Upgrade to version 1.1.1h

Signed-off-by: Sahana Prasad <sahana@redhat.com>

.gitignore

@@ -41,3 +41,11 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1-pre8-hobbled.tar.xz
 /openssl-1.1.1-pre9-hobbled.tar.xz
 /openssl-1.1.1-hobbled.tar.xz
+/openssl-1.1.1a-hobbled.tar.xz
+/openssl-1.1.1b-hobbled.tar.xz
+/openssl-1.1.1c-hobbled.tar.xz
+/openssl-1.1.1d-hobbled.tar.xz
+/openssl-1.1.1e-hobbled.tar.xz
+/openssl-1.1.1f-hobbled.tar.xz
+/openssl-1.1.1g-hobbled.tar.xz
+/openssl-1.1.1h-hobbled.tar.xz

ec_curve.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -9,7 +9,7 @@
  */
 
 #include <string.h>
-#include "ec_lcl.h"
+#include "ec_local.h"
 #include <openssl/err.h>
 #include <openssl/obj_mac.h>
 #include <openssl/opensslconf.h>
@@ -468,3 +468,115 @@ int EC_curve_nist2nid(const char *name)
     }
     return NID_undef;
 }
+
+#define NUM_BN_FIELDS 6
+/*
+ * Validates EC domain parameter data for known named curves.
+ * This can be used when a curve is loaded explicitly (without a curve
+ * name) or to validate that domain parameters have not been modified.
+ *
+ * Returns: The nid associated with the found named curve, or NID_undef
+ *          if not found. If there was an error it returns -1.
+ */
+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
+{
+    int ret = -1, nid, len, field_type, param_len;
+    size_t i, seed_len;
+    const unsigned char *seed, *params_seed, *params;
+    unsigned char *param_bytes = NULL;
+    const EC_CURVE_DATA *data;
+    const EC_POINT *generator = NULL;
+    const EC_METHOD *meth;
+    const BIGNUM *cofactor = NULL;
+    /* An array of BIGNUMs for (p, a, b, x, y, order) */
+    BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
+
+    meth = EC_GROUP_method_of(group);
+    if (meth == NULL)
+        return -1;
+    /* Use the optional named curve nid as a search field */
+    nid = EC_GROUP_get_curve_name(group);
+    field_type = EC_METHOD_get_field_type(meth);
+    seed_len = EC_GROUP_get_seed_len(group);
+    seed = EC_GROUP_get0_seed(group);
+    cofactor = EC_GROUP_get0_cofactor(group);
+
+    BN_CTX_start(ctx);
+
+    /*
+     * The built-in curves contains data fields (p, a, b, x, y, order) that are
+     * all zero-padded to be the same size. The size of the padding is
+     * determined by either the number of bytes in the field modulus (p) or the
+     * EC group order, whichever is larger.
+     */
+    param_len = BN_num_bytes(group->order);
+    len = BN_num_bytes(group->field);
+    if (len > param_len)
+        param_len = len;
+
+    /* Allocate space to store the padded data for (p, a, b, x, y, order)  */
+    param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
+    if (param_bytes == NULL)
+        goto end;
+
+    /* Create the bignums */
+    for (i = 0; i < NUM_BN_FIELDS; ++i) {
+        if ((bn[i] = BN_CTX_get(ctx)) == NULL)
+            goto end;
+    }
+    /*
+     * Fill in the bn array with the same values as the internal curves
+     * i.e. the values are p, a, b, x, y, order.
+     */
+    /* Get p, a & b */
+    if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
+        && ((generator = EC_GROUP_get0_generator(group)) != NULL)
+        /* Get x & y */
+        && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
+        /* Get order */
+        && EC_GROUP_get_order(group, bn[5], ctx)))
+        goto end;
+
+   /*
+     * Convert the bignum array to bytes that are joined together to form
+     * a single buffer that contains data for all fields.
+     * (p, a, b, x, y, order) are all zero padded to be the same size.
+     */
+    for (i = 0; i < NUM_BN_FIELDS; ++i) {
+        if (BN_bn2binpad(bn[i], &param_bytes[i*param_len], param_len) <= 0)
+            goto end;
+    }
+
+    for (i = 0; i < curve_list_length; i++) {
+        const ec_list_element curve = curve_list[i];
+
+        data = curve.data;
+        /* Get the raw order byte data */
+        params_seed = (const unsigned char *)(data + 1); /* skip header */
+        params = params_seed + data->seed_len;
+
+        /* Look for unique fields in the fixed curve data */
+        if (data->field_type == field_type
+            && param_len == data->param_len
+            && (nid <= 0 || nid == curve.nid)
+            /* check the optional cofactor (ignore if its zero) */
+            && (BN_is_zero(cofactor)
+                || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
+            /* Check the optional seed (ignore if its not set) */
+            && (data->seed_len == 0 || seed_len == 0
+                || ((size_t)data->seed_len == seed_len
+                     && memcmp(params_seed, seed, seed_len) == 0))
+            /* Check that the groups params match the built-in curve params */
+            && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
+                             == 0) {
+            ret = curve.nid;
+            goto end;
+        }
+    }
+    /* Gets here if the group was not found */
+    ret = NID_undef;
+end:
+    OPENSSL_free(param_bytes);
+    BN_CTX_end(ctx);
+    return ret;
+}

ectest.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -728,6 +728,75 @@ err:
     BN_CTX_free(ctx);
     return r;
 }
+
+/*
+ * Tests a point known to cause an incorrect underflow in an old version of
+ * ecp_nist521.c
+ */
+static int underflow_test(void)
+{
+    BN_CTX *ctx = NULL;
+    EC_GROUP *grp = NULL;
+    EC_POINT *P = NULL, *Q = NULL, *R = NULL;
+    BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL;
+    BIGNUM *k = NULL;
+    int testresult = 0;
+    const char *x1str =
+        "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4"
+        "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004";
+    const char *p521m1 =
+        "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+        "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe";
+
+    ctx = BN_CTX_new();
+    if (!TEST_ptr(ctx))
+        return 0;
+
+    BN_CTX_start(ctx);
+    x1 = BN_CTX_get(ctx);
+    y1 = BN_CTX_get(ctx);
+    z1 = BN_CTX_get(ctx);
+    x2 = BN_CTX_get(ctx);
+    y2 = BN_CTX_get(ctx);
+    k = BN_CTX_get(ctx);
+    if (!TEST_ptr(k))
+        goto err;
+
+    grp = EC_GROUP_new_by_curve_name(NID_secp521r1);
+    P = EC_POINT_new(grp);
+    Q = EC_POINT_new(grp);
+    R = EC_POINT_new(grp);
+    if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R))
+        goto err;
+
+    if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0)
+            || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0)
+            || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0)
+            || !TEST_int_gt(BN_hex2bn(&k, "02"), 0)
+            || !TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1,
+                                                                   y1, z1, ctx))
+            || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx))
+            || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx))
+            || !TEST_true(EC_POINT_dbl(grp, R, P, ctx))
+            || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx)))
+        goto err;
+
+    if (!TEST_int_eq(BN_cmp(x1, x2), 0)
+            || !TEST_int_eq(BN_cmp(y1, y2), 0))
+        goto err;
+
+    testresult = 1;
+
+ err:
+    BN_CTX_end(ctx);
+    EC_POINT_free(P);
+    EC_POINT_free(Q);
+    EC_POINT_free(R);
+    EC_GROUP_free(grp);
+    BN_CTX_free(ctx);
+
+    return testresult;
+}
 # endif
 
 static const unsigned char p521_named[] = {
@@ -775,6 +844,271 @@ static const unsigned char p521_explicit[] = {
     0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
 };
 
+/*
+ * Sometime we cannot compare nids for equality, as the built-in curve table
+ * includes aliases with different names for the same curve.
+ *
+ * This function returns TRUE (1) if the checked nids are identical, or if they
+ * alias to the same curve. FALSE (0) otherwise.
+ */
+static ossl_inline
+int are_ec_nids_compatible(int n1d, int n2d)
+{
+    int ret = 0;
+    switch (n1d) {
+# ifndef OPENSSL_NO_EC2M
+        case NID_sect113r1:
+        case NID_wap_wsg_idm_ecid_wtls4:
+            ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
+            break;
+        case NID_sect163k1:
+        case NID_wap_wsg_idm_ecid_wtls3:
+            ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
+            break;
+        case NID_sect233k1:
+        case NID_wap_wsg_idm_ecid_wtls10:
+            ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
+            break;
+        case NID_sect233r1:
+        case NID_wap_wsg_idm_ecid_wtls11:
+            ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
+            break;
+        case NID_X9_62_c2pnb163v1:
+        case NID_wap_wsg_idm_ecid_wtls5:
+            ret = (n2d == NID_X9_62_c2pnb163v1
+                   || n2d == NID_wap_wsg_idm_ecid_wtls5);
+            break;
+# endif /* OPENSSL_NO_EC2M */
+        case NID_secp112r1:
+        case NID_wap_wsg_idm_ecid_wtls6:
+            ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
+            break;
+        case NID_secp160r2:
+        case NID_wap_wsg_idm_ecid_wtls7:
+            ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
+            break;
+# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
+        case NID_secp224r1:
+        case NID_wap_wsg_idm_ecid_wtls12:
+            ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
+            break;
+# else
+        /*
+         * For SEC P-224 we want to ensure that the SECP nid is returned, as
+         * that is associated with a specialized method.
+         */
+        case NID_wap_wsg_idm_ecid_wtls12:
+            ret = (n2d == NID_secp224r1);
+            break;
+# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
+
+        default:
+            ret = (n1d == n2d);
+    }
+    return ret;
+}
+
+/*
+ * This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
+ * EC_GROUP for built-in curves.
+ *
+ * Note that it is possible to retrieve an alternative alias that does not match
+ * the original nid.
+ *
+ * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
+ */
+static int check_named_curve_from_ecparameters(int id)
+{
+    int ret = 0, nid, tnid;
+    EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
+    const EC_POINT *group_gen = NULL;
+    EC_POINT *other_gen = NULL;
+    BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
+    BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
+    const BIGNUM *group_order = NULL;
+    BIGNUM *other_order = NULL;
+    BN_CTX *bn_ctx = NULL;
+    static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
+    static size_t invalid_seed_len = sizeof(invalid_seed);
+    ECPARAMETERS *params = NULL, *other_params = NULL;
+    EC_GROUP *g_ary[8] = {NULL};
+    EC_GROUP **g_next = &g_ary[0];
+    ECPARAMETERS *p_ary[8] = {NULL};
+    ECPARAMETERS **p_next = &p_ary[0];
+
+    /* Do some setup */
+    nid = curves[id].nid;
+    TEST_note("Curve %s", OBJ_nid2sn(nid));
+    if (!TEST_ptr(bn_ctx = BN_CTX_new()))
+        return ret;
+    BN_CTX_start(bn_ctx);
+
+    if (/* Allocations */
+        !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
+        || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
+        || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
+        || !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
+        || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
+        /* Generate reference group and params */
+        || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
+        || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
+        || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
+        || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
+        || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
+        /* compute `other_*` values */
+        || !TEST_ptr(tmpg = EC_GROUP_dup(group))
+        || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
+        || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
+        || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
+                      other_gen_x, other_gen_y, bn_ctx))
+        || !TEST_true(BN_copy(other_order, group_order))
+        || !TEST_true(BN_add_word(other_order, 1))
+        || !TEST_true(BN_copy(other_cofactor, group_cofactor))
+        || !TEST_true(BN_add_word(other_cofactor, 1)))
+        goto err;
+
+    EC_POINT_free(other_gen);
+    other_gen = NULL;
+
+    if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
+        || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
+                                                      other_gen_x, other_gen_y,
+                                                      bn_ctx)))
+        goto err;
+
+    /*
+     * ###########################
+     * # Actual tests start here #
+     * ###########################
+     */
+
+    /*
+     * Creating a group from built-in explicit parameters returns a
+     * "named" EC_GROUP
+     */
+    if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
+        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
+        goto err;
+    /*
+     * We cannot always guarantee the names match, as the built-in table
+     * contains aliases for the same curve with different names.
+     */
+    if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
+        TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+        goto err;
+    }
+    /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
+    if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
+        goto err;
+
+    /*
+     * An invalid seed in the parameters should be ignored: expect a "named"
+     * group.
+     */
+    if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
+                     invalid_seed_len)
+            || !TEST_ptr(other_params = *p_next++ =
+                         EC_GROUP_get_ecparameters(tmpg, NULL))
+            || !TEST_ptr(tgroup = *g_next++ =
+                          EC_GROUP_new_from_ecparameters(other_params))
+            || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+            || !TEST_true(are_ec_nids_compatible(nid, tnid))
+            || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+                            OPENSSL_EC_EXPLICIT_CURVE)) {
+        TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+        goto err;
+    }
+
+    /*
+     * A null seed in the parameters should be ignored, as it is optional:
+     * expect a "named" group.
+     */
+    if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
+            || !TEST_ptr(other_params = *p_next++ =
+                         EC_GROUP_get_ecparameters(tmpg, NULL))
+            || !TEST_ptr(tgroup = *g_next++ =
+                          EC_GROUP_new_from_ecparameters(other_params))
+            || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+            || !TEST_true(are_ec_nids_compatible(nid, tnid))
+            || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+                            OPENSSL_EC_EXPLICIT_CURVE)) {
+        TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+        goto err;
+    }
+
+    /*
+     * Check that changing any of the generator parameters does not yield a
+     * match with the built-in curves
+     */
+    if (/* Other gen, same group order & cofactor */
+        !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
+                                          group_cofactor))
+        || !TEST_ptr(other_params = *p_next++ =
+                     EC_GROUP_get_ecparameters(tmpg, NULL))
+        || !TEST_ptr(tgroup = *g_next++ =
+                      EC_GROUP_new_from_ecparameters(other_params))
+        || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+        /* Same gen & cofactor, different order */
+        || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
+                                             group_cofactor))
+        || !TEST_ptr(other_params = *p_next++ =
+                     EC_GROUP_get_ecparameters(tmpg, NULL))
+        || !TEST_ptr(tgroup = *g_next++ =
+                      EC_GROUP_new_from_ecparameters(other_params))
+        || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+        /* The order is not an optional field, so this should fail */
+        || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
+                                              group_cofactor))
+        /* Check that a wrong cofactor is ignored, and we still match */
+        || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+                                             other_cofactor))
+        || !TEST_ptr(other_params = *p_next++ =
+                     EC_GROUP_get_ecparameters(tmpg, NULL))
+        || !TEST_ptr(tgroup = *g_next++ =
+                      EC_GROUP_new_from_ecparameters(other_params))
+        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+        || !TEST_true(are_ec_nids_compatible(nid, tnid))
+        || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+                        OPENSSL_EC_EXPLICIT_CURVE)
+        /* Check that if the cofactor is not set then it still matches */
+        || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+                                             NULL))
+        || !TEST_ptr(other_params = *p_next++ =
+                     EC_GROUP_get_ecparameters(tmpg, NULL))
+        || !TEST_ptr(tgroup = *g_next++ =
+                      EC_GROUP_new_from_ecparameters(other_params))
+        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+        || !TEST_true(are_ec_nids_compatible(nid, tnid))
+        || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+                        OPENSSL_EC_EXPLICIT_CURVE)
+        /* check that restoring the generator passes */
+        || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+                                             group_cofactor))
+        || !TEST_ptr(other_params = *p_next++ =
+                     EC_GROUP_get_ecparameters(tmpg, NULL))
+        || !TEST_ptr(tgroup = *g_next++ =
+                      EC_GROUP_new_from_ecparameters(other_params))
+        || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+        || !TEST_true(are_ec_nids_compatible(nid, tnid))
+        || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+                        OPENSSL_EC_EXPLICIT_CURVE))
+        goto err;
+
+    ret = 1;
+err:
+    for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
+        EC_GROUP_free(*g_next);
+    for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
+        ECPARAMETERS_free(*p_next);
+    ECPARAMETERS_free(params);
+    EC_POINT_free(other_gen);
+    EC_GROUP_free(tmpg);
+    EC_GROUP_free(group);
+    BN_CTX_end(bn_ctx);
+    BN_CTX_free(bn_ctx);
+    return ret;
+}
+
 static int parameter_test(void)
 {
     EC_GROUP *group = NULL, *group2 = NULL;
@@ -782,7 +1116,8 @@ static int parameter_test(void)
     unsigned char *buf = NULL;
     int r = 0, len;
 
