Upload the new version of sources.

deprecate and disable verification of insecure hash algorithms
add support for /etc/pki/tls/legacy-settings also for minimum DH length
  accepted by SSL client
compare the encrypt and tweak key in XTS as required by FIPS

.gitignore

@@ -31,3 +31,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.2h-hobbled.tar.xz
 /openssl-1.0.2i-hobbled.tar.xz
 /openssl-1.0.2j-hobbled.tar.xz
+/openssl-1.0.2k-hobbled.tar.xz

README.legacy-settings

@@ -0,0 +1,53 @@
+Guide for legacy support enablement
+===================================
+
+To improve security provided by use of OpenSSL especially in context of
+TLS connections we regularly review and deprecate algorithms and algorithm
+settings which are no longer viewed as secure.
+
+For some of these deprecated algorithms we provide a way for the
+system administrator to reenable them.
+
+Deprecated algorithms, protocols and settings in OpenSSL
+========================================================
+
+Previous Red Hat Enterprise Linux 7 update releases:
+
+* SSL2 protocol disabled by default.
+* Minimum DH group size accepted by SSL/TLS client 768 bits.
+* Verification of certificates and signatures using MD5 hash
+  disabled.
+
+Red Hat Enterprise Linux 7.4:
+
+* SSL2 protocol support completely disabled (cannot be re-enabled).
+* All SSL/TLS export ciphers disabled.
+* All SSL/TLS ciphersuites with keys smaller than 128 bits disabled.
+* Minimum DH group size accepted by SSL/TLS client 1024 bits.
+* Disabled support for verification of certificates and signatures
+  using MD2, MD4, MD5, and SHA0 hashes.
+
+Legacy support enablement
+=========================
+
+The OpenSSL now supports /etc/pki/tls/legacy-settings configuration file
+which can be created by the system administrator which contains lines with
+simple Key Value pairs.
+
+The library recognizes the following possible configuration settings in
+that file:
+
+LegacySigningMDs md2 md5
+MinimumDHBits 512
+
+The LegacySigningMDs option allows reenabling support for verification of
+signatures with the specified hash algorithms. These can be any combination
+of md2, md4, md5 and sha. (sha represents SHA0 algorithm, not SHA1.) Any
+unrecognized algorithms are ignored.
+
+The MinimumDHBits option allows setting of the minimum bit size of DH group
+accepted by SSL/TLS client. It can be any value between 512 and 10000.
+
+If the configuration file is not present the built-in defaults (that is the
+secure defaults) are used. Any unrecognized lines (with other parameter
+names or comments) are ignored.

openssl-1.0.2a-no-md5-verify.patch

@@ -1,25 +0,0 @@
-diff -up openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.2a/crypto/asn1/a_verify.c
---- openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify	2015-04-09 18:20:58.829680829 +0200
-+++ openssl-1.0.2a/crypto/asn1/a_verify.c	2015-04-09 18:20:54.495580710 +0200
-@@ -56,6 +56,9 @@
-  * [including the GNU Public Licence.]
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-+
- #include <stdio.h>
- #include <time.h>
- 
-@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
-         if (ret != 2)
-             goto err;
-         ret = -1;
-+    } else if (mdnid == NID_md5
-+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
-+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
-+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-+        goto err;
-     } else {
-         const EVP_MD *type;
-         type = EVP_get_digestbynid(mdnid);

openssl-1.0.2i-fips.patch

@@ -4997,7 +4997,7 @@ diff -up openssl-1.0.2i/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2i/crypto/f
 diff -up openssl-1.0.2i/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_rand.c
 --- openssl-1.0.2i/crypto/fips/fips_drbg_rand.c.fips	2016-09-22 13:35:57.015220951 +0200
 +++ openssl-1.0.2i/crypto/fips/fips_drbg_rand.c	2016-09-22 13:35:57.015220951 +0200
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,164 @@
 +/* fips/rand/fips_drbg_rand.c */
 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 + * project.
@@ -5121,9 +5121,7 @@ diff -up openssl-1.0.2i/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2i/crypto/
 +{
 +    DRBG_CTX *dctx = &ossl_dctx;
 +    int rv;
-+    CRYPTO_r_lock(CRYPTO_LOCK_RAND);
 +    rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
-+    CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
 +    return rv;
 +}
 +

openssl-1.0.2j-deprecate-algos.patch

@@ -0,0 +1,226 @@
+diff -up openssl-1.0.2j/crypto/asn1/a_verify.c.deprecate-algos openssl-1.0.2j/crypto/asn1/a_verify.c
+--- openssl-1.0.2j/crypto/asn1/a_verify.c.deprecate-algos	2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/crypto/asn1/a_verify.c	2017-01-09 16:47:11.666994197 +0100
+@@ -56,6 +56,9 @@
+  * [including the GNU Public Licence.]
+  */
+ 
++/* for secure_getenv */
++#define _GNU_SOURCE
++
+ #include <stdio.h>
+ #include <time.h>
+ 
+@@ -133,6 +136,30 @@ int ASN1_verify(i2d_of_void *i2d, X509_A
+ 
+ #endif
+ 
++static int legacy_mds[] = { NID_md5, NID_sha, NID_md4, NID_md2, 0 };
++extern int private_ossl_allowed_legacy_mds[];
++
++static int is_md_legacy_disallowed(int mdnid)
++{
++    int i;
++
++    if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") != NULL)
++        return 0;
++
++    for (i = 0; legacy_mds[i] != 0; ++i) {
++         if (mdnid == legacy_mds[i]) {
++            int j;
++
++            for (j = 0; private_ossl_allowed_legacy_mds[j] != 0; ++j) {
++                 if (mdnid == private_ossl_allowed_legacy_mds[j])
++                     return 0;
++            }
++            return 1;
++        }
++     }
++     return 0;
++}
++
+ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
+                      ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
+ {
+@@ -174,6 +201,10 @@ int ASN1_item_verify(const ASN1_ITEM *it
+         if (ret != 2)
+             goto err;
+         ret = -1;
++    } else if (is_md_legacy_disallowed(mdnid)) {
++        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
++                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++        goto err;
+     } else {
+         const EVP_MD *type;
+         type = EVP_get_digestbynid(mdnid);
+diff -up openssl-1.0.2j/crypto/o_init.c.deprecate-algos openssl-1.0.2j/crypto/o_init.c
+--- openssl-1.0.2j/crypto/o_init.c.deprecate-algos	2017-01-05 17:49:00.000000000 +0100
++++ openssl-1.0.2j/crypto/o_init.c	2017-01-09 16:52:29.018298611 +0100
+@@ -64,11 +64,21 @@
+ # include <unistd.h>
+ # include <errno.h>
+ # include <stdlib.h>
++# include <stdio.h>
++# include <string.h>
++# include <strings.h>
++# include <ctype.h>
+ # include <openssl/fips.h>
+ # include <openssl/rand.h>
++# include <openssl/dh.h>
++# include <openssl/objects.h>
+ 
+ # define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+ 
++# define LEGACY_SETTINGS_FILE "/etc/pki/tls/legacy-settings"
++
++# define NUM_MAX_LEGACY_MDS 8
++
+ static void init_fips_mode(void)
+ {
+     char buf[2] = "0";
+@@ -98,6 +108,115 @@ static void init_fips_mode(void)
+ }
+ #endif
+ 
++int private_ossl_allowed_legacy_mds[NUM_MAX_LEGACY_MDS + 1]; /* zero terminated */
++
++int private_ossl_minimum_dh_bits;
++
++static void parse_legacy_mds(char *p)
++{
++    int idx = 0;
++    char *e = p;
++
++    while (p[0] != '\0') {
++        while (e[0] != '\0' && !isspace(e[0]) && e[0] != ',') {
++            ++e;
++        }
++        if (e[0] != '\0') {
++            e[0] = '\0';
++            ++e;
++        }
++
++        if (strcasecmp(p, "md5") == 0) {
++            private_ossl_allowed_legacy_mds[idx++] = NID_md5;
++        } else if (strcasecmp(p, "md4") == 0) {
++            private_ossl_allowed_legacy_mds[idx++] = NID_md4;
++        } else if (strcasecmp(p, "sha") == 0) {
++            private_ossl_allowed_legacy_mds[idx++] = NID_sha;
++        } else if (strcasecmp(p, "md2") == 0) {
++            private_ossl_allowed_legacy_mds[idx++] = NID_md2;
++        }
++
++        if (idx >=
++            sizeof(private_ossl_allowed_legacy_mds) /
++            sizeof(private_ossl_allowed_legacy_mds[0])) {
++            break;
++        }
++
++        while (e[0] == ',' || isspace(e[0])) {
++            ++e;
++        }
++
++        p = e;
++    }
++}
++
++static void parse_minimum_dh_bits(char *p)
++{
++    private_ossl_minimum_dh_bits = strtol(p, NULL, 10);
++    if (private_ossl_minimum_dh_bits < 512
++        || private_ossl_minimum_dh_bits > OPENSSL_DH_MAX_MODULUS_BITS) {
++        /* use default */
++        private_ossl_minimum_dh_bits = 0;
++    }
++}
++
++static void load_legacy_settings(void)
++{
++    FILE *f;
++    char *line = NULL;
++    size_t len = 0;
++
++    if ((f = fopen(LEGACY_SETTINGS_FILE, "r")) == NULL) {
++        return;
++    }
++
++    while (getline(&line, &len, f) > 0) {
++        char *p = line, *e, *val;
++
++        /* skip initial whitespace */
++        while (isspace(p[0])) {
++            ++p;
++        }
++
++        e = p;
++
++        while (e[0] != '\0' && !isspace(e[0])) {
++            ++e;
++        }
++
++        /* terminate name, skip whitespace between name and value */
++        if (e[0] != '\0') {
++            e[0] = '\0';
++            ++e;
++            while (isspace(e[0])) {
++                ++e;
++            }
++        }
++
++        val = e;
++
++        e = e + strlen(val);
++
++        /* trim terminating whitespace */
++        while (e > val) {
++            --e;
++            if (isspace(e[0])) {
++                e[0] = '\0';
++            } else {
++                break;
++            }
++        }
++
++        if (strcasecmp(p, "LegacySigningMDs") == 0) {
++            parse_legacy_mds(val);
++        } else if (strcasecmp(line, "MinimumDHBits") == 0) {
++            parse_minimum_dh_bits(val);
++        }
++        /* simply skip other unrecognized lines */
++    }
++    (void)fclose(f);
++}
++
+ /*
+  * Perform any essential OpenSSL initialization operations. Currently only
+  * sets FIPS callbacks
+@@ -109,6 +228,7 @@ void __attribute__ ((constructor)) OPENS
+     if (done)
+         return;
+     done = 1;
++    load_legacy_settings();
+ #ifdef OPENSSL_FIPS
+     if (!FIPS_module_installed()) {
+         return;
+diff -up openssl-1.0.2j/ssl/s3_clnt.c.deprecate-algos openssl-1.0.2j/ssl/s3_clnt.c
+--- openssl-1.0.2j/ssl/s3_clnt.c.deprecate-algos	2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/ssl/s3_clnt.c	2017-01-09 17:01:19.428506961 +0100
+@@ -3478,6 +3478,8 @@ int ssl3_send_client_certificate(SSL *s)
+ 
+ #define has_bits(i,m)   (((i)&(m)) == (m))
+ 
++extern int private_ossl_minimum_dh_bits;
++
+ int ssl3_check_cert_and_algorithm(SSL *s)
+ {
+     int i, idx;
+@@ -3608,8 +3610,7 @@ int ssl3_check_cert_and_algorithm(SSL *s
+             DH_free(dh_srvr);
+         }
+ 
+-        if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024)
+-            || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
++        if (dh_size < (private_ossl_minimum_dh_bits ? private_ossl_minimum_dh_bits : 1024)) {
+             SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
+             goto f_err;
+         }

