[mingw-openssl: 14/32] - Updated to version 1.0.0 beta 4 - Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta
Kalev Lember
kalev at fedoraproject.org
Tue Mar 6 20:07:25 UTC 2012
commit 543260c394dae55a5e7356ff6c071dd6087e71f0
Author: Kalev Lember <kalev at fedoraproject.org>
Date: Sun Nov 22 17:44:35 2009 +0000
- Updated to version 1.0.0 beta 4
- Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4)
- Added patch to fix build with fips disabled
.cvsignore | 2 +-
Makefile.certificate | 4 +-
make-dummy-cert | 2 +-
mingw32-openssl-1.0.0-beta4-nofips.patch | 130 ++
mingw32-openssl.spec | 57 +-
openssl-0.9.8b-aliasing-bug.patch | 24 -
openssl-0.9.8j-ca-dir.patch | 36 -
openssl-1.0.0-beta3-const.patch | 36 -
openssl-1.0.0-beta3-curl.patch | 27 -
openssl-1.0.0-beta3-enginesdir.patch | 52 -
openssl-1.0.0-beta3-fipsmode.patch | 4 +-
openssl-1.0.0-beta3-krb5.patch | 12 -
openssl-1.0.0-beta3-namingblk.patch | 253 ---
openssl-1.0.0-beta3-namingstr.patch | 1663 --------------------
...doc.patch => openssl-1.0.0-beta4-algo-doc.patch | 16 +-
openssl-1.0.0-beta4-backports.patch | 45 +
openssl-1.0.0-beta4-binutils.patch | 56 +
openssl-1.0.0-beta4-ca-dir.patch | 36 +
openssl-1.0.0-beta4-client-reneg.patch | 35 +
...atch => openssl-1.0.0-beta4-default-paths.patch | 28 +-
openssl-1.0.0-beta4-dtls1-abi.patch | 25 +
openssl-1.0.0-beta4-enginesdir.patch | 52 +
...a3-fips.patch => openssl-1.0.0-beta4-fips.patch | 1410 +++++++++--------
...edhat.patch => openssl-1.0.0-beta4-redhat.patch | 16 +-
openssl-1.0.0-beta4-reneg-err.patch | 93 ++
openssl-1.0.0-beta4-reneg.patch | 237 +++
openssl-1.0.0-beta4-version.patch | 14 +
sources | 2 +-
28 files changed, 1517 insertions(+), 2850 deletions(-)
---
diff --git a/.cvsignore b/.cvsignore
index 37e2722..3819647 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-openssl-1.0.0-beta3-usa.tar.bz2
+openssl-1.0.0-beta4-usa.tar.bz2
diff --git a/Makefile.certificate b/Makefile.certificate
index bf3dc21..e839427 100644
--- a/Makefile.certificate
+++ b/Makefile.certificate
@@ -38,7 +38,7 @@ usage:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+ /usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
@@ -46,7 +46,7 @@ usage:
%.key:
umask 77 ; \
- /usr/bin/openssl genrsa -des3 1024 > $@
+ /usr/bin/openssl genrsa -aes128 2048 > $@
%.csr: %.key
umask 77 ; \
diff --git a/make-dummy-cert b/make-dummy-cert
index 3aff5be..f5f0453 100755
--- a/make-dummy-cert
+++ b/make-dummy-cert
@@ -20,7 +20,7 @@ for target in $@ ; do
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
trap "rm -f $PEM1 $PEM2" SIGINT
- answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+ answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
cat $PEM1 > ${target}
echo "" >> ${target}
cat $PEM2 >> ${target}
diff --git a/mingw32-openssl-1.0.0-beta4-nofips.patch b/mingw32-openssl-1.0.0-beta4-nofips.patch
new file mode 100644
index 0000000..fba1b6f
--- /dev/null
+++ b/mingw32-openssl-1.0.0-beta4-nofips.patch
@@ -0,0 +1,130 @@
+diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.mingw-nofips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c
+--- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-22 19:07:58.000000000 +0200
+@@ -65,7 +65,9 @@
+ #include <openssl/rand.h>
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include "fips_locl.h"
+
+ static int dsa_builtin_keygen(DSA *dsa);
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/evp.h>
+
+ #ifdef OPENSSL_FIPS
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/evp.h>
+ #include <openssl/opensslconf.h>
+
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-22 19:07:58.000000000 +0200
+@@ -59,7 +59,9 @@
+ #include <string.h>
+ #include <openssl/crypto.h>
+ #include <openssl/dsa.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
+ #include <openssl/bn.h>
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/hmac.h>
+
+ #ifdef OPENSSL_FIPS
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_rand.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rand.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_rand.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-22 19:07:58.000000000 +0200
+@@ -76,7 +76,9 @@
+ # endif
+ #endif
+ #include <string.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include "fips_locl.h"
+
+ #ifdef OPENSSL_FIPS
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/rand.h>
+ #include <openssl/fips_rand.h>
+
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/rsa.h>
+ #include <openssl/evp.h>
+ #include <openssl/bn.h>
+diff -up openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c.mingw-nofips openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c
+--- openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-22 19:07:58.000000000 +0200
+@@ -49,7 +49,9 @@
+
+ #include <string.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+ #include <openssl/evp.h>
+ #include <openssl/sha.h>
+
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.mingw-nofips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c
+--- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.mingw-nofips 2009-11-22 19:07:58.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-22 19:07:58.000000000 +0200
+@@ -115,7 +115,9 @@
+ #include <openssl/rsa.h>
+ #include <openssl/rand.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
++#endif
+
+ #ifndef RSA_NULL
+
diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec
index d530ab4..3f8f216 100644
--- a/mingw32-openssl.spec
+++ b/mingw32-openssl.spec
@@ -18,7 +18,7 @@
# 1.0.0 soversion = 10
%global soversion 10
-%global beta beta3
+%global beta beta4
# Enable the tests.
# These only work some of the time, but fail randomly at other times
@@ -31,7 +31,7 @@
Name: mingw32-openssl
Version: 1.0.0
-Release: 0.4.%{beta}%{?dist}
+Release: 0.5.%{beta}%{?dist}
Summary: MinGW port of the OpenSSL toolkit
License: OpenSSL
@@ -50,37 +50,39 @@ Source10: opensslconf-new-warning.h
# Patches from Fedora native package.
# Build changes
-Patch0: openssl-1.0.0-beta3-redhat.patch
+Patch0: openssl-1.0.0-beta4-redhat.patch
Patch1: openssl-1.0.0-beta3-defaults.patch
-Patch2: openssl-1.0.0-beta3-krb5.patch
Patch3: openssl-1.0.0-beta3-soversion.patch
-Patch4: openssl-1.0.0-beta3-enginesdir.patch
+Patch4: openssl-1.0.0-beta4-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
# Bug fixes
-Patch21: openssl-0.9.8b-aliasing-bug.patch
-Patch23: openssl-1.0.0-beta3-default-paths.patch
+Patch23: openssl-1.0.0-beta4-default-paths.patch
+Patch24: openssl-1.0.0-beta4-binutils.patch
# Functionality changes
Patch32: openssl-0.9.8g-ia64.patch
-Patch33: openssl-0.9.8j-ca-dir.patch
+Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch
Patch38: openssl-1.0.0-beta3-cipher-change.patch
# Disabled this because it uses getaddrinfo which is lacking on Windows.
#Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
-Patch40: openssl-1.0.0-beta3-fips.patch
+Patch40: openssl-1.0.0-beta4-fips.patch
Patch41: openssl-1.0.0-beta3-fipscheck.patch
Patch43: openssl-1.0.0-beta3-fipsmode.patch
Patch44: openssl-1.0.0-beta3-fipsrng.patch
Patch45: openssl-0.9.8j-env-nozlib.patch
Patch47: openssl-0.9.8j-readme-warning.patch
Patch48: openssl-0.9.8j-bad-mime.patch
-Patch49: openssl-0.9.8k-algo-doc.patch
-Patch50: openssl-1.0.0-beta3-curl.patch
-Patch51: openssl-1.0.0-beta3-const.patch
+Patch49: openssl-1.0.0-beta4-algo-doc.patch
+Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
+Patch51: openssl-1.0.0-beta4-version.patch
# Backported fixes including security fixes
-Patch60: openssl-1.0.0-beta3-namingstr.patch
-Patch61: openssl-1.0.0-beta3-namingblk.patch
+Patch60: openssl-1.0.0-beta4-reneg.patch
+# This one is not backported but has to be applied after reneg patch
+Patch61: openssl-1.0.0-beta4-client-reneg.patch
+Patch62: openssl-1.0.0-beta4-backports.patch
+Patch63: openssl-1.0.0-beta4-reneg-err.patch
# MinGW-specific patches.
# Use MINGW32_CFLAGS (set below) in Configure script
@@ -92,6 +94,8 @@ Patch102: mingw32-openssl-1.0.0-beta3-sfx.patch
# Ugly patch to fix a compilation error (the linker can't find
# some symbols mentioned in an autogenerated .def file)
Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch
+# Fix build without fips
+Patch106: mingw32-openssl-1.0.0-beta4-nofips.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -156,15 +160,13 @@ Static version of the MinGW port of the OpenSSL toolkit.
%{SOURCE1} > /dev/null
%patch0 -p1 -b .redhat
%patch1 -p1 -b .defaults
-# Fix link line for libssl (bug #111154).
-%patch2 -p1 -b .krb5
%patch3 -p1 -b .soversion
%patch4 -p1 -b .enginesdir
%patch5 -p1 -b .no-rpath
%patch6 -p1 -b .use-localhost
-%patch21 -p1 -b .aliasing-bug
%patch23 -p1 -b .default-paths
+%patch24 -p1 -b .binutils
%patch32 -p1 -b .ia64
#patch33 is applied after make test
@@ -180,15 +182,19 @@ Static version of the MinGW port of the OpenSSL toolkit.
%patch47 -p1 -b .warning
%patch48 -p1 -b .bad-mime
%patch49 -p1 -b .algo-doc
-%patch50 -p1 -b .curl
-%patch51 -p1 -b .const
-%patch60 -p1 -b .namingstr
-%patch61 -p1 -b .namingblk
+%patch50 -p1 -b .dtls1-abi
+%patch51 -p1 -b .version
+
+%patch60 -p1 -b .reneg
+%patch61 -p1 -b .client-reneg
+%patch62 -p1 -b .backports
+%patch63 -p1 -b .reneg-err
%patch100 -p1 -b .mingw-configure
%patch101 -p1 -b .mingw-libversion
%patch102 -p1 -b .mingw-sfx
%patch105 -p0 -b .mingw-linker-fix
+%patch106 -p1 -b .mingw-nofips
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -206,9 +212,9 @@ export MINGW32_CFLAGS="%{_mingw32_cflags}"; \
--openssldir=%{_mingw32_sysconfdir}/pki/tls \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \
- no-hw shared --cross-compile-prefix=%{_mingw32_target}- \
+ no-hw --cross-compile-prefix=%{_mingw32_target}- \
--enginesdir=%{_mingw32_libdir}/openssl/engines \
- mingw
+ shared mingw
# --with-krb5-flavor=MIT
# -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib}
make depend
@@ -347,6 +353,11 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Sun Nov 22 2009 Kalev Lember <kalev at smartlink.ee> - 1.0.0-0.5.beta4
+- Updated to version 1.0.0 beta 4
+- Merged patches from native Fedora openssl (up to 1.0.0-0.15.beta4)
+- Added patch to fix build with fips disabled
+
* Fri Sep 18 2009 Kalev Lember <kalev at smartlink.ee> - 1.0.0-0.4.beta3
- Rebuilt to fix debuginfo
diff --git a/openssl-1.0.0-beta3-fipsmode.patch b/openssl-1.0.0-beta3-fipsmode.patch
index 643654e..2fbf0a6 100644
--- a/openssl-1.0.0-beta3-fipsmode.patch
+++ b/openssl-1.0.0-beta3-fipsmode.patch
@@ -222,7 +222,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
-@@ -115,6 +121,38 @@ int SSL_library_init(void)
+@@ -115,6 +121,40 @@ int SSL_library_init(void)
EVP_add_digest(EVP_sha());
EVP_add_digest(EVP_dss());
#endif
@@ -241,6 +241,8 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
+#ifndef OPENSSL_NO_MD5
+ /* needed even in the FIPS mode for TLS MAC */
+ EVP_add_digest(EVP_md5());
++ EVP_add_digest_alias(SN_md5,"ssl2-md5");
++ EVP_add_digest_alias(SN_md5,"ssl3-md5");
+#endif
+#ifndef OPENSSL_NO_SHA
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
diff --git a/openssl-0.9.8k-algo-doc.patch b/openssl-1.0.0-beta4-algo-doc.patch
similarity index 86%
rename from openssl-0.9.8k-algo-doc.patch
rename to openssl-1.0.0-beta4-algo-doc.patch
index 27521a4..2f18f3f 100644
--- a/openssl-0.9.8k-algo-doc.patch
+++ b/openssl-1.0.0-beta4-algo-doc.patch
@@ -1,6 +1,6 @@
-diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod
---- openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc 2004-05-20 23:39:50.000000000 +0200
-+++ openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod 2009-06-30 12:04:47.000000000 +0200
+diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
+--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc 2009-10-16 17:29:34.000000000 +0200
++++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod 2009-11-12 14:13:21.000000000 +0100
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
@@ -45,8 +45,8 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
+signature algorithm is RSA in each case.
EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
- algorithms but using DSS (DSA) for the signature algorithm.
-@@ -156,7 +163,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
+ algorithms but using DSS (DSA) for the signature algorithm. Note: there is
+@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
size in bytes.
@@ -56,9 +56,9 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
corresponding EVP_MD structures.
