public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Sahana Prasad <sahana@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Upgrade to version 1.1.1h
Date: Tue, 09 Jun 2026 12:44:51 GMT [thread overview]
Message-ID: <178100909191.1.10790705554299619788.rpms-openssl-3413ff970037@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 3413ff9700373616a74dcf14fe75868d046e22e2
Author : Sahana Prasad <sahana@redhat.com>
Date : 2020-11-09T10:41:15+01:00
Stats : +214/-189 in 11 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/3413ff9700373616a74dcf14fe75868d046e22e2?branch=rebase_40beta
Log:
Upgrade to version 1.1.1h
Signed-off-by: Sahana Prasad <sahana@redhat.com>
---
diff --git a/.gitignore b/.gitignore
index c6aba1d..3305a0f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1e-hobbled.tar.xz
/openssl-1.1.1f-hobbled.tar.xz
/openssl-1.1.1g-hobbled.tar.xz
+/openssl-1.1.1h-hobbled.tar.xz
diff --git a/ectest.c b/ectest.c
index c16642e..e4fd45b 100644
--- a/ectest.c
+++ b/ectest.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -1425,6 +1425,87 @@ static int ec_point_hex2point_test(int id)
return ret;
}
+/*
+ * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
+ */
+static int custom_generator_test(int id)
+{
+ int ret = 0, nid, bsize;
+ EC_GROUP *group = NULL;
+ EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
+ BN_CTX *ctx = NULL;
+ BIGNUM *k = NULL;
+ unsigned char *b1 = NULL, *b2 = NULL;
+
+ /* Do some setup */
+ nid = curves[id].nid;
+ TEST_note("Curve %s", OBJ_nid2sn(nid));
+ if (!TEST_ptr(ctx = BN_CTX_new()))
+ return 0;
+
+ BN_CTX_start(ctx);
+
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
+ goto err;
+
+ /* expected byte length of encoded points */
+ bsize = (EC_GROUP_get_degree(group) + 7) / 8;
+ bsize = 2 * bsize + 1;
+
+ if (!TEST_ptr(k = BN_CTX_get(ctx))
+ /* fetch a testing scalar k != 0,1 */
+ || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
+ BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ /* make k even */
+ || !TEST_true(BN_clear_bit(k, 0))
+ || !TEST_ptr(G2 = EC_POINT_new(group))
+ || !TEST_ptr(Q1 = EC_POINT_new(group))
+ /* Q1 := kG */
+ || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
+ /* pull out the bytes of that */
+ || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
+ POINT_CONVERSION_UNCOMPRESSED, NULL,
+ 0, ctx), bsize)
+ || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
+ || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
+ POINT_CONVERSION_UNCOMPRESSED, b1,
+ bsize, ctx), bsize)
+ /* new generator is G2 := 2G */
+ || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
+ ctx))
+ || !TEST_true(EC_GROUP_set_generator(group, G2,
+ EC_GROUP_get0_order(group),
+ EC_GROUP_get0_cofactor(group)))
+ || !TEST_ptr(Q2 = EC_POINT_new(group))
+ || !TEST_true(BN_rshift1(k, k))
+ /* Q2 := k/2 G2 */
+ || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
+ || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
+ POINT_CONVERSION_UNCOMPRESSED, NULL,
+ 0, ctx), bsize)
+ || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
+ || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
+ POINT_CONVERSION_UNCOMPRESSED, b2,
+ bsize, ctx), bsize)
+ /* Q1 = kG = k/2 G2 = Q2 should hold */
+ || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ EC_POINT_free(Q1);
+ EC_POINT_free(Q2);
+ EC_POINT_free(G2);
+ EC_GROUP_free(group);
+ BN_CTX_free(ctx);
+ OPENSSL_free(b1);
+ OPENSSL_free(b2);
+
+ return ret;
+}
+
#endif /* OPENSSL_NO_EC */
int setup_tests(void)
@@ -1452,6 +1533,7 @@ int setup_tests(void)
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
+ ADD_ALL_TESTS(custom_generator_test, crv_len);
#endif /* OPENSSL_NO_EC */
return 1;
}
diff --git a/openssl-1.1.1-ec-curves.patch b/openssl-1.1.1-ec-curves.patch
index a83a331..27f23ca 100644
--- a/openssl-1.1.1-ec-curves.patch
+++ b/openssl-1.1.1-ec-curves.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
---- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200
+diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
+--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
#endif /* OPENSSL_NO_RSA */
@@ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
{"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448}
};