-    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
+    /* must use a curve without a special group method */
+    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp256k1))
         || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
         || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
         || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
@@ -817,7 +1152,361 @@ err:
     OPENSSL_free(buf);
     return r;
 }
-#endif
+
+/*-
+ * random 256-bit explicit parameters curve, cofactor absent
+ * order:    0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
+ * cofactor:   0x12bc94785251297abfafddf1565100da (125 bit)
+ */
+static const unsigned char params_cf_pass[] = {
+    0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
+    0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
+    0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
+    0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
+    0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
+    0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
+    0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
+    0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
+    0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
+    0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
+    0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
+    0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
+    0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
+    0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
+    0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
+    0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
+    0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
+    0x14, 0xa8, 0x2f, 0x4f
+};
+
+/*-
+ * random 256-bit explicit parameters curve, cofactor absent
+ * order:    0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
+ * cofactor:   0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
+ */
+static const unsigned char params_cf_fail[] = {
+    0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
+    0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
+    0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
+    0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
+    0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
+    0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
+    0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
+    0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
+    0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
+    0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
+    0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
+    0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
+    0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
+    0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
+    0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
+    0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
+    0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
+    0x34, 0xa2, 0x21, 0x01
+};
+
+/*-
+ * Test two random 256-bit explicit parameters curves with absent cofactor.
+ * The two curves are chosen to roughly straddle the bounds at which the lib
+ * can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
+ *
+ * - params_cf_pass: order is sufficiently close to p to compute cofactor
+ * - params_cf_fail: order is too far away from p to compute cofactor
+ *
+ * For standards-compliant curves, cofactor is chosen as small as possible.
+ * So you can see neither of these curves are fit for cryptographic use.
+ *
+ * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
+ * h <= 2**(t/8) where t is the security level of the curve, for which the lib
+ * will always succeed in computing the cofactor. Neither of these curves
+ * conform to that -- this is just robustness testing.
+ */
+static int cofactor_range_test(void)
+{
+    EC_GROUP *group = NULL;
+    BIGNUM *cf = NULL;
+    int ret = 0;
+    const unsigned char *b1 = (const unsigned char *)params_cf_fail;
+    const unsigned char *b2 = (const unsigned char *)params_cf_pass;
+
+    if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
+        || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
+        || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
+                                                sizeof(params_cf_pass)))
+        || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
+        || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
+        goto err;
+    ret = 1;
+ err:
+    BN_free(cf);
+    EC_GROUP_free(group);
+    return ret;
+}
+
+/*-
+ * For named curves, test that:
+ * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
+ * - a nonsensical cofactor throws an error (negative test)
+ * - nonsensical orders throw errors (negative tests)
+ */
+static int cardinality_test(int n)
+{
+    int ret = 0;
+    int nid = curves[n].nid;
+    BN_CTX *ctx = NULL;
+    EC_GROUP *g1 = NULL, *g2 = NULL;
+    EC_POINT *g2_gen = NULL;
+    BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
+           *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
+
+    TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
+
+    if (!TEST_ptr(ctx = BN_CTX_new())
+        || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
+        || !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
+        EC_GROUP_free(g1);
+        EC_GROUP_free(g2);
+        BN_CTX_free(ctx);
+        return 0;
+    }
+
+    BN_CTX_start(ctx);
+    g1_p = BN_CTX_get(ctx);
+    g1_a = BN_CTX_get(ctx);
+    g1_b = BN_CTX_get(ctx);
+    g1_x = BN_CTX_get(ctx);
+    g1_y = BN_CTX_get(ctx);
+    g1_order = BN_CTX_get(ctx);
+    g1_cf = BN_CTX_get(ctx);
+
+    if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
+        /* pull out the explicit curve parameters */
+        || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
+        || !TEST_true(EC_POINT_get_affine_coordinates(g1,
+                      EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
+        || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
+        || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
+        /* construct g2 manually with g1 parameters */
+        || !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
+        || !TEST_ptr(g2_gen = EC_POINT_new(g2))
+        || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
+        /* pass NULL cofactor: lib should compute it */
+        || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
+        || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
+        || !TEST_BN_eq(g1_cf, g2_cf)
+        /* pass zero cofactor: lib should compute it */
+        || !TEST_true(BN_set_word(g2_cf, 0))
+        || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
+        || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
+        || !TEST_BN_eq(g1_cf, g2_cf)
+        /* negative test for invalid cofactor */
+        || !TEST_true(BN_set_word(g2_cf, 0))
+        || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
+        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
+        /* negative test for NULL order */
+        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
+        /* negative test for zero order */
+        || !TEST_true(BN_set_word(g1_order, 0))
+        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
+        /* negative test for negative order */
+        || !TEST_true(BN_set_word(g2_cf, 0))
+        || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
+        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
+        /* negative test for too large order */
+        || !TEST_true(BN_lshift(g1_order, g1_p, 2))
+        || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
+        goto err;
+    ret = 1;
+ err:
+    EC_POINT_free(g2_gen);
+    EC_GROUP_free(g1);
+    EC_GROUP_free(g2);
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+    return ret;
+}
+
+/*
+ * Helper for ec_point_hex2point_test
+ *
+ * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
+ * (group,P) pair.
+ *
+ * If P is NULL use point at infinity.
+ */
+static ossl_inline
+int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
+                                   point_conversion_form_t form,
+                                   BN_CTX *bnctx)
+{
+    int ret = 0;
+    EC_POINT *Q = NULL, *Pinf = NULL;
+    char *hex = NULL;
+
+    if (P == NULL) {
+        /* If P is NULL use point at infinity. */
+        if (!TEST_ptr(Pinf = EC_POINT_new(group))
+                || !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
+            goto err;
+        P = Pinf;
+    }
+
+    if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
+            || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
+            || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
+        goto err;
+
+    /*
+     * The next check is most likely superfluous, as EC_POINT_cmp should already
+     * cover this.
+     * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
+     * so we include it anyway!
+     */
+    if (Pinf != NULL
+            && !TEST_true(EC_POINT_is_at_infinity(group, Q)))
+        goto err;
+
+    ret = 1;
+
+ err:
+    EC_POINT_free(Pinf);
+    OPENSSL_free(hex);
+    EC_POINT_free(Q);
+
+    return ret;
+}
+
+/*
+ * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
+ */
+static int ec_point_hex2point_test(int id)
+{
+    int ret = 0, nid;
+    EC_GROUP *group = NULL;
+    const EC_POINT *G = NULL;
+    EC_POINT *P = NULL;
+    BN_CTX * bnctx = NULL;
+
+    /* Do some setup */
+    nid = curves[id].nid;
+    if (!TEST_ptr(bnctx = BN_CTX_new())
+            || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
+            || !TEST_ptr(G = EC_GROUP_get0_generator(group))
+            || !TEST_ptr(P = EC_POINT_dup(G, group)))
+        goto err;
+
+    if (!TEST_true(ec_point_hex2point_test_helper(group, P,
+                                                  POINT_CONVERSION_COMPRESSED,
+                                                  bnctx))
+            || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+                                                         POINT_CONVERSION_COMPRESSED,
+                                                         bnctx))
+            || !TEST_true(ec_point_hex2point_test_helper(group, P,
+                                                         POINT_CONVERSION_UNCOMPRESSED,
+                                                         bnctx))
+            || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+                                                         POINT_CONVERSION_UNCOMPRESSED,
+                                                         bnctx))
+            || !TEST_true(ec_point_hex2point_test_helper(group, P,
+                                                         POINT_CONVERSION_HYBRID,
+                                                         bnctx))
+            || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+                                                         POINT_CONVERSION_HYBRID,
+                                                         bnctx)))
+        goto err;
+
+    ret = 1;
+
+ err:
+    EC_POINT_free(P);
+    EC_GROUP_free(group);
+    BN_CTX_free(bnctx);
+
+    return ret;
+}
+
+/*
+ * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
+ */
+static int custom_generator_test(int id)
+{
+    int ret = 0, nid, bsize;
+    EC_GROUP *group = NULL;
+    EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
+    BN_CTX *ctx = NULL;
+    BIGNUM *k = NULL;
+    unsigned char *b1 = NULL, *b2 = NULL;
+
+    /* Do some setup */
+    nid = curves[id].nid;
+    TEST_note("Curve %s", OBJ_nid2sn(nid));
+    if (!TEST_ptr(ctx = BN_CTX_new()))
+        return 0;
+
+    BN_CTX_start(ctx);
+
+    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
+        goto err;
+
+    /* expected byte length of encoded points */
+    bsize = (EC_GROUP_get_degree(group) + 7) / 8;
+    bsize = 2 * bsize + 1;
+
+    if (!TEST_ptr(k = BN_CTX_get(ctx))
+        /* fetch a testing scalar k != 0,1 */
+        || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
+                              BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+        /* make k even */
+        || !TEST_true(BN_clear_bit(k, 0))
+        || !TEST_ptr(G2 = EC_POINT_new(group))
+        || !TEST_ptr(Q1 = EC_POINT_new(group))
+        /* Q1 := kG */
+        || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
+        /* pull out the bytes of that */
+        || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
+                                           POINT_CONVERSION_UNCOMPRESSED, NULL,
+                                           0, ctx), bsize)
+        || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
+        || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
+                                           POINT_CONVERSION_UNCOMPRESSED, b1,
+                                           bsize, ctx), bsize)
+        /* new generator is G2 := 2G */
+        || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
+                                   ctx))
+        || !TEST_true(EC_GROUP_set_generator(group, G2,
+                                             EC_GROUP_get0_order(group),
+                                             EC_GROUP_get0_cofactor(group)))
+        || !TEST_ptr(Q2 = EC_POINT_new(group))
+        || !TEST_true(BN_rshift1(k, k))
+        /* Q2 := k/2 G2 */
+        || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
+        || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
+                                           POINT_CONVERSION_UNCOMPRESSED, NULL,
+                                           0, ctx), bsize)
+        || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
+        || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
+                                           POINT_CONVERSION_UNCOMPRESSED, b2,
+                                           bsize, ctx), bsize)
+        /* Q1 = kG = k/2 G2 = Q2 should hold */
+        || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
+        goto err;
+
+    ret = 1;
+
+ err:
+    BN_CTX_end(ctx);
+    EC_POINT_free(Q1);
+    EC_POINT_free(Q2);
+    EC_POINT_free(G2);
+    EC_GROUP_free(group);
+    BN_CTX_free(ctx);
+    OPENSSL_free(b1);
+    OPENSSL_free(b2);
+
+    return ret;
+}
+
+#endif /* OPENSSL_NO_EC */
 
 int setup_tests(void)
 {
@@ -828,6 +1517,8 @@ int setup_tests(void)
         return 0;
 
     ADD_TEST(parameter_test);
+    ADD_TEST(cofactor_range_test);
+    ADD_ALL_TESTS(cardinality_test, crv_len);
     ADD_TEST(prime_field_tests);
 # ifndef OPENSSL_NO_EC2M
     ADD_TEST(char2_field_tests);
@@ -835,10 +1526,15 @@ int setup_tests(void)
 # endif
 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
     ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
+    ADD_TEST(underflow_test);
 # endif
     ADD_ALL_TESTS(internal_curve_test, crv_len);
     ADD_ALL_TESTS(internal_curve_test_method, crv_len);
-#endif
+
+    ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
+    ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
+    ADD_ALL_TESTS(custom_generator_test, crv_len);
+#endif /* OPENSSL_NO_EC */
     return 1;
 }
 

openssl-1.1.0-no-html.patch

@@ -1,12 +0,0 @@
-diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
---- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html	2016-04-19 16:57:52.000000000 +0200
-+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl	2016-07-18 13:58:55.060106243 +0200
-@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
- 
- uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
- 
--install_docs: install_man_docs install_html_docs
-+install_docs: install_man_docs
- 
- uninstall_docs: uninstall_man_docs uninstall_html_docs
- 	$(RM) -r -v $(DESTDIR)$(DOCDIR)

openssl-1.1.1-alpn-cb.patch

@@ -0,0 +1,27 @@
+commit 9e885a707d604e9528b5491b78fb9c00f41193fc
+Author: Tomas Mraz <tmraz@fedoraproject.org>
+Date:   Thu Mar 26 15:59:00 2020 +0100
+
+    s_server: Properly indicate ALPN protocol mismatch
+    
+    Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
+    an alert is sent to the client on ALPN protocol mismatch.
+    
+    Fixes: #2708
+    
+    Reviewed-by: Matt Caswell <matt@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/11415)
+
+diff --git a/apps/s_server.c b/apps/s_server.c
+index bcc83e562c..591c6c19c5 100644
+--- a/apps/s_server.c
++++ b/apps/s_server.c
+@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
+     if (SSL_select_next_proto
+         ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
+          inlen) != OPENSSL_NPN_NEGOTIATED) {
+-        return SSL_TLSEXT_ERR_NOACK;
++        return SSL_TLSEXT_ERR_ALERT_FATAL;
+     }
+ 
+     if (!s_quiet) {

openssl-1.1.1-apps-dgst.patch

@@ -1,12 +1,12 @@
-diff -up openssl-1.1.0-pre5/apps/ca.c.dgst openssl-1.1.0-pre5/apps/ca.c
---- openssl-1.1.0-pre5/apps/ca.c.dgst	2016-04-19 16:57:52.000000000 +0200
-+++ openssl-1.1.0-pre5/apps/ca.c	2016-07-18 15:58:18.516742682 +0200
-@@ -216,7 +216,7 @@ OPTIONS ca_options[] = {
+diff -up openssl-1.1.1b/apps/ca.c.dgst openssl-1.1.1b/apps/ca.c
+--- openssl-1.1.1b/apps/ca.c.dgst	2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/apps/ca.c	2019-03-15 15:53:46.622267688 +0100
+@@ -169,7 +169,7 @@ const OPTIONS ca_options[] = {
      {"enddate", OPT_ENDDATE, 's',
       "YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
      {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
 -    {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
-+    {"md", OPT_MD, 's', "md to use; see openssl dgst -h for list"},
++    {"md", OPT_MD, 's', "md to use; see openssl help for list"},
      {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
      {"keyfile", OPT_KEYFILE, 's', "Private key"},
      {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},

openssl-1.1.1-build.patch

@@ -1,28 +1,7 @@
-diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build	2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl	2018-07-16 17:15:38.108831031 +0200
-@@ -680,7 +680,7 @@ uninstall_runtime:
- install_man_docs:
- 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- 	@$(ECHO) "*** Installing manpages"
--	$(PERL) $(SRCDIR)/util/process_docs.pl \
-+	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- 		--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
- 
- uninstall_man_docs:
-@@ -692,7 +692,7 @@ uninstall_man_docs:
- install_html_docs:
- 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- 	@$(ECHO) "*** Installing HTML manpages"
--	$(PERL) $(SRCDIR)/util/process_docs.pl \
-+	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- 		--destdir=$(DESTDIR)$(HTMLDIR) --type=html
- 
- uninstall_html_docs:
-diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
---- openssl-1.1.1-pre8/Configurations/10-main.conf.build	2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/Configurations/10-main.conf	2018-07-16 17:17:10.312045203 +0200
-@@ -693,6 +693,7 @@ my %targets = (
+diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
+--- openssl-1.1.1f/Configurations/10-main.conf.build	2020-03-31 14:17:45.000000000 +0200
++++ openssl-1.1.1f/Configurations/10-main.conf	2020-04-07 16:42:10.920546387 +0200
+@@ -678,6 +678,7 @@ my %targets = (
          cxxflags         => add("-m64"),
          lib_cppflags     => add("-DL_ENDIAN"),
          perlasm_scheme   => "linux64le",
@@ -30,7 +9,7 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
      },
  
      "linux-armv4" => {
-@@ -733,6 +734,7 @@ my %targets = (
+@@ -718,6 +719,7 @@ my %targets = (
      "linux-aarch64" => {
          inherit_from     => [ "linux-generic64", asm("aarch64_asm") ],
          perlasm_scheme   => "linux64",
@@ -38,3 +17,24 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
      },
      "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
          inherit_from     => [ "linux-generic32", asm("aarch64_asm") ],
+diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build	2020-04-07 16:42:10.920546387 +0200
++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl	2020-04-07 16:44:23.539142108 +0200
+@@ -823,7 +823,7 @@ uninstall_runtime_libs:
+ install_man_docs:
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ 	@$(ECHO) "*** Installing manpages"
+-	$(PERL) $(SRCDIR)/util/process_docs.pl \
++	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ 		"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
+ 
+ uninstall_man_docs:
+@@ -835,7 +835,7 @@ uninstall_man_docs:
+ install_html_docs:
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ 	@$(ECHO) "*** Installing HTML manpages"
+-	$(PERL) $(SRCDIR)/util/process_docs.pl \
++	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ 		"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
+ 
+ uninstall_html_docs:

openssl-1.1.1-conf-paths.patch

@@ -31,7 +31,7 @@ diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/
 +
 +[ crypto_policy ]
 +
-+.include /etc/crypto-policies/back-ends/opensslcnf.config
++.include = /etc/crypto-policies/back-ends/opensslcnf.config
 +
  [ new_oids ]
  

openssl-1.1.1-defaults.patch

@@ -1,16 +1,7 @@
-diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
---- openssl-1.1.0-pre5/apps/openssl.cnf.defaults	2016-04-19 16:57:52.000000000 +0200
-+++ openssl-1.1.0-pre5/apps/openssl.cnf	2016-07-18 14:22:08.252691017 +0200
-@@ -10,7 +10,7 @@
- # This definition stops the following lines choking if HOME isn't
- # defined.
- HOME			= .
--RANDFILE		= $ENV::HOME/.rnd
-+#RANDFILE		= $ENV::HOME/.rnd
- 
- # Extra OBJECT IDENTIFIER info:
- #oid_file		= $ENV::HOME/.oid
-@@ -72,7 +72,7 @@ cert_opt 	= ca_default		# Certificate fi
+diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf
+--- openssl-1.1.1a/apps/openssl.cnf.defaults	2018-11-20 14:35:37.000000000 +0100
++++ openssl-1.1.1a/apps/openssl.cnf	2019-01-15 13:56:50.841719776 +0100
+@@ -74,7 +74,7 @@ cert_opt 	= ca_default		# Certificate fi
  
  default_days	= 365			# how long to certify for
  default_crl_days= 30			# how long before next CRL
@@ -19,7 +10,7 @@ diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/op
  preserve	= no			# keep passed DN ordering
  
  # A few difference way of specifying how similar the request should look
-@@ -104,6 +104,7 @@ emailAddress		= optional
+@@ -106,6 +106,7 @@ emailAddress		= optional
  ####################################################################
  [ req ]
  default_bits		= 2048
@@ -27,7 +18,7 @@ diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/op
  default_keyfile 	= privkey.pem
  distinguished_name	= req_distinguished_name
  attributes		= req_attributes
-@@ -126,17 +127,18 @@ string_mask = utf8only
+@@ -128,17 +129,18 @@ string_mask = utf8only
  
  [ req_distinguished_name ]
  countryName			= Country Name (2 letter code)
@@ -49,7 +40,7 @@ diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/op
  
  # we can do this but it is not needed normally :-)
  #1.organizationName		= Second Organization Name (eg, company)
-@@ -145,7 +147,7 @@ localityName			= Locality Name (eg, city
+@@ -147,7 +149,7 @@ localityName			= Locality Name (eg, city
  organizationalUnitName		= Organizational Unit Name (eg, section)
  #organizationalUnitName_default	=
  

openssl-1.1.1-ec-curves.patch

@@ -1,40 +1,38 @@
-diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
---- openssl-1.1.1/apps/speed.c.curves	2018-09-11 14:48:20.000000000 +0200
-+++ openssl-1.1.1/apps/speed.c	2018-09-13 09:24:24.840081023 +0200
-@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
- static double rsa_results[RSA_NUM][2];  /* 2 ops: sign then verify */
+diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
+--- openssl-1.1.1h/apps/speed.c.curves	2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/apps/speed.c	2020-11-06 13:27:15.659288431 +0100
+@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
  #endif /* OPENSSL_NO_RSA */
  
