From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: update to the 1.1.1a release
Date: Tue, 09 Jun 2026 12:44:22 GMT	[thread overview]
Message-ID: <178100906276.1.16747634496708071291.rpms-openssl-301c642c7f61@fedoraproject.org> (raw)

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 301c642c7f619370e1ff199216736e172e86f8c9
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2019-01-15T15:07:49+01:00
Stats  : +217/-305 in 12 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/301c642c7f619370e1ff199216736e172e86f8c9?branch=rebase_40beta

Log:
update to the 1.1.1a release

---
diff --git a/.gitignore b/.gitignore
index 8683d76..794e00b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1-pre8-hobbled.tar.xz
 /openssl-1.1.1-pre9-hobbled.tar.xz
 /openssl-1.1.1-hobbled.tar.xz
+/openssl-1.1.1a-hobbled.tar.xz

diff --git a/openssl-1.1.0-defaults.patch b/openssl-1.1.0-defaults.patch
deleted file mode 100644
index 347749a..0000000
--- a/openssl-1.1.0-defaults.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
---- openssl-1.1.0-pre5/apps/openssl.cnf.defaults	2016-04-19 16:57:52.000000000 +0200
-+++ openssl-1.1.0-pre5/apps/openssl.cnf	2016-07-18 14:22:08.252691017 +0200
-@@ -10,7 +10,7 @@
- # This definition stops the following lines choking if HOME isn't
- # defined.
- HOME			= .
--RANDFILE		= $ENV::HOME/.rnd
-+#RANDFILE		= $ENV::HOME/.rnd
- 
- # Extra OBJECT IDENTIFIER info:
- #oid_file		= $ENV::HOME/.oid
-@@ -72,7 +72,7 @@ cert_opt 	= ca_default		# Certificate fi
- 
- default_days	= 365			# how long to certify for
- default_crl_days= 30			# how long before next CRL
--default_md	= default		# use public key default MD
-+default_md	= sha256		# use SHA-256 by default
- preserve	= no			# keep passed DN ordering
- 
- # A few difference way of specifying how similar the request should look
-@@ -104,6 +104,7 @@ emailAddress		= optional
- ####################################################################
- [ req ]
- default_bits		= 2048
-+default_md		= sha256
- default_keyfile 	= privkey.pem
- distinguished_name	= req_distinguished_name
- attributes		= req_attributes
-@@ -126,17 +127,18 @@ string_mask = utf8only
- 
- [ req_distinguished_name ]
- countryName			= Country Name (2 letter code)
--countryName_default		= AU
-+countryName_default		= XX
- countryName_min			= 2
- countryName_max			= 2
- 
- stateOrProvinceName		= State or Province Name (full name)
--stateOrProvinceName_default	= Some-State
-+#stateOrProvinceName_default	= Default Province
- 
- localityName			= Locality Name (eg, city)
-+localityName_default		= Default City
- 
- 0.organizationName		= Organization Name (eg, company)
--0.organizationName_default	= Internet Widgits Pty Ltd
-+0.organizationName_default	= Default Company Ltd
- 
- # we can do this but it is not needed normally :-)
- #1.organizationName		= Second Organization Name (eg, company)
-@@ -145,7 +147,7 @@ localityName			= Locality Name (eg, city
- organizationalUnitName		= Organizational Unit Name (eg, section)
- #organizationalUnitName_default	=
- 
--commonName			= Common Name (e.g. server FQDN or YOUR name)
-+commonName			= Common Name (eg, your name or your server\'s hostname)
- commonName_max			= 64
- 
- emailAddress			= Email Address

diff --git a/openssl-1.1.1-coverity.patch b/openssl-1.1.1-coverity.patch
deleted file mode 100644
index ae78b9d..0000000
--- a/openssl-1.1.1-coverity.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.1.1/apps/speed.c.coverity openssl-1.1.1/apps/speed.c
---- openssl-1.1.1/apps/speed.c.coverity	2018-10-09 16:32:44.912051009 +0200
-+++ openssl-1.1.1/apps/speed.c	2018-10-09 16:29:55.518851544 +0200
-@@ -2852,7 +2852,7 @@ int speed_main(int argc, char **argv)
- 
-             if (rsa_count <= 1) {
-                 /* if longer than 10s, don't do any more */
--                for (testnum++; testnum < EC_NUM; testnum++)
-+                for (testnum++; testnum < ECDSA_NUM; testnum++)
-                     ecdsa_doit[testnum] = 0;
-             }
-         }

diff --git a/openssl-1.1.1-defaults.patch b/openssl-1.1.1-defaults.patch
new file mode 100644
index 0000000..291ed88
--- /dev/null
+++ b/openssl-1.1.1-defaults.patch
@@ -0,0 +1,51 @@
+diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf
+--- openssl-1.1.1a/apps/openssl.cnf.defaults	2018-11-20 14:35:37.000000000 +0100
++++ openssl-1.1.1a/apps/openssl.cnf	2019-01-15 13:56:50.841719776 +0100
+@@ -74,7 +74,7 @@ cert_opt 	= ca_default		# Certificate fi
+ 
+ default_days	= 365			# how long to certify for
+ default_crl_days= 30			# how long before next CRL
+-default_md	= default		# use public key default MD
++default_md	= sha256		# use SHA-256 by default
+ preserve	= no			# keep passed DN ordering
+ 
+ # A few difference way of specifying how similar the request should look
+@@ -106,6 +106,7 @@ emailAddress		= optional
+ ####################################################################
+ [ req ]
+ default_bits		= 2048
++default_md		= sha256
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+@@ -128,17 +129,18 @@ string_mask = utf8only
+ 
+ [ req_distinguished_name ]
+ countryName			= Country Name (2 letter code)
+-countryName_default		= AU
++countryName_default		= XX
+ countryName_min			= 2
+ countryName_max			= 2
+ 
+ stateOrProvinceName		= State or Province Name (full name)
+-stateOrProvinceName_default	= Some-State
++#stateOrProvinceName_default	= Default Province
+ 
+ localityName			= Locality Name (eg, city)
++localityName_default		= Default City
+ 
+ 0.organizationName		= Organization Name (eg, company)
+-0.organizationName_default	= Internet Widgits Pty Ltd
++0.organizationName_default	= Default Company Ltd
+ 
+ # we can do this but it is not needed normally :-)
+ #1.organizationName		= Second Organization Name (eg, company)
+@@ -147,7 +149,7 @@ localityName			= Locality Name (eg, city
+ organizationalUnitName		= Organizational Unit Name (eg, section)
+ #organizationalUnitName_default	=
+ 
+-commonName			= Common Name (e.g. server FQDN or YOUR name)
++commonName			= Common Name (eg, your name or your server\'s hostname)
+ commonName_max			= 64
+ 
+ emailAddress			= Email Address
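Review bot: The RANDFILE hunk that the old openssl-1.1.0-defaults.patch carried (turning `RANDFILE = $ENV::HOME/.rnd` into `#RANDFILE = $ENV::HOME/.rnd`) is not carried into this replacement patch, whose first hunk now starts at the `default_md` line. That is only harmless if 1.1.1a's apps/openssl.cnf no longer sets RANDFILE itself; if the line is still there, every invocation of the apps goes back to reading and rewriting ~/.rnd, which is exactly what the dropped hunk prevented, so confirm against the upstream file or re-add the hunk. The patch file has no header, and since the spec only names it as `Patch2`, a one-line description at the top such as `Fedora defaults for openssl.cnf: SHA-256 signatures and neutral DN defaults instead of the upstream sample values` would make the intent reviewable on its own.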

diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch
index 3852859..6e714bc 100644
--- a/openssl-1.1.1-fips-post-rand.patch
+++ b/openssl-1.1.1-fips-post-rand.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1/crypto/fips/fips.c.fips-post-rand openssl-1.1.1/crypto/fips/fips.c
---- openssl-1.1.1/crypto/fips/fips.c.fips-post-rand	2018-10-12 17:40:50.631506976 +0200
-+++ openssl-1.1.1/crypto/fips/fips.c	2018-11-08 17:49:08.091064655 +0100
+diff -up openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand openssl-1.1.1a/crypto/fips/fips.c
+--- openssl-1.1.1a/crypto/fips/fips.c.fips-post-rand	2019-01-15 14:14:07.813360637 +0100
++++ openssl-1.1.1a/crypto/fips/fips.c	2019-01-15 14:14:07.838360173 +0100
 @@ -68,6 +68,7 @@
  
  # include <openssl/fips.h>
@@ -51,9 +51,9 @@ diff -up openssl-1.1.1/crypto/fips/fips.c.fips-post-rand openssl-1.1.1/crypto/fi
          ret = 1;
          goto end;
      }
-diff -up openssl-1.1.1/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1/crypto/include/internal/fips_int.h
---- openssl-1.1.1/crypto/include/internal/fips_int.h.fips-post-rand	2018-11-08 17:32:50.806526458 +0100
-+++ openssl-1.1.1/crypto/include/internal/fips_int.h	2018-11-08 17:32:20.533828167 +0100
+diff -up openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1a/crypto/include/internal/fips_int.h
+--- openssl-1.1.1a/crypto/include/internal/fips_int.h.fips-post-rand	2019-01-15 14:14:07.821360489 +0100
++++ openssl-1.1.1a/crypto/include/internal/fips_int.h	2019-01-15 14:14:07.838360173 +0100
 @@ -76,6 +76,8 @@ int FIPS_selftest_hmac(void);
  int FIPS_selftest_drbg(void);
  int FIPS_selftest_cmac(void);
@@ -63,9 +63,9 @@ diff -up openssl-1.1.1/crypto/include/internal/fips_int.h.fips-post-rand openssl
  int fips_pkey_signature_test(EVP_PKEY *pkey,
                                   const unsigned char *tbs, int tbslen,
                                   const unsigned char *kat,
-diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/crypto/rand/rand_unix.c
---- openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand	2018-09-11 14:48:21.000000000 +0200
-+++ openssl-1.1.1/crypto/rand/rand_unix.c	2018-11-09 14:03:48.504301170 +0100
+diff -up openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1a/crypto/rand/rand_unix.c
+--- openssl-1.1.1a/crypto/rand/rand_unix.c.fips-post-rand	2018-11-20 14:35:38.000000000 +0100
++++ openssl-1.1.1a/crypto/rand/rand_unix.c	2019-01-15 14:17:22.416748544 +0100
 @@ -16,10 +16,12 @@
  #include <openssl/rand.h>
  #include "rand_lcl.h"
@@ -79,16 +79,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp
  #endif
  #if defined(__FreeBSD__)
  # include <sys/types.h>
-@@ -86,7 +88,7 @@ static uint64_t get_timer_bits(void);
-     || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \
-     || defined(OPENSSL_SYS_UEFI))
- 
--static ssize_t syscall_random(void *buf, size_t buflen);
-+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock);
- 
- # if defined(OPENSSL_SYS_VOS)
- 
-@@ -248,7 +250,7 @@ static ssize_t sysctl_random(char *buf,
+@@ -258,7 +260,7 @@ static ssize_t sysctl_random(char *buf,
   * syscall_random(): Try to get random data using a system call
   * returns the number of bytes returned in buf, or < 0 on error.
   */
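Review bot: The hunk that changed the forward declaration to `static ssize_t syscall_random(void *buf, size_t buflen, int nonblock);` is dropped, while the remaining hunks of this patch still add the `nonblock` parameter to the definition and its call sites. That is only correct if 1.1.1a's rand_unix.c no longer forward-declares syscall_random at all; if the two-argument prototype is still present, the rebased build fails on conflicting types, so a grep of the patched tree is worth doing before this lands. The patch file itself also has no header; a two-line note at the top stating that it presumably lets the RNG seed without blocking during the FIPS power-on self-test (per the 1.1.1-7 changelog entry) would make the rebase reviewable without reading the spec history. The enclosing function and the remaining hunks continue outside this one.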
@@ -97,7 +88,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp
  {
      /*
       * Note: 'buflen' equals the size of the buffer which is used by the
-@@ -270,6 +272,7 @@ static ssize_t syscall_random(void *buf,
+@@ -280,6 +282,7 @@ static ssize_t syscall_random(void *buf,
       * - Linux since 3.17 with glibc 2.25
       * - FreeBSD since 12.0 (1200061)
       */
@@ -105,7 +96,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp
  #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
      extern int getentropy(void *buffer, size_t length) __attribute__((weak));
  
-@@ -291,10 +294,10 @@ static ssize_t syscall_random(void *buf,
+@@ -301,10 +304,10 @@ static ssize_t syscall_random(void *buf,
      if (p_getentropy.p != NULL)
          return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
  #  endif
@@ -118,19 +109,19 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp
  #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
      return sysctl_random(buf, buflen);
  #  else
-@@ -456,8 +459,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -454,8 +457,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
      size_t bytes_needed;
      size_t entropy_available = 0;
      unsigned char *buffer;
 -
- #   ifdef OPENSSL_RAND_SEED_GETRANDOM
+ #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
 +    int in_post;
 +
 +    for (in_post = fips_in_post(); in_post >= 0; --in_post) {
      {
          ssize_t bytes;
          /* Maximum allowed number of consecutive unsuccessful attempts */
-@@ -466,7 +471,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -464,7 +469,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
          bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
          while (bytes_needed != 0 && attempts-- > 0) {
              buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -139,7 +130,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp
              if (bytes > 0) {
                  rand_pool_add_end(pool, bytes, 8 * bytes);
                  bytes_needed -= bytes;
-@@ -498,8 +503,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -496,8 +501,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
              int attempts = 3;
              const int fd = get_random_device(i);
  
@@ -151,7 +142,7 @@ diff -up openssl-1.1.1/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1/cryp
  
              while (bytes_needed != 0 && attempts-- > 0) {
                  buffer = rand_pool_add_begin(pool, bytes_needed);
-@@ -559,7 +566,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -557,7 +564,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
          }
      }
  #   endif

diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index 069cfde..d24242b 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -316,9 +316,9 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_err.c.fips openssl-1.1.1/crypto/dsa/dsa_er
      {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
      "parameter encoding error"},
      {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
-diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_gen.c
---- openssl-1.1.1/crypto/dsa/dsa_gen.c.fips	2018-09-11 14:48:21.000000000 +0200
-+++ openssl-1.1.1/crypto/dsa/dsa_gen.c	2018-09-13 08:51:22.102521110 +0200
+diff -up openssl-1.1.1a/crypto/dsa/dsa_gen.c.fips openssl-1.1.1a/crypto/dsa/dsa_gen.c
+--- openssl-1.1.1a/crypto/dsa/dsa_gen.c.fips	2018-11-20 14:35:38.000000000 +0100
++++ openssl-1.1.1a/crypto/dsa/dsa_gen.c	2019-01-15 14:05:46.719672088 +0100
 @@ -22,12 +22,22 @@
  #include <openssl/rand.h>
  #include <openssl/sha.h>
@@ -367,9 +367,9 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge
      unsigned char *seed = NULL, *seed_tmp = NULL;
      unsigned char md[EVP_MAX_MD_SIZE];
      int mdsize;
-@@ -327,6 +343,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
-     if (mctx == NULL)
+@@ -333,6 +349,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
          goto err;
+     }
  
 +# ifdef OPENSSL_FIPS
 +    if (FIPS_selftest_failed()) {
@@ -388,7 +388,7 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge
      if (evpmd == NULL) {
          if (N == 160)
              evpmd = EVP_sha1();
-@@ -427,9 +457,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -433,9 +463,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
                  goto err;
              /* Provided seed didn't produce a prime: error */
              if (seed_in) {
@@ -402,7 +402,7 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge
              }
  
              /* do a callback call */
-@@ -515,11 +546,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -521,11 +552,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
              if (counter >= (int)(4 * L))
                  break;
          }
@@ -417,7 +417,7 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge
      }
   end:
      if (!BN_GENCB_call(cb, 2, 1))
-@@ -590,7 +624,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -596,7 +630,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
          BN_free(ret->g);
          ret->g = BN_dup(g);
          if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
@@ -426,7 +426,7 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge
              goto err;
          }
          if (counter_ret != NULL)
-@@ -608,3 +642,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -614,3 +648,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
      EVP_MD_CTX_free(mctx);
      return ok;
  }

diff --git a/openssl-1.1.1-no-brainpool.patch b/openssl-1.1.1-no-brainpool.patch
new file mode 100644
index 0000000..bbda9ef
--- /dev/null
+++ b/openssl-1.1.1-no-brainpool.patch
@@ -0,0 +1,124 @@
+diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in
+--- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool	2018-11-20 14:35:42.000000000 +0100
++++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in	2019-01-15 14:55:03.898065698 +0100
+@@ -141,22 +141,23 @@ our @tests = (
+     {
+         name => "ECDSA with brainpool",
+         server =>  {
+-            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+-            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+-            "Groups" => "brainpoolP256r1",
++#            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
++#            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
++#            "Groups" => "brainpoolP256r1",
++            "CipherString" => "aNULL",
+         },
+         client => {
+             #We don't restrict this to TLSv1.2, although use of brainpool
+             #should force this anyway so that this should succeed
+             "CipherString" => "aECDSA",
+             "RequestCAFile" => test_pem("root-cert.pem"),
+-            "Groups" => "brainpoolP256r1",
++#            "Groups" => "brainpoolP256r1",
+         },
+         test   => {
+-            "ExpectedServerCertType" =>, "brainpoolP256r1",
+-            "ExpectedServerSignType" =>, "EC",
++#            "ExpectedServerCertType" =>, "brainpoolP256r1",
++#            "ExpectedServerSignType" =>, "EC",
+             # Note: certificate_authorities not sent for TLS < 1.3
+-            "ExpectedServerCANames" =>, "empty",
++#            "ExpectedServerCANames" =>, "empty",
+             "ExpectedResult" => "Success"
+         },
+     },
+@@ -787,18 +788,19 @@ my @tests_tls_1_3 = (
+     {
+         name => "TLS 1.3 ECDSA with brainpool",
+         server =>  {
+-            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+-            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+-            "Groups" => "brainpoolP256r1",
++#            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
++#            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
++#            "Groups" => "brainpoolP256r1",
++             "CipherString" => "aNULL",
+         },
+         client => {
+             "RequestCAFile" => test_pem("root-cert.pem"),
+-            "Groups" => "brainpoolP256r1",
++#            "Groups" => "brainpoolP256r1",
+             "MinProtocol" => "TLSv1.3",
+             "MaxProtocol" => "TLSv1.3"
+         },
+         test   => {
+-            "ExpectedResult" => "ServerFail"
++            "ExpectedResult" => "Success"
+         },
+     },
+ );
+diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf
+--- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool	2018-11-20 14:35:42.000000000 +0100
++++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf	2019-01-15 14:58:24.420416659 +0100
+@@ -233,23 +233,23 @@ server = 5-ECDSA with brainpool-server
+ client = 5-ECDSA with brainpool-client
+ 
+ [5-ECDSA with brainpool-server]
+-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
+-CipherString = DEFAULT
+-Groups = brainpoolP256r1
+-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
++#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
++CipherString = aNULL
++#Groups = brainpoolP256r1
++#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+ 
+ [5-ECDSA with brainpool-client]
+ CipherString = aECDSA
+-Groups = brainpoolP256r1
++#Groups = brainpoolP256r1
+ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+ VerifyMode = Peer
+ 
+ [test-5]
+-ExpectedResult = Success
+-ExpectedServerCANames = empty
+-ExpectedServerCertType = brainpoolP256r1
+-ExpectedServerSignType = EC
++ExpectedResult = ServerFail
++#ExpectedServerCANames = empty
++#ExpectedServerCertType = brainpoolP256r1
++#ExpectedServerSignType = EC
+ 
+ 
+ # ===========================================================
+@@ -1577,14 +1577,14 @@ server = 47-TLS 1.3 ECDSA with brainpool
+ client = 47-TLS 1.3 ECDSA with brainpool-client
+ 
+ [47-TLS 1.3 ECDSA with brainpool-server]
+-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
+-CipherString = DEFAULT
+-Groups = brainpoolP256r1
+-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
++#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
++CipherString = aNULL
++#Groups = brainpoolP256r1
++#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+ 
+ [47-TLS 1.3 ECDSA with brainpool-client]
+ CipherString = DEFAULT
+-Groups = brainpoolP256r1
++#Groups = brainpoolP256r1
+ MaxProtocol = TLSv1.3
+ MinProtocol = TLSv1.3
+ RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+@@ -1592,7 +1592,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
+ VerifyMode = Peer
+ 
+ [test-47]
+-ExpectedResult = ServerFail
++ExpectedResult = Success
+ 
+ 
+ # ===========================================================
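Review bot: The template and the generated file disagree on test-5: `20-cert-select.conf.in` keeps `"ExpectedResult" => "Success"` for "ECDSA with brainpool", while `20-cert-select.conf` sets `ExpectedResult = ServerFail` for the same `[test-5]`, whereas test-47 is changed to Success in both. As far as I recall, 80-test_ssl_new.t regenerates the .conf from the .conf.in and fails when they differ, so one side has to be corrected; with the server reduced to `CipherString = aNULL` and no certificate while the client demands `aECDSA`, the ServerFail in the .conf looks like the right one, but please confirm by regenerating. test-47 is TLS 1.3-only and TLS 1.3 has no anonymous key exchange, so a Success expectation with no server certificate looks doubtful too; verify that it genuinely passes rather than being skipped. The tests are neutralised in place but keep their brainpool names, so a comment at the top of each disabled block such as `# brainpool curves are stripped by hobble-openssl; this test is neutralised, not exercised` would save the next rebase a puzzle.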

diff --git a/openssl-1.1.1-seclevel.patch b/openssl-1.1.1-seclevel.patch
index 8b6a77a..fe6c6bb 100644
--- a/openssl-1.1.1-seclevel.patch
+++ b/openssl-1.1.1-seclevel.patch
@@ -39,17 +39,6 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
 diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
 --- openssl-1.1.1/ssl/ssl_cert.c.seclevel	2018-09-11 14:48:23.000000000 +0200
 +++ openssl-1.1.1/ssl/ssl_cert.c	2018-10-12 15:29:12.673799305 +0200
-@@ -951,8 +951,8 @@ static int ssl_security_default_callback
-             if (level >= 2 && c->algorithm_enc == SSL_RC4)
-                 return 0;
-             /* Level 3: forward secure ciphersuites only */
--            if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
--                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
-+            if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
-+                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
-                 return 0;
-             break;
-         }
 @@ -983,6 +983,9 @@ static int ssl_security_default_callback
              return 0;
          break;

diff --git a/openssl-1.1.1-secure-getenv.patch b/openssl-1.1.1-secure-getenv.patch
deleted file mode 100644
index c3d14a1..0000000
--- a/openssl-1.1.1-secure-getenv.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-diff -up openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_api.c
---- openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/conf/conf_api.c	2018-07-16 18:01:11.708359766 +0200
-@@ -9,6 +9,8 @@
- 
- /* Part of the code in here was originally in conf.c, which is now removed */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "e_os.h"
- #include <stdlib.h>
- #include <string.h>
-@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
-             if (v != NULL)
-                 return v->value;
-             if (strcmp(section, "ENV") == 0) {
--                p = getenv(name);
-+                p = secure_getenv(name);
-                 if (p != NULL)
-                     return p;
-             }
-diff -up openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_mod.c
---- openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/conf/conf_mod.c	2018-07-16 18:02:37.308383955 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "internal/cryptlib.h"
- #include <stdio.h>
- #include <ctype.h>
-@@ -481,7 +483,7 @@ char *CONF_get1_default_config_file(void
-     int len;
- 
-     if (!OPENSSL_issetugid()) {
--        file = getenv("OPENSSL_CONF");
-+        file = secure_getenv("OPENSSL_CONF");
-         if (file)
-             return OPENSSL_strdup(file);
-     }
-diff -up openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv openssl-1.1.1-pre8/crypto/ct/ct_log.c
---- openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/ct/ct_log.c	2018-07-16 18:01:11.708359766 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdlib.h>
- #include <string.h>
- 
-@@ -137,7 +139,7 @@ static int ctlog_new_from_conf(CTLOG **c
- 
- int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
- {
--    const char *fpath = getenv(CTLOG_FILE_EVP);
-+    const char *fpath = secure_getenv(CTLOG_FILE_EVP);
- 
-     if (fpath == NULL)
-       fpath = CTLOG_FILE;
-diff -up openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv openssl-1.1.1-pre8/crypto/engine/eng_list.c
---- openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/engine/eng_list.c	2018-07-16 18:03:03.190996004 +0200
-@@ -8,6 +8,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "eng_int.h"
- 
- /*
-@@ -318,7 +320,7 @@ ENGINE *ENGINE_by_id(const char *id)
-      */
-     if (strcmp(id, "dynamic")) {
-         if (OPENSSL_issetugid()
--                || (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
-+                || (load_dir = secure_getenv("OPENSSL_ENGINES")) == NULL)
-             load_dir = ENGINESDIR;
-         iterator = ENGINE_by_id("dynamic");
-         if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
-diff -up openssl-1.1.1-pre8/crypto/mem.c.secure-getenv openssl-1.1.1-pre8/crypto/mem.c
---- openssl-1.1.1-pre8/crypto/mem.c.secure-getenv	2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/mem.c	2018-07-16 18:01:11.709359790 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "e_os.h"
- #include "internal/cryptlib.h"
- #include "internal/cryptlib_int.h"
-@@ -180,11 +182,11 @@ static int shouldfail(void)
- 
- void ossl_malloc_setup_failures(void)
- {
--    const char *cp = getenv("OPENSSL_MALLOC_FAILURES");
-+    const char *cp = secure_getenv("OPENSSL_MALLOC_FAILURES");
- 
-     if (cp != NULL && (md_failstring = strdup(cp)) != NULL)
-         parseit();
--    if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL)
-+    if ((cp = secure_getenv("OPENSSL_MALLOC_FD")) != NULL)
-         md_tracefd = atoi(cp);
- }
- #endif
-diff -up openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv openssl-1.1.1-pre8/crypto/rand/randfile.c
---- openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv	2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rand/randfile.c	2018-07-16 18:01:11.709359790 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "internal/cryptlib.h"
- 
- #include <errno.h>
-@@ -264,7 +266,7 @@ const char *RAND_file_name(char *buf, si
- #else
-     if (OPENSSL_issetugid() != 0) {
-         use_randfile = 0;
--    } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') {
-+    } else if ((s = secure_getenv("RANDFILE")) == NULL || *s == '\0') {
-         use_randfile = 0;
-         s = getenv("HOME");
-     }
-diff -up openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_dir.c
---- openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv	2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/x509/by_dir.c	2018-07-16 18:03:43.355945786 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "e_os.h"
- #include "internal/cryptlib.h"
- #include <stdio.h>
-@@ -73,7 +75,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
-     switch (cmd) {
-     case X509_L_ADD_DIR:
-         if (argl == X509_FILETYPE_DEFAULT) {
--            const char *dir = getenv(X509_get_default_cert_dir_env());
-+            const char *dir = secure_getenv(X509_get_default_cert_dir_env());
- 
-             if (dir)
-                 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
-diff -up openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_file.c
---- openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv	2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/x509/by_file.c	2018-07-16 18:01:11.709359790 +0200
-@@ -7,6 +7,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -46,7 +48,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
-     switch (cmd) {
-     case X509_L_FILE_LOAD:
-         if (argl == X509_FILETYPE_DEFAULT) {
--            file = getenv(X509_get_default_cert_file_env());
-+            file = secure_getenv(X509_get_default_cert_file_env());
-             if (file)
-                 ok = (X509_load_cert_crl_file(ctx, file,
-                                               X509_FILETYPE_PEM) != 0);

diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch
index 513f27e..229d48d 100644
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@@ -1,12 +1,12 @@
-diff -up openssl-1.1.1/include/openssl/opensslv.h.version-override openssl-1.1.1/include/openssl/opensslv.h
---- openssl-1.1.1/include/openssl/opensslv.h.version-override	2018-09-13 08:54:38.247940128 +0200
-+++ openssl-1.1.1/include/openssl/opensslv.h	2018-09-13 08:56:10.757779555 +0200
+diff -up openssl-1.1.1a/include/openssl/opensslv.h.version-override openssl-1.1.1a/include/openssl/opensslv.h
+--- openssl-1.1.1a/include/openssl/opensslv.h.version-override	2019-01-15 14:09:04.591995174 +0100
++++ openssl-1.1.1a/include/openssl/opensslv.h	2019-01-15 14:11:31.976256442 +0100
 @@ -40,7 +40,7 @@ extern "C" {
   *  major minor fix final patch/beta)
   */
- # define OPENSSL_VERSION_NUMBER  0x1010100fL
--# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1  11 Sep 2018"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1 FIPS  11 Sep 2018"
+ # define OPENSSL_VERSION_NUMBER  0x1010101fL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1a  20 Nov 2018"
++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1a FIPS  20 Nov 2018"
  
  /*-
   * The macros below are to be used for shared library (.so, .dll, ...)

diff --git a/openssl.spec b/openssl.spec
index c2f8699..3465038 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,8 +21,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.1
-Release: 7%{?dist}
+Version: 1.1.1a
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -39,7 +39,7 @@ Source12: ec_curve.c
 Source13: ectest.c
 # Build changes
 Patch1: openssl-1.1.1-build.patch
-Patch2: openssl-1.1.0-defaults.patch
+Patch2: openssl-1.1.1-defaults.patch
 Patch3: openssl-1.1.0-no-html.patch
 Patch4: openssl-1.1.1-man-rename.patch
 # Bug fixes
@@ -48,7 +48,7 @@ Patch21: openssl-1.1.0-issuer-hash.patch
 Patch31: openssl-1.1.1-conf-paths.patch
 Patch32: openssl-1.1.1-version-add-engines.patch
 Patch33: openssl-1.1.0-apps-dgst.patch
-Patch36: openssl-1.1.1-secure-getenv.patch
+Patch36: openssl-1.1.1-no-brainpool.patch
 Patch37: openssl-1.1.1-ec-curves.patch
 Patch38: openssl-1.1.0-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
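Review bot: Patch36 is re-pointed from openssl-1.1.1-secure-getenv.patch to the unrelated openssl-1.1.1-no-brainpool.patch, so the secure_getenv hardening for OPENSSL_CONF, OPENSSL_ENGINES, RANDFILE and the certificate-path variables disappears without a trace under a reused number. If the reason is that 1.1.1a carries an equivalent upstream (I believe a safe getenv wrapper landed in that release, but confirm before relying on it), record that in the changelog entry, which currently says only `- update to the 1.1.1a release`; the same goes for the dropped coverity fix and the dropped security-level-3 hunk. Giving the new patch a fresh number, `Patch49: openssl-1.1.1-no-brainpool.patch` with a matching `%patch49 -p1 -b .no-brainpool`, keeps the drop and the add separately visible in the spec's history.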
@@ -58,7 +58,6 @@ Patch43: openssl-1.1.1-ignore-bound.patch
 Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.1-weak-ciphers.patch
 Patch46: openssl-1.1.1-seclevel.patch
-Patch47: openssl-1.1.1-coverity.patch
 Patch48: openssl-1.1.1-fips-post-rand.patch
 # Backported fixes including security fixes
 
@@ -153,7 +152,7 @@ cp %{SOURCE13} test/
 %patch31 -p1 -b .conf-paths
 %patch32 -p1 -b .version-add-engines
 %patch33 -p1 -b .dgst
-%patch36 -p1 -b .secure-getenv
+%patch36 -p1 -b .no-brainpool
 %patch37 -p1 -b .curves
 %patch38 -p1 -b .no-weak-verify
 %patch40 -p1 -b .disable-ssl3
@@ -163,7 +162,6 @@ cp %{SOURCE13} test/
 %patch44 -p1 -b .version-override
 %patch45 -p1 -b .weak-ciphers
 %patch46 -p1 -b .seclevel
-%patch47 -p1 -b .coverity
 %patch48 -p1 -b .fips-post-rand
 
 
@@ -453,6 +451,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Tue Jan 15 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1a-1
+- update to the 1.1.1a release
+
 * Fri Nov  9 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-7
 - use /dev/urandom for seeding the RNG in FIPS POST
 

diff --git a/sources b/sources
index 9e249a8..43aa399 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-1.1.1-hobbled.tar.xz) = a593ea9b4b11745e1a4fa8be91c0dbb5ee7c4c1089410ad6e6501212e838573bcf7e78e843444de3f9ba0beccc7db138deef243a22cafe480c040c696e80b0b3
+SHA512 (openssl-1.1.1a-hobbled.tar.xz) = 17d2703b2169f36b2ecd50d014103f31e22bbd42807b4688a3cd6140911e0aa9a2fa2bb1d4dda4eae000913a1551d85ac9c441a69c053a8ad10b593ec2a588b5