-@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
+@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
unsigned int bits;
} test_curves[] = {
/* Prime Curves */
@@ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
/* Other and ECDH only ones */
{"X25519", NID_X25519, 253},
{"X448", NID_X448, 448}
-@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
+@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
# endif
# ifndef OPENSSL_NO_EC
@@ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
-@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
+@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
}
}
}
@@ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
-@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
+@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
}
# endif
@@ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0;
-@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
+@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
}
}
}
@@ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
---- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200
+diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0;
}
@@ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
-diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
---- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200
-+++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200
+diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
+--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100
++++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100
@@ -32,23 +32,6 @@ typedef struct {
} ecdsa_cavs_kat_t;
@@ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
/* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
+--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
++++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
+@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
+ if disabled("ec");
+
+ my @prime_curves = qw(
+- secp112r1
+- secp112r2
+- secp128r1
+- secp128r2
+- secp160k1
+- secp160r1
+- secp160r2
+- secp192k1
+- secp224k1
+ secp224r1
+ secp256k1
+ secp384r1
+ secp521r1
+- prime192v1
+- prime192v2
+- prime192v3
+- prime239v1
+- prime239v2
+- prime239v3
+ prime256v1
+- wap-wsg-idm-ecid-wtls6
+- wap-wsg-idm-ecid-wtls7
+- wap-wsg-idm-ecid-wtls8
+- wap-wsg-idm-ecid-wtls9
+- wap-wsg-idm-ecid-wtls12
+- brainpoolP160r1
+- brainpoolP160t1
+- brainpoolP192r1
+- brainpoolP192t1
+- brainpoolP224r1
+- brainpoolP224t1
+- brainpoolP256r1
+- brainpoolP256t1
+- brainpoolP320r1
+- brainpoolP320t1
+- brainpoolP384r1
+- brainpoolP384t1
+- brainpoolP512r1
+- brainpoolP512t1
+ );
+
+ my @binary_curves = qw(
+@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
+ if !disabled("sm2");
+
+ my @curve_aliases = qw(
+- P-192
+ P-224
+ P-256
+ P-384
diff --git a/openssl-1.1.1-fips-dh.patch b/openssl-1.1.1-fips-dh.patch
index d98372e..ff895d5 100644
--- a/openssl-1.1.1-fips-dh.patch
+++ b/openssl-1.1.1-fips-dh.patch
@@ -2716,91 +2716,16 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
return ret;
}
#endif
-diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
---- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-07-17 10:36:29.243788425 +0200
-+++ openssl-1.1.1g/ssl/t1_lib.c 2020-07-17 10:36:29.249788474 +0200
-@@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
- #ifndef OPENSSL_NO_DH
- DH *ssl_get_auto_dh(SSL *s)
- {
-+ DH *dhp = NULL;
-+ BIGNUM *p = NULL, *g = NULL;
- int dh_secbits = 80;
-- if (s->cert->dh_tmp_auto == 2)
-- return DH_get_1024_160();
-- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
-- if (s->s3->tmp.new_cipher->strength_bits == 256)
-- dh_secbits = 128;
-- else
-- dh_secbits = 80;
-- } else {
-- if (s->s3->tmp.cert == NULL)
-- return NULL;
-- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
-+ if (s->cert->dh_tmp_auto != 2) {
-+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
-+ if (s->s3->tmp.new_cipher->strength_bits == 256)
-+ dh_secbits = 128;
-+ else
-+ dh_secbits = 80;
-+ } else {
-+ if (s->s3->tmp.cert == NULL)
-+ return NULL;
-+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
-+ }
- }
-- if (dh_secbits >= 128) {
-- DH *dhp = DH_new();
-- BIGNUM *p, *g;
-- if (dhp == NULL)
-- return NULL;
-- g = BN_new();
-- if (g == NULL || !BN_set_word(g, 2)) {
