From 75f7276f8b814d24695aa98679063ed4a064c7fb Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: Sep 30 2009 18:18:48 +0000 Subject: - fix RSA and DSA FIPS selftests - reenable fixed x86_64 camellia assembler code (#521127) --- diff --git a/openssl-1.0.0-beta3-camellia-rounds.patch b/openssl-1.0.0-beta3-camellia-rounds.patch new file mode 100644 index 0000000..a43b602 --- /dev/null +++ b/openssl-1.0.0-beta3-camellia-rounds.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl.rounds openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl +--- openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl.rounds 2009-09-15 12:09:08.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl 2009-09-15 12:09:48.000000000 +0200 +@@ -656,7 +656,7 @@ Camellia_cbc_encrypt: + mov %rsi,$out # out argument + mov %r8,%rbx # ivp argument + mov %rcx,$key # key argument +- mov 272(%rcx),$keyend # grandRounds ++ mov 272(%rcx),${keyend}d # grandRounds + + mov %r8,$_ivp + mov %rbp,$_rsp diff --git a/openssl-1.0.0-beta3-cmll-noasm.patch b/openssl-1.0.0-beta3-cmll-noasm.patch deleted file mode 100644 index 2df67a5..0000000 --- a/openssl-1.0.0-beta3-cmll-noasm.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.0.0-beta3/Configure.cmll-noasm openssl-1.0.0-beta3/Configure ---- openssl-1.0.0-beta3/Configure.cmll-noasm 2009-09-04 13:44:53.000000000 +0200 -+++ openssl-1.0.0-beta3/Configure 2009-09-04 13:46:08.000000000 +0200 -@@ -125,7 +125,7 @@ my $x86_asm="x86cpuid.o:bn-586.o co-586. - - my $x86_elf_asm="$x86_asm:elf"; - --my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o"; -+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:"; - my $ia64_asm="ia64cpuid.o:bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::void"; - my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::void"; - my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::void"; diff --git a/openssl-1.0.0-beta3-fips.patch b/openssl-1.0.0-beta3-fips.patch index 707a0b9..99404e6 100644 --- a/openssl-1.0.0-beta3-fips.patch +++ b/openssl-1.0.0-beta3-fips.patch @@ -1,6 +1,6 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure ---- openssl-1.0.0-beta3/Configure.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/Configure 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/Configure.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/Configure 2009-09-30 13:25:58.000000000 +0200 @@ -654,6 +654,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml my $processor=""; my $default_ranlib; @@ -45,7 +45,7 @@ diff -up openssl-1.0.0-beta3/Configure.fips openssl-1.0.0-beta3/Configure s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); diff -up openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta3/crypto/bf/bf_skey.c --- openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/bf/bf_skey.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/bf/bf_skey.c 2009-09-30 13:25:58.000000000 +0200 @@ -59,10 +59,15 @@ #include #include @@ -64,8 +64,8 @@ diff -up openssl-1.0.0-beta3/crypto/bf/bf_skey.c.fips openssl-1.0.0-beta3/crypto int i; BF_LONG *p,ri,in[2]; diff -up openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips openssl-1.0.0-beta3/crypto/bf/blowfish.h ---- openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/bf/blowfish.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/bf/blowfish.h 2009-09-30 13:25:58.000000000 +0200 @@ -104,7 +104,9 @@ typedef struct bf_key_st BF_LONG S[4*256]; } BF_KEY; @@ -78,8 +78,8 @@ diff -up openssl-1.0.0-beta3/crypto/bf/blowfish.h.fips openssl-1.0.0-beta3/crypt void BF_encrypt(BF_LONG *data,const BF_KEY *key); diff -up openssl-1.0.0-beta3/crypto/bn/bn.h.fips openssl-1.0.0-beta3/crypto/bn/bn.h ---- openssl-1.0.0-beta3/crypto/bn/bn.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/bn/bn.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/bn/bn.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/bn/bn.h 2009-09-30 13:25:58.000000000 +0200 @@ -540,6 +540,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); @@ -99,8 +99,8 @@ diff -up openssl-1.0.0-beta3/crypto/bn/bn.h.fips openssl-1.0.0-beta3/crypto/bn/b void BN_MONT_CTX_init(BN_MONT_CTX *ctx); int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b, diff -up /dev/null openssl-1.0.0-beta3/crypto/bn/bn_x931p.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/bn/bn_x931p.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/bn/bn_x931p.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,272 @@ +/* bn_x931p.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -376,7 +376,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/bn/bn_x931p.c + diff -up openssl-1.0.0-beta3/crypto/bn/Makefile.fips openssl-1.0.0-beta3/crypto/bn/Makefile --- openssl-1.0.0-beta3/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/bn/Makefile 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/bn/Makefile 2009-09-30 13:25:58.000000000 +0200 @@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_li bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ @@ -395,7 +395,7 @@ diff -up openssl-1.0.0-beta3/crypto/bn/Makefile.fips openssl-1.0.0-beta3/crypto/ diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl --- openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl 2009-08-20 16:54:59.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl 2009-09-30 13:25:58.000000000 +0200 @@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0; } &function_end("Camellia_Ekeygen"); @@ -423,8 +423,8 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0- @SBOX=( diff -up openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips openssl-1.0.0-beta3/crypto/camellia/camellia.h ---- openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/camellia/camellia.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips 2009-09-30 13:25:56.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/camellia.h 2009-09-30 13:25:58.000000000 +0200 @@ -88,6 +88,11 @@ struct camellia_key_st }; typedef struct camellia_key_st CAMELLIA_KEY; @@ -437,9 +437,9 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/camellia.h.fips openssl-1.0.0-beta3 int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key); -diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c ---- openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips 2009-08-20 17:01:56.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c 2009-08-20 17:03:21.000000000 +0200 +diff -up /dev/null openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,68 @@ +/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* ==================================================================== @@ -511,7 +511,7 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0-beta +#endif diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c --- openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c 2009-08-20 17:04:10.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c 2009-09-30 13:25:58.000000000 +0200 @@ -52,11 +52,20 @@ #include #include @@ -535,7 +535,7 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/cmll_misc.c.fips openssl-1.0.0-beta return -1; diff -up openssl-1.0.0-beta3/crypto/camellia/Makefile.fips openssl-1.0.0-beta3/crypto/camellia/Makefile --- openssl-1.0.0-beta3/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/camellia/Makefile 2009-08-20 17:02:56.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/camellia/Makefile 2009-09-30 13:25:58.000000000 +0200 @@ -23,9 +23,9 @@ APPS= LIB=$(TOP)/libcrypto.a @@ -549,8 +549,8 @@ diff -up openssl-1.0.0-beta3/crypto/camellia/Makefile.fips openssl-1.0.0-beta3/c SRC= $(LIBSRC) diff -up openssl-1.0.0-beta3/crypto/cast/cast.h.fips openssl-1.0.0-beta3/crypto/cast/cast.h ---- openssl-1.0.0-beta3/crypto/cast/cast.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/cast/cast.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/cast/cast.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/cast/cast.h 2009-09-30 13:25:58.000000000 +0200 @@ -83,7 +83,9 @@ typedef struct cast_key_st int short_key; /* Use reduced rounds for short key */ } CAST_KEY; @@ -564,7 +564,7 @@ diff -up openssl-1.0.0-beta3/crypto/cast/cast.h.fips openssl-1.0.0-beta3/crypto/ int enc); diff -up openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips openssl-1.0.0-beta3/crypto/cast/c_skey.c --- openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/cast/c_skey.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/cast/c_skey.c 2009-09-30 13:25:58.000000000 +0200 @@ -57,6 +57,11 @@ */ @@ -587,8 +587,8 @@ diff -up openssl-1.0.0-beta3/crypto/cast/c_skey.c.fips openssl-1.0.0-beta3/crypt CAST_LONG x[16]; CAST_LONG z[16]; diff -up openssl-1.0.0-beta3/crypto/crypto.h.fips openssl-1.0.0-beta3/crypto/crypto.h ---- openssl-1.0.0-beta3/crypto/crypto.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/crypto.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/crypto.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/crypto.h 2009-09-30 13:25:58.000000000 +0200 @@ -546,12 +546,69 @@ void OpenSSLDie(const char *file,int lin unsigned long *OPENSSL_ia32cap_loc(void); #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) @@ -661,7 +661,7 @@ diff -up openssl-1.0.0-beta3/crypto/crypto.h.fips openssl-1.0.0-beta3/crypto/cry /* Function codes. */ diff -up openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips openssl-1.0.0-beta3/crypto/dh/dh_err.c --- openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/dh/dh_err.