--#define R_EC_P160    0
--#define R_EC_P192    1
--#define R_EC_P224    2
--#define R_EC_P256    3
--#define R_EC_P384    4
--#define R_EC_P521    5
--#define R_EC_K163    6
--#define R_EC_K233    7
--#define R_EC_K283    8
--#define R_EC_K409    9
--#define R_EC_K571    10
--#define R_EC_B163    11
--#define R_EC_B233    12
--#define R_EC_B283    13
--#define R_EC_B409    14
--#define R_EC_B571    15
--#define R_EC_BRP256R1  16
--#define R_EC_BRP256T1  17
--#define R_EC_BRP384R1  18
--#define R_EC_BRP384T1  19
--#define R_EC_BRP512R1  20
--#define R_EC_BRP512T1  21
--#define R_EC_X25519  22
--#define R_EC_X448    23
-+#define R_EC_P224    0
-+#define R_EC_P256    1
-+#define R_EC_P384    2
-+#define R_EC_P521    3
-+#define R_EC_X25519  4
-+#define R_EC_X448    5
+ enum {
+-    R_EC_P160,
+-    R_EC_P192,
+     R_EC_P224,
+     R_EC_P256,
+     R_EC_P384,
+     R_EC_P521,
+-#ifndef OPENSSL_NO_EC2M
+-    R_EC_K163,
+-    R_EC_K233,
+-    R_EC_K283,
+-    R_EC_K409,
+-    R_EC_K571,
+-    R_EC_B163,
+-    R_EC_B233,
+-    R_EC_B283,
+-    R_EC_B409,
+-    R_EC_B571,
+-#endif
+-    R_EC_BRP256R1,
+-    R_EC_BRP256T1,
+-    R_EC_BRP384R1,
+-    R_EC_BRP384T1,
+-    R_EC_BRP512R1,
+-    R_EC_BRP512T1,
+     R_EC_X25519,
+     R_EC_X448
+ };
+ 
  #ifndef OPENSSL_NO_EC
  static OPT_PAIR ecdsa_choices[] = {
 -    {"ecdsap160", R_EC_P160},
@@ -43,6 +41,7 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
      {"ecdsap256", R_EC_P256},
      {"ecdsap384", R_EC_P384},
      {"ecdsap521", R_EC_P521},
+-# ifndef OPENSSL_NO_EC2M
 -    {"ecdsak163", R_EC_K163},
 -    {"ecdsak233", R_EC_K233},
 -    {"ecdsak283", R_EC_K283},
@@ -53,6 +52,7 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
 -    {"ecdsab283", R_EC_B283},
 -    {"ecdsab409", R_EC_B409},
 -    {"ecdsab571", R_EC_B571},
+-# endif
 -    {"ecdsabrp256r1", R_EC_BRP256R1},
 -    {"ecdsabrp256t1", R_EC_BRP256T1},
 -    {"ecdsabrp384r1", R_EC_BRP384R1},
@@ -71,6 +71,7 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
      {"ecdhp256", R_EC_P256},
      {"ecdhp384", R_EC_P384},
      {"ecdhp521", R_EC_P521},
+-# ifndef OPENSSL_NO_EC2M
 -    {"ecdhk163", R_EC_K163},
 -    {"ecdhk233", R_EC_K233},
 -    {"ecdhk283", R_EC_K283},
@@ -81,6 +82,7 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
 -    {"ecdhb283", R_EC_B283},
 -    {"ecdhb409", R_EC_B409},
 -    {"ecdhb571", R_EC_B571},
+-# endif
 -    {"ecdhbrp256r1", R_EC_BRP256R1},
 -    {"ecdhbrp256t1", R_EC_BRP256T1},
 -    {"ecdhbrp384r1", R_EC_BRP384R1},
@@ -90,7 +92,7 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
      {"ecdhx25519", R_EC_X25519},
      {"ecdhx448", R_EC_X448}
  };
-@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
+@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
          unsigned int bits;
      } test_curves[] = {
          /* Prime Curves */
@@ -98,11 +100,12 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
 -        {"nistp192", NID_X9_62_prime192v1, 192},
          {"nistp224", NID_secp224r1, 224},
          {"nistp256", NID_X9_62_prime256v1, 256},
-         {"nistp384", NID_secp384r1, 384}, 
+         {"nistp384", NID_secp384r1, 384},
          {"nistp521", NID_secp521r1, 521},
+-# ifndef OPENSSL_NO_EC2M
 -        /* Binary Curves */
 -        {"nistk163", NID_sect163k1, 163},
--        {"nistk233", NID_sect233k1, 233}, 
+-        {"nistk233", NID_sect233k1, 233},
 -        {"nistk283", NID_sect283k1, 283},
 -        {"nistk409", NID_sect409k1, 409},
 -        {"nistk571", NID_sect571k1, 571},
@@ -111,6 +114,7 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
 -        {"nistb283", NID_sect283r1, 283},
 -        {"nistb409", NID_sect409r1, 409},
 -        {"nistb571", NID_sect571r1, 571},
+-# endif
 -        {"brainpoolP256r1", NID_brainpoolP256r1, 256},
 -        {"brainpoolP256t1", NID_brainpoolP256t1, 256},
 -        {"brainpoolP384r1", NID_brainpoolP384r1, 384},
@@ -120,7 +124,7 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
          /* Other and ECDH only ones */
          {"X25519", NID_X25519, 253},
          {"X448", NID_X448, 448}
-@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
+@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
  #  endif
  
  #  ifndef OPENSSL_NO_EC
@@ -133,47 +137,39 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
          ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
          ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
          if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
-@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
+@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
              }
          }
      }
-+#if 0
+-#   ifndef OPENSSL_NO_EC2M
++#   if 0
      ecdsa_c[R_EC_K163][0] = count / 1000;
      ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
      for (i = R_EC_K233; i <= R_EC_K571; i++) {
-@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
-             }
-         }
+@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
      }
--
+ #   endif
+ 
 -    ecdh_c[R_EC_P160][0] = count / 1000;
 -    for (i = R_EC_P192; i <= R_EC_P521; i++) {
-+#endif
 +    ecdh_c[R_EC_P224][0] = count / 1000;
 +    for (i = R_EC_P256; i <= R_EC_P521; i++) {
          ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
          if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
              ecdh_doit[i] = 0;
-@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
+@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
              }
          }
      }
-+#if 0
+-#   ifndef OPENSSL_NO_EC2M
++#   if 0
      ecdh_c[R_EC_K163][0] = count / 1000;
      for (i = R_EC_K233; i <= R_EC_K571; i++) {
          ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
-             }
-         }
-     }
-+#endif
-     /* default iteration count for the last two EC Curves */
-     ecdh_c[R_EC_X25519][0] = count / 1800;
-     ecdh_c[R_EC_X448][0] = count / 7200;
-diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_smpl.c
---- openssl-1.1.1/crypto/ec/ecp_smpl.c.curves	2018-09-11 14:48:21.000000000 +0200
-+++ openssl-1.1.1/crypto/ec/ecp_smpl.c	2018-09-13 09:09:26.841792619 +0200
-@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
+diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves	2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/crypto/ec/ecp_smpl.c	2020-11-06 13:27:15.659288431 +0100
+@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
          return 0;
      }
  
@@ -185,22 +181,86 @@ diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_s
      if (ctx == NULL) {
          ctx = new_ctx = BN_CTX_new();
          if (ctx == NULL)
-diff -up openssl-1.1.1/test/ecdsatest.c.curves openssl-1.1.1/test/ecdsatest.c
---- openssl-1.1.1/test/ecdsatest.c.curves	2018-09-11 14:48:24.000000000 +0200
-+++ openssl-1.1.1/test/ecdsatest.c	2018-09-13 09:09:26.841792619 +0200
-@@ -173,6 +173,7 @@ static int x9_62_tests(void)
-     if (!change_rand())
-         goto x962_err;
+diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
+--- openssl-1.1.1h/test/ecdsatest.h.curves	2020-11-06 13:27:15.627288114 +0100
++++ openssl-1.1.1h/test/ecdsatest.h	2020-11-06 13:27:15.660288441 +0100
+@@ -32,23 +32,6 @@ typedef struct {
+ } ecdsa_cavs_kat_t;
  
-+#if 0
-     if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1,
-                  "3342403536405981729393488334694600415596881826869351677613",
-                  "5735822328888155254683894997897571951568553642892029982342")))
-@@ -183,6 +184,7 @@ static int x9_62_tests(void)
-                  "3238135532097973577080787768312505059318910517550078427819"
-                              "78505179448783")))
-         goto x962_err;
-+#endif
+ static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
+-    /* prime KATs from X9.62 */
+-    {NID_X9_62_prime192v1, NID_sha1,
+-     "616263",                  /* "abc" */
+-     "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
+-     "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
+-     "5ca5c0d69716dfcb3474373902",
+-     "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
+-     "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
+-     "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
+-    {NID_X9_62_prime239v1, NID_sha1,
+-     "616263",                  /* "abc" */
+-     "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
+-     "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
+-     "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
+-     "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
+-     "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
+-     "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
+     /* prime KATs from NIST CAVP */
+     {NID_secp224r1, NID_sha224,
+      "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
+--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves	2020-11-06 13:58:36.402895540 +0100
++++ openssl-1.1.1h/test/recipes/15-test_genec.t	2020-11-06 13:59:38.508484498 +0100
+@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
+     if disabled("ec");
  
- # ifndef OPENSSL_NO_EC2M
-     if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1,
+ my @prime_curves = qw(
+-    secp112r1
+-    secp112r2
+-    secp128r1
+-    secp128r2
+-    secp160k1
+-    secp160r1
+-    secp160r2
+-    secp192k1
+-    secp224k1
+     secp224r1
+     secp256k1
+     secp384r1
+     secp521r1
+-    prime192v1
+-    prime192v2
+-    prime192v3
+-    prime239v1
+-    prime239v2
+-    prime239v3
+     prime256v1
+-    wap-wsg-idm-ecid-wtls6
+-    wap-wsg-idm-ecid-wtls7
+-    wap-wsg-idm-ecid-wtls8
+-    wap-wsg-idm-ecid-wtls9
+-    wap-wsg-idm-ecid-wtls12
+-    brainpoolP160r1
+-    brainpoolP160t1
+-    brainpoolP192r1
+-    brainpoolP192t1
+-    brainpoolP224r1
+-    brainpoolP224t1
+-    brainpoolP256r1
+-    brainpoolP256t1
+-    brainpoolP320r1
+-    brainpoolP320t1
+-    brainpoolP384r1
+-    brainpoolP384t1
+-    brainpoolP512r1
+-    brainpoolP512t1
+ );
+ 
+ my @binary_curves = qw(
+@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
+     if !disabled("sm2");
+ 
+ my @curve_aliases = qw(
+-    P-192
+     P-224
+     P-256
+     P-384

openssl-1.1.1-edk2-build.patch

@@ -0,0 +1,57 @@
+diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
+--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build	2020-05-18 12:55:53.299548432 +0200
++++ openssl-1.1.1g/crypto/evp/pkey_kdf.c	2020-05-18 12:55:53.340548788 +0200
+@@ -12,6 +12,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+ #include <openssl/kdf.h>
++#include "internal/numbers.h"
+ #include "crypto/evp.h"
+ 
+ static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
+diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
+--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build	2020-05-18 12:55:53.340548788 +0200
++++ openssl-1.1.1g/crypto/kdf/hkdf.c	2020-05-18 12:57:18.648288904 +0200
+@@ -13,6 +13,7 @@
+ #include <openssl/hmac.h>
+ #include <openssl/kdf.h>
+ #include <openssl/evp.h>
++#include "internal/numbers.h"
+ #include "internal/cryptlib.h"
+ #include "crypto/evp.h"
+ #include "kdf_local.h"
+diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
+--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build	2020-05-18 12:56:05.646655554 +0200
++++ openssl-1.1.1g/crypto/rand/rand_unix.c	2020-05-18 12:58:51.088090896 +0200
+@@ -20,7 +20,7 @@
+ #include "crypto/fips.h"
+ #include <stdio.h>
+ #include "internal/dso.h"
+-#ifdef __linux
++#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
+ # include <sys/syscall.h>
+ # include <sys/random.h>
+ # ifdef DEVRANDOM_WAIT
+diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
+--- openssl-1.1.1g/include/crypto/fips.h.edk2-build	2020-05-18 12:55:53.296548406 +0200
++++ openssl-1.1.1g/include/crypto/fips.h	2020-05-18 12:55:53.340548788 +0200
+@@ -50,10 +50,6 @@
+ #include <openssl/opensslconf.h>
+ #include <openssl/evp.h>
+ 
+-#ifndef OPENSSL_FIPS
+-# error FIPS is disabled.
+-#endif
+-
+ #ifdef OPENSSL_FIPS
+ 
+ int FIPS_module_mode_set(int onoff);
+@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
+ 
+ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+ 
++#else
++
++# define fips_in_post() 0
++
+ #endif

openssl-1.1.1-fips-crng-test.patch

@@ -0,0 +1,408 @@
+diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
+--- openssl-1.1.1g/crypto/rand/build.info.crng-test	2020-04-23 13:30:45.863389837 +0200
++++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:31:55.847069892 +0200
+@@ -1,6 +1,6 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+-        randfile.c rand_lib.c rand_err.c rand_egd.c \
++        randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
+         rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
+ 
+ INCLUDE[drbg_ctr.o]=../modes
+diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
+--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test	2020-04-23 13:30:45.818390686 +0200
++++ openssl-1.1.1g/crypto/rand/drbg_lib.c	2020-04-23 13:30:45.864389819 +0200
+@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
+ 
+ 
+ /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
+-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
++static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
+ 
+ static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
+ 
+@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
+     drbg->parent = parent;
+ 
+     if (parent == NULL) {
++#ifdef OPENSSL_FIPS
++        drbg->get_entropy = rand_crngt_get_entropy;
++        drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
++#else
+         drbg->get_entropy = rand_drbg_get_entropy;
+         drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
++#endif
+ #ifndef RAND_DRBG_GET_RANDOM_NONCE
+         drbg->get_nonce = rand_drbg_get_nonce;
+         drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
+diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
+--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test	2020-04-23 13:30:45.864389819 +0200
++++ openssl-1.1.1g/crypto/rand/rand_crng_test.c	2020-04-23 13:30:45.864389819 +0200
+@@ -0,0 +1,118 @@
++/*
++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++/*
++ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
++ */
++
++#include <string.h>
++#include <openssl/evp.h>
++#include "crypto/rand.h"
++#include "internal/thread_once.h"
++#include "rand_local.h"
++
++static RAND_POOL *crngt_pool;
++static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
++
++int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
++    = &rand_crngt_get_entropy_cb;
++
++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
++                              unsigned int *md_size)
++{
++    int r;
++    size_t n;
++    unsigned char *p;
++
++    n = rand_pool_acquire_entropy(crngt_pool);
++    if (n >= CRNGT_BUFSIZ) {
++        p = rand_pool_detach(crngt_pool);
++        r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
++        if (r != 0)
++            memcpy(buf, p, CRNGT_BUFSIZ);
++        rand_pool_reattach(crngt_pool, p);
++        return r;
++    }
++    return 0;
++}
++
++void rand_crngt_cleanup(void)
++{
++    rand_pool_free(crngt_pool);
++    crngt_pool = NULL;
++}
++
++int rand_crngt_init(void)
++{
++    unsigned char buf[CRNGT_BUFSIZ];
++
++    if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
++        return 0;
++    if (crngt_get_entropy(buf, crngt_prev, NULL)) {
++        OPENSSL_cleanse(buf, sizeof(buf));
++        return 1;
++    }
++    rand_crngt_cleanup();
++    return 0;
++}
++
++static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
++{
++    return OPENSSL_init_crypto(0, NULL)
++        && rand_crngt_init()
++        && OPENSSL_atexit(&rand_crngt_cleanup);
++}
++
++int rand_crngt_single_init(void)
++{
++    return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
++}
++
++size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
++                              unsigned char **pout,
++                              int entropy, size_t min_len, size_t max_len,
++                              int prediction_resistance)
++{
++    unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
++    unsigned int sz;
++    RAND_POOL *pool;
++    size_t q, r = 0, s, t = 0;
++    int attempts = 3;
++
++    if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
++        return 0;
++
++    if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
++        return 0;
++
++    while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
++        s = q > sizeof(buf) ? sizeof(buf) : q;
++        if (!crngt_get_entropy(buf, md, &sz)
++            || memcmp(crngt_prev, md, sz) == 0
++            || !rand_pool_add(pool, buf, s, s * 8))
++            goto err;
++        memcpy(crngt_prev, md, sz);
++        t += s;
++        attempts++;
++    }
++    r = t;
++    *pout = rand_pool_detach(pool);
++err:
++    OPENSSL_cleanse(buf, sizeof(buf));
++    rand_pool_free(pool);
++    return r;
++}
++
++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
++                                unsigned char *out, size_t outlen)
++{
++    OPENSSL_secure_clear_free(out, outlen);
++}
+diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
+--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test	2020-04-23 13:30:45.470397250 +0200
++++ openssl-1.1.1g/crypto/rand/rand_local.h	2020-04-23 13:30:45.864389819 +0200
+@@ -33,7 +33,15 @@
+ # define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */
+ # define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */
+ 
+-
++/*
++ * The number of bytes that constitutes an atomic lump of entropy with respect
++ * to the FIPS 140-2 section 4.9.2 Conditional Tests.  The size is somewhat
++ * arbitrary, the smaller the value, the less entropy is consumed on first
++ * read but the higher the probability of the test failing by accident.
++ *
++ * The value is in bytes.
++ */
++#define CRNGT_BUFSIZ    16
+ 
+ /*
+  * Maximum input size for the DRBG (entropy, nonce, personalization string)
+@@ -44,6 +52,8 @@
+  */
+ # define DRBG_MAX_LENGTH                         INT32_MAX
+ 
++/* The default nonce */
++# define DRBG_DEFAULT_PERS_STRING                "OpenSSL NIST SP 800-90A DRBG"
+ 
+ /*
+  * Maximum allocation size for RANDOM_POOL buffers
+@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
+ /* initializes the AES-CTR DRBG implementation */
+ int drbg_ctr_init(RAND_DRBG *drbg);
+ 
++/*
++ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
++ * These need to be exposed for the unit tests.
++ */
++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
++                              unsigned int *md_size);
++extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
++                                unsigned int *md_size);
++int rand_crngt_init(void);
++void rand_crngt_cleanup(void);
++
++/*
++ * Expose the run once initialisation function for the unit tests because.
++ * they need to restart from scratch to validate the first block is skipped
++ * properly.
++ */
++int rand_crngt_single_init(void);
++
+ #endif
+diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
+--- openssl-1.1.1g/include/crypto/rand.h.crng-test	2020-04-23 13:30:45.824390573 +0200
++++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:30:45.864389819 +0200
+@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
+ 
+ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
+ 
++/* CRNG test entropy filter callbacks. */
++size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
++                              unsigned char **pout,
++                              int entropy, size_t min_len, size_t max_len,
++                              int prediction_resistance);
++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
++                                unsigned char *out, size_t outlen);
++
+ /*
+  * RAND_POOL functions
+  */
+diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
+--- openssl-1.1.1g/test/drbgtest.c.crng-test	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/drbgtest.c	2020-04-23 13:30:45.865389800 +0200
+@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
+     return t->noncelen;
+ }
+ 
++ /*
++ * Disable CRNG testing if it is enabled.
++ * If the DRBG is ready or in an error state, this means an instantiate cycle
++ * for which the default personalisation string is used.
++ */
++static int disable_crngt(RAND_DRBG *drbg)
++{
++    static const char pers[] = DRBG_DEFAULT_PERS_STRING;
++    const int instantiate = drbg->state != DRBG_UNINITIALISED;
++
++    if (drbg->get_entropy != rand_crngt_get_entropy)
++        return 1;
++
++     if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
++        || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
++                                              &rand_drbg_cleanup_entropy,
++                                              &rand_drbg_get_nonce,
++                                              &rand_drbg_cleanup_nonce))
++        || (instantiate
++            && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
++                                      sizeof(pers) - 1)))
++        return 0;
++    return 1;
++}
++
+ static int uninstantiate(RAND_DRBG *drbg)
+ {
+     int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
+@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
+     if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
+         return 0;
+     if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+-                                           kat_nonce, NULL))) {
++                                           kat_nonce, NULL))
++        || !TEST_true(disable_crngt(drbg))) {
+         failures++;
+         goto err;
+     }
+@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
+     unsigned int reseed_counter_tmp;
+     int ret = 0;
+ 
+-    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
++    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
++	|| !TEST_true(disable_crngt(drbg)))
+         goto err;
+ 
+     /*
+@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
+         || !TEST_ptr_eq(private->parent, master))
+         return 0;
+ 
++    /* Disable CRNG testing for the master DRBG */
++    if (!TEST_true(disable_crngt(master)))
++        return 0;
++
+     /* uninstantiate the three global DRBGs */
+     RAND_DRBG_uninstantiate(private);
+     RAND_DRBG_uninstantiate(public);
+@@ -964,7 +995,8 @@ static int test_rand_seed(void)
+     size_t rand_buflen;
+     size_t required_seed_buflen = 0;
+ 
+-    if (!TEST_ptr(master = RAND_DRBG_get0_master()))
++    if (!TEST_ptr(master = RAND_DRBG_get0_master())
++        || !TEST_true(disable_crngt(master)))
+         return 0;
+ 
+ #ifdef OPENSSL_RAND_SEED_NONE
+@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
+     return 1;
+ }
+ 
++/*
++ * A list of the FIPS DRGB types.
++ */
++static const struct s_drgb_types {
++    int nid;
++    int flags;
++} drgb_types[] = {
++    { NID_aes_128_ctr,  0                   },
++    { NID_aes_192_ctr,  0                   },
++    { NID_aes_256_ctr,  0                   },
++};
++
++/* Six cases for each covers seed sizes up to 32 bytes */
++static const size_t crngt_num_cases = 6;
++
++static size_t crngt_case, crngt_idx;
++
++static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
++                            unsigned int *md_size)
++{
++    size_t i, z;
++
++    if (!TEST_int_lt(crngt_idx, crngt_num_cases))
++        return 0;
++    /* Generate a block of unique data unless this is the duplication point */
++    z = crngt_idx++;
++    if (z > 0 && crngt_case == z)
++        z--;
++    for (i = 0; i < CRNGT_BUFSIZ; i++)
++        buf[i] = (unsigned char)(i + 'A' + z);
++    return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
++}
++
++static int test_crngt(int n)
++{
++    const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
++    RAND_DRBG *drbg = NULL;
++    unsigned char buff[100];
++    size_t ent;
++    int res = 0;
++    int expect;
++
++    if (!TEST_true(rand_crngt_single_init()))
++        return 0;
++    rand_crngt_cleanup();
++
++    if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
++        return 0;
++    ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
++    crngt_case = n % crngt_num_cases;
++    crngt_idx = 0;
++    crngt_get_entropy = &crngt_entropy_cb;
++    if (!TEST_true(rand_crngt_init()))
++        goto err;
++#ifndef OPENSSL_FIPS
++    if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
++                                           &rand_crngt_cleanup_entropy,
++                                           &rand_drbg_get_nonce,
++                                           &rand_drbg_cleanup_nonce)))
++        goto err;
++#endif
++    expect = crngt_case == 0 || crngt_case > ent;
++    if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
++        goto err;
++    if (!expect)
++        goto fin;
++    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
++        goto err;
++
++    expect = crngt_case == 0 || crngt_case > 2 * ent;
++    if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
++        goto err;
++    if (!expect)
++        goto fin;
++    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
++        goto err;
++
++fin:
++    res = 1;
++err:
++    if (!res)
++        TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
++                  crngt_case, crngt_idx);
++    uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    crngt_get_entropy = &rand_crngt_get_entropy_cb;
++    return res;
++}
++
+ int setup_tests(void)
+ {
+     app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+@@ -1025,5 +1146,6 @@ int setup_tests(void)
+ #if defined(OPENSSL_THREADS)
+     ADD_TEST(test_multi_thread);
+ #endif
++    ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
+     return 1;
+ }

