssl_ctrl(s,cmd,larg,parg)); - } -@@ -1148,8 +1156,12 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,l - return(ctx->stats.sess_cache_full); - case SSL_CTRL_OPTIONS: - return(ctx->options|=larg); -+ case SSL_CTRL_CLEAR_OPTIONS: -+ return(ctx->options&=~larg); - case SSL_CTRL_MODE: - return(ctx->mode|=larg); -+ case SSL_CTRL_CLEAR_MODE: -+ return(ctx->mode&=~larg); - case SSL_CTRL_SET_MAX_SEND_FRAGMENT: - if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) - return 0; -@@ -1357,6 +1369,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC - j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); - p+=j; - } -+ /* If p == q, no ciphers and caller indicates an error. Otherwise -+ * add SCSV if not renegotiating. -+ */ -+ if (p != q && !s->new_session) -+ { -+ static SSL_CIPHER scsv = -+ { -+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 -+ }; -+ j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); -+ p+=j; -+#ifdef OPENSSL_RI_DEBUG -+ fprintf(stderr, "SCSV sent by client\n"); -+#endif -+ } -+ - return(p-q); - } - -@@ -1366,6 +1394,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe - const SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; - int i,n; -+ if (s->s3) -+ s->s3->send_connection_binding = 0; - - n=ssl_put_cipher_by_char(s,NULL,NULL); - if ((num%n) != 0) -@@ -1383,6 +1413,26 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe - - for (i=0; is3 && (n != 3 || !p[0]) && -+ (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && -+ (p[n-1] == (SSL3_CK_SCSV & 0xff))) -+ { -+ /* SCSV fatal if renegotiating */ -+ if (s->new_session) -+ { -+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); -+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); -+ goto err; -+ } -+ s->s3->send_connection_binding = 1; -+ p += n; -+#ifdef OPENSSL_RI_DEBUG -+ fprintf(stderr, "SCSV received by server\n"); -+#endif -+ continue; -+ } -+ - c=ssl_get_cipher_by_char(s,p); - p+=n; - if (c != NULL) -@@ -1642,6 +1692,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - } - #endif - #endif -+ /* Default is to connect to non-RI servers. When RI is more widely -+ * deployed might change this. -+ */ -+ ret->options = SSL_OP_LEGACY_SERVER_CONNECT; - - return(ret); - err: -diff -up openssl-1.0.0-beta4/ssl/ssl3.h.scsv openssl-1.0.0-beta4/ssl/ssl3.h ---- openssl-1.0.0-beta4/ssl/ssl3.h.scsv 2010-01-07 23:37:38.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl3.h 2010-01-07 23:37:39.000000000 +0100 -@@ -128,6 +128,9 @@ - extern "C" { - #endif - -+/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ -+#define SSL3_CK_SCSV 0x030000FF -+ - #define SSL3_CK_RSA_NULL_MD5 0x03000001 - #define SSL3_CK_RSA_NULL_SHA 0x03000002 - #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 -diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.scsv openssl-1.0.0-beta4/ssl/s3_clnt.c ---- openssl-1.0.0-beta4/ssl/s3_clnt.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2010-01-07 23:37:39.000000000 +0100 -@@ -916,7 +916,7 @@ int ssl3_get_server_hello(SSL *s) - - #ifndef OPENSSL_NO_TLSEXT - /* TLS extensions*/ -- if (s->version > SSL3_VERSION) -+ if (s->version >= SSL3_VERSION) - { - if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) - { -diff -up openssl-1.0.0-beta4/ssl/s3_pkt.c.scsv openssl-1.0.0-beta4/ssl/s3_pkt.c ---- openssl-1.0.0-beta4/ssl/s3_pkt.c.scsv 2009-07-14 17:28:44.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s3_pkt.c 2010-01-07 23:37:39.000000000 +0100 -@@ -1120,7 +1120,25 @@ start: - * now try again to obtain the (application) data we were asked for */ - goto start; - } -- -+ /* If we are a server and get a client hello when renegotiation isn't -+ * allowed send back a no renegotiation alert and carry on. -+ * WARNING: experimental code, needs reviewing (steve) -+ */ -+ if (s->server && -+ SSL_is_init_finished(s) && -+ !s->s3->send_connection_binding && -+ (s->version > SSL3_VERSION) && -+ (s->s3->handshake_fragment_len >= 4) && -+ (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && -+ (s->session != NULL) && (s->session->cipher != NULL) && -+ !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ -+ { -+ /*s->s3->handshake_fragment_len = 0;*/ -+ rr->length = 0; -+ ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); -+ goto start; -+ } - if (s->s3->alert_fragment_len >= 2) - { - int alert_level = s->s3->alert_fragment[0]; -@@ -1150,6 +1168,21 @@ start: - s->shutdown |= SSL_RECEIVED_SHUTDOWN; - return(0); - } -+ /* This is a warning but we receive it if we requested -+ * renegotiation and the peer denied it. Terminate with -+ * a fatal alert because if application tried to -+ * renegotiatie it presumably had a good reason and -+ * expects it to succeed. -+ * -+ * In future we might have a renegotiation where we -+ * don't care if the peer refused it where we carry on. -+ */ -+ else if (alert_descr == SSL_AD_NO_RENEGOTIATION) -+ { -+ al = SSL_AD_HANDSHAKE_FAILURE; -+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION); -+ goto f_err; -+ } - } - else if (alert_level == 2) /* fatal */ - { -diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.scsv openssl-1.0.0-beta4/ssl/s3_srvr.c ---- openssl-1.0.0-beta4/ssl/s3_srvr.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2010-01-07 23:37:39.000000000 +0100 -@@ -1015,7 +1015,7 @@ int ssl3_get_client_hello(SSL *s) - - #ifndef OPENSSL_NO_TLSEXT - /* TLS extensions*/ -- if (s->version > SSL3_VERSION) -+ if (s->version >= SSL3_VERSION) - { - if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) - { -diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.scsv openssl-1.0.0-beta4/ssl/t1_lib.c ---- openssl-1.0.0-beta4/ssl/t1_lib.c.scsv 2010-01-07 23:37:39.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2010-01-07 23:38:08.000000000 +0100 -@@ -275,8 +275,9 @@ unsigned char *ssl_add_clienthello_tlsex - int extdatalen=0; - unsigned char *ret = p; - -- /* don't add extensions for SSLv3 */ -- if (s->client_version == SSL3_VERSION) -+ /* don't add extensions for SSLv3 unless doing secure renegotiation */ -+ if (s->client_version == SSL3_VERSION -+ && !s->s3->send_connection_binding) - return p; - - ret+=2; -@@ -315,8 +316,9 @@ unsigned char *ssl_add_clienthello_tlsex - ret+=size_str; - } - -- /* Add the renegotiation option: TODOEKR switch */ -- { -+ /* Add RI if renegotiating */ -+ if (s->new_session) -+ { - int el; - - if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) -@@ -504,8 +506,8 @@ unsigned char *ssl_add_serverhello_tlsex - int extdatalen=0; - unsigned char *ret = p; - -- /* don't add extensions for SSLv3 */ -- if (s->version == SSL3_VERSION) -+ /* don't add extensions for SSLv3, unless doing secure renegotiation */ -+ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) - return p; - - ret+=2; -@@ -633,24 +635,13 @@ int ssl_parse_clienthello_tlsext(SSL *s, - - s->servername_done = 0; - s->tlsext_status_type = -1; -- s->s3->send_connection_binding = 0; - - if (data >= (d+n-2)) -- { -- if (s->new_session -- && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -- { -- /* We should always see one extension: the renegotiate extension */ -- *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -- SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -- return 0; -- } -- return 1; -- } -+ goto ri_check; - n2s(data,len); - - if (data > (d+n-len)) -- return 1; -+ goto ri_check; - - while (data <= (d+n-4)) - { -@@ -658,7 +649,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, - n2s(data,size); - - if (data+size > (d+n)) -- return 1; -+ goto ri_check; - #if 0 - fprintf(stderr,"Received extension type %d size %d\n",type,size); - #endif -@@ -971,17 +962,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, - /* session ticket processed earlier */ - data+=size; - } -- -- if (s->new_session && !renegotiate_seen -- && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -- { -- SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -- *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -- return 0; -- } -- - - *p = data; -+ -+ ri_check: -+ -+ /* Need RI if renegotiating */ -+ -+ if (!renegotiate_seen && s->new_session && -+ !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ *al = SSL_AD_HANDSHAKE_FAILURE; -+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, -+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -+ return 0; -+ } -+ - return 1; - } - -@@ -995,21 +991,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - int renegotiate_seen = 0; - - if (data >= (d+n-2)) -- { --#if 0 -- /* Because the client does not see any renegotiation during an -- attack, we must enforce this on all server hellos, even the -- first */ -- if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -- { -- /* We should always see one extension: the renegotiate extension */ -- *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -- SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -- return 0; -- } --#endif -- return 1; -- } -+ goto ri_check; - - n2s(data,len); - -@@ -1019,7 +1001,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - n2s(data,size); - - if (data+size > (d+n)) -- return 1; -+ goto ri_check; - - if (s->tlsext_debug_cb) - s->tlsext_debug_cb(s, 1, type, data, size, -@@ -1143,16 +1125,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, - return 0; - } - --#if 0 -- if (!renegotiate_seen -- && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -- { -- *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -- SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -- return 0; -- } --#endif -- - if (!s->hit && tlsext_servername == 1) - { - if (s->tlsext_hostname) -@@ -1175,6 +1147,26 @@ int ssl_parse_serverhello_tlsext(SSL *s, - } - - *p = data; -+ -+ ri_check: -+ -+ /* Determine if we need to see RI. Strictly speaking if we want to -+ * avoid an attack we should *always* see RI even on initial server -+ * hello because the client doesn't see any renegotiation during an -+ * attack. However this would mean we could not connect to any server -+ * which doesn't support RI so for the immediate future tolerate RI -+ * absence on initial connect only. -+ */ -+ if (!renegotiate_seen && -+ (s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) -+ && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ *al = SSL_AD_HANDSHAKE_FAILURE; -+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, -+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); -+ return 0; -+ } -+ - return 1; - } - -diff -up openssl-1.0.0-beta4/ssl/t1_reneg.c.scsv openssl-1.0.0-beta4/ssl/t1_reneg.c ---- openssl-1.0.0-beta4/ssl/t1_reneg.c.scsv 2009-11-09 19:45:42.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/t1_reneg.c 2010-01-07 23:37:39.000000000 +0100 -@@ -130,10 +130,15 @@ int ssl_add_clienthello_renegotiate_ext( - - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); -+#ifdef OPENSSL_RI_DEBUG -+ fprintf(stderr, "%s RI extension sent by client\n", -+ s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); -+#endif - } - - *len=s->s3->previous_client_finished_len + 1; -- -+ -+ - return 1; - } - -@@ -166,7 +171,7 @@ int ssl_parse_clienthello_renegotiate_ex - if(ilen != s->s3->previous_client_finished_len) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); -- *al=SSL_AD_ILLEGAL_PARAMETER; -+ *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - -@@ -174,9 +179,13 @@ int ssl_parse_clienthello_renegotiate_ex - s->s3->previous_client_finished_len)) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); -- *al=SSL_AD_ILLEGAL_PARAMETER; -+ *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } -+#ifdef OPENSSL_RI_DEBUG -+ fprintf(stderr, "%s RI extension received by server\n", -+ ilen ? "Non-empty" : "Empty"); -+#endif - - s->s3->send_connection_binding=1; - -@@ -206,6 +215,10 @@ int ssl_add_serverhello_renegotiate_ext( - - memcpy(p, s->s3->previous_server_finished, - s->s3->previous_server_finished_len); -+#ifdef OPENSSL_RI_DEBUG -+ fprintf(stderr, "%s RI extension sent by server\n", -+ s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); -+#endif - } - - *len=s->s3->previous_client_finished_len -@@ -249,7 +262,7 @@ int ssl_parse_serverhello_renegotiate_ex - if(ilen != expected_len) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); -- *al=SSL_AD_ILLEGAL_PARAMETER; -+ *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - -@@ -257,7 +270,7 @@ int ssl_parse_serverhello_renegotiate_ex - s->s3->previous_client_finished_len)) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); -- *al=SSL_AD_ILLEGAL_PARAMETER; -+ *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - d += s->s3->previous_client_finished_len; -@@ -269,6 +282,11 @@ int ssl_parse_serverhello_renegotiate_ex - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } -+#ifdef OPENSSL_RI_DEBUG -+ fprintf(stderr, "%s RI extension received by client\n", -+ ilen ? "Non-empty" : "Empty"); -+#endif -+ s->s3->send_connection_binding=1; - - return 1; - } diff --git a/openssl-1.0.0-beta4-reneg.patch b/openssl-1.0.0-beta4-reneg.patch deleted file mode 100644 index 92e206d..0000000 --- a/openssl-1.0.0-beta4-reneg.patch +++ /dev/null @@ -1,237 +0,0 @@ -diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c ---- openssl-1.0.0-beta4/apps/s_cb.c.reneg 2009-10-15 20:48:47.000000000 +0200 -+++ openssl-1.0.0-beta4/apps/s_cb.c 2009-11-12 15:02:30.000000000 +0100 -@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c - extname = "server ticket"; - break; - -+ case TLSEXT_TYPE_renegotiate: -+ extname = "renegotiate"; -+ break; -+ - #ifdef TLSEXT_TYPE_opaque_prf_input - case TLSEXT_TYPE_opaque_prf_input: - extname = "opaque PRF input"; -diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c ---- openssl-1.0.0-beta4/apps/s_client.c.reneg 2009-11-12 14:57:48.000000000 +0100 -+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 15:01:48.000000000 +0100 -@@ -343,6 +343,7 @@ static void sc_usage(void) - BIO_printf(bio_err," -status - request certificate status from server\n"); - BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); - #endif -+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); - } - - #ifndef OPENSSL_NO_TLSEXT -@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv) - #endif - else if (strcmp(*argv,"-serverpref") == 0) - off|=SSL_OP_CIPHER_SERVER_PREFERENCE; -+ else if (strcmp(*argv,"-legacy_renegotiation") == 0) -+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; -diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c ---- openssl-1.0.0-beta4/apps/s_server.c.reneg 2009-11-12 14:57:48.000000000 +0100 -+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 15:01:48.000000000 +0100 -@@ -491,6 +491,7 @@ static void sv_usage(void) - BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); - BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); - BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); -+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); - #endif - } - -@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[]) - verify_return_error = 1; - else if (strcmp(*argv,"-serverpref") == 0) - { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } -+ else if (strcmp(*argv,"-legacy_renegotiation") == 0) -+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; -diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h ---- openssl-1.0.0-beta4/ssl/tls1.h.reneg 2009-11-12 14:57:47.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/tls1.h 2009-11-12 15:02:30.000000000 +0100 -@@ -201,6 +201,9 @@ extern "C" { - # define TLSEXT_TYPE_opaque_prf_input ?? */ - #endif - -+/* Temporary extension type */ -+#define TLSEXT_TYPE_renegotiate 0xff01 -+ - /* NameType value from RFC 3546 */ - #define TLSEXT_NAMETYPE_host_name 0 - /* status request value from RFC 3546 */ -diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c ---- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg 2009-11-08 15:36:32.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-12 15:02:30.000000000 +0100 -@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex - ret+=size_str; - } - -+ /* Add the renegotiation option: TODOEKR switch */ -+ { -+ int el; -+ -+ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) -+ { -+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); -+ return NULL; -+ } -+ -+ if((limit - p - 4 - el) < 0) return NULL; -+ -+ s2n(TLSEXT_TYPE_renegotiate,ret); -+ s2n(el,ret); -+ -+ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) -+ { -+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); -+ return NULL; -+ } -+ -+ ret += el; -+ } -+ - #ifndef OPENSSL_NO_EC - if (s->tlsext_ecpointformatlist != NULL) - { -@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex - s2n(TLSEXT_TYPE_server_name,ret); - s2n(0,ret); - } -+ -+ if(s->s3->send_connection_binding) -+ { -+ int el; -+ -+ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) -+ { -+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); -+ return NULL; -+ } -+ -+ if((limit - p - 4 - el) < 0) return NULL; -+ -+ s2n(TLSEXT_TYPE_renegotiate,ret); -+ s2n(el,ret); -+ -+ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) -+ { -+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); -+ return NULL; -+ } -+ -+ ret += el; -+ } -+ - #ifndef OPENSSL_NO_EC - if (s->tlsext_ecpointformatlist != NULL) - { -@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, - unsigned short size; - unsigned short len; - unsigned char *data = *p; -+ int renegotiate_seen = 0; -+ - s->servername_done = 0; - s->tlsext_status_type = -1; -+ s->s3->send_connection_binding = 0; - - if (data >= (d+n-2)) -+ { -+ if (s->new_session -+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ /* We should always see one extension: the renegotiate extension */ -+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ return 0; -+ } - return 1; -+ } - n2s(data,len); - - if (data > (d+n-len)) -@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, - return 0; - } - } -+ else if (type == TLSEXT_TYPE_renegotiate) -+ { -+ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) -+ return 0; -+ renegotiate_seen = 1; -+ } - else if (type == TLSEXT_TYPE_status_request - && s->ctx->tlsext_status_cb) - { -@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, - /* session ticket processed earlier */ - data+=size; - } -+ -+ if (s->new_session && !renegotiate_seen -+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ return 0; -+ } -+ - - *p = data; - return 1; -@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s, - unsigned short size; - unsigned short len; - unsigned char *data = *p; -- - int tlsext_servername = 0; -+ int renegotiate_seen = 0; - - if (data >= (d+n-2)) -+ { -+ /* Because the client does not see any renegotiation during an -+ attack, we must enforce this on all server hellos, even the -+ first */ -+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ /* We should always see one extension: the renegotiate extension */ -+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ return 0; -+ } - return 1; -+ } - - n2s(data,len); - -@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, - /* Set flag to expect CertificateStatus message */ - s->tlsext_status_expected = 1; - } -- -+ else if (type == TLSEXT_TYPE_renegotiate) -+ { -+ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) -+ return 0; -+ renegotiate_seen = 1; -+ } - data+=size; - } - -@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s, - return 0; - } - -+ if (!renegotiate_seen -+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) -+ { -+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ -+ return 0; -+ } -+ - if (!s->hit && tlsext_servername == 1) - { - if (s->tlsext_hostname) diff --git a/openssl-1.0.0-beta4-tls-comp.patch b/openssl-1.0.0-beta4-tls-comp.patch deleted file mode 100644 index d5c25c5..0000000 --- a/openssl-1.0.0-beta4-tls-comp.patch +++ /dev/null @@ -1,193 +0,0 @@ -diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.tls-comp openssl-1.0.0-beta4/ssl/ssl_err.c ---- openssl-1.0.0-beta4/ssl/ssl_err.c.tls-comp 2010-01-07 18:45:46.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2010-01-07 22:46:10.000000000 +0100 -@@ -329,6 +329,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"}, - {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) ,"clienthello tlsext"}, - {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"}, -+{ERR_REASON(SSL_R_COMPRESSION_DISABLED) ,"compression disabled"}, - {ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"}, - {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"}, - {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"}, -@@ -357,8 +358,10 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, - {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, - {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, -+{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"}, - {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, - {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, -+{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"}, - {ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"}, - {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"}, - {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"}, -@@ -421,6 +424,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"}, - {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"}, - {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"}, -+{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"}, - {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"}, - {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"}, - {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"}, -@@ -451,6 +455,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"}, - {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"}, - {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"}, -+{ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING),"required compresssion algorithm missing"}, - {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"}, - {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"}, - {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"}, -diff -up openssl-1.0.0-beta4/ssl/ssl.h.tls-comp openssl-1.0.0-beta4/ssl/ssl.h ---- openssl-1.0.0-beta4/ssl/ssl.h.tls-comp 2010-01-07 18:45:46.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssl.h 2010-01-07 22:47:07.000000000 +0100 -@@ -485,7 +485,7 @@ typedef struct ssl_session_st - long timeout; - long time; - -- int compress_meth; /* Need to lookup the method */ -+ unsigned int compress_meth; /* Need to lookup the method */ - - const SSL_CIPHER *cipher; - unsigned long cipher_id; /* when ASN.1 loaded, this -@@ -2051,6 +2051,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_CIPHER_TABLE_SRC_ERROR 139 - #define SSL_R_CLIENTHELLO_TLSEXT 226 - #define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140 -+#define SSL_R_COMPRESSION_DISABLED 343 - #define SSL_R_COMPRESSION_FAILURE 141 - #define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307 - #define SSL_R_COMPRESSION_LIBRARY_ERROR 142 -@@ -2079,8 +2080,10 @@ void ERR_load_SSL_strings(void); - #define SSL_R_HTTPS_PROXY_REQUEST 155 - #define SSL_R_HTTP_REQUEST 156 - #define SSL_R_ILLEGAL_PADDING 283 -+#define SSL_R_INCONSISTENT_COMPRESSION 340 - #define SSL_R_INVALID_CHALLENGE_LENGTH 158 - #define SSL_R_INVALID_COMMAND 280 -+#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 - #define SSL_R_INVALID_PURPOSE 278 - #define SSL_R_INVALID_STATUS_RESPONSE 328 - #define SSL_R_INVALID_TICKET_KEYS_LENGTH 325 -@@ -2143,6 +2146,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_NULL_SSL_CTX 195 - #define SSL_R_NULL_SSL_METHOD_PASSED 196 - #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 -+#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344 - #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297 - #define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 327 - #define SSL_R_PACKET_LENGTH_TOO_LONG 198 -@@ -2173,6 +2177,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_RENEGOTIATION_ENCODING_ERR 336 - #define SSL_R_RENEGOTIATION_MISMATCH 337 - #define SSL_R_REQUIRED_CIPHER_MISSING 215 -+#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342 - #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 - #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 - #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 -diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.tls-comp openssl-1.0.0-beta4/ssl/s3_clnt.c ---- openssl-1.0.0-beta4/ssl/s3_clnt.c.tls-comp 2010-01-07 17:53:12.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2010-01-07 22:47:07.000000000 +0100 -@@ -895,10 +895,31 @@ int ssl3_get_server_hello(SSL *s) - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); - goto f_err; - } -+ /* If compression is disabled we'd better not try to resume a session -+ * using compression. -+ */ -+ if (s->session->compress_meth != 0) -+ { -+ al=SSL_AD_INTERNAL_ERROR; -+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION); -+ goto f_err; -+ } - #else - j= *(p++); -- if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION)) -+ if (s->hit && j != s->session->compress_meth) -+ { -+ al=SSL_AD_ILLEGAL_PARAMETER; -+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); -+ goto f_err; -+ } -+ if (j == 0) - comp=NULL; -+ else if (s->options & SSL_OP_NO_COMPRESSION) -+ { -+ al=SSL_AD_ILLEGAL_PARAMETER; -+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED); -+ goto f_err; -+ } - else - comp=ssl3_comp_find(s->ctx->comp_methods,j); - -diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.tls-comp openssl-1.0.0-beta4/ssl/s3_srvr.c ---- openssl-1.0.0-beta4/ssl/s3_srvr.c.tls-comp 2010-01-07 17:53:12.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2010-01-07 22:46:10.000000000 +0100 -@@ -1088,7 +1088,50 @@ int ssl3_get_client_hello(SSL *s) - * algorithms from the client, starting at q. */ - s->s3->tmp.new_compression=NULL; - #ifndef OPENSSL_NO_COMP -- if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) -+ /* This only happens if we have a cache hit */ -+ if (s->session->compress_meth != 0) -+ { -+ int m, comp_id = s->session->compress_meth; -+ /* Perform sanity checks on resumed compression algorithm */ -+ /* Can't disable compression */ -+ if (s->options & SSL_OP_NO_COMPRESSION) -+ { -+ al=SSL_AD_INTERNAL_ERROR; -+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION); -+ goto f_err; -+ } -+ /* Look for resumed compression method */ -+ for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) -+ { -+ comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); -+ if (comp_id == comp->id) -+ { -+ s->s3->tmp.new_compression=comp; -+ break; -+ } -+ } -+ if (s->s3->tmp.new_compression == NULL) -+ { -+ al=SSL_AD_INTERNAL_ERROR; -+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM); -+ goto f_err; -+ } -+ /* Look for resumed method in compression list */ -+ for (m = 0; m < i; m++) -+ { -+ if (q[m] == comp_id) -+ break; -+ } -+ if (m >= i) -+ { -+ al=SSL_AD_ILLEGAL_PARAMETER; -+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); -+ goto f_err; -+ } -+ } -+ else if (s->hit) -+ comp = NULL; -+ else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) - { /* See if we have a match */ - int m,nn,o,v,done=0; - -@@ -1112,6 +1155,16 @@ int ssl3_get_client_hello(SSL *s) - else - comp=NULL; - } -+#else -+ /* If compression is disabled we'd better not try to resume a session -+ * using compression. -+ */ -+ if (s->session->compress_meth != 0) -+ { -+ al=SSL_AD_INTERNAL_ERROR; -+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION); -+ goto f_err; -+ } - #endif - - /* Given s->session->ciphers and SSL_get_ciphers, we must diff --git a/openssl-1.0.0-beta4-tlsver.patch b/openssl-1.0.0-beta4-tlsver.patch deleted file mode 100644 index 88282f9..0000000 --- a/openssl-1.0.0-beta4-tlsver.patch +++ /dev/null @@ -1,27 +0,0 @@ -Fix handling of future TLS versions. -diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.tlsver openssl-1.0.0-beta4/ssl/s23_srvr.c ---- openssl-1.0.0-beta4/ssl/s23_srvr.c.tlsver 2010-01-12 22:20:15.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2010-01-13 22:02:47.000000000 +0100 -@@ -315,7 +315,7 @@ int ssl23_get_client_hello(SSL *s) - (p[1] == SSL3_VERSION_MAJOR) && - (p[5] == SSL3_MT_CLIENT_HELLO) && - ((p[3] == 0 && p[4] < 5 /* silly record length? */) -- || (p[9] == p[1]))) -+ || (p[9] >= p[1]))) - { - /* - * SSLv3 or tls1 header -@@ -339,6 +339,13 @@ int ssl23_get_client_hello(SSL *s) - v[1] = TLS1_VERSION_MINOR; - #endif - } -+ /* if major version number > 3 set minor to a value -+ * which will use the highest version 3 we support. -+ * If TLS 2.0 ever appears we will need to revise -+ * this.... -+ */ -+ else if (p[9] > SSL3_VERSION_MAJOR) -+ v[1]=0xff; - else - v[1]=p[10]; /* minor version according to client_version */ - if (v[1] >= TLS1_VERSION_MINOR) diff --git a/openssl-1.0.0-beta3-cipher-change.patch b/openssl-1.0.0-beta5-cipher-change.patch similarity index 61% rename from openssl-1.0.0-beta3-cipher-change.patch rename to openssl-1.0.0-beta5-cipher-change.patch index 8fe7ada..2e8343b 100644 --- a/openssl-1.0.0-beta3-cipher-change.patch +++ b/openssl-1.0.0-beta5-cipher-change.patch @@ -1,16 +1,16 @@ -diff -up openssl-1.0.0-beta3/ssl/ssl.h.cipher-change openssl-1.0.0-beta3/ssl/ssl.h ---- openssl-1.0.0-beta3/ssl/ssl.h.cipher-change 2009-08-05 18:22:45.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-05 18:27:32.000000000 +0200 -@@ -511,7 +511,7 @@ typedef struct ssl_session_st - - #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L +diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h +--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100 ++++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100 +@@ -513,7 +513,7 @@ typedef struct ssl_session_st #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L + /* Allow initial connection to servers that don't support RI */ + #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L -#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L +#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ -@@ -528,7 +528,7 @@ typedef struct ssl_session_st +@@ -530,7 +530,7 @@ typedef struct ssl_session_st /* SSL_OP_ALL: various bug workarounds that should be rather harmless. * This used to be 0x000FFFFFL before 0.9.7. */ diff --git a/openssl-1.0.0-beta4-enginesdir.patch b/openssl-1.0.0-beta5-enginesdir.patch similarity index 63% rename from openssl-1.0.0-beta4-enginesdir.patch rename to openssl-1.0.0-beta5-enginesdir.patch index 0a304ce..d942d6e 100644 --- a/openssl-1.0.0-beta4-enginesdir.patch +++ b/openssl-1.0.0-beta5-enginesdir.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure ---- openssl-1.0.0-beta4/Configure.enginesdir 2009-11-12 12:17:59.000000000 +0100 -+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:19:45.000000000 +0100 +diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure +--- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100 ++++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100 @@ -622,6 +622,7 @@ my $idx_multilib = $idx++; my $prefix=""; my $libdir=""; @@ -20,7 +20,7 @@ diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure elsif (/^--install.prefix=(.*)$/) { $install_prefix=$1; -@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/; +@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/; $openssldir=$prefix . "/ssl" if $openssldir eq ""; $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; @@ -29,18 +29,18 @@ diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure print "IsMK1MF=$IsMK1MF\n"; -@@ -1676,7 +1681,7 @@ while () - # $foo is to become "$prefix/lib$multilib/engines"; - # as Makefile.org and engines/Makefile are adapted for - # $multilib suffix. -- my $foo = "$prefix/lib/engines"; +@@ -1673,7 +1678,7 @@ while () + } + elsif (/^#define\s+ENGINESDIR/) + { +- my $foo = "$prefix/$libdir/engines"; + my $foo = "$enginesdir"; $foo =~ s/\\/\\\\/g; print OUT "#define ENGINESDIR \"$foo\"\n"; } -diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile ---- openssl-1.0.0-beta4/engines/Makefile.enginesdir 2009-11-10 02:52:52.000000000 +0100 -+++ openssl-1.0.0-beta4/engines/Makefile 2009-11-12 12:23:06.000000000 +0100 +diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile +--- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100 ++++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100 @@ -124,7 +124,7 @@ install: sfx=".so"; \ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \ diff --git a/openssl-1.0.0-beta4-fips.patch b/openssl-1.0.0-beta5-fips.patch similarity index 91% rename from openssl-1.0.0-beta4-fips.patch rename to openssl-1.0.0-beta5-fips.patch index 41b3d1f..e70542d 100644 --- a/openssl-1.0.0-beta4-fips.patch +++ b/openssl-1.0.0-beta5-fips.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.0.0-beta4/Configure.fips openssl-1.0.0-beta4/Configure ---- openssl-1.0.0-beta4/Configure.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/Configure 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/Configure.fips openssl-1.0.0-beta5/Configure +--- openssl-1.0.0-beta5/Configure.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/Configure 2010-01-20 18:13:46.000000000 +0100 @@ -660,6 +660,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml my $processor=""; my $default_ranlib; @@ -43,9 +43,9 @@ diff -up openssl-1.0.0-beta4/Configure.fips openssl-1.0.0-beta4/Configure s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff -up openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta4/crypto/bf/bf_skey.c ---- openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bf/bf_skey.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta5/crypto/bf/bf_skey.c +--- openssl-1.0.0-beta5/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/bf/bf_skey.c 2010-01-20 18:13:46.000000000 +0100 @@ -59,10 +59,15 @@ #include #include @@ -63,9 +63,9 @@ diff -up openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta4/crypto { int i; BF_LONG *p,ri,in[2]; -diff -up openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips openssl-1.0.0-beta4/crypto/bf/blowfish.h ---- openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bf/blowfish.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/bf/blowfish.h.fips openssl-1.0.0-beta5/crypto/bf/blowfish.h +--- openssl-1.0.0-beta5/crypto/bf/blowfish.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/bf/blowfish.h 2010-01-20 18:13:46.000000000 +0100 @@ -104,7 +104,9 @@ typedef struct bf_key_st BF_LONG S[4*256]; } BF_KEY; @@ -77,9 +77,9 @@ diff -up openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips openssl-1.0.0-beta4/crypt void BF_set_key(BF_KEY *key, int len, const unsigned char *data); void BF_encrypt(BF_LONG *data,const BF_KEY *key); -diff -up openssl-1.0.0-beta4/crypto/bn/bn.h.fips openssl-1.0.0-beta4/crypto/bn/bn.h ---- openssl-1.0.0-beta4/crypto/bn/bn.h.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/bn.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/bn/bn.h.fips openssl-1.0.0-beta5/crypto/bn/bn.h +--- openssl-1.0.0-beta5/crypto/bn/bn.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/bn/bn.h 2010-01-20 18:13:46.000000000 +0100 @@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); @@ -98,9 +98,9 @@ diff -up openssl-1.0.0-beta4/crypto/bn/bn.h.fips openssl-1.0.0-beta4/crypto/bn/b BN_MONT_CTX *BN_MONT_CTX_new(void ); void BN_MONT_CTX_init(BN_MONT_CTX *ctx); int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b, -diff -up /dev/null openssl-1.0.0-beta4/crypto/bn/bn_x931p.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/bn_x931p.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/bn/bn_x931p.c.fips openssl-1.0.0-beta5/crypto/bn/bn_x931p.c +--- openssl-1.0.0-beta5/crypto/bn/bn_x931p.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/bn/bn_x931p.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,272 @@ +/* bn_x931p.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -374,9 +374,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/bn/bn_x931p.c + + } + -diff -up openssl-1.0.0-beta4/crypto/bn/Makefile.fips openssl-1.0.0-beta4/crypto/bn/Makefile ---- openssl-1.0.0-beta4/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/bn/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/bn/Makefile.fips openssl-1.0.0-beta5/crypto/bn/Makefile +--- openssl-1.0.0-beta5/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/bn/Makefile 2010-01-20 18:13:46.000000000 +0100 @@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_li bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ @@ -393,9 +393,9 @@ diff -up openssl-1.0.0-beta4/crypto/bn/Makefile.fips openssl-1.0.0-beta4/crypto/ SRC= $(LIBSRC) -diff -up openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl ---- openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta5/crypto/camellia/asm/cmll-x86.pl +--- openssl-1.0.0-beta5/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/camellia/asm/cmll-x86.pl 2010-01-20 18:13:46.000000000 +0100 @@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0; } &function_end("Camellia_Ekeygen"); @@ -422,9 +422,9 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0- } @SBOX=( -diff -up openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips openssl-1.0.0-beta4/crypto/camellia/camellia.h ---- openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/camellia.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/camellia/camellia.h.fips openssl-1.0.0-beta5/crypto/camellia/camellia.h +--- openssl-1.0.0-beta5/crypto/camellia/camellia.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/camellia/camellia.h 2010-01-20 18:13:46.000000000 +0100 @@ -88,6 +88,11 @@ struct camellia_key_st }; typedef struct camellia_key_st CAMELLIA_KEY; @@ -437,9 +437,9 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips openssl-1.0.0-beta4 int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key); -diff -up /dev/null openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0-beta5/crypto/camellia/cmll_fblk.c +--- openssl-1.0.0-beta5/crypto/camellia/cmll_fblk.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/camellia/cmll_fblk.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,68 @@ +/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* ==================================================================== @@ -509,9 +509,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c + return private_Camellia_set_key(userKey, bits, key); + } +#endif -diff -up openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c ---- openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta5/crypto/camellia/cmll_misc.c +--- openssl-1.0.0-beta5/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/camellia/cmll_misc.c 2010-01-20 18:13:46.000000000 +0100 @@ -52,11 +52,20 @@ #include #include @@ -533,9 +533,9 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta { if(!userKey || !key) return -1; -diff -up openssl-1.0.0-beta4/crypto/camellia/Makefile.fips openssl-1.0.0-beta4/crypto/camellia/Makefile ---- openssl-1.0.0-beta4/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/camellia/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/camellia/Makefile.fips openssl-1.0.0-beta5/crypto/camellia/Makefile +--- openssl-1.0.0-beta5/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/camellia/Makefile 2010-01-20 18:13:46.000000000 +0100 @@ -23,9 +23,9 @@ APPS= LIB=$(TOP)/libcrypto.a @@ -548,9 +548,9 @@ diff -up openssl-1.0.0-beta4/crypto/camellia/Makefile.fips openssl-1.0.0-beta4/c SRC= $(LIBSRC) -diff -up openssl-1.0.0-beta4/crypto/cast/cast.h.fips openssl-1.0.0-beta4/crypto/cast/cast.h ---- openssl-1.0.0-beta4/crypto/cast/cast.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/cast/cast.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/cast/cast.h.fips openssl-1.0.0-beta5/crypto/cast/cast.h +--- openssl-1.0.0-beta5/crypto/cast/cast.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/cast/cast.h 2010-01-20 18:14:46.000000000 +0100 @@ -83,7 +83,9 @@ typedef struct cast_key_st int short_key; /* Use reduced rounds for short key */ } CAST_KEY; @@ -560,11 +560,11 @@ diff -up openssl-1.0.0-beta4/crypto/cast/cast.h.fips openssl-1.0.0-beta4/crypto/ +void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); +#endif void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); - void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key, + void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key, int enc); -diff -up openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips openssl-1.0.0-beta4/crypto/cast/c_skey.c ---- openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/cast/c_skey.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/cast/c_skey.c.fips openssl-1.0.0-beta5/crypto/cast/c_skey.c +--- openssl-1.0.0-beta5/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/cast/c_skey.c 2010-01-20 18:13:46.000000000 +0100 @@ -57,6 +57,11 @@ */ @@ -586,9 +586,9 @@ diff -up openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips openssl-1.0.0-beta4/crypt { CAST_LONG x[16]; CAST_LONG z[16]; -diff -up openssl-1.0.0-beta4/crypto/crypto.h.fips openssl-1.0.0-beta4/crypto/crypto.h ---- openssl-1.0.0-beta4/crypto/crypto.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/crypto.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/crypto.h.fips openssl-1.0.0-beta5/crypto/crypto.h +--- openssl-1.0.0-beta5/crypto/crypto.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/crypto.h 2010-01-20 18:13:46.000000000 +0100 @@ -546,12 +546,69 @@ void OpenSSLDie(const char *file,int lin unsigned long *OPENSSL_ia32cap_loc(void); #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) @@ -659,9 +659,9 @@ diff -up openssl-1.0.0-beta4/crypto/crypto.h.fips openssl-1.0.0-beta4/crypto/cry /* Error codes for the CRYPTO functions. */ /* Function codes. */ -diff -up openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips openssl-1.0.0-beta4/crypto/dh/dh_err.c ---- openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dh/dh_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/dh/dh_err.c.fips openssl-1.0.0-beta5/crypto/dh/dh_err.c +--- openssl-1.0.0-beta5/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/dh/dh_err.c 2010-01-20 18:13:46.000000000 +0100 @@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]= {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"}, {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, @@ -679,9 +679,9 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips openssl-1.0.0-beta4/crypto/ {ERR_REASON(DH_R_KEYS_NOT_SET) ,"keys not set"}, {ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"}, -diff -up openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta4/crypto/dh/dh_gen.c ---- openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dh/dh_gen.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta5/crypto/dh/dh_gen.c +--- openssl-1.0.0-beta5/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/dh/dh_gen.c 2010-01-20 18:13:46.000000000 +0100 @@ -65,6 +65,10 @@ #include "cryptlib.h" #include @@ -714,9 +714,9 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta4/crypto/ ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); -diff -up openssl-1.0.0-beta4/crypto/dh/dh.h.fips openssl-1.0.0-beta4/crypto/dh/dh.h ---- openssl-1.0.0-beta4/crypto/dh/dh.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dh/dh.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/dh/dh.h.fips openssl-1.0.0-beta5/crypto/dh/dh.h +--- openssl-1.0.0-beta5/crypto/dh/dh.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/dh/dh.h 2010-01-20 18:13:46.000000000 +0100 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 #endif @@ -743,9 +743,9 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh.h.fips openssl-1.0.0-beta4/crypto/dh/d #ifdef __cplusplus } -diff -up openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips openssl-1.0.0-beta4/crypto/dh/dh_key.c ---- openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dh/dh_key.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/dh/dh_key.c.fips openssl-1.0.0-beta5/crypto/dh/dh_key.c +--- openssl-1.0.0-beta5/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/dh/dh_key.c 2010-01-20 18:13:46.000000000 +0100 @@ -61,6 +61,9 @@ #include #include @@ -795,9 +795,9 @@ diff -up openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips openssl-1.0.0-beta4/crypto/ dh->flags |= DH_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c ---- openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta5/crypto/dsa/dsa_gen.c +--- openssl-1.0.0-beta5/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/dsa/dsa_gen.c 2010-01-20 18:13:46.000000000 +0100 @@ -77,8 +77,12 @@ #include "cryptlib.h" #include @@ -833,9 +833,9 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta4/crypt if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && qsize != SHA256_DIGEST_LENGTH) /* invalid q size */ -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips openssl-1.0.0-beta4/crypto/dsa/dsa.h ---- openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/dsa/dsa.h.fips openssl-1.0.0-beta5/crypto/dsa/dsa.h +--- openssl-1.0.0-beta5/crypto/dsa/dsa.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/dsa/dsa.h 2010-01-20 18:13:46.000000000 +0100 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif @@ -892,9 +892,9 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips openssl-1.0.0-beta4/crypto/ds #define DSA_R_PARAMETER_ENCODING_ERROR 105 #ifdef __cplusplus -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c ---- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta5/crypto/dsa/dsa_key.c +--- openssl-1.0.0-beta5/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/dsa/dsa_key.c 2010-01-20 18:13:46.000000000 +0100 @@ -63,9 +63,55 @@ #include #include @@ -982,9 +982,9 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypt ok=1; err: -diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c ---- openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta5/crypto/dsa/dsa_ossl.c +--- openssl-1.0.0-beta5/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/dsa/dsa_ossl.c 2010-01-20 18:13:46.000000000 +0100 @@ -65,6 +65,9 @@ #include #include @@ -1056,9 +1056,9 @@ diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta4/cryp dsa->flags|=DSA_FLAG_CACHE_MONT_P; return(1); } -diff -up openssl-1.0.0-beta4/crypto/err/err_all.c.fips openssl-1.0.0-beta4/crypto/err/err_all.c ---- openssl-1.0.0-beta4/crypto/err/err_all.c.fips 2009-08-09 16:58:05.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/err/err_all.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/err/err_all.c.fips openssl-1.0.0-beta5/crypto/err/err_all.c +--- openssl-1.0.0-beta5/crypto/err/err_all.c.fips 2009-08-09 16:58:05.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/err/err_all.c 2010-01-20 18:13:46.000000000 +0100 @@ -96,6 +96,9 @@ #include #include @@ -1079,9 +1079,9 @@ diff -up openssl-1.0.0-beta4/crypto/err/err_all.c.fips openssl-1.0.0-beta4/crypt #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif -diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto/evp/digest.c ---- openssl-1.0.0-beta4/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/digest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/digest.c.fips openssl-1.0.0-beta5/crypto/evp/digest.c +--- openssl-1.0.0-beta5/crypto/evp/digest.c.fips 2009-12-09 16:02:14.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/digest.c 2010-01-20 18:13:46.000000000 +0100 @@ -116,6 +116,7 @@ #ifndef OPENSSL_NO_ENGINE #include @@ -1090,7 +1090,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto void EVP_MD_CTX_init(EVP_MD_CTX *ctx) { -@@ -137,9 +138,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons +@@ -138,9 +139,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons return EVP_DigestInit_ex(ctx, type, NULL); } @@ -1141,7 +1141,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto #ifndef OPENSSL_NO_ENGINE /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts * so this context may already have an ENGINE! Try to avoid releasing -@@ -195,6 +237,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c +@@ -196,6 +238,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c #endif if (ctx->digest != type) { @@ -1160,7 +1160,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto if (ctx->digest && ctx->digest->ctx_size) OPENSSL_free(ctx->md_data); ctx->digest=type; -@@ -222,6 +276,9 @@ skip_to_init: +@@ -229,6 +283,9 @@ skip_to_init: int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { @@ -1170,7 +1170,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto return ctx->update(ctx,data,count); } -@@ -238,6 +295,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns +@@ -245,6 +302,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { int ret; @@ -1180,9 +1180,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); -diff -up openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips openssl-1.0.0-beta4/crypto/evp/e_aes.c ---- openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_aes.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/e_aes.c.fips openssl-1.0.0-beta5/crypto/evp/e_aes.c +--- openssl-1.0.0-beta5/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/e_aes.c 2010-01-20 18:13:46.000000000 +0100 @@ -69,32 +69,29 @@ typedef struct IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, @@ -1235,9 +1235,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips openssl-1.0.0-beta4/crypto/ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -diff -up openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta4/crypto/evp/e_camellia.c ---- openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/e_camellia.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta5/crypto/evp/e_camellia.c +--- openssl-1.0.0-beta5/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/evp/e_camellia.c 2010-01-20 18:13:46.000000000 +0100 @@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks, EVP_CIPHER_get_asn1_iv, NULL) @@ -1247,9 +1247,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta4/cr IMPLEMENT_CAMELLIA_CFBR(128,1) IMPLEMENT_CAMELLIA_CFBR(192,1) -diff -up openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips openssl-1.0.0-beta4/crypto/evp/e_des3.c ---- openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_des3.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/e_des3.c.fips openssl-1.0.0-beta5/crypto/evp/e_des3.c +--- openssl-1.0.0-beta5/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/e_des3.c 2010-01-20 18:13:46.000000000 +0100 @@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH } @@ -1294,9 +1294,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips openssl-1.0.0-beta4/crypto des3_ctrl) static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, -diff -up openssl-1.0.0-beta4/crypto/evp/e_null.c.fips openssl-1.0.0-beta4/crypto/evp/e_null.c ---- openssl-1.0.0-beta4/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/e_null.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/e_null.c.fips openssl-1.0.0-beta5/crypto/evp/e_null.c +--- openssl-1.0.0-beta5/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/e_null.c 2010-01-20 18:13:46.000000000 +0100 @@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher= { NID_undef, @@ -1306,9 +1306,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/e_null.c.fips openssl-1.0.0-beta4/crypto null_init_key, null_cipher, NULL, -diff -up openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta4/crypto/evp/evp_enc.c ---- openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_enc.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta5/crypto/evp/evp_enc.c +--- openssl-1.0.0-beta5/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/evp_enc.c 2010-01-20 18:13:46.000000000 +0100 @@ -68,8 +68,53 @@ const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; @@ -1401,9 +1401,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta4/crypt if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if(!ctx->cipher->init(ctx,key,iv,enc)) return 0; } -diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips openssl-1.0.0-beta4/crypto/evp/evp_err.c ---- openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/evp_err.c.fips openssl-1.0.0-beta5/crypto/evp/evp_err.c +--- openssl-1.0.0-beta5/crypto/evp/evp_err.c.fips 2009-12-17 16:28:44.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/evp_err.c 2010-01-20 18:13:46.000000000 +0100 @@ -154,6 +154,7 @@ static ERR_STRING_DATA EVP_str_reasons[] {ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"}, {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"}, @@ -1412,9 +1412,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips openssl-1.0.0-beta4/crypt {ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, -diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/evp/evp.h ---- openssl-1.0.0-beta4/crypto/evp/evp.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/evp.h.fips openssl-1.0.0-beta5/crypto/evp/evp.h +--- openssl-1.0.0-beta5/crypto/evp/evp.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/evp.h 2010-01-20 18:13:46.000000000 +0100 @@ -75,6 +75,10 @@ #include #endif @@ -1491,9 +1491,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/ev #define EVP_R_ENCODE_ERROR 115 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 -diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypto/evp/evp_lib.c ---- openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/evp_lib.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta5/crypto/evp/evp_lib.c +--- openssl-1.0.0-beta5/crypto/evp/evp_lib.c.fips 2009-12-25 15:12:24.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/evp_lib.c 2010-01-20 18:13:46.000000000 +0100 @@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_ if (c->cipher->set_asn1_parameters != NULL) @@ -1512,7 +1512,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypt else ret=-1; return(ret); -@@ -180,6 +184,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ +@@ -186,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { @@ -1522,7 +1522,7 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypt return ctx->cipher->do_cipher(ctx,out,in,inl); } -@@ -289,3 +296,18 @@ int EVP_MD_CTX_test_flags(const EVP_MD_C +@@ -295,3 +302,18 @@ int EVP_MD_CTX_test_flags(const EVP_MD_C { return (ctx->flags & flags); } @@ -1541,9 +1541,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypt + { + return (ctx->flags & flags); + } -diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/crypto/evp/evp_locl.h ---- openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/evp_locl.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta5/crypto/evp/evp_locl.h +--- openssl-1.0.0-beta5/crypto/evp/evp_locl.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/evp_locl.h 2010-01-20 18:13:46.000000000 +0100 @@ -111,11 +111,11 @@ static int cname##_cbc_cipher(EVP_CIPHER static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ {\ @@ -1593,9 +1593,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/cryp struct evp_pkey_ctx_st { -diff -up openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss.c ---- openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/m_dss.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/m_dss.c.fips openssl-1.0.0-beta5/crypto/evp/m_dss.c +--- openssl-1.0.0-beta5/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/evp/m_dss.c 2010-01-20 18:13:46.000000000 +0100 @@ -81,7 +81,7 @@ static const EVP_MD dsa_md= NID_dsaWithSHA, NID_dsaWithSHA, @@ -1605,9 +1605,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips openssl-1.0.0-beta4/crypto/ init, update, final, -diff -up openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss1.c ---- openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/m_dss1.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta5/crypto/evp/m_dss1.c +--- openssl-1.0.0-beta5/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/evp/m_dss1.c 2010-01-20 18:13:46.000000000 +0100 @@ -82,7 +82,7 @@ static const EVP_MD dss1_md= NID_dsa, NID_dsaWithSHA1, @@ -1617,9 +1617,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta4/crypto init, update, final, -diff -up openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta4/crypto/evp/m_sha1.c ---- openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/m_sha1.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta5/crypto/evp/m_sha1.c +--- openssl-1.0.0-beta5/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/m_sha1.c 2010-01-20 18:13:46.000000000 +0100 @@ -82,7 +82,8 @@ static const EVP_MD sha1_md= NID_sha1, NID_sha1WithRSAEncryption, @@ -1670,9 +1670,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta4/crypto init512, update512, final512, -diff -up openssl-1.0.0-beta4/crypto/evp/names.c.fips openssl-1.0.0-beta4/crypto/evp/names.c ---- openssl-1.0.0-beta4/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/names.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/names.c.fips openssl-1.0.0-beta5/crypto/evp/names.c +--- openssl-1.0.0-beta5/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/evp/names.c 2010-01-20 18:13:46.000000000 +0100 @@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c) { int r; @@ -1695,9 +1695,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/names.c.fips openssl-1.0.0-beta4/crypto/ name=OBJ_nid2sn(md->type); r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md); if (r == 0) return(0); -diff -up openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips openssl-1.0.0-beta4/crypto/evp/p_sign.c ---- openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips 2006-05-24 15:29:30.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/evp/p_sign.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/p_sign.c.fips openssl-1.0.0-beta5/crypto/evp/p_sign.c +--- openssl-1.0.0-beta5/crypto/evp/p_sign.c.fips 2006-05-24 15:29:30.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/evp/p_sign.c 2010-01-20 18:13:46.000000000 +0100 @@ -61,6 +61,7 @@ #include #include @@ -1729,9 +1729,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips openssl-1.0.0-beta4/crypto if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; *siglen = sltmp; -diff -up openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips openssl-1.0.0-beta4/crypto/evp/p_verify.c ---- openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips 2008-11-12 04:58:01.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/evp/p_verify.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/evp/p_verify.c.fips openssl-1.0.0-beta5/crypto/evp/p_verify.c +--- openssl-1.0.0-beta5/crypto/evp/p_verify.c.fips 2008-11-12 04:58:01.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/evp/p_verify.c 2010-01-20 18:13:46.000000000 +0100 @@ -61,6 +61,7 @@ #include #include @@ -1763,9 +1763,9 @@ diff -up openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips openssl-1.0.0-beta4/cryp i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: EVP_PKEY_CTX_free(pkctx); -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_aesavs.c +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_aesavs.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_aesavs.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,939 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -2706,9 +2706,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_desmovs.c +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_desmovs.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_desmovs.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,702 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -3412,9 +3412,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_dssvs.c +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_dssvs.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_dssvs.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,537 @@ +#include + @@ -3953,9 +3953,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_rngvs.c +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_rngvs.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_rngvs.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,230 @@ +/* + * Crude test driver for processing the VST and MCT testvector files @@ -4187,9 +4187,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c + return 0; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsagtest.c +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsagtest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsagtest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,390 @@ +/* fips_rsagtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4581,9 +4581,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsastest.c +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsastest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsastest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,370 @@ +/* fips_rsastest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4955,9 +4955,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsavtest.c +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsavtest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_rsavtest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,377 @@ +/* fips_rsavtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5336,9 +5336,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_shatest.c +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_shatest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_shatest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,388 @@ +/* fips_shatest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5728,9 +5728,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.0-beta5/crypto/fips/cavs/fips_utl.h +--- openssl-1.0.0-beta5/crypto/fips/cavs/fips_utl.h.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/cavs/fips_utl.h 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,343 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -6075,9 +6075,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h +#endif + } + -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips_err.c.fips openssl-1.0.0-beta5/crypto/fips_err.c +--- openssl-1.0.0-beta5/crypto/fips_err.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips_err.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,7 @@ +#include + @@ -6086,9 +6086,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.c +#else +static void *dummy=&dummy; +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_err.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips_err.h.fips openssl-1.0.0-beta5/crypto/fips_err.h +--- openssl-1.0.0-beta5/crypto/fips_err.h.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips_err.h 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,137 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -6227,9 +6227,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.h + } +#endif + } -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.0-beta5/crypto/fips/fips_aes_selftest.c +--- openssl-1.0.0-beta5/crypto/fips/fips_aes_selftest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_aes_selftest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,103 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6334,9 +6334,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips.c.fips openssl-1.0.0-beta5/crypto/fips/fips.c +--- openssl-1.0.0-beta5/crypto/fips/fips.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,419 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6757,9 +6757,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.c + + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_des_selftest.c.fips openssl-1.0.0-beta5/crypto/fips/fips_des_selftest.c +--- openssl-1.0.0-beta5/crypto/fips/fips_des_selftest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_des_selftest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,139 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6900,9 +6900,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.0-beta5/crypto/fips/fips_dsa_selftest.c +--- openssl-1.0.0-beta5/crypto/fips/fips_dsa_selftest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_dsa_selftest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,186 @@ +/* crypto/dsa/dsatest.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -7090,9 +7090,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c + return ret; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips.h.fips openssl-1.0.0-beta5/crypto/fips/fips.h +--- openssl-1.0.0-beta5/crypto/fips/fips.h.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips.h 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7257,9 +7257,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.h +} +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.0-beta5/crypto/fips/fips_hmac_selftest.c +--- openssl-1.0.0-beta5/crypto/fips/fips_hmac_selftest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_hmac_selftest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,137 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -7398,9 +7398,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c + return 1; + } +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_rand.c.fips openssl-1.0.0-beta5/crypto/fips/fips_rand.c +--- openssl-1.0.0-beta5/crypto/fips/fips_rand.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_rand.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,412 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -7814,9 +7814,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c +} + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_rand.h.fips openssl-1.0.0-beta5/crypto/fips/fips_rand.h +--- openssl-1.0.0-beta5/crypto/fips/fips_rand.h.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_rand.h 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,77 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7895,9 +7895,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.h +#endif +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.0-beta5/crypto/fips/fips_rand_selftest.c +--- openssl-1.0.0-beta5/crypto/fips/fips_rand_selftest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_rand_selftest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,373 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -8272,9 +8272,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_randtest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_randtest.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_randtest.c.fips openssl-1.0.0-beta5/crypto/fips/fips_randtest.c +--- openssl-1.0.0-beta5/crypto/fips/fips_randtest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_randtest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,248 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -8524,9 +8524,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_randtest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.0-beta5/crypto/fips/fips_rsa_selftest.c +--- openssl-1.0.0-beta5/crypto/fips/fips_rsa_selftest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_rsa_selftest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,441 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -8969,9 +8969,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c + } + +#endif /* def OPENSSL_FIPS */ -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.0-beta5/crypto/fips/fips_rsa_x931g.c +--- openssl-1.0.0-beta5/crypto/fips/fips_rsa_x931g.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_rsa_x931g.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,281 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -9254,9 +9254,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c + return 0; + + } -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_sha1_selftest.c.fips openssl-1.0.0-beta5/crypto/fips/fips_sha1_selftest.c +--- openssl-1.0.0-beta5/crypto/fips/fips_sha1_selftest.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_sha1_selftest.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,99 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9357,9 +9357,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_standalone_sha1.c.fips openssl-1.0.0-beta5/crypto/fips/fips_standalone_sha1.c +--- openssl-1.0.0-beta5/crypto/fips/fips_standalone_sha1.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_standalone_sha1.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,173 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9534,9 +9534,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c + } + + -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/fips_test_suite.c.fips openssl-1.0.0-beta5/crypto/fips/fips_test_suite.c +--- openssl-1.0.0-beta5/crypto/fips/fips_test_suite.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/fips_test_suite.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,588 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10126,9 +10126,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c + } + +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_locl.h ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips_locl.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips_locl.h.fips openssl-1.0.0-beta5/crypto/fips_locl.h +--- openssl-1.0.0-beta5/crypto/fips_locl.h.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips_locl.h 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,72 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10202,9 +10202,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_locl.h +} +#endif +#endif -diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/Makefile ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/fips/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/fips/Makefile.fips openssl-1.0.0-beta5/crypto/fips/Makefile +--- openssl-1.0.0-beta5/crypto/fips/Makefile.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/fips/Makefile 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,81 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -10287,9 +10287,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/Makefile + +# DO NOT DELETE THIS LINE -- make depend depends on it. + -diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips openssl-1.0.0-beta4/crypto/hmac/hmac.c ---- openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/hmac/hmac.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/hmac/hmac.c.fips openssl-1.0.0-beta5/crypto/hmac/hmac.c +--- openssl-1.0.0-beta5/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/hmac/hmac.c 2010-01-20 18:13:46.000000000 +0100 @@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo if (key != NULL) @@ -10315,9 +10315,9 @@ diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips openssl-1.0.0-beta4/crypto/ + EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); + } + -diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips openssl-1.0.0-beta4/crypto/hmac/hmac.h ---- openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/hmac/hmac.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/hmac/hmac.h.fips openssl-1.0.0-beta5/crypto/hmac/hmac.h +--- openssl-1.0.0-beta5/crypto/hmac/hmac.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/hmac/hmac.h 2010-01-20 18:13:46.000000000 +0100 @@ -101,6 +101,7 @@ unsigned char *HMAC(const EVP_MD *evp_md unsigned int *md_len); int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); @@ -10326,9 +10326,9 @@ diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips openssl-1.0.0-beta4/crypto/ #ifdef __cplusplus } -diff -up openssl-1.0.0-beta4/crypto/Makefile.fips openssl-1.0.0-beta4/crypto/Makefile ---- openssl-1.0.0-beta4/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/Makefile.fips openssl-1.0.0-beta5/crypto/Makefile +--- openssl-1.0.0-beta5/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/Makefile 2010-01-20 18:13:46.000000000 +0100 @@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i LIB= $(TOP)/libcrypto.a @@ -10347,9 +10347,9 @@ diff -up openssl-1.0.0-beta4/crypto/Makefile.fips openssl-1.0.0-beta4/crypto/Mak ALL= $(GENERAL) $(SRC) $(HEADER) -diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta5/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.0-beta5/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/mdc2/mdc2dgst.c 2010-01-20 18:13:46.000000000 +0100 @@ -61,6 +61,11 @@ #include #include @@ -10371,9 +10371,9 @@ diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta4/cry { c->num=0; c->pad_type=1; -diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2.h ---- openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/mdc2/mdc2.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta5/crypto/mdc2/mdc2.h +--- openssl-1.0.0-beta5/crypto/mdc2/mdc2.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/mdc2/mdc2.h 2010-01-20 18:13:46.000000000 +0100 @@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st int pad_type; /* either 1 or 2, default 1 */ } MDC2_CTX; @@ -10385,9 +10385,9 @@ diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta4/crypto/ int MDC2_Init(MDC2_CTX *c); int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); int MDC2_Final(unsigned char *md, MDC2_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta4/crypto/md2/md2_dgst.c ---- openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/md2/md2_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta5/crypto/md2/md2_dgst.c +--- openssl-1.0.0-beta5/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/md2/md2_dgst.c 2010-01-20 18:13:46.000000000 +0100 @@ -62,6 +62,11 @@ #include #include @@ -10409,9 +10409,9 @@ diff -up openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta4/cryp { c->num=0; memset(c->state,0,sizeof c->state); -diff -up openssl-1.0.0-beta4/crypto/md2/md2.h.fips openssl-1.0.0-beta4/crypto/md2/md2.h ---- openssl-1.0.0-beta4/crypto/md2/md2.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md2/md2.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/md2/md2.h.fips openssl-1.0.0-beta5/crypto/md2/md2.h +--- openssl-1.0.0-beta5/crypto/md2/md2.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/md2/md2.h 2010-01-20 18:13:46.000000000 +0100 @@ -81,6 +81,9 @@ typedef struct MD2state_st } MD2_CTX; @@ -10422,9 +10422,9 @@ diff -up openssl-1.0.0-beta4/crypto/md2/md2.h.fips openssl-1.0.0-beta4/crypto/md int MD2_Init(MD2_CTX *c); int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); int MD2_Final(unsigned char *md, MD2_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta4/crypto/md4/md4_dgst.c ---- openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md4/md4_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta5/crypto/md4/md4_dgst.c +--- openssl-1.0.0-beta5/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/md4/md4_dgst.c 2010-01-20 18:13:46.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "md4_locl.h" @@ -10446,9 +10446,9 @@ diff -up openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta4/cryp { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.0-beta4/crypto/md4/md4.h.fips openssl-1.0.0-beta4/crypto/md4/md4.h ---- openssl-1.0.0-beta4/crypto/md4/md4.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md4/md4.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/md4/md4.h.fips openssl-1.0.0-beta5/crypto/md4/md4.h +--- openssl-1.0.0-beta5/crypto/md4/md4.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/md4/md4.h 2010-01-20 18:13:46.000000000 +0100 @@ -105,6 +105,9 @@ typedef struct MD4state_st unsigned int num; } MD4_CTX; @@ -10459,9 +10459,9 @@ diff -up openssl-1.0.0-beta4/crypto/md4/md4.h.fips openssl-1.0.0-beta4/crypto/md int MD4_Init(MD4_CTX *c); int MD4_Update(MD4_CTX *c, const void *data, size_t len); int MD4_Final(unsigned char *md, MD4_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta4/crypto/md5/md5_dgst.c ---- openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md5/md5_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta5/crypto/md5/md5_dgst.c +--- openssl-1.0.0-beta5/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/md5/md5_dgst.c 2010-01-20 18:13:46.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "md5_locl.h" @@ -10483,9 +10483,9 @@ diff -up openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta4/cryp { memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; -diff -up openssl-1.0.0-beta4/crypto/md5/md5.h.fips openssl-1.0.0-beta4/crypto/md5/md5.h ---- openssl-1.0.0-beta4/crypto/md5/md5.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/md5/md5.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/md5/md5.h.fips openssl-1.0.0-beta5/crypto/md5/md5.h +--- openssl-1.0.0-beta5/crypto/md5/md5.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/md5/md5.h 2010-01-20 18:13:46.000000000 +0100 @@ -105,6 +105,9 @@ typedef struct MD5state_st unsigned int num; } MD5_CTX; @@ -10496,9 +10496,9 @@ diff -up openssl-1.0.0-beta4/crypto/md5/md5.h.fips openssl-1.0.0-beta4/crypto/md int MD5_Init(MD5_CTX *c); int MD5_Update(MD5_CTX *c, const void *data, size_t len); int MD5_Final(unsigned char *md, MD5_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/mem.c.fips openssl-1.0.0-beta4/crypto/mem.c ---- openssl-1.0.0-beta4/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/mem.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/mem.c.fips openssl-1.0.0-beta5/crypto/mem.c +--- openssl-1.0.0-beta5/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/mem.c 2010-01-20 18:13:46.000000000 +0100 @@ -101,7 +101,7 @@ static void (*free_locked_func)(void *) /* may be changed as long as 'allow_customize_debug' is set */ @@ -10508,9 +10508,9 @@ diff -up openssl-1.0.0-beta4/crypto/mem.c.fips openssl-1.0.0-beta4/crypto/mem.c /* use default functions from mem_dbg.c */ static void (*malloc_debug_func)(void *,int,const char *,int,int) = CRYPTO_dbg_malloc; -diff -up /dev/null openssl-1.0.0-beta4/crypto/o_init.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/o_init.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/o_init.c.fips openssl-1.0.0-beta5/crypto/o_init.c +--- openssl-1.0.0-beta5/crypto/o_init.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/o_init.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,80 @@ +/* o_init.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10592,9 +10592,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/o_init.c + } + + -diff -up openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips openssl-1.0.0-beta4/crypto/opensslconf.h.in ---- openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/opensslconf.h.in 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/opensslconf.h.in.fips openssl-1.0.0-beta5/crypto/opensslconf.h.in +--- openssl-1.0.0-beta5/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/opensslconf.h.in 2010-01-20 18:13:46.000000000 +0100 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -10616,9 +10616,9 @@ diff -up openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips openssl-1.0.0-beta4/cr /* Generate 80386 code? */ #undef I386_ONLY -diff -up openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c ---- openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta5/crypto/pkcs12/p12_crt.c +--- openssl-1.0.0-beta5/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/pkcs12/p12_crt.c 2010-01-20 18:13:46.000000000 +0100 @@ -59,6 +59,10 @@ #include #include "cryptlib.h" @@ -10645,9 +10645,9 @@ diff -up openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta4/cr if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; if (!iter) -diff -up openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips openssl-1.0.0-beta4/crypto/rand/md_rand.c ---- openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/md_rand.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rand/md_rand.c.fips openssl-1.0.0-beta5/crypto/rand/md_rand.c +--- openssl-1.0.0-beta5/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rand/md_rand.c 2010-01-20 18:13:46.000000000 +0100 @@ -126,6 +126,10 @@ #include @@ -10674,9 +10674,9 @@ diff -up openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips openssl-1.0.0-beta4/cryp #ifdef PREDICT if (rand_predictable) { -diff -up openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips openssl-1.0.0-beta4/crypto/rand/rand_err.c ---- openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rand/rand_err.c.fips openssl-1.0.0-beta5/crypto/rand/rand_err.c +--- openssl-1.0.0-beta5/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rand/rand_err.c 2010-01-20 18:13:46.000000000 +0100 @@ -70,6 +70,13 @@ static ERR_STRING_DATA RAND_str_functs[]= @@ -10709,9 +10709,9 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips openssl-1.0.0-beta4/cry {0,NULL} }; -diff -up openssl-1.0.0-beta4/crypto/rand/rand.h.fips openssl-1.0.0-beta4/crypto/rand/rand.h ---- openssl-1.0.0-beta4/crypto/rand/rand.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rand/rand.h.fips openssl-1.0.0-beta5/crypto/rand/rand.h +--- openssl-1.0.0-beta5/crypto/rand/rand.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rand/rand.h 2010-01-20 18:13:46.000000000 +0100 @@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -10741,9 +10741,9 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand.h.fips openssl-1.0.0-beta4/crypto/ #ifdef __cplusplus } -diff -up openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta4/crypto/rand/rand_lib.c ---- openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rand/rand_lib.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta5/crypto/rand/rand_lib.c +--- openssl-1.0.0-beta5/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rand/rand_lib.c 2010-01-20 18:13:46.000000000 +0100 @@ -60,6 +60,12 @@ #include #include "cryptlib.h" @@ -10777,9 +10777,9 @@ diff -up openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta4/cry return default_RAND_meth; } -diff -up openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips openssl-1.0.0-beta4/crypto/rc2/rc2.h ---- openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc2/rc2.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc2/rc2.h.fips openssl-1.0.0-beta5/crypto/rc2/rc2.h +--- openssl-1.0.0-beta5/crypto/rc2/rc2.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rc2/rc2.h 2010-01-20 18:13:46.000000000 +0100 @@ -79,7 +79,9 @@ typedef struct rc2_key_st RC2_INT data[64]; } RC2_KEY; @@ -10791,9 +10791,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips openssl-1.0.0-beta4/crypto/rc void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, int enc); -diff -up openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c ---- openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta5/crypto/rc2/rc2_skey.c +--- openssl-1.0.0-beta5/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/rc2/rc2_skey.c 2010-01-20 18:13:46.000000000 +0100 @@ -57,6 +57,11 @@ */ @@ -10827,9 +10827,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta4/cryp int i,j; unsigned char *k; RC2_INT *ki; -diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl ---- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta5/crypto/rc4/asm/rc4-s390x.pl +--- openssl-1.0.0-beta5/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rc4/asm/rc4-s390x.pl 2010-01-20 18:13:46.000000000 +0100 @@ -202,4 +202,6 @@ RC4_options: .string "rc4(8x,char)" ___ @@ -10837,9 +10837,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta +$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); + print $code; -diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl ---- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta5/crypto/rc4/asm/rc4-x86_64.pl +--- openssl-1.0.0-beta5/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/rc4/asm/rc4-x86_64.pl 2010-01-20 18:13:46.000000000 +0100 @@ -499,6 +499,8 @@ ___ $code =~ s/#([bwd])/$1/gm; @@ -10849,9 +10849,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-bet print $code; close STDOUT; -diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl ---- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta5/crypto/rc4/asm/rc4-586.pl +--- openssl-1.0.0-beta5/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rc4/asm/rc4-586.pl 2010-01-20 18:13:46.000000000 +0100 @@ -166,8 +166,12 @@ $idx="edx"; &external_label("OPENSSL_ia32cap_P"); @@ -10875,9 +10875,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta4/ # const char *RC4_options(void); &function_begin_B("RC4_options"); -diff -up openssl-1.0.0-beta4/crypto/rc4/Makefile.fips openssl-1.0.0-beta4/crypto/rc4/Makefile ---- openssl-1.0.0-beta4/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/Makefile 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc4/Makefile.fips openssl-1.0.0-beta5/crypto/rc4/Makefile +--- openssl-1.0.0-beta5/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rc4/Makefile 2010-01-20 18:13:46.000000000 +0100 @@ -21,8 +21,8 @@ TEST=rc4test.c APPS= @@ -10889,9 +10889,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/Makefile.fips openssl-1.0.0-beta4/crypto SRC= $(LIBSRC) -diff -up /dev/null openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c ---- /dev/null 2009-11-20 08:30:43.534002215 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc4/rc4_fblk.c.fips openssl-1.0.0-beta5/crypto/rc4/rc4_fblk.c +--- openssl-1.0.0-beta5/crypto/rc4/rc4_fblk.c.fips 2010-01-20 18:13:46.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rc4/rc4_fblk.c 2010-01-20 18:13:46.000000000 +0100 @@ -0,0 +1,75 @@ +/* crypto/rc4/rc4_fblk.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10968,9 +10968,9 @@ diff -up /dev/null openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c + } +#endif + -diff -up openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips openssl-1.0.0-beta4/crypto/rc4/rc4.h ---- openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc4/rc4.h.fips openssl-1.0.0-beta5/crypto/rc4/rc4.h +--- openssl-1.0.0-beta5/crypto/rc4/rc4.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rc4/rc4.h 2010-01-20 18:13:46.000000000 +0100 @@ -78,6 +78,9 @@ typedef struct rc4_key_st @@ -10981,9 +10981,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips openssl-1.0.0-beta4/crypto/rc void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); void RC4(RC4_KEY *key, size_t len, const unsigned char *indata, unsigned char *outdata); -diff -up openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c ---- openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta5/crypto/rc4/rc4_skey.c +--- openssl-1.0.0-beta5/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rc4/rc4_skey.c 2010-01-20 18:13:46.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "rc4_locl.h" @@ -11021,9 +11021,9 @@ diff -up openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta4/cryp unsigned char *cp=(unsigned char *)d; for (i=0;i<256;i++) cp[i]=i; -diff -up openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta4/crypto/ripemd/ripemd.h ---- openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/ripemd/ripemd.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta5/crypto/ripemd/ripemd.h +--- openssl-1.0.0-beta5/crypto/ripemd/ripemd.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/ripemd/ripemd.h 2010-01-20 18:13:46.000000000 +0100 @@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st unsigned int num; } RIPEMD160_CTX; @@ -11034,9 +11034,9 @@ diff -up openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta4/cry int RIPEMD160_Init(RIPEMD160_CTX *c); int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len); int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c ---- openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta5/crypto/ripemd/rmd_dgst.c +--- openssl-1.0.0-beta5/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/ripemd/rmd_dgst.c 2010-01-20 18:13:46.000000000 +0100 @@ -59,6 +59,11 @@ #include #include "rmd_locl.h" @@ -11058,9 +11058,9 @@ diff -up openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta4/c { memset (c,0,sizeof(*c)); c->A=RIPEMD160_A; -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-23 08:33:32.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta5/crypto/rsa/rsa_eay.c +--- openssl-1.0.0-beta5/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/rsa/rsa_eay.c 2010-01-20 18:13:46.000000000 +0100 @@ -114,6 +114,10 @@ #include #include @@ -11321,9 +11321,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypt rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; return(1); } -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_err.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_err.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta5/crypto/rsa/rsa_err.c +--- openssl-1.0.0-beta5/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rsa/rsa_err.c 2010-01-20 18:13:46.000000000 +0100 @@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"}, @@ -11350,9 +11350,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta4/crypt {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta5/crypto/rsa/rsa_gen.c +--- openssl-1.0.0-beta5/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/rsa/rsa_gen.c 2010-01-20 18:13:46.000000000 +0100 @@ -67,6 +67,82 @@ #include "cryptlib.h" #include @@ -11478,9 +11478,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta4/crypt ok=1; err: if (ok == -1) -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips openssl-1.0.0-beta4/crypto/rsa/rsa.h ---- openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rsa/rsa.h.fips openssl-1.0.0-beta5/crypto/rsa/rsa.h +--- openssl-1.0.0-beta5/crypto/rsa/rsa.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rsa/rsa.h 2010-01-20 18:13:46.000000000 +0100 @@ -74,6 +74,21 @@ #error RSA is disabled. #endif @@ -11550,9 +11550,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips openssl-1.0.0-beta4/crypto/rs #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 #define RSA_R_PADDING_CHECK_FAILED 114 #define RSA_R_P_NOT_PRIME 128 -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips 2009-08-05 17:04:16.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta5/crypto/rsa/rsa_lib.c +--- openssl-1.0.0-beta5/crypto/rsa/rsa_lib.c.fips 2009-12-09 14:38:20.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/rsa/rsa_lib.c 2010-01-20 18:13:46.000000000 +0100 @@ -80,6 +80,13 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -11600,7 +11600,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypt ret->pad=0; ret->version=0; -@@ -285,6 +311,13 @@ int RSA_public_encrypt(int flen, const u +@@ -294,6 +320,13 @@ int RSA_public_encrypt(int flen, const u int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { @@ -11614,7 +11614,7 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypt return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); } -@@ -297,6 +330,13 @@ int RSA_private_decrypt(int flen, const +@@ -306,6 +339,13 @@ int RSA_private_decrypt(int flen, const int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { @@ -11628,9 +11628,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypt return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); } -diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c ---- openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 -+++ openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta5/crypto/rsa/rsa_sign.c +--- openssl-1.0.0-beta5/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 ++++ openssl-1.0.0-beta5/crypto/rsa/rsa_sign.c 2010-01-20 18:13:46.000000000 +0100 @@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig,&p); s=tmps; @@ -11662,9 +11662,9 @@ diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta4/cryp if (i <= 0) goto err; -diff -up openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha_dgst.c ---- openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha_dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta5/crypto/sha/sha_dgst.c +--- openssl-1.0.0-beta5/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/sha/sha_dgst.c 2010-01-20 18:13:46.000000000 +0100 @@ -57,6 +57,12 @@ */ @@ -11678,9 +11678,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta4/cryp #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) #undef SHA_1 -diff -up openssl-1.0.0-beta4/crypto/sha/sha.h.fips openssl-1.0.0-beta4/crypto/sha/sha.h ---- openssl-1.0.0-beta4/crypto/sha/sha.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/sha/sha.h.fips openssl-1.0.0-beta5/crypto/sha/sha.h +--- openssl-1.0.0-beta5/crypto/sha/sha.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/sha/sha.h 2010-01-20 18:13:46.000000000 +0100 @@ -106,6 +106,9 @@ typedef struct SHAstate_st } SHA_CTX; @@ -11691,9 +11691,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha.h.fips openssl-1.0.0-beta4/crypto/sh int SHA_Init(SHA_CTX *c); int SHA_Update(SHA_CTX *c, const void *data, size_t len); int SHA_Final(unsigned char *md, SHA_CTX *c); -diff -up openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta4/crypto/sha/sha_locl.h ---- openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips 2009-11-23 08:32:30.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha_locl.h 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta5/crypto/sha/sha_locl.h +--- openssl-1.0.0-beta5/crypto/sha/sha_locl.h.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/sha/sha_locl.h 2010-01-20 18:13:46.000000000 +0100 @@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, #define INIT_DATA_h3 0x10325476UL #define INIT_DATA_h4 0xc3d2e1f0UL @@ -11710,9 +11710,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta4/cryp memset (c,0,sizeof(*c)); c->h0=INIT_DATA_h0; c->h1=INIT_DATA_h1; -diff -up openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha1dgst.c ---- openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha1dgst.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta5/crypto/sha/sha1dgst.c +--- openssl-1.0.0-beta5/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/sha/sha1dgst.c 2010-01-20 18:13:46.000000000 +0100 @@ -63,6 +63,10 @@ #define SHA_1 @@ -11724,9 +11724,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta4/cryp const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT; -diff -up openssl-1.0.0-beta4/crypto/sha/sha256.c.fips openssl-1.0.0-beta4/crypto/sha/sha256.c ---- openssl-1.0.0-beta4/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha256.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/sha/sha256.c.fips openssl-1.0.0-beta5/crypto/sha/sha256.c +--- openssl-1.0.0-beta5/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/sha/sha256.c 2010-01-20 18:13:46.000000000 +0100 @@ -12,12 +12,19 @@ #include @@ -11757,9 +11757,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha256.c.fips openssl-1.0.0-beta4/crypto memset (c,0,sizeof(*c)); c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL; c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; -diff -up openssl-1.0.0-beta4/crypto/sha/sha512.c.fips openssl-1.0.0-beta4/crypto/sha/sha512.c ---- openssl-1.0.0-beta4/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/sha/sha512.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/sha/sha512.c.fips openssl-1.0.0-beta5/crypto/sha/sha512.c +--- openssl-1.0.0-beta5/crypto/sha/sha512.c.fips 2009-12-30 12:53:33.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/sha/sha512.c 2010-01-20 18:13:46.000000000 +0100 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -11791,18 +11791,9 @@ diff -up openssl-1.0.0-beta4/crypto/sha/sha512.c.fips openssl-1.0.0-beta4/crypto #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm)) /* maintain dword order required by assembler module */ unsigned int *h = (unsigned int *)c->h; -@@ -380,7 +390,7 @@ static const SHA_LONG64 K512[80] = { - ((SHA_LONG64)hi)<<32|lo; }) - # endif - # elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64) --# define ROTR(a,n) ({ unsigned long ret; \ -+# define ROTR(a,n) ({ SHA_LONG64 ret; \ - asm ("rotrdi %0,%1,%2" \ - : "=r"(ret) \ - : "r"(a),"K"(n)); ret; }) -diff -up openssl-1.0.0-beta4/Makefile.org.fips openssl-1.0.0-beta4/Makefile.org ---- openssl-1.0.0-beta4/Makefile.org.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/Makefile.org 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/Makefile.org.fips openssl-1.0.0-beta5/Makefile.org +--- openssl-1.0.0-beta5/Makefile.org.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/Makefile.org 2010-01-20 18:13:46.000000000 +0100 @@ -110,6 +110,9 @@ LIBKRB5= ZLIB_INCLUDE= LIBZLIB= @@ -11830,9 +11821,9 @@ diff -up openssl-1.0.0-beta4/Makefile.org.fips openssl-1.0.0-beta4/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips openssl-1.0.0-beta4/ssl/ssl_ciph.c ---- openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips 2009-09-13 01:18:09.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/ssl_ciph.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/ssl/ssl_ciph.c.fips openssl-1.0.0-beta5/ssl/ssl_ciph.c +--- openssl-1.0.0-beta5/ssl/ssl_ciph.c.fips 2009-09-13 01:18:09.000000000 +0200 ++++ openssl-1.0.0-beta5/ssl/ssl_ciph.c 2010-01-20 18:13:46.000000000 +0100 @@ -727,6 +727,9 @@ static void ssl_cipher_collect_ciphers(c !(c->algorithm_auth & disabled_auth) && !(c->algorithm_enc & disabled_enc) && @@ -11855,10 +11846,10 @@ diff -up openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips openssl-1.0.0-beta4/ssl/ssl_cip { sk_SSL_CIPHER_push(cipherstack, curr->cipher); #ifdef CIPHER_DEBUG -diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.fips openssl-1.0.0-beta4/ssl/ssl_lib.c ---- openssl-1.0.0-beta4/ssl/ssl_lib.c.fips 2009-10-16 15:41:52.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/ssl_lib.c 2009-11-23 08:32:31.000000000 +0100 -@@ -1471,6 +1471,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +diff -up openssl-1.0.0-beta5/ssl/ssl_lib.c.fips openssl-1.0.0-beta5/ssl/ssl_lib.c +--- openssl-1.0.0-beta5/ssl/ssl_lib.c.fips 2010-01-07 20:05:03.000000000 +0100 ++++ openssl-1.0.0-beta5/ssl/ssl_lib.c 2010-01-20 18:13:46.000000000 +0100 +@@ -1521,6 +1521,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m return(NULL); } @@ -11873,10 +11864,10 @@ diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.fips openssl-1.0.0-beta4/ssl/ssl_lib. if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); -diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest.c ---- openssl-1.0.0-beta4/ssl/ssltest.c.fips 2009-11-23 08:32:31.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/ssltest.c 2009-11-23 08:32:31.000000000 +0100 -@@ -265,6 +265,9 @@ static void sv_usage(void) +diff -up openssl-1.0.0-beta5/ssl/ssltest.c.fips openssl-1.0.0-beta5/ssl/ssltest.c +--- openssl-1.0.0-beta5/ssl/ssltest.c.fips 2010-01-20 18:13:45.000000000 +0100 ++++ openssl-1.0.0-beta5/ssl/ssltest.c 2010-01-20 18:13:46.000000000 +0100 +@@ -266,6 +266,9 @@ static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); fprintf(stderr,"\n"); @@ -11886,7 +11877,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. fprintf(stderr," -server_auth - check server certificate\n"); fprintf(stderr," -client_auth - do client authentication\n"); fprintf(stderr," -proxy - allow proxy certificates\n"); -@@ -484,6 +487,9 @@ int main(int argc, char *argv[]) +@@ -485,6 +488,9 @@ int main(int argc, char *argv[]) #endif STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; int test_cipherlist = 0; @@ -11896,7 +11887,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. verbose = 0; debug = 0; -@@ -515,7 +521,16 @@ int main(int argc, char *argv[]) +@@ -516,7 +522,16 @@ int main(int argc, char *argv[]) while (argc >= 1) { @@ -11914,7 +11905,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. server_auth=1; else if (strcmp(*argv,"-client_auth") == 0) client_auth=1; -@@ -711,6 +726,20 @@ bad: +@@ -712,6 +727,20 @@ bad: EXIT(1); } @@ -11935,7 +11926,7 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. if (print_time) { if (!bio_pair) -@@ -2153,12 +2182,12 @@ static int MS_CALLBACK app_verify_callba +@@ -2154,12 +2183,12 @@ static int MS_CALLBACK app_verify_callba } #ifndef OPENSSL_NO_X509_VERIFY @@ -11950,10 +11941,10 @@ diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest. if(s->version == TLS1_VERSION) FIPS_allow_md5(0); # endif -diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_clnt.c ---- openssl-1.0.0-beta4/ssl/s23_clnt.c.fips 2009-08-05 17:29:14.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s23_clnt.c 2009-11-23 08:32:31.000000000 +0100 -@@ -335,6 +335,14 @@ static int ssl23_client_hello(SSL *s) +diff -up openssl-1.0.0-beta5/ssl/s23_clnt.c.fips openssl-1.0.0-beta5/ssl/s23_clnt.c +--- openssl-1.0.0-beta5/ssl/s23_clnt.c.fips 2009-11-18 15:45:32.000000000 +0100 ++++ openssl-1.0.0-beta5/ssl/s23_clnt.c 2010-01-20 18:13:46.000000000 +0100 +@@ -337,6 +337,14 @@ static int ssl23_client_hello(SSL *s) version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; } @@ -11968,7 +11959,7 @@ diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_cln else if (version == SSL3_VERSION) { version_major = SSL3_VERSION_MAJOR; -@@ -618,6 +626,14 @@ static int ssl23_get_server_hello(SSL *s +@@ -620,6 +628,14 @@ static int ssl23_get_server_hello(SSL *s if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { @@ -11983,10 +11974,10 @@ diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_cln s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } -diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.fips openssl-1.0.0-beta4/ssl/s23_srvr.c ---- openssl-1.0.0-beta4/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-23 08:32:31.000000000 +0100 -@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) +diff -up openssl-1.0.0-beta5/ssl/s23_srvr.c.fips openssl-1.0.0-beta5/ssl/s23_srvr.c +--- openssl-1.0.0-beta5/ssl/s23_srvr.c.fips 2010-01-13 20:08:29.000000000 +0100 ++++ openssl-1.0.0-beta5/ssl/s23_srvr.c 2010-01-20 18:13:46.000000000 +0100 +@@ -393,6 +393,15 @@ int ssl23_get_client_hello(SSL *s) } } @@ -12002,9 +11993,9 @@ diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.fips openssl-1.0.0-beta4/ssl/s23_srv if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { /* we have SSLv3/TLSv1 in an SSLv2 header -diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt.c ---- openssl-1.0.0-beta4/ssl/s3_clnt.c.fips 2009-10-30 15:06:18.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/ssl/s3_clnt.c.fips openssl-1.0.0-beta5/ssl/s3_clnt.c +--- openssl-1.0.0-beta5/ssl/s3_clnt.c.fips 2010-01-05 17:46:39.000000000 +0100 ++++ openssl-1.0.0-beta5/ssl/s3_clnt.c 2010-01-20 18:13:46.000000000 +0100 @@ -156,6 +156,10 @@ #include #include @@ -12016,7 +12007,7 @@ diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt. #ifndef OPENSSL_NO_DH #include #endif -@@ -1530,6 +1534,8 @@ int ssl3_get_key_exchange(SSL *s) +@@ -1548,6 +1552,8 @@ int ssl3_get_key_exchange(SSL *s) q=md_buf; for (num=2; num > 0; num--) { @@ -12025,9 +12016,9 @@ diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt. EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); -diff -up openssl-1.0.0-beta4/ssl/s3_enc.c.fips openssl-1.0.0-beta4/ssl/s3_enc.c ---- openssl-1.0.0-beta4/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/s3_enc.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/ssl/s3_enc.c.fips openssl-1.0.0-beta5/ssl/s3_enc.c +--- openssl-1.0.0-beta5/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 ++++ openssl-1.0.0-beta5/ssl/s3_enc.c 2010-01-20 18:13:46.000000000 +0100 @@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL * #endif k=0; @@ -12053,10 +12044,10 @@ diff -up openssl-1.0.0-beta4/ssl/s3_enc.c.fips openssl-1.0.0-beta4/ssl/s3_enc.c EVP_MD_CTX_copy_ex(&ctx,d); n=EVP_MD_CTX_size(&ctx); if (n < 0) -diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.fips openssl-1.0.0-beta4/ssl/s3_srvr.c ---- openssl-1.0.0-beta4/ssl/s3_srvr.c.fips 2009-10-30 14:22:44.000000000 +0100 -+++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2009-11-23 08:32:31.000000000 +0100 -@@ -1679,6 +1679,8 @@ int ssl3_send_server_key_exchange(SSL *s +diff -up openssl-1.0.0-beta5/ssl/s3_srvr.c.fips openssl-1.0.0-beta5/ssl/s3_srvr.c +--- openssl-1.0.0-beta5/ssl/s3_srvr.c.fips 2010-01-01 15:39:51.000000000 +0100 ++++ openssl-1.0.0-beta5/ssl/s3_srvr.c 2010-01-20 18:13:46.000000000 +0100 +@@ -1732,6 +1732,8 @@ int ssl3_send_server_key_exchange(SSL *s j=0; for (num=2; num > 0; num--) { @@ -12065,9 +12056,9 @@ diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.fips openssl-1.0.0-beta4/ssl/s3_srvr. EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); -diff -up openssl-1.0.0-beta4/ssl/t1_enc.c.fips openssl-1.0.0-beta4/ssl/t1_enc.c ---- openssl-1.0.0-beta4/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200 -+++ openssl-1.0.0-beta4/ssl/t1_enc.c 2009-11-23 08:32:31.000000000 +0100 +diff -up openssl-1.0.0-beta5/ssl/t1_enc.c.fips openssl-1.0.0-beta5/ssl/t1_enc.c +--- openssl-1.0.0-beta5/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200 ++++ openssl-1.0.0-beta5/ssl/t1_enc.c 2010-01-20 18:13:46.000000000 +0100 @@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md HMAC_CTX_init(&ctx); diff --git a/openssl-0.9.8j-readme-warning.patch b/openssl-1.0.0-beta5-readme-warning.patch similarity index 55% rename from openssl-0.9.8j-readme-warning.patch rename to openssl-1.0.0-beta5-readme-warning.patch index 411e6bd..0d89720 100644 --- a/openssl-0.9.8j-readme-warning.patch +++ b/openssl-1.0.0-beta5-readme-warning.patch @@ -1,7 +1,7 @@ -diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README ---- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100 -+++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100 -@@ -5,6 +5,31 @@ +diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README +--- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100 ++++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100 +@@ -5,6 +5,35 @@ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. @@ -15,9 +15,15 @@ diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README + + This version also contains a few differences from the upstream code + some of which are: -+ * The FIPS integrity verification check is implemented differently -+ from the upstream FIPS validated OpenSSL module. It verifies -+ HMAC-SHA256 checksum of the whole libcrypto shared library. ++ * There are added changes forward ported from the upstream OpenSSL ++ 0.9.8 FIPS branch however the FIPS integrity verification check ++ is implemented differently from the upstream FIPS validated OpenSSL ++ module. It verifies HMAC-SHA256 checksum of the whole shared ++ libraries. For this reason the changes are ported to files in the ++ crypto directory and not in a separate fips subdirectory. Also ++ note that the FIPS integrity verification check requires unmodified ++ libcrypto and libssl shared library files which means that it will ++ fail if these files are modified for example by prelink. + * The module respects the kernel FIPS flag /proc/sys/crypto/fips and + tries to initialize the FIPS mode if it is set to 1 aborting if the + FIPS mode could not be initialized. It is also possible to force the @@ -27,8 +33,6 @@ diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README + will not automatically load the built in compression method ZLIB + when initialized. Applications can still explicitely ask for ZLIB + compression method. -+ * There is added a support for EAP-FAST through TLS extension. This code -+ is backported from OpenSSL upstream development branch. + DESCRIPTION ----------- diff --git a/openssl-1.0.0-beta4-version.patch b/openssl-1.0.0-beta5-version.patch similarity index 51% rename from openssl-1.0.0-beta4-version.patch rename to openssl-1.0.0-beta5-version.patch index ab12be0..cf3bcf6 100644 --- a/openssl-1.0.0-beta4-version.patch +++ b/openssl-1.0.0-beta5-version.patch @@ -1,14 +1,14 @@ We have to keep the beta status on 3 as some applications (OpenSSH) incorrectly insist on having the same beta status of OpenSSL library as they were built against. -diff -up openssl-1.0.0-beta4/crypto/opensslv.h.version openssl-1.0.0-beta4/crypto/opensslv.h ---- openssl-1.0.0-beta4/crypto/opensslv.h.version 2009-11-12 15:17:28.000000000 +0100 -+++ openssl-1.0.0-beta4/crypto/opensslv.h 2009-11-13 12:39:08.000000000 +0100 +diff -up openssl-1.0.0-beta5/crypto/opensslv.h.version openssl-1.0.0-beta5/crypto/opensslv.h +--- openssl-1.0.0-beta5/crypto/opensslv.h.version 2010-01-20 18:16:43.000000000 +0100 ++++ openssl-1.0.0-beta5/crypto/opensslv.h 2010-01-20 20:20:23.000000000 +0100 @@ -25,7 +25,7 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ --#define OPENSSL_VERSION_NUMBER 0x10000004L +-#define OPENSSL_VERSION_NUMBER 0x10000005L +#define OPENSSL_VERSION_NUMBER 0x10000003L #ifdef OPENSSL_FIPS - #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips-beta4 10 Nov 2009" + #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips-beta5 20 Jan 2010" #else diff --git a/openssl.spec b/openssl.spec index 5afb7a7..7ccec34 100644 --- a/openssl.spec +++ b/openssl.spec @@ -11,7 +11,7 @@ # 1.0.0 soversion = 10 %define soversion 10 -%define beta beta4 +%define beta beta5 # Number of threads to spawn when testing some threading fixes. %define thread_test_threads %{?threads:%{threads}}%{!?threads:1} @@ -23,7 +23,7 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.0 -Release: 0.19.%{beta}%{?dist} +Release: 0.20.%{beta}%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-%{beta}-usa.tar.bz2 @@ -38,43 +38,30 @@ Source11: README.FIPS Patch0: openssl-1.0.0-beta4-redhat.patch Patch1: openssl-1.0.0-beta3-defaults.patch Patch3: openssl-1.0.0-beta3-soversion.patch -Patch4: openssl-1.0.0-beta4-enginesdir.patch +Patch4: openssl-1.0.0-beta5-enginesdir.patch Patch5: openssl-0.9.8a-no-rpath.patch Patch6: openssl-0.9.8b-test-use-localhost.patch # Bug fixes Patch23: openssl-1.0.0-beta4-default-paths.patch -Patch24: openssl-1.0.0-beta4-binutils.patch +Patch24: openssl-0.9.8j-bad-mime.patch # Functionality changes Patch32: openssl-0.9.8g-ia64.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch -Patch38: openssl-1.0.0-beta3-cipher-change.patch +Patch38: openssl-1.0.0-beta5-cipher-change.patch Patch39: openssl-1.0.0-beta3-ipv6-apps.patch -Patch40: openssl-1.0.0-beta4-fips.patch +Patch40: openssl-1.0.0-beta5-fips.patch Patch41: openssl-1.0.0-beta3-fipscheck.patch Patch43: openssl-1.0.0-beta3-fipsmode.patch Patch44: openssl-1.0.0-beta3-fipsrng.patch Patch45: openssl-0.9.8j-env-nozlib.patch -Patch47: openssl-0.9.8j-readme-warning.patch -Patch48: openssl-0.9.8j-bad-mime.patch +Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch49: openssl-1.0.0-beta4-algo-doc.patch Patch50: openssl-1.0.0-beta4-dtls1-abi.patch -Patch51: openssl-1.0.0-beta4-version.patch +Patch51: openssl-1.0.0-beta5-version.patch +Patch52: openssl-1.0.0-beta4-aesni.patch # Backported fixes including security fixes -Patch60: openssl-1.0.0-beta4-reneg.patch -# This one is not backported but has to be applied after reneg patch -Patch61: openssl-1.0.0-beta4-client-reneg.patch -Patch62: openssl-1.0.0-beta4-backports.patch -Patch63: openssl-1.0.0-beta4-reneg-err.patch -Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch -Patch65: openssl-1.0.0-beta4-dtls-reneg.patch -Patch66: openssl-1.0.0-beta4-backports2.patch -Patch67: openssl-1.0.0-beta4-reneg-scsv.patch -Patch68: openssl-1.0.0-beta4-tls-comp.patch -Patch69: openssl-1.0.0-beta4-aesni.patch -Patch70: openssl-1.0.0-beta4-tlsver.patch -Patch71: openssl-1.0.0-beta4-cve-2009-4355.patch License: OpenSSL Group: System Environment/Libraries @@ -135,7 +122,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch6 -p1 -b .use-localhost %patch23 -p1 -b .default-paths -%patch24 -p1 -b .binutils +%patch24 -p1 -b .bad-mime %patch32 -p1 -b .ia64 %patch33 -p1 -b .ca-dir @@ -149,23 +136,10 @@ from other formats to the formats used by the OpenSSL toolkit. %patch44 -p1 -b .fipsrng %patch45 -p1 -b .env-nozlib %patch47 -p1 -b .warning -%patch48 -p1 -b .bad-mime %patch49 -p1 -b .algo-doc %patch50 -p1 -b .dtls1-abi %patch51 -p1 -b .version - -%patch60 -p1 -b .reneg -%patch61 -p1 -b .client-reneg -%patch62 -p1 -b .backports -%patch63 -p1 -b .reneg-err -%patch64 -p1 -b .dtls-ipv6 -%patch65 -p1 -b .dtls-reneg -%patch66 -p1 -b .backports2 -%patch67 -p1 -b .scsv -%patch68 -p1 -b .tls-comp -%patch69 -p1 -b .aesni -%patch70 -p1 -b .tlsver -%patch71 -p1 -b .compleak +%patch52 -p1 -b .aesni # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -264,12 +238,9 @@ make -C test apps tests install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl} make INSTALL_PREFIX=$RPM_BUILD_ROOT install make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs -# OpenSSL install doesn't use correct _libdir on 64 bit archs -[ "%{_libdir}" != /usr/lib ] && mv $RPM_BUILD_ROOT/usr/lib/lib*.so.%{soversion} $RPM_BUILD_ROOT%{_libdir}/ -mv $RPM_BUILD_ROOT/usr/lib/engines $RPM_BUILD_ROOT%{_libdir}/openssl +mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/ rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man -mv $RPM_BUILD_ROOT/usr/lib/* $RPM_BUILD_ROOT%{_libdir}/ || : rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion} for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do chmod 755 ${lib} @@ -414,6 +385,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Wed Jan 20 2010 Tomas Mraz 1.0.0-0.20.beta5 +- new upstream release + * Thu Jan 14 2010 Tomas Mraz 1.0.0-0.19.beta4 - fix CVE-2009-4355 - leak in applications incorrectly calling CRYPTO_free_all_ex_data() before application exit (#546707) diff --git a/sources b/sources index 8a2c648..acb119b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -1fc0e41c230d0698f834413dfba864ad openssl-1.0.0-beta4-usa.tar.bz2 +531160d84017cb52e3c23b52cca0d5cf openssl-1.0.0-beta5-usa.tar.bz2