deleted file mode 100644

@@ -1,42 +0,0 @@

-From 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe Mon Sep 17 00:00:00 2001

-From: Guido Vranken <guidovranken@gmail.com>

-Date: Mon, 11 Jun 2018 19:38:54 +0200

-Subject: [PATCH] Reject excessively large primes in DH key generation.

-

-CVE-2018-0732

-

-Signed-off-by: Guido Vranken <guidovranken@gmail.com>

-

-Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

-Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

-Reviewed-by: Rich Salz <rsalz@openssl.org>

-Reviewed-by: Matt Caswell <matt@openssl.org>

-(Merged from https://github.com/openssl/openssl/pull/6457)

- crypto/dh/dh_key.c | 7 ++++++-

- 1 file changed, 6 insertions(+), 1 deletion(-)

-

-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c

-index 6901548..752542b 100644

-+++ b/crypto/dh/dh_key.c

-@@ -78,10 +78,15 @@ static int generate_key(DH *dh)

-     int ok = 0;

-     int generate_new_key = 0;

-     unsigned l;

--    BN_CTX *ctx;

-+    BN_CTX *ctx = NULL;

-     BN_MONT_CTX *mont = NULL;

-     BIGNUM *pub_key = NULL, *priv_key = NULL;

- 

-+    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {

-+        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);

-+        return 0;

-+    }

-+

-     ctx = BN_CTX_new();

-     if (ctx == NULL)

-         goto err;

-2.7.4

-

deleted file mode 100644

@@ -1,27 +0,0 @@

-From: Billy Brumley <bbrumley@gmail.com>

-Date: Wed, 11 Apr 2018 07:10:58 +0000 (+0300)

-Subject: RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with... 

-X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f

-

-RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.

-

-CVE-2018-0737

-

-Reviewed-by: Rich Salz <rsalz@openssl.org>

-Reviewed-by: Matt Caswell <matt@openssl.org>

-(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)

-

-diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c

-index 9ca5dfe..42b89a8 100644

-+++ b/crypto/rsa/rsa_gen.c

-@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,

-     if (BN_copy(rsa->e, e_value) == NULL)

-         goto err;

- 

-+    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);

-+    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);

-     BN_set_flags(r2, BN_FLG_CONSTTIME);

-     /* generate p and q */

-     for (;;) {

deleted file mode 100644

@@ -1,528 +0,0 @@

-diff -rup openssl-1.0.2o/apps/s_apps.h openssl-1.0.2o-new/apps/s_apps.h

-+++ openssl-1.0.2o-new/apps/s_apps.h	2018-04-03 14:04:09.704887325 -0700

-@@ -151,7 +151,7 @@ typedef fd_mask fd_set;

- #define PORT_STR        "4433"

- #define PROTOCOL        "tcp"

- 

--int do_server(int port, int type, int *ret,

-+int do_server(char *port, int type, int *ret,

-               int (*cb) (char *hostname, int s, int stype,

-                          unsigned char *context), unsigned char *context,

-               int naccept);

-@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS

- int ssl_print_curves(BIO *out, SSL *s, int noshared);

- #endif

- int ssl_print_tmp_key(BIO *out, SSL *s);

--int init_client(int *sock, char *server, int port, int type);

-+int init_client(int *sock, char *server, char *port, int type);

- int should_retry(int i);

- int extract_port(char *str, short *port_ptr);

--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,

--                      short *p);

-+int extract_host_port(char *str, char **host_ptr, char **port_ptr);

- 

- long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,

-                                    int argi, long argl, long ret);

-diff -rup openssl-1.0.2o/apps/s_client.c openssl-1.0.2o-new/apps/s_client.c

-+++ openssl-1.0.2o-new/apps/s_client.c	2018-04-03 14:04:09.704887325 -0700

-@@ -668,7 +668,7 @@ int MAIN(int argc, char **argv)

-     int cbuf_len, cbuf_off;

-     int sbuf_len, sbuf_off;

-     fd_set readfds, writefds;

--    short port = PORT;

-+    char *port_str = PORT_STR;

-     int full_log = 1;

-     char *host = SSL_HOST_NAME;

-     char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;

-@@ -792,13 +792,11 @@ int MAIN(int argc, char **argv)

-         } else if (strcmp(*argv, "-port") == 0) {

-             if (--argc < 1)

-                 goto bad;

--            port = atoi(*(++argv));