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dh/dh_err.c 2009-09-30 13:25:58.000000000 +0200 @@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]= {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"}, {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, @@ -681,7 +681,7 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_err.c.fips openssl-1.0.0-beta3/crypto/ {ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"}, diff -up openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta3/crypto/dh/dh_gen.c --- openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dh/dh_gen.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dh/dh_gen.c 2009-09-30 13:25:58.000000000 +0200 @@ -65,6 +65,10 @@ #include "cryptlib.h" #include @@ -715,8 +715,8 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_gen.c.fips openssl-1.0.0-beta3/crypto/ if (ctx == NULL) goto err; BN_CTX_start(ctx); diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/dh.h ---- openssl-1.0.0-beta3/crypto/dh/dh.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dh/dh.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/dh/dh.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dh/dh.h 2009-09-30 13:25:58.000000000 +0200 @@ -77,6 +77,8 @@ # define OPENSSL_DH_MAX_MODULUS_BITS 10000 #endif @@ -745,7 +745,7 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh.h.fips openssl-1.0.0-beta3/crypto/dh/d } diff -up openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips openssl-1.0.0-beta3/crypto/dh/dh_key.c --- openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dh/dh_key.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dh/dh_key.c 2009-09-30 13:25:58.000000000 +0200 @@ -61,6 +61,9 @@ #include #include @@ -797,7 +797,7 @@ diff -up openssl-1.0.0-beta3/crypto/dh/dh_key.c.fips openssl-1.0.0-beta3/crypto/ } diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c --- openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips 2008-12-26 18:17:21.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c 2009-09-30 13:25:58.000000000 +0200 @@ -77,8 +77,12 @@ #include "cryptlib.h" #include @@ -834,8 +834,8 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_gen.c.fips openssl-1.0.0-beta3/crypt qsize != SHA256_DIGEST_LENGTH) /* invalid q size */ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips openssl-1.0.0-beta3/crypto/dsa/dsa.h ---- openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dsa/dsa.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dsa/dsa.h 2009-09-30 13:25:58.000000000 +0200 @@ -88,6 +88,8 @@ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif @@ -894,8 +894,8 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa.h.fips openssl-1.0.0-beta3/crypto/ds #ifdef __cplusplus diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_key.c --- openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dsa/dsa_key.c 2009-08-11 18:09:42.000000000 +0200 -@@ -63,9 +63,40 @@ ++++ openssl-1.0.0-beta3/crypto/dsa/dsa_key.c 2009-09-30 17:01:34.000000000 +0200 +@@ -63,9 +63,53 @@ #include #include #include @@ -917,26 +917,39 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt + +int fips_check_dsa(DSA *dsa) + { -+ EVP_PKEY pk; ++ EVP_PKEY *pk; + unsigned char tbs[] = "DSA Pairwise Check Data"; -+ pk.type = EVP_PKEY_DSA; -+ pk.pkey.dsa = dsa; ++ int ret = 0; ++ ++ if ((pk=EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_DSA(pk, dsa); ++ ++ if (!fips_pkey_signature_test(pk, tbs, -1, ++ NULL, 0, EVP_sha1(), 0, NULL)) ++ goto err; ++ ++ ret = 1; + -+ if (!fips_pkey_signature_test(&pk, tbs, -1, -+ NULL, 0, EVP_dss1(), 0, NULL)) ++err: ++ if (ret == 0) + { -+ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); + fips_set_selftest_fail(); -+ return 0; ++ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); + } -+ return 1; ++ ++ if (pk) ++ EVP_PKEY_free(pk); ++ ++ return ret; + } +#endif + int DSA_generate_key(DSA *dsa) { if(dsa->meth->dsa_keygen) -@@ -79,6 +110,14 @@ static int dsa_builtin_keygen(DSA *dsa) +@@ -79,6 +123,14 @@ static int dsa_builtin_keygen(DSA *dsa) BN_CTX *ctx=NULL; BIGNUM *pub_key=NULL,*priv_key=NULL; @@ -951,7 +964,7 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt if ((ctx=BN_CTX_new()) == NULL) goto err; if (dsa->priv_key == NULL) -@@ -117,6 +156,15 @@ static int dsa_builtin_keygen(DSA *dsa) +@@ -117,6 +169,15 @@ static int dsa_builtin_keygen(DSA *dsa) dsa->priv_key=priv_key; dsa->pub_key=pub_key; @@ -969,7 +982,7 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_key.c.fips openssl-1.0.0-beta3/crypt err: diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c --- openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips 2007-03-28 02:15:26.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c 2009-09-30 13:25:58.000000000 +0200 @@ -65,6 +65,9 @@ #include #include @@ -1043,7 +1056,7 @@ diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0-beta3/cryp } diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypto/err/err_all.c --- openssl-1.0.0-beta3/crypto/err/err_all.c.fips 2008-11-24 18:27:06.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/err/err_all.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/err/err_all.c 2009-09-30 13:25:58.000000000 +0200 @@ -96,6 +96,9 @@ #include #include @@ -1066,7 +1079,7 @@ diff -up openssl-1.0.0-beta3/crypto/err/err_all.c.fips openssl-1.0.0-beta3/crypt #endif diff -up openssl-1.0.0-beta3/crypto/evp/digest.c.fips openssl-1.0.0-beta3/crypto/evp/digest.c --- openssl-1.0.0-beta3/crypto/evp/digest.c.fips 2008-11-04 13:06:09.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/digest.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/digest.c 2009-09-30 13:25:58.000000000 +0200 @@ -116,6 +116,7 @@ #ifndef OPENSSL_NO_ENGINE #include @@ -1167,7 +1180,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/digest.c.fips openssl-1.0.0-beta3/crypto ret=ctx->digest->final(ctx,md); diff -up openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips openssl-1.0.0-beta3/crypto/evp/e_aes.c --- openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/e_aes.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/e_aes.c 2009-09-30 13:25:58.000000000 +0200 @@ -69,32 +69,29 @@ typedef struct IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, @@ -1222,7 +1235,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_aes.c.fips openssl-1.0.0-beta3/crypto/ const unsigned char *iv, int enc) diff -up openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta3/crypto/evp/e_camellia.c --- openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/e_camellia.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/e_camellia.c 2009-09-30 13:25:58.000000000 +0200 @@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks, EVP_CIPHER_get_asn1_iv, NULL) @@ -1234,7 +1247,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_camellia.c.fips openssl-1.0.0-beta3/cr IMPLEMENT_CAMELLIA_CFBR(192,1) diff -up openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips openssl-1.0.0-beta3/crypto/evp/e_des3.c --- openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/e_des3.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/e_des3.c 2009-09-30 13:25:58.000000000 +0200 @@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH } @@ -1281,7 +1294,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_des3.c.fips openssl-1.0.0-beta3/crypto static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, diff -up openssl-1.0.0-beta3/crypto/evp/e_null.c.fips openssl-1.0.0-beta3/crypto/evp/e_null.c --- openssl-1.0.0-beta3/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/e_null.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/e_null.c 2009-09-30 13:25:58.000000000 +0200 @@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher= { NID_undef, @@ -1293,7 +1306,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/e_null.c.fips openssl-1.0.0-beta3/crypto NULL, diff -up openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta3/crypto/evp/evp_enc.c --- openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips 2008-11-12 04:58:00.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/evp_enc.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/evp_enc.c 2009-09-30 13:25:58.000000000 +0200 @@ -68,8 +68,53 @@ const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; @@ -1388,7 +1401,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_enc.c.fips openssl-1.0.0-beta3/crypt } diff -up openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips openssl-1.0.0-beta3/crypto/evp/evp_err.c --- openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips 2008-12-29 17:11:54.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/evp_err.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/evp_err.c 2009-09-30 13:25:58.000000000 +0200 @@ -154,6 +154,7 @@ static ERR_STRING_DATA EVP_str_reasons[] {ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"}, {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"}, @@ -1398,8 +1411,8 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_err.c.fips openssl-1.0.0-beta3/crypt {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/evp/evp.h ---- openssl-1.0.0-beta3/crypto/evp/evp.