openssl-1.0.2j-downgrade-strength.patch

@@ -0,0 +1,138 @@
+diff -up openssl-1.0.2j/ssl/s3_lib.c.downgrade-strength openssl-1.0.2j/ssl/s3_lib.c
+--- openssl-1.0.2j/ssl/s3_lib.c.downgrade-strength	2017-01-05 17:23:21.091203023 +0100
++++ openssl-1.0.2j/ssl/s3_lib.c	2017-01-05 17:36:37.250194225 +0100
+@@ -227,7 +227,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_SSLV3,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -243,7 +243,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_SSLV3,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -278,7 +278,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_SSLV3,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ #endif
+@@ -575,7 +575,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_SSLV3,
+      SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -730,7 +730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_SSLV3,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -746,7 +746,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_SSLV3,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -796,7 +796,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_SSLV3,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_SSLV3,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -1429,7 +1429,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_TLSV1,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ #endif
+@@ -1714,7 +1714,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_TLSV1,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -2106,7 +2106,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_TLSV1,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -2186,7 +2186,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_TLSV1,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -2266,7 +2266,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_TLSV1,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -2346,7 +2346,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_TLSV1,
+      SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 
+@@ -2426,7 +2426,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      SSL_TLSV1,
+      SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+-     128,
++     112,
+      128,
+      },
+ 

openssl-1.0.2j-krb5keytab.patch

@@ -0,0 +1,172 @@
+diff -up openssl-1.0.2j/apps/s_client.c.krb5keytab openssl-1.0.2j/apps/s_client.c
+--- openssl-1.0.2j/apps/s_client.c.krb5keytab	2017-01-05 17:02:05.481441088 +0100
++++ openssl-1.0.2j/apps/s_client.c	2017-01-05 17:08:28.311073180 +0100
+@@ -171,6 +171,10 @@ typedef unsigned int u_int;
+ #include "s_apps.h"
+ #include "timeouts.h"
+ 
++#ifndef OPENSSL_NO_KRB5
++static char *krb5svc = NULL;
++#endif
++
+ #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
+ /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+ # undef FIONBIO
+@@ -400,6 +404,9 @@ static void sc_usage(void)
+     BIO_printf(bio_err,
+                "                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+     BIO_printf(bio_err, "                 are supported.\n");
++#ifndef OPENSSL_NO_KRB5
++    BIO_printf(bio_err, " -krb5svc arg  - Kerberos service name\n");
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+     BIO_printf(bio_err,
+                " -engine id    - Initialise and use the specified engine\n");
+@@ -1069,6 +1076,13 @@ int MAIN(int argc, char **argv)
+             c_nbio = 1;
+         }
+ #endif
++#ifndef OPENSSL_NO_KRB5
++	else if	(strcmp(*argv, "-krb5svc") == 0) {
++            if (--argc < 1)
++                goto bad;
++            krb5svc= *(++argv);
++        }
++#endif
+         else if (strcmp(*argv, "-starttls") == 0) {
+             if (--argc < 1)
+                 goto bad;
+@@ -1435,6 +1449,8 @@ int MAIN(int argc, char **argv)
+     if (con && (kctx = kssl_ctx_new()) != NULL) {
+         SSL_set0_kssl_ctx(con, kctx);
+         kssl_ctx_setstring(kctx, KSSL_SERVER, host);
++        if (krb5svc != NULL)
++            kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
+     }
+ #endif                          /* OPENSSL_NO_KRB5 */
+ /*      SSL_set_cipher_list(con,"RC4-MD5"); */
+diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.c
+--- openssl-1.0.2j/apps/s_server.c.krb5keytab	2017-01-05 17:02:05.482441111 +0100
++++ openssl-1.0.2j/apps/s_server.c	2017-01-05 17:16:36.458078609 +0100
+@@ -206,6 +206,11 @@ typedef unsigned int u_int;
+ # include <fcntl.h>
+ #endif
+ 
++#ifndef OPENSSL_NO_KRB5
++static char *krb5svc = NULL;
++static char *keytab = NULL;
++#endif
++
+ #ifndef OPENSSL_NO_RSA
+ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
+ #endif
+@@ -579,6 +584,10 @@ static void sv_usage(void)
+     BIO_printf(bio_err, " -serverpref   - Use server's cipher preferences\n");
+     BIO_printf(bio_err, " -quiet        - No server output\n");
+     BIO_printf(bio_err, " -no_tmp_rsa   - Do not generate a tmp RSA key\n");
++#ifndef OPENSSL_NO_KRB5
++    BIO_printf(bio_err, " -krb5svc arg  - Kerberos service name\n");
++    BIO_printf(bio_err, " -keytab arg   - Kerberos keytab filename\n");
++#endif
+ #ifndef OPENSSL_NO_PSK
+     BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n");
+     BIO_printf(bio_err, " -psk arg      - PSK in hex (without 0x)\n");
+@@ -1326,6 +1335,17 @@ int MAIN(int argc, char *argv[])
+                 goto bad;
+             vfyCAfile = *(++argv);
+         }
++#ifndef OPENSSL_NO_KRB5
++        else if (strcmp(*argv, "-krb5svc") == 0) {
++            if (--argc < 1)
++                goto bad;
++            krb5svc = *(++argv);
++        } else if (strcmp(*argv, "-keytab") == 0) {
++            if (--argc < 1)
++                goto bad;
++            keytab = *(++argv);
++        }
++#endif
+ #ifdef FIONBIO
+         else if (strcmp(*argv, "-nbio") == 0) {
+             s_nbio = 1;
+@@ -2226,8 +2246,10 @@ static int sv_body(char *hostname, int s
+ #ifndef OPENSSL_NO_KRB5
+         if ((kctx = kssl_ctx_new()) != NULL) {
+             SSL_set0_kssl_ctx(con, kctx);
+-            kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+-            kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
++            kssl_ctx_setstring(kctx, KSSL_SERVICE,
++                krb5svc == NULL ? KRB5SVC : krb5svc);
++            if (keytab != NULL)
++                kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
+         }
+ #endif                          /* OPENSSL_NO_KRB5 */
+         if (context)
+@@ -2836,8 +2858,11 @@ static int www_body(char *hostname, int
+ #endif
+ #ifndef OPENSSL_NO_KRB5
+     if ((kctx = kssl_ctx_new()) != NULL) {
+-        kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+-        kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
++        SSL_set0_kssl_ctx(con, kctx);
++        kssl_ctx_setstring(kctx, KSSL_SERVICE,
++            krb5svc == NULL ? KRB5SVC : krb5svc);
++        if (keytab != NULL)
++            kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
+     }
+ #endif                          /* OPENSSL_NO_KRB5 */
+     if (context)
+diff -up openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab openssl-1.0.2j/doc/apps/s_client.pod
+--- openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab	2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/doc/apps/s_client.pod	2017-01-05 17:21:30.562709291 +0100
+@@ -43,6 +43,7 @@ B<openssl> B<s_client>
+ [B<-fallback_scsv>]
+ [B<-bugs>]
+ [B<-cipher cipherlist>]
++[B<-krb5svc service>]
+ [B<-serverpref>]
+ [B<-starttls protocol>]
+ [B<-engine id>]
+@@ -228,6 +229,12 @@ command for more information.
+ 
+ use the server's cipher preferences; only used for SSLV2.
+ 
++=item B<-krb5svc service>
++
++the Kerberos service name to use (default "host"). This means s_server
++will expect a ticket for the principal I<service>/hostname@REALM, and will
++need keys for that principal in its keytab.
++
+ =item B<-starttls protocol>
+ 
+ send the protocol-specific message(s) to switch to TLS for communication.
+diff -up openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab openssl-1.0.2j/doc/apps/s_server.pod
+--- openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab	2017-01-05 17:02:05.482441111 +0100
++++ openssl-1.0.2j/doc/apps/s_server.pod	2017-01-05 17:20:54.769902331 +0100
+@@ -37,6 +37,8 @@ B<openssl> B<s_server>
+ [B<-nocert>]
+ [B<-cipher cipherlist>]
+ [B<-serverpref>]
++[B<-krb5svc service>]
++[B<-keytab filename>]
+ [B<-quiet>]
+ [B<-no_tmp_rsa>]
+ [B<-ssl2>]
+@@ -246,6 +248,17 @@ the B<ciphers> command for more informat
+ 
+ use the server's cipher preferences, rather than the client's preferences.
+ 
++=item B<-krb5svc service>
++
++the Kerberos service name to use (default "host"). This means s_server
++will expect a ticket for the principal I<service>/hostname@REALM, and will
++need keys for that principal in its keytab.
++
++=item B<-keytab filename>
++
++the Kerberos "keytab" (key table) file, containing keys for the s_server
++service principal (Kerberos identity; see -krb5svc).
++
+ =item B<-tlsextdebug>
+ 
+ print out a hex dump of any TLS extensions received from the server.

openssl-1.0.2j-new-fips-reqs.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2i/crypto/bn/bn_rand.c
---- openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs	2016-09-22 13:54:26.533848449 +0200
-+++ openssl-1.0.2i/crypto/bn/bn_rand.c	2016-09-22 13:56:52.169233060 +0200
+diff -up openssl-1.0.2j/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2j/crypto/bn/bn_rand.c
+--- openssl-1.0.2j/crypto/bn/bn_rand.c.fips-reqs	2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/crypto/bn/bn_rand.c	2017-01-10 16:25:11.142340595 +0100
 @@ -141,8 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
      }
  
@@ -15,9 +15,9 @@ diff -up openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2i/crypto/bn/b
  
      /* We ignore the value of pseudorand and always call RAND_bytes */
      if (RAND_bytes(buf, bytes) <= 0)
-diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2i/crypto/dh/dh_gen.c
---- openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs	2016-09-22 13:54:26.489847426 +0200
-+++ openssl-1.0.2i/crypto/dh/dh_gen.c	2016-09-22 13:54:26.533848449 +0200
+diff -up openssl-1.0.2j/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2j/crypto/dh/dh_gen.c
+--- openssl-1.0.2j/crypto/dh/dh_gen.c.fips-reqs	2017-01-10 16:25:11.099339627 +0100
++++ openssl-1.0.2j/crypto/dh/dh_gen.c	2017-01-10 16:25:11.142340595 +0100
 @@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
          return 0;
      }
@@ -27,9 +27,9 @@ diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2i/crypto/dh/dh
          DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
          goto err;
      }
-diff -up openssl-1.0.2i/crypto/dh/dh.h.fips-reqs openssl-1.0.2i/crypto/dh/dh.h
---- openssl-1.0.2i/crypto/dh/dh.h.fips-reqs	2016-09-22 13:54:26.489847426 +0200
-+++ openssl-1.0.2i/crypto/dh/dh.h	2016-09-22 13:54:26.534848472 +0200
+diff -up openssl-1.0.2j/crypto/dh/dh.h.fips-reqs openssl-1.0.2j/crypto/dh/dh.h
+--- openssl-1.0.2j/crypto/dh/dh.h.fips-reqs	2017-01-10 16:25:11.099339627 +0100
++++ openssl-1.0.2j/crypto/dh/dh.h	2017-01-10 16:25:11.142340595 +0100
 @@ -78,6 +78,7 @@
  # endif
  
@@ -38,9 +38,9 @@ diff -up openssl-1.0.2i/crypto/dh/dh.h.fips-reqs openssl-1.0.2i/crypto/dh/dh.h
  
  # define DH_FLAG_CACHE_MONT_P     0x01
  
-diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_gen.c
---- openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs	2016-09-22 13:54:26.490847450 +0200
-+++ openssl-1.0.2i/crypto/dsa/dsa_gen.c	2016-09-22 13:54:26.534848472 +0200
+diff -up openssl-1.0.2j/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2j/crypto/dsa/dsa_gen.c
+--- openssl-1.0.2j/crypto/dsa/dsa_gen.c.fips-reqs	2017-01-10 16:25:11.100339650 +0100
++++ openssl-1.0.2j/crypto/dsa/dsa_gen.c	2017-01-10 16:25:11.143340618 +0100
 @@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
      }
  
@@ -56,9 +56,9 @@ diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2i/crypto/dsa
          DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
          goto err;
      }
-diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2i/crypto/dsa/dsa.h
---- openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs	2016-09-22 13:54:26.490847450 +0200
-+++ openssl-1.0.2i/crypto/dsa/dsa.h	2016-09-22 13:54:26.534848472 +0200
+diff -up openssl-1.0.2j/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2j/crypto/dsa/dsa.h
+--- openssl-1.0.2j/crypto/dsa/dsa.h.fips-reqs	2017-01-10 16:25:11.100339650 +0100
++++ openssl-1.0.2j/crypto/dsa/dsa.h	2017-01-10 16:25:11.143340618 +0100
 @@ -89,6 +89,7 @@
  # endif
  
@@ -79,9 +79,9 @@ diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2i/crypto/dsa/dsa
   * Rabin-Miller
   */
  # define DSA_is_prime(n, callback, cb_arg) \
-diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_key.c
---- openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs	2016-09-22 13:54:26.532848426 +0200
-+++ openssl-1.0.2i/crypto/dsa/dsa_key.c	2016-09-22 13:54:26.534848472 +0200
+diff -up openssl-1.0.2j/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2j/crypto/dsa/dsa_key.c
+--- openssl-1.0.2j/crypto/dsa/dsa_key.c.fips-reqs	2017-01-10 16:25:11.141340573 +0100
++++ openssl-1.0.2j/crypto/dsa/dsa_key.c	2017-01-10 16:25:11.143340618 +0100
 @@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
  
  # ifdef OPENSSL_FIPS
@@ -91,9 +91,40 @@ diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2i/crypto/dsa
          DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
          goto err;
      }
-diff -up openssl-1.0.2i/crypto/fips/fips.c.fips-reqs openssl-1.0.2i/crypto/fips/fips.c
---- openssl-1.0.2i/crypto/fips/fips.c.fips-reqs	2016-09-22 13:54:26.532848426 +0200
-+++ openssl-1.0.2i/crypto/fips/fips.c	2016-09-22 13:54:26.534848472 +0200
+diff -up openssl-1.0.2j/crypto/evp/e_aes.c.fips-reqs openssl-1.0.2j/crypto/evp/e_aes.c
+--- openssl-1.0.2j/crypto/evp/e_aes.c.fips-reqs	2017-01-10 16:25:11.102339695 +0100
++++ openssl-1.0.2j/crypto/evp/e_aes.c	2017-01-10 16:25:11.143340618 +0100
+@@ -381,6 +381,8 @@ static int aesni_xts_init_key(EVP_CIPHER
+ 
+     if (key) {
+         /* key_len is two AES keys */
++        if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
++            return 0;
+         if (enc) {
+             aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
+             xctx->xts.block1 = (block128_f) aesni_encrypt;
+@@ -701,6 +703,9 @@ static int aes_t4_xts_init_key(EVP_CIPHE
+ 
+     if (key) {
+         int bits = ctx->key_len * 4;
++
++        if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
++            return 0;
+         xctx->stream = NULL;
+         /* key_len is two AES keys */
+         if (enc) {
+@@ -1645,6 +1650,8 @@ static int aes_xts_init_key(EVP_CIPHER_C
+ 
+     if (key)
+         do {
++            if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
++                return 0;
+ # ifdef AES_XTS_ASM
+             xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
+ # else
+diff -up openssl-1.0.2j/crypto/fips/fips.c.fips-reqs openssl-1.0.2j/crypto/fips/fips.c
+--- openssl-1.0.2j/crypto/fips/fips.c.fips-reqs	2017-01-10 16:25:11.141340573 +0100
++++ openssl-1.0.2j/crypto/fips/fips.c	2017-01-10 16:25:11.143340618 +0100
 @@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
                  ret = 0;
                  goto end;
@@ -127,9 +158,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips.c.fips-reqs openssl-1.0.2i/crypto/fips/
          ret = 1;
          goto end;
      }
-diff -up openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_dh_selftest.c
---- openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs	2016-09-22 13:54:26.535848495 +0200
-+++ openssl-1.0.2i/crypto/fips/fips_dh_selftest.c	2016-09-22 13:54:26.535848495 +0200
+diff -up openssl-1.0.2j/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_dh_selftest.c
+--- openssl-1.0.2j/crypto/fips/fips_dh_selftest.c.fips-reqs	2017-01-10 16:25:11.143340618 +0100
++++ openssl-1.0.2j/crypto/fips/fips_dh_selftest.c	2017-01-10 16:25:11.143340618 +0100
 @@ -0,0 +1,162 @@
 +/* ====================================================================
 + * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
@@ -293,9 +324,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2i/
 +    return ret;
 +}
 +#endif
-diff -up openssl-1.0.2i/crypto/fips/fips.h.fips-reqs openssl-1.0.2i/crypto/fips/fips.h
---- openssl-1.0.2i/crypto/fips/fips.h.fips-reqs	2016-09-22 13:54:26.527848309 +0200
-+++ openssl-1.0.2i/crypto/fips/fips.h	2016-09-22 13:54:26.535848495 +0200
+diff -up openssl-1.0.2j/crypto/fips/fips.h.fips-reqs openssl-1.0.2j/crypto/fips/fips.h
+--- openssl-1.0.2j/crypto/fips/fips.h.fips-reqs	2017-01-10 16:25:11.137340483 +0100
++++ openssl-1.0.2j/crypto/fips/fips.h	2017-01-10 16:25:11.144340641 +0100
 @@ -96,6 +96,7 @@ extern "C" {
      int FIPS_selftest_dsa(void);
      int FIPS_selftest_ecdsa(void);
@@ -304,9 +335,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips.h.fips-reqs openssl-1.0.2i/crypto/fips/
      void FIPS_corrupt_rng(void);
      void FIPS_rng_stick(void);
      void FIPS_x931_stick(int onoff);
-diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_post.c
---- openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs	2016-09-22 13:54:26.524848240 +0200
-+++ openssl-1.0.2i/crypto/fips/fips_post.c	2016-09-22 13:54:26.535848495 +0200
+diff -up openssl-1.0.2j/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_post.c
+--- openssl-1.0.2j/crypto/fips/fips_post.c.fips-reqs	2017-01-10 16:25:11.134340415 +0100
++++ openssl-1.0.2j/crypto/fips/fips_post.c	2017-01-10 16:25:11.144340641 +0100
 @@ -99,6 +99,8 @@ int FIPS_selftest(void)
          rv = 0;
      if (!FIPS_selftest_dsa())
@@ -316,9 +347,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2i/crypto/
      if (!FIPS_selftest_ecdh())
          rv = 0;
      return rv;
-diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs	2016-09-22 13:54:26.499847659 +0200
-+++ openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c	2016-09-22 13:54:26.537848542 +0200
+diff -up openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c.fips-reqs	2017-01-10 16:25:11.109339852 +0100
++++ openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c	2017-01-10 16:25:11.144340641 +0100
 @@ -60,68 +60,107 @@
  #ifdef OPENSSL_FIPS
  
@@ -973,9 +1004,9 @@ diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2i
          RSA_free(key);
      return ret;
  }
-diff -up openssl-1.0.2i/crypto/fips/Makefile.fips-reqs openssl-1.0.2i/crypto/fips/Makefile
---- openssl-1.0.2i/crypto/fips/Makefile.fips-reqs	2016-09-22 13:54:26.524848240 +0200
-+++ openssl-1.0.2i/crypto/fips/Makefile	2016-09-22 13:54:26.537848542 +0200
+diff -up openssl-1.0.2j/crypto/fips/Makefile.fips-reqs openssl-1.0.2j/crypto/fips/Makefile
+--- openssl-1.0.2j/crypto/fips/Makefile.fips-reqs	2017-01-10 16:25:11.134340415 +0100
++++ openssl-1.0.2j/crypto/fips/Makefile	2017-01-10 16:25:11.144340641 +0100
 @@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
      fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c  fips_rand.c \
      fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
@@ -994,9 +1025,9 @@ diff -up openssl-1.0.2i/crypto/fips/Makefile.fips-reqs openssl-1.0.2i/crypto/fip
  
  LIBCRYPTO=-L.. -lcrypto
  
-diff -up openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2i/crypto/rand/rand_lcl.h
---- openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs	2016-09-22 13:54:26.261842127 +0200
-+++ openssl-1.0.2i/crypto/rand/rand_lcl.h	2016-09-22 13:54:26.537848542 +0200
+diff -up openssl-1.0.2j/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2j/crypto/rand/rand_lcl.h
+--- openssl-1.0.2j/crypto/rand/rand_lcl.h.fips-reqs	2017-01-10 16:25:10.830333571 +0100
++++ openssl-1.0.2j/crypto/rand/rand_lcl.h	2017-01-10 16:25:11.144340641 +0100
 @@ -112,7 +112,7 @@
  #ifndef HEADER_RAND_LCL_H
  # define HEADER_RAND_LCL_H
@@ -1006,9 +1037,9 @@ diff -up openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2i/crypto/r
  
  # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
  #  if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-diff -up openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2i/crypto/rand/rand_lib.c
---- openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs	2016-09-22 12:23:06.000000000 +0200
-+++ openssl-1.0.2i/crypto/rand/rand_lib.c	2016-09-22 13:54:26.537848542 +0200
+diff -up openssl-1.0.2j/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2j/crypto/rand/rand_lib.c
+--- openssl-1.0.2j/crypto/rand/rand_lib.c.fips-reqs	2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/crypto/rand/rand_lib.c	2017-01-10 16:25:11.145340663 +0100
 @@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
                           double entropy)
  {
@@ -1032,9 +1063,9 @@ diff -up openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2i/crypto/r
      return 1;
  }
  
-diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2i/crypto/rsa/rsa_gen.c
---- openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs	2016-09-22 13:54:26.502847728 +0200
-+++ openssl-1.0.2i/crypto/rsa/rsa_gen.c	2016-09-22 13:54:26.538848565 +0200
+diff -up openssl-1.0.2j/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2j/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2j/crypto/rsa/rsa_gen.c.fips-reqs	2017-01-10 16:25:11.112339920 +0100
++++ openssl-1.0.2j/crypto/rsa/rsa_gen.c	2017-01-10 16:25:11.145340663 +0100
 @@ -1,5 +1,6 @@
  /* crypto/rsa/rsa_gen.c */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
@@ -1336,9 +1367,9 @@ diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2i/crypto/rsa
      ok = 1;
   err:
      if (ok == -1) {
-diff -up openssl-1.0.2i/ssl/t1_enc.c.fips-reqs openssl-1.0.2i/ssl/t1_enc.c
---- openssl-1.0.2i/ssl/t1_enc.c.fips-reqs	2016-09-22 12:23:06.000000000 +0200
-+++ openssl-1.0.2i/ssl/t1_enc.c	2016-09-22 13:54:26.538848565 +0200
+diff -up openssl-1.0.2j/ssl/t1_enc.c.fips-reqs openssl-1.0.2j/ssl/t1_enc.c
+--- openssl-1.0.2j/ssl/t1_enc.c.fips-reqs	2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/ssl/t1_enc.c	2017-01-10 16:25:11.145340663 +0100
 @@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
      return ret;
  }

openssl-1.0.2k-backports.patch

@@ -0,0 +1,115 @@
+From e93f7d9c9873e8e9538c0be0b0d3b6851344dd6d Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 26 Jan 2017 17:39:48 +0000
+Subject: [PATCH] Use correct signature algorithm list when sending or
+ checking.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/2298)
+---
+ ssl/s3_lib.c   |  2 +-
+ ssl/s3_srvr.c  |  2 +-
+ ssl/ssl_locl.h |  2 +-
+ ssl/t1_lib.c   | 12 ++++++------
+ 4 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index 0385e03..1014a3f 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4237,7 +4237,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
+         return (int)s->cert->ctype_num;
+     }
+     /* get configured sigalgs */
+-    siglen = tls12_get_psigalgs(s, &sig);
++    siglen = tls12_get_psigalgs(s, 1, &sig);
+     if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
+         nostrict = 0;
+     for (i = 0; i < siglen; i += 2, sig += 2) {
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index ea56f9c..e5ee384 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -2084,7 +2084,7 @@ int ssl3_send_certificate_request(SSL *s)
+ 
+         if (SSL_USE_SIGALGS(s)) {
+             const unsigned char *psigs;
+-            nl = tls12_get_psigalgs(s, &psigs);
++            nl = tls12_get_psigalgs(s, 1, &psigs);
+             s2n(nl, p);
+             memcpy(p, psigs, nl);
+             p += nl;
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index d50edd1..f582d5f 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -1430,7 +1430,7 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
+ long ssl_get_algorithm2(SSL *s);
+ int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
+ int tls1_process_sigalgs(SSL *s);
+-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
++size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
+ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
+                             const unsigned char *sig, EVP_PKEY *pkey);
+ void ssl_set_client_disabled(SSL *s);
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index e60c88b..5355f0e 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -1035,7 +1035,7 @@ static unsigned char suiteb_sigalgs[] = {
+         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
+ };
+ # endif
+-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
++size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
+ {
+     /*
+      * If Suite B mode use Suite B sigalgs only, ignore any other
+@@ -1057,7 +1057,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
+     }
+ # endif
+     /* If server use client authentication sigalgs if not NULL */
+-    if (s->server && s->cert->client_sigalgs) {
++    if (s->server == sent && s->cert->client_sigalgs) {
+         *psigs = s->cert->client_sigalgs;
+         return s->cert->client_sigalgslen;
+     } else if (s->cert->conf_sigalgs) {
+@@ -1121,7 +1121,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
+ # endif
+ 
+     /* Check signature matches a type we sent */
+-    sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
++    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
+     for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
+         if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
+             break;
+@@ -1169,7 +1169,7 @@ void ssl_set_client_disabled(SSL *s)
+      * Now go through all signature algorithms seeing if we support any for
+      * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
+      */
+-    sigalgslen = tls12_get_psigalgs(s, &sigalgs);
++    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
+     for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
+         switch (sigalgs[1]) {
+ # ifndef OPENSSL_NO_RSA
+@@ -1440,7 +1440,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
+     if (SSL_CLIENT_USE_SIGALGS(s)) {
+         size_t salglen;
+         const unsigned char *salg;
+-        salglen = tls12_get_psigalgs(s, &salg);
++        salglen = tls12_get_psigalgs(s, 1, &salg);
+ 
+         /*-
+          * check for enough space.
+@@ -3803,7 +3803,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
+         conf = c->conf_sigalgs;
+         conflen = c->conf_sigalgslen;
+     } else
+-        conflen = tls12_get_psigalgs(s, &conf);
++        conflen = tls12_get_psigalgs(s, 0, &conf);
+     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
+         pref = conf;
+         preflen = conflen;
+-- 
+2.9.3
+

openssl-1.0.2k-cc-reqs.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c
---- openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs	2015-04-09 18:22:58.638448432 +0200
-+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c	2015-04-09 18:22:57.264416692 +0200
+diff -up openssl-1.0.2k/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2k/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2k/crypto/rsa/rsa_gen.c.cc-reqs	2017-02-06 16:42:47.313963001 +0100
++++ openssl-1.0.2k/crypto/rsa/rsa_gen.c	2017-02-06 16:46:54.453628783 +0100
 @@ -474,6 +474,12 @@ static int rsa_builtin_keygen(RSA *rsa,
      if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
          goto err;
@@ -11,10 +11,10 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2a/crypto/rsa/r
 +    if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
 +        goto err;
 +
-     BN_copy(rsa->e, e_value);
+     if (BN_copy(rsa->e, e_value) == NULL)
+         goto err;
  
-     /* generate p and q */
-@@ -501,7 +507,9 @@ static int rsa_builtin_keygen(RSA *rsa,
+@@ -502,7 +508,9 @@ static int rsa_builtin_keygen(RSA *rsa,
          do {
              if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
                  goto err;

openssl.spec

@@ -22,8 +22,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.0.2j
-Release: 2%{?dist}
+Version: 1.0.2k
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -31,6 +31,7 @@ Epoch: 1
 Source: openssl-%{version}-hobbled.tar.xz
 Source1: hobble-openssl
 Source2: Makefile.certificate
+Source5: README.legacy-settings
 Source6: make-dummy-cert
 Source7: renew-dummy-cert
 Source8: openssl-thread-test.c
@@ -57,6 +58,7 @@ Patch34: openssl-1.0.2a-x509.patch
 Patch35: openssl-1.0.2a-version-add-engines.patch
 Patch39: openssl-1.0.2a-ipv6-apps.patch
 Patch40: openssl-1.0.2i-fips.patch
+Patch43: openssl-1.0.2j-krb5keytab.patch
 Patch45: openssl-1.0.2a-env-zlib.patch
 Patch47: openssl-1.0.2a-readme-warning.patch
 Patch49: openssl-1.0.1i-algo-doc.patch
@@ -73,10 +75,11 @@ Patch70: openssl-1.0.2a-fips-ec.patch
 Patch71: openssl-1.0.2g-manfix.patch
 Patch72: openssl-1.0.2a-fips-ctor.patch
 Patch73: openssl-1.0.2c-ecc-suiteb.patch
-Patch74: openssl-1.0.2a-no-md5-verify.patch
+Patch74: openssl-1.0.2j-deprecate-algos.patch
 Patch75: openssl-1.0.2a-compat-symbols.patch
-Patch76: openssl-1.0.2i-new-fips-reqs.patch
-Patch78: openssl-1.0.2a-cc-reqs.patch
+Patch76: openssl-1.0.2j-new-fips-reqs.patch
+Patch77: openssl-1.0.2j-downgrade-strength.patch
+Patch78: openssl-1.0.2k-cc-reqs.patch
 Patch90: openssl-1.0.2i-enc-fail.patch
 Patch92: openssl-1.0.2a-system-cipherlist.patch
 Patch93: openssl-1.0.2g-disable-sslv2v3.patch
@@ -87,6 +90,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
 Patch80: openssl-1.0.2e-wrap-pad.patch
 Patch81: openssl-1.0.2a-padlock64.patch
 Patch82: openssl-1.0.2i-trusted-first-doc.patch
+Patch83: openssl-1.0.2k-backports.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -180,6 +184,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch35 -p1 -b .version-add-engines
 %patch39 -p1 -b .ipv6-apps
 %patch40 -p1 -b .fips
+%patch43 -p1 -b .krb5keytab 
 %patch45 -p1 -b .env-zlib
 %patch47 -p1 -b .warning
 %patch49 -p1 -b .algo-doc
@@ -196,9 +201,10 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch71 -p1 -b .manfix
 %patch72 -p1 -b .fips-ctor
 %patch73 -p1 -b .suiteb
-%patch74 -p1 -b .no-md5-verify
+%patch74 -p1 -b .deprecate-algos
 %patch75 -p1 -b .compat
 %patch76 -p1 -b .fips-reqs
+%patch77 -p1 -b .strength
 %patch78 -p1 -b .cc-reqs
 %patch90 -p1 -b .enc-fail
 %patch92 -p1 -b .system
@@ -210,6 +216,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch80 -p1 -b .wrap
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .trusted-first
+%patch83 -p1 -b .backports
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -304,8 +311,8 @@ make all
 # Generate hashes for the included certs.
 make rehash
 
-# Overwrite FIPS README
-cp -f %{SOURCE11} .
+# Overwrite FIPS README and copy README.legacy-settings
+cp -f %{SOURCE5} %{SOURCE11} .
 
 # Clean up the .pc files
 for i in libcrypto.pc libssl.pc openssl.pc ; do
@@ -446,7 +453,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %defattr(-,root,root)
 %{!?_licensedir:%global license %%doc}
 %license LICENSE
-%doc FAQ NEWS README README.FIPS
+%doc FAQ NEWS README
+%doc README.FIPS
+%doc README.legacy-settings
 %{_sysconfdir}/pki/tls/certs/make-dummy-cert
 %{_sysconfdir}/pki/tls/certs/renew-dummy-cert
 %{_sysconfdir}/pki/tls/certs/Makefile
@@ -508,6 +517,17 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Feb  6 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-1
+- minor upstream release 1.0.2k fixing security issues
+- deprecate and disable verification of insecure hash algorithms
+- add support for /etc/pki/tls/legacy-settings also for minimum DH length
+  accepted by SSL client
+- compare the encrypt and tweak key in XTS as required by FIPS
+
+* Fri Dec  2 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2j-2
+- drop read lock in fips_drbg_status that is unnecessary
+  and causes deadlock when reseeding (#1400922)
+
 * Fri Oct 07 2016 Richard W.M. Jones <rjones@redhat.com> - 1:1.0.2j-2
 - Add flags for riscv64.
 

sources

@@ -1 +1 @@
-088e893a390e253a8897c3cb1b488a83  openssl-1.0.2j-hobbled.tar.xz
+SHA512 (openssl-1.0.2k-hobbled.tar.xz) = f702b9a18f4500f0263e0c1fc09985a8caf72c8bcb744b8d3683a49ec889120b1b595db42f2a66cae722312736b09236a0911548590d318382a2981f35fed533