diff --git a/SOURCES/openssl-1.1.1-fips-dh.patch b/SOURCES/openssl-1.1.1-fips-dh.patch
index 9e15289..d98372e 100644
--- a/SOURCES/openssl-1.1.1-fips-dh.patch
+++ b/SOURCES/openssl-1.1.1-fips-dh.patch
@@ -1,6 +1,6 @@
 diff -up openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh openssl-1.1.1g/crypto/bn/bn_const.c
 --- openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/bn/bn_const.c	2020-06-05 17:31:28.044776018 +0200
++++ openssl-1.1.1g/crypto/bn/bn_const.c	2020-07-17 10:36:29.245788441 +0200
 @@ -1,13 +1,17 @@
  /*
 - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
@@ -479,7 +479,7 @@ diff -up openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh openssl-1.1.1g/crypto/bn/bn
  }
 diff -up openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1g/crypto/bn/bn_dh.c
 --- openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/bn/bn_dh.c	2020-06-05 17:31:28.044776018 +0200
++++ openssl-1.1.1g/crypto/bn/bn_dh.c	2020-07-17 10:36:29.246788449 +0200
 @@ -1,7 +1,7 @@
  /*
 - * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved.
@@ -1958,7 +1958,7 @@ diff -up openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1g/crypto/bn/bn_dh
 +#endif /* OPENSSL_NO_DH */
 diff -up openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh openssl-1.1.1g/crypto/dh/dh_check.c
 --- openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_check.c	2020-06-05 17:31:28.045776027 +0200
++++ openssl-1.1.1g/crypto/dh/dh_check.c	2020-07-17 10:36:29.246788449 +0200
 @@ -10,6 +10,7 @@
  #include <stdio.h>
  #include "internal/cryptlib.h"
@@ -1998,9 +1998,54 @@ diff -up openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh openssl-1.1.1g/crypto/dh/dh
      ctx = BN_CTX_new();
      if (ctx == NULL)
          goto err;
+@@ -177,7 +188,7 @@ int DH_check_pub_key_ex(const DH *dh, co
+     return errflags == 0;
+ }
+ 
+-int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
++static int dh_check_pub_key_int(const DH *dh, const BIGNUM *q, const BIGNUM *pub_key, int *ret)
+ {
+     int ok = 0;
+     BIGNUM *tmp = NULL;
+@@ -198,9 +209,9 @@ int DH_check_pub_key(const DH *dh, const
+     if (BN_cmp(pub_key, tmp) >= 0)
+         *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
+ 
+-    if (dh->q != NULL) {
++    if (q != NULL) {
+         /* Check pub_key^q == 1 mod p */
+-        if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
++        if (!BN_mod_exp(tmp, pub_key, q, dh->p, ctx))
+             goto err;
+         if (!BN_is_one(tmp))
+             *ret |= DH_CHECK_PUBKEY_INVALID;
+@@ -212,3 +223,23 @@ int DH_check_pub_key(const DH *dh, const
+     BN_CTX_free(ctx);
+     return ok;
+ }
++
++int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
++{
++    return dh_check_pub_key_int(dh, dh->q, pub_key, ret);
++}
++
++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret)
++{
++    BIGNUM *q = dh->q;
++
++    if (q == NULL) {
++        if (dh_get_known_q(dh, &q) == 0) {
++            *ret |= DH_CHECK_INVALID_Q_VALUE;
++            return 0;
++        }
++    }
++
++    return dh_check_pub_key_int(dh, q, pub_key, ret);
++}
++
 diff -up openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1g/crypto/dh/dh_gen.c
---- openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh	2020-06-05 17:31:27.977775462 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_gen.c	2020-06-05 17:31:28.045776027 +0200
+--- openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh	2020-07-17 10:36:29.182787923 +0200
++++ openssl-1.1.1g/crypto/dh/dh_gen.c	2020-07-17 10:36:29.246788449 +0200
 @@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i
                                BN_GENCB *cb)
  {
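Review bot: `dh_check_pub_key_full` executes `*ret |= DH_CHECK_INVALID_Q_VALUE` on its early-return path before any visible code has initialised `*ret`, and the caller this patch adds in generate_key (dh_key.c section) passes an uninitialised `int check_result`. The indeterminate read is masked only because the function returns 0 and the caller short-circuits on that; add `*ret = 0;` as the first statement of dh_check_pub_key_full, or assign instead of OR-ing. DH_CHECK_INVALID_Q_VALUE also appears to come from the DH_check() flag set rather than the DH_CHECK_PUBKEY_* flags this function otherwise reports, so a caller decoding the result with the pub-key flags could miss it. The body of dh_check_pub_key_int is only partly inside the hunk, so where it zeroes `*ret` cannot be confirmed from here.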
@@ -2031,8 +2076,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1g/crypto/dh/dh_g
      if (ctx == NULL)
          goto err;
 diff -up openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh openssl-1.1.1g/crypto/dh/dh_key.c
---- openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh	2020-06-05 17:31:27.977775462 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_key.c	2020-06-05 17:31:28.045776027 +0200
+--- openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh	2020-07-17 10:36:29.182787923 +0200
++++ openssl-1.1.1g/crypto/dh/dh_key.c	2020-07-17 11:00:07.783777846 +0200
 @@ -100,10 +100,18 @@ static int generate_key(DH *dh)
      BIGNUM *pub_key = NULL, *priv_key = NULL;
  
@@ -2073,9 +2118,52 @@ diff -up openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh openssl-1.1.1g/crypto/dh/dh_k
              do {
                  if (!BN_priv_rand_range(priv_key, dh->q))
                      goto err;
+@@ -175,6 +191,15 @@ static int generate_key(DH *dh)
+         }
+         /* We MUST free prk before any further use of priv_key */
+         BN_clear_free(prk);
++
++        if (FIPS_mode()) {
++            int check_result;
++
++            if (!dh_check_pub_key_full(dh, pub_key, &check_result) || check_result) {
++                DHerr(DH_F_GENERATE_KEY, DH_R_INVALID_PUBKEY);
++                goto err;
++            }
++        }
+     }
+ 
+     dh->pub_key = pub_key;
+@@ -197,6 +222,7 @@ static int compute_key(unsigned char *ke
+     BN_CTX *ctx = NULL;
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *tmp;
++    BIGNUM *p1;
+     int ret = -1;
+     int check_result;
+ 
+@@ -243,6 +269,18 @@ static int compute_key(unsigned char *ke
+         DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
+         goto err;
+     }
++
++    if (BN_is_zero(tmp) || BN_is_one(tmp) || BN_is_negative(tmp)) {
++        DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
++        goto err;
++    }
++
++    if ((p1 = BN_CTX_get(ctx)) == NULL
++        || !BN_sub(p1, dh->p, BN_value_one())
++        || BN_cmp(p1, tmp) <= 0) {
++        DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
++        goto err;
++    }
+ 
+     ret = BN_bn2bin(tmp, key);
+  err:
 diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_lib.c
 --- openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_lib.c	2020-06-18 14:13:33.546892717 +0200
++++ openssl-1.1.1g/crypto/dh/dh_lib.c	2020-07-17 10:36:29.246788449 +0200
 @@ -8,6 +8,7 @@
   */
  
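Review bot: Both new rejections in compute_key raise `ERR_R_BN_LIB`, the same reason the preceding context lines use, so a degenerate shared secret derived from a peer's public value cannot be told apart in the error queue from an internal bignum or allocation failure. A DH-specific reason code for the out-of-range case would let callers and logs separate hostile input from resource exhaustion; the `BN_CTX_get`/`BN_sub` failures could keep `ERR_R_BN_LIB` if the condition were split. The accepted range is also only implicit in the two conditions, and a comment such as `/* reject shared secret outside [2, p-2] */` above the first check would state it. compute_key starts and ends outside the hunk.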
@@ -2093,11 +2181,12 @@ diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_l
      return ret;
  
   err:
-@@ -205,7 +208,9 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
+@@ -205,7 +208,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
          dh->g = g;
      }
  
 -    if (q != NULL) {
++    dh->nid = NID_undef;
 +    dh_cache_nid(dh);
 +
 +    if (q != NULL && dh->nid == NID_undef) {
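Review bot: The added `dh->nid = NID_undef;` in DH_set0_pqg is load-bearing but uncommented. With the dh_rfc7919.c change in this same patch, dh_match_group accepts a cached nid without comparing p, so calling dh_cache_nid without this reset would keep the previous group's nid after p or g has been replaced. A comment on the line would stop it being removed as redundant, for example `/* dh_match_group() trusts a cached nid; clear it before re-matching the new p/g */`. DH_set0_pqg begins and ends outside the hunk.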
@@ -2105,8 +2194,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_l
      }
  
 diff -up openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh openssl-1.1.1g/crypto/dh/dh_local.h
---- openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh	2020-06-05 17:31:27.763773685 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_local.h	2020-06-05 17:31:28.045776027 +0200
+--- openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh	2020-07-17 10:36:28.968786163 +0200
++++ openssl-1.1.1g/crypto/dh/dh_local.h	2020-07-17 10:36:29.246788449 +0200
 @@ -35,6 +35,7 @@ struct dh_st {
      const DH_METHOD *meth;
      ENGINE *engine;
@@ -2115,15 +2204,20 @@ diff -up openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh openssl-1.1.1g/crypto/dh/dh
  };
  
  struct dh_method {
-@@ -55,3 +56,5 @@ struct dh_method {
+@@ -55,3 +56,10 @@ struct dh_method {
      int (*generate_params) (DH *dh, int prime_len, int generator,
                              BN_GENCB *cb);
  };
 +
 +void dh_cache_nid(DH *dh);
++/* Obtain known q value based on nid or p */
++int dh_get_known_q(const DH *dh, BIGNUM **q);
++/* FIPS mode only check which requires nid set and looks up q based on it. */
++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret);
++
 diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/dh_rfc7919.c
 --- openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/dh/dh_rfc7919.c	2020-06-05 17:31:28.045776027 +0200
++++ openssl-1.1.1g/crypto/dh/dh_rfc7919.c	2020-07-17 10:36:29.246788449 +0200
 @@ -7,6 +7,8 @@
   * https://www.openssl.org/source/license.html
   */
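Review bot: The comment on `dh_check_pub_key_full` says the check "requires nid set and looks up q based on it", which does not match the implementation in dh_check.c. That implementation uses `dh->q` when present and otherwise calls dh_get_known_q, which matches on nid or on p. The prototype `int dh_get_known_q(const DH *dh, BIGNUM **q)` also hands back a non-const pointer to what appear to be the static `const BIGNUM _bignum_*_q` tables, so the ownership rule should be written down. Suggested wording: `/* Sets *q to a shared constant for the matched group; caller must not modify or free it. Returns 1 on match, 0 otherwise. */` and `/* Uses dh->q if set, else the known q for the group; fails with 0 if neither is available. */`.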
@@ -2154,7 +2248,7 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/
      return dh;
  }
  
-@@ -29,46 +36,115 @@ DH *DH_new_by_nid(int nid)
+@@ -29,46 +36,121 @@ DH *DH_new_by_nid(int nid)
  {
      switch (nid) {
      case NID_ffdhe2048:
@@ -2203,52 +2297,52 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/
          return NID_undef;
 -    if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p))
 +
-+    if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p)) {
++    if (dh->nid == NID_ffdhe2048 || !BN_cmp(dh->p, &_bignum_ffdhe2048_p)) {
          nid = NID_ffdhe2048;
 -    else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p))
 +        q = &_bignum_ffdhe2048_q;
 +        length = 225;
-+    } else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p)) {
++    } else if (dh->nid == NID_ffdhe3072 || !BN_cmp(dh->p, &_bignum_ffdhe3072_p)) {
          nid = NID_ffdhe3072;
 -    else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p))
 +        q = &_bignum_ffdhe3072_q;
 +        length = 275;
-+    } else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p)) {
++    } else if (dh->nid == NID_ffdhe4096 || !BN_cmp(dh->p, &_bignum_ffdhe4096_p)) {
          nid = NID_ffdhe4096;
 -    else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p))
 +        q = &_bignum_ffdhe4096_q;
 +        length = 325;
-+    } else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p)) {
++    } else if (dh->nid == NID_ffdhe6144 || !BN_cmp(dh->p, &_bignum_ffdhe6144_p)) {
          nid = NID_ffdhe6144;
 -    else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p))
 +        q = &_bignum_ffdhe6144_q;
 +        length = 375;
-+    } else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p)) {
++    } else if (dh->nid == NID_ffdhe8192 || !BN_cmp(dh->p, &_bignum_ffdhe8192_p)) {
          nid = NID_ffdhe8192;
 -    else
 +        q = &_bignum_ffdhe8192_q;
 +        length = 400;
-+    } else if (!BN_cmp(dh->p, &_bignum_modp_2048_p)) {
++    } else if (dh->nid == NID_modp_2048 || !BN_cmp(dh->p, &_bignum_modp_2048_p)) {
 +        nid = NID_modp_2048;
 +        q = &_bignum_modp_2048_q;
 +        length = 225;
-+    } else if (!BN_cmp(dh->p, &_bignum_modp_3072_p)) {
++    } else if (dh->nid == NID_modp_3072 || !BN_cmp(dh->p, &_bignum_modp_3072_p)) {
 +        nid = NID_modp_3072;
 +        q = &_bignum_modp_3072_q;
 +        length = 275;
-+    } else if (!BN_cmp(dh->p, &_bignum_modp_4096_p)) {
++    } else if (dh->nid == NID_modp_4096 || !BN_cmp(dh->p, &_bignum_modp_4096_p)) {
 +        nid = NID_modp_4096;
 +        q = &_bignum_modp_4096_q;
 +        length = 325;
-+    } else if (!BN_cmp(dh->p, &_bignum_modp_6144_p)) {
++    } else if (dh->nid == NID_modp_6144 || !BN_cmp(dh->p, &_bignum_modp_6144_p)) {
 +        nid = NID_modp_6144;
 +        q = &_bignum_modp_6144_q;
 +        length = 375;
-+    } else if (!BN_cmp(dh->p, &_bignum_modp_8192_p)) {
++    } else if (dh->nid == NID_modp_8192 || !BN_cmp(dh->p, &_bignum_modp_8192_p)) {
 +        nid = NID_modp_8192;
 +        q = &_bignum_modp_8192_q;
 +        length = 400;
-+    } else if (!FIPS_mode() && !BN_cmp(dh->p, &_bignum_modp_1536_p)) {
++    } else if (!FIPS_mode() && (dh->nid == NID_modp_1536 || !BN_cmp(dh->p, &_bignum_modp_1536_p))) {
 +        nid = NID_modp_1536;
 +        q = &_bignum_modp_1536_q;
 +        length = 175;
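Review bot: Every branch of dh_match_group now accepts `dh->nid == NID_x` without comparing `dh->p`, so a stale cached nid would return the q and length of a group other than the one actually in `dh->p`. dh_check_pub_key_full would then validate public keys against the wrong subgroup order. The only reset visible in this patch is the one added to DH_set0_pqg; any other code that writes dh->p or dh->g (parameter decoding, copying, generation — not visible here) has to clear nid as well. State that invariant next to the `nid` field in dh_local.h, e.g. `/* trusted by dh_match_group(); must be NID_undef whenever p/g are changed */`, and audit the remaining writers. The function starts and ends outside the hunk.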
@@ -2287,9 +2381,63 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/
 +{
 +    dh->nid = dh_match_group(dh, NULL, &dh->length);
 +}
++
++int dh_get_known_q(const DH *dh, BIGNUM **q)
++{
++    return dh_match_group(dh, q, NULL) != NID_undef;
++}
++
+diff -up openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh openssl-1.1.1g/crypto/ec/ec_key.c
+--- openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh	2020-07-17 11:00:53.958175227 +0200
++++ openssl-1.1.1g/crypto/ec/ec_key.c	2020-07-20 13:24:03.941107320 +0200
+@@ -280,9 +280,18 @@ int ec_key_simple_generate_key(EC_KEY *e
+     if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
+         goto err;
+ 
+-    eckey->priv_key = priv_key;
+     eckey->pub_key = pub_key;
+ 
++    if (FIPS_mode()) {
++        eckey->priv_key = NULL;
++        if (EC_KEY_check_key(eckey) <= 0) {
++            eckey->pub_key = NULL;
++            goto err;
++        }
++    }
++
++    eckey->priv_key = priv_key;
++
+     ok = 1;
+ 
+  err:
+@@ -296,8 +305,23 @@ int ec_key_simple_generate_key(EC_KEY *e
+ 
+ int ec_key_simple_generate_public_key(EC_KEY *eckey)
+ {
+-    return EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
++    BIGNUM *priv_key;
++    int ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
+                         NULL, NULL);
++
++    if (ret <= 0 || !FIPS_mode())
++        return ret;
++
++    /* no need to perform private key test, temporarily hide it */
++    priv_key = eckey->priv_key;
++    eckey->priv_key = NULL;
++    ret = EC_KEY_check_key(eckey);
++    eckey->priv_key = priv_key;
++
++    if (ret <= 0)
++        EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);
++
++    return ret;
+ }
+ 
+ int EC_KEY_check_key(const EC_KEY *eckey)
 diff -up openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh openssl-1.1.1g/crypto/evp/p_lib.c
 --- openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/evp/p_lib.c	2020-06-05 17:31:28.045776027 +0200
++++ openssl-1.1.1g/crypto/evp/p_lib.c	2020-07-17 10:36:29.247788458 +0200
 @@ -540,7 +540,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p
  
  int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
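Review bot: In ec_key_simple_generate_key the FIPS branch sets `eckey->priv_key = NULL` with no explanation, while ec_key_simple_generate_public_key carries a comment for the same trick. Add one above the branch, e.g. `/* validate the public key only; priv_key is attached after the check passes */`. The new failure path also reaches `err` holding a fully generated private scalar; that label is outside the hunk, so confirm it releases `priv_key` with a clearing free rather than a plain one. In ec_key_simple_generate_public_key the result of `EC_POINT_set_to_infinity` is ignored, so if that call fails the rejected point stays in `eckey->pub_key` even though the function reports failure.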
@@ -2301,8 +2449,8 @@ diff -up openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh openssl-1.1.1g/crypto/evp/p_l
  
      if (ret)
 diff -up openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1g/crypto/objects/obj_dat.h
---- openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh	2020-06-05 17:31:28.036775952 +0200
-+++ openssl-1.1.1g/crypto/objects/obj_dat.h	2020-06-05 17:31:28.046776035 +0200
+--- openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh	2020-07-17 10:36:29.239788392 +0200
++++ openssl-1.1.1g/crypto/objects/obj_dat.h	2020-07-17 10:36:29.247788458 +0200
 @@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
      0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D,       /* [ 7753] OBJ_hmacWithSHA512_256 */
  };
@@ -2365,8 +2513,8 @@ diff -up openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1g/crypto/o
       173,    /* "name" */
       681,    /* "onBasis" */
 diff -up openssl-1.1.1g/crypto/objects/objects.txt.fips-dh openssl-1.1.1g/crypto/objects/objects.txt
---- openssl-1.1.1g/crypto/objects/objects.txt.fips-dh	2020-06-05 17:31:28.037775960 +0200
-+++ openssl-1.1.1g/crypto/objects/objects.txt	2020-06-05 17:31:28.046776035 +0200
+--- openssl-1.1.1g/crypto/objects/objects.txt.fips-dh	2020-07-17 10:36:29.239788392 +0200
++++ openssl-1.1.1g/crypto/objects/objects.txt	2020-07-17 10:36:29.247788458 +0200
 @@ -1657,6 +1657,13 @@ id-pkinit 5                     : pkInit
                              : ffdhe4096
                              : ffdhe6144
@@ -2382,8 +2530,8 @@ diff -up openssl-1.1.1g/crypto/objects/objects.txt.fips-dh openssl-1.1.1g/crypto
  # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17)
  
 diff -up openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1g/crypto/objects/obj_mac.num
---- openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh	2020-06-05 17:31:28.037775960 +0200
-+++ openssl-1.1.1g/crypto/objects/obj_mac.num	2020-06-05 17:31:28.046776035 +0200
+--- openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh	2020-07-17 10:36:29.239788392 +0200
++++ openssl-1.1.1g/crypto/objects/obj_mac.num	2020-07-17 10:36:29.248788466 +0200
 @@ -1196,3 +1196,9 @@ sshkdf		1195
  kbkdf		1196
  krb5kdf		1197
@@ -2396,7 +2544,7 @@ diff -up openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1g/crypto
 +modp_8192		1204
 diff -up openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1g/doc/man3/DH_new_by_nid.pod
 --- openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/doc/man3/DH_new_by_nid.pod	2020-06-05 17:31:28.046776035 +0200
++++ openssl-1.1.1g/doc/man3/DH_new_by_nid.pod	2020-07-17 10:36:29.248788466 +0200
 @@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find
  
   #include <openssl/dh.h>
@@ -2417,7 +2565,7 @@ diff -up openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1g/doc/ma
  any named set. It returns the NID corresponding to the matching parameters or
 diff -up openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod
 --- openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod	2020-06-05 17:31:28.046776035 +0200
++++ openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod	2020-07-17 10:36:29.248788466 +0200
 @@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets
  If B<pad> is zero (the default) then no padding is performed.
  
@@ -2436,7 +2584,7 @@ diff -up openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1g/do
  The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are
 diff -up openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh openssl-1.1.1g/include/crypto/bn_dh.h
 --- openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/include/crypto/bn_dh.h	2020-06-05 17:31:28.047776043 +0200
++++ openssl-1.1.1g/include/crypto/bn_dh.h	2020-07-17 10:36:29.248788466 +0200
 @@ -1,7 +1,7 @@
  /*
 - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
@@ -2486,8 +2634,8 @@ diff -up openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh openssl-1.1.1g/include/cr
 +extern const BIGNUM _bignum_modp_6144_q;
 +extern const BIGNUM _bignum_modp_8192_q;
 diff -up openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh openssl-1.1.1g/include/openssl/obj_mac.h
---- openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh	2020-06-05 17:31:28.038775968 +0200
-+++ openssl-1.1.1g/include/openssl/obj_mac.h	2020-06-05 17:31:28.047776043 +0200
+--- openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh	2020-07-17 10:36:29.240788400 +0200
++++ openssl-1.1.1g/include/openssl/obj_mac.h	2020-07-17 10:36:29.248788466 +0200
 @@ -5115,6 +5115,24 @@
  #define SN_ffdhe8192            "ffdhe8192"
  #define NID_ffdhe8192           1130
@@ -2514,8 +2662,8 @@ diff -up openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh openssl-1.1.1g/include
  #define NID_ISO_UA              1150
  #define OBJ_ISO_UA              OBJ_member_body,804L
 diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
---- openssl-1.1.1g/ssl/s3_lib.c.fips-dh	2020-06-05 17:31:27.996775620 +0200
-+++ openssl-1.1.1g/ssl/s3_lib.c	2020-06-05 17:31:28.047776043 +0200
+--- openssl-1.1.1g/ssl/s3_lib.c.fips-dh	2020-07-17 10:36:29.199788063 +0200
++++ openssl-1.1.1g/ssl/s3_lib.c	2020-07-17 10:36:29.248788466 +0200
 @@ -4858,13 +4858,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey
  EVP_PKEY *ssl_dh_to_pkey(DH *dh)
  {
@@ -2569,8 +2717,8 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
  }
  #endif
 diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
---- openssl-1.1.1g/ssl/t1_lib.c.fips-dh	2020-06-05 17:31:28.042776002 +0200
-+++ openssl-1.1.1g/ssl/t1_lib.c	2020-06-18 14:18:13.518339214 +0200
+--- openssl-1.1.1g/ssl/t1_lib.c.fips-dh	2020-07-17 10:36:29.243788425 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c	2020-07-17 10:36:29.249788474 +0200
 @@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
  #ifndef OPENSSL_NO_DH
  DH *ssl_get_auto_dh(SSL *s)
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index fadc22e..dbd4c4d 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1g
-Release: 9%{?dist}
+Release: 11%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -477,6 +477,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11
+- Further changes for SP 800-56A rev3 requirements
+
 * Tue Jun 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
 - Rewire FIPS_drbg API to use the RAND_DRBG
 - Use the well known DH groups in TLS even for 2048 and 1024 bit parameters