openssl-1.1.1-fips-curves.patch

@@ -0,0 +1,200 @@
+diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
+--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves	2020-05-18 12:59:54.839643980 +0200
++++ openssl-1.1.1g/crypto/ec/ec_curve.c	2020-05-18 12:59:54.852644093 +0200
+@@ -13,6 +13,7 @@
+ #include <openssl/err.h>
+ #include <openssl/obj_mac.h>
+ #include <openssl/opensslconf.h>
++#include <openssl/crypto.h>
+ #include "internal/nelem.h"
+ 
+ typedef struct {
+@@ -237,6 +238,7 @@ static const struct {
+ 
+ typedef struct _ec_list_element_st {
+     int nid;
++    int fips_allowed;
+     const EC_CURVE_DATA *data;
+     const EC_METHOD *(*meth) (void);
+     const char *comment;
+@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
+     /* prime field curves */
+     /* secg curves */
+ #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
++    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
+      "NIST/SECG curve over a 224 bit prime field"},
+ #else
+-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
++    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
+      "NIST/SECG curve over a 224 bit prime field"},
+ #endif
+-    {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
++    {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
+      "SECG curve over a 256 bit prime field"},
+     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+-    {NID_secp384r1, &_EC_NIST_PRIME_384.h,
++    {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
+ # if defined(S390X_EC_ASM)
+      EC_GFp_s390x_nistp384_method,
+ # else
+      0,
+ # endif
+      "NIST/SECG curve over a 384 bit prime field"},
+-    {NID_secp521r1, &_EC_NIST_PRIME_521.h,
++    {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
+ # if defined(S390X_EC_ASM)
+      EC_GFp_s390x_nistp521_method,
+ # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
+ # endif
+      "NIST/SECG curve over a 521 bit prime field"},
+     /* X9.62 curves */
+-    {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
++    {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
+ #if defined(ECP_NISTZ256_ASM)
+      EC_GFp_nistz256_method,
+ # elif defined(S390X_EC_ASM)
+@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
+ 
+     for (i = 0; i < curve_list_length; i++)
+         if (curve_list[i].nid == nid) {
++            if (!curve_list[i].fips_allowed && FIPS_mode()) {
++                ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
++                return NULL;
++            }
+             ret = ec_group_new_from_data(curve_list[i]);
+             break;
+         }
+@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
+ 
+ size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
+ {
+-    size_t i, min;
++    size_t i, j, num;
++    int fips_mode = FIPS_mode();
+ 
+-    if (r == NULL || nitems == 0)
+-        return curve_list_length;
++    num = curve_list_length;
++    if (fips_mode)
++        for (i = 0; i < curve_list_length; i++) {
++            if (!curve_list[i].fips_allowed)
++                --num;
++        }
+ 
+-    min = nitems < curve_list_length ? nitems : curve_list_length;
++    if (r == NULL || nitems == 0) {
++        return num;
++    }
+ 
+-    for (i = 0; i < min; i++) {
+-        r[i].nid = curve_list[i].nid;
+-        r[i].comment = curve_list[i].comment;
++    for (i = 0, j = 0; i < curve_list_length; i++) {
++        if (j >= nitems)
++            break;
++        if (!fips_mode || curve_list[i].fips_allowed) {
++            r[j].nid = curve_list[i].nid;
++            r[j].comment = curve_list[i].comment;
++            ++j;
++        }
+     }
+ 
+-    return curve_list_length;
++    return num;
+ }
+ 
+ /* Functions to translate between common NIST curve names and NIDs */
+diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves	2020-05-18 12:59:54.797643616 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c	2020-05-18 13:03:54.748725463 +0200
+@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
+ #endif
+ };
+ 
++static const uint16_t tls12_fips_sigalgs[] = {
++#ifndef OPENSSL_NO_EC
++    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
++    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
++    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
++#endif
++
++    TLSEXT_SIGALG_rsa_pss_pss_sha256,
++    TLSEXT_SIGALG_rsa_pss_pss_sha384,
++    TLSEXT_SIGALG_rsa_pss_pss_sha512,
++    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
++    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
++    TLSEXT_SIGALG_rsa_pss_rsae_sha512,
++
++    TLSEXT_SIGALG_rsa_pkcs1_sha256,
++    TLSEXT_SIGALG_rsa_pkcs1_sha384,
++    TLSEXT_SIGALG_rsa_pkcs1_sha512,
++
++#ifndef OPENSSL_NO_EC
++    TLSEXT_SIGALG_ecdsa_sha224,
++#endif
++    TLSEXT_SIGALG_rsa_pkcs1_sha224,
++#ifndef OPENSSL_NO_DSA
++    TLSEXT_SIGALG_dsa_sha224,
++    TLSEXT_SIGALG_dsa_sha256,
++    TLSEXT_SIGALG_dsa_sha384,
++    TLSEXT_SIGALG_dsa_sha512,
++#endif
++};
++
+ #ifndef OPENSSL_NO_EC
+ static const uint16_t suiteb_sigalgs[] = {
+     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
+@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
+     }
+     if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
+         return NULL;
++    if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
++        return NULL;
+     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
+         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
+ 
+@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
+     } else if (s->cert->conf_sigalgs) {
+         *psigs = s->cert->conf_sigalgs;
+         return s->cert->conf_sigalgslen;
++    } else if (FIPS_mode()) {
++        *psigs = tls12_fips_sigalgs;
++        return OSSL_NELEM(tls12_fips_sigalgs);
+     } else {
+         *psigs = tls12_sigalgs;
+         return OSSL_NELEM(tls12_sigalgs);
+@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
+     if (s->cert->conf_sigalgs) {
+         sigs = s->cert->conf_sigalgs;
+         siglen = s->cert->conf_sigalgslen;
++    } else if (FIPS_mode()) {
++        sigs = tls12_fips_sigalgs;
++        siglen = OSSL_NELEM(tls12_fips_sigalgs);
+     } else {
+         sigs = tls12_sigalgs;
+         siglen = OSSL_NELEM(tls12_sigalgs);
+@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
+     if (lu->sig == NID_id_GostR3410_2012_256
+             || lu->sig == NID_id_GostR3410_2012_512
+             || lu->sig == NID_id_GostR3410_2001) {
++        if (FIPS_mode())
++            return 0;
+         /* We never allow GOST sig algs on the server with TLSv1.3 */
+         if (s->server && SSL_IS_TLS13(s))
+             return 0;
+@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
+                 const uint16_t *sent_sigs;
+                 size_t sent_sigslen;
+ 
++                if (fatalerrs && FIPS_mode()) {
++                    /* There are no suitable legacy algorithms in FIPS mode */
++                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
++                             SSL_F_TLS_CHOOSE_SIGALG,
++                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
++                    return 0;
++                }
+                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
+                     if (!fatalerrs)
+                         return 1;

openssl-1.1.1-fips-drbg-selftest.patch

@@ -0,0 +1,587 @@
+diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
+--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest	2020-04-23 13:33:12.500624151 +0200
++++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-04-23 13:33:12.618621925 +0200
+@@ -67,12 +67,18 @@
+ 
+ # include <openssl/fips.h>
+ # include "crypto/fips.h"
++# include "crypto/rand.h"
+ # include "fips_locl.h"
+ 
+ /* Run all selftests */
+ int FIPS_selftest(void)
+ {
+     int rv = 1;
++    if (!rand_drbg_selftest()) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
++        ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
++        rv = 0;
++    }
+     if (!FIPS_selftest_drbg())
+         rv = 0;
+     if (!FIPS_selftest_sha1())
+diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
+--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest	2020-04-23 13:33:12.619621907 +0200
++++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:34:10.857523497 +0200
+@@ -1,6 +1,6 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+         randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
+-        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
++        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
+ 
+ INCLUDE[drbg_ctr.o]=../modes
+diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
+--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest	2020-04-23 13:33:12.619621907 +0200
++++ openssl-1.1.1g/crypto/rand/drbg_selftest.c	2020-04-23 13:33:12.619621907 +0200
+@@ -0,0 +1,537 @@
++/*
++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include <stddef.h>
++#include "internal/nelem.h"
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/rand_drbg.h>
++#include <openssl/obj_mac.h>
++#include "internal/thread_once.h"
++#include "crypto/rand.h"
++
++typedef struct test_ctx_st {
++    const unsigned char *entropy;
++    size_t entropylen;
++    int entropycnt;
++    const unsigned char *nonce;
++    size_t noncelen;
++    int noncecnt;
++} TEST_CTX;
++
++static int app_data_index = -1;
++static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
++{
++    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
++
++    return 1;
++}
++
++enum drbg_kat_type {
++    NO_RESEED,
++    PR_FALSE,
++    PR_TRUE
++};
++
++enum drbg_df {
++    USE_DF,
++    NO_DF,
++    NA
++};
++
++struct drbg_kat_no_reseed {
++    size_t count;
++    const unsigned char *entropyin;
++    const unsigned char *nonce;
++    const unsigned char *persstr;
++    const unsigned char *addin1;
++    const unsigned char *addin2;
++    const unsigned char *retbytes;
++};
++
++struct drbg_kat_pr_false {
++    size_t count;
++    const unsigned char *entropyin;
++    const unsigned char *nonce;
++    const unsigned char *persstr;
++    const unsigned char *entropyinreseed;
++    const unsigned char *addinreseed;
++    const unsigned char *addin1;
++    const unsigned char *addin2;
++    const unsigned char *retbytes;
++};
++
++struct drbg_kat_pr_true {
++    size_t count;
++    const unsigned char *entropyin;
++    const unsigned char *nonce;
++    const unsigned char *persstr;
++    const unsigned char *entropyinpr1;
++    const unsigned char *addin1;
++    const unsigned char *entropyinpr2;
++    const unsigned char *addin2;
++    const unsigned char *retbytes;
++};
++
++struct drbg_kat {
++    enum drbg_kat_type type;
++    enum drbg_df df;
++    int nid;
++
++    size_t entropyinlen;
++    size_t noncelen;
++    size_t persstrlen;
++    size_t addinlen;
++    size_t retbyteslen;
++
++    const void *t;
++};
++
++/*
++ * Excerpt from test/drbg_cavs_data.c
++ * DRBG test vectors from:
++ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
++ */
++
++static const unsigned char kat1308_entropyin[] = {
++    0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
++    0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
++    0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
++    0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
++};
++static const unsigned char kat1308_nonce[] = {0};
++static const unsigned char kat1308_persstr[] = {
++    0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
++    0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
++    0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
++    0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
++};
++static const unsigned char kat1308_addin0[] = {
++    0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
++    0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
++    0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
++    0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
++};
++static const unsigned char kat1308_addin1[] = {
++    0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
++    0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
++    0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
++    0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
++};
++static const unsigned char kat1308_retbits[] = {
++    0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
++    0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
++    0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
++    0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
++    0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
++    0x26, 0x32, 0xd0, 0xb8,
++};
++static const struct drbg_kat_no_reseed kat1308_t = {
++    2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
++    kat1308_addin0, kat1308_addin1, kat1308_retbits
++};
++static const struct drbg_kat kat1308 = {
++    NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
++};
++
++static const unsigned char kat1465_entropyin[] = {
++    0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
++    0x87, 0xbe, 0xaa, 0xc0,
++};
++static const unsigned char kat1465_nonce[] = {
++    0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
++};
++static const unsigned char kat1465_persstr[] = {0};
++static const unsigned char kat1465_entropyinreseed[] = {
++    0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
++    0x1f, 0x4b, 0x7b, 0x51,
++};
++static const unsigned char kat1465_addinreseed[] = {
++    0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
++    0x61, 0x9f, 0x26, 0x5f,
++};
++static const unsigned char kat1465_addin0[] = {
++    0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
++    0x10, 0x5a, 0x73, 0x9c,
++};
++static const unsigned char kat1465_addin1[] = {
++    0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
++    0x47, 0x99, 0x1f, 0xeb,
++};
++static const unsigned char kat1465_retbits[] = {
++    0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
++    0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
++    0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
++    0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
++    0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
++    0x58, 0xdb, 0x27, 0xba,
++};
++static const struct drbg_kat_pr_false kat1465_t = {
++    9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
++    kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
++    kat1465_addin1, kat1465_retbits
++};
++static const struct drbg_kat kat1465 = {
++    PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
++};
++
++static const unsigned char kat3146_entropyin[] = {
++    0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
++    0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
++};
++static const unsigned char kat3146_nonce[] = {
++    0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
++    0x50, 0x86, 0xca, 0xca,
++};
++static const unsigned char kat3146_persstr[] = {0};
++static const unsigned char kat3146_entropyinpr1[] = {
++    0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
++    0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
++};
++static const unsigned char kat3146_addinpr1[] = {
++    0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
++    0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
++    0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
++};
++static const unsigned char kat3146_entropyinpr2[] = {
++    0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
++    0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
++};
++static const unsigned char kat3146_addinpr2[] = {
++    0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
++    0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
++    0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
++};
++static const unsigned char kat3146_retbits[] = {
++    0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
++    0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
++    0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
++    0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
++    0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
++    0xd4, 0x30, 0x73, 0xbb,
++};
++static const struct drbg_kat_pr_true kat3146_t = {
++    10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
++    kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
++    kat3146_addinpr2, kat3146_retbits
++};
++static const struct drbg_kat kat3146 = {
++    PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
++};
++
++static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
++
++static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
++
++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
++                          int entropy, size_t min_len, size_t max_len,
++                          int prediction_resistance)
++{
++    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++
++    t->entropycnt++;
++    *pout = (unsigned char *)t->entropy;
++    return t->entropylen;
++}
++
++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
++                        int entropy, size_t min_len, size_t max_len)
++{
++    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++
++    t->noncecnt++;
++    *pout = (unsigned char *)t->nonce;
++    return t->noncelen;
++}
++
++/*
++ * Do a single NO_RESEED KAT:
++ *
++ * Instantiate
++ * Generate Random Bits (pr=false)
++ * Generate Random Bits (pr=false)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_no_reseed(const struct drbg_kat *td)
++{
++    struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
++    RAND_DRBG *drbg = NULL;
++    unsigned char *buff = NULL;
++    unsigned int flags = 0;
++    int failures = 0;
++    TEST_CTX t;
++
++    if (td->df != USE_DF)
++        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++        return 0;
++
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                 kat_nonce, NULL)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.entropy = data->entropyin;
++    t.entropylen = td->entropyinlen;
++    t.nonce = data->nonce;
++    t.noncelen = td->noncelen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    buff = OPENSSL_malloc(td->retbyteslen);
++    if (buff == NULL) {
++        failures++;
++        goto err;
++    }
++
++    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
++        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++                               data->addin1, td->addinlen)
++        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++                               data->addin2, td->addinlen)
++        || memcmp(data->retbytes, buff,
++                  td->retbyteslen) != 0)
++        failures++;
++
++err:
++    OPENSSL_free(buff);
++    RAND_DRBG_uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++/*-
++ * Do a single PR_FALSE KAT:
++ *
++ * Instantiate
++ * Reseed
++ * Generate Random Bits (pr=false)
++ * Generate Random Bits (pr=false)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_pr_false(const struct drbg_kat *td)
++{
++    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
++    RAND_DRBG *drbg = NULL;
++    unsigned char *buff = NULL;
++    unsigned int flags = 0;
++    int failures = 0;
++    TEST_CTX t;
++
++    if (td->df != USE_DF)
++        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++        return 0;
++
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                 kat_nonce, NULL)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.entropy = data->entropyin;
++    t.entropylen = td->entropyinlen;
++    t.nonce = data->nonce;
++    t.noncelen = td->noncelen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    buff = OPENSSL_malloc(td->retbyteslen);
++    if (buff == NULL) {
++        failures++;
++        goto err;
++    }
++
++    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++        failures++;
++
++    t.entropy = data->entropyinreseed;
++    t.entropylen = td->entropyinlen;
++
++    if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
++        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++                               data->addin1, td->addinlen)
++        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++                               data->addin2, td->addinlen)
++        || memcmp(data->retbytes, buff,
++                  td->retbyteslen) != 0)
++        failures++;
++
++err:
++    OPENSSL_free(buff);
++    RAND_DRBG_uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++/*-
++ * Do a single PR_TRUE KAT:
++ *
++ * Instantiate
++ * Generate Random Bits (pr=true)
++ * Generate Random Bits (pr=true)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_pr_true(const struct drbg_kat *td)
++{
++    struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
++    RAND_DRBG *drbg = NULL;
++    unsigned char *buff = NULL;
++    unsigned int flags = 0;
++    int failures = 0;
++    TEST_CTX t;
++
++    if (td->df != USE_DF)
++        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++        return 0;
++
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                 kat_nonce, NULL)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.nonce = data->nonce;
++    t.noncelen = td->noncelen;
++    t.entropy = data->entropyin;
++    t.entropylen = td->entropyinlen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    buff = OPENSSL_malloc(td->retbyteslen);
++    if (buff == NULL) {
++        failures++;
++        goto err;
++    }
++
++    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++        failures++;
++
++    t.entropy = data->entropyinpr1;
++    t.entropylen = td->entropyinlen;
++
++    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
++                            data->addin1, td->addinlen))
++        failures++;
++
++    t.entropy = data->entropyinpr2;
++    t.entropylen = td->entropyinlen;
++
++    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
++                            data->addin2, td->addinlen)
++        || memcmp(data->retbytes, buff,
++                  td->retbyteslen) != 0)
++        failures++;
++
++err:
++    OPENSSL_free(buff);
++    RAND_DRBG_uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++static int test_kats(int i)
++{
++    const struct drbg_kat *td = drbg_test[i];
++    int rv = 0;
++
++    switch (td->type) {
++    case NO_RESEED:
++        if (!single_kat_no_reseed(td))
++            goto err;
++        break;
++    case PR_FALSE:
++        if (!single_kat_pr_false(td))
++            goto err;
++        break;
++    case PR_TRUE:
++        if (!single_kat_pr_true(td))
++            goto err;
++        break;
++    default:	/* cant happen */
++        goto err;
++    }
++    rv = 1;
++err:
++    return rv;
++}
++
++/*-
++ * Do one expected-error test:
++ *
++ * Instantiate with no entropy supplied
++ *
++ * Return 0 on failure.
++ */
++static int test_drbg_sanity(const struct drbg_kat *td)
++{
++    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
++    RAND_DRBG *drbg = NULL;
++    unsigned int flags = 0;
++    int failures = 0;
++    TEST_CTX t;
++
++    if (td->df != USE_DF)
++        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++        return 0;
++
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                 kat_nonce, NULL)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.entropy = data->entropyin;
++    t.entropylen = 0;     /* No entropy */
++    t.nonce = data->nonce;
++    t.noncelen = td->noncelen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    ERR_set_mark();
++    /* This must fail. */
++    if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++        failures++;
++    RAND_DRBG_uninstantiate(drbg);
++    ERR_pop_to_mark();
++
++err:
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++
++int rand_drbg_selftest(void)
++{
++    int i;
++
++    if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
++        return 0;
++
++    for (i = 0; i < drbg_test_nelem; i++) {
++        if (test_kats(i) <= 0)
++            return 0;
++    }
++
++    if (test_drbg_sanity(&kat1465) <= 0)
++        return 0;
++
++    return 1;
++}
+diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
+--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest	2020-04-23 13:33:12.587622510 +0200
++++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:33:12.619621907 +0200
+@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
+  */
+ void rand_pool_keep_random_devices_open(int keep);
+ 
++/*
++ * Perform the DRBG KAT selftests
++ */
++int rand_drbg_selftest(void);
++
+ #endif

openssl-1.1.1-fips-post-rand.patch

@@ -0,0 +1,189 @@
+diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/fips/fips.c
+--- openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand	2020-03-17 18:06:16.822418854 +0100
++++ openssl-1.1.1e/crypto/fips/fips.c	2020-03-17 18:06:16.861418172 +0100
+@@ -68,6 +68,7 @@
+ 
+ # include <openssl/fips.h>
+ # include "internal/thread_once.h"
++# include "crypto/rand.h"
+ 
+ # ifndef PATH_MAX
+ #  define PATH_MAX 1024
+@@ -76,6 +77,7 @@
+ static int fips_selftest_fail = 0;
+ static int fips_mode = 0;
+ static int fips_started = 0;
++static int fips_post = 0;
+ 
+ static int fips_is_owning_thread(void);
+ static int fips_set_owning_thread(void);
+@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
+     fips_selftest_fail = 1;
+ }
+ 
++int fips_in_post(void)
++{
++    return fips_post;
++}
++
+ /* we implement what libfipscheck does ourselves */
+ 
+ static int
+@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
+         }
+ # endif
+ 
++        fips_post = 1;
++
+         if (!FIPS_selftest()) {
+             fips_selftest_fail = 1;
+             ret = 0;
+@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
+             goto end;
+         }
+ 
++        fips_post = 0;
++
+         fips_set_mode(onoff);
++        /* force RNG reseed with entropy from getrandom() on next call */
++        rand_force_reseed();
++
+         ret = 1;
+         goto end;
+     }
+diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/crypto/rand/drbg_lib.c
+--- openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rand/drbg_lib.c	2020-03-17 18:07:35.305045521 +0100
+@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
+     return min_entropy > min_entropylen ? min_entropy : min_entropylen;
+ }
+ 
++void rand_force_reseed(void)
++{
++    RAND_DRBG *drbg;
++
++    drbg = RAND_DRBG_get0_master();
++    drbg->fork_id = 0;
++
++    drbg = RAND_DRBG_get0_private();
++    drbg->fork_id = 0;
++
++    drbg = RAND_DRBG_get0_public();
++    drbg->fork_id = 0;
++}
++
+ /* Implements the default OpenSSL RAND_add() method */
+ static int drbg_add(const void *buf, int num, double randomness)
+ {
+diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/crypto/rand/rand_unix.c
+--- openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rand/rand_unix.c	2020-03-17 18:09:01.503537189 +0100
+@@ -17,10 +17,12 @@
+ #include <openssl/crypto.h>
+ #include "rand_local.h"
+ #include "crypto/rand.h"
++#include "crypto/fips.h"
+ #include <stdio.h>
+ #include "internal/dso.h"
+ #ifdef __linux
+ # include <sys/syscall.h>
++# include <sys/random.h>
+ # ifdef DEVRANDOM_WAIT
+ #  include <sys/shm.h>
+ #  include <sys/utsname.h>
+@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
+  * syscall_random(): Try to get random data using a system call
+  * returns the number of bytes returned in buf, or < 0 on error.
+  */
+-static ssize_t syscall_random(void *buf, size_t buflen)
++static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
+ {
+     /*
+      * Note: 'buflen' equals the size of the buffer which is used by the
+@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
+      * - Linux since 3.17 with glibc 2.25
+      * - FreeBSD since 12.0 (1200061)
+      */
++#  if 0
+ #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
+     extern int getentropy(void *buffer, size_t length) __attribute__((weak));
+ 
+@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
+     if (p_getentropy.p != NULL)
+         return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
+ #  endif
+-
++#  endif
+     /* Linux supports this since version 3.17 */
+-#  if defined(__linux) && defined(__NR_getrandom)
+-    return syscall(__NR_getrandom, buf, buflen, 0);
++#  if defined(__linux) && defined(SYS_getrandom)
++    return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
+ #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
+     return sysctl_random(buf, buflen);
+ #  else
+@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+     size_t entropy_available;
+ 
+ #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
++    int in_post;
++
++    for (in_post = fips_in_post(); in_post >= 0; --in_post) {
+     {
+         size_t bytes_needed;
+         unsigned char *buffer;
+@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
+         bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+         while (bytes_needed != 0 && attempts-- > 0) {
+             buffer = rand_pool_add_begin(pool, bytes_needed);
+-            bytes = syscall_random(buffer, bytes_needed);
++            bytes = syscall_random(buffer, bytes_needed, in_post);
+             if (bytes > 0) {
+                 rand_pool_add_end(pool, bytes, 8 * bytes);
+                 bytes_needed -= bytes;
+@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+             int attempts = 3;
+             const int fd = get_random_device(i);
+ 
+-            if (fd == -1)
++            if (fd == -1) {
++                OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]);
+                 continue;
++            }
+ 
+             while (bytes_needed != 0 && attempts-- > 0) {
+                 buffer = rand_pool_add_begin(pool, bytes_needed);
+@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+             return entropy_available;
+     }
+ #   endif
+-
++#   ifdef OPENSSL_RAND_SEED_GETRANDOM
++    }
++#   endif
+     return rand_pool_entropy_available(pool);
+ #  endif
+ }
+diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/include/crypto/fips.h
+--- openssl-1.1.1e/include/crypto/fips.h.fips-post-rand	2020-03-17 18:06:16.831418696 +0100
++++ openssl-1.1.1e/include/crypto/fips.h	2020-03-17 18:06:16.861418172 +0100
+@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
+ int FIPS_selftest_drbg(void);
+ int FIPS_selftest_cmac(void);
+ 
++int fips_in_post(void);
++
+ int fips_pkey_signature_test(EVP_PKEY *pkey,
+                                  const unsigned char *tbs, int tbslen,
+                                  const unsigned char *kat,
+diff -up openssl-1.1.1e/include/crypto/rand.h.fips-post-rand openssl-1.1.1e/include/crypto/rand.h
+--- openssl-1.1.1e/include/crypto/rand.h.fips-post-rand	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/crypto/rand.h	2020-03-17 18:07:35.303045555 +0100
+@@ -24,6 +24,7 @@
+ typedef struct rand_pool_st RAND_POOL;
+ 
+ void rand_cleanup_int(void);
++void rand_force_reseed(void);
+ void rand_drbg_cleanup_int(void);
+ void drbg_delete_thread_state(void);
+ 

openssl-1.1.1-ignore-bound.patch

@@ -1,14 +0,0 @@
-Do not return failure when setting version bound on fixed protocol
-version method.
-diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
---- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound	2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c	2018-08-13 11:07:52.826304045 +0200
-@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
-          * methods are not subject to controls that disable individual protocol
-          * versions.
-          */
--        return 0;
-+        return 1;
- 
-     case TLS_ANY_VERSION:
-         if (version < SSL3_VERSION || version > TLS_MAX_VERSION)

openssl-1.1.1-intel-cet.patch

@@ -0,0 +1,500 @@
+diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl
+--- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl	2020-03-19 17:07:02.626522694 +0100
+@@ -275,6 +275,7 @@ $code.=<<___;
+ .align	16
+ ${PREFIX}_encrypt:
+ .cfi_startproc
++	endbranch
+ 	movups	($inp),$inout0		# load input
+ 	mov	240($key),$rounds	# key->rounds
+ ___
+@@ -293,6 +294,7 @@ $code.=<<___;
+ .align	16
+ ${PREFIX}_decrypt:
+ .cfi_startproc
++	endbranch
+ 	movups	($inp),$inout0		# load input
+ 	mov	240($key),$rounds	# key->rounds
+ ___
+@@ -613,6 +615,7 @@ $code.=<<___;
+ .align	16
+ aesni_ecb_encrypt:
+ .cfi_startproc
++	endbranch
+ ___
+ $code.=<<___ if ($win64);
+ 	lea	-0x58(%rsp),%rsp
+@@ -985,6 +988,7 @@ $code.=<<___;
+ .align	16
+ aesni_ccm64_encrypt_blocks:
+ .cfi_startproc
++	endbranch
+ ___
+ $code.=<<___ if ($win64);
+ 	lea	-0x58(%rsp),%rsp
+@@ -1077,6 +1081,7 @@ $code.=<<___;
+ .align	16
+ aesni_ccm64_decrypt_blocks:
+ .cfi_startproc
++	endbranch
+ ___
+ $code.=<<___ if ($win64);
+ 	lea	-0x58(%rsp),%rsp
+@@ -1203,6 +1208,7 @@ $code.=<<___;
+ .align	16
+ aesni_ctr32_encrypt_blocks:
+ .cfi_startproc
++	endbranch
+ 	cmp	\$1,$len
+ 	jne	.Lctr32_bulk
+ 
+@@ -1775,6 +1781,7 @@ $code.=<<___;
+ .align	16
+ aesni_xts_encrypt:
+ .cfi_startproc
++	endbranch
+ 	lea	(%rsp),%r11			# frame pointer
+ .cfi_def_cfa_register	%r11
+ 	push	%rbp
+@@ -2258,6 +2265,7 @@ $code.=<<___;
+ .align	16
+ aesni_xts_decrypt:
+ .cfi_startproc
++	endbranch
+ 	lea	(%rsp),%r11			# frame pointer
+ .cfi_def_cfa_register	%r11
+ 	push	%rbp
+@@ -2783,6 +2791,7 @@ $code.=<<___;
+ .align	32
+ aesni_ocb_encrypt:
+ .cfi_startproc
++	endbranch
+ 	lea	(%rsp),%rax
+ 	push	%rbx
+ .cfi_push	%rbx
+@@ -3249,6 +3258,7 @@ __ocb_encrypt1:
+ .align	32
+ aesni_ocb_decrypt:
+ .cfi_startproc
++	endbranch
+ 	lea	(%rsp),%rax
+ 	push	%rbx
+ .cfi_push	%rbx
+@@ -3737,6 +3747,7 @@ $code.=<<___;
+ .align	16
+ ${PREFIX}_cbc_encrypt:
+ .cfi_startproc
++	endbranch
+ 	test	$len,$len		# check length
+ 	jz	.Lcbc_ret
+ 
+diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl
+--- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl	2020-03-19 17:00:15.974621757 +0100
+@@ -696,6 +696,7 @@ _vpaes_schedule_mangle:
+ .align	16
+ ${PREFIX}_set_encrypt_key:
+ .cfi_startproc
++	endbranch
+ ___
+ $code.=<<___ if ($win64);
+ 	lea	-0xb8(%rsp),%rsp
+@@ -746,6 +747,7 @@ $code.=<<___;
+ .align	16
+ ${PREFIX}_set_decrypt_key:
+ .cfi_startproc
++	endbranch
+ ___
+ $code.=<<___ if ($win64);
+ 	lea	-0xb8(%rsp),%rsp
+@@ -801,6 +803,7 @@ $code.=<<___;
+ .align	16
+ ${PREFIX}_encrypt:
+ .cfi_startproc
++	endbranch
+ ___
+ $code.=<<___ if ($win64);
+ 	lea	-0xb8(%rsp),%rsp
+@@ -846,6 +849,7 @@ $code.=<<___;
+ .align	16
+ ${PREFIX}_decrypt:
+ .cfi_startproc
++	endbranch
+ ___
+ $code.=<<___ if ($win64);
+ 	lea	-0xb8(%rsp),%rsp
+@@ -897,6 +901,7 @@ $code.=<<___;
+ .align	16
+ ${PREFIX}_cbc_encrypt:
+ .cfi_startproc
++	endbranch
+ 	xchg	$key,$len
+ ___
+ ($len,$key)=($key,$len);
+diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c
+--- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/async/arch/async_posix.c	2020-03-19 17:00:15.974621757 +0100
+@@ -34,7 +34,9 @@ void async_local_cleanup(void)
+ 
+ int async_fibre_makecontext(async_fibre *fibre)
+ {
++#ifndef USE_SWAPCONTEXT
+     fibre->env_init = 0;
++#endif
+     if (getcontext(&fibre->fibre) == 0) {
+         fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE);
+         if (fibre->fibre.uc_stack.ss_sp != NULL) {
+diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h
+--- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet	2020-03-19 17:00:15.435631166 +0100
++++ openssl-1.1.1e/crypto/async/arch/async_posix.h	2020-03-19 17:00:15.975621739 +0100
+@@ -25,17 +25,33 @@
+ #  define ASYNC_POSIX
+ #  define ASYNC_ARCH
+ 
++#  ifdef __CET__
++/*
++ * When Intel CET is enabled, makecontext will create a different
++ * shadow stack for each context.  async_fibre_swapcontext cannot
++ * use _longjmp.  It must call swapcontext to swap shadow stack as
++ * well as normal stack.
++ */
++#   define USE_SWAPCONTEXT
++#  endif
+ #  include <ucontext.h>
+-#  include <setjmp.h>
++#  ifndef USE_SWAPCONTEXT
++#   include <setjmp.h>
++#  endif
+ 
+ typedef struct async_fibre_st {
+     ucontext_t fibre;
++#  ifndef USE_SWAPCONTEXT
+     jmp_buf env;
+     int env_init;
++#  endif
+ } async_fibre;
+ 
+ static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r)
+ {
++#  ifdef USE_SWAPCONTEXT
++    swapcontext(&o->fibre, &n->fibre);
++#  else
+     o->env_init = 1;
+ 
+     if (!r || !_setjmp(o->env)) {
+@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc
+         else
+             setcontext(&n->fibre);
+     }
++#  endif
+ 
+     return 1;
+ }
+diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl
+--- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl	2020-03-19 17:00:15.975621739 +0100
+@@ -685,6 +685,7 @@ $code.=<<___;
+ .align	16
+ Camellia_cbc_encrypt:
+ .cfi_startproc
++	endbranch
+ 	cmp	\$0,%rdx
+ 	je	.Lcbc_abort
+ 	push	%rbx
+diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl
+--- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl	2020-03-19 17:00:15.975621739 +0100
+@@ -239,6 +239,7 @@ $code=<<___;
+ .align	16
+ gcm_gmult_4bit:
+ .cfi_startproc
++	endbranch
+ 	push	%rbx
+ .cfi_push	%rbx
+ 	push	%rbp		# %rbp and others are pushed exclusively in
+@@ -286,6 +287,7 @@ $code.=<<___;
+ .align	16
+ gcm_ghash_4bit:
+ .cfi_startproc
++	endbranch
+ 	push	%rbx
+ .cfi_push	%rbx
+ 	push	%rbp
+@@ -612,6 +614,7 @@ $code.=<<___;
+ .align	16
+ gcm_gmult_clmul:
+ .cfi_startproc
++	endbranch
+ .L_gmult_clmul:
+ 	movdqu		($Xip),$Xi
+ 	movdqa		.Lbswap_mask(%rip),$T3
+@@ -663,6 +666,7 @@ $code.=<<___;
+ .align	32
+ gcm_ghash_clmul:
+ .cfi_startproc
++	endbranch
+ .L_ghash_clmul:
+ ___
+ $code.=<<___ if ($win64);
+@@ -1166,6 +1170,7 @@ $code.=<<___;
+ .align	32
+ gcm_gmult_avx:
+ .cfi_startproc
++	endbranch
+ 	jmp	.L_gmult_clmul
+ .cfi_endproc
+ .size	gcm_gmult_avx,.-gcm_gmult_avx
+@@ -1177,6 +1182,7 @@ $code.=<<___;
+ .align	32
+ gcm_ghash_avx:
+ .cfi_startproc
++	endbranch
+ ___
+ if ($avx) {
+ my ($Xip,$Htbl,$inp,$len)=@_4args;
+diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl
+--- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/perlasm/cbc.pl	2020-03-19 17:00:15.976621722 +0100
+@@ -165,21 +165,28 @@ sub cbc
+ 	&jmp_ptr($count);
+ 
+ &set_label("ej7");
++	&endbranch()
+ 	&movb(&HB("edx"),	&BP(6,$in,"",0));
+ 	&shl("edx",8);
+ &set_label("ej6");
++	&endbranch()
+ 	&movb(&HB("edx"),	&BP(5,$in,"",0));
+ &set_label("ej5");
++	&endbranch()
+ 	&movb(&LB("edx"),	&BP(4,$in,"",0));
+ &set_label("ej4");
++	&endbranch()
+ 	&mov("ecx",		&DWP(0,$in,"",0));
+ 	&jmp(&label("ejend"));
+ &set_label("ej3");
++	&endbranch()
+ 	&movb(&HB("ecx"),	&BP(2,$in,"",0));
+ 	&shl("ecx",8);
+ &set_label("ej2");
++	&endbranch()
+ 	&movb(&HB("ecx"),	&BP(1,$in,"",0));
+ &set_label("ej1");
++	&endbranch()
+ 	&movb(&LB("ecx"),	&BP(0,$in,"",0));
+ &set_label("ejend");
+ 
+diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl
+--- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl	2020-03-19 17:00:15.984621582 +0100
+@@ -101,6 +101,33 @@ elsif (!$gas)
+     $decor="\$L\$";
+ }
+ 
++my $cet_property;
++if ($flavour =~ /elf/) {
++	# Always generate .note.gnu.property section for ELF outputs to
++	# mark Intel CET support since all input files must be marked
++	# with Intel CET support in order for linker to mark output with
++	# Intel CET support.
++	my $p2align=3; $p2align=2 if ($flavour eq "elf32");
++	$cet_property = <<_____;
++	.section ".note.gnu.property", "a"
++	.p2align $p2align
++	.long 1f - 0f
++	.long 4f - 1f
++	.long 5
++0:
++	.asciz "GNU"
++1:
++	.p2align $p2align
++	.long 0xc0000002
++	.long 3f - 2f
++2:
++	.long 3
++3:
++	.p2align $p2align
++4:
++_____
++}
++
+ my $current_segment;
+ my $current_function;
+ my %globals;
+@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) {
+     print $line,"\n";
+ }
+ 
++print "$cet_property"			if ($cet_property);
+ print "\n$current_segment\tENDS\n"	if ($current_segment && $masm);
+ print "END\n"				if ($masm);
+ 
+diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl
+--- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/perlasm/x86gas.pl	2020-03-19 17:00:15.985621565 +0100
+@@ -124,6 +124,7 @@ sub ::function_begin_B
+     push(@out,".align\t$align\n");
+     push(@out,"$func:\n");
+     push(@out,"$begin:\n")		if ($global);
++    &::endbranch();
+     $::stack=4;
+ }
+ 
+@@ -172,6 +173,26 @@ sub ::file_end
+ 	else		{ push (@out,"$tmp\n"); }
+     }
+     push(@out,$initseg) if ($initseg);
++    if ($::elf) {
++	push(@out,"
++	.section \".note.gnu.property\", \"a\"
++	.p2align 2
++	.long 1f - 0f
++	.long 4f - 1f
++	.long 5
++0:
++	.asciz \"GNU\"
++1:
++	.p2align 2
++	.long 0xc0000002
++	.long 3f - 2f
++2:
++	.long 3
++3:
++	.p2align 2
++4:
++");
++    }
+ }
+ 
+ sub ::data_byte	{   push(@out,".byte\t".join(',',@_)."\n");   }
+diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl
+--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet	2020-03-19 17:00:38.185234015 +0100
++++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl	2020-03-19 17:05:46.575850341 +0100
+@@ -2806,6 +2806,7 @@ $code.=<<___;
+ .align	32
+ poly1305_blocks_vpmadd52:
+ .cfi_startproc
++	endbranch
+ 	shr	\$4,$len
+ 	jz	.Lno_data_vpmadd52		# too short
+ 
+@@ -3739,6 +3740,7 @@ $code.=<<___;
+ .align	32
+ poly1305_emit_base2_44:
+ .cfi_startproc
++	endbranch
+ 	mov	0($ctx),%r8	# load hash value
+ 	mov	8($ctx),%r9
+ 	mov	16($ctx),%r10
+diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl
+--- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet	2020-03-19 17:00:38.190233928 +0100
++++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl	2020-03-19 17:05:02.598618064 +0100
+@@ -140,6 +140,7 @@ $code=<<___;
+ .align	16
+ RC4:
+ .cfi_startproc
++	endbranch
+ 	or	$len,$len
+ 	jne	.Lentry
+ 	ret
+@@ -455,6 +456,7 @@ $code.=<<___;
+ .align	16
+ RC4_set_key:
+ .cfi_startproc
++	endbranch
+ 	lea	8($dat),$dat
+ 	lea	($inp,$len),$inp
+ 	neg	$len
+@@ -529,6 +531,7 @@ RC4_set_key:
+ .align	16
+ RC4_options:
+ .cfi_startproc
++	endbranch
+ 	lea	.Lopts(%rip),%rax
+ 	mov	OPENSSL_ia32cap_P(%rip),%edx
+ 	bt	\$20,%edx
+diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl
+--- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/x86_64cpuid.pl	2020-03-19 17:03:58.172742775 +0100
+@@ -40,6 +40,7 @@ print<<___;
+ .align	16
+ OPENSSL_atomic_add:
+ .cfi_startproc
++	endbranch
+ 	movl	($arg1),%eax
+ .Lspin:	leaq	($arg2,%rax),%r8
+ 	.byte	0xf0		# lock
+@@ -56,6 +57,7 @@ OPENSSL_atomic_add:
+ .align	16
+ OPENSSL_rdtsc:
+ .cfi_startproc
++	endbranch
+ 	rdtsc
+ 	shl	\$32,%rdx
+ 	or	%rdx,%rax
+@@ -68,6 +70,7 @@ OPENSSL_rdtsc:
+ .align	16
+ OPENSSL_ia32_cpuid:
+ .cfi_startproc
++	endbranch
+ 	mov	%rbx,%r8		# save %rbx
+ .cfi_register	%rbx,%r8
+ 
+@@ -237,6 +240,7 @@ OPENSSL_ia32_cpuid:
+ .align  16
+ OPENSSL_cleanse:
+ .cfi_startproc
++	endbranch
+ 	xor	%rax,%rax
+ 	cmp	\$15,$arg2
+ 	jae	.Lot
+@@ -274,6 +278,7 @@ OPENSSL_cleanse:
+ .align  16
+ CRYPTO_memcmp:
+ .cfi_startproc
++	endbranch
+ 	xor	%rax,%rax
+ 	xor	%r10,%r10
+ 	cmp	\$0,$arg3
+@@ -312,6 +317,7 @@ print<<___ if (!$win64);
+ .align	16
+ OPENSSL_wipe_cpu:
+ .cfi_startproc
++	endbranch
+ 	pxor	%xmm0,%xmm0
+ 	pxor	%xmm1,%xmm1
+ 	pxor	%xmm2,%xmm2
+@@ -346,6 +352,8 @@ print<<___ if ($win64);
+ .type	OPENSSL_wipe_cpu,\@abi-omnipotent
+ .align	16
+ OPENSSL_wipe_cpu:
++.cfi_startproc
++	endbranch
+ 	pxor	%xmm0,%xmm0
+ 	pxor	%xmm1,%xmm1
+ 	pxor	%xmm2,%xmm2
+@@ -376,6 +384,7 @@ print<<___;
+ .align	16
+ OPENSSL_instrument_bus:
+ .cfi_startproc
++	endbranch
+ 	mov	$arg1,$out	# tribute to Win64
+ 	mov	$arg2,$cnt
+ 	mov	$arg2,$max
+@@ -410,6 +419,7 @@ OPENSSL_instrument_bus:
+ .align	16
+ OPENSSL_instrument_bus2:
+ .cfi_startproc
++	endbranch
+ 	mov	$arg1,$out	# tribute to Win64
+ 	mov	$arg2,$cnt
+ 	mov	$arg3,$max
+@@ -465,6 +475,7 @@ print<<___;
+ .align	16
+ OPENSSL_ia32_${rdop}_bytes:
+ .cfi_startproc
++	endbranch
+ 	xor	%rax, %rax	# return value
+ 	cmp	\$0,$arg2
+ 	je	.Ldone_${rdop}_bytes

openssl-1.1.1-kdf-selftest.patch

@@ -0,0 +1,170 @@
+diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
+--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest	2020-06-03 16:08:36.274849058 +0200
++++ openssl-1.1.1g/crypto/fips/build.info	2020-06-03 16:11:05.609079372 +0200
+@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
+         fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+         fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+-        fips_dh_selftest.c fips_ers.c
++        fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
+ 
+ PROGRAMS_NO_INST=\
+           fips_standalone_hmac
+diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
+--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest	2020-06-03 16:08:36.337849577 +0200
++++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c	2020-06-03 16:08:36.337849577 +0200
+@@ -0,0 +1,117 @@
++/*
++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include "crypto/fips.h"
++
++#include <openssl/evp.h>
++#include <openssl/kdf.h>
++
++#ifdef OPENSSL_FIPS
++int FIPS_selftest_pbkdf2(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[32];
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++        goto err;
++    }
++
++    {
++        const unsigned char expected[sizeof(out)] = {
++            0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
++            0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
++            0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
++            0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
++        };
++        if (memcmp(out, expected, sizeof(expected))) {
++            goto err;
++        }
++    }
++    ret = 1;
++
++err:
++    if (!ret)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
++/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
++ * 5) appendix A. */
++int FIPS_selftest_kbkdf(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    char *label = "prf", *prf_input = "test";
++    static unsigned char input_key[] = {
++        0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
++        0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
++    };
++    static unsigned char output[] = {
++        0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
++        0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
++        0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
++        0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
++    };
++    unsigned char result[sizeof(output)] = { 0 };
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
++        goto err;
++    }
++    ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
++        && memcmp(result, output, sizeof(output)) == 0;
++err:
++
++    if (!ret)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
++int FIPS_selftest_kdf(void)
++{
++    return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf();
++}
++
++#endif
+diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
+--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest	2020-06-03 16:08:36.332849536 +0200
++++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-06-03 16:08:36.338849585 +0200
+@@ -111,6 +111,8 @@ int FIPS_selftest(void)
+         rv = 0;
+     if (!FIPS_selftest_ecdh())
+         rv = 0;
++    if (!FIPS_selftest_kdf())
++        rv = 0;
+     return rv;
+ }
+ 
+diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
+--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest	2020-06-03 16:08:36.330849519 +0200
++++ openssl-1.1.1g/include/crypto/fips.h	2020-06-03 16:08:36.338849585 +0200
+@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff);
+ int FIPS_selftest_hmac(void);
+ int FIPS_selftest_drbg(void);
+ int FIPS_selftest_cmac(void);
++int FIPS_selftest_kbkdf(void);
++int FIPS_selftest_pbkdf2(void);
++int FIPS_selftest_kdf(void);
+ 
+ int fips_in_post(void);
+ 
+diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
+--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest	2020-06-03 16:08:36.282849124 +0200
++++ openssl-1.1.1g/include/openssl/fips.h	2020-06-03 16:08:36.338849585 +0200
+@@ -123,6 +123,8 @@ extern "C" {
+ # define FIPS_F_FIPS_SELFTEST_DSA                         112
+ # define FIPS_F_FIPS_SELFTEST_ECDSA                       133
+ # define FIPS_F_FIPS_SELFTEST_HMAC                        113
++# define FIPS_F_FIPS_SELFTEST_KBKDF                       151
++# define FIPS_F_FIPS_SELFTEST_PBKDF2                      152
+ # define FIPS_F_FIPS_SELFTEST_SHA1                        115
+ # define FIPS_F_FIPS_SELFTEST_SHA2                        105
+ # define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143

openssl-1.1.1-no-brainpool.patch

@@ -0,0 +1,112 @@
+diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in
+--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool	2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in	2019-09-13 15:11:07.358687169 +0200
+@@ -147,22 +147,22 @@ our @tests = (
+     {
+         name => "ECDSA with brainpool",
+         server =>  {
+-            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+-            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+-            "Groups" => "brainpoolP256r1",
++            "Certificate" => test_pem("server-ecdsa-cert.pem"),
++            "PrivateKey" => test_pem("server-ecdsa-key.pem"),
++#            "Groups" => "brainpoolP256r1",
+         },
+         client => {
+             #We don't restrict this to TLSv1.2, although use of brainpool
+             #should force this anyway so that this should succeed
+             "CipherString" => "aECDSA",
+             "RequestCAFile" => test_pem("root-cert.pem"),
+-            "Groups" => "brainpoolP256r1",
++#            "Groups" => "brainpoolP256r1",
+         },
+         test   => {
+-            "ExpectedServerCertType" =>, "brainpoolP256r1",
+-            "ExpectedServerSignType" =>, "EC",
++#            "ExpectedServerCertType" =>, "brainpoolP256r1",
++#            "ExpectedServerSignType" =>, "EC",
+             # Note: certificate_authorities not sent for TLS < 1.3
+-            "ExpectedServerCANames" =>, "empty",
++#            "ExpectedServerCANames" =>, "empty",
+             "ExpectedResult" => "Success"
+         },
+     },
+@@ -853,18 +853,18 @@ my @tests_tls_1_3 = (
+     {
+         name => "TLS 1.3 ECDSA with brainpool",
+         server =>  {
+-            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+-            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+-            "Groups" => "brainpoolP256r1",
++            "Certificate" => test_pem("server-ecdsa-cert.pem"),
++            "PrivateKey" => test_pem("server-ecdsa-key.pem"),
++#            "Groups" => "brainpoolP256r1",
+         },
+         client => {
+             "RequestCAFile" => test_pem("root-cert.pem"),
+-            "Groups" => "brainpoolP256r1",
++#            "Groups" => "brainpoolP256r1",
+             "MinProtocol" => "TLSv1.3",
+             "MaxProtocol" => "TLSv1.3"
+         },
+         test   => {
+-            "ExpectedResult" => "ServerFail"
++            "ExpectedResult" => "Success"
+         },
+     },
+ );
+diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf
+--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool	2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf	2019-09-13 15:12:27.380288469 +0200
+@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server
+ client = 5-ECDSA with brainpool-client
+ 
+ [5-ECDSA with brainpool-server]
+-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ CipherString = DEFAULT
+-Groups = brainpoolP256r1
+-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+ 
+ [5-ECDSA with brainpool-client]
+ CipherString = aECDSA
+-Groups = brainpoolP256r1
+ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+ VerifyMode = Peer
+ 
+ [test-5]
+ ExpectedResult = Success
+-ExpectedServerCANames = empty
+-ExpectedServerCertType = brainpoolP256r1
+-ExpectedServerSignType = EC
+ 
+ 
+ # ===========================================================
+@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool
+ client = 52-TLS 1.3 ECDSA with brainpool-client
+ 
+ [52-TLS 1.3 ECDSA with brainpool-server]
+-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ CipherString = DEFAULT
+-Groups = brainpoolP256r1
+-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+ 
+ [52-TLS 1.3 ECDSA with brainpool-client]
+ CipherString = DEFAULT
+-Groups = brainpoolP256r1
+ MaxProtocol = TLSv1.3
+ MinProtocol = TLSv1.3
+ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
+ VerifyMode = Peer
+ 
+ [test-52]
+-ExpectedResult = ServerFail
++ExpectedResult = Success
+ 
+ 
+ # ===========================================================

openssl-1.1.1-no-html.patch

@@ -0,0 +1,12 @@
+diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html	2020-04-07 16:45:21.904083989 +0200
++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl	2020-04-07 16:45:56.218461895 +0200
+@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
+ 
+ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+ 
+-install_docs: install_man_docs install_html_docs
++install_docs: install_man_docs
+ 
+ uninstall_docs: uninstall_man_docs uninstall_html_docs
+ 	$(RM) -r "$(DESTDIR)$(DOCDIR)"

openssl-1.1.1-no-weak-verify.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/crypto/asn1/a_verify.c
---- openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify	2017-11-02 15:29:02.000000000 +0100
-+++ openssl-1.1.0g/crypto/asn1/a_verify.c	2017-11-03 16:15:46.125801341 +0100
+diff -up openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.1b/crypto/asn1/a_verify.c
+--- openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify	2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/asn1/a_verify.c	2019-02-28 11:25:31.531862873 +0100
 @@ -7,6 +7,9 @@
   * https://www.openssl.org/source/license.html
   */
@@ -11,7 +11,7 @@ diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/cryp
  #include <stdio.h>
  #include <time.h>
  #include <sys/types.h>
-@@ -126,6 +129,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
+@@ -130,6 +133,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
          if (ret != 2)
              goto err;
          ret = -1;
@@ -22,5 +22,5 @@ diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/cryp
 +                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
 +        goto err;
      } else {
-         const EVP_MD *type;
-         type = EVP_get_digestbynid(mdnid);
+         const EVP_MD *type = EVP_get_digestbynid(mdnid);
+ 

openssl-1.1.1-rewire-fips-drbg.patch

@@ -0,0 +1,170 @@
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg	2020-06-22 13:32:47.611852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c	2020-06-22 13:32:47.675852917 +0200
+@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
+ int FIPS_drbg_reseed(DRBG_CTX *dctx,
+                      const unsigned char *adin, size_t adinlen)
+ {
++    int len = (int)adinlen;
++
++    if (len < 0 || (size_t)len != adinlen) {
++        FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++        return 0;
++    }
++    RAND_seed(adin, len);
++    return 1;
++}
++
++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
++                     const unsigned char *adin, size_t adinlen)
++{
+     return drbg_reseed(dctx, adin, adinlen, 1);
+ }
+ 
+@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
+                        int prediction_resistance,
+                        const unsigned char *adin, size_t adinlen)
+ {
++    int len = (int)outlen;
++
++    if (len < 0 || (size_t)len != outlen) {
++        FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
++        return 0;
++    }
++    return RAND_bytes(out, len);
++}
++
++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++                       int prediction_resistance,
++                       const unsigned char *adin, size_t adinlen)
++{
+     int r = 0;
+ 
+     if (FIPS_selftest_failed()) {
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg	2020-06-22 13:32:47.611852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c	2020-06-22 13:32:47.675852917 +0200
+@@ -57,6 +57,8 @@
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ #include <openssl/fips.h>
++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
+ #include <openssl/fips_rand.h>
+ #include "fips_rand_lcl.h"
+ 
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg	2020-06-22 13:32:47.612852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c	2020-06-22 13:32:47.675852917 +0200
+@@ -55,6 +55,8 @@
+ #include <openssl/crypto.h>
+ #include <openssl/err.h>
+ #include <openssl/fips.h>
++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
+ #include <openssl/fips_rand.h>
+ #include "fips_rand_lcl.h"
+ #include "fips_locl.h"
+diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
+--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg	2020-06-22 13:32:47.672852918 +0200
++++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-06-22 13:32:47.675852917 +0200
+@@ -79,8 +79,6 @@ int FIPS_selftest(void)
+         ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
+         rv = 0;
+     }
+-    if (!FIPS_selftest_drbg())
+-        rv = 0;
+     if (!FIPS_selftest_sha1())
+         rv = 0;
+     if (!FIPS_selftest_sha2())
+diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
+--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg	2020-06-22 13:32:47.613852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c	2020-06-22 13:36:28.722817967 +0200
+@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
+ 
+ int FIPS_rand_seed(const void *buf, int num)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
+     if (fips_rand_meth && fips_rand_meth->seed)
+         fips_rand_meth->seed(buf, num);
+     return 1;
++#else
++    RAND_seed(buf, num);
++    return 1;
++#endif
+ }
+ 
+ int FIPS_rand_bytes(unsigned char *buf, int num)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
+     if (fips_rand_meth && fips_rand_meth->bytes)
+         return fips_rand_meth->bytes(buf, num);
+     return 0;
++#else
++    return RAND_bytes(buf, num);
++#endif
+ }
+ 
+ int FIPS_rand_status(void)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
+     if (fips_rand_meth && fips_rand_meth->status)
+         return fips_rand_meth->status();
+     return 0;
++#else
++    return RAND_status();
++#endif
+ }
+ 
+ /* Return instantiated strength of PRNG. For DRBG this is an internal
+diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
+--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg	2020-06-22 13:32:47.672852918 +0200
++++ openssl-1.1.1g/include/openssl/fips.h	2020-06-22 13:32:47.675852917 +0200
+@@ -64,6 +64,11 @@ extern "C" {
+ 
+     int FIPS_selftest(void);
+     int FIPS_selftest_failed(void);
++
++    /*
++     * This function is deprecated as it performs selftest of the old FIPS drbg
++     * implementation that is not validated.
++     */
+     int FIPS_selftest_drbg_all(void);
+ 
+     int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
+--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg	2020-06-22 13:32:47.617852926 +0200
++++ openssl-1.1.1g/include/openssl/fips_rand.h	2020-06-22 13:32:47.675852917 +0200
+@@ -60,6 +60,20 @@
+ #  ifdef  __cplusplus
+ extern "C" {
+ #  endif
++
++/*
++ * IMPORTANT NOTE:
++ * All functions in this header file are deprecated and should not be used
++ * as they use the old FIPS_drbg implementation that is not FIPS validated
++ * anymore.
++ * To provide backwards compatibility for applications that need FIPS compliant
++ * RNG number generation and use FIPS_drbg_generate, this function was
++ * re-wired to call the FIPS validated DRBG instance instead through
++ * the RAND_bytes() call.
++ *
++ * All these functions will be removed in future.
++ */
++
+     typedef struct drbg_ctx_st DRBG_CTX;
+ /* DRBG external flags */
+ /* Flag for CTR mode only: use derivation function ctr_df */

openssl-1.1.1-seclevel.patch

@@ -1,7 +1,7 @@
-diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
---- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel	2018-09-11 14:48:22.000000000 +0200
-+++ openssl-1.1.1/crypto/x509/x509_vfy.c	2018-09-14 11:47:39.715317617 +0200
-@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
+diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
+--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/x509/x509_vfy.c	2020-06-05 17:16:54.835536823 +0200
+@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
  }
  
  static const int minbits_table[] = { 80, 112, 128, 192, 256 };
@@ -9,20 +9,23 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509
  static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
  
  /*
-@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
+@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
  
      if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
          return 0;
 -
 -    return secbits >= minbits_table[level - 1];
-+    /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
-+    if (FIPS_mode())
++    /*
++     * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
++     * disable SHA1 flag is not set.
++     */
++    if ((ctx->param->flags & 0x40000000) || FIPS_mode())
 +        return secbits >= minbits_table[level - 1];
 +    return secbits >= minbits_digest_table[level - 1];
  }
-diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
---- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2018-09-11 14:48:22.000000000 +0200
-+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod	2018-09-14 11:47:39.715317617 +0200
+diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
+--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod	2020-06-04 15:48:01.608178833 +0200
 @@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
  
  =item B<Level 2>
@@ -36,23 +39,115 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
  In addition to the level 1 exclusions any cipher suite using RC4 is also
  prohibited. SSL version 3 is also not allowed. Compression is disabled.
  
-diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
---- openssl-1.1.1/ssl/ssl_cert.c.seclevel	2018-09-11 14:48:23.000000000 +0200
-+++ openssl-1.1.1/ssl/ssl_cert.c	2018-09-14 11:47:39.716317598 +0200
-@@ -983,6 +983,9 @@ static int ssl_security_default_callback
+diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
+--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/ssl/ssl_cert.c	2020-06-05 17:10:11.842198401 +0200
+@@ -27,6 +27,7 @@
+ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
+                                          int op, int bits, int nid, void *other,
+                                          void *ex);
++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
+ 
+ static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
+ static volatile int ssl_x509_store_ctx_idx = -1;
+@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
+     X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
+ 
+     /* Set suite B flags if needed */
+-    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
++    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
+     if (!X509_STORE_CTX_set_ex_data
+         (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
+         goto end;
+@@ -953,12 +954,33 @@ static int ssl_security_default_callback
              return 0;
          break;
      default:
 +        /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
-+        if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
++        if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
 +            break;
          if (bits < minbits)
              return 0;
      }
-diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
---- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel	2018-09-11 14:48:24.000000000 +0200
-+++ openssl-1.1.1/test/recipes/25-test_verify.t	2018-09-14 12:36:40.021812399 +0200
-@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
+     return 1;
+ }
+ 
++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
++{
++    unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
++    const CERT *c;
++
++    if (FIPS_mode())
++        return ret;
++
++    if (ctx != NULL) {
++       c = ctx->cert;
++    } else {
++       c = s->cert;
++    }
++    if (tls1_cert_sigalgs_have_sha1(c))
++        return 0;
++    return ret;
++}
++
+ int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
+ {
+     return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
+diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
+--- openssl-1.1.1g/ssl/ssl_local.h.seclevel	2020-06-04 15:48:01.602178783 +0200
++++ openssl-1.1.1g/ssl/ssl_local.h	2020-06-05 17:02:22.666313410 +0200
+@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
+ __owur int tls1_process_sigalgs(SSL *s);
+ __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
+ __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
++int tls1_cert_sigalgs_have_sha1(const CERT *c);
+ __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+ #  ifndef OPENSSL_NO_EC
+ __owur int tls_check_sigalg_curve(const SSL *s, int curve);
+diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.seclevel	2020-06-04 15:48:01.654179221 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c	2020-06-05 17:02:40.268459157 +0200
+@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
+     return 0;
+ }
+ 
++static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
++{
++    size_t i;
++
++    for (i = 0; i < sigalgslen; i++, sigalgs++) {
++        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
++
++        if (lu == NULL)
++            continue;
++        if (lu->hash == NID_sha1)
++            return 1;
++    }
++    return 0;
++}
++
++
++int tls1_cert_sigalgs_have_sha1(const CERT *c)
++{
++    if (c->client_sigalgs != NULL) {
++        if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
++            return 1;
++    }
++    if (c->conf_sigalgs != NULL) {
++        if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
++            return 1;
++        return 0;
++    }
++    return 1;
++}
++
+ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
+ {
+     int sig_nid, use_pc_sigalgs = 0;
+diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
+--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/recipes/25-test_verify.t	2020-06-04 15:48:01.608178833 +0200
+@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
  ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
      "CA with PSS signature using SHA256");
  

openssl-1.1.1-secure-getenv.patch

@@ -1,173 +0,0 @@
-diff -up openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_api.c
---- openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/conf/conf_api.c	2018-07-16 18:01:11.708359766 +0200
-@@ -9,6 +9,8 @@
- 
- /* Part of the code in here was originally in conf.c, which is now removed */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "e_os.h"
- #include <stdlib.h>
- #include <string.h>
-@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
-             if (v != NULL)
-                 return v->value;
-             if (strcmp(section, "ENV") == 0) {
--                p = getenv(name);
-+                p = secure_getenv(name);
-                 if (p != NULL)
-                     return p;
-             }
-diff -up openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_mod.c
---- openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/conf/conf_mod.c	2018-07-16 18:02:37.308383955 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "internal/cryptlib.h"
- #include <stdio.h>
- #include <ctype.h>
-@@ -481,7 +483,7 @@ char *CONF_get1_default_config_file(void
-     int len;
- 
-     if (!OPENSSL_issetugid()) {
--        file = getenv("OPENSSL_CONF");
-+        file = secure_getenv("OPENSSL_CONF");
-         if (file)
-             return OPENSSL_strdup(file);
-     }
-diff -up openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv openssl-1.1.1-pre8/crypto/ct/ct_log.c
---- openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/ct/ct_log.c	2018-07-16 18:01:11.708359766 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdlib.h>
- #include <string.h>
- 
-@@ -137,7 +139,7 @@ static int ctlog_new_from_conf(CTLOG **c
- 
- int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
- {
--    const char *fpath = getenv(CTLOG_FILE_EVP);
-+    const char *fpath = secure_getenv(CTLOG_FILE_EVP);
- 
-     if (fpath == NULL)
-       fpath = CTLOG_FILE;
-diff -up openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv openssl-1.1.1-pre8/crypto/engine/eng_list.c
---- openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/engine/eng_list.c	2018-07-16 18:03:03.190996004 +0200
-@@ -8,6 +8,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "eng_int.h"
- 
- /*
-@@ -318,7 +320,7 @@ ENGINE *ENGINE_by_id(const char *id)
-      */
-     if (strcmp(id, "dynamic")) {
-         if (OPENSSL_issetugid()
--                || (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
-+                || (load_dir = secure_getenv("OPENSSL_ENGINES")) == NULL)
-             load_dir = ENGINESDIR;
-         iterator = ENGINE_by_id("dynamic");
-         if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
-diff -up openssl-1.1.1-pre8/crypto/mem.c.secure-getenv openssl-1.1.1-pre8/crypto/mem.c
---- openssl-1.1.1-pre8/crypto/mem.c.secure-getenv	2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/mem.c	2018-07-16 18:01:11.709359790 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "e_os.h"
- #include "internal/cryptlib.h"
- #include "internal/cryptlib_int.h"
-@@ -180,11 +182,11 @@ static int shouldfail(void)
- 
- void ossl_malloc_setup_failures(void)
- {
--    const char *cp = getenv("OPENSSL_MALLOC_FAILURES");
-+    const char *cp = secure_getenv("OPENSSL_MALLOC_FAILURES");
- 
-     if (cp != NULL && (md_failstring = strdup(cp)) != NULL)
-         parseit();
--    if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL)
-+    if ((cp = secure_getenv("OPENSSL_MALLOC_FD")) != NULL)
-         md_tracefd = atoi(cp);
- }
- #endif
-diff -up openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv openssl-1.1.1-pre8/crypto/rand/randfile.c
---- openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv	2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rand/randfile.c	2018-07-16 18:01:11.709359790 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "internal/cryptlib.h"
- 
- #include <errno.h>
-@@ -264,7 +266,7 @@ const char *RAND_file_name(char *buf, si
- #else
-     if (OPENSSL_issetugid() != 0) {
-         use_randfile = 0;
--    } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') {
-+    } else if ((s = secure_getenv("RANDFILE")) == NULL || *s == '\0') {
-         use_randfile = 0;
-         s = getenv("HOME");
-     }
-diff -up openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_dir.c
---- openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv	2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/x509/by_dir.c	2018-07-16 18:03:43.355945786 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "e_os.h"
- #include "internal/cryptlib.h"
- #include <stdio.h>
-@@ -73,7 +75,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
-     switch (cmd) {
-     case X509_L_ADD_DIR:
-         if (argl == X509_FILETYPE_DEFAULT) {
--            const char *dir = getenv(X509_get_default_cert_dir_env());
-+            const char *dir = secure_getenv(X509_get_default_cert_dir_env());
- 
-             if (dir)
-                 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
-diff -up openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_file.c
---- openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv	2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/x509/by_file.c	2018-07-16 18:01:11.709359790 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -46,7 +48,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
-     switch (cmd) {
-     case X509_L_FILE_LOAD:
-         if (argl == X509_FILETYPE_DEFAULT) {
--            file = getenv(X509_get_default_cert_file_env());
-+            file = secure_getenv(X509_get_default_cert_file_env());
-             if (file)
-                 ok = (X509_load_cert_crl_file(ctx, file,
-                                               X509_FILETYPE_PEM) != 0);

openssl-1.1.1-system-cipherlist.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist	2018-08-22 12:15:54.520742678 +0200
-+++ openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl	2018-08-22 12:15:54.554743511 +0200
+diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist	2019-05-29 15:42:27.951329271 +0200
++++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl	2019-05-29 15:42:27.974328867 +0200
 @@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
  DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
  HTMLDIR=$(DOCDIR)/html
@@ -20,15 +20,15 @@ diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist
                                    (map { "-I".$_} @{$config{CPPINCLUDES}}),
                                    @{$config{CPPFLAGS}}) -}
  CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Configure
---- openssl-1.1.1-pre9/Configure.system-cipherlist	2018-08-21 14:14:11.000000000 +0200
-+++ openssl-1.1.1-pre9/Configure	2018-08-22 12:16:46.600018343 +0200
+diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
+--- openssl-1.1.1c/Configure.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/Configure	2019-05-29 15:45:10.465469533 +0200
 @@ -24,7 +24,7 @@ use OpenSSL::Glob;
  my $orig_death_handler = $SIG{__DIE__};
  $SIG{__DIE__} = \&death_handler;
  
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
  
  # Options:
  #
@@ -50,18 +50,18 @@ diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Confi
  my $auto_threads=1;    # enable threads automatically? true by default
  my $default_ranlib;
  
-@@ -817,6 +821,10 @@ while (@argvcopy)
- 			    push @seed_sources, $x;
- 			    }
+@@ -824,6 +828,10 @@ while (@argvcopy)
+                             push @seed_sources, $x;
+                             }
                          }
 +		elsif (/^--system-ciphers-file=(.*)$/)
 +			{
 +			$config{system_ciphers_file}=$1;
 +			}
- 		elsif (/^--cross-compile-prefix=(.*)$/)
- 			{
- 			$user{CROSS_COMPILE}=$1;
-@@ -1003,6 +1011,8 @@ if ($target eq "HASH") {
+                 elsif (/^--cross-compile-prefix=(.*)$/)
+                         {
+                         $user{CROSS_COMPILE}=$1;
+@@ -1016,6 +1024,8 @@ if ($target eq "HASH") {
      exit 0;
  }
  
@@ -70,9 +70,9 @@ diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Confi
  print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
  print "for $target\n";
  
-diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre9/doc/man1/ciphers.pod
---- openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist	2018-08-21 14:14:13.000000000 +0200
-+++ openssl-1.1.1-pre9/doc/man1/ciphers.pod	2018-08-22 12:15:54.555743536 +0200
+diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod
+--- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/doc/man1/ciphers.pod	2019-05-29 15:42:27.975328849 +0200
 @@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
  
  The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@@ -89,9 +89,9 @@ diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1
  =item B<HIGH>
  
  "High" encryption cipher suites. This currently means those with key lengths
-diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre9/include/openssl/ssl.h
---- openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist	2018-08-21 14:14:15.000000000 +0200
-+++ openssl-1.1.1-pre9/include/openssl/ssl.h	2018-08-22 12:15:54.557743585 +0200
+diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h
+--- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/include/openssl/ssl.h	2019-05-29 15:42:27.975328849 +0200
 @@ -186,6 +186,11 @@ extern "C" {
   * throwing out anonymous and unencrypted ciphersuites! (The latter are not
   * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@@ -104,9 +104,9 @@ diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.
  
  /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
  # define SSL_SENT_SHUTDOWN       1
-diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_ciph.c
---- openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist	2018-08-21 14:14:15.000000000 +0200
-+++ openssl-1.1.1-pre9/ssl/ssl_ciph.c	2018-08-22 12:15:54.557743585 +0200
+diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c
+--- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/ssl/ssl_ciph.c	2019-05-29 15:42:27.976328831 +0200
 @@ -9,6 +9,8 @@
   * https://www.openssl.org/source/license.html
   */
@@ -116,7 +116,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
  #include <stdio.h>
  #include <ctype.h>
  #include <openssl/objects.h>
-@@ -1397,6 +1399,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c
      return ret;
  }
  
@@ -170,7 +170,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
  STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                                               STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
                                               STACK_OF(SSL_CIPHER) **cipher_list,
-@@ -1410,15 +1459,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      const char *rule_p;
      CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
      const SSL_CIPHER **ca_list = NULL;
@@ -198,7 +198,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
  #endif
  
      /*
-@@ -1441,7 +1500,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
      if (co_list == NULL) {
          SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
@@ -207,7 +207,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
      }
  
      ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1507,8 +1566,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
       * in force within each class
       */
      if (!ssl_cipher_strength_sort(&head, &tail)) {
@@ -217,7 +217,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
      }
  
      /*
-@@ -1553,9 +1611,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
      ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
      if (ca_list == NULL) {
@@ -228,7 +228,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
      }
      ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
                                 disabled_mkey, disabled_auth, disabled_enc,
-@@ -1581,8 +1638,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      OPENSSL_free(ca_list);      /* Not needed anymore */
  
      if (!ok) {                  /* Rule processing failure */
@@ -238,7 +238,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
      }
  
      /*
-@@ -1590,14 +1646,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
       * if we cannot get one.
       */
      if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@@ -259,7 +259,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
              sk_SSL_CIPHER_free(cipherstack);
              return NULL;
          }
-@@ -1629,6 +1689,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      *cipher_list = cipherstack;
  
      return cipherstack;
@@ -274,10 +274,10 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/
  }
  
  char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_lib.c
---- openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist	2018-08-22 12:15:54.552743462 +0200
-+++ openssl-1.1.1-pre9/ssl/ssl_lib.c	2018-08-22 12:15:54.558743609 +0200
-@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
+diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c
+--- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist	2019-05-29 15:42:27.970328937 +0200
++++ openssl-1.1.1c/ssl/ssl_lib.c	2019-05-29 15:42:27.977328814 +0200
+@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
                                  ctx->tls13_ciphersuites,
                                  &(ctx->cipher_list),
                                  &(ctx->cipher_list_by_id),
@@ -286,7 +286,7 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s
      if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
          SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
          return 0;
-@@ -2933,7 +2933,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
      if (!ssl_create_cipher_list(ret->method,
                                  ret->tls13_ciphersuites,
                                  &ret->cipher_list, &ret->cipher_list_by_id,
@@ -295,10 +295,10 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s
          || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
          SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
          goto err2;
-diff -up openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre9/test/cipherlist_test.c
---- openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist	2018-08-21 14:14:15.000000000 +0200
-+++ openssl-1.1.1-pre9/test/cipherlist_test.c	2018-08-22 12:15:54.558743609 +0200
-@@ -217,7 +217,9 @@ static int test_default_cipherlist_expli
+diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c
+--- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/test/cipherlist_test.c	2019-05-29 15:42:27.977328814 +0200
+@@ -251,7 +251,9 @@ end:
  
  int setup_tests(void)
  {
@@ -306,5 +306,5 @@ diff -up openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist openssl-1.1
      ADD_TEST(test_default_cipherlist_implicit);
 +#endif
      ADD_TEST(test_default_cipherlist_explicit);
+     ADD_TEST(test_default_cipherlist_clear);
      return 1;
- }

openssl-1.1.1-ts-sha256-default.patch

@@ -0,0 +1,70 @@
+diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
+--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default	2020-11-06 11:07:28.850100899 +0100
++++ openssl-1.1.1h/apps/openssl.cnf	2020-11-06 11:11:28.042913791 +0100
+@@ -364,5 +348,5 @@ tsa_name		= yes	# Must the TSA name be i
+ 				# (optional, default: no)
+ ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+ 				# (optional, default: no)
+-ess_cert_id_alg		= sha1	# algorithm to compute certificate
++ess_cert_id_alg		= sha256	# algorithm to compute certificate
+ 				# identifier (optional, default: sha1)
+diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
+--- openssl-1.1.1h/apps/ts.c.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/apps/ts.c	2020-11-06 11:07:28.883101220 +0100
+@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
+     ASN1_OBJECT *policy_obj = NULL;
+     ASN1_INTEGER *nonce_asn1 = NULL;
+ 
+-    if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL)
++    if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
+         goto err;
+     if ((ts_req = TS_REQ_new()) == NULL)
+         goto err;
+diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
+--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default	2020-11-06 12:03:51.226372867 +0100
++++ openssl-1.1.1h/crypto/ts/ts_conf.c	2020-11-06 12:04:01.713488990 +0100
+@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
+     const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
+ 
+     if (md == NULL)
+-        md = "sha1";
++        md = "sha256";
+ 
+     cert_md = EVP_get_digestbyname(md);
+     if (cert_md == NULL) {
+diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
+--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/doc/man1/ts.pod	2020-11-06 11:07:28.883101220 +0100
+@@ -518,7 +518,7 @@ included. Default is no. (Optional)
+ =item B<ess_cert_id_alg>
+ 
+ This option specifies the hash function to be used to calculate the TSA's
+-public key certificate identifier. Default is sha1. (Optional)
++public key certificate identifier. Default is sha256. (Optional)
+ 
+ =back
+ 
+@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
+ 
+ =head2 Time Stamp Request
+ 
+-To create a timestamp request for design1.txt with SHA-1
++To create a timestamp request for design1.txt with SHA-256
+ without nonce and policy and no certificate is required in the response:
+ 
+   openssl ts -query -data design1.txt -no_nonce \
+@@ -546,12 +546,12 @@ To print the content of the previous req
+ 
+   openssl ts -query -in design1.tsq -text
+ 
+-To create a timestamp request which includes the MD-5 digest
++To create a timestamp request which includes the SHA-512 digest
+ of design2.txt, requests the signer certificate and nonce,
+ specifies a policy id (assuming the tsa_policy1 name is defined in the
+ OID section of the config file):
+ 
+-  openssl ts -query -data design2.txt -md5 \
++  openssl ts -query -data design2.txt -sha512 \
+         -tspolicy tsa_policy1 -cert -out design2.tsq
+ 
+ =head2 Time Stamp Response

openssl-1.1.1-version-override.patch

@@ -1,12 +1,12 @@
-diff -up openssl-1.1.1/include/openssl/opensslv.h.version-override openssl-1.1.1/include/openssl/opensslv.h
---- openssl-1.1.1/include/openssl/opensslv.h.version-override	2018-09-13 08:54:38.247940128 +0200
-+++ openssl-1.1.1/include/openssl/opensslv.h	2018-09-13 08:56:10.757779555 +0200
+diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
+--- openssl-1.1.1g/include/openssl/opensslv.h.version-override	2020-04-23 13:29:37.802673513 +0200
++++ openssl-1.1.1g/include/openssl/opensslv.h	2020-04-23 13:30:13.064008458 +0200
 @@ -40,7 +40,7 @@ extern "C" {
   *  major minor fix final patch/beta)
   */
- # define OPENSSL_VERSION_NUMBER  0x1010100fL
--# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1  11 Sep 2018"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1 FIPS  11 Sep 2018"
+ # define OPENSSL_VERSION_NUMBER  0x1010108fL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h  22 Sep 2020"
++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h FIPS 22 Sep 2020"
  
  /*-
   * The macros below are to be used for shared library (.so, .dll, ...)

openssl.spec

@@ -21,8 +21,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.1
-Release: 3%{?dist}
+Version: 1.1.1h
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -39,32 +39,47 @@ Source12: ec_curve.c
 Source13: ectest.c
 # Build changes
 Patch1: openssl-1.1.1-build.patch
-Patch2: openssl-1.1.0-defaults.patch
-Patch3: openssl-1.1.0-no-html.patch
+Patch2: openssl-1.1.1-defaults.patch
+Patch3: openssl-1.1.1-no-html.patch
 Patch4: openssl-1.1.1-man-rename.patch
 # Bug fixes
 Patch21: openssl-1.1.0-issuer-hash.patch
 # Functionality changes
 Patch31: openssl-1.1.1-conf-paths.patch
 Patch32: openssl-1.1.1-version-add-engines.patch
-Patch33: openssl-1.1.0-apps-dgst.patch
-Patch36: openssl-1.1.1-secure-getenv.patch
+Patch33: openssl-1.1.1-apps-dgst.patch
+Patch36: openssl-1.1.1-no-brainpool.patch
 Patch37: openssl-1.1.1-ec-curves.patch
-Patch38: openssl-1.1.0-no-weak-verify.patch
+Patch38: openssl-1.1.1-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
 Patch41: openssl-1.1.1-system-cipherlist.patch
 Patch42: openssl-1.1.1-fips.patch
-Patch43: openssl-1.1.1-ignore-bound.patch
 Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.1-weak-ciphers.patch
 Patch46: openssl-1.1.1-seclevel.patch
+Patch47: openssl-1.1.1-ts-sha256-default.patch
+Patch48: openssl-1.1.1-fips-post-rand.patch
+Patch49: openssl-1.1.1-evp-kdf.patch
+Patch50: openssl-1.1.1-ssh-kdf.patch
+Patch51: openssl-1.1.1-intel-cet.patch
+Patch60: openssl-1.1.1-krb5-kdf.patch
+Patch61: openssl-1.1.1-edk2-build.patch
+Patch62: openssl-1.1.1-fips-curves.patch
+Patch65: openssl-1.1.1-fips-drbg-selftest.patch
+Patch66: openssl-1.1.1-fips-dh.patch
+Patch67: openssl-1.1.1-kdf-selftest.patch
+Patch69: openssl-1.1.1-alpn-cb.patch
+Patch70: openssl-1.1.1-rewire-fips-drbg.patch
 # Backported fixes including security fixes
+Patch52: openssl-1.1.1-s390x-update.patch
+Patch53: openssl-1.1.1-fips-crng-test.patch
+Patch55: openssl-1.1.1-arm-update.patch
+Patch56: openssl-1.1.1-s390x-ecc.patch
 
-License: OpenSSL
-Group: System Environment/Libraries
+License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
 BuildRequires: gcc
-BuildRequires: coreutils, krb5-devel, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
+BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
 BuildRequires: lksctp-tools-devel
 BuildRequires: /usr/bin/rename
 BuildRequires: /usr/bin/pod2man
@@ -72,6 +87,7 @@ BuildRequires: /usr/sbin/sysctl
 BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
 BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
 BuildRequires: perl(Time::HiRes)
+BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
 Requires: coreutils
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 
@@ -83,13 +99,9 @@ protocols.
 
 %package libs
 Summary: A general purpose cryptography library with TLS implementation
-Group: System Environment/Libraries
 Requires: ca-certificates >= 2008-5
 Requires: crypto-policies >= 20180730
 Recommends: openssl-pkcs11%{?_isa}
-# Needed obsoletes due to the base/lib subpackage split
-Obsoletes: openssl < 1:1.0.1-0.3.beta3
-Obsoletes: openssl-fips < 1:1.0.1e-28
 Provides: openssl-fips = %{epoch}:%{version}-%{release}
 
 %description libs
@@ -99,9 +111,7 @@ support cryptographic algorithms and protocols.
 
 %package devel
 Summary: Files for development of applications which will use OpenSSL
-Group: Development/Libraries
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
 Requires: pkgconfig
 
 %description devel
@@ -111,7 +121,6 @@ support various cryptographic algorithms and protocols.
 
 %package static
 Summary:  Libraries for static linking of applications which will use OpenSSL
-Group: Development/Libraries
 Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description static
@@ -122,7 +131,6 @@ protocols.
 
 %package perl
 Summary: Perl scripts provided with OpenSSL
-Group: Applications/Internet
 Requires: perl-interpreter
 Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 
@@ -151,16 +159,32 @@ cp %{SOURCE13} test/
 %patch31 -p1 -b .conf-paths
 %patch32 -p1 -b .version-add-engines
 %patch33 -p1 -b .dgst
-%patch36 -p1 -b .secure-getenv
+%patch36 -p1 -b .no-brainpool
 %patch37 -p1 -b .curves
 %patch38 -p1 -b .no-weak-verify
 %patch40 -p1 -b .disable-ssl3
 %patch41 -p1 -b .system-cipherlist
 %patch42 -p1 -b .fips
-%patch43 -p1 -b .ignore-bound
 %patch44 -p1 -b .version-override
 %patch45 -p1 -b .weak-ciphers
 %patch46 -p1 -b .seclevel
+%patch47 -p1 -b .ts-sha256-default
+%patch48 -p1 -b .fips-post-rand
+%patch49 -p1 -b .evp-kdf
+%patch50 -p1 -b .ssh-kdf
+%patch51 -p1 -b .intel-cet
+%patch52 -p1 -b .s390x-update
+%patch53 -p1 -b .crng-test
+%patch55 -p1 -b .arm-update
+%patch56 -p1 -b .s390x-ecc
+%patch60 -p1 -b .krb5-kdf
+%patch61 -p1 -b .edk2-build
+%patch62 -p1 -b .fips-curves
+%patch65 -p1 -b .drbg-selftest
+%patch66 -p1 -b .fips-dh
+%patch67 -p1 -b .kdf-selftest
+%patch69 -p1 -b .alpn-cb
+%patch70 -p1 -b .rewire-fips-drbg
 
 
 %build
@@ -227,7 +251,7 @@ sslarch=linux-generic64
 # marked as not requiring an executable stack.
 # Also add -DPURIFY to make using valgrind with openssl easier as we do not
 # want to depend on the uninitialized memory as a source of entropy anyway.
-RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
 
 export HASHBANGPERL=/usr/bin/perl
 
@@ -299,7 +323,7 @@ make test
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
 # Install OpenSSL.
 install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
-make DESTDIR=$RPM_BUILD_ROOT install
+%make_install
 rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
 for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
 	chmod 755 ${lib}
@@ -318,13 +342,6 @@ install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
 mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
 mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
 
-# Make sure we actually include the headers we built against.
-for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
-	if [ -f ${header} -a -f include/openssl/$(basename ${header}) ] ; then
-		install -m644 include/openssl/`basename ${header}` ${header}
-	fi
-done
-
 # Rename man pages so that they don't conflict with other system man pages.
 pushd $RPM_BUILD_ROOT%{_mandir}
 ln -s -f config.5 man5/openssl.cnf.5
@@ -373,6 +390,13 @@ basearch=sparc
 basearch=sparc64
 %endif
 
+# Next step of gradual disablement of SSL3.
+# Make SSL3 disappear to newly built dependencies.
+sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
+#ifndef OPENSSL_NO_SSL3\
+# define OPENSSL_NO_SSL3\
+#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
+
 %ifarch %{multilib_arches}
 # Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
 # can have both a 32- and 64-bit version of the library, and they each need
@@ -400,6 +424,7 @@ export LD_LIBRARY_PATH
 %{_pkgdocdir}/Makefile.certificate
 %exclude %{_mandir}/man1*/*.pl*
 %exclude %{_mandir}/man1*/c_rehash*
+%exclude %{_mandir}/man1*/openssl-c_rehash*
 %exclude %{_mandir}/man1*/tsget*
 %exclude %{_mandir}/man1*/openssl-tsget*
 
@@ -436,6 +461,7 @@ export LD_LIBRARY_PATH
 %{_bindir}/tsget
 %{_mandir}/man1*/*.pl*
 %{_mandir}/man1*/c_rehash*
+%{_mandir}/man1*/openssl-c_rehash*
 %{_mandir}/man1*/tsget*
 %{_mandir}/man1*/openssl-tsget*
 %dir %{_sysconfdir}/pki/CA
@@ -444,11 +470,174 @@ export LD_LIBRARY_PATH
 %dir %{_sysconfdir}/pki/CA/crl
 %dir %{_sysconfdir}/pki/CA/newcerts
 
-%post libs -p /sbin/ldconfig
-
-%postun libs -p /sbin/ldconfig
+%ldconfig_scriptlets libs
 
 %changelog
+* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
+- Upgrade to version 1.1.1.h
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 1:1.1.1g-14
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-13
+- Additional FIPS mode check for EC key generation
+
+* Fri Jul 17 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
+- Further changes for SP 800-56A rev3 requirements
+
+* Mon Jun 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11
+- Drop long ago obsolete part of the FIPS patch
+
+* Mon Jun 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-10
+- Rewire FIPS_drbg API to use the RAND_DRBG
+
+* Fri Jun  5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
+- Disallow dropping Extended Master Secret extension
+  on renegotiation
+- Return alert from s_server if ALPN protocol does not match
+- SHA1 is allowed in @SECLEVEL=2 only if allowed by
+  TLS SigAlgs configuration
+
+* Wed Jun  3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-8
+- Add FIPS selftest for PBKDF2 and KBKDF
+
+* Tue May 26 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
+- Use the well known DH groups in TLS
+
+* Mon May 25 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
+- Allow only well known DH groups in the FIPS mode
+
+* Thu May 21 2020 Adam Williamson <awilliam@redhat.com> - 1.1.1g-5
+- Re-apply the change from -2 now we have fixed nosync to work with it
+
+* Tue May 19 2020 Adam Williamson <awilliam@redhat.com> - 1.1.1g-4
+- Revert the change from -2 as it seems to cause segfaults in systemd
+
+* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-3
+- pull some fixes and improvements from RHEL-8
+
+* Fri May 15 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-2
+- FIPS module installed state definition is modified
+
+* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
+- update to the 1.1.1g release
+
+* Tue Apr  7 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1f-1
+- update to the 1.1.1f release
+
+* Thu Mar 26 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1e-2
+- revert the unexpected EOF error reporting change as it is
+  too disruptive for the stable release branch
+
+* Fri Mar 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1e-1
+- update to the 1.1.1e release
+- add selftest of the RAND_DRBG implementation
+- fix incorrect error return value from FIPS_selftest_dsa
+
+* Mon Feb 17 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-7
+- apply Intel CET support patches by hjl (#1788699)
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1d-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Nov 21 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-5
+- allow zero length parameters in KDF_CTX_ctrl()
+
+* Thu Nov 14 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-4
+- backport of SSKDF from master
+
+* Wed Nov 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-3
+- backport of KBKDF and KRB5KDF from master
+
+* Thu Oct  3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-2
+- re-enable the stitched AES-CBC-SHA implementations
+- make AES-GCM work in FIPS mode again
+- enable TLS-1.2 AES-CCM ciphers in FIPS mode
+- fix openssl speed errors in FIPS mode
+
+* Fri Sep 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-1
+- update to the 1.1.1d release
+
+* Fri Sep  6 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
+- upstream fix for status request extension non-compliance (#1737471)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1c-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4
+- do not try to use EC groups disallowed in FIPS mode
+  in TLS
+- fix Valgrind regression with constant-time code
+
+* Mon Jun  3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3
+- add upstream patch to defer sending KeyUpdate after
+  pending writes are complete
+
+* Thu May 30 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2
+- fix use of uninitialized memory
+
+* Wed May 29 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1
+- update to the 1.1.1c release
+
+* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-10
+- Another attempt at the AES-CCM regression fix
+
+* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-9
+- Fix two small regressions
+- Change the ts application default hash to SHA256
+
+* Tue May  7 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-8
+- FIPS compliance fixes
+
+* Mon May  6 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-7
+- add S390x chacha20-poly1305 assembler support from master branch
+
+* Fri May  3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-6
+- apply new bugfixes from upstream 1.1.1 branch
+
+* Tue Apr 16 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-5
+- fix for BIO_get_mem_ptr() regression in 1.1.1b (#1691853)
+
+* Wed Mar 27 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-4
+- drop unused BuildRequires and Requires in the -devel subpackage
+
+* Fri Mar 15 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-3
+- fix regression in EVP_PBE_scrypt() (#1688284)
+- fix incorrect help message in ca app (#1553206)
+
+* Fri Mar  1 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-2
+- use .include = syntax in the config file to allow it
+  to be parsed by 1.0.2 version (#1668916)
+
+* Thu Feb 28 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-1
+- update to the 1.1.1b release
+- EVP_KDF API backport from master
+- SSH KDF implementation for EVP_KDF API backport from master
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1a-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Jan 15 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1a-1
+- update to the 1.1.1a release
+
+* Fri Nov  9 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-7
+- use /dev/urandom for seeding the RNG in FIPS POST
+
+* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-6
+- fix SECLEVEL 3 support
+- fix some issues found in Coverity scan
+
+* Thu Sep 27 2018 Charalampos Stratakis <cstratak@redhat.com> - 1:1.1.1-5
+- Correctly invoke sed for defining OPENSSL_NO_SSL3
+
+* Thu Sep 27 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-4
+- define OPENSSL_NO_SSL3 so the newly built dependencies do not
+  have access to SSL3 API calls anymore
+
 * Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
 - reinstate accidentally dropped patch for weak ciphersuites
 

sources

@@ -1 +1 @@
-SHA512 (openssl-1.1.1-hobbled.tar.xz) = a593ea9b4b11745e1a4fa8be91c0dbb5ee7c4c1089410ad6e6501212e838573bcf7e78e843444de3f9ba0beccc7db138deef243a22cafe480c040c696e80b0b3
+SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908

tests/tests_python.yml

@@ -0,0 +1,18 @@
+---
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    repositories:
+    - repo: "https://src.fedoraproject.org/tests/python.git"
+      dest: "python"
+    tests:
+    - python_selftest:
+        dir: python/selftest
+        run: X="test_ssl test_asyncio test_hashlib test_ftplib test_httplib test_imaplib test_logging test_nntplib test_poplib test_urllib2_localnet test_urllib test_xmlrpc" ./parallel.sh
+    required_packages:
+    - gcc  # for extension building in venv and selftest
+    - python3-tkinter  # for selftest
+    - python3-test  # for selftest
+    - python3-rpm-macros  # for dynamic python version