-- DH_free(dhp);
-- BN_free(g);
-- return NULL;
-- }
-- if (dh_secbits >= 192)
-- p = BN_get_rfc3526_prime_8192(NULL);
-- else
-- p = BN_get_rfc3526_prime_3072(NULL);
-- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
-- DH_free(dhp);
-- BN_free(p);
-- BN_free(g);
-- return NULL;
-- }
-- return dhp;
-+ dhp = DH_new();
-+ if (dhp == NULL)
-+ return NULL;
-+ g = BN_new();
-+ if (g == NULL || !BN_set_word(g, 2)) {
-+ DH_free(dhp);
-+ BN_free(g);
-+ return NULL;
-+ }
-+ if (dh_secbits >= 192)
-+ p = BN_get_rfc3526_prime_8192(NULL);
-+ else if (dh_secbits >= 152)
-+ p = BN_get_rfc3526_prime_4096(NULL);
-+ else if (dh_secbits >= 128)
-+ p = BN_get_rfc3526_prime_3072(NULL);
+diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c
+--- openssl-1.1.1h/ssl/t1_lib.c.fips-dh 2020-11-04 14:04:41.851711629 +0100
++++ openssl-1.1.1h/ssl/t1_lib.c 2020-11-04 14:06:06.506431652 +0100
+@@ -2470,7 +2470,7 @@
+ p = BN_get_rfc3526_prime_4096(NULL);
+ else if (dh_secbits >= 128)
+ p = BN_get_rfc3526_prime_3072(NULL);
+- else if (dh_secbits >= 112)
+ else if (dh_secbits >= 112 || FIPS_mode())
-+ p = BN_get_rfc3526_prime_2048(NULL);
-+ else
-+ p = BN_get_rfc2409_prime_1024(NULL);
-+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
-+ DH_free(dhp);
-+ BN_free(p);
-+ BN_free(g);
-+ return NULL;
- }
-- if (dh_secbits >= 112)
-- return DH_get_2048_224();
-- return DH_get_1024_160();
-+ return dhp;
- }
- #endif
-
+ p = BN_get_rfc3526_prime_2048(NULL);
+ else
+ p = BN_get_rfc2409_prime_1024(NULL);
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index ad295a4..c9137ca 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -11614,10 +11614,10 @@ diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1
diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num
--- openssl-1.1.1e/util/libcrypto.num.fips 2020-03-17 17:31:10.744241038 +0100
+++ openssl-1.1.1e/util/libcrypto.num 2020-03-17 17:32:37.851722261 +0100
-@@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify
- EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION:
- EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION:
- RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA
+@@ -4590,3 +4590,38 @@ X509_ALGOR_copy
+ X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:
+ X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:
+ EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:
diff --git a/openssl-1.1.1-ignore-bound.patch b/openssl-1.1.1-ignore-bound.patch
deleted file mode 100644
index 4838f3d..0000000
--- a/openssl-1.1.1-ignore-bound.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Do not return failure when setting version bound on fixed protocol
-version method.
-diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
---- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
-@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
- * methods are not subject to controls that disable individual protocol
- * versions.
- */
-- return 0;
-+ return 1;
-
- case TLS_ANY_VERSION:
- if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
diff --git a/openssl-1.1.1-reneg-no-extms.patch b/openssl-1.1.1-reneg-no-extms.patch
deleted file mode 100644
index 76adef7..0000000
--- a/openssl-1.1.1-reneg-no-extms.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
---- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
-@@ -292,6 +292,9 @@ extern "C" {
-
- # define TLS1_FLAGS_STATELESS 0x0800
-
-+/* Set if extended master secret extension required on renegotiation */
-+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
-+
- # define SSL3_MT_HELLO_REQUEST 0
- # define SSL3_MT_CLIENT_HELLO 1
- # define SSL3_MT_SERVER_HELLO 2
-diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
---- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
-@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
-
- static int init_ems(SSL *s, unsigned int context)
- {
-- if (!s->server)
-+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
- s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
-+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
-+ }
-
- return 1;
- }
-
- static int final_ems(SSL *s, unsigned int context, int sent)
- {
-+ /*
-+ * Check extended master secret extension is not dropped on
-+ * renegotiation.