--            if (port == 0)

--                goto bad;

-+            port_str = *(++argv);

-         } else if (strcmp(*argv, "-connect") == 0) {

-             if (--argc < 1)

-                 goto bad;

--            if (!extract_host_port(*(++argv), &host, NULL, &port))

-+            if (!extract_host_port(*(++argv), &host, &port_str))

-                 goto bad;

-         } else if (strcmp(*argv, "-verify") == 0) {

-             verify = SSL_VERIFY_PEER;

-@@ -1449,7 +1447,7 @@ int MAIN(int argc, char **argv)

- 

-  re_start:

- 

--    if (init_client(&s, host, port, socket_type) == 0) {

-+    if (init_client(&s, host, port_str, socket_type) == 0) {

-         BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());

-         SHUTDOWN(s);

-         goto end;

-Only in openssl-1.0.2o-new/apps: s_client.c.orig

-diff -rup openssl-1.0.2o/apps/s_server.c openssl-1.0.2o-new/apps/s_server.c

-+++ openssl-1.0.2o-new/apps/s_server.c	2018-04-03 14:04:09.704887325 -0700

-@@ -1082,7 +1082,7 @@ int MAIN(int argc, char *argv[])

- {

-     X509_VERIFY_PARAM *vpm = NULL;

-     int badarg = 0;

--    short port = PORT;

-+    char *port_str = PORT_STR;

-     char *CApath = NULL, *CAfile = NULL;

-     char *chCApath = NULL, *chCAfile = NULL;

-     char *vfyCApath = NULL, *vfyCAfile = NULL;

-@@ -1170,7 +1170,8 @@ int MAIN(int argc, char *argv[])

-         if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {

-             if (--argc < 1)

-                 goto bad;

--            if (!extract_port(*(++argv), &port))

-+            port_str = *(++argv);

-+            if (port_str == NULL || *port_str == '\0')

-                 goto bad;

-         } else if (strcmp(*argv, "-naccept") == 0) {

-             if (--argc < 1)

-@@ -2058,13 +2059,13 @@ int MAIN(int argc, char *argv[])

-     BIO_printf(bio_s_out, "ACCEPT\n");

-     (void)BIO_flush(bio_s_out);

-     if (rev)

--        do_server(port, socket_type, &accept_socket, rev_body, context,

-+        do_server(port_str, socket_type, &accept_socket, rev_body, context,

-                   naccept);

-     else if (www)

--        do_server(port, socket_type, &accept_socket, www_body, context,

-+        do_server(port_str, socket_type, &accept_socket, www_body, context,

-                   naccept);

-     else

--        do_server(port, socket_type, &accept_socket, sv_body, context,

-+        do_server(port_str, socket_type, &accept_socket, sv_body, context,

-                   naccept);

-     print_stats(bio_s_out, ctx);

-     ret = 0;

-Only in openssl-1.0.2o-new/apps: s_server.c.orig

-diff -rup openssl-1.0.2o/apps/s_socket.c openssl-1.0.2o-new/apps/s_socket.c

-+++ openssl-1.0.2o-new/apps/s_socket.c	2018-04-03 14:31:17.626470644 -0700

-@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha

- static void ssl_sock_cleanup(void);

- # endif

- static int ssl_sock_init(void);

--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);

--static int init_server(int *sock, int port, int type);

--static int init_server_long(int *sock, int port, char *ip, int type);

-+static int init_server(int *sock, char *port, int type);

- static int do_accept(int acc_sock, int *sock, char **host);

- static int host_ip(char *str, unsigned char ip[4]);

- 

-@@ -231,65 +229,67 @@ static int ssl_sock_init(void)

-     return (1);

- }

- 

--int init_client(int *sock, char *host, int port, int type)

-+int init_client(int *sock, char *host, char *port, int type)

- {

--    unsigned char ip[4];

--

--    memset(ip, '\0', sizeof(ip));

--    if (!host_ip(host, &(ip[0])))

--        return 0;

--    return init_client_ip(sock, ip, port, type);

--}

--

--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)

--{

--    unsigned long addr;

--    struct sockaddr_in them;

--    int s, i;

-+    struct addrinfo *res, *res0, hints;

-+    char *failed_call = NULL;

-+    int s;

-+    int e;

- 

-     if (!ssl_sock_init())

-         return (0);

- 

--    memset((char *)&them, 0, sizeof(them));