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/evp.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/evp/evp.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/evp.h 2009-09-30 14:40:54.000000000 +0200 @@ -75,6 +75,10 @@ #include #endif @@ -1431,7 +1444,18 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest * in FIPS mode */ -@@ -330,6 +332,14 @@ struct evp_cipher_st +@@ -284,6 +286,10 @@ struct env_md_ctx_st + #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */ + #define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */ + #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */ ++#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \ ++ ((ctx->flags>>16) &0xFFFF) /* seed length */ ++#define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF /* salt len same as digest */ ++#define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE /* salt max or auto recovered */ + + #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */ + +@@ -330,6 +336,14 @@ struct evp_cipher_st #define EVP_CIPH_NO_PADDING 0x100 /* cipher handles random key generation */ #define EVP_CIPH_RAND_KEY 0x200 @@ -1446,7 +1470,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev /* ctrl() values */ -@@ -507,6 +517,10 @@ int EVP_BytesToKey(const EVP_CIPHER *typ +@@ -507,6 +521,10 @@ int EVP_BytesToKey(const EVP_CIPHER *typ const unsigned char *salt, const unsigned char *data, int datal, int count, unsigned char *key,unsigned char *iv); @@ -1457,7 +1481,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl, -@@ -1225,6 +1239,7 @@ void ERR_load_EVP_strings(void); +@@ -1225,6 +1243,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_DECODE_ERROR 114 #define EVP_R_DIFFERENT_KEY_TYPES 101 #define EVP_R_DIFFERENT_PARAMETERS 153 @@ -1467,7 +1491,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp.h.fips openssl-1.0.0-beta3/crypto/ev #define EVP_R_EXPECTING_AN_RSA_KEY 127 diff -up openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta3/crypto/evp/evp_lib.c --- openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/evp_lib.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/evp_lib.c 2009-09-30 13:25:58.000000000 +0200 @@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_ if (c->cipher->set_asn1_parameters != NULL) @@ -1516,8 +1540,8 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_lib.c.fips openssl-1.0.0-beta3/crypt + return (ctx->flags & flags); + } diff -up openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta3/crypto/evp/evp_locl.h ---- openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/evp_locl.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/evp_locl.h 2009-09-30 13:25:58.000000000 +0200 @@ -111,11 +111,11 @@ static int cname##_cbc_cipher(EVP_CIPHER static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ {\ @@ -1567,24 +1591,24 @@ diff -up openssl-1.0.0-beta3/crypto/evp/evp_locl.h.fips openssl-1.0.0-beta3/cryp struct evp_pkey_ctx_st { -diff -up openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss1.c ---- openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/m_dss1.c 2009-08-11 18:07:30.000000000 +0200 -@@ -82,7 +82,7 @@ static const EVP_MD dss1_md= - NID_dsa, - NID_dsaWithSHA1, +diff -up openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss.c +--- openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/m_dss.c 2009-09-30 13:25:58.000000000 +0200 +@@ -81,7 +81,7 @@ static const EVP_MD dsa_md= + NID_dsaWithSHA, + NID_dsaWithSHA, SHA_DIGEST_LENGTH, - EVP_MD_FLAG_PKEY_DIGEST, + EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS, init, update, final, -diff -up openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss.c ---- openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/m_dss.c 2009-08-11 18:07:30.000000000 +0200 -@@ -81,7 +81,7 @@ static const EVP_MD dsa_md= - NID_dsaWithSHA, - NID_dsaWithSHA, +diff -up openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips openssl-1.0.0-beta3/crypto/evp/m_dss1.c +--- openssl-1.0.0-beta3/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/m_dss1.c 2009-09-30 13:25:58.000000000 +0200 +@@ -82,7 +82,7 @@ static const EVP_MD dss1_md= + NID_dsa, + NID_dsaWithSHA1, SHA_DIGEST_LENGTH, - EVP_MD_FLAG_PKEY_DIGEST, + EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS, @@ -1593,7 +1617,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/m_dss.c.fips openssl-1.0.0-beta3/crypto/ final, diff -up openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta3/crypto/evp/m_sha1.c --- openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/evp/m_sha1.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/m_sha1.c 2009-09-30 13:25:58.000000000 +0200 @@ -82,7 +82,8 @@ static const EVP_MD sha1_md= NID_sha1, NID_sha1WithRSAEncryption, @@ -1646,7 +1670,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/m_sha1.c.fips openssl-1.0.0-beta3/crypto final512, diff -up openssl-1.0.0-beta3/crypto/evp/names.c.fips openssl-1.0.0-beta3/crypto/evp/names.c --- openssl-1.0.0-beta3/crypto/evp/names.c.fips 2009-04-10 12:30:27.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/evp/names.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/names.c 2009-09-30 13:25:58.000000000 +0200 @@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c) { int r; @@ -1669,9 +1693,77 @@ diff -up openssl-1.0.0-beta3/crypto/evp/names.c.fips openssl-1.0.0-beta3/crypto/ name=OBJ_nid2sn(md->type); r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md); if (r == 0) return(0); +diff -up openssl-1.0.0-beta3/crypto/evp/p_sign.c.fips openssl-1.0.0-beta3/crypto/evp/p_sign.c +--- openssl-1.0.0-beta3/crypto/evp/p_sign.c.fips 2006-05-24 15:29:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/evp/p_sign.c 2009-09-30 15:07:14.000000000 +0200 +@@ -61,6 +61,7 @@ + #include + #include + #include ++#include + + #ifdef undef + void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type) +@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + goto err; + if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0) + goto err; ++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931) ++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0) ++ goto err; ++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) ++ { ++ int saltlen; ++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) ++ goto err; ++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx); ++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN) ++ saltlen = -1; ++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC) ++ saltlen = -2; ++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) ++ goto err; ++ } + if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) + goto err; + *siglen = sltmp; +diff -up openssl-1.0.0-beta3/crypto/evp/p_verify.c.fips openssl-1.0.0-beta3/crypto/evp/p_verify.c +--- openssl-1.0.0-beta3/crypto/evp/p_verify.c.fips 2008-11-12 04:58:01.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/evp/p_verify.c 2009-09-30 15:07:27.000000000 +0200 +@@ -61,6 +61,7 @@ + #include + #include + #include ++#include + + int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf, + unsigned int siglen, EVP_PKEY *pkey) +@@ -86,6 +87,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con + goto err; + if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0) + goto err; ++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931) ++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0) ++ goto err; ++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) ++ { ++ int saltlen; ++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) ++ goto err; ++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx); ++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN) ++ saltlen = -1; ++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC) ++ saltlen = -2; ++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0) ++ goto err; ++ } + i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); + err: + EVP_PKEY_CTX_free(pkctx); diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,939 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -2613,8 +2705,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_aesavs.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,702 @@ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. @@ -3319,8 +3411,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_desmovs.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,537 @@ +#include + @@ -3860,8 +3952,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_dssvs.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,230 @@ +/* + * Crude test driver for processing the VST and MCT testvector files @@ -4094,8 +4186,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rngvs.c + } +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,390 @@ +/* fips_rsagtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4488,8 +4580,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsagtest.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,370 @@ +/* fips_rsastest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4862,8 +4954,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsastest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,377 @@ +/* fips_rsavtest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5243,8 +5335,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_rsavtest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,388 @@ +/* fips_shatest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5635,8 +5727,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_shatest.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,343 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -5982,8 +6074,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/cavs/fips_utl.h + } + diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips_err.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips_err.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,7 @@ +#include + @@ -5993,8 +6085,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.c +static void *dummy=&dummy; +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips_err.h 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips_err.h 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,137 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -6134,8 +6226,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_err.h +#endif + } diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,101 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6239,8 +6331,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_aes_selftest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,419 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6662,8 +6754,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,137 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -6803,9 +6895,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_des_selftest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,180 @@ +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c 2009-09-30 13:25:58.000000000 +0200 +@@ -0,0 +1,184 @@ +/* crypto/dsa/dsatest.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -6923,13 +7015,13 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c + +int FIPS_selftest_dsa() + { -+ DSA *dsa=NULL; ++ DSA *dsa; + int counter,i,j, ret = 0; + unsigned int slen; + unsigned char buf[256]; + unsigned long h; + EVP_MD_CTX mctx; -+ EVP_PKEY pk; ++ EVP_PKEY *pk = NULL; + + EVP_MD_CTX_init(&mctx); + @@ -6958,28 +7050,32 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c + if (i != j || memcmp(buf,out_g,i) != 0) + goto err; + DSA_generate_key(dsa); -+ pk.type = EVP_PKEY_DSA; -+ pk.pkey.dsa = dsa; ++ ++ if ((pk=EVP_PKEY_new()) == NULL) ++ goto err; ++ EVP_PKEY_assign_DSA(pk, dsa); + + if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL)) + goto err; + if (!EVP_SignUpdate(&mctx, str1, 20)) + goto err; -+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) ++ if (!EVP_SignFinal(&mctx, buf, &slen, pk)) + goto err; + + if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL)) + goto err; + if (!EVP_VerifyUpdate(&mctx, str1, 20)) + goto err; -+ if (EVP_VerifyFinal(&mctx, buf, slen, &pk) != 1) ++ if (EVP_VerifyFinal(&mctx, buf, slen, pk) != 1) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_cleanup(&mctx); -+ if (dsa) ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (dsa) + DSA_free(dsa); + if (ret == 0) + FIPSerr(FIPS_F_FIPS_SELFTEST_DSA,FIPS_R_SELFTEST_FAILED); @@ -6987,8 +7083,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_dsa_selftest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips.h 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips.h 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,163 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7154,8 +7250,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips.h +#endif +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,135 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -7293,8 +7389,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_hmac_selftest.c + } +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,410 @@ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. @@ -7707,8 +7803,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.h 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rand.h 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,77 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -7788,8 +7884,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand.h +#endif +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,371 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -8163,8 +8259,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rand_selftest.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_randtest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_randtest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_randtest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,248 @@ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -8415,9 +8511,9 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_randtest.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c 2009-08-11 18:07:30.000000000 +0200 -@@ -0,0 +1,432 @@ +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c 2009-09-30 13:25:58.000000000 +0200 +@@ -0,0 +1,439 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. + * @@ -8759,83 +8855,87 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c +int FIPS_selftest_rsa() + { + int ret = 0; -+ RSA *key = NULL; -+ EVP_PKEY pk; -+ key=RSA_new(); ++ RSA *key; ++ EVP_PKEY *pk = NULL; ++ ++ if ((key=RSA_new()) == NULL) ++ goto err; + setrsakey(key); -+ pk.type = EVP_PKEY_RSA; -+ pk.pkey.rsa = key; ++ if ((pk=EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_RSA(pk, key); + -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA1, sizeof(kat_RSA_SHA1), + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA1 PKCS#1")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA224, sizeof(kat_RSA_SHA224), + EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA224 PKCS#1")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA256, sizeof(kat_RSA_SHA256), + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA256 PKCS#1")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA384, sizeof(kat_RSA_SHA384), + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA384 PKCS#1")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA512, sizeof(kat_RSA_SHA512), + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA512 PKCS#1")) + goto err; + -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1), + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA1 PSS")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224), + EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA224 PSS")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256), + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA256 PSS")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384), + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA384 PSS")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512), + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS, + "RSA SHA512 PSS")) + goto err; + + -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1), + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, + "RSA SHA1 X931")) + goto err; + /* NB: SHA224 not supported in X9.31 */ -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256), + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931, + "RSA SHA256 X931")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384), + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931, + "RSA SHA384 X931")) + goto err; -+ if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512), + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931, + "RSA SHA512 X931")) @@ -8845,14 +8945,17 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_selftest.c + ret = 1; + + err: -+ RSA_free(key); ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (key) ++ RSA_free(key); + return ret; + } + +#endif /* def OPENSSL_FIPS */ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,281 @@ +/* crypto/rsa/rsa_gen.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) @@ -9136,8 +9239,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_rsa_x931g.c + + } diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,97 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9237,8 +9340,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_sha1_selftest.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,173 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9414,8 +9517,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c + + diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,588 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10006,8 +10109,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/fips_test_suite.c + +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_locl.h ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips_locl.h 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips_locl.h 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,72 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10082,8 +10185,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips_locl.h +#endif +#endif diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/Makefile ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,81 @@ +# +# OpenSSL/crypto/fips/Makefile @@ -10168,7 +10271,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/fips/Makefile + diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips openssl-1.0.0-beta3/crypto/hmac/hmac.c --- openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips 2008-11-12 04:58:02.