-diff -up openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod
---- openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
-+++ openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod 2009-06-30 12:04:47.000000000 +0200
+diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
+--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
++++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod 2009-11-12 14:11:03.000000000 +0100
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
diff --git a/openssl-1.0.0-beta4-backports.patch b/openssl-1.0.0-beta4-backports.patch
new file mode 100644
index 0000000..ad4c7e4
--- /dev/null
+++ b/openssl-1.0.0-beta4-backports.patch
@@ -0,0 +1,45 @@
+diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
+--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100
+@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
+ }
+ else ret= *a;
+
+- ret->save_type=type;
+- ret->type=EVP_PKEY_type(type);
+- switch (ret->type)
++ if (!EVP_PKEY_set_type(ret, type))
++ {
++ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
++ goto err;
++ }
++
++ switch (EVP_PKEY_id(ret))
+ {
+ #ifndef OPENSSL_NO_RSA
+ case EVP_PKEY_RSA:
+diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
+--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100
+@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
+ #ifndef OPENSSL_NO_ENGINE
+ /* If we have an ENGINE release it */
+ if (pkey->engine)
++ {
+ ENGINE_finish(pkey->engine);
++ pkey->engine = NULL;
++ }
+ #endif
+ }
+ if (str)
+diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
+--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100
+@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm,
+ offset= -offset;
+ }
+ atm.type=ctm->type;
++ atm.flags = 0;
+ atm.length=sizeof(buff2);
+ atm.data=(unsigned char *)buff2;
+
diff --git a/openssl-1.0.0-beta4-binutils.patch b/openssl-1.0.0-beta4-binutils.patch
new file mode 100644
index 0000000..d39b2e6
--- /dev/null
+++ b/openssl-1.0.0-beta4-binutils.patch
@@ -0,0 +1,56 @@
+diff -up openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl
+--- openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl 2009-11-12 17:26:08.000000000 +0100
+@@ -19,6 +19,7 @@ my $code;
+ sub round1_step
+ {
+ my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
++ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
+ $code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1);
+ $code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
+ $code .= <<EOF;
+@@ -43,6 +44,7 @@ EOF
+ sub round2_step
+ {
+ my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
++ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
+ $code .= " mov 1*4(%rsi), %r10d /* (NEXT STEP) X[1] */\n" if ($pos == -1);
+ $code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
+ $code .= " mov %edx, %r12d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
+@@ -69,6 +71,7 @@ EOF
+ sub round3_step
+ {
+ my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
++ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
+ $code .= " mov 5*4(%rsi), %r10d /* (NEXT STEP) X[5] */\n" if ($pos == -1);
+ $code .= " mov %ecx, %r11d /* (NEXT STEP) y' = %ecx */\n" if ($pos == -1);
+ $code .= <<EOF;
+@@ -91,6 +94,7 @@ EOF
+ sub round4_step
+ {
+ my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
++ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
+ $code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1);
+ $code .= " mov \$0xffffffff, %r11d\n" if ($pos == -1);
+ $code .= " xor %edx, %r11d /* (NEXT STEP) not z' = not %edx*/\n"
+diff -up openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl
+--- openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl 2009-11-12 17:24:18.000000000 +0100
+@@ -150,7 +150,7 @@ ___
+ sub BODY_20_39 {
+ my ($i,$a,$b,$c,$d,$e,$f)=@_;
+ my $j=$i+1;
+-my $K=($i<40)?0x6ed9eba1:0xca62c1d6;
++my $K=($i<40)?0x6ed9eba1:-0x359d3e2a;
+ $code.=<<___ if ($i<79);
+ lea $K($xi,$e),$f
+ mov `4*($j%16)`(%rsp),$xi
+@@ -187,7 +187,7 @@ sub BODY_40_59 {
+ my ($i,$a,$b,$c,$d,$e,$f)=@_;
+ my $j=$i+1;
+ $code.=<<___;
+- lea 0x8f1bbcdc($xi,$e),$f
++ lea -0x70e44324($xi,$e),$f
+ mov `4*($j%16)`(%rsp),$xi
+ mov $b,$t0
+ mov $b,$t1
diff --git a/openssl-1.0.0-beta4-ca-dir.patch b/openssl-1.0.0-beta4-ca-dir.patch
new file mode 100644
index 0000000..751cabd
--- /dev/null
+++ b/openssl-1.0.0-beta4-ca-dir.patch
@@ -0,0 +1,36 @@
+diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
+--- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir 2006-04-28 02:30:49.000000000 +0200
++++ openssl-1.0.0-beta4/apps/CA.pl.in 2009-11-12 12:33:13.000000000 +0100
+@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
+ $X509="$openssl x509";
+ $PKCS12="$openssl pkcs12";
+
+-$CATOP="./demoCA";
++$CATOP="/etc/pki/CA";
+ $CAKEY="cakey.pem";
+ $CAREQ="careq.pem";
+ $CACERT="cacert.pem";
+diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
+--- openssl-1.0.0-beta4/apps/CA.sh.ca-dir 2009-10-15 19:27:47.000000000 +0200
++++ openssl-1.0.0-beta4/apps/CA.sh 2009-11-12 12:35:14.000000000 +0100
+@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
+ X509="$OPENSSL x509"
+ PKCS12="openssl pkcs12"
+
+-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
++if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
+ CAKEY=./cakey.pem
+ CAREQ=./careq.pem
+ CACERT=./cacert.pem
+diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
+--- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir 2009-11-12 12:33:13.000000000 +0100
++++ openssl-1.0.0-beta4/apps/openssl.cnf 2009-11-12 12:33:13.000000000 +0100
+@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
+ ####################################################################
+ [ CA_default ]
+
+-dir = ./demoCA # Where everything is kept
++dir = /etc/pki/CA # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
diff --git a/openssl-1.0.0-beta4-client-reneg.patch b/openssl-1.0.0-beta4-client-reneg.patch
new file mode 100644
index 0000000..11b9ab7
--- /dev/null
+++ b/openssl-1.0.0-beta4-client-reneg.patch
@@ -0,0 +1,35 @@
+Do not enforce the renegotiation extension on the client - too many broken servers remain.
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-18 14:04:19.000000000 +0100
+@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+
+ if (data >= (d+n-2))
+ {
++#if 0
+ /* Because the client does not see any renegotiation during an
+ attack, we must enforce this on all server hellos, even the
+ first */
+@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
++#endif
+ return 1;
+ }
+
+@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ return 0;
+ }
+
++#if 0
+ if (!renegotiate_seen
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
++#endif
+
+ if (!s->hit && tlsext_servername == 1)
+ {
diff --git a/openssl-1.0.0-beta3-default-paths.patch b/openssl-1.0.0-beta4-default-paths.patch
similarity index 66%
rename from openssl-1.0.0-beta3-default-paths.patch
rename to openssl-1.0.0-beta4-default-paths.patch
index 4ed02e0..0b48a27 100644
--- a/openssl-1.0.0-beta3-default-paths.patch
+++ b/openssl-1.0.0-beta4-default-paths.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/apps/s_client.c
---- openssl-1.0.0-beta3/apps/s_client.c.default-paths 2009-06-30 18:10:24.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 18:17:52.000000000 +0200
-@@ -888,12 +888,13 @@ bad:
+diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c
+--- openssl-1.0.0-beta4/apps/s_client.c.default-paths 2009-08-12 15:21:26.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 12:26:32.000000000 +0100
+@@ -889,12 +889,13 @@ bad:
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
@@ -19,10 +19,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/a
}
#ifndef OPENSSL_NO_TLSEXT
-diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/apps/s_server.c
---- openssl-1.0.0-beta3/apps/s_server.c.default-paths 2009-06-30 18:10:24.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 18:18:40.000000000 +0200
-@@ -1403,12 +1403,13 @@ bad:
+diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c
+--- openssl-1.0.0-beta4/apps/s_server.c.default-paths 2009-10-28 18:49:37.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 12:31:23.000000000 +0100
+@@ -1408,12 +1408,13 @@ bad:
}
#endif
@@ -40,9 +40,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
}
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
-@@ -1457,8 +1458,11 @@ bad:
-
- SSL_CTX_sess_set_cache_size(ctx2,128);
+@@ -1465,8 +1466,11 @@ bad:
+ else
+ SSL_CTX_sess_set_cache_size(ctx2,128);
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
@@ -54,9 +54,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
{
ERR_print_errors(bio_err);
}
-diff -up openssl-1.0.0-beta3/apps/s_time.c.default-paths openssl-1.0.0-beta3/apps/s_time.c
---- openssl-1.0.0-beta3/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_time.c 2009-08-05 18:00:35.000000000 +0200
+diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c
+--- openssl-1.0.0-beta4/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_time.c 2009-11-12 12:26:32.000000000 +0100
@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
diff --git a/openssl-1.0.0-beta4-dtls1-abi.patch b/openssl-1.0.0-beta4-dtls1-abi.patch
new file mode 100644
index 0000000..a50f55d
--- /dev/null
+++ b/openssl-1.0.0-beta4-dtls1-abi.patch
@@ -0,0 +1,25 @@
+Adding struct member is ABI breaker however as the structure is always allocated by
+the library calls we just move it to the end and it should be reasonably safe.
+diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
+--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi 2009-11-12 14:34:37.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/dtls1.h 2009-11-12 14:47:57.000000000 +0100
+@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
+ */
+ record_pqueue buffered_app_data;
+
+- /* Is set when listening for new connections with dtls1_listen() */
+- unsigned int listen;
+-
+ unsigned int mtu; /* max DTLS packet size */
+
+ struct hm_header_st w_msg_hdr;
+@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
+ unsigned int retransmitting;
+ unsigned int change_cipher_spec_ok;
+
++ /* Is set when listening for new connections with dtls1_listen() */
++ unsigned int listen;
++
+ } DTLS1_STATE;
+
+ typedef struct dtls1_record_data_st
diff --git a/openssl-1.0.0-beta4-enginesdir.patch b/openssl-1.0.0-beta4-enginesdir.patch
new file mode 100644
index 0000000..0a304ce
--- /dev/null
+++ b/openssl-1.0.0-beta4-enginesdir.patch
@@ -0,0 +1,52 @@
+diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
+--- openssl-1.0.0-beta4/Configure.enginesdir 2009-11-12 12:17:59.000000000 +0100
++++ openssl-1.0.0-beta4/Configure 2009-11-12 12:19:45.000000000 +0100
+@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -833,6 +834,10 @@ PROCESS_ARGS:
+ {
+ $openssldir=$1;
+ }
++ elsif (/^--enginesdir=(.*)$/)
++ {
++ $enginesdir=$1;
++ }
+ elsif (/^--install.prefix=(.*)$/)
+ {
+ $install_prefix=$1;
+@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/;
+
+ $openssldir=$prefix . "/ssl" if $openssldir eq "";
+ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+
+ print "IsMK1MF=$IsMK1MF\n";
+
+@@ -1676,7 +1681,7 @@ while (<IN>)
+ # $foo is to become "$prefix/lib$multilib/engines";
+ # as Makefile.org and engines/Makefile are adapted for
+ # $multilib suffix.
+- my $foo = "$prefix/lib/engines";
++ my $foo = "$enginesdir";
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
+diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile
+--- openssl-1.0.0-beta4/engines/Makefile.enginesdir 2009-11-10 02:52:52.000000000 +0100
++++ openssl-1.0.0-beta4/engines/Makefile 2009-11-12 12:23:06.000000000 +0100
+@@ -124,7 +124,7 @@ install:
+ sfx=".so"; \
+ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ fi; \
+- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
diff --git a/openssl-1.0.0-beta3-fips.patch b/openssl-1.0.0-beta4-fips.patch
similarity index 90%
rename from openssl-1.0.0-beta3-fips.patch
rename to openssl-1.0.0-beta4-fips.patch
index d552198..bc81d71 100644
--- a/openssl-1.0.0-beta3-fips.patch
+++ b/openssl-1.0.0-beta4-fips.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure
---- openssl-1.0.0-beta3/Configure.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/Configure 2009-08-11 18:07:30.000000000 +0200
-@@ -654,6 +654,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml
+diff -up openssl-1.0.0-beta4/Configure.fips openssl-1.0.0-beta4/Configure
+--- openssl-1.0.0-beta4/Configure.fips 2009-11-12 12:36:50.000000000 +0100
++++ openssl-1.0.0-beta4/Configure 2009-11-12 12:36:50.000000000 +0100
+@@ -660,6 +660,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml
my $processor="";
my $default_ranlib;
my $perl;
@@ -9,7 +9,7 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure
# All of the following is disabled by default (RC5 was enabled before 0.9.8):
-@@ -797,6 +798,10 @@ PROCESS_ARGS:
+@@ -806,6 +807,10 @@ PROCESS_ARGS:
}
elsif (/^386$/)
{ $processor=386; }
@@ -20,7 +20,7 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure
elsif (/^rsaref$/)
{
# No RSAref support any more since it's not needed.
-@@ -1349,6 +1354,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no
+@@ -1368,6 +1373,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no
$cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
@@ -32,7 +32,7 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure
$cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
$des_obj=$des_enc unless ($des_obj =~ /\.o$/);
$bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
-@@ -1504,6 +1514,10 @@ while (<IN>)
+@@ -1535,6 +1545,10 @@ while (<IN>)
s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
@@ -43,9 +43,9 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
-diff -up openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta3/crypto/bf/bf_skey.c
---- openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/bf/bf_skey.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta4/crypto/bf/bf_skey.c
+--- openssl-1.0.0-beta4/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bf/bf_skey.c 2009-11-12 12:36:50.000000000 +0100
@@ -59,10 +59,15 @@
#include <stdio.h>
#include <string.h>
@@ -63,9 +63,9 @@ diff -up openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta3/crypto
{
int i;
BF_LONG *p,ri,in[2];
-diff -up openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips openssl-1.0.0-beta3/crypto/bf/blowfish.h
---- openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/bf/blowfish.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips openssl-1.0.0-beta4/crypto/bf/blowfish.h
+--- openssl-1.0.0-beta4/crypto/bf/blowfish.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bf/blowfish.h 2009-11-12 12:36:50.000000000 +0100
@@ -104,7 +104,9 @@ typedef struct bf_key_st
BF_LONG S[4*256];
} BF_KEY;
@@ -77,9 +77,9 @@ diff -up openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips openssl-1.0.0-beta3/crypt
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_encrypt(BF_LONG *data,const BF_KEY *key);
-diff -up openssl-1.0.0-beta3/crypto/bn/bn.h.fips openssl-1.0.0-beta3/crypto/bn/bn.h
---- openssl-1.0.0-beta3/crypto/bn/bn.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/bn/bn.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/bn/bn.h.fips openssl-1.0.0-beta4/crypto/bn/bn.h
+--- openssl-1.0.0-beta4/crypto/bn/bn.h.fips 2009-11-12 12:36:50.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bn/bn.h 2009-11-12 12:36:50.000000000 +0100
@@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n
int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
int do_trial_division, BN_GENCB *cb);
@@ -98,9 +98,9 @@ diff -up openssl-1.0.0-beta3/crypto/bn/bn.h.fips openssl-1.0.0-beta3/crypto/bn/b
BN_MONT_CTX *BN_MONT_CTX_new(void );
void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
-diff -up /dev/null openssl-1.0.0-beta3/crypto/bn/bn_x931p.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/bn/bn_x931p.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/bn/bn_x931p.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/bn/bn_x931p.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,272 @@
+/* bn_x931p.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
@@ -374,9 +374,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/bn/bn_x931p.c
+
+ }
+
-diff -up openssl-1.0.0-beta3/crypto/bn/Makefile.fips openssl-1.0.0-beta3/crypto/bn/Makefile
---- openssl-1.0.0-beta3/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/bn/Makefile 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/bn/Makefile.fips openssl-1.0.0-beta4/crypto/bn/Makefile
+--- openssl-1.0.0-beta4/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bn/Makefile 2009-11-12 12:36:50.000000000 +0100
@@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_li
bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
@@ -393,9 +393,9 @@ diff -up openssl-1.0.0-beta3/crypto/bn/Makefile.fips openssl-1.0.0-beta3/crypto/
SRC= $(LIBSRC)
-diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl
---- openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl 2009-08-20 16:54:59.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl
+--- openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/camellia/asm/cmll-x86.pl 2009-11-12 12:36:50.000000000 +0100
@@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0;
}
&function_end("Camellia_Ekeygen");
@@ -422,9 +422,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-
}
@SBOX=(
-diff -up openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips openssl-1.0.0-beta3/crypto/camellia/camellia.h
---- openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips 2009-08-11 18:07:29.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/camellia/camellia.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips openssl-1.0.0-beta4/crypto/camellia/camellia.h
+--- openssl-1.0.0-beta4/crypto/camellia/camellia.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/camellia/camellia.h 2009-11-12 12:36:50.000000000 +0100
@@ -88,6 +88,11 @@ struct camellia_key_st
};
typedef struct camellia_key_st CAMELLIA_KEY;
@@ -437,9 +437,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips openssl-1.0.0-beta3
int Camellia_set_key(const unsigned char *userKey, const int bits,
CAMELLIA_KEY *key);
-diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c
---- openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips 2009-08-20 17:01:56.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c 2009-08-20 17:03:21.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/camellia/cmll_fblk.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,68 @@
+/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
@@ -509,9 +509,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0-beta
+ return private_Camellia_set_key(userKey, bits, key);
+ }
+#endif
-diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c
---- openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c 2009-08-20 17:04:10.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c
+--- openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/camellia/cmll_misc.c 2009-11-12 12:36:50.000000000 +0100
@@ -52,11 +52,20 @@
#include <openssl/opensslv.h>
#include <openssl/camellia.h>
@@ -533,9 +533,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta
{
if(!userKey || !key)
return -1;
-diff -up openssl-1.0.0-beta3/crypto/camellia/Makefile.fips openssl-1.0.0-beta3/crypto/camellia/Makefile
---- openssl-1.0.0-beta3/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/camellia/Makefile 2009-08-20 17:02:56.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/camellia/Makefile.fips openssl-1.0.0-beta4/crypto/camellia/Makefile
+--- openssl-1.0.0-beta4/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/camellia/Makefile 2009-11-12 12:36:50.000000000 +0100
@@ -23,9 +23,9 @@ APPS=
LIB=$(TOP)/libcrypto.a
@@ -548,9 +548,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/Makefile.fips openssl-1.0.0-beta3/c
SRC= $(LIBSRC)
-diff -up openssl-1.0.0-beta3/crypto/cast/cast.h.fips openssl-1.0.0-beta3/crypto/cast/cast.h
---- openssl-1.0.0-beta3/crypto/cast/cast.h.fips 2009-08-11 18:07:29.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/cast/cast.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/cast/cast.h.fips openssl-1.0.0-beta4/crypto/cast/cast.h
+--- openssl-1.0.0-beta4/crypto/cast/cast.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/cast/cast.h 2009-11-12 12:36:50.000000000 +0100
@@ -83,7 +83,9 @@ typedef struct cast_key_st
int short_key; /* Use reduced rounds for short key */
} CAST_KEY;
@@ -562,9 +562,9 @@ diff -up openssl-1.0.0-beta3/crypto/cast/cast.h.fips openssl-1.0.0-beta3/crypto/
void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
int enc);
-diff -up openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips openssl-1.0.0-beta3/crypto/cast/c_skey.c
---- openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/cast/c_skey.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips openssl-1.0.0-beta4/crypto/cast/c_skey.c
+--- openssl-1.0.0-beta4/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/cast/c_skey.c 2009-11-12 12:36:50.000000000 +0100
@@ -57,6 +57,11 @@
*/
@@ -586,9 +586,9 @@ diff -up openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips openssl-1.0.0-beta3/crypt
{
CAST_LONG x[16];
CAST_LONG z[16];
-diff -up openssl-1.0.0-beta3/crypto/crypto.h.fips openssl-1.0.0-beta3/crypto/crypto.h
---- openssl-1.0.0-beta3/crypto/crypto.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/crypto.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/crypto.h.fips openssl-1.0.0-beta4/crypto/crypto.h
+--- openssl-1.0.0-beta4/crypto/crypto.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/crypto.h 2009-11-12 12:36:50.000000000 +0100
@@ -546,12 +546,69 @@ void OpenSSLDie(const char *file,int lin
unsigned long *OPENSSL_ia32cap_loc(void);
#define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
@@ -659,9 +659,9 @@ diff -up openssl-1.0.0-beta3/crypto/crypto.h.fips openssl-1.0.0-beta3/crypto/cry
/* Error codes for the CRYPTO functions. */
/* Function codes. */
-diff -up openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips openssl-1.0.0-beta3/crypto/dh/dh_err.c
---- openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/dh/dh_err.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips openssl-1.0.0-beta4/crypto/dh/dh_err.c
+--- openssl-1.0.0-beta4/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/dh/dh_err.c 2009-11-12 12:36:50.000000000 +0100
@@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]=
{ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"},
{ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"},
@@ -679,9 +679,9 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips openssl-1.0.0-beta3/crypto/
{ERR_REASON(DH_R_KEYS_NOT_SET) ,"keys not set"},
{ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"},
{ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"},
-diff -up openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta3/crypto/dh/dh_gen.c
---- openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/dh/dh_gen.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta4/crypto/dh/dh_gen.c
+--- openssl-1.0.0-beta4/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/dh/dh_gen.c 2009-11-12 12:36:50.000000000 +0100
@@ -65,6 +65,10 @@
#include "cryptlib.h"
#include <openssl/bn.h>
@@ -714,9 +714,9 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta3/crypto/
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
BN_CTX_start(ctx);
-diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/dh.h
---- openssl-1.0.0-beta3/crypto/dh/dh.h.fips 2009-08-11 18:07:29.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/dh/dh.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/dh/dh.h.fips openssl-1.0.0-beta4/crypto/dh/dh.h
+--- openssl-1.0.0-beta4/crypto/dh/dh.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/dh/dh.h 2009-11-12 12:36:50.000000000 +0100
@@ -77,6 +77,8 @@
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
#endif
@@ -726,7 +726,7 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/d
#define DH_FLAG_CACHE_MONT_P 0x01
#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
* implementation now uses constant time
-@@ -240,6 +242,8 @@ void ERR_load_DH_strings(void);
+@@ -241,6 +243,8 @@ void ERR_load_DH_strings(void);
#define DH_F_GENERATE_PARAMETERS 104
#define DH_F_PKEY_DH_DERIVE 112
#define DH_F_PKEY_DH_KEYGEN 113
@@ -735,7 +735,7 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/d
/* Reason codes. */
#define DH_R_BAD_GENERATOR 101
-@@ -252,6 +256,7 @@ void ERR_load_DH_strings(void);
+@@ -253,6 +257,7 @@ void ERR_load_DH_strings(void);
#define DH_R_NO_PARAMETERS_SET 107
#define DH_R_NO_PRIVATE_VALUE 100
#define DH_R_PARAMETER_ENCODING_ERROR 105
@@ -743,9 +743,9 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/d
#ifdef __cplusplus
}
-diff -up openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips openssl-1.0.0-beta3/crypto/dh/dh_key.c
---- openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/dh/dh_key.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips openssl-1.0.0-beta4/crypto/dh/dh_key.c
+--- openssl-1.0.0-beta4/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/dh/dh_key.c 2009-11-12 12:36:50.000000000 +0100
@@ -61,6 +61,9 @@
#include <openssl/bn.h>
#include <openssl/rand.h>
@@ -795,9 +795,9 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips openssl-1.0.0-beta3/crypto/
dh->flags |= DH_FLAG_CACHE_MONT_P;
return(1);
}
-diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c
---- openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c
+--- openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/dsa/dsa_gen.c 2009-11-12 12:36:50.000000000 +0100
@@ -77,8 +77,12 @@
#include "cryptlib.h"
#include <openssl/evp.h>
@@ -833,9 +833,9 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta3/crypt
if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
qsize != SHA256_DIGEST_LENGTH)
/* invalid q size */
-diff -up openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips openssl-1.0.0-beta3/crypto/dsa/dsa.h
---- openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/dsa/dsa.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips openssl-1.0.0-beta4/crypto/dsa/dsa.h
+--- openssl-1.0.0-beta4/crypto/dsa/dsa.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/dsa/dsa.h 2009-11-12 12:36:50.000000000 +0100
@@ -88,6 +88,8 @@
# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
#endif
@@ -892,18 +892,16 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips openssl-1.0.0-beta3/crypto/ds
#define DSA_R_PARAMETER_ENCODING_ERROR 105
#ifdef __cplusplus
-diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_key.c
---- openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/dsa/dsa_key.c 2009-08-11 18:09:42.000000000 +0200
-@@ -65,9 +65,42 @@
+diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_key.c
+--- openssl-1.0.0-beta4/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/dsa/dsa_key.c 2009-11-12 12:36:50.000000000 +0100
+@@ -63,9 +63,53 @@
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include "fips_locl.h"
static int dsa_builtin_keygen(DSA *dsa);
@@ -919,26 +917,39 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt
+
+int fips_check_dsa(DSA *dsa)
+ {
-+ EVP_PKEY pk;
++ EVP_PKEY *pk;
+ unsigned char tbs[] = "DSA Pairwise Check Data";
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
++ int ret = 0;
+
-+ if (!fips_pkey_signature_test(&pk, tbs, -1,
-+ NULL, 0, EVP_dss1(), 0, NULL))
++ if ((pk=EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_DSA(pk, dsa);
++
++ if (!fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(), 0, NULL))
++ goto err;
++
++ ret = 1;
++
++err:
++ if (ret == 0)
+ {
-+ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
+ fips_set_selftest_fail();
-+ return 0;
++ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
+ }
-+ return 1;
++
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
+ }
+#endif
+
int DSA_generate_key(DSA *dsa)
{
if(dsa->meth->dsa_keygen)
-@@ -79,6 +110,14 @@ static int dsa_builtin_keygen(DSA *dsa)
+@@ -79,6 +123,14 @@ static int dsa_builtin_keygen(DSA *dsa)
BN_CTX *ctx=NULL;
BIGNUM *pub_key=NULL,*priv_key=NULL;
@@ -953,7 +964,7 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt
if ((ctx=BN_CTX_new()) == NULL) goto err;
if (dsa->priv_key == NULL)
-@@ -117,6 +156,15 @@ static int dsa_builtin_keygen(DSA *dsa)
+@@ -117,6 +169,15 @@ static int dsa_builtin_keygen(DSA *dsa)
dsa->priv_key=priv_key;
dsa->pub_key=pub_key;
@@ -969,9 +980,9 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt
ok=1;
err:
-diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c
---- openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c
+--- openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/dsa/dsa_ossl.c 2009-11-12 12:36:50.000000000 +0100
@@ -65,6 +65,9 @@
#include <openssl/dsa.h>
#include <openssl/rand.h>
@@ -1043,9 +1054,9 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta3/cryp
dsa->flags|=DSA_FLAG_CACHE_MONT_P;
return(1);
}
-diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypto/err/err_all.c
---- openssl-1.0.0-beta3/crypto/err/err_all.c.fips 2008-11-24 18:27:06.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/err/err_all.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/err/err_all.c.fips openssl-1.0.0-beta4/crypto/err/err_all.c
+--- openssl-1.0.0-beta4/crypto/err/err_all.c.fips 2009-08-09 16:58:05.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/err/err_all.c 2009-11-12 12:36:50.000000000 +0100
@@ -96,6 +96,9 @@
#include <openssl/ocsp.h>
#include <openssl/err.h>
@@ -1056,7 +1067,7 @@ diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypt
#ifndef OPENSSL_NO_CMS
#include <openssl/cms.h>
#endif
-@@ -148,6 +151,9 @@ void ERR_load_crypto_strings(void)
+@@ -149,6 +152,9 @@ void ERR_load_crypto_strings(void)
#endif
ERR_load_OCSP_strings();
ERR_load_UI_strings();
@@ -1066,9 +1077,9 @@ diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypt
#ifndef OPENSSL_NO_CMS
ERR_load_CMS_strings();
#endif
-diff -up openssl-1.0.0-beta3/crypto/evp/digest.c.fips openssl-1.0.0-beta3/crypto/evp/digest.c
---- openssl-1.0.0-beta3/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/evp/digest.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/digest.c.fips openssl-1.0.0-beta4/crypto/evp/digest.c
+--- openssl-1.0.0-beta4/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/digest.c 2009-11-12 12:36:50.000000000 +0100
@@ -116,6 +116,7 @@
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
@@ -1167,9 +1178,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/digest.c.fips openssl-1.0.0-beta3/crypto
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
ret=ctx->digest->final(ctx,md);
-diff -up openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips openssl-1.0.0-beta3/crypto/evp/e_aes.c
---- openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/evp/e_aes.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips openssl-1.0.0-beta4/crypto/evp/e_aes.c
+--- openssl-1.0.0-beta4/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/e_aes.c 2009-11-12 12:36:50.000000000 +0100
@@ -69,32 +69,29 @@ typedef struct
IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
@@ -1222,9 +1233,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips openssl-1.0.0-beta3/crypto/
static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
-diff -up openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta3/crypto/evp/e_camellia.c
---- openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/e_camellia.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta4/crypto/evp/e_camellia.c
+--- openssl-1.0.0-beta4/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/e_camellia.c 2009-11-12 12:36:50.000000000 +0100
@@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks,
EVP_CIPHER_get_asn1_iv,
NULL)
@@ -1234,9 +1245,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta3/cr
