Index: trunk/server/common/oursrc/accountadm/Makefile.in
===================================================================
--- trunk/server/common/oursrc/accountadm/Makefile.in	(revision 2581)
+++ trunk/server/common/oursrc/accountadm/Makefile.in	(revision 2591)
@@ -10,5 +10,5 @@
 all-local: admof
 
-admof: LDLIBS = -lafsauthent_pic -lafsrpc_pic -lresolv -lkrb5 -lpthread
+admof: LDLIBS = -lafsauthent_pic -lafsrpc_pic -lresolv -lkrb5 -lpthread -lk5crypto
 admof: admof.o
 
Index: trunk/server/common/oursrc/httpdmods/mod_authz_afsgroup.c
===================================================================
--- trunk/server/common/oursrc/httpdmods/mod_authz_afsgroup.c	(revision 2581)
+++ trunk/server/common/oursrc/httpdmods/mod_authz_afsgroup.c	(revision 2591)
@@ -13,4 +13,5 @@
 
 #include "ap_config.h"
+#include "ap_provider.h"
 #include "httpd.h"
 #include "http_config.h"
@@ -19,4 +20,6 @@
 #include "http_protocol.h"
 #include "http_request.h"
+
+#include "mod_auth.h"
 
 #include <unistd.h>
@@ -48,111 +51,102 @@
 module AP_MODULE_DECLARE_DATA authz_afsgroup_module;
 
-static int check_afsgroup_access(request_rec *r)
+static authz_status is_user_in_afsgroup(request_rec *r, char* user, char* afsgroup)
+{
+    int pfd[2];
+    pid_t cpid;
+    int status;
+    FILE *fp;
+    char *line = NULL;
+    char buf[256];
+    size_t len = 0;
+    ssize_t read;
+    int found = 0;
+    if (pipe(pfd) == -1) {
+	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+		      "pipe() failed!");
+	return AUTHZ_GENERAL_ERROR;
+    }
+    cpid = fork();
+    if (cpid == -1) {
+	close(pfd[0]);
+	close(pfd[1]);
+	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+		      "fork() failed!");
+	return AUTHZ_GENERAL_ERROR;
+    }
+    if (cpid == 0) {
+	close(pfd[0]);
+	dup2(pfd[1], STDOUT_FILENO);
+	execve("/usr/bin/pts",
+	       (char *const[])
+	       { "pts", "membership", "-nameorid", afsgroup, NULL },
+	       NULL);
+	_exit(1);
+    }
+    close(pfd[1]);
+    fp = fdopen(pfd[0], "r");
+    if (fp == NULL) {
+	close(pfd[0]);
+	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+		      "fdopen() failed!");
+	return AUTHZ_GENERAL_ERROR;
+    }
+    if (snprintf(buf, sizeof(buf), "  %s\n", user) >= sizeof(buf)) {
+	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+		      "access to %s failed, reason: username '%s' "
+		      "is too long!",
+		      r->uri, user);
+	return AUTHZ_DENIED;
+    }
+    while ((read = getline(&line, &len, fp)) != -1) {
+	if (strcmp(line, buf) == 0)
+	    found = 1;
+    }
+    if (line)
+	free(line);
+    fclose(fp);
+    if (waitpid(cpid, &status, 0) == -1) {
+	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+		      "waitpid() failed!");
+	return AUTHZ_GENERAL_ERROR;
+    }
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+		      "`pts membership -nameorid %s` failed!",
+		      afsgroup);
+	return AUTHZ_GENERAL_ERROR;
+    }
+    if (found)
+	return AUTHZ_GRANTED;
+
+    return AUTHZ_DENIED;
+}
+
+static authz_status check_afsgroup_access(request_rec *r,
+				 const char *require_line,
+				 const void *parsed_require_line)
 {
     authz_afsgroup_config_rec *conf = ap_get_module_config(r->per_dir_config,
 							   &authz_afsgroup_module);
-    char *user = r->user;
-    int m = r->method_number;
-    int required_afsgroup = 0;
-    register int x;
     const char *t;
     char *w;
-    const apr_array_header_t *reqs_arr = ap_requires(r);
-    require_line *reqs;
+    authz_status pergroup;
 
-    if (!reqs_arr) {
-        return DECLINED;
-    }
-    reqs = (require_line *)reqs_arr->elts;
-
-    for (x = 0; x < reqs_arr->nelts; x++) {
-
-        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
-            continue;
-        }
-
-        t = reqs[x].requirement;
-        w = ap_getword_white(r->pool, &t);
-        if (!strcasecmp(w, "afsgroup")) {
-            required_afsgroup = 1;
-            while (t[0]) {
-		int pfd[2];
-		pid_t cpid;
-		int status;
-		FILE *fp;
-		char *line = NULL;
-		char buf[256];
-		size_t len = 0;
-		ssize_t read;
-		int found = 0;
-                w = ap_getword_conf(r->pool, &t);
-		if (pipe(pfd) == -1) {
-		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-				  "pipe() failed!");
-		    return HTTP_INTERNAL_SERVER_ERROR;
-		}
-		cpid = fork();
-		if (cpid == -1) {
-		    close(pfd[0]);
-		    close(pfd[1]);
-		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-				  "fork() failed!");
-		    return HTTP_INTERNAL_SERVER_ERROR;
-		}
-		if (cpid == 0) {
-		    close(pfd[0]);
-		    dup2(pfd[1], STDOUT_FILENO);
-		    execve("/usr/bin/pts",
-			   (char *const[]) {
-			       "pts", "membership", "-nameorid", w, NULL
-			   },
-			   NULL);
-		    _exit(1);
-		}
-		close(pfd[1]);
-		fp = fdopen(pfd[0], "r");
-		if (fp == NULL) {
-		    close(pfd[0]);
-		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-				  "fdopen() failed!");
-		    return HTTP_INTERNAL_SERVER_ERROR;
-		}
-		if (snprintf(buf, sizeof(buf), "  %s\n", user) >= sizeof(buf)) {
-		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-				  "access to %s failed, reason: username '%s' "
-				  "is too long!",
-				  r->uri, user);
-		    continue;
-		}
-		while ((read = getline(&line, &len, fp)) != -1) {
-		    if (strcmp(line, buf) == 0)
-			found = 1;
-		}
-		if (line)
-		    free(line);
-		fclose(fp);
-		if (waitpid(cpid, &status, 0) == -1) {
-		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-				  "waitpid() failed!");
-		    return HTTP_INTERNAL_SERVER_ERROR;
-		}
-		if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
-		    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-				  "`pts membership -nameorid %s` failed!",
-				  w);
-		    return HTTP_INTERNAL_SERVER_ERROR;
-		}
-		if (found)
-		    return OK;
-            }
-        }
+    if (!r->user) {
+	return AUTHZ_DENIED_NO_USER;
     }
 
-    if (!required_afsgroup) {
-        return DECLINED;
+    t = require_line;
+    while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+	if ((pergroup = is_user_in_afsgroup(r, r->user, w)) != AUTHZ_DENIED) {
+	    // If we got some return value other than AUTHZ_DENIED, it
+	    // means we either got GRANTED, or some sort of error, and
+	    // we need to bubble that up.
+	    return pergroup;
+	}
     }
 
     if (!conf->authoritative) {
-        return DECLINED;
+        return AUTHZ_NEUTRAL;
     }
 
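Review bot: The too-long-username branch in `is_user_in_afsgroup` returns `AUTHZ_DENIED` after the child has been forked and `fp` opened, so that path leaks the pipe's read end and never reaps the `pts` child. The `fdopen()` failure branch likewise returns without `waitpid()`. Moving the `snprintf(buf, sizeof(buf), "  %s\n", user)` length check above `pipe()` removes the first leak with no extra cleanup code, and the `fdopen()` branch should call `waitpid(cpid, &status, 0);` after `close(pfd[0]);`. In the child, `dup2()` is unchecked; `if (dup2(pfd[1], STDOUT_FILENO) == -1) _exit(1);` makes that failure show up as a non-zero exit and `AUTHZ_GENERAL_ERROR` instead of an empty membership list. The body of `check_afsgroup_access` continues past the end of this hunk.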
@@ -160,13 +154,21 @@
                   "access to %s failed, reason: user '%s' does not meet "
                   "'require'ments for afsgroup to be allowed access",
-                  r->uri, user);
+                  r->uri, r->user);
 
-    ap_note_auth_failure(r);
-    return HTTP_FORBIDDEN;
+    return AUTHZ_DENIED;
 }
+
+static const authz_provider authz_afsgroup_provider =
+{
+    &check_afsgroup_access,
+    NULL,
+};
 
 static void register_hooks(apr_pool_t *p)
 {
-    ap_hook_auth_checker(check_afsgroup_access, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "afsgroup",
+                              AUTHZ_PROVIDER_VERSION,
+                              &authz_afsgroup_provider, AP_AUTH_INTERNAL_PER_CONF);
+
 }
 
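Review bot: `authz_afsgroup_provider` is initialised positionally, so a reader has to know the member order of `authz_provider` to see that the `NULL` is the require-line parser. Designated initialisers, `.check_authorization = &check_afsgroup_access, .parse_require_line = NULL,`, say this directly, and the file already relies on C99 (compound literals). A short comment on `check_afsgroup_access` (which starts in the previous hunk) stating that `parsed_require_line` is unused and that each word of `require_line` is looked up as an AFS group would document the provider contract. The blank line before the closing brace of `register_hooks` can be dropped.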
Index: trunk/server/common/oursrc/httpdmods/mod_original_dst.c
===================================================================
--- trunk/server/common/oursrc/httpdmods/mod_original_dst.c	(revision 2581)
+++ trunk/server/common/oursrc/httpdmods/mod_original_dst.c	(revision 2591)
@@ -16,8 +16,11 @@
 #include "ap_config.h"
 #include "ap_listen.h"
+#include "apr_portable.h"
 #include "http_config.h"
 #include "http_log.h"
 #include "httpd.h"
-#include "mpm.h"
+#include "unixd.h"
+
+#define MPM_ACCEPT_FUNC ap_unixd_accept
 
 extern void apr_sockaddr_vars_set(apr_sockaddr_t *, int, apr_port_t);
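Review bot: `#define MPM_ACCEPT_FUNC ap_unixd_accept` is unconditional and has no comment, so nothing records why the module now supplies a macro that presumably used to come from the removed `mpm.h` include. Wrapping it in `#ifndef MPM_ACCEPT_FUNC` / `#endif` avoids a redefinition warning if an included header still defines it. A one-line comment such as `/* mpm.h is no longer included; name the unixd accept function directly */` would explain the intent. The code that uses the macro is outside this hunk.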
Index: trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in
===================================================================
--- trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in	(revision 2581)
+++ trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in	(revision 2591)
@@ -3,5 +3,5 @@
 /sbin/sysctl -q afs.GCPAGs=0
 @fs_path@ setcrypt on
-@fs_path@ sysname 'amd64_fedora17_scripts' 'amd64_fedora15_scripts' 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora17' 'amd64_fedora15' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb60' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2'
+@fs_path@ sysname 'amd64_fedora20_scripts' 'amd64_fedora17_scripts' 'amd64_fedora15_scripts' 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora20' 'amd64_fedora17' 'amd64_fedora15' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb60' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2'
 
 @fs_path@ setcell -nosuid -c athena
Index: trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service
===================================================================
--- trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service	(revision 2581)
+++ trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service	(revision 2591)
@@ -2,5 +2,5 @@
 Description=Scripts AFS Configuration Service
 After=syslog.target openafs-client.service
-Before=crond.service
+Before=remote-fs.target
 Requires=openafs-client.service
 
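Review bot: Dropping `Before=crond.service` means this unit no longer states its own ordering ahead of cron. That ordering now holds only if crond is itself ordered after `remote-fs.target` on the target system, which this diff does not show. If cron jobs depend on the AFS setup done here, a comment in the unit such as `# ordering ahead of crond relies on remote-fs.target` would record the assumption. The same applies to the `[Install]` hunk below and to both hunks of scripts-afsagent.service.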
@@ -10,3 +10,3 @@
 
 [Install]
-WantedBy=multi-user.target remote-fs.target crond.service
+WantedBy=multi-user.target remote-fs.target
Index: trunk/server/common/oursrc/tokensys/scripts-afsagent.service
===================================================================
--- trunk/server/common/oursrc/tokensys/scripts-afsagent.service	(revision 2581)
+++ trunk/server/common/oursrc/tokensys/scripts-afsagent.service	(revision 2591)
@@ -2,5 +2,5 @@
 Description=Scripts afsagent Service
 After=syslog.target openafs-client.service
-Before=crond.service
+Before=remote-fs.target
 Requires=openafs-client.service
 
@@ -11,3 +11,3 @@
 
 [Install]
-WantedBy=multi-user.target remote-fs.target crond.service
+WantedBy=multi-user.target remote-fs.target
Index: trunk/server/common/patches/cve-2014-0196.patch
===================================================================
--- trunk/server/common/patches/cve-2014-0196.patch	(revision 2581)
+++ 	(revision )
@@ -1,83 +1,0 @@
-From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001
-From: Peter Hurley <peter@hurleysoftware.com>
-Date: Sat, 3 May 2014 14:04:59 +0200
-Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode
-
-The tty atomic_write_lock does not provide an exclusion guarantee for
-the tty driver if the termios settings are LECHO & !OPOST.  And since
-it is unexpected and not allowed to call TTY buffer helpers like
-tty_insert_flip_string concurrently, this may lead to crashes when
-concurrect writers call pty_write. In that case the following two
-writers:
-* the ECHOing from a workqueue and
-* pty_write from the process
-race and can overflow the corresponding TTY buffer like follows.
-
-If we look into tty_insert_flip_string_fixed_flag, there is:
-  int space = __tty_buffer_request_room(port, goal, flags);
-  struct tty_buffer *tb = port->buf.tail;
-  ...
-  memcpy(char_buf_ptr(tb, tb->used), chars, space);
-  ...
-  tb->used += space;
-
-so the race of the two can result in something like this:
-              A                                B
-__tty_buffer_request_room
-                                  __tty_buffer_request_room
-memcpy(buf(tb->used), ...)
-tb->used += space;
-                                  memcpy(buf(tb->used), ...) ->BOOM
-
-B's memcpy is past the tty_buffer due to the previous A's tb->used
-increment.
-
-Since the N_TTY line discipline input processing can output
-concurrently with a tty write, obtain the N_TTY ldisc output_lock to
-serialize echo output with normal tty writes.  This ensures the tty
-buffer helper tty_insert_flip_string is not called concurrently and
-everything is fine.
-
-Note that this is nicely reproducible by an ordinary user using
-forkpty and some setup around that (raw termios + ECHO). And it is
-present in kernels at least after commit
-d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
-use the normal buffering logic) in 2.6.31-rc3.
-
-js: add more info to the commit log
-js: switch to bool
-js: lock unconditionally
-js: lock only the tty->ops->write call
-
-References: CVE-2014-0196
-Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
-Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/n_tty.c |    4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 41fe8a0..fe9d129 100644
---- a/drivers/tty/n_tty.c
-+++ b/drivers/tty/n_tty.c
-@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
- 			if (tty->ops->flush_chars)
- 				tty->ops->flush_chars(tty);
- 		} else {
-+			struct n_tty_data *ldata = tty->disc_data;
-+
- 			while (nr > 0) {
-+				mutex_lock(&ldata->output_lock);
- 				c = tty->ops->write(tty, b, nr);
-+				mutex_unlock(&ldata->output_lock);
- 				if (c < 0) {
- 					retval = c;
- 					goto break_out;
--- 
-1.7.10.4
-
Index: trunk/server/common/patches/cve-2014-3153-0.patch
===================================================================
--- trunk/server/common/patches/cve-2014-3153-0.patch	(revision 2581)
+++ 	(revision )
@@ -1,165 +1,0 @@
-From cabef9fee397081ec3dfbde2955d4db675a96a4a Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Mon, 12 May 2014 20:45:34 +0000
-Subject: [PATCH 1/1] futex: Add another early deadlock detection check
-
-commit 866293ee54227584ffcb4a42f69c1f365974ba7f upstream.
-
-Dave Jones trinity syscall fuzzer exposed an issue in the deadlock
-detection code of rtmutex:
-  http://lkml.kernel.org/r/20140429151655.GA14277@redhat.com
-
-That underlying issue has been fixed with a patch to the rtmutex code,
-but the futex code must not call into rtmutex in that case because
-    - it can detect that issue early
-    - it avoids a different and more complex fixup for backing out
-
-If the user space variable got manipulated to 0x80000000 which means
-no lock holder, but the waiters bit set and an active pi_state in the
-kernel is found we can figure out the recursive locking issue by
-looking at the pi_state owner. If that is the current task, then we
-can safely return -EDEADLK.
-
-The check should have been added in commit 59fa62451 (futex: Handle
-futex_pi OWNER_DIED take over correctly) already, but I did not see
-the above issue caused by user space manipulation back then.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Dave Jones <davej@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Darren Hart <darren@dvhart.com>
-Cc: Davidlohr Bueso <davidlohr@hp.com>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Clark Williams <williams@redhat.com>
-Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
-Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
-Cc: Roland McGrath <roland@hack.frob.com>
-Cc: Carlos ODonell <carlos@redhat.com>
-Cc: Jakub Jelinek <jakub@redhat.com>
-Cc: Michael Kerrisk <mtk.manpages@gmail.com>
-Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Link: http://lkml.kernel.org/r/20140512201701.097349971@linutronix.de
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c |   47 ++++++++++++++++++++++++++++++++++-------------
- 1 file changed, 34 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/futex.c b/kernel/futex.c
-index 3bc18bf..66af37d 100644
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -594,7 +594,8 @@ void exit_pi_state_list(struct task_struct *curr)
- 
- static int
- lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
--		union futex_key *key, struct futex_pi_state **ps)
-+		union futex_key *key, struct futex_pi_state **ps,
-+		struct task_struct *task)
- {
- 	struct futex_pi_state *pi_state = NULL;
- 	struct futex_q *this, *next;
-@@ -638,6 +639,16 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
- 					return -EINVAL;
- 			}
- 
-+			/*
-+			 * Protect against a corrupted uval. If uval
-+			 * is 0x80000000 then pid is 0 and the waiter
-+			 * bit is set. So the deadlock check in the
-+			 * calling code has failed and we did not fall
-+			 * into the check above due to !pid.
-+			 */
-+			if (task && pi_state->owner == task)
-+				return -EDEADLK;
-+
- 			atomic_inc(&pi_state->refcount);
- 			*ps = pi_state;
- 
-@@ -787,7 +798,7 @@ retry:
- 	 * We dont have the lock. Look up the PI state (or create it if
- 	 * we are the first waiter):
- 	 */
--	ret = lookup_pi_state(uval, hb, key, ps);
-+	ret = lookup_pi_state(uval, hb, key, ps, task);
- 
- 	if (unlikely(ret)) {
- 		switch (ret) {
-@@ -1197,7 +1208,7 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
-  *
-  * Return:
-  *  0 - failed to acquire the lock atomically;
-- *  1 - acquired the lock;
-+ * >0 - acquired the lock, return value is vpid of the top_waiter
-  * <0 - error
-  */
- static int futex_proxy_trylock_atomic(u32 __user *pifutex,
-@@ -1208,7 +1219,7 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
- {
- 	struct futex_q *top_waiter = NULL;
- 	u32 curval;
--	int ret;
-+	int ret, vpid;
- 
- 	if (get_futex_value_locked(&curval, pifutex))
- 		return -EFAULT;
-@@ -1236,11 +1247,13 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
- 	 * the contended case or if set_waiters is 1.  The pi_state is returned
- 	 * in ps in contended cases.
- 	 */
-+	vpid = task_pid_vnr(top_waiter->task);
- 	ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
- 				   set_waiters);
--	if (ret == 1)
-+	if (ret == 1) {
- 		requeue_pi_wake_futex(top_waiter, key2, hb2);
--
-+		return vpid;
-+	}
- 	return ret;
- }
- 
-@@ -1272,7 +1285,6 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
- 	struct futex_hash_bucket *hb1, *hb2;
- 	struct plist_head *head1;
- 	struct futex_q *this, *next;
--	u32 curval2;
- 
- 	if (requeue_pi) {
- 		/*
-@@ -1358,16 +1370,25 @@ retry_private:
- 		 * At this point the top_waiter has either taken uaddr2 or is
- 		 * waiting on it.  If the former, then the pi_state will not
- 		 * exist yet, look it up one more time to ensure we have a
--		 * reference to it.
-+		 * reference to it. If the lock was taken, ret contains the
-+		 * vpid of the top waiter task.
- 		 */
--		if (ret == 1) {
-+		if (ret > 0) {
- 			WARN_ON(pi_state);
- 			drop_count++;
- 			task_count++;
--			ret = get_futex_value_locked(&curval2, uaddr2);
--			if (!ret)
--				ret = lookup_pi_state(curval2, hb2, &key2,
--						      &pi_state);
-+			/*
-+			 * If we acquired the lock, then the user
-+			 * space value of uaddr2 should be vpid. It
-+			 * cannot be changed by the top waiter as it
-+			 * is blocked on hb2 lock if it tries to do
-+			 * so. If something fiddled with it behind our
-+			 * back the pi state lookup might unearth
-+			 * it. So we rather use the known value than
-+			 * rereading and handing potential crap to
-+			 * lookup_pi_state.
-+			 */
-+			ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
- 		}
- 
- 		switch (ret) {
--- 
-1.7.10.4
-
Index: trunk/server/common/patches/cve-2014-3153-1.patch
===================================================================
--- trunk/server/common/patches/cve-2014-3153-1.patch	(revision 2581)
+++ 	(revision )
@@ -1,87 +1,0 @@
-From b58623fb64ff0454ec20bce7a02275a20c23086d Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Tue, 3 Jun 2014 12:27:06 +0000
-Subject: [PATCH 1/4] futex-prevent-requeue-pi-on-same-futex.patch futex:
- Forbid uaddr == uaddr2 in futex_requeue(...,
- requeue_pi=1)
-
-commit e9c243a5a6de0be8e584c604d353412584b592f8 upstream.
-
-If uaddr == uaddr2, then we have broken the rule of only requeueing from
-a non-pi futex to a pi futex with this call.  If we attempt this, then
-dangling pointers may be left for rt_waiter resulting in an exploitable
-condition.
-
-This change brings futex_requeue() in line with futex_wait_requeue_pi()
-which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
-uaddr == uaddr2 in futex_wait_requeue_pi()")
-
-[ tglx: Compare the resulting keys as well, as uaddrs might be
-  	different depending on the mapping ]
-
-Fixes CVE-2014-3153.
-
-Reported-by: Pinkie Pie
-Signed-off-by: Will Drewry <wad@chromium.org>
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Darren Hart <dvhart@linux.intel.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c |   25 +++++++++++++++++++++++++
- 1 file changed, 25 insertions(+)
-
-diff --git a/kernel/futex.c b/kernel/futex.c
-index 58743c0..93e522f 100644
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -1293,6 +1293,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
- 
- 	if (requeue_pi) {
- 		/*
-+		 * Requeue PI only works on two distinct uaddrs. This
-+		 * check is only valid for private futexes. See below.
-+		 */
-+		if (uaddr1 == uaddr2)
-+			return -EINVAL;
-+
-+		/*
- 		 * requeue_pi requires a pi_state, try to allocate it now
- 		 * without any locks in case it fails.
- 		 */
-@@ -1330,6 +1337,15 @@ retry:
- 	if (unlikely(ret != 0))
- 		goto out_put_key1;
- 
-+	/*
-+	 * The check above which compares uaddrs is not sufficient for
-+	 * shared futexes. We need to compare the keys:
-+	 */
-+	if (requeue_pi && match_futex(&key1, &key2)) {
-+		ret = -EINVAL;
-+		goto out_put_keys;
-+	}
-+
- 	hb1 = hash_futex(&key1);
- 	hb2 = hash_futex(&key2);
- 
-@@ -2360,6 +2376,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
- 	if (ret)
- 		goto out_key2;
- 
-+	/*
-+	 * The check above which compares uaddrs is not sufficient for
-+	 * shared futexes. We need to compare the keys:
-+	 */
-+	if (match_futex(&q.key, &key2)) {
-+		ret = -EINVAL;
-+		goto out_put_keys;
-+	}
-+
- 	/* Queue the futex_q, drop the hb lock, wait for wakeup. */
- 	futex_wait_queue_me(hb, &q, to);
- 
--- 
-1.7.10.4
-
Index: trunk/server/common/patches/cve-2014-3153-2.patch
===================================================================
--- trunk/server/common/patches/cve-2014-3153-2.patch	(revision 2581)
+++ 	(revision )
@@ -1,59 +1,0 @@
-From 63d6ad59dd43f44249150aa8c72eeb01bbe0a599 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Tue, 3 Jun 2014 12:27:06 +0000
-Subject: [PATCH 2/4] futex: Validate atomic acquisition in
- futex_lock_pi_atomic()
-
-commit b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 upstream.
-
-We need to protect the atomic acquisition in the kernel against rogue
-user space which sets the user space futex to 0, so the kernel side
-acquisition succeeds while there is existing state in the kernel
-associated to the real owner.
-
-Verify whether the futex has waiters associated with kernel state.  If
-it has, return -EINVAL.  The state is corrupted already, so no point in
-cleaning it up.  Subsequent calls will fail as well.  Not our problem.
-
-[ tglx: Use futex_top_waiter() and explain why we do not need to try
-  	restoring the already corrupted user space state. ]
-
-Signed-off-by: Darren Hart <dvhart@linux.intel.com>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Will Drewry <wad@chromium.org>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c |   14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/kernel/futex.c b/kernel/futex.c
-index 93e522f..8c1e6d0 100644
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -762,10 +762,18 @@ retry:
- 		return -EDEADLK;
- 
- 	/*
--	 * Surprise - we got the lock. Just return to userspace:
-+	 * Surprise - we got the lock, but we do not trust user space at all.
- 	 */
--	if (unlikely(!curval))
--		return 1;
-+	if (unlikely(!curval)) {
-+		/*
-+		 * We verify whether there is kernel state for this
-+		 * futex. If not, we can safely assume, that the 0 ->
-+		 * TID transition is correct. If state exists, we do
-+		 * not bother to fixup the user space state as it was
-+		 * corrupted already.
-+		 */
-+		return futex_top_waiter(hb, key) ? -EINVAL : 1;
-+	}
- 
- 	uval = curval;
- 
--- 
-1.7.10.4
-
Index: trunk/server/common/patches/cve-2014-3153-3.patch
===================================================================
--- trunk/server/common/patches/cve-2014-3153-3.patch	(revision 2581)
+++ 	(revision )
@@ -1,102 +1,0 @@
-From 9ad5dabd87e8dd5506529e12e4e8c7b25fb88d7a Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Tue, 3 Jun 2014 12:27:07 +0000
-Subject: [PATCH 3/4] futex: Always cleanup owner tid in unlock_pi
-
-commit 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e upstream.
-
-If the owner died bit is set at futex_unlock_pi, we currently do not
-cleanup the user space futex.  So the owner TID of the current owner
-(the unlocker) persists.  That's observable inconsistant state,
-especially when the ownership of the pi state got transferred.
-
-Clean it up unconditionally.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Will Drewry <wad@chromium.org>
-Cc: Darren Hart <dvhart@linux.intel.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c |   40 ++++++++++++++++++----------------------
- 1 file changed, 18 insertions(+), 22 deletions(-)
-
-diff --git a/kernel/futex.c b/kernel/futex.c
-index 8c1e6d0..9720c42 100644
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -903,6 +903,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
- 	struct task_struct *new_owner;
- 	struct futex_pi_state *pi_state = this->pi_state;
- 	u32 uninitialized_var(curval), newval;
-+	int ret = 0;
- 
- 	if (!pi_state)
- 		return -EINVAL;
-@@ -926,23 +927,19 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
- 		new_owner = this->task;
- 
- 	/*
--	 * We pass it to the next owner. (The WAITERS bit is always
--	 * kept enabled while there is PI state around. We must also
--	 * preserve the owner died bit.)
-+	 * We pass it to the next owner. The WAITERS bit is always
-+	 * kept enabled while there is PI state around. We cleanup the
-+	 * owner died bit, because we are the owner.
- 	 */
--	if (!(uval & FUTEX_OWNER_DIED)) {
--		int ret = 0;
--
--		newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
-+	newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
- 
--		if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
--			ret = -EFAULT;
--		else if (curval != uval)
--			ret = -EINVAL;
--		if (ret) {
--			raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
--			return ret;
--		}
-+	if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
-+		ret = -EFAULT;
-+	else if (curval != uval)
-+		ret = -EINVAL;
-+	if (ret) {
-+		raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
-+		return ret;
- 	}
- 
- 	raw_spin_lock_irq(&pi_state->owner->pi_lock);
-@@ -2187,9 +2184,10 @@ retry:
- 	/*
- 	 * To avoid races, try to do the TID -> 0 atomic transition
- 	 * again. If it succeeds then we can return without waking
--	 * anyone else up:
-+	 * anyone else up. We only try this if neither the waiters nor
-+	 * the owner died bit are set.
- 	 */
--	if (!(uval & FUTEX_OWNER_DIED) &&
-+	if (!(uval & ~FUTEX_TID_MASK) &&
- 	    cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
- 		goto pi_faulted;
- 	/*
-@@ -2221,11 +2219,9 @@ retry:
- 	/*
- 	 * No waiters - kernel unlocks the futex:
- 	 */
--	if (!(uval & FUTEX_OWNER_DIED)) {
--		ret = unlock_futex_pi(uaddr, uval);
--		if (ret == -EFAULT)
--			goto pi_faulted;
--	}
-+	ret = unlock_futex_pi(uaddr, uval);
-+	if (ret == -EFAULT)
-+		goto pi_faulted;
- 
- out_unlock:
- 	spin_unlock(&hb->lock);
--- 
-1.7.10.4
-
Index: trunk/server/common/patches/cve-2014-3153-4.patch
===================================================================
--- trunk/server/common/patches/cve-2014-3153-4.patch	(revision 2581)
+++ 	(revision )
@@ -1,281 +1,0 @@
-From efccdcdb63a7f7cc7cc1816f0d5e2524eb084c72 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Tue, 3 Jun 2014 12:27:08 +0000
-Subject: [PATCH 4/4] futex: Make lookup_pi_state more robust
-
-commit 54a217887a7b658e2650c3feff22756ab80c7339 upstream.
-
-The current implementation of lookup_pi_state has ambigous handling of
-the TID value 0 in the user space futex.  We can get into the kernel
-even if the TID value is 0, because either there is a stale waiters bit
-or the owner died bit is set or we are called from the requeue_pi path
-or from user space just for fun.
-
-The current code avoids an explicit sanity check for pid = 0 in case
-that kernel internal state (waiters) are found for the user space
-address.  This can lead to state leakage and worse under some
-circumstances.
-
-Handle the cases explicit:
-
-       Waiter | pi_state | pi->owner | uTID      | uODIED | ?
-
-  [1]  NULL   | ---      | ---       | 0         | 0/1    | Valid
-  [2]  NULL   | ---      | ---       | >0        | 0/1    | Valid
-
-  [3]  Found  | NULL     | --        | Any       | 0/1    | Invalid
-
-  [4]  Found  | Found    | NULL      | 0         | 1      | Valid
-  [5]  Found  | Found    | NULL      | >0        | 1      | Invalid
-
-  [6]  Found  | Found    | task      | 0         | 1      | Valid
-
-  [7]  Found  | Found    | NULL      | Any       | 0      | Invalid
-
-  [8]  Found  | Found    | task      | ==taskTID | 0/1    | Valid
-  [9]  Found  | Found    | task      | 0         | 0      | Invalid
-  [10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid
-
- [1] Indicates that the kernel can acquire the futex atomically. We
-     came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
-
- [2] Valid, if TID does not belong to a kernel thread. If no matching
-     thread is found then it indicates that the owner TID has died.
-
- [3] Invalid. The waiter is queued on a non PI futex
-
- [4] Valid state after exit_robust_list(), which sets the user space
-     value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
-
- [5] The user space value got manipulated between exit_robust_list()
-     and exit_pi_state_list()
-
- [6] Valid state after exit_pi_state_list() which sets the new owner in
-     the pi_state but cannot access the user space value.
-
- [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
-
- [8] Owner and user space value match
-
- [9] There is no transient state which sets the user space TID to 0
-     except exit_robust_list(), but this is indicated by the
-     FUTEX_OWNER_DIED bit. See [4]
-
-[10] There is no transient state which leaves owner and user space
-     TID out of sync.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Will Drewry <wad@chromium.org>
-Cc: Darren Hart <dvhart@linux.intel.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c |  134 ++++++++++++++++++++++++++++++++++++++++++++------------
- 1 file changed, 106 insertions(+), 28 deletions(-)
-
-diff --git a/kernel/futex.c b/kernel/futex.c
-index 9720c42..625a4e6 100644
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -592,10 +592,58 @@ void exit_pi_state_list(struct task_struct *curr)
- 	raw_spin_unlock_irq(&curr->pi_lock);
- }
- 
-+/*
-+ * We need to check the following states:
-+ *
-+ *      Waiter | pi_state | pi->owner | uTID      | uODIED | ?
-+ *
-+ * [1]  NULL   | ---      | ---       | 0         | 0/1    | Valid
-+ * [2]  NULL   | ---      | ---       | >0        | 0/1    | Valid
-+ *
-+ * [3]  Found  | NULL     | --        | Any       | 0/1    | Invalid
-+ *
-+ * [4]  Found  | Found    | NULL      | 0         | 1      | Valid
-+ * [5]  Found  | Found    | NULL      | >0        | 1      | Invalid
-+ *
-+ * [6]  Found  | Found    | task      | 0         | 1      | Valid
-+ *
-+ * [7]  Found  | Found    | NULL      | Any       | 0      | Invalid
-+ *
-+ * [8]  Found  | Found    | task      | ==taskTID | 0/1    | Valid
-+ * [9]  Found  | Found    | task      | 0         | 0      | Invalid
-+ * [10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid
-+ *
-+ * [1]	Indicates that the kernel can acquire the futex atomically. We
-+ *	came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
-+ *
-+ * [2]	Valid, if TID does not belong to a kernel thread. If no matching
-+ *      thread is found then it indicates that the owner TID has died.
-+ *
-+ * [3]	Invalid. The waiter is queued on a non PI futex
-+ *
-+ * [4]	Valid state after exit_robust_list(), which sets the user space
-+ *	value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
-+ *
-+ * [5]	The user space value got manipulated between exit_robust_list()
-+ *	and exit_pi_state_list()
-+ *
-+ * [6]	Valid state after exit_pi_state_list() which sets the new owner in
-+ *	the pi_state but cannot access the user space value.
-+ *
-+ * [7]	pi_state->owner can only be NULL when the OWNER_DIED bit is set.
-+ *
-+ * [8]	Owner and user space value match
-+ *
-+ * [9]	There is no transient state which sets the user space TID to 0
-+ *	except exit_robust_list(), but this is indicated by the
-+ *	FUTEX_OWNER_DIED bit. See [4]
-+ *
-+ * [10] There is no transient state which leaves owner and user space
-+ *	TID out of sync.
-+ */
- static int
- lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
--		union futex_key *key, struct futex_pi_state **ps,
--		struct task_struct *task)
-+		union futex_key *key, struct futex_pi_state **ps)
- {
- 	struct futex_pi_state *pi_state = NULL;
- 	struct futex_q *this, *next;
-@@ -608,12 +656,13 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
- 	plist_for_each_entry_safe(this, next, head, list) {
- 		if (match_futex(&this->key, key)) {
- 			/*
--			 * Another waiter already exists - bump up
--			 * the refcount and return its pi_state:
-+			 * Sanity check the waiter before increasing
-+			 * the refcount and attaching to it.
- 			 */
- 			pi_state = this->pi_state;
- 			/*
--			 * Userspace might have messed up non-PI and PI futexes
-+			 * Userspace might have messed up non-PI and
-+			 * PI futexes [3]
- 			 */
- 			if (unlikely(!pi_state))
- 				return -EINVAL;
-@@ -621,44 +670,70 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
- 			WARN_ON(!atomic_read(&pi_state->refcount));
- 
- 			/*
--			 * When pi_state->owner is NULL then the owner died
--			 * and another waiter is on the fly. pi_state->owner
--			 * is fixed up by the task which acquires
--			 * pi_state->rt_mutex.
--			 *
--			 * We do not check for pid == 0 which can happen when
--			 * the owner died and robust_list_exit() cleared the
--			 * TID.
-+			 * Handle the owner died case:
- 			 */
--			if (pid && pi_state->owner) {
-+			if (uval & FUTEX_OWNER_DIED) {
- 				/*
--				 * Bail out if user space manipulated the
--				 * futex value.
-+				 * exit_pi_state_list sets owner to NULL and
-+				 * wakes the topmost waiter. The task which
-+				 * acquires the pi_state->rt_mutex will fixup
-+				 * owner.
- 				 */
--				if (pid != task_pid_vnr(pi_state->owner))
-+				if (!pi_state->owner) {
-+					/*
-+					 * No pi state owner, but the user
-+					 * space TID is not 0. Inconsistent
-+					 * state. [5]
-+					 */
-+					if (pid)
-+						return -EINVAL;
-+					/*
-+					 * Take a ref on the state and
-+					 * return. [4]
-+					 */
-+					goto out_state;
-+				}
-+
-+				/*
-+				 * If TID is 0, then either the dying owner
-+				 * has not yet executed exit_pi_state_list()
-+				 * or some waiter acquired the rtmutex in the
-+				 * pi state, but did not yet fixup the TID in
-+				 * user space.
-+				 *
-+				 * Take a ref on the state and return. [6]
-+				 */
-+				if (!pid)
-+					goto out_state;
-+			} else {
-+				/*
-+				 * If the owner died bit is not set,
-+				 * then the pi_state must have an
-+				 * owner. [7]
-+				 */
-+				if (!pi_state->owner)
- 					return -EINVAL;
- 			}
- 
- 			/*
--			 * Protect against a corrupted uval. If uval
--			 * is 0x80000000 then pid is 0 and the waiter
--			 * bit is set. So the deadlock check in the
--			 * calling code has failed and we did not fall
--			 * into the check above due to !pid.
-+			 * Bail out if user space manipulated the
-+			 * futex value. If pi state exists then the
-+			 * owner TID must be the same as the user
-+			 * space TID. [9/10]
- 			 */
--			if (task && pi_state->owner == task)
--				return -EDEADLK;
-+			if (pid != task_pid_vnr(pi_state->owner))
-+				return -EINVAL;
- 
-+		out_state:
- 			atomic_inc(&pi_state->refcount);
- 			*ps = pi_state;
--
- 			return 0;
- 		}
- 	}
- 
- 	/*
- 	 * We are the first waiter - try to look up the real owner and attach
--	 * the new pi_state to it, but bail out when TID = 0
-+	 * the new pi_state to it, but bail out when TID = 0 [1]
- 	 */
- 	if (!pid)
- 		return -ESRCH;
-@@ -691,6 +766,9 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
- 		return ret;
- 	}
- 
-+	/*
-+	 * No existing pi state. First waiter. [2]
-+	 */
- 	pi_state = alloc_pi_state();
- 
- 	/*
-@@ -811,7 +889,7 @@ retry:
- 	 * We dont have the lock. Look up the PI state (or create it if
- 	 * we are the first waiter):
- 	 */
--	ret = lookup_pi_state(uval, hb, key, ps, task);
-+	ret = lookup_pi_state(uval, hb, key, ps);
- 
- 	if (unlikely(ret)) {
- 		switch (ret) {
-@@ -1414,7 +1492,7 @@ retry_private:
- 			 * rereading and handing potential crap to
- 			 * lookup_pi_state.
- 			 */
--			ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
-+			ret = lookup_pi_state(ret, hb2, &key2, &pi_state);
- 		}
- 
- 		switch (ret) {
--- 
-1.7.10.4
-
Index: trunk/server/common/patches/gnutls-2.12.x-cve-2014-0092.patch
===================================================================
--- trunk/server/common/patches/gnutls-2.12.x-cve-2014-0092.patch	(revision 2581)
+++ 	(revision )
@@ -1,93 +1,0 @@
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index 2efcebf..e9c704d 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   if (result < 0)
-     {
-       gnutls_assert ();
--      goto cleanup;
-+      goto fail;
-     }
- 
-   result =
-@@ -150,7 +150,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   if (result < 0)
-     {
-       gnutls_assert ();
--      goto cleanup;
-+      goto fail;
-     }
- 
-   result =
-@@ -158,7 +158,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   if (result < 0)
-     {
-       gnutls_assert ();
--      goto cleanup;
-+      goto fail;
-     }
- 
-   result =
-@@ -166,7 +166,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   if (result < 0)
-     {
-       gnutls_assert ();
--      goto cleanup;
-+      goto fail;
-     }
- 
-   /* If the subject certificate is the same as the issuer
-@@ -206,6 +206,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   else
-     gnutls_assert ();
- 
-+fail:
-   result = 0;
- 
- cleanup:
-@@ -330,7 +331,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   gnutls_datum_t cert_signed_data = { NULL, 0 };
-   gnutls_datum_t cert_signature = { NULL, 0 };
-   gnutls_x509_crt_t issuer = NULL;
--  int issuer_version, result;
-+  int issuer_version, result = 0;
- 
-   if (output)
-     *output = 0;
-@@ -363,7 +364,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   if (issuer_version < 0)
-     {
-       gnutls_assert ();
--      return issuer_version;
-+      return 0;
-     }
- 
-   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
-@@ -385,6 +386,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   if (result < 0)
-     {
-       gnutls_assert ();
-+      result = 0;
-       goto cleanup;
-     }
- 
-@@ -393,6 +395,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   if (result < 0)
-     {
-       gnutls_assert ();
-+      result = 0;
-       goto cleanup;
-     }
- 
-@@ -410,6 +413,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   else if (result < 0)
-     {
-       gnutls_assert();
-+      result = 0;
-       goto cleanup;
-     }
- 
--- 
-1.7.11.7
-
Index: trunk/server/common/patches/httpd-2.2.x-304.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-304.patch	(revision 2581)
+++ 	(revision )
@@ -1,14 +1,0 @@
---- httpd-2.2.10/server/util_script.c.orig	2006-09-15 09:19:25.000000000 -0400
-+++ httpd-2.2.10/server/util_script.c	2009-03-28 14:33:17.000000000 -0400
-@@ -482,6 +482,11 @@
-             if ((cgi_status == HTTP_UNSET) && (r->method_number == M_GET)) {
-                 cond_status = ap_meets_conditions(r);
-             }
-+            else if ((cgi_status == HTTP_NO_CONTENT) ||
-+                     (cgi_status == HTTP_NOT_MODIFIED) ||
-+                     ap_is_HTTP_INFO(cgi_status)) {
-+                r->header_only = 1; /* discard any body */
-+            }
-             apr_table_overlap(r->err_headers_out, merge,
-                 APR_OVERLAP_TABLES_MERGE);
-             if (!apr_is_empty_table(cookie_table)) {
Index: trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch	(revision 2581)
+++ 	(revision )
@@ -1,176 +1,0 @@
-Index: httpd-2.2.x/modules/ssl/ssl_private.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_private.h	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_private.h	(working copy)
-@@ -395,6 +395,9 @@ typedef struct {
- #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-     const char     *szCryptoDevice;
- #endif
-+#ifndef OPENSSL_NO_TLSEXT
-+    ssl_enabled_t  session_tickets_enabled;
-+#endif
-     struct {
-         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
-     } rCtx;
-@@ -547,6 +550,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
- const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
- const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
- const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
-+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
- 
- const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
- const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
-Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c	(working copy)
-@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
-         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
-         ssl_die();
-     }
-+
-+    /*
-+     * Session tickets (stateless resumption)
-+     */
-+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
-+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+                     "Disabling TLS session ticket support");
-+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
-+    }
- }
- #endif
- 
-@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
- 
-     BOOL conflict = FALSE;
- 
-+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
-+    unsigned char *tlsext_tick_keys = NULL;
-+    long tick_keys_len;
-+#endif
-+
-     /*
-      * Give out warnings when a server has HTTPS configured
-      * for the HTTP port or vice versa
-@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
-                          ssl_util_vhostid(p, s),
-                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
-         }
-+
-+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
-+        /*
-+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
-+         * the same ticket encryption parameters for every SSL_CTX (workaround
-+         * for SNI+SessionTicket extension interoperability issue in these versions)
-+         */
-+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
-+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
-+            if (!tlsext_tick_keys) {
-+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
-+                                                               (-1),(NULL));
-+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
-+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
-+            }
-+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
-+                                           (tick_keys_len),(tlsext_tick_keys));
-+        }
-+#endif
-     }
- 
-     /*
-Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_config.c	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c	(working copy)
-@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
- #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-     mc->szCryptoDevice         = NULL;
- #endif
-+#ifndef OPENSSL_NO_TLSEXT
-+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
-+#endif
- 
-     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
- 
-@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
- #endif
- }
- 
-+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+#ifndef OPENSSL_NO_TLSEXT
-+    const char *err;
-+    SSLModConfigRec *mc = myModConfig(cmd->server);
-+
-+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
-+        return err;
-+    }
-+
-+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
-+
-+    return NULL;
-+#else
-+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
-+           "for TLS extensions. Refer to the documentation, and build "
-+           "a compatible version of OpenSSL.";
-+#endif
-+}
-+
- void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
- {
-     if (!ap_exists_config_define("DUMP_CERTS")) {
-Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(working copy)
-@@ -29,6 +29,7 @@
-                                   time I was too famous.''
-                                             -- Unknown                */
- #include "ssl_private.h"
-+#include "util_md5.h"
- 
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
- #ifndef OPENSSL_NO_TLSEXT
-@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
-     apr_array_header_t *names;
-     int i;
-     SSLConnRec *sslcon;
-+    char *sid_ctx;
- 
-     /* check ServerName */
-     if (!strcasecmp(servername, s->server_hostname)) {
-@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
-             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-                            SSL_CTX_get_verify_callback(ssl->ctx));
-         }
-+        /*
-+         * Adjust the session id context. ssl_init_ssl_connection()
-+         * always picks the configuration of the first vhost when
-+         * calling SSL_new(), but we want to tie the session to the
-+         * vhost we have just switched to. Again, we have to make sure
-+         * that we're not overwriting a session id context which was
-+         * possibly set in ssl_hook_Access(), before triggering
-+         * a renegotation.
-+         */
-+        if (!SSL_num_renegotiations(ssl)) {
-+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
-+                                    sc->vhost_id_len);
-+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
-+                                       APR_MD5_DIGESTSIZE*2);
-+        }
- 
-         /*
-          * Save the found server into our SSLConnRec for later
-Index: httpd-2.2.x/modules/ssl/mod_ssl.c
-===================================================================
---- httpd-2.2.x/modules/ssl/mod_ssl.c	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/mod_ssl.c	(working copy)
-@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
-     SSL_CMD_SRV(RandomSeed, TAKE23,
-                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
-                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
-+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
-+                "TLS Session Ticket extension support")
- 
-     /*
-      * Per-server context configuration directives
Index: trunk/server/common/patches/httpd-2.2.x-mod_status-security.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-mod_status-security.patch	(revision 2581)
+++ 	(revision )
@@ -1,70 +1,0 @@
-Prevents mod_status from taking effect in .htaccess files, by requiring
-a directive that's only permitted in directory context.
-
-Signed-off-by: Quentin Smith <quentin@mit.edu>
-Signed-off-by: Geoffrey Thomas <geofft@mit.edu>
---- a/modules/generators/mod_status.c	2008-01-02 04:43:52.000000000 -0500
-+++ b/modules/generators/mod_status.c	2008-08-06 01:31:26.000000000 -0400
-@@ -115,6 +115,10 @@
- static pid_t child_pid;
- #endif
- 
-+typedef struct {
-+  int permit_status_handler;
-+} status_config_rec;
-+
- /*
-  * command-related code. This is here to prevent use of ExtendedStatus
-  * without status_module included.
-@@ -139,6 +143,13 @@
-     return NULL;
- }
- 
-+static void *create_status_dir_config(apr_pool_t *p, char *d)
-+{
-+  status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
-+  conf->permit_status_handler = 0;
-+  return conf;
-+}
-+
- 
- static const command_rec status_module_cmds[] =
- {
-@@ -147,6 +158,11 @@
-     AP_INIT_FLAG("SeeRequestTail", set_reqtail, NULL, RSRC_CONF,
-       "For verbose requests, \"On\" to see the last 63 chars of the request, "
-       "\"Off\" (default) to see the first 63 in extended status display"),
-+    AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
-+		 (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
-+		 ACCESS_CONF,
-+      "As a security measure, only permit status handlers where this flag "
-+      "is set. Only legal in directory context, not .htaccess."),
-     {NULL}
- };
- 
-@@ -247,9 +263,13 @@
-     pid_t *pid_buffer, worker_pid;
-     clock_t tu, ts, tcu, tcs;
-     ap_generation_t worker_generation;
--
--    if (strcmp(r->handler, STATUS_MAGIC_TYPE) &&
--        strcmp(r->handler, "server-status")) {
-+    
-+    status_config_rec *conf = ap_get_module_config(r->per_dir_config,
-+                                                      &status_module);
-+
-+    if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
-+         strcmp(r->handler, "server-status")) ||
-+	!conf->permit_status_handler) {
-         return DECLINED;
-     }
- 
-@@ -871,7 +891,7 @@
- module AP_MODULE_DECLARE_DATA status_module =
- {
-     STANDARD20_MODULE_STUFF,
--    NULL,                       /* dir config creater */
-+    create_status_dir_config,   /* dir config creater */
-     NULL,                       /* dir merger --- default is to override */
-     NULL,                       /* server config */
-     NULL,                       /* merge server config */
Index: trunk/server/common/patches/httpd-304s.patch
===================================================================
--- trunk/server/common/patches/httpd-304s.patch	(revision 2591)
+++ trunk/server/common/patches/httpd-304s.patch	(revision 2591)
@@ -0,0 +1,44 @@
+From f4d66a13e385c6fa2026e2da1119ad080928c1f5 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 21:40:07 -0400
+Subject: [PATCH] Fix "the-bug" (non-empty content in 304s)
+
+PHP should not produce any output, even if zlib.output_compression is
+on, if the HTTP response code is 204 or 304 (no content or not modified).
+
+ixes PHP bug #42362 with php.cvs #56693, see:
+http://bugs.php.net/bug.php?id=42362
+http://news.php.net/php.cvs/56693
+http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/zlib.c?r1=1.183.2.6.2.5.2.9&r2=1.183.2.6.2.5.2.10
+
+Apache should discard any body provided by a script (in any language, not
+just PHP) when the status is "no content" or "not modified".
+Addresses part of Apache bug #40953, see:
+https://issues.apache.org/bugzilla/show_bug.cgi?id=40953#c7
+
+Solves scripts.mit.edu support issue #773060, see:
+https://help.mit.edu/Ticket/UpdateCallCenter.html?id=773060
+https://diswww.mit.edu/charon/scripts/24018
+---
+ server/util_script.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/server/util_script.c b/server/util_script.c
+index 12a056f..dd83337 100644
+--- a/server/util_script.c
++++ b/server/util_script.c
+@@ -503,6 +503,11 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex(request_rec *r, char *buffer,
+             if ((cgi_status == HTTP_UNSET) && (r->method_number == M_GET)) {
+                 cond_status = ap_meets_conditions(r);
+             }
++            else if ((cgi_status == HTTP_NO_CONTENT) ||
++                     (cgi_status == HTTP_NOT_MODIFIED) ||
++                     ap_is_HTTP_INFO(cgi_status)) {
++                r->header_only = 1; /* discard any body */
++            }
+             apr_table_overlap(r->err_headers_out, merge,
+                 APR_OVERLAP_TABLES_MERGE);
+             if (!apr_is_empty_table(cookie_table)) {
+-- 
+1.8.1.2
+
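Review bot: The description at the top of the new httpd-304s.patch does not match its diff: it opens with the PHP side (`zlib.output_compression`, PHP bug #42362), but the only change carried is the five-line `else if` in `server/util_script.c`, so the PHP paragraph should be dropped or marked as background. The line `ixes PHP bug #42362 with php.cvs #56693, see:` also looks truncated and presumably should read `Fixes PHP bug #42362 ...`. The existing `/* discard any body */` says what the branch does but not why; something like `/* 1xx, 204 and 304 carry no body; bytes a script writes here would be parsed by the client as the next response on a keep-alive connection */` would make the reason for `r->header_only = 1` clear to whoever next rebases this patch. The enclosing function `ap_scan_script_header_err_core_ex` starts and ends outside the inner hunk.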
Index: trunk/server/common/patches/httpd-SSLCompression.patch
===================================================================
--- trunk/server/common/patches/httpd-SSLCompression.patch	(revision 2581)
+++ 	(revision )
@@ -1,125 +1,0 @@
-Description: mod_ssl: Add new directive SSLCompression to disable TLS-level compression.
-Origin: http://svn.apache.org/viewvc?view=revision&revision=1369585
-
-diff -r -U3 httpd-2.2.23/modules/ssl/mod_ssl.c httpd-2.2.23.patched/modules/ssl/mod_ssl.c
---- httpd-2.2.23/modules/ssl/mod_ssl.c	2013-02-14 18:32:59.360289681 -0500
-+++ httpd-2.2.23.patched/modules/ssl/mod_ssl.c	2013-02-14 18:34:22.670718893 -0500
-@@ -158,6 +158,9 @@
-                 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
-     SSL_CMD_SRV(HonorCipherOrder, FLAG,
-                 "Use the server's cipher ordering preference")
-+    SSL_CMD_SRV(Compression, FLAG,
-+                "Enable SSL level compression"
-+                "(`on', `off')")
-     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
-                 "Enable support for insecure renegotiation")
-     SSL_CMD_ALL(UserName, TAKE1,
-diff -r -U3 httpd-2.2.23/modules/ssl/ssl_engine_config.c httpd-2.2.23.patched/modules/ssl/ssl_engine_config.c
---- httpd-2.2.23/modules/ssl/ssl_engine_config.c	2013-02-14 18:32:59.358289719 -0500
-+++ httpd-2.2.23.patched/modules/ssl/ssl_engine_config.c	2013-02-14 18:34:22.672718856 -0500
-@@ -183,6 +183,9 @@
- #ifdef HAVE_FIPS
-     sc->fips                   = UNSET;
- #endif
-+#ifndef OPENSSL_NO_COMP
-+    sc->compression            = UNSET;
-+#endif
- 
-     modssl_ctx_init_proxy(sc, p);
- 
-@@ -281,6 +284,9 @@
- #ifdef HAVE_FIPS
-     cfgMergeBool(fips);
- #endif
-+#ifndef OPENSSL_NO_COMP
-+    cfgMergeBool(compression);
-+#endif
- 
-     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
- 
-@@ -714,6 +720,23 @@
- 
- }
- 
-+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+#if !defined(OPENSSL_NO_COMP)
-+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-+#ifndef SSL_OP_NO_COMPRESSION
-+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
-+    if (err)
-+        return "This version of openssl does not support configuring "
-+               "compression within <VirtualHost> sections.";
-+#endif
-+    sc->compression = flag ? TRUE : FALSE;
-+    return NULL;
-+#else
-+    return "Setting Compression mode unsupported; not implemented by the SSL library";
-+#endif
-+}
-+
- const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
- {
- #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-Only in httpd-2.2.23.patched/modules/ssl: ssl_engine_config.c.orig
-diff -r -U3 httpd-2.2.23/modules/ssl/ssl_engine_init.c httpd-2.2.23.patched/modules/ssl/ssl_engine_init.c
---- httpd-2.2.23/modules/ssl/ssl_engine_init.c	2013-02-14 18:32:59.358289719 -0500
-+++ httpd-2.2.23.patched/modules/ssl/ssl_engine_init.c	2013-02-14 18:34:22.672718856 -0500
-@@ -542,6 +542,18 @@
-     }
- #endif
- 
-+
-+#ifndef OPENSSL_NO_COMP
-+    if (sc->compression == FALSE) {
-+#ifdef SSL_OP_NO_COMPRESSION
-+        /* OpenSSL >= 1.0 only */
-+        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
-+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
-+        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
-+#endif
-+    }
-+#endif
-+
- #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-     if (sc->insecure_reneg == TRUE) {
-         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
-Only in httpd-2.2.23.patched/modules/ssl: ssl_engine_init.c.orig
-diff -r -U3 httpd-2.2.23/modules/ssl/ssl_private.h httpd-2.2.23.patched/modules/ssl/ssl_private.h
---- httpd-2.2.23/modules/ssl/ssl_private.h	2013-02-14 18:32:59.357289737 -0500
-+++ httpd-2.2.23.patched/modules/ssl/ssl_private.h	2013-02-14 18:34:22.673718837 -0500
-@@ -507,6 +507,9 @@
- #ifdef HAVE_FIPS
-     BOOL             fips;
- #endif
-+#ifndef OPENSSL_NO_COMP
-+    BOOL             compression;
-+#endif
- };
- 
- /**
-@@ -563,6 +566,7 @@
- const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
- const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
- const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
-+const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
- const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
- const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
- const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
-Only in httpd-2.2.23.patched/modules/ssl: ssl_private.h.orig
-diff -r -U3 httpd-2.2.23/modules/ssl/ssl_toolkit_compat.h httpd-2.2.23.patched/modules/ssl/ssl_toolkit_compat.h
---- httpd-2.2.23/modules/ssl/ssl_toolkit_compat.h	2012-08-17 13:30:46.000000000 -0400
-+++ httpd-2.2.23.patched/modules/ssl/ssl_toolkit_compat.h	2013-02-14 18:34:22.674718818 -0500
-@@ -277,6 +277,11 @@
- #endif
- #endif
- 
-+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
-+    && OPENSSL_VERSION_NUMBER < 0x00908000L
-+#define OPENSSL_NO_COMP
-+#endif
-+
- #endif /* SSL_TOOLKIT_COMPAT_H */
- 
- /** @} */
-Only in httpd-2.2.23.patched/modules/ssl: ssl_toolkit_compat.h.orig
Index: trunk/server/common/patches/httpd-allow-null-user.patch
===================================================================
--- trunk/server/common/patches/httpd-allow-null-user.patch	(revision 2591)
+++ trunk/server/common/patches/httpd-allow-null-user.patch	(revision 2591)
@@ -0,0 +1,62 @@
+From a60a2c6a87331510847de401323bcdf3b9895838 Mon Sep 17 00:00:00 2001
+From: Adam Glasgall <glasgall@mit.edu>
+Date: Tue, 26 Aug 2014 17:47:45 -0400
+Subject: [PATCH] Remove r->user != NULL check from ap_process_request_internal
+
+After the check_user_id hook runs, Apache checks to make sure it's
+identified a user and aborts if this is not the case, to protect the
+auth_checker hook from accidental null pointer
+dereferences. Unfortunately, Scripts's mod_auth_optional relies on
+being able to have r->user still be NULL after check_user_id has run.
+
+This patch removes the null check. I believe this is safe because
+mod_auth_optional installs its auth_checker hook forcibly at the head
+of the hook chain, and said hook ends authz processing immediately if
+the directory in question has AuthOptional and no default user.
+
+Signed-off-by: Adam Glasgall <glasgall@mit.edu>
+---
+ server/request.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+diff --git a/server/request.c b/server/request.c
+index af0a697..9d7e29d 100644
+--- a/server/request.c
++++ b/server/request.c
+@@ -244,16 +244,6 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+                 if ((access_status = ap_run_check_user_id(r)) != OK) {
+                     return decl_die(access_status, "check user", r);
+                 }
+-                if (r->user == NULL) {
+-                    /* don't let buggy authn module crash us in authz */
+-                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00027)
+-                                  "No authentication done but request not "
+-                                  "allowed without authentication for %s. "
+-                                  "Authentication not configured?",
+-                                  r->uri);
+-                    access_status = HTTP_INTERNAL_SERVER_ERROR;
+-                    return decl_die(access_status, "check user", r);
+-                }
+                 if ((access_status = ap_run_auth_checker(r)) != OK) {
+                     return decl_die(access_status, "check authorization", r);
+                 }
+@@ -281,16 +271,6 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+                 if ((access_status = ap_run_check_user_id(r)) != OK) {
+                     return decl_die(access_status, "check user", r);
+                 }
+-                if (r->user == NULL) {
+-                    /* don't let buggy authn module crash us in authz */
+-                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00028)
+-                                  "No authentication done but request not "
+-                                  "allowed without authentication for %s. "
+-                                  "Authentication not configured?",
+-                                  r->uri);
+-                    access_status = HTTP_INTERNAL_SERVER_ERROR;
+-                    return decl_die(access_status, "check user", r);
+-                }
+                 if ((access_status = ap_run_auth_checker(r)) != OK) {
+                     return decl_die(access_status, "check authorization", r);
+                 }
+-- 
+1.9.1
+
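Review bot: Deleting both `r->user == NULL` guards in `ap_process_request_internal` removes the protection for every auth_checker hook in the server, while the safety argument in the description only covers directories handled by mod_auth_optional. Any authz module that dereferences `r->user` would now see NULL on a path where mod_auth_optional did not end processing: the module is not loaded, a later module changes the hook order, or an authn module returns OK without setting a user in a directory without AuthOptional. A narrower patch would keep the guard and skip it only for requests that mod_auth_optional has explicitly marked. Failing that, each removed block should be replaced by a comment such as `/* r->user may be NULL here (mod_auth_optional); authz hooks must check before use */`. Both removal sites are affected, and the enclosing function starts and ends outside the quoted context.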
Index: trunk/server/common/patches/httpd-fixup-vhost.patch
===================================================================
--- trunk/server/common/patches/httpd-fixup-vhost.patch	(revision 2581)
+++ trunk/server/common/patches/httpd-fixup-vhost.patch	(revision 2591)
@@ -1,85 +1,101 @@
-commit 3b081163d6250d893838d69d9a83f217c341d657
-Author: Greg Brockman <gdb@mit.edu>
-Date:   Fri Aug 6 23:19:15 2010 -0400
+From e90c8e59a93e5dde747e6dec7b960d2a6f2523ab Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 22:43:28 -0400
+Subject: [PATCH] Export method to fixup a single virtual host
 
-    Add method to merge virtual host with a main server_rec
+Apache normally provides ap_fixup_virtual_hosts, which merges the
+configuration from the main server into each virtual host.  Refactor
+this code to allow merging the configuration into a single virtual
+host, and export this method for use in mod_vhost_ldap.
+
+Additionally, call the newly created method in the loop in
+ap_fixup_virtual_hosts.
+---
+ include/http_config.h |  9 ++++++++
+ server/config.c       | 58 ++++++++++++++++++++++++++++-----------------------
+ 2 files changed, 41 insertions(+), 26 deletions(-)
 
 diff --git a/include/http_config.h b/include/http_config.h
-index 5e9fd51..8e6f247 100644
+index 7ee3760..e3657ea 100644
 --- a/include/http_config.h
 +++ b/include/http_config.h
-@@ -827,6 +827,16 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p);
- AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, 
+@@ -1012,6 +1012,15 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p);
+  */
+ AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p,
                                          server_rec *main_server);
- 
 +/**
-+ * Setup a single virtual host by merging the main server_rec into it.
++ * Setup all virtual hosts
 + * @param p The pool to allocate from
-+ * @param main_server The server_rec with which to merge
-+ * @param virt The virtual host server_rec with some set of directives to override already set
++ * @param main_server The head of the server_rec list
++ * @param virt The individual virtual host to fix
 + */
 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p,
 +				       server_rec *main_server,
 +				       server_rec *virt);
-+
- /* For http_request.c... */
  
  /**
+  * Reserve some modules slots for modules loaded by other means than
 diff --git a/server/config.c b/server/config.c
-index 101d0e4..ef0f2ba 100644
+index c1aae17..254c5d2 100644
 --- a/server/config.c
 +++ b/server/config.c
-@@ -1902,38 +1902,43 @@ AP_CORE_DECLARE(const char *) ap_init_virtual_host(apr_pool_t *p,
+@@ -2245,46 +2245,52 @@ AP_DECLARE(void) ap_merge_log_config(const struct ap_logconf *old_conf,
+     }
  }
- 
  
 -AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server)
 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p, server_rec *main_server,
-+                                       server_rec *virt)
++				       server_rec *virt)
  {
 -    server_rec *virt;
-+    merge_server_configs(p, main_server->module_config,
-+                         virt->module_config);
+     core_dir_config *dconf =
+         ap_get_core_module_config(main_server->lookup_defaults);
+     dconf->log = &main_server->log;
  
 -    for (virt = main_server->next; virt; virt = virt->next) {
 -        merge_server_configs(p, main_server->module_config,
 -                             virt->module_config);
-+    virt->lookup_defaults =
-+        ap_merge_per_dir_configs(p, main_server->lookup_defaults,
-+                                 virt->lookup_defaults);
++    merge_server_configs(p, main_server->module_config,
++			 virt->module_config);
  
 -        virt->lookup_defaults =
 -            ap_merge_per_dir_configs(p, main_server->lookup_defaults,
 -                                     virt->lookup_defaults);
-+    if (virt->server_admin == NULL)
-+        virt->server_admin = main_server->server_admin;
++    virt->lookup_defaults =
++	ap_merge_per_dir_configs(p, main_server->lookup_defaults,
++				 virt->lookup_defaults);
  
 -        if (virt->server_admin == NULL)
 -            virt->server_admin = main_server->server_admin;
-+    if (virt->timeout == 0)
-+        virt->timeout = main_server->timeout;
++    if (virt->server_admin == NULL)
++	virt->server_admin = main_server->server_admin;
  
 -        if (virt->timeout == 0)
 -            virt->timeout = main_server->timeout;
-+    if (virt->keep_alive_timeout == 0)
-+        virt->keep_alive_timeout = main_server->keep_alive_timeout;
++    if (virt->timeout == 0)
++	virt->timeout = main_server->timeout;
  
 -        if (virt->keep_alive_timeout == 0)
 -            virt->keep_alive_timeout = main_server->keep_alive_timeout;
-+    if (virt->keep_alive == -1)
-+        virt->keep_alive = main_server->keep_alive;
++    if (virt->keep_alive_timeout == 0)
++	virt->keep_alive_timeout = main_server->keep_alive_timeout;
  
 -        if (virt->keep_alive == -1)
 -            virt->keep_alive = main_server->keep_alive;
-+    if (virt->keep_alive_max == -1)
-+        virt->keep_alive_max = main_server->keep_alive_max;
++    if (virt->keep_alive == -1)
++	virt->keep_alive = main_server->keep_alive;
  
 -        if (virt->keep_alive_max == -1)
 -            virt->keep_alive_max = main_server->keep_alive_max;
-+    /* XXX: this is really something that should be dealt with by a
-+     * post-config api phase
-+     */
-+    ap_core_reorder_directories(p, virt);
-+}
++    if (virt->keep_alive_max == -1)
++	virt->keep_alive_max = main_server->keep_alive_max;
+ 
+-        ap_merge_log_config(&main_server->log, &virt->log);
++    ap_merge_log_config(&main_server->log, &virt->log);
+ 
+-        dconf = ap_get_core_module_config(virt->lookup_defaults);
+-        dconf->log = &virt->log;
++    dconf = ap_get_core_module_config(virt->lookup_defaults);
++    dconf->log = &virt->log;
  
 -        /* XXX: this is really something that should be dealt with by a
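Review bot: In server/config.c the setup `dconf->log = &main_server->log;` now sits at the top of the per-host `ap_fixup_virtual_host`, so it is repeated on every call and, as far as the visible hunks show, never runs when `main_server->next` is NULL, because the loop in `ap_fixup_virtual_hosts` (next hunk) has no other copy of it. Keeping those two lines in `ap_fixup_virtual_hosts` before the loop, and leaving only the `virt` merge in the exported function, would preserve the old behaviour and avoid writing main-server state from a function that mod_vhost_ldap may call later. Separately, the doc comment in include/http_config.h was changed to `Setup all virtual hosts`, which describes the plural function; `Setup a single virtual host by merging the main server_rec into it.` is the accurate summary. One line between the last two hunks is not shown, so the first point should be confirmed against the full patch.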
@@ -88,8 +104,14 @@
 -        ap_core_reorder_directories(p, virt);
 -    }
++    /* XXX: this is really something that should be dealt with by a
++     * post-config api phase
++     */
++    ap_core_reorder_directories(p, virt);
++}
++
 +AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server)
 +{
 +    server_rec *virt;
-+
++    
 +    for (virt = main_server->next; virt; virt = virt->next)
 +        ap_fixup_virtual_host(p, main_server, virt);
@@ -97,2 +119,5 @@
      ap_core_reorder_directories(p, main_server);
  }
+-- 
+1.8.1.2
+
Index: trunk/server/common/patches/httpd-mod_status-security.patch
===================================================================
--- trunk/server/common/patches/httpd-mod_status-security.patch	(revision 2591)
+++ trunk/server/common/patches/httpd-mod_status-security.patch	(revision 2591)
@@ -0,0 +1,78 @@
+From c9e5769ec7163cadd44a1b1a75a12a75a5a1db58 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 21:39:17 -0400
+Subject: [PATCH] Prevent mod_status from taking effect in .htaccess files
+
+Introduce a directive to the Apache configuration that is only
+permitted in a directory context, called "PermitStatusHandler", to
+prevent users from enabling mod_status from their .htaccess files.
+
+Signed-off-by: Quentin Smith <quentin@mit.edu>
+Signed-off-by: Geoffrey Thomas <geofft@mit.edu>
+---
+ modules/generators/mod_status.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c
+index fe832b3..92a6f69 100644
+--- a/modules/generators/mod_status.c
++++ b/modules/generators/mod_status.c
+@@ -103,6 +103,27 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ap, STATUS, int, status_hook,
+ static pid_t child_pid;
+ #endif
+ 
++typedef struct {
++  int permit_status_handler;
++} status_config_rec;
++
++static void *create_status_dir_config(apr_pool_t *p, char *d)
++{
++  status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
++  conf->permit_status_handler = 0;
++  return conf;
++}
++
++static const command_rec status_module_cmds[] =
++{
++    AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
++		 (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
++		 ACCESS_CONF,
++      "As a security measure, only permit status handlers where this flag "
++      "is set. Only legal in directory context, not .htaccess."),
++    {NULL}
++};
++
+ /* Format the number of bytes nicely */
+ static void format_byte_out(request_rec *r, apr_off_t bytes)
+ {
+@@ -207,8 +228,12 @@ static int status_handler(request_rec *r)
+     int times_per_thread;
+ #endif
+ 
+-    if (strcmp(r->handler, STATUS_MAGIC_TYPE) && strcmp(r->handler,
+-            "server-status")) {
++    status_config_rec *conf = ap_get_module_config(r->per_dir_config,
++						   &status_module);
++
++    if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
++         strcmp(r->handler, "server-status")) ||
++	!conf->permit_status_handler) {
+         return DECLINED;
+     }
+ 
+@@ -948,10 +973,10 @@ static void register_hooks(apr_pool_t *p)
+ AP_DECLARE_MODULE(status) =
+ {
+     STANDARD20_MODULE_STUFF,
+-    NULL,                       /* dir config creater */
++    create_status_dir_config,   /* dir config creater */
+     NULL,                       /* dir merger --- default is to override */
+     NULL,                       /* server config */
+     NULL,                       /* merge server config */
+-    NULL,                       /* command table */
++    status_module_cmds,         /* command table */
+     register_hooks              /* register_hooks */
+ };
+-- 
+1.8.1.2
+
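Review bot: In `status_handler` the new `!conf->permit_status_handler` test shares the silent `return DECLINED` with the handler-name mismatch, so a request that asks for `server-status` from a location where the flag is off leaves no trace. Splitting the condition and logging the refused case before returning DECLINED, e.g. `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "server-status requested but PermitStatusHandler is not set for %s", r->uri);`, would let operators see attempts to enable the handler from .htaccess. The fail-closed default also rests on the NULL dir merger slot (a nested section replaces rather than merges) and on `ACCESS_CONF` keeping the directive out of .htaccess; a comment on `status_module_cmds` saying so would stop a later change to an `OR_*` override class from undoing the protection. `conf->permit_status_handler = 0;` is redundant after `apr_pcalloc`, though harmless as documentation.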
Index: trunk/server/common/patches/httpd-suexec-cloexec.patch
===================================================================
--- trunk/server/common/patches/httpd-suexec-cloexec.patch	(revision 2581)
+++ 	(revision )
@@ -1,52 +1,0 @@
-From: Stefan Fritsch <sf@apache.org>
-Date: Sat, 3 Oct 2009 13:46:48 +0000
-Subject: suexec: Allow to log an error if exec fails by setting FD_CLOEXEC on the log file instead of closing it.
-
-PR: 10744
-Submitted by: Nicolas Rachinsky
-Reviewed by: Stefan Fritsch
-
-Origin: upstream, http://svn.apache.org/viewvc?rev=821321&view=rev
-Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=10744
----
- support/suexec.c |   18 +++++++++---------
- 1 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/support/suexec.c b/support/suexec.c
-index cb4e85f..85e1318 100644
---- a/support/suexec.c
-+++ b/support/suexec.c
-@@ -49,6 +49,7 @@
- #include <stdio.h>
- #include <stdarg.h>
- #include <stdlib.h>
-+#include <fcntl.h>
- #include <selinux/selinux.h>
- 
- #ifdef HAVE_PWD_H
-@@ -714,17 +715,16 @@ TRUSTED_DIRECTORY:
- #endif /* AP_SUEXEC_UMASK */
- 
-     /*
--     * Be sure to close the log file so the CGI can't
--     * mess with it.  If the exec fails, it will be reopened
--     * automatically when log_err is called.  Note that the log
--     * might not actually be open if AP_LOG_EXEC isn't defined.
--     * However, the "log" cell isn't ifdef'd so let's be defensive
--     * and assume someone might have done something with it
--     * outside an ifdef'd AP_LOG_EXEC block.
-+     * ask fcntl(2) to set the FD_CLOEXEC flag on the log file,
-+     * so it'll be automagically closed if the exec() call succeeds.
-      */
-     if (log != NULL) {
--        fclose(log);
--        log = NULL;
-+        fflush(log);
-+        setbuf(log,NULL);
-+        if ((fcntl(fileno(log), F_SETFD, FD_CLOEXEC) == -1)) {
-+            log_err("error: can't set close-on-exec flag");
-+            exit(122);
-+        }
-     }
- 
-     /*
Index: trunk/server/common/patches/httpd-suexec-scripts.patch
===================================================================
--- trunk/server/common/patches/httpd-suexec-scripts.patch	(revision 2581)
+++ trunk/server/common/patches/httpd-suexec-scripts.patch	(revision 2591)
@@ -1,38 +1,31 @@
-# scripts.mit.edu httpd suexec patch
-# Copyright (C) 2006, 2007, 2008  Jeff Arnold <jbarnold@mit.edu>,
-#                                 Joe Presbrey <presbrey@mit.edu>,
-#                                 Anders Kaseorg <andersk@mit.edu>,
-#                                 Geoffrey Thomas <geofft@mit.edu>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-#
-# See /COPYRIGHT in this repository for more information.
-#
---- httpd-2.2.2/support/Makefile.in.old	2005-07-06 19:15:34.000000000 -0400
-+++ httpd-2.2.2/support/Makefile.in	2007-01-20 17:12:51.000000000 -0500
-@@ -60,7 +60,7 @@
-
- suexec_OBJECTS = suexec.lo
- suexec: $(suexec_OBJECTS)
--	$(LINK) $(suexec_OBJECTS)
-+	$(LINK) -lselinux $(suexec_OBJECTS)
-
- htcacheclean_OBJECTS = htcacheclean.lo
- htcacheclean: $(htcacheclean_OBJECTS)
---- httpd-2.2.2/configure.in.old	2007-07-17 10:48:25.000000000 -0400
-+++ httpd-2.2.2/configure.in	2008-08-29 08:15:41.000000000 -0400
-@@ -559,6 +559,10 @@
+From 427d432a56df94d69a11cc438b08adb070615005 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 21:38:58 -0400
+Subject: [PATCH] Add scripts-specific support to suexec
+
+This patch make suexec aware of static-cat, Scripts' tool to serve
+static content out of AFS.  Specifically, this introduces a whitelist
+of extensions for which suexec is supposed to invoke static-cat as a
+content-handler.
+
+Additionally, this patch also sets JAVA_TOOL_OPTIONS, to allow the JVM
+to start up in Scripts' limited memory environment.
+
+Furthermore, this patch deals with some of suexec's paranoia being
+incorrect in an AFS world, by ignoring some of the irrelevant stat
+results.
+
+Finally, add support for invoking php-cgi for php files, in a safe
+manner that will strip arguments passed by Apache to php-cgi.
+---
+ configure.in     |   4 ++
+ support/suexec.c | 172 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 173 insertions(+), 3 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 811aace..a95349f 100644
+--- a/configure.in
++++ b/configure.in
+@@ -721,6 +721,10 @@ AC_ARG_WITH(suexec-userdir,
  APACHE_HELP_STRING(--with-suexec-userdir,User subdirectory),[
    AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, "$withval", [User subdirectory] ) ] )
@@ -45,6 +38,8 @@
  APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[
    AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
---- httpd-2.2.11/support/suexec.c.old	2008-11-30 10:47:31.000000000 -0500
-+++ httpd-2.2.11/support/suexec.c	2009-06-08 09:02:17.000000000 -0400
+diff --git a/support/suexec.c b/support/suexec.c
+index 32e7320..3a4d802 100644
+--- a/support/suexec.c
++++ b/support/suexec.c
 @@ -30,6 +30,9 @@
   *
@@ -57,13 +52,5 @@
  #include "ap_config.h"
  #include "suexec.h"
-@@ -46,6 +49,7 @@
- #include <stdio.h>
- #include <stdarg.h>
- #include <stdlib.h>
-+#include <selinux/selinux.h>
- 
- #ifdef HAVE_PWD_H
- #include <pwd.h>
-@@ -95,6 +99,7 @@
+@@ -92,6 +95,7 @@ static const char *const safe_env_lst[] =
  {
      /* variable name starts with */
@@ -73,5 +60,5 @@
  
      /* variable name is */
-@@ -245,9 +250,108 @@
+@@ -268,9 +272,108 @@ static void clean_env(void)
      environ = cleanenv;
  }
@@ -182,5 +169,5 @@
      gid_t gid;              /* target group placeholder  */
      char *target_uname;     /* target user name          */
-@@ -268,6 +368,7 @@
+@@ -290,6 +393,7 @@ int main(int argc, char *argv[])
       * Start with a "clean" environment
       */
@@ -188,7 +175,7 @@
 +    setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */
  
-     prog = argv[0];
-     /*
-@@ -350,6 +451,20 @@
+     /*
+      * Check existence/validity of the UID of the user
+@@ -373,6 +477,20 @@ int main(int argc, char *argv[])
  #endif /*_OSD_POSIX*/
  
@@ -211,5 +198,5 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +486,7 @@
+@@ -394,6 +512,7 @@ int main(int argc, char *argv[])
          userdir = 1;
      }
@@ -219,5 +206,5 @@
       * Error out if the target username is invalid.
       */
-@@ -452,7 +568,7 @@
+@@ -482,7 +601,7 @@ int main(int argc, char *argv[])
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -225,9 +212,9 @@
 -    if ((uid == 0) || (uid < AP_UID_MIN)) {
 +    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) { /* uid 102 = signup  */
-         log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+         log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
          exit(107);
      }
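Review bot: The carried-over exception `uid < AP_UID_MIN && uid != 102` hard-codes a numeric uid to bypass suexec's minimum-uid floor, and the only explanation is the trailing `/* uid 102 = signup */`. If uid 102 maps to a different account on any host this patch is built for, that account becomes a valid suexec target below AP_UID_MIN. A named constant next to the other scripts-specific definitions (for example `#define SCRIPTS_SIGNUP_UID 102`, name illustrative), with a comment stating why signup must run below the floor, would make the exception auditable. The enclosing `main` starts and ends outside this hunk.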
-@@ -484,6 +599,7 @@
-         log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+@@ -514,6 +633,7 @@ int main(int argc, char *argv[])
+         log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
          exit(110);
      }
@@ -236,5 +223,5 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -506,6 +637,21 @@
+@@ -536,6 +656,21 @@ int main(int argc, char *argv[])
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -258,5 +245,5 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -532,15 +678,17 @@
+@@ -562,15 +697,17 @@ int main(int argc, char *argv[])
      /*
       * Error out if cwd is writable by others.
@@ -277,5 +264,5 @@
          exit(117);
      }
-@@ -548,10 +696,12 @@
+@@ -578,10 +715,12 @@ int main(int argc, char *argv[])
      /*
       * Error out if the program is writable by others.
@@ -290,5 +277,5 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -565,6 +715,7 @@
+@@ -595,6 +734,7 @@ int main(int argc, char *argv[])
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -298,6 +285,6 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -576,12 +727,14 @@
-                 prg_info.st_uid, prg_info.st_gid);
+@@ -606,12 +746,14 @@ int main(int argc, char *argv[])
+                 (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
          exit(120);
      }
@@ -314,5 +301,5 @@
          exit(121);
      }
-@@ -614,6 +767,30 @@
+@@ -660,6 +802,30 @@ int main(int argc, char *argv[])
      /*
       * Execute the command, replacing our image with its own.
@@ -345,2 +332,5 @@
      /* We need the #! emulation when we want to execute scripts */
      {
+-- 
+1.8.1.2
+
Index: trunk/server/common/patches/openafs-scripts.patch
===================================================================
--- trunk/server/common/patches/openafs-scripts.patch	(revision 2581)
+++ trunk/server/common/patches/openafs-scripts.patch	(revision 2591)
@@ -46,8 +46,8 @@
 #
 diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
-index 7c7705e..0d0e94f 100644
+index 03caf1c..699b2ce 100644
 --- a/src/afs/LINUX/osi_vnodeops.c
 +++ b/src/afs/LINUX/osi_vnodeops.c
-@@ -904,6 +904,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags)
+@@ -1207,6 +1207,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags)
  	/* should we always update the attributes at this point? */
  	/* unlikely--the vcache entry hasn't changed */
@@ -79,5 +79,5 @@
  #ifdef notyet
 diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c
-index eabcfeb..6390850 100644
+index feb0ca7..ba818c7 100644
 --- a/src/afs/VNOPS/afs_vnop_access.c
 +++ b/src/afs/VNOPS/afs_vnop_access.c
@@ -119,5 +119,5 @@
  }
 diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
-index b3931e5..71ef05c 100644
+index d01aff2..0a38c1c 100644
 --- a/src/afs/VNOPS/afs_vnop_attrs.c
 +++ b/src/afs/VNOPS/afs_vnop_attrs.c
@@ -134,8 +134,8 @@
  #elif defined(AFS_DARWIN80_ENV)
 diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c
-index 8e7af1c..7e984e9 100644
+index 5d96f75..7957eee 100644
 --- a/src/afs/VNOPS/afs_vnop_lookup.c
 +++ b/src/afs/VNOPS/afs_vnop_lookup.c
-@@ -1877,6 +1877,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr
+@@ -1915,6 +1915,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr
      }
  
@@ -151,5 +151,5 @@
  	osi_FreeLargeSpace(tname);
 diff --git a/src/afs/afs.h b/src/afs/afs.h
-index fcc4c70..0d53af6 100644
+index 88d5f77..61d3ee9 100644
 --- a/src/afs/afs.h
 +++ b/src/afs/afs.h
@@ -171,8 +171,8 @@
      afs_int32 flags;		/* things like O_SYNC, O_NONBLOCK go here */
      char initd;			/* if non-zero, Error fields meaningful */
-@@ -887,6 +895,7 @@ struct vcache {
- #ifdef AFS_SUN5_ENV
+@@ -896,6 +904,7 @@ struct vcache {
      struct afs_q multiPage;	/* list of multiPage_range structs */
  #endif
+     afs_uint32 lastBRLWarnTime; /* last time we warned about byte-range locks */
 +    int apache_access;		/* whether or not Apache has access to a file */
  };
@@ -180,8 +180,8 @@
  #define	DONT_CHECK_MODE_BITS	0
 diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c
-index 1834e6d..673a8e6 100644
+index 2ecd38e..95aafcd 100644
 --- a/src/afs/afs_analyze.c
 +++ b/src/afs/afs_analyze.c
-@@ -368,7 +368,7 @@ afs_Analyze(struct afs_conn *aconn, afs_int32 acode,
+@@ -478,7 +478,7 @@ afs_Analyze(struct afs_conn *aconn, struct rx_connection *rxconn,
  			 (afid ? afid->Fid.Volume : 0));
  	}
@@ -193,5 +193,5 @@
  	    areq->volumeError = VOLBUSY;
 diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c
-index c888605..ff5cf2d 100644
+index efce229..c1c1871 100644
 --- a/src/afs/afs_osi_pag.c
 +++ b/src/afs/afs_osi_pag.c
@@ -206,5 +206,5 @@
   * representation is '41XXXXXX' hex are used to represent the pags.
 @@ -484,6 +486,15 @@ afs_InitReq(struct vrequest *av, afs_ucred_t *acred)
- 	av->uid = afs_cr_uid(acred);	/* default when no pag is set */
+ 	av->uid = afs_cr_ruid(acred);	/* default when no pag is set */
  #endif
      }
@@ -222,8 +222,8 @@
  
 diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
-index f282510..00f1360 100644
+index e0a744d..c1c8c8c 100644
 --- a/src/afs/afs_pioctl.c
 +++ b/src/afs/afs_pioctl.c
-@@ -1406,6 +1406,10 @@ DECL_PIOCTL(PSetAcl)
+@@ -1420,6 +1420,10 @@ DECL_PIOCTL(PSetAcl)
      struct rx_connection *rxconn;
      XSTATS_DECLS;
@@ -236,5 +236,5 @@
      if (!avc)
  	return EINVAL;
-@@ -1790,6 +1794,10 @@ DECL_PIOCTL(PSetTokens)
+@@ -1806,6 +1810,10 @@ DECL_PIOCTL(PSetTokens)
      struct vrequest treq;
      afs_int32 flag, set_parent_pag = 0;
@@ -247,5 +247,5 @@
      if (!afs_resourceinit_flag) {
  	return EIO;
-@@ -2231,6 +2239,11 @@ DECL_PIOCTL(PGetTokens)
+@@ -2266,6 +2274,11 @@ DECL_PIOCTL(PGetTokens)
      int newStyle;
      int code = E2BIG;
@@ -259,5 +259,5 @@
      if (!afs_resourceinit_flag)	/* afs daemons haven't started yet */
  	return EIO;		/* Inappropriate ioctl for device */
-@@ -2341,6 +2354,10 @@ DECL_PIOCTL(PUnlog)
+@@ -2376,6 +2389,10 @@ DECL_PIOCTL(PUnlog)
      afs_int32 i;
      struct unixuser *tu;
Index: trunk/server/common/patches/openafs-systemd-crond.patch
===================================================================
--- trunk/server/common/patches/openafs-systemd-crond.patch	(revision 2581)
+++ trunk/server/common/patches/openafs-systemd-crond.patch	(revision 2591)
@@ -1,17 +1,13 @@
 diff --git a/src/packaging/RedHat/openafs-client.service b/src/packaging/RedHat/openafs-client.service
-index bc95057..9627280 100644
+index 936762e..c0558b2 100644
 --- a/src/packaging/RedHat/openafs-client.service
 +++ b/src/packaging/RedHat/openafs-client.service
-@@ -1,5 +1,6 @@
+@@ -1,6 +1,7 @@
  [Unit]
  Description=OpenAFS Client Service
-+Before=crond.service
- After=syslog.target network.target
+-After=syslog.target network.target
++After=syslog.target network-online.target
++Before=remote-fs.target
  
  [Service]
-@@ -15,4 +16,4 @@ ExecStop=/sbin/rmmod openafs
- KillMode=none
- 
- [Install]
--WantedBy=multi-user.target remote-fs.target
-+WantedBy=multi-user.target remote-fs.target crond.service
+ Type=forking
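Review bot: The new `After=syslog.target network-online.target` only orders the unit after network-online.target; nothing in the visible `[Unit]` section pulls that target in, so on a host where no other unit wants it the ordering has no effect and the AFS client can still start before the network is up. Adding `Wants=network-online.target` alongside the `After=` line is the usual pairing. The patch also drops `Before=crond.service` and the `crond.service` entry in `WantedBy=`, so cron jobs that read from AFS now presumably depend on crond being ordered after remote-fs.target, which is not visible here. The file name still says crond.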
Index: trunk/server/common/patches/openssl-1.0.0n-algo-doc.patch
===================================================================
--- trunk/server/common/patches/openssl-1.0.0n-algo-doc.patch	(revision 2581)
+++ 	(revision )
@@ -1,77 +1,0 @@
-diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
---- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc	2012-04-11 00:28:22.000000000 +0200
-+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod	2012-04-20 09:14:01.865167011 +0200
-@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
- 
- EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
- B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
--function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
-+function. B<type> will typically be supplied by a function such as EVP_sha1().
- If B<impl> is NULL then the default implementation of digest B<type> is used.
- 
- EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
- EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
- EVP_MD_CTX_block_size() return the digest or block size in bytes.
- 
--EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
-+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
-+EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
- EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
- corresponding EVP_MD structures.
- 
-diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
---- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
-+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod	2012-04-20 09:10:59.114736465 +0200
-@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
-  int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
-  int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
- 
-+ const EVP_CIPHER *EVP_des_ede3(void);
-+ const EVP_CIPHER *EVP_des_ede3_ecb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
-+ const EVP_CIPHER *EVP_des_ede3_ofb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_ecb(void);
-+ const EVP_CIPHER *EVP_aes_128_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_128_ofb(void);
-+ const EVP_CIPHER *EVP_aes_192_ecb(void);
-+ const EVP_CIPHER *EVP_aes_192_cbc(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_192_ofb(void);
-+ const EVP_CIPHER *EVP_aes_256_ecb(void);
-+ const EVP_CIPHER *EVP_aes_256_cbc(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_256_ofb(void);
-+
- =head1 DESCRIPTION
- 
- The EVP cipher routines are a high level interface to certain
-@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
- 
- DESX algorithm in CBC mode.
- 
-+=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
-+
-+AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
-+=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
-+
-+AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
-+=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
-+
-+AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
- =item EVP_rc4(void)
- 
- RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
Index: trunk/server/common/patches/openssl-1.0.0n-cipher-change.patch
===================================================================
--- trunk/server/common/patches/openssl-1.0.0n-cipher-change.patch	(revision 2581)
+++ 	(revision )
@@ -1,21 +1,0 @@
-diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
---- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change	2010-01-20 18:12:07.000000000 +0100
-+++ openssl-1.0.0-beta5/ssl/ssl.h	2010-01-20 18:13:04.000000000 +0100
-@@ -513,7 +513,7 @@ typedef struct ssl_session_st
- #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L
- /* Allow initial connection to servers that don't support RI */
- #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
--#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
-+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L /* no effect since 1.0.0c due to CVE-2010-4180 */
- #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
- #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
- #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x00000040L
-@@ -530,7 +530,7 @@ typedef struct ssl_session_st
- 
- /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
-  *             This used to be 0x000FFFFFL before 0.9.7. */
--#define SSL_OP_ALL					0x80000FFFL
-+#define SSL_OP_ALL					0x80000FF7L
- 
- /* DTLS options */
- #define SSL_OP_NO_QUERY_MTU                 0x00001000L
Index: trunk/server/common/patches/openssl-1.0.0n-conflicts.patchpatch
===================================================================
--- trunk/server/common/patches/openssl-1.0.0n-conflicts.patchpatch	(revision 2581)
+++ 	(revision )
@@ -1,112 +1,0 @@
---- openssl-1.0.0-beta5-cipher-change.patch	2013-02-19 16:06:15.000000000 -0500
-+++ openssl-1.0.0n-cipher-change.patch	2014-08-06 21:07:44.382050554 -0400
-@@ -9,7 +9,7 @@
- +#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L /* no effect since 1.0.0c due to CVE-2010-4180 */
-  #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
-  #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
-- #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
-+ #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x00000040L
- @@ -530,7 +530,7 @@ typedef struct ssl_session_st
-  
-  /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
---- openssl-1.0.0b-ipv6-apps.patch	2013-02-19 16:06:15.000000000 -0500
-+++ openssl-1.0.0n-ipv6-apps.patch	2014-08-06 21:07:44.383050535 -0400
-@@ -179,7 +179,7 @@
-  		{
- -		i=0;
- -		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
---		if (i < 0) { perror("keepalive"); return(0); }
-+-		if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
- +			int i=0;
- +			i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
- +				(char *)&i,sizeof(i));
-@@ -335,7 +335,7 @@
-  	int len;
-  /*	struct linger ling; */
-  
--@@ -432,135 +451,58 @@ redoit:
-+@@ -432,138 +451,59 @@ redoit:
-  */
-  
-  	if (host == NULL) goto end;
-@@ -364,6 +364,7 @@
- +		if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
-  			{
-  			perror("OPENSSL_malloc");
-+ 			closesocket(ret);
-  			return(0);
-  			}
- -		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
-@@ -372,11 +373,13 @@
- -		if (h2 == NULL)
- -			{
- -			BIO_printf(bio_err,"gethostbyname failure\n");
-+-			closesocket(ret);
- -			return(0);
- -			}
- -		if (h2->h_addrtype != AF_INET)
- -			{
- -			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-+-			closesocket(ret);
- -			return(0);
- -			}
- +		strcpy(*host, buffer);
---- openssl-1.0.0k-fips.patch	2013-02-19 16:06:15.000000000 -0500
-+++ openssl-1.0.0n-fips.patch	2014-08-06 21:07:44.383050535 -0400
-@@ -10646,7 +10646,7 @@
-  
-  
-  static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
--@@ -90,7 +94,14 @@ PKCS12 *PKCS12_create(char *pass, char *
-+@@ -90,11 +94,18 @@ PKCS12 *PKCS12_create(char *pass, char *
-  
-  	/* Set defaults */
-  	if (!nid_cert)
-@@ -10656,7 +10656,11 @@
- +			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- +		else
- +#endif
-+ #ifdef OPENSSL_NO_RC2
-+ 		nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-+ #else
-  		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
-+ #endif
- +		}
-  	if (!nid_key)
-  		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
---- openssl-1.0.1a-algo-doc.patch	2013-02-19 16:06:15.000000000 -0500
-+++ openssl-1.0.0n-algo-doc.patch	2014-08-06 21:07:44.382050554 -0400
-@@ -11,8 +11,8 @@
-  
-  EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
- @@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
-- EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
-- size in bytes.
-+ EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
-+ EVP_MD_CTX_block_size() return the digest or block size in bytes.
-  
- -EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
- +EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
---- openssl-1.0.0k-version.patch	2013-02-19 16:06:15.000000000 -0500
-+++ openssl-1.0.0n-version.patch	2014-08-06 21:07:44.383050535 -0400
-@@ -5,17 +5,17 @@
-   * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
-   *  major minor fix final patch/beta)
-   */
---#define OPENSSL_VERSION_NUMBER	0x100000bfL
-+-#define OPENSSL_VERSION_NUMBER	0x100000efL
- +#define OPENSSL_VERSION_NUMBER	0x10000003L
-  #ifdef OPENSSL_FIPS
-- #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0k-fips 5 Feb 2013"
-+ #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0n-fips 6 Aug 2014"
-  #else
- @@ -83,7 +83,7 @@
-   * should only keep the versions that are binary compatible with the current.
-   */
-  #define SHLIB_VERSION_HISTORY ""
- -#define SHLIB_VERSION_NUMBER "1.0.0"
--+#define SHLIB_VERSION_NUMBER "1.0.0k"
-++#define SHLIB_VERSION_NUMBER "1.0.0n"
-  
-  
-  #endif /* HEADER_OPENSSLV_H */
Index: trunk/server/common/patches/openssl-1.0.0n-fips.patch
===================================================================
--- trunk/server/common/patches/openssl-1.0.0n-fips.patch	(revision 2581)
+++ 	(revision )
@@ -1,12165 +1,0 @@
-diff -up openssl-1.0.0k/Configure.fips openssl-1.0.0k/Configure
---- openssl-1.0.0k/Configure.fips	2013-02-19 20:12:54.536663757 +0100
-+++ openssl-1.0.0k/Configure	2013-02-19 20:12:54.574664476 +0100
-@@ -664,6 +664,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml
- my $processor="";
- my $default_ranlib;
- my $perl;
-+my $fips=0;
- 
- 
- # All of the following is disabled by default (RC5 was enabled before 0.9.8):
-@@ -810,6 +811,10 @@ PROCESS_ARGS:
- 			}
- 		elsif (/^386$/)
- 			{ $processor=386; }
-+		elsif (/^fips$/)
-+			{
-+			$fips=1;
-+		        }
- 		elsif (/^rsaref$/)
- 			{
- 			# No RSAref support any more since it's not needed.
-@@ -1386,6 +1391,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no
- 
- $cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
- 
-+if ($fips)
-+	{
-+	$openssl_other_defines.="#define OPENSSL_FIPS\n";
-+	}
-+
- $cpuid_obj="mem_clr.o"	unless ($cpuid_obj =~ /\.o$/);
- $des_obj=$des_enc	unless ($des_obj =~ /\.o$/);
- $bf_obj=$bf_enc		unless ($bf_obj =~ /\.o$/);
-@@ -1553,6 +1563,10 @@ while (<IN>)
- 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
- 	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
- 	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
-+	if ($fips)
-+		{
-+		s/^FIPS=.*/FIPS=yes/;
-+		}
- 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
- 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
- 	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
-diff -up openssl-1.0.0k/crypto/bf/bf_skey.c.fips openssl-1.0.0k/crypto/bf/bf_skey.c
---- openssl-1.0.0k/crypto/bf/bf_skey.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/bf/bf_skey.c	2013-02-19 20:12:54.574664476 +0100
-@@ -59,10 +59,15 @@
- #include <stdio.h>
- #include <string.h>
- #include <openssl/blowfish.h>
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #include "bf_locl.h"
- #include "bf_pi.h"
- 
--void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
-+FIPS_NON_FIPS_VCIPHER_Init(BF)
- 	{
- 	int i;
- 	BF_LONG *p,ri,in[2];
-diff -up openssl-1.0.0k/crypto/bf/blowfish.h.fips openssl-1.0.0k/crypto/bf/blowfish.h
---- openssl-1.0.0k/crypto/bf/blowfish.h.fips	2013-02-19 20:12:53.998653547 +0100
-+++ openssl-1.0.0k/crypto/bf/blowfish.h	2013-02-19 20:12:54.575664496 +0100
-@@ -104,7 +104,9 @@ typedef struct bf_key_st
- 	BF_LONG S[4*256];
- 	} BF_KEY;
- 
-- 
-+#ifdef OPENSSL_FIPS 
-+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
-+#endif
- void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
- 
- void BF_encrypt(BF_LONG *data,const BF_KEY *key);
-diff -up openssl-1.0.0k/crypto/bn/bn.h.fips openssl-1.0.0k/crypto/bn/bn.h
---- openssl-1.0.0k/crypto/bn/bn.h.fips	2013-02-19 20:12:54.135656147 +0100
-+++ openssl-1.0.0k/crypto/bn/bn.h	2013-02-19 20:12:54.575664496 +0100
-@@ -558,6 +558,17 @@ int	BN_is_prime_ex(const BIGNUM *p,int n
- int	BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
- 		int do_trial_division, BN_GENCB *cb);
- 
-+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
-+
-+int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
-+			const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
-+			const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
-+int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
-+			BIGNUM *Xp1, BIGNUM *Xp2,
-+			const BIGNUM *Xp,
-+			const BIGNUM *e, BN_CTX *ctx,
-+			BN_GENCB *cb);
-+
- BN_MONT_CTX *BN_MONT_CTX_new(void );
- void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
- int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
-diff -up openssl-1.0.0k/crypto/bn/bn_x931p.c.fips openssl-1.0.0k/crypto/bn/bn_x931p.c
---- openssl-1.0.0k/crypto/bn/bn_x931p.c.fips	2013-02-19 20:12:54.575664496 +0100
-+++ openssl-1.0.0k/crypto/bn/bn_x931p.c	2013-02-19 20:12:54.576664516 +0100
-@@ -0,0 +1,272 @@
-+/* bn_x931p.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <openssl/bn.h>
-+
-+/* X9.31 routines for prime derivation */
-+
-+/* X9.31 prime derivation. This is used to generate the primes pi
-+ * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
-+ * integers.
-+ */
-+
-+static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
-+			BN_GENCB *cb)
-+	{
-+	int i = 0;
-+	if (!BN_copy(pi, Xpi))
-+		return 0;
-+	if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
-+		return 0;
-+	for(;;)
-+		{
-+		i++;
-+		BN_GENCB_call(cb, 0, i);
-+		/* NB 27 MR is specificed in X9.31 */
-+		if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb))
-+			break;
-+		if (!BN_add_word(pi, 2))
-+			return 0;
-+		}
-+	BN_GENCB_call(cb, 2, i);
-+	return 1;
-+	}
-+
-+/* This is the main X9.31 prime derivation function. From parameters
-+ * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
-+ * not NULL they will be returned too: this is needed for testing.
-+ */
-+
-+int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
-+			const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
-+			const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb)
-+	{
-+	int ret = 0;
-+
-+	BIGNUM *t, *p1p2, *pm1;
-+
-+	/* Only even e supported */
-+	if (!BN_is_odd(e))
-+		return 0;
-+
-+	BN_CTX_start(ctx);
-+	if (!p1)
-+		p1 = BN_CTX_get(ctx);
-+
-+	if (!p2)
-+		p2 = BN_CTX_get(ctx);
-+
-+	t = BN_CTX_get(ctx);
-+
-+	p1p2 = BN_CTX_get(ctx);
-+
-+	pm1 = BN_CTX_get(ctx);
-+
-+	if (!bn_x931_derive_pi(p1, Xp1, ctx, cb))
-+		goto err;
-+
-+	if (!bn_x931_derive_pi(p2, Xp2, ctx, cb))
-+		goto err;
-+
-+	if (!BN_mul(p1p2, p1, p2, ctx))
-+		goto err;
-+
-+	/* First set p to value of Rp */
-+
-+	if (!BN_mod_inverse(p, p2, p1, ctx))
-+		goto err;
-+
-+	if (!BN_mul(p, p, p2, ctx))
-+		goto err;
-+
-+	if (!BN_mod_inverse(t, p1, p2, ctx))
-+		goto err;
-+
-+	if (!BN_mul(t, t, p1, ctx))
-+		goto err;
-+
-+	if (!BN_sub(p, p, t))
-+		goto err;
-+
-+	if (p->neg && !BN_add(p, p, p1p2))
-+		goto err;
-+
-+	/* p now equals Rp */
-+
-+	if (!BN_mod_sub(p, p, Xp, p1p2, ctx))
-+		goto err;
-+
-+	if (!BN_add(p, p, Xp))
-+		goto err;
-+
-+	/* p now equals Yp0 */
-+
-+	for (;;)
-+		{
-+		int i = 1;
-+		BN_GENCB_call(cb, 0, i++);
-+		if (!BN_copy(pm1, p))
-+			goto err;
-+		if (!BN_sub_word(pm1, 1))
-+			goto err;
-+		if (!BN_gcd(t, pm1, e, ctx))
-+			goto err;
-+		if (BN_is_one(t)
-+		/* X9.31 specifies 8 MR and 1 Lucas test or any prime test
-+		 * offering similar or better guarantees 50 MR is considerably 
-+		 * better.
-+		 */
-+			&& BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb))
-+			break;
-+		if (!BN_add(p, p, p1p2))
-+			goto err;
-+		}
-+
-+	BN_GENCB_call(cb, 3, 0);
-+
-+	ret = 1;
-+
-+	err:
-+
-+	BN_CTX_end(ctx);
-+
-+	return ret;
-+	}
-+
-+/* Generate pair of paramters Xp, Xq for X9.31 prime generation.
-+ * Note: nbits paramter is sum of number of bits in both.
-+ */
-+
-+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
-+	{
-+	BIGNUM *t;
-+	int i;
-+	/* Number of bits for each prime is of the form
-+	 * 512+128s for s = 0, 1, ...
-+	 */
-+	if ((nbits < 1024) || (nbits & 0xff))
-+		return 0;
-+	nbits >>= 1;
-+	/* The random value Xp must be between sqrt(2) * 2^(nbits-1) and
-+	 * 2^nbits - 1. By setting the top two bits we ensure that the lower
-+	 * bound is exceeded.
-+	 */
-+	if (!BN_rand(Xp, nbits, 1, 0))
-+		return 0;
-+
-+	BN_CTX_start(ctx);
-+	t = BN_CTX_get(ctx);
-+
-+	for (i = 0; i < 1000; i++)
-+		{
-+		if (!BN_rand(Xq, nbits, 1, 0))
-+			return 0;
-+		/* Check that |Xp - Xq| > 2^(nbits - 100) */
-+		BN_sub(t, Xp, Xq);
-+		if (BN_num_bits(t) > (nbits - 100))
-+			break;
-+		}
-+
-+	BN_CTX_end(ctx);
-+
-+	if (i < 1000)
-+		return 1;
-+
-+	return 0;
-+
-+	}
-+
-+/* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1
-+ * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL
-+ * the relevant parameter will be stored in it.
-+ *
-+ * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq
-+ * are generated using the previous function and supplied as input.
-+ */
-+
-+int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
-+			BIGNUM *Xp1, BIGNUM *Xp2,
-+			const BIGNUM *Xp,
-+			const BIGNUM *e, BN_CTX *ctx,
-+			BN_GENCB *cb)
-+	{
-+	int ret = 0;
-+
-+	BN_CTX_start(ctx);
-+	if (!Xp1)
-+		Xp1 = BN_CTX_get(ctx);
-+	if (!Xp2)
-+		Xp2 = BN_CTX_get(ctx);
-+
-+	if (!BN_rand(Xp1, 101, 0, 0))
-+		goto error;
-+	if (!BN_rand(Xp2, 101, 0, 0))
-+		goto error;
-+	if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))
-+		goto error;
-+
-+	ret = 1;
-+
-+	error:
-+	BN_CTX_end(ctx);
-+
-+	return ret;
-+
-+	}
-+
-diff -up openssl-1.0.0k/crypto/bn/Makefile.fips openssl-1.0.0k/crypto/bn/Makefile
---- openssl-1.0.0k/crypto/bn/Makefile.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/bn/Makefile	2013-02-19 20:12:54.576664516 +0100
-@@ -26,13 +26,13 @@ LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_li
- 	bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
- 	bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
- 	bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
--	bn_depr.c bn_const.c
-+	bn_depr.c bn_const.c bn_x931p.c
- 
- LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
- 	bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
- 	bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
- 	bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
--	bn_depr.o bn_const.o
-+	bn_depr.o bn_const.o bn_x931p.o
- 
- SRC= $(LIBSRC)
- 
-diff -up openssl-1.0.0k/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0k/crypto/camellia/asm/cmll-x86.pl
---- openssl-1.0.0k/crypto/camellia/asm/cmll-x86.pl.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/camellia/asm/cmll-x86.pl	2013-02-19 20:12:54.576664516 +0100
-@@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0;
- }
- &function_end("Camellia_Ekeygen");
- 
-+$setkeyfunc = "Camellia_set_key";
-+$setkeyfunc = "private_Camellia_set_key" if ($ENV{FIPS} ne "");
-+
- if ($OPENSSL) {
- # int Camellia_set_key (
- #		const unsigned char *userKey,
- #		int bits,
- #		CAMELLIA_KEY *key)
--&function_begin_B("Camellia_set_key");
-+&function_begin_B($setkeyfunc);
- 	&push	("ebx");
- 	&mov	("ecx",&wparam(0));	# pull arguments
- 	&mov	("ebx",&wparam(1));
-@@ -760,7 +763,7 @@ if ($OPENSSL) {
- &set_label("done",4);
- 	&pop	("ebx");
- 	&ret	();
--&function_end_B("Camellia_set_key");
-+&function_end_B($setkeyfunc);
- }
- 
- @SBOX=(
-diff -up openssl-1.0.0k/crypto/camellia/camellia.h.fips openssl-1.0.0k/crypto/camellia/camellia.h
---- openssl-1.0.0k/crypto/camellia/camellia.h.fips	2013-02-19 20:12:53.926652181 +0100
-+++ openssl-1.0.0k/crypto/camellia/camellia.h	2013-02-19 20:12:54.577664536 +0100
-@@ -88,6 +88,11 @@ struct camellia_key_st
- 	};
- typedef struct camellia_key_st CAMELLIA_KEY;
- 
-+#ifdef OPENSSL_FIPS
-+int private_Camellia_set_key(const unsigned char *userKey, const int bits,
-+	CAMELLIA_KEY *key);
-+#endif
-+
- int Camellia_set_key(const unsigned char *userKey, const int bits,
- 	CAMELLIA_KEY *key);
- 
-diff -up openssl-1.0.0k/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0k/crypto/camellia/cmll_fblk.c
---- openssl-1.0.0k/crypto/camellia/cmll_fblk.c.fips	2013-02-19 20:12:54.577664536 +0100
-+++ openssl-1.0.0k/crypto/camellia/cmll_fblk.c	2013-02-19 20:12:54.577664536 +0100
-@@ -0,0 +1,68 @@
-+/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */
-+/* ====================================================================
-+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+ 
-+#include <openssl/opensslv.h>
-+#include <openssl/camellia.h>
-+#include "cmll_locl.h"
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+int Camellia_set_key(const unsigned char *userKey, const int bits,
-+	CAMELLIA_KEY *key)
-+	{
-+	if (FIPS_mode())
-+		FIPS_BAD_ABORT(CAMELLIA)
-+	return private_Camellia_set_key(userKey, bits, key);
-+	}
-+#endif
-diff -up openssl-1.0.0k/crypto/camellia/cmll_misc.c.fips openssl-1.0.0k/crypto/camellia/cmll_misc.c
---- openssl-1.0.0k/crypto/camellia/cmll_misc.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/camellia/cmll_misc.c	2013-02-19 20:12:54.577664536 +0100
-@@ -52,11 +52,20 @@
- #include <openssl/opensslv.h>
- #include <openssl/camellia.h>
- #include "cmll_locl.h"
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- 
- const char CAMELLIA_version[]="CAMELLIA" OPENSSL_VERSION_PTEXT;
- 
-+#ifdef OPENSSL_FIPS
-+int private_Camellia_set_key(const unsigned char *userKey, const int bits,
-+	CAMELLIA_KEY *key)
-+#else
- int Camellia_set_key(const unsigned char *userKey, const int bits,
- 	CAMELLIA_KEY *key)
-+#endif
- 	{
- 	if(!userKey || !key)
- 		return -1;
-diff -up openssl-1.0.0k/crypto/camellia/Makefile.fips openssl-1.0.0k/crypto/camellia/Makefile
---- openssl-1.0.0k/crypto/camellia/Makefile.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/camellia/Makefile	2013-02-19 20:12:54.578664555 +0100
-@@ -23,9 +23,9 @@ APPS=
- 
- LIB=$(TOP)/libcrypto.a
- LIBSRC=camellia.c cmll_misc.c cmll_ecb.c cmll_cbc.c cmll_ofb.c \
--	   cmll_cfb.c cmll_ctr.c 
-+	   cmll_cfb.c cmll_ctr.c cmll_fblk.c
- 
--LIBOBJ= cmll_ecb.o cmll_ofb.o cmll_cfb.o cmll_ctr.o $(CMLL_ENC)
-+LIBOBJ= cmll_ecb.o cmll_ofb.o cmll_cfb.o cmll_ctr.o $(CMLL_ENC) cmll_fblk.o
- 
- SRC= $(LIBSRC)
- 
-diff -up openssl-1.0.0k/crypto/cast/cast.h.fips openssl-1.0.0k/crypto/cast/cast.h
---- openssl-1.0.0k/crypto/cast/cast.h.fips	2013-02-19 20:12:54.363660475 +0100
-+++ openssl-1.0.0k/crypto/cast/cast.h	2013-02-19 20:12:54.578664555 +0100
-@@ -83,7 +83,9 @@ typedef struct cast_key_st
- 	int short_key;	/* Use reduced rounds for short key */
- 	} CAST_KEY;
- 
-- 
-+#ifdef OPENSSL_FIPS 
-+void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
-+#endif
- void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
- void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key,
- 		      int enc);
-diff -up openssl-1.0.0k/crypto/cast/c_skey.c.fips openssl-1.0.0k/crypto/cast/c_skey.c
---- openssl-1.0.0k/crypto/cast/c_skey.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/cast/c_skey.c	2013-02-19 20:12:54.578664555 +0100
-@@ -57,6 +57,11 @@
-  */
- 
- #include <openssl/cast.h>
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #include "cast_lcl.h"
- #include "cast_s.h"
- 
-@@ -72,7 +77,7 @@
- #define S6 CAST_S_table6
- #define S7 CAST_S_table7
- 
--void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
-+FIPS_NON_FIPS_VCIPHER_Init(CAST)
- 	{
- 	CAST_LONG x[16];
- 	CAST_LONG z[16];
-diff -up openssl-1.0.0k/crypto/crypto.h.fips openssl-1.0.0k/crypto/crypto.h
---- openssl-1.0.0k/crypto/crypto.h.fips	2013-02-19 20:12:54.000000000 +0100
-+++ openssl-1.0.0k/crypto/crypto.h	2013-02-19 20:14:08.209061781 +0100
-@@ -554,12 +554,70 @@ int OPENSSL_isservice(void);
-  * non-zero. */
- int CRYPTO_memcmp(const void *a, const void *b, size_t len);
- 
-+
-+#ifdef OPENSSL_FIPS
-+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
-+		alg " previous FIPS forbidden algorithm error ignored");
-+
-+#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
-+		#alg " Algorithm forbidden in FIPS mode");
-+
-+#ifdef OPENSSL_FIPS_STRICT
-+#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
-+#else
-+#define FIPS_BAD_ALGORITHM(alg) \
-+	{ \
-+	FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
-+	ERR_add_error_data(2, "Algorithm=", #alg); \
-+	return 0; \
-+	}
-+#endif
-+
-+/* Low level digest API blocking macro */
-+
-+#define FIPS_NON_FIPS_MD_Init(alg) \
-+	int alg##_Init(alg##_CTX *c) \
-+		{ \
-+		if (FIPS_mode()) \
-+			FIPS_BAD_ALGORITHM(alg) \
-+		return private_##alg##_Init(c); \
-+		} \
-+	int private_##alg##_Init(alg##_CTX *c)
-+
-+/* For ciphers the API often varies from cipher to cipher and each needs to
-+ * be treated as a special case. Variable key length ciphers (Blowfish, RC4,
-+ * CAST) however are very similar and can use a blocking macro.
-+ */
-+
-+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
-+	void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
-+		{ \
-+		if (FIPS_mode()) \
-+			FIPS_BAD_ABORT(alg) \
-+		private_##alg##_set_key(key, len, data); \
-+		} \
-+	void private_##alg##_set_key(alg##_KEY *key, int len, \
-+					const unsigned char *data)
-+
-+#else
-+
-+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
-+	void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
-+
-+#define FIPS_NON_FIPS_MD_Init(alg) \
-+	int alg##_Init(alg##_CTX *c) 
-+
-+#endif /* def OPENSSL_FIPS */
-+
- /* BEGIN ERROR CODES */
- /* The following lines are auto generated by the script mkerr.pl. Any changes
-  * made after this point may be overwritten when the script is next run.
-  */
- void ERR_load_CRYPTO_strings(void);
- 
-+#define OPENSSL_HAVE_INIT	1
-+void OPENSSL_init_library(void);
-+
- /* Error codes for the CRYPTO functions. */
- 
- /* Function codes. */
-diff -up openssl-1.0.0k/crypto/dh/dh_err.c.fips openssl-1.0.0k/crypto/dh/dh_err.c
---- openssl-1.0.0k/crypto/dh/dh_err.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/dh/dh_err.c	2013-02-19 20:12:54.579664573 +0100
-@@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]=
- {ERR_FUNC(DH_F_COMPUTE_KEY),	"COMPUTE_KEY"},
- {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),	"DHparams_print_fp"},
- {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS),	"DH_BUILTIN_GENPARAMS"},
-+{ERR_FUNC(DH_F_DH_COMPUTE_KEY),	"DH_compute_key"},
-+{ERR_FUNC(DH_F_DH_GENERATE_KEY),	"DH_generate_key"},
- {ERR_FUNC(DH_F_DH_NEW_METHOD),	"DH_new_method"},
- {ERR_FUNC(DH_F_DH_PARAM_DECODE),	"DH_PARAM_DECODE"},
- {ERR_FUNC(DH_F_DH_PRIV_DECODE),	"DH_PRIV_DECODE"},
-@@ -94,6 +96,7 @@ static ERR_STRING_DATA DH_str_reasons[]=
- {ERR_REASON(DH_R_BN_ERROR)               ,"bn error"},
- {ERR_REASON(DH_R_DECODE_ERROR)           ,"decode error"},
- {ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"},
-+{ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL)     ,"key size too small"},
- {ERR_REASON(DH_R_KEYS_NOT_SET)           ,"keys not set"},
- {ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},
- {ERR_REASON(DH_R_NO_PARAMETERS_SET)      ,"no parameters set"},
-diff -up openssl-1.0.0k/crypto/dh/dh_gen.c.fips openssl-1.0.0k/crypto/dh/dh_gen.c
---- openssl-1.0.0k/crypto/dh/dh_gen.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/dh/dh_gen.c	2013-02-19 20:12:54.579664573 +0100
-@@ -65,6 +65,10 @@
- #include "cryptlib.h"
- #include <openssl/bn.h>
- #include <openssl/dh.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- 
- static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
- 
-@@ -106,6 +110,20 @@ static int dh_builtin_genparams(DH *ret,
- 	int g,ok= -1;
- 	BN_CTX *ctx=NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_selftest_failed())
-+		{
-+		FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED);
-+		return 0;
-+		}
-+
-+	if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+		{
-+		DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
-+		goto err;
-+		}
-+#endif
-+
- 	ctx=BN_CTX_new();
- 	if (ctx == NULL) goto err;
- 	BN_CTX_start(ctx);
-diff -up openssl-1.0.0k/crypto/dh/dh.h.fips openssl-1.0.0k/crypto/dh/dh.h
---- openssl-1.0.0k/crypto/dh/dh.h.fips	2013-02-19 20:12:54.259658499 +0100
-+++ openssl-1.0.0k/crypto/dh/dh.h	2013-02-19 20:12:54.580664592 +0100
-@@ -77,6 +77,8 @@
- # define OPENSSL_DH_MAX_MODULUS_BITS	10000
- #endif
- 
-+#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+
- #define DH_FLAG_CACHE_MONT_P     0x01
- #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-                                        * implementation now uses constant time
-@@ -241,6 +243,8 @@ void ERR_load_DH_strings(void);
- #define DH_F_GENERATE_PARAMETERS			 104
- #define DH_F_PKEY_DH_DERIVE				 112
- #define DH_F_PKEY_DH_KEYGEN				 113
-+#define DH_F_DH_COMPUTE_KEY				 114
-+#define DH_F_DH_GENERATE_KEY			 115
- 
- /* Reason codes. */
- #define DH_R_BAD_GENERATOR				 101
-@@ -253,6 +257,7 @@ void ERR_load_DH_strings(void);
- #define DH_R_NO_PARAMETERS_SET				 107
- #define DH_R_NO_PRIVATE_VALUE				 100
- #define DH_R_PARAMETER_ENCODING_ERROR			 105
-+#define DH_R_KEY_SIZE_TOO_SMALL				 110
- 
- #ifdef  __cplusplus
- }
-diff -up openssl-1.0.0k/crypto/dh/dh_key.c.fips openssl-1.0.0k/crypto/dh/dh_key.c
---- openssl-1.0.0k/crypto/dh/dh_key.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/dh/dh_key.c	2013-02-19 20:12:54.580664592 +0100
-@@ -61,6 +61,9 @@
- #include <openssl/bn.h>
- #include <openssl/rand.h>
- #include <openssl/dh.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- 
- static int generate_key(DH *dh);
- static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
-@@ -107,6 +110,14 @@ static int generate_key(DH *dh)
- 	BN_MONT_CTX *mont=NULL;
- 	BIGNUM *pub_key=NULL,*priv_key=NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+		{
-+		DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+		return 0;
-+		}
-+#endif
-+
- 	ctx = BN_CTX_new();
- 	if (ctx == NULL) goto err;
- 
-@@ -184,6 +195,13 @@ static int compute_key(unsigned char *ke
- 		DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
- 		goto err;
- 		}
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+		{
-+		DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+		goto err;
-+		}
-+#endif
- 
- 	ctx = BN_CTX_new();
- 	if (ctx == NULL) goto err;
-@@ -251,6 +269,9 @@ static int dh_bn_mod_exp(const DH *dh, B
- 
- static int dh_init(DH *dh)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 	dh->flags |= DH_FLAG_CACHE_MONT_P;
- 	return(1);
- 	}
-diff -up openssl-1.0.0k/crypto/dsa/dsa_gen.c.fips openssl-1.0.0k/crypto/dsa/dsa_gen.c
---- openssl-1.0.0k/crypto/dsa/dsa_gen.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/dsa/dsa_gen.c	2013-02-19 20:12:54.580664592 +0100
-@@ -77,8 +77,12 @@
- #include "cryptlib.h"
- #include <openssl/evp.h>
- #include <openssl/bn.h>
-+#include <openssl/dsa.h>
- #include <openssl/rand.h>
- #include <openssl/sha.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- #include "dsa_locl.h"
- 
- int DSA_generate_parameters_ex(DSA *ret, int bits,
-@@ -126,6 +130,21 @@ int dsa_builtin_paramgen(DSA *ret, size_
- 	BN_CTX *ctx=NULL;
- 	unsigned int h=2;
- 
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_selftest_failed())
-+	    {
-+	    FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN,
-+		    FIPS_R_FIPS_SELFTEST_FAILED);
-+	    goto err;
-+	    }
-+
-+	if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+		{
-+		DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
-+		goto err;
-+		}
-+#endif
-+
- 	if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
- 	    qsize != SHA256_DIGEST_LENGTH)
- 		/* invalid q size */
-diff -up openssl-1.0.0k/crypto/dsa/dsa.h.fips openssl-1.0.0k/crypto/dsa/dsa.h
---- openssl-1.0.0k/crypto/dsa/dsa.h.fips	2013-02-19 20:12:54.099655464 +0100
-+++ openssl-1.0.0k/crypto/dsa/dsa.h	2013-02-19 20:12:54.581664610 +0100
-@@ -88,6 +88,8 @@
- # define OPENSSL_DSA_MAX_MODULUS_BITS	10000
- #endif
- 
-+#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+
- #define DSA_FLAG_CACHE_MONT_P	0x01
- #define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
-                                               * implementation now uses constant time
-@@ -97,6 +99,21 @@
-                                               * be used for all exponents.
-                                               */
- 
-+/* If this flag is set the DSA method is FIPS compliant and can be used
-+ * in FIPS mode. This is set in the validated module method. If an
-+ * application sets this flag in its own methods it is its reposibility
-+ * to ensure the result is compliant.
-+ */
-+
-+#define DSA_FLAG_FIPS_METHOD			0x0400
-+
-+/* If this flag is set the operations normally disabled in FIPS mode are
-+ * permitted it is then the applications responsibility to ensure that the
-+ * usage is compliant.
-+ */
-+
-+#define DSA_FLAG_NON_FIPS_ALLOW			0x0400
-+
- #ifdef  __cplusplus
- extern "C" {
- #endif
-@@ -270,8 +287,11 @@ void ERR_load_DSA_strings(void);
- #define DSA_F_DO_DSA_PRINT				 104
- #define DSA_F_DSAPARAMS_PRINT				 100
- #define DSA_F_DSAPARAMS_PRINT_FP			 101
-+#define DSA_F_DSA_BUILTIN_KEYGEN			 124
-+#define DSA_F_DSA_BUILTIN_PARAMGEN			 123
- #define DSA_F_DSA_DO_SIGN				 112
- #define DSA_F_DSA_DO_VERIFY				 113
-+#define DSA_F_DSA_GENERATE_PARAMETERS			 125
- #define DSA_F_DSA_NEW_METHOD				 103
- #define DSA_F_DSA_PARAM_DECODE				 119
- #define DSA_F_DSA_PRINT_FP				 105
-@@ -296,9 +316,12 @@ void ERR_load_DSA_strings(void);
- #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 100
- #define DSA_R_DECODE_ERROR				 104
- #define DSA_R_INVALID_DIGEST_TYPE			 106
-+#define DSA_R_KEY_SIZE_TOO_SMALL			 110
- #define DSA_R_MISSING_PARAMETERS			 101
- #define DSA_R_MODULUS_TOO_LARGE				 103
-+#define DSA_R_NON_FIPS_METHOD				 111
- #define DSA_R_NO_PARAMETERS_SET				 107
-+#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE	 112
- #define DSA_R_PARAMETER_ENCODING_ERROR			 105
- 
- #ifdef  __cplusplus
-diff -up openssl-1.0.0k/crypto/dsa/dsa_key.c.fips openssl-1.0.0k/crypto/dsa/dsa_key.c
---- openssl-1.0.0k/crypto/dsa/dsa_key.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/dsa/dsa_key.c	2013-02-19 20:12:54.581664610 +0100
-@@ -63,9 +63,55 @@
- #include <openssl/bn.h>
- #include <openssl/dsa.h>
- #include <openssl/rand.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include "fips_locl.h"
- 
- static int dsa_builtin_keygen(DSA *dsa);
- 
-+#ifdef OPENSSL_FIPS
-+
-+static int fips_dsa_pairwise_fail = 0;
-+
-+void FIPS_corrupt_dsa_keygen(void)
-+	{
-+	fips_dsa_pairwise_fail = 1;
-+	}
-+
-+int fips_check_dsa(DSA *dsa)
-+	{
-+	EVP_PKEY *pk;
-+	unsigned char tbs[] = "DSA Pairwise Check Data";
-+	int ret = 0;
-+
-+    	if ((pk=EVP_PKEY_new()) == NULL)
-+		goto err;
-+
-+	EVP_PKEY_set1_DSA(pk, dsa);
-+
-+	if (!fips_pkey_signature_test(pk, tbs, -1,
-+					NULL, 0, EVP_sha1(), 0, NULL))
-+		goto err;
-+
-+	ret = 1;
-+
-+err:
-+	if (ret == 0)
-+		{
-+		fips_set_selftest_fail();
-+		FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
-+		}
-+
-+	if (pk)
-+		EVP_PKEY_free(pk);
-+
-+	return ret;
-+	}
-+#endif
-+
- int DSA_generate_key(DSA *dsa)
- 	{
- 	if(dsa->meth->dsa_keygen)
-@@ -79,6 +125,14 @@ static int dsa_builtin_keygen(DSA *dsa)
- 	BN_CTX *ctx=NULL;
- 	BIGNUM *pub_key=NULL,*priv_key=NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+		{
-+		DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
-+		goto err;
-+		}
-+#endif
-+
- 	if ((ctx=BN_CTX_new()) == NULL) goto err;
- 
- 	if (dsa->priv_key == NULL)
-@@ -117,6 +171,15 @@ static int dsa_builtin_keygen(DSA *dsa)
- 
- 	dsa->priv_key=priv_key;
- 	dsa->pub_key=pub_key;
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode())
-+		{
-+		if (fips_dsa_pairwise_fail)
-+			BN_add_word(dsa->pub_key, 1);
-+		if(!fips_check_dsa(dsa))
-+		    goto err;
-+		}
-+#endif
- 	ok=1;
- 
- err:
-diff -up openssl-1.0.0k/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0k/crypto/dsa/dsa_ossl.c
---- openssl-1.0.0k/crypto/dsa/dsa_ossl.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/dsa/dsa_ossl.c	2013-02-19 20:12:54.582664628 +0100
-@@ -65,6 +65,9 @@
- #include <openssl/dsa.h>
- #include <openssl/rand.h>
- #include <openssl/asn1.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- 
- static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
- static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
-@@ -82,7 +85,7 @@ NULL, /* dsa_mod_exp, */
- NULL, /* dsa_bn_mod_exp, */
- dsa_init,
- dsa_finish,
--0,
-+DSA_FLAG_FIPS_METHOD,
- NULL,
- NULL,
- NULL
-@@ -137,6 +140,20 @@ static DSA_SIG *dsa_do_sign(const unsign
- 	int reason=ERR_R_BN_LIB;
- 	DSA_SIG *ret=NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_selftest_failed())
-+	    {
-+	    FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-+	    return NULL;
-+	    }
-+
-+	if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+		{
-+		DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
-+		return NULL;
-+		}
-+#endif
-+
- 	BN_init(&m);
- 	BN_init(&xr);
- 
-@@ -303,6 +320,20 @@ static int dsa_do_verify(const unsigned
- 		return -1;
- 		}
- 
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_selftest_failed())
-+	    {
-+	    FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-+	    return -1;
-+	    }
-+
-+	if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+		{
-+		DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
-+		return -1;
-+		}
-+#endif
-+
- 	i = BN_num_bits(dsa->q);
- 	/* fips 186-3 allows only different sizes for q */
- 	if (i != 160 && i != 224 && i != 256)
-@@ -385,6 +416,9 @@ static int dsa_do_verify(const unsigned
- 
- static int dsa_init(DSA *dsa)
- {
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 	dsa->flags|=DSA_FLAG_CACHE_MONT_P;
- 	return(1);
- }
-diff -up openssl-1.0.0k/crypto/err/err_all.c.fips openssl-1.0.0k/crypto/err/err_all.c
---- openssl-1.0.0k/crypto/err/err_all.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/err/err_all.c	2013-02-19 20:12:54.582664628 +0100
-@@ -98,6 +98,9 @@
- #include <openssl/ocsp.h>
- #include <openssl/err.h>
- #include <openssl/ts.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- #ifndef OPENSSL_NO_CMS
- #include <openssl/cms.h>
- #endif
-@@ -152,6 +155,9 @@ void ERR_load_crypto_strings(void)
- #endif
- 	ERR_load_OCSP_strings();
- 	ERR_load_UI_strings();
-+#ifdef OPENSSL_FIPS
-+	ERR_load_FIPS_strings();
-+#endif
- #ifndef OPENSSL_NO_CMS
- 	ERR_load_CMS_strings();
- #endif
-diff -up openssl-1.0.0k/crypto/evp/digest.c.fips openssl-1.0.0k/crypto/evp/digest.c
---- openssl-1.0.0k/crypto/evp/digest.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/digest.c	2013-02-19 20:12:54.582664628 +0100
-@@ -116,6 +116,7 @@
- #ifndef OPENSSL_NO_ENGINE
- #include <openssl/engine.h>
- #endif
-+#include "evp_locl.h"
- 
- void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
- 	{
-@@ -138,9 +139,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
- 	return EVP_DigestInit_ex(ctx, type, NULL);
- 	}
- 
-+#ifdef OPENSSL_FIPS
-+
-+/* The purpose of these is to trap programs that attempt to use non FIPS
-+ * algorithms in FIPS mode and ignore the errors.
-+ */
-+
-+static int bad_init(EVP_MD_CTX *ctx)
-+	{ FIPS_ERROR_IGNORED("Digest init"); return 0;}
-+
-+static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count)
-+	{ FIPS_ERROR_IGNORED("Digest update"); return 0;}
-+
-+static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
-+	{ FIPS_ERROR_IGNORED("Digest Final"); return 0;}
-+
-+static const EVP_MD bad_md =
-+	{
-+	0,
-+	0,
-+	0,
-+	0,
-+	bad_init,
-+	bad_update,
-+	bad_final,
-+	NULL,
-+	NULL,
-+	NULL,
-+	0,
-+	{0,0,0,0},
-+	};
-+
-+#endif
-+
- int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
- 	{
- 	EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_selftest_failed())
-+		{
-+		FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+		ctx->digest = &bad_md;
-+		return 0;
-+		}
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- 	/* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
- 	 * so this context may already have an ENGINE! Try to avoid releasing
-@@ -197,6 +239,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
- #endif
- 	if (ctx->digest != type)
- 		{
-+#ifdef OPENSSL_FIPS
-+		if (FIPS_mode())
-+			{
-+			if (!(type->flags & EVP_MD_FLAG_FIPS) 
-+			 && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
-+				{
-+				EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+				ctx->digest = &bad_md;
-+				return 0;
-+				}
-+			}
-+#endif
- 		if (ctx->digest && ctx->digest->ctx_size)
- 			OPENSSL_free(ctx->md_data);
- 		ctx->digest=type;
-@@ -230,6 +284,9 @@ skip_to_init:
- 
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 	return ctx->update(ctx,data,count);
- 	}
- 
-@@ -246,6 +303,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
- int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
- 	{
- 	int ret;
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 
- 	OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
- 	ret=ctx->digest->final(ctx,md);
-diff -up openssl-1.0.0k/crypto/evp/e_aes.c.fips openssl-1.0.0k/crypto/evp/e_aes.c
---- openssl-1.0.0k/crypto/evp/e_aes.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/e_aes.c	2013-02-19 20:12:54.583664647 +0100
-@@ -69,32 +69,29 @@ typedef struct
- 
- IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
- 		       NID_aes_128, 16, 16, 16, 128,
--		       0, aes_init_key, NULL, 
--		       EVP_CIPHER_set_asn1_iv,
--		       EVP_CIPHER_get_asn1_iv,
--		       NULL)
-+		       EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+		       aes_init_key,
-+		       NULL, NULL, NULL, NULL)
- IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
- 		       NID_aes_192, 16, 24, 16, 128,
--		       0, aes_init_key, NULL, 
--		       EVP_CIPHER_set_asn1_iv,
--		       EVP_CIPHER_get_asn1_iv,
--		       NULL)
-+		       EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+		       aes_init_key,
-+		       NULL, NULL, NULL, NULL)
- IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
- 		       NID_aes_256, 16, 32, 16, 128,
--		       0, aes_init_key, NULL, 
--		       EVP_CIPHER_set_asn1_iv,
--		       EVP_CIPHER_get_asn1_iv,
--		       NULL)
-+		       EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+		       aes_init_key,
-+		       NULL, NULL, NULL, NULL)
- 
--#define IMPLEMENT_AES_CFBR(ksize,cbits)	IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16)
-+#define IMPLEMENT_AES_CFBR(ksize,cbits,flags)	IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
- 
--IMPLEMENT_AES_CFBR(128,1)
--IMPLEMENT_AES_CFBR(192,1)
--IMPLEMENT_AES_CFBR(256,1)
-+IMPLEMENT_AES_CFBR(128,1,EVP_CIPH_FLAG_FIPS)
-+IMPLEMENT_AES_CFBR(192,1,EVP_CIPH_FLAG_FIPS)
-+IMPLEMENT_AES_CFBR(256,1,EVP_CIPH_FLAG_FIPS)
- 
--IMPLEMENT_AES_CFBR(128,8)
--IMPLEMENT_AES_CFBR(192,8)
--IMPLEMENT_AES_CFBR(256,8)
-+IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
-+IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
-+IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
- 
- static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- 		   const unsigned char *iv, int enc)
-diff -up openssl-1.0.0k/crypto/evp/e_camellia.c.fips openssl-1.0.0k/crypto/evp/e_camellia.c
---- openssl-1.0.0k/crypto/evp/e_camellia.c.fips	2013-02-05 12:47:28.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/e_camellia.c	2013-02-19 20:12:54.583664647 +0100
-@@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks,
- 	EVP_CIPHER_get_asn1_iv,
- 	NULL)
- 
--#define IMPLEMENT_CAMELLIA_CFBR(ksize,cbits)	IMPLEMENT_CFBR(camellia,Camellia,EVP_CAMELLIA_KEY,ks,ksize,cbits,16)
-+#define IMPLEMENT_CAMELLIA_CFBR(ksize,cbits)	IMPLEMENT_CFBR(camellia,Camellia,EVP_CAMELLIA_KEY,ks,ksize,cbits,16,0)
- 
- IMPLEMENT_CAMELLIA_CFBR(128,1)
- IMPLEMENT_CAMELLIA_CFBR(192,1)
-diff -up openssl-1.0.0k/crypto/evp/e_des3.c.fips openssl-1.0.0k/crypto/evp/e_des3.c
---- openssl-1.0.0k/crypto/evp/e_des3.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/e_des3.c	2013-02-19 20:12:54.583664647 +0100
-@@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH
-     }
- 
- BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
--			EVP_CIPH_RAND_KEY, des_ede_init_key, NULL, 
--			EVP_CIPHER_set_asn1_iv,
--			EVP_CIPHER_get_asn1_iv,
-+		EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+			des_ede_init_key,
-+			NULL, NULL, NULL,
- 			des3_ctrl)
- 
- #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
-@@ -217,21 +217,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
- #define des_ede3_ecb_cipher des_ede_ecb_cipher
- 
- BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
--			EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL, 
--			EVP_CIPHER_set_asn1_iv,
--			EVP_CIPHER_get_asn1_iv,
-+		EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+			des_ede3_init_key,
-+			NULL, NULL, NULL,
- 			des3_ctrl)
- 
- BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
--		     EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
--		     EVP_CIPHER_set_asn1_iv,
--		     EVP_CIPHER_get_asn1_iv,
-+		EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+		     des_ede3_init_key,
-+		     NULL, NULL, NULL,
- 		     des3_ctrl)
- 
- BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
--		     EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
--		     EVP_CIPHER_set_asn1_iv,
--		     EVP_CIPHER_get_asn1_iv,
-+		EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+		     des_ede3_init_key,
-+		     NULL, NULL, NULL,
- 		     des3_ctrl)
- 
- static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-diff -up openssl-1.0.0k/crypto/evp/e_null.c.fips openssl-1.0.0k/crypto/evp/e_null.c
---- openssl-1.0.0k/crypto/evp/e_null.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/e_null.c	2013-02-19 20:12:54.584664666 +0100
-@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher=
- 	{
- 	NID_undef,
- 	1,0,0,
--	0,
-+	EVP_CIPH_FLAG_FIPS,
- 	null_init_key,
- 	null_cipher,
- 	NULL,
-diff -up openssl-1.0.0k/crypto/evp/e_rc4.c.fips openssl-1.0.0k/crypto/evp/e_rc4.c
---- openssl-1.0.0k/crypto/evp/e_rc4.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/e_rc4.c	2013-02-19 20:12:54.584664666 +0100
-@@ -64,6 +64,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/rc4.h>
-+#include "evp_locl.h"
- 
- /* FIXME: surely this is available elsewhere? */
- #define EVP_RC4_KEY_SIZE		16
-diff -up openssl-1.0.0k/crypto/evp/evp_enc.c.fips openssl-1.0.0k/crypto/evp/evp_enc.c
---- openssl-1.0.0k/crypto/evp/evp_enc.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/evp_enc.c	2013-02-19 20:12:54.584664666 +0100
-@@ -68,8 +68,53 @@
- 
- const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
- 
-+#ifdef OPENSSL_FIPS
-+
-+/* The purpose of these is to trap programs that attempt to use non FIPS
-+ * algorithms in FIPS mode and ignore the errors.
-+ */
-+
-+static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+		    const unsigned char *iv, int enc)
-+	{ FIPS_ERROR_IGNORED("Cipher init"); return 0;}
-+
-+static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+			 const unsigned char *in, unsigned int inl)
-+	{ FIPS_ERROR_IGNORED("Cipher update"); return 0;}
-+
-+/* NB: no cleanup because it is allowed after failed init */
-+
-+static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
-+	{ FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
-+static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
-+	{ FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
-+static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-+	{ FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
-+
-+static const EVP_CIPHER bad_cipher =
-+	{
-+	0,
-+	0,
-+	0,
-+	0,
-+	0,
-+	bad_init,
-+	bad_do_cipher,
-+	NULL,
-+	0,
-+	bad_set_asn1,
-+	bad_get_asn1,
-+	bad_ctrl,
-+	NULL
-+	};
-+
-+#endif
-+
- void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 	memset(ctx,0,sizeof(EVP_CIPHER_CTX));
- 	/* ctx->cipher=NULL; */
- 	}
-@@ -101,6 +146,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- 			enc = 1;
- 		ctx->encrypt = enc;
- 		}
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_selftest_failed())
-+		{
-+		FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+		ctx->cipher = &bad_cipher;
-+		return 0;
-+		}
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- 	/* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
- 	 * so this context may already have an ENGINE! Try to avoid releasing
-@@ -220,6 +273,22 @@ skip_to_init:
- 		}
- 	}
- 
-+#ifdef OPENSSL_FIPS
-+	/* After 'key' is set no further parameters changes are permissible.
-+	 * So only check for non FIPS enabling at this point.
-+	 */
-+	if (key && FIPS_mode())
-+		{
-+		if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
-+			& !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
-+			{
-+			EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+			ctx->cipher = &bad_cipher;
-+			return 0;
-+			}
-+		}
-+#endif
-+
- 	if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
- 		if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
- 	}
-diff -up openssl-1.0.0k/crypto/evp/evp_err.c.fips openssl-1.0.0k/crypto/evp/evp_err.c
---- openssl-1.0.0k/crypto/evp/evp_err.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/evp_err.c	2013-02-19 20:12:54.585664685 +0100
-@@ -155,6 +155,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
- {ERR_REASON(EVP_R_DECODE_ERROR)          ,"decode error"},
- {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES)   ,"different key types"},
- {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS)  ,"different parameters"},
-+{ERR_REASON(EVP_R_DISABLED_FOR_FIPS)     ,"disabled for fips"},
- {ERR_REASON(EVP_R_ENCODE_ERROR)          ,"encode error"},
- {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
- {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY)  ,"expecting an rsa key"},
-diff -up openssl-1.0.0k/crypto/evp/evp.h.fips openssl-1.0.0k/crypto/evp/evp.h
---- openssl-1.0.0k/crypto/evp/evp.h.fips	2013-02-19 20:12:54.344660112 +0100
-+++ openssl-1.0.0k/crypto/evp/evp.h	2013-02-19 20:12:54.585664685 +0100
-@@ -75,6 +75,10 @@
- #include <openssl/bio.h>
- #endif
- 
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- /*
- #define EVP_RC2_KEY_SIZE		16
- #define EVP_RC4_KEY_SIZE		16
-@@ -197,6 +201,8 @@ typedef int evp_verify_method(int type,c
- 
- #define EVP_MD_FLAG_PKEY_METHOD_SIGNATURE	0x0004
- 
-+#define EVP_MD_FLAG_FIPS	0x0400 /* Note if suitable for use in FIPS mode */
-+
- /* DigestAlgorithmIdentifier flags... */
- 
- #define EVP_MD_FLAG_DIGALGID_MASK		0x0018
-@@ -269,10 +275,6 @@ struct env_md_ctx_st
- 						* cleaned */
- #define EVP_MD_CTX_FLAG_REUSE		0x0004 /* Don't free up ctx->md_data
- 						* in EVP_MD_CTX_cleanup */
--/* FIPS and pad options are ignored in 1.0.0, definitions are here
-- * so we don't accidentally reuse the values for other purposes.
-- */
--
- #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW	0x0008	/* Allow use of non FIPS digest
- 						 * in FIPS mode */
- 
-@@ -284,6 +286,10 @@ struct env_md_ctx_st
- #define EVP_MD_CTX_FLAG_PAD_PKCS1	0x00	/* PKCS#1 v1.5 mode */
- #define EVP_MD_CTX_FLAG_PAD_X931	0x10	/* X9.31 mode */
- #define EVP_MD_CTX_FLAG_PAD_PSS		0x20	/* PSS mode */
-+#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
-+		((ctx->flags>>16) &0xFFFF) /* seed length */
-+#define EVP_MD_CTX_FLAG_PSS_MDLEN	0xFFFF	/* salt len same as digest */
-+#define EVP_MD_CTX_FLAG_PSS_MREC	0xFFFE	/* salt max or auto recovered */
- 
- #define EVP_MD_CTX_FLAG_NO_INIT		0x0100 /* Don't initialize md_data */
- 
-@@ -330,12 +336,16 @@ struct evp_cipher_st
- #define 	EVP_CIPH_NO_PADDING		0x100
- /* cipher handles random key generation */
- #define 	EVP_CIPH_RAND_KEY		0x200
--/* cipher has its own additional copying logic */
--#define 	EVP_CIPH_CUSTOM_COPY		0x400
-+/* Note if suitable for use in FIPS mode */
-+#define		EVP_CIPH_FLAG_FIPS		0x400
-+/* Allow non FIPS cipher in FIPS mode */
-+#define		EVP_CIPH_FLAG_NON_FIPS_ALLOW	0x800
- /* Allow use default ASN1 get/set iv */
- #define		EVP_CIPH_FLAG_DEFAULT_ASN1	0x1000
- /* Buffer length in bits not bytes: CFB1 mode only */
- #define		EVP_CIPH_FLAG_LENGTH_BITS	0x2000
-+/* cipher has its own additional copying logic */
-+#define 	EVP_CIPH_CUSTOM_COPY		0x4000
- 
- /* ctrl() values */
- 
-@@ -1239,6 +1249,7 @@ void ERR_load_EVP_strings(void);
- #define EVP_R_DECODE_ERROR				 114
- #define EVP_R_DIFFERENT_KEY_TYPES			 101
- #define EVP_R_DIFFERENT_PARAMETERS			 153
-+#define EVP_R_DISABLED_FOR_FIPS				 160
- #define EVP_R_ENCODE_ERROR				 115
- #define EVP_R_EVP_PBE_CIPHERINIT_ERROR			 119
- #define EVP_R_EXPECTING_AN_RSA_KEY			 127
-diff -up openssl-1.0.0k/crypto/evp/evp_lib.c.fips openssl-1.0.0k/crypto/evp/evp_lib.c
---- openssl-1.0.0k/crypto/evp/evp_lib.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/evp_lib.c	2013-02-19 20:12:54.586664704 +0100
-@@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_
- 
- 	if (c->cipher->set_asn1_parameters != NULL)
- 		ret=c->cipher->set_asn1_parameters(c,type);
-+	else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
-+		ret=EVP_CIPHER_set_asn1_iv(c, type);
- 	else
- 		ret=-1;
- 	return(ret);
-@@ -78,6 +80,8 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_
- 
- 	if (c->cipher->get_asn1_parameters != NULL)
- 		ret=c->cipher->get_asn1_parameters(c,type);
-+	else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
-+		ret=EVP_CIPHER_get_asn1_iv(c, type);
- 	else
- 		ret=-1;
- 	return(ret);
-@@ -186,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
- 
- int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 	return ctx->cipher->do_cipher(ctx,out,in,inl);
- 	}
- 
-diff -up openssl-1.0.0k/crypto/evp/evp_locl.h.fips openssl-1.0.0k/crypto/evp/evp_locl.h
---- openssl-1.0.0k/crypto/evp/evp_locl.h.fips	2013-02-19 20:12:54.335659942 +0100
-+++ openssl-1.0.0k/crypto/evp/evp_locl.h	2013-02-19 20:12:54.586664704 +0100
-@@ -254,14 +254,32 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
- 
- #define EVP_C_DATA(kstruct, ctx)	((kstruct *)(ctx)->cipher_data)
- 
--#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \
-+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,fl) \
- 	BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
- 	BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
- 			     NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
--			     0, cipher##_init_key, NULL, \
--			     EVP_CIPHER_set_asn1_iv, \
--			     EVP_CIPHER_get_asn1_iv, \
--			     NULL)
-+			     (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \
-+			     cipher##_init_key, NULL, NULL, NULL, NULL)
-+
-+#ifdef OPENSSL_FIPS
-+#define RC2_set_key	private_RC2_set_key
-+#define RC4_set_key	private_RC4_set_key
-+#define CAST_set_key	private_CAST_set_key
-+#define RC5_32_set_key	private_RC5_32_set_key
-+#define BF_set_key	private_BF_set_key
-+#define SEED_set_key	private_SEED_set_key
-+#define Camellia_set_key private_Camellia_set_key
-+#define idea_set_encrypt_key private_idea_set_encrypt_key
-+
-+#define MD5_Init	private_MD5_Init
-+#define MD4_Init	private_MD4_Init
-+#define MD2_Init	private_MD2_Init
-+#define MDC2_Init	private_MDC2_Init
-+#define SHA_Init	private_SHA_Init
-+#define RIPEMD160_Init	private_RIPEMD160_Init
-+#define WHIRLPOOL_Init	private_WHIRLPOOL_Init
-+
-+#endif
- 
- struct evp_pkey_ctx_st
- 	{
-diff -up openssl-1.0.0k/crypto/evp/m_dss1.c.fips openssl-1.0.0k/crypto/evp/m_dss1.c
---- openssl-1.0.0k/crypto/evp/m_dss1.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_dss1.c	2013-02-19 20:12:54.587664724 +0100
-@@ -82,7 +82,7 @@ static const EVP_MD dss1_md=
- 	NID_dsa,
- 	NID_dsaWithSHA1,
- 	SHA_DIGEST_LENGTH,
--	EVP_MD_FLAG_PKEY_DIGEST,
-+	EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
- 	init,
- 	update,
- 	final,
-diff -up openssl-1.0.0k/crypto/evp/m_dss.c.fips openssl-1.0.0k/crypto/evp/m_dss.c
---- openssl-1.0.0k/crypto/evp/m_dss.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_dss.c	2013-02-19 20:12:54.587664724 +0100
-@@ -81,7 +81,7 @@ static const EVP_MD dsa_md=
- 	NID_dsaWithSHA,
- 	NID_dsaWithSHA,
- 	SHA_DIGEST_LENGTH,
--	EVP_MD_FLAG_PKEY_DIGEST,
-+	EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
- 	init,
- 	update,
- 	final,
-diff -up openssl-1.0.0k/crypto/evp/m_md2.c.fips openssl-1.0.0k/crypto/evp/m_md2.c
---- openssl-1.0.0k/crypto/evp/m_md2.c.fips	2013-02-05 12:47:28.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_md2.c	2013-02-19 20:12:54.587664724 +0100
-@@ -68,6 +68,7 @@
- #ifndef OPENSSL_NO_RSA
- #include <openssl/rsa.h>
- #endif
-+#include "evp_locl.h"
- 
- static int init(EVP_MD_CTX *ctx)
- 	{ return MD2_Init(ctx->md_data); }
-diff -up openssl-1.0.0k/crypto/evp/m_md4.c.fips openssl-1.0.0k/crypto/evp/m_md4.c
---- openssl-1.0.0k/crypto/evp/m_md4.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_md4.c	2013-02-19 20:12:54.588664743 +0100
-@@ -68,6 +68,7 @@
- #ifndef OPENSSL_NO_RSA
- #include <openssl/rsa.h>
- #endif
-+#include "evp_locl.h"
- 
- static int init(EVP_MD_CTX *ctx)
- 	{ return MD4_Init(ctx->md_data); }
-diff -up openssl-1.0.0k/crypto/evp/m_md5.c.fips openssl-1.0.0k/crypto/evp/m_md5.c
---- openssl-1.0.0k/crypto/evp/m_md5.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_md5.c	2013-02-19 20:12:54.588664743 +0100
-@@ -68,6 +68,7 @@
- #ifndef OPENSSL_NO_RSA
- #include <openssl/rsa.h>
- #endif
-+#include "evp_locl.h"
- 
- static int init(EVP_MD_CTX *ctx)
- 	{ return MD5_Init(ctx->md_data); }
-diff -up openssl-1.0.0k/crypto/evp/m_mdc2.c.fips openssl-1.0.0k/crypto/evp/m_mdc2.c
---- openssl-1.0.0k/crypto/evp/m_mdc2.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_mdc2.c	2013-02-19 20:12:54.587664724 +0100
-@@ -68,6 +68,7 @@
- #ifndef OPENSSL_NO_RSA
- #include <openssl/rsa.h>
- #endif
-+#include "evp_locl.h"
- 
- static int init(EVP_MD_CTX *ctx)
- 	{ return MDC2_Init(ctx->md_data); }
-diff -up openssl-1.0.0k/crypto/evp/m_ripemd.c.fips openssl-1.0.0k/crypto/evp/m_ripemd.c
---- openssl-1.0.0k/crypto/evp/m_ripemd.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_ripemd.c	2013-02-19 20:12:54.588664743 +0100
-@@ -68,6 +68,7 @@
- #ifndef OPENSSL_NO_RSA
- #include <openssl/rsa.h>
- #endif
-+#include "evp_locl.h"
- 
- static int init(EVP_MD_CTX *ctx)
- 	{ return RIPEMD160_Init(ctx->md_data); }
-diff -up openssl-1.0.0k/crypto/evp/m_sha1.c.fips openssl-1.0.0k/crypto/evp/m_sha1.c
---- openssl-1.0.0k/crypto/evp/m_sha1.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_sha1.c	2013-02-19 20:12:54.589664762 +0100
-@@ -82,7 +82,8 @@ static const EVP_MD sha1_md=
- 	NID_sha1,
- 	NID_sha1WithRSAEncryption,
- 	SHA_DIGEST_LENGTH,
--	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+		EVP_MD_FLAG_FIPS,
- 	init,
- 	update,
- 	final,
-@@ -119,7 +120,8 @@ static const EVP_MD sha224_md=
- 	NID_sha224,
- 	NID_sha224WithRSAEncryption,
- 	SHA224_DIGEST_LENGTH,
--	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+		EVP_MD_FLAG_FIPS,
- 	init224,
- 	update256,
- 	final256,
-@@ -138,7 +140,8 @@ static const EVP_MD sha256_md=
- 	NID_sha256,
- 	NID_sha256WithRSAEncryption,
- 	SHA256_DIGEST_LENGTH,
--	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+		EVP_MD_FLAG_FIPS,
- 	init256,
- 	update256,
- 	final256,
-@@ -169,7 +172,8 @@ static const EVP_MD sha384_md=
- 	NID_sha384,
- 	NID_sha384WithRSAEncryption,
- 	SHA384_DIGEST_LENGTH,
--	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+		EVP_MD_FLAG_FIPS,
- 	init384,
- 	update512,
- 	final512,
-@@ -188,7 +192,8 @@ static const EVP_MD sha512_md=
- 	NID_sha512,
- 	NID_sha512WithRSAEncryption,
- 	SHA512_DIGEST_LENGTH,
--	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+	EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+		EVP_MD_FLAG_FIPS,
- 	init512,
- 	update512,
- 	final512,
-diff -up openssl-1.0.0k/crypto/evp/m_wp.c.fips openssl-1.0.0k/crypto/evp/m_wp.c
---- openssl-1.0.0k/crypto/evp/m_wp.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/m_wp.c	2013-02-19 20:12:54.589664762 +0100
-@@ -9,6 +9,7 @@
- #include <openssl/objects.h>
- #include <openssl/x509.h>
- #include <openssl/whrlpool.h>
-+#include "evp_locl.h"
- 
- static int init(EVP_MD_CTX *ctx)
- 	{ return WHIRLPOOL_Init(ctx->md_data); }
-diff -up openssl-1.0.0k/crypto/evp/names.c.fips openssl-1.0.0k/crypto/evp/names.c
---- openssl-1.0.0k/crypto/evp/names.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/names.c	2013-02-19 20:12:54.589664762 +0100
-@@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c)
- 	{
- 	int r;
- 
-+#ifdef OPENSSL_FIPS
-+	OPENSSL_init_library();
-+#endif
-+
- 	r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
- 	if (r == 0) return(0);
- 	check_defer(c->nid);
-@@ -79,6 +83,10 @@ int EVP_add_digest(const EVP_MD *md)
- 	int r;
- 	const char *name;
- 
-+#ifdef OPENSSL_FIPS
-+	OPENSSL_init_library();
-+#endif
-+
- 	name=OBJ_nid2sn(md->type);
- 	r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md);
- 	if (r == 0) return(0);
-diff -up openssl-1.0.0k/crypto/evp/p_sign.c.fips openssl-1.0.0k/crypto/evp/p_sign.c
---- openssl-1.0.0k/crypto/evp/p_sign.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/p_sign.c	2013-02-19 20:12:54.589664762 +0100
-@@ -61,6 +61,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include <openssl/rsa.h>
- 
- #ifdef undef
- void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
-@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
- 			goto err;
- 		if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- 			goto err;
-+		if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+			if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+				goto err;
-+		if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
-+			{
-+			int saltlen;
-+			if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
-+				goto err;
-+			saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+			if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+				saltlen = -1;
-+			else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+				saltlen = -2;
-+			if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+				goto err;
-+			}
- 		if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
- 			goto err;
- 		*siglen = sltmp;
-diff -up openssl-1.0.0k/crypto/evp/p_verify.c.fips openssl-1.0.0k/crypto/evp/p_verify.c
---- openssl-1.0.0k/crypto/evp/p_verify.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/evp/p_verify.c	2013-02-19 20:12:54.590664781 +0100
-@@ -61,6 +61,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include <openssl/rsa.h>
- 
- int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
- 	     unsigned int siglen, EVP_PKEY *pkey)
-@@ -86,6 +87,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
- 			goto err;
- 		if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- 			goto err;
-+		if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+			if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+				goto err;
-+		if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
-+			{
-+			int saltlen;
-+			if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
-+				goto err;
-+			saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+			if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+				saltlen = -1;
-+			else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+				saltlen = -2;
-+			if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+				goto err;
-+			}
- 		i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
- 		err:
- 		EVP_PKEY_CTX_free(pkctx);
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.0k/crypto/fips/cavs/fips_aesavs.c
---- openssl-1.0.0k/crypto/fips/cavs/fips_aesavs.c.fips	2013-02-19 20:12:54.591664800 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_aesavs.c	2013-02-19 20:12:54.591664800 +0100
-@@ -0,0 +1,939 @@
-+/* ====================================================================
-+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+/*---------------------------------------------
-+  NIST AES Algorithm Validation Suite
-+  Test Program
-+
-+  Donated to OpenSSL by:
-+  V-ONE Corporation
-+  20250 Century Blvd, Suite 300
-+  Germantown, MD 20874
-+  U.S.A.
-+  ----------------------------------------------*/
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <openssl/aes.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#include <openssl/err.h>
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+    printf("No FIPS AES support\n");
-+    return(0);
-+}
-+
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+#define AES_BLOCK_SIZE 16
-+
-+#define VERBOSE 0
-+
-+/*-----------------------------------------------*/
-+
-+int AESTest(EVP_CIPHER_CTX *ctx,
-+	    char *amode, int akeysz, unsigned char *aKey, 
-+	    unsigned char *iVec, 
-+	    int dir,  /* 0 = decrypt, 1 = encrypt */
-+	    unsigned char *plaintext, unsigned char *ciphertext, int len)
-+    {
-+    const EVP_CIPHER *cipher = NULL;
-+
-+    if (strcasecmp(amode, "CBC") == 0)
-+	{
-+	switch (akeysz)
-+		{
-+		case 128:
-+		cipher = EVP_aes_128_cbc();
-+		break;
-+
-+		case 192:
-+		cipher = EVP_aes_192_cbc();
-+		break;
-+
-+		case 256:
-+		cipher = EVP_aes_256_cbc();
-+		break;
-+		}
-+
-+	}
-+    else if (strcasecmp(amode, "ECB") == 0)
-+	{
-+	switch (akeysz)
-+		{
-+		case 128:
-+		cipher = EVP_aes_128_ecb();
-+		break;
-+
-+		case 192:
-+		cipher = EVP_aes_192_ecb();
-+		break;
-+
-+		case 256:
-+		cipher = EVP_aes_256_ecb();
-+		break;
-+		}
-+	}
-+    else if (strcasecmp(amode, "CFB128") == 0)
-+	{
-+	switch (akeysz)
-+		{
-+		case 128:
-+		cipher = EVP_aes_128_cfb128();
-+		break;
-+
-+		case 192:
-+		cipher = EVP_aes_192_cfb128();
-+		break;
-+
-+		case 256:
-+		cipher = EVP_aes_256_cfb128();
-+		break;
-+		}
-+
-+	}
-+    else if (strncasecmp(amode, "OFB", 3) == 0)
-+	{
-+	switch (akeysz)
-+		{
-+		case 128:
-+		cipher = EVP_aes_128_ofb();
-+		break;
-+
-+		case 192:
-+		cipher = EVP_aes_192_ofb();
-+		break;
-+
-+		case 256:
-+		cipher = EVP_aes_256_ofb();
-+		break;
-+		}
-+	}
-+    else if(!strcasecmp(amode,"CFB1"))
-+	{
-+	switch (akeysz)
-+		{
-+		case 128:
-+		cipher = EVP_aes_128_cfb1();
-+		break;
-+
-+		case 192:
-+		cipher = EVP_aes_192_cfb1();
-+		break;
-+
-+		case 256:
-+		cipher = EVP_aes_256_cfb1();
-+		break;
-+		}
-+	}
-+    else if(!strcasecmp(amode,"CFB8"))
-+	{
-+	switch (akeysz)
-+		{
-+		case 128:
-+		cipher = EVP_aes_128_cfb8();
-+		break;
-+
-+		case 192:
-+		cipher = EVP_aes_192_cfb8();
-+		break;
-+
-+		case 256:
-+		cipher = EVP_aes_256_cfb8();
-+		break;
-+		}
-+	}
-+    else
-+	{
-+	printf("Unknown mode: %s\n", amode);
-+	return 0;
-+	}
-+    if (!cipher)
-+	{
-+	printf("Invalid key size: %d\n", akeysz);
-+	return 0; 
-+	}
-+    if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
-+	return 0;
-+    if(!strcasecmp(amode,"CFB1"))
-+	M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
-+    if (dir)
-+		EVP_Cipher(ctx, ciphertext, plaintext, len);
-+	else
-+		EVP_Cipher(ctx, plaintext, ciphertext, len);
-+    return 1;
-+    }
-+
-+/*-----------------------------------------------*/
-+char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
-+char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB128"};
-+enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB128};
-+enum XCrypt {XDECRYPT, XENCRYPT};
-+
-+/*=============================*/
-+/*  Monte Carlo Tests          */
-+/*-----------------------------*/
-+
-+/*#define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)*/
-+/*#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) << ((b)%8)))*/
-+
-+#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
-+#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
-+
-+int do_mct(char *amode, 
-+	   int akeysz, unsigned char *aKey,unsigned char *iVec,
-+	   int dir, unsigned char *text, int len,
-+	   FILE *rfp)
-+    {
-+    int ret = 0;
-+    unsigned char key[101][32];
-+    unsigned char iv[101][AES_BLOCK_SIZE];
-+    unsigned char ptext[1001][32];
-+    unsigned char ctext[1001][32];
-+    unsigned char ciphertext[64+4];
-+    int i, j, n, n1, n2;
-+    int imode = 0, nkeysz = akeysz/8;
-+    EVP_CIPHER_CTX ctx;
-+    EVP_CIPHER_CTX_init(&ctx);
-+
-+    if (len > 32)
-+	{
-+	printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n", 
-+	       amode, akeysz);
-+	return -1;
-+	}
-+    for (imode = 0; imode < 6; ++imode)
-+	if (strcmp(amode, t_mode[imode]) == 0)
-+	    break;
-+    if (imode == 6)
-+	{ 
-+	printf("Unrecognized mode: %s\n", amode);
-+	return -1;
-+	}
-+
-+    memcpy(key[0], aKey, nkeysz);
-+    if (iVec)
-+	memcpy(iv[0], iVec, AES_BLOCK_SIZE);
-+    if (dir == XENCRYPT)
-+	memcpy(ptext[0], text, len);
-+    else
-+	memcpy(ctext[0], text, len);
-+    for (i = 0; i < 100; ++i)
-+	{
-+	/* printf("Iteration %d\n", i); */
-+	if (i > 0)
-+	    {
-+	    fprintf(rfp,"COUNT = %d\n",i);
-+	    OutputValue("KEY",key[i],nkeysz,rfp,0);
-+	    if (imode != ECB)  /* ECB */
-+		OutputValue("IV",iv[i],AES_BLOCK_SIZE,rfp,0);
-+	    /* Output Ciphertext | Plaintext */
-+	    OutputValue(t_tag[dir^1],dir ? ptext[0] : ctext[0],len,rfp,
-+			imode == CFB1);
-+	    }
-+	for (j = 0; j < 1000; ++j)
-+	    {
-+	    switch (imode)
-+		{
-+	    case ECB:
-+		if (j == 0)
-+		    { /* set up encryption */
-+		    ret = AESTest(&ctx, amode, akeysz, key[i], NULL, 
-+				  dir,  /* 0 = decrypt, 1 = encrypt */
-+				  ptext[j], ctext[j], len);
-+		    if (dir == XENCRYPT)
-+			memcpy(ptext[j+1], ctext[j], len);
-+		    else
-+			memcpy(ctext[j+1], ptext[j], len);
-+		    }
-+		else
-+		    {
-+		    if (dir == XENCRYPT)
-+			{
-+			EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+			memcpy(ptext[j+1], ctext[j], len);
-+			}
-+		    else
-+			{
-+			EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+			memcpy(ctext[j+1], ptext[j], len);
-+			}
-+		    }
-+		break;
-+
-+	    case CBC:
-+	    case OFB:  
-+	    case CFB128:
-+		if (j == 0)
-+		    {
-+		    ret = AESTest(&ctx, amode, akeysz, key[i], iv[i], 
-+				  dir,  /* 0 = decrypt, 1 = encrypt */
-+				  ptext[j], ctext[j], len);
-+		    if (dir == XENCRYPT)
-+			memcpy(ptext[j+1], iv[i], len);
-+		    else
-+			memcpy(ctext[j+1], iv[i], len);
-+		    }
-+		else
-+		    {
-+		    if (dir == XENCRYPT)
-+			{
-+			EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+			memcpy(ptext[j+1], ctext[j-1], len);
-+			}
-+		    else
-+			{
-+			EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+			memcpy(ctext[j+1], ptext[j-1], len);
-+			}
-+		    }
-+		break;
-+
-+	    case CFB8:
-+		if (j == 0)
-+		    {
-+		    ret = AESTest(&ctx, amode, akeysz, key[i], iv[i], 
-+				  dir,  /* 0 = decrypt, 1 = encrypt */
-+				  ptext[j], ctext[j], len);
-+		    }
-+		else
-+		    {
-+		    if (dir == XENCRYPT)
-+			EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+		    else
-+			EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+		    }
-+		if (dir == XENCRYPT)
-+		    {
-+		    if (j < 16)
-+			memcpy(ptext[j+1], &iv[i][j], len);
-+		    else
-+			memcpy(ptext[j+1], ctext[j-16], len);
-+		    }
-+		else
-+		    {
-+		    if (j < 16)
-+			memcpy(ctext[j+1], &iv[i][j], len);
-+		    else
-+			memcpy(ctext[j+1], ptext[j-16], len);
-+		    }
-+		break;
-+
-+	    case CFB1:
-+		if(j == 0)
-+		    {
-+#if 0
-+		    /* compensate for wrong endianness of input file */
-+		    if(i == 0)
-+			ptext[0][0]<<=7;
-+#endif
-+		    ret = AESTest(&ctx,amode,akeysz,key[i],iv[i],dir,
-+				ptext[j], ctext[j], len);
-+		    }
-+		else
-+		    {
-+		    if (dir == XENCRYPT)
-+			EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+		    else
-+			EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+
-+		    }
-+		if(dir == XENCRYPT)
-+		    {
-+		    if(j < 128)
-+			sb(ptext[j+1],0,gb(iv[i],j));
-+		    else
-+			sb(ptext[j+1],0,gb(ctext[j-128],0));
-+		    }
-+		else
-+		    {
-+		    if(j < 128)
-+			sb(ctext[j+1],0,gb(iv[i],j));
-+		    else
-+			sb(ctext[j+1],0,gb(ptext[j-128],0));
-+		    }
-+		break;
-+		}
-+	    }
-+	--j; /* reset to last of range */
-+	/* Output Ciphertext | Plaintext */
-+	OutputValue(t_tag[dir],dir ? ctext[j] : ptext[j],len,rfp,
-+		    imode == CFB1);
-+	fprintf(rfp, "\n");  /* add separator */
-+
-+	/* Compute next KEY */
-+	if (dir == XENCRYPT)
-+	    {
-+	    if (imode == CFB8)
-+		{ /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
-+		for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
-+		    ciphertext[n1] = ctext[j-n2][0];
-+		}
-+	    else if(imode == CFB1)
-+		{
-+		for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
-+		    sb(ciphertext,n1,gb(ctext[j-n2],0));
-+		}
-+	    else
-+		switch (akeysz)
-+		    {
-+		case 128:
-+		    memcpy(ciphertext, ctext[j], 16);
-+		    break;
-+		case 192:
-+		    memcpy(ciphertext, ctext[j-1]+8, 8);
-+		    memcpy(ciphertext+8, ctext[j], 16);
-+		    break;
-+		case 256:
-+		    memcpy(ciphertext, ctext[j-1], 16);
-+		    memcpy(ciphertext+16, ctext[j], 16);
-+		    break;
-+		    }
-+	    }
-+	else
-+	    {
-+	    if (imode == CFB8)
-+		{ /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
-+		for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
-+		    ciphertext[n1] = ptext[j-n2][0];
-+		}
-+	    else if(imode == CFB1)
-+		{
-+		for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
-+		    sb(ciphertext,n1,gb(ptext[j-n2],0));
-+		}
-+	    else
-+		switch (akeysz)
-+		    {
-+		case 128:
-+		    memcpy(ciphertext, ptext[j], 16);
-+		    break;
-+		case 192:
-+		    memcpy(ciphertext, ptext[j-1]+8, 8);
-+		    memcpy(ciphertext+8, ptext[j], 16);
-+		    break;
-+		case 256:
-+		    memcpy(ciphertext, ptext[j-1], 16);
-+		    memcpy(ciphertext+16, ptext[j], 16);
-+		    break;
-+		    }
-+	    }
-+	/* Compute next key: Key[i+1] = Key[i] xor ct */
-+	for (n = 0; n < nkeysz; ++n)
-+	    key[i+1][n] = key[i][n] ^ ciphertext[n];
-+	
-+	/* Compute next IV and text */
-+	if (dir == XENCRYPT)
-+	    {
-+	    switch (imode)
-+		{
-+	    case ECB:
-+		memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE);
-+		break;
-+	    case CBC:
-+	    case OFB:
-+	    case CFB128:
-+		memcpy(iv[i+1], ctext[j], AES_BLOCK_SIZE);
-+		memcpy(ptext[0], ctext[j-1], AES_BLOCK_SIZE);
-+		break;
-+	    case CFB8:
-+		/* IV[i+1] = ct */
-+		for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
-+		    iv[i+1][n1] = ctext[j-n2][0];
-+		ptext[0][0] = ctext[j-16][0];
-+		break;
-+	    case CFB1:
-+		for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
-+		    sb(iv[i+1],n1,gb(ctext[j-n2],0));
-+		ptext[0][0]=ctext[j-128][0]&0x80;
-+		break;
-+		}
-+	    }
-+	else
-+	    {
-+	    switch (imode)
-+		{
-+	    case ECB:
-+		memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE);
-+		break;
-+	    case CBC:
-+	    case OFB:
-+	    case CFB128:
-+		memcpy(iv[i+1], ptext[j], AES_BLOCK_SIZE);
-+		memcpy(ctext[0], ptext[j-1], AES_BLOCK_SIZE);
-+		break;
-+	    case CFB8:
-+		for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
-+		    iv[i+1][n1] = ptext[j-n2][0];
-+		ctext[0][0] = ptext[j-16][0];
-+		break;
-+	    case CFB1:
-+		for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
-+		    sb(iv[i+1],n1,gb(ptext[j-n2],0));
-+		ctext[0][0]=ptext[j-128][0]&0x80;
-+		break;
-+		}
-+	    }
-+	}
-+    
-+    return ret;
-+    }
-+
-+/*================================================*/
-+/*----------------------------
-+  # Config info for v-one
-+  # AESVS MMT test data for ECB
-+  # State : Encrypt and Decrypt
-+  # Key Length : 256
-+  # Fri Aug 30 04:07:22 PM
-+  ----------------------------*/
-+
-+int proc_file(char *rqfile, char *rspfile)
-+    {
-+    char afn[256], rfn[256];
-+    FILE *afp = NULL, *rfp = NULL;
-+    char ibuf[2048];
-+    char tbuf[2048];
-+    int ilen, len, ret = 0;
-+    char algo[8] = "";
-+    char amode[8] = "";
-+    char atest[8] = "";
-+    int akeysz = 0;
-+    unsigned char iVec[20], aKey[40];
-+    int dir = -1, err = 0, step = 0;
-+    unsigned char plaintext[2048];
-+    unsigned char ciphertext[2048];
-+    char *rp;
-+    EVP_CIPHER_CTX ctx;
-+    EVP_CIPHER_CTX_init(&ctx);
-+
-+    if (!rqfile || !(*rqfile))
-+	{
-+	printf("No req file\n");
-+	return -1;
-+	}
-+    strcpy(afn, rqfile);
-+
-+    if ((afp = fopen(afn, "r")) == NULL)
-+	{
-+	printf("Cannot open file: %s, %s\n", 
-+	       afn, strerror(errno));
-+	return -1;
-+	}
-+    if (!rspfile)
-+	{
-+	strcpy(rfn,afn);
-+	rp=strstr(rfn,"req/");
-+#ifdef OPENSSL_SYS_WIN32
-+	if (!rp)
-+	    rp=strstr(rfn,"req\\");
-+#endif
-+	assert(rp);
-+	memcpy(rp,"rsp",3);
-+	rp = strstr(rfn, ".req");
-+	memcpy(rp, ".rsp", 4);
-+	rspfile = rfn;
-+	}
-+    if ((rfp = fopen(rspfile, "w")) == NULL)
-+	{
-+	printf("Cannot open file: %s, %s\n", 
-+	       rfn, strerror(errno));
-+	fclose(afp);
-+	afp = NULL;
-+	return -1;
-+	}
-+    while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
-+	{
-+	tidy_line(tbuf, ibuf);
-+	ilen = strlen(ibuf);
-+	/*      printf("step=%d ibuf=%s",step,ibuf); */
-+	switch (step)
-+	    {
-+	case 0:  /* read preamble */
-+	    if (ibuf[0] == '\n')
-+		{ /* end of preamble */
-+		if ((*algo == '\0') ||
-+		    (*amode == '\0') ||
-+		    (akeysz == 0))
-+		    {
-+		    printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n",
-+			   algo,amode,akeysz);
-+		    err = 1;
-+		    }
-+		else
-+		    {
-+		    fputs(ibuf, rfp);
-+		    ++ step;
-+		    }
-+		}
-+	    else if (ibuf[0] != '#')
-+		{
-+		printf("Invalid preamble item: %s\n", ibuf);
-+		err = 1;
-+		}
-+	    else
-+		{ /* process preamble */
-+		char *xp, *pp = ibuf+2;
-+		int n;
-+		if (akeysz)
-+		    { /* insert current time & date */
-+		    time_t rtim = time(0);
-+		    fprintf(rfp, "# %s", ctime(&rtim));
-+		    }
-+		else
-+		    {
-+		    fputs(ibuf, rfp);
-+		    if (strncmp(pp, "AESVS ", 6) == 0)
-+			{
-+			strcpy(algo, "AES");
-+			/* get test type */
-+			pp += 6;
-+			xp = strchr(pp, ' ');
-+			n = xp-pp;
-+			strncpy(atest, pp, n);
-+			atest[n] = '\0';
-+			/* get mode */
-+			xp = strrchr(pp, ' '); /* get mode" */
-+			n = strlen(xp+1)-1;
-+			strncpy(amode, xp+1, n);
-+			amode[n] = '\0';
-+			/* amode[3] = '\0'; */
-+			if (VERBOSE)
-+				printf("Test = %s, Mode = %s\n", atest, amode);
-+			}
-+		    else if (strncasecmp(pp, "Key Length : ", 13) == 0)
-+			{
-+			akeysz = atoi(pp+13);
-+			if (VERBOSE)
-+				printf("Key size = %d\n", akeysz);
-+			}
-+		    }
-+		}
-+	    break;
-+
-+	case 1:  /* [ENCRYPT] | [DECRYPT] */
-+	    if (ibuf[0] == '[')
-+		{
-+		fputs(ibuf, rfp);
-+		++step;
-+		if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
-+		    dir = 1;
-+		else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
-+		    dir = 0;
-+		else
-+		    {
-+		    printf("Invalid keyword: %s\n", ibuf);
-+		    err = 1;
-+		    }
-+		break;
-+		}
-+	    else if (dir == -1)
-+		{
-+		err = 1;
-+		printf("Missing ENCRYPT/DECRYPT keyword\n");
-+		break;
-+		}
-+	    else 
-+		step = 2;
-+
-+	case 2: /* KEY = xxxx */
-+	    fputs(ibuf, rfp);
-+	    if(*ibuf == '\n')
-+		break;
-+	    if(!strncasecmp(ibuf,"COUNT = ",8))
-+		break;
-+
-+	    if (strncasecmp(ibuf, "KEY = ", 6) != 0)
-+		{
-+		printf("Missing KEY\n");
-+		err = 1;
-+		}
-+	    else
-+		{
-+		len = hex2bin((char*)ibuf+6, aKey);
-+		if (len < 0)
-+		    {
-+		    printf("Invalid KEY\n");
-+		    err =1;
-+		    break;
-+		    }
-+		PrintValue("KEY", aKey, len);
-+		if (strcmp(amode, "ECB") == 0)
-+		    {
-+		    memset(iVec, 0, sizeof(iVec));
-+		    step = (dir)? 4: 5;  /* no ivec for ECB */
-+		    }
-+		else
-+		    ++step;
-+		}
-+	    break;
-+
-+	case 3: /* IV = xxxx */
-+	    fputs(ibuf, rfp);
-+	    if (strncasecmp(ibuf, "IV = ", 5) != 0)
-+		{
-+		printf("Missing IV\n");
-+		err = 1;
-+		}
-+	    else
-+		{
-+		len = hex2bin((char*)ibuf+5, iVec);
-+		if (len < 0)
-+		    {
-+		    printf("Invalid IV\n");
-+		    err =1;
-+		    break;
-+		    }
-+		PrintValue("IV", iVec, len);
-+		step = (dir)? 4: 5;
-+		}
-+	    break;
-+
-+	case 4: /* PLAINTEXT = xxxx */
-+	    fputs(ibuf, rfp);
-+	    if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
-+		{
-+		printf("Missing PLAINTEXT\n");
-+		err = 1;
-+		}
-+	    else
-+		{
-+		int nn = strlen(ibuf+12);
-+		if(!strcmp(amode,"CFB1"))
-+		    len=bint2bin(ibuf+12,nn-1,plaintext);
-+		else
-+		    len=hex2bin(ibuf+12, plaintext);
-+		if (len < 0)
-+		    {
-+		    printf("Invalid PLAINTEXT: %s", ibuf+12);
-+		    err =1;
-+		    break;
-+		    }
-+		if (len >= sizeof(plaintext))
-+		    {
-+		    printf("Buffer overflow\n");
-+		    }
-+		PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
-+		if (strcmp(atest, "MCT") == 0)  /* Monte Carlo Test */
-+		    {
-+		    if(do_mct(amode, akeysz, aKey, iVec, 
-+			      dir, (unsigned char*)plaintext, len, 
-+			      rfp) < 0)
-+			EXIT(1);
-+		    }
-+		else
-+		    {
-+		    ret = AESTest(&ctx, amode, akeysz, aKey, iVec, 
-+				  dir,  /* 0 = decrypt, 1 = encrypt */
-+				  plaintext, ciphertext, len);
-+		    OutputValue("CIPHERTEXT",ciphertext,len,rfp,
-+				!strcmp(amode,"CFB1"));
-+		    }
-+		step = 6;
-+		}
-+	    break;
-+
-+	case 5: /* CIPHERTEXT = xxxx */
-+	    fputs(ibuf, rfp);
-+	    if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
-+		{
-+		printf("Missing KEY\n");
-+		err = 1;
-+		}
-+	    else
-+		{
-+		if(!strcmp(amode,"CFB1"))
-+		    len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
-+		else
-+		    len = hex2bin(ibuf+13,ciphertext);
-+		if (len < 0)
-+		    {
-+		    printf("Invalid CIPHERTEXT\n");
-+		    err =1;
-+		    break;
-+		    }
-+
-+		PrintValue("CIPHERTEXT", ciphertext, len);
-+		if (strcmp(atest, "MCT") == 0)  /* Monte Carlo Test */
-+		    {
-+		    do_mct(amode, akeysz, aKey, iVec, 
-+			   dir, ciphertext, len, rfp);
-+		    }
-+		else
-+		    {
-+		    ret = AESTest(&ctx, amode, akeysz, aKey, iVec, 
-+				  dir,  /* 0 = decrypt, 1 = encrypt */
-+				  plaintext, ciphertext, len);
-+		    OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
-+				!strcmp(amode,"CFB1"));
-+		    }
-+		step = 6;
-+		}
-+	    break;
-+
-+	case 6:
-+	    if (ibuf[0] != '\n')
-+		{
-+		err = 1;
-+		printf("Missing terminator\n");
-+		}
-+	    else if (strcmp(atest, "MCT") != 0)
-+		{ /* MCT already added terminating nl */
-+		fputs(ibuf, rfp);
-+		}
-+	    step = 1;
-+	    break;
-+	    }
-+	}
-+    if (rfp)
-+	fclose(rfp);
-+    if (afp)
-+	fclose(afp);
-+    return err;
-+    }
-+
-+/*--------------------------------------------------
-+  Processes either a single file or 
-+  a set of files whose names are passed in a file.
-+  A single file is specified as:
-+    aes_test -f xxx.req
-+  A set of files is specified as:
-+    aes_test -d xxxxx.xxx
-+  The default is: -d req.txt
-+--------------------------------------------------*/
-+int main(int argc, char **argv)
-+    {
-+    char *rqlist = "req.txt", *rspfile = NULL;
-+    FILE *fp = NULL;
-+    char fn[250] = "", rfn[256] = "";
-+    int f_opt = 0, d_opt = 1;
-+
-+#ifdef OPENSSL_FIPS
-+    if(!FIPS_mode_set(1))
-+	{
-+	do_print_errors();
-+	EXIT(1);
-+	}
-+#endif
-+    if (argc > 1)
-+	{
-+	if (strcasecmp(argv[1], "-d") == 0)
-+	    {
-+	    d_opt = 1;
-+	    }
-+	else if (strcasecmp(argv[1], "-f") == 0)
-+	    {
-+	    f_opt = 1;
-+	    d_opt = 0;
-+	    }
-+	else
-+	    {
-+	    printf("Invalid parameter: %s\n", argv[1]);
-+	    return 0;
-+	    }
-+	if (argc < 3)
-+	    {
-+	    printf("Missing parameter\n");
-+	    return 0;
-+	    }
-+	if (d_opt)
-+	    rqlist = argv[2];
-+	else
-+	    {
-+	    strcpy(fn, argv[2]);
-+	    rspfile = argv[3];
-+	    }
-+	}
-+    if (d_opt)
-+	{ /* list of files (directory) */
-+	if (!(fp = fopen(rqlist, "r")))
-+	    {
-+	    printf("Cannot open req list file\n");
-+	    return -1;
-+	    }
-+	while (fgets(fn, sizeof(fn), fp))
-+	    {
-+	    strtok(fn, "\r\n");
-+	    strcpy(rfn, fn);
-+	    if (VERBOSE)
-+		printf("Processing: %s\n", rfn);
-+	    if (proc_file(rfn, rspfile))
-+		{
-+		printf(">>> Processing failed for: %s <<<\n", rfn);
-+		EXIT(1);
-+		}
-+	    }
-+	fclose(fp);
-+	}
-+    else /* single file */
-+	{
-+	if (VERBOSE)
-+	    printf("Processing: %s\n", fn);
-+	if (proc_file(fn, rspfile))
-+	    {
-+	    printf(">>> Processing failed for: %s <<<\n", fn);
-+	    }
-+	}
-+    EXIT(0);
-+    return 0;
-+    }
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.0k/crypto/fips/cavs/fips_desmovs.c
---- openssl-1.0.0k/crypto/fips/cavs/fips_desmovs.c.fips	2013-02-19 20:12:54.591664800 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_desmovs.c	2013-02-19 20:12:54.591664800 +0100
-@@ -0,0 +1,702 @@
-+/* ====================================================================
-+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+/*---------------------------------------------
-+  NIST DES Modes of Operation Validation System
-+  Test Program
-+
-+  Based on the AES Validation Suite, which was:
-+  Donated to OpenSSL by:
-+  V-ONE Corporation
-+  20250 Century Blvd, Suite 300
-+  Germantown, MD 20874
-+  U.S.A.
-+  ----------------------------------------------*/
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <openssl/des.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#include <openssl/err.h>
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+    printf("No FIPS DES support\n");
-+    return(0);
-+}
-+
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+#define DES_BLOCK_SIZE 8
-+
-+#define VERBOSE 0
-+
-+int DESTest(EVP_CIPHER_CTX *ctx,
-+	    char *amode, int akeysz, unsigned char *aKey, 
-+	    unsigned char *iVec, 
-+	    int dir,  /* 0 = decrypt, 1 = encrypt */
-+	    unsigned char *out, unsigned char *in, int len)
-+    {
-+    const EVP_CIPHER *cipher = NULL;
-+
-+    if (akeysz != 192)
-+	{
-+	printf("Invalid key size: %d\n", akeysz);
-+	EXIT(1);
-+	}
-+
-+    if (strcasecmp(amode, "CBC") == 0)
-+	cipher = EVP_des_ede3_cbc();
-+    else if (strcasecmp(amode, "ECB") == 0)
-+	cipher = EVP_des_ede3_ecb();
-+    else if (strcasecmp(amode, "CFB64") == 0)
-+	cipher = EVP_des_ede3_cfb64();
-+    else if (strncasecmp(amode, "OFB", 3) == 0)
-+	cipher = EVP_des_ede3_ofb();
-+    else if(!strcasecmp(amode,"CFB8"))
-+	cipher = EVP_des_ede3_cfb8();
-+    else if(!strcasecmp(amode,"CFB1"))
-+	cipher = EVP_des_ede3_cfb1();
-+    else
-+	{
-+	printf("Unknown mode: %s\n", amode);
-+	EXIT(1);
-+	}
-+
-+    if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
-+	return 0;
-+    if(!strcasecmp(amode,"CFB1"))
-+	M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
-+    EVP_Cipher(ctx, out, in, len);
-+
-+    return 1;
-+    }
-+
-+void DebugValue(char *tag, unsigned char *val, int len)
-+    {
-+    char obuf[2048];
-+    int olen;
-+    olen = bin2hex(val, len, obuf);
-+    printf("%s = %.*s\n", tag, olen, obuf);
-+    }
-+
-+void shiftin(unsigned char *dst,unsigned char *src,int nbits)
-+    {
-+    int n;
-+
-+    /* move the bytes... */
-+    memmove(dst,dst+nbits/8,3*8-nbits/8);
-+    /* append new data */
-+    memcpy(dst+3*8-nbits/8,src,(nbits+7)/8);
-+    /* left shift the bits */
-+    if(nbits%8)
-+	for(n=0 ; n < 3*8 ; ++n)
-+	    dst[n]=(dst[n] << (nbits%8))|(dst[n+1] >> (8-nbits%8));
-+    }	
-+
-+/*-----------------------------------------------*/
-+char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
-+char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"};
-+enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64};
-+int Sizes[6]={64,64,64,1,8,64};
-+
-+void do_mct(char *amode, 
-+	    int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec,
-+	    int dir, unsigned char *text, int len,
-+	    FILE *rfp)
-+    {
-+    int i,imode;
-+    unsigned char nk[4*8]; /* longest key+8 */
-+    unsigned char text0[8];
-+
-+    for (imode=0 ; imode < 6 ; ++imode)
-+	if(!strcmp(amode,t_mode[imode]))
-+	    break;
-+    if (imode == 6)
-+	{ 
-+	printf("Unrecognized mode: %s\n", amode);
-+	EXIT(1);
-+	}
-+
-+    for(i=0 ; i < 400 ; ++i)
-+	{
-+	int j;
-+	int n;
-+	int kp=akeysz/64;
-+	unsigned char old_iv[8];
-+	EVP_CIPHER_CTX ctx;
-+	EVP_CIPHER_CTX_init(&ctx);
-+
-+	fprintf(rfp,"\nCOUNT = %d\n",i);
-+	if(kp == 1)
-+	    OutputValue("KEY",akey,8,rfp,0);
-+	else
-+	    for(n=0 ; n < kp ; ++n)
-+		{
-+		fprintf(rfp,"KEY%d",n+1);
-+		OutputValue("",akey+n*8,8,rfp,0);
-+		}
-+
-+	if(imode != ECB)
-+	    OutputValue("IV",ivec,8,rfp,0);
-+	OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1);
-+#if 0
-+	/* compensate for endianness */
-+	if(imode == CFB1)
-+	    text[0]<<=7;
-+#endif
-+	memcpy(text0,text,8);
-+
-+	for(j=0 ; j < 10000 ; ++j)
-+	    {
-+	    unsigned char old_text[8];
-+
-+	    memcpy(old_text,text,8);
-+	    if(j == 0)
-+		{
-+		memcpy(old_iv,ivec,8);
-+		DESTest(&ctx,amode,akeysz,akey,ivec,dir,text,text,len);
-+		}
-+	    else
-+		{
-+		memcpy(old_iv,ctx.iv,8);
-+		EVP_Cipher(&ctx,text,text,len);
-+		}
-+	    if(j == 9999)
-+		{
-+		OutputValue(t_tag[dir],text,len,rfp,imode == CFB1);
-+		/*		memcpy(ivec,text,8); */
-+		}
-+	    /*	    DebugValue("iv",ctx.iv,8); */
-+	    /* accumulate material for the next key */
-+	    shiftin(nk,text,Sizes[imode]);
-+	    /*	    DebugValue("nk",nk,24);*/
-+	    if((dir && (imode == CFB1 || imode == CFB8 || imode == CFB64
-+			|| imode == CBC)) || imode == OFB)
-+		memcpy(text,old_iv,8);
-+
-+	    if(!dir && (imode == CFB1 || imode == CFB8 || imode == CFB64))
-+		{
-+		/* the test specifies using the output of the raw DES operation
-+		   which we don't have, so reconstruct it... */
-+		for(n=0 ; n < 8 ; ++n)
-+		    text[n]^=old_text[n];
-+		}
-+	    }
-+	for(n=0 ; n < 8 ; ++n)
-+	    akey[n]^=nk[16+n];
-+	for(n=0 ; n < 8 ; ++n)
-+	    akey[8+n]^=nk[8+n];
-+	for(n=0 ; n < 8 ; ++n)
-+	    akey[16+n]^=nk[n];
-+	if(numkeys < 3)
-+	    memcpy(&akey[2*8],akey,8);
-+	if(numkeys < 2)
-+	    memcpy(&akey[8],akey,8);
-+	DES_set_odd_parity((DES_cblock *)akey);
-+	DES_set_odd_parity((DES_cblock *)(akey+8));
-+	DES_set_odd_parity((DES_cblock *)(akey+16));
-+	memcpy(ivec,ctx.iv,8);
-+
-+	/* pointless exercise - the final text doesn't depend on the
-+	   initial text in OFB mode, so who cares what it is? (Who
-+	   designed these tests?) */
-+	if(imode == OFB)
-+	    for(n=0 ; n < 8 ; ++n)
-+		text[n]=text0[n]^old_iv[n];
-+	}
-+    }
-+    
-+int proc_file(char *rqfile, char *rspfile)
-+    {
-+    char afn[256], rfn[256];
-+    FILE *afp = NULL, *rfp = NULL;
-+    char ibuf[2048], tbuf[2048];
-+    int ilen, len, ret = 0;
-+    char amode[8] = "";
-+    char atest[100] = "";
-+    int akeysz=0;
-+    unsigned char iVec[20], aKey[40];
-+    int dir = -1, err = 0, step = 0;
-+    unsigned char plaintext[2048];
-+    unsigned char ciphertext[2048];
-+    char *rp;
-+    EVP_CIPHER_CTX ctx;
-+    int numkeys=1;
-+    EVP_CIPHER_CTX_init(&ctx);
-+
-+    if (!rqfile || !(*rqfile))
-+	{
-+	printf("No req file\n");
-+	return -1;
-+	}
-+    strcpy(afn, rqfile);
-+
-+    if ((afp = fopen(afn, "r")) == NULL)
-+	{
-+	printf("Cannot open file: %s, %s\n", 
-+	       afn, strerror(errno));
-+	return -1;
-+	}
-+    if (!rspfile)
-+	{
-+	strcpy(rfn,afn);
-+	rp=strstr(rfn,"req/");
-+#ifdef OPENSSL_SYS_WIN32
-+	if (!rp)
-+	    rp=strstr(rfn,"req\\");
-+#endif
-+	assert(rp);
-+	memcpy(rp,"rsp",3);
-+	rp = strstr(rfn, ".req");
-+	memcpy(rp, ".rsp", 4);
-+	rspfile = rfn;
-+	}
-+    if ((rfp = fopen(rspfile, "w")) == NULL)
-+	{
-+	printf("Cannot open file: %s, %s\n", 
-+	       rfn, strerror(errno));
-+	fclose(afp);
-+	afp = NULL;
-+	return -1;
-+	}
-+    while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
-+	{
-+	tidy_line(tbuf, ibuf);
-+	ilen = strlen(ibuf);
-+	/*	printf("step=%d ibuf=%s",step,ibuf);*/
-+	if(step == 3 && !strcmp(amode,"ECB"))
-+	    {
-+	    memset(iVec, 0, sizeof(iVec));
-+	    step = (dir)? 4: 5;  /* no ivec for ECB */
-+	    }
-+	switch (step)
-+	    {
-+	case 0:  /* read preamble */
-+	    if (ibuf[0] == '\n')
-+		{ /* end of preamble */
-+		if (*amode == '\0')
-+		    {
-+		    printf("Missing Mode\n");
-+		    err = 1;
-+		    }
-+		else
-+		    {
-+		    fputs(ibuf, rfp);
-+		    ++ step;
-+		    }
-+		}
-+	    else if (ibuf[0] != '#')
-+		{
-+		printf("Invalid preamble item: %s\n", ibuf);
-+		err = 1;
-+		}
-+	    else
-+		{ /* process preamble */
-+		char *xp, *pp = ibuf+2;
-+		int n;
-+		if(*amode)
-+		    { /* insert current time & date */
-+		    time_t rtim = time(0);
-+		    fprintf(rfp, "# %s", ctime(&rtim));
-+		    }
-+		else
-+		    {
-+		    fputs(ibuf, rfp);
-+		    if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4)
-+		       || !strncmp(pp,"TDES ",5)
-+		       || !strncmp(pp,"PERMUTATION ",12)
-+		       || !strncmp(pp,"SUBSTITUTION ",13)
-+		       || !strncmp(pp,"VARIABLE ",9))
-+			{
-+			/* get test type */
-+			if(!strncmp(pp,"DES ",4))
-+			    pp+=4;
-+			else if(!strncmp(pp,"TDES ",5))
-+			    pp+=5;
-+			xp = strchr(pp, ' ');
-+			n = xp-pp;
-+			strncpy(atest, pp, n);
-+			atest[n] = '\0';
-+			/* get mode */
-+			xp = strrchr(pp, ' '); /* get mode" */
-+			n = strlen(xp+1)-1;
-+			strncpy(amode, xp+1, n);
-+			amode[n] = '\0';
-+			/* amode[3] = '\0'; */
-+			if (VERBOSE)
-+				printf("Test=%s, Mode=%s\n",atest,amode);
-+			}
-+		    }
-+		}
-+	    break;
-+
-+	case 1:  /* [ENCRYPT] | [DECRYPT] */
-+	    if(ibuf[0] == '\n')
-+		break;
-+	    if (ibuf[0] == '[')
-+		{
-+		fputs(ibuf, rfp);
-+		++step;
-+		if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
-+		    dir = 1;
-+		else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
-+		    dir = 0;
-+		else
-+		    {
-+		    printf("Invalid keyword: %s\n", ibuf);
-+		    err = 1;
-+		    }
-+		break;
-+		}
-+	    else if (dir == -1)
-+		{
-+		err = 1;
-+		printf("Missing ENCRYPT/DECRYPT keyword\n");
-+		break;
-+		}
-+	    else 
-+		step = 2;
-+
-+	case 2: /* KEY = xxxx */
-+	    if(*ibuf == '\n')
-+		{
-+	        fputs(ibuf, rfp);
-+		break;
-+                }
-+	    if(!strncasecmp(ibuf,"COUNT = ",8))
-+		{
-+	        fputs(ibuf, rfp);
-+		break;
-+                }
-+	    if(!strncasecmp(ibuf,"COUNT=",6))
-+		{
-+	        fputs(ibuf, rfp);
-+		break;
-+                }
-+	    if(!strncasecmp(ibuf,"NumKeys = ",10))
-+		{
-+		numkeys=atoi(ibuf+10);
-+		break;
-+		}
-+	  
-+	    fputs(ibuf, rfp);
-+	    if(!strncasecmp(ibuf,"KEY = ",6))
-+		{
-+		akeysz=64;
-+		len = hex2bin((char*)ibuf+6, aKey);
-+		if (len < 0)
-+		    {
-+		    printf("Invalid KEY\n");
-+		    err=1;
-+		    break;
-+		    }
-+		PrintValue("KEY", aKey, len);
-+		++step;
-+		}
-+	    else if(!strncasecmp(ibuf,"KEYs = ",7))
-+		{
-+		akeysz=64*3;
-+		len=hex2bin(ibuf+7,aKey);
-+		if(len != 8)
-+		    {
-+		    printf("Invalid KEY\n");
-+		    err=1;
-+		    break;
-+		    }
-+		memcpy(aKey+8,aKey,8);
-+		memcpy(aKey+16,aKey,8);
-+		ibuf[4]='\0';
-+		PrintValue("KEYs",aKey,len);
-+		++step;
-+		}
-+	    else if(!strncasecmp(ibuf,"KEY",3))
-+		{
-+		int n=ibuf[3]-'1';
-+
-+		akeysz=64*3;
-+		len=hex2bin(ibuf+7,aKey+n*8);
-+		if(len != 8)
-+		    {
-+		    printf("Invalid KEY\n");
-+		    err=1;
-+		    break;
-+		    }
-+		ibuf[4]='\0';
-+		PrintValue(ibuf,aKey,len);
-+		if(n == 2)
-+		    ++step;
-+		}
-+	    else
-+		{
-+		printf("Missing KEY\n");
-+		err = 1;
-+		}
-+	    break;
-+
-+	case 3: /* IV = xxxx */
-+	    fputs(ibuf, rfp);
-+	    if (strncasecmp(ibuf, "IV = ", 5) != 0)
-+		{
-+		printf("Missing IV\n");
-+		err = 1;
-+		}
-+	    else
-+		{
-+		len = hex2bin((char*)ibuf+5, iVec);
-+		if (len < 0)
-+		    {
-+		    printf("Invalid IV\n");
-+		    err =1;
-+		    break;
-+		    }
-+		PrintValue("IV", iVec, len);
-+		step = (dir)? 4: 5;
-+		}
-+	    break;
-+
-+	case 4: /* PLAINTEXT = xxxx */
-+	    fputs(ibuf, rfp);
-+	    if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
-+		{
-+		printf("Missing PLAINTEXT\n");
-+		err = 1;
-+		}
-+	    else
-+		{
-+		int nn = strlen(ibuf+12);
-+		if(!strcmp(amode,"CFB1"))
-+		    len=bint2bin(ibuf+12,nn-1,plaintext);
-+		else
-+		    len=hex2bin(ibuf+12, plaintext);
-+		if (len < 0)
-+		    {
-+		    printf("Invalid PLAINTEXT: %s", ibuf+12);
-+		    err =1;
-+		    break;
-+		    }
-+		if (len >= sizeof(plaintext))
-+		    {
-+		    printf("Buffer overflow\n");
-+		    }
-+		PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
-+		if (strcmp(atest, "Monte") == 0)  /* Monte Carlo Test */
-+		    {
-+		    do_mct(amode,akeysz,numkeys,aKey,iVec,dir,plaintext,len,rfp);
-+		    }
-+		else
-+		    {
-+		    assert(dir == 1);
-+		    ret = DESTest(&ctx, amode, akeysz, aKey, iVec, 
-+				  dir,  /* 0 = decrypt, 1 = encrypt */
-+				  ciphertext, plaintext, len);
-+		    OutputValue("CIPHERTEXT",ciphertext,len,rfp,
-+				!strcmp(amode,"CFB1"));
-+		    }
-+		step = 6;
-+		}
-+	    break;
-+
-+	case 5: /* CIPHERTEXT = xxxx */
-+	    fputs(ibuf, rfp);
-+	    if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
-+		{
-+		printf("Missing KEY\n");
-+		err = 1;
-+		}
-+	    else
-+		{
-+		if(!strcmp(amode,"CFB1"))
-+		    len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
-+		else
-+		    len = hex2bin(ibuf+13,ciphertext);
-+		if (len < 0)
-+		    {
-+		    printf("Invalid CIPHERTEXT\n");
-+		    err =1;
-+		    break;
-+		    }
-+		
-+		PrintValue("CIPHERTEXT", ciphertext, len);
-+		if (strcmp(atest, "Monte") == 0)  /* Monte Carlo Test */
-+		    {
-+		    do_mct(amode, akeysz, numkeys, aKey, iVec, 
-+			   dir, ciphertext, len, rfp);
-+		    }
-+		else
-+		    {
-+		    assert(dir == 0);
-+		    ret = DESTest(&ctx, amode, akeysz, aKey, iVec, 
-+				  dir,  /* 0 = decrypt, 1 = encrypt */
-+				  plaintext, ciphertext, len);
-+		    OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
-+				!strcmp(amode,"CFB1"));
-+		    }
-+		step = 6;
-+		}
-+	    break;
-+
-+	case 6:
-+	    if (ibuf[0] != '\n')
-+		{
-+		err = 1;
-+		printf("Missing terminator\n");
-+		}
-+	    else if (strcmp(atest, "MCT") != 0)
-+		{ /* MCT already added terminating nl */
-+		fputs(ibuf, rfp);
-+		}
-+	    step = 1;
-+	    break;
-+	    }
-+	}
-+    if (rfp)
-+	fclose(rfp);
-+    if (afp)
-+	fclose(afp);
-+    return err;
-+    }
-+
-+/*--------------------------------------------------
-+  Processes either a single file or 
-+  a set of files whose names are passed in a file.
-+  A single file is specified as:
-+    aes_test -f xxx.req
-+  A set of files is specified as:
-+    aes_test -d xxxxx.xxx
-+  The default is: -d req.txt
-+--------------------------------------------------*/
-+int main(int argc, char **argv)
-+    {
-+    char *rqlist = "req.txt", *rspfile = NULL;
-+    FILE *fp = NULL;
-+    char fn[250] = "", rfn[256] = "";
-+    int f_opt = 0, d_opt = 1;
-+
-+#ifdef OPENSSL_FIPS
-+    if(!FIPS_mode_set(1))
-+	{
-+	do_print_errors();
-+	EXIT(1);
-+	}
-+#endif
-+    if (argc > 1)
-+	{
-+	if (strcasecmp(argv[1], "-d") == 0)
-+	    {
-+	    d_opt = 1;
-+	    }
-+	else if (strcasecmp(argv[1], "-f") == 0)
-+	    {
-+	    f_opt = 1;
-+	    d_opt = 0;
-+	    }
-+	else
-+	    {
-+	    printf("Invalid parameter: %s\n", argv[1]);
-+	    return 0;
-+	    }
-+	if (argc < 3)
-+	    {
-+	    printf("Missing parameter\n");
-+	    return 0;
-+	    }
-+	if (d_opt)
-+	    rqlist = argv[2];
-+	else
-+	    {
-+	    strcpy(fn, argv[2]);
-+	    rspfile = argv[3];
-+	    }
-+	}
-+    if (d_opt)
-+	{ /* list of files (directory) */
-+	if (!(fp = fopen(rqlist, "r")))
-+	    {
-+	    printf("Cannot open req list file\n");
-+	    return -1;
-+	    }
-+	while (fgets(fn, sizeof(fn), fp))
-+	    {
-+	    strtok(fn, "\r\n");
-+	    strcpy(rfn, fn);
-+	    printf("Processing: %s\n", rfn);
-+	    if (proc_file(rfn, rspfile))
-+		{
-+		printf(">>> Processing failed for: %s <<<\n", rfn);
-+		EXIT(1);
-+		}
-+	    }
-+	fclose(fp);
-+	}
-+    else /* single file */
-+	{
-+	if (VERBOSE)
-+		printf("Processing: %s\n", fn);
-+	if (proc_file(fn, rspfile))
-+	    {
-+	    printf(">>> Processing failed for: %s <<<\n", fn);
-+	    }
-+	}
-+    EXIT(0);
-+    return 0;
-+    }
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.0k/crypto/fips/cavs/fips_dssvs.c
---- openssl-1.0.0k/crypto/fips/cavs/fips_dssvs.c.fips	2013-02-19 20:12:54.591664800 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_dssvs.c	2013-02-19 20:12:54.591664800 +0100
-@@ -0,0 +1,537 @@
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+    printf("No FIPS DSA support\n");
-+    return(0);
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static void pbn(const char *name, BIGNUM *bn)
-+	{
-+	int len, i;
-+	unsigned char *tmp;
-+	len = BN_num_bytes(bn);
-+	tmp = OPENSSL_malloc(len);
-+	if (!tmp)
-+		{
-+		fprintf(stderr, "Memory allocation error\n");
-+		return;
-+		}
-+	BN_bn2bin(bn, tmp);
-+	printf("%s = ", name);
-+	for (i = 0; i < len; i++)
-+		printf("%02X", tmp[i]);
-+	fputs("\n", stdout);
-+	OPENSSL_free(tmp);
-+	return;
-+	}
-+
-+void primes()
-+    {
-+    char buf[10240];
-+    char lbuf[10240];
-+    char *keyword, *value;
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	fputs(buf,stdout);
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		continue;
-+	if(!strcmp(keyword,"Prime"))
-+	    {
-+	    BIGNUM *pp;
-+
-+	    pp=BN_new();
-+	    do_hex2bn(&pp,value);
-+	    printf("result= %c\n",
-+		   BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F');
-+	    }	    
-+	}
-+    }
-+
-+void pqg()
-+    {
-+    char buf[1024];
-+    char lbuf[1024];
-+    char *keyword, *value;
-+    int nmod=0;
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		{
-+		fputs(buf,stdout);
-+		continue;
-+		}
-+	if(!strcmp(keyword,"[mod"))
-+	    nmod=atoi(value);
-+	else if(!strcmp(keyword,"N"))
-+	    {
-+	    int n=atoi(value);
-+
-+	    printf("[mod = %d]\n\n",nmod);
-+
-+	    while(n--)
-+		{
-+		unsigned char seed[20];
-+		DSA *dsa;
-+		int counter;
-+		unsigned long h;
-+		dsa = FIPS_dsa_new();
-+
-+		if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL))
-+			{
-+			do_print_errors();
-+			exit(1);
-+			}
-+		pbn("P",dsa->p);
-+		pbn("Q",dsa->q);
-+		pbn("G",dsa->g);
-+		pv("Seed",seed,20);
-+		printf("c = %d\n",counter);
-+		printf("H = %lx\n",h);
-+		putc('\n',stdout);
-+		}
-+	    }
-+	else
-+	    fputs(buf,stdout);
-+	}
-+    }
-+
-+void pqgver()
-+    {
-+    char buf[1024];
-+    char lbuf[1024];
-+    char *keyword, *value;
-+    BIGNUM *p = NULL, *q = NULL, *g = NULL;
-+    int counter, counter2;
-+    unsigned long h, h2;
-+    DSA *dsa=NULL;
-+    int nmod=0;
-+    unsigned char seed[1024];
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		{
-+		fputs(buf,stdout);
-+		continue;
-+		}
-+	fputs(buf, stdout);
-+	if(!strcmp(keyword,"[mod"))
-+	    nmod=atoi(value);
-+	else if(!strcmp(keyword,"P"))
-+	    p=hex2bn(value);
-+	else if(!strcmp(keyword,"Q"))
-+	    q=hex2bn(value);
-+	else if(!strcmp(keyword,"G"))
-+	    g=hex2bn(value);
-+	else if(!strcmp(keyword,"Seed"))
-+	    {
-+	    int slen = hex2bin(value, seed);
-+	    if (slen != 20)
-+		{
-+		fprintf(stderr, "Seed parse length error\n");
-+		exit (1);
-+		}
-+	    }
-+	else if(!strcmp(keyword,"c"))
-+	    counter =atoi(buf+4);
-+	else if(!strcmp(keyword,"H"))
-+	    {
-+	    h = atoi(value);
-+	    if (!p || !q || !g)
-+		{
-+		fprintf(stderr, "Parse Error\n");
-+		exit (1);
-+		}
-+	    dsa = FIPS_dsa_new();
-+	    if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL))
-+			{
-+			do_print_errors();
-+			exit(1);
-+			}
-+            if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g)
-+		|| (counter != counter2) || (h != h2))
-+	    	printf("Result = F\n");
-+	    else
-+	    	printf("Result = P\n");
-+	    BN_free(p);
-+	    BN_free(q);
-+	    BN_free(g);
-+	    p = NULL;
-+	    q = NULL;
-+	    g = NULL;
-+	    FIPS_dsa_free(dsa);
-+	    dsa = NULL;
-+	    }
-+	}
-+    }
-+
-+/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2
-+ * algorithm tests. It is an additional test to perform sanity checks on the
-+ * output of the KeyPair test.
-+ */
-+
-+static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
-+							BN_CTX *ctx)
-+    {
-+    BIGNUM *rem = NULL;
-+    if (BN_num_bits(p) != nmod)
-+	return 0;
-+    if (BN_num_bits(q) != 160)
-+	return 0;
-+    if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1)
-+	return 0;
-+    if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1)
-+	return 0;
-+    rem = BN_new();
-+    if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
-+    	|| (BN_cmp(g, BN_value_one()) <= 0)
-+	|| !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
-+	{
-+	BN_free(rem);
-+	return 0;
-+	}
-+    /* Todo: check g */
-+    BN_free(rem);
-+    return 1;
-+    }
-+
-+void keyver()
-+    {
-+    char buf[1024];
-+    char lbuf[1024];
-+    char *keyword, *value;
-+    BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
-+    BIGNUM *Y2;
-+    BN_CTX *ctx = NULL;
-+    int nmod=0, paramcheck = 0;
-+
-+    ctx = BN_CTX_new();
-+    Y2 = BN_new();
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		{
-+		fputs(buf,stdout);
-+		continue;
-+		}
-+	if(!strcmp(keyword,"[mod"))
-+	    {
-+	    if (p)
-+		BN_free(p);
-+	    p = NULL;
-+	    if (q)
-+		BN_free(q);
-+	    q = NULL;
-+	    if (g)
-+		BN_free(g);
-+	    g = NULL;
-+	    paramcheck = 0;
-+	    nmod=atoi(value);
-+	    }
-+	else if(!strcmp(keyword,"P"))
-+	    p=hex2bn(value);
-+	else if(!strcmp(keyword,"Q"))
-+	    q=hex2bn(value);
-+	else if(!strcmp(keyword,"G"))
-+	    g=hex2bn(value);
-+	else if(!strcmp(keyword,"X"))
-+	    X=hex2bn(value);
-+	else if(!strcmp(keyword,"Y"))
-+	    {
-+	    Y=hex2bn(value);
-+	    if (!p || !q || !g || !X || !Y)
-+		{
-+		fprintf(stderr, "Parse Error\n");
-+		exit (1);
-+		}
-+	    pbn("P",p);
-+	    pbn("Q",q);
-+	    pbn("G",g);
-+	    pbn("X",X);
-+	    pbn("Y",Y);
-+	    if (!paramcheck)
-+		{
-+		if (dss_paramcheck(nmod, p, q, g, ctx))
-+			paramcheck = 1;
-+		else
-+			paramcheck = -1;
-+		}
-+	    if (paramcheck != 1)
-+	   	printf("Result = F\n");
-+	    else
-+		{
-+		if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
-+	    		printf("Result = F\n");
-+	        else
-+	    		printf("Result = P\n");
-+		}
-+	    BN_free(X);
-+	    BN_free(Y);
-+	    X = NULL;
-+	    Y = NULL;
-+	    }
-+	}
-+	if (p)
-+	    BN_free(p);
-+	if (q)
-+	    BN_free(q);
-+	if (g)
-+	    BN_free(g);
-+	if (Y2)
-+	    BN_free(Y2);
-+    }
-+
-+void keypair()
-+    {
-+    char buf[1024];
-+    char lbuf[1024];
-+    char *keyword, *value;
-+    int nmod=0;
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		{
-+		fputs(buf,stdout);
-+		continue;
-+		}
-+	if(!strcmp(keyword,"[mod"))
-+	    nmod=atoi(value);
-+	else if(!strcmp(keyword,"N"))
-+	    {
-+	    DSA *dsa;
-+	    int n=atoi(value);
-+
-+	    printf("[mod = %d]\n\n",nmod);
-+	    dsa = FIPS_dsa_new();
-+	    if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
-+		{
-+		do_print_errors();
-+		exit(1);
-+		}
-+	    pbn("P",dsa->p);
-+	    pbn("Q",dsa->q);
-+	    pbn("G",dsa->g);
-+	    putc('\n',stdout);
-+
-+	    while(n--)
-+		{
-+		if (!DSA_generate_key(dsa))
-+			{
-+			do_print_errors();
-+			exit(1);
-+			}
-+
-+		pbn("X",dsa->priv_key);
-+		pbn("Y",dsa->pub_key);
-+		putc('\n',stdout);
-+		}
-+	    }
-+	}
-+    }
-+
-+void siggen()
-+    {
-+    char buf[1024];
-+    char lbuf[1024];
-+    char *keyword, *value;
-+    int nmod=0;
-+    DSA *dsa=NULL;
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		{
-+		fputs(buf,stdout);
-+		continue;
-+		}
-+	if(!strcmp(keyword,"[mod"))
-+	    {
-+	    nmod=atoi(value);
-+	    printf("[mod = %d]\n\n",nmod);
-+	    if (dsa)
-+		FIPS_dsa_free(dsa);
-+	    dsa = FIPS_dsa_new();
-+	    if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
-+		{
-+		do_print_errors();
-+		exit(1);
-+		}
-+	    pbn("P",dsa->p);
-+	    pbn("Q",dsa->q);
-+	    pbn("G",dsa->g);
-+	    putc('\n',stdout);
-+	    }
-+	else if(!strcmp(keyword,"Msg"))
-+	    {
-+	    unsigned char msg[1024];
-+	    unsigned char sbuf[60];
-+	    unsigned int slen;
-+	    int n;
-+	    EVP_PKEY pk;
-+	    EVP_MD_CTX mctx;
-+	    DSA_SIG *sig;
-+	    EVP_MD_CTX_init(&mctx);
-+
-+	    n=hex2bin(value,msg);
-+	    pv("Msg",msg,n);
-+
-+	    if (!DSA_generate_key(dsa))
-+		{
-+		do_print_errors();
-+		exit(1);
-+		}
-+	    pk.type = EVP_PKEY_DSA;
-+	    pk.pkey.dsa = dsa;
-+	    pbn("Y",dsa->pub_key);
-+
-+	    EVP_SignInit_ex(&mctx, EVP_dss1(), NULL);
-+	    EVP_SignUpdate(&mctx, msg, n);
-+	    EVP_SignFinal(&mctx, sbuf, &slen, &pk);
-+
-+	    sig = DSA_SIG_new();
-+	    FIPS_dsa_sig_decode(sig, sbuf, slen);
-+
-+	    pbn("R",sig->r);
-+	    pbn("S",sig->s);
-+	    putc('\n',stdout);
-+	    DSA_SIG_free(sig);
-+	    EVP_MD_CTX_cleanup(&mctx);
-+	    }
-+	}
-+	if (dsa)
-+		FIPS_dsa_free(dsa);
-+    }
-+
-+void sigver()
-+    {
-+    DSA *dsa=NULL;
-+    char buf[1024];
-+    char lbuf[1024];
-+    unsigned char msg[1024];
-+    char *keyword, *value;
-+    int nmod=0, n=0;
-+    DSA_SIG sg, *sig = &sg;
-+
-+    sig->r = NULL;
-+    sig->s = NULL;
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		{
-+		fputs(buf,stdout);
-+		continue;
-+		}
-+	if(!strcmp(keyword,"[mod"))
-+	    {
-+	    nmod=atoi(value);
-+	    if(dsa)
-+		FIPS_dsa_free(dsa);
-+	    dsa=FIPS_dsa_new();
-+	    }
-+	else if(!strcmp(keyword,"P"))
-+	    dsa->p=hex2bn(value);
-+	else if(!strcmp(keyword,"Q"))
-+	    dsa->q=hex2bn(value);
-+	else if(!strcmp(keyword,"G"))
-+	    {
-+	    dsa->g=hex2bn(value);
-+
-+	    printf("[mod = %d]\n\n",nmod);
-+	    pbn("P",dsa->p);
-+	    pbn("Q",dsa->q);
-+	    pbn("G",dsa->g);
-+	    putc('\n',stdout);
-+	    }
-+	else if(!strcmp(keyword,"Msg"))
-+	    {
-+	    n=hex2bin(value,msg);
-+	    pv("Msg",msg,n);
-+	    }
-+	else if(!strcmp(keyword,"Y"))
-+	    dsa->pub_key=hex2bn(value);
-+	else if(!strcmp(keyword,"R"))
-+	    sig->r=hex2bn(value);
-+	else if(!strcmp(keyword,"S"))
-+	    {
-+	    EVP_MD_CTX mctx;
-+	    EVP_PKEY pk;
-+	    unsigned char sigbuf[60];
-+	    unsigned int slen;
-+	    int r;
-+	    EVP_MD_CTX_init(&mctx);
-+	    pk.type = EVP_PKEY_DSA;
-+	    pk.pkey.dsa = dsa;
-+	    sig->s=hex2bn(value);
-+	
-+	    pbn("Y",dsa->pub_key);
-+	    pbn("R",sig->r);
-+	    pbn("S",sig->s);
-+
-+	    slen = FIPS_dsa_sig_encode(sigbuf, sig);
-+	    EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL);
-+	    EVP_VerifyUpdate(&mctx, msg, n);
-+	    r = EVP_VerifyFinal(&mctx, sigbuf, slen, &pk);
-+	    EVP_MD_CTX_cleanup(&mctx);
-+	
-+	    printf("Result = %c\n", r == 1 ? 'P' : 'F');
-+	    putc('\n',stdout);
-+	    }
-+	}
-+    }
-+
-+int main(int argc,char **argv)
-+    {
-+    if(argc != 2)
-+	{
-+	fprintf(stderr,"%s [prime|pqg|pqgver|keypair|siggen|sigver]\n",argv[0]);
-+	exit(1);
-+	}
-+    if(!FIPS_mode_set(1))
-+	{
-+	do_print_errors();
-+	exit(1);
-+	}
-+    if(!strcmp(argv[1],"prime"))
-+	primes();
-+    else if(!strcmp(argv[1],"pqg"))
-+	pqg();
-+    else if(!strcmp(argv[1],"pqgver"))
-+	pqgver();
-+    else if(!strcmp(argv[1],"keypair"))
-+	keypair();
-+    else if(!strcmp(argv[1],"keyver"))
-+	keyver();
-+    else if(!strcmp(argv[1],"siggen"))
-+	siggen();
-+    else if(!strcmp(argv[1],"sigver"))
-+	sigver();
-+    else
-+	{
-+	fprintf(stderr,"Don't know how to %s.\n",argv[1]);
-+	exit(1);
-+	}
-+
-+    return 0;
-+    }
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.0k/crypto/fips/cavs/fips_rngvs.c
---- openssl-1.0.0k/crypto/fips/cavs/fips_rngvs.c.fips	2013-02-19 20:12:54.591664800 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_rngvs.c	2013-02-19 20:12:54.591664800 +0100
-@@ -0,0 +1,230 @@
-+/*
-+ * Crude test driver for processing the VST and MCT testvector files
-+ * generated by the CMVP RNGVS product.
-+ *
-+ * Note the input files are assumed to have a _very_ specific format
-+ * as described in the NIST document "The Random Number Generator
-+ * Validation System (RNGVS)", May 25, 2004.
-+ *
-+ */
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+    printf("No FIPS RNG support\n");
-+    return 0;
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/x509v3.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+void vst()
-+    {
-+    unsigned char *key = NULL;
-+    unsigned char *v = NULL;
-+    unsigned char *dt = NULL;
-+    unsigned char ret[16];
-+    char buf[1024];
-+    char lbuf[1024];
-+    char *keyword, *value;
-+    long i, keylen;
-+
-+    keylen = 0;
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	fputs(buf,stdout);
-+	if(!strncmp(buf,"[AES 128-Key]", 13))
-+		keylen = 16;
-+	else if(!strncmp(buf,"[AES 192-Key]", 13))
-+		keylen = 24;
-+	else if(!strncmp(buf,"[AES 256-Key]", 13))
-+		keylen = 32;
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		continue;
-+	if(!strcmp(keyword,"Key"))
-+	    {
-+	    key=hex2bin_m(value,&i);
-+	    if (i != keylen)
-+		{
-+		fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
-+		return;
-+		}
-+	    }
-+	else if(!strcmp(keyword,"DT"))
-+	    {
-+	    dt=hex2bin_m(value,&i);
-+	    if (i != 16)
-+		{
-+		fprintf(stderr, "Invalid DT length\n");
-+		return;
-+		}
-+	    }
-+	else if(!strcmp(keyword,"V"))
-+	    {
-+	    v=hex2bin_m(value,&i);
-+	    if (i != 16)
-+		{
-+		fprintf(stderr, "Invalid V length\n");
-+		return;
-+		}
-+
-+	    if (!key || !dt)
-+		{
-+		fprintf(stderr, "Missing key or DT\n");
-+		return;
-+		}
-+
-+	    FIPS_rand_set_key(key, keylen);
-+	    FIPS_rand_seed(v,16);
-+	    FIPS_rand_set_dt(dt);
-+	    if (FIPS_rand_bytes(ret,16) <= 0)
-+		{
-+		fprintf(stderr, "Error getting PRNG value\n");
-+	        return;
-+	        }
-+
-+	    pv("R",ret,16);
-+	    OPENSSL_free(key);
-+	    key = NULL;
-+	    OPENSSL_free(dt);
-+	    dt = NULL;
-+	    OPENSSL_free(v);
-+	    v = NULL;
-+	    }
-+	}
-+    }
-+
-+void mct()
-+    {
-+    unsigned char *key = NULL;
-+    unsigned char *v = NULL;
-+    unsigned char *dt = NULL;
-+    unsigned char ret[16];
-+    char buf[1024];
-+    char lbuf[1024];
-+    char *keyword, *value;
-+    long i, keylen;
-+    int j;
-+
-+    keylen = 0;
-+
-+    while(fgets(buf,sizeof buf,stdin) != NULL)
-+	{
-+	fputs(buf,stdout);
-+	if(!strncmp(buf,"[AES 128-Key]", 13))
-+		keylen = 16;
-+	else if(!strncmp(buf,"[AES 192-Key]", 13))
-+		keylen = 24;
-+	else if(!strncmp(buf,"[AES 256-Key]", 13))
-+		keylen = 32;
-+	if (!parse_line(&keyword, &value, lbuf, buf))
-+		continue;
-+	if(!strcmp(keyword,"Key"))
-+	    {
-+	    key=hex2bin_m(value,&i);
-+	    if (i != keylen)
-+		{
-+		fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
-+		return;
-+		}
-+	    }
-+	else if(!strcmp(keyword,"DT"))
-+	    {
-+	    dt=hex2bin_m(value,&i);
-+	    if (i != 16)
-+		{
-+		fprintf(stderr, "Invalid DT length\n");
-+		return;
-+		}
-+	    }
-+	else if(!strcmp(keyword,"V"))
-+	    {
-+	    v=hex2bin_m(value,&i);
-+	    if (i != 16)
-+		{
-+		fprintf(stderr, "Invalid V length\n");
-+		return;
-+		}
-+
-+	    if (!key || !dt)
-+		{
-+		fprintf(stderr, "Missing key or DT\n");
-+		return;
-+		}
-+
-+	    FIPS_rand_set_key(key, keylen);
-+	    FIPS_rand_seed(v,16);
-+	    for (i = 0; i < 10000; i++)
-+		{
-+		    FIPS_rand_set_dt(dt);
-+		    if (FIPS_rand_bytes(ret,16) <= 0)
-+			{
-+			fprintf(stderr, "Error getting PRNG value\n");
-+		        return;
-+		        }
-+		    /* Increment DT */
-+		    for (j = 15; j >= 0; j--)
-+			{
-+			dt[j]++;
-+			if (dt[j])
-+				break;
-+			}
-+		}
-+
-+	    pv("R",ret,16);
-+	    OPENSSL_free(key);
-+	    key = NULL;
-+	    OPENSSL_free(dt);
-+	    dt = NULL;
-+	    OPENSSL_free(v);
-+	    v = NULL;
-+	    }
-+	}
-+    }
-+
-+int main(int argc,char **argv)
-+    {
-+    if(argc != 2)
-+	{
-+	fprintf(stderr,"%s [mct|vst]\n",argv[0]);
-+	exit(1);
-+	}
-+    if(!FIPS_mode_set(1))
-+	{
-+	do_print_errors();
-+	exit(1);
-+	}
-+    FIPS_rand_reset();
-+    if (!FIPS_rand_test_mode())
-+	{
-+	fprintf(stderr, "Error setting PRNG test mode\n");
-+	do_print_errors();
-+	exit(1);
-+	}
-+    if(!strcmp(argv[1],"mct"))
-+	mct();
-+    else if(!strcmp(argv[1],"vst"))
-+	vst();
-+    else
-+	{
-+	fprintf(stderr,"Don't know how to %s.\n",argv[1]);
-+	exit(1);
-+	}
-+
-+    return 0;
-+    }
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.0k/crypto/fips/cavs/fips_rsagtest.c
---- openssl-1.0.0k/crypto/fips/cavs/fips_rsagtest.c.fips	2013-02-19 20:12:54.592664819 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_rsagtest.c	2013-02-19 20:12:54.592664819 +0100
-@@ -0,0 +1,390 @@
-+/* fips_rsagtest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005,2007 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/rsa.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+    printf("No FIPS RSA support\n");
-+    return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+int rsa_test(FILE *out, FILE *in);
-+static int rsa_printkey1(FILE *out, RSA *rsa,
-+		BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
-+		BIGNUM *e);
-+static int rsa_printkey2(FILE *out, RSA *rsa,
-+		BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq);
-+
-+int main(int argc, char **argv)
-+	{
-+	FILE *in = NULL, *out = NULL;
-+
-+	int ret = 1;
-+
-+	if(!FIPS_mode_set(1))
-+		{
-+		do_print_errors();
-+		goto end;
-+		}
-+
-+	if (argc == 1)
-+		in = stdin;
-+	else
-+		in = fopen(argv[1], "r");
-+
-+	if (argc < 2)
-+		out = stdout;
-+	else
-+		out = fopen(argv[2], "w");
-+
-+	if (!in)
-+		{
-+		fprintf(stderr, "FATAL input initialization error\n");
-+		goto end;
-+		}
-+
-+	if (!out)
-+		{
-+		fprintf(stderr, "FATAL output initialization error\n");
-+		goto end;
-+		}
-+
-+	if (!rsa_test(out, in))
-+		{
-+		fprintf(stderr, "FATAL RSAGTEST file processing error\n");
-+		goto end;
-+		}
-+	else
-+		ret = 0;
-+
-+	end:
-+
-+	if (ret)
-+		do_print_errors();
-+
-+	if (in && (in != stdin))
-+		fclose(in);
-+	if (out && (out != stdout))
-+		fclose(out);
-+
-+	return ret;
-+
-+	}
-+
-+#define RSA_TEST_MAXLINELEN	10240
-+
-+int rsa_test(FILE *out, FILE *in)
-+	{
-+	char *linebuf, *olinebuf, *p, *q;
-+	char *keyword, *value;
-+	RSA *rsa = NULL;
-+	BIGNUM *Xp1 = NULL, *Xp2 = NULL, *Xp = NULL;
-+	BIGNUM *Xq1 = NULL, *Xq2 = NULL, *Xq = NULL;
-+	BIGNUM *e = NULL;
-+	int ret = 0;
-+	int lnum = 0;
-+
-+	olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+	linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+	if (!linebuf || !olinebuf)
-+		goto error;
-+
-+	while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+		{
-+		lnum++;
-+		strcpy(linebuf, olinebuf);
-+		keyword = linebuf;
-+		/* Skip leading space */
-+		while (isspace((unsigned char)*keyword))
-+			keyword++;
-+
-+		/* Look for = sign */
-+		p = strchr(linebuf, '=');
-+
-+		/* If no = or starts with [ (for [foo = bar] line) just copy */
-+		if (!p || *keyword=='[')
-+			{
-+			if (fputs(olinebuf, out) < 0)
-+				goto error;
-+			continue;
-+			}
-+
-+		q = p - 1;
-+
-+		/* Remove trailing space */
-+		while (isspace((unsigned char)*q))
-+			*q-- = 0;
-+
-+		*p = 0;
-+		value = p + 1;
-+
-+		/* Remove leading space from value */
-+		while (isspace((unsigned char)*value))
-+			value++;
-+
-+		/* Remove trailing space from value */
-+		p = value + strlen(value) - 1;
-+
-+		while (*p == '\n' || isspace((unsigned char)*p))
-+			*p-- = 0;
-+
-+		if (!strcmp(keyword, "xp1"))
-+			{
-+			if (Xp1 || !do_hex2bn(&Xp1,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "xp2"))
-+			{
-+			if (Xp2 || !do_hex2bn(&Xp2,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "Xp"))
-+			{
-+			if (Xp || !do_hex2bn(&Xp,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "xq1"))
-+			{
-+			if (Xq1 || !do_hex2bn(&Xq1,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "xq2"))
-+			{
-+			if (Xq2 || !do_hex2bn(&Xq2,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "Xq"))
-+			{
-+			if (Xq || !do_hex2bn(&Xq,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "e"))
-+			{
-+			if (e || !do_hex2bn(&e,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "p1"))
-+			continue;
-+		else if (!strcmp(keyword, "p2"))
-+			continue;
-+		else if (!strcmp(keyword, "p"))
-+			continue;
-+		else if (!strcmp(keyword, "q1"))
-+			continue;
-+		else if (!strcmp(keyword, "q2"))
-+			continue;
-+		else if (!strcmp(keyword, "q"))
-+			continue;
-+		else if (!strcmp(keyword, "n"))
-+			continue;
-+		else if (!strcmp(keyword, "d"))
-+			continue;
-+		else
-+			goto parse_error;
-+
-+		fputs(olinebuf, out);
-+
-+		if (e && Xp1 && Xp2 && Xp)
-+			{
-+			rsa = FIPS_rsa_new();
-+			if (!rsa)
-+				goto error;
-+			if (!rsa_printkey1(out, rsa, Xp1, Xp2, Xp, e))
-+				goto error;
-+			BN_free(Xp1);
-+			Xp1 = NULL;
-+			BN_free(Xp2);
-+			Xp2 = NULL;
-+			BN_free(Xp);
-+			Xp = NULL;
-+			BN_free(e);
-+			e = NULL;
-+			}
-+
-+		if (rsa && Xq1 && Xq2 && Xq)
-+			{
-+			if (!rsa_printkey2(out, rsa, Xq1, Xq2, Xq))
-+				goto error;
-+			BN_free(Xq1);
-+			Xq1 = NULL;
-+			BN_free(Xq2);
-+			Xq2 = NULL;
-+			BN_free(Xq);
-+			Xq = NULL;
-+			FIPS_rsa_free(rsa);
-+			rsa = NULL;
-+			}
-+		}
-+
-+	ret = 1;
-+
-+	error:
-+
-+	if (olinebuf)
-+		OPENSSL_free(olinebuf);
-+	if (linebuf)
-+		OPENSSL_free(linebuf);
-+
-+	if (Xp1)
-+		BN_free(Xp1);
-+	if (Xp2)
-+		BN_free(Xp2);
-+	if (Xp)
-+		BN_free(Xp);
-+	if (Xq1)
-+		BN_free(Xq1);
-+	if (Xq1)
-+		BN_free(Xq1);
-+	if (Xq2)
-+		BN_free(Xq2);
-+	if (Xq)
-+		BN_free(Xq);
-+	if (e)
-+		BN_free(e);
-+	if (rsa)
-+		FIPS_rsa_free(rsa);
-+
-+	return ret;
-+
-+	parse_error:
-+
-+	fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+	goto error;
-+
-+	}
-+
-+static int rsa_printkey1(FILE *out, RSA *rsa,
-+		BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
-+		BIGNUM *e)
-+	{
-+	int ret = 0;
-+	BIGNUM *p1 = NULL, *p2 = NULL;
-+	p1 = BN_new();
-+	p2 = BN_new();
-+	if (!p1 || !p2)
-+		goto error;
-+
-+	if (!RSA_X931_derive_ex(rsa, p1, p2, NULL, NULL, Xp1, Xp2, Xp,
-+						NULL, NULL, NULL, e, NULL))
-+		goto error;
-+
-+	do_bn_print_name(out, "p1", p1);
-+	do_bn_print_name(out, "p2", p2);
-+	do_bn_print_name(out, "p", rsa->p);
-+
-+	ret = 1;
-+
-+	error:
-+	if (p1)
-+		BN_free(p1);
-+	if (p2)
-+		BN_free(p2);
-+
-+	return ret;
-+	}
-+
-+static int rsa_printkey2(FILE *out, RSA *rsa,
-+		BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq)
-+	{
-+	int ret = 0;
-+	BIGNUM *q1 = NULL, *q2 = NULL;
-+	q1 = BN_new();
-+	q2 = BN_new();
-+	if (!q1 || !q2)
-+		goto error;
-+
-+	if (!RSA_X931_derive_ex(rsa, NULL, NULL, q1, q2, NULL, NULL, NULL,
-+						Xq1, Xq2, Xq, NULL, NULL))
-+		goto error;
-+
-+	do_bn_print_name(out, "q1", q1);
-+	do_bn_print_name(out, "q2", q2);
-+	do_bn_print_name(out, "q", rsa->q);
-+	do_bn_print_name(out, "n", rsa->n);
-+	do_bn_print_name(out, "d", rsa->d);
-+
-+	ret = 1;
-+
-+	error:
-+	if (q1)
-+		BN_free(q1);
-+	if (q2)
-+		BN_free(q2);
-+
-+	return ret;
-+	}
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.0k/crypto/fips/cavs/fips_rsastest.c
---- openssl-1.0.0k/crypto/fips/cavs/fips_rsastest.c.fips	2013-02-19 20:12:54.592664819 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_rsastest.c	2013-02-19 20:12:54.592664819 +0100
-@@ -0,0 +1,370 @@
-+/* fips_rsastest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/rsa.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+    printf("No FIPS RSA support\n");
-+    return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+static int rsa_stest(FILE *out, FILE *in, int Saltlen);
-+static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
-+		unsigned char *Msg, long Msglen, int Saltlen);
-+
-+int main(int argc, char **argv)
-+	{
-+	FILE *in = NULL, *out = NULL;
-+
-+	int ret = 1, Saltlen = -1;
-+
-+	if(!FIPS_mode_set(1))
-+		{
-+		do_print_errors();
-+		goto end;
-+		}
-+
-+	if ((argc > 2) && !strcmp("-saltlen", argv[1]))
-+		{
-+		Saltlen = atoi(argv[2]);
-+		if (Saltlen < 0)
-+			{
-+			fprintf(stderr, "FATAL: Invalid salt length\n");
-+			goto end;
-+			}
-+		argc -= 2;
-+		argv += 2;
-+		}
-+	else if ((argc > 1) && !strcmp("-x931", argv[1]))
-+		{
-+		Saltlen = -2;
-+		argc--;
-+		argv++;
-+		}
-+
-+	if (argc == 1)
-+		in = stdin;
-+	else
-+		in = fopen(argv[1], "r");
-+
-+	if (argc < 2)
-+		out = stdout;
-+	else
-+		out = fopen(argv[2], "w");
-+
-+	if (!in)
-+		{
-+		fprintf(stderr, "FATAL input initialization error\n");
-+		goto end;
-+		}
-+
-+	if (!out)
-+		{
-+		fprintf(stderr, "FATAL output initialization error\n");
-+		goto end;
-+		}
-+
-+	if (!rsa_stest(out, in, Saltlen))
-+		{
-+		fprintf(stderr, "FATAL RSASTEST file processing error\n");
-+		goto end;
-+		}
-+	else
-+		ret = 0;
-+
-+	end:
-+
-+	if (ret)
-+		do_print_errors();
-+
-+	if (in && (in != stdin))
-+		fclose(in);
-+	if (out && (out != stdout))
-+		fclose(out);
-+
-+	return ret;
-+
-+	}
-+
-+#define RSA_TEST_MAXLINELEN	10240
-+
-+int rsa_stest(FILE *out, FILE *in, int Saltlen)
-+	{
-+	char *linebuf, *olinebuf, *p, *q;
-+	char *keyword, *value;
-+	RSA *rsa = NULL;
-+	const EVP_MD *dgst = NULL;
-+	unsigned char *Msg = NULL;
-+	long Msglen = -1;
-+	int keylen = -1, current_keylen = -1;
-+	int ret = 0;
-+	int lnum = 0;
-+
-+	olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+	linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+	if (!linebuf || !olinebuf)
-+		goto error;
-+
-+	while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+		{
-+		lnum++;
-+		strcpy(linebuf, olinebuf);
-+		keyword = linebuf;
-+		/* Skip leading space */
-+		while (isspace((unsigned char)*keyword))
-+			keyword++;
-+
-+		/* Look for = sign */
-+		p = strchr(linebuf, '=');
-+
-+		/* If no = just copy */
-+		if (!p)
-+			{
-+			if (fputs(olinebuf, out) < 0)
-+				goto error;
-+			continue;
-+			}
-+
-+		q = p - 1;
-+
-+		/* Remove trailing space */
-+		while (isspace((unsigned char)*q))
-+			*q-- = 0;
-+
-+		*p = 0;
-+		value = p + 1;
-+
-+		/* Remove leading space from value */
-+		while (isspace((unsigned char)*value))
-+			value++;
-+
-+		/* Remove trailing space from value */
-+		p = value + strlen(value) - 1;
-+
-+		while (*p == '\n' || isspace((unsigned char)*p))
-+			*p-- = 0;
-+
-+		/* Look for [mod = XXX] for key length */
-+
-+		if (!strcmp(keyword, "[mod"))
-+			{
-+			p = value + strlen(value) - 1;
-+			if (*p != ']')
-+				goto parse_error;
-+			*p = 0;
-+			keylen = atoi(value);
-+			if (keylen < 0)
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "SHAAlg"))
-+			{
-+			if (!strcmp(value, "SHA1"))
-+				dgst = EVP_sha1();
-+			else if (!strcmp(value, "SHA224"))
-+				dgst = EVP_sha224();
-+			else if (!strcmp(value, "SHA256"))
-+				dgst = EVP_sha256();
-+			else if (!strcmp(value, "SHA384"))
-+				dgst = EVP_sha384();
-+			else if (!strcmp(value, "SHA512"))
-+				dgst = EVP_sha512();
-+			else
-+				{
-+				fprintf(stderr,
-+					"FATAL: unsupported algorithm \"%s\"\n",
-+								value);
-+				goto parse_error;
-+				}
-+			}
-+		else if (!strcmp(keyword, "Msg"))
-+			{
-+			if (Msg)
-+				goto parse_error;
-+			if (strlen(value) & 1)
-+				*(--value) = '0';
-+			Msg = hex2bin_m(value, &Msglen);
-+			if (!Msg)
-+				goto parse_error;
-+			}
-+
-+		fputs(olinebuf, out);
-+
-+		/* If key length has changed, generate and output public
-+		 * key components of new RSA private key.
-+		 */
-+
-+		if (keylen != current_keylen)
-+			{
-+			BIGNUM *bn_e;
-+			if (rsa)
-+				FIPS_rsa_free(rsa);
-+			rsa = FIPS_rsa_new();
-+			if (!rsa)
-+				goto error;
-+			bn_e = BN_new();
-+			if (!bn_e || !BN_set_word(bn_e, 0x1001))
-+				goto error;
-+			if (!RSA_X931_generate_key_ex(rsa, keylen, bn_e, NULL))
-+				goto error;
-+			BN_free(bn_e);
-+			fputs("n = ", out);
-+			do_bn_print(out, rsa->n);
-+			fputs("\ne = ", out);
-+			do_bn_print(out, rsa->e);
-+			fputs("\n", out);
-+			current_keylen = keylen;
-+			}
-+
-+		if (Msg && dgst)
-+			{
-+			if (!rsa_printsig(out, rsa, dgst, Msg, Msglen,
-+								Saltlen))
-+				goto error;
-+			OPENSSL_free(Msg);
-+			Msg = NULL;
-+			}
-+
-+		}
-+
-+	ret = 1;
-+
-+	error:
-+
-+	if (olinebuf)
-+		OPENSSL_free(olinebuf);
-+	if (linebuf)
-+		OPENSSL_free(linebuf);
-+	if (rsa)
-+		FIPS_rsa_free(rsa);
-+
-+	return ret;
-+
-+	parse_error:
-+
-+	fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+	goto error;
-+
-+	}
-+
-+static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
-+		unsigned char *Msg, long Msglen, int Saltlen)
-+	{
-+	int ret = 0;
-+	unsigned char *sigbuf = NULL;
-+	int i, siglen;
-+	/* EVP_PKEY structure */
-+	EVP_PKEY pk;
-+	EVP_MD_CTX ctx;
-+	pk.type = EVP_PKEY_RSA;
-+	pk.pkey.rsa = rsa;
-+
-+	siglen = RSA_size(rsa);
-+	sigbuf = OPENSSL_malloc(siglen);
-+	if (!sigbuf)
-+		goto error;
-+
-+	EVP_MD_CTX_init(&ctx);
-+
-+	if (Saltlen >= 0)
-+		{
-+		M_EVP_MD_CTX_set_flags(&ctx,
-+			EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
-+		}
-+	else if (Saltlen == -2)
-+		M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
-+	if (!EVP_SignInit_ex(&ctx, dgst, NULL))
-+		goto error;
-+	if (!EVP_SignUpdate(&ctx, Msg, Msglen))
-+		goto error;
-+	if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk))
-+		goto error;
-+
-+	EVP_MD_CTX_cleanup(&ctx);
-+
-+	fputs("S = ", out);
-+
-+	for (i = 0; i < siglen; i++)
-+		fprintf(out, "%02X", sigbuf[i]);
-+
-+	fputs("\n", out);
-+
-+	ret = 1;
-+
-+	error:
-+
-+	return ret;
-+	}
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.0k/crypto/fips/cavs/fips_rsavtest.c
---- openssl-1.0.0k/crypto/fips/cavs/fips_rsavtest.c.fips	2013-02-19 20:12:54.592664819 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_rsavtest.c	2013-02-19 20:12:54.592664819 +0100
-@@ -0,0 +1,377 @@
-+/* fips_rsavtest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/x509v3.h>
-+#include <openssl/bn.h>
-+#include <openssl/rsa.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+    printf("No FIPS RSA support\n");
-+    return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+int rsa_test(FILE *out, FILE *in, int saltlen);
-+static int rsa_printver(FILE *out,
-+		BIGNUM *n, BIGNUM *e,
-+		const EVP_MD *dgst,
-+		unsigned char *Msg, long Msglen,
-+		unsigned char *S, long Slen, int Saltlen);
-+
-+int main(int argc, char **argv)
-+	{
-+	FILE *in = NULL, *out = NULL;
-+
-+	int ret = 1;
-+	int Saltlen = -1;
-+
-+	if(!FIPS_mode_set(1))
-+		{
-+		do_print_errors();
-+		goto end;
-+		}
-+
-+	if ((argc > 2) && !strcmp("-saltlen", argv[1]))
-+		{
-+		Saltlen = atoi(argv[2]);
-+		if (Saltlen < 0)
-+			{
-+			fprintf(stderr, "FATAL: Invalid salt length\n");
-+			goto end;
-+			}
-+		argc -= 2;
-+		argv += 2;
-+		}
-+	else if ((argc > 1) && !strcmp("-x931", argv[1]))
-+		{
-+		Saltlen = -2;
-+		argc--;
-+		argv++;
-+		}
-+
-+	if (argc == 1)
-+		in = stdin;
-+	else
-+		in = fopen(argv[1], "r");
-+
-+	if (argc < 2)
-+		out = stdout;
-+	else
-+		out = fopen(argv[2], "w");
-+
-+	if (!in)
-+		{
-+		fprintf(stderr, "FATAL input initialization error\n");
-+		goto end;
-+		}
-+
-+	if (!out)
-+		{
-+		fprintf(stderr, "FATAL output initialization error\n");
-+		goto end;
-+		}
-+
-+	if (!rsa_test(out, in, Saltlen))
-+		{
-+		fprintf(stderr, "FATAL RSAVTEST file processing error\n");
-+		goto end;
-+		}
-+	else
-+		ret = 0;
-+
-+	end:
-+
-+	if (ret)
-+		do_print_errors();
-+
-+	if (in && (in != stdin))
-+		fclose(in);
-+	if (out && (out != stdout))
-+		fclose(out);
-+
-+	return ret;
-+
-+	}
-+
-+#define RSA_TEST_MAXLINELEN	10240
-+
-+int rsa_test(FILE *out, FILE *in, int Saltlen)
-+	{
-+	char *linebuf, *olinebuf, *p, *q;
-+	char *keyword, *value;
-+	const EVP_MD *dgst = NULL;
-+	BIGNUM *n = NULL, *e = NULL;
-+	unsigned char *Msg = NULL, *S = NULL;
-+	long Msglen, Slen;
-+	int ret = 0;
-+	int lnum = 0;
-+
-+	olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+	linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+	if (!linebuf || !olinebuf)
-+		goto error;
-+
-+	while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+		{
-+		lnum++;
-+		strcpy(linebuf, olinebuf);
-+		keyword = linebuf;
-+		/* Skip leading space */
-+		while (isspace((unsigned char)*keyword))
-+			keyword++;
-+
-+		/* Look for = sign */
-+		p = strchr(linebuf, '=');
-+
-+		/* If no = or starts with [ (for [foo = bar] line) just copy */
-+		if (!p || *keyword=='[')
-+			{
-+			if (fputs(olinebuf, out) < 0)
-+				goto error;
-+			continue;
-+			}
-+
-+		q = p - 1;
-+
-+		/* Remove trailing space */
-+		while (isspace((unsigned char)*q))
-+			*q-- = 0;
-+
-+		*p = 0;
-+		value = p + 1;
-+
-+		/* Remove leading space from value */
-+		while (isspace((unsigned char)*value))
-+			value++;
-+
-+		/* Remove trailing space from value */
-+		p = value + strlen(value) - 1;
-+
-+		while (*p == '\n' || isspace((unsigned char)*p))
-+			*p-- = 0;
-+
-+		if (!strcmp(keyword, "n"))
-+			{
-+			if (!do_hex2bn(&n,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "e"))
-+			{
-+			if (!do_hex2bn(&e,value))
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "SHAAlg"))
-+			{
-+			if (!strcmp(value, "SHA1"))
-+				dgst = EVP_sha1();
-+			else if (!strcmp(value, "SHA224"))
-+				dgst = EVP_sha224();
-+			else if (!strcmp(value, "SHA256"))
-+				dgst = EVP_sha256();
-+			else if (!strcmp(value, "SHA384"))
-+				dgst = EVP_sha384();
-+			else if (!strcmp(value, "SHA512"))
-+				dgst = EVP_sha512();
-+			else
-+				{
-+				fprintf(stderr,
-+					"FATAL: unsupported algorithm \"%s\"\n",
-+								value);
-+				goto parse_error;
-+				}
-+			}
-+		else if (!strcmp(keyword, "Msg"))
-+			{
-+			if (Msg)
-+				goto parse_error;
-+			if (strlen(value) & 1)
-+				*(--value) = '0';
-+			Msg = hex2bin_m(value, &Msglen);
-+			if (!Msg)
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "S"))
-+			{
-+			if (S)
-+				goto parse_error;
-+			if (strlen(value) & 1)
-+				*(--value) = '0';
-+			S = hex2bin_m(value, &Slen);
-+			if (!S)
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "Result"))
-+			continue;
-+		else
-+			goto parse_error;
-+
-+		fputs(olinebuf, out);
-+
-+		if (n && e && Msg && S && dgst)
-+			{
-+			if (!rsa_printver(out, n, e, dgst,
-+					Msg, Msglen, S, Slen, Saltlen))
-+				goto error;
-+			OPENSSL_free(Msg);
-+			Msg = NULL;
-+			OPENSSL_free(S);
-+			S = NULL;
-+			}
-+
-+		}
-+
-+
-+	ret = 1;
-+
-+
-+	error:
-+
-+	if (olinebuf)
-+		OPENSSL_free(olinebuf);
-+	if (linebuf)
-+		OPENSSL_free(linebuf);
-+	if (n)
-+		BN_free(n);
-+	if (e)
-+		BN_free(e);
-+
-+	return ret;
-+
-+	parse_error:
-+
-+	fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+	goto error;
-+
-+	}
-+
-+static int rsa_printver(FILE *out,
-+		BIGNUM *n, BIGNUM *e,
-+		const EVP_MD *dgst,
-+		unsigned char *Msg, long Msglen,
-+		unsigned char *S, long Slen, int Saltlen)
-+	{
-+	int ret = 0, r;
-+	/* Setup RSA and EVP_PKEY structures */
-+	RSA *rsa_pubkey = NULL;
-+	EVP_PKEY pk;
-+	EVP_MD_CTX ctx;
-+	unsigned char *buf = NULL;
-+	rsa_pubkey = FIPS_rsa_new();
-+	if (!rsa_pubkey)
-+		goto error;
-+	rsa_pubkey->n = BN_dup(n);
-+	rsa_pubkey->e = BN_dup(e);
-+	if (!rsa_pubkey->n || !rsa_pubkey->e)
-+		goto error;
-+	pk.type = EVP_PKEY_RSA;
-+	pk.pkey.rsa = rsa_pubkey;
-+
-+	EVP_MD_CTX_init(&ctx);
-+
-+	if (Saltlen >= 0)
-+		{
-+		M_EVP_MD_CTX_set_flags(&ctx,
-+			EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
-+		}
-+	else if (Saltlen == -2)
-+		M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
-+	if (!EVP_VerifyInit_ex(&ctx, dgst, NULL))
-+		goto error;
-+	if (!EVP_VerifyUpdate(&ctx, Msg, Msglen))
-+		goto error;
-+
-+	r = EVP_VerifyFinal(&ctx, S, Slen, &pk);
-+
-+
-+	EVP_MD_CTX_cleanup(&ctx);
-+
-+	if (r < 0)
-+		goto error;
-+	ERR_clear_error();
-+
-+	if (r == 0)
-+		fputs("Result = F\n", out);
-+	else
-+		fputs("Result = P\n", out);
-+
-+	ret = 1;
-+
-+	error:
-+	if (rsa_pubkey)
-+		FIPS_rsa_free(rsa_pubkey);
-+	if (buf)
-+		OPENSSL_free(buf);
-+
-+	return ret;
-+	}
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.0k/crypto/fips/cavs/fips_shatest.c
---- openssl-1.0.0k/crypto/fips/cavs/fips_shatest.c.fips	2013-02-19 20:12:54.592664819 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_shatest.c	2013-02-19 20:12:54.592664819 +0100
-@@ -0,0 +1,388 @@
-+/* fips_shatest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+    printf("No FIPS SHAXXX support\n");
-+    return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+static int dgst_test(FILE *out, FILE *in);
-+static int print_dgst(const EVP_MD *md, FILE *out,
-+		unsigned char *Msg, int Msglen);
-+static int print_monte(const EVP_MD *md, FILE *out,
-+		unsigned char *Seed, int SeedLen);
-+
-+int main(int argc, char **argv)
-+	{
-+	FILE *in = NULL, *out = NULL;
-+
-+	int ret = 1;
-+
-+	if(!FIPS_mode_set(1))
-+		{
-+		do_print_errors();
-+		goto end;
-+		}
-+
-+	if (argc == 1)
-+		in = stdin;
-+	else
-+		in = fopen(argv[1], "r");
-+
-+	if (argc < 2)
-+		out = stdout;
-+	else
-+		out = fopen(argv[2], "w");
-+
-+	if (!in)
-+		{
-+		fprintf(stderr, "FATAL input initialization error\n");
-+		goto end;
-+		}
-+
-+	if (!out)
-+		{
-+		fprintf(stderr, "FATAL output initialization error\n");
-+		goto end;
-+		}
-+
-+	if (!dgst_test(out, in))
-+		{
-+		fprintf(stderr, "FATAL digest file processing error\n");
-+		goto end;
-+		}
-+	else
-+		ret = 0;
-+
-+	end:
-+
-+	if (ret)
-+		do_print_errors();
-+
-+	if (in && (in != stdin))
-+		fclose(in);
-+	if (out && (out != stdout))
-+		fclose(out);
-+
-+	return ret;
-+
-+	}
-+
-+#define SHA_TEST_MAX_BITS	102400
-+#define SHA_TEST_MAXLINELEN	(((SHA_TEST_MAX_BITS >> 3) * 2) + 100)
-+
-+int dgst_test(FILE *out, FILE *in)
-+	{
-+	const EVP_MD *md = NULL;
-+	char *linebuf, *olinebuf, *p, *q;
-+	char *keyword, *value;
-+	unsigned char *Msg = NULL, *Seed = NULL;
-+	long MsgLen = -1, Len = -1, SeedLen = -1;
-+	int ret = 0;
-+	int lnum = 0;
-+
-+	olinebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
-+	linebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
-+
-+	if (!linebuf || !olinebuf)
-+		goto error;
-+
-+
-+	while (fgets(olinebuf, SHA_TEST_MAXLINELEN, in))
-+		{
-+		lnum++;
-+		strcpy(linebuf, olinebuf);
-+		keyword = linebuf;
-+		/* Skip leading space */
-+		while (isspace((unsigned char)*keyword))
-+			keyword++;
-+
-+		/* Look for = sign */
-+		p = strchr(linebuf, '=');
-+
-+		/* If no = or starts with [ (for [L=20] line) just copy */
-+		if (!p)
-+			{
-+			fputs(olinebuf, out);
-+			continue;
-+			}
-+
-+		q = p - 1;
-+
-+		/* Remove trailing space */
-+		while (isspace((unsigned char)*q))
-+			*q-- = 0;
-+
-+		*p = 0;
-+		value = p + 1;
-+
-+		/* Remove leading space from value */
-+		while (isspace((unsigned char)*value))
-+			value++;
-+
-+		/* Remove trailing space from value */
-+		p = value + strlen(value) - 1;
-+		while (*p == '\n' || isspace((unsigned char)*p))
-+			*p-- = 0;
-+
-+		if (!strcmp(keyword,"[L") && *p==']')
-+			{
-+			switch (atoi(value))
-+				{
-+				case 20: md=EVP_sha1();   break;
-+				case 28: md=EVP_sha224(); break;
-+				case 32: md=EVP_sha256(); break;
-+				case 48: md=EVP_sha384(); break;
-+				case 64: md=EVP_sha512(); break;
-+				default: goto parse_error;
-+				}
-+			}
-+		else if (!strcmp(keyword, "Len"))
-+			{
-+			if (Len != -1)
-+				goto parse_error;
-+			Len = atoi(value);
-+			if (Len < 0)
-+				goto parse_error;
-+			/* Only handle multiples of 8 bits */
-+			if (Len & 0x7)
-+				goto parse_error;
-+			if (Len > SHA_TEST_MAX_BITS)
-+				goto parse_error;
-+			MsgLen = Len >> 3;
-+			}
-+
-+		else if (!strcmp(keyword, "Msg"))
-+			{
-+			long tmplen;
-+			if (strlen(value) & 1)
-+				*(--value) = '0';
-+			if (Msg)
-+				goto parse_error;
-+			Msg = hex2bin_m(value, &tmplen);
-+			if (!Msg)
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "Seed"))
-+			{
-+			if (strlen(value) & 1)
-+				*(--value) = '0';
-+			if (Seed)
-+				goto parse_error;
-+			Seed = hex2bin_m(value, &SeedLen);
-+			if (!Seed)
-+				goto parse_error;
-+			}
-+		else if (!strcmp(keyword, "MD"))
-+			continue;
-+		else
-+			goto parse_error;
-+
-+		fputs(olinebuf, out);
-+
-+		if (md && Msg && (MsgLen >= 0))
-+			{
-+			if (!print_dgst(md, out, Msg, MsgLen))
-+				goto error;
-+			OPENSSL_free(Msg);
-+			Msg = NULL;
-+			MsgLen = -1;
-+			Len = -1;
-+			}
-+		else if (md && Seed && (SeedLen > 0))
-+			{
-+			if (!print_monte(md, out, Seed, SeedLen))
-+				goto error;
-+			OPENSSL_free(Seed);
-+			Seed = NULL;
-+			SeedLen = -1;
-+			}
-+	
-+
-+		}
-+
-+
-+	ret = 1;
-+
-+
-+	error:
-+
-+	if (olinebuf)
-+		OPENSSL_free(olinebuf);
-+	if (linebuf)
-+		OPENSSL_free(linebuf);
-+	if (Msg)
-+		OPENSSL_free(Msg);
-+	if (Seed)
-+		OPENSSL_free(Seed);
-+
-+	return ret;
-+
-+	parse_error:
-+
-+	fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+	goto error;
-+
-+	}
-+
-+static int print_dgst(const EVP_MD *emd, FILE *out,
-+		unsigned char *Msg, int Msglen)
-+	{
-+	int i, mdlen;
-+	unsigned char md[EVP_MAX_MD_SIZE];
-+	if (!EVP_Digest(Msg, Msglen, md, (unsigned int *)&mdlen, emd, NULL))
-+		{
-+		fputs("Error calculating HASH\n", stderr);
-+		return 0;
-+		}
-+	fputs("MD = ", out);
-+	for (i = 0; i < mdlen; i++)
-+		fprintf(out, "%02x", md[i]);
-+	fputs("\n", out);
-+	return 1;
-+	}
-+
-+static int print_monte(const EVP_MD *md, FILE *out,
-+		unsigned char *Seed, int SeedLen)
-+	{
-+	unsigned int i, j, k;
-+	int ret = 0;
-+	EVP_MD_CTX ctx;
-+	unsigned char *m1, *m2, *m3, *p;
-+	unsigned int mlen, m1len, m2len, m3len;
-+
-+	EVP_MD_CTX_init(&ctx);
-+
-+	if (SeedLen > EVP_MAX_MD_SIZE)
-+		mlen = SeedLen;
-+	else
-+		mlen = EVP_MAX_MD_SIZE;
-+
-+	m1 = OPENSSL_malloc(mlen);
-+	m2 = OPENSSL_malloc(mlen);
-+	m3 = OPENSSL_malloc(mlen);
-+
-+	if (!m1 || !m2 || !m3)
-+		goto mc_error;
-+
-+	m1len = m2len = m3len = SeedLen;
-+	memcpy(m1, Seed, SeedLen);
-+	memcpy(m2, Seed, SeedLen);
-+	memcpy(m3, Seed, SeedLen);
-+
-+	fputs("\n", out);
-+
-+	for (j = 0; j < 100; j++)
-+		{
-+		for (i = 0; i < 1000; i++)
-+			{
-+			EVP_DigestInit_ex(&ctx, md, NULL);
-+			EVP_DigestUpdate(&ctx, m1, m1len);
-+			EVP_DigestUpdate(&ctx, m2, m2len);
-+			EVP_DigestUpdate(&ctx, m3, m3len);
-+			p = m1;
-+			m1 = m2;
-+			m1len = m2len;
-+			m2 = m3;
-+			m2len = m3len;
-+			m3 = p;
-+			EVP_DigestFinal_ex(&ctx, m3, &m3len);
-+			}
-+		fprintf(out, "COUNT = %d\n", j);
-+		fputs("MD = ", out);
-+		for (k = 0; k < m3len; k++)
-+			fprintf(out, "%02x", m3[k]);
-+		fputs("\n\n", out);
-+		memcpy(m1, m3, m3len);
-+		memcpy(m2, m3, m3len);
-+		m1len = m2len = m3len;
-+		}
-+
-+	ret = 1;
-+
-+	mc_error:
-+	if (m1)
-+		OPENSSL_free(m1);
-+	if (m2)
-+		OPENSSL_free(m2);
-+	if (m3)
-+		OPENSSL_free(m3);
-+
-+	EVP_MD_CTX_cleanup(&ctx);
-+
-+	return ret;
-+	}
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.0k/crypto/fips/cavs/fips_utl.h
---- openssl-1.0.0k/crypto/fips/cavs/fips_utl.h.fips	2013-02-19 20:12:54.593664838 +0100
-+++ openssl-1.0.0k/crypto/fips/cavs/fips_utl.h	2013-02-19 20:12:54.593664838 +0100
-@@ -0,0 +1,343 @@
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+void do_print_errors(void)
-+	{
-+	const char *file, *data;
-+	int line, flags;
-+	unsigned long l;
-+	while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)))
-+		{
-+		fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d"
-+				":file=%s:line=%d:%s\n",
-+			l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l),
-+			file, line, flags & ERR_TXT_STRING ? data : "");
-+		}
-+	}
-+
-+int hex2bin(const char *in, unsigned char *out)
-+    {
-+    int n1, n2;
-+    unsigned char ch;
-+
-+    for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; )
-+	{ /* first byte */
-+	if ((in[n1] >= '0') && (in[n1] <= '9'))
-+	    ch = in[n1++] - '0';
-+	else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
-+	    ch = in[n1++] - 'A' + 10;
-+	else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
-+	    ch = in[n1++] - 'a' + 10;
-+	else
-+	    return -1;
-+	if(!in[n1])
-+	    {
-+	    out[n2++]=ch;
-+	    break;
-+	    }
-+	out[n2] = ch << 4;
-+	/* second byte */
-+	if ((in[n1] >= '0') && (in[n1] <= '9'))
-+	    ch = in[n1++] - '0';
-+	else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
-+	    ch = in[n1++] - 'A' + 10;
-+	else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
-+	    ch = in[n1++] - 'a' + 10;
-+	else
-+	    return -1;
-+	out[n2++] |= ch;
-+	}
-+    return n2;
-+    }
-+
-+unsigned char *hex2bin_m(const char *in, long *plen)
-+	{
-+	unsigned char *p;
-+	p = OPENSSL_malloc((strlen(in) + 1)/2);
-+	*plen = hex2bin(in, p);
-+	return p;
-+	}
-+
-+int do_hex2bn(BIGNUM **pr, const char *in)
-+	{
-+	unsigned char *p;
-+	long plen;
-+	int r = 0;
-+	p = hex2bin_m(in, &plen);
-+	if (!p)
-+		return 0;
-+	if (!*pr)
-+		*pr = BN_new();
-+	if (!*pr)
-+		return 0;
-+	if (BN_bin2bn(p, plen, *pr))
-+		r = 1;
-+	OPENSSL_free(p);
-+	return r;
-+	}
-+
-+int do_bn_print(FILE *out, BIGNUM *bn)
-+	{
-+	int len, i;
-+	unsigned char *tmp;
-+	len = BN_num_bytes(bn);
-+	if (len == 0)
-+		{
-+		fputs("00", out);
-+		return 1;
-+		}
-+
-+	tmp = OPENSSL_malloc(len);
-+	if (!tmp)
-+		{
-+		fprintf(stderr, "Memory allocation error\n");
-+		return 0;
-+		}
-+	BN_bn2bin(bn, tmp);
-+	for (i = 0; i < len; i++)
-+		fprintf(out, "%02x", tmp[i]);
-+	OPENSSL_free(tmp);
-+	return 1;
-+	}
-+
-+int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn)
-+	{
-+	int r;
-+	fprintf(out, "%s = ", name);
-+	r = do_bn_print(out, bn);
-+	if (!r)
-+		return 0;
-+	fputs("\n", out);
-+	return 1;
-+	}
-+
-+int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf)
-+	{
-+	char *keyword, *value, *p, *q;
-+	strcpy(linebuf, olinebuf);
-+	keyword = linebuf;
-+	/* Skip leading space */
-+	while (isspace((unsigned char)*keyword))
-+		keyword++;
-+
-+	/* Look for = sign */
-+	p = strchr(linebuf, '=');
-+
-+	/* If no '=' exit */
-+	if (!p)
-+		return 0;
-+
-+	q = p - 1;
-+
-+	/* Remove trailing space */
-+	while (isspace((unsigned char)*q))
-+		*q-- = 0;
-+
-+	*p = 0;
-+	value = p + 1;
-+
-+	/* Remove leading space from value */
-+	while (isspace((unsigned char)*value))
-+		value++;
-+
-+	/* Remove trailing space from value */
-+	p = value + strlen(value) - 1;
-+
-+	while (*p == '\n' || isspace((unsigned char)*p))
-+		*p-- = 0;
-+
-+	*pkw = keyword;
-+	*pval = value;
-+	return 1;
-+	}
-+
-+BIGNUM *hex2bn(const char *in)
-+    {
-+    BIGNUM *p=NULL;
-+
-+    if (!do_hex2bn(&p, in))
-+	return NULL;
-+
-+    return p;
-+    }
-+
-+int bin2hex(const unsigned char *in,int len,char *out)
-+    {
-+    int n1, n2;
-+    unsigned char ch;
-+
-+    for (n1=0,n2=0 ; n1 < len ; ++n1)
-+	{
-+	ch=in[n1] >> 4;
-+	if (ch <= 0x09)
-+	    out[n2++]=ch+'0';
-+	else
-+	    out[n2++]=ch-10+'a';
-+	ch=in[n1] & 0x0f;
-+	if(ch <= 0x09)
-+	    out[n2++]=ch+'0';
-+	else
-+	    out[n2++]=ch-10+'a';
-+	}
-+    out[n2]='\0';
-+    return n2;
-+    }
-+
-+void pv(const char *tag,const unsigned char *val,int len)
-+    {
-+    char obuf[2048];
-+
-+    bin2hex(val,len,obuf);
-+    printf("%s = %s\n",tag,obuf);
-+    }
-+
-+/* To avoid extensive changes to test program at this stage just convert
-+ * the input line into an acceptable form. Keyword lines converted to form
-+ * "keyword = value\n" no matter what white space present, all other lines
-+ * just have leading and trailing space removed.
-+ */
-+
-+int tidy_line(char *linebuf, char *olinebuf)
-+	{
-+	char *keyword, *value, *p, *q;
-+	strcpy(linebuf, olinebuf);
-+	keyword = linebuf;
-+	/* Skip leading space */
-+	while (isspace((unsigned char)*keyword))
-+		keyword++;
-+	/* Look for = sign */
-+	p = strchr(linebuf, '=');
-+
-+	/* If no '=' just chop leading, trailing ws */
-+	if (!p)
-+		{
-+		p = keyword + strlen(keyword) - 1;
-+		while (*p == '\n' || isspace((unsigned char)*p))
-+			*p-- = 0;
-+		strcpy(olinebuf, keyword);
-+		strcat(olinebuf, "\n");
-+		return 1;
-+		}
-+
-+	q = p - 1;
-+
-+	/* Remove trailing space */
-+	while (isspace((unsigned char)*q))
-+		*q-- = 0;
-+
-+	*p = 0;
-+	value = p + 1;
-+
-+	/* Remove leading space from value */
-+	while (isspace((unsigned char)*value))
-+		value++;
-+
-+	/* Remove trailing space from value */
-+	p = value + strlen(value) - 1;
-+
-+	while (*p == '\n' || isspace((unsigned char)*p))
-+		*p-- = 0;
-+
-+	strcpy(olinebuf, keyword);
-+	strcat(olinebuf, " = ");
-+	strcat(olinebuf, value);
-+	strcat(olinebuf, "\n");
-+
-+	return 1;
-+	}
-+
-+/* NB: this return the number of _bits_ read */
-+int bint2bin(const char *in, int len, unsigned char *out)
-+    {
-+    int n;
-+
-+    memset(out,0,len);
-+    for(n=0 ; n < len ; ++n)
-+	if(in[n] == '1')
-+	    out[n/8]|=(0x80 >> (n%8));
-+    return len;
-+    }
-+
-+int bin2bint(const unsigned char *in,int len,char *out)
-+    {
-+    int n;
-+
-+    for(n=0 ; n < len ; ++n)
-+	out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0';
-+    return n;
-+    }
-+
-+/*-----------------------------------------------*/
-+
-+void PrintValue(char *tag, unsigned char *val, int len)
-+{
-+#if VERBOSE
-+  char obuf[2048];
-+  int olen;
-+  olen = bin2hex(val, len, obuf);
-+  printf("%s = %.*s\n", tag, olen, obuf);
-+#endif
-+}
-+
-+void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode)
-+    {
-+    char obuf[2048];
-+    int olen;
-+
-+    if(bitmode)
-+	olen=bin2bint(val,len,obuf);
-+    else
-+	olen=bin2hex(val,len,obuf);
-+
-+    fprintf(rfp, "%s = %.*s\n", tag, olen, obuf);
-+#if VERBOSE
-+    printf("%s = %.*s\n", tag, olen, obuf);
-+#endif
-+    }
-+
-diff -up openssl-1.0.0k/crypto/fips_err.c.fips openssl-1.0.0k/crypto/fips_err.c
---- openssl-1.0.0k/crypto/fips_err.c.fips	2013-02-19 20:12:54.593664838 +0100
-+++ openssl-1.0.0k/crypto/fips_err.c	2013-02-19 20:12:54.593664838 +0100
-@@ -0,0 +1,7 @@
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+# include "fips_err.h"
-+#else
-+static void *dummy=&dummy;
-+#endif
-diff -up openssl-1.0.0k/crypto/fips_err.h.fips openssl-1.0.0k/crypto/fips_err.h
---- openssl-1.0.0k/crypto/fips_err.h.fips	2013-02-19 20:12:54.593664838 +0100
-+++ openssl-1.0.0k/crypto/fips_err.h	2013-02-19 20:12:54.593664838 +0100
-@@ -0,0 +1,137 @@
-+/* crypto/fips_err.h */
-+/* ====================================================================
-+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
-+ * made to it will be overwritten when the script next updates this file,
-+ * only reason strings will be preserved.
-+ */
-+
-+#include <stdio.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+/* BEGIN ERROR CODES */
-+#ifndef OPENSSL_NO_ERR
-+
-+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0)
-+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason)
-+
-+static ERR_STRING_DATA FIPS_str_functs[]=
-+	{
-+{ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS),	"DH_BUILTIN_GENPARAMS"},
-+{ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN),	"DSA_BUILTIN_PARAMGEN"},
-+{ERR_FUNC(FIPS_F_DSA_DO_SIGN),	"DSA_do_sign"},
-+{ERR_FUNC(FIPS_F_DSA_DO_VERIFY),	"DSA_do_verify"},
-+{ERR_FUNC(FIPS_F_EVP_CIPHERINIT_EX),	"EVP_CipherInit_ex"},
-+{ERR_FUNC(FIPS_F_EVP_DIGESTINIT_EX),	"EVP_DigestInit_ex"},
-+{ERR_FUNC(FIPS_F_FIPS_CHECK_DSA),	"FIPS_CHECK_DSA"},
-+{ERR_FUNC(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT),	"FIPS_CHECK_INCORE_FINGERPRINT"},
-+{ERR_FUNC(FIPS_F_FIPS_CHECK_RSA),	"FIPS_CHECK_RSA"},
-+{ERR_FUNC(FIPS_F_FIPS_DSA_CHECK),	"FIPS_DSA_CHECK"},
-+{ERR_FUNC(FIPS_F_FIPS_MODE_SET),	"FIPS_mode_set"},
-+{ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST),	"fips_pkey_signature_test"},
-+{ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES),	"FIPS_selftest_aes"},
-+{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES),	"FIPS_selftest_des"},
-+{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA),	"FIPS_selftest_dsa"},
-+{ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC),	"FIPS_selftest_hmac"},
-+{ERR_FUNC(FIPS_F_FIPS_SELFTEST_RNG),	"FIPS_selftest_rng"},
-+{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1),	"FIPS_selftest_sha1"},
-+{ERR_FUNC(FIPS_F_HASH_FINAL),	"HASH_FINAL"},
-+{ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN),	"RSA_BUILTIN_KEYGEN"},
-+{ERR_FUNC(FIPS_F_RSA_EAY_PRIVATE_DECRYPT),	"RSA_EAY_PRIVATE_DECRYPT"},
-+{ERR_FUNC(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT),	"RSA_EAY_PRIVATE_ENCRYPT"},
-+{ERR_FUNC(FIPS_F_RSA_EAY_PUBLIC_DECRYPT),	"RSA_EAY_PUBLIC_DECRYPT"},
-+{ERR_FUNC(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT),	"RSA_EAY_PUBLIC_ENCRYPT"},
-+{ERR_FUNC(FIPS_F_RSA_X931_GENERATE_KEY_EX),	"RSA_X931_generate_key_ex"},
-+{ERR_FUNC(FIPS_F_SSLEAY_RAND_BYTES),	"SSLEAY_RAND_BYTES"},
-+{0,NULL}
-+	};
-+
-+static ERR_STRING_DATA FIPS_str_reasons[]=
-+	{
-+{ERR_REASON(FIPS_R_CANNOT_READ_EXE)      ,"cannot read exe"},
-+{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot read exe digest"},
-+{ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"contradicting evidence"},
-+{ERR_REASON(FIPS_R_EXE_DIGEST_DOES_NOT_MATCH),"exe digest does not match"},
-+{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),"fingerprint does not match"},
-+{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED),"fingerprint does not match nonpic relocated"},
-+{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match segment aliasing"},
-+{ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET),"fips mode already set"},
-+{ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED) ,"fips selftest failed"},
-+{ERR_REASON(FIPS_R_INVALID_KEY_LENGTH)   ,"invalid key length"},
-+{ERR_REASON(FIPS_R_KEY_TOO_SHORT)        ,"key too short"},
-+{ERR_REASON(FIPS_R_NON_FIPS_METHOD)      ,"non fips method"},
-+{ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED) ,"pairwise test failed"},
-+{ERR_REASON(FIPS_R_RSA_DECRYPT_ERROR)    ,"rsa decrypt error"},
-+{ERR_REASON(FIPS_R_RSA_ENCRYPT_ERROR)    ,"rsa encrypt error"},
-+{ERR_REASON(FIPS_R_SELFTEST_FAILED)      ,"selftest failed"},
-+{ERR_REASON(FIPS_R_TEST_FAILURE)         ,"test failure"},
-+{ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM) ,"unsupported platform"},
-+{0,NULL}
-+	};
-+
-+#endif
-+
-+void ERR_load_FIPS_strings(void)
-+	{
-+#ifndef OPENSSL_NO_ERR
-+
-+	if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL)
-+		{
-+		ERR_load_strings(0,FIPS_str_functs);
-+		ERR_load_strings(0,FIPS_str_reasons);
-+		}
-+#endif
-+	}
-diff -up openssl-1.0.0k/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.0k/crypto/fips/fips_aes_selftest.c
---- openssl-1.0.0k/crypto/fips/fips_aes_selftest.c.fips	2013-02-19 20:12:54.593664838 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_aes_selftest.c	2013-02-19 20:12:54.593664838 +0100
-@@ -0,0 +1,103 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+
-+#ifdef OPENSSL_FIPS
-+static struct
-+    {
-+    unsigned char key[16];
-+    unsigned char plaintext[16];
-+    unsigned char ciphertext[16];
-+    } tests[]=
-+	{
-+	{
-+	{ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-+	  0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F },
-+	{ 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
-+	  0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF },
-+	{ 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30,
-+	  0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A },
-+	},
-+	};
-+
-+void FIPS_corrupt_aes()
-+    {
-+    tests[0].key[0]++;
-+    }
-+
-+int FIPS_selftest_aes()
-+    {
-+    int n;
-+    int ret = 0;
-+    EVP_CIPHER_CTX ctx;
-+    EVP_CIPHER_CTX_init(&ctx);
-+
-+    for(n=0 ; n < 1 ; ++n)
-+	{
-+	if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
-+				tests[n].key, NULL,
-+				tests[n].plaintext,
-+				tests[n].ciphertext,
-+				16) <= 0)
-+		goto err;
-+	}
-+    ret = 1;
-+    err:
-+    EVP_CIPHER_CTX_cleanup(&ctx);
-+    if (ret == 0)
-+	    FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED);
-+    return ret;
-+    }
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips.c.fips openssl-1.0.0k/crypto/fips/fips.c
---- openssl-1.0.0k/crypto/fips/fips.c.fips	2013-02-19 20:12:54.593664838 +0100
-+++ openssl-1.0.0k/crypto/fips/fips.c	2013-02-19 20:12:54.593664838 +0100
-@@ -0,0 +1,419 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <string.h>
-+#include <limits.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+#include <openssl/fips.h>
-+
-+#ifndef PATH_MAX
-+#define PATH_MAX 1024
-+#endif
-+
-+static int fips_selftest_fail;
-+static int fips_mode;
-+static const void *fips_rand_check;
-+
-+static void fips_set_mode(int onoff)
-+	{
-+	int owning_thread = fips_is_owning_thread();
-+
-+	if (fips_is_started())
-+		{
-+		if (!owning_thread) fips_w_lock();
-+		fips_mode = onoff;
-+		if (!owning_thread) fips_w_unlock();
-+		}
-+	}
-+
-+static void fips_set_rand_check(const void *rand_check)
-+	{
-+	int owning_thread = fips_is_owning_thread();
-+
-+	if (fips_is_started())
-+		{
-+		if (!owning_thread) fips_w_lock();
-+		fips_rand_check = rand_check;
-+		if (!owning_thread) fips_w_unlock();
-+		}
-+	}
-+
-+int FIPS_mode(void)
-+	{
-+	int ret = 0;
-+	int owning_thread = fips_is_owning_thread();
-+
-+	if (fips_is_started())
-+		{
-+		if (!owning_thread) fips_r_lock();
-+		ret = fips_mode;
-+		if (!owning_thread) fips_r_unlock();
-+		}
-+	return ret;
-+	}
-+
-+const void *FIPS_rand_check(void)
-+	{
-+	const void *ret = 0;
-+	int owning_thread = fips_is_owning_thread();
-+
-+	if (fips_is_started())
-+		{
-+		if (!owning_thread) fips_r_lock();
-+		ret = fips_rand_check;
-+		if (!owning_thread) fips_r_unlock();
-+		}
-+	return ret;
-+	}
-+
-+int FIPS_selftest_failed(void)
-+    {
-+    int ret = 0;
-+    if (fips_is_started())
-+	{
-+	int owning_thread = fips_is_owning_thread();
-+
-+	if (!owning_thread) fips_r_lock();
-+	ret = fips_selftest_fail;
-+	if (!owning_thread) fips_r_unlock();
-+	}
-+    return ret;
-+    }
-+
-+/* Selftest failure fatal exit routine. This will be called
-+ * during *any* cryptographic operation. It has the minimum
-+ * overhead possible to avoid too big a performance hit.
-+ */
-+
-+void FIPS_selftest_check(void)
-+    {
-+    if (fips_selftest_fail)
-+	{
-+	OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
-+	}
-+    }
-+
-+void fips_set_selftest_fail(void)
-+    {
-+    fips_selftest_fail = 1;
-+    }
-+
-+int FIPS_selftest()
-+    {
-+
-+    return FIPS_selftest_sha1()
-+	&& FIPS_selftest_hmac()
-+	&& FIPS_selftest_aes()
-+	&& FIPS_selftest_des()
-+	&& FIPS_selftest_rsa()
-+	&& FIPS_selftest_dsa();
-+    }
-+
-+int FIPS_mode_set(int onoff)
-+    {
-+    int fips_set_owning_thread();
-+    int fips_clear_owning_thread();
-+    int ret = 0;
-+
-+    fips_w_lock();
-+    fips_set_started();
-+    fips_set_owning_thread();
-+
-+    if(onoff)
-+	{
-+	unsigned char buf[48];
-+
-+	fips_selftest_fail = 0;
-+
-+	/* Don't go into FIPS mode twice, just so we can do automagic
-+	   seeding */
-+	if(FIPS_mode())
-+	    {
-+	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
-+	    fips_selftest_fail = 1;
-+	    ret = 0;
-+	    goto end;
-+	    }
-+
-+#ifdef OPENSSL_IA32_SSE2
-+	if ((OPENSSL_ia32cap & (1<<25|1<<26)) != (1<<25|1<<26))
-+	    {
-+	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
-+	    fips_selftest_fail = 1;
-+	    ret = 0;
-+	    goto end;
-+	    }
-+#endif
-+
-+	/* Perform RNG KAT before seeding */
-+	if (!FIPS_selftest_rng())
-+	    {
-+	    fips_selftest_fail = 1;
-+	    ret = 0;
-+	    goto end;
-+	    }
-+
-+	/* automagically seed PRNG if not already seeded */
-+	if(!FIPS_rand_status())
-+	    {
-+	    if(RAND_bytes(buf,sizeof buf) <= 0)
-+		{
-+		fips_selftest_fail = 1;
-+		ret = 0;
-+		goto end;
-+		}
-+	    FIPS_rand_set_key(buf,32);
-+	    FIPS_rand_seed(buf+32,16);
-+	    }
-+
-+	/* now switch into FIPS mode */
-+	fips_set_rand_check(FIPS_rand_method());
-+	RAND_set_rand_method(FIPS_rand_method());
-+	if(FIPS_selftest())
-+	    fips_set_mode(1);
-+	else
-+	    {
-+	    fips_selftest_fail = 1;
-+	    ret = 0;
-+	    goto end;
-+	    }
-+	ret = 1;
-+	goto end;
-+	}
-+    fips_set_mode(0);
-+    fips_selftest_fail = 0;
-+    ret = 1;
-+end:
-+    fips_clear_owning_thread();
-+    fips_w_unlock();
-+    return ret;
-+    }
-+
-+void fips_w_lock(void)		{ CRYPTO_w_lock(CRYPTO_LOCK_FIPS); }
-+void fips_w_unlock(void)	{ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); }
-+void fips_r_lock(void)		{ CRYPTO_r_lock(CRYPTO_LOCK_FIPS); }
-+void fips_r_unlock(void)	{ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); }
-+
-+static int fips_started = 0;
-+static unsigned long fips_thread = 0;
-+
-+void fips_set_started(void)
-+	{
-+	fips_started = 1;
-+	}
-+
-+int fips_is_started(void)
-+	{
-+	return fips_started;
-+	}
-+
-+int fips_is_owning_thread(void)
-+	{
-+	int ret = 0;
-+
-+	if (fips_is_started())
-+		{
-+		CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
-+		if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
-+			ret = 1;
-+		CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
-+		}
-+	return ret;
-+	}
-+
-+int fips_set_owning_thread(void)
-+	{
-+	int ret = 0;
-+
-+	if (fips_is_started())
-+		{
-+		CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+		if (fips_thread == 0)
-+			{
-+			fips_thread = CRYPTO_thread_id();
-+			ret = 1;
-+			}
-+		CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+		}
-+	return ret;
-+	}
-+
-+int fips_clear_owning_thread(void)
-+	{
-+	int ret = 0;
-+
-+	if (fips_is_started())
-+		{
-+		CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+		if (fips_thread == CRYPTO_thread_id())
-+			{
-+			fips_thread = 0;
-+			ret = 1;
-+			}
-+		CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+		}
-+	return ret;
-+	}
-+
-+/* Generalized public key test routine. Signs and verifies the data
-+ * supplied in tbs using mesage digest md and setting option digest
-+ * flags md_flags. If the 'kat' parameter is not NULL it will
-+ * additionally check the signature matches it: a known answer test
-+ * The string "fail_str" is used for identification purposes in case
-+ * of failure.
-+ */
-+
-+int fips_pkey_signature_test(EVP_PKEY *pkey,
-+			const unsigned char *tbs, int tbslen,
-+			const unsigned char *kat, unsigned int katlen,
-+			const EVP_MD *digest, unsigned int md_flags,
-+			const char *fail_str)
-+	{	
-+	int ret = 0;
-+	unsigned char sigtmp[256], *sig = sigtmp;
-+	unsigned int siglen;
-+	EVP_MD_CTX mctx;
-+	EVP_MD_CTX_init(&mctx);
-+
-+	if ((pkey->type == EVP_PKEY_RSA)
-+		&& (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp)))
-+		{
-+		sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
-+		if (!sig)
-+			{
-+			FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE);
-+			return 0;
-+			}
-+		}
-+
-+	if (tbslen == -1)
-+		tbslen = strlen((char *)tbs);
-+
-+	if (md_flags)
-+		EVP_MD_CTX_set_flags(&mctx, md_flags);
-+
-+	if (!EVP_SignInit_ex(&mctx, digest, NULL))
-+		goto error;
-+	if (!EVP_SignUpdate(&mctx, tbs, tbslen))
-+		goto error;
-+	if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
-+		goto error;
-+
-+	if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
-+		goto error;
-+
-+	if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
-+		goto error;
-+	if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
-+		goto error;
-+	ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
-+
-+	error:
-+	if (sig != sigtmp)
-+		OPENSSL_free(sig);
-+	EVP_MD_CTX_cleanup(&mctx);
-+	if (ret != 1)
-+		{
-+		FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE);
-+		if (fail_str)
-+			ERR_add_error_data(2, "Type=", fail_str);
-+		return 0;
-+		}
-+	return 1;
-+	}
-+
-+/* Generalized symmetric cipher test routine. Encrypt data, verify result
-+ * against known answer, decrypt and compare with original plaintext.
-+ */
-+
-+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-+			const unsigned char *key,
-+			const unsigned char *iv,
-+			const unsigned char *plaintext,
-+			const unsigned char *ciphertext,
-+			int len)
-+	{
-+	unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+	unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+	OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
-+	if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
-+		return 0;
-+	EVP_Cipher(ctx, citmp, plaintext, len);
-+	if (memcmp(citmp, ciphertext, len))
-+		return 0;
-+	if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
-+		return 0;
-+	EVP_Cipher(ctx, pltmp, citmp, len);
-+	if (memcmp(pltmp, plaintext, len))
-+		return 0;
-+	return 1;
-+	}
-+
-+#if 0
-+/* The purpose of this is to ensure the error code exists and the function
-+ * name is to keep the error checking script quiet
-+ */
-+void hash_final(void)
-+	{
-+	FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
-+	}
-+#endif
-+
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_des_selftest.c.fips openssl-1.0.0k/crypto/fips/fips_des_selftest.c
---- openssl-1.0.0k/crypto/fips/fips_des_selftest.c.fips	2013-02-19 20:12:54.594664857 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_des_selftest.c	2013-02-19 20:12:54.594664857 +0100
-@@ -0,0 +1,139 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static struct
-+    {
-+    unsigned char key[16];
-+    unsigned char plaintext[8];
-+    unsigned char ciphertext[8];
-+    } tests2[]=
-+	{
-+	{
-+	{ 0x7c,0x4f,0x6e,0xf7,0xa2,0x04,0x16,0xec,
-+	  0x0b,0x6b,0x7c,0x9e,0x5e,0x19,0xa7,0xc4 },
-+	{ 0x06,0xa7,0xd8,0x79,0xaa,0xce,0x69,0xef },
-+	{ 0x4c,0x11,0x17,0x55,0xbf,0xc4,0x4e,0xfd }
-+	},
-+	{
-+	{ 0x5d,0x9e,0x01,0xd3,0x25,0xc7,0x3e,0x34,
-+	  0x01,0x16,0x7c,0x85,0x23,0xdf,0xe0,0x68 },
-+	{ 0x9c,0x50,0x09,0x0f,0x5e,0x7d,0x69,0x7e },
-+	{ 0xd2,0x0b,0x18,0xdf,0xd9,0x0d,0x9e,0xff },
-+	}
-+	};
-+
-+static struct
-+    {
-+    unsigned char key[24];
-+    unsigned char plaintext[8];
-+    unsigned char ciphertext[8];
-+    } tests3[]=
-+	{
-+	{
-+	{ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+	  0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,
-+	  0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0 },
-+	{ 0x8f,0x8f,0xbf,0x9b,0x5d,0x48,0xb4,0x1c },
-+	{ 0x59,0x8c,0xe5,0xd3,0x6c,0xa2,0xea,0x1b },
-+	},
-+	{
-+	{ 0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,0xFE,
-+	  0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
-+	  0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 },
-+	{ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
-+	{ 0x11,0x25,0xb0,0x35,0xbe,0xa0,0x82,0x86 },
-+	},
-+	};
-+
-+void FIPS_corrupt_des()
-+    {
-+    tests2[0].plaintext[0]++;
-+    }
-+
-+int FIPS_selftest_des()
-+    {
-+    int n, ret = 0;
-+    EVP_CIPHER_CTX ctx;
-+    EVP_CIPHER_CTX_init(&ctx);
-+    /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
-+    for(n=0 ; n < 2 ; ++n)
-+	{
-+	if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
-+				tests2[n].key, NULL,
-+				tests2[n].plaintext, tests2[n].ciphertext, 8))
-+		goto err;
-+	}
-+
-+    /* Encrypt/decrypt with 3DES and compare to known answers */
-+    for(n=0 ; n < 2 ; ++n)
-+	{
-+	if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
-+				tests3[n].key, NULL,
-+				tests3[n].plaintext, tests3[n].ciphertext, 8))
-+		goto err;
-+	}
-+    ret = 1;
-+    err:
-+    EVP_CIPHER_CTX_cleanup(&ctx);
-+    if (ret == 0)
-+	    FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED);
-+
-+    return ret;
-+    }
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.0k/crypto/fips/fips_dsa_selftest.c
---- openssl-1.0.0k/crypto/fips/fips_dsa_selftest.c.fips	2013-02-19 20:12:54.594664857 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_dsa_selftest.c	2013-02-19 20:12:54.594664857 +0100
-@@ -0,0 +1,186 @@
-+/* crypto/dsa/dsatest.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ * 
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to.  The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ * 
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ * 
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ *    must display the following acknowledgement:
-+ *    "This product includes cryptographic software written by
-+ *     Eric Young (eay@cryptsoft.com)"
-+ *    The word 'cryptographic' can be left out if the rouines from the library
-+ *    being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from 
-+ *    the apps directory (application code) you must include an acknowledgement:
-+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ * 
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ * 
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dsa.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+/* seed, out_p, out_q, out_g are taken the NIST test vectors */
-+
-+static unsigned char seed[20] = {
-+	0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34,
-+	0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a
-+  	};
-+
-+static unsigned char out_p[] = {
-+	0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57,
-+	0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b,
-+	0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43,
-+	0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69,
-+	0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12,
-+	0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47,
-+	0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4,
-+	0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8,
-+	0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef,
-+	0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8,
-+	0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef
-+	};
-+
-+static unsigned char out_q[] = {
-+	0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c,
-+	0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3
-+	};
-+
-+static unsigned char out_g[] = {
-+	0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb,
-+	0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e,
-+	0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63,
-+	0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35,
-+	0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf,
-+	0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a,
-+	0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed,
-+	0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf,
-+	0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2,
-+	0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36,
-+	0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec
-+	};
-+
-+static const unsigned char str1[]="12345678901234567890";
-+
-+void FIPS_corrupt_dsa()
-+    {
-+    ++seed[0];
-+    }
-+
-+int FIPS_selftest_dsa()
-+    {
-+    DSA *dsa;
-+    int counter,i,j, ret = 0;
-+    unsigned int slen;
-+    unsigned char buf[256];
-+    unsigned long h;
-+    EVP_MD_CTX mctx;
-+    EVP_PKEY *pk = NULL;
-+
-+    EVP_MD_CTX_init(&mctx);
-+
-+    dsa = DSA_new();
-+
-+    if(dsa == NULL)
-+	goto err;
-+    if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL))
-+	goto err;
-+    if (counter != 378) 
-+	goto err;
-+    if (h != 2)
-+	goto err;
-+    i=BN_bn2bin(dsa->q,buf);
-+    j=sizeof(out_q);
-+    if (i != j || memcmp(buf,out_q,i) != 0)
-+	goto err;
-+
-+    i=BN_bn2bin(dsa->p,buf);
-+    j=sizeof(out_p);
-+    if (i != j || memcmp(buf,out_p,i) != 0)
-+	goto err;
-+
-+    i=BN_bn2bin(dsa->g,buf);
-+    j=sizeof(out_g);
-+    if (i != j || memcmp(buf,out_g,i) != 0)
-+	goto err;
-+    DSA_generate_key(dsa);
-+
-+    if ((pk=EVP_PKEY_new()) == NULL)
-+	goto err;
-+    EVP_PKEY_assign_DSA(pk, dsa);
-+
-+    if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
-+	goto err;
-+    if (!EVP_SignUpdate(&mctx, str1, 20))
-+	goto err;
-+    if (!EVP_SignFinal(&mctx, buf, &slen, pk))
-+	goto err;
-+
-+    if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
-+	goto err;
-+    if (!EVP_VerifyUpdate(&mctx, str1, 20))
-+	goto err;
-+    if (EVP_VerifyFinal(&mctx, buf, slen, pk) != 1)
-+	goto err;
-+
-+    ret = 1;
-+
-+    err:
-+    EVP_MD_CTX_cleanup(&mctx);
-+    if (pk)
-+	EVP_PKEY_free(pk);
-+    else if (dsa)
-+	DSA_free(dsa);
-+    if (ret == 0)
-+	    FIPSerr(FIPS_F_FIPS_SELFTEST_DSA,FIPS_R_SELFTEST_FAILED);
-+    return ret;
-+    }
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips.h.fips openssl-1.0.0k/crypto/fips/fips.h
---- openssl-1.0.0k/crypto/fips/fips.h.fips	2013-02-19 20:12:54.594664857 +0100
-+++ openssl-1.0.0k/crypto/fips/fips.h	2013-02-19 20:12:54.594664857 +0100
-@@ -0,0 +1,163 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#error FIPS is disabled.
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef  __cplusplus
-+extern "C" {
-+#endif
-+
-+struct dsa_st;
-+struct evp_pkey_st;
-+struct env_md_st;
-+struct evp_cipher_st;
-+struct evp_cipher_ctx_st;
-+
-+int FIPS_mode_set(int onoff);
-+int FIPS_mode(void);
-+const void *FIPS_rand_check(void);
-+int FIPS_selftest_failed(void);
-+void FIPS_selftest_check(void);
-+void FIPS_corrupt_sha1(void);
-+int FIPS_selftest_sha1(void);
-+void FIPS_corrupt_aes(void);
-+int FIPS_selftest_aes(void);
-+void FIPS_corrupt_des(void);
-+int FIPS_selftest_des(void);
-+void FIPS_corrupt_rsa(void);
-+void FIPS_corrupt_rsa_keygen(void);
-+int FIPS_selftest_rsa(void);
-+void FIPS_corrupt_dsa(void);
-+void FIPS_corrupt_dsa_keygen(void);
-+int FIPS_selftest_dsa(void);
-+void FIPS_corrupt_rng(void);
-+void FIPS_rng_stick(void);
-+int FIPS_selftest_rng(void);
-+int FIPS_selftest_hmac(void);
-+
-+int fips_pkey_signature_test(struct evp_pkey_st *pkey,
-+			const unsigned char *tbs, int tbslen,
-+			const unsigned char *kat, unsigned int katlen,
-+			const struct env_md_st *digest, unsigned int md_flags,
-+			const char *fail_str);
-+
-+int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
-+			const struct evp_cipher_st *cipher,
-+			const unsigned char *key,
-+			const unsigned char *iv,
-+			const unsigned char *plaintext,
-+			const unsigned char *ciphertext,
-+			int len);
-+
-+/* BEGIN ERROR CODES */
-+/* The following lines are auto generated by the script mkerr.pl. Any changes
-+ * made after this point may be overwritten when the script is next run.
-+ */
-+void ERR_load_FIPS_strings(void);
-+
-+/* Error codes for the FIPS functions. */
-+
-+/* Function codes. */
-+#define FIPS_F_DH_BUILTIN_GENPARAMS			 100
-+#define FIPS_F_DSA_BUILTIN_PARAMGEN			 101
-+#define FIPS_F_DSA_DO_SIGN				 102
-+#define FIPS_F_DSA_DO_VERIFY				 103
-+#define FIPS_F_EVP_CIPHERINIT_EX			 124
-+#define FIPS_F_EVP_DIGESTINIT_EX			 125
-+#define FIPS_F_FIPS_CHECK_DSA				 104
-+#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT		 105
-+#define FIPS_F_FIPS_CHECK_RSA				 106
-+#define FIPS_F_FIPS_DSA_CHECK				 107
-+#define FIPS_F_FIPS_MODE_SET				 108
-+#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST			 109
-+#define FIPS_F_FIPS_SELFTEST_AES			 110
-+#define FIPS_F_FIPS_SELFTEST_DES			 111
-+#define FIPS_F_FIPS_SELFTEST_DSA			 112
-+#define FIPS_F_FIPS_SELFTEST_HMAC			 113
-+#define FIPS_F_FIPS_SELFTEST_RNG			 114
-+#define FIPS_F_FIPS_SELFTEST_SHA1			 115
-+#define FIPS_F_HASH_FINAL				 123
-+#define FIPS_F_RSA_BUILTIN_KEYGEN			 116
-+#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT			 117
-+#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT			 118
-+#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT			 119
-+#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT			 120
-+#define FIPS_F_RSA_X931_GENERATE_KEY_EX			 121
-+#define FIPS_F_SSLEAY_RAND_BYTES			 122
-+
-+/* Reason codes. */
-+#define FIPS_R_CANNOT_READ_EXE				 103
-+#define FIPS_R_CANNOT_READ_EXE_DIGEST			 104
-+#define FIPS_R_CONTRADICTING_EVIDENCE			 114
-+#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH		 105
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH		 110
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
-+#define FIPS_R_FIPS_MODE_ALREADY_SET			 102
-+#define FIPS_R_FIPS_SELFTEST_FAILED			 106
-+#define FIPS_R_INVALID_KEY_LENGTH			 109
-+#define FIPS_R_KEY_TOO_SHORT				 108
-+#define FIPS_R_NON_FIPS_METHOD				 100
-+#define FIPS_R_PAIRWISE_TEST_FAILED			 107
-+#define FIPS_R_RSA_DECRYPT_ERROR			 115
-+#define FIPS_R_RSA_ENCRYPT_ERROR			 116
-+#define FIPS_R_SELFTEST_FAILED				 101
-+#define FIPS_R_TEST_FAILURE				 117
-+#define FIPS_R_UNSUPPORTED_PLATFORM			 113
-+
-+#ifdef  __cplusplus
-+}
-+#endif
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.0k/crypto/fips/fips_hmac_selftest.c
---- openssl-1.0.0k/crypto/fips/fips_hmac_selftest.c.fips	2013-02-19 20:12:54.594664857 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_hmac_selftest.c	2013-02-19 20:12:54.594664857 +0100
-@@ -0,0 +1,137 @@
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/hmac.h>
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+	const EVP_MD *(*alg)(void);
-+	const char *key, *iv;
-+	unsigned char kaval[EVP_MAX_MD_SIZE];
-+} HMAC_KAT;
-+
-+static const HMAC_KAT vector[] = {
-+    {	EVP_sha1,
-+	/* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
-+	"0123456789:;<=>?@ABC",
-+	"Sample #2",
-+	{ 0x09,0x22,0xd3,0x40,0x5f,0xaa,0x3d,0x19,
-+	  0x4f,0x82,0xa4,0x58,0x30,0x73,0x7d,0x5c,
-+	  0xc6,0xc7,0x5d,0x24 }
-+    },
-+    {	EVP_sha224,
-+	/* just keep extending the above... */
-+	"0123456789:;<=>?@ABC",
-+	"Sample #2",
-+	{ 0xdd,0xef,0x0a,0x40,0xcb,0x7d,0x50,0xfb,
-+	  0x6e,0xe6,0xce,0xa1,0x20,0xba,0x26,0xaa,
-+	  0x08,0xf3,0x07,0x75,0x87,0xb8,0xad,0x1b,
-+	  0x8c,0x8d,0x12,0xc7 }
-+    },
-+    {	EVP_sha256,
-+	"0123456789:;<=>?@ABC",
-+	"Sample #2",
-+	{ 0xb8,0xf2,0x0d,0xb5,0x41,0xea,0x43,0x09,
-+	  0xca,0x4e,0xa9,0x38,0x0c,0xd0,0xe8,0x34,
-+	  0xf7,0x1f,0xbe,0x91,0x74,0xa2,0x61,0x38,
-+	  0x0d,0xc1,0x7e,0xae,0x6a,0x34,0x51,0xd9 }
-+    },
-+    {	EVP_sha384,
-+	"0123456789:;<=>?@ABC",
-+	"Sample #2",
-+	{ 0x08,0xbc,0xb0,0xda,0x49,0x1e,0x87,0xad,
-+	  0x9a,0x1d,0x6a,0xce,0x23,0xc5,0x0b,0xf6,
-+	  0xb7,0x18,0x06,0xa5,0x77,0xcd,0x49,0x04,
-+	  0x89,0xf1,0xe6,0x23,0x44,0x51,0x51,0x9f,
-+	  0x85,0x56,0x80,0x79,0x0c,0xbd,0x4d,0x50,
-+	  0xa4,0x5f,0x29,0xe3,0x93,0xf0,0xe8,0x7f }
-+    },
-+    {	EVP_sha512,
-+	"0123456789:;<=>?@ABC",
-+	"Sample #2",
-+	{ 0x80,0x9d,0x44,0x05,0x7c,0x5b,0x95,0x41,
-+	  0x05,0xbd,0x04,0x13,0x16,0xdb,0x0f,0xac,
-+	  0x44,0xd5,0xa4,0xd5,0xd0,0x89,0x2b,0xd0,
-+	  0x4e,0x86,0x64,0x12,0xc0,0x90,0x77,0x68,
-+	  0xf1,0x87,0xb7,0x7c,0x4f,0xae,0x2c,0x2f,
-+	  0x21,0xa5,0xb5,0x65,0x9a,0x4f,0x4b,0xa7,
-+	  0x47,0x02,0xa3,0xde,0x9b,0x51,0xf1,0x45,
-+	  0xbd,0x4f,0x25,0x27,0x42,0x98,0x99,0x05 }
-+    },
-+};
-+
-+int FIPS_selftest_hmac()
-+    {
-+    int n;
-+    unsigned int    outlen;
-+    unsigned char   out[EVP_MAX_MD_SIZE];
-+    const EVP_MD   *md;
-+    const HMAC_KAT *t;
-+
-+    for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
-+	{
-+	md = (*t->alg)();
-+	HMAC(md,t->key,strlen(t->key),
-+		(const unsigned char *)t->iv,strlen(t->iv),
-+		out,&outlen);
-+
-+	if(memcmp(out,t->kaval,outlen))
-+	    {
-+	    FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC,FIPS_R_SELFTEST_FAILED);
-+	    return 0;
-+	    }
-+	}
-+    return 1;
-+    }
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_rand.c.fips openssl-1.0.0k/crypto/fips/fips_rand.c
---- openssl-1.0.0k/crypto/fips/fips_rand.c.fips	2013-02-19 20:12:54.594664857 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_rand.c	2013-02-19 20:12:54.594664857 +0100
-@@ -0,0 +1,412 @@
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/*
-+ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
-+ */
-+
-+#include "e_os.h"
-+
-+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
-+   be defined and gettimeofday() won't be declared with strict compilers
-+   like DEC C in ANSI C mode.  */
-+#ifndef _XOPEN_SOURCE_EXTENDED
-+#define _XOPEN_SOURCE_EXTENDED 1
-+#endif
-+
-+#include <openssl/rand.h>
-+#include <openssl/aes.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#ifndef OPENSSL_SYS_WIN32
-+#include <sys/time.h>
-+#endif
-+#include <assert.h>
-+#ifndef OPENSSL_SYS_WIN32
-+# ifdef OPENSSL_UNISTD
-+#  include OPENSSL_UNISTD
-+# else
-+#  include <unistd.h>
-+# endif
-+#endif
-+#include <string.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+void *OPENSSL_stderr(void);
-+
-+#define AES_BLOCK_LENGTH	16
-+
-+
-+/* AES FIPS PRNG implementation */
-+
-+typedef struct 
-+	{
-+	int seeded;
-+	int keyed;
-+	int test_mode;
-+	int second;
-+	int error;
-+	unsigned long counter;
-+	AES_KEY ks;
-+	int vpos;
-+	/* Temporary storage for key if it equals seed length */
-+	unsigned char tmp_key[AES_BLOCK_LENGTH];
-+	unsigned char V[AES_BLOCK_LENGTH];
-+	unsigned char DT[AES_BLOCK_LENGTH];
-+	unsigned char last[AES_BLOCK_LENGTH];
-+	} FIPS_PRNG_CTX;
-+
-+static FIPS_PRNG_CTX sctx;
-+
-+static int fips_prng_fail = 0;
-+
-+void FIPS_rng_stick(void)
-+	{
-+	fips_prng_fail = 1;
-+	}
-+
-+void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
-+	{
-+	ctx->seeded = 0;
-+	ctx->keyed = 0;
-+	ctx->test_mode = 0;
-+	ctx->counter = 0;
-+	ctx->second = 0;
-+	ctx->error = 0;
-+	ctx->vpos = 0;
-+	OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
-+	OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
-+	}
-+	
-+
-+static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
-+			const unsigned char *key, FIPS_RAND_SIZE_T keylen)
-+	{
-+	FIPS_selftest_check();
-+	if (keylen != 16 && keylen != 24 && keylen != 32)
-+		{
-+		/* error: invalid key size */
-+		return 0;
-+		}
-+	AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
-+	if (keylen == 16)
-+		{
-+		memcpy(ctx->tmp_key, key, 16);
-+		ctx->keyed = 2;
-+		}
-+	else
-+		ctx->keyed = 1;
-+	ctx->seeded = 0;
-+	ctx->second = 0;
-+	return 1;
-+	}
-+
-+static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
-+			const unsigned char *seed, FIPS_RAND_SIZE_T seedlen)
-+	{
-+	int i;
-+	if (!ctx->keyed)
-+		return 0;
-+	/* In test mode seed is just supplied data */
-+	if (ctx->test_mode)
-+		{
-+		if (seedlen != AES_BLOCK_LENGTH)
-+			return 0;
-+		memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
-+		ctx->seeded = 1;
-+		return 1;
-+		}
-+	/* Outside test mode XOR supplied data with existing seed */
-+	for (i = 0; i < seedlen; i++)
-+		{
-+		ctx->V[ctx->vpos++] ^= seed[i];
-+		if (ctx->vpos == AES_BLOCK_LENGTH)
-+			{
-+			ctx->vpos = 0;
-+			/* Special case if first seed and key length equals
-+ 			 * block size check key and seed do not match.
-+ 			 */ 
-+			if (ctx->keyed == 2)
-+				{
-+				if (!memcmp(ctx->tmp_key, ctx->V, 16))
-+					{
-+					RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
-+						RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
-+					return 0;
-+					}
-+				OPENSSL_cleanse(ctx->tmp_key, 16);
-+				ctx->keyed = 1;
-+				}
-+			ctx->seeded = 1;
-+			}
-+		}
-+	return 1;
-+	}
-+
-+int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
-+	{
-+	if (ctx->keyed)
-+		{
-+		RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
-+		return 0;
-+		}
-+	ctx->test_mode = 1;
-+	return 1;
-+	}
-+
-+int FIPS_rand_test_mode(void)
-+	{
-+	return fips_set_test_mode(&sctx);
-+	}
-+
-+int FIPS_rand_set_dt(unsigned char *dt)
-+	{
-+	if (!sctx.test_mode)
-+		{
-+		RANDerr(RAND_F_FIPS_RAND_SET_DT,RAND_R_NOT_IN_TEST_MODE);
-+		return 0;
-+		}
-+	memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+	return 1;
-+	}
-+
-+static void fips_get_dt(FIPS_PRNG_CTX *ctx)
-+    {
-+#ifdef OPENSSL_SYS_WIN32
-+	FILETIME ft;
-+#else
-+	struct timeval tv;
-+#endif
-+	unsigned char *buf = ctx->DT;
-+
-+#ifndef GETPID_IS_MEANINGLESS
-+	unsigned long pid;
-+#endif
-+
-+#ifdef OPENSSL_SYS_WIN32
-+	GetSystemTimeAsFileTime(&ft);
-+	buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
-+	buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
-+	buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
-+	buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
-+	buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
-+	buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
-+	buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
-+	buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
-+#else
-+	gettimeofday(&tv,NULL);
-+	buf[0] = (unsigned char) (tv.tv_sec & 0xff);
-+	buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
-+	buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
-+	buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
-+	buf[4] = (unsigned char) (tv.tv_usec & 0xff);
-+	buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
-+	buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
-+	buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
-+#endif
-+	buf[8] = (unsigned char) (ctx->counter & 0xff);
-+	buf[9] = (unsigned char) ((ctx->counter >> 8) & 0xff);
-+	buf[10] = (unsigned char) ((ctx->counter >> 16) & 0xff);
-+	buf[11] = (unsigned char) ((ctx->counter >> 24) & 0xff);
-+
-+	ctx->counter++;
-+
-+
-+#ifndef GETPID_IS_MEANINGLESS
-+	pid=(unsigned long)getpid();
-+	buf[12] = (unsigned char) (pid & 0xff);
-+	buf[13] = (unsigned char) ((pid >> 8) & 0xff);
-+	buf[14] = (unsigned char) ((pid >> 16) & 0xff);
-+	buf[15] = (unsigned char) ((pid >> 24) & 0xff);
-+#endif
-+    }
-+
-+static int fips_rand(FIPS_PRNG_CTX *ctx,
-+			unsigned char *out, FIPS_RAND_SIZE_T outlen)
-+	{
-+	unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
-+	unsigned char tmp[AES_BLOCK_LENGTH];
-+	int i;
-+	if (ctx->error)
-+		{
-+		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
-+		return 0;
-+		}
-+	if (!ctx->keyed)
-+		{
-+		RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
-+		return 0;
-+		}
-+	if (!ctx->seeded)
-+		{
-+		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
-+		return 0;
-+		}
-+	for (;;)
-+		{
-+		if (!ctx->test_mode)
-+			fips_get_dt(ctx);
-+		AES_encrypt(ctx->DT, I, &ctx->ks);
-+		for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+			tmp[i] = I[i] ^ ctx->V[i];
-+		AES_encrypt(tmp, R, &ctx->ks);
-+		for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+			tmp[i] = R[i] ^ I[i];
-+		AES_encrypt(tmp, ctx->V, &ctx->ks);
-+		/* Continuous PRNG test */
-+		if (ctx->second)
-+			{
-+			if (fips_prng_fail)
-+				memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+			if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
-+				{
-+	    			RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
-+				ctx->error = 1;
-+				fips_set_selftest_fail();
-+				return 0;
-+				}
-+			}
-+		memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+		if (!ctx->second)
-+			{
-+			ctx->second = 1;
-+			if (!ctx->test_mode)
-+				continue;
-+			}
-+
-+		if (outlen <= AES_BLOCK_LENGTH)
-+			{
-+			memcpy(out, R, outlen);
-+			break;
-+			}
-+
-+		memcpy(out, R, AES_BLOCK_LENGTH);
-+		out += AES_BLOCK_LENGTH;
-+		outlen -= AES_BLOCK_LENGTH;
-+		}
-+	return 1;
-+	}
-+
-+
-+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
-+	{
-+	int ret;
-+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+	ret = fips_set_prng_key(&sctx, key, keylen);
-+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+	return ret;
-+	}
-+
-+int FIPS_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen)
-+	{
-+	int ret;
-+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+	ret = fips_set_prng_seed(&sctx, seed, seedlen);
-+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+	return ret;
-+	}
-+
-+
-+int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T count)
-+	{
-+	int ret;
-+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+	ret = fips_rand(&sctx, out, count);
-+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+	return ret;
-+	}
-+
-+int FIPS_rand_status(void)
-+	{
-+	int ret;
-+	CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+	ret = sctx.seeded;
-+	CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+	return ret;
-+	}
-+
-+void FIPS_rand_reset(void)
-+	{
-+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+	fips_rand_prng_reset(&sctx);
-+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+	}
-+
-+static void fips_do_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen)
-+	{
-+	FIPS_rand_seed(seed, seedlen);
-+	}
-+
-+static void fips_do_rand_add(const void *seed, FIPS_RAND_SIZE_T seedlen,
-+					double add_entropy)
-+	{
-+	FIPS_rand_seed(seed, seedlen);
-+	}
-+
-+static const RAND_METHOD rand_fips_meth=
-+    {
-+    fips_do_rand_seed,
-+    FIPS_rand_bytes,
-+    FIPS_rand_reset,
-+    fips_do_rand_add,
-+    FIPS_rand_bytes,
-+    FIPS_rand_status
-+    };
-+
-+const RAND_METHOD *FIPS_rand_method(void)
-+{
-+  return &rand_fips_meth;
-+}
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_rand.h.fips openssl-1.0.0k/crypto/fips/fips_rand.h
---- openssl-1.0.0k/crypto/fips/fips_rand.h.fips	2013-02-19 20:12:54.595664876 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_rand.h	2013-02-19 20:12:54.595664876 +0100
-@@ -0,0 +1,77 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifndef HEADER_FIPS_RAND_H
-+#define HEADER_FIPS_RAND_H
-+
-+#include "des.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef  __cplusplus
-+extern "C" {
-+#endif
-+
-+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
-+int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
-+int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
-+
-+int FIPS_rand_test_mode(void);
-+void FIPS_rand_reset(void);
-+int FIPS_rand_set_dt(unsigned char *dt);
-+
-+int FIPS_rand_status(void);
-+
-+const RAND_METHOD *FIPS_rand_method(void);
-+
-+#ifdef  __cplusplus
-+}
-+#endif
-+#endif
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.0k/crypto/fips/fips_rand_selftest.c
---- openssl-1.0.0k/crypto/fips/fips_rand_selftest.c.fips	2013-02-19 20:12:54.595664876 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_rand_selftest.c	2013-02-19 20:12:54.595664876 +0100
-@@ -0,0 +1,373 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+
-+
-+typedef struct
-+	{
-+	unsigned char DT[16];
-+	unsigned char V[16];
-+	unsigned char R[16];
-+	} AES_PRNG_TV;
-+
-+/* The following test vectors are taken directly from the RGNVS spec */
-+
-+static unsigned char aes_128_key[16] =
-+		{0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42,
-+		 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02};
-+
-+static AES_PRNG_TV aes_128_tv[] = {
-+	{
-+				/* DT */
-+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9},
-+				/* V */
-+		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55,
-+		 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41}
-+	},
-+	{
-+				/* DT */
-+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfa},
-+				/* V */
-+		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x7c,0x22,0x2c,0xf4,0xca,0x8f,0xa2,0x4c,
-+		 0x1c,0x9c,0xb6,0x41,0xa9,0xf3,0x22,0x0d}
-+	},
-+	{
-+				/* DT */
-+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfb},
-+				/* V */
-+		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x8a,0xaa,0x00,0x39,0x66,0x67,0x5b,0xe5,
-+		 0x29,0x14,0x28,0x81,0xa9,0x4d,0x4e,0xc7}
-+	},
-+	{
-+				/* DT */
-+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfc},
-+				/* V */
-+		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x88,0xdd,0xa4,0x56,0x30,0x24,0x23,0xe5,
-+		 0xf6,0x9d,0xa5,0x7e,0x7b,0x95,0xc7,0x3a}
-+	},
-+	{
-+				/* DT */
-+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfd},
-+				/* V */
-+		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x05,0x25,0x92,0x46,0x61,0x79,0xd2,0xcb,
-+		 0x78,0xc4,0x0b,0x14,0x0a,0x5a,0x9a,0xc8}
-+	},
-+	{
-+				/* DT */
-+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x77},
-+				/* V */
-+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
-+				/* R */
-+		{0x0d,0xd5,0xa0,0x36,0x7a,0x59,0x26,0xbc,
-+		 0x48,0xd9,0x38,0xbf,0xf0,0x85,0x8f,0xea}
-+	},
-+	{
-+				/* DT */
-+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x78},
-+				/* V */
-+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
-+				/* R */
-+		{0xae,0x53,0x87,0xee,0x8c,0xd9,0x12,0xf5,
-+		 0x73,0x53,0xae,0x03,0xf9,0xd5,0x13,0x33}
-+	},
-+};
-+
-+static unsigned char aes_192_key[24] =
-+		{0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e,
-+		 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc,
-+		 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b};
-+
-+static AES_PRNG_TV aes_192_tv[] = {
-+	{
-+				/* DT */
-+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b},
-+				/* V */
-+		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef,
-+		 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93}
-+	},
-+	{
-+				/* DT */
-+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4c},
-+				/* V */
-+		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x92,0x8d,0xbe,0x07,0xdd,0xc7,0x58,0xc0,
-+		 0x6f,0x35,0x41,0x9b,0x17,0xc9,0xbd,0x9b}
-+	},
-+	{
-+				/* DT */
-+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4d},
-+				/* V */
-+		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0xd5,0xde,0xf4,0x50,0xf3,0xb7,0x10,0x4e,
-+		 0xb8,0xc6,0xf8,0xcf,0xe2,0xb1,0xca,0xa2}
-+	},
-+	{
-+				/* DT */
-+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4e},
-+				/* V */
-+		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0xce,0x29,0x08,0x43,0xfc,0x34,0x41,0xe7,
-+		 0x47,0x8f,0xb3,0x66,0x2b,0x46,0xb1,0xbb}
-+	},
-+	{
-+				/* DT */
-+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4f},
-+				/* V */
-+		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0xb3,0x26,0x0f,0xf5,0xd6,0xca,0xa8,0xbf,
-+		 0x89,0xb8,0x5e,0x2f,0x22,0x56,0x92,0x2f}
-+	},
-+	{
-+				/* DT */
-+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xc9},
-+				/* V */
-+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
-+				/* R */
-+		{0x05,0xeb,0x18,0x52,0x34,0x43,0x00,0x43,
-+		 0x6e,0x5a,0xa5,0xfe,0x7b,0x32,0xc4,0x2d}
-+	},
-+	{
-+				/* DT */
-+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xca},
-+				/* V */
-+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
-+				/* R */
-+		{0x15,0x3c,0xe8,0xd1,0x04,0xc7,0xad,0x50,
-+		 0x0b,0xf0,0x07,0x16,0xe7,0x56,0x7a,0xea}
-+	},
-+};
-+
-+static unsigned char aes_256_key[32] =
-+		{0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d,
-+		 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f,
-+		 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5,
-+		 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb};
-+
-+static AES_PRNG_TV aes_256_tv[] = {
-+	{
-+				/* DT */
-+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88},
-+				/* V */
-+		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc,
-+		 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72}
-+	},
-+	{
-+				/* DT */
-+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x89},
-+				/* V */
-+		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x6c,0xf4,0x42,0x5d,0xc7,0x04,0x1a,0x41,
-+		 0x28,0x2a,0x78,0xa9,0xb0,0x12,0xc4,0x95}
-+	},
-+	{
-+				/* DT */
-+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8a},
-+				/* V */
-+		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x16,0x90,0xa4,0xff,0x7b,0x7e,0xb9,0x30,
-+		 0xdb,0x67,0x4b,0xac,0x2d,0xe1,0xd1,0x75}
-+	},
-+	{
-+				/* DT */
-+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8b},
-+				/* V */
-+		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x14,0x6f,0xf5,0x95,0xa1,0x46,0x65,0x30,
-+		 0xbc,0x57,0xe2,0x4a,0xf7,0x45,0x62,0x05}
-+	},
-+	{
-+				/* DT */
-+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8c},
-+				/* V */
-+		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+				/* R */
-+		{0x96,0xe2,0xb4,0x1e,0x66,0x5e,0x0f,0xa4,
-+		 0xc5,0xcd,0xa2,0x07,0xcc,0xb7,0x94,0x40}
-+	},
-+	{
-+				/* DT */
-+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x06},
-+				/* V */
-+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
-+				/* R */
-+		{0x61,0xce,0x1d,0x6a,0x48,0x75,0x97,0x28,
-+		 0x4b,0x41,0xde,0x18,0x44,0x4f,0x56,0xec}
-+	},
-+	{
-+				/* DT */
-+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x07},
-+				/* V */
-+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
-+				/* R */
-+		{0x52,0x89,0x59,0x79,0x2d,0xaa,0x28,0xb3,
-+		 0xb0,0x8a,0x3e,0x70,0xfa,0x71,0x59,0x84}
-+	},
-+};
-+
-+
-+void FIPS_corrupt_rng()
-+    {
-+    aes_192_tv[0].V[0]++;
-+    }
-+
-+#define fips_rand_test(key, tv) \
-+	do_rand_test(key, sizeof key, tv, sizeof(tv)/sizeof(AES_PRNG_TV))
-+
-+static int do_rand_test(unsigned char *key, int keylen,
-+			AES_PRNG_TV *tv, int ntv)
-+	{
-+	unsigned char R[16];
-+	int i;
-+	if (!FIPS_rand_set_key(key, keylen))
-+		return 0;
-+	for (i = 0; i < ntv; i++)
-+		{
-+		FIPS_rand_seed(tv[i].V, 16);
-+		FIPS_rand_set_dt(tv[i].DT);
-+		FIPS_rand_bytes(R, 16);
-+		if (memcmp(R, tv[i].R, 16))
-+			return 0;
-+		}
-+	return 1;
-+	}
-+	
-+
-+int FIPS_selftest_rng()
-+	{
-+	FIPS_rand_reset();
-+	if (!FIPS_rand_test_mode())
-+		{
-+		FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
-+		return 0;
-+		}
-+	if (!fips_rand_test(aes_128_key,aes_128_tv)
-+		|| !fips_rand_test(aes_192_key, aes_192_tv)
-+		|| !fips_rand_test(aes_256_key, aes_256_tv))
-+		{
-+		FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
-+		return 0;
-+		}
-+	FIPS_rand_reset();
-+	return 1;
-+	}
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_randtest.c.fips openssl-1.0.0k/crypto/fips/fips_randtest.c
---- openssl-1.0.0k/crypto/fips/fips_randtest.c.fips	2013-02-19 20:12:54.595664876 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_randtest.c	2013-02-19 20:12:54.595664876 +0100
-@@ -0,0 +1,248 @@
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ * 
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to.  The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ * 
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ * 
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ *    must display the following acknowledgement:
-+ *    "This product includes cryptographic software written by
-+ *     Eric Young (eay@cryptsoft.com)"
-+ *    The word 'cryptographic' can be left out if the rouines from the library
-+ *    being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from 
-+ *    the apps directory (application code) you must include an acknowledgement:
-+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ * 
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ * 
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <ctype.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+{
-+    printf("No FIPS RAND support\n");
-+    return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+typedef struct
-+	{
-+	unsigned char DT[16];
-+	unsigned char V[16];
-+	unsigned char R[16];
-+	} AES_PRNG_MCT;
-+
-+static unsigned char aes_128_mct_key[16] =
-+	{0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5,
-+	 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48};
-+
-+static AES_PRNG_MCT aes_128_mct_tv = {
-+			/* DT */
-+	{0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b,
-+	 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac},
-+			/* V */
-+	{0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97,
-+	 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1},
-+			/* R */
-+	{0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb,
-+	 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73}
-+};
-+
-+static unsigned char aes_192_mct_key[24] =
-+	{0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73,
-+	 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91,
-+	 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a};
-+
-+static AES_PRNG_MCT aes_192_mct_tv = {
-+			/* DT */
-+	{0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9,
-+	 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52},
-+			/* V */
-+	{0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64,
-+	 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d},
-+			/* R */
-+	{0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21,
-+	 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47}
-+};
-+
-+static unsigned char aes_256_mct_key[32] =
-+	{0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a,
-+	 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0,
-+	 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d,
-+	 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50};
-+
-+static AES_PRNG_MCT aes_256_mct_tv = {
-+			/* DT */
-+	{0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee,
-+	 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c},
-+			/* V */
-+	{0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1,
-+	 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca},
-+			/* R */
-+	{0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1,
-+	 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d}
-+};
-+
-+static void dump(const unsigned char *b,int n)
-+    {
-+    while(n-- > 0)
-+	{
-+	printf(" %02x",*b++);
-+	}
-+    }
-+
-+static void compare(const unsigned char *result,const unsigned char *expected,
-+		    int n)
-+    {
-+    int i;
-+
-+    for(i=0 ; i < n ; ++i)
-+	if(result[i] != expected[i])
-+	    {
-+	    puts("Random test failed, got:");
-+	    dump(result,n);
-+	    puts("\n               expected:");
-+	    dump(expected,n);
-+	    putchar('\n');
-+	    EXIT(1);
-+	    }
-+    }
-+
-+
-+static void run_test(unsigned char *key, int keylen, AES_PRNG_MCT *tv)
-+    {
-+    unsigned char buf[16], dt[16];
-+    int i, j;
-+    FIPS_rand_reset();
-+    FIPS_rand_test_mode();
-+    FIPS_rand_set_key(key, keylen);
-+    FIPS_rand_seed(tv->V, 16);
-+    memcpy(dt, tv->DT, 16);
-+    for (i = 0; i < 10000; i++)
-+	{
-+    	FIPS_rand_set_dt(dt);
-+	FIPS_rand_bytes(buf, 16);
-+	/* Increment DT */
-+	for (j = 15; j >= 0; j--)
-+		{
-+		dt[j]++;
-+		if (dt[j])
-+			break;
-+		}
-+	}
-+
-+    compare(buf,tv->R, 16);
-+    }
-+
-+int main()
-+	{
-+	run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
-+	printf("FIPS PRNG test 1 done\n");
-+	run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
-+	printf("FIPS PRNG test 2 done\n");
-+	run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
-+	printf("FIPS PRNG test 3 done\n");
-+	return 0;
-+	}
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.0k/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.0k/crypto/fips/fips_rsa_selftest.c.fips	2013-02-19 20:12:54.595664876 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_rsa_selftest.c	2013-02-19 20:12:54.595664876 +0100
-@@ -0,0 +1,441 @@
-+/* ====================================================================
-+ * Copyright (c) 2003-2007 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/rsa.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static unsigned char n[] =
-+"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
-+"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
-+"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
-+"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
-+"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
-+"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
-+"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
-+"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
-+"\xCB";
-+
-+
-+static int setrsakey(RSA *key)
-+    {
-+    static const unsigned char e[] = "\x11";
-+
-+    static const unsigned char d[] =
-+"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
-+"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
-+"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
-+"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
-+"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
-+"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
-+"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
-+"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
-+"\xC1";
-+
-+    static const unsigned char p[] =
-+"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
-+"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
-+"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
-+"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
-+"\x99";
-+
-+    static const unsigned char q[] =
-+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
-+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
-+"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
-+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
-+"\x03";
-+
-+    static const unsigned char dmp1[] =
-+"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
-+"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
-+"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
-+"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
-+
-+    static const unsigned char dmq1[] =
-+"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
-+"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
-+"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
-+"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
-+    
-+    static const unsigned char iqmp[] =
-+"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
-+"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
-+"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
-+"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
-+"\xF7";
-+
-+    key->n = BN_bin2bn(n, sizeof(n)-1, key->n);
-+    key->e = BN_bin2bn(e, sizeof(e)-1, key->e);
-+    key->d = BN_bin2bn(d, sizeof(d)-1, key->d);
-+    key->p = BN_bin2bn(p, sizeof(p)-1, key->p);
-+    key->q = BN_bin2bn(q, sizeof(q)-1, key->q);
-+    key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1);
-+    key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1);
-+    key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp);
-+    return 1;
-+    }
-+
-+void FIPS_corrupt_rsa()
-+    {
-+    n[0]++;
-+    }
-+
-+/* Known Answer Test (KAT) data for the above RSA private key signing
-+ * kat_tbs.
-+ */
-+
-+static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT";
-+
-+static const unsigned char kat_RSA_PSS_SHA1[] = {
-+  0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
-+  0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
-+  0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
-+  0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
-+  0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
-+  0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
-+  0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
-+  0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
-+  0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
-+  0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
-+  0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA224[] = {
-+  0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
-+  0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
-+  0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
-+  0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
-+  0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
-+  0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
-+  0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
-+  0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
-+  0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
-+  0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
-+  0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA256[] = {
-+  0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
-+  0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
-+  0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
-+  0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
-+  0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
-+  0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
-+  0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
-+  0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
-+  0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
-+  0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
-+  0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA384[] = {
-+  0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
-+  0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
-+  0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
-+  0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
-+  0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
-+  0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
-+  0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
-+  0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
-+  0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
-+  0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
-+  0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA512[] = {
-+  0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
-+  0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
-+  0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
-+  0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
-+  0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
-+  0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
-+  0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
-+  0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
-+  0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
-+  0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
-+  0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
-+};
-+
-+static const unsigned char kat_RSA_SHA1[] = {
-+  0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
-+  0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
-+  0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
-+  0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
-+  0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
-+  0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
-+  0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
-+  0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
-+  0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
-+  0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
-+  0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
-+};
-+
-+static const unsigned char kat_RSA_SHA224[] = {
-+  0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
-+  0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
-+  0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
-+  0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
-+  0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
-+  0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
-+  0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
-+  0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
-+  0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
-+  0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
-+  0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
-+};
-+
-+static const unsigned char kat_RSA_SHA256[] = {
-+  0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
-+  0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
-+  0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
-+  0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
-+  0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
-+  0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
-+  0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
-+  0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
-+  0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
-+  0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
-+  0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
-+};
-+
-+static const unsigned char kat_RSA_SHA384[] = {
-+  0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
-+  0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
-+  0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
-+  0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
-+  0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
-+  0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
-+  0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
-+  0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
-+  0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
-+  0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
-+  0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
-+};
-+
-+static const unsigned char kat_RSA_SHA512[] = {
-+  0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
-+  0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
-+  0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
-+  0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
-+  0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
-+  0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
-+  0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
-+  0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
-+  0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
-+  0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
-+  0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA1[] = {
-+  0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
-+  0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
-+  0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
-+  0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
-+  0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
-+  0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
-+  0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
-+  0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
-+  0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
-+  0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
-+  0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA256[] = {
-+  0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
-+  0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
-+  0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
-+  0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
-+  0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
-+  0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
-+  0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
-+  0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
-+  0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
-+  0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
-+  0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA384[] = {
-+  0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
-+  0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
-+  0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
-+  0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
-+  0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
-+  0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
-+  0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
-+  0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
-+  0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
-+  0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
-+  0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA512[] = {
-+  0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
-+  0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
-+  0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
-+  0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
-+  0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
-+  0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
-+  0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
-+  0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
-+  0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
-+  0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
-+  0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
-+};
-+
-+
-+int FIPS_selftest_rsa()
-+	{
-+	int ret = 0;
-+	RSA *key;
-+	EVP_PKEY *pk = NULL;
-+
-+	if ((key=RSA_new()) == NULL)
-+		goto err;
-+	setrsakey(key);
-+	if ((pk=EVP_PKEY_new()) == NULL)
-+		goto err;
-+
-+	EVP_PKEY_assign_RSA(pk, key);
-+
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
-+				EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+				"RSA SHA1 PKCS#1"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
-+				EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+				"RSA SHA224 PKCS#1"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
-+				EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+				"RSA SHA256 PKCS#1"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
-+				EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+				"RSA SHA384 PKCS#1"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
-+				EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+				"RSA SHA512 PKCS#1"))
-+		goto err;
-+
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
-+				EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
-+				"RSA SHA1 PSS"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224),
-+				EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS,
-+				"RSA SHA224 PSS"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256),
-+				EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS,
-+				"RSA SHA256 PSS"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384),
-+				EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS,
-+				"RSA SHA384 PSS"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+				kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512),
-+				EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS,
-+				"RSA SHA512 PSS"))
-+		goto err;
-+
-+
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+			kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
-+			EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
-+			"RSA SHA1 X931"))
-+		goto err;
-+	/* NB: SHA224 not supported in X9.31 */
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+			kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
-+			EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
-+			"RSA SHA256 X931"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+			kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
-+			EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
-+			"RSA SHA384 X931"))
-+		goto err;
-+	if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+			kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
-+			EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
-+			"RSA SHA512 X931"))
-+		goto err;
-+
-+
-+	ret = 1;
-+
-+	err:
-+	if (pk)
-+		EVP_PKEY_free(pk);
-+	else if (key)
-+		RSA_free(key);
-+	return ret;
-+	}
-+
-+#endif /* def OPENSSL_FIPS */
-diff -up openssl-1.0.0k/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.0k/crypto/fips/fips_rsa_x931g.c
---- openssl-1.0.0k/crypto/fips/fips_rsa_x931g.c.fips	2013-02-19 20:12:54.596664895 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_rsa_x931g.c	2013-02-19 20:12:54.596664895 +0100
-@@ -0,0 +1,281 @@
-+/* crypto/rsa/rsa_gen.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ * 
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to.  The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ * 
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ * 
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ *    must display the following acknowledgement:
-+ *    "This product includes cryptographic software written by
-+ *     Eric Young (eay@cryptsoft.com)"
-+ *    The word 'cryptographic' can be left out if the rouines from the library
-+ *    being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from 
-+ *    the apps directory (application code) you must include an acknowledgement:
-+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ * 
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ * 
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <time.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/rsa.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+
-+extern int fips_check_rsa(RSA *rsa);
-+#endif
-+
-+/* X9.31 RSA key derivation and generation */
-+
-+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
-+			const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
-+			const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
-+			const BIGNUM *e, BN_GENCB *cb)
-+	{
-+	BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL;
-+	BN_CTX *ctx=NULL,*ctx2=NULL;
-+
-+	if (!rsa) 
-+		goto err;
-+
-+	ctx = BN_CTX_new();
-+	if (!ctx) 
-+		goto err;
-+	BN_CTX_start(ctx);
-+
-+	r0 = BN_CTX_get(ctx);
-+	r1 = BN_CTX_get(ctx);
-+	r2 = BN_CTX_get(ctx);
-+	r3 = BN_CTX_get(ctx);
-+
-+	if (r3 == NULL)
-+		goto err;
-+	if (!rsa->e)
-+		{
-+		rsa->e = BN_dup(e);
-+		if (!rsa->e)
-+			goto err;
-+		}
-+	else
-+		e = rsa->e;
-+
-+	/* If not all parameters present only calculate what we can.
-+	 * This allows test programs to output selective parameters.
-+	 */
-+
-+	if (Xp && !rsa->p)
-+		{
-+		rsa->p = BN_new();
-+		if (!rsa->p)
-+			goto err;
-+
-+		if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
-+					Xp, Xp1, Xp2, e, ctx, cb))
-+			goto err;
-+		}
-+
-+	if (Xq && !rsa->q)
-+		{
-+		rsa->q = BN_new();
-+		if (!rsa->q)
-+			goto err;
-+		if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
-+					Xq, Xq1, Xq2, e, ctx, cb))
-+			goto err;
-+		}
-+
-+	if (!rsa->p || !rsa->q)
-+		{
-+		BN_CTX_end(ctx);
-+		BN_CTX_free(ctx);
-+		return 2;
-+		}
-+
-+	/* Since both primes are set we can now calculate all remaining 
-+	 * components.
-+	 */
-+
-+	/* calculate n */
-+	rsa->n=BN_new();
-+	if (rsa->n == NULL)
-+		goto err;
-+	if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx))
-+		goto err;
-+
-+	/* calculate d */
-+	if (!BN_sub(r1,rsa->p,BN_value_one()))
-+		goto err;	/* p-1 */
-+	if (!BN_sub(r2,rsa->q,BN_value_one()))
-+		goto err;	/* q-1 */
-+	if (!BN_mul(r0,r1,r2,ctx))
-+		goto err;	/* (p-1)(q-1) */
-+
-+	if (!BN_gcd(r3, r1, r2, ctx))
-+		goto err;
-+
-+	if (!BN_div(r0, NULL, r0, r3, ctx))
-+		goto err;	/* LCM((p-1)(q-1)) */
-+
-+	ctx2 = BN_CTX_new();
-+	if (!ctx2)
-+		goto err;
-+
-+	rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2);	/* d */
-+	if (rsa->d == NULL)
-+		goto err;
-+
-+	/* calculate d mod (p-1) */
-+	rsa->dmp1=BN_new();
-+	if (rsa->dmp1 == NULL)
-+		goto err;
-+	if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx))
-+		goto err;
-+
-+	/* calculate d mod (q-1) */
-+	rsa->dmq1=BN_new();
-+	if (rsa->dmq1 == NULL)
-+		goto err;
-+	if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx))
-+		goto err;
-+
-+	/* calculate inverse of q mod p */
-+	rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
-+
-+	err:
-+	if (ctx)
-+		{
-+		BN_CTX_end(ctx);
-+		BN_CTX_free(ctx);
-+		}
-+	if (ctx2)
-+		BN_CTX_free(ctx2);
-+	/* If this is set all calls successful */
-+	if (rsa && rsa->iqmp != NULL)
-+		return 1;
-+
-+	return 0;
-+
-+	}
-+
-+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
-+	{
-+	int ok = 0;
-+	BIGNUM *Xp = NULL, *Xq = NULL;
-+	BN_CTX *ctx = NULL;
-+
-+#ifdef OPENSSL_FIPS
-+	if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
-+	    {
-+	    FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
-+	    return 0;
-+	    }
-+
-+	if (bits & 0xff)
-+	    {
-+	    FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_INVALID_KEY_LENGTH);
-+	    return 0;
-+	    }
-+
-+	if(FIPS_selftest_failed())
-+	    {
-+	    FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+	    return 0;
-+	    }
-+#endif
-+
-+	ctx = BN_CTX_new();
-+	if (!ctx)
-+		goto error;
-+
-+	BN_CTX_start(ctx);
-+	Xp = BN_CTX_get(ctx);
-+	Xq = BN_CTX_get(ctx);
-+	if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
-+		goto error;
-+
-+	rsa->p = BN_new();
-+	rsa->q = BN_new();
-+	if (!rsa->p || !rsa->q)
-+		goto error;
-+
-+	/* Generate two primes from Xp, Xq */
-+
-+	if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
-+					e, ctx, cb))
-+		goto error;
-+
-+	if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
-+					e, ctx, cb))
-+		goto error;
-+
-+	/* Since rsa->p and rsa->q are valid this call will just derive
-+	 * remaining RSA components.
-+	 */
-+
-+	if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
-+				NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
-+		goto error;
-+
-+#ifdef OPENSSL_FIPS
-+	if(!fips_check_rsa(rsa))
-+	    goto error;
-+#endif
-+
-+	ok = 1;
-+
-+	error:
-+	if (ctx)
-+		{
-+		BN_CTX_end(ctx);
-+		BN_CTX_free(ctx);
-+		}
-+
-+	if (ok)
-+		return 1;
-+
-+	return 0;
-+
-+	}
-diff -up openssl-1.0.0k/crypto/fips/fips_sha1_selftest.c.fips openssl-1.0.0k/crypto/fips/fips_sha1_selftest.c
---- openssl-1.0.0k/crypto/fips/fips_sha1_selftest.c.fips	2013-02-19 20:12:54.596664895 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_sha1_selftest.c	2013-02-19 20:12:54.596664895 +0100
-@@ -0,0 +1,99 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/sha.h>
-+
-+#ifdef OPENSSL_FIPS
-+static char test[][60]=
-+    {
-+    "",
-+    "abc",
-+    "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-+    };
-+
-+static const unsigned char ret[][SHA_DIGEST_LENGTH]=
-+    {
-+    { 0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
-+      0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 },
-+    { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
-+      0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d },
-+    { 0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae,
-+      0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1 },
-+    };
-+
-+void FIPS_corrupt_sha1()
-+    {
-+    test[2][0]++;
-+    }
-+
-+int FIPS_selftest_sha1()
-+    {
-+    int n;
-+
-+    for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n)
-+	{
-+	unsigned char md[SHA_DIGEST_LENGTH];
-+
-+	EVP_Digest(test[n],strlen(test[n]),md, NULL, EVP_sha1(), NULL);
-+	if(memcmp(md,ret[n],sizeof md))
-+	    {
-+	    FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1,FIPS_R_SELFTEST_FAILED);
-+	    return 0;
-+	    }
-+	}
-+    return 1;
-+    }
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/fips_standalone_sha1.c.fips openssl-1.0.0k/crypto/fips/fips_standalone_sha1.c
---- openssl-1.0.0k/crypto/fips/fips_standalone_sha1.c.fips	2013-02-19 20:12:54.596664895 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_standalone_sha1.c	2013-02-19 20:12:54.596664895 +0100
-@@ -0,0 +1,173 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/opensslconf.h>
-+#include <openssl/sha.h>
-+#include <openssl/hmac.h>
-+
-+#ifndef FIPSCANISTER_O
-+int FIPS_selftest_failed() { return 0; }
-+void FIPS_selftest_check() {}
-+void OPENSSL_cleanse(void *p,size_t len) {}
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
-+		      const char *key)
-+    {
-+    size_t len=strlen(key);
-+    int i;
-+    unsigned char keymd[HMAC_MAX_MD_CBLOCK];
-+    unsigned char pad[HMAC_MAX_MD_CBLOCK];
-+
-+    if (len > SHA_CBLOCK)
-+	{
-+	SHA1_Init(md_ctx);
-+	SHA1_Update(md_ctx,key,len);
-+	SHA1_Final(keymd,md_ctx);
-+	len=20;
-+	}
-+    else
-+	memcpy(keymd,key,len);
-+    memset(&keymd[len],'\0',HMAC_MAX_MD_CBLOCK-len);
-+
-+    for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
-+	pad[i]=0x36^keymd[i];
-+    SHA1_Init(md_ctx);
-+    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
-+
-+    for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
-+	pad[i]=0x5c^keymd[i];
-+    SHA1_Init(o_ctx);
-+    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
-+    }
-+
-+static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
-+    {
-+    unsigned char buf[20];
-+
-+    SHA1_Final(buf,md_ctx);
-+    SHA1_Update(o_ctx,buf,sizeof buf);
-+    SHA1_Final(md,o_ctx);
-+    }
-+
-+#endif
-+
-+int main(int argc,char **argv)
-+    {
-+#ifdef OPENSSL_FIPS
-+    static char key[]="etaonrishdlcupfm";
-+    int n,binary=0;
-+
-+    if(argc < 2)
-+	{
-+	fprintf(stderr,"%s [<file>]+\n",argv[0]);
-+	exit(1);
-+	}
-+
-+    n=1;
-+    if (!strcmp(argv[n],"-binary"))
-+	{
-+	n++;
-+	binary=1;	/* emit binary fingerprint... */
-+	}
-+
-+    for(; n < argc ; ++n)
-+	{
-+	FILE *f=fopen(argv[n],"rb");
-+	SHA_CTX md_ctx,o_ctx;
-+	unsigned char md[20];
-+	int i;
-+
-+	if(!f)
-+	    {
-+	    perror(argv[n]);
-+	    exit(2);
-+	    }
-+
-+	hmac_init(&md_ctx,&o_ctx,key);
-+	for( ; ; )
-+	    {
-+	    char buf[1024];
-+	    size_t l=fread(buf,1,sizeof buf,f);
-+
-+	    if(l == 0)
-+		{
-+		if(ferror(f))
-+		    {
-+		    perror(argv[n]);
-+		    exit(3);
-+		    }
-+		else
-+		    break;
-+		}
-+	    SHA1_Update(&md_ctx,buf,l);
-+	    }
-+	hmac_final(md,&md_ctx,&o_ctx);
-+
-+	if (binary)
-+	    {
-+	    fwrite(md,20,1,stdout);
-+	    break;	/* ... for single(!) file */
-+	    }
-+
-+	printf("HMAC-SHA1(%s)= ",argv[n]);
-+	for(i=0 ; i < 20 ; ++i)
-+	    printf("%02x",md[i]);
-+	printf("\n");
-+	}
-+#endif
-+    return 0;
-+    }
-+
-+
-diff -up openssl-1.0.0k/crypto/fips/fips_test_suite.c.fips openssl-1.0.0k/crypto/fips/fips_test_suite.c
---- openssl-1.0.0k/crypto/fips/fips_test_suite.c.fips	2013-02-19 20:12:54.596664895 +0100
-+++ openssl-1.0.0k/crypto/fips/fips_test_suite.c	2013-02-19 20:12:54.596664895 +0100
-@@ -0,0 +1,588 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ *
-+ * This command is intended as a test driver for the FIPS-140 testing
-+ * lab performing FIPS-140 validation.  It demonstrates the use of the
-+ * OpenSSL library ito perform a variety of common cryptographic
-+ * functions.  A power-up self test is demonstrated by deliberately
-+ * pointing to an invalid executable hash
-+ *
-+ * Contributed by Steve Marquess.
-+ *
-+ */
-+#include <stdio.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <openssl/aes.h>
-+#include <openssl/des.h>
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <openssl/dh.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+
-+#include <openssl/bn.h>
-+#include <openssl/rand.h>
-+#include <openssl/sha.h>
-+
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+    {
-+    printf("No FIPS support\n");
-+    return(0);
-+    }
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
-+*/
-+static int FIPS_aes_test(void)
-+	{
-+	int ret = 0;
-+	unsigned char pltmp[16];
-+	unsigned char citmp[16];
-+	unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
-+	unsigned char plaintext[16] = "etaonrishdlcu";
-+	EVP_CIPHER_CTX ctx;
-+	EVP_CIPHER_CTX_init(&ctx);
-+	if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
-+		goto err;
-+	EVP_Cipher(&ctx, citmp, plaintext, 16);
-+	if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
-+		goto err;
-+	EVP_Cipher(&ctx, pltmp, citmp, 16);
-+	if (memcmp(pltmp, plaintext, 16))
-+		goto err;
-+	ret = 1;
-+	err:
-+	EVP_CIPHER_CTX_cleanup(&ctx);
-+	return ret;
-+	}
-+
-+static int FIPS_des3_test(void)
-+	{
-+	int ret = 0;
-+	unsigned char pltmp[8];
-+	unsigned char citmp[8];
-+    	unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
-+		              19,20,21,22,23,24};
-+    	unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
-+	EVP_CIPHER_CTX ctx;
-+	EVP_CIPHER_CTX_init(&ctx);
-+	if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
-+		goto err;
-+	EVP_Cipher(&ctx, citmp, plaintext, 8);
-+	if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
-+		goto err;
-+	EVP_Cipher(&ctx, pltmp, citmp, 8);
-+	if (memcmp(pltmp, plaintext, 8))
-+		goto err;
-+	ret = 1;
-+	err:
-+	EVP_CIPHER_CTX_cleanup(&ctx);
-+	return ret;
-+	}
-+
-+/*
-+ * DSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_dsa_test(int bad)
-+    {
-+    DSA *dsa = NULL;
-+    EVP_PKEY pk;
-+    unsigned char dgst[] = "etaonrishdlc";
-+    unsigned char buf[60];
-+    unsigned int slen;
-+    int r = 0;
-+    EVP_MD_CTX mctx;
-+
-+    ERR_clear_error();
-+    EVP_MD_CTX_init(&mctx);
-+    dsa = DSA_new();
-+    if (!dsa)
-+	goto end;
-+    if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
-+	goto end;
-+    if (!DSA_generate_key(dsa))
-+	goto end;
-+    if (bad)
-+	    BN_add_word(dsa->pub_key, 1);
-+
-+    pk.type = EVP_PKEY_DSA;
-+    pk.pkey.dsa = dsa;
-+
-+    if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
-+	goto end;
-+    if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+	goto end;
-+    if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+	goto end;
-+
-+    if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
-+	goto end;
-+    if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+	goto end;
-+    r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+    end:
-+    EVP_MD_CTX_cleanup(&mctx);
-+    if (dsa)
-+  	  DSA_free(dsa);
-+    if (r != 1)
-+	return 0;
-+    return 1;
-+    }
-+
-+/*
-+ * RSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_rsa_test(int bad)
-+    {
-+    RSA *key;
-+    unsigned char input_ptext[] = "etaonrishdlc";
-+    unsigned char buf[256];
-+    unsigned int slen;
-+    BIGNUM *bn;
-+    EVP_MD_CTX mctx;
-+    EVP_PKEY pk;
-+    int r = 0;
-+
-+    ERR_clear_error();
-+    EVP_MD_CTX_init(&mctx);
-+    key = RSA_new();
-+    bn = BN_new();
-+    if (!key || !bn)
-+	return 0;
-+    BN_set_word(bn, 65537);
-+    if (!RSA_generate_key_ex(key, 1024,bn,NULL))
-+	return 0;
-+    BN_free(bn);
-+    if (bad)
-+	    BN_add_word(key->n, 1);
-+
-+    pk.type = EVP_PKEY_RSA;
-+    pk.pkey.rsa = key;
-+
-+    if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
-+	goto end;
-+    if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+	goto end;
-+    if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+	goto end;
-+
-+    if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
-+	goto end;
-+    if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+	goto end;
-+    r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+    end:
-+    EVP_MD_CTX_cleanup(&mctx);
-+    if (key)
-+  	    RSA_free(key);
-+    if (r != 1)
-+	return 0;
-+    return 1;
-+    }
-+
-+/* SHA1: generate hash of known digest value and compare to known
-+   precomputed correct hash
-+*/
-+static int FIPS_sha1_test()
-+    {
-+    unsigned char digest[SHA_DIGEST_LENGTH] =
-+        { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
-+    unsigned char str[] = "etaonrishd";
-+
-+    unsigned char md[SHA_DIGEST_LENGTH];
-+
-+    ERR_clear_error();
-+    if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
-+    if (memcmp(md,digest,sizeof(md)))
-+        return 0;
-+    return 1;
-+    }
-+
-+/* SHA256: generate hash of known digest value and compare to known
-+   precomputed correct hash
-+*/
-+static int FIPS_sha256_test()
-+    {
-+    unsigned char digest[SHA256_DIGEST_LENGTH] =
-+	{0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
-+	 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
-+    unsigned char str[] = "etaonrishd";
-+
-+    unsigned char md[SHA256_DIGEST_LENGTH];
-+
-+    ERR_clear_error();
-+    if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
-+    if (memcmp(md,digest,sizeof(md)))
-+        return 0;
-+    return 1;
-+    }
-+
-+/* SHA512: generate hash of known digest value and compare to known
-+   precomputed correct hash
-+*/
-+static int FIPS_sha512_test()
-+    {
-+    unsigned char digest[SHA512_DIGEST_LENGTH] =
-+	{0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
-+	 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
-+	 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
-+	 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
-+    unsigned char str[] = "etaonrishd";
-+
-+    unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+    ERR_clear_error();
-+    if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
-+    if (memcmp(md,digest,sizeof(md)))
-+        return 0;
-+    return 1;
-+    }
-+
-+/* HMAC-SHA1: generate hash of known digest value and compare to known
-+   precomputed correct hash
-+*/
-+static int FIPS_hmac_sha1_test()
-+    {
-+    unsigned char key[] = "etaonrishd";
-+    unsigned char iv[] = "Sample text";
-+    unsigned char kaval[EVP_MAX_MD_SIZE] =
-+	{0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
-+	 0xb2, 0xfb, 0xec, 0xc6};
-+
-+    unsigned char out[EVP_MAX_MD_SIZE];
-+    unsigned int outlen;
-+
-+    ERR_clear_error();
-+    if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+    if (memcmp(out,kaval,outlen))
-+        return 0;
-+    return 1;
-+    }
-+
-+/* HMAC-SHA224: generate hash of known digest value and compare to known
-+   precomputed correct hash
-+*/
-+static int FIPS_hmac_sha224_test()
-+    {
-+    unsigned char key[] = "etaonrishd";
-+    unsigned char iv[] = "Sample text";
-+    unsigned char kaval[EVP_MAX_MD_SIZE] =
-+	{0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
-+	 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
-+
-+    unsigned char out[EVP_MAX_MD_SIZE];
-+    unsigned int outlen;
-+
-+    ERR_clear_error();
-+    if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+    if (memcmp(out,kaval,outlen))
-+        return 0;
-+    return 1;
-+    }
-+
-+/* HMAC-SHA256: generate hash of known digest value and compare to known
-+   precomputed correct hash
-+*/
-+static int FIPS_hmac_sha256_test()
-+    {
-+    unsigned char key[] = "etaonrishd";
-+    unsigned char iv[] = "Sample text";
-+    unsigned char kaval[EVP_MAX_MD_SIZE] =
-+	{0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
-+	 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
-+
-+    unsigned char out[EVP_MAX_MD_SIZE];
-+    unsigned int outlen;
-+
-+    ERR_clear_error();
-+    if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+    if (memcmp(out,kaval,outlen))
-+        return 0;
-+    return 1;
-+    }
-+
-+/* HMAC-SHA384: generate hash of known digest value and compare to known
-+   precomputed correct hash
-+*/
-+static int FIPS_hmac_sha384_test()
-+    {
-+    unsigned char key[] = "etaonrishd";
-+    unsigned char iv[] = "Sample text";
-+    unsigned char kaval[EVP_MAX_MD_SIZE] =
-+	{0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
-+	 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
-+	 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
-+
-+    unsigned char out[EVP_MAX_MD_SIZE];
-+    unsigned int outlen;
-+
-+    ERR_clear_error();
-+    if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+    if (memcmp(out,kaval,outlen))
-+        return 0;
-+    return 1;
-+    }
-+
-+/* HMAC-SHA512: generate hash of known digest value and compare to known
-+   precomputed correct hash
-+*/
-+static int FIPS_hmac_sha512_test()
-+    {
-+    unsigned char key[] = "etaonrishd";
-+    unsigned char iv[] = "Sample text";
-+    unsigned char kaval[EVP_MAX_MD_SIZE] =
-+	{0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
-+	 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
-+	 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
-+	 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
-+
-+    unsigned char out[EVP_MAX_MD_SIZE];
-+    unsigned int outlen;
-+
-+    ERR_clear_error();
-+    if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+    if (memcmp(out,kaval,outlen))
-+        return 0;
-+    return 1;
-+    }
-+
-+
-+/* DH: generate shared parameters
-+*/
-+static int dh_test()
-+    {
-+    DH *dh;
-+    ERR_clear_error();
-+    dh = FIPS_dh_new();
-+    if (!dh)
-+	return 0;
-+    if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
-+	return 0;
-+    FIPS_dh_free(dh);
-+    return 1;
-+    }
-+
-+/* Zeroize
-+*/
-+static int Zeroize()
-+    {
-+    RSA *key;
-+    BIGNUM *bn;
-+    unsigned char userkey[16] = 
-+	{ 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
-+    int i, n;
-+
-+    key = FIPS_rsa_new();
-+    bn = BN_new();
-+    if (!key || !bn)
-+	return 0;
-+    BN_set_word(bn, 65537);
-+    if (!RSA_generate_key_ex(key, 1024,bn,NULL))
-+	return 0;
-+    BN_free(bn);
-+    
-+    n = BN_num_bytes(key->d);
-+    printf(" Generated %d byte RSA private key\n", n);
-+    printf("\tBN key before overwriting:\n");
-+    do_bn_print(stdout, key->d);
-+    BN_rand(key->d,n*8,-1,0);
-+    printf("\tBN key after overwriting:\n");
-+    do_bn_print(stdout, key->d);
-+
-+    printf("\tchar buffer key before overwriting: \n\t\t");
-+    for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
-+        printf("\n");
-+    RAND_bytes(userkey, sizeof userkey);
-+    printf("\tchar buffer key after overwriting: \n\t\t");
-+    for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
-+        printf("\n");
-+
-+    return 1;
-+    }
-+
-+static int Error;
-+const char * Fail(const char *msg)
-+    {
-+    do_print_errors();
-+    Error++;
-+    return msg; 
-+    }
-+
-+int main(int argc,char **argv)
-+    {
-+
-+    int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
-+    int bad_rsa = 0, bad_dsa = 0;
-+    int do_rng_stick = 0;
-+    int no_exit = 0;
-+
-+    printf("\tFIPS-mode test application\n\n");
-+
-+    /* Load entropy from external file, if any */
-+    RAND_load_file(".rnd", 1024);
-+
-+    if (argv[1]) {
-+        /* Corrupted KAT tests */
-+        if (!strcmp(argv[1], "aes")) {
-+            FIPS_corrupt_aes();
-+            printf("AES encryption/decryption with corrupted KAT...\n");
-+        } else if (!strcmp(argv[1], "des")) {
-+            FIPS_corrupt_des();
-+            printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
-+        } else if (!strcmp(argv[1], "dsa")) {
-+            FIPS_corrupt_dsa();
-+            printf("DSA key generation and signature validation with corrupted KAT...\n");
-+        } else if (!strcmp(argv[1], "rsa")) {
-+            FIPS_corrupt_rsa();
-+            printf("RSA key generation and signature validation with corrupted KAT...\n");
-+        } else if (!strcmp(argv[1], "rsakey")) {
-+            printf("RSA key generation and signature validation with corrupted key...\n");
-+	    bad_rsa = 1;
-+	    no_exit = 1;
-+        } else if (!strcmp(argv[1], "rsakeygen")) {
-+	    do_corrupt_rsa_keygen = 1;
-+	    no_exit = 1;
-+            printf("RSA key generation and signature validation with corrupted keygen...\n");
-+        } else if (!strcmp(argv[1], "dsakey")) {
-+            printf("DSA key generation and signature validation with corrupted key...\n");
-+	    bad_dsa = 1;
-+	    no_exit = 1;
-+        } else if (!strcmp(argv[1], "dsakeygen")) {
-+	    do_corrupt_dsa_keygen = 1;
-+	    no_exit = 1;
-+            printf("DSA key generation and signature validation with corrupted keygen...\n");
-+        } else if (!strcmp(argv[1], "sha1")) {
-+            FIPS_corrupt_sha1();
-+            printf("SHA-1 hash with corrupted KAT...\n");
-+	} else if (!strcmp(argv[1], "rng")) {
-+	    FIPS_corrupt_rng();
-+	} else if (!strcmp(argv[1], "rngstick")) {
-+	    do_rng_stick = 1;
-+	    no_exit = 1;
-+	    printf("RNG test with stuck continuous test...\n");
-+        } else {
-+            printf("Bad argument \"%s\"\n", argv[1]);
-+            exit(1);
-+        }
-+	if (!no_exit) {
-+        	if (!FIPS_mode_set(1)) {
-+ 		    do_print_errors();
-+        	    printf("Power-up self test failed\n");
-+		    exit(1);
-+		}
-+        	printf("Power-up self test successful\n");
-+        	exit(0);
-+	}
-+    }
-+
-+    /* Non-Approved cryptographic operation
-+    */
-+    printf("1. Non-Approved cryptographic operation test...\n");
-+    printf("\ta. Included algorithm (D-H)...");
-+    printf( dh_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* Power-up self test
-+    */
-+    ERR_clear_error();
-+    printf("2. Automatic power-up self test...");
-+    if (!FIPS_mode_set(1))
-+	{
-+	do_print_errors();
-+        printf(Fail("FAILED!\n"));
-+	exit(1);
-+	}
-+    printf("successful\n");
-+    if (do_corrupt_dsa_keygen)
-+            FIPS_corrupt_dsa_keygen();
-+    if (do_corrupt_rsa_keygen)
-+            FIPS_corrupt_rsa_keygen();
-+    if (do_rng_stick)
-+            FIPS_rng_stick();
-+
-+    /* AES encryption/decryption
-+    */
-+    printf("3. AES encryption/decryption...");
-+    printf( FIPS_aes_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* RSA key generation and encryption/decryption
-+    */
-+    printf("4. RSA key generation and encryption/decryption...");
-+    printf( FIPS_rsa_test(bad_rsa) ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* DES-CBC encryption/decryption
-+    */
-+    printf("5. DES-ECB encryption/decryption...");
-+    printf( FIPS_des3_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* DSA key generation and signature validation
-+    */
-+    printf("6. DSA key generation and signature validation...");
-+    printf( FIPS_dsa_test(bad_dsa) ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* SHA-1 hash
-+    */
-+    printf("7a. SHA-1 hash...");
-+    printf( FIPS_sha1_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* SHA-256 hash
-+    */
-+    printf("7b. SHA-256 hash...");
-+    printf( FIPS_sha256_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* SHA-512 hash
-+    */
-+    printf("7c. SHA-512 hash...");
-+    printf( FIPS_sha512_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* HMAC-SHA-1 hash
-+    */
-+    printf("7d. HMAC-SHA-1 hash...");
-+    printf( FIPS_hmac_sha1_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* HMAC-SHA-224 hash
-+    */
-+    printf("7e. HMAC-SHA-224 hash...");
-+    printf( FIPS_hmac_sha224_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* HMAC-SHA-256 hash
-+    */
-+    printf("7f. HMAC-SHA-256 hash...");
-+    printf( FIPS_hmac_sha256_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* HMAC-SHA-384 hash
-+    */
-+    printf("7g. HMAC-SHA-384 hash...");
-+    printf( FIPS_hmac_sha384_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* HMAC-SHA-512 hash
-+    */
-+    printf("7h. HMAC-SHA-512 hash...");
-+    printf( FIPS_hmac_sha512_test() ? "successful\n" :  Fail("FAILED!\n") );
-+
-+    /* Non-Approved cryptographic operation
-+    */
-+    printf("8. Non-Approved cryptographic operation test...\n");
-+    printf("\ta. Included algorithm (D-H)...");
-+    printf( dh_test() ? "successful as expected\n"
-+	    : Fail("failed INCORRECTLY!\n") );
-+
-+    /* Zeroization
-+    */
-+    printf("9. Zero-ization...\n");
-+    printf( Zeroize() ? "\tsuccessful as expected\n"
-+	    : Fail("\tfailed INCORRECTLY!\n") );
-+
-+    printf("\nAll tests completed with %d errors\n", Error);
-+    return Error ? 1 : 0;
-+    }
-+
-+#endif
-diff -up openssl-1.0.0k/crypto/fips_locl.h.fips openssl-1.0.0k/crypto/fips_locl.h
---- openssl-1.0.0k/crypto/fips_locl.h.fips	2013-02-19 20:12:54.596664895 +0100
-+++ openssl-1.0.0k/crypto/fips_locl.h	2013-02-19 20:12:54.596664895 +0100
-@@ -0,0 +1,72 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef  __cplusplus
-+extern "C" {
-+#endif
-+
-+void fips_w_lock(void);
-+void fips_w_unlock(void);
-+void fips_r_lock(void);
-+void fips_r_unlock(void);
-+int fips_is_started(void);
-+void fips_set_started(void);
-+int fips_is_owning_thread(void);
-+int fips_set_owning_thread(void);
-+void fips_set_selftest_fail(void);
-+int fips_clear_owning_thread(void);
-+
-+#define FIPS_MAX_CIPHER_TEST_SIZE	16
-+
-+#ifdef  __cplusplus
-+}
-+#endif
-+#endif
-diff -up openssl-1.0.0k/crypto/fips/Makefile.fips openssl-1.0.0k/crypto/fips/Makefile
---- openssl-1.0.0k/crypto/fips/Makefile.fips	2013-02-19 20:12:54.597664913 +0100
-+++ openssl-1.0.0k/crypto/fips/Makefile	2013-02-19 20:12:54.597664913 +0100
-@@ -0,0 +1,81 @@
-+#
-+# OpenSSL/crypto/fips/Makefile
-+#
-+
-+DIR=	fips
-+TOP=	../..
-+CC=	cc
-+INCLUDES=
-+CFLAG=-g
-+MAKEFILE=	Makefile
-+AR=		ar r
-+
-+CFLAGS= $(INCLUDES) $(CFLAG)
-+
-+GENERAL=Makefile
-+TEST=fips_test_suite.c fips_randtest.c
-+APPS=
-+
-+LIB=$(TOP)/libcrypto.a
-+LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
-+    fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c  fips_rand.c \
-+    fips_rsa_x931g.c
-+
-+LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
-+    fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o  fips_rand.o \
-+    fips_rsa_x931g.o
-+
-+SRC= $(LIBSRC) fips_standalone_sha1.c
-+
-+EXHEADER= fips.h fips_rand.h
-+HEADER=	$(EXHEADER)
-+
-+ALL=    $(GENERAL) $(SRC) $(HEADER)
-+
-+top:
-+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-+
-+all:	lib
-+
-+lib:	$(LIBOBJ)
-+	$(AR) $(LIB) $(LIBOBJ)
-+	$(RANLIB) $(LIB) || echo Never mind.
-+	@touch lib
-+
-+files:
-+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-+
-+links:
-+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-+
-+install:
-+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
-+	do  \
-+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-+	done;
-+
-+tags:
-+	ctags $(SRC)
-+
-+tests:
-+
-+lint:
-+	lint -DLINT $(INCLUDES) $(SRC)>fluff
-+
-+depend:
-+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
-+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-+
-+dclean:
-+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-+	mv -f Makefile.new $(MAKEFILE)
-+
-+clean:
-+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-+
-+# DO NOT DELETE THIS LINE -- make depend depends on it.
-+
-diff -up openssl-1.0.0k/crypto/hmac/hmac.c.fips openssl-1.0.0k/crypto/hmac/hmac.c
---- openssl-1.0.0k/crypto/hmac/hmac.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/hmac/hmac.c	2013-02-19 20:12:54.597664913 +0100
-@@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- 
- 	if (key != NULL)
- 		{
-+#ifdef OPENSSL_FIPS
-+		if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
-+		&& (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+		 || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+		 || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-+			goto err;
-+#endif
- 		reset=1;
- 		j=EVP_MD_block_size(md);
- 		OPENSSL_assert(j <= (int)sizeof(ctx->key));
-diff -up openssl-1.0.0k/crypto/Makefile.fips openssl-1.0.0k/crypto/Makefile
---- openssl-1.0.0k/crypto/Makefile.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/Makefile	2013-02-19 20:12:54.597664913 +0100
-@@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i
- 
- LIB= $(TOP)/libcrypto.a
- SHARED_LIB= libcrypto$(SHLIB_EXT)
--LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c
--LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o $(CPUID_OBJ)
-+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c o_init.c fips_err.c
-+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o o_init.o fips_err.o $(CPUID_OBJ)
- 
- SRC= $(LIBSRC)
- 
- EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
- 	ossl_typ.h
--HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
-+HEADER=	cryptlib.h buildinf.h fips_locl.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
- 
- ALL=    $(GENERAL) $(SRC) $(HEADER)
- 
-diff -up openssl-1.0.0k/crypto/md2/md2_dgst.c.fips openssl-1.0.0k/crypto/md2/md2_dgst.c
---- openssl-1.0.0k/crypto/md2/md2_dgst.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/md2/md2_dgst.c	2013-02-19 20:12:54.597664913 +0100
-@@ -62,6 +62,11 @@
- #include <openssl/md2.h>
- #include <openssl/opensslv.h>
- #include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-+#include <openssl/err.h>
- 
- const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT;
- 
-@@ -116,7 +121,7 @@ const char *MD2_options(void)
- 		return("md2(int)");
- 	}
- 
--int MD2_Init(MD2_CTX *c)
-+FIPS_NON_FIPS_MD_Init(MD2)
- 	{
- 	c->num=0;
- 	memset(c->state,0,sizeof c->state);
-diff -up openssl-1.0.0k/crypto/md2/md2.h.fips openssl-1.0.0k/crypto/md2/md2.h
---- openssl-1.0.0k/crypto/md2/md2.h.fips	2013-02-19 20:12:54.348660189 +0100
-+++ openssl-1.0.0k/crypto/md2/md2.h	2013-02-19 20:12:54.597664913 +0100
-@@ -81,6 +81,9 @@ typedef struct MD2state_st
- 	} MD2_CTX;
- 
- const char *MD2_options(void);
-+#ifdef OPENSSL_FIPS
-+int private_MD2_Init(MD2_CTX *c);
-+#endif
- int MD2_Init(MD2_CTX *c);
- int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
- int MD2_Final(unsigned char *md, MD2_CTX *c);
-diff -up openssl-1.0.0k/crypto/md4/md4_dgst.c.fips openssl-1.0.0k/crypto/md4/md4_dgst.c
---- openssl-1.0.0k/crypto/md4/md4_dgst.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/md4/md4_dgst.c	2013-02-19 20:12:54.598664931 +0100
-@@ -59,6 +59,11 @@
- #include <stdio.h>
- #include "md4_locl.h"
- #include <openssl/opensslv.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- 
- const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT;
- 
-@@ -70,7 +75,7 @@ const char MD4_version[]="MD4" OPENSSL_V
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
- 
--int MD4_Init(MD4_CTX *c)
-+FIPS_NON_FIPS_MD_Init(MD4)
- 	{
- 	memset (c,0,sizeof(*c));
- 	c->A=INIT_DATA_A;
-diff -up openssl-1.0.0k/crypto/md4/md4.h.fips openssl-1.0.0k/crypto/md4/md4.h
---- openssl-1.0.0k/crypto/md4/md4.h.fips	2013-02-19 20:12:54.268658671 +0100
-+++ openssl-1.0.0k/crypto/md4/md4.h	2013-02-19 20:12:54.598664931 +0100
-@@ -105,6 +105,9 @@ typedef struct MD4state_st
- 	unsigned int num;
- 	} MD4_CTX;
- 
-+#ifdef OPENSSL_FIPS
-+int private_MD4_Init(MD4_CTX *c);
-+#endif
- int MD4_Init(MD4_CTX *c);
- int MD4_Update(MD4_CTX *c, const void *data, size_t len);
- int MD4_Final(unsigned char *md, MD4_CTX *c);
-diff -up openssl-1.0.0k/crypto/md5/md5_dgst.c.fips openssl-1.0.0k/crypto/md5/md5_dgst.c
---- openssl-1.0.0k/crypto/md5/md5_dgst.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/md5/md5_dgst.c	2013-02-19 20:12:54.598664931 +0100
-@@ -59,6 +59,11 @@
- #include <stdio.h>
- #include "md5_locl.h"
- #include <openssl/opensslv.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- 
- const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;
- 
-@@ -70,7 +75,7 @@ const char MD5_version[]="MD5" OPENSSL_V
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
- 
--int MD5_Init(MD5_CTX *c)
-+FIPS_NON_FIPS_MD_Init(MD5)
- 	{
- 	memset (c,0,sizeof(*c));
- 	c->A=INIT_DATA_A;
-diff -up openssl-1.0.0k/crypto/md5/md5.h.fips openssl-1.0.0k/crypto/md5/md5.h
---- openssl-1.0.0k/crypto/md5/md5.h.fips	2013-02-19 20:12:54.012653813 +0100
-+++ openssl-1.0.0k/crypto/md5/md5.h	2013-02-19 20:12:54.598664931 +0100
-@@ -105,6 +105,9 @@ typedef struct MD5state_st
- 	unsigned int num;
- 	} MD5_CTX;
- 
-+#ifdef OPENSSL_FIPS
-+int private_MD5_Init(MD5_CTX *c);
-+#endif
- int MD5_Init(MD5_CTX *c);
- int MD5_Update(MD5_CTX *c, const void *data, size_t len);
- int MD5_Final(unsigned char *md, MD5_CTX *c);
-diff -up openssl-1.0.0k/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0k/crypto/mdc2/mdc2dgst.c
---- openssl-1.0.0k/crypto/mdc2/mdc2dgst.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/mdc2/mdc2dgst.c	2013-02-19 20:12:54.597664913 +0100
-@@ -61,6 +61,11 @@
- #include <string.h>
- #include <openssl/des.h>
- #include <openssl/mdc2.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- 
- #undef c2l
- #define c2l(c,l)	(l =((DES_LONG)(*((c)++)))    , \
-@@ -75,7 +80,7 @@
- 			*((c)++)=(unsigned char)(((l)>>24L)&0xff))
- 
- static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
--int MDC2_Init(MDC2_CTX *c)
-+FIPS_NON_FIPS_MD_Init(MDC2)
- 	{
- 	c->num=0;
- 	c->pad_type=1;
-diff -up openssl-1.0.0k/crypto/mdc2/mdc2.h.fips openssl-1.0.0k/crypto/mdc2/mdc2.h
---- openssl-1.0.0k/crypto/mdc2/mdc2.h.fips	2013-02-19 20:12:54.061654741 +0100
-+++ openssl-1.0.0k/crypto/mdc2/mdc2.h	2013-02-19 20:12:54.597664913 +0100
-@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
- 	int pad_type; /* either 1 or 2, default 1 */
- 	} MDC2_CTX;
- 
--
-+#ifdef OPENSSL_FIPS
-+int private_MDC2_Init(MDC2_CTX *c);
-+#endif
- int MDC2_Init(MDC2_CTX *c);
- int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
- int MDC2_Final(unsigned char *md, MDC2_CTX *c);
-diff -up openssl-1.0.0k/crypto/mem.c.fips openssl-1.0.0k/crypto/mem.c
---- openssl-1.0.0k/crypto/mem.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/mem.c	2013-02-19 20:12:54.598664931 +0100
-@@ -101,7 +101,7 @@ static void (*free_locked_func)(void *)
- 
- /* may be changed as long as 'allow_customize_debug' is set */
- /* XXX use correct function pointer types */
--#ifdef CRYPTO_MDEBUG
-+#if defined(CRYPTO_MDEBUG) && !defined(OPENSSL_FIPS)
- /* use default functions from mem_dbg.c */
- static void (*malloc_debug_func)(void *,int,const char *,int,int)
- 	= CRYPTO_dbg_malloc;
-diff -up openssl-1.0.0k/crypto/o_init.c.fips openssl-1.0.0k/crypto/o_init.c
---- openssl-1.0.0k/crypto/o_init.c.fips	2013-02-19 20:12:54.598664931 +0100
-+++ openssl-1.0.0k/crypto/o_init.c	2013-02-19 20:12:54.598664931 +0100
-@@ -0,0 +1,80 @@
-+/* o_init.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <e_os.h>
-+#include <openssl/err.h>
-+
-+/* Perform any essential OpenSSL initialization operations.
-+ * Currently only sets FIPS callbacks
-+ */
-+
-+void OPENSSL_init_library(void)
-+	{
-+#ifdef OPENSSL_FIPS
-+	static int done = 0;
-+	if (!done)
-+		{
-+#ifdef CRYPTO_MDEBUG
-+		CRYPTO_malloc_debug_init();
-+#endif
-+		done = 1;
-+		}
-+#endif
-+	}
-+		
-+
-diff -up openssl-1.0.0k/crypto/opensslconf.h.in.fips openssl-1.0.0k/crypto/opensslconf.h.in
---- openssl-1.0.0k/crypto/opensslconf.h.in.fips	2013-02-05 12:47:28.000000000 +0100
-+++ openssl-1.0.0k/crypto/opensslconf.h.in	2013-02-19 20:12:54.599664950 +0100
-@@ -1,5 +1,20 @@
- /* crypto/opensslconf.h.in */
- 
-+#ifdef OPENSSL_DOING_MAKEDEPEND
-+
-+/* Include any symbols here that have to be explicitly set to enable a feature
-+ * that should be visible to makedepend.
-+ *
-+ * [Our "make depend" doesn't actually look at this, we use actual build settings
-+ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
-+ */
-+
-+#ifndef OPENSSL_FIPS
-+#define OPENSSL_FIPS
-+#endif
-+
-+#endif
-+
- /* Generate 80386 code? */
- #undef I386_ONLY
- 
-diff -up openssl-1.0.0k/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0k/crypto/pkcs12/p12_crt.c
---- openssl-1.0.0k/crypto/pkcs12/p12_crt.c.fips	2013-02-05 12:47:28.000000000 +0100
-+++ openssl-1.0.0k/crypto/pkcs12/p12_crt.c	2013-02-19 20:12:54.599664950 +0100
-@@ -59,6 +59,10 @@
- #include <stdio.h>
- #include "cryptlib.h"
- #include <openssl/pkcs12.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- 
- 
- static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
-@@ -90,11 +94,18 @@ PKCS12 *PKCS12_create(char *pass, char *
- 
- 	/* Set defaults */
- 	if (!nid_cert)
-+		{
-+#ifdef OPENSSL_FIPS
-+		if (FIPS_mode())
-+			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-+		else
-+#endif
- #ifdef OPENSSL_NO_RC2
- 		nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- #else
- 		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
- #endif
-+		}
- 	if (!nid_key)
- 		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- 	if (!iter)
-diff -up openssl-1.0.0k/crypto/rand/md_rand.c.fips openssl-1.0.0k/crypto/rand/md_rand.c
---- openssl-1.0.0k/crypto/rand/md_rand.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rand/md_rand.c	2013-02-19 20:12:54.599664950 +0100
-@@ -126,6 +126,10 @@
- 
- #include <openssl/crypto.h>
- #include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- 
- #ifdef BN_DEBUG
- # define PREDICT
-@@ -342,6 +346,14 @@ static int ssleay_rand_bytes(unsigned ch
- #endif
- 	int do_stir_pool = 0;
- 
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_mode())
-+	    {
-+	    FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
-+	    return 0;
-+	    }
-+#endif
-+
- #ifdef PREDICT
- 	if (rand_predictable)
- 		{
-diff -up openssl-1.0.0k/crypto/rand/rand_err.c.fips openssl-1.0.0k/crypto/rand/rand_err.c
---- openssl-1.0.0k/crypto/rand/rand_err.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rand/rand_err.c	2013-02-19 20:12:54.599664950 +0100
-@@ -70,6 +70,13 @@
- 
- static ERR_STRING_DATA RAND_str_functs[]=
- 	{
-+{ERR_FUNC(RAND_F_ENG_RAND_GET_RAND_METHOD),	"ENG_RAND_GET_RAND_METHOD"},
-+{ERR_FUNC(RAND_F_FIPS_RAND),	"FIPS_RAND"},
-+{ERR_FUNC(RAND_F_FIPS_RAND_BYTES),	"FIPS_RAND_BYTES"},
-+{ERR_FUNC(RAND_F_FIPS_RAND_SET_DT),	"FIPS_RAND_SET_DT"},
-+{ERR_FUNC(RAND_F_FIPS_SET_DT),	"FIPS_SET_DT"},
-+{ERR_FUNC(RAND_F_FIPS_SET_PRNG_SEED),	"FIPS_SET_PRNG_SEED"},
-+{ERR_FUNC(RAND_F_FIPS_SET_TEST_MODE),	"FIPS_SET_TEST_MODE"},
- {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD),	"RAND_get_rand_method"},
- {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),	"SSLEAY_RAND_BYTES"},
- {0,NULL}
-@@ -77,7 +84,17 @@ static ERR_STRING_DATA RAND_str_functs[]
- 
- static ERR_STRING_DATA RAND_str_reasons[]=
- 	{
-+{ERR_REASON(RAND_R_NON_FIPS_METHOD)      ,"non fips method"},
-+{ERR_REASON(RAND_R_NOT_IN_TEST_MODE)     ,"not in test mode"},
-+{ERR_REASON(RAND_R_NO_KEY_SET)           ,"no key set"},
-+{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"},
-+{ERR_REASON(RAND_R_PRNG_ERROR)           ,"prng error"},
-+{ERR_REASON(RAND_R_PRNG_KEYED)           ,"prng keyed"},
-+{ERR_REASON(RAND_R_PRNG_NOT_REKEYED)     ,"prng not rekeyed"},
-+{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED)    ,"prng not reseeded"},
- {ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
-+{ERR_REASON(RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY),"prng seed must not match key"},
-+{ERR_REASON(RAND_R_PRNG_STUCK)           ,"prng stuck"},
- {0,NULL}
- 	};
- 
-diff -up openssl-1.0.0k/crypto/rand/rand.h.fips openssl-1.0.0k/crypto/rand/rand.h
---- openssl-1.0.0k/crypto/rand/rand.h.fips	2013-02-19 20:12:54.071654932 +0100
-+++ openssl-1.0.0k/crypto/rand/rand.h	2013-02-19 20:12:54.599664950 +0100
-@@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void);
- /* Error codes for the RAND functions. */
- 
- /* Function codes. */
-+#define RAND_F_ENG_RAND_GET_RAND_METHOD			 108
-+#define RAND_F_FIPS_RAND				 103
-+#define RAND_F_FIPS_RAND_BYTES				 102
-+#define RAND_F_FIPS_RAND_SET_DT				 106
-+#define RAND_F_FIPS_SET_DT				 104
-+#define RAND_F_FIPS_SET_PRNG_SEED			 107
-+#define RAND_F_FIPS_SET_TEST_MODE			 105
- #define RAND_F_RAND_GET_RAND_METHOD			 101
- #define RAND_F_SSLEAY_RAND_BYTES			 100
- 
- /* Reason codes. */
-+#define RAND_R_NON_FIPS_METHOD				 105
-+#define RAND_R_NOT_IN_TEST_MODE				 106
-+#define RAND_R_NO_KEY_SET				 107
-+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH			 101
-+#define RAND_R_PRNG_ERROR				 108
-+#define RAND_R_PRNG_KEYED				 109
-+#define RAND_R_PRNG_NOT_REKEYED				 102
-+#define RAND_R_PRNG_NOT_RESEEDED			 103
- #define RAND_R_PRNG_NOT_SEEDED				 100
-+#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY		 110
-+#define RAND_R_PRNG_STUCK				 104
- 
- #ifdef  __cplusplus
- }
-diff -up openssl-1.0.0k/crypto/rand/rand_lib.c.fips openssl-1.0.0k/crypto/rand/rand_lib.c
---- openssl-1.0.0k/crypto/rand/rand_lib.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rand/rand_lib.c	2013-02-19 20:12:54.599664950 +0100
-@@ -60,6 +60,12 @@
- #include <time.h>
- #include "cryptlib.h"
- #include <openssl/rand.h>
-+#include "rand_lcl.h"
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#endif
-+
- #ifndef OPENSSL_NO_ENGINE
- #include <openssl/engine.h>
- #endif
-@@ -102,8 +108,19 @@ const RAND_METHOD *RAND_get_rand_method(
- 			funct_ref = e;
- 		else
- #endif
-+#ifdef OPENSSL_FIPS
-+			default_RAND_meth = FIPS_mode() ? FIPS_rand_method() : RAND_SSLeay();
-+		}
-+	if (FIPS_mode()
-+		&& default_RAND_meth != FIPS_rand_check())
-+	    {
-+	    RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
-+	    return 0;
-+	    }
-+#else
- 			default_RAND_meth = RAND_SSLeay();
- 		}
-+#endif
- 	return default_RAND_meth;
- 	}
- 
-diff -up openssl-1.0.0k/crypto/rc2/rc2.h.fips openssl-1.0.0k/crypto/rc2/rc2.h
---- openssl-1.0.0k/crypto/rc2/rc2.h.fips	2013-02-19 20:12:54.216657683 +0100
-+++ openssl-1.0.0k/crypto/rc2/rc2.h	2013-02-19 20:12:54.599664950 +0100
-@@ -79,7 +79,9 @@ typedef struct rc2_key_st
- 	RC2_INT data[64];
- 	} RC2_KEY;
- 
-- 
-+#ifdef OPENSSL_FIPS 
-+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
-+#endif
- void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
- void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
- 		     int enc);
-diff -up openssl-1.0.0k/crypto/rc2/rc2_skey.c.fips openssl-1.0.0k/crypto/rc2/rc2_skey.c
---- openssl-1.0.0k/crypto/rc2/rc2_skey.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rc2/rc2_skey.c	2013-02-19 20:12:54.600664970 +0100
-@@ -57,6 +57,11 @@
-  */
- 
- #include <openssl/rc2.h>
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #include "rc2_locl.h"
- 
- static const unsigned char key_table[256]={
-@@ -94,8 +99,20 @@ static const unsigned char key_table[256
-  * BSAFE uses the 'retarded' version.  What I previously shipped is
-  * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
-  * a version where the bits parameter is the same as len*8 */
-+
-+#ifdef OPENSSL_FIPS
- void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
- 	{
-+	if (FIPS_mode())
-+		FIPS_BAD_ABORT(RC2)
-+	private_RC2_set_key(key, len, data, bits);
-+	}
-+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
-+								int bits)
-+#else
-+void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
-+#endif
-+	{
- 	int i,j;
- 	unsigned char *k;
- 	RC2_INT *ki;
-diff -up openssl-1.0.0k/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0k/crypto/rc4/asm/rc4-586.pl
---- openssl-1.0.0k/crypto/rc4/asm/rc4-586.pl.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rc4/asm/rc4-586.pl	2013-02-19 20:12:54.600664970 +0100
-@@ -166,8 +166,12 @@ $idx="edx";
- 
- &external_label("OPENSSL_ia32cap_P");
- 
-+$setkeyfunc = "RC4_set_key";
-+$setkeyfunc = "private_RC4_set_key" if ($ENV{FIPS} ne "");
-+
-+
- # void RC4_set_key(RC4_KEY *key,int len,const unsigned char *data);
--&function_begin("RC4_set_key");
-+&function_begin($setkeyfunc);
- 	&mov	($out,&wparam(0));		# load key
- 	&mov	($idi,&wparam(1));		# load len
- 	&mov	($inp,&wparam(2));		# load data
-@@ -245,7 +249,7 @@ $idx="edx";
- 	&xor	("eax","eax");
- 	&mov	(&DWP(-8,$out),"eax");		# key->x=0;
- 	&mov	(&DWP(-4,$out),"eax");		# key->y=0;
--&function_end("RC4_set_key");
-+&function_end($setkeyfunc);
- 
- # const char *RC4_options(void);
- &function_begin_B("RC4_options");
-diff -up openssl-1.0.0k/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0k/crypto/rc4/asm/rc4-s390x.pl
---- openssl-1.0.0k/crypto/rc4/asm/rc4-s390x.pl.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rc4/asm/rc4-s390x.pl	2013-02-19 20:12:54.600664970 +0100
-@@ -202,4 +202,6 @@ RC4_options:
- .string	"rc4(8x,char)"
- ___
- 
-+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
-+
- print $code;
-diff -up openssl-1.0.0k/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0k/crypto/rc4/asm/rc4-x86_64.pl
---- openssl-1.0.0k/crypto/rc4/asm/rc4-x86_64.pl.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rc4/asm/rc4-x86_64.pl	2013-02-19 20:12:54.600664970 +0100
-@@ -499,6 +499,8 @@ ___
- 
- $code =~ s/#([bwd])/$1/gm;
- 
-+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
-+
- print $code;
- 
- close STDOUT;
-diff -up openssl-1.0.0k/crypto/rc4/Makefile.fips openssl-1.0.0k/crypto/rc4/Makefile
---- openssl-1.0.0k/crypto/rc4/Makefile.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rc4/Makefile	2013-02-19 20:12:54.600664970 +0100
-@@ -21,8 +21,8 @@ TEST=rc4test.c
- APPS=
- 
- LIB=$(TOP)/libcrypto.a
--LIBSRC=rc4_skey.c rc4_enc.c
--LIBOBJ=$(RC4_ENC)
-+LIBSRC=rc4_skey.c rc4_enc.c rc4_fblk.c
-+LIBOBJ=$(RC4_ENC) rc4_fblk.o
- 
- SRC= $(LIBSRC)
- 
-diff -up openssl-1.0.0k/crypto/rc4/rc4_fblk.c.fips openssl-1.0.0k/crypto/rc4/rc4_fblk.c
---- openssl-1.0.0k/crypto/rc4/rc4_fblk.c.fips	2013-02-19 20:12:54.601664990 +0100
-+++ openssl-1.0.0k/crypto/rc4/rc4_fblk.c	2013-02-19 20:12:54.601664990 +0100
-@@ -0,0 +1,75 @@
-+/* crypto/rc4/rc4_fblk.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#include <openssl/rc4.h>
-+#include "rc4_locl.h"
-+#include <openssl/opensslv.h>
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-+/* FIPS mode blocking for RC4 has to be done separately since RC4_set_key
-+ * may be implemented in an assembly language file.
-+ */
-+
-+#ifdef OPENSSL_FIPS
-+void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
-+	{
-+	if (FIPS_mode())
-+		FIPS_BAD_ABORT(RC4)
-+	private_RC4_set_key(key, len, data);
-+	}
-+#endif
-+
-diff -up openssl-1.0.0k/crypto/rc4/rc4.h.fips openssl-1.0.0k/crypto/rc4/rc4.h
---- openssl-1.0.0k/crypto/rc4/rc4.h.fips	2013-02-19 20:12:53.860650927 +0100
-+++ openssl-1.0.0k/crypto/rc4/rc4.h	2013-02-19 20:12:54.601664990 +0100
-@@ -78,6 +78,9 @@ typedef struct rc4_key_st
- 
-  
- const char *RC4_options(void);
-+#ifdef OPENSSL_FIPS
-+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
-+#endif
- void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
- void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
- 		unsigned char *outdata);
-diff -up openssl-1.0.0k/crypto/rc4/rc4_skey.c.fips openssl-1.0.0k/crypto/rc4/rc4_skey.c
---- openssl-1.0.0k/crypto/rc4/rc4_skey.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rc4/rc4_skey.c	2013-02-19 20:12:54.601664990 +0100
-@@ -59,6 +59,11 @@
- #include <openssl/rc4.h>
- #include "rc4_locl.h"
- #include <openssl/opensslv.h>
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- 
- const char RC4_version[]="RC4" OPENSSL_VERSION_PTEXT;
- 
-@@ -85,7 +90,11 @@ const char *RC4_options(void)
-  * Date: Wed, 14 Sep 1994 06:35:31 GMT
-  */
- 
-+#ifdef OPENSSL_FIPS
-+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
-+#else
- void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
-+#endif
- 	{
-         register RC4_INT tmp;
-         register int id1,id2;
-@@ -126,7 +135,12 @@ void RC4_set_key(RC4_KEY *key, int len,
- 		 * module...
- 		 *				<appro@fy.chalmers.se>
- 		 */
-+#ifdef OPENSSL_FIPS
-+		unsigned long *ia32cap_ptr = OPENSSL_ia32cap_loc();
-+		if (ia32cap_ptr && (*ia32cap_ptr & (1<<28))) {
-+#else
- 		if (OPENSSL_ia32cap_P & (1<<28)) {
-+#endif
- 			unsigned char *cp=(unsigned char *)d;
- 
- 			for (i=0;i<256;i++) cp[i]=i;
-diff -up openssl-1.0.0k/crypto/ripemd/ripemd.h.fips openssl-1.0.0k/crypto/ripemd/ripemd.h
---- openssl-1.0.0k/crypto/ripemd/ripemd.h.fips	2013-02-19 20:12:54.170656810 +0100
-+++ openssl-1.0.0k/crypto/ripemd/ripemd.h	2013-02-19 20:12:54.601664990 +0100
-@@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st
- 	unsigned int   num;
- 	} RIPEMD160_CTX;
- 
-+#ifdef OPENSSL_FIPS
-+int private_RIPEMD160_Init(RIPEMD160_CTX *c);
-+#endif
- int RIPEMD160_Init(RIPEMD160_CTX *c);
- int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
- int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
-diff -up openssl-1.0.0k/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0k/crypto/ripemd/rmd_dgst.c
---- openssl-1.0.0k/crypto/ripemd/rmd_dgst.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/ripemd/rmd_dgst.c	2013-02-19 20:12:54.601664990 +0100
-@@ -59,6 +59,11 @@
- #include <stdio.h>
- #include "rmd_locl.h"
- #include <openssl/opensslv.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- 
- const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT;
- 
-@@ -69,7 +74,7 @@ const char RMD160_version[]="RIPE-MD160"
-      void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
- #  endif
- 
--int RIPEMD160_Init(RIPEMD160_CTX *c)
-+FIPS_NON_FIPS_MD_Init(RIPEMD160)
- 	{
- 	memset (c,0,sizeof(*c));
- 	c->A=RIPEMD160_A;
-diff -up openssl-1.0.0k/crypto/rsa/rsa_eay.c.fips openssl-1.0.0k/crypto/rsa/rsa_eay.c
---- openssl-1.0.0k/crypto/rsa/rsa_eay.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rsa/rsa_eay.c	2013-02-19 20:12:54.601664990 +0100
-@@ -114,6 +114,10 @@
- #include <openssl/bn.h>
- #include <openssl/rsa.h>
- #include <openssl/rand.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- 
- #ifndef RSA_NULL
- 
-@@ -138,7 +142,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
- 	BN_mod_exp_mont, /* XXX probably we should not use Montgomery if  e == 3 */
- 	RSA_eay_init,
- 	RSA_eay_finish,
--	0, /* flags */
-+	RSA_FLAG_FIPS_METHOD, /* flags */
- 	NULL,
- 	0, /* rsa_sign */
- 	0, /* rsa_verify */
-@@ -150,6 +154,16 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
- 	return(&rsa_pkcs1_eay_meth);
- 	}
- 
-+/* Usage example;
-+ *    MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-+ */
-+#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
-+	if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
-+			!BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
-+				CRYPTO_LOCK_RSA, \
-+				(rsa)->m, (ctx))) \
-+		err_instr
-+
- static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
- 	     unsigned char *to, RSA *rsa, int padding)
- 	{
-@@ -158,6 +172,23 @@ static int RSA_eay_public_encrypt(int fl
- 	unsigned char *buf=NULL;
- 	BN_CTX *ctx=NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_mode())
-+		{
-+		if (FIPS_selftest_failed())
-+			{
-+			FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+			goto err;
-+			}
-+
-+		if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
-+			{
-+			RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+			return -1;
-+			}
-+		}
-+#endif
-+
- 	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
- 		{
- 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
-@@ -223,9 +254,7 @@ static int RSA_eay_public_encrypt(int fl
- 		goto err;
- 		}
- 
--	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
--		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
--			goto err;
-+	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
- 
- 	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
- 		rsa->_method_mod_n)) goto err;
-@@ -361,6 +390,23 @@ static int RSA_eay_private_encrypt(int f
- 	BIGNUM *unblind = NULL;
- 	BN_BLINDING *blinding = NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode())
-+		{
-+		if(FIPS_selftest_failed())
-+			{
-+			FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+			return -1;
-+			}
-+
-+		if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
-+			{
-+			RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+			return -1;
-+			}
-+		}
-+#endif
-+
- 	if ((ctx=BN_CTX_new()) == NULL) goto err;
- 	BN_CTX_start(ctx);
- 	f   = BN_CTX_get(ctx);
-@@ -444,9 +490,7 @@ static int RSA_eay_private_encrypt(int f
- 		else
- 			d= rsa->d;
- 
--		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
--			if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
--				goto err;
-+		MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
- 
- 		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
- 				rsa->_method_mod_n)) goto err;
-@@ -504,6 +548,23 @@ static int RSA_eay_private_decrypt(int f
- 	BIGNUM *unblind = NULL;
- 	BN_BLINDING *blinding = NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode())
-+		{
-+		if(FIPS_selftest_failed())
-+			{
-+			FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+			return -1;
-+			}
-+
-+		if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
-+			{
-+			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+			return -1;
-+			}
-+		}
-+#endif
-+
- 	if((ctx = BN_CTX_new()) == NULL) goto err;
- 	BN_CTX_start(ctx);
- 	f   = BN_CTX_get(ctx);
-@@ -577,9 +638,7 @@ static int RSA_eay_private_decrypt(int f
- 		else
- 			d = rsa->d;
- 
--		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
--			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
--				goto err;
-+		MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
- 		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
- 				rsa->_method_mod_n))
- 		  goto err;
-@@ -639,6 +698,23 @@ static int RSA_eay_public_decrypt(int fl
- 	unsigned char *buf=NULL;
- 	BN_CTX *ctx=NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode())
-+		{
-+		if(FIPS_selftest_failed())
-+			{
-+			FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+			goto err;
-+			}
-+
-+		if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
-+			{
-+			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+			return -1;
-+			}
-+		}
-+#endif
-+
- 	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
- 		{
- 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
-@@ -689,9 +765,7 @@ static int RSA_eay_public_decrypt(int fl
- 		goto err;
- 		}
- 
--	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
--		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
--			goto err;
-+	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
- 
- 	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
- 		rsa->_method_mod_n)) goto err;
-@@ -739,6 +813,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
- 	BIGNUM *r1,*m1,*vrfy;
- 	BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
- 	BIGNUM *dmp1,*dmq1,*c,*pr1;
-+	int bn_flags;
- 	int ret=0;
- 
- 	BN_CTX_start(ctx);
-@@ -746,41 +821,31 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
- 	m1 = BN_CTX_get(ctx);
- 	vrfy = BN_CTX_get(ctx);
- 
--	{
--		BIGNUM local_p, local_q;
--		BIGNUM *p = NULL, *q = NULL;
--
--		/* Make sure BN_mod_inverse in Montgomery intialization uses the
--		 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
--		 */
--		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
--			{
--			BN_init(&local_p);
--			p = &local_p;
--			BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
--
--			BN_init(&local_q);
--			q = &local_q;
--			BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
--			}
--		else
--			{
--			p = rsa->p;
--			q = rsa->q;
--			}
-+	/* Make sure mod_inverse in montgomerey intialization use correct 
-+	 * BN_FLG_CONSTTIME flag.
-+	 */
-+	bn_flags = rsa->p->flags;
-+	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+		{
-+		rsa->p->flags |= BN_FLG_CONSTTIME;
-+		}
-+	MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-+	/* We restore bn_flags back */
-+	rsa->p->flags = bn_flags;
- 
--		if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
--			{
--			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
--				goto err;
--			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
--				goto err;
--			}
--	}
-+        /* Make sure mod_inverse in montgomerey intialization use correct
-+         * BN_FLG_CONSTTIME flag.
-+         */
-+	bn_flags = rsa->q->flags;
-+	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+		{
-+		rsa->q->flags |= BN_FLG_CONSTTIME;
-+		}
-+	MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-+	/* We restore bn_flags back */
-+	rsa->q->flags = bn_flags;	
- 
--	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
--		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
--			goto err;
-+	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
- 
- 	/* compute I mod q */
- 	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-@@ -897,6 +962,9 @@ err:
- 
- static int RSA_eay_init(RSA *rsa)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
- 	return(1);
- 	}
-diff -up openssl-1.0.0k/crypto/rsa/rsa_err.c.fips openssl-1.0.0k/crypto/rsa/rsa_err.c
---- openssl-1.0.0k/crypto/rsa/rsa_err.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rsa/rsa_err.c	2013-02-19 20:12:54.602665009 +0100
-@@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]=
- {ERR_FUNC(RSA_F_RSA_PRINT_FP),	"RSA_print_fp"},
- {ERR_FUNC(RSA_F_RSA_PRIV_DECODE),	"RSA_PRIV_DECODE"},
- {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE),	"RSA_PRIV_ENCODE"},
-+{ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT),	"RSA_private_encrypt"},
- {ERR_FUNC(RSA_F_RSA_PUB_DECODE),	"RSA_PUB_DECODE"},
-+{ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT),	"RSA_public_decrypt"},
- {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING),	"RSA_setup_blinding"},
-+{ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD),	"RSA_set_default_method"},
-+{ERR_FUNC(RSA_F_RSA_SET_METHOD),	"RSA_set_method"},
- {ERR_FUNC(RSA_F_RSA_SIGN),	"RSA_sign"},
- {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),	"RSA_sign_ASN1_OCTET_STRING"},
- {ERR_FUNC(RSA_F_RSA_VERIFY),	"RSA_verify"},
-@@ -155,10 +159,12 @@ static ERR_STRING_DATA RSA_str_reasons[]
- {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL)    ,"key size too small"},
- {ERR_REASON(RSA_R_LAST_OCTET_INVALID)    ,"last octet invalid"},
- {ERR_REASON(RSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
-+{ERR_REASON(RSA_R_NON_FIPS_METHOD)       ,"non fips method"},
- {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT)    ,"no public exponent"},
- {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
- {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
- {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
-+{ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"},
- {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
- {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
- {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
-diff -up openssl-1.0.0k/crypto/rsa/rsa_gen.c.fips openssl-1.0.0k/crypto/rsa/rsa_gen.c
---- openssl-1.0.0k/crypto/rsa/rsa_gen.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rsa/rsa_gen.c	2013-02-19 20:12:54.602665009 +0100
-@@ -67,6 +67,82 @@
- #include "cryptlib.h"
- #include <openssl/bn.h>
- #include <openssl/rsa.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/fips.h>
-+#include "fips_locl.h"
-+
-+static int fips_rsa_pairwise_fail = 0;
-+
-+void FIPS_corrupt_rsa_keygen(void)
-+	{
-+	fips_rsa_pairwise_fail = 1;
-+	}
-+
-+int fips_check_rsa(RSA *rsa)
-+	{
-+	const unsigned char tbs[] = "RSA Pairwise Check Data";
-+	unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+	int len, ret = 0;
-+	EVP_PKEY *pk;
-+
-+	if ((pk=EVP_PKEY_new()) == NULL)
-+		goto err;
-+
-+	EVP_PKEY_set1_RSA(pk, rsa);
-+
-+	/* Perform pairwise consistency signature test */
-+	if (!fips_pkey_signature_test(pk, tbs, -1,
-+			NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
-+		|| !fips_pkey_signature_test(pk, tbs, -1,
-+			NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL)
-+		|| !fips_pkey_signature_test(pk, tbs, -1,
-+			NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL))
-+		goto err;
-+	/* Now perform pairwise consistency encrypt/decrypt test */
-+	ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+	if (!ctbuf)
-+		goto err;
-+
-+	len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, RSA_PKCS1_PADDING);
-+	if (len <= 0)
-+		goto err;
-+	/* Check ciphertext doesn't match plaintext */
-+	if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
-+		goto err;
-+	ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+
-+	if (!ptbuf)
-+		goto err;
-+	len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+	if (len != (sizeof(tbs) - 1))
-+		goto err;
-+	if (memcmp(ptbuf, tbs, len))
-+		goto err;
-+
-+	ret = 1;
-+
-+	if (!ptbuf)
-+		goto err;
-+	
-+	err:
-+	if (ret == 0)
-+		{
-+		fips_set_selftest_fail();
-+		FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
-+		}
-+
-+	if (ctbuf)
-+		OPENSSL_free(ctbuf);
-+	if (ptbuf)
-+		OPENSSL_free(ptbuf);
-+	if (pk)
-+		EVP_PKEY_free(pk);
-+
-+	return ret;
-+	}
-+#endif
- 
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
- 
-@@ -90,6 +166,23 @@ static int rsa_builtin_keygen(RSA *rsa,
- 	int bitsp,bitsq,ok= -1,n=0;
- 	BN_CTX *ctx=NULL;
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode())
-+		{
-+		if(FIPS_selftest_failed())
-+	    	{
-+		    FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED);
-+	    	return 0;
-+	    	}
-+
-+		if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
-+		    {
-+		    FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
-+		    return 0;
-+			}
-+		}
-+#endif
-+
- 	ctx=BN_CTX_new();
- 	if (ctx == NULL) goto err;
- 	BN_CTX_start(ctx);
-@@ -201,6 +294,17 @@ static int rsa_builtin_keygen(RSA *rsa,
- 		p = rsa->p;
- 	if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode())
-+		{
-+		if (fips_rsa_pairwise_fail)
-+			BN_add_word(rsa->n, 1);
-+
-+		if(!fips_check_rsa(rsa))
-+		    goto err;
-+		}
-+#endif
-+
- 	ok=1;
- err:
- 	if (ok == -1)
-diff -up openssl-1.0.0k/crypto/rsa/rsa.h.fips openssl-1.0.0k/crypto/rsa/rsa.h
---- openssl-1.0.0k/crypto/rsa/rsa.h.fips	2013-02-19 20:12:54.354660303 +0100
-+++ openssl-1.0.0k/crypto/rsa/rsa.h	2013-02-19 20:12:54.602665009 +0100
-@@ -74,6 +74,21 @@
- #error RSA is disabled.
- #endif
- 
-+/* If this flag is set the RSA method is FIPS compliant and can be used
-+ * in FIPS mode. This is set in the validated module method. If an
-+ * application sets this flag in its own methods it is its reposibility
-+ * to ensure the result is compliant.
-+ */
-+
-+#define RSA_FLAG_FIPS_METHOD			0x0400
-+
-+/* If this flag is set the operations normally disabled in FIPS mode are
-+ * permitted it is then the applications responsibility to ensure that the
-+ * usage is compliant.
-+ */
-+
-+#define RSA_FLAG_NON_FIPS_ALLOW			0x0400
-+
- #ifdef  __cplusplus
- extern "C" {
- #endif
-@@ -164,6 +179,8 @@ struct rsa_st
- # define OPENSSL_RSA_MAX_MODULUS_BITS	16384
- #endif
- 
-+#define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
-+
- #ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
- # define OPENSSL_RSA_SMALL_MODULUS_BITS	3072
- #endif
-@@ -267,6 +284,11 @@ RSA *	RSA_generate_key(int bits, unsigne
- 
- /* New version */
- int	RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
-+			const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
-+			const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
-+			const BIGNUM *e, BN_GENCB *cb);
-+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb);
- 
- int	RSA_check_key(const RSA *);
- 	/* next 4 return -1 on error */
-@@ -438,8 +460,12 @@ void ERR_load_RSA_strings(void);
- #define RSA_F_RSA_PRINT_FP				 116
- #define RSA_F_RSA_PRIV_DECODE				 137
- #define RSA_F_RSA_PRIV_ENCODE				 138
-+#define RSA_F_RSA_PRIVATE_ENCRYPT			 148
- #define RSA_F_RSA_PUB_DECODE				 139
-+#define RSA_F_RSA_PUBLIC_DECRYPT			 149
- #define RSA_F_RSA_SETUP_BLINDING			 136
-+#define RSA_F_RSA_SET_DEFAULT_METHOD			 150
-+#define RSA_F_RSA_SET_METHOD				 151
- #define RSA_F_RSA_SIGN					 117
- #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING		 118
- #define RSA_F_RSA_VERIFY				 119
-@@ -479,10 +505,12 @@ void ERR_load_RSA_strings(void);
- #define RSA_R_KEY_SIZE_TOO_SMALL			 120
- #define RSA_R_LAST_OCTET_INVALID			 134
- #define RSA_R_MODULUS_TOO_LARGE				 105
-+#define RSA_R_NON_FIPS_METHOD				 149
- #define RSA_R_NO_PUBLIC_EXPONENT			 140
- #define RSA_R_NULL_BEFORE_BLOCK_MISSING			 113
- #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
- #define RSA_R_OAEP_DECODING_ERROR			 121
-+#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE	 150
- #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE	 148
- #define RSA_R_PADDING_CHECK_FAILED			 114
- #define RSA_R_P_NOT_PRIME				 128
-diff -up openssl-1.0.0k/crypto/rsa/rsa_lib.c.fips openssl-1.0.0k/crypto/rsa/rsa_lib.c
---- openssl-1.0.0k/crypto/rsa/rsa_lib.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rsa/rsa_lib.c	2013-02-19 20:12:54.602665009 +0100
-@@ -80,6 +80,13 @@ RSA *RSA_new(void)
- 
- void RSA_set_default_method(const RSA_METHOD *meth)
- 	{
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
-+		{
-+		RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
-+		return;
-+		}
-+#endif
- 	default_RSA_meth = meth;
- 	}
- 
-@@ -111,6 +118,13 @@ int RSA_set_method(RSA *rsa, const RSA_M
- 	/* NB: The caller is specifically setting a method, so it's not up to us
- 	 * to deal with which ENGINE it comes from. */
- 	const RSA_METHOD *mtmp;
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
-+		{
-+		RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
-+		return 0;
-+		}
-+#endif
- 	mtmp = rsa->meth;
- 	if (mtmp->finish) mtmp->finish(rsa);
- #ifndef OPENSSL_NO_ENGINE
-@@ -163,6 +177,18 @@ RSA *RSA_new_method(ENGINE *engine)
- 			}
- 		}
- #endif
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD))
-+		{
-+		RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
-+#ifndef OPENSSL_NO_ENGINE
-+		if (ret->engine)
-+			ENGINE_finish(ret->engine);
-+#endif
-+		OPENSSL_free(ret);
-+		return NULL;
-+		}
-+#endif
- 
- 	ret->pad=0;
- 	ret->version=0;
-@@ -294,6 +320,13 @@ int RSA_public_encrypt(int flen, const u
- int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
- 	     RSA *rsa, int padding)
- 	{
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-+		{
-+		RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-+		return 0;
-+		}
-+#endif
- 	return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
- 	}
- 
-@@ -306,6 +339,13 @@ int RSA_private_decrypt(int flen, const
- int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
- 	     RSA *rsa, int padding)
- 	{
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-+		{
-+		RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-+		return 0;
-+		}
-+#endif
- 	return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
- 	}
- 
-diff -up openssl-1.0.0k/crypto/rsa/rsa_sign.c.fips openssl-1.0.0k/crypto/rsa/rsa_sign.c
---- openssl-1.0.0k/crypto/rsa/rsa_sign.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/rsa/rsa_sign.c	2013-02-19 20:12:54.603665028 +0100
-@@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch
- 		i2d_X509_SIG(&sig,&p);
- 		s=tmps;
- 	}
--	i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
-+	/* NB: call underlying method directly to avoid FIPS blocking */
-+	i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING) : 0;
- 	if (i <= 0)
- 		ret=0;
- 	else
-@@ -161,8 +162,8 @@ int int_rsa_verify(int dtype, const unsi
- 
- 	if((dtype == NID_md5_sha1) && rm)
- 		{
--		i = RSA_public_decrypt((int)siglen,
--					sigbuf,rm,rsa,RSA_PKCS1_PADDING);
-+		i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
-+					sigbuf,rm,rsa,RSA_PKCS1_PADDING) : 0;
- 		if (i <= 0)
- 			return 0;
- 		*prm_len = i;
-@@ -179,7 +180,8 @@ int int_rsa_verify(int dtype, const unsi
- 			RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
- 			goto err;
- 	}
--	i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
-+	/* NB: call underlying method directly to avoid FIPS blocking */
-+	i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING) : 0;
- 
- 	if (i <= 0) goto err;
- 
-diff -up openssl-1.0.0k/crypto/seed/seed.c.fips openssl-1.0.0k/crypto/seed/seed.c
---- openssl-1.0.0k/crypto/seed/seed.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/seed/seed.c	2013-02-19 20:12:54.603665028 +0100
-@@ -34,6 +34,9 @@
- 
- #include <openssl/seed.h>
- #include "seed_locl.h"
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- 
- static const seed_word SS[4][256] = {	{
- 	0x2989a1a8, 0x05858184, 0x16c6d2d4, 0x13c3d3d0, 0x14445054, 0x1d0d111c, 0x2c8ca0ac, 0x25052124,
-@@ -193,7 +196,18 @@ static const seed_word KC[] = {
- 	KC8,	KC9,	KC10,	KC11,	KC12,	KC13,	KC14,	KC15	};
- #endif
- 
-+#ifdef OPENSSL_FIPS
-+void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
-+        {
-+        if (FIPS_mode())
-+                FIPS_BAD_ABORT(SEED)
-+        private_SEED_set_key(rawkey, ks);
-+        }
-+
-+void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
-+#else
- void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
-+#endif
- {
- 	seed_word x1, x2, x3, x4;
- 	seed_word t0, t1;
-diff -up openssl-1.0.0k/crypto/seed/seed.h.fips openssl-1.0.0k/crypto/seed/seed.h
---- openssl-1.0.0k/crypto/seed/seed.h.fips	2013-02-19 20:12:54.022654004 +0100
-+++ openssl-1.0.0k/crypto/seed/seed.h	2013-02-19 20:12:54.603665028 +0100
-@@ -117,6 +117,9 @@ typedef struct seed_key_st {
- } SEED_KEY_SCHEDULE;
- 
- 
-+#ifdef OPENSSL_FIPS
-+void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
-+#endif
- void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
- 
- void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks);
-diff -up openssl-1.0.0k/crypto/sha/sha1dgst.c.fips openssl-1.0.0k/crypto/sha/sha1dgst.c
---- openssl-1.0.0k/crypto/sha/sha1dgst.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/sha/sha1dgst.c	2013-02-19 20:12:54.604665047 +0100
-@@ -63,6 +63,10 @@
- #define SHA_1
- 
- #include <openssl/opensslv.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- 
- const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT;
- 
-diff -up openssl-1.0.0k/crypto/sha/sha256.c.fips openssl-1.0.0k/crypto/sha/sha256.c
---- openssl-1.0.0k/crypto/sha/sha256.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/sha/sha256.c	2013-02-19 20:12:54.604665047 +0100
-@@ -12,12 +12,19 @@
- 
- #include <openssl/crypto.h>
- #include <openssl/sha.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #include <openssl/opensslv.h>
- 
- const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
- 
- int SHA224_Init (SHA256_CTX *c)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 	memset (c,0,sizeof(*c));
- 	c->h[0]=0xc1059ed8UL;	c->h[1]=0x367cd507UL;
- 	c->h[2]=0x3070dd17UL;	c->h[3]=0xf70e5939UL;
-@@ -29,6 +36,9 @@ int SHA224_Init (SHA256_CTX *c)
- 
- int SHA256_Init (SHA256_CTX *c)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- 	memset (c,0,sizeof(*c));
- 	c->h[0]=0x6a09e667UL;	c->h[1]=0xbb67ae85UL;
- 	c->h[2]=0x3c6ef372UL;	c->h[3]=0xa54ff53aUL;
-diff -up openssl-1.0.0k/crypto/sha/sha512.c.fips openssl-1.0.0k/crypto/sha/sha512.c
---- openssl-1.0.0k/crypto/sha/sha512.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/sha/sha512.c	2013-02-19 20:12:54.604665047 +0100
-@@ -5,6 +5,10 @@
-  * ====================================================================
-  */
- #include <openssl/opensslconf.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
- /*
-  * IMPLEMENTATION NOTES.
-@@ -61,6 +65,9 @@ const char SHA512_version[]="SHA-512" OP
- 
- int SHA384_Init (SHA512_CTX *c)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
- 	/* maintain dword order required by assembler module */
- 	unsigned int *h = (unsigned int *)c->h;
-@@ -90,6 +97,9 @@ int SHA384_Init (SHA512_CTX *c)
- 
- int SHA512_Init (SHA512_CTX *c)
- 	{
-+#ifdef OPENSSL_FIPS
-+	FIPS_selftest_check();
-+#endif
- #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
- 	/* maintain dword order required by assembler module */
- 	unsigned int *h = (unsigned int *)c->h;
-diff -up openssl-1.0.0k/crypto/sha/sha_dgst.c.fips openssl-1.0.0k/crypto/sha/sha_dgst.c
---- openssl-1.0.0k/crypto/sha/sha_dgst.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/sha/sha_dgst.c	2013-02-19 20:12:54.603665028 +0100
-@@ -57,6 +57,12 @@
-  */
- 
- #include <openssl/opensslconf.h>
-+#include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-+#include <openssl/err.h>
- #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
- 
- #undef  SHA_1
-diff -up openssl-1.0.0k/crypto/sha/sha.h.fips openssl-1.0.0k/crypto/sha/sha.h
---- openssl-1.0.0k/crypto/sha/sha.h.fips	2013-02-19 20:12:53.892651535 +0100
-+++ openssl-1.0.0k/crypto/sha/sha.h	2013-02-19 20:12:54.603665028 +0100
-@@ -106,6 +106,9 @@ typedef struct SHAstate_st
- 	} SHA_CTX;
- 
- #ifndef OPENSSL_NO_SHA0
-+#ifdef OPENSSL_FIPS
-+int private_SHA_Init(SHA_CTX *c);
-+#endif
- int SHA_Init(SHA_CTX *c);
- int SHA_Update(SHA_CTX *c, const void *data, size_t len);
- int SHA_Final(unsigned char *md, SHA_CTX *c);
-diff -up openssl-1.0.0k/crypto/sha/sha_locl.h.fips openssl-1.0.0k/crypto/sha/sha_locl.h
---- openssl-1.0.0k/crypto/sha/sha_locl.h.fips	2013-02-19 20:12:53.897651631 +0100
-+++ openssl-1.0.0k/crypto/sha/sha_locl.h	2013-02-19 20:12:54.603665028 +0100
-@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c,
- #define INIT_DATA_h3 0x10325476UL
- #define INIT_DATA_h4 0xc3d2e1f0UL
- 
-+#if defined(SHA_0) && defined(OPENSSL_FIPS)
-+FIPS_NON_FIPS_MD_Init(SHA)
-+#else
- int HASH_INIT (SHA_CTX *c)
-+#endif
- 	{
-+#if defined(SHA_1) && defined(OPENSSL_FIPS)
-+	FIPS_selftest_check();
-+#endif
- 	memset (c,0,sizeof(*c));
- 	c->h0=INIT_DATA_h0;
- 	c->h1=INIT_DATA_h1;
-diff -up openssl-1.0.0k/crypto/whrlpool/whrlpool.h.fips openssl-1.0.0k/crypto/whrlpool/whrlpool.h
---- openssl-1.0.0k/crypto/whrlpool/whrlpool.h.fips	2013-02-19 20:12:54.187657134 +0100
-+++ openssl-1.0.0k/crypto/whrlpool/whrlpool.h	2013-02-19 20:12:54.604665047 +0100
-@@ -24,6 +24,9 @@ typedef struct	{
- 	} WHIRLPOOL_CTX;
- 
- #ifndef OPENSSL_NO_WHIRLPOOL
-+#ifdef OPENSSL_FIPS
-+int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c);
-+#endif
- int WHIRLPOOL_Init	(WHIRLPOOL_CTX *c);
- int WHIRLPOOL_Update	(WHIRLPOOL_CTX *c,const void *inp,size_t bytes);
- void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits);
-diff -up openssl-1.0.0k/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.0k/crypto/whrlpool/wp_dgst.c
---- openssl-1.0.0k/crypto/whrlpool/wp_dgst.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/crypto/whrlpool/wp_dgst.c	2013-02-19 20:12:54.604665047 +0100
-@@ -53,8 +53,12 @@
- 
- #include "wp_locl.h"
- #include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
- 
--int WHIRLPOOL_Init	(WHIRLPOOL_CTX *c)
-+FIPS_NON_FIPS_MD_Init(WHIRLPOOL)
- 	{
- 	memset (c,0,sizeof(*c));
- 	return(1);
-diff -up openssl-1.0.0k/Makefile.org.fips openssl-1.0.0k/Makefile.org
---- openssl-1.0.0k/Makefile.org.fips	2013-02-19 20:12:54.544663908 +0100
-+++ openssl-1.0.0k/Makefile.org	2013-02-19 20:12:54.604665047 +0100
-@@ -110,6 +110,9 @@ LIBKRB5=
- ZLIB_INCLUDE=
- LIBZLIB=
- 
-+# Non-empty if FIPS enabled
-+FIPS=
-+
- DIRS=   crypto ssl engines apps test tools
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
-@@ -122,7 +125,7 @@ SDIRS=  \
- 	bn ec rsa dsa ecdsa dh ecdh dso engine \
- 	buffer bio stack lhash rand err \
- 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
--	cms pqueue ts jpake store
-+	cms pqueue ts jpake store fips
- # keep in mind that the above list is adjusted by ./Configure
- # according to no-xxx arguments...
- 
-@@ -206,6 +209,7 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESS
- 		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
- 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
- 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
-+		FIPS="$${FIPS:-$(FIPS)}"	\
- 		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
- # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
- # which in turn eliminates ambiguities in variable treatment with -e.
-diff -up openssl-1.0.0k/ssl/s23_clnt.c.fips openssl-1.0.0k/ssl/s23_clnt.c
---- openssl-1.0.0k/ssl/s23_clnt.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/ssl/s23_clnt.c	2013-02-19 20:12:54.607665104 +0100
-@@ -334,6 +334,14 @@ static int ssl23_client_hello(SSL *s)
- 			version_major = TLS1_VERSION_MAJOR;
- 			version_minor = TLS1_VERSION_MINOR;
- 			}
-+#ifdef OPENSSL_FIPS
-+		else if(FIPS_mode())
-+			{
-+			SSLerr(SSL_F_SSL23_CLIENT_HELLO,
-+					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-+			return -1;
-+			}
-+#endif
- 		else if (version == SSL3_VERSION)
- 			{
- 			version_major = SSL3_VERSION_MAJOR;
-@@ -617,6 +625,14 @@ static int ssl23_get_server_hello(SSL *s
- 		if ((p[2] == SSL3_VERSION_MINOR) &&
- 			!(s->options & SSL_OP_NO_SSLv3))
- 			{
-+#ifdef OPENSSL_FIPS
-+			if(FIPS_mode())
-+				{
-+				SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
-+					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-+				goto err;
-+				}
-+#endif
- 			s->version=SSL3_VERSION;
- 			s->method=SSLv3_client_method();
- 			}
-diff -up openssl-1.0.0k/ssl/s23_srvr.c.fips openssl-1.0.0k/ssl/s23_srvr.c
---- openssl-1.0.0k/ssl/s23_srvr.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/ssl/s23_srvr.c	2013-02-19 20:12:54.607665104 +0100
-@@ -393,6 +393,15 @@ int ssl23_get_client_hello(SSL *s)
- 			}
- 		}
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode() && (s->version < TLS1_VERSION))
-+		{
-+		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
-+					SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-+		goto err;
-+		}
-+#endif
-+
- 	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
- 		{
- 		/* we have SSLv3/TLSv1 in an SSLv2 header
-diff -up openssl-1.0.0k/ssl/s3_clnt.c.fips openssl-1.0.0k/ssl/s3_clnt.c
---- openssl-1.0.0k/ssl/s3_clnt.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/ssl/s3_clnt.c	2013-02-19 20:12:54.608665123 +0100
-@@ -156,6 +156,10 @@
- #include <openssl/objects.h>
- #include <openssl/evp.h>
- #include <openssl/md5.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #ifndef OPENSSL_NO_DH
- #include <openssl/dh.h>
- #endif
-@@ -1559,6 +1563,8 @@ int ssl3_get_key_exchange(SSL *s)
- 			q=md_buf;
- 			for (num=2; num > 0; num--)
- 				{
-+				EVP_MD_CTX_set_flags(&md_ctx,
-+					EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- 				EVP_DigestInit_ex(&md_ctx,(num == 2)
- 					?s->ctx->md5:s->ctx->sha1, NULL);
- 				EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-diff -up openssl-1.0.0k/ssl/s3_enc.c.fips openssl-1.0.0k/ssl/s3_enc.c
---- openssl-1.0.0k/ssl/s3_enc.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/ssl/s3_enc.c	2013-02-19 20:12:54.609665142 +0100
-@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *
- #endif
- 	k=0;
- 	EVP_MD_CTX_init(&m5);
-+	EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- 	EVP_MD_CTX_init(&s1);
- 	for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
- 		{
-@@ -609,6 +610,8 @@ int ssl3_digest_cached_records(SSL *s)
- 		if ((mask & s->s3->tmp.new_cipher->algorithm2) && md) 
- 			{
- 			s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
-+			EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
-+				EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- 			EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
- 			EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
- 			} 
-@@ -665,6 +668,7 @@ static int ssl3_handshake_mac(SSL *s, in
- 		return 0;
- 	}	
- 	EVP_MD_CTX_init(&ctx);
-+	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- 	EVP_MD_CTX_copy_ex(&ctx,d);
- 	n=EVP_MD_CTX_size(&ctx);
- 	if (n < 0)
-diff -up openssl-1.0.0k/ssl/s3_srvr.c.fips openssl-1.0.0k/ssl/s3_srvr.c
---- openssl-1.0.0k/ssl/s3_srvr.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/ssl/s3_srvr.c	2013-02-19 20:12:54.609665142 +0100
-@@ -1779,6 +1779,8 @@ int ssl3_send_server_key_exchange(SSL *s
- 				j=0;
- 				for (num=2; num > 0; num--)
- 					{
-+					EVP_MD_CTX_set_flags(&md_ctx,
-+						EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- 					EVP_DigestInit_ex(&md_ctx,(num == 2)
- 						?s->ctx->md5:s->ctx->sha1, NULL);
- 					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-diff -up openssl-1.0.0k/ssl/ssl_ciph.c.fips openssl-1.0.0k/ssl/ssl_ciph.c
---- openssl-1.0.0k/ssl/ssl_ciph.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/ssl/ssl_ciph.c	2013-02-19 20:12:54.605665066 +0100
-@@ -728,6 +728,9 @@ static void ssl_cipher_collect_ciphers(c
- 		    !(c->algorithm_auth & disabled_auth) &&
- 		    !(c->algorithm_enc & disabled_enc) &&
- 		    !(c->algorithm_mac & disabled_mac) &&
-+#ifdef OPENSSL_FIPS
-+			(!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-+#endif
- 		    !(c->algorithm_ssl & disabled_ssl))
- 			{
- 			co_list[co_list_num].cipher = c;
-@@ -1423,7 +1426,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- 	 */
- 	for (curr = head; curr != NULL; curr = curr->next)
- 		{
-+#ifdef OPENSSL_FIPS
-+		if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-+#else
- 		if (curr->active)
-+#endif
- 			{
- 			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
- #ifdef CIPHER_DEBUG
-diff -up openssl-1.0.0k/ssl/ssl_lib.c.fips openssl-1.0.0k/ssl/ssl_lib.c
---- openssl-1.0.0k/ssl/ssl_lib.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/ssl/ssl_lib.c	2013-02-19 20:12:54.605665066 +0100
-@@ -1526,6 +1526,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- 		return(NULL);
- 		}
- 
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode() && (meth->version < TLS1_VERSION))	
-+		{
-+		SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-+		return NULL;
-+		}
-+#endif
-+
- 	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
- 		{
- 		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
-diff -up openssl-1.0.0k/ssl/ssltest.c.fips openssl-1.0.0k/ssl/ssltest.c
---- openssl-1.0.0k/ssl/ssltest.c.fips	2013-02-19 20:12:54.542663869 +0100
-+++ openssl-1.0.0k/ssl/ssltest.c	2013-02-19 20:12:54.606665085 +0100
-@@ -268,6 +268,9 @@ static void sv_usage(void)
- 	{
- 	fprintf(stderr,"usage: ssltest [args ...]\n");
- 	fprintf(stderr,"\n");
-+#ifdef OPENSSL_FIPS
-+	fprintf(stderr,"-F             - run test in FIPS mode\n");
-+#endif
- 	fprintf(stderr," -server_auth  - check server certificate\n");
- 	fprintf(stderr," -client_auth  - do client authentication\n");
- 	fprintf(stderr," -proxy        - allow proxy certificates\n");
-@@ -487,6 +490,9 @@ int main(int argc, char *argv[])
- #endif
- 	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
- 	int test_cipherlist = 0;
-+#ifdef OPENSSL_FIPS
-+	int fips_mode=0;
-+#endif
- 
- 	verbose = 0;
- 	debug = 0;
-@@ -518,7 +524,16 @@ int main(int argc, char *argv[])
- 
- 	while (argc >= 1)
- 		{
--		if	(strcmp(*argv,"-server_auth") == 0)
-+		if(!strcmp(*argv,"-F"))
-+			{
-+#ifdef OPENSSL_FIPS
-+			fips_mode=1;
-+#else
-+			fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
-+			EXIT(0);
-+#endif
-+			}
-+		else if	(strcmp(*argv,"-server_auth") == 0)
- 			server_auth=1;
- 		else if	(strcmp(*argv,"-client_auth") == 0)
- 			client_auth=1;
-@@ -714,6 +729,20 @@ bad:
- 		EXIT(1);
- 		}
- 
-+#ifdef OPENSSL_FIPS
-+	if(fips_mode)
-+		{
-+		if(!FIPS_mode_set(1))
-+			{
-+			ERR_load_crypto_strings();
-+			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-+			EXIT(1);
-+			}
-+		else
-+			fprintf(stderr,"*** IN FIPS MODE ***\n");
-+		}
-+#endif
-+
- 	if (print_time)
- 		{
- 		if (!bio_pair)
-@@ -2153,12 +2182,12 @@ static int MS_CALLBACK app_verify_callba
- 		}
- 
- #ifndef OPENSSL_NO_X509_VERIFY
--# ifdef OPENSSL_FIPS
-+# if 0
- 	if(s->version == TLS1_VERSION)
- 		FIPS_allow_md5(1);
- # endif
- 	ok = X509_verify_cert(ctx);
--# ifdef OPENSSL_FIPS
-+# if 0
- 	if(s->version == TLS1_VERSION)
- 		FIPS_allow_md5(0);
- # endif
-diff -up openssl-1.0.0k/ssl/t1_enc.c.fips openssl-1.0.0k/ssl/t1_enc.c
---- openssl-1.0.0k/ssl/t1_enc.c.fips	2013-02-05 12:58:46.000000000 +0100
-+++ openssl-1.0.0k/ssl/t1_enc.c	2013-02-19 20:12:54.610665161 +0100
-@@ -170,6 +170,8 @@ static int tls1_P_hash(const EVP_MD *md,
- 
- 	HMAC_CTX_init(&ctx);
- 	HMAC_CTX_init(&ctx_tmp);
-+	HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-+	HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- 	if (!HMAC_Init_ex(&ctx,sec,sec_len,md, NULL))
- 		goto err;
- 	if (!HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL))
Index: trunk/server/common/patches/openssl-1.0.0n-ipv6-apps.patch
===================================================================
--- trunk/server/common/patches/openssl-1.0.0n-ipv6-apps.patch	(revision 2581)
+++ 	(revision )
@@ -1,499 +1,0 @@
-diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
---- openssl-1.0.0b/apps/s_apps.h.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
-+++ openssl-1.0.0b/apps/s_apps.h	2010-11-16 17:19:29.000000000 +0100
-@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
- #define PORT_STR        "4433"
- #define PROTOCOL        "tcp"
- 
--int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
-+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
- #ifdef HEADER_X509_H
- int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
- #endif
-@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, 
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, char *port, int type);
- int should_retry(int i);
--int extract_port(char *str, short *port_ptr);
--int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
-+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
- 
- long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
- 				   int argi, long argl, long ret);
-diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
---- openssl-1.0.0b/apps/s_client.c.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
-+++ openssl-1.0.0b/apps/s_client.c	2010-11-16 17:19:29.000000000 +0100
-@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
- 	int cbuf_len,cbuf_off;
- 	int sbuf_len,sbuf_off;
- 	fd_set readfds,writefds;
--	short port=PORT;
-+	char *port_str = PORT_STR;
- 	int full_log=1;
- 	char *host=SSL_HOST_NAME;
- 	char *cert_file=NULL,*key_file=NULL;
-@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
- 		else if	(strcmp(*argv,"-port") == 0)
- 			{
- 			if (--argc < 1) goto bad;
--			port=atoi(*(++argv));
--			if (port == 0) goto bad;
-+			port_str= *(++argv);
- 			}
- 		else if (strcmp(*argv,"-connect") == 0)
- 			{
- 			if (--argc < 1) goto bad;
--			if (!extract_host_port(*(++argv),&host,NULL,&port))
-+			if (!extract_host_port(*(++argv),&host,&port_str))
- 				goto bad;
- 			}
- 		else if	(strcmp(*argv,"-verify") == 0)
-@@ -967,7 +966,7 @@ bad:
- 
- re_start:
- 
--	if (init_client(&s,host,port,socket_type) == 0)
-+	if (init_client(&s,host,port_str,socket_type) == 0)
- 		{
- 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
- 		SHUTDOWN(s);
-diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
---- openssl-1.0.0b/apps/s_server.c.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
-+++ openssl-1.0.0b/apps/s_server.c	2010-11-16 17:19:29.000000000 +0100
-@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
- 	{
- 	X509_VERIFY_PARAM *vpm = NULL;
- 	int badarg = 0;
--	short port=PORT;
-+	char *port_str = PORT_STR;
- 	char *CApath=NULL,*CAfile=NULL;
- 	unsigned char *context = NULL;
- 	char *dhfile = NULL;
-@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
- 			 (strcmp(*argv,"-accept") == 0))
- 			{
- 			if (--argc < 1) goto bad;
--			if (!extract_port(*(++argv),&port))
--				goto bad;
-+			port_str= *(++argv);
- 			}
- 		else if	(strcmp(*argv,"-verify") == 0)
- 			{
-@@ -1700,9 +1699,9 @@ bad:
- 	BIO_printf(bio_s_out,"ACCEPT\n");
- 	(void)BIO_flush(bio_s_out);
- 	if (www)
--		do_server(port,socket_type,&accept_socket,www_body, context);
-+		do_server(port_str,socket_type,&accept_socket,www_body, context);
- 	else
--		do_server(port,socket_type,&accept_socket,sv_body, context);
-+		do_server(port_str,socket_type,&accept_socket,sv_body, context);
- 	print_stats(bio_s_out,ctx);
- 	ret=0;
- end:
-diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
---- openssl-1.0.0b/apps/s_socket.c.ipv6-apps	2010-07-05 13:03:22.000000000 +0200
-+++ openssl-1.0.0b/apps/s_socket.c	2010-11-16 17:27:18.000000000 +0100
-@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
- static void ssl_sock_cleanup(void);
- #endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port,char *ip, int type);
-+static int init_server(int *sock, char *port, int type);
- static int do_accept(int acc_sock, int *sock, char **host);
- static int host_ip(char *str, unsigned char ip[4]);
- 
-@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
- 	return(1);
- 	}
- 
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, char *port, int type)
- 	{
--	unsigned char ip[4];
--
--	if (!host_ip(host,&(ip[0])))
--		{
--		return(0);
--		}
--	return(init_client_ip(sock,ip,port,type));
--	}
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
--	{
--	unsigned long addr;
--	struct sockaddr_in them;
--	int s,i;
-+	struct addrinfo *res, *res0, hints;
-+	char * failed_call = NULL;
-+	int s;
-+	int e;
- 
- 	if (!ssl_sock_init()) return(0);
- 
--	memset((char *)&them,0,sizeof(them));
--	them.sin_family=AF_INET;
--	them.sin_port=htons((unsigned short)port);
--	addr=(unsigned long)
--		((unsigned long)ip[0]<<24L)|
--		((unsigned long)ip[1]<<16L)|
--		((unsigned long)ip[2]<< 8L)|
--		((unsigned long)ip[3]);
--	them.sin_addr.s_addr=htonl(addr);
--
--	if (type == SOCK_STREAM)
--		s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
--	else /* ( type == SOCK_DGRAM) */
--		s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
--			
--	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
-+	memset(&hints, '\0', sizeof(hints));
-+	hints.ai_socktype = type;
-+	hints.ai_flags = AI_ADDRCONFIG;
-+
-+	e = getaddrinfo(host, port, &hints, &res);
-+	if (e)
-+	{
-+		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+		if (e == EAI_SYSTEM)
-+			perror("getaddrinfo");
-+		return (0);
-+		}
- 
-+	res0 = res;
-+	while (res)
-+		{
-+		s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+		if (s == INVALID_SOCKET)
-+			{
-+			failed_call = "socket";
-+			goto nextres;
-+			}
- #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
- 	if (type == SOCK_STREAM)
- 		{
--		i=0;
--		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
--		if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
-+			int i=0;
-+			i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
-+				(char *)&i,sizeof(i));
-+			if (i < 0) {
-+				failed_call = "keepalive";
-+				goto nextres;
-+				}
- 		}
- #endif
--
--	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
--		{ closesocket(s); perror("connect"); return(0); }
-+		if (connect(s,(struct sockaddr *)res->ai_addr,
-+			res->ai_addrlen) == 0)
-+			{
-+			freeaddrinfo(res0);
- 	*sock=s;
- 	return(1);
- 	}
- 
--int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
-+		failed_call = "socket";
-+nextres:
-+		if (s != INVALID_SOCKET)
-+			close(s);
-+		res = res->ai_next;
-+		}
-+	freeaddrinfo(res0);
-+
-+	perror(failed_call);
-+	return(0);
-+	}
-+
-+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
- 	{
- 	int sock;
- 	char *name = NULL;
-@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
- 		}
- 	}
- 
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server(int *sock, char *port, int type)
- 	{
--	int ret=0;
--	struct sockaddr_in server;
--	int s= -1;
-+	struct addrinfo *res, *res0, hints;
-+	char * failed_call = NULL;
-+	char port_name[8];
-+	int s;
-+	int e;
- 
- 	if (!ssl_sock_init()) return(0);
- 
--	memset((char *)&server,0,sizeof(server));
--	server.sin_family=AF_INET;
--	server.sin_port=htons((unsigned short)port);
--	if (ip == NULL)
--		server.sin_addr.s_addr=INADDR_ANY;
--	else
--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
--#ifndef BIT_FIELD_LIMITS
--		memcpy(&server.sin_addr.s_addr,ip,4);
--#else
--		memcpy(&server.sin_addr,ip,4);
--#endif
-+	memset(&hints, '\0', sizeof(hints));
-+	hints.ai_socktype = type;
-+	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
- 	
--		if (type == SOCK_STREAM)
--			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
--		else /* type == SOCK_DGRAM */
--			s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
-+	e = getaddrinfo(NULL, port, &hints, &res);
-+	if (e)
-+		{
-+		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+		if (e == EAI_SYSTEM)
-+			perror("getaddrinfo");
-+		return (0);
-+		}
- 
--	if (s == INVALID_SOCKET) goto err;
-+	res0 = res;
-+	while (res)
-+		{
-+		s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+		if (s == INVALID_SOCKET)
-+			{
-+			failed_call = "socket";
-+			goto nextres;
-+			}
- #if defined SOL_SOCKET && defined SO_REUSEADDR
- 		{
- 		int j = 1;
-@@ -357,35 +372,39 @@ static int init_server_long(int *sock, i
- 			   (void *) &j, sizeof j);
- 		}
- #endif
--	if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
-+
-+		if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
- 		{
--#ifndef OPENSSL_SYS_WINDOWS
--		perror("bind");
--#endif
--		goto err;
-+			failed_call = "bind";
-+			goto nextres;
- 		}
--	/* Make it 128 for linux */
--	if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
--	*sock=s;
--	ret=1;
--err:
--	if ((ret == 0) && (s != -1))
-+		if (type==SOCK_STREAM && listen(s,128) == -1)
- 		{
--		SHUTDOWN(s);
-+			failed_call = "listen";
-+			goto nextres;
- 		}
--	return(ret);
-+
-+		*sock=s;
-+		return(1);
-+
-+nextres:
-+		if (s != INVALID_SOCKET)
-+			close(s);
-+		res = res->ai_next;
- 	}
-+	freeaddrinfo(res0);
- 
--static int init_server(int *sock, int port, int type)
--	{
--	return(init_server_long(sock, port, NULL, type));
-+	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
-+
-+	perror(failed_call);
-+	return(0);
- 	}
- 
- static int do_accept(int acc_sock, int *sock, char **host)
- 	{
-+	static struct sockaddr_storage from;
-+	char buffer[NI_MAXHOST];
- 	int ret;
--	struct hostent *h1,*h2;
--	static struct sockaddr_in from;
- 	int len;
- /*	struct linger ling; */
- 
-@@ -432,138 +451,59 @@ redoit:
- */
- 
- 	if (host == NULL) goto end;
--#ifndef BIT_FIELD_LIMITS
--	/* I should use WSAAsyncGetHostByName() under windows */
--	h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
--		sizeof(from.sin_addr.s_addr),AF_INET);
--#else
--	h1=gethostbyaddr((char *)&from.sin_addr,
--		sizeof(struct in_addr),AF_INET);
--#endif
--	if (h1 == NULL)
-+
-+	if (getnameinfo((struct sockaddr *)&from, sizeof(from),
-+		buffer, sizeof(buffer),
-+		NULL, 0, 0))
- 		{
--		BIO_printf(bio_err,"bad gethostbyaddr\n");
-+		BIO_printf(bio_err,"getnameinfo failed\n");
- 		*host=NULL;
- 		/* return(0); */
- 		}
- 	else
- 		{
--		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
-+		if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
- 			{
- 			perror("OPENSSL_malloc");
- 			closesocket(ret);
- 			return(0);
- 			}
--		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
--
--		h2=GetHostByName(*host);
--		if (h2 == NULL)
--			{
--			BIO_printf(bio_err,"gethostbyname failure\n");
--			closesocket(ret);
--			return(0);
--			}
--		if (h2->h_addrtype != AF_INET)
--			{
--			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
--			closesocket(ret);
--			return(0);
--			}
-+		strcpy(*host, buffer);
- 		}
- end:
- 	*sock=ret;
- 	return(1);
- 	}
- 
--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
--	     short *port_ptr)
-+int extract_host_port(char *str, char **host_ptr, 
-+	     char **port_ptr)
- 	{
--	char *h,*p;
-+	char *h,*p,*x;
- 
--	h=str;
--	p=strchr(str,':');
-+	x=h=str;
-+	if (*h == '[')
-+		{
-+		h++;
-+		p=strchr(h,']');
- 	if (p == NULL)
- 		{
--		BIO_printf(bio_err,"no port defined\n");
-+			BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
- 		return(0);
- 		}
- 	*(p++)='\0';
--
--	if ((ip != NULL) && !host_ip(str,ip))
--		goto err;
--	if (host_ptr != NULL) *host_ptr=h;
--
--	if (!extract_port(p,port_ptr))
--		goto err;
--	return(1);
--err:
--	return(0);
-+		x = p;
- 	}
--
--static int host_ip(char *str, unsigned char ip[4])
--	{
--	unsigned int in[4]; 
--	int i;
--
--	if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
--		{
--		for (i=0; i<4; i++)
--			if (in[i] > 255)
--				{
--				BIO_printf(bio_err,"invalid IP address\n");
--				goto err;
--				}
--		ip[0]=in[0];
--		ip[1]=in[1];
--		ip[2]=in[2];
--		ip[3]=in[3];
--		}
--	else
--		{ /* do a gethostbyname */
--		struct hostent *he;
--
--		if (!ssl_sock_init()) return(0);
--
--		he=GetHostByName(str);
--		if (he == NULL)
--			{
--			BIO_printf(bio_err,"gethostbyname failure\n");
--			goto err;
--			}
--		/* cast to short because of win16 winsock definition */
--		if ((short)he->h_addrtype != AF_INET)
-+	p=strchr(x,':');
-+	if (p == NULL)
- 			{
--			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
--			return(0);
--			}
--		ip[0]=he->h_addr_list[0][0];
--		ip[1]=he->h_addr_list[0][1];
--		ip[2]=he->h_addr_list[0][2];
--		ip[3]=he->h_addr_list[0][3];
--		}
--	return(1);
--err:
-+		BIO_printf(bio_err,"no port defined\n");
- 	return(0);
- 	}
-+	*(p++)='\0';
- 
--int extract_port(char *str, short *port_ptr)
--	{
--	int i;
--	struct servent *s;
-+	if (host_ptr != NULL) *host_ptr=h;
-+	if (port_ptr != NULL) *port_ptr=p;
- 
--	i=atoi(str);
--	if (i != 0)
--		*port_ptr=(unsigned short)i;
--	else
--		{
--		s=getservbyname(str,"tcp");
--		if (s == NULL)
--			{
--			BIO_printf(bio_err,"getservbyname failure for %s\n",str);
--			return(0);
--			}
--		*port_ptr=ntohs((unsigned short)s->s_port);
--		}
- 	return(1);
- 	}
- 
Index: trunk/server/common/patches/openssl-1.0.0n-version.patch
===================================================================
--- trunk/server/common/patches/openssl-1.0.0n-version.patch	(revision 2581)
+++ 	(revision )
@@ -1,21 +1,0 @@
-diff -up openssl-1.0.0k/crypto/opensslv.h.version openssl-1.0.0k/crypto/opensslv.h
---- openssl-1.0.0k/crypto/opensslv.h.version	2013-02-19 21:12:26.903472656 +0100
-+++ openssl-1.0.0k/crypto/opensslv.h	2013-02-19 21:14:35.613100870 +0100
-@@ -25,7 +25,7 @@
-  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
-  *  major minor fix final patch/beta)
-  */
--#define OPENSSL_VERSION_NUMBER	0x100000efL
-+#define OPENSSL_VERSION_NUMBER	0x10000003L
- #ifdef OPENSSL_FIPS
- #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0n-fips 6 Aug 2014"
- #else
-@@ -83,7 +83,7 @@
-  * should only keep the versions that are binary compatible with the current.
-  */
- #define SHLIB_VERSION_HISTORY ""
--#define SHLIB_VERSION_NUMBER "1.0.0"
-+#define SHLIB_VERSION_NUMBER "1.0.0n"
- 
- 
- #endif /* HEADER_OPENSSLV_H */
Index: trunk/server/common/patches/python-authkit.patch
===================================================================
--- trunk/server/common/patches/python-authkit.patch	(revision 2591)
+++ trunk/server/common/patches/python-authkit.patch	(revision 2591)
@@ -0,0 +1,31 @@
+--- a/setup.py	2014-08-27 21:13:54.239160546 -0400
++++ b/setup.py	2014-08-27 21:14:11.988111062 -0400
+@@ -39,7 +39,7 @@
+     install_requires = [
+         "Paste>=1.4", "nose>=0.9.2", "PasteDeploy>=1.1", "Beaker>=1.1",
+         "PasteScript>=1.1", "python-openid>=2.1.1", 
+-        "elementtree>=1.2,<=1.3", "decorator>=2.1.0",
++        "decorator>=2.1.0",
+         "WebOb>=0.9.3",
+     ],
+     extras_require = {
+--- a/authkit/authenticate/sso/api.py	2014-08-27 21:13:40.388419051 -0400
++++ b/authkit/authenticate/sso/api.py	2014-08-27 21:14:40.659645804 -0400
+@@ -13,7 +13,7 @@
+ """
+ import logging
+ 
+-from elementtree import ElementTree
++import xml.etree.cElementTree as ElementTree
+ from paste.request import construct_url
+ from paste.util.converters import asbool
+ from paste.httpexceptions import HTTPNotFound, HTTPSeeOther, HTTPForbidden
+--- a/AuthKit.egg-info/requires.txt	2014-08-27 21:13:48.095831831 -0400
++++ b/AuthKit.egg-info/requires.txt	2014-08-27 21:20:35.238637909 -0400
+@@ -4,7 +4,6 @@
+ Beaker>=1.1
+ PasteScript>=1.1
+ python-openid>=2.1.1
+-elementtree>=1.2,<=1.3
+ decorator>=2.1.0
+ WebOb>=0.9.3
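Review bot: The new import in the `authkit/authenticate/sso/api.py` hunk, `import xml.etree.cElementTree as ElementTree`, hands SSO parsing to the standard-library parser, which the Python documentation describes as not hardened against maliciously constructed XML (entity-expansion payloads can exhaust memory or CPU). The hunk shows only the import, so it cannot be confirmed from here whether the parsed documents always come from a trusted identity provider over an authenticated channel; if a client can influence them, a hardened parser such as `defusedxml` or a size limit before parsing is worth a follow-up. At minimum I would record the assumption next to the import with `# stdlib ElementTree: input must come from the trusted SSO endpoint; not hardened against entity-expansion XML`. Separately, `xml.etree.cElementTree` is only an accelerator alias, so a `try`/`except ImportError` fallback to `xml.etree.ElementTree` would keep the module importable on interpreters that do not ship it.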
Index: trunk/server/common/patches/rubygems-rails-require-thread.patch
===================================================================
--- trunk/server/common/patches/rubygems-rails-require-thread.patch	(revision 2581)
+++ 	(revision )
@@ -1,13 +1,0 @@
---- a/lib/rubygems.rb.orig	2011-11-04 14:20:28.000000000 -0400
-+++ b/lib/rubygems.rb	2011-11-04 14:22:00.000000000 -0400
-@@ -30,6 +30,10 @@
- require 'rbconfig'
- require "rubygems/deprecate"
- 
-+# HACK: this is here just for rails, see
-+# http://stackoverflow.com/questions/5176782/uninitialized-constant-activesupportdependenciesmutex-nameerror
-+require "thread"
-+
- ##
- # RubyGems is the Ruby standard for publishing and managing third party
- # libraries.
Index: trunk/server/doc/install-ldap
===================================================================
--- trunk/server/doc/install-ldap	(revision 2581)
+++ 	(revision )
@@ -1,420 +1,0 @@
-# b
-# To set up a new LDAP server:
-
-# Temporarily move away the existing slapd-scripts folder
-mv /etc/dirsrv/slapd-scripts{,.bak}
-
-# Setup directory server
-/usr/sbin/setup-ds.pl
-#   - Choose a typical install
-#   - Tell it to use the fedora-ds user and group
-#   - Directory server identifier: scripts
-#   - Suffix: dc=scripts,dc=mit,dc=edu
-#   - Input directory manager password
-#     (this can be found in  ~/.ldapvirc)
-
-# Move the schema back
-cp -R /etc/dirsrv/slapd-scripts.bak/* /etc/dirsrv/slapd-scripts
-rm -Rf /etc/dirsrv/slapd-scripts.bak
-
-# Check and make sure the sysconfig references the correct keytab
-svn revert /etc/sysconfig/dirsrv-scripts
-
-# Turn dirsrv off:
-systemctl stop dirsrv@scripts.service
-
-# Apply the following configuration changes.  If you're editing
-# dse.ldif, you don't want dirsrv to be on, otherwise it will
-# overwrite your changes. [XXX: show how to do these changes with
-# dsconf, which is the "blessed" method, although it seems
-# dsconf only exists for Red Hat]
-
-vim /etc/dirsrv/slapd-scripts/dse.ldif
-<<<EOF
-
-# Inside cn=config.  These changes definitely require a restart.
-nsslapd-ldapilisten: on
-nsslapd-syntaxcheck: off
-
-# We need to turn off syntax check because our schema is wrong and too
-# restrictive on some value. This should get fixed.
-
-# Add these blocks
-
-# mapname, mapping, sasl, config
-# This is the most liberal mapping you can have for SASL: you can
-# basically add authentication for any given GSSAPI mechanism by
-# explicitly creating the UID for that SASL string.
-dn: cn=mapname,cn=mapping,cn=sasl,cn=config
-objectClass: top
-objectClass: nsSaslMapping
-cn: mapname
-nsSaslMapRegexString: \(.*\)
-nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
-nsSaslMapFilterTemplate: (objectClass=posixAccount)
-
-EOF;
-
-systemctl start dirsrv@scripts.service
-
-ldapvi -b cn=config
-# Add these indexes (8 of them):
-
-<<<EOF
-
-add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-cn: apacheServerName
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-add cn=apacheServerAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-cn: apacheServerAlias
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-add cn=scriptsVhostName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-cn: scriptsVhostName
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-add cn=scriptsVhostAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-cn: scriptsVhostAlias
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-add cn=scriptsVhostAccount, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-cn: scriptsVhostAccount
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-add cn=memberuid, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-cn: memberuid
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-add cn=uidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-cn: uidnumber
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-add cn=gidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-cn: gidnumber
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-EOF;
-
-- Build the indexes for all the fields:
-
-    /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot
-
-  (/etc/signup-ldap-pw is the LDAP root password, make sure it's
-  chmodded correctly and chowned to signup. Also, make sure it doesn't
-  have a trailing newline!)
-
--  Watch for the indexing operations to finish with this command:
-
-    ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config
-
-  (look for nktaskstatus)
-
-- Set up replication.
-
-  We used to tell people to go execute
-  http://directory.fedoraproject.org/sources/contrib/mmr.pl manually
-  (manually because that script assumes only two masters and we have
-  every one of our servers set up as a master.)  However, those
-  instructions are inaccurate, because we use GSSAPI, not SSL and
-  because the initializing procedure is actually prone to a race
-  condition.  Here are some better instructions.
-
-  LDAP replication is based around producers and consumers.  Producers
-  push changes in LDAP to consumers: these arrangements are called
-  "replication agreements" and the producer will hold a
-  nsDS5ReplicationAgreement object that represents this commitment,
-  as well as some extra configuration to say who consumers will accept
-  replication data from (a nsDS5Replica).
-
-  The procedure, at a high level, is this:
-
-    1. Pick an arbitrary existing master.  The current server will
-       be configured as a slave to that master.  Initialize a changelog,
-       then request a replication to populate our server with
-       information.
-
-            M1 <---> M2 ---> S
-
-    2. Configure the new server to be replicated back.
-
-            M1 <---> M2 <---> S
-
-    3. Set up the rest of the replication agreements.
-
-                M1 <---> M2
-                ^         ^
-                |         |
-                +--> S <--+
-
-    4. Push a change from every existing server (to the new server), and
-       then a change from the new server to (all) the existing servers.
-       In addition to merely testing that replication works, this will
-       set up the servers' changelogs properly.
-
-       If this step is not completed before any server's LDAP server
-       shuts down, then the replication agreements will fall apart the
-       next time a change is made. You may wish to intentionally reboot
-       any servers that look like they want to crash _before_ beginning
-       this process.
-
-  Here's how you do it.
-
-  NOTE: There's this spiffy new tool MMR hammer which automates some of
-  this process.  Check the "MMR Hammer" sections to see how.  Install it
-  here:  https://github.com/ezyang/mmr-hammer
-
-    0. Tell -c scripts not to go off and reboot servers until you're
-       done (or to get any rebooting done with first).
-
-    1. Pull open the replication part of the database. It's fairly empty
-       right now.
-
-        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
-
-    2. Configure the server $SLAVE (this server) to accept $MASTER
-       replications by adding the following LDAP entries:
-
-add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
-objectClass: top
-objectClass: nsDS5Replica
-cn: replica
-nsDS5ReplicaId: $REPLICA_ID
-nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
-nsDS5Flags: 1
-nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/better-mousetrap.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/miracle-cure.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindDN: uid=ldap/lucky-star.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-nsds5ReplicaPurgeDelay: 604800
-nsds5ReplicaLegacyConsumer: off
-nsDS5ReplicaType: 3
-
-        $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find
-        out.)  You might wonder why we are binding to all servers;
-        weren't we going to replicate from only one server?  That is
-        correct, however, simply binding won't mean we will receive
-        updates; we have to setup the $MASTER to send data $SLAVE.
-
-    3. Although we allowed those uids to bind, that user information
-       doesn't exist on $SLAVE yet.  So you'll need to create the entry
-       for just $MASTER.
-
-       REMEMBER: You need to use FOO.mit.edu for the names!  Otherwise you will get
-       unauthorized errors.
-
-add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
-uid: ldap/$MASTER
-objectClass: account
-objectClass: top
-
-    4. Though our $SLAVE will not be making changes to LDAP, we need to
-       initialize the changelog because we intend to be able to do this
-       later.
-
-add cn=changelog5,cn=config
-objectclass: top
-objectclass: extensibleObject
-cn: changelog5
-nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb
-
-    5. Ok, now go to your $MASTER server that you picked (it should have
-       been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell
-       it to replicate to $SLAVE.
-
-       The last line runs the replication.  This is perhaps the most
-       risky step of the process; see below for help debugging problems.
-
-       MMR Hammer:
-        mmr-hammer -h $MASTER init agreements $SLAVE
-        mmr-hammer -h $MASTER update $SLAVE # XXX pick a better name
-
-        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
-
-add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
-objectClass: top
-objectClass: nsDS5ReplicationAgreement
-cn: "GSSAPI Replication to $SLAVE"
-cn: GSSAPI Replication to $SLAVE
-nsDS5ReplicaHost: $SLAVE
-nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaPort: 389
-nsDS5ReplicaTransportInfo: LDAP
-nsDS5ReplicaBindDN: uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindMethod: SASL/GSSAPI
-nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
-nsDS5ReplicaTimeout: 120
-nsDS5BeginReplicaRefresh: start
-
-    5. Check that the replication is running; the status will be stored
-    in the object we've been mucking around with.
-
-    If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
-    for more information.  It might be because fedora-ds can't read
-    /etc/dirsrv/keytab or because you setup the account on the SLAVE
-    incorrectly.
-
-    6. Replicate in the other direction.  On $MASTER, add $SLAVE
-    as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
-    Also, add an account for $SLAVE if it doesn't exist already.
-
-add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
-uid: ldap/$SLAVE
-objectClass: account
-objectClass: top
-
-    On $SLAVE,
-
-       MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER
-
-add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
-objectClass: top
-objectClass: nsDS5ReplicationAgreement
-cn: "GSSAPI Replication to $MASTER"
-cn: GSSAPI Replication to $MASTER
-nsDS5ReplicaHost: $MASTER
-nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaPort: 389
-nsDS5ReplicaTransportInfo: LDAP
-nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
-nsDS5ReplicaBindMethod: SASL/GSSAPI
-nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
-nsDS5ReplicaTimeout: 120
-
-    If you get a really scary internal server error, that might mean you
-    forgot to initialize the changelog.  Remove the replication
-    agreement (you'll need to turn off dirsrv), add the changelog, and
-    then try again.
-
-    7. Repeat step 6 to complete the graph of replications (i.e., from
-    every other server to the new server, and from the new server to
-    every other server).
-
-    Note the only difference between steps 5 and 6 is the lack of
-    nsDS5ReplicaRefresh: start. That only needs to be done once, to the
-    new server.
-
-    With MMR hammer, that's something like:
-
-        for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done
-
-    8. If at this point you look at the new server's changelog with
-    cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you
-    for a password), you won't see the servers you added in step 7. So,
-    from each of those servers, make a change to some record so it gets
-    propagated to the new server, and then one from the new server so it
-    gets propagated to all the existing servers' changelogs. This is
-    also good for making sure the replication agreements actually work.
-
-    With MMR hammer, that's something like:
-
-        for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done
-
-Troubleshooting
-===============
-
-LDAP multimaster replication can fail in a number of colorful ways;
-combine that with GSSAPI authentication and it goes exponential.
-
-If authentication is failing with LDAP error 49, check if:
-
-    * /etc/dirsrv/keytab
-    * fedora-ds is able to read /etc/dirsrv/keytab
-    * /etc/hosts has not been modified by Network Manager (you
-      /did/ uninstall it, right? Right?)
-
-If the failure is local to a single master, usually you can recover
-by asking another master to refresh that master with:
-
-nsDS5BeginReplicaRefresh: start
-
-In practice, we've also had problems with this technique.  Some of them
-include:
-
-* Something like https://bugzilla.redhat.com/show_bug.cgi?id=547503
-  on Fedora 11 ns-slapd, where replication is turned off to do the
-  replication, but then it wedges and you need to forcibly kill the
-  process.
-
-* Failed LDAP authentication because another master attempted to do
-  an incremental update.
-
-* Repropagation of the error because the corrupt master thinks it still
-  should push updates.
-
-So the extremely safe method to bring up a crashed master is as follows:
-
-1. Disable all incoming and outgoing replication agreements by editing
-   /etc/dirsrv/slapd-scripts/dse.ldif. You'll need to munge:
-
-   nsDS5ReplicaBindDN in cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config
-
-   and all of the push agreements.  Deleting them outright works, but
-   means you'll have to reconstruct all of the agreements from scratch.
-
-2. Bring up the server.
-
-3. Accept incoming replication data from a single server.
-
-4. Initiate a full update from that server.
-
-5. Finish setting up replication as described above.
-
-If your database gets extremely fucked, other servers may not be able
-to authenticate because your authentication information has gone missing.
-In that case, the minimal set of entries you need is:
-
-add dc=scripts,dc=mit,dc=edu
-objectClass: top
-objectClass: domain
-dc: scripts
-
-add ou=People,dc=scripts,dc=mit,dc=edu
-objectClass: top
-objectClass: organizationalunit
-ou: People
-
-add uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-objectClass: account
-objectClass: top
-uid: ldap/whole-enchilada.mit.edu
Index: trunk/server/doc/ldap-kerberos-replication.txt
===================================================================
--- trunk/server/doc/ldap-kerberos-replication.txt	(revision 2581)
+++ 	(revision )
@@ -1,93 +1,0 @@
-How to migrate from SSL authentication to GSSAPI authentication
-===============================================================
-
-    :author: Edward Z. Yang <ezyang>
-    :author: Geoffrey Thomas <geofft>
-
-NOTE: This document is strictly for HISTORICAL purposes.  It may
-come in handy if you ever need to migrate from SSL to GSSAPI on
-another LDAP setup, though!  This assumes that ldap service keytabs
-are setup properly on all hosts involved.
-
-----
-
-On $CONSUMER (e.g. real-mccoy.mit.edu)
-
-To cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config:
-Add nsDS5ReplicaBindDN: uid=ldap/$PRODUCER,ou=People,dc=scripts,dc=mit,dc=edu
-    This tells the CONSUMER to accept replication pushes from PRODUCER.
-    However, PRODUCER is not configured yet, so you should keep
-    the cn=repman,cn=config entry which is old style.
-
-Create uid=ldap/$PRODUCER,ou=People,dc=scripts,dc=mit,dc=edu
-uid: ldap/$PRODUCER
-objectClass: account
-objectClass: top
-    This creates the LDAP user entry for GSSAPI authentication via the
-    service keytab of LDAP replication.  This information /is/
-    replicated, so if you felt like it you could create entries for all
-    PRODUCERS (which, in full multimaster replication, is all servers.)
-
-----
-
-On $PRODUCER (e.g. cats-whiskers.mit.edu)
-    You will destroy and recreate a replication agreement (well,
-    actually, ldapvi will attempt to create and then destroy the old
-    agreement).
-
-To cn="SSL Replication to $CONSUMER",cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
-Replace all instances of "SSL Replication" to "GSSAPI Replication"
-Replace the number on the entry with 'add'; to indicate destroy/recreate
-Replace nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
-    (instead of cn=repman,cn=config)
-Replace nsDS5ReplicaTransportInfo: LDAP
-    (instead of SSL)
-Replace nsDS5ReplicaPort: 389
-    (instead of 636)
-Replace nsDS5ReplicaBindMethod: SASL/GSSAPI
-    (instead of simple)
-Remove nsDS5ReplicaCredentials
-
-Here are some search-replace lines that will probably do what you want,
-but be sure to double check how many substitutions were made. '<,'> lines
-should exclude the cn=replica section.
-
-    # n = NUMBER OF SERVERS - 1 = 4
-    # n*3 substitutions
-    :%s/SSL Replication/GSSAPI Replication/g
-    # n substitutions
-    :'<,'>s/cn=repman,cn=config/uid=ldap\/$HOST,ou=People,dc=scripts,dc=mit,dc=edu/g
-    :%s/simple/SASL\/GSSAPI/
-    :%s/nsDS5ReplicaPort: 636/nsDS5ReplicaPort: 389/
-    :%s/SSL/LDAP/g
-    :%s/^nsDS5ReplicaCredentials.\+\n//g
-    :'<,'>s/^nsds5replicareapactive: 0\n//g
-    :%s/^[1-9] /add /g   # fix if more than 9 servers
-
-There is some cleanup that needs to happen after these values change;
-I had luck forcibly rebooting the servers and making LDAP cleanup
-after an unclean shutdown.  You can tell if this cleanup is necessary
-if LDAP refuses to start replication sessions.  This issue is known to
-clear up after several reboots or by destroying and recreating all
-replicas.
-
-----
-
-Once everything is on the new replication and you verify it's working
-correctly, you should then clean out the SSL configuration (most
-notably, turn nsslapd-security off. Despite its ominous name, it only
-controls SSL authentication, not GSSAPI authentication.)  You will need
-to take the server offline to do that; edit
-/etc/dirsrv/slapd-scripts/dse.ldif
-
-When that's gone, there may be some vestigial SSL configuration left.
-Scripts specifically had the following sections that needed to be
-cleaned up:
-
-    cn=RSA,cn=encryption,cn=config
-        (whole thing)
-    cn=encryption,cn=config
-        nsSSL3: on [change to off]
-        nsSSL3Ciphers: +rsa_rc4_128_md5 [delete]
-    cn=config
-        nsslapd-sslclientauth: on [change to off]
Index: trunk/server/fedora/Makefile
===================================================================
--- trunk/server/fedora/Makefile	(revision 2581)
+++ trunk/server/fedora/Makefile	(revision 2591)
@@ -19,10 +19,11 @@
 # See /COPYRIGHT in this repository for more information.
 
-upstream_yum	= krb5 krb5.i686 httpd openssh rubygems gnutls kernel openssl openssl.i686
-hackage		= cgi-3001.1.8.2 unix-handle-0.0.0
+upstream_yum	= krb5 krb5.i686 httpd openssh
+hackage		= cgi-3001.1.8.5 unix-handle-0.0.0
 upstream_hackage = ghc-cgi ghc-unix-handle
-gems		= pony:1.8
-upstream_gems	= rubygem-pony
-upstream	= openafs $(upstream_yum) $(upstream_hackage) $(upstream_gems) moira zephyr zephyr.i686 python-zephyr python-afs python-moira python-hesiod athena-aclocal discuss
+gems		= pony:1.8 fcgi:0.9.2.1
+upstream_gems	= rubygem-pony rubygem-fcgi
+upstream_eggs   = python-authkit
+upstream	= openafs $(upstream_yum) $(upstream_hackage) $(upstream_gems) $(upstream_eggs) moira zephyr zephyr.i686 python-zephyr python-afs python-moira python-hesiod athena-aclocal discuss
 oursrc		= execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i686 whoisd athrun php_scripts scripts-wizard scripts-base scripts-static-cat fuse-better-mousetrapfs scripts-munin-plugins
 allsrc		= $(upstream) $(oursrc)
@@ -40,7 +41,6 @@
 
 dload		= ${PWD}/.dload
-openafs_url	= "https://www.openafs.org/dl/openafs/1.6.5/openafs-1.6.5-1.src.rpm"
-zephyr_url	= "http://zephyr.1ts.org/files/zephyr-3.0.2.tar.gz"
-openssl_url	= "https://www.openssl.org/source/openssl-1.0.0n.tar.gz"
+openafs_url	= "https://www.openafs.org/dl/openafs/1.6.8/openafs-1.6.8-1.src.rpm"
+#zephyr_url	= "http://zephyr.1ts.org/files/zephyr-3.0.2.tar.gz"
 
 PKG		= $(patsubst %.i686,%,$@)
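Review bot: The `#zephyr_url` assignment here and the `#wget -P $(dload) $(zephyr_url)` recipe line in the next hunk are left behind as commented-out code, while `openssl_url` and its wget are deleted outright. The commented recipe line still begins with a tab, so make passes it to the shell and echoes it on every download run. Since zephyr is now fetched with `spectool -g -R $(specs)/zephyr.spec` further down, I would delete both lines. If the URL is kept for reference, say so in a real comment, e.g. `# zephyr sources now come from zephyr.spec via spectool; old URL kept for reference only`.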
@@ -70,6 +70,5 @@
 	cd $(dload) && yumdownloader --disablerepo=scripts --source $(upstream_yum)
 	wget -P $(dload) $(openafs_url)
-	wget -P $(dload) $(zephyr_url)
-	wget -P $(tmp_src) $(openssl_url)
+	#wget -P $(dload) $(zephyr_url)
 	cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz https://debathena.mit.edu/apt/pool/debathena/d/debathena-moira/
 	cabal update
@@ -77,8 +76,10 @@
 	cp -a $(hackage:%=~/.cabal/packages/*/*/*/%.tar.gz) $(tmp_src)
 	$(foreach gem, $(gems), gem fetch $(firstword $(subst :, ,$(gem))) -v $(lastword $(subst :, ,$(gem)));)
+	spectool -g -R $(specs)/zephyr.spec
 	spectool -g -R $(specs)/python-zephyr.spec
 	spectool -g -R $(specs)/python-afs.spec
 	spectool -g -R $(specs)/python-moira.spec
 	spectool -g -R $(specs)/python-hesiod.spec
+	spectool -g -R $(specs)/python-authkit.spec
 	touch download_stamp
 
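Review bot: Nothing in this recipe checks what `spectool -g -R` brings back before `touch download_stamp` marks the download as complete, and the two added lines extend that to the zephyr and python-authkit sources. spectool only fetches the Source URLs named in each spec; those URLs are not visible here, and the zephyr URL this commit retires from the Makefile was plain http. A tampered or truncated tarball would therefore go straight into the mock build. I would add a verification step between the downloads and the stamp, for example `cd <rpm-sourcedir-placeholder> && sha256sum -c <pinned-checksums-file-placeholder>`, with the digest file kept in the repository. The recipe begins above this hunk.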
@@ -153,10 +154,10 @@
 	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec
-	/usr/bin/mock -r scripts-fc17-i386 --arch=i686 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc20-i386 --arch=i686 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
 
 $(filter-out %.i686,$(oursrc)): %: setup
 	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec
-	/usr/bin/mock -r scripts-fc17-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc20-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
 
 $(upstream) openafs-kernel: rpmbuild_args += --define 'scriptsversion $(shell svnversion ${patches} | tr ':' '_')'
@@ -166,14 +167,14 @@
 $(filter %.i686,$(upstream)): %.i686: setup patch-specs
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec
-	/usr/bin/mock -r scripts-fc17-i386 --arch=i686 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc20-i386 --arch=i686 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
 
 $(filter-out %.i686,$(upstream)): %: setup patch-specs
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec
-	/usr/bin/mock -r scripts-fc17-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc20-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1`
 
 openafs-kernel: setup
 	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
 	rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/openafs*.spec
-	/usr/bin/mock -r scripts-fc17-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1`
+	/usr/bin/mock -r scripts-fc20-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1`
 
 #sort -n sorts "2.6.25-1" later than "2.6.25.1-1", so it's Wrong
Index: trunk/server/fedora/config/etc/default/grub
===================================================================
--- trunk/server/fedora/config/etc/default/grub	(revision 2581)
+++ trunk/server/fedora/config/etc/default/grub	(revision 2591)
@@ -4,3 +4,3 @@
 GRUB_TERMINAL="serial console"
 GRUB_SERIAL_COMMAND="serial"
-GRUB_CMDLINE_LINUX="rd.md=0 rd.lvm=0 rd.dm=0 console=hvc0 KEYTABLE=us rd.luks=0 SYSFONT=True LANG=en_US.UTF-8"
+GRUB_CMDLINE_LINUX="rd.md=0 rd.lvm=0 rd.dm=0 KEYTABLE=us rd.luks=0 SYSFONT=True LANG=en_US.UTF-8 net.ifnames=0"
Index: trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf	(revision 2591)
@@ -36,4 +36,5 @@
 </Location>
 
+<IfModule ssl_module>
 <Location /__scripts/certerror>
     SSLVerifyClient require
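Review bot: The new `<IfModule ssl_module>` wrapper (closed in the next hunk) makes the `SSLVerifyClient require` location disappear silently when mod_ssl is not loaded, and no comment says why that is wanted. In that case /__scripts/certerror gets neither the client-certificate requirement nor the rewrite to unauthorized.html; what would be served instead is not visible here. I would add a line above the wrapper such as `# mod_ssl may be absent on some hosts; /__scripts/certerror is then intentionally left unconfigured`. If every server is expected to load ssl_module, drop the guard so that a missing module fails at startup rather than changing behaviour quietly.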
@@ -41,2 +42,3 @@
     RewriteRule /afs/athena.mit.edu/contrib/scripts/www/certerror /__scripts/unauthorized.html [L]
 </Location>
+</IfModule>
Index: trunk/server/fedora/config/etc/httpd/conf/httpd.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/conf/httpd.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/conf/httpd.conf	(revision 2591)
@@ -5,4 +5,6 @@
 MaxKeepAliveRequests 1000
 KeepAliveTimeout 15
+
+LoadModule mpm_worker_module modules/mod_mpm_worker.so
 
 <IfModule mpm_prefork_module>
@@ -35,11 +37,17 @@
 </IfModule>
 
+# This file configures systemd module:
+LoadModule systemd_module modules/mod_systemd.so
+
+# Enable .htaccess files to use the legacy Order By syntax
+LoadModule access_compat_module modules/mod_access_compat.so
+
 LoadModule auth_basic_module modules/mod_auth_basic.so
 LoadModule auth_digest_module modules/mod_auth_digest.so
+LoadModule authn_core_module modules/mod_authn_core.so
 LoadModule authn_file_module modules/mod_authn_file.so
-LoadModule authn_alias_module modules/mod_authn_alias.so
 LoadModule authn_anon_module modules/mod_authn_anon.so
 #LoadModule authn_dbm_module modules/mod_authn_dbm.so
-LoadModule authn_default_module modules/mod_authn_default.so
+LoadModule authz_core_module modules/mod_authz_core.so
 LoadModule authz_host_module modules/mod_authz_host.so
 LoadModule authz_user_module modules/mod_authz_user.so
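Review bot: Both added comments are inaccurate. `# This file configures systemd module:` reads as if copied from a packaged module snippet and does not describe httpd.conf. There is also no `Order By` syntax: mod_access_compat provides the 2.2-era `Order`, `Allow`, `Deny` and `Satisfy` directives. I would write `# systemd integration (mod_systemd)` and `# Keep 2.2-style Order/Allow/Deny/Satisfy working in existing .htaccess files`. A further line is worth adding to say that the Apache upgrade notes discourage mixing those directives with `Require` in one context, since this commit converts the `.ht*` block to `Require all denied` while user .htaccess files presumably stay on the old syntax.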
@@ -47,5 +55,4 @@
 LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
 #LoadModule authz_dbm_module modules/mod_authz_dbm.so
-LoadModule authz_default_module modules/mod_authz_default.so
 LoadModule ldap_module modules/mod_ldap.so
 #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
@@ -86,5 +93,7 @@
 LoadModule cgi_module modules/mod_cgi.so
 LoadModule ssl_module modules/mod_ssl.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 LoadModule vhost_ldap_module modules/mod_vhost_ldap.so
+LoadModule unixd_module modules/mod_unixd.so
 
 User apache
@@ -100,4 +109,10 @@
     AllowOverride None
     Options FollowSymLinks IncludesNoExec
+    # The new syntax wasn't added until 2.4,
+    # so there's simply no way any deployed sites
+    # are already using the new syntax.
+    <IfModule include_module>
+        SSILegacyExprParser on
+    </IfModule>
 </Directory>
 
@@ -131,11 +146,9 @@
 
 <Files ~ "^\.ht">
-    Order Allow,Deny
-    Deny from all
+    Require all denied
 </Files>
 
 UseCanonicalName Off
 TypesConfig /etc/mime.types
-DefaultType text/plain
 #MIMEMagicFile conf/magic
 
@@ -154,6 +167,6 @@
 
 <IfModule mod_autoindex.c>
-    Alias /__scripts/icons /var/www/icons
-    <Directory /var/www/icons>
+    Alias /__scripts/icons /usr/share/httpd/icons/
+    <Directory /usr/share/httpd/icons/>
         Options Indexes
         AllowOverride None
@@ -266,11 +279,4 @@
 RLimitNPROC 4096 4096
 
-NameVirtualHost *:80
-NameVirtualHost *:443
-NameVirtualHost *:444
-NameVirtualHost 18.181.0.50:80
-NameVirtualHost 18.181.0.50:443
-NameVirtualHost 18.181.0.50:444
-
 ServerName localhost
 DocumentRoot /afs/athena.mit.edu/contrib/scripts/www
@@ -325,16 +331,12 @@
     SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
     SSLSessionCacheTimeout 28800
-    SSLMutex default
     SSLRandomSeed startup file:/dev/urandom 256
     SSLRandomSeed connect builtin
     SSLCryptoDevice builtin
-    SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
-    SSLCertificateChainFile /etc/pki/tls/certs/star.scripts.pem
-    SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
     SSLCACertificateFile /etc/pki/tls/certs/ca.pem
     SSLVerifyClient none
     SSLOptions +StdEnvVars
     SSLProtocol all -SSLv2
-    SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
     <VirtualHost 18.181.0.50:443 18.181.0.50:444>
         ServerName scripts-cert.mit.edu
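Review bot: The new `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` still admits the MEDIUM class, which on OpenSSL builds of this period includes 128-bit RC4 (RC4-SHA is not excluded by `!MD5`). The untouched `SSLProtocol all -SSLv2` just above it leaves SSLv3 enabled. No `SSLHonorCipherOrder` is visible in the hunk either, so the client's preference would decide among whatever is offered. I would tighten all three while this block is being edited, after checking which legacy clients still need to connect: `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4`, `SSLHonorCipherOrder on`. The enclosing `<IfModule ssl_module>` block opens above this hunk.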
@@ -343,5 +345,4 @@
         Include conf.d/vhosts-common-ssl.conf
         SSLCertificateFile /etc/pki/tls/certs/scripts-cert.pem
-        SSLCertificateChainFile /etc/pki/tls/certs/scripts-cert.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
         Include conf.d/vhosts-common-ssl-cert.conf
@@ -353,5 +354,4 @@
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
-        SSLCertificateChainFile /etc/pki/tls/certs/scripts.pem
     </VirtualHost>
     <VirtualHost 18.181.0.43:444>
@@ -362,9 +362,10 @@
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
         SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
-        SSLCertificateChainFile /etc/pki/tls/certs/scripts.pem
     </VirtualHost>
     # LDAP vhost, w00t w00t
     <VirtualHost *:443>
         ServerName localhost
+        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
         Include conf.d/vhost_ldap.conf
         Include conf.d/vhosts-common-ssl.conf
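Review bot: The certificate lines added to this `<VirtualHost *:443>`, and to the vhosts in the three hunks that follow, set `SSLCertificateFile` and `SSLCertificateKeyFile` but no chain. The server-level block they replace also had `SSLCertificateChainFile` pointing at the same .pem. httpd reads intermediate certificates out of `SSLCertificateFile` only from 2.4.8 on, and the httpd version the fc20 build ends up with is not visible here. On anything older these vhosts would send the leaf certificate alone, and clients without the intermediate cached would fail validation. If the version is not guaranteed, keep `SSLCertificateChainFile /etc/pki/tls/certs/star.scripts.pem` next to the new lines (with the matching .pem in the other vhosts); otherwise record the dependency with `# chain is read from SSLCertificateFile (httpd >= 2.4.8)`.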
@@ -373,4 +374,6 @@
     <VirtualHost *:444>
         ServerName localhost
+        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
         Include conf.d/vhost_ldap.conf
         Include conf.d/vhosts-common-ssl.conf
@@ -381,12 +384,6 @@
 <IfModule ssl_module>
     <VirtualHost *:443>
-        ServerName scripts.scripts.mit.edu
-        ServerAlias *.scripts.mit.edu *.scripts
-        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
-        SSLCertificateChainFile /etc/pki/tls/certs/star.scripts.pem
-        Include conf.d/vhost_ldap.conf
-        Include conf.d/vhosts-common-ssl.conf
-    </VirtualHost>
-    <VirtualHost *:443>
+        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
@@ -394,13 +391,6 @@
     </VirtualHost>
     <VirtualHost *:444>
-        ServerName scripts.scripts.mit.edu
-        ServerAlias *.scripts.mit.edu *.scripts
-        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
-        SSLCertificateChainFile /etc/pki/tls/certs/star.scripts.pem
-        Include conf.d/vhost_ldap.conf
-        Include conf.d/vhosts-common-ssl.conf
-        Include conf.d/vhosts-common-ssl-cert.conf
-    </VirtualHost>
-    <VirtualHost *:444>
+        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
         Include conf.d/scripts-vhost-names.conf
         Include conf.d/scripts-vhost.conf
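Review bot: The deleted `*:444` wildcard block included `conf.d/vhosts-common-ssl-cert.conf`, but the surviving `*:444` LDAP vhost (the `ServerName localhost` hunk above) shows only `vhost_ldap.conf` and `vhosts-common-ssl.conf` before its hunk ends. If that file carries the client-certificate settings, as its name and its use on the :444 vhosts suggest, requests for *.scripts.mit.edu names on port 444 could lose them after this change. Confirm the LDAP vhost still has `Include conf.d/vhosts-common-ssl-cert.conf`, and add it if not. The vhost block continues outside the hunk.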
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/achernya.com.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/achernya.com.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/achernya.com.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/achernya.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/achernya.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/achernya.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/achernya.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/ai6034.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/ai6034.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/ai6034.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/ai6034.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ai6034.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/ai6034.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ai6034.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/asa.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/asa.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/asa.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/asa.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/asa.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/asa.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/asa.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/ashdown.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/ashdown.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/ashdown.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/ashdown.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ashdown.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/ashdown.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ashdown.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/auth.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/auth.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/auth.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/auth.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/auth.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/auth.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/auth.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/axo.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/axo.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/axo.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/axo.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/axo.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/axo.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/axo.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/bakerfoundation.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/bakerfoundation.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/bakerfoundation.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/bakerfoundation.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/bakerfoundation.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/bakerfoundation.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/bakerfoundation.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/barnowl.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/barnowl.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/barnowl.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/barnowl.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/barnowl.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/barnowl.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/barnowl.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/bc.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/bc.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/bc.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/bc.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/bc.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/bc.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/bc.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/be-it.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/be-it.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/be-it.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/be-it.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/be-it.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/be-it.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/be-it.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/blog.gregbrockman.com.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/blog.gregbrockman.com.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/blog.gregbrockman.com.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/blog.gregbrockman.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/blog.gregbrockman.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/blog.gregbrockman.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/blog.gregbrockman.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/bluechips.emergent-studios.com.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/bluechips.emergent-studios.com.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/bluechips.emergent-studios.com.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/bluechips.emergent-studios.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/bluechips.emergent-studios.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/bluechips.emergent-studios.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/bluechips.emergent-studios.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/carepackages.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/carepackages.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/carepackages.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/carepackages.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/carepackages.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/carepackages.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/carepackages.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/cehs.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/cehs.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/cehs.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/cehs.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/cehs.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/cehs.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/cehs.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/chatter.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/chatter.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/chatter.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/chatter.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/chatter.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/chatter.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/chatter.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/classof2014.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/classof2014.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/classof2014.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/classof2014.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/classof2014.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/classof2014.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/classof2014.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/conner4.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/conner4.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/conner4.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/conner4.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/conner4.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/conner4.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/conner4.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/cons.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/cons.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/cons.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/cons.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/cons.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/cons.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/cons.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/cosmic-turtle.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/cosmic-turtle.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/cosmic-turtle.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/cosmic-turtle.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/cosmic-turtle.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/cosmic-turtle.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/cosmic-turtle.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/courseroad.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/courseroad.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/courseroad.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/courseroad.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/courseroad.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/courseroad.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/courseroad.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/crew.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/crew.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/crew.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/crew.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/crew.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/crew.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/crew.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/crush.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/crush.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/crush.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/crush.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/crush.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/crush.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/crush.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/cs6090.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/cs6090.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/cs6090.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/cs6090.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/cs6090.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/cs6090.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/cs6090.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/davidben.net.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/davidben.net.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/davidben.net.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/davidben.net.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/davidben.net.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/davidben.net.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/davidben.net.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/dchang.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/dchang.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/dchang.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/dchang.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/dchang.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/dchang.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/dchang.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/debathena.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/debathena.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/debathena.conf	(revision 2591)
@@ -21,5 +21,4 @@
 		CustomLog /home/logview/debathena.log combined
 		SSLCertificateFile /etc/pki/tls/certs/debathena.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/debathena.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -34,5 +33,4 @@
 		CustomLog /home/logview/debathena.log combined
 		SSLCertificateFile /etc/pki/tls/certs/debathena.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/debathena.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/dnd.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/dnd.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/dnd.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/dnd.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/dnd.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/dnd.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/dnd.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/dormbase.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/dormbase.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/dormbase.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/dormbase.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/dormbase.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/dormbase.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/dormbase.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/duspexplorer.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/duspexplorer.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/duspexplorer.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/duspexplorer.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/duspexplorer.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/duspexplorer.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/duspexplorer.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/eastgate.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/eastgate.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/eastgate.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/eastgate.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/eastgate.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/eastgate.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/eastgate.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/ec.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/ec.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/ec.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/ec.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ec.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/ec.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ec.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/edudesignshop.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/edudesignshop.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/edudesignshop.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/edudesignshop.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/edudesignshop.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/edudesignshop.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/edudesignshop.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/emit.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/emit.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/emit.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/emit.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/emit.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/emit.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/emit.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/familynet.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/familynet.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/familynet.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/familynet.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/familynet.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/familynet.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/familynet.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/feed.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/feed.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/feed.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/feed.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/feed.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/feed.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/feed.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/finboard.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/finboard.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/finboard.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/finboard.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/finboard.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/finboard.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/finboard.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/fridget.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/fridget.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/fridget.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/fridget.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/fridget.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/fridget.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/fridget.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/gsc.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/gsc.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/gsc.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/gsc.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/gsc.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/gsc.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/gsc.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/hmmt.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/hmmt.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/hmmt.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/hmmt.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/hmmt.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/hmmt.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/hmmt.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/impact.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/impact.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/impact.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/impact.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/impact.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/impact.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/impact.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/isa.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/isa.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/isa.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/isa.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/isa.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/isa.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/isa.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/isawyou.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/isawyou.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/isawyou.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/isawyou.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/isawyou.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/isawyou.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/isawyou.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/ldpreload.com.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/ldpreload.com.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/ldpreload.com.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/ldpreload.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ldpreload.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/ldpreload.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ldpreload.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/legendary.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/legendary.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/legendary.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/legendary.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/legendary.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/legendary.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/legendary.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/listmon.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/listmon.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/listmon.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/listmon.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/listmon.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/listmon.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/listmon.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/liyan.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/liyan.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/liyan.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/liyan.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/liyan.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/liyan.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/liyan.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/liyanchang.com.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/liyanchang.com.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/liyanchang.com.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/liyanchang.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/liyanchang.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/liyanchang.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/liyanchang.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/lizdenys.com.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/lizdenys.com.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/lizdenys.com.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -55,5 +53,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -67,5 +64,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -91,5 +87,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -103,5 +98,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -127,5 +121,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -139,5 +132,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -163,5 +155,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -175,5 +166,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/star.lizdenys.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/star.lizdenys.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/locate.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/locate.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/locate.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/locate.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/locate.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/locate.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/locate.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/luke.wf.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/luke.wf.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/luke.wf.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/luke.wf.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/luke.wf.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/luke.wf.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/luke.wf.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/mailto.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/mailto.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/mailto.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/mailto.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/mailto.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/mailto.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/mailto.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/maseeh.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/maseeh.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/maseeh.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/maseeh.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/maseeh.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/maseeh.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/maseeh.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/metu.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/metu.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/metu.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/metu.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/metu.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/metu.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/metu.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/mitchief.org.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/mitchief.org.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/mitchief.org.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/mitchief.org.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/mitchief.org.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/mitchief.org.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/mitchief.org.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/mitsoc.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/mitsoc.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/mitsoc.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/mitsoc.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/mitsoc.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/mitsoc.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/mitsoc.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/mosh.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/mosh.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/mosh.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/mosh.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/mosh.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/mosh.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/mosh.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/next.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/next.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/next.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/next.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/next.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/next.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/next.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/nudelta.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/nudelta.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/nudelta.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/nudelta.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/nudelta.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/nudelta.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/nudelta.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/ofcourse.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/ofcourse.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/ofcourse.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/ofcourse.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ofcourse.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/ofcourse.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ofcourse.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/picker.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/picker.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/picker.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/picker.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/picker.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/picker.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/picker.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/pickr.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/pickr.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/pickr.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/pickr.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/pickr.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/pickr.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/pickr.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/psetcentral.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/psetcentral.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/psetcentral.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/psetcentral.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/psetcentral.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/psetcentral.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/psetcentral.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/quota.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/quota.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/quota.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/quota.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/quota.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/quota.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/quota.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/random-hall.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/random-hall.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/random-hall.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/random-hall.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/random-hall.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/random-hall.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/random-hall.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/reify-vhost.py
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/reify-vhost.py	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/reify-vhost.py	(revision 2591)
@@ -63,5 +63,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/%(hname)s.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/%(hname)s.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -75,5 +74,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/%(hname)s.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/%(hname)s.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/roost.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/roost.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/roost.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/roost.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/roost.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/roost.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/roost.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/rpl.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/rpl.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/rpl.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/rpl.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/rpl.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/rpl.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/rpl.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/sayno.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/sayno.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/sayno.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/sayno.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/sayno.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/sayno.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/sayno.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/schuh.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/schuh.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/schuh.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/schuh.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/schuh.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/schuh.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/schuh.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/set-up.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/set-up.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/set-up.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/set-up.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/set-up.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/set-up.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/set-up.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/signup.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/signup.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/signup.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/signup.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/signup.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/signup.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/signup.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/sipb.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/sipb.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/sipb.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/sipb.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/sipb.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/sipb.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/sipb.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/six101.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/six101.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/six101.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/six101.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/six101.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/six101.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/six101.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/swe.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/swe.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/swe.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/swe.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/swe.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/swe.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/swe.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/tb.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/tb.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/tb.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/tb.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/tb.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/tb.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/tb.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/techfair.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/techfair.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/techfair.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/techfair.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/techfair.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/techfair.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/techfair.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/tf.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/tf.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/tf.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/tf.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/tf.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/tf.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/tf.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/tibetforum.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/tibetforum.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/tibetforum.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/tibetforum.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/tibetforum.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/tibetforum.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/tibetforum.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/ties.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/ties.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/ties.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/ties.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ties.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/ties.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ties.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/tours.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/tours.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/tours.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/tours.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/tours.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/tours.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/tours.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/twentytwelve.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/twentytwelve.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/twentytwelve.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/twentytwelve.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/twentytwelve.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/twentytwelve.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/twentytwelve.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/ua.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/ua.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/ua.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/ua.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ua.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/ua.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/ua.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/unim.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/unim.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/unim.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/unim.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/unim.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/unim.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/unim.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/wakeup.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/wakeup.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/wakeup.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/wakeup.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/wakeup.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/wakeup.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/wakeup.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/webathena.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/webathena.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/webathena.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/webathena.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/webathena.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/webathena.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/webathena.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/webid.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/webid.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/webid.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/webid.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/webid.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/webid.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/webid.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/westgate.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/westgate.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/westgate.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/westgate.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/westgate.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/westgate.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/westgate.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/whatsnext.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/whatsnext.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/whatsnext.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/whatsnext.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/whatsnext.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/whatsnext.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/whatsnext.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/www.davidben.net.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/www.davidben.net.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/www.davidben.net.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/www.davidben.net.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/www.davidben.net.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/www.davidben.net.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/www.davidben.net.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/httpd/vhosts.d/www.liyanchang.com.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/vhosts.d/www.liyanchang.com.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/httpd/vhosts.d/www.liyanchang.com.conf	(revision 2591)
@@ -19,5 +19,4 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/www.liyanchang.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/www.liyanchang.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
@@ -31,5 +30,4 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/www.liyanchang.com.pem
-		SSLCertificateChainFile /etc/pki/tls/certs/www.liyanchang.com.pem
 		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
Index: trunk/server/fedora/config/etc/krb5.conf
===================================================================
--- trunk/server/fedora/config/etc/krb5.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/krb5.conf	(revision 2591)
@@ -1,4 +1,4 @@
 [libdefaults]
-	allow_weak_crypto = true
+	allow_weak_crypto = false
 	default_realm = ATHENA.MIT.EDU
 # The following krb5.conf variables are only for MIT Kerberos.
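Review bot: The added `allow_weak_crypto = false` line has no comment recording what the setting now depends on. With weak enctypes refused, any principal on these hosts that still has only single-DES keys would presumably stop authenticating, so the keytabs and any AFS-related service keys should be checked for stronger enctypes before this is deployed. I would put a comment above the setting, for example `# weak (single-DES) enctypes are refused; every service key needs a strong enctype`. The [libdefaults] section continues outside the hunk.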
Index: trunk/server/fedora/config/etc/mock/scripts-fc19-i386.cfg
===================================================================
--- trunk/server/fedora/config/etc/mock/scripts-fc19-i386.cfg	(revision 2591)
+++ trunk/server/fedora/config/etc/mock/scripts-fc19-i386.cfg	(revision 2591)
@@ -0,0 +1,69 @@
+config_opts['root'] = 'fedora-19-i386'
+config_opts['target_arch'] = 'i686'
+config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc19'  # only useful for --resultdir variable subst
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-19&arch=i386
+#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/i386/os/
+failovermethod=priority
+
+[updates]
+name=updates
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f19&arch=i386
+#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/19/i386/
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f19&arch=i386
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=file:///home/scripts-build/mock-local/
+cost=2000
+enabled=1
+
+[scripts]
+name=Scripts
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc19/
+enabled=1
+gpgcheck=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-19&arch=i386
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f19&arch=i386
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f19&arch=i386
+failovermethod=priority
+enabled=0
+"""
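Review bot: `gpgcheck=0` in the `[main]` section of the embedded yum.conf, combined with the `http://` mirrorlist and baseurl entries, means packages installed into the build chroot are neither signature-checked nor fetched over an authenticated channel. Anything altered in transit or on a mirror would end up in the environment that builds the RPMs for these servers. I would set `gpgcheck=1` in `[main]`, add `gpgkey=file:///<path-to-fedora-19-signing-key>` to the Fedora repo sections, and keep an explicit `gpgcheck=0` only on `[local]` and `[scripts]` if those repositories really are unsigned. The mirrorlist URLs could presumably also move to `https://mirrors.fedoraproject.org/...`. The same applies to scripts-fc19-x86_64.cfg and scripts-fc20-x86_64.cfg, added later in this commit.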
Index: trunk/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg
===================================================================
--- trunk/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg	(revision 2591)
+++ trunk/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg	(revision 2591)
@@ -0,0 +1,69 @@
+config_opts['root'] = 'fedora-19-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc19'  # only useful for --resultdir variable subst
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-19&arch=x86_64
+#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/x86_64/os/
+failovermethod=priority
+
+[updates]
+name=updates
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f19&arch=x86_64
+#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/19/x86_64/
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f19&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=file:///home/scripts-build/mock-local/
+cost=2000
+enabled=1
+
+[scripts]
+name=Scripts
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc19/
+enabled=1
+gpgcheck=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-19&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f19&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f19&arch=x86_64
+failovermethod=priority
+enabled=0
+"""
Index: trunk/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg
===================================================================
--- trunk/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg	(revision 2591)
+++ trunk/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg	(revision 2591)
@@ -0,0 +1,71 @@
+config_opts['root'] = 'fedora-20-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64',)
+config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
+config_opts['dist'] = 'fc20'  # only useful for --resultdir variable subst
+config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
+config_opts['releasever'] = '20'
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=x86_64
+#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Everything/x86_64/os/
+failovermethod=priority
+
+[updates]
+name=updates
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=x86_64
+#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/20/x86_64/
+failovermethod=priority
+
+[updates-testing]
+name=updates-testing
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f20&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[local]
+name=local
+baseurl=file:///home/scripts-build/mock-local/
+cost=2000
+enabled=1
+
+[scripts]
+name=Scripts
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc20/
+enabled=1
+gpgcheck=0
+
+[fedora-debuginfo]
+name=fedora-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-20&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[updates-debuginfo]
+name=updates-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f20&arch=x86_64
+failovermethod=priority
+enabled=0
+
+[updates-testing-debuginfo]
+name=updates-testing-debuginfo
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f20&arch=x86_64
+failovermethod=priority
+enabled=0
+"""
Index: trunk/server/fedora/config/etc/munin/munin-node.conf
===================================================================
--- trunk/server/fedora/config/etc/munin/munin-node.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/munin/munin-node.conf	(revision 2591)
@@ -4,5 +4,5 @@
 
 log_level 4
-log_file /var/log/munin/munin-node.log
+log_file /var/log/munin-node/munin-node.log
 pid_file /var/run/munin/munin-node.pid
 
Index: trunk/server/fedora/config/etc/nagios/nrpe.cfg
===================================================================
--- trunk/server/fedora/config/etc/nagios/nrpe.cfg	(revision 2581)
+++ trunk/server/fedora/config/etc/nagios/nrpe.cfg	(revision 2591)
@@ -24,5 +24,5 @@
 # user and is running in standalone mode.
 
-pid_file=/var/run/nrpe.pid
+pid_file=/var/run/nrpe/nrpe.pid
 
 
Index: trunk/server/fedora/config/etc/nsswitch.conf
===================================================================
--- trunk/server/fedora/config/etc/nsswitch.conf	(revision 2581)
+++ trunk/server/fedora/config/etc/nsswitch.conf	(revision 2591)
@@ -46,5 +46,5 @@
 
 #hosts:     db files nisplus nis dns
-hosts:      files dns
+hosts:      files dns myhostname
 #hosts:      files mdns4_minimal [NOTFOUND=return] dns
 
Index: trunk/server/fedora/config/etc/php.d/ctype.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/ctype.ini	(revision 2591)
+++ trunk/server/fedora/config/etc/php.d/ctype.ini	(revision 2591)
@@ -0,0 +1,2 @@
+; Enable ctype extension module
+extension=ctype.so
Index: trunk/server/fedora/config/etc/php.d/iconv.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/iconv.ini	(revision 2591)
+++ trunk/server/fedora/config/etc/php.d/iconv.ini	(revision 2591)
@@ -0,0 +1,2 @@
+; Enable iconv extension module
+extension=iconv.so
Index: trunk/server/fedora/config/etc/php.d/mysql.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/mysql.ini	(revision 2581)
+++ 	(revision )
@@ -1,1 +1,0 @@
-extension = mysql.so
Index: trunk/server/fedora/config/etc/php.d/mysqlnd.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/mysqlnd.ini	(revision 2591)
+++ trunk/server/fedora/config/etc/php.d/mysqlnd.ini	(revision 2591)
@@ -0,0 +1,2 @@
+; Enable mysqlnd extension module
+extension=mysqlnd.so
Index: trunk/server/fedora/config/etc/php.d/mysqlnd_mysql.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/mysqlnd_mysql.ini	(revision 2591)
+++ trunk/server/fedora/config/etc/php.d/mysqlnd_mysql.ini	(revision 2591)
@@ -0,0 +1,2 @@
+; Enable mysqlnd_mysql extension module
+extension=mysqlnd_mysql.so
Index: trunk/server/fedora/config/etc/php.d/mysqlnd_mysqli.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/mysqlnd_mysqli.ini	(revision 2591)
+++ trunk/server/fedora/config/etc/php.d/mysqlnd_mysqli.ini	(revision 2591)
@@ -0,0 +1,2 @@
+; Enable mysqlnd_mysqli extension module
+extension=mysqlnd_mysqli.so
Index: trunk/server/fedora/config/etc/php.d/xml.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/xml.ini	(revision 2591)
+++ trunk/server/fedora/config/etc/php.d/xml.ini	(revision 2591)
@@ -0,0 +1,2 @@
+; Enable xml extension module
+extension=xml.so
Index: trunk/server/fedora/config/etc/postfix/main.cf
===================================================================
--- trunk/server/fedora/config/etc/postfix/main.cf	(revision 2581)
+++ trunk/server/fedora/config/etc/postfix/main.cf	(revision 2591)
@@ -18,6 +18,6 @@
 recipient_delimiter = +
 inet_interfaces = all
-readme_directory = /usr/share/doc/postfix-2.9.6/README_FILES
-sample_directory = /usr/share/doc/postfix-2.9.6/samples
+readme_directory = /usr/share/doc/postfix-2.10.2/README_FILES
+sample_directory = /usr/share/doc/postfix-2.10.2/samples
 sendmail_path = /usr/sbin/sendmail
 html_directory = no
Index: trunk/server/fedora/config/etc/scripts/allowed-filecaps.list
===================================================================
--- trunk/server/fedora/config/etc/scripts/allowed-filecaps.list	(revision 2581)
+++ trunk/server/fedora/config/etc/scripts/allowed-filecaps.list	(revision 2591)
@@ -1,4 +1,6 @@
 /usr/bin/ping
 /usr/bin/ping6
+/usr/bin/systemd-detect-virt
 /usr/sbin/fping
 /usr/sbin/fping6
+/usr/sbin/mtr
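Review bot: `/usr/bin/systemd-detect-virt` and `/usr/sbin/mtr` are added to the allow-list with no record of which capabilities they are expected to carry or why they keep them. In the same commit, capoverride.action strips capabilities from `arping` and `clockdiff`. If unprivileged users on these hosts have no need for either binary, stripping is presumably the safer default, e.g. `/usr/bin/systemd-detect-virt:install:setcap -r /usr/bin/systemd-detect-virt` in capoverride.action rather than an allow-list entry. If they must keep their capabilities, the expected capability set for each path should be noted wherever this list is documented, so that a package update widening it is noticed.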
Index: trunk/server/fedora/config/etc/sysconfig/httpd
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/httpd	(revision 2581)
+++ trunk/server/fedora/config/etc/sysconfig/httpd	(revision 2591)
@@ -7,5 +7,5 @@
 # The service must be stopped before changing this variable.
 #
-HTTPD=/usr/sbin/httpd.worker
+HTTPD=/usr/sbin/httpd
 
 #
Index: trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth0
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth0	(revision 2591)
+++ trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth0	(revision 2591)
@@ -0,0 +1,1 @@
+default via 18.181.0.1
Index: trunk/server/fedora/config/etc/yum.repos.d/fedora-updates-testing.repo
===================================================================
--- trunk/server/fedora/config/etc/yum.repos.d/fedora-updates-testing.repo	(revision 2581)
+++ trunk/server/fedora/config/etc/yum.repos.d/fedora-updates-testing.repo	(revision 2591)
@@ -3,5 +3,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/testing/$releasever/$basearch/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
 enabled=0
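Review bot: The new `baseurl` still uses plain `http://` while the `https://` metalink line below it stays commented out, so repository metadata is fetched over an unauthenticated channel. Whether `gpgcheck` is enabled for this section is not visible in the hunk. If the host serves TLS, the minimal change is `baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/`; otherwise re-enable the `mirrorlist=https://mirrors.fedoraproject.org/metalink?...` line. The same applies to the other two hunks in this file and to every hunk in fedora-updates.repo and fedora.repo.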
@@ -13,5 +13,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/testing/$releasever/$basearch/debug/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
 enabled=0
@@ -23,5 +23,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/testing/$releasever/SRPMS/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
 enabled=0
Index: trunk/server/fedora/config/etc/yum.repos.d/fedora-updates.repo
===================================================================
--- trunk/server/fedora/config/etc/yum.repos.d/fedora-updates.repo	(revision 2581)
+++ trunk/server/fedora/config/etc/yum.repos.d/fedora-updates.repo	(revision 2591)
@@ -3,5 +3,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/$releasever/$basearch/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
 enabled=1
@@ -13,5 +13,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/debug/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/$releasever/$basearch/debug/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/$basearch/debug/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
 enabled=0
@@ -23,5 +23,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/$releasever/SRPMS/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/$releasever/SRPMS/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/SRPMS/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
 enabled=0
Index: trunk/server/fedora/config/etc/yum.repos.d/fedora.repo
===================================================================
--- trunk/server/fedora/config/etc/yum.repos.d/fedora.repo	(revision 2581)
+++ trunk/server/fedora/config/etc/yum.repos.d/fedora.repo	(revision 2591)
@@ -3,5 +3,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/$releasever/Everything/$basearch/os/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
 enabled=1
@@ -14,5 +14,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/$releasever/Everything/$basearch/debug/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
 enabled=0
@@ -25,5 +25,5 @@
 failovermethod=priority
 #baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/source/SRPMS/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/$releasever/Everything/source/SRPMS/
+baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/source/SRPMS/
 #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
 enabled=0
Index: trunk/server/fedora/config/etc/yum.repos.d/scripts.repo
===================================================================
--- trunk/server/fedora/config/etc/yum.repos.d/scripts.repo	(revision 2581)
+++ trunk/server/fedora/config/etc/yum.repos.d/scripts.repo	(revision 2591)
@@ -1,5 +1,5 @@
 [scripts]
 name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc17/
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc20/
 enabled=1
 gpgcheck=0
@@ -7,5 +7,5 @@
 [scripts-testing]
 name=Scripts Testing
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc17-testing/
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc20-testing/
 enabled=0
 gpgcheck=0
Index: trunk/server/fedora/config/etc/yum/post-actions/capoverride.action
===================================================================
--- trunk/server/fedora/config/etc/yum/post-actions/capoverride.action	(revision 2581)
+++ trunk/server/fedora/config/etc/yum/post-actions/capoverride.action	(revision 2591)
@@ -6,2 +6,4 @@
 /usr/bin/rlogin:install:setcap -r /usr/bin/rlogin
 /usr/libexec/pt_chown:install:setcap -r /usr/libexec/pt_chown
+/usr/sbin/arping:install:setcap -r /usr/sbin/arping
+/usr/sbin/clockdiff:install:setcap -r /usr/sbin/clockdiff
Index: trunk/server/fedora/config/etc/yum/post-actions/statoverride.action
===================================================================
--- trunk/server/fedora/config/etc/yum/post-actions/statoverride.action	(revision 2581)
+++ trunk/server/fedora/config/etc/yum/post-actions/statoverride.action	(revision 2591)
@@ -33,2 +33,8 @@
 /usr/sbin/netreport:install:chmod ug-s /usr/sbin/netreport
 /usr/bin/ssh-agent:install:chmod ug-s /usr/bin/ssh-agent
+/usr/bin/uustat:install:chmod ug-s /usr/bin/uustat
+/usr/bin/uucp:install:chmod ug-s /usr/bin/uucp
+/usr/bin/uux:install:chmod ug-s /usr/bin/uux
+/usr/bin/cu:install:chmod ug-s /usr/bin/cu
+/usr/bin/uucico:install:chmod ug-s /usr/bin/uucico
+/usr/libexec/qemu-bridge-helper:install:chmod ug-s /usr/libexec/qemu-bridge-helper
Index: trunk/server/fedora/specs/accountadm.spec
===================================================================
--- trunk/server/fedora/specs/accountadm.spec	(revision 2581)
+++ trunk/server/fedora/specs/accountadm.spec	(revision 2591)
@@ -10,9 +10,9 @@
 BuildRoot: %{_tmppath}/%(%{__id_u} -n)-%{name}-%{version}-root
 BuildRequires: scripts-openafs-devel, scripts-openafs-authlibs-devel
-BuildRequires: hesinfo
+BuildRequires: hesiod
 BuildRequires: openldap-clients
 BuildRequires: krb5-devel
 BuildRequires: sudo
-Requires: hesinfo
+Requires: hesiod
 Requires: openldap-clients
 Requires: sudo
Index: trunk/server/fedora/specs/discuss.spec
===================================================================
--- trunk/server/fedora/specs/discuss.spec	(revision 2581)
+++ trunk/server/fedora/specs/discuss.spec	(revision 2591)
@@ -1,5 +1,5 @@
 # Make sure to update this to coincide with the most recent debathena-discuss
 # release from http://debathena.mit.edu/apt/pool/debathena/d/debathena-discuss/
-%define upstreamversion 10.0.15
+%define upstreamversion 10.0.17
 Name:		discuss
 Version:	%{upstreamversion}
@@ -21,5 +21,5 @@
 
 %prep
-%setup -q -n debathena-%{name}-%{upstreamversion}
+%setup -q -n %{name}-%{upstreamversion}
 
 %build
@@ -30,5 +30,6 @@
 automake --add-missing --foreign || :
 %configure --without-krb4 --with-krb5 --with-zephyr --with-pager=/usr/bin/less
-make %{?_smp_mflags}
+#make %{?_smp_mflags}
+make
 
 %install
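Review bot: The parallel build is switched off by commenting the old line out (`#make %{?_smp_mflags}`) with no reason given, and rpm still expands macros inside `#` comments, which rpmlint reports as macro-in-comment. Replace the dead line with a why-comment such as `# parallel make disabled: <reason>` and keep only `make`, or escape the macro as `%%{?_smp_mflags}` if the old line should stay for reference. The %build section starts above this hunk.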
@@ -56,5 +57,4 @@
 %{_bindir}/dspipe
 %{_bindir}/mkds
-%{_bindir}/pmtg
 %{_bindir}/rmds
 %{_libexecdir}/edsc
@@ -99,4 +99,7 @@
 %attr(755,discuss,discuss) %{_localstatedir}/spool/discuss
 %attr(644,root,root) %config(noreplace) %{_sysconfdir}/xinetd.d/%{name}
+%{_libexecdir}/disdebug
+%{_libexecdir}/expunge
+%{_libexecdir}/recover
 
 %pre server
@@ -108,4 +111,7 @@
 
 %changelog
+* Mon May 26 2014 Alexander Chernyakhovsky <achernya@mit.edu> - 10.0.17-1
+- Update to discuss 10.0.17
+
 * Tue Mar 19 2013 Alexander Chernyakhovsky <achernya@mit.edu> - 10.0.15-1
 - Update to discuss 10.0.15
Index: trunk/server/fedora/specs/ghc-cgi.spec
===================================================================
--- trunk/server/fedora/specs/ghc-cgi.spec	(revision 2581)
+++ trunk/server/fedora/specs/ghc-cgi.spec	(revision 2591)
@@ -1,34 +1,43 @@
-# cabal2spec-0.25
+# Generated with cabal-rpm
 # https://fedoraproject.org/wiki/Packaging:Haskell
-# https://fedoraproject.org/wiki/PackagingDrafts/Haskell
 
 %global pkg_name cgi
 
-%global common_summary Haskell %{pkg_name} library
+Name:           ghc-%{pkg_name}
+Version:        3001.1.8.5
+Release:        0.%{scriptsversion}%{?dist}
+Summary:        A library for writing CGI programs
 
-%global common_description A %{pkg_name} library for Haskell.
-
-Name:           ghc-%{pkg_name}
-Version:        3001.1.8.2
-Release:        0.%{scriptsversion}%{?dist}
-Summary:        %{common_summary}
-
-Group:          System Environment/Libraries
 License:        BSD
-# BEGIN cabal2spec
 URL:            http://hackage.haskell.org/package/%{pkg_name}
 Source0:        http://hackage.haskell.org/packages/archive/%{pkg_name}/%{version}/%{pkg_name}-%{version}.tar.gz
-ExclusiveArch:  %{ghc_arches}
+
 BuildRequires:  ghc-Cabal-devel
 BuildRequires:  ghc-rpm-macros %{!?without_hscolour:hscolour}
-# END cabal2spec
-BuildRequires:  ghc-network-prof
-BuildRequires:  ghc-parsec-prof
-BuildRequires:  ghc-mtl-prof
-BuildRequires:  ghc-MonadCatchIO-mtl-prof
-BuildRequires:  ghc-xhtml-prof
+# Begin cabal-rpm deps:
+BuildRequires:  ghc-MonadCatchIO-mtl-devel
+BuildRequires:  ghc-containers-devel
+BuildRequires:  ghc-mtl-devel
+BuildRequires:  ghc-network-devel
+BuildRequires:  ghc-old-locale-devel
+BuildRequires:  ghc-old-time-devel
+BuildRequires:  ghc-parsec-devel
+BuildRequires:  ghc-xhtml-devel
+# End cabal-rpm deps
 
 %description
-%{common_description}
+This is a Haskell library for writing CGI programs.
+
+
+%package devel
+Summary:        Haskell %{pkg_name} library development files
+Provides:       %{name}-static = %{version}-%{release}
+Requires:       ghc-compiler = %{ghc_version}
+Requires(post): ghc-compiler = %{ghc_version}
+Requires(postun): ghc-compiler = %{ghc_version}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+This package provides the Haskell %{pkg_name} library development files.
 
 
@@ -45,17 +54,23 @@
 
 
-# devel subpackage
-%ghc_devel_package
-
-%ghc_devel_description
+%post devel
+%ghc_pkg_recache
 
 
-%ghc_devel_post_postun
+%postun devel
+%ghc_pkg_recache
 
 
-%ghc_files LICENSE
+%files -f %{name}.files
+%doc LICENSE
+
+
+%files devel -f %{name}-devel.files
 
 
 %changelog
+* Mon May 26 2014 Alexander Chernyakhovsky <achernya@mit.edu> - 3001.1.8.5-0
+- Updated packaging for F20, with cabal-rpm
+
 * Fri May 25 2012 Anders Kaseorg <andersk@mit.edu> - 3001.1.8.2-0
 - regenerated packaging with cabal2spec-0.25.5
Index: trunk/server/fedora/specs/ghc-unix-handle.spec
===================================================================
--- trunk/server/fedora/specs/ghc-unix-handle.spec	(revision 2581)
+++ trunk/server/fedora/specs/ghc-unix-handle.spec	(revision 2591)
@@ -1,29 +1,38 @@
-# cabal2spec-0.25
 # https://fedoraproject.org/wiki/Packaging:Haskell
-# https://fedoraproject.org/wiki/PackagingDrafts/Haskell
 
 %global pkg_name unix-handle
-
-%global common_summary Haskell %{pkg_name} library
-
-%global common_description A %{pkg_name} library for Haskell.
 
 Name:           ghc-%{pkg_name}
 Version:        0.0.0
 Release:        0.%{scriptsversion}%{?dist}
-Summary:        %{common_summary}
+Summary:        POSIX operations on Handles
 
-Group:          System Environment/Libraries
 License:        BSD
-# BEGIN cabal2spec
 URL:            http://hackage.haskell.org/package/%{pkg_name}
 Source0:        http://hackage.haskell.org/packages/archive/%{pkg_name}/%{version}/%{pkg_name}-%{version}.tar.gz
-ExclusiveArch:  %{ghc_arches}
+
 BuildRequires:  ghc-Cabal-devel
 BuildRequires:  ghc-rpm-macros %{!?without_hscolour:hscolour}
-# END cabal2spec
+# Begin cabal-rpm deps:
+BuildRequires:  ghc-unix-devel
+# End cabal-rpm deps
 
 %description
-%{common_description}
+This package provides versions of functions from "System.Posix.Files" that
+operate on 'System.IO.Handle' instead of 'System.IO.FilePath' or
+'System.Posix.Fd'. This is useful to prevent race conditions that may arise
+from looking up the same path twice.
+
+
+%package devel
+Summary:        Haskell %{pkg_name} library development files
+Provides:       %{name}-static = %{version}-%{release}
+Requires:       ghc-compiler = %{ghc_version}
+Requires(post): ghc-compiler = %{ghc_version}
+Requires(postun): ghc-compiler = %{ghc_version}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+This package provides the Haskell %{pkg_name} library development files.
 
 
@@ -40,17 +49,23 @@
 
 
-# devel subpackage
-%ghc_devel_package
-
-%ghc_devel_description
+%post devel
+%ghc_pkg_recache
 
 
-%ghc_devel_post_postun
+%postun devel
+%ghc_pkg_recache
 
 
-%ghc_files LICENSE
+%files -f %{name}.files
+%doc LICENSE
+
+
+%files devel -f %{name}-devel.files
 
 
 %changelog
+* Mon May 26 2014 Alex Chernyakhovsky <achernya@mit.edu> - 0.0.0-0
+- Updated packaging for F20 with cabal-rpm
+
 * Fri May 25 2012 Anders Kaseorg <andersk@mit.edu> - 0.0.0-0
 - regenerated packaging with cabal2spec-0.25.5
Index: trunk/server/fedora/specs/gnutls.spec.patch
===================================================================
--- trunk/server/fedora/specs/gnutls.spec.patch	(revision 2581)
+++ 	(revision )
@@ -1,28 +1,0 @@
---- gnutls.spec.orig	2014-03-08 16:13:24.922925743 -0500
-+++ gnutls.spec	2014-03-08 16:14:50.464231133 -0500
-@@ -1,7 +1,7 @@
- Summary: A TLS protocol implementation
- Name: gnutls
- Version: 2.12.23
--Release: 2%{?dist}
-+Release: 2%{?dist}.scripts.%{scriptsversion}
- # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
- License: GPLv3+ and LGPLv2+
- Group: System Environment/Libraries
-@@ -26,6 +26,8 @@
- # Use only FIPS approved ciphers in the FIPS mode
- Patch7: gnutls-2.12.21-fips-algorithms.patch
- Patch8: gnutls-2.12.23-cve-2013-2116.patch
-+# Patch GNUTLS-SA-2014-2
-+Patch9: gnutls-2.12.x-cve-2014-0092.patch
- 
- BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
- Requires: libgcrypt >= 1.2.2
-@@ -99,6 +101,7 @@
- %patch6 -p1 -b .cli-debug
- %patch7 -p1 -b .fips
- %patch8 -p1 -b .overread
-+%patch9 -p1 -b .cve-2014-0092
- 
- for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
-     touch lib/$i
Index: trunk/server/fedora/specs/httpd.spec.patch
===================================================================
--- trunk/server/fedora/specs/httpd.spec.patch	(revision 2581)
+++ trunk/server/fedora/specs/httpd.spec.patch	(revision 2591)
@@ -1,8 +1,8 @@
---- /tmp/httpd/httpd.spec.orig	2013-02-14 17:53:29.967176396 -0500
-+++ /tmp/httpd/httpd.spec	2013-02-14 17:54:57.172521444 -0500
-@@ -9,7 +9,7 @@
+--- rpmbuild/SPECS/httpd.spec.~1~	2014-07-23 06:24:15.000000000 -0400
++++ httpd.spec	2014-08-26 21:10:34.994027237 -0400
+@@ -15,7 +15,7 @@
  Summary: Apache HTTP Server
  Name: httpd
- Version: 2.2.23
+ Version: 2.4.10
 -Release: 1%{?dist}
 +Release: 1%{?dist}.scripts.%{scriptsversion}
@@ -10,21 +10,27 @@
  Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
  Source1: index.html
-@@ -57,6 +57,15 @@
- Requires(postun): systemd-units
- Requires(post): systemd-units
- 
+@@ -65,6 +65,13 @@
+ # Bug fixes
+ Patch55: httpd-2.4.4-malformed-host.patch
+ Patch56: httpd-2.4.4-mod_unique_id.patch
++
++Patch1001: httpd-suexec-scripts.patch
++Patch1002: httpd-mod_status-security.patch
++Patch1003: httpd-304s.patch
++Patch1004: httpd-fixup-vhost.patch
++Patch1005: httpd-allow-null-user.patch
++
+ License: ASL 2.0
+ Group: System Environment/Daemons
+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+@@ -77,6 +84,7 @@
+ Provides: webserver
+ Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
+ Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}, httpd-mmn = %{oldmmnisa}
 +Provides: scripts-httpd = %{version}-%{release}
-+Patch1000: httpd-suexec-scripts.patch
-+Patch1003: httpd-2.2.x-mod_status-security.patch
-+Patch1004: httpd-2.2.x-304.patch
-+Patch1005: httpd-2.2.x-mod_ssl-sessioncaching.patch
-+Patch1006: httpd-suexec-cloexec.patch
-+Patch1007: httpd-fixup-vhost.patch
-+Patch1008: httpd-SSLCompression.patch
-+
- %description
- The Apache HTTP Server is a powerful, efficient, and extensible
- web server.
-@@ -67,6 +76,7 @@
+ Requires: httpd-tools = %{version}-%{release}
+ Requires(pre): /usr/sbin/useradd
+ Requires(preun): systemd-units
+@@ -94,6 +102,7 @@
  Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
  Requires: apr-devel, apr-util-devel, pkgconfig
@@ -34,5 +40,5 @@
  %description devel
  The httpd-devel package contains the APXS binary and other files
-@@ -105,6 +115,7 @@
+@@ -132,6 +141,7 @@
  Requires(post): openssl, /bin/cat
  Requires(pre): httpd
@@ -42,28 +48,29 @@
  
  %description -n mod_ssl
-@@ -131,6 +142,14 @@
- # Patch in vendor/release string
- sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
+@@ -190,6 +200,12 @@
+ %patch55 -p1 -b .malformedhost
+ %patch56 -p1 -b .uniqueid
  
-+%patch1000 -p1 -b .scripts
-+%patch1003 -p1 -b .permitstatus
-+%patch1004 -p1 -b .scripts-304
-+%patch1005 -p1 -b .ssl-sessioncache
-+%patch1006 -p1 -b .cloexec
-+%patch1007 -p1 -b .fixup-vhost
-+%patch1008 -p1 -b .sslcompression
++%patch1001 -p1 -b .suexec-scripts
++%patch1002 -p1 -b .mod_status-security
++%patch1003 -p1 -b .scripts-304s
++%patch1004 -p1 -b .fixup-vhost
++%patch1005 -p1 -b .allow-null-user
 +
- # Safety check: prevent build if defined MMN does not equal upstream MMN.
- vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
- if test "x${vmmn}" != "x%{mmn}"; then
-@@ -191,10 +210,12 @@
-         --with-apr=%{_prefix} --with-apr-util=%{_prefix} \
+ # Patch in the vendor string
+ sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
+ 
+@@ -242,11 +258,13 @@
  	--enable-suexec --with-suexec \
+         --enable-suexec-capabilities \
  	--with-suexec-caller=%{suexec_caller} \
--	--with-suexec-docroot=%{contentdir} \
+-	--with-suexec-docroot=%{docroot} \
+-	--without-suexec-logfile \
+-        --with-suexec-syslog \
 +	--with-suexec-docroot=/ \
 +	--with-suexec-userdir=web_scripts \
 +	--with-suexec-trusteddir=/usr/libexec/scripts-trusted \
- 	--with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
++	--with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
++        --without-suexec-syslog \
  	--with-suexec-bin=%{_sbindir}/suexec \
 -	--with-suexec-uidmin=500 --with-suexec-gidmin=100 \
@@ -71,3 +78,22 @@
          --enable-pie \
          --with-pcre \
- 	$*
+         --enable-mods-shared=all \
+@@ -542,7 +560,8 @@
+ %{_sbindir}/fcgistarter
+ %{_sbindir}/apachectl
+ %{_sbindir}/rotatelogs
+-%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
++# cap_dac_override needed to write to /var/log/httpd
++%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
+ 
+ %dir %{_libdir}/httpd
+ %dir %{_libdir}/httpd/modules
+@@ -1014,3 +1033,8 @@
+ * Sun Apr 04 2010 Robert Scheck <robert@fedoraproject.org> - 2.2.15-1
+ - update to 2.2.15 (#572404, #579311)
+ 
++Patch1001: httpd-suexec-scripts.patch
++Patch1002: httpd-mod_status-security.patch
++Patch1003: httpd-304s.patch
++Patch1004: httpd-fixup-vhost.patch
++Patch1005: httpd-allow-null-user.patch
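Review bot: Adding `cap_dac_override` to the file capabilities of suexec lets that binary bypass every file permission check while it runs, which is a much wider grant than the stated need of writing one log under /var/log/httpd. The need appears to come from the previous hunk of this patch, which replaces `--with-suexec-syslog` with `--with-suexec-logfile=...` and `--without-suexec-syslog`; keeping syslog logging would let the `%caps` line stay at `cap_setuid,cap_setgid+pe`. Whether suexec drops the extra capability before it touches request-controlled paths depends on patches not shown here, so if the capability must stay, the comment should say where it is dropped. Separately, the last inner hunk appends the five `Patch1001` to `Patch1005` lines after the final %changelog entry, duplicating the declarations already added after `Patch56`; that looks like an accidental paste and should be removed.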
Index: trunk/server/fedora/specs/kernel.spec.patch
===================================================================
--- trunk/server/fedora/specs/kernel.spec.patch	(revision 2581)
+++ 	(revision )
@@ -1,36 +1,0 @@
---- kernel.spec.orig	2014-05-13 21:12:04.076585365 -0400
-+++ kernel.spec	2014-05-13 21:16:17.885587650 -0400
-@@ -783,6 +783,16 @@
- #rhbz 976837
- Patch25065: fix-ext4-overflows.patch
- 
-+# CVE-2014-0196 (FEDORA-2014-6122)
-+Patch30000: cve-2014-0196.patch
-+
-+# CVE-2014-3153
-+Patch30001: cve-2014-3153-0.patch
-+Patch30002: cve-2014-3153-1.patch
-+Patch30003: cve-2014-3153-2.patch
-+Patch30004: cve-2014-3153-3.patch
-+Patch30005: cve-2014-3153-4.patch
-+
- # END OF PATCH DEFINITIONS
- 
- %endif
-@@ -1516,6 +1519,16 @@
- #rhbz 976837
- ApplyPatch fix-ext4-overflows.patch
- 
-+# CVE-2014-0196 (FEDORA-2014-6122)
-+ApplyPatch cve-2014-0196.patch
-+
-+# CVE-2014-3153
-+ApplyPatch cve-2014-3153-0.patch
-+ApplyPatch cve-2014-3153-1.patch
-+ApplyPatch cve-2014-3153-2.patch
-+ApplyPatch cve-2014-3153-3.patch
-+ApplyPatch cve-2014-3153-4.patch
-+
- # END OF PATCH APPLICATIONS
- 
- %endif
Index: trunk/server/fedora/specs/krb5.spec.patch
===================================================================
--- trunk/server/fedora/specs/krb5.spec.patch	(revision 2581)
+++ trunk/server/fedora/specs/krb5.spec.patch	(revision 2591)
@@ -1,16 +1,16 @@
---- krb5.spec.orig	2013-05-23 18:04:40.738088099 -0400
-+++ krb5.spec	2013-05-23 18:08:02.592147349 -0400
-@@ -20,7 +20,7 @@
+--- krb5.spec.orig	2014-05-25 19:01:13.701141912 -0400
++++ krb5.spec	2014-05-25 19:02:11.438816630 -0400
+@@ -41,7 +41,7 @@
  Summary: The Kerberos network authentication system
  Name: krb5
- Version: 1.10.2
--Release: 12%{?dist}
-+Release: 12%{?dist}.scripts.%{scriptsversion}
+ Version: 1.11.5
+-Release: 11%{?dist}
++Release: 11%{?dist}.scripts.%{scriptsversion} 
  # Maybe we should explode from the now-available-to-everybody tarball instead?
- # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
+ # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.5-signed.tar
  Source0: krb5-%{version}.tar.gz
-@@ -77,6 +77,8 @@
- Patch113: krb5-fast-msg_type.patch
- Patch114: krb5-1.11.2-kpasswd_pingpong.patch
+@@ -143,6 +143,8 @@
+ Patch405: 0005-Be-more-careful-of-target-ccache-collections.patch
+ Patch406: 0006-Copy-config-entries-to-the-target-ccache.patch
  
 +Patch1000: krb5-kuserok-scripts.patch
@@ -19,18 +19,19 @@
  URL: http://web.mit.edu/kerberos/www/
  Group: System Environment/Libraries
-@@ -134,6 +136,7 @@
+@@ -232,6 +234,7 @@
  %package libs
  Summary: The shared libraries used by Kerberos 5
  Group: System Environment/Libraries
 +Provides: scripts-krb5-libs, scripts-krb5-libs%{?_isa}
+ %if 0%{?rhel} == 6
+ # Some of the older libsmbclient builds here incorrectly called
+ # krb5_locate_kdc(), which was mistakenly exported in 1.9.
+@@ -410,6 +413,8 @@
+ %patch203 -p1 -b .otp2
+ %patch204 -p1 -b .move-otp-sockets
  
- %description libs
- Kerberos is a network authentication system. The krb5-libs package
-@@ -261,6 +264,7 @@
- %patch112 -p1 -b .CVE-2013-1416
- %patch113 -p1 -b .fast-msg_type
- %patch114 -p1 -b .kpasswd_pingpong
 +%patch1000 -p1 -b .kuserok
- rm src/lib/krb5/krb/deltat.c
++
+ # Take the execute bit off of documentation.
+ chmod -x doc/krb5-protocol/*.txt
  
- gzip doc/*.ps
Index: trunk/server/fedora/specs/openafs.spec.patch
===================================================================
--- trunk/server/fedora/specs/openafs.spec.patch	(revision 2581)
+++ trunk/server/fedora/specs/openafs.spec.patch	(revision 2591)
@@ -1,6 +1,6 @@
---- openafs.spec.orig	2013-06-24 04:40:31.000000000 -0400
-+++ openafs.spec	2013-07-18 22:43:10.631044261 -0400
+--- openafs.spec.orig	2014-05-25 21:15:54.539027644 -0400
++++ openafs.spec	2014-05-25 21:16:27.836268275 -0400
 @@ -4,7 +4,7 @@
- %define pkgvers 1.6.4
+ %define pkgvers 1.6.8
  # for beta/rc releases make pkgrel 0.<tag>
  # for real releases make pkgrel 1 (or more for extra releases)
@@ -10,5 +10,5 @@
  %{!?fedorakmod: %define fedorakmod 1}
  %{!?build_dkmspkg: %define build_dkmspkg 1}
-@@ -249,9 +249,16 @@
+@@ -249,9 +249,15 @@
  %if %{build_modules}
  BuildRequires: kernel-devel
@@ -21,5 +21,4 @@
 +Patch1002: openafs-systemd-crond.patch
 +Patch1003: openafs-systemd-csdb.patch
-+Patch1004: openafs-d_drop.patch
 +%define _default_patch_fuzz 2
 +
@@ -33,5 +32,5 @@
 +Provides: scripts-openafs-client
  Requires: binutils, openafs = %{version}
- %if 0%{?fedora} >= 15
+ %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
  Requires: systemd-units
 @@ -382,6 +389,7 @@
@@ -92,5 +91,5 @@
  %else
  
-@@ -698,6 +711,12 @@
+@@ -698,6 +711,11 @@
  #%setup -q -n %{srcdir}
  %setup -q -b 1 -n %{srcdir}
@@ -100,10 +99,9 @@
 +%patch1002 -p1 -b .systemd-crond
 +%patch1003 -p1 -b .systemd-csdb
-+%patch1004 -p1 -b .d_drop
 +
  ##############################################################################
  #
  # building
-@@ -869,6 +887,8 @@
+@@ -871,6 +889,8 @@
  %endif
  %endif
@@ -114,5 +112,5 @@
         --prefix=%{_prefix} \
         --libdir=%{_libdir} \
-@@ -1257,6 +1277,13 @@
+@@ -1267,6 +1287,13 @@
  rm -f $RPM_BUILD_ROOT%{_libdir}/libafsrpc.so
  rm -f $RPM_BUILD_ROOT%{_libdir}/libafsauthent.so.*
Index: trunk/server/fedora/specs/openssh.spec.patch
===================================================================
--- trunk/server/fedora/specs/openssh.spec.patch	(revision 2581)
+++ trunk/server/fedora/specs/openssh.spec.patch	(revision 2591)
@@ -1,5 +1,5 @@
---- openssh.spec.orig	2013-07-15 21:14:52.452894092 -0400
-+++ openssh.spec	2013-07-15 21:18:59.494168115 -0400
-@@ -74,7 +74,7 @@
+--- openssh.spec.orig	2014-05-25 19:03:45.308703615 -0400
++++ openssh.spec	2014-05-25 19:05:57.593843283 -0400
+@@ -71,7 +71,7 @@
  Summary: An open source implementation of SSH protocol versions 1 and 2
  Name: openssh
@@ -9,24 +9,23 @@
  URL: http://www.openssh.com/portable.html
  #URL1: http://pamsshagentauth.sourceforge.net
- #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-@@ -220,7 +220,7 @@
- Patch904: openssh-5.9p1-change-max-startups.patch
- # make sftp's libedit interface marginally multibyte aware (#841771)
- Patch908: openssh-5.9p1-sftp-multibyte.patch
--
+ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+@@ -196,6 +196,7 @@
+ # ignore environment variables with embedded '=' or '\0' characters (#1077843)
+ Patch909: openssh-6.4p1-ignore-bad-env-var.patch
+ 
 +Patch1001: openssh-4.7p1-gssapi-name-in-env.patch
  
  License: BSD
  Group: Applications/Internet
-@@ -271,6 +273,7 @@
- Group: Applications/Internet
- Requires: openssh = %{version}-%{release}
+@@ -254,6 +255,7 @@
+ Requires(pre): /usr/sbin/useradd
+ Requires: pam >= 1.0.1-3
  Requires: fipscheck-lib%{_isa} >= 1.3.0
 +Provides: scripts-openssh-server
- 
- %package server
- Summary: An open source SSH server daemon
-@@ -458,10 +461,12 @@
- %patch714 -p0 -b .null-xcrypt
+ Requires(post): systemd-units
+ Requires(preun): systemd-units
+ Requires(postun): systemd-units
+@@ -411,10 +413,12 @@
+ %patch713 -p1 -b .ctr-cavs
  
  %patch800 -p1 -b .gsskex
@@ -39,8 +38,8 @@
 +# Remove the kuserok patch as it won't apply without patch800
 +# %patch901 -p1 -b .kuserok
- %patch902 -p1 -b .man-moduli
- %patch903 -p1 -b .ipqos
- %patch904 -p1 -b .max-startups
-@@ -471,6 +476,8 @@
+ %patch902 -p1 -b .ccache_name
+ %patch903 -p1 -b .dh
+ %patch904 -p1 -b .SP800-131A
+@@ -428,6 +432,8 @@
  # Nothing here yet
  %endif
Index: trunk/server/fedora/specs/openssl.spec.patch
===================================================================
--- trunk/server/fedora/specs/openssl.spec.patch	(revision 2581)
+++ 	(revision )
@@ -1,84 +1,0 @@
---- openssl.spec.orig	2013-02-19 16:06:27.000000000 -0500
-+++ openssl.spec	2014-08-06 20:57:41.043801219 -0400
-@@ -20,13 +20,13 @@
- 
- Summary: A general purpose cryptography library with TLS implementation
- Name: openssl
--Version: 1.0.0k
--Release: 1%{?dist}
-+Version: 1.0.0n
-+Release: 0%{?dist}.scripts.%{scriptsversion}
- Epoch: 1
- # We have to remove certain patented algorithms from the openssl source
- # tarball with the hobble-openssl script which is included below.
- # The original openssl upstream tarball cannot be shipped in the .src.rpm.
--Source: openssl-%{version}-usa.tar.xz
-+Source: https://www.openssl.org/source/openssl-%{version}.tar.gz
- Source1: hobble-openssl
- Source2: Makefile.certificate
- Source6: make-dummy-cert
-@@ -44,23 +44,22 @@
- Patch7: openssl-1.0.0-timezone.patch
- # Bug fixes
- Patch23: openssl-1.0.0-beta4-default-paths.patch
--Patch25: openssl-1.0.0a-manfix.patch
- # Functionality changes
- Patch32: openssl-0.9.8g-ia64.patch
- Patch33: openssl-1.0.0-beta4-ca-dir.patch
- Patch34: openssl-0.9.6-x509.patch
- Patch35: openssl-0.9.8j-version-add-engines.patch
--Patch38: openssl-1.0.0-beta5-cipher-change.patch
--Patch39: openssl-1.0.0b-ipv6-apps.patch
--Patch40: openssl-1.0.0k-fips.patch
-+Patch38: openssl-1.0.0n-cipher-change.patch
-+Patch39: openssl-1.0.0n-ipv6-apps.patch
-+Patch40: openssl-1.0.0n-fips.patch
- Patch41: openssl-1.0.0-beta3-fipscheck.patch
- Patch43: openssl-1.0.0a-fipsmode.patch
- Patch44: openssl-1.0.0-beta3-fipsrng.patch
- Patch45: openssl-1.0.1e-env-zlib.patch
- Patch47: openssl-1.0.0-beta5-readme-warning.patch
--Patch49: openssl-1.0.1a-algo-doc.patch
-+Patch49: openssl-1.0.0n-algo-doc.patch
- Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
--Patch51: openssl-1.0.0k-version.patch
-+Patch51: openssl-1.0.0n-version.patch
- Patch52: openssl-1.0.0b-aesni.patch
- Patch53: openssl-1.0.0-name-hash.patch
- Patch54: openssl-1.0.0c-speed-fips.patch
-@@ -73,13 +72,11 @@
- Patch61: openssl-1.0.0d-cavs.patch
- Patch62: openssl-1.0.0-fips-aesni.patch
- Patch63: openssl-1.0.0d-xmpp-starttls.patch
--Patch64: openssl-1.0.0k-intelopts.patch
- Patch65: openssl-1.0.0e-chil-fixes.patch
- Patch66: openssl-1.0.0-sha2test.patch
- Patch67: openssl-1.0.0k-secure-getenv.patch
- # Backported fixes including security fixes
- Patch81: openssl-1.0.0d-padlock64.patch
--Patch82: openssl-1.0.0k-backports.patch
- 
- License: OpenSSL
- Group: System Environment/Libraries
-@@ -143,7 +140,6 @@
- %patch7 -p1 -b .timezone
- 
- %patch23 -p1 -b .default-paths
--%patch25 -p1 -b .manfix
- 
- %patch32 -p1 -b .ia64
- %patch33 -p1 -b .ca-dir
-@@ -172,13 +168,11 @@
- %patch61 -p1 -b .cavs
- %patch62 -p1 -b .fips-aesni
- %patch63 -p1 -b .starttls
--%patch64 -p1 -b .intelopts
- %patch65 -p1 -b .chil
- %patch66 -p1 -b .sha2test
- %patch67 -p1 -b .secure-getenv
- 
- %patch81 -p1 -b .padlock64
--%patch82 -p1 -b .backports
- 
- # Modify the various perl scripts to reference perl in the right location.
- perl util/perlpath.pl `dirname %{__perl}`
Index: trunk/server/fedora/specs/python-authkit.spec
===================================================================
--- trunk/server/fedora/specs/python-authkit.spec	(revision 2591)
+++ trunk/server/fedora/specs/python-authkit.spec	(revision 2591)
@@ -0,0 +1,67 @@
+# sitelib for noarch packages, sitearch for others (remove the unneeded one)
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
+
+Name:		python-authkit
+Version:	0.4.5
+Release:	2%{?dist}
+Summary:	An authentication and authorization toolkit for WSGI applications and frameworks
+
+License:	MIT
+URL:		https://pypi.python.org/pypi/AuthKit/0.4.5
+Source0:	https://pypi.python.org/packages/source/A/AuthKit/AuthKit-0.4.5.tar.gz
+
+BuildArch:	noarch
+
+BuildRequires:	python-setuptools
+BuildRequires:	python2-devel
+
+Requires:	python-beaker
+Requires:	python-decorator
+Requires:	python-nose
+Requires:	python-openid
+Requires:	python-paste
+Requires:	python-paste-deploy
+Requires:	python-paste-script
+Requires:	python-webob
+
+Patch0:		python-authkit.patch
+
+%description
+* Built for WSGI applications and middleware
+* Sophisticated and extensible permissions system
+* Built in support for HTTP basic, HTTP digest, form, cookie and
+  OpenID authentication methods plus others
+* Easily define users, passwords and roles
+* Designed to be totally extensible so you can use the components to
+  integrate with a database, LDAP connection or your own custom system
+* Plays nicely with the Pylons web framework
+
+
+%prep
+%setup -q -n AuthKit-%{version}
+%patch0 -p1
+
+
+%build
+# Remove CFLAGS=... for noarch packages (unneeded)
+CFLAGS="$RPM_OPT_FLAGS" %{__python} setup.py build
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+%{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT
+
+ 
+%files
+%doc
+# For noarch packages: sitelib
+%{python_sitelib}/*
+
+
+%changelog
+* Thu Aug 28 2014 Alex Chernyakhovsky <achernya@mit.edu> - 0.4.5-2
+- Correct ElementTree import.
+
+* Thu Aug 28 2014 Alex Chernyakhovsky <achernya@mit.edu> - 0.4.5-1
+- Initial packaging.
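Review bot: `URL` and `Source0` hard-code 0.4.5 while `%setup` uses `%{version}`, so a later bump of `Version:` would keep fetching the old tarball and then fail in %prep; use `Source0: https://pypi.python.org/packages/source/A/AuthKit/AuthKit-%{version}.tar.gz`. `Patch0: python-authkit.patch` modifies an authentication library and has no comment; going by the changelog it is the ElementTree import fix, so say so above the line, e.g. `# Fix ElementTree import (see changelog 0.4.5-2)`. `Requires: python-nose` makes a test runner a runtime dependency of every consumer; unless AuthKit imports it at run time (not visible here), it should be dropped or moved to BuildRequires. The leftover template comments and the empty `%doc` line can go, and `CFLAGS="$RPM_OPT_FLAGS"` is unneeded for a `BuildArch: noarch` package.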
Index: trunk/server/fedora/specs/rubygem-fcgi.spec
===================================================================
--- trunk/server/fedora/specs/rubygem-fcgi.spec	(revision 2591)
+++ trunk/server/fedora/specs/rubygem-fcgi.spec	(revision 2591)
@@ -0,0 +1,86 @@
+# Generated from fcgi-0.9.1.gem by gem2rpm -*- rpm-spec -*-
+%global gem_name fcgi
+
+Name: rubygem-%{gem_name}
+Version: 0.9.2.1
+Release: 1.scripts.%{scriptsversion}%{?dist}
+Summary: FastCGI library for Ruby
+Group: Development/Languages
+License: BSDL
+URL: http://github.com/alphallc/ruby-fcgi-ng
+Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
+Requires: ruby(release)
+Requires: ruby(rubygems) 
+Requires: fcgi-devel
+BuildRequires: ruby(release)
+BuildRequires: rubygems-devel 
+BuildRequires: ruby-devel 
+BuildRequires: fcgi-devel
+Provides: rubygem(%{gem_name}) = %{version}
+
+%description
+FastCGI is a language independent, scalable, open extension to CGI that
+provides high performance without the limitations of server specific APIs.
+This version aims to be compatible with both 1.8.x and 1.9.x versions of Ruby,
+and also will be ported to 2.0.x.
+
+
+%package doc
+Summary: Documentation for %{name}
+Group: Documentation
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
+
+%description doc
+Documentation for %{name}
+
+%prep
+gem unpack %{SOURCE0}
+
+%setup -q -D -T -n  %{gem_name}-%{version}
+
+gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
+
+%build
+# Create the gem as gem install only works on a gem file
+gem build %{gem_name}.gemspec
+
+# %%gem_install compiles any C extensions and installs the gem into ./%gem_dir
+# by default, so that we can move it into the buildroot in %%install
+%gem_install
+
+%install
+mkdir -p %{buildroot}%{gem_dir}
+cp -pa .%{gem_dir}/* \
+        %{buildroot}%{gem_dir}/
+
+mkdir -p %{buildroot}%{gem_extdir_mri}/lib
+# TODO: move the extensions
+# mv %{buildroot}%{gem_instdir}/lib/shared_object.so %{buildroot}%{gem_extdir_mri}/lib/
+
+
+
+%files
+%dir %{gem_instdir}
+%{gem_libdir}
+%exclude %{gem_instdir}/ext
+%{gem_extdir_mri}
+%exclude %{gem_cache}
+%{gem_spec}
+
+%files doc
+%doc %{gem_docdir}
+%doc %{gem_instdir}/VERSION
+%doc %{gem_instdir}/LICENSE
+%doc %{gem_instdir}/README.rdoc
+%doc %{gem_instdir}/README.signals
+%{gem_instdir}/fcgi.gemspec
+%{gem_instdir}/test/helper.rb
+%{gem_instdir}/test/test_fcgi.rb
+
+%changelog
+* Sat Jul 19 2014 Benjamin Tidor <btidor@mit.edu> - 0.9.2.1-1
+- Updated to 0.9.2.1, reconfigured for Sscripts
+
+* Mon Aug 12 2013 Steven Valdez <dvorak42@XVM-THREE-199.MIT.EDU> - 0.9.1-1
+- Initial package
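Review bot: `Requires: fcgi-devel` makes headers and development files a runtime dependency on every host that installs this gem; the built extension presumably needs only the shared library, which rpm's automatic library dependency or `Requires: fcgi` covers, with `fcgi-devel` left under BuildRequires. The %install section creates `%{gem_extdir_mri}/lib`, but the move of the compiled extension is still a commented-out template line naming `shared_object.so`, so the packaged `%{gem_extdir_mri}` is likely empty; either move the real .so there or drop the directory and the TODO. That commented `mv` line also contains unescaped macros, which rpm expands inside comments; write them as `%%{...}`, as the `%%gem_install` comment above it already does.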
Index: trunk/server/fedora/specs/rubygem-pony.spec
===================================================================
--- trunk/server/fedora/specs/rubygem-pony.spec	(revision 2581)
+++ trunk/server/fedora/specs/rubygem-pony.spec	(revision 2591)
@@ -1,9 +1,8 @@
 # Generated from pony-1.8.gem by gem2rpm -*- rpm-spec -*-
 %global gem_name pony
-%global rubyabi 1.9.1
 
 Name: rubygem-%{gem_name}
 Version: 1.8
-Release: 1%{?dist}.scripts.%{scriptsversion}
+Release: 2%{?dist}.scripts.%{scriptsversion}
 Summary: Send email in one command: Pony.mail(:to => 'someone@example.com', :body => 'hello')
 Group: Development/Languages
@@ -11,8 +10,8 @@
 URL: http://github.com/benprew/pony
 Source0: http://rubygems.org/gems/%{gem_name}-%{version}.gem
-Requires: ruby(abi) = %{rubyabi}
+Requires: ruby(release)
 Requires: ruby(rubygems) 
 Requires: rubygem(mail) >= 2.0
-BuildRequires: ruby(abi) = %{rubyabi}
+BuildRequires: ruby(release)
 BuildRequires: rubygems-devel 
 BuildRequires: ruby 
@@ -72,4 +71,7 @@
 
 %changelog
+* Mon May 26 2014 Alexander Chernyakhovsky <achernya@mit.edu> - 1.8-2
+- Update for Fedora 20
+
 * Sun Mar 09 2014 Benjamin Tidor <btidor@mit.edu> - 1.8-1
 - Initial package
Index: trunk/server/fedora/specs/rubygems.spec.patch
===================================================================
--- trunk/server/fedora/specs/rubygems.spec.patch	(revision 2581)
+++ 	(revision )
@@ -1,29 +1,0 @@
---- rubygems.spec.orig	2013-04-05 15:02:08.147935906 -0400
-+++ rubygems.spec	2013-04-05 15:04:14.512566960 -0400
-@@ -26,7 +26,7 @@
- Summary:	The Ruby standard for packaging ruby libraries
- Name:		rubygems
- Version:	1.8.25
--Release:	6%{?dist}
-+Release:	6%{?dist}.scripts.%{scriptsversion}
- Group:		Development/Libraries
- License:	Ruby or MIT
- 
-@@ -60,6 +60,8 @@
- # https://github.com/rubygems/rubygems/issues/210
- Patch109:	rubygems-1.8.11-binary-extensions.patch
- 
-+Provides: scripts-rubygems = %{version}-%{release}
-+Patch1000: rubygems-rails-require-thread.patch
- 
- Requires:	ruby(abi) = 1.9.1
- Requires:	rubygem(rdoc) >= 3.9.4
-@@ -105,6 +107,8 @@
- %patch105 -p1 -b .uninst
- %patch109 -p1 -b .bindir
- 
-+%patch1000 -p1 -b .thread
-+
- # Some of the library files start with #! which rpmlint doesn't like
- # and doesn't make much sense
- for f in `find lib -name \*.rb` ; do
Index: trunk/server/fedora/specs/scripts-base.spec
===================================================================
--- trunk/server/fedora/specs/scripts-base.spec	(revision 2581)
+++ trunk/server/fedora/specs/scripts-base.spec	(revision 2591)
@@ -22,5 +22,4 @@
 Requires: scripts-openssh-server
 Requires: scripts-static-cat
-Requires: scripts-rubygems
 Requires: sql-signup
 Requires: tokensys
Index: trunk/server/fedora/specs/scripts-static-cat.spec
===================================================================
--- trunk/server/fedora/specs/scripts-static-cat.spec	(revision 2581)
+++ trunk/server/fedora/specs/scripts-static-cat.spec	(revision 2591)
@@ -1,5 +1,3 @@
-# cabal2spec-0.25
 # https://fedoraproject.org/wiki/Packaging:Haskell
-# https://fedoraproject.org/wiki/PackagingDrafts/Haskell
 
 # Link Haskell libs statically for 3x faster startup speed.
@@ -11,22 +9,21 @@
 Summary:        static-cat for scripts.mit.edu
 
-Group:          Applications/System
-License:        GPL
-# BEGIN cabal2spec
+License:        GPL+
 URL:            http://scripts.mit.edu/
 Source0:        %{name}.tar.gz
-ExclusiveArch:  %{ghc_arches}
+
 BuildRequires:  ghc-Cabal-devel
 BuildRequires:  ghc-rpm-macros
-# END cabal2spec
+# Begin cabal-rpm deps:
+BuildRequires:  ghc-MonadCatchIO-mtl-devel
 BuildRequires:  ghc-bytestring-devel
-BuildRequires:  ghc-cgi-devel >= 3001.1.8
+BuildRequires:  ghc-cgi-devel
 BuildRequires:  ghc-containers-devel
 BuildRequires:  ghc-filepath-devel
-BuildRequires:  ghc-MonadCatchIO-mtl-devel
 BuildRequires:  ghc-old-locale-devel
 BuildRequires:  ghc-time-devel
 BuildRequires:  ghc-unix-devel
 BuildRequires:  ghc-unix-handle-devel
+# End cabal-rpm deps
 
 %description
@@ -51,4 +48,7 @@
 
 %changelog
+* Mon May 26 2014 Alexander Chernyakhovsky <achernya@mit.edu> - 0.0-0
+- Updated for F20 with cabal-rpm
+
 * Fri May 25 2012 Anders Kaseorg <andersk@mit.edu> - 0.0-0
 - regenerated packaging with cabal2spec-0.25.5
Index: trunk/server/fedora/specs/zephyr.spec
===================================================================
--- trunk/server/fedora/specs/zephyr.spec	(revision 2581)
+++ trunk/server/fedora/specs/zephyr.spec	(revision 2591)
@@ -1,4 +1,6 @@
 Name:           zephyr
-Version:        3.0.2
+Version:        3.1.2
+%define commit 54c6b84a81301a1691f9bec10c63c1e36166df9d
+%define shortcommit %(c=%{commit}; echo ${c:0:7})
 Release:        0.%{scriptsversion}%{?dist}
 Summary:        Client programs for the Zephyr real-time messaging system
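Review bot: The two added macros use `%define`, which rpm expands lazily at each use, so the `%(...)` shell call inside `shortcommit` is re-run every time the macro is referenced. Fedora's packaging guidelines prefer `%global` for spec-wide values like these. I would write `%global commit 54c6b84a81301a1691f9bec10c63c1e36166df9d` and `%global shortcommit %(c=%{commit}; echo ${c:0:7})`. A one-line comment naming the upstream tag or release this commit corresponds to would also help, since nothing visible here ties `Version: 3.1.2` to the hash.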
@@ -7,5 +9,5 @@
 License:        MIT
 URL:            http://zephyr.1ts.org/
-Source0:        http://zephyr.1ts.org/export/HEAD/distribution/%{name}-%{version}.tar.gz
+Source0:        https://github.com/zephyr-im/zephyr/archive/%{commit}/%{name}-%{version}-%{shortcommit}.tar.gz
 Source1:        zhm.init
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
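Review bot: The spec records no digest for the tarball that the new `Source0` points at, so integrity rests on the fetch step, even though pinning the full commit hash over HTTPS is a clear improvement on the old `export/HEAD` URL. If the build fetches `Source0` from the network, I would record the expected checksum wherever sources are fetched and verify it before `%prep`. That mechanism is outside this hunk, so this is a question rather than a finding. Separately, the unchanged `URL:` line still points at `http://zephyr.1ts.org/` while the source now comes from GitHub; if the project home has moved, `URL: https://github.com/zephyr-im/zephyr` would keep the two consistent.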
@@ -59,5 +61,5 @@
 
 %prep
-%setup -q
+%setup -q -n %{name}-%{commit}
 cp -p %{SOURCE1} .
 
@@ -142,7 +144,10 @@
 %{_libdir}/*.so
 %{_includedir}/*
-
+%{_libdir}/pkgconfig/zephyr.pc
 
 %changelog
+* Mon May 26 2014 Alexander Chernyakhovsky <achernya@mit.edu> - 3.1.2-0
+- Update to Zephyr 3.1.2, fix packaging for F20
+
 * Sat Apr 16 2011 Alexander Chernyakhovsky <achernya@mit.edu> 3.0.1-0
 - Zephyr 3.0.1
Index: trunk/server/fedora/specs/zhm.init
===================================================================
--- trunk/server/fedora/specs/zhm.init	(revision 2581)
+++ trunk/server/fedora/specs/zhm.init	(revision 2591)
@@ -14,6 +14,6 @@
 ### BEGIN INIT INFO
 # Provides: zhm
-# Required-Start: $local_fs $remote_fs $network $named
-# Required-Stop: $local_fs $remote_fs $network
+# Required-Start: $local_fs $network $named
+# Required-Stop: $local_fs $network
 # Default-Start: 2 3 4 5
 # Default-Stop: 0 1 6
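Review bot: Nothing in the header says why `$remote_fs` was dropped from `Required-Start` and `Required-Stop`, and that facility is what orders an LSB script after network-mounted filesystems. If the removal is deliberate, for example to break an ordering dependency on a remote mount, a comment above the `### BEGIN INIT INFO` line such as `# $remote_fs intentionally omitted: zhm needs only local files and the network` would stop a later cleanup from restoring it. If zhm or anything it reads at start can live on a remote filesystem, the dependency should stay. The rest of the init script is outside this hunk, so I cannot confirm which case applies.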
