public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Fix two small regressions
Date: Tue, 09 Jun 2026 12:44:30 GMT [thread overview]
Message-ID: <178100907045.1.10727167271369013653.rpms-openssl-22a821356e6f@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 22a821356e6f4b9c0df6538f8f40fb924bbb1bcd
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2019-05-10T14:35:26+02:00
Stats : +131/-32 in 5 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/22a821356e6f4b9c0df6538f8f40fb924bbb1bcd?branch=rebase_40beta
Log:
Fix two small regressions
Change the ts application default hash to SHA256
---
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index adcc584..09d8692 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -1,6 +1,6 @@
diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
---- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 08:56:33.531174336 +0200
-+++ openssl-1.1.1b/apps/speed.c 2019-05-07 09:43:06.673989992 +0200
+--- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200
++++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200
@@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv)
continue;
if (strcmp(*argv, "rsa") == 0) {
@@ -22,8 +22,19 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
dsa_doit[R_DSA_2048] = 1;
continue;
}
-@@ -1640,12 +1643,12 @@ int speed_main(int argc, char **argv)
- ecdh_doit[i] = 2;
+@@ -1633,19 +1636,21 @@ int speed_main(int argc, char **argv)
+ }
+ if (strcmp(*argv, "ecdh") == 0) {
+ for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
+- ecdh_doit[loop] = 1;
++ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
++ ecdh_doit[loop] = 1;
+ continue;
+ }
+ if (found(*argv, ecdh_choices, &i)) {
+- ecdh_doit[i] = 2;
++ if(!FIPS_mode() || (i != R_EC_X25519 && i != R_EC_X448))
++ ecdh_doit[i] = 2;
continue;
}
- if (strcmp(*argv, "eddsa") == 0) {
@@ -37,7 +48,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
eddsa_doit[i] = 2;
continue;
}
-@@ -1734,23 +1737,30 @@ int speed_main(int argc, char **argv)
+@@ -1734,23 +1739,30 @@ int speed_main(int argc, char **argv)
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
@@ -73,7 +84,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
#endif
}
for (i = 0; i < ALGOR_NUM; i++)
-@@ -1798,30 +1808,46 @@ int speed_main(int argc, char **argv)
+@@ -1798,30 +1810,46 @@ int speed_main(int argc, char **argv)
AES_set_encrypt_key(key24, 192, &aes_ks2);
AES_set_encrypt_key(key32, 256, &aes_ks3);
#ifndef OPENSSL_NO_CAMELLIA
@@ -130,7 +141,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
#endif
#ifndef SIGALRM
# ifndef OPENSSL_NO_DES
-@@ -2118,6 +2144,7 @@ int speed_main(int argc, char **argv)
+@@ -2118,6 +2146,7 @@ int speed_main(int argc, char **argv)
for (i = 0; i < loopargs_len; i++) {
loopargs[i].hctx = HMAC_CTX_new();
@@ -1648,7 +1659,7 @@ diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pm
+ {
pmeth = EVP_PKEY_meth_find(id);
+#ifdef OPENSSL_FIPS
-+ if (!(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) {
++ if (pmeth && !(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) {
+ EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS);
+ return NULL;
+ }
@@ -9890,7 +9901,7 @@ diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/h
diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/crypto/include/internal/fips_int.h
--- openssl-1.1.1b/crypto/include/internal/fips_int.h.fips 2019-02-28 11:30:06.817745466 +0100
+++ openssl-1.1.1b/crypto/include/internal/fips_int.h 2019-02-28 11:30:06.817745466 +0100
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,98 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
@@ -9954,6 +9965,7 @@ diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/c
+int FIPS_module_installed(void);
+int FIPS_selftest_sha1(void);
+int FIPS_selftest_sha2(void);
++int FIPS_selftest_sha3(void);
+int FIPS_selftest_aes_ccm(void);
+int FIPS_selftest_aes_gcm(void);
+int FIPS_selftest_aes_xts(void);
diff --git a/openssl-1.1.1-no-brainpool.patch b/openssl-1.1.1-no-brainpool.patch
index bbda9ef..2ab6fc9 100644
--- a/openssl-1.1.1-no-brainpool.patch
+++ b/openssl-1.1.1-no-brainpool.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in
---- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2018-11-20 14:35:42.000000000 +0100
-+++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in 2019-01-15 14:55:03.898065698 +0100
+diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in
+--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in 2019-05-07 11:52:35.885597934 +0200
@@ -141,22 +141,23 @@ our @tests = (
{
name => "ECDSA with brainpool",
@@ -57,10 +57,10 @@ diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
},
},
);
-diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf
---- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool 2018-11-20 14:35:42.000000000 +0100
-+++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf 2019-01-15 14:58:24.420416659 +0100
-@@ -233,23 +233,23 @@ server = 5-ECDSA with brainpool-server
+diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf
+--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf 2019-05-07 12:15:12.762907496 +0200
+@@ -233,23 +233,18 @@ server = 5-ECDSA with brainpool-server
client = 5-ECDSA with brainpool-client
[5-ECDSA with brainpool-server]
@@ -68,32 +68,26 @@ diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-
-CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-+#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = aNULL
-+#Groups = brainpoolP256r1
-+#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-ECDSA with brainpool-client]
CipherString = aECDSA
-Groups = brainpoolP256r1
-+#Groups = brainpoolP256r1
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
--ExpectedResult = Success
+ ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = brainpoolP256r1
-ExpectedServerSignType = EC
-+ExpectedResult = ServerFail
-+#ExpectedServerCANames = empty
-+#ExpectedServerCertType = brainpoolP256r1
-+#ExpectedServerSignType = EC
# ===========================================================
-@@ -1577,14 +1577,14 @@ server = 47-TLS 1.3 ECDSA with brainpool
+@@ -1577,14 +1572,12 @@ server = 47-TLS 1.3 ECDSA with brainpool
client = 47-TLS 1.3 ECDSA with brainpool-client
[47-TLS 1.3 ECDSA with brainpool-server]
@@ -101,19 +95,17 @@ diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-
-CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-+#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = aNULL
-+#Groups = brainpoolP256r1
-+#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[47-TLS 1.3 ECDSA with brainpool-client]
CipherString = DEFAULT
-Groups = brainpoolP256r1
-+#Groups = brainpoolP256r1
MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-@@ -1592,7 +1592,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
+@@ -1592,7 +1585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
VerifyMode = Peer
[test-47]
diff --git a/openssl-1.1.1-regression-fixes.patch b/openssl-1.1.1-regression-fixes.patch
new file mode 100644
index 0000000..3af815e
--- /dev/null
+++ b/openssl-1.1.1-regression-fixes.patch
@@ -0,0 +1,37 @@
+diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/conf/conf_lib.c
+--- openssl-1.1.1b/crypto/conf/conf_lib.c.regression 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/conf/conf_lib.c 2019-05-10 14:28:57.718049429 +0200
+@@ -356,8 +356,10 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(
+ {
+ OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret));
+
+- if (ret != NULL)
+- memset(ret, 0, sizeof(*ret));
++ if (ret == NULL)
++ return NULL;
++
++ memset(ret, 0, sizeof(*ret));
+ ret->flags = DEFAULT_CONF_MFLAGS;
+
+ return ret;
+diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.regression openssl-1.1.1b/crypto/evp/evp_enc.c
+--- openssl-1.1.1b/crypto/evp/evp_enc.c.regression 2019-05-07 11:52:35.982596242 +0200
++++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-10 14:30:42.269243383 +0200
+@@ -338,7 +338,7 @@ static int evp_EncryptDecryptUpdate(EVP_
+
+ bl = ctx->cipher->block_size;
+
+- if (inl <= 0) {
++ if (in == NULL && inl <= 0) {
+ *outl = 0;
+ return inl == 0;
+ }
+@@ -491,7 +491,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
+ if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
+ cmpl = (cmpl + 7) / 8;
+
+- if (inl <= 0) {
++ if (in == NULL && inl <= 0) {
+ *outl = 0;
+ return inl == 0;
+ }
diff --git a/openssl-1.1.1-ts-sha256-default.patch b/openssl-1.1.1-ts-sha256-default.patch
new file mode 100644
index 0000000..d99dc47
--- /dev/null
+++ b/openssl-1.1.1-ts-sha256-default.patch
@@ -0,0 +1,50 @@
+diff --git a/apps/ts.c b/apps/ts.c
+index 63c5210183..4ef8a72eef 100644
+--- a/apps/ts.c
++++ b/apps/ts.c
+@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
+ ASN1_OBJECT *policy_obj = NULL;
+ ASN1_INTEGER *nonce_asn1 = NULL;
+
+- if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL)
++ if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
+ goto err;
+ if ((ts_req = TS_REQ_new()) == NULL)
+ goto err;
+diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
+index 078905a845..83b8fe4350 100644
+--- a/doc/man1/ts.pod
++++ b/doc/man1/ts.pod
+@@ -517,7 +517,7 @@ included. Default is no. (Optional)
+ =item B<ess_cert_id_alg>
+
+ This option specifies the hash function to be used to calculate the TSA's
+-public key certificate identifier. Default is sha1. (Optional)
++public key certificate identifier. Default is sha256. (Optional)
+
+ =back
+
+@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
+
+ =head2 Time Stamp Request
+
+-To create a time stamp request for design1.txt with SHA-1
++To create a time stamp request for design1.txt with SHA-256
+ without nonce and policy and no certificate is required in the response:
+
+ openssl ts -query -data design1.txt -no_nonce \
+@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
+
+ openssl ts -query -in design1.tsq -text
+
+-To create a time stamp request which includes the MD-5 digest
++To create a time stamp request which includes the SHA-512 digest
+ of design2.txt, requests the signer certificate and nonce,
+ specifies a policy id (assuming the tsa_policy1 name is defined in the
+ OID section of the config file):
+
+- openssl ts -query -data design2.txt -md5 \
++ openssl ts -query -data design2.txt -sha512 \
+ -tspolicy tsa_policy1 -cert -out design2.tsq
+
+ =head2 Time Stamp Response
diff --git a/openssl.spec b/openssl.spec
index 1814eed..a8ba638 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1b
-Release: 8%{?dist}
+Release: 9%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -58,6 +58,7 @@ Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch
+Patch47: openssl-1.1.1-ts-sha256-default.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
Patch49: openssl-1.1.1-evp-kdf.patch
Patch50: openssl-1.1.1-ssh-kdf.patch
@@ -65,6 +66,7 @@ Patch50: openssl-1.1.1-ssh-kdf.patch
Patch51: openssl-1.1.1-upstream-sync.patch
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
+Patch54: openssl-1.1.1-regression-fixes.patch
License: OpenSSL
URL: http://www.openssl.org/
@@ -158,12 +160,14 @@ cp %{SOURCE13} test/
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
+%patch47 -p1 -b .ts-sha256-default
%patch48 -p1 -b .fips-post-rand
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
%patch51 -p1 -b .upstream-sync
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
+%patch54 -p1 -b .regression
%build
@@ -450,6 +454,10 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-9
+- Fix two small regressions
+- Change the ts application default hash to SHA256
+
* Tue May 7 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-8
- FIPS compliance fixes
reply other threads:[~2026-06-09 12:44 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100907045.1.10727167271369013653.rpms-openssl-22a821356e6f@fedoraproject.org \
--to=tmraz@fedoraproject.org \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox