update to the 1.1.1d release

Tomas Mraz 2019-09-13 17:25:44 +02:00
parent c44b3f96fe
commit f6a62c4c2c
14 changed files with 1386 additions and 1400 deletions

1
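--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1a-hobbled.tar.xz
 /openssl-1.1.1b-hobbled.tar.xz
 /openssl-1.1.1c-hobbled.tar.xz
+/openssl-1.1.1d-hobbled.tar.xz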


@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
@ -468,3 +468,115 @@ int EC_curve_nist2nid(const char *name)
} }
return NID_undef; return NID_undef;
} }
#define NUM_BN_FIELDS 6
/*
* Validates EC domain parameter data for known named curves.
* This can be used when a curve is loaded explicitly (without a curve
* name) or to validate that domain parameters have not been modified.
*
* Returns: The nid associated with the found named curve, or NID_undef
* if not found. If there was an error it returns -1.
*/
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
{
int ret = -1, nid, len, field_type, param_len;
size_t i, seed_len;
const unsigned char *seed, *params_seed, *params;
unsigned char *param_bytes = NULL;
const EC_CURVE_DATA *data;
const EC_POINT *generator = NULL;
const EC_METHOD *meth;
const BIGNUM *cofactor = NULL;
/* An array of BIGNUMs for (p, a, b, x, y, order) */
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
meth = EC_GROUP_method_of(group);
if (meth == NULL)
return -1;
/* Use the optional named curve nid as a search field */
nid = EC_GROUP_get_curve_name(group);
field_type = EC_METHOD_get_field_type(meth);
seed_len = EC_GROUP_get_seed_len(group);
seed = EC_GROUP_get0_seed(group);
cofactor = EC_GROUP_get0_cofactor(group);
BN_CTX_start(ctx);
/*
* The built-in curves contains data fields (p, a, b, x, y, order) that are
* all zero-padded to be the same size. The size of the padding is
* determined by either the number of bytes in the field modulus (p) or the
* EC group order, whichever is larger.
*/
param_len = BN_num_bytes(group->order);
len = BN_num_bytes(group->field);
if (len > param_len)
param_len = len;
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
if (param_bytes == NULL)
goto end;
/* Create the bignums */
for (i = 0; i < NUM_BN_FIELDS; ++i) {
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
goto end;
}
/*
* Fill in the bn array with the same values as the internal curves
* i.e. the values are p, a, b, x, y, order.
*/
/* Get p, a & b */
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
/* Get x & y */
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
/* Get order */
&& EC_GROUP_get_order(group, bn[5], ctx)))
goto end;
/*
* Convert the bignum array to bytes that are joined together to form
* a single buffer that contains data for all fields.
* (p, a, b, x, y, order) are all zero padded to be the same size.
*/
for (i = 0; i < NUM_BN_FIELDS; ++i) {
if (BN_bn2binpad(bn[i], &param_bytes[i*param_len], param_len) <= 0)
goto end;
}
for (i = 0; i < curve_list_length; i++) {
const ec_list_element curve = curve_list[i];
data = curve.data;
/* Get the raw order byte data */
params_seed = (const unsigned char *)(data + 1); /* skip header */
params = params_seed + data->seed_len;
/* Look for unique fields in the fixed curve data */
if (data->field_type == field_type
&& param_len == data->param_len
&& (nid <= 0 || nid == curve.nid)
/* check the optional cofactor (ignore if its zero) */
&& (BN_is_zero(cofactor)
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
/* Check the optional seed (ignore if its not set) */
&& (data->seed_len == 0 || seed_len == 0
|| ((size_t)data->seed_len == seed_len
&& memcmp(params_seed, seed, seed_len) == 0))
/* Check that the groups params match the built-in curve params */
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
== 0) {
ret = curve.nid;
goto end;
}
}
/* Gets here if the group was not found */
ret = NID_undef;
end:
OPENSSL_free(param_bytes);
BN_CTX_end(ctx);
return ret;
}
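Review bot: The header comment on `ec_curve_nid_from_params` should say that the seed and cofactor are skipped only when they are unset. In the match condition, a non-zero cofactor that differs from `curve.data->cofactor`, or a seed that differs from the table seed when both are present, makes the lookup return `NID_undef` even though (p, a, b, x, y, order) are byte-identical to a built-in curve. That matters when the group comes from untrusted explicit parameters, because a set optional field can keep a known curve from being recognised as named; presumably the caller clears both fields before calling, but that is not visible in this hunk. I would add to the comment: `Callers that want the optional fields ignored must clear the seed and cofactor on the group first; a set value that differs from the built-in table prevents a match.` Separately, `BN_CTX_start(ctx)` runs with no NULL check on `ctx`, so either document that `ctx` must be non-NULL or guard it with `if (ctx == NULL) return -1;` next to the `meth == NULL` check.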

444
ectest.c

@ -844,6 +844,271 @@ static const unsigned char p521_explicit[] = {
0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01, 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
}; };
/*
* Sometime we cannot compare nids for equality, as the built-in curve table
* includes aliases with different names for the same curve.
*
* This function returns TRUE (1) if the checked nids are identical, or if they
* alias to the same curve. FALSE (0) otherwise.
*/
static ossl_inline
int are_ec_nids_compatible(int n1d, int n2d)
{
int ret = 0;
switch (n1d) {
# ifndef OPENSSL_NO_EC2M
case NID_sect113r1:
case NID_wap_wsg_idm_ecid_wtls4:
ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
break;
case NID_sect163k1:
case NID_wap_wsg_idm_ecid_wtls3:
ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
break;
case NID_sect233k1:
case NID_wap_wsg_idm_ecid_wtls10:
ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
break;
case NID_sect233r1:
case NID_wap_wsg_idm_ecid_wtls11:
ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
break;
case NID_X9_62_c2pnb163v1:
case NID_wap_wsg_idm_ecid_wtls5:
ret = (n2d == NID_X9_62_c2pnb163v1
|| n2d == NID_wap_wsg_idm_ecid_wtls5);
break;
# endif /* OPENSSL_NO_EC2M */
case NID_secp112r1:
case NID_wap_wsg_idm_ecid_wtls6:
ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
break;
case NID_secp160r2:
case NID_wap_wsg_idm_ecid_wtls7:
ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
break;
# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
case NID_secp224r1:
case NID_wap_wsg_idm_ecid_wtls12:
ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
break;
# else
/*
* For SEC P-224 we want to ensure that the SECP nid is returned, as
* that is associated with a specialized method.
*/
case NID_wap_wsg_idm_ecid_wtls12:
ret = (n2d == NID_secp224r1);
break;
# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
default:
ret = (n1d == n2d);
}
return ret;
}
/*
* This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
* EC_GROUP for built-in curves.
*
* Note that it is possible to retrieve an alternative alias that does not match
* the original nid.
*
* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
*/
static int check_named_curve_from_ecparameters(int id)
{
int ret = 0, nid, tnid;
EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
const EC_POINT *group_gen = NULL;
EC_POINT *other_gen = NULL;
BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
const BIGNUM *group_order = NULL;
BIGNUM *other_order = NULL;
BN_CTX *bn_ctx = NULL;
static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
static size_t invalid_seed_len = sizeof(invalid_seed);
ECPARAMETERS *params = NULL, *other_params = NULL;
EC_GROUP *g_ary[8] = {NULL};
EC_GROUP **g_next = &g_ary[0];
ECPARAMETERS *p_ary[8] = {NULL};
ECPARAMETERS **p_next = &p_ary[0];
/* Do some setup */
nid = curves[id].nid;
TEST_note("Curve %s", OBJ_nid2sn(nid));
if (!TEST_ptr(bn_ctx = BN_CTX_new()))
return ret;
BN_CTX_start(bn_ctx);
if (/* Allocations */
!TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
/* Generate reference group and params */
|| !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
|| !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
|| !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
|| !TEST_ptr(group_order = EC_GROUP_get0_order(group))
|| !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
/* compute `other_*` values */
|| !TEST_ptr(tmpg = EC_GROUP_dup(group))
|| !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
|| !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
|| !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
other_gen_x, other_gen_y, bn_ctx))
|| !TEST_true(BN_copy(other_order, group_order))
|| !TEST_true(BN_add_word(other_order, 1))
|| !TEST_true(BN_copy(other_cofactor, group_cofactor))
|| !TEST_true(BN_add_word(other_cofactor, 1)))
goto err;
EC_POINT_free(other_gen);
other_gen = NULL;
if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
|| !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
other_gen_x, other_gen_y,
bn_ctx)))
goto err;
/*
* ###########################
* # Actual tests start here #
* ###########################
*/
/*
* Creating a group from built-in explicit parameters returns a
* "named" EC_GROUP
*/
if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
goto err;
/*
* We cannot always guarantee the names match, as the built-in table
* contains aliases for the same curve with different names.
*/
if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
goto err;
/*
* An invalid seed in the parameters should be ignored: expect a "named"
* group.
*/
if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
invalid_seed_len)
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/*
* A null seed in the parameters should be ignored, as it is optional:
* expect a "named" group.
*/
if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/*
* Check that changing any of the generator parameters does not yield a
* match with the built-in curves
*/
if (/* Other gen, same group order & cofactor */
!TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
/* Same gen & cofactor, different order */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
/* The order is not an optional field, so this should fail */
|| !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
group_cofactor))
/* Check that a wrong cofactor is ignored, and we still match */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
other_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)
/* Check that if the cofactor is not set then it still matches */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
NULL))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)
/* check that restoring the generator passes */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE))
goto err;
ret = 1;
err:
for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
EC_GROUP_free(*g_next);
for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
ECPARAMETERS_free(*p_next);
ECPARAMETERS_free(params);
EC_POINT_free(other_gen);
EC_GROUP_free(tmpg);
EC_GROUP_free(group);
BN_CTX_end(bn_ctx);
BN_CTX_free(bn_ctx);
return ret;
}
static int parameter_test(void) static int parameter_test(void)
{ {
EC_GROUP *group = NULL, *group2 = NULL; EC_GROUP *group = NULL, *group2 = NULL;
@ -886,6 +1151,179 @@ err:
OPENSSL_free(buf); OPENSSL_free(buf);
return r; return r;
} }
/*-
* random 256-bit explicit parameters curve, cofactor absent
* order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
* cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
*/
static const unsigned char params_cf_pass[] = {
0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
0x14, 0xa8, 0x2f, 0x4f
};
/*-
* random 256-bit explicit parameters curve, cofactor absent
* order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
* cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
*/
static const unsigned char params_cf_fail[] = {
0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
0x34, 0xa2, 0x21, 0x01
};
/*-
* Test two random 256-bit explicit parameters curves with absent cofactor.
* The two curves are chosen to roughly straddle the bounds at which the lib
* can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
*
* - params_cf_pass: order is sufficiently close to p to compute cofactor
* - params_cf_fail: order is too far away from p to compute cofactor
*
* For standards-compliant curves, cofactor is chosen as small as possible.
* So you can see neither of these curves are fit for cryptographic use.
*
* Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
* h <= 2**(t/8) where t is the security level of the curve, for which the lib
* will always succeed in computing the cofactor. Neither of these curves
* conform to that -- this is just robustness testing.
*/
static int cofactor_range_test(void)
{
EC_GROUP *group = NULL;
BIGNUM *cf = NULL;
int ret = 0;
const unsigned char *b1 = (const unsigned char *)params_cf_fail;
const unsigned char *b2 = (const unsigned char *)params_cf_pass;
if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
|| !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
|| !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
sizeof(params_cf_pass)))
|| !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
|| !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
goto err;
ret = 1;
err:
BN_free(cf);
EC_GROUP_free(group);
return ret;
}
/*-
* For named curves, test that:
* - the lib correctly computes the cofactor if passed a NULL or zero cofactor
* - a nonsensical cofactor throws an error (negative test)
* - nonsensical orders throw errors (negative tests)
*/
static int cardinality_test(int n)
{
int ret = 0;
int nid = curves[n].nid;
BN_CTX *ctx = NULL;
EC_GROUP *g1 = NULL, *g2 = NULL;
EC_POINT *g2_gen = NULL;
BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
*g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
if (!TEST_ptr(ctx = BN_CTX_new())
|| !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
|| !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
EC_GROUP_free(g1);
EC_GROUP_free(g2);
BN_CTX_free(ctx);
return 0;
}
BN_CTX_start(ctx);
g1_p = BN_CTX_get(ctx);
g1_a = BN_CTX_get(ctx);
g1_b = BN_CTX_get(ctx);
g1_x = BN_CTX_get(ctx);
g1_y = BN_CTX_get(ctx);
g1_order = BN_CTX_get(ctx);
g1_cf = BN_CTX_get(ctx);
if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
/* pull out the explicit curve parameters */
|| !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
|| !TEST_true(EC_POINT_get_affine_coordinates(g1,
EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
|| !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
|| !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
/* construct g2 manually with g1 parameters */
|| !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
|| !TEST_ptr(g2_gen = EC_POINT_new(g2))
|| !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
/* pass NULL cofactor: lib should compute it */
|| !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
|| !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
|| !TEST_BN_eq(g1_cf, g2_cf)
/* pass zero cofactor: lib should compute it */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
|| !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
|| !TEST_BN_eq(g1_cf, g2_cf)
/* negative test for invalid cofactor */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
/* negative test for NULL order */
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
/* negative test for zero order */
|| !TEST_true(BN_set_word(g1_order, 0))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
/* negative test for negative order */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
/* negative test for too large order */
|| !TEST_true(BN_lshift(g1_order, g1_p, 2))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
goto err;
ret = 1;
err:
EC_POINT_free(g2_gen);
EC_GROUP_free(g1);
EC_GROUP_free(g2);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
#endif #endif
int setup_tests(void) int setup_tests(void)
@ -897,6 +1335,8 @@ int setup_tests(void)
return 0; return 0;
ADD_TEST(parameter_test); ADD_TEST(parameter_test);
ADD_TEST(cofactor_range_test);
ADD_ALL_TESTS(cardinality_test, crv_len);
ADD_TEST(prime_field_tests); ADD_TEST(prime_field_tests);
# ifndef OPENSSL_NO_EC2M # ifndef OPENSSL_NO_EC2M
ADD_TEST(char2_field_tests); ADD_TEST(char2_field_tests);
@ -908,7 +1348,9 @@ int setup_tests(void)
# endif # endif
ADD_ALL_TESTS(internal_curve_test, crv_len); ADD_ALL_TESTS(internal_curve_test, crv_len);
ADD_ALL_TESTS(internal_curve_test_method, crv_len); ADD_ALL_TESTS(internal_curve_test_method, crv_len);
#endif
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
#endif /* OPENSSL_NO_EC */
return 1; return 1;
} }
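Review bot: The "negative test for negative order" step in `cardinality_test` never passes a negative order. It sets `g2_cf` to -1 but then calls `EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)` with `g1_order` still zero from the previous step, so it only repeats the zero-order check. To exercise the intended case, make the order itself negative: `|| !TEST_true(BN_set_word(g1_order, 0))` followed by `|| !TEST_true(BN_sub(g1_order, g1_order, BN_value_one()))`. In `check_named_curve_from_ecparameters` the cleanup loop over `p_ary` is bounded by `OSSL_NELEM(g_ary)`; both arrays have 8 elements today, but it should read `OSSL_NELEM(p_ary)`, and because the test fills all 8 `g_ary` slots through `*g_next++` with no bounds check, a comment at the declarations noting that the sizes must track the number of cases would help. The comment above that function also misspells `EC_GROUP_new_from_ecparameters` as `EC_GROUP_bew_from_ecparameters`.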


@ -1,12 +0,0 @@
diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
-install_docs: install_man_docs install_html_docs
+install_docs: install_man_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r -v $(DESTDIR)$(DOCDIR)


@ -1,7 +1,7 @@
diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err/openssl.txt diff -up openssl-1.1.1d/crypto/err/openssl.txt.evp-kdf openssl-1.1.1d/crypto/err/openssl.txt
--- openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/err/openssl.txt.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/err/openssl.txt 2019-02-28 13:05:05.651521474 +0100 +++ openssl-1.1.1d/crypto/err/openssl.txt 2019-09-13 15:45:01.723001323 +0200
@@ -743,6 +743,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn @@ -747,6 +747,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
@ -11,7 +11,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
EVP_F_EVP_MD_SIZE:162:EVP_MD_size EVP_F_EVP_MD_SIZE:162:EVP_MD_size
EVP_F_EVP_OPENINIT:102:EVP_OpenInit EVP_F_EVP_OPENINIT:102:EVP_OpenInit
@@ -805,11 +808,30 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k @@ -809,12 +812,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
@ -19,6 +19,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_F_PKEY_SET_TYPE:158:pkey_set_type EVP_F_PKEY_SET_TYPE:158:pkey_set_type
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
EVP_F_RC5_CTRL:125:rc5_ctrl EVP_F_RC5_CTRL:125:rc5_ctrl
EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
+EVP_F_SCRYPT_ALG:228:scrypt_alg +EVP_F_SCRYPT_ALG:228:scrypt_alg
EVP_F_UPDATE:173:update EVP_F_UPDATE:173:update
@ -42,7 +43,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
@@ -821,6 +843,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc @@ -826,6 +848,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
@ -50,7 +51,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
@@ -2264,6 +2287,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on @@ -2273,6 +2296,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
operation not supported for this keytype operation not supported for this keytype
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
@ -58,7 +59,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
EVP_R_PBKDF2_ERROR:181:pbkdf2 error EVP_R_PBKDF2_ERROR:181:pbkdf2 error
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
@@ -2299,6 +2323,7 @@ KDF_R_MISSING_SEED:106:missing seed @@ -2309,6 +2333,7 @@ KDF_R_MISSING_SEED:106:missing seed
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
KDF_R_VALUE_ERROR:108:value error KDF_R_VALUE_ERROR:108:value error
KDF_R_VALUE_MISSING:102:value missing KDF_R_VALUE_MISSING:102:value missing
@ -66,9 +67,9 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
OBJ_R_OID_EXISTS:102:oid exists OBJ_R_OID_EXISTS:102:oid exists
OBJ_R_UNKNOWN_NID:101:unknown nid OBJ_R_UNKNOWN_NID:101:unknown nid
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/build.info diff -up openssl-1.1.1d/crypto/evp/build.info.evp-kdf openssl-1.1.1d/crypto/evp/build.info
--- openssl-1.1.1b/crypto/evp/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/evp/build.info.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/evp/build.info 2019-02-28 13:05:05.651521474 +0100 +++ openssl-1.1.1d/crypto/evp/build.info 2019-09-13 15:39:20.268982830 +0200
@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ @@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
@ -79,9 +80,9 @@ diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/
e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
e_chacha20_poly1305.c cmeth_lib.c e_chacha20_poly1305.c cmeth_lib.c
diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c diff -up openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c
--- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-02-28 13:05:05.651521474 +0100 +++ openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c 2019-09-13 15:39:20.268982830 +0200
@@ -14,8 +14,8 @@ @@ -14,8 +14,8 @@
# include <openssl/evp.h> # include <openssl/evp.h>
@ -92,9 +93,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1b/
# include "internal/chacha.h" # include "internal/chacha.h"
typedef struct { typedef struct {
diff -up openssl-1.1.1b/crypto/evp/encode.c.evp-kdf openssl-1.1.1b/crypto/evp/encode.c diff -up openssl-1.1.1d/crypto/evp/encode.c.evp-kdf openssl-1.1.1d/crypto/evp/encode.c
--- openssl-1.1.1b/crypto/evp/encode.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/evp/encode.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/evp/encode.c 2019-02-28 13:05:05.651521474 +0100 +++ openssl-1.1.1d/crypto/evp/encode.c 2019-09-13 15:39:20.268982830 +0200
@@ -11,8 +11,8 @@ @@ -11,8 +11,8 @@
#include <limits.h> #include <limits.h>
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
@ -105,18 +106,10 @@ diff -up openssl-1.1.1b/crypto/evp/encode.c.evp-kdf openssl-1.1.1b/crypto/evp/en
static unsigned char conv_ascii2bin(unsigned char a, static unsigned char conv_ascii2bin(unsigned char a,
const unsigned char *table); const unsigned char *table);
diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_err.c diff -up openssl-1.1.1d/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1d/crypto/evp/evp_err.c
--- openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf 2019-02-28 13:05:05.617522103 +0100 --- openssl-1.1.1d/crypto/evp/evp_err.c.evp-kdf 2019-09-13 15:39:20.226983569 +0200
+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-02-28 13:05:05.651521474 +0100 +++ openssl-1.1.1d/crypto/evp/evp_err.c 2019-09-13 15:44:00.070076961 +0200
@@ -1,6 +1,6 @@ @@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -56,6 +56,9 @@ static const ERR_STRING_DATA EVP_str_fun
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
"EVP_EncryptFinal_ex"}, "EVP_EncryptFinal_ex"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
@ -126,7 +119,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"},
@@ -147,10 +150,12 @@ static const ERR_STRING_DATA EVP_str_fun @@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun
"PKCS5_v2_PBKDF2_keyivgen"}, "PKCS5_v2_PBKDF2_keyivgen"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0), {ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0),
"PKCS5_v2_scrypt_keyivgen"}, "PKCS5_v2_scrypt_keyivgen"},
@ -134,12 +127,14 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),
"r_32_12_16_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
{0, NULL} {0, NULL}
}; };
@@ -233,6 +238,8 @@ static const ERR_STRING_DATA EVP_str_rea @@ -240,6 +245,8 @@ static const ERR_STRING_DATA EVP_str_rea
"operation not supported for this keytype"}, "operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
"operaton not initialized"}, "operaton not initialized"},
@ -148,9 +143,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
"partially overlapping buffers"}, "partially overlapping buffers"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/evp_locl.h diff -up openssl-1.1.1d/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1d/crypto/evp/evp_locl.h
--- openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf 2019-02-28 13:05:05.253528831 +0100 --- openssl-1.1.1d/crypto/evp/evp_locl.h.evp-kdf 2019-09-13 15:39:19.820990718 +0200
+++ openssl-1.1.1b/crypto/evp/evp_locl.h 2019-02-28 13:05:05.652521456 +0100 +++ openssl-1.1.1d/crypto/evp/evp_locl.h 2019-09-13 15:39:24.144914578 +0200
@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { @@ -41,6 +41,11 @@ struct evp_cipher_ctx_st {
unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
} /* EVP_CIPHER_CTX */ ; } /* EVP_CIPHER_CTX */ ;
@ -163,9 +158,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
int passlen, ASN1_TYPE *param, int passlen, ASN1_TYPE *param,
const EVP_CIPHER *c, const EVP_MD *md, const EVP_CIPHER *c, const EVP_MD *md,
diff -up openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_pbe.c diff -up openssl-1.1.1d/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1d/crypto/evp/evp_pbe.c
--- openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/evp/evp_pbe.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/evp/evp_pbe.c 2019-02-28 13:05:05.652521456 +0100 +++ openssl-1.1.1d/crypto/evp/evp_pbe.c 2019-09-13 15:39:24.145914561 +0200
@@ -12,6 +12,7 @@ @@ -12,6 +12,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/pkcs12.h> #include <openssl/pkcs12.h>
@ -174,9 +169,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1b/crypto/evp/e
#include "evp_locl.h" #include "evp_locl.h"
/* Password based encryption (PBE) functions */ /* Password based encryption (PBE) functions */
diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/kdf_lib.c diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c
--- openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf 2019-02-28 13:05:05.652521456 +0100 --- openssl-1.1.1d/crypto/evp/kdf_lib.c.evp-kdf 2019-09-13 15:39:24.146914543 +0200
+++ openssl-1.1.1b/crypto/evp/kdf_lib.c 2019-02-28 13:05:05.652521456 +0100 +++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-09-13 15:39:24.146914543 +0200
@@ -0,0 +1,165 @@ @@ -0,0 +1,165 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -343,9 +338,9 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k
+ return ctx->kmeth->derive(ctx->impl, key, keylen); + return ctx->kmeth->derive(ctx->impl, key, keylen);
+} +}
+ +
diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/p5_crpt2.c diff -up openssl-1.1.1d/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1d/crypto/evp/p5_crpt2.c
--- openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/evp/p5_crpt2.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/evp/p5_crpt2.c 2019-02-28 13:05:05.652521456 +0100 +++ openssl-1.1.1d/crypto/evp/p5_crpt2.c 2019-09-13 15:39:24.147914525 +0200
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
@ -494,9 +489,9 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/
} }
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/evp/pbe_scrypt.c diff -up openssl-1.1.1d/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1d/crypto/evp/pbe_scrypt.c
--- openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/evp/pbe_scrypt.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/evp/pbe_scrypt.c 2019-02-28 13:33:18.446264056 +0100 +++ openssl-1.1.1d/crypto/evp/pbe_scrypt.c 2019-09-13 15:39:24.150914473 +0200
@@ -7,135 +7,12 @@ @@ -7,135 +7,12 @@
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
@ -682,9 +677,11 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
- */ - */
- if (Blen > INT_MAX) { - if (Blen > INT_MAX) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); - EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
- return 0; + if (r > UINT32_MAX || p > UINT32_MAX) {
- } + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
- return 0;
}
- /* - /*
- * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t - * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
- * This is combined size V, X and T (section 4) - * This is combined size V, X and T (section 4)
@ -692,21 +689,18 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
- i = UINT64_MAX / (32 * sizeof(uint32_t)); - i = UINT64_MAX / (32 * sizeof(uint32_t));
- if (N + 2 > i / r) { - if (N + 2 > i / r) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); - EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
+ if (r > UINT32_MAX || p > UINT32_MAX) {
+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
return 0;
}
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
- /* check total allocated size fits in uint64_t */
- if (Blen > UINT64_MAX - Vlen) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
- return 0; - return 0;
+ /* Maintain existing behaviour. */ + /* Maintain existing behaviour. */
+ if (pass == NULL) { + if (pass == NULL) {
+ pass = empty; + pass = empty;
+ passlen = 0; + passlen = 0;
+ } }
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
-
- /* check total allocated size fits in uint64_t */
- if (Blen > UINT64_MAX - Vlen) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
- return 0;
+ if (salt == NULL) { + if (salt == NULL) {
+ salt = (const unsigned char *)empty; + salt = (const unsigned char *)empty;
+ saltlen = 0; + saltlen = 0;
@ -768,9 +762,9 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
} }
+ +
#endif #endif
diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/pkey_kdf.c diff -up openssl-1.1.1d/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1d/crypto/evp/pkey_kdf.c
--- openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf 2019-02-28 13:05:05.653521437 +0100 --- openssl-1.1.1d/crypto/evp/pkey_kdf.c.evp-kdf 2019-09-13 15:39:24.154914402 +0200
+++ openssl-1.1.1b/crypto/evp/pkey_kdf.c 2019-02-28 13:05:05.653521437 +0100 +++ openssl-1.1.1d/crypto/evp/pkey_kdf.c 2019-09-13 15:39:24.154914402 +0200
@@ -0,0 +1,255 @@ @@ -0,0 +1,255 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1027,9 +1021,9 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
+ pkey_kdf_ctrl_str + pkey_kdf_ctrl_str
+}; +};
+ +
diff -up openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1b/crypto/include/internal/evp_int.h diff -up openssl-1.1.1d/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1d/crypto/include/internal/evp_int.h
--- openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf 2019-02-28 13:05:05.304527888 +0100 --- openssl-1.1.1d/crypto/include/internal/evp_int.h.evp-kdf 2019-09-13 15:39:19.873989785 +0200
+++ openssl-1.1.1b/crypto/include/internal/evp_int.h 2019-02-28 13:05:05.653521437 +0100 +++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-09-13 15:39:24.155914384 +0200
@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m @@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
extern const EVP_PKEY_METHOD poly1305_pkey_meth; extern const EVP_PKEY_METHOD poly1305_pkey_meth;
extern const EVP_PKEY_METHOD siphash_pkey_meth; extern const EVP_PKEY_METHOD siphash_pkey_meth;
@ -1055,17 +1049,17 @@ diff -up openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1b
struct evp_md_st { struct evp_md_st {
int type; int type;
int pkey_type; int pkey_type;
diff -up openssl-1.1.1b/crypto/kdf/build.info.evp-kdf openssl-1.1.1b/crypto/kdf/build.info diff -up openssl-1.1.1d/crypto/kdf/build.info.evp-kdf openssl-1.1.1d/crypto/kdf/build.info
--- openssl-1.1.1b/crypto/kdf/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/kdf/build.info.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/kdf/build.info 2019-02-28 13:05:05.653521437 +0100 +++ openssl-1.1.1d/crypto/kdf/build.info 2019-09-13 15:39:24.156914367 +0200
@@ -1,3 +1,3 @@ @@ -1,3 +1,3 @@
LIBS=../../libcrypto LIBS=../../libcrypto
SOURCE[../../libcrypto]=\ SOURCE[../../libcrypto]=\
- tls1_prf.c kdf_err.c hkdf.c scrypt.c - tls1_prf.c kdf_err.c hkdf.c scrypt.c
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c + tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf.c diff -up openssl-1.1.1d/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1d/crypto/kdf/hkdf.c
--- openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/kdf/hkdf.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/kdf/hkdf.c 2019-02-28 13:05:05.653521437 +0100 +++ openssl-1.1.1d/crypto/kdf/hkdf.c 2019-09-13 15:39:24.158914332 +0200
@@ -8,32 +8,33 @@ @@ -8,32 +8,33 @@
*/ */
@ -1532,9 +1526,9 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
err: err:
OPENSSL_cleanse(prev, sizeof(prev)); OPENSSL_cleanse(prev, sizeof(prev));
diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_err.c diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c
--- openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/kdf/kdf_err.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/kdf/kdf_err.c 2019-02-28 13:05:05.654521419 +0100 +++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-09-13 15:39:24.159914314 +0200
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* /*
* Generated by util/mkerr.pl DO NOT EDIT * Generated by util/mkerr.pl DO NOT EDIT
@ -1590,9 +1584,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/k
{0, NULL} {0, NULL}
}; };
diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_local.h diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h
--- openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf 2019-02-28 13:05:05.654521419 +0100 --- openssl-1.1.1d/crypto/kdf/kdf_local.h.evp-kdf 2019-09-13 15:39:24.160914297 +0200
+++ openssl-1.1.1b/crypto/kdf/kdf_local.h 2019-02-28 13:05:05.654521419 +0100 +++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-09-13 15:39:24.160914297 +0200
@@ -0,0 +1,22 @@ @@ -0,0 +1,22 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1616,9 +1610,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
+ int cmd, const char *md_name); + int cmd, const char *md_name);
+ +
diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_util.c diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c
--- openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100 --- openssl-1.1.1d/crypto/kdf/kdf_util.c.evp-kdf 2019-09-13 15:39:24.161914279 +0200
+++ openssl-1.1.1b/crypto/kdf/kdf_util.c 2019-02-28 13:05:05.654521419 +0100 +++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-09-13 15:39:24.160914297 +0200
@@ -0,0 +1,73 @@ @@ -0,0 +1,73 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1693,9 +1687,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/
+ return call_ctrl(ctrl, impl, cmd, md); + return call_ctrl(ctrl, impl, cmd, md);
+} +}
+ +
diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pbkdf2.c diff -up openssl-1.1.1d/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1d/crypto/kdf/pbkdf2.c
--- openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100 --- openssl-1.1.1d/crypto/kdf/pbkdf2.c.evp-kdf 2019-09-13 15:39:24.162914261 +0200
+++ openssl-1.1.1b/crypto/kdf/pbkdf2.c 2019-02-28 13:05:05.654521419 +0100 +++ openssl-1.1.1d/crypto/kdf/pbkdf2.c 2019-09-13 15:39:24.162914261 +0200
@@ -0,0 +1,264 @@ @@ -0,0 +1,264 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1961,9 +1955,9 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb
+ HMAC_CTX_free(hctx_tpl); + HMAC_CTX_free(hctx_tpl);
+ return ret; + return ret;
+} +}
diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/scrypt.c diff -up openssl-1.1.1d/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1d/crypto/kdf/scrypt.c
--- openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/kdf/scrypt.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/kdf/scrypt.c 2019-02-28 13:05:05.655521400 +0100 +++ openssl-1.1.1d/crypto/kdf/scrypt.c 2019-09-13 15:39:24.164914226 +0200
@@ -8,25 +8,34 @@ @@ -8,25 +8,34 @@
*/ */
@ -2552,9 +2546,9 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
+} +}
#endif #endif
diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/tls1_prf.c diff -up openssl-1.1.1d/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1d/crypto/kdf/tls1_prf.c
--- openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/kdf/tls1_prf.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/kdf/tls1_prf.c 2019-02-28 13:05:05.655521400 +0100 +++ openssl-1.1.1d/crypto/kdf/tls1_prf.c 2019-09-13 15:39:24.167914173 +0200
@@ -8,11 +8,15 @@ @@ -8,11 +8,15 @@
*/ */
@ -2838,9 +2832,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
OPENSSL_clear_free(tmp, olen); OPENSSL_clear_free(tmp, olen);
return 0; return 0;
} }
diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod
--- openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 --- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2019-09-13 15:39:24.169914138 +0200
+++ openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod 2019-02-28 13:05:05.655521400 +0100 +++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-09-13 15:39:24.169914138 +0200
@@ -0,0 +1,217 @@ @@ -0,0 +1,217 @@
+=pod +=pod
+ +
@ -3059,9 +3053,9 @@ diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod diff -up openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod
--- openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 --- openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2019-09-13 15:39:24.171914103 +0200
+++ openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod 2019-02-28 13:05:05.656521382 +0100 +++ openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod 2019-09-13 15:39:24.171914103 +0200
@@ -0,0 +1,180 @@ @@ -0,0 +1,180 @@
+=pod +=pod
+ +
@ -3243,9 +3237,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod diff -up openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod
--- openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 --- openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2019-09-13 15:39:24.172914085 +0200
+++ openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod 2019-02-28 13:05:05.656521382 +0100 +++ openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod 2019-09-13 15:39:24.172914085 +0200
@@ -0,0 +1,78 @@ @@ -0,0 +1,78 @@
+=pod +=pod
+ +
@ -3325,9 +3319,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/m
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod diff -up openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod
--- openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 --- openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2019-09-13 15:39:24.173914068 +0200
+++ openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod 2019-02-28 13:05:05.656521382 +0100 +++ openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod 2019-09-13 15:39:24.173914068 +0200
@@ -0,0 +1,149 @@ @@ -0,0 +1,149 @@
+=pod +=pod
+ +
@ -3478,9 +3472,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/m
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod diff -up openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod
--- openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 --- openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2019-09-13 15:39:24.174914050 +0200
+++ openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod 2019-02-28 13:05:05.656521382 +0100 +++ openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod 2019-09-13 15:39:24.174914050 +0200
@@ -0,0 +1,142 @@ @@ -0,0 +1,142 @@
+=pod +=pod
+ +
@ -3624,18 +3618,10 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/openssl/evperr.h diff -up openssl-1.1.1d/include/openssl/evperr.h.evp-kdf openssl-1.1.1d/include/openssl/evperr.h
--- openssl-1.1.1b/include/openssl/evperr.h.evp-kdf 2019-02-28 13:05:05.633521807 +0100 --- openssl-1.1.1d/include/openssl/evperr.h.evp-kdf 2019-09-13 15:39:20.242983287 +0200
+++ openssl-1.1.1b/include/openssl/evperr.h 2019-02-28 13:05:05.657521363 +0100 +++ openssl-1.1.1d/include/openssl/evperr.h 2019-09-13 15:42:42.818424742 +0200
@@ -1,6 +1,6 @@ @@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void);
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -51,6 +51,9 @@ int ERR_load_EVP_strings(void);
# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
# define EVP_F_EVP_ENCRYPTFINAL_EX 127 # define EVP_F_EVP_ENCRYPTFINAL_EX 127
# define EVP_F_EVP_ENCRYPTUPDATE 167 # define EVP_F_EVP_ENCRYPTUPDATE 167
@ -3645,7 +3631,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_CTX_COPY_EX 110
# define EVP_F_EVP_MD_SIZE 162 # define EVP_F_EVP_MD_SIZE 162
# define EVP_F_EVP_OPENINIT 102 # define EVP_F_EVP_OPENINIT 102
@@ -113,10 +116,12 @@ int ERR_load_EVP_strings(void); @@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void);
# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118 # define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164 # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180
@ -3653,12 +3639,13 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_F_PKEY_SET_TYPE 158 # define EVP_F_PKEY_SET_TYPE 158
# define EVP_F_RC2_MAGIC_TO_METH 109 # define EVP_F_RC2_MAGIC_TO_METH 109
# define EVP_F_RC5_CTRL 125 # define EVP_F_RC5_CTRL 125
# define EVP_F_R_32_12_16_INIT_KEY 242
# define EVP_F_S390X_AES_GCM_CTRL 201 # define EVP_F_S390X_AES_GCM_CTRL 201
+# define EVP_F_SCRYPT_ALG 228 +# define EVP_F_SCRYPT_ALG 228
# define EVP_F_UPDATE 173 # define EVP_F_UPDATE 173
/* /*
@@ -171,6 +176,7 @@ int ERR_load_EVP_strings(void); @@ -180,6 +185,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177 # define EVP_R_ONLY_ONESHOT_SUPPORTED 177
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
# define EVP_R_OPERATON_NOT_INITIALIZED 151 # define EVP_R_OPERATON_NOT_INITIALIZED 151
@ -3666,18 +3653,10 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PARTIALLY_OVERLAPPING 162
# define EVP_R_PBKDF2_ERROR 181 # define EVP_R_PBKDF2_ERROR 181
# define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/openssl/kdferr.h diff -up openssl-1.1.1d/include/openssl/kdferr.h.evp-kdf openssl-1.1.1d/include/openssl/kdferr.h
--- openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/include/openssl/kdferr.h.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/include/openssl/kdferr.h 2019-02-28 13:05:05.657521363 +0100 +++ openssl-1.1.1d/include/openssl/kdferr.h 2019-09-13 15:39:34.856725957 +0200
@@ -1,6 +1,6 @@ @@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -19,6 +19,23 @@ int ERR_load_KDF_strings(void);
/* /*
* KDF function codes. * KDF function codes.
*/ */
@ -3701,7 +3680,7 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/
# define KDF_F_PKEY_HKDF_CTRL_STR 103 # define KDF_F_PKEY_HKDF_CTRL_STR 103
# define KDF_F_PKEY_HKDF_DERIVE 102 # define KDF_F_PKEY_HKDF_DERIVE 102
# define KDF_F_PKEY_HKDF_INIT 108 # define KDF_F_PKEY_HKDF_INIT 108
@@ -30,6 +47,7 @@ int ERR_load_KDF_strings(void); @@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void);
# define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100 # define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100
# define KDF_F_PKEY_TLS1_PRF_DERIVE 101 # define KDF_F_PKEY_TLS1_PRF_DERIVE 101
# define KDF_F_PKEY_TLS1_PRF_INIT 110 # define KDF_F_PKEY_TLS1_PRF_INIT 110
@ -3709,16 +3688,16 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/
# define KDF_F_TLS1_PRF_ALG 111 # define KDF_F_TLS1_PRF_ALG 111
/* /*
@@ -47,5 +65,6 @@ int ERR_load_KDF_strings(void); @@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void);
# define KDF_R_UNKNOWN_PARAMETER_TYPE 103 # define KDF_R_UNKNOWN_PARAMETER_TYPE 103
# define KDF_R_VALUE_ERROR 108 # define KDF_R_VALUE_ERROR 108
# define KDF_R_VALUE_MISSING 102 # define KDF_R_VALUE_MISSING 102
+# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
#endif #endif
diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/openssl/kdf.h diff -up openssl-1.1.1d/include/openssl/kdf.h.evp-kdf openssl-1.1.1d/include/openssl/kdf.h
--- openssl-1.1.1b/include/openssl/kdf.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/include/openssl/kdf.h.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/include/openssl/kdf.h 2019-02-28 13:05:05.657521363 +0100 +++ openssl-1.1.1d/include/openssl/kdf.h 2019-09-13 15:39:34.857725939 +0200
@@ -10,10 +10,50 @@ @@ -10,10 +10,50 @@
#ifndef HEADER_KDF_H #ifndef HEADER_KDF_H
# define HEADER_KDF_H # define HEADER_KDF_H
@ -3797,9 +3776,9 @@ diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/ope
} }
# endif # endif
#endif #endif
diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/include/openssl/ossl_typ.h diff -up openssl-1.1.1d/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1d/include/openssl/ossl_typ.h
--- openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/include/openssl/ossl_typ.h.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/include/openssl/ossl_typ.h 2019-02-28 13:05:05.657521363 +0100 +++ openssl-1.1.1d/include/openssl/ossl_typ.h 2019-09-13 15:39:34.858725922 +0200
@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E @@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
typedef struct evp_pkey_method_st EVP_PKEY_METHOD; typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
@ -3809,10 +3788,10 @@ diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/includ
typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX; typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
typedef struct hmac_ctx_st HMAC_CTX; typedef struct hmac_ctx_st HMAC_CTX;
diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info diff -up openssl-1.1.1d/test/build.info.evp-kdf openssl-1.1.1d/test/build.info
--- openssl-1.1.1b/test/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/test/build.info.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/test/build.info 2019-02-28 13:05:05.657521363 +0100 +++ openssl-1.1.1d/test/build.info 2019-09-13 15:39:34.861725869 +0200
@@ -43,7 +43,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I @@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
bio_callback_test bio_memleak_test \ bio_callback_test bio_memleak_test \
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
@ -3822,7 +3801,7 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
asn1_encode_test asn1_decode_test asn1_string_table_test \ asn1_encode_test asn1_decode_test asn1_string_table_test \
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \ x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest sslbuffertest \ recordlentest drbgtest sslbuffertest \
@@ -335,6 +336,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I @@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
INCLUDE[pkey_meth_kdf_test]=../include INCLUDE[pkey_meth_kdf_test]=../include
DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a
@ -3833,9 +3812,9 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
SOURCE[x509_time_test]=x509_time_test.c SOURCE[x509_time_test]=x509_time_test.c
INCLUDE[x509_time_test]=../include INCLUDE[x509_time_test]=../include
DEPEND[x509_time_test]=../libcrypto libtestutil.a DEPEND[x509_time_test]=../libcrypto libtestutil.a
diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_test.c diff -up openssl-1.1.1d/test/evp_kdf_test.c.evp-kdf openssl-1.1.1d/test/evp_kdf_test.c
--- openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf 2019-02-28 13:05:05.658521345 +0100 --- openssl-1.1.1d/test/evp_kdf_test.c.evp-kdf 2019-09-13 15:39:34.862725851 +0200
+++ openssl-1.1.1b/test/evp_kdf_test.c 2019-02-28 13:05:05.658521345 +0100 +++ openssl-1.1.1d/test/evp_kdf_test.c 2019-09-13 15:39:34.862725851 +0200
@@ -0,0 +1,237 @@ @@ -0,0 +1,237 @@
+/* +/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
@ -4074,10 +4053,10 @@ diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_
+#endif +#endif
+ return 1; + return 1;
+} +}
diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c diff -up openssl-1.1.1d/test/evp_test.c.evp-kdf openssl-1.1.1d/test/evp_test.c
--- openssl-1.1.1b/test/evp_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/test/evp_test.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/test/evp_test.c 2019-02-28 13:05:05.658521345 +0100 +++ openssl-1.1.1d/test/evp_test.c 2019-09-13 15:39:34.865725798 +0200
@@ -1672,13 +1672,14 @@ static const EVP_TEST_METHOD encode_test @@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
encode_test_run, encode_test_run,
}; };
@ -4093,7 +4072,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
/* Expected output */ /* Expected output */
unsigned char *output; unsigned char *output;
size_t output_len; size_t output_len;
@@ -1705,16 +1706,11 @@ static int kdf_test_init(EVP_TEST *t, co @@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co
if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata)))) if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
return 0; return 0;
@ -4111,7 +4090,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
t->data = kdata; t->data = kdata;
return 1; return 1;
} }
@@ -1723,7 +1719,42 @@ static void kdf_test_cleanup(EVP_TEST *t @@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t
{ {
KDF_DATA *kdata = t->data; KDF_DATA *kdata = t->data;
OPENSSL_free(kdata->output); OPENSSL_free(kdata->output);
@ -4155,7 +4134,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
} }
static int kdf_test_parse(EVP_TEST *t, static int kdf_test_parse(EVP_TEST *t,
@@ -1734,7 +1765,7 @@ static int kdf_test_parse(EVP_TEST *t, @@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t,
if (strcmp(keyword, "Output") == 0) if (strcmp(keyword, "Output") == 0)
return parse_bin(value, &kdata->output, &kdata->output_len); return parse_bin(value, &kdata->output, &kdata->output_len);
if (strncmp(keyword, "Ctrl", 4) == 0) if (strncmp(keyword, "Ctrl", 4) == 0)
@ -4164,7 +4143,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
return 0; return 0;
} }
@@ -1748,7 +1779,7 @@ static int kdf_test_run(EVP_TEST *t) @@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t)
t->err = "INTERNAL_ERROR"; t->err = "INTERNAL_ERROR";
goto err; goto err;
} }
@ -4173,7 +4152,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
t->err = "KDF_DERIVE_ERROR"; t->err = "KDF_DERIVE_ERROR";
goto err; goto err;
} }
@@ -1774,6 +1805,106 @@ static const EVP_TEST_METHOD kdf_test_me @@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me
/** /**
@ -4280,7 +4259,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
*** KEYPAIR TESTS *** KEYPAIR TESTS
**/ **/
@@ -2277,6 +2408,7 @@ static const EVP_TEST_METHOD *evp_test_l @@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l
&digestverify_test_method, &digestverify_test_method,
&encode_test_method, &encode_test_method,
&kdf_test_method, &kdf_test_method,
@ -4288,9 +4267,9 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
&keypair_test_method, &keypair_test_method,
&keygen_test_method, &keygen_test_method,
&mac_test_method, &mac_test_method,
diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pkey_meth_kdf_test.c diff -up openssl-1.1.1d/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1d/test/pkey_meth_kdf_test.c
--- openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/test/pkey_meth_kdf_test.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/test/pkey_meth_kdf_test.c 2019-02-28 13:05:05.658521345 +0100 +++ openssl-1.1.1d/test/pkey_meth_kdf_test.c 2019-09-13 15:39:34.867725763 +0200
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* /*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
@ -4494,9 +4473,9 @@ diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pk
} }
#endif #endif
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt 2019-02-28 13:05:05.659521326 +0100 +++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-09-13 15:39:34.870725710 +0200
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
# #
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. -# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
@ -4895,9 +4874,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl
+Ctrl.digest = digest:sha512 +Ctrl.digest = digest:sha512
+Output = 00ef42cdbfc98d29db20976608e455567fdddf14 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14
+ +
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2019-02-28 13:05:05.659521326 +0100 --- openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2019-09-13 15:39:34.873725658 +0200
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt 2019-02-28 13:05:05.659521326 +0100 +++ openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt 2019-09-13 15:39:34.872725675 +0200
@@ -0,0 +1,305 @@ @@ -0,0 +1,305 @@
+# +#
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
@ -5204,9 +5183,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf op
+Ctrl.p = p:1 +Ctrl.p = p:1
+Result = INTERNAL_ERROR +Result = INTERNAL_ERROR
+ +
diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_kdf.t diff -up openssl-1.1.1d/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1d/test/recipes/30-test_evp_kdf.t
--- openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf 2019-02-28 13:05:05.659521326 +0100 --- openssl-1.1.1d/test/recipes/30-test_evp_kdf.t.evp-kdf 2019-09-13 15:39:34.875725622 +0200
+++ openssl-1.1.1b/test/recipes/30-test_evp_kdf.t 2019-02-28 13:05:05.659521326 +0100 +++ openssl-1.1.1d/test/recipes/30-test_evp_kdf.t 2019-09-13 15:39:34.875725622 +0200
@@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
+#! /usr/bin/env perl +#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -5221,9 +5200,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te
+use OpenSSL::Test::Simple; +use OpenSSL::Test::Simple;
+ +
+simple_test("test_evp_kdf", "evp_kdf_test"); +simple_test("test_evp_kdf", "evp_kdf_test");
diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t diff -up openssl-1.1.1d/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1d/test/recipes/30-test_evp.t
--- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200 --- openssl-1.1.1d/test/recipes/30-test_evp.t.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200 +++ openssl-1.1.1d/test/recipes/30-test_evp.t 2019-09-13 15:39:34.876725605 +0200
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
setup("test_evp"); setup("test_evp");
@ -5233,11 +5212,10 @@ diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/r
"evpcase.txt", "evpccmcavs.txt" ); "evpcase.txt", "evpccmcavs.txt" );
plan tests => scalar(@files); plan tests => scalar(@files);
diff -up openssl-1.1.1d/util/libcrypto.num.evp-kdf openssl-1.1.1d/util/libcrypto.num
diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto.num --- openssl-1.1.1d/util/libcrypto.num.evp-kdf 2019-09-13 15:39:20.248983182 +0200
--- openssl-1.1.1b/util/libcrypto.num.evp-kdf 2019-02-28 13:05:05.636521752 +0100 +++ openssl-1.1.1d/util/libcrypto.num 2019-09-13 15:39:34.881725517 +0200
+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 13:05:05.660521308 +0100 @@ -4617,3 +4617,11 @@ FIPS_drbg_get_strength
@@ -4614,3 +4614,11 @@ FIPS_drbg_get_strength
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
@ -5249,9 +5227,9 @@ diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto
+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: +EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: +EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: +EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
diff -up openssl-1.1.1b/util/private.num.evp-kdf openssl-1.1.1b/util/private.num diff -up openssl-1.1.1d/util/private.num.evp-kdf openssl-1.1.1d/util/private.num
--- openssl-1.1.1b/util/private.num.evp-kdf 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/util/private.num.evp-kdf 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/util/private.num 2019-02-28 13:05:05.660521308 +0100 +++ openssl-1.1.1d/util/private.num 2019-09-13 15:39:34.883725481 +0200
@@ -21,6 +21,7 @@ CRYPTO_EX_dup @@ -21,6 +21,7 @@ CRYPTO_EX_dup
CRYPTO_EX_free datatype CRYPTO_EX_free datatype
CRYPTO_EX_new datatype CRYPTO_EX_new datatype


@ -1,7 +1,7 @@
diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1b/crypto/include/internal/rand_int.h diff -up openssl-1.1.1d/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1d/crypto/include/internal/rand_int.h
--- openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test 2019-05-07 08:56:33.242179136 +0200 --- openssl-1.1.1d/crypto/include/internal/rand_int.h.crng-test 2019-09-13 16:03:54.572238927 +0200
+++ openssl-1.1.1b/crypto/include/internal/rand_int.h 2019-05-07 09:54:14.920204875 +0200 +++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2019-09-13 16:03:54.966232056 +0200
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN @@ -48,6 +48,14 @@ size_t rand_drbg_get_additional_data(RAN
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
@ -16,18 +16,18 @@ diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1
/* /*
* RAND_POOL functions * RAND_POOL functions
*/ */
diff -up openssl-1.1.1b/crypto/rand/build.info.crng-test openssl-1.1.1b/crypto/rand/build.info diff -up openssl-1.1.1d/crypto/rand/build.info.crng-test openssl-1.1.1d/crypto/rand/build.info
--- openssl-1.1.1b/crypto/rand/build.info.crng-test 2019-05-07 09:54:14.921204857 +0200 --- openssl-1.1.1d/crypto/rand/build.info.crng-test 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/rand/build.info 2019-05-07 09:55:22.730014705 +0200 +++ openssl-1.1.1d/crypto/rand/build.info 2019-09-13 16:03:54.968232021 +0200
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
LIBS=../../libcrypto LIBS=../../libcrypto
SOURCE[../../libcrypto]=\ SOURCE[../../libcrypto]=\
- randfile.c rand_lib.c rand_err.c rand_egd.c \ - randfile.c rand_lib.c rand_err.c rand_egd.c \
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ + randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/rand/drbg_lib.c diff -up openssl-1.1.1d/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1d/crypto/rand/drbg_lib.c
--- openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/crypto/rand/drbg_lib.c.crng-test 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/crypto/rand/drbg_lib.c 2019-05-07 10:04:51.753157224 +0200 +++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2019-09-13 16:03:54.969232004 +0200
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg; @@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
@ -51,9 +51,9 @@ diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/r
#ifndef RAND_DRBG_GET_RANDOM_NONCE #ifndef RAND_DRBG_GET_RANDOM_NONCE
drbg->get_nonce = rand_drbg_get_nonce; drbg->get_nonce = rand_drbg_get_nonce;
drbg->cleanup_nonce = rand_drbg_cleanup_nonce; drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/crypto/rand/rand_crng_test.c diff -up openssl-1.1.1d/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1d/crypto/rand/rand_crng_test.c
--- openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test 2019-05-07 09:54:14.925204787 +0200 --- openssl-1.1.1d/crypto/rand/rand_crng_test.c.crng-test 2019-09-13 16:03:54.969232004 +0200
+++ openssl-1.1.1b/crypto/rand/rand_crng_test.c 2019-05-07 09:54:14.932204664 +0200 +++ openssl-1.1.1d/crypto/rand/rand_crng_test.c 2019-09-13 16:15:20.834271063 +0200
@@ -0,0 +1,118 @@ @@ -0,0 +1,118 @@
+/* +/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@ -110,7 +110,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+{ +{
+ unsigned char buf[CRNGT_BUFSIZ]; + unsigned char buf[CRNGT_BUFSIZ];
+ +
+ if ((crngt_pool = rand_pool_new(0, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) + if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
+ return 0; + return 0;
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) { + if (crngt_get_entropy(buf, crngt_prev, NULL)) {
+ OPENSSL_cleanse(buf, sizeof(buf)); + OPENSSL_cleanse(buf, sizeof(buf));
@ -147,7 +147,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init)) + if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
+ return 0; + return 0;
+ +
+ if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL) + if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
+ return 0; + return 0;
+ +
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) { + while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
@ -173,9 +173,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+{ +{
+ OPENSSL_secure_clear_free(out, outlen); + OPENSSL_secure_clear_free(out, outlen);
+} +}
diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/rand/rand_lcl.h diff -up openssl-1.1.1d/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1d/crypto/rand/rand_lcl.h
--- openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test 2019-05-07 08:56:33.330177674 +0200 --- openssl-1.1.1d/crypto/rand/rand_lcl.h.crng-test 2019-09-13 16:03:54.653237514 +0200
+++ openssl-1.1.1b/crypto/rand/rand_lcl.h 2019-05-07 09:54:14.933204647 +0200 +++ openssl-1.1.1d/crypto/rand/rand_lcl.h 2019-09-13 16:03:54.969232004 +0200
@@ -33,7 +33,15 @@ @@ -33,7 +33,15 @@
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
@ -193,17 +193,16 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r
/* /*
* Maximum input size for the DRBG (entropy, nonce, personalization string) * Maximum input size for the DRBG (entropy, nonce, personalization string)
@@ -44,7 +52,8 @@ @@ -44,6 +52,8 @@
*/ */
# define DRBG_MAX_LENGTH INT32_MAX # define DRBG_MAX_LENGTH INT32_MAX
-
+/* The default nonce */ +/* The default nonce */
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" +# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
/* /*
* Maximum allocation size for RANDOM_POOL buffers * Maximum allocation size for RANDOM_POOL buffers
@@ -290,4 +299,22 @@ int rand_drbg_enable_locking(RAND_DRBG * @@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
/* initializes the AES-CTR DRBG implementation */ /* initializes the AES-CTR DRBG implementation */
int drbg_ctr_init(RAND_DRBG *drbg); int drbg_ctr_init(RAND_DRBG *drbg);
@ -226,10 +225,10 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r
+int rand_crngt_single_init(void); +int rand_crngt_single_init(void);
+ +
#endif #endif
diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c diff -up openssl-1.1.1d/test/drbgtest.c.crng-test openssl-1.1.1d/test/drbgtest.c
--- openssl-1.1.1b/test/drbgtest.c.crng-test 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/test/drbgtest.c.crng-test 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/test/drbgtest.c 2019-05-07 10:06:24.706551561 +0200 +++ openssl-1.1.1d/test/drbgtest.c 2019-09-13 16:03:54.969232004 +0200
@@ -143,6 +143,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, @@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
return t->noncelen; return t->noncelen;
} }
@ -261,7 +260,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
static int uninstantiate(RAND_DRBG *drbg) static int uninstantiate(RAND_DRBG *drbg)
{ {
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg); int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
@@ -168,7 +193,8 @@ static int single_kat(DRBG_SELFTEST_DATA @@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))) if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
return 0; return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
@ -271,7 +270,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
failures++; failures++;
goto err; goto err;
} }
@@ -286,7 +312,8 @@ static int error_check(DRBG_SELFTEST_DAT @@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
unsigned int reseed_counter_tmp; unsigned int reseed_counter_tmp;
int ret = 0; int ret = 0;
@ -281,7 +280,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
goto err; goto err;
/* /*
@@ -699,6 +726,10 @@ static int test_rand_drbg_reseed(void) @@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
|| !TEST_ptr_eq(private->parent, master)) || !TEST_ptr_eq(private->parent, master))
return 0; return 0;
@ -292,7 +291,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
/* uninstantiate the three global DRBGs */ /* uninstantiate the three global DRBGs */
RAND_DRBG_uninstantiate(private); RAND_DRBG_uninstantiate(private);
RAND_DRBG_uninstantiate(public); RAND_DRBG_uninstantiate(public);
@@ -919,7 +950,8 @@ static int test_rand_seed(void) @@ -964,7 +995,8 @@ static int test_rand_seed(void)
size_t rand_buflen; size_t rand_buflen;
size_t required_seed_buflen = 0; size_t required_seed_buflen = 0;
@ -302,7 +301,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
return 0; return 0;
#ifdef OPENSSL_RAND_SEED_NONE #ifdef OPENSSL_RAND_SEED_NONE
@@ -968,6 +1000,95 @@ static int test_rand_add(void) @@ -1013,6 +1045,95 @@ static int test_rand_add(void)
return 1; return 1;
} }
@ -398,7 +397,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
int setup_tests(void) int setup_tests(void)
{ {
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
@@ -980,5 +1101,6 @@ int setup_tests(void) @@ -1025,5 +1146,6 @@ int setup_tests(void)
#if defined(OPENSSL_THREADS) #if defined(OPENSSL_THREADS)
ADD_TEST(test_multi_thread); ADD_TEST(test_multi_thread);
#endif #endif
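Review bot: The comment `/* The default nonce */` in the rand_lcl.h hunk sits directly above `DRBG_DEFAULT_PERS_STRING`, which by its name and value is a personalization string, not a nonce. These are separate DRBG instantiation inputs in SP 800-90A, so the mislabel can mislead anyone auditing what feeds the DRBG; I would change it to `/* The default personalization string */`. In rand_crng_test.c the two `rand_pool_new()` calls now pass a bare `1` as second argument; a short inline comment naming that parameter (presumably the secure-allocation flag, which this section does not show) would make the intent checkable. Both functions are only partly visible in these hunks.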


@ -1,6 +1,6 @@
diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c diff -up openssl-1.1.1d/crypto/fips/fips.c.fips-post-rand openssl-1.1.1d/crypto/fips/fips.c
--- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200 --- openssl-1.1.1d/crypto/fips/fips.c.fips-post-rand 2019-09-13 16:15:52.656716089 +0200
+++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200 +++ openssl-1.1.1d/crypto/fips/fips.c 2019-09-13 16:44:33.217852364 +0200
@@ -68,6 +68,7 @@ @@ -68,6 +68,7 @@
# include <openssl/fips.h> # include <openssl/fips.h>
@ -46,14 +46,14 @@ diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/
+ +
fips_set_mode(onoff); fips_set_mode(onoff);
+ /* force RNG reseed with entropy from getrandom() on next call */ + /* force RNG reseed with entropy from getrandom() on next call */
+ rand_fork(); + rand_force_reseed();
+ +
ret = 1; ret = 1;
goto end; goto end;
} }
diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h diff -up openssl-1.1.1d/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1d/crypto/include/internal/fips_int.h
--- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200 --- openssl-1.1.1d/crypto/include/internal/fips_int.h.fips-post-rand 2019-09-13 16:15:52.666715914 +0200
+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200 +++ openssl-1.1.1d/crypto/include/internal/fips_int.h 2019-09-13 16:15:52.690715496 +0200
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void); int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void); int FIPS_selftest_cmac(void);
@ -63,24 +63,58 @@ diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openss
int fips_pkey_signature_test(EVP_PKEY *pkey, int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen, const unsigned char *tbs, int tbslen,
const unsigned char *kat, const unsigned char *kat,
diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c diff -up openssl-1.1.1d/crypto/include/internal/rand_int.h.fips-post-rand openssl-1.1.1d/crypto/include/internal/rand_int.h
--- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200 --- openssl-1.1.1d/crypto/include/internal/rand_int.h.fips-post-rand 2019-09-13 16:15:52.307722175 +0200
+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200 +++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2019-09-13 16:41:47.133736023 +0200
@@ -16,10 +16,12 @@ @@ -24,6 +24,7 @@
#include <openssl/rand.h> typedef struct rand_pool_st RAND_POOL;
void rand_cleanup_int(void);
+void rand_force_reseed(void);
void rand_drbg_cleanup_int(void);
void drbg_delete_thread_state(void);
diff -up openssl-1.1.1d/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1d/crypto/rand/drbg_lib.c
--- openssl-1.1.1d/crypto/rand/drbg_lib.c.fips-post-rand 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2019-09-13 16:44:04.808345620 +0200
@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
}
+void rand_force_reseed(void)
+{
+ RAND_DRBG *drbg;
+
+ drbg = RAND_DRBG_get0_master();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_private();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_public();
+ drbg->fork_id = 0;
+}
+
/* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness)
{
diff -up openssl-1.1.1d/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1d/crypto/rand/rand_unix.c
--- openssl-1.1.1d/crypto/rand/rand_unix.c.fips-post-rand 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1d/crypto/rand/rand_unix.c 2019-09-13 16:15:52.690715496 +0200
@@ -17,10 +17,12 @@
#include <openssl/crypto.h>
#include "rand_lcl.h" #include "rand_lcl.h"
#include "internal/rand_int.h" #include "internal/rand_int.h"
+#include "internal/fips_int.h" +#include "internal/fips_int.h"
#include <stdio.h> #include <stdio.h>
#include "internal/dso.h" #include "internal/dso.h"
#if defined(__linux) #ifdef __linux
-# include <asm/unistd.h> # include <sys/syscall.h>
+# include <sys/syscall.h>
+# include <sys/random.h> +# include <sys/random.h>
#endif # ifdef DEVRANDOM_WAIT
#if defined(__FreeBSD__) # include <sys/shm.h>
# include <sys/types.h> # include <sys/utsname.h>
@@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf, @@ -295,7 +297,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call * syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error. * returns the number of bytes returned in buf, or < 0 on error.
*/ */
@ -89,7 +123,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
{ {
/* /*
* Note: 'buflen' equals the size of the buffer which is used by the * Note: 'buflen' equals the size of the buffer which is used by the
@@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf, @@ -317,6 +319,7 @@ static ssize_t syscall_random(void *buf,
* - Linux since 3.17 with glibc 2.25 * - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061) * - FreeBSD since 12.0 (1200061)
*/ */
@ -97,7 +131,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak)); extern int getentropy(void *buffer, size_t length) __attribute__((weak));
@@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf, @@ -338,10 +341,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL) if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif # endif
@ -111,19 +145,17 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen); return sysctl_random(buf, buflen);
# else # else
@@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -576,6 +579,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t bytes_needed; size_t entropy_available;
size_t entropy_available = 0;
unsigned char *buffer;
-
# if defined(OPENSSL_RAND_SEED_GETRANDOM) # if defined(OPENSSL_RAND_SEED_GETRANDOM)
+ int in_post; + int in_post;
+ +
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) { + for (in_post = fips_in_post(); in_post >= 0; --in_post) {
{ {
ssize_t bytes; size_t bytes_needed;
/* Maximum allowed number of consecutive unsuccessful attempts */ unsigned char *buffer;
@@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -586,7 +592,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) { while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed); buffer = rand_pool_add_begin(pool, bytes_needed);
@ -132,7 +164,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
if (bytes > 0) { if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes); rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes; bytes_needed -= bytes;
@@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -621,8 +627,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3; int attempts = 3;
const int fd = get_random_device(i); const int fd = get_random_device(i);
@ -144,8 +176,8 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
while (bytes_needed != 0 && attempts-- > 0) { while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed); buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -685,7 +693,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
} return entropy_available;
} }
# endif # endif
- -
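Review bot: `rand_force_reseed()` in the drbg_lib.c hunk dereferences the results of `RAND_DRBG_get0_master()`, `RAND_DRBG_get0_private()` and `RAND_DRBG_get0_public()` without a NULL check, and those getters return NULL when DRBG setup fails. It is called from the FIPS mode switch right after `fips_set_mode(onoff)`, so a failed DRBG initialisation would become a crash there rather than an error return; guard each write, e.g. `if (drbg != NULL) drbg->fork_id = 0;`. The write to the master DRBG's `fork_id` also appears to happen without taking that DRBG's lock, and only the calling thread's thread-local public and private instances are reset, so a comment stating that both are intended would help. The calling function in fips.c lies mostly outside the visible hunk.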

File diff suppressed because it is too large


@ -1,17 +1,16 @@
diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in
--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in 2019-05-07 11:52:35.885597934 +0200 +++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in 2019-09-13 15:11:07.358687169 +0200
@@ -141,22 +141,23 @@ our @tests = ( @@ -147,22 +147,22 @@ our @tests = (
{ {
name => "ECDSA with brainpool", name => "ECDSA with brainpool",
server => { server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1", - "Groups" => "brainpoolP256r1",
+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), + "Certificate" => test_pem("server-ecdsa-cert.pem"),
+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), + "PrivateKey" => test_pem("server-ecdsa-key.pem"),
+# "Groups" => "brainpoolP256r1", +# "Groups" => "brainpoolP256r1",
+ "CipherString" => "aNULL",
}, },
client => { client => {
#We don't restrict this to TLSv1.2, although use of brainpool #We don't restrict this to TLSv1.2, although use of brainpool
@ -32,17 +31,16 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
"ExpectedResult" => "Success" "ExpectedResult" => "Success"
}, },
}, },
@@ -787,18 +788,19 @@ my @tests_tls_1_3 = ( @@ -853,18 +853,18 @@ my @tests_tls_1_3 = (
{ {
name => "TLS 1.3 ECDSA with brainpool", name => "TLS 1.3 ECDSA with brainpool",
server => { server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1", - "Groups" => "brainpoolP256r1",
+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), + "Certificate" => test_pem("server-ecdsa-cert.pem"),
+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), + "PrivateKey" => test_pem("server-ecdsa-key.pem"),
+# "Groups" => "brainpoolP256r1", +# "Groups" => "brainpoolP256r1",
+ "CipherString" => "aNULL",
}, },
client => { client => {
"RequestCAFile" => test_pem("root-cert.pem"), "RequestCAFile" => test_pem("root-cert.pem"),
@ -57,20 +55,19 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
}, },
}, },
); );
diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf
--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-02-26 15:15:30.000000000 +0100 --- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf 2019-05-07 12:15:12.762907496 +0200 +++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf 2019-09-13 15:12:27.380288469 +0200
@@ -233,23 +233,18 @@ server = 5-ECDSA with brainpool-server @@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server
client = 5-ECDSA with brainpool-client client = 5-ECDSA with brainpool-client
[5-ECDSA with brainpool-server] [5-ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-CipherString = DEFAULT +Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
CipherString = DEFAULT
-Groups = brainpoolP256r1 -Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+CipherString = aNULL
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-ECDSA with brainpool-client] [5-ECDSA with brainpool-client]
CipherString = aECDSA CipherString = aECDSA
@ -87,28 +84,27 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-
# =========================================================== # ===========================================================
@@ -1577,14 +1572,12 @@ server = 47-TLS 1.3 ECDSA with brainpool @@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool
client = 47-TLS 1.3 ECDSA with brainpool-client client = 52-TLS 1.3 ECDSA with brainpool-client
[47-TLS 1.3 ECDSA with brainpool-server] [52-TLS 1.3 ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-CipherString = DEFAULT +Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
CipherString = DEFAULT
-Groups = brainpoolP256r1 -Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+CipherString = aNULL
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[47-TLS 1.3 ECDSA with brainpool-client] [52-TLS 1.3 ECDSA with brainpool-client]
CipherString = DEFAULT CipherString = DEFAULT
-Groups = brainpoolP256r1 -Groups = brainpoolP256r1
MaxProtocol = TLSv1.3 MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3 MinProtocol = TLSv1.3
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
@@ -1592,7 +1585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro @@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
VerifyMode = Peer VerifyMode = Peer
[test-47] [test-52]
-ExpectedResult = ServerFail -ExpectedResult = ServerFail
+ExpectedResult = Success +ExpectedResult = Success


@ -0,0 +1,12 @@
diff -up openssl-1.1.1d/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1d/Configurations/unix-Makefile.tmpl
--- openssl-1.1.1d/Configurations/unix-Makefile.tmpl.no-html 2019-09-13 15:00:32.976774673 +0200
+++ openssl-1.1.1d/Configurations/unix-Makefile.tmpl 2019-09-13 15:02:22.283864321 +0200
@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
-install_docs: install_man_docs install_html_docs
+install_docs: install_man_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r $(DESTDIR)$(DOCDIR)


@ -1,534 +1,153 @@
diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c commit 515c728dbaa92211d2eafb0041ab9fcd258fdc41
--- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200 Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
+++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200 Date: Mon Sep 9 19:12:25 2019 +0200
@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha256;
- return 2;
+ return 1;
default:
return -2;
diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
--- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200
@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item
}
#ifndef OPENSSL_NO_ERR
-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
-# define SPACE_SYS_STR_REASONS 4 * 1024
+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
+# define SPACE_SYS_STR_REASONS 8 * 1024
# define NUM_SYS_STR_REASONS 127
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void)
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
- if (str->string == NULL) {
+ /*
+ * If we have used up all the space in strerror_pool,
+ * there's no point in calling openssl_strerror_r()
+ */
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
size_t l = strlen(cur);
str->string = cur;
cnt += l;
- if (cnt > sizeof(strerror_pool))
- cnt = sizeof(strerror_pool);
cur += l;
/*
* VMS has an unusual quirk of adding spaces at the end of
- * some (most? all?) messages. Lets trim them off.
+ * some (most? all?) messages. Lets trim them off.
*/
- while (ossl_isspace(cur[-1])) {
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
cur--;
cnt--;
}
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c
--- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200
@@ -239,8 +239,9 @@ size_t rand_drbg_get_nonce(RAND_DRBG *dr
struct {
void * instance;
int count;
- } data = { NULL, 0 };
+ } data;
+ memset(&data, 0, sizeof(data));
pool = rand_pool_new(0, min_len, max_len);
if (pool == NULL)
return 0;
From 6c2f347c78a530407b5310497080810094427920 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 17 Apr 2019 11:09:05 +0100
Subject: [PATCH 1/2] Defer sending a KeyUpdate until after pending writes are
complete
If we receive a KeyUpdate message (update requested) from the peer while Fix potential memory leaks with BN_to_ASN1_INTEGER
we are in the middle of a write, we should defer sending the responding
KeyUpdate message until after the current write is complete. We do this Reviewed-by: Paul Dale <paul.dale@oracle.com>
by waiting to send the KeyUpdate until the next time we write and there is Reviewed-by: Matt Caswell <matt@openssl.org>
no pending write data. (Merged from https://github.com/openssl/openssl/pull/9833)
(cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09)
This does imply a subtle change in behaviour. Firstly the responding diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
KeyUpdate message won't be sent straight away as it is now. Secondly if index 1ce1181fc1..7cbf8de981 100644
the peer sends multiple KeyUpdates without us doing any writing then we --- a/crypto/ec/ec_asn1.c
will only send one response, as opposed to previously where we sent a +++ b/crypto/ec/ec_asn1.c
response for each KeyUpdate received. @@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
unsigned char *buffer = NULL;
Fixes #8677 const EC_POINT *point = NULL;
point_conversion_form_t form;
Reviewed-by: Ben Kaduk <kaduk@mit.edu> + ASN1_INTEGER *orig;
(Merged from https://github.com/openssl/openssl/pull/8773)
(cherry picked from commit feb9e31c40c49de6384dd0413685e9b5a15adc99)
---
ssl/record/rec_layer_s3.c | 7 +++++++
ssl/statem/statem_clnt.c | 6 ------
ssl/statem/statem_lib.c | 7 ++-----
ssl/statem/statem_srvr.c | 6 ------
4 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index b2f97ef905..b65137c332 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -373,6 +373,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
s->rlayer.wnum = 0; if (params == NULL) {
if ((ret = ECPARAMETERS_new()) == NULL) {
+ /* @@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
+ * If we are supposed to be sending a KeyUpdate then go into init unless we ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
+ * have writes pending - in which case we should finish doing that first. goto err;
+ */
+ if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE)
+ ossl_statem_set_in_init(s, 1);
+
/*
* When writing early data on the server side we could be "in_init" in
* between receiving the EoED and the CF - but we don't want to handle those
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 87800cd835..6410414fb6 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_CR_KEY_UPDATE:
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
- st->hand_state = TLS_ST_CW_KEY_UPDATE;
- return WRITE_TRAN_CONTINUE;
- }
- /* Fall through */
-
case TLS_ST_CW_KEY_UPDATE:
case TLS_ST_CR_SESSION_TICKET:
case TLS_ST_CW_FINISHED:
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c0482b0a90..2960dafa52 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -645,12 +645,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
/*
* If we get a request for us to update our sending keys too then, we need
* to additionally send a KeyUpdate message. However that message should
- * not also request an update (otherwise we get into an infinite loop). We
- * ignore a request for us to update our sending keys too if we already
- * sent close_notify.
+ * not also request an update (otherwise we get into an infinite loop).
*/
- if (updatetype == SSL_KEY_UPDATE_REQUESTED
- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
+ if (updatetype == SSL_KEY_UPDATE_REQUESTED)
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
if (!tls13_update_key(s, 0)) {
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d454326a99..04a23320fc 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -502,12 +502,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_SR_KEY_UPDATE:
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
- st->hand_state = TLS_ST_SW_KEY_UPDATE;
- return WRITE_TRAN_CONTINUE;
- }
- /* Fall through */
-
case TLS_ST_SW_KEY_UPDATE:
st->hand_state = TLS_ST_OK;
return WRITE_TRAN_CONTINUE;
--
2.20.1
From c8feb1039ccc4cd11e6db084df1446bf863bee1e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 17 Apr 2019 10:30:53 +0100
Subject: [PATCH 2/2] Write a test for receiving a KeyUpdate (update requested)
while writing
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8773)
(cherry picked from commit a77b4dba237d001073d2d1c5d55c674a196c949f)
---
test/sslapitest.c | 92 +++++++++++++++++++++++++++++++++++++++++++++
test/ssltestlib.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++
test/ssltestlib.h | 3 ++
3 files changed, 191 insertions(+)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 2261fe4a7a..577342644d 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4290,6 +4290,11 @@ static int test_key_update(void)
|| !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
strlen(mess)))
goto end;
+
+ if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
+ || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
+ strlen(mess)))
+ goto end;
} }
- ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
testresult = 1; + ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);
@@ -4302,6 +4307,91 @@ static int test_key_update(void) if (ret->order == NULL) {
+ ret->order = orig;
return testresult; ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
} goto err;
+ }
+/* @@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
+ * Test we can handle a KeyUpdate (update requested) message while write data /* set the cofactor (optional) */
+ * is pending. tmp = EC_GROUP_get0_cofactor(group);
+ * Test 0: Client sends KeyUpdate while Server is writing if (tmp != NULL) {
+ * Test 1: Server sends KeyUpdate while Client is writing - ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
+ */ + ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);
+static int test_key_update_in_write(int tst) if (ret->cofactor == NULL) {
+{ + ret->cofactor = orig;
+ SSL_CTX *cctx = NULL, *sctx = NULL; ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
+ SSL *clientssl = NULL, *serverssl = NULL; goto err;
+ int testresult = 0; }
+ char buf[20]; diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
+ static char *mess = "A test message"; index 089f2ae29f..ef2d64826f 100644
+ BIO *bretry = BIO_new(bio_s_always_retry()); --- a/crypto/x509v3/v3_asid.c
+ BIO *tmp = NULL; +++ b/crypto/x509v3/v3_asid.c
+ SSL *peerupdate = NULL, *peerwrite = NULL; @@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor,
+ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
+ if (!TEST_ptr(bretry)
+ || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ TLS1_3_VERSION,
+ 0,
+ &sctx, &cctx, cert, privkey))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL))
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ peerupdate = tst == 0 ? clientssl : serverssl;
+ peerwrite = tst == 0 ? serverssl : clientssl;
+
+ if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
+ || !TEST_true(SSL_do_handshake(peerupdate)))
+ goto end;
+
+ /* Swap the writing endpoint's write BIO to force a retry */
+ tmp = SSL_get_wbio(peerwrite);
+ if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
+ tmp = NULL;
+ goto end;
+ }
+ SSL_set0_wbio(peerwrite, bretry);
+ bretry = NULL;
+
+ /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
+ goto end;
+
+ /* Reinstate the original writing endpoint's write BIO */
+ SSL_set0_wbio(peerwrite, tmp);
+ tmp = NULL;
+
+ /* Now read some data - we will read the key update */
+ if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
+ goto end;
+
+ /*
+ * Complete the write we started previously and read it from the other
+ * endpoint
+ */
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
+ goto end;
+
+ /* Write more data to ensure we send the KeyUpdate message back */
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ BIO_free(bretry);
+ BIO_free(tmp);
+
+ return testresult;
+}
#endif /* OPENSSL_NO_TLS1_3 */
static int test_ssl_clear(int idx)
@@ -5982,6 +6072,7 @@ int setup_tests(void)
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_export_key_mat_early, 3);
ADD_TEST(test_key_update);
+ ADD_ALL_TESTS(test_key_update_in_write, 2);
#endif
ADD_ALL_TESTS(test_ssl_clear, 2);
ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
@@ -6002,4 +6093,5 @@ int setup_tests(void)
void cleanup_tests(void)
{ {
bio_s_mempacket_test_free(); ASN1_INTEGER *a_max_plus_one = NULL;
+ bio_s_always_retry_free(); + ASN1_INTEGER *orig;
} BIGNUM *bn = NULL;
diff --git a/test/ssltestlib.c b/test/ssltestlib.c int i, ret = 0;
index 05139be750..e1038620ac 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -62,9 +62,11 @@ static int tls_dump_puts(BIO *bp, const char *str);
/* Choose a sufficiently large type likely to be unused for this custom BIO */
#define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER)
#define BIO_TYPE_MEMPACKET_TEST 0x81
+#define BIO_TYPE_ALWAYS_RETRY 0x82
static BIO_METHOD *method_tls_dump = NULL; @@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
static BIO_METHOD *meth_mem = NULL; */
+static BIO_METHOD *meth_always_retry = NULL; if ((bn == NULL && (bn = BN_new()) == NULL) ||
ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
- !BN_add_word(bn, 1) ||
- (a_max_plus_one =
- BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
+ !BN_add_word(bn, 1)) {
+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
+ ERR_R_MALLOC_FAILURE);
+ goto done;
+ }
+
+ if ((a_max_plus_one =
+ BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
+ a_max_plus_one = orig;
X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
ERR_R_MALLOC_FAILURE);
goto done;
@@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid)
static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
{
ASN1_INTEGER *a_max_plus_one = NULL;
+ ASN1_INTEGER *orig;
BIGNUM *bn = NULL;
int i, ret = 0;
/* Note: Not thread safe! */ @@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
const BIO_METHOD *bio_f_tls_dump_filter(void) */
@@ -612,6 +614,100 @@ static int mempacket_test_puts(BIO *bio, const char *str) if ((bn == NULL && (bn = BN_new()) == NULL) ||
return mempacket_test_write(bio, str, strlen(str)); ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
} - !BN_add_word(bn, 1) ||
- (a_max_plus_one =
+static int always_retry_new(BIO *bi); - BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
+static int always_retry_free(BIO *a); + !BN_add_word(bn, 1)) {
+static int always_retry_read(BIO *b, char *out, int outl); + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
+static int always_retry_write(BIO *b, const char *in, int inl); + ERR_R_MALLOC_FAILURE);
+static long always_retry_ctrl(BIO *b, int cmd, long num, void *ptr); + goto done;
+static int always_retry_gets(BIO *bp, char *buf, int size); + }
+static int always_retry_puts(BIO *bp, const char *str);
+ +
+const BIO_METHOD *bio_s_always_retry(void) + if ((a_max_plus_one =
+{ + BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
+ if (meth_always_retry == NULL) { + a_max_plus_one = orig;
+ if (!TEST_ptr(meth_always_retry = BIO_meth_new(BIO_TYPE_ALWAYS_RETRY, X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
+ "Always Retry")) ERR_R_MALLOC_FAILURE);
+ || !TEST_true(BIO_meth_set_write(meth_always_retry, goto done;
+ always_retry_write)) commit 86ed78676c660b553696cc10c682962522dfeb6c
+ || !TEST_true(BIO_meth_set_read(meth_always_retry, Author: Tomas Mraz <tmraz@fedoraproject.org>
+ always_retry_read)) Date: Thu Sep 12 12:27:36 2019 +0200
+ || !TEST_true(BIO_meth_set_puts(meth_always_retry,
+ always_retry_puts))
+ || !TEST_true(BIO_meth_set_gets(meth_always_retry,
+ always_retry_gets))
+ || !TEST_true(BIO_meth_set_ctrl(meth_always_retry,
+ always_retry_ctrl))
+ || !TEST_true(BIO_meth_set_create(meth_always_retry,
+ always_retry_new))
+ || !TEST_true(BIO_meth_set_destroy(meth_always_retry,
+ always_retry_free)))
+ return NULL;
+ }
+ return meth_always_retry;
+}
+
+void bio_s_always_retry_free(void)
+{
+ BIO_meth_free(meth_always_retry);
+}
+
+static int always_retry_new(BIO *bio)
+{
+ BIO_set_init(bio, 1);
+ return 1;
+}
+
+static int always_retry_free(BIO *bio)
+{
+ BIO_set_data(bio, NULL);
+ BIO_set_init(bio, 0);
+ return 1;
+}
+
+static int always_retry_read(BIO *bio, char *out, int outl)
+{
+ BIO_set_retry_read(bio);
+ return -1;
+}
+
+static int always_retry_write(BIO *bio, const char *in, int inl)
+{
+ BIO_set_retry_write(bio);
+ return -1;
+}
+
+static long always_retry_ctrl(BIO *bio, int cmd, long num, void *ptr)
+{
+ long ret = 1;
+
+ switch (cmd) {
+ case BIO_CTRL_FLUSH:
+ BIO_set_retry_write(bio);
+ /* fall through */
+ case BIO_CTRL_EOF:
+ case BIO_CTRL_RESET:
+ case BIO_CTRL_DUP:
+ case BIO_CTRL_PUSH:
+ case BIO_CTRL_POP:
+ default:
+ ret = 0;
+ break;
+ }
+ return ret;
+}
+
+static int always_retry_gets(BIO *bio, char *buf, int size)
+{
+ BIO_set_retry_read(bio);
+ return -1;
+}
+
+static int always_retry_puts(BIO *bio, const char *str)
+{
+ BIO_set_retry_write(bio);
+ return -1;
+}
+
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index fa19e7d80d..56e323f5bc 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -30,6 +30,9 @@ void bio_f_tls_dump_filter_free(void);
const BIO_METHOD *bio_s_mempacket_test(void);
void bio_s_mempacket_test_free(void);
+const BIO_METHOD *bio_s_always_retry(void);
+void bio_s_always_retry_free(void);
+
/* Packet types - value 0 is reserved */
#define INJECT_PACKET 1
#define INJECT_PACKET_IGNORE_REC_SEQ 2
--
2.20.1
diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h BIO_f_zlib: Properly handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls.
--- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200 There can be data to write in output buffer and data to read that were
@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan not yet read in the input stream.
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
} Fixes #9866
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9877)
(cherry picked from commit 6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95)
diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
index d688deee5f..7c1be358fd 100644
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -598,6 +598,28 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
BIO_copy_next_retry(b);
break;
+/* Returns the value unmodified, but avoids optimizations. */ + case BIO_CTRL_WPENDING:
+static ossl_inline unsigned int value_barrier(unsigned int a) + if (ctx->obuf == NULL)
+{ + return 0;
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ unsigned int r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile unsigned int r = a;
+#endif
+ return r;
+}
+ +
+/* Convenience method for uint32_t. */ + if (ctx->odone) {
+static ossl_inline uint32_t value_barrier_32(uint32_t a) + ret = ctx->ocount;
+{ + } else {
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) + ret = ctx->ocount;
+ uint32_t r; + if (ret == 0)
+ __asm__("" : "=r"(r) : "0"(a)); + /* Unknown amount pending but we are not finished */
+#else + ret = 1;
+ volatile uint32_t r = a; + }
+#endif + if (ret == 0)
+ return r; + ret = BIO_ctrl(next, cmd, num, ptr);
+} + break;
+ +
+/* Convenience method for uint64_t. */ + case BIO_CTRL_PENDING:
+static ossl_inline uint64_t value_barrier_64(uint64_t a) + ret = ctx->zin.avail_in;
+{ + if (ret == 0)
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) + ret = BIO_ctrl(next, cmd, num, ptr);
+ uint64_t r; + break;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint64_t r = a;
+#endif
+ return r;
+}
+ +
+/* Convenience method for size_t. */ default:
+static ossl_inline size_t value_barrier_s(size_t a) ret = BIO_ctrl(next, cmd, num, ptr);
+{ break;
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ size_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile size_t r = a;
+#endif
+ return r;
+}
+
static ossl_inline unsigned int constant_time_select(unsigned int mask,
unsigned int a,
unsigned int b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
}
static ossl_inline size_t constant_time_select_s(size_t mask,
size_t a,
size_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
}
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
uint32_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
}
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
uint64_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
}
/*
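Review bot: In the new content of this patch file, the `crypto/ec/ec_asn1.c` hunks (`ret->order`, `ret->cofactor`) and both `crypto/x509v3/v3_asid.c` hunks (`a_max_plus_one`) save the previous pointer through an assignment buried in the argument list, e.g. `ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);`. The evaluation order is well defined, but the save is easy to miss when reading the failure branch that restores it, and a later edit could drop it and reintroduce the leak named in the commit title. I would hoist it to its own statement, `orig = ret->order;`, followed by `ret->order = BN_to_ASN1_INTEGER(tmp, orig);`, and do the same at the other three sites. A one-line comment would also help: `/* on failure keep the old object so the cleanup path can still free it */`. The cleanup labels (`err`, `done`) are outside the visible hunks, so presumably they free these pointers; worth confirming before relying on the restore.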


@ -1,12 +1,12 @@
diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h diff -up openssl-1.1.1d/include/openssl/opensslv.h.version-override openssl-1.1.1d/include/openssl/opensslv.h
--- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200 --- openssl-1.1.1d/include/openssl/opensslv.h.version-override 2019-09-13 15:26:32.606500244 +0200
+++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200 +++ openssl-1.1.1d/include/openssl/opensslv.h 2019-09-13 15:27:03.805950866 +0200
@@ -40,7 +40,7 @@ extern "C" { @@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x1010103fL # define OPENSSL_VERSION_NUMBER 0x1010104fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019" -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1d 10 Sep 2019"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1d FIPS 10 Sep 2019"
/*- /*-
* The macros below are to be used for shared library (.so, .dll, ...) * The macros below are to be used for shared library (.so, .dll, ...)


@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1c Version: 1.1.1d
Release: 6%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -40,7 +40,7 @@ Source13: ectest.c
# Build changes # Build changes
Patch1: openssl-1.1.1-build.patch Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-defaults.patch Patch2: openssl-1.1.1-defaults.patch
Patch3: openssl-1.1.0-no-html.patch Patch3: openssl-1.1.1-no-html.patch
Patch4: openssl-1.1.1-man-rename.patch Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes # Bug fixes
Patch21: openssl-1.1.0-issuer-hash.patch Patch21: openssl-1.1.0-issuer-hash.patch
@ -454,6 +454,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Fri Sep 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-1
- update to the 1.1.1d release
* Fri Sep 6 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6 * Fri Sep 6 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
- upstream fix for status request extension non-compliance (#1737471) - upstream fix for status request extension non-compliance (#1737471)


@ -1 +1 @@
SHA512 (openssl-1.1.1c-hobbled.tar.xz) = e6476209366d284bd02dca7e59a7ba2562aa7c58c91f0063b1e2b0f1a7f96fcff000e26d9c6f59b944e047b3305d237ed442f702ddd2e8c6c7a4d5b12e23c8db SHA512 (openssl-1.1.1d-hobbled.tar.xz) = c350e4669b82dcbc7fcc997726e376392e2ee0c92c37a952eb02369f05780a8d1b0c265f6264ce0e7619e44200d2d057e3fdcb0fe22c168dfb28e9381841fc00