IMPLEMENT_CAMELLIA_CFBR(128,1)
IMPLEMENT_CAMELLIA_CFBR(192,1)
-diff -up openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips openssl-1.0.0-beta3/crypto/evp/e_des3.c
---- openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/evp/e_des3.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips openssl-1.0.0-beta4/crypto/evp/e_des3.c
+--- openssl-1.0.0-beta4/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/e_des3.c 2009-11-12 12:36:50.000000000 +0100
@@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH
}
@@ -1281,9 +1292,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips openssl-1.0.0-beta3/crypto
des3_ctrl)
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-diff -up openssl-1.0.0-beta3/crypto/evp/e_null.c.fips openssl-1.0.0-beta3/crypto/evp/e_null.c
---- openssl-1.0.0-beta3/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/evp/e_null.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/e_null.c.fips openssl-1.0.0-beta4/crypto/evp/e_null.c
+--- openssl-1.0.0-beta4/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/e_null.c 2009-11-12 12:36:50.000000000 +0100
@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher=
{
NID_undef,
@@ -1293,9 +1304,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_null.c.fips openssl-1.0.0-beta3/crypto
null_init_key,
null_cipher,
NULL,
-diff -up openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta3/crypto/evp/evp_enc.c
---- openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/evp/evp_enc.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta4/crypto/evp/evp_enc.c
+--- openssl-1.0.0-beta4/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/evp_enc.c 2009-11-12 12:36:50.000000000 +0100
@@ -68,8 +68,53 @@
const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
@@ -1388,9 +1399,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta3/crypt
if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
}
-diff -up openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips openssl-1.0.0-beta3/crypto/evp/evp_err.c
---- openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/evp/evp_err.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips openssl-1.0.0-beta4/crypto/evp/evp_err.c
+--- openssl-1.0.0-beta4/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/evp_err.c 2009-11-12 12:36:50.000000000 +0100
@@ -154,6 +154,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
{ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"},
{ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"},
@@ -1399,9 +1410,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips openssl-1.0.0-beta3/crypt
{ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"},
{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"},
-diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/evp/evp.h
---- openssl-1.0.0-beta3/crypto/evp/evp.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/evp.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/evp.h.fips openssl-1.0.0-beta4/crypto/evp/evp.h
+--- openssl-1.0.0-beta4/crypto/evp/evp.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/evp.h 2009-11-12 12:36:50.000000000 +0100
@@ -75,6 +75,10 @@
#include <openssl/bio.h>
#endif
@@ -1433,7 +1444,18 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev
#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
* in FIPS mode */
-@@ -330,6 +332,14 @@ struct evp_cipher_st
+@@ -284,6 +286,10 @@ struct env_md_ctx_st
+ #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */
+ #define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */
+ #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */
++#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
++ ((ctx->flags>>16) &0xFFFF) /* seed length */
++#define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF /* salt len same as digest */
++#define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE /* salt max or auto recovered */
+
+ #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */
+
+@@ -330,6 +336,14 @@ struct evp_cipher_st
#define EVP_CIPH_NO_PADDING 0x100
/* cipher handles random key generation */
#define EVP_CIPH_RAND_KEY 0x200
@@ -1448,7 +1470,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev
/* ctrl() values */
-@@ -507,6 +517,10 @@ int EVP_BytesToKey(const EVP_CIPHER *typ
+@@ -507,6 +521,10 @@ int EVP_BytesToKey(const EVP_CIPHER *typ
const unsigned char *salt, const unsigned char *data,
int datal, int count, unsigned char *key,unsigned char *iv);
@@ -1459,7 +1481,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev
int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv);
int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
-@@ -1225,6 +1239,7 @@ void ERR_load_EVP_strings(void);
+@@ -1225,6 +1243,7 @@ void ERR_load_EVP_strings(void);
#define EVP_R_DECODE_ERROR 114
#define EVP_R_DIFFERENT_KEY_TYPES 101
#define EVP_R_DIFFERENT_PARAMETERS 153
@@ -1467,9 +1489,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev
#define EVP_R_ENCODE_ERROR 115
#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
#define EVP_R_EXPECTING_AN_RSA_KEY 127
-diff -up openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta3/crypto/evp/evp_lib.c
---- openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/evp_lib.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta4/crypto/evp/evp_lib.c
+--- openssl-1.0.0-beta4/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/evp_lib.c 2009-11-12 12:36:50.000000000 +0100
@@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_
if (c->cipher->set_asn1_parameters != NULL)
@@ -1517,9 +1539,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta3/crypt
+ {
+ return (ctx->flags & flags);
+ }
-diff -up openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta3/crypto/evp/evp_locl.h
---- openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/evp_locl.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta4/crypto/evp/evp_locl.h
+--- openssl-1.0.0-beta4/crypto/evp/evp_locl.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/evp_locl.h 2009-11-12 12:36:50.000000000 +0100
@@ -111,11 +111,11 @@ static int cname##_cbc_cipher(EVP_CIPHER
static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
{\
@@ -1569,33 +1591,33 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta3/cryp
struct evp_pkey_ctx_st
{
-diff -up openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss1.c
---- openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/m_dss1.c 2009-08-11 18:07:30.000000000 +0200
-@@ -82,7 +82,7 @@ static const EVP_MD dss1_md=
- NID_dsa,
- NID_dsaWithSHA1,
+diff -up openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss.c
+--- openssl-1.0.0-beta4/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/m_dss.c 2009-11-12 12:36:50.000000000 +0100
+@@ -81,7 +81,7 @@ static const EVP_MD dsa_md=
+ NID_dsaWithSHA,
+ NID_dsaWithSHA,
SHA_DIGEST_LENGTH,
- EVP_MD_FLAG_PKEY_DIGEST,
+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
init,
update,
final,
-diff -up openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss.c
---- openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/m_dss.c 2009-08-11 18:07:30.000000000 +0200
-@@ -81,7 +81,7 @@ static const EVP_MD dsa_md=
- NID_dsaWithSHA,
- NID_dsaWithSHA,
+diff -up openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta4/crypto/evp/m_dss1.c
+--- openssl-1.0.0-beta4/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/m_dss1.c 2009-11-12 12:36:50.000000000 +0100
+@@ -82,7 +82,7 @@ static const EVP_MD dss1_md=
+ NID_dsa,
+ NID_dsaWithSHA1,
SHA_DIGEST_LENGTH,
- EVP_MD_FLAG_PKEY_DIGEST,
+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
init,
update,
final,
-diff -up openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta3/crypto/evp/m_sha1.c
---- openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/evp/m_sha1.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta4/crypto/evp/m_sha1.c
+--- openssl-1.0.0-beta4/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/m_sha1.c 2009-11-12 12:36:50.000000000 +0100
@@ -82,7 +82,8 @@ static const EVP_MD sha1_md=
NID_sha1,
NID_sha1WithRSAEncryption,
@@ -1646,9 +1668,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta3/crypto
init512,
update512,
final512,
-diff -up openssl-1.0.0-beta3/crypto/evp/names.c.fips openssl-1.0.0-beta3/crypto/evp/names.c
---- openssl-1.0.0-beta3/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/names.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/names.c.fips openssl-1.0.0-beta4/crypto/evp/names.c
+--- openssl-1.0.0-beta4/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/names.c 2009-11-12 12:36:50.000000000 +0100
@@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c)
{
int r;
@@ -1671,9 +1693,77 @@ diff -up openssl-1.0.0-beta3/crypto/evp/names.c.fips openssl-1.0.0-beta3/crypto/
name=OBJ_nid2sn(md->type);
r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md);
if (r == 0) return(0);
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips openssl-1.0.0-beta4/crypto/evp/p_sign.c
+--- openssl-1.0.0-beta4/crypto/evp/p_sign.c.fips 2006-05-24 15:29:30.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/p_sign.c 2009-11-12 12:36:50.000000000 +0100
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ #ifdef undef
+ void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
++ {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
+ goto err;
+ *siglen = sltmp;
+diff -up openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips openssl-1.0.0-beta4/crypto/evp/p_verify.c
+--- openssl-1.0.0-beta4/crypto/evp/p_verify.c.fips 2008-11-12 04:58:01.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/evp/p_verify.c 2009-11-12 12:36:50.000000000 +0100
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
+ unsigned int siglen, EVP_PKEY *pkey)
+@@ -86,6 +87,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
++ {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
+ err:
+ EVP_PKEY_CTX_free(pkctx);
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_aesavs.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,939 @@
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
@@ -2614,9 +2704,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_desmovs.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,702 @@
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
@@ -3320,9 +3410,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_dssvs.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,537 @@
+#include <openssl/opensslconf.h>
+
@@ -3861,9 +3951,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rngvs.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,230 @@
+/*
+ * Crude test driver for processing the VST and MCT testvector files
@@ -4095,9 +4185,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c
+ return 0;
+ }
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsagtest.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,390 @@
+/* fips_rsagtest.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
@@ -4489,9 +4579,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsastest.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,370 @@
+/* fips_rsastest.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
@@ -4863,9 +4953,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c
+ return ret;
+ }
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_rsavtest.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,377 @@
+/* fips_rsavtest.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
@@ -5244,9 +5334,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c
+ return ret;
+ }
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_shatest.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,388 @@
+/* fips_shatest.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
@@ -5636,9 +5726,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/cavs/fips_utl.h 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,343 @@
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
@@ -5983,9 +6073,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h
+#endif
+ }
+
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips_err.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips_err.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,7 @@
+#include <openssl/opensslconf.h>
+
@@ -5994,9 +6084,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.c
+#else
+static void *dummy=&dummy;
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.h
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips_err.h 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_err.h
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips_err.h 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,137 @@
+/* crypto/fips_err.h */
+/* ====================================================================
@@ -6135,10 +6225,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.h
+ }
+#endif
+ }
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c 2009-08-11 18:07:30.000000000 +0200
-@@ -0,0 +1,103 @@
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_aes_selftest.c 2009-11-12 12:36:50.000000000 +0100
+@@ -0,0 +1,101 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
@@ -6190,9 +6280,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c
+
+#include <string.h>
+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include <openssl/evp.h>
+
+#ifdef OPENSSL_FIPS
@@ -6242,9 +6330,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c
+ return ret;
+ }
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,419 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -6665,10 +6753,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.c
+
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c 2009-08-11 18:07:30.000000000 +0200
-@@ -0,0 +1,139 @@
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_des_selftest.c 2009-11-12 12:36:50.000000000 +0100
+@@ -0,0 +1,137 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
@@ -6720,9 +6808,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c
+
+#include <string.h>
+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include <openssl/evp.h>
+#include <openssl/opensslconf.h>
+
@@ -6808,10 +6894,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c
+ return ret;
+ }
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c 2009-08-11 18:07:30.000000000 +0200
-@@ -0,0 +1,182 @@
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_dsa_selftest.c 2009-11-12 12:36:50.000000000 +0100
+@@ -0,0 +1,184 @@
+/* crypto/dsa/dsatest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
+ * All rights reserved.
@@ -6873,9 +6959,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/dsa.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
@@ -6931,13 +7015,13 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c
+
+int FIPS_selftest_dsa()
+ {
-+ DSA *dsa=NULL;
++ DSA *dsa;
+ int counter,i,j, ret = 0;
+ unsigned int slen;
+ unsigned char buf[256];
+ unsigned long h;
+ EVP_MD_CTX mctx;
-+ EVP_PKEY pk;
++ EVP_PKEY *pk = NULL;
+
+ EVP_MD_CTX_init(&mctx);
+
@@ -6966,37 +7050,41 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c
+ if (i != j || memcmp(buf,out_g,i) != 0)
+ goto err;
+ DSA_generate_key(dsa);
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
++
++ if ((pk=EVP_PKEY_new()) == NULL)
++ goto err;
++ EVP_PKEY_assign_DSA(pk, dsa);
+
+ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
+ goto err;
+ if (!EVP_SignUpdate(&mctx, str1, 20))
+ goto err;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ if (!EVP_SignFinal(&mctx, buf, &slen, pk))
+ goto err;
+
+ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
+ goto err;
+ if (!EVP_VerifyUpdate(&mctx, str1, 20))
+ goto err;
-+ if (EVP_VerifyFinal(&mctx, buf, slen, &pk) != 1)
++ if (EVP_VerifyFinal(&mctx, buf, slen, pk) != 1)
+ goto err;
+
+ ret = 1;
+
+ err:
+ EVP_MD_CTX_cleanup(&mctx);
-+ if (dsa)
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (dsa)
+ DSA_free(dsa);
+ if (ret == 0)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_DSA,FIPS_R_SELFTEST_FAILED);
+ return ret;
+ }
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.h
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips.h 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips.h
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips.h 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,163 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -7161,10 +7249,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.h
+}
+#endif
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c 2009-08-11 18:07:30.000000000 +0200
-@@ -0,0 +1,137 @@
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_hmac_selftest.c 2009-11-12 12:36:50.000000000 +0100
+@@ -0,0 +1,135 @@
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
+ *
@@ -7216,9 +7304,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c
+
+#include <string.h>
+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include <openssl/hmac.h>
+
+#ifdef OPENSSL_FIPS
@@ -7302,10 +7388,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c
+ return 1;
+ }
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:07:30.000000000 +0200
-@@ -0,0 +1,412 @@
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.c 2009-11-12 12:36:50.000000000 +0100
+@@ -0,0 +1,410 @@
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
+ *
@@ -7384,9 +7470,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c
+# endif
+#endif
+#include <string.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
@@ -7718,9 +7802,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c
+}
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.h
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.h 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand.h
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_rand.h 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,77 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -7799,10 +7883,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.h
+#endif
+#endif
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c 2009-08-11 18:07:30.000000000 +0200
-@@ -0,0 +1,373 @@
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_rand_selftest.c 2009-11-12 12:36:50.000000000 +0100
+@@ -0,0 +1,371 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
@@ -7854,9 +7938,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c
+
+#include <string.h>
+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include <openssl/rand.h>
+#include <openssl/fips_rand.h>
+
@@ -8176,9 +8258,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_randtest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_randtest.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_randtest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_randtest.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,248 @@
+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
+ * All rights reserved.