-+ */
-+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
-+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
-+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
-+ SSL_R_INCONSISTENT_EXTMS);
-+ return 0;
-+ }
- if (!s->server && s->hit) {
- /*
- * Check extended master secret extension is consistent with
diff --git a/openssl-1.1.1-ts-sha256-default.patch b/openssl-1.1.1-ts-sha256-default.patch
index d99dc47..2a1dd6c 100644
--- a/openssl-1.1.1-ts-sha256-default.patch
+++ b/openssl-1.1.1-ts-sha256-default.patch
@@ -1,8 +1,17 @@
-diff --git a/apps/ts.c b/apps/ts.c
-index 63c5210183..4ef8a72eef 100644
---- a/apps/ts.c
-+++ b/apps/ts.c
-@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
+diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
+--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100
++++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100
+@@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i
+ # (optional, default: no)
+ ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+-ess_cert_id_alg = sha1 # algorithm to compute certificate
++ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
+--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100
+@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
ASN1_OBJECT *policy_obj = NULL;
ASN1_INTEGER *nonce_asn1 = NULL;
@@ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644
goto err;
if ((ts_req = TS_REQ_new()) == NULL)
goto err;
-diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
-index 078905a845..83b8fe4350 100644
---- a/doc/man1/ts.pod
-+++ b/doc/man1/ts.pod
-@@ -517,7 +517,7 @@ included. Default is no. (Optional)
+diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
+--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100
++++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100
+@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
+ const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
+
+ if (md == NULL)
+- md = "sha1";
++ md = "sha256";
+
+ cert_md = EVP_get_digestbyname(md);
+ if (cert_md == NULL) {
+diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
+--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100
+@@ -518,7 +518,7 @@ included. Default is no. (Optional)
=item B<ess_cert_id_alg>
This option specifies the hash function to be used to calculate the TSA's
@@ -24,21 +44,21 @@ index 078905a845..83b8fe4350 100644
=back
-@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
+@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
=head2 Time Stamp Request
--To create a time stamp request for design1.txt with SHA-1
-+To create a time stamp request for design1.txt with SHA-256
+-To create a timestamp request for design1.txt with SHA-1
++To create a timestamp request for design1.txt with SHA-256
without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \
-@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
+@@ -546,12 +546,12 @@ To print the content of the previous req
openssl ts -query -in design1.tsq -text
--To create a time stamp request which includes the MD-5 digest
-+To create a time stamp request which includes the SHA-512 digest
+-To create a timestamp request which includes the MD-5 digest
++To create a timestamp request which includes the SHA-512 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch
index a6975fa..ff69bdb 100644
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@@ -4,9 +4,9 @@ diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.
@@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
- # define OPENSSL_VERSION_NUMBER 0x1010107fL
--# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
-+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020"
+ # define OPENSSL_VERSION_NUMBER 0x1010108fL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h FIPS 22 Sep 2020"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/openssl.spec b/openssl.spec
index 619a16c..3f6403c 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.1.1g
-Release: 15%{?dist}
+Version: 1.1.1h
+Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -54,7 +54,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
Patch40: openssl-1.1.1-disable-ssl3.patch
Patch41: openssl-1.1.1-system-cipherlist.patch
Patch42: openssl-1.1.1-fips.patch
-Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch
@@ -69,7 +68,6 @@ Patch62: openssl-1.1.1-fips-curves.patch
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
Patch66: openssl-1.1.1-fips-dh.patch
Patch67: openssl-1.1.1-kdf-selftest.patch
-Patch68: openssl-1.1.1-reneg-no-extms.patch
Patch69: openssl-1.1.1-alpn-cb.patch
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
# Backported fixes including security fixes
@@ -167,7 +165,6 @@ cp %{SOURCE13} test/
%patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist
%patch42 -p1 -b .fips
-%patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
@@ -186,7 +183,6 @@ cp %{SOURCE13} test/
%patch65 -p1 -b .drbg-selftest
%patch66 -p1 -b .fips-dh
%patch67 -p1 -b .kdf-selftest
-%patch68 -p1 -b .reneg-no-extms
%patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg
@@ -477,6 +473,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
+- Upgrade to version 1.1.1.h
+
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
diff --git a/sources b/sources
index 50e115e..2bae151 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971
+SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908
reply other threads:[~2026-06-09 12:44 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100909191.1.10790705554299619788.rpms-openssl-3413ff970037@fedoraproject.org \
--to=sahana@redhat.com \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox