Hello community,

here is the log from the commit of package openssl for openSUSE:Factory checked 
in at 2016-03-05 11:21:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
 and      /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes  2015-12-13 
09:36:20.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes     2016-03-05 
11:21:19.000000000 +0100
@@ -1,0 +2,55 @@
+Tue Mar  1 14:40:18 UTC 2016 - vci...@suse.com
+
+- update to 1.0.2g (bsc#968044)
+  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+    Builds that are not configured with "enable-weak-ssl-ciphers" will not
+    provide any "EXPORT" or "LOW" strength ciphers.
+  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
+    is by default disabled at build-time.  Builds that are not configured with
+    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
+    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+    will need to explicitly call either of:
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+    or
+        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+    (CVE-2016-0800)
+  * Fix a double-free in DSA code
+     (CVE-2016-0705)
+  * Disable SRP fake user seed to address a server memory leak.
+     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+     (CVE-2016-0798)
+  * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+     (CVE-2016-0797)
+  *) Side channel attack on modular exponentiation
+     http://cachebleed.info.
+     (CVE-2016-0702)
+  *) Change the req app to generate a 2048-bit RSA/DSA key by default,
+     if no keysize is specified with default_bits. This fixes an
+     omission in an earlier change that changed all RSA/DSA key generation
+     apps to use 2048 bits by default.
+
+-------------------------------------------------------------------
+Thu Jan 28 15:10:38 UTC 2016 - vci...@suse.com
+
+- update to 1.0.2f (boo#963410)
+  *) DH small subgroups (boo#963413)
+     Historically OpenSSL only ever generated DH parameters based on "safe"
+     primes. More recently (in version 1.0.2) support was provided for
+     generating X9.42 style parameter files such as those required for RFC 5114
+     support. The primes used in such files may not be "safe". Where an
+     application is using DH configured with parameters based on primes that 
are
+     not "safe" then an attacker could use this fact to find a peer's private
+     DH exponent. This attack requires that the attacker complete multiple
+     handshakes in which the peer uses the same private DH exponent. For 
example
+     this could be used to discover a TLS server's private DH exponent if it's
+     reusing the private DH exponent or it's using a static DH ciphersuite.
+     (CVE-2016-0701)
+  *) SSLv2 doesn't block disabled ciphers (boo#963415)
+     A malicious client can negotiate SSLv2 ciphers that have been disabled on
+     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+     been disabled, provided that the SSLv2 protocol was not also disabled via
+     SSL_OP_NO_SSLv2.
+     (CVE-2015-3197)
+  *) Reject DH handshakes with parameters shorter than 1024 bits.
+
+-------------------------------------------------------------------

Old:
----
  openssl-1.0.2e.tar.gz
  openssl-1.0.2e.tar.gz.asc

New:
----
  openssl-1.0.2g.tar.gz
  openssl-1.0.2g.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.4dhzIu/_old  2016-03-05 11:21:21.000000000 +0100
+++ /var/tmp/diff_new_pack.4dhzIu/_new  2016-03-05 11:21:21.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@
 %ifarch ppc64
 Obsoletes:      openssl-64bit
 %endif
-Version:        1.0.2e
+Version:        1.0.2g
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL

++++++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++++++
--- /var/tmp/diff_new_pack.4dhzIu/_old  2016-03-05 11:21:21.000000000 +0100
+++ /var/tmp/diff_new_pack.4dhzIu/_new  2016-03-05 11:21:21.000000000 +0100
@@ -4,10 +4,10 @@
 Subject: [PATCH] Axe builtin printf implementation, use glibc instead
 
 
-Index: openssl-1.0.2b/crypto/bio/b_print.c
+Index: openssl-1.0.2g/crypto/bio/b_print.c
 ===================================================================
---- openssl-1.0.2b.orig/crypto/bio/b_print.c   2015-06-11 15:01:06.000000000 
+0200
-+++ openssl-1.0.2b/crypto/bio/b_print.c        2015-06-11 17:50:00.893823977 
+0200
+--- openssl-1.0.2g.orig/crypto/bio/b_print.c   2016-03-01 14:35:05.000000000 
+0100
++++ openssl-1.0.2g/crypto/bio/b_print.c        2016-03-01 15:26:55.597307479 
+0100
 @@ -56,17 +56,10 @@
   * [including the GNU Public Licence.]
   */
@@ -28,7 +28,7 @@
  #include <stdio.h>
  #include <string.h>
  #include <ctype.h>
-@@ -79,668 +72,6 @@
+@@ -79,708 +72,6 @@
  #include <openssl/bn.h>         /* To get BN_LLONG properly defined */
  #include <openssl/bio.h>
  
@@ -78,16 +78,16 @@
 -# define LLONG long
 -#endif
 -
--static void fmtstr(char **, char **, size_t *, size_t *,
--                   const char *, int, int, int);
--static void fmtint(char **, char **, size_t *, size_t *,
--                   LLONG, int, int, int, int);
--static void fmtfp(char **, char **, size_t *, size_t *,
--                  LDOUBLE, int, int, int);
--static void doapr_outch(char **, char **, size_t *, size_t *, int);
--static void _dopr(char **sbuffer, char **buffer,
--                  size_t *maxlen, size_t *retlen, int *truncated,
--                  const char *format, va_list args);
+-static int fmtstr(char **, char **, size_t *, size_t *,
+-                  const char *, int, int, int);
+-static int fmtint(char **, char **, size_t *, size_t *,
+-                  LLONG, int, int, int, int);
+-static int fmtfp(char **, char **, size_t *, size_t *,
+-                 LDOUBLE, int, int, int);
+-static int doapr_outch(char **, char **, size_t *, size_t *, int);
+-static int _dopr(char **sbuffer, char **buffer,
+-                 size_t *maxlen, size_t *retlen, int *truncated,
+-                 const char *format, va_list args);
 -
 -/* format read states */
 -#define DP_S_DEFAULT    0
@@ -118,7 +118,7 @@
 -#define char_to_int(p) (p - '0')
 -#define OSSL_MAX(p,q) ((p >= q) ? p : q)
 -
--static void
+-static int
 -_dopr(char **sbuffer,
 -      char **buffer,
 -      size_t *maxlen,
@@ -149,7 +149,8 @@
 -            if (ch == '%')
 -                state = DP_S_FLAGS;
 -            else
--                doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
+-                if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
+-                    return 0;
 -            ch = *format++;
 -            break;
 -        case DP_S_FLAGS:
@@ -255,8 +256,9 @@
 -                    value = va_arg(args, int);
 -                    break;
 -                }
--                fmtint(sbuffer, buffer, &currlen, maxlen,
--                       value, 10, min, max, flags);
+-                if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
+-                            max, flags))
+-                    return 0;
 -                break;
 -            case 'X':
 -                flags |= DP_F_UP;
@@ -279,17 +281,19 @@
 -                    value = (LLONG) va_arg(args, unsigned int);
 -                    break;
 -                }
--                fmtint(sbuffer, buffer, &currlen, maxlen, value,
--                       ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
--                       min, max, flags);
+-                if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
+-                            ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
+-                            min, max, flags))
+-                    return 0;
 -                break;
 -            case 'f':
 -                if (cflags == DP_C_LDOUBLE)
 -                    fvalue = va_arg(args, LDOUBLE);
 -                else
 -                    fvalue = va_arg(args, double);
--                fmtfp(sbuffer, buffer, &currlen, maxlen,
--                      fvalue, min, max, flags);
+-                if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, 
max,
+-                           flags))
+-                    return 0;
 -                break;
 -            case 'E':
 -                flags |= DP_F_UP;
@@ -308,8 +312,9 @@
 -                    fvalue = va_arg(args, double);
 -                break;
 -            case 'c':
--                doapr_outch(sbuffer, buffer, &currlen, maxlen,
--                            va_arg(args, int));
+-                if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
+-                            va_arg(args, int)))
+-                    return 0;
 -                break;
 -            case 's':
 -                strvalue = va_arg(args, char *);
@@ -319,13 +324,15 @@
 -                    else
 -                        max = *maxlen;
 -                }
--                fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
--                       flags, min, max);
+-                if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
+-                            flags, min, max))
+-                    return 0;
 -                break;
 -            case 'p':
 -                value = (long)va_arg(args, void *);
--                fmtint(sbuffer, buffer, &currlen, maxlen,
--                       value, 16, min, max, flags | DP_F_NUM);
+-                if (!fmtint(sbuffer, buffer, &currlen, maxlen,
+-                            value, 16, min, max, flags | DP_F_NUM))
+-                    return 0;
 -                break;
 -            case 'n':          /* XXX */
 -                if (cflags == DP_C_SHORT) {
@@ -347,7 +354,8 @@
 -                }
 -                break;
 -            case '%':
--                doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
+-                if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
+-                    return 0;
 -                break;
 -            case 'w':
 -                /* not supported yet, treat as next char */
@@ -371,46 +379,56 @@
 -    *truncated = (currlen > *maxlen - 1);
 -    if (*truncated)
 -        currlen = *maxlen - 1;
--    doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
+-    if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
+-        return 0;
 -    *retlen = currlen - 1;
--    return;
+-    return 1;
 -}
 -
--static void
+-static int
 -fmtstr(char **sbuffer,
 -       char **buffer,
 -       size_t *currlen,
 -       size_t *maxlen, const char *value, int flags, int min, int max)
 -{
--    int padlen, strln;
+-    int padlen;
+-    size_t strln;
 -    int cnt = 0;
 -
 -    if (value == 0)
 -        value = "<NULL>";
--    for (strln = 0; value[strln]; ++strln) ;
+-
+-    strln = strlen(value);
+-    if (strln > INT_MAX)
+-        strln = INT_MAX;
+-
 -    padlen = min - strln;
--    if (padlen < 0)
+-    if (min < 0 || padlen < 0)
 -        padlen = 0;
 -    if (flags & DP_F_MINUS)
 -        padlen = -padlen;
 -
 -    while ((padlen > 0) && (cnt < max)) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+-            return 0;
 -        --padlen;
 -        ++cnt;
 -    }
 -    while (*value && (cnt < max)) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
+-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
+-            return 0;
 -        ++cnt;
 -    }
 -    while ((padlen < 0) && (cnt < max)) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+-            return 0;
 -        ++padlen;
 -        ++cnt;
 -    }
+-    return 1;
 -}
 -
--static void
+-static int
 -fmtint(char **sbuffer,
 -       char **buffer,
 -       size_t *currlen,
@@ -470,37 +488,44 @@
 -
 -    /* spaces */
 -    while (spadlen > 0) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+-            return 0;
 -        --spadlen;
 -    }
 -
 -    /* sign */
 -    if (signvalue)
--        doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
+-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
+-            return 0;
 -
 -    /* prefix */
 -    while (*prefix) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
+-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
+-            return 0;
 -        prefix++;
 -    }
 -
 -    /* zeros */
 -    if (zpadlen > 0) {
 -        while (zpadlen > 0) {
--            doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
+-            if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+-                return 0;
 -            --zpadlen;
 -        }
 -    }
 -    /* digits */
--    while (place > 0)
--        doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
+-    while (place > 0) {
+-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
+-            return 0;
+-    }
 -
 -    /* left justified spaces */
 -    while (spadlen < 0) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+-            return 0;
 -        ++spadlen;
 -    }
--    return;
+-    return 1;
 -}
 -
 -static LDOUBLE abs_val(LDOUBLE value)
@@ -531,7 +556,7 @@
 -    return intpart;
 -}
 -
--static void
+-static int
 -fmtfp(char **sbuffer,
 -      char **buffer,
 -      size_t *currlen,
@@ -610,47 +635,61 @@
 -
 -    if ((flags & DP_F_ZERO) && (padlen > 0)) {
 -        if (signvalue) {
--            doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
+-            if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
+-                return 0;
 -            --padlen;
 -            signvalue = 0;
 -        }
 -        while (padlen > 0) {
--            doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
+-            if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+-                return 0;
 -            --padlen;
 -        }
 -    }
 -    while (padlen > 0) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+-            return 0;
 -        --padlen;
 -    }
--    if (signvalue)
--        doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
+-    if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, 
signvalue))
+-        return 0;
 -
--    while (iplace > 0)
--        doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
+-    while (iplace > 0) {
+-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, 
iconvert[--iplace]))
+-            return 0;
+-    }
 -
 -    /*
 -     * Decimal point. This should probably use locale to find the correct
 -     * char to print out.
 -     */
 -    if (max > 0 || (flags & DP_F_NUM)) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
+-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
+-            return 0;
 -
--        while (fplace > 0)
--            doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
+-        while (fplace > 0) {
+-            if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
+-                            fconvert[--fplace]))
+-                return 0;
+-        }
 -    }
 -    while (zpadlen > 0) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
+-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+-            return 0;
 -        --zpadlen;
 -    }
 -
 -    while (padlen < 0) {
--        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+-            return 0;
 -        ++padlen;
 -    }
+-    return 1;
 -}
 -
--static void
+-#define BUFFER_INC  1024
+-
+-static int
 -doapr_outch(char **sbuffer,
 -            char **buffer, size_t *currlen, size_t *maxlen, int c)
 -{
@@ -661,24 +700,25 @@
 -    assert(*currlen <= *maxlen);
 -
 -    if (buffer && *currlen == *maxlen) {
--        *maxlen += 1024;
+-        if (*maxlen > INT_MAX - BUFFER_INC)
+-            return 0;
+-
+-        *maxlen += BUFFER_INC;
 -        if (*buffer == NULL) {
 -            *buffer = OPENSSL_malloc(*maxlen);
--            if (!*buffer) {
--                /* Panic! Can't really do anything sensible. Just return */
--                return;
--            }
+-            if (*buffer == NULL)
+-                return 0;
 -            if (*currlen > 0) {
 -                assert(*sbuffer != NULL);
 -                memcpy(*buffer, *sbuffer, *currlen);
 -            }
 -            *sbuffer = NULL;
 -        } else {
--            *buffer = OPENSSL_realloc(*buffer, *maxlen);
--            if (!*buffer) {
--                /* Panic! Can't really do anything sensible. Just return */
--                return;
--            }
+-            char *tmpbuf;
+-            tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
+-            if (tmpbuf == NULL)
+-                return 0;
+-            *buffer = tmpbuf;
 -        }
 -    }
 -
@@ -689,7 +729,7 @@
 -            (*buffer)[(*currlen)++] = (char)c;
 -    }
 -
--    return;
+-    return 1;
 -}
 -
 -/***************************************************************************/
@@ -697,7 +737,7 @@
  int BIO_printf(BIO *bio, const char *format, ...)
  {
      va_list args;
-@@ -754,28 +85,36 @@ int BIO_printf(BIO *bio, const char *for
+@@ -794,32 +85,36 @@ int BIO_printf(BIO *bio, const char *for
      return (ret);
  }
  
@@ -726,7 +766,11 @@
 -
 -    dynbuf = NULL;
 -    CRYPTO_push_info("doapr()");
--    _dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, args);
+-    if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
+-                args)) {
+-        OPENSSL_free(dynbuf);
+-        return -1;
+-    }
 -    if (dynbuf) {
 -        ret = BIO_write(bio, dynbuf, (int)retlen);
 -        OPENSSL_free(dynbuf);
@@ -753,7 +797,7 @@
      return (ret);
  }
  
-@@ -791,28 +130,22 @@ int BIO_snprintf(char *buf, size_t n, co
+@@ -835,29 +130,21 @@ int BIO_snprintf(char *buf, size_t n, co
      int ret;
  
      va_start(args, format);
@@ -772,10 +816,13 @@
 -    size_t retlen;
 -    int truncated;
 +    int ret;
- 
--    _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
 +    ret = vsnprintf(buf, n, format, args);
  
+-    if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
+-        return -1;
++    if (ret >= n || ret == -1)
++        return (-1);
+ 
 -    if (truncated)
 -        /*
 -         * In case of truncation, return -1 like traditional snprintf.
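Review bot: In the refreshed BIO_vsnprintf replacement, `if (ret >= n || ret == -1)` compares the `int ret` with the `size_t` length `n`, so a negative return from `vsnprintf` is caught only because it is implicitly converted to a very large unsigned value. I would write the guard as `if (ret < 0 || (size_t)ret >= n)`, which names the error case and the truncation case separately and compiles cleanly under `-Wsign-compare`. A one-line comment such as `/* -1 on error or truncation, matching the old _dopr-based behaviour */` would also record why truncation is reported as failure. The function's signature and its final `return (ret);` lie outside this hunk.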
@@ -786,8 +833,5 @@
 -        return -1;
 -    else
 -        return (retlen <= INT_MAX) ? (int)retlen : -1;
-+    if (ret >= n || ret == -1)
-+        return (-1);
-+
 +    return (ret);
  }

++++++ openssl-1.0.2a-new-fips-reqs.patch ++++++
--- /var/tmp/diff_new_pack.4dhzIu/_old  2016-03-05 11:21:22.000000000 +0100
+++ /var/tmp/diff_new_pack.4dhzIu/_new  2016-03-05 11:21:22.000000000 +0100
@@ -1,7 +1,8 @@
-diff -up openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs 
openssl-1.0.2a/crypto/bn/bn_rand.c
---- openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs       2015-03-19 
14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/bn/bn_rand.c 2015-04-22 15:06:37.907003880 +0200
-@@ -136,9 +136,11 @@ static int bnrand(int pseudorand, BIGNUM
+Index: openssl-1.0.2f/crypto/bn/bn_rand.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/bn/bn_rand.c    2016-01-28 14:38:30.000000000 
+0100
++++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 15:59:54.945269236 +0100
+@@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
          goto err;
      }
  
@@ -16,9 +17,10 @@
  
      if (pseudorand) {
          if (RAND_pseudo_bytes(buf, bytes) == -1)
-diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs 
openssl-1.0.2a/crypto/dh/dh_gen.c
---- openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs        2015-04-22 
15:06:37.840002285 +0200
-+++ openssl-1.0.2a/crypto/dh/dh_gen.c  2015-04-22 15:06:37.907003880 +0200
+Index: openssl-1.0.2f/crypto/dh/dh_gen.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/dh/dh_gen.c     2016-01-28 15:59:54.912268693 
+0100
++++ openssl-1.0.2f/crypto/dh/dh_gen.c  2016-01-28 15:59:54.945269236 +0100
 @@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
          return 0;
      }
@@ -28,9 +30,10 @@
          DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
          goto err;
      }
-diff -up openssl-1.0.2a/crypto/dh/dh.h.fips-reqs openssl-1.0.2a/crypto/dh/dh.h
---- openssl-1.0.2a/crypto/dh/dh.h.fips-reqs    2015-04-22 15:06:37.908003903 
+0200
-+++ openssl-1.0.2a/crypto/dh/dh.h      2015-04-22 15:07:25.265130812 +0200
+Index: openssl-1.0.2f/crypto/dh/dh.h
+===================================================================
+--- openssl-1.0.2f.orig/crypto/dh/dh.h 2016-01-28 15:59:54.912268693 +0100
++++ openssl-1.0.2f/crypto/dh/dh.h      2016-01-28 15:59:54.945269236 +0100
 @@ -78,6 +78,7 @@
  # endif
  
@@ -39,44 +42,11 @@
  
  # define DH_FLAG_CACHE_MONT_P     0x01
  
-diff -up openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs 
openssl-1.0.2a/crypto/dh/dh_check.c
---- openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs      2015-03-19 
14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/dh/dh_check.c        2015-04-22 15:06:37.908003903 
+0200
-@@ -164,7 +164,30 @@ int DH_check_pub_key(const DH *dh, const
-     BN_sub_word(q, 1);
-     if (BN_cmp(pub_key, q) >= 0)
-         *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
-+#ifdef OPENSSL_FIPS
-+    if (FIPS_mode() && dh->q != NULL) {
-+        BN_CTX *ctx = NULL;
- 
-+        ctx = BN_CTX_new();
-+        if (ctx == NULL)
-+            goto err;
-+
-+        if (BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL) <= 0) {
-+            BN_CTX_free(ctx);
-+            goto err;
-+        }
-+        if (!BN_is_one(q)) {
-+            /* it would be more correct to add new return flag 
-+             * for this test, but we do not want to do it
-+             * so just error out
-+             */
-+            BN_CTX_free(ctx);
-+            goto err;
-+        }
-+
-+        BN_CTX_free(ctx);
-+    }
-+#endif
-     ok = 1;
-  err:
-     if (q != NULL)
-diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs 
openssl-1.0.2a/crypto/dsa/dsa_gen.c
---- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs      2015-04-22 
15:06:37.841002309 +0200
-+++ openssl-1.0.2a/crypto/dsa/dsa_gen.c        2015-04-22 15:06:37.908003903 
+0200
-@@ -165,9 +165,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
+Index: openssl-1.0.2f/crypto/dsa/dsa_gen.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/dsa/dsa_gen.c   2016-01-28 15:59:54.913268710 
+0100
++++ openssl-1.0.2f/crypto/dsa/dsa_gen.c        2016-01-28 15:59:54.945269236 
+0100
+@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
      }
  
      if (FIPS_module_mode() &&
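Review bot: The refreshed openssl-1.0.2a-new-fips-reqs.patch drops its DH_check_pub_key hunk, and neither changelog entry says the patch was refreshed or why the check was removed. That hunk was the FIPS-mode check that computed `BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL)` and errored out unless the result was one. The 1.0.2f entry lists the DH small-subgroup fix (CVE-2016-0701), so an equivalent check may now come from upstream, but that is an inference from this page and should be confirmed against the 1.0.2f `dh_check.c`. Once confirmed, I would add a changelog line such as `- refresh openssl-1.0.2a-new-fips-reqs.patch: drop DH_check_pub_key subgroup check, now covered upstream`, so the removal of a public-key validation step is traceable.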
@@ -91,9 +61,10 @@
          DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
          goto err;
      }
-diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs 
openssl-1.0.2a/crypto/dsa/dsa.h
---- openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs  2015-04-22 15:06:37.908003903 
+0200
-+++ openssl-1.0.2a/crypto/dsa/dsa.h    2015-04-22 15:09:01.291415852 +0200
+Index: openssl-1.0.2f/crypto/dsa/dsa.h
+===================================================================
+--- openssl-1.0.2f.orig/crypto/dsa/dsa.h       2016-01-28 15:59:54.913268710 
+0100
++++ openssl-1.0.2f/crypto/dsa/dsa.h    2016-01-28 15:59:54.946269253 +0100
 @@ -89,6 +89,7 @@
  # endif
  
@@ -114,10 +85,11 @@
   * Rabin-Miller
   */
  # define DSA_is_prime(n, callback, cb_arg) \
-diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs 
openssl-1.0.2a/crypto/dsa/dsa_key.c
---- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs      2015-04-22 
15:06:37.905003832 +0200
-+++ openssl-1.0.2a/crypto/dsa/dsa_key.c        2015-04-22 15:06:37.908003903 
+0200
-@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
+Index: openssl-1.0.2f/crypto/dsa/dsa_key.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/dsa/dsa_key.c   2016-01-28 15:59:54.913268710 
+0100
++++ openssl-1.0.2f/crypto/dsa/dsa_key.c        2016-01-28 15:59:54.946269253 
+0100
+@@ -120,7 +120,7 @@ static int dsa_builtin_keygen(DSA *dsa)
  
  # ifdef OPENSSL_FIPS
      if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
@@ -126,10 +98,11 @@
          DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
          goto err;
      }
-diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-reqs 
openssl-1.0.2a/crypto/fips/fips.c
---- openssl-1.0.2a/crypto/fips/fips.c.fips-reqs        2015-04-22 
15:06:37.905003832 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.c  2015-04-22 15:06:37.909003927 +0200
-@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
+Index: openssl-1.0.2f/crypto/fips/fips.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/fips/fips.c     2016-01-28 15:59:54.939269138 
+0100
++++ openssl-1.0.2f/crypto/fips/fips.c  2016-01-28 15:59:54.946269253 +0100
+@@ -418,26 +418,24 @@ int FIPS_module_mode_set(int onoff, cons
                  ret = 0;
                  goto end;
              }
@@ -162,9 +135,10 @@
          ret = 1;
          goto end;
      }
-diff -up openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs 
openssl-1.0.2a/crypto/fips/fips_dh_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs    2015-04-22 
15:06:37.909003927 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_dh_selftest.c      2015-04-22 
15:06:37.909003927 +0200
+Index: openssl-1.0.2f/crypto/fips/fips_dh_selftest.c
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c      2016-01-28 
15:59:54.946269253 +0100
 @@ -0,0 +1,162 @@
 +/* ====================================================================
 + * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
@@ -328,9 +302,10 @@
 +    return ret;
 +}
 +#endif
-diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-reqs 
openssl-1.0.2a/crypto/fips/fips.h
---- openssl-1.0.2a/crypto/fips/fips.h.fips-reqs        2015-04-22 
15:06:37.899003689 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.h  2015-04-22 15:06:37.909003927 +0200
+Index: openssl-1.0.2f/crypto/fips/fips.h
+===================================================================
+--- openssl-1.0.2f.orig/crypto/fips/fips.h     2016-01-28 15:59:54.939269138 
+0100
++++ openssl-1.0.2f/crypto/fips/fips.h  2016-01-28 15:59:54.946269253 +0100
 @@ -96,6 +96,7 @@ extern "C" {
      int FIPS_selftest_dsa(void);
      int FIPS_selftest_ecdsa(void);
@@ -339,9 +314,10 @@
      void FIPS_corrupt_rng(void);
      void FIPS_rng_stick(void);
      void FIPS_x931_stick(int onoff);
-diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs 
openssl-1.0.2a/crypto/fips/fips_post.c
---- openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs   2015-04-22 
15:06:37.895003594 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_post.c     2015-04-22 15:06:37.909003927 
+0200
+Index: openssl-1.0.2f/crypto/fips/fips_post.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/fips/fips_post.c        2016-01-28 
15:59:54.933269039 +0100
++++ openssl-1.0.2f/crypto/fips/fips_post.c     2016-01-28 15:59:54.946269253 
+0100
 @@ -99,6 +99,8 @@ int FIPS_selftest(void)
          rv = 0;
      if (!FIPS_selftest_dsa())
@@ -351,9 +327,10 @@
      if (!FIPS_selftest_ecdh())
          rv = 0;
      return rv;
-diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs 
openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs   2015-04-22 
15:06:37.854002618 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c     2015-04-22 
15:06:37.910003951 +0200
+Index: openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/fips/fips_rsa_selftest.c        2016-01-28 
15:59:54.920268825 +0100
++++ openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c     2016-01-28 
15:59:54.947269270 +0100
 @@ -60,68 +60,107 @@
  #ifdef OPENSSL_FIPS
  
@@ -1008,9 +985,10 @@
          RSA_free(key);
      return ret;
  }
-diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-reqs 
openssl-1.0.2a/crypto/fips/Makefile
---- openssl-1.0.2a/crypto/fips/Makefile.fips-reqs      2015-04-22 
15:06:37.895003594 +0200
-+++ openssl-1.0.2a/crypto/fips/Makefile        2015-04-22 15:06:37.910003951 
+0200
+Index: openssl-1.0.2f/crypto/fips/Makefile
+===================================================================
+--- openssl-1.0.2f.orig/crypto/fips/Makefile   2016-01-28 15:59:54.933269039 
+0100
++++ openssl-1.0.2f/crypto/fips/Makefile        2016-01-28 15:59:54.947269270 
+0100
 @@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
      fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c  
fips_rand.c \
      fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c 
fips_drbg_hmac.c \
@@ -1029,9 +1007,10 @@
  
  LIBCRYPTO=-L.. -lcrypto
  
-diff -up openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs 
openssl-1.0.2a/crypto/rand/rand_lcl.h
---- openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs    2015-04-22 
15:06:37.599996574 +0200
-+++ openssl-1.0.2a/crypto/rand/rand_lcl.h      2015-04-22 15:06:37.910003951 
+0200
+Index: openssl-1.0.2f/crypto/rand/rand_lcl.h
+===================================================================
+--- openssl-1.0.2f.orig/crypto/rand/rand_lcl.h 2016-01-28 14:38:31.000000000 
+0100
++++ openssl-1.0.2f/crypto/rand/rand_lcl.h      2016-01-28 15:59:54.947269270 
+0100
 @@ -112,7 +112,7 @@
  #ifndef HEADER_RAND_LCL_H
  # define HEADER_RAND_LCL_H
@@ -1041,9 +1020,10 @@
  
  # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && 
!defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
  #  if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-diff -up openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs 
openssl-1.0.2a/crypto/rand/rand_lib.c
---- openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs    2015-03-19 
14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/rand/rand_lib.c      2015-04-22 15:06:37.910003951 
+0200
+Index: openssl-1.0.2f/crypto/rand/rand_lib.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/rand/rand_lib.c 2016-01-28 14:38:31.000000000 
+0100
++++ openssl-1.0.2f/crypto/rand/rand_lib.c      2016-01-28 15:59:54.947269270 
+0100
 @@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
                           double entropy)
  {
@@ -1067,9 +1047,10 @@
      return 1;
  }
  
-diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs 
openssl-1.0.2a/crypto/rsa/rsa_gen.c
---- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs      2015-04-22 
15:06:37.858002714 +0200
-+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c        2015-04-22 15:06:37.910003951 
+0200
+Index: openssl-1.0.2f/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-1.0.2f.orig/crypto/rsa/rsa_gen.c   2016-01-28 15:59:54.923268874 
+0100
++++ openssl-1.0.2f/crypto/rsa/rsa_gen.c        2016-01-28 15:59:54.947269270 
+0100
 @@ -1,5 +1,6 @@
  /* crypto/rsa/rsa_gen.c */
  /* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
@@ -1371,9 +1352,10 @@
      ok = 1;
   err:
      if (ok == -1) {
-diff -up openssl-1.0.2a/ssl/t1_enc.c.fips-reqs openssl-1.0.2a/ssl/t1_enc.c
---- openssl-1.0.2a/ssl/t1_enc.c.fips-reqs      2015-03-19 14:30:36.000000000 
+0100
-+++ openssl-1.0.2a/ssl/t1_enc.c        2015-04-22 15:06:37.911003975 +0200
+Index: openssl-1.0.2f/ssl/t1_enc.c
+===================================================================
+--- openssl-1.0.2f.orig/ssl/t1_enc.c   2016-01-28 14:56:08.000000000 +0100
++++ openssl-1.0.2f/ssl/t1_enc.c        2016-01-28 15:59:54.947269270 +0100
 @@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
      return ret;
  }

++++++ openssl-1.0.2e-fips.patch ++++++
++++ 1381 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssl/openssl-1.0.2e-fips.patch
++++ and /work/SRC/openSUSE:Factory/.openssl.new/openssl-1.0.2e-fips.patch