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/hmac/hmac.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/hmac/hmac.c 2009-09-30 13:25:58.000000000 +0200 @@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo if (key != NULL) @@ -10195,8 +10298,8 @@ diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.c.fips openssl-1.0.0-beta3/crypto/ + } + diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips openssl-1.0.0-beta3/crypto/hmac/hmac.h ---- openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/hmac/hmac.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/hmac/hmac.h 2009-09-30 13:25:58.000000000 +0200 @@ -101,6 +101,7 @@ unsigned char *HMAC(const EVP_MD *evp_md unsigned int *md_len); int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); @@ -10207,7 +10310,7 @@ diff -up openssl-1.0.0-beta3/crypto/hmac/hmac.h.fips openssl-1.0.0-beta3/crypto/ } diff -up openssl-1.0.0-beta3/crypto/Makefile.fips openssl-1.0.0-beta3/crypto/Makefile --- openssl-1.0.0-beta3/crypto/Makefile.fips 2009-04-06 16:31:35.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/Makefile 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/Makefile 2009-09-30 13:25:58.000000000 +0200 @@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i LIB= $(TOP)/libcrypto.a @@ -10226,9 +10329,47 @@ diff -up openssl-1.0.0-beta3/crypto/Makefile.fips openssl-1.0.0-beta3/crypto/Mak ALL= $(GENERAL) $(SRC) $(HEADER) +diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c +--- openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c 2009-09-30 13:25:58.000000000 +0200 +@@ -61,6 +61,11 @@ + #include + #include + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + + #undef c2l + #define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \ +@@ -75,7 +80,7 @@ + *((c)++)=(unsigned char)(((l)>>24L)&0xff)) + + static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len); +-int MDC2_Init(MDC2_CTX *c) ++FIPS_NON_FIPS_MD_Init(MDC2) + { + c->num=0; + c->pad_type=1; +diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2.h +--- openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/mdc2/mdc2.h 2009-09-30 13:25:58.000000000 +0200 +@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st + int pad_type; /* either 1 or 2, default 1 */ + } MDC2_CTX; + +- ++#ifdef OPENSSL_FIPS ++int private_MDC2_Init(MDC2_CTX *c); ++#endif + int MDC2_Init(MDC2_CTX *c); + int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); + int MDC2_Final(unsigned char *md, MDC2_CTX *c); diff -up openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta3/crypto/md2/md2_dgst.c --- openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/md2/md2_dgst.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md2/md2_dgst.c 2009-09-30 13:25:58.000000000 +0200 @@ -62,6 +62,11 @@ #include #include @@ -10251,8 +10392,8 @@ diff -up openssl-1.0.0-beta3/crypto/md2/md2_dgst.c.fips openssl-1.0.0-beta3/cryp c->num=0; memset(c->state,0,sizeof c->state); diff -up openssl-1.0.0-beta3/crypto/md2/md2.h.fips openssl-1.0.0-beta3/crypto/md2/md2.h ---- openssl-1.0.0-beta3/crypto/md2/md2.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/md2/md2.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/md2/md2.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md2/md2.h 2009-09-30 13:25:58.000000000 +0200 @@ -81,6 +81,9 @@ typedef struct MD2state_st } MD2_CTX; @@ -10265,7 +10406,7 @@ diff -up openssl-1.0.0-beta3/crypto/md2/md2.h.fips openssl-1.0.0-beta3/crypto/md int MD2_Final(unsigned char *md, MD2_CTX *c); diff -up openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta3/crypto/md4/md4_dgst.c --- openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/md4/md4_dgst.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md4/md4_dgst.c 2009-09-30 13:25:58.000000000 +0200 @@ -59,6 +59,11 @@ #include #include "md4_locl.h" @@ -10288,8 +10429,8 @@ diff -up openssl-1.0.0-beta3/crypto/md4/md4_dgst.c.fips openssl-1.0.0-beta3/cryp memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; diff -up openssl-1.0.0-beta3/crypto/md4/md4.h.fips openssl-1.0.0-beta3/crypto/md4/md4.h ---- openssl-1.0.0-beta3/crypto/md4/md4.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/md4/md4.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/md4/md4.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md4/md4.h 2009-09-30 13:25:58.000000000 +0200 @@ -105,6 +105,9 @@ typedef struct MD4state_st unsigned int num; } MD4_CTX; @@ -10302,7 +10443,7 @@ diff -up openssl-1.0.0-beta3/crypto/md4/md4.h.fips openssl-1.0.0-beta3/crypto/md int MD4_Final(unsigned char *md, MD4_CTX *c); diff -up openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta3/crypto/md5/md5_dgst.c --- openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/md5/md5_dgst.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md5/md5_dgst.c 2009-09-30 13:25:58.000000000 +0200 @@ -59,6 +59,11 @@ #include #include "md5_locl.h" @@ -10325,8 +10466,8 @@ diff -up openssl-1.0.0-beta3/crypto/md5/md5_dgst.c.fips openssl-1.0.0-beta3/cryp memset (c,0,sizeof(*c)); c->A=INIT_DATA_A; diff -up openssl-1.0.0-beta3/crypto/md5/md5.h.fips openssl-1.0.0-beta3/crypto/md5/md5.h ---- openssl-1.0.0-beta3/crypto/md5/md5.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/md5/md5.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/md5/md5.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/md5/md5.h 2009-09-30 13:25:58.000000000 +0200 @@ -105,6 +105,9 @@ typedef struct MD5state_st unsigned int num; } MD5_CTX; @@ -10337,47 +10478,9 @@ diff -up openssl-1.0.0-beta3/crypto/md5/md5.h.fips openssl-1.0.0-beta3/crypto/md int MD5_Init(MD5_CTX *c); int MD5_Update(MD5_CTX *c, const void *data, size_t len); int MD5_Final(unsigned char *md, MD5_CTX *c); -diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c ---- openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/mdc2/mdc2dgst.c 2009-08-11 18:07:30.000000000 +0200 -@@ -61,6 +61,11 @@ - #include - #include - #include -+#include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ - - #undef c2l - #define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \ -@@ -75,7 +80,7 @@ - *((c)++)=(unsigned char)(((l)>>24L)&0xff)) - - static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len); --int MDC2_Init(MDC2_CTX *c) -+FIPS_NON_FIPS_MD_Init(MDC2) - { - c->num=0; - c->pad_type=1; -diff -up openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips openssl-1.0.0-beta3/crypto/mdc2/mdc2.h ---- openssl-1.0.0-beta3/crypto/mdc2/mdc2.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/mdc2/mdc2.h 2009-08-11 18:07:30.000000000 +0200 -@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st - int pad_type; /* either 1 or 2, default 1 */ - } MDC2_CTX; - -- -+#ifdef OPENSSL_FIPS -+int private_MDC2_Init(MDC2_CTX *c); -+#endif - int MDC2_Init(MDC2_CTX *c); - int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); - int MDC2_Final(unsigned char *md, MDC2_CTX *c); diff -up openssl-1.0.0-beta3/crypto/mem.c.fips openssl-1.0.0-beta3/crypto/mem.c --- openssl-1.0.0-beta3/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/mem.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/mem.c 2009-09-30 13:25:58.000000000 +0200 @@ -101,7 +101,7 @@ static void (*free_locked_func)(void *) /* may be changed as long as 'allow_customize_debug' is set */ @@ -10388,8 +10491,8 @@ diff -up openssl-1.0.0-beta3/crypto/mem.c.fips openssl-1.0.0-beta3/crypto/mem.c static void (*malloc_debug_func)(void *,int,const char *,int,int) = CRYPTO_dbg_malloc; diff -up /dev/null openssl-1.0.0-beta3/crypto/o_init.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/o_init.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/o_init.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,80 @@ +/* o_init.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10473,7 +10576,7 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/o_init.c + diff -up openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips openssl-1.0.0-beta3/crypto/opensslconf.h.in --- openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/opensslconf.h.in 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/opensslconf.h.in 2009-09-30 13:25:58.000000000 +0200 @@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ @@ -10497,7 +10600,7 @@ diff -up openssl-1.0.0-beta3/crypto/opensslconf.h.in.fips openssl-1.0.0-beta3/cr diff -up openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c --- openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c 2009-09-30 13:25:58.000000000 +0200 @@ -59,6 +59,10 @@ #include #include "cryptlib.h" @@ -10526,7 +10629,7 @@ diff -up openssl-1.0.0-beta3/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0-beta3/cr if (!iter) diff -up openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips openssl-1.0.0-beta3/crypto/rand/md_rand.c --- openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips 2009-01-03 10:25:32.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rand/md_rand.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rand/md_rand.c 2009-09-30 13:25:58.000000000 +0200 @@ -126,6 +126,10 @@ #include @@ -10555,7 +10658,7 @@ diff -up openssl-1.0.0-beta3/crypto/rand/md_rand.c.fips openssl-1.0.0-beta3/cryp { diff -up openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips openssl-1.0.0-beta3/crypto/rand/rand_err.c --- openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rand/rand_err.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rand/rand_err.c 2009-09-30 13:25:58.000000000 +0200 @@ -70,6 +70,13 @@ static ERR_STRING_DATA RAND_str_functs[]= @@ -10589,8 +10692,8 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand_err.c.fips openssl-1.0.0-beta3/cry }; diff -up openssl-1.0.0-beta3/crypto/rand/rand.h.fips openssl-1.0.0-beta3/crypto/rand/rand.h ---- openssl-1.0.0-beta3/crypto/rand/rand.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rand/rand.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/rand/rand.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rand/rand.h 2009-09-30 13:25:58.000000000 +0200 @@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ @@ -10622,7 +10725,7 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand.h.fips openssl-1.0.0-beta3/crypto/ } diff -up openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta3/crypto/rand/rand_lib.c --- openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rand/rand_lib.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rand/rand_lib.c 2009-09-30 13:25:58.000000000 +0200 @@ -60,6 +60,12 @@ #include #include "cryptlib.h" @@ -10657,8 +10760,8 @@ diff -up openssl-1.0.0-beta3/crypto/rand/rand_lib.c.fips openssl-1.0.0-beta3/cry } diff -up openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips openssl-1.0.0-beta3/crypto/rc2/rc2.h ---- openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rc2/rc2.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc2/rc2.h 2009-09-30 13:25:58.000000000 +0200 @@ -79,7 +79,9 @@ typedef struct rc2_key_st RC2_INT data[64]; } RC2_KEY; @@ -10672,7 +10775,7 @@ diff -up openssl-1.0.0-beta3/crypto/rc2/rc2.h.fips openssl-1.0.0-beta3/crypto/rc int enc); diff -up openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c --- openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c 2009-09-30 13:25:58.000000000 +0200 @@ -57,6 +57,11 @@ */ @@ -10706,9 +10809,31 @@ diff -up openssl-1.0.0-beta3/crypto/rc2/rc2_skey.c.fips openssl-1.0.0-beta3/cryp int i,j; unsigned char *k; RC2_INT *ki; +diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl +--- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl 2009-09-30 13:25:58.000000000 +0200 +@@ -202,4 +202,6 @@ RC4_options: + .string "rc4(8x,char)" + ___ + ++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); ++ + print $code; +diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl +--- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl 2009-09-30 13:25:58.000000000 +0200 +@@ -499,6 +499,8 @@ ___ + + $code =~ s/#([bwd])/$1/gm; + ++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); ++ + print $code; + + close STDOUT; diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl --- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl 2009-09-30 13:25:58.000000000 +0200 @@ -166,8 +166,12 @@ $idx="edx"; &external_label("OPENSSL_ia32cap_P"); @@ -10732,31 +10857,9 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0-beta3/ # const char *RC4_options(void); &function_begin_B("RC4_options"); -diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl ---- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-s390x.pl 2009-08-11 18:07:30.000000000 +0200 -@@ -202,4 +202,6 @@ RC4_options: - .string "rc4(8x,char)" - ___ - -+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); -+ - print $code; -diff -up openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl ---- openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rc4/asm/rc4-x86_64.pl 2009-08-11 18:07:30.000000000 +0200 -@@ -499,6 +499,8 @@ ___ - - $code =~ s/#([bwd])/$1/gm; - -+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne ""); -+ - print $code; - - close STDOUT; diff -up openssl-1.0.0-beta3/crypto/rc4/Makefile.fips openssl-1.0.0-beta3/crypto/rc4/Makefile --- openssl-1.0.0-beta3/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rc4/Makefile 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/Makefile 2009-09-30 13:25:58.000000000 +0200 @@ -21,8 +21,8 @@ TEST=rc4test.c APPS= @@ -10769,8 +10872,8 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/Makefile.fips openssl-1.0.0-beta3/crypto SRC= $(LIBSRC) diff -up /dev/null openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c ---- /dev/null 2009-07-27 08:39:22.849064505 +0200 -+++ openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c 2009-08-11 18:07:30.000000000 +0200 +--- /dev/null 2009-09-23 10:56:02.148001752 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c 2009-09-30 13:25:58.000000000 +0200 @@ -0,0 +1,75 @@ +/* crypto/rc4/rc4_fblk.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -10848,8 +10951,8 @@ diff -up /dev/null openssl-1.0.0-beta3/crypto/rc4/rc4_fblk.c +#endif + diff -up openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips openssl-1.0.0-beta3/crypto/rc4/rc4.h ---- openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rc4/rc4.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/rc4.h 2009-09-30 13:25:58.000000000 +0200 @@ -78,6 +78,9 @@ typedef struct rc4_key_st @@ -10862,7 +10965,7 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/rc4.h.fips openssl-1.0.0-beta3/crypto/rc unsigned char *outdata); diff -up openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c --- openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c 2009-09-30 13:25:58.000000000 +0200 @@ -59,6 +59,11 @@ #include #include "rc4_locl.h" @@ -10901,8 +11004,8 @@ diff -up openssl-1.0.0-beta3/crypto/rc4/rc4_skey.c.fips openssl-1.0.0-beta3/cryp for (i=0;i<256;i++) cp[i]=i; diff -up openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta3/crypto/ripemd/ripemd.h ---- openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/ripemd/ripemd.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/ripemd/ripemd.h 2009-09-30 13:25:58.000000000 +0200 @@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st unsigned int num; } RIPEMD160_CTX; @@ -10915,7 +11018,7 @@ diff -up openssl-1.0.0-beta3/crypto/ripemd/ripemd.h.fips openssl-1.0.0-beta3/cry int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); diff -up openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c --- openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c 2009-09-30 13:25:58.000000000 +0200 @@ -59,6 +59,11 @@ #include #include "rmd_locl.h" @@ -10939,7 +11042,7 @@ diff -up openssl-1.0.0-beta3/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0-beta3/c c->A=RIPEMD160_A; diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c --- openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips 2008-09-14 15:51:44.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c 2009-09-30 13:25:58.000000000 +0200 @@ -114,6 +114,8 @@ #include #include @@ -11200,7 +11303,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_eay.c.fips openssl-1.0.0-beta3/crypt } diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_err.c --- openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_err.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_err.c 2009-09-30 13:25:58.000000000 +0200 @@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"}, @@ -11229,8 +11332,8 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_err.c.fips openssl-1.0.0-beta3/crypt {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c --- openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c 2009-08-11 18:07:30.000000000 +0200 -@@ -67,6 +67,77 @@ ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c 2009-09-30 16:55:26.000000000 +0200 +@@ -67,6 +67,82 @@ #include "cryptlib.h" #include #include @@ -11252,16 +11355,19 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt + const unsigned char tbs[] = "RSA Pairwise Check Data"; + unsigned char *ctbuf = NULL, *ptbuf = NULL; + int len, ret = 0; -+ EVP_PKEY pk; -+ pk.type = EVP_PKEY_RSA; -+ pk.pkey.rsa = rsa; ++ EVP_PKEY *pk; ++ ++ if ((pk=EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_RSA(pk, rsa); + + /* Perform pairwise consistency signature test */ -+ if (!fips_pkey_signature_test(&pk, tbs, -1, ++ if (!fips_pkey_signature_test(pk, tbs, -1, + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) -+ || !fips_pkey_signature_test(&pk, tbs, -1, ++ || !fips_pkey_signature_test(pk, tbs, -1, + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL) -+ || !fips_pkey_signature_test(&pk, tbs, -1, ++ || !fips_pkey_signature_test(pk, tbs, -1, + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL)) + goto err; + /* Now perform pairwise consistency encrypt/decrypt test */ @@ -11301,6 +11407,8 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt + OPENSSL_free(ctbuf); + if (ptbuf) + OPENSSL_free(ptbuf); ++ if (pk) ++ EVP_PKEY_free(pk); + + return ret; + } @@ -11308,7 +11416,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); -@@ -90,6 +161,23 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -90,6 +166,23 @@ static int rsa_builtin_keygen(RSA *rsa, int bitsp,bitsq,ok= -1,n=0; BN_CTX *ctx=NULL; @@ -11332,7 +11440,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); -@@ -201,6 +289,17 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -201,6 +294,17 @@ static int rsa_builtin_keygen(RSA *rsa, p = rsa->p; if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; @@ -11351,8 +11459,8 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_gen.c.fips openssl-1.0.0-beta3/crypt err: if (ok == -1) diff -up openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips openssl-1.0.0-beta3/crypto/rsa/rsa.h ---- openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips 2009-08-11 18:07:29.