--    them.sin_family = AF_INET;

--    them.sin_port = htons((unsigned short)port);

--    addr = (unsigned long)

--        ((unsigned long)ip[0] << 24L) |

--        ((unsigned long)ip[1] << 16L) |

--        ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);

--    them.sin_addr.s_addr = htonl(addr);

--

--    if (type == SOCK_STREAM)

--        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);

--    else                        /* ( type == SOCK_DGRAM) */

--        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

--

--    if (s == INVALID_SOCKET) {

--        perror("socket");

-+    memset(&hints, '\0', sizeof(hints));

-+    hints.ai_socktype = type;

-+    hints.ai_flags = AI_ADDRCONFIG;

-+

-+    e = getaddrinfo(host, port, &hints, &res);

-+    if (e) {

-+        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));

-+        if (e == EAI_SYSTEM)

-+            perror("getaddrinfo");

-         return (0);

-     }

-+

-+    res0 = res;

-+    while (res) {

-+        s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);

-+        if (s == INVALID_SOCKET) {

-+            failed_call = "socket";

-+            goto nextres;

-+        }

-+

- # if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)

--    if (type == SOCK_STREAM) {

--        i = 0;

--        i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));

--        if (i < 0) {

--            closesocket(s);

--            perror("keepalive");

--            return (0);

-+        if (type == SOCK_STREAM) {

-+            int i = 0;

-+            i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,

-+                           (char *)&i, sizeof(i));

-+            if (i < 0) {

-+                failed_call = "keepalive";

-+                goto nextres;

-+            }

-         }

--    }

- # endif

--

--    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {

--        closesocket(s);

--        perror("connect");

--        return (0);

-+        if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {

-+            freeaddrinfo(res0);

-+            *sock = s;

-+            return (1);

-+        }

-+

-+        failed_call = "socket";

-+ nextres:

-+        if (s != INVALID_SOCKET)

-+            close(s);

-+        res = res->ai_next;

-     }

--    *sock = s;

--    return (1);

-+    freeaddrinfo(res0);

-+    closesocket(s);

-+

-+    perror(failed_call);

-+    return (0);

- }

- 

--int do_server(int port, int type, int *ret,

-+int do_server(char *port, int type, int *ret,

-               int (*cb) (char *hostname, int s, int stype,

-                          unsigned char *context), unsigned char *context,

-               int naccept)

-@@ -328,69 +328,88 @@ int do_server(int port, int type, int *r

-     }

- }

- 

--static int init_server_long(int *sock, int port, char *ip, int type)

-+static int init_server(int *sock, char *port, int type)

- {

--    int ret = 0;

--    struct sockaddr_in server;

--    int s = -1;

-+    struct addrinfo *res, *res0 = NULL, hints;

-+    char *failed_call = NULL;

-+    int s = INVALID_SOCKET;

-+    int e;

- 

-     if (!ssl_sock_init())

-         return (0);

- 

--    memset((char *)&server, 0, sizeof(server));

--    server.sin_family = AF_INET;

--    server.sin_port = htons((unsigned short)port);

--    if (ip == NULL)

--        server.sin_addr.s_addr = INADDR_ANY;

--    else

--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */

--# ifndef BIT_FIELD_LIMITS

--        memcpy(&server.sin_addr.s_addr, ip, 4);

--# else

--        memcpy(&server.sin_addr, ip, 4);

--# endif

--

--    if (type == SOCK_STREAM)

--        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);

--    else                        /* type == SOCK_DGRAM */

--        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

-+    memset(&hints, '\0', sizeof(hints));

-+    hints.ai_family = AF_INET6;

-+ tryipv4:

-+    hints.ai_socktype = type;

-+    hints.ai_flags = AI_PASSIVE;

-+

-+    e = getaddrinfo(NULL, port, &hints, &res);

-+    if (e) {

-+        if (hints.ai_family == AF_INET) {

-+            fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));

-+            if (e == EAI_SYSTEM)

-+                perror("getaddrinfo");

-+            return (0);

-+        } else

-+            res = NULL;

-+    }

- 

--    if (s == INVALID_SOCKET)

--        goto err;

-+    res0 = res;

-+    while (res) {

-+        s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);

-+        if (s == INVALID_SOCKET) {

-+            failed_call = "socket";

-+            goto nextres;

-+        }

-+        if (hints.ai_family == AF_INET6) {

-+            int j = 0;

-+            setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&j, sizeof j);

-+        }

- # if defined SOL_SOCKET && defined SO_REUSEADDR

--    {

--        int j = 1;

--        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof(j));

--    }

--# endif

--    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {

--# ifndef OPENSSL_SYS_WINDOWS

--        perror("bind");

-+        {

-+            int j = 1;

-+            setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);

-+        }

- # endif

--        goto err;

--    }

--    /* Make it 128 for linux */

--    if (type == SOCK_STREAM && listen(s, 128) == -1)

--        goto err;

--    *sock = s;

--    ret = 1;

-- err:

--    if ((ret == 0) && (s != -1)) {

--        SHUTDOWN(s);

-+

-+        if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) {

-+            failed_call = "bind";

-+            goto nextres;

-+        }

-+        if (type == SOCK_STREAM && listen(s, 128) == -1) {

-+            failed_call = "listen";

-+            goto nextres;

-+        }

-+

-+        *sock = s;

-+        return (1);

-+

-+ nextres:

-+        if (s != INVALID_SOCKET)

-+            close(s);

-+        res = res->ai_next;

-     }

--    return (ret);

--}

-+    if (res0)

-+        freeaddrinfo(res0);

- 

--static int init_server(int *sock, int port, int type)

--{

--    return (init_server_long(sock, port, NULL, type));

-+    if (s == INVALID_SOCKET) {

-+        if (hints.ai_family == AF_INET6) {

-+            hints.ai_family = AF_INET;

-+            goto tryipv4;

-+        }

-+        perror("socket");

-+        return (0);

-+    }

-+    perror(failed_call);

-+    return (0);

- }

- 

- static int do_accept(int acc_sock, int *sock, char **host)

- {

-+    static struct sockaddr_storage from;

-+    char buffer[NI_MAXHOST];

-     int ret;

--    struct hostent *h1, *h2;

--    static struct sockaddr_in from;

-     int len;

- /*      struct linger ling; */

- 

-@@ -432,134 +451,60 @@ static int do_accept(int acc_sock, int *

-     ling.l_onoff=1;

-     ling.l_linger=0;

-     i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));

--    if (i < 0) { perror("linger"); return(0); }

-+    if (i < 0) { closesocket(ret); perror("linger"); return(0); }

-     i=0;

-     i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));

--    if (i < 0) { perror("keepalive"); return(0); }

-+    if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }

- */

- 

-     if (host == NULL)

-         goto end;

--# ifndef BIT_FIELD_LIMITS

--    /* I should use WSAAsyncGetHostByName() under windows */

--    h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,

--                       sizeof(from.sin_addr.s_addr), AF_INET);

--# else

--    h1 = gethostbyaddr((char *)&from.sin_addr,

--                       sizeof(struct in_addr), AF_INET);

--# endif

--    if (h1 == NULL) {

--        BIO_printf(bio_err, "bad gethostbyaddr\n");

-+

-+    if (getnameinfo((struct sockaddr *)&from, sizeof(from),

-+                    buffer, sizeof(buffer), NULL, 0, 0)) {

-+        BIO_printf(bio_err, "getnameinfo failed\n");

-         *host = NULL;

-         /* return(0); */

-     } else {

--        if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {

-+        if ((*host = (char *)OPENSSL_malloc(strlen(buffer) + 1)) == NULL) {

-             perror("OPENSSL_malloc");

-             closesocket(ret);

-             return (0);

-         }

--        BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);

--

--        h2 = GetHostByName(*host);

--        if (h2 == NULL) {

--            BIO_printf(bio_err, "gethostbyname failure\n");

--            closesocket(ret);

--            return (0);

--        }

--        if (h2->h_addrtype != AF_INET) {

--            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");

--            closesocket(ret);

--            return (0);

--        }

-+        strcpy(*host, buffer);

-     }

-  end:

-     *sock = ret;

-     return (1);

- }

- 

--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,

--                      short *port_ptr)

-+int extract_host_port(char *str, char **host_ptr, char **port_ptr)

- {

--    char *h, *p;

-+    char *h, *p, *x;

- 

--    h = str;

--    p = strchr(str, ':');

-+    x = h = str;

-+    if (*h == '[') {

-+        h++;

-+        p = strchr(h, ']');

-+        if (p == NULL) {

-+            BIO_printf(bio_err, "no ending bracket for IPv6 address\n");

-+            return (0);

-+        }

-+        *(p++) = '\0';

-+        x = p;

-+    }

-+    p = strchr(x, ':');

-     if (p == NULL) {

-         BIO_printf(bio_err, "no port defined\n");

-         return (0);

-     }

-     *(p++) = '\0';

- 

--    if ((ip != NULL) && !host_ip(str, ip))

--        goto err;

-     if (host_ptr != NULL)

-         *host_ptr = h;

-+    if (port_ptr != NULL)

-+        *port_ptr = p;

- 

--    if (!extract_port(p, port_ptr))

--        goto err;

--    return (1);

-- err:

--    return (0);

--}

--

--static int host_ip(char *str, unsigned char ip[4])

--{

--    unsigned int in[4];

--    int i;

--

--    if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==

--        4) {

--        for (i = 0; i < 4; i++)

--            if (in[i] > 255) {

--                BIO_printf(bio_err, "invalid IP address\n");

--                goto err;

--            }

--        ip[0] = in[0];

--        ip[1] = in[1];

--        ip[2] = in[2];

--        ip[3] = in[3];

--    } else {                    /* do a gethostbyname */

--        struct hostent *he;

--

--        if (!ssl_sock_init())

--            return (0);

--

--        he = GetHostByName(str);

--        if (he == NULL) {

--            BIO_printf(bio_err, "gethostbyname failure\n");

--            goto err;

--        }

--        /* cast to short because of win16 winsock definition */

--        if ((short)he->h_addrtype != AF_INET) {

--            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");

--            return (0);

--        }

--        ip[0] = he->h_addr_list[0][0];

--        ip[1] = he->h_addr_list[0][1];

--        ip[2] = he->h_addr_list[0][2];

--        ip[3] = he->h_addr_list[0][3];

--    }

--    return (1);

-- err:

--    return (0);

--}

--

--int extract_port(char *str, short *port_ptr)

--{

--    int i;

--    struct servent *s;

--

--    i = atoi(str);

--    if (i != 0)

--        *port_ptr = (unsigned short)i;

--    else {

--        s = getservbyname(str, "tcp");

--        if (s == NULL) {

--            BIO_printf(bio_err, "getservbyname failure for %s\n", str);

--            return (0);

--        }

--        *port_ptr = ntohs((unsigned short)s->s_port);

--    }

-     return (1);

- }

- 

@@ -1,6 +1,6 @@

-diff -rup openssl-1.0.2o/crypto/o_init.c openssl-1.0.2o-new/crypto/o_init.c

-+++ openssl-1.0.2o-new/crypto/o_init.c	2018-04-03 13:58:19.869682415 -0700

+diff -ur openssl-1.0.2p/crypto/o_init.c openssl-1.0.2p-new/crypto/o_init.c

+--- openssl-1.0.2p/crypto/o_init.c	2018-08-14 05:48:58.000000000 -0700

 @@ -57,6 +57,7 @@

  #include <openssl/err.h>

  #ifdef OPENSSL_FIPS

@@ -9,7 +9,7 @@ diff -rup openssl-1.0.2o/crypto/o_init.c openssl-1.0.2o-new/crypto/o_init.c

  # include <openssl/rand.h>

  # ifndef OPENSSL_NO_DEPRECATED

-@@ -66,6 +67,52 @@ void FIPS_crypto_set_id_callback(unsigne

+@@ -66,6 +67,51 @@

  #endif

  /*

@@ -57,12 +57,11 @@ diff -rup openssl-1.0.2o/crypto/o_init.c openssl-1.0.2o-new/crypto/o_init.c

 +}

 +#endif

 +

-+

 +/*

   * Perform any essential OpenSSL initialization operations. Currently only

   * sets FIPS callbacks

   */

-@@ -84,6 +131,17 @@ void OPENSSL_init(void)

+@@ -84,6 +130,17 @@

      FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);

      FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);

      RAND_init_fips();

new file mode 100644

@@ -0,0 +1,468 @@

+diff -ur openssl-1.0.2p/apps/s_apps.h openssl-1.0.2p-new/apps/s_apps.h

+--- openssl-1.0.2p/apps/s_apps.h	2018-08-14 05:49:04.000000000 -0700

+@@ -151,7 +151,7 @@

+ #define PORT_STR        "4433"

+ #define PROTOCOL        "tcp"

+ 

+-int do_server(int port, int type, int *ret,

++int do_server(char *port, int type, int *ret,

+               int (*cb) (int s, int stype, unsigned char *context),

+               unsigned char *context, int naccept);

+ #ifdef HEADER_X509_H

+@@ -166,11 +166,10 @@

+ int ssl_print_curves(BIO *out, SSL *s, int noshared);

+ #endif

+ int ssl_print_tmp_key(BIO *out, SSL *s);

+-int init_client(int *sock, char *server, int port, int type);

++int init_client(int *sock, char *server, char *port, int type);

+ int should_retry(int i);

+ int extract_port(char *str, short *port_ptr);

+-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,

+-                      short *p);

++int extract_host_port(char *str, char **host_ptr, char **port_ptr);

+ 

+ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,

+                                    int argi, long argl, long ret);

+diff -ur openssl-1.0.2p/apps/s_client.c openssl-1.0.2p-new/apps/s_client.c

+--- openssl-1.0.2p/apps/s_client.c	2018-08-14 05:49:04.000000000 -0700

+@@ -668,7 +668,7 @@

+     int cbuf_len, cbuf_off;

+     int sbuf_len, sbuf_off;

+     fd_set readfds, writefds;

+-    short port = PORT;

++    char *port_str = PORT_STR;

+     int full_log = 1;

+     char *host = SSL_HOST_NAME;

+     char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;

+@@ -792,13 +792,11 @@

+         } else if (strcmp(*argv, "-port") == 0) {

+             if (--argc < 1)

+                 goto bad;

+-            port = atoi(*(++argv));

+-            if (port == 0)

+-                goto bad;

++            port_str = *(++argv);

+         } else if (strcmp(*argv, "-connect") == 0) {

+             if (--argc < 1)

+                 goto bad;

+-            if (!extract_host_port(*(++argv), &host, NULL, &port))

++            if (!extract_host_port(*(++argv), &host, &port_str))

+                 goto bad;

+         } else if (strcmp(*argv, "-verify") == 0) {

+             verify = SSL_VERIFY_PEER;

+@@ -1449,7 +1447,7 @@

+ 

+  re_start:

+ 

+-    if (init_client(&s, host, port, socket_type) == 0) {

++    if (init_client(&s, host, port_str, socket_type) == 0) {

+         BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());

+         SHUTDOWN(s);

+         goto end;

+diff -ur openssl-1.0.2p/apps/s_server.c openssl-1.0.2p-new/apps/s_server.c

+--- openssl-1.0.2p/apps/s_server.c	2018-08-14 05:49:04.000000000 -0700

+@@ -1082,7 +1082,7 @@

+ {

+     X509_VERIFY_PARAM *vpm = NULL;

+     int badarg = 0;

+-    short port = PORT;

++    char *port_str = PORT_STR;

+     char *CApath = NULL, *CAfile = NULL;

+     char *chCApath = NULL, *chCAfile = NULL;

+     char *vfyCApath = NULL, *vfyCAfile = NULL;

+@@ -1173,7 +1173,8 @@

+         if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {

+             if (--argc < 1)

+                 goto bad;

+-            if (!extract_port(*(++argv), &port))

++            port_str = *(++argv);

++            if (port_str == NULL || *port_str == '\0')

+                 goto bad;

+         } else if (strcmp(*argv, "-naccept") == 0) {

+             if (--argc < 1)

+@@ -2069,13 +2070,13 @@

+     BIO_printf(bio_s_out, "ACCEPT\n");

+     (void)BIO_flush(bio_s_out);

+     if (rev)

+-        do_server(port, socket_type, &accept_socket, rev_body, context,

++        do_server(port_str, socket_type, &accept_socket, rev_body, context,

+                   naccept);

+     else if (www)

+-        do_server(port, socket_type, &accept_socket, www_body, context,

++        do_server(port_str, socket_type, &accept_socket, www_body, context,

+                   naccept);

+     else

+-        do_server(port, socket_type, &accept_socket, sv_body, context,

++        do_server(port_str, socket_type, &accept_socket, sv_body, context,

+                   naccept);

+     print_stats(bio_s_out, ctx);

+     ret = 0;

+diff -ur openssl-1.0.2p/apps/s_socket.c openssl-1.0.2p-new/apps/s_socket.c

+--- openssl-1.0.2p/apps/s_socket.c	2018-08-14 05:49:04.000000000 -0700

+@@ -106,9 +106,7 @@

+ static void ssl_sock_cleanup(void);

+ # endif

+ static int ssl_sock_init(void);

+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);

+-static int init_server(int *sock, int port, int type);

+-static int init_server_long(int *sock, int port, char *ip, int type);

++static int init_server(int *sock, char *port, int type);

+ static int do_accept(int acc_sock, int *sock);

+ static int host_ip(char *str, unsigned char ip[4]);

+ 

+@@ -231,65 +229,66 @@

+     return (1);

+ }

+ 

+-int init_client(int *sock, char *host, int port, int type)

++int init_client(int *sock, char *host, char *port, int type)

+ {

+-    unsigned char ip[4];

+-

+-    memset(ip, '\0', sizeof(ip));

+-    if (!host_ip(host, &(ip[0])))

+-        return 0;

+-    return init_client_ip(sock, ip, port, type);

+-}

+-

+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)

+-{

+-    unsigned long addr;

+-    struct sockaddr_in them;

+-    int s, i;

++    struct addrinfo *res, *res0, hints;

++    char *failed_call = NULL;

++    int s;

++    int e;

+ 

+     if (!ssl_sock_init())

+         return (0);

+ 

+-    memset((char *)&them, 0, sizeof(them));

+-    them.sin_family = AF_INET;

+-    them.sin_port = htons((unsigned short)port);

+-    addr = (unsigned long)

+-        ((unsigned long)ip[0] << 24L) |

+-        ((unsigned long)ip[1] << 16L) |

+-        ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);

+-    them.sin_addr.s_addr = htonl(addr);

+-

+-    if (type == SOCK_STREAM)

+-        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);

+-    else                        /* ( type == SOCK_DGRAM) */

+-        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

+-

+-    if (s == INVALID_SOCKET) {

+-        perror("socket");

++    memset(&hints, '\0', sizeof(hints));

++    hints.ai_socktype = type;

++    hints.ai_flags = AI_ADDRCONFIG;

++

++    e = getaddrinfo(host, port, &hints, &res);

++    if (e) {

++        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));

++        if (e == EAI_SYSTEM)

++            perror("getaddrinfo");

+         return (0);

+     }

++

++    res0 = res;

++    while (res) {

++        s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);

++        if (s == INVALID_SOCKET) {

++            failed_call = "socket";

++            goto nextres;

++        }

+ # if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)

+-    if (type == SOCK_STREAM) {

+-        i = 0;

+-        i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));

+-        if (i < 0) {

+-            closesocket(s);

+-            perror("keepalive");

+-            return (0);

++        if (type == SOCK_STREAM) {

++            int i = 0;

++            i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,

++                           (char *)&i, sizeof(i));

++            if (i < 0) {

++                failed_call = "keepalive";

++                goto nextres;

++            }

+         }

+-    }

+ # endif

++        if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {

++            freeaddrinfo(res0);

++            *sock = s;

++            return (1);

++        }

+ 

+-    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {

+-        closesocket(s);

+-        perror("connect");

+-        return (0);

++        failed_call = "socket";

++ nextres:

++        if (s != INVALID_SOCKET)

++            close(s);

++        res = res->ai_next;

+     }

+-    *sock = s;

+-    return (1);

++    freeaddrinfo(res0);

++    closesocket(s);

++

++    perror(failed_call);

++    return (0);

+ }

+ 

+-int do_server(int port, int type, int *ret,

++int do_server(char *port, int type, int *ret,

+               int (*cb) (int s, int stype, unsigned char *context),

+               unsigned char *context, int naccept)

+ {

+@@ -324,66 +323,88 @@

+     }

+ }

+ 

+-static int init_server_long(int *sock, int port, char *ip, int type)

++static int init_server(int *sock, char *port, int type)

+ {

+-    int ret = 0;

+-    struct sockaddr_in server;

+-    int s = -1;

++    struct addrinfo *res, *res0 = NULL, hints;

++    char *failed_call = NULL;

++    int s = INVALID_SOCKET;

++    int e;

+ 

+     if (!ssl_sock_init())

+         return (0);

+ 

+-    memset((char *)&server, 0, sizeof(server));

+-    server.sin_family = AF_INET;

+-    server.sin_port = htons((unsigned short)port);

+-    if (ip == NULL)

+-        server.sin_addr.s_addr = INADDR_ANY;

+-    else

+-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */

+-# ifndef BIT_FIELD_LIMITS