Diffstat (limited to 'openssl-freefilesync/openssl-1.1.1-fips.patch')
-rw-r--r--openssl-freefilesync/openssl-1.1.1-fips.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/openssl-freefilesync/openssl-1.1.1-fips.patch b/openssl-freefilesync/openssl-1.1.1-fips.patch
index d59c440..3ff5aa4 100644
--- a/openssl-freefilesync/openssl-1.1.1-fips.patch
+++ b/openssl-freefilesync/openssl-1.1.1-fips.patch
@@ -11673,6 +11673,45 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c
}
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
+diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h
+--- openssl-1.1.1c/ssl/ssl_locl.h.fips 2019-06-03 16:44:58.963560101 +0200
++++ openssl-1.1.1c/ssl/ssl_locl.h 2019-06-24 14:43:19.547353076 +0200
+@@ -1507,6 +1507,7 @@ typedef struct tls_group_info_st {
+ # define TLS_CURVE_PRIME 0x0
+ # define TLS_CURVE_CHAR2 0x1
+ # define TLS_CURVE_CUSTOM 0x2
++# define TLS_CURVE_FIPS 0x80
+
+ typedef struct cert_pkey_st CERT_PKEY;
+
+diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c
+--- openssl-1.1.1c/ssl/t1_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/ssl/t1_lib.c 2019-06-24 14:49:00.638576235 +0200
+@@ -156,11 +156,11 @@ static const TLS_GROUP_INFO nid_list[] =
+ {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
+ {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
+ {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
+- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
++ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
+ {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
+- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
+- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
+- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
++ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
++ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
++ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
+ {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
+ {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
+ {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
+@@ -255,6 +255,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
+ if (cinfo->flags & TLS_CURVE_CHAR2)
+ return 0;
+ # endif
++ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
++ return 0;
+ ctmp[0] = curve >> 8;
+ ctmp[1] = curve & 0xff;
+ return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c
--- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100
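Review bot: The new `TLS_CURVE_FIPS 0x80` flag is a single bit mixed into a `flags` field whose existing values (`TLS_CURVE_PRIME 0x0`, `CHAR2 0x1`, `CUSTOM 0x2`) are enumerated type values rather than bits, so any code that compares `flags` for equality against one of those type constants (rather than masking) will stop matching the four entries now OR'd with 0x80; a comment on the define should state that it lives outside the type bits and that type tests must mask, e.g. `# define TLS_CURVE_FIPS 0x80 /* usable under FIPS_mode(); not part of the group-type value, mask before comparing */`. In `tls_curve_allowed`, the FIPS rejection is placed before `ssl_security()`, which is the right order since it means the security callback cannot re-enable a non-approved group, but that is worth saying in a comment such as `/* FIPS: only groups flagged TLS_CURVE_FIPS (P-224/256/384/521 here) pass; checked before ssl_security() so the callback cannot override */`. Note that every group not touched by this hunk (the k1 curves, brainpool, and presumably X25519/X448 with TLS_CURVE_CUSTOM) is now silently dropped in FIPS mode, so a default group list that starts with X25519 will be filtered rather than rejected with an error — if that is intended it should be documented next to the check. Both the `nid_list` table and `tls_curve_allowed` begin and end outside this hunk, and whether `FIPS_mode()` is declared in `t1_lib.c`'s includes is not visible here.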