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa.h 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips 2009-09-30 13:25:56.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa.h 2009-09-30 13:25:58.000000000 +0200 @@ -74,6 +74,21 @@ #error RSA is disabled. #endif @@ -11424,7 +11532,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa.h.fips openssl-1.0.0-beta3/crypto/rs #define RSA_R_P_NOT_PRIME 128 diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c --- openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips 2008-08-06 17:54:14.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c 2009-09-30 13:25:58.000000000 +0200 @@ -80,6 +80,13 @@ RSA *RSA_new(void) void RSA_set_default_method(const RSA_METHOD *meth) @@ -11556,7 +11664,7 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_lib.c.fips openssl-1.0.0-beta3/crypt - } diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c --- openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c 2009-09-30 13:25:58.000000000 +0200 @@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch i2d_X509_SIG(&sig,&p); s=tmps; @@ -11588,9 +11696,57 @@ diff -up openssl-1.0.0-beta3/crypto/rsa/rsa_sign.c.fips openssl-1.0.0-beta3/cryp if (i <= 0) goto err; +diff -up openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha_dgst.c +--- openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 ++++ openssl-1.0.0-beta3/crypto/sha/sha_dgst.c 2009-09-30 13:25:58.000000000 +0200 +@@ -57,6 +57,12 @@ + */ + + #include ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ ++#include + #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) + + #undef SHA_1 +diff -up openssl-1.0.0-beta3/crypto/sha/sha.h.fips openssl-1.0.0-beta3/crypto/sha/sha.h +--- openssl-1.0.0-beta3/crypto/sha/sha.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/sha/sha.h 2009-09-30 13:25:58.000000000 +0200 +@@ -106,6 +106,9 @@ typedef struct SHAstate_st + } SHA_CTX; + + #ifndef OPENSSL_NO_SHA0 ++#ifdef OPENSSL_FIPS ++int private_SHA_Init(SHA_CTX *c); ++#endif + int SHA_Init(SHA_CTX *c); + int SHA_Update(SHA_CTX *c, const void *data, size_t len); + int SHA_Final(unsigned char *md, SHA_CTX *c); +diff -up openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta3/crypto/sha/sha_locl.h +--- openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/sha/sha_locl.h 2009-09-30 13:25:58.000000000 +0200 +@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, + #define INIT_DATA_h3 0x10325476UL + #define INIT_DATA_h4 0xc3d2e1f0UL + ++#if defined(SHA_0) && defined(OPENSSL_FIPS) ++FIPS_NON_FIPS_MD_Init(SHA) ++#else + int HASH_INIT (SHA_CTX *c) ++#endif + { ++#if defined(SHA_1) && defined(OPENSSL_FIPS) ++ FIPS_selftest_check(); ++#endif + memset (c,0,sizeof(*c)); + c->h0=INIT_DATA_h0; + c->h1=INIT_DATA_h1; diff -up openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha1dgst.c --- openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/sha/sha1dgst.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/sha/sha1dgst.c 2009-09-30 13:25:58.000000000 +0200 @@ -63,6 +63,10 @@ #define SHA_1 @@ -11604,7 +11760,7 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha1dgst.c.fips openssl-1.0.0-beta3/cryp diff -up openssl-1.0.0-beta3/crypto/sha/sha256.c.fips openssl-1.0.0-beta3/crypto/sha/sha256.c --- openssl-1.0.0-beta3/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/sha/sha256.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/sha/sha256.c 2009-09-30 13:25:58.000000000 +0200 @@ -12,12 +12,19 @@ #include @@ -11637,7 +11793,7 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha256.c.fips openssl-1.0.0-beta3/crypto c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; diff -up openssl-1.0.0-beta3/crypto/sha/sha512.c.fips openssl-1.0.0-beta3/crypto/sha/sha512.c --- openssl-1.0.0-beta3/crypto/sha/sha512.c.fips 2008-12-29 13:35:48.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/sha/sha512.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/crypto/sha/sha512.c 2009-09-30 13:25:58.000000000 +0200 @@ -5,6 +5,10 @@ * ==================================================================== */ @@ -11678,57 +11834,9 @@ diff -up openssl-1.0.0-beta3/crypto/sha/sha512.c.fips openssl-1.0.0-beta3/crypto asm ("rotrdi %0,%1,%2" \ : "=r"(ret) \ : "r"(a),"K"(n)); ret; }) -diff -up openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips openssl-1.0.0-beta3/crypto/sha/sha_dgst.c ---- openssl-1.0.0-beta3/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100 -+++ openssl-1.0.0-beta3/crypto/sha/sha_dgst.c 2009-08-11 18:07:30.000000000 +0200 -@@ -57,6 +57,12 @@ - */ - - #include -+#include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ -+#include - #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) - - #undef SHA_1 -diff -up openssl-1.0.0-beta3/crypto/sha/sha.h.fips openssl-1.0.0-beta3/crypto/sha/sha.h ---- openssl-1.0.0-beta3/crypto/sha/sha.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/sha/sha.h 2009-08-11 18:07:30.000000000 +0200 -@@ -106,6 +106,9 @@ typedef struct SHAstate_st - } SHA_CTX; - - #ifndef OPENSSL_NO_SHA0 -+#ifdef OPENSSL_FIPS -+int private_SHA_Init(SHA_CTX *c); -+#endif - int SHA_Init(SHA_CTX *c); - int SHA_Update(SHA_CTX *c, const void *data, size_t len); - int SHA_Final(unsigned char *md, SHA_CTX *c); -diff -up openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips openssl-1.0.0-beta3/crypto/sha/sha_locl.h ---- openssl-1.0.0-beta3/crypto/sha/sha_locl.h.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/crypto/sha/sha_locl.h 2009-08-11 18:07:30.000000000 +0200 -@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, - #define INIT_DATA_h3 0x10325476UL - #define INIT_DATA_h4 0xc3d2e1f0UL - -+#if defined(SHA_0) && defined(OPENSSL_FIPS) -+FIPS_NON_FIPS_MD_Init(SHA) -+#else - int HASH_INIT (SHA_CTX *c) -+#endif - { -+#if defined(SHA_1) && defined(OPENSSL_FIPS) -+ FIPS_selftest_check(); -+#endif - memset (c,0,sizeof(*c)); - c->h0=INIT_DATA_h0; - c->h1=INIT_DATA_h1; diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org ---- openssl-1.0.0-beta3/Makefile.org.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/Makefile.org 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/Makefile.org.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/Makefile.org 2009-09-30 13:25:58.000000000 +0200 @@ -109,6 +109,9 @@ LIBKRB5= ZLIB_INCLUDE= LIBZLIB= @@ -11756,124 +11864,9 @@ diff -up openssl-1.0.0-beta3/Makefile.org.fips openssl-1.0.0-beta3/Makefile.org THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, # which in turn eliminates ambiguities in variable treatment with -e. -diff -up openssl-1.0.0-beta3/ssl/s23_clnt.c.fips openssl-1.0.0-beta3/ssl/s23_clnt.c ---- openssl-1.0.0-beta3/ssl/s23_clnt.c.fips 2009-04-07 19:01:07.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s23_clnt.c 2009-08-11 18:07:30.000000000 +0200 -@@ -332,6 +332,14 @@ static int ssl23_client_hello(SSL *s) - version_major = TLS1_VERSION_MAJOR; - version_minor = TLS1_VERSION_MINOR; - } -+#ifdef OPENSSL_FIPS -+ else if(FIPS_mode()) -+ { -+ SSLerr(SSL_F_SSL23_CLIENT_HELLO, -+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); -+ return -1; -+ } -+#endif - else if (version == SSL3_VERSION) - { - version_major = SSL3_VERSION_MAJOR; -@@ -615,6 +623,14 @@ static int ssl23_get_server_hello(SSL *s - if ((p[2] == SSL3_VERSION_MINOR) && - !(s->options & SSL_OP_NO_SSLv3)) - { -+#ifdef OPENSSL_FIPS -+ if(FIPS_mode()) -+ { -+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, -+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); -+ goto err; -+ } -+#endif - s->version=SSL3_VERSION; - s->method=SSLv3_client_method(); - } -diff -up openssl-1.0.0-beta3/ssl/s23_srvr.c.fips openssl-1.0.0-beta3/ssl/s23_srvr.c ---- openssl-1.0.0-beta3/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s23_srvr.c 2009-08-11 18:07:30.000000000 +0200 -@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) - } - } - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && (s->version < TLS1_VERSION)) -+ { -+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, -+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); -+ goto err; -+ } -+#endif -+ - if (s->state == SSL23_ST_SR_CLNT_HELLO_B) - { - /* we have SSLv3/TLSv1 in an SSLv2 header -diff -up openssl-1.0.0-beta3/ssl/s3_clnt.c.fips openssl-1.0.0-beta3/ssl/s3_clnt.c ---- openssl-1.0.0-beta3/ssl/s3_clnt.c.fips 2009-06-16 18:39:20.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s3_clnt.c 2009-08-11 18:07:30.000000000 +0200 -@@ -156,6 +156,10 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+#include -+#endif -+ - #ifndef OPENSSL_NO_DH - #include - #endif -@@ -1524,6 +1528,8 @@ int ssl3_get_key_exchange(SSL *s) - q=md_buf; - for (num=2; num > 0; num--) - { -+ EVP_MD_CTX_set_flags(&md_ctx, -+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_DigestInit_ex(&md_ctx,(num == 2) - ?s->ctx->md5:s->ctx->sha1, NULL); - EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); -diff -up openssl-1.0.0-beta3/ssl/s3_enc.c.fips openssl-1.0.0-beta3/ssl/s3_enc.c ---- openssl-1.0.0-beta3/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s3_enc.c 2009-08-11 18:07:30.000000000 +0200 -@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL * - #endif - k=0; - EVP_MD_CTX_init(&m5); -+ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_MD_CTX_init(&s1); - for (i=0; (int)is3->tmp.new_cipher->algorithm2) && md) - { - s->s3->handshake_dgst[i]=EVP_MD_CTX_create(); -+ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], -+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL); - EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen); - } -@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in - return 0; - } - EVP_MD_CTX_init(&ctx); -+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_MD_CTX_copy_ex(&ctx,d); - n=EVP_MD_CTX_size(&ctx); - if (n < 0) -diff -up openssl-1.0.0-beta3/ssl/s3_srvr.c.fips openssl-1.0.0-beta3/ssl/s3_srvr.c ---- openssl-1.0.0-beta3/ssl/s3_srvr.c.fips 2009-06-26 17:04:22.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/s3_srvr.c 2009-08-11 18:07:30.000000000 +0200 -@@ -1674,6 +1674,8 @@ int ssl3_send_server_key_exchange(SSL *s - j=0; - for (num=2; num > 0; num--) - { -+ EVP_MD_CTX_set_flags(&md_ctx, -+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_DigestInit_ex(&md_ctx,(num == 2) - ?s->ctx->md5:s->ctx->sha1, NULL); - EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips openssl-1.0.0-beta3/ssl/ssl_ciph.c --- openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips 2009-04-07 14:10:59.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-09-30 13:25:58.000000000 +0200 @@ -727,6 +727,9 @@ static void ssl_cipher_collect_ciphers(c !(c->algorithm_auth & disabled_auth) && !(c->algorithm_enc & disabled_enc) && @@ -11898,7 +11891,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.fips openssl-1.0.0-beta3/ssl/ssl_cip #ifdef CIPHER_DEBUG diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.fips openssl-1.0.0-beta3/ssl/ssl_lib.c --- openssl-1.0.0-beta3/ssl/ssl_lib.c.fips 2009-06-30 13:57:24.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssl_lib.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssl_lib.c 2009-09-30 13:25:58.000000000 +0200 @@ -1470,6 +1470,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m return(NULL); } @@ -11915,8 +11908,8 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.fips openssl-1.0.0-beta3/ssl/ssl_lib. { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); diff -up openssl-1.0.0-beta3/ssl/ssltest.c.fips openssl-1.0.0-beta3/ssl/ssltest.c ---- openssl-1.0.0-beta3/ssl/ssltest.c.fips 2009-08-11 18:07:30.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/ssltest.c 2009-08-11 18:07:30.000000000 +0200 +--- openssl-1.0.0-beta3/ssl/ssltest.c.fips 2009-09-30 13:25:57.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/ssltest.c 2009-09-30 13:25:58.000000000 +0200 @@ -265,6 +265,9 @@ static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); @@ -11991,9 +11984,124 @@ diff -up openssl-1.0.0-beta3/ssl/ssltest.c.fips openssl-1.0.0-beta3/ssl/ssltest. if(s->version == TLS1_VERSION) FIPS_allow_md5(0); # endif +diff -up openssl-1.0.0-beta3/ssl/s23_clnt.c.fips openssl-1.0.0-beta3/ssl/s23_clnt.c +--- openssl-1.0.0-beta3/ssl/s23_clnt.c.fips 2009-04-07 19:01:07.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s23_clnt.c 2009-09-30 13:25:58.000000000 +0200 +@@ -332,6 +332,14 @@ static int ssl23_client_hello(SSL *s) + version_major = TLS1_VERSION_MAJOR; + version_minor = TLS1_VERSION_MINOR; + } ++#ifdef OPENSSL_FIPS ++ else if(FIPS_mode()) ++ { ++ SSLerr(SSL_F_SSL23_CLIENT_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ return -1; ++ } ++#endif + else if (version == SSL3_VERSION) + { + version_major = SSL3_VERSION_MAJOR; +@@ -615,6 +623,14 @@ static int ssl23_get_server_hello(SSL *s + if ((p[2] == SSL3_VERSION_MINOR) && + !(s->options & SSL_OP_NO_SSLv3)) + { ++#ifdef OPENSSL_FIPS ++ if(FIPS_mode()) ++ { ++ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ goto err; ++ } ++#endif + s->version=SSL3_VERSION; + s->method=SSLv3_client_method(); + } +diff -up openssl-1.0.0-beta3/ssl/s23_srvr.c.fips openssl-1.0.0-beta3/ssl/s23_srvr.c +--- openssl-1.0.0-beta3/ssl/s23_srvr.c.fips 2008-06-03 04:48:34.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s23_srvr.c 2009-09-30 13:25:58.000000000 +0200 +@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) + } + } + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && (s->version < TLS1_VERSION)) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, ++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); ++ goto err; ++ } ++#endif ++ + if (s->state == SSL23_ST_SR_CLNT_HELLO_B) + { + /* we have SSLv3/TLSv1 in an SSLv2 header +diff -up openssl-1.0.0-beta3/ssl/s3_clnt.c.fips openssl-1.0.0-beta3/ssl/s3_clnt.c +--- openssl-1.0.0-beta3/ssl/s3_clnt.c.fips 2009-06-16 18:39:20.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s3_clnt.c 2009-09-30 13:25:58.000000000 +0200 +@@ -156,6 +156,10 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++ + #ifndef OPENSSL_NO_DH + #include + #endif +@@ -1524,6 +1528,8 @@ int ssl3_get_key_exchange(SSL *s) + q=md_buf; + for (num=2; num > 0; num--) + { ++ EVP_MD_CTX_set_flags(&md_ctx, ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(&md_ctx,(num == 2) + ?s->ctx->md5:s->ctx->sha1, NULL); + EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); +diff -up openssl-1.0.0-beta3/ssl/s3_enc.c.fips openssl-1.0.0-beta3/ssl/s3_enc.c +--- openssl-1.0.0-beta3/ssl/s3_enc.c.fips 2009-04-16 19:22:50.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s3_enc.c 2009-09-30 13:25:58.000000000 +0200 +@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL * + #endif + k=0; + EVP_MD_CTX_init(&m5); ++ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_MD_CTX_init(&s1); + for (i=0; (int)is3->tmp.new_cipher->algorithm2) && md) + { + s->s3->handshake_dgst[i]=EVP_MD_CTX_create(); ++ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL); + EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen); + } +@@ -670,6 +673,7 @@ static int ssl3_handshake_mac(SSL *s, in + return 0; + } + EVP_MD_CTX_init(&ctx); ++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_MD_CTX_copy_ex(&ctx,d); + n=EVP_MD_CTX_size(&ctx); + if (n < 0) +diff -up openssl-1.0.0-beta3/ssl/s3_srvr.c.fips openssl-1.0.0-beta3/ssl/s3_srvr.c +--- openssl-1.0.0-beta3/ssl/s3_srvr.c.fips 2009-06-26 17:04:22.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/s3_srvr.c 2009-09-30 13:25:58.000000000 +0200 +@@ -1674,6 +1674,8 @@ int ssl3_send_server_key_exchange(SSL *s + j=0; + for (num=2; num > 0; num--) + { ++ EVP_MD_CTX_set_flags(&md_ctx, ++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(&md_ctx,(num == 2) + ?s->ctx->md5:s->ctx->sha1, NULL); + EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); diff -up openssl-1.0.0-beta3/ssl/t1_enc.c.fips openssl-1.0.0-beta3/ssl/t1_enc.c --- openssl-1.0.0-beta3/ssl/t1_enc.c.fips 2009-04-19 20:03:13.000000000 +0200 -+++ openssl-1.0.0-beta3/ssl/t1_enc.c 2009-08-11 18:07:30.000000000 +0200 ++++ openssl-1.0.0-beta3/ssl/t1_enc.c 2009-09-30 13:25:58.000000000 +0200 @@ -169,6 +169,8 @@ static void tls1_P_hash(const EVP_MD *md HMAC_CTX_init(&ctx); diff --git a/openssl.spec b/openssl.spec index f0cf488..09dc467 100644 --- a/openssl.spec +++ b/openssl.spec @@ -23,7 +23,7 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.0 -Release: 0.7.%{beta}%{?dist} +Release: 0.8.%{beta}%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-%{beta}-usa.tar.bz2 @@ -63,10 +63,10 @@ Patch49: openssl-0.9.8k-algo-doc.patch Patch50: openssl-1.0.0-beta3-curl.patch Patch51: openssl-1.0.0-beta3-const.patch Patch52: openssl-1.0.0-beta3-dss1.patch -Patch53: openssl-1.0.0-beta3-cmll-noasm.patch # Backported fixes including security fixes Patch60: openssl-1.0.0-beta3-namingstr.patch Patch61: openssl-1.0.0-beta3-namingblk.patch +Patch62: openssl-1.0.0-beta3-camellia-rounds.patch License: OpenSSL Group: System Environment/Libraries @@ -148,9 +148,9 @@ from other formats to the formats used by the OpenSSL toolkit. %patch50 -p1 -b .curl %patch51 -p1 -b .const %patch52 -p1 -b .dss1 -%patch53 -p1 -b .cmll-noasm %patch60 -p1 -b .namingstr %patch61 -p1 -b .namingblk +%patch62 -p1 -b .cmll-rounds # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -399,6 +399,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Wed Sep 30 2009 Tomas Mraz 1.0.0-0.8.beta3 +- fix RSA and DSA FIPS selftests +- reenable fixed x86_64 camellia assembler code (#521127) + * Fri Sep 4 2009 Tomas Mraz 1.0.0-0.7.beta3 - temporarily disable x86_64 camellia assembler code (#521127)