@@ -8428,10 +8510,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_randtest.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c 2009-08-11 18:07:30.000000000 +0200
-@@ -0,0 +1,434 @@
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_selftest.c 2009-11-12 12:36:50.000000000 +0100
+@@ -0,0 +1,439 @@
+/* ====================================================================
+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
+ *
@@ -8483,9 +8565,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c
+
+#include <string.h>
+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
@@ -8775,83 +8855,87 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c
+int FIPS_selftest_rsa()
+ {
+ int ret = 0;
-+ RSA *key = NULL;
-+ EVP_PKEY pk;
-+ key=RSA_new();
++ RSA *key;
++ EVP_PKEY *pk = NULL;
++
++ if ((key=RSA_new()) == NULL)
++ goto err;
+ setrsakey(key);
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = key;
++ if ((pk=EVP_PKEY_new()) == NULL)
++ goto err;
+
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ EVP_PKEY_assign_RSA(pk, key);
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA1 PKCS#1"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA224 PKCS#1"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA256 PKCS#1"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA384 PKCS#1"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA512 PKCS#1"))
+ goto err;
+
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
+ "RSA SHA1 PSS"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224),
+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS,
+ "RSA SHA224 PSS"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256),
+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS,
+ "RSA SHA256 PSS"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384),
+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS,
+ "RSA SHA384 PSS"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512),
+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS,
+ "RSA SHA512 PSS"))
+ goto err;
+
+
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
+ "RSA SHA1 X931"))
+ goto err;
+ /* NB: SHA224 not supported in X9.31 */
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
+ "RSA SHA256 X931"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
+ "RSA SHA384 X931"))
+ goto err;
-+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1,
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
+ "RSA SHA512 X931"))
@@ -8861,14 +8945,17 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c
+ ret = 1;
+
+ err:
-+ RSA_free(key);
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (key)
++ RSA_free(key);
+ return ret;
+ }
+
+#endif /* def OPENSSL_FIPS */
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_rsa_x931g.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,281 @@
+/* crypto/rsa/rsa_gen.c */
+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
@@ -9151,10 +9238,10 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c
+ return 0;
+
+ }
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c 2009-08-11 18:07:30.000000000 +0200
-@@ -0,0 +1,99 @@
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_sha1_selftest.c 2009-11-12 12:36:50.000000000 +0100
+@@ -0,0 +1,97 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
@@ -9206,9 +9293,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c
+
+#include <string.h>
+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+
@@ -9254,9 +9339,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_standalone_sha1.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,173 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -9431,9 +9516,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
+ }
+
+
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/fips_test_suite.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,588 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -10023,9 +10108,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c
+ }
+
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_locl.h
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips_locl.h 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips_locl.h
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips_locl.h 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,72 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -10099,9 +10184,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_locl.h
+}
+#endif
+#endif
-diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/Makefile
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/fips/Makefile
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/fips/Makefile 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,81 @@
+#
+# OpenSSL/crypto/fips/Makefile
@@ -10184,9 +10269,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/Makefile
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
-diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips openssl-1.0.0-beta3/crypto/hmac/hmac.c
---- openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/hmac/hmac.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips openssl-1.0.0-beta4/crypto/hmac/hmac.c
+--- openssl-1.0.0-beta4/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/hmac/hmac.c 2009-11-12 12:36:50.000000000 +0100
@@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
if (key != NULL)
@@ -10212,9 +10297,9 @@ diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips openssl-1.0.0-beta3/crypto/
+ EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+ }
+
-diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips openssl-1.0.0-beta3/crypto/hmac/hmac.h
---- openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/hmac/hmac.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips openssl-1.0.0-beta4/crypto/hmac/hmac.h
+--- openssl-1.0.0-beta4/crypto/hmac/hmac.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/hmac/hmac.h 2009-11-12 12:36:50.000000000 +0100
@@ -101,6 +101,7 @@ unsigned char *HMAC(const EVP_MD *evp_md
unsigned int *md_len);
int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx);
@@ -10223,9 +10308,9 @@ diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips openssl-1.0.0-beta3/crypto/
#ifdef __cplusplus
}
-diff -up openssl-1.0.0-beta3/crypto/Makefile.fips openssl-1.0.0-beta3/crypto/Makefile
---- openssl-1.0.0-beta3/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/Makefile 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/Makefile.fips openssl-1.0.0-beta4/crypto/Makefile
+--- openssl-1.0.0-beta4/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/Makefile 2009-11-12 12:36:50.000000000 +0100
@@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i
LIB= $(TOP)/libcrypto.a
@@ -10244,9 +10329,47 @@ diff -up openssl-1.0.0-beta3/crypto/Makefile.fips openssl-1.0.0-beta3/crypto/Mak
ALL= $(GENERAL) $(SRC) $(HEADER)
-diff -up openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta3/crypto/md2/md2_dgst.c
---- openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/md2/md2_dgst.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c
+--- openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/mdc2/mdc2dgst.c 2009-11-12 12:36:50.000000000 +0100
+@@ -61,6 +61,11 @@
+ #include <string.h>
+ #include <openssl/des.h>
+ #include <openssl/mdc2.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+ #undef c2l
+ #define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \
+@@ -75,7 +80,7 @@
+ *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+ static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
+-int MDC2_Init(MDC2_CTX *c)
++FIPS_NON_FIPS_MD_Init(MDC2)
+ {
+ c->num=0;
+ c->pad_type=1;
+diff -up openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta4/crypto/mdc2/mdc2.h
+--- openssl-1.0.0-beta4/crypto/mdc2/mdc2.h.fips 2009-11-12 12:36:50.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/mdc2/mdc2.h 2009-11-12 12:36:50.000000000 +0100
+@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
+ int pad_type; /* either 1 or 2, default 1 */
+ } MDC2_CTX;
+
+-
++#ifdef OPENSSL_FIPS
++int private_MDC2_Init(MDC2_CTX *c);
++#endif
+ int MDC2_Init(MDC2_CTX *c);
+ int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
+ int MDC2_Final(unsigned char *md, MDC2_CTX *c);
+diff -up openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta4/crypto/md2/md2_dgst.c
+--- openssl-1.0.0-beta4/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/md2/md2_dgst.c 2009-11-12 12:36:50.000000000 +0100
@@ -62,6 +62,11 @@
#include <openssl/md2.h>
#include <openssl/opensslv.h>
@@ -10268,9 +10391,9 @@ diff -up openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta3/cryp
{
c->num=0;
memset(c->state,0,sizeof c->state);
-diff -up openssl-1.0.0-beta3/crypto/md2/md2.h.fips openssl-1.0.0-beta3/crypto/md2/md2.h
---- openssl-1.0.0-beta3/crypto/md2/md2.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/md2/md2.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/md2/md2.h.fips openssl-1.0.0-beta4/crypto/md2/md2.h
+--- openssl-1.0.0-beta4/crypto/md2/md2.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/md2/md2.h 2009-11-12 12:36:50.000000000 +0100
@@ -81,6 +81,9 @@ typedef struct MD2state_st
} MD2_CTX;
@@ -10281,9 +10404,9 @@ diff -up openssl-1.0.0-beta3/crypto/md2/md2.h.fips openssl-1.0.0-beta3/crypto/md
int MD2_Init(MD2_CTX *c);
int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
int MD2_Final(unsigned char *md, MD2_CTX *c);
-diff -up openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta3/crypto/md4/md4_dgst.c
---- openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/md4/md4_dgst.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta4/crypto/md4/md4_dgst.c
+--- openssl-1.0.0-beta4/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/md4/md4_dgst.c 2009-11-12 12:36:50.000000000 +0100
@@ -59,6 +59,11 @@
#include <stdio.h>
#include "md4_locl.h"
@@ -10305,9 +10428,9 @@ diff -up openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta3/cryp
{
memset (c,0,sizeof(*c));
c->A=INIT_DATA_A;
-diff -up openssl-1.0.0-beta3/crypto/md4/md4.h.fips openssl-1.0.0-beta3/crypto/md4/md4.h
---- openssl-1.0.0-beta3/crypto/md4/md4.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/md4/md4.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/md4/md4.h.fips openssl-1.0.0-beta4/crypto/md4/md4.h
+--- openssl-1.0.0-beta4/crypto/md4/md4.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/md4/md4.h 2009-11-12 12:36:50.000000000 +0100
@@ -105,6 +105,9 @@ typedef struct MD4state_st
unsigned int num;
} MD4_CTX;
@@ -10318,9 +10441,9 @@ diff -up openssl-1.0.0-beta3/crypto/md4/md4.h.fips openssl-1.0.0-beta3/crypto/md
int MD4_Init(MD4_CTX *c);
int MD4_Update(MD4_CTX *c, const void *data, size_t len);
int MD4_Final(unsigned char *md, MD4_CTX *c);
-diff -up openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta3/crypto/md5/md5_dgst.c
---- openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/md5/md5_dgst.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta4/crypto/md5/md5_dgst.c
+--- openssl-1.0.0-beta4/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/md5/md5_dgst.c 2009-11-12 12:36:50.000000000 +0100
@@ -59,6 +59,11 @@
#include <stdio.h>
#include "md5_locl.h"
@@ -10342,9 +10465,9 @@ diff -up openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta3/cryp
{
memset (c,0,sizeof(*c));
c->A=INIT_DATA_A;
-diff -up openssl-1.0.0-beta3/crypto/md5/md5.h.fips openssl-1.0.0-beta3/crypto/md5/md5.h
---- openssl-1.0.0-beta3/crypto/md5/md5.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/md5/md5.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/md5/md5.h.fips openssl-1.0.0-beta4/crypto/md5/md5.h
+--- openssl-1.0.0-beta4/crypto/md5/md5.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/md5/md5.h 2009-11-12 12:36:50.000000000 +0100
@@ -105,6 +105,9 @@ typedef struct MD5state_st
unsigned int num;
} MD5_CTX;
@@ -10355,47 +10478,9 @@ diff -up openssl-1.0.0-beta3/crypto/md5/md5.h.fips openssl-1.0.0-beta3/crypto/md
int MD5_Init(MD5_CTX *c);
int MD5_Update(MD5_CTX *c, const void *data, size_t len);
int MD5_Final(unsigned char *md, MD5_CTX *c);
-diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c
---- openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c 2009-08-11 18:07:30.000000000 +0200
-@@ -61,6 +61,11 @@
- #include <string.h>
- #include <openssl/des.h>
- #include <openssl/mdc2.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-
- #undef c2l
- #define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \
-@@ -75,7 +80,7 @@
- *((c)++)=(unsigned char)(((l)>>24L)&0xff))
-
- static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
--int MDC2_Init(MDC2_CTX *c)
-+FIPS_NON_FIPS_MD_Init(MDC2)
- {
- c->num=0;
- c->pad_type=1;
-diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2.h
---- openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/mdc2/mdc2.h 2009-08-11 18:07:30.000000000 +0200
-@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
- int pad_type; /* either 1 or 2, default 1 */
- } MDC2_CTX;
-
--
-+#ifdef OPENSSL_FIPS
-+int private_MDC2_Init(MDC2_CTX *c);
-+#endif
- int MDC2_Init(MDC2_CTX *c);
- int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
- int MDC2_Final(unsigned char *md, MDC2_CTX *c);
-diff -up openssl-1.0.0-beta3/crypto/mem.c.fips openssl-1.0.0-beta3/crypto/mem.c
---- openssl-1.0.0-beta3/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/mem.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/mem.c.fips openssl-1.0.0-beta4/crypto/mem.c
+--- openssl-1.0.0-beta4/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/mem.c 2009-11-12 12:36:50.000000000 +0100
@@ -101,7 +101,7 @@ static void (*free_locked_func)(void *)
/* may be changed as long as 'allow_customize_debug' is set */
@@ -10405,9 +10490,9 @@ diff -up openssl-1.0.0-beta3/crypto/mem.c.fips openssl-1.0.0-beta3/crypto/mem.c
/* use default functions from mem_dbg.c */
static void (*malloc_debug_func)(void *,int,const char *,int,int)
= CRYPTO_dbg_malloc;
-diff -up /dev/null openssl-1.0.0-beta3/crypto/o_init.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/o_init.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/o_init.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/o_init.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,80 @@
+/* o_init.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
@@ -10489,9 +10574,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/o_init.c
+ }
+
+
-diff -up openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips openssl-1.0.0-beta3/crypto/opensslconf.h.in
---- openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/opensslconf.h.in 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips openssl-1.0.0-beta4/crypto/opensslconf.h.in
+--- openssl-1.0.0-beta4/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/opensslconf.h.in 2009-11-12 12:36:50.000000000 +0100
@@ -1,5 +1,20 @@
/* crypto/opensslconf.h.in */
@@ -10513,9 +10598,9 @@ diff -up openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips openssl-1.0.0-beta3/cr
/* Generate 80386 code? */
#undef I386_ONLY
-diff -up openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c
---- openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c
+--- openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/pkcs12/p12_crt.c 2009-11-12 12:36:50.000000000 +0100
@@ -59,6 +59,10 @@
#include <stdio.h>
#include "cryptlib.h"
@@ -10542,9 +10627,9 @@ diff -up openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta3/cr
if (!nid_key)
nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
if (!iter)
-diff -up openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips openssl-1.0.0-beta3/crypto/rand/md_rand.c
---- openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/rand/md_rand.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips openssl-1.0.0-beta4/crypto/rand/md_rand.c
+--- openssl-1.0.0-beta4/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rand/md_rand.c 2009-11-12 12:36:50.000000000 +0100
@@ -126,6 +126,10 @@
#include <openssl/crypto.h>
@@ -10571,9 +10656,9 @@ diff -up openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips openssl-1.0.0-beta3/cryp
#ifdef PREDICT
if (rand_predictable)
{
-diff -up openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips openssl-1.0.0-beta3/crypto/rand/rand_err.c
---- openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/rand/rand_err.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips openssl-1.0.0-beta4/crypto/rand/rand_err.c
+--- openssl-1.0.0-beta4/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rand/rand_err.c 2009-11-12 12:36:50.000000000 +0100
@@ -70,6 +70,13 @@
static ERR_STRING_DATA RAND_str_functs[]=
@@ -10606,9 +10691,9 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips openssl-1.0.0-beta3/cry
{0,NULL}
};
-diff -up openssl-1.0.0-beta3/crypto/rand/rand.h.fips openssl-1.0.0-beta3/crypto/rand/rand.h
---- openssl-1.0.0-beta3/crypto/rand/rand.h.fips 2009-08-11 18:07:29.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rand/rand.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rand/rand.h.fips openssl-1.0.0-beta4/crypto/rand/rand.h
+--- openssl-1.0.0-beta4/crypto/rand/rand.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rand/rand.h 2009-11-12 12:36:50.000000000 +0100
@@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void);
/* Error codes for the RAND functions. */
@@ -10638,9 +10723,9 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand.h.fips openssl-1.0.0-beta3/crypto/
#ifdef __cplusplus
}
-diff -up openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta3/crypto/rand/rand_lib.c
---- openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/rand/rand_lib.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta4/crypto/rand/rand_lib.c
+--- openssl-1.0.0-beta4/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rand/rand_lib.c 2009-11-12 12:36:50.000000000 +0100
@@ -60,6 +60,12 @@
#include <time.h>
#include "cryptlib.h"
@@ -10674,9 +10759,9 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta3/cry
return default_RAND_meth;
}
-diff -up openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips openssl-1.0.0-beta3/crypto/rc2/rc2.h
---- openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rc2/rc2.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips openssl-1.0.0-beta4/crypto/rc2/rc2.h
+--- openssl-1.0.0-beta4/crypto/rc2/rc2.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rc2/rc2.h 2009-11-12 12:36:50.000000000 +0100
@@ -79,7 +79,9 @@ typedef struct rc2_key_st
RC2_INT data[64];
} RC2_KEY;
@@ -10688,9 +10773,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips openssl-1.0.0-beta3/crypto/rc
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
int enc);
-diff -up openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c
---- openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c
+--- openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/rc2/rc2_skey.c 2009-11-12 12:36:50.000000000 +0100
@@ -57,6 +57,11 @@
*/
@@ -10724,9 +10809,31 @@ diff -up openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta3/cryp
int i,j;
unsigned char *k;
RC2_INT *ki;
-diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl
---- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl
+--- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-s390x.pl 2009-11-12 12:36:50.000000000 +0100
+@@ -202,4 +202,6 @@ RC4_options:
+ .string "rc4(8x,char)"
+ ___
+
++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
++
+ print $code;
+diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl
+--- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-x86_64.pl 2009-11-12 12:36:50.000000000 +0100
+@@ -499,6 +499,8 @@ ___
+
+ $code =~ s/#([bwd])/$1/gm;
+
++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
++
+ print $code;
+
+ close STDOUT;
+diff -up openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl
+--- openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rc4/asm/rc4-586.pl 2009-11-12 12:36:50.000000000 +0100
@@ -166,8 +166,12 @@ $idx="edx";
&external_label("OPENSSL_ia32cap_P");
@@ -10750,31 +10857,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta3/
# const char *RC4_options(void);
&function_begin_B("RC4_options");
-diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl
---- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl 2009-08-11 18:07:30.000000000 +0200
-@@ -202,4 +202,6 @@ RC4_options:
- .string "rc4(8x,char)"
- ___
-
-+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
-+
- print $code;
-diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl
---- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl 2009-08-11 18:07:30.000000000 +0200
-@@ -499,6 +499,8 @@ ___
-
- $code =~ s/#([bwd])/$1/gm;
-
-+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
-+
- print $code;
-
- close STDOUT;
-diff -up openssl-1.0.0-beta3/crypto/rc4/Makefile.fips openssl-1.0.0-beta3/crypto/rc4/Makefile
---- openssl-1.0.0-beta3/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/rc4/Makefile 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rc4/Makefile.fips openssl-1.0.0-beta4/crypto/rc4/Makefile
+--- openssl-1.0.0-beta4/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rc4/Makefile 2009-11-12 12:36:50.000000000 +0100
@@ -21,8 +21,8 @@ TEST=rc4test.c
APPS=
@@ -10786,9 +10871,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/Makefile.fips openssl-1.0.0-beta3/crypto
SRC= $(LIBSRC)
-diff -up /dev/null openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c
---- /dev/null 2009-07-27 08:39:22.849064505 +0200
-+++ openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c 2009-08-11 18:07:30.000000000 +0200
+diff -up /dev/null openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c
+--- /dev/null 2009-11-04 12:00:58.801002276 +0100
++++ openssl-1.0.0-beta4/crypto/rc4/rc4_fblk.c 2009-11-12 12:36:50.000000000 +0100
@@ -0,0 +1,75 @@
+/* crypto/rc4/rc4_fblk.c */
+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
@@ -10865,9 +10950,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c
+ }
+#endif
+
-diff -up openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips openssl-1.0.0-beta3/crypto/rc4/rc4.h
---- openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rc4/rc4.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips openssl-1.0.0-beta4/crypto/rc4/rc4.h
+--- openssl-1.0.0-beta4/crypto/rc4/rc4.h.fips 2009-11-12 12:36:50.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rc4/rc4.h 2009-11-12 12:36:50.000000000 +0100
@@ -78,6 +78,9 @@ typedef struct rc4_key_st
@@ -10878,9 +10963,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips openssl-1.0.0-beta3/crypto/rc
void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
unsigned char *outdata);
-diff -up openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c
---- openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c
+--- openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rc4/rc4_skey.c 2009-11-12 12:36:50.000000000 +0100
@@ -59,6 +59,11 @@
#include <openssl/rc4.h>
#include "rc4_locl.h"
@@ -10918,9 +11003,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta3/cryp
unsigned char *cp=(unsigned char *)d;
for (i=0;i<256;i++) cp[i]=i;
-diff -up openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta3/crypto/ripemd/ripemd.h
---- openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/ripemd/ripemd.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta4/crypto/ripemd/ripemd.h
+--- openssl-1.0.0-beta4/crypto/ripemd/ripemd.h.fips 2009-11-12 12:36:50.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/ripemd/ripemd.h 2009-11-12 12:36:50.000000000 +0100
@@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st
unsigned int num;
} RIPEMD160_CTX;
@@ -10931,9 +11016,9 @@ diff -up openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta3/cry
int RIPEMD160_Init(RIPEMD160_CTX *c);
int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
-diff -up openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c
---- openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c
+--- openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/ripemd/rmd_dgst.c 2009-11-12 12:36:50.000000000 +0100
@@ -59,6 +59,11 @@
#include <stdio.h>
#include "rmd_locl.h"
@@ -10955,17 +11040,15 @@ diff -up openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta3/c
{
memset (c,0,sizeof(*c));
c->A=RIPEMD160_A;
-diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c
---- openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c 2009-08-11 18:07:30.000000000 +0200
-@@ -116,6 +116,10 @@
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c
+--- openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/rsa/rsa_eay.c 2009-11-12 12:36:50.000000000 +0100
+@@ -114,6 +114,8 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
-+#endif
#ifndef RSA_NULL
@@ -11218,9 +11301,9 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta3/crypt
rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
return(1);
}
-diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_err.c
---- openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/rsa/rsa_err.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_err.c
+--- openssl-1.0.0-beta4/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rsa/rsa_err.c 2009-11-12 12:36:50.000000000 +0100
@@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]=
{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
{ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
@@ -11247,10 +11330,10 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta3/crypt
{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
-diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c
---- openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c 2009-08-11 18:07:30.000000000 +0200
-@@ -67,6 +67,77 @@
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c
+--- openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/rsa/rsa_gen.c 2009-11-12 12:36:50.000000000 +0100
+@@ -67,6 +67,82 @@
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -11272,16 +11355,19 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt
+ const unsigned char tbs[] = "RSA Pairwise Check Data";
+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
+ int len, ret = 0;
-+ EVP_PKEY pk;
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = rsa;
++ EVP_PKEY *pk;
++
++ if ((pk=EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_RSA(pk, rsa);
+
+ /* Perform pairwise consistency signature test */
-+ if (!fips_pkey_signature_test(&pk, tbs, -1,
++ if (!fips_pkey_signature_test(pk, tbs, -1,
+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
-+ || !fips_pkey_signature_test(&pk, tbs, -1,
++ || !fips_pkey_signature_test(pk, tbs, -1,
+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL)
-+ || !fips_pkey_signature_test(&pk, tbs, -1,
++ || !fips_pkey_signature_test(pk, tbs, -1,
+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL))
+ goto err;
+ /* Now perform pairwise consistency encrypt/decrypt test */
@@ -11321,6 +11407,8 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt
+ OPENSSL_free(ctbuf);
+ if (ptbuf)
+ OPENSSL_free(ptbuf);
++ if (pk)
++ EVP_PKEY_free(pk);
+
+ return ret;
+ }
@@ -11328,7 +11416,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
-@@ -90,6 +161,23 @@ static int rsa_builtin_keygen(RSA *rsa,
+@@ -90,6 +166,23 @@ static int rsa_builtin_keygen(RSA *rsa,
int bitsp,bitsq,ok= -1,n=0;
BN_CTX *ctx=NULL;
@@ -11352,7 +11440,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
BN_CTX_start(ctx);
-@@ -201,6 +289,17 @@ static int rsa_builtin_keygen(RSA *rsa,
+@@ -201,6 +294,17 @@ static int rsa_builtin_keygen(RSA *rsa,
p = rsa->p;
if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
@@ -11370,9 +11458,9 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt
ok=1;
err:
if (ok == -1)
-diff -up openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips openssl-1.0.0-beta3/crypto/rsa/rsa.h
---- openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips 2009-08-11 18:07:29.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rsa/rsa.h 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips openssl-1.0.0-beta4/crypto/rsa/rsa.h
+--- openssl-1.0.0-beta4/crypto/rsa/rsa.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/rsa/rsa.h 2009-11-12 12:36:50.000000000 +0100
@@ -74,6 +74,21 @@
#error RSA is disabled.
#endif
@@ -11442,9 +11530,9 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips openssl-1.0.0-beta3/crypto/rs
#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
#define RSA_R_PADDING_CHECK_FAILED 114
#define RSA_R_P_NOT_PRIME 128
-diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c
---- openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips 2008-08-06 17:54:14.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c
+--- openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c.fips 2009-08-05 17:04:16.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/rsa/rsa_lib.c 2009-11-12 12:36:50.000000000 +0100
@@ -80,6 +80,13 @@ RSA *RSA_new(void)
void RSA_set_default_method(const RSA_METHOD *meth)
@@ -11520,63 +11608,9 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta3/crypt
return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
}
-@@ -422,51 +462,8 @@ err:
- BN_CTX_end(ctx);
- if (in_ctx == NULL)
- BN_CTX_free(ctx);
-+ if(rsa->e == NULL)
-+ BN_free(e);
-
- return ret;
- }
--
--int RSA_memory_lock(RSA *r)
-- {
-- int i,j,k,off;
-- char *p;
-- BIGNUM *bn,**t[6],*b;
-- BN_ULONG *ul;
--
-- if (r->d == NULL) return(1);
-- t[0]= &r->d;
-- t[1]= &r->p;
-- t[2]= &r->q;
-- t[3]= &r->dmp1;
-- t[4]= &r->dmq1;
-- t[5]= &r->iqmp;
-- k=sizeof(BIGNUM)*6;
-- off=k/sizeof(BN_ULONG)+1;
-- j=1;
-- for (i=0; i<6; i++)
-- j+= (*t[i])->top;
-- if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
-- {
-- RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
-- return(0);
-- }
-- bn=(BIGNUM *)p;
-- ul=(BN_ULONG *)&(p[off]);
-- for (i=0; i<6; i++)
-- {
-- b= *(t[i]);
-- *(t[i])= &(bn[i]);
-- memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM));
-- bn[i].flags=BN_FLG_STATIC_DATA;
-- bn[i].d=ul;
-- memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top);
-- ul+=b->top;
-- BN_clear_free(b);
-- }
--
-- /* I should fix this so it can still be done */
-- r->flags&= ~(RSA_FLAG_CACHE_PRIVATE|RSA_FLAG_CACHE_PUBLIC);
--
-- r->bignum_data=p;
-- return(1);
-- }
-diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c
---- openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c
+--- openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/rsa/rsa_sign.c 2009-11-12 12:36:50.000000000 +0100
@@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch
i2d_X509_SIG(&sig,&p);
s=tmps;
@@ -11608,9 +11642,57 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta3/cryp
if (i <= 0) goto err;
-diff -up openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha1dgst.c
---- openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/sha/sha1dgst.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha_dgst.c
+--- openssl-1.0.0-beta4/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/sha/sha_dgst.c 2009-11-12 12:36:50.000000000 +0100
+@@ -57,6 +57,12 @@
+ */
+
+ #include <openssl/opensslconf.h>
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
++#include <openssl/err.h>
+ #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
+
+ #undef SHA_1
+diff -up openssl-1.0.0-beta4/crypto/sha/sha.h.fips openssl-1.0.0-beta4/crypto/sha/sha.h
+--- openssl-1.0.0-beta4/crypto/sha/sha.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/sha/sha.h 2009-11-12 12:36:50.000000000 +0100
+@@ -106,6 +106,9 @@ typedef struct SHAstate_st
+ } SHA_CTX;
+
+ #ifndef OPENSSL_NO_SHA0
++#ifdef OPENSSL_FIPS
++int private_SHA_Init(SHA_CTX *c);
++#endif
+ int SHA_Init(SHA_CTX *c);
+ int SHA_Update(SHA_CTX *c, const void *data, size_t len);
+ int SHA_Final(unsigned char *md, SHA_CTX *c);
+diff -up openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta4/crypto/sha/sha_locl.h
+--- openssl-1.0.0-beta4/crypto/sha/sha_locl.h.fips 2009-11-12 12:36:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/sha/sha_locl.h 2009-11-12 12:36:50.000000000 +0100
+@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c,
+ #define INIT_DATA_h3 0x10325476UL
+ #define INIT_DATA_h4 0xc3d2e1f0UL
+
++#if defined(SHA_0) && defined(OPENSSL_FIPS)
++FIPS_NON_FIPS_MD_Init(SHA)
++#else
+ int HASH_INIT (SHA_CTX *c)
++#endif
+ {
++#if defined(SHA_1) && defined(OPENSSL_FIPS)
++ FIPS_selftest_check();
++#endif
+ memset (c,0,sizeof(*c));
+ c->h0=INIT_DATA_h0;
+ c->h1=INIT_DATA_h1;
+diff -up openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta4/crypto/sha/sha1dgst.c
+--- openssl-1.0.0-beta4/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/sha/sha1dgst.c 2009-11-12 12:36:50.000000000 +0100
@@ -63,6 +63,10 @@
#define SHA_1
@@ -11622,9 +11704,9 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta3/cryp
const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT;
-diff -up openssl-1.0.0-beta3/crypto/sha/sha256.c.fips openssl-1.0.0-beta3/crypto/sha/sha256.c
---- openssl-1.0.0-beta3/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/sha/sha256.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/sha/sha256.c.fips openssl-1.0.0-beta4/crypto/sha/sha256.c
+--- openssl-1.0.0-beta4/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/sha/sha256.c 2009-11-12 12:36:50.000000000 +0100
@@ -12,12 +12,19 @@
#include <openssl/crypto.h>
@@ -11655,9 +11737,9 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha256.c.fips openssl-1.0.0-beta3/crypto
memset (c,0,sizeof(*c));
c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL;
c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL;
-diff -up openssl-1.0.0-beta3/crypto/sha/sha512.c.fips openssl-1.0.0-beta3/crypto/sha/sha512.c
---- openssl-1.0.0-beta3/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/sha/sha512.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/crypto/sha/sha512.c.fips openssl-1.0.0-beta4/crypto/sha/sha512.c
+--- openssl-1.0.0-beta4/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/sha/sha512.c 2009-11-12 12:36:50.000000000 +0100
@@ -5,6 +5,10 @@
* ====================================================================
*/
@@ -11698,58 +11780,10 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha512.c.fips openssl-1.0.0-beta3/crypto
asm ("rotrdi %0,%1,%2" \
: "=r"(ret) \
: "r"(a),"K"(n)); ret; })
-diff -up openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha_dgst.c
---- openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100
-+++ openssl-1.0.0-beta3/crypto/sha/sha_dgst.c 2009-08-11 18:07:30.000000000 +0200
-@@ -57,6 +57,12 @@
- */
-
- #include <openssl/opensslconf.h>
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-+#include <openssl/err.h>
- #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
-
- #undef SHA_1
-diff -up openssl-1.0.0-beta3/crypto/sha/sha.h.fips openssl-1.0.0-beta3/crypto/sha/sha.h
---- openssl-1.0.0-beta3/crypto/sha/sha.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/sha/sha.h 2009-08-11 18:07:30.000000000 +0200
-@@ -106,6 +106,9 @@ typedef struct SHAstate_st
- } SHA_CTX;
-
- #ifndef OPENSSL_NO_SHA0
-+#ifdef OPENSSL_FIPS
-+int private_SHA_Init(SHA_CTX *c);
-+#endif
- int SHA_Init(SHA_CTX *c);
- int SHA_Update(SHA_CTX *c, const void *data, size_t len);
- int SHA_Final(unsigned char *md, SHA_CTX *c);
-diff -up openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta3/crypto/sha/sha_locl.h
---- openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/sha/sha_locl.h 2009-08-11 18:07:30.000000000 +0200
-@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c,
- #define INIT_DATA_h3 0x10325476UL
- #define INIT_DATA_h4 0xc3d2e1f0UL
-
-+#if defined(SHA_0) && defined(OPENSSL_FIPS)
-+FIPS_NON_FIPS_MD_Init(SHA)
-+#else
- int HASH_INIT (SHA_CTX *c)
-+#endif
- {
-+#if defined(SHA_1) && defined(OPENSSL_FIPS)
-+ FIPS_selftest_check();
-+#endif
- memset (c,0,sizeof(*c));
- c->h0=INIT_DATA_h0;
- c->h1=INIT_DATA_h1;
-diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org
---- openssl-1.0.0-beta3/Makefile.org.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/Makefile.org 2009-08-11 18:07:30.000000000 +0200
-@@ -109,6 +109,9 @@ LIBKRB5=
+diff -up openssl-1.0.0-beta4/Makefile.org.fips openssl-1.0.0-beta4/Makefile.org
+--- openssl-1.0.0-beta4/Makefile.org.fips 2009-11-12 12:36:50.000000000 +0100
++++ openssl-1.0.0-beta4/Makefile.org 2009-11-12 12:36:50.000000000 +0100
+@@ -110,6 +110,9 @@ LIBKRB5=
ZLIB_INCLUDE=
LIBZLIB=
@@ -11759,7 +11793,7 @@ diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org
DIRS= crypto ssl engines apps test tools
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
-@@ -121,7 +124,7 @@ SDIRS= \
+@@ -122,7 +125,7 @@ SDIRS= \
bn ec rsa dsa ecdsa dh ecdh dso engine \
buffer bio stack lhash rand err \
evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
@@ -11768,7 +11802,7 @@ diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org
# keep in mind that the above list is adjusted by ./Configure
# according to no-xxx arguments...
-@@ -204,6 +207,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
+@@ -206,6 +209,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \
WP_ASM_OBJ='$(WP_ASM_OBJ)' \
PERLASM_SCHEME='$(PERLASM_SCHEME)' \
@@ -11776,124 +11810,9 @@ diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org
THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
# which in turn eliminates ambiguities in variable treatment with -e.
-diff -up openssl-1.0.0-beta3/ssl/s23_clnt.c.fips openssl-1.0.0-beta3/ssl/s23_clnt.c
---- openssl-1.0.0-beta3/ssl/s23_clnt.c.fips 2009-04-07 19:01:07.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/s23_clnt.c 2009-08-11 18:07:30.000000000 +0200
-@@ -332,6 +332,14 @@ static int ssl23_client_hello(SSL *s)
- version_major = TLS1_VERSION_MAJOR;
- version_minor = TLS1_VERSION_MINOR;
- }
-+#ifdef OPENSSL_FIPS
-+ else if(FIPS_mode())
-+ {
-+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
-+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-+ return -1;
-+ }
-+#endif
- else if (version == SSL3_VERSION)
- {
- version_major = SSL3_VERSION_MAJOR;
-@@ -615,6 +623,14 @@ static int ssl23_get_server_hello(SSL *s
- if ((p[2] == SSL3_VERSION_MINOR) &&
- !(s->options & SSL_OP_NO_SSLv3))
- {
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_mode())
-+ {
-+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
-+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-+ goto err;
-+ }
-+#endif
- s->version=SSL3_VERSION;
- s->method=SSLv3_client_method();
- }
-diff -up openssl-1.0.0-beta3/ssl/s23_srvr.c.fips openssl-1.0.0-beta3/ssl/s23_srvr.c
---- openssl-1.0.0-beta3/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/s23_srvr.c 2009-08-11 18:07:30.000000000 +0200
-@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s)
- }
- }
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && (s->version < TLS1_VERSION))
-+ {
-+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
-+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-+ goto err;
-+ }
-+#endif
-+
- if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
- {
- /* we have SSLv3/TLSv1 in an SSLv2 header
-diff -up openssl-1.0.0-beta3/ssl/s3_clnt.c.fips openssl-1.0.0-beta3/ssl/s3_clnt.c
---- openssl-1.0.0-beta3/ssl/s3_clnt.c.fips 2009-06-16 18:39:20.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/s3_clnt.c 2009-08-11 18:07:30.000000000 +0200
-@@ -156,6 +156,10 @@
- #include <openssl/objects.h>
- #include <openssl/evp.h>
- #include <openssl/md5.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #ifndef OPENSSL_NO_DH
- #include <openssl/dh.h>
- #endif
-@@ -1524,6 +1528,8 @@ int ssl3_get_key_exchange(SSL *s)
- q=md_buf;
- for (num=2; num > 0; num--)
- {
-+ EVP_MD_CTX_set_flags(&md_ctx,
-+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx,(num == 2)
- ?s->ctx->md5:s->ctx->sha1, NULL);
- EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-diff -up openssl-1.0.0-beta3/ssl/s3_enc.c.fips openssl-1.0.0-beta3/ssl/s3_enc.c
---- openssl-1.0.0-beta3/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/s3_enc.c 2009-08-11 18:07:30.000000000 +0200
-@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *
- #endif
- k=0;
- EVP_MD_CTX_init(&m5);
-+ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_MD_CTX_init(&s1);
- for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
- {
-@@ -614,6 +615,8 @@ int ssl3_digest_cached_records(SSL *s)
- if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
- {
- s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
-+ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
-+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
- EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
- }
-@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in
- return 0;
- }
- EVP_MD_CTX_init(&ctx);
-+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_MD_CTX_copy_ex(&ctx,d);
- n=EVP_MD_CTX_size(&ctx);
- if (n < 0)
-diff -up openssl-1.0.0-beta3/ssl/s3_srvr.c.fips openssl-1.0.0-beta3/ssl/s3_srvr.c
---- openssl-1.0.0-beta3/ssl/s3_srvr.c.fips 2009-06-26 17:04:22.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/s3_srvr.c 2009-08-11 18:07:30.000000000 +0200
-@@ -1674,6 +1674,8 @@ int ssl3_send_server_key_exchange(SSL *s
- j=0;
- for (num=2; num > 0; num--)
- {
-+ EVP_MD_CTX_set_flags(&md_ctx,
-+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx,(num == 2)
- ?s->ctx->md5:s->ctx->sha1, NULL);
- EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips openssl-1.0.0-beta3/ssl/ssl_ciph.c
---- openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips 2009-04-07 14:10:59.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips openssl-1.0.0-beta4/ssl/ssl_ciph.c
+--- openssl-1.0.0-beta4/ssl/ssl_ciph.c.fips 2009-09-13 01:18:09.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/ssl_ciph.c 2009-11-12 12:36:50.000000000 +0100
@@ -727,6 +727,9 @@ static void ssl_cipher_collect_ciphers(c
!(c->algorithm_auth & disabled_auth) &&
!(c->algorithm_enc & disabled_enc) &&
@@ -11916,10 +11835,10 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips openssl-1.0.0-beta3/ssl/ssl_cip
{
sk_SSL_CIPHER_push(cipherstack, curr->cipher);
#ifdef CIPHER_DEBUG
-diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.fips openssl-1.0.0-beta3/ssl/ssl_lib.c
---- openssl-1.0.0-beta3/ssl/ssl_lib.c.fips 2009-06-30 13:57:24.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/ssl_lib.c 2009-08-11 18:07:30.000000000 +0200
-@@ -1470,6 +1470,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+diff -up openssl-1.0.0-beta4/ssl/ssl_lib.c.fips openssl-1.0.0-beta4/ssl/ssl_lib.c
+--- openssl-1.0.0-beta4/ssl/ssl_lib.c.fips 2009-10-16 15:41:52.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/ssl_lib.c 2009-11-12 12:36:50.000000000 +0100
+@@ -1471,6 +1471,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
return(NULL);
}
@@ -11934,9 +11853,9 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.fips openssl-1.0.0-beta3/ssl/ssl_lib.
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
{
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
-diff -up openssl-1.0.0-beta3/ssl/ssltest.c.fips openssl-1.0.0-beta3/ssl/ssltest.c
---- openssl-1.0.0-beta3/ssl/ssltest.c.fips 2009-08-11 18:07:30.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/ssltest.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/ssl/ssltest.c.fips openssl-1.0.0-beta4/ssl/ssltest.c
+--- openssl-1.0.0-beta4/ssl/ssltest.c.fips 2009-11-12 12:36:50.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssltest.c 2009-11-12 12:36:50.000000000 +0100
@@ -265,6 +265,9 @@ static void sv_usage(void)
{
fprintf(stderr,"usage: ssltest [args ...]\n");
@@ -12011,9 +11930,124 @@ diff -up openssl-1.0.0-beta3/ssl/ssltest.c.fips openssl-1.0.0-beta3/ssl/ssltest.
if(s->version == TLS1_VERSION)
FIPS_allow_md5(0);
# endif
-diff -up openssl-1.0.0-beta3/ssl/t1_enc.c.fips openssl-1.0.0-beta3/ssl/t1_enc.c
---- openssl-1.0.0-beta3/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/t1_enc.c 2009-08-11 18:07:30.000000000 +0200
+diff -up openssl-1.0.0-beta4/ssl/s23_clnt.c.fips openssl-1.0.0-beta4/ssl/s23_clnt.c
+--- openssl-1.0.0-beta4/ssl/s23_clnt.c.fips 2009-08-05 17:29:14.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/s23_clnt.c 2009-11-12 12:36:50.000000000 +0100
+@@ -335,6 +335,14 @@ static int ssl23_client_hello(SSL *s)
+ version_major = TLS1_VERSION_MAJOR;
+ version_minor = TLS1_VERSION_MINOR;
+ }
++#ifdef OPENSSL_FIPS
++ else if(FIPS_mode())
++ {
++ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
++ return -1;
++ }
++#endif
+ else if (version == SSL3_VERSION)
+ {
+ version_major = SSL3_VERSION_MAJOR;
+@@ -618,6 +626,14 @@ static int ssl23_get_server_hello(SSL *s
+ if ((p[2] == SSL3_VERSION_MINOR) &&
+ !(s->options & SSL_OP_NO_SSLv3))
+ {
++#ifdef OPENSSL_FIPS
++ if(FIPS_mode())
++ {
++ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
++ goto err;
++ }
++#endif
+ s->version=SSL3_VERSION;
+ s->method=SSLv3_client_method();
+ }
+diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.fips openssl-1.0.0-beta4/ssl/s23_srvr.c
+--- openssl-1.0.0-beta4/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-12 12:36:50.000000000 +0100
+@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s)
+ }
+ }
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && (s->version < TLS1_VERSION))
++ {
++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
++ goto err;
++ }
++#endif
++
+ if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
+ {
+ /* we have SSLv3/TLSv1 in an SSLv2 header
+diff -up openssl-1.0.0-beta4/ssl/s3_clnt.c.fips openssl-1.0.0-beta4/ssl/s3_clnt.c
+--- openssl-1.0.0-beta4/ssl/s3_clnt.c.fips 2009-10-30 15:06:18.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s3_clnt.c 2009-11-12 12:36:50.000000000 +0100
+@@ -156,6 +156,10 @@
+ #include <openssl/objects.h>
+ #include <openssl/evp.h>
+ #include <openssl/md5.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+ #ifndef OPENSSL_NO_DH
+ #include <openssl/dh.h>
+ #endif
+@@ -1530,6 +1534,8 @@ int ssl3_get_key_exchange(SSL *s)
+ q=md_buf;
+ for (num=2; num > 0; num--)
+ {
++ EVP_MD_CTX_set_flags(&md_ctx,
++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&md_ctx,(num == 2)
+ ?s->ctx->md5:s->ctx->sha1, NULL);
+ EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+diff -up openssl-1.0.0-beta4/ssl/s3_enc.c.fips openssl-1.0.0-beta4/ssl/s3_enc.c
+--- openssl-1.0.0-beta4/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/s3_enc.c 2009-11-12 12:36:50.000000000 +0100
+@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *
+ #endif
+ k=0;
+ EVP_MD_CTX_init(&m5);
++ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_MD_CTX_init(&s1);
+ for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
+ {
+@@ -614,6 +615,8 @@ int ssl3_digest_cached_records(SSL *s)
+ if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
+ {
+ s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
++ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
+ EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
+ }
+@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in
+ return 0;
+ }
+ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_MD_CTX_copy_ex(&ctx,d);
+ n=EVP_MD_CTX_size(&ctx);
+ if (n < 0)
+diff -up openssl-1.0.0-beta4/ssl/s3_srvr.c.fips openssl-1.0.0-beta4/ssl/s3_srvr.c
+--- openssl-1.0.0-beta4/ssl/s3_srvr.c.fips 2009-10-30 14:22:44.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s3_srvr.c 2009-11-12 12:36:50.000000000 +0100
+@@ -1679,6 +1679,8 @@ int ssl3_send_server_key_exchange(SSL *s
+ j=0;
+ for (num=2; num > 0; num--)
+ {
++ EVP_MD_CTX_set_flags(&md_ctx,
++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&md_ctx,(num == 2)
+ ?s->ctx->md5:s->ctx->sha1, NULL);
+ EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+diff -up openssl-1.0.0-beta4/ssl/t1_enc.c.fips openssl-1.0.0-beta4/ssl/t1_enc.c
+--- openssl-1.0.0-beta4/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200
++++ openssl-1.0.0-beta4/ssl/t1_enc.c 2009-11-12 12:36:50.000000000 +0100
@@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md
HMAC_CTX_init(&ctx);
diff --git a/openssl-1.0.0-beta3-redhat.patch b/openssl-1.0.0-beta4-redhat.patch
similarity index 92%
rename from openssl-1.0.0-beta3-redhat.patch
rename to openssl-1.0.0-beta4-redhat.patch
index bd6b9af..4356e41 100644
--- a/openssl-1.0.0-beta3-redhat.patch
+++ b/openssl-1.0.0-beta4-redhat.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
---- openssl-1.0.0-beta3/Configure.redhat 2009-07-08 10:50:52.000000000 +0200
-+++ openssl-1.0.0-beta3/Configure 2009-08-04 22:46:59.000000000 +0200
-@@ -331,32 +331,32 @@ my %table=(
+diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
+--- openssl-1.0.0-beta4/Configure.redhat 2009-11-09 15:11:13.000000000 +0100
++++ openssl-1.0.0-beta4/Configure 2009-11-12 12:15:27.000000000 +0100
+@@ -336,32 +336,32 @@ my %table=(
####
# *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate...
@@ -22,14 +22,14 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):\$(SHLIB_SONAMEVER)",
++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
#### SPARC Linux setups
# Ray Miller <ray.miller at computing-services.oxford.ac.uk> has patiently
@@ -46,7 +46,7 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -370,8 +370,8 @@ my %table=(
+@@ -375,8 +375,8 @@ my %table=(
#
# <appro at fy.chalmers.se>
#
diff --git a/openssl-1.0.0-beta4-reneg-err.patch b/openssl-1.0.0-beta4-reneg-err.patch
new file mode 100644
index 0000000..271dbe7
--- /dev/null
+++ b/openssl-1.0.0-beta4-reneg-err.patch
@@ -0,0 +1,93 @@
+Better error reporting for unsafe renegotiation.
+diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
+--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100
+@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
+ {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
++{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
++{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
+@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
+ {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
+ {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
++{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
+diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
+--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100
+@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
+ #define SSL_F_SSL_NEW 186
+ #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
++#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
+ #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
++#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
+ #define SSL_F_SSL_PEEK 270
+ #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
+ #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
+@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
+ #define SSL_R_UNKNOWN_SSL_VERSION 254
+ #define SSL_R_UNKNOWN_STATE 255
++#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
+ #define SSL_R_UNSUPPORTED_CIPHER 256
+ #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+ #define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
+diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
+--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100
+@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ goto err;
+ #else
++ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
++ goto err;
++ }
+ /* we are talking sslv2 */
+ /* we need to clean up the SSLv3/TLSv1 setup and put in the
+ * sslv2 stuff. */
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100
+@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ {
+ /* We should always see one extension: the renegotiate extension */
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ return 0;
+ }
+ return 1;
+@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ if (s->new_session && !renegotiate_seen
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
++ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
+@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ {
+ /* We should always see one extension: the renegotiate extension */
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ return 0;
+ }
+ #endif
+@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ return 0;
+ }
+ #endif
diff --git a/openssl-1.0.0-beta4-reneg.patch b/openssl-1.0.0-beta4-reneg.patch
new file mode 100644
index 0000000..92e206d
--- /dev/null
+++ b/openssl-1.0.0-beta4-reneg.patch
@@ -0,0 +1,237 @@
+diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c
+--- openssl-1.0.0-beta4/apps/s_cb.c.reneg 2009-10-15 20:48:47.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_cb.c 2009-11-12 15:02:30.000000000 +0100
+@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c
+ extname = "server ticket";
+ break;
+
++ case TLSEXT_TYPE_renegotiate:
++ extname = "renegotiate";
++ break;
++
+ #ifdef TLSEXT_TYPE_opaque_prf_input
+ case TLSEXT_TYPE_opaque_prf_input:
+ extname = "opaque PRF input";
+diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c
+--- openssl-1.0.0-beta4/apps/s_client.c.reneg 2009-11-12 14:57:48.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 15:01:48.000000000 +0100
+@@ -343,6 +343,7 @@ static void sc_usage(void)
+ BIO_printf(bio_err," -status - request certificate status from server\n");
+ BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
+ #endif
++ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+ }
+
+ #ifndef OPENSSL_NO_TLSEXT
+@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv)
+ #endif
+ else if (strcmp(*argv,"-serverpref") == 0)
+ off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
++ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
++ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ else if (strcmp(*argv,"-cipher") == 0)
+ {
+ if (--argc < 1) goto bad;
+diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c
+--- openssl-1.0.0-beta4/apps/s_server.c.reneg 2009-11-12 14:57:48.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 15:01:48.000000000 +0100
+@@ -491,6 +491,7 @@ static void sv_usage(void)
+ BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
+ BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
+ BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
++ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+ #endif
+ }
+
+@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[])
+ verify_return_error = 1;
+ else if (strcmp(*argv,"-serverpref") == 0)
+ { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
++ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
++ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ else if (strcmp(*argv,"-cipher") == 0)
+ {
+ if (--argc < 1) goto bad;
+diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h
+--- openssl-1.0.0-beta4/ssl/tls1.h.reneg 2009-11-12 14:57:47.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/tls1.h 2009-11-12 15:02:30.000000000 +0100
+@@ -201,6 +201,9 @@ extern "C" {
+ # define TLSEXT_TYPE_opaque_prf_input ?? */
+ #endif
+
++/* Temporary extension type */
++#define TLSEXT_TYPE_renegotiate 0xff01
++
+ /* NameType value from RFC 3546 */
+ #define TLSEXT_NAMETYPE_host_name 0
+ /* status request value from RFC 3546 */
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg 2009-11-08 15:36:32.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-12 15:02:30.000000000 +0100
+@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex
+ ret+=size_str;
+ }
+
++ /* Add the renegotiation option: TODOEKR switch */
++ {
++ int el;
++
++ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
++ {
++ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++ return NULL;
++ }
++
++ if((limit - p - 4 - el) < 0) return NULL;
++
++ s2n(TLSEXT_TYPE_renegotiate,ret);
++ s2n(el,ret);
++
++ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
++ {
++ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++ return NULL;
++ }
++
++ ret += el;
++ }
++
+ #ifndef OPENSSL_NO_EC
+ if (s->tlsext_ecpointformatlist != NULL)
+ {
+@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex
+ s2n(TLSEXT_TYPE_server_name,ret);
+ s2n(0,ret);
+ }
++
++ if(s->s3->send_connection_binding)
++ {
++ int el;
++
++ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
++ {
++ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++ return NULL;
++ }
++
++ if((limit - p - 4 - el) < 0) return NULL;
++
++ s2n(TLSEXT_TYPE_renegotiate,ret);
++ s2n(el,ret);
++
++ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
++ {
++ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++ return NULL;
++ }
++
++ ret += el;
++ }
++
+ #ifndef OPENSSL_NO_EC
+ if (s->tlsext_ecpointformatlist != NULL)
+ {
+@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ unsigned short size;
+ unsigned short len;
+ unsigned char *data = *p;
++ int renegotiate_seen = 0;
++
+ s->servername_done = 0;
+ s->tlsext_status_type = -1;
++ s->s3->send_connection_binding = 0;
+
+ if (data >= (d+n-2))
++ {
++ if (s->new_session
++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ /* We should always see one extension: the renegotiate extension */
++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ return 0;
++ }
+ return 1;
++ }
+ n2s(data,len);
+
+ if (data > (d+n-len))
+@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ return 0;
+ }
+ }
++ else if (type == TLSEXT_TYPE_renegotiate)
++ {
++ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
++ return 0;
++ renegotiate_seen = 1;
++ }
+ else if (type == TLSEXT_TYPE_status_request
+ && s->ctx->tlsext_status_cb)
+ {
+@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ /* session ticket processed earlier */
+ data+=size;
+ }
++
++ if (s->new_session && !renegotiate_seen
++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ return 0;
++ }
++
+
+ *p = data;
+ return 1;
+@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ unsigned short size;
+ unsigned short len;
+ unsigned char *data = *p;
+-
+ int tlsext_servername = 0;
++ int renegotiate_seen = 0;
+
+ if (data >= (d+n-2))
++ {
++ /* Because the client does not see any renegotiation during an
++ attack, we must enforce this on all server hellos, even the
++ first */
++ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ /* We should always see one extension: the renegotiate extension */
++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ return 0;
++ }
+ return 1;
++ }
+
+ n2s(data,len);
+
+@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ /* Set flag to expect CertificateStatus message */
+ s->tlsext_status_expected = 1;
+ }
+-
++ else if (type == TLSEXT_TYPE_renegotiate)
++ {
++ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
++ return 0;
++ renegotiate_seen = 1;
++ }
+ data+=size;
+ }
+
+@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ return 0;
+ }
+
++ if (!renegotiate_seen
++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ return 0;
++ }
++
+ if (!s->hit && tlsext_servername == 1)
+ {
+ if (s->tlsext_hostname)
diff --git a/openssl-1.0.0-beta4-version.patch b/openssl-1.0.0-beta4-version.patch
new file mode 100644
index 0000000..ab12be0
--- /dev/null
+++ b/openssl-1.0.0-beta4-version.patch
@@ -0,0 +1,14 @@
+We have to keep the beta status on 3 as some applications (OpenSSH) incorrectly insist
+on having the same beta status of OpenSSL library as they were built against.
+diff -up openssl-1.0.0-beta4/crypto/opensslv.h.version openssl-1.0.0-beta4/crypto/opensslv.h
+--- openssl-1.0.0-beta4/crypto/opensslv.h.version 2009-11-12 15:17:28.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/opensslv.h 2009-11-13 12:39:08.000000000 +0100
+@@ -25,7 +25,7 @@
+ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+ * major minor fix final patch/beta)
+ */
+-#define OPENSSL_VERSION_NUMBER 0x10000004L
++#define OPENSSL_VERSION_NUMBER 0x10000003L
+ #ifdef OPENSSL_FIPS
+ #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips-beta4 10 Nov 2009"
+ #else
diff --git a/sources b/sources
index ccd2532..8a2c648 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9926dcf78e797a12d8e3ffd7a018824b openssl-1.0.0-beta3-usa.tar.bz2
+1fc0e41c230d0698f834413dfba864ad openssl-1.0.0-beta4-usa.tar.bz2
More information about the scm-commits
mailing list