jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

Upgrade to version 1.1.1h

Browse Source 
Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
Sahana Prasad 2020-11-02 12:45:07 +01:00
parent 261f10a200
commit 3413ff9700
11 changed files with 214 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -48,3 +48,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1e-hobbled.tar.xz
/openssl-1.1.1f-hobbled.tar.xz
/openssl-1.1.1g-hobbled.tar.xz
/openssl-1.1.1h-hobbled.tar.xz

84
ectest.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -1425,6 +1425,87 @@ static int ec_point_hex2point_test(int id)
return ret;
}
/*
* check the EC_METHOD respects the supplied EC_GROUP_set_generator G
*/
static int custom_generator_test(int id)
{
int ret = 0, nid, bsize;
EC_GROUP *group = NULL;
EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
BN_CTX *ctx = NULL;
BIGNUM *k = NULL;
unsigned char *b1 = NULL, *b2 = NULL;
/* Do some setup */
nid = curves[id].nid;
TEST_note("Curve %s", OBJ_nid2sn(nid));
if (!TEST_ptr(ctx = BN_CTX_new()))
return 0;
BN_CTX_start(ctx);
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
goto err;
/* expected byte length of encoded points */
bsize = (EC_GROUP_get_degree(group) + 7) / 8;
bsize = 2 * bsize + 1;
if (!TEST_ptr(k = BN_CTX_get(ctx))
/* fetch a testing scalar k != 0,1 */
|| !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
/* make k even */
|| !TEST_true(BN_clear_bit(k, 0))
|| !TEST_ptr(G2 = EC_POINT_new(group))
|| !TEST_ptr(Q1 = EC_POINT_new(group))
/* Q1 := kG */
|| !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
/* pull out the bytes of that */
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
POINT_CONVERSION_UNCOMPRESSED, NULL,
0, ctx), bsize)
|| !TEST_ptr(b1 = OPENSSL_malloc(bsize))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
POINT_CONVERSION_UNCOMPRESSED, b1,
bsize, ctx), bsize)
/* new generator is G2 := 2G */
|| !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
ctx))
|| !TEST_true(EC_GROUP_set_generator(group, G2,
EC_GROUP_get0_order(group),
EC_GROUP_get0_cofactor(group)))
|| !TEST_ptr(Q2 = EC_POINT_new(group))
|| !TEST_true(BN_rshift1(k, k))
/* Q2 := k/2 G2 */
|| !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
POINT_CONVERSION_UNCOMPRESSED, NULL,
0, ctx), bsize)
|| !TEST_ptr(b2 = OPENSSL_malloc(bsize))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
POINT_CONVERSION_UNCOMPRESSED, b2,
bsize, ctx), bsize)
/* Q1 = kG = k/2 G2 = Q2 should hold */
|| !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
EC_POINT_free(Q1);
EC_POINT_free(Q2);
EC_POINT_free(G2);
EC_GROUP_free(group);
BN_CTX_free(ctx);
OPENSSL_free(b1);
OPENSSL_free(b2);
return ret;
}
#endif /* OPENSSL_NO_EC */
int setup_tests(void)
@ -1452,6 +1533,7 @@ int setup_tests(void)
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
ADD_ALL_TESTS(custom_generator_test, crv_len);
#endif /* OPENSSL_NO_EC */
return 1;
}

84
openssl-1.1.1-ec-curves.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
--- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200
diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
#endif /* OPENSSL_NO_RSA */
@ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
{"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448}
};
@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
unsigned int bits;
} test_curves[] = {
/* Prime Curves */
@ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
/* Other and ECDH only ones */
{"X25519", NID_X25519, 253},
{"X448", NID_X448, 448}
@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
# endif
# ifndef OPENSSL_NO_EC
@ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
}
}
}
@ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
}
# endif
@ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0;
@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
}
}
}
@ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
--- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200
diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0;
}
@ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
--- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200
+++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200
diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100
+++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100
@@ -32,23 +32,6 @@ typedef struct {
} ecdsa_cavs_kat_t;
@ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
/* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
if disabled("ec");
my @prime_curves = qw(
- secp112r1
- secp112r2
- secp128r1
- secp128r2
- secp160k1
- secp160r1
- secp160r2
- secp192k1
- secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
- prime192v1
- prime192v2
- prime192v3
- prime239v1
- prime239v2
- prime239v3
prime256v1
- wap-wsg-idm-ecid-wtls6
- wap-wsg-idm-ecid-wtls7
- wap-wsg-idm-ecid-wtls8
- wap-wsg-idm-ecid-wtls9
- wap-wsg-idm-ecid-wtls12
- brainpoolP160r1
- brainpoolP160t1
- brainpoolP192r1
- brainpoolP192t1
- brainpoolP224r1
- brainpoolP224t1
- brainpoolP256r1
- brainpoolP256t1
- brainpoolP320r1
- brainpoolP320t1
- brainpoolP384r1
- brainpoolP384t1
- brainpoolP512r1
- brainpoolP512t1
);
my @binary_curves = qw(
@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
if !disabled("sm2");
my @curve_aliases = qw(
- P-192
P-224
P-256
P-384

97
openssl-1.1.1-fips-dh.patch
View File

@ -2716,91 +2716,16 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
return ret;
}
#endif
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-07-17 10:36:29.243788425 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-07-17 10:36:29.249788474 +0200
@@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
#ifndef OPENSSL_NO_DH
DH *ssl_get_auto_dh(SSL *s)
{
+ DH *dhp = NULL;
+ BIGNUM *p = NULL, *g = NULL;
int dh_secbits = 80;
- if (s->cert->dh_tmp_auto == 2)
- return DH_get_1024_160();
- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
- if (s->s3->tmp.new_cipher->strength_bits == 256)
- dh_secbits = 128;
- else
- dh_secbits = 80;
- } else {
- if (s->s3->tmp.cert == NULL)
- return NULL;
- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ if (s->cert->dh_tmp_auto != 2) {
+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
+ if (s->s3->tmp.new_cipher->strength_bits == 256)
+ dh_secbits = 128;
+ else
+ dh_secbits = 80;
+ } else {
+ if (s->s3->tmp.cert == NULL)
+ return NULL;
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ }
}
- if (dh_secbits >= 128) {
- DH *dhp = DH_new();
- BIGNUM *p, *g;
- if (dhp == NULL)
- return NULL;
- g = BN_new();
- if (g == NULL || !BN_set_word(g, 2)) {
- DH_free(dhp);
- BN_free(g);
- return NULL;
- }
- if (dh_secbits >= 192)
- p = BN_get_rfc3526_prime_8192(NULL);
- else
- p = BN_get_rfc3526_prime_3072(NULL);
- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
- DH_free(dhp);
- BN_free(p);
- BN_free(g);
- return NULL;
- }
- return dhp;
+ dhp = DH_new();
+ if (dhp == NULL)
+ return NULL;
+ g = BN_new();
+ if (g == NULL || !BN_set_word(g, 2)) {
+ DH_free(dhp);
+ BN_free(g);
+ return NULL;
+ }
+ if (dh_secbits >= 192)
+ p = BN_get_rfc3526_prime_8192(NULL);
+ else if (dh_secbits >= 152)
+ p = BN_get_rfc3526_prime_4096(NULL);
+ else if (dh_secbits >= 128)
+ p = BN_get_rfc3526_prime_3072(NULL);
diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c
--- openssl-1.1.1h/ssl/t1_lib.c.fips-dh 2020-11-04 14:04:41.851711629 +0100
+++ openssl-1.1.1h/ssl/t1_lib.c 2020-11-04 14:06:06.506431652 +0100
@@ -2470,7 +2470,7 @@
p = BN_get_rfc3526_prime_4096(NULL);
else if (dh_secbits >= 128)
p = BN_get_rfc3526_prime_3072(NULL);
- else if (dh_secbits >= 112)
+ else if (dh_secbits >= 112 || FIPS_mode())
+ p = BN_get_rfc3526_prime_2048(NULL);
+ else
+ p = BN_get_rfc2409_prime_1024(NULL);
+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+ DH_free(dhp);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
}
- if (dh_secbits >= 112)
- return DH_get_2048_224();
- return DH_get_1024_160();
+ return dhp;
}
#endif
p = BN_get_rfc3526_prime_2048(NULL);
else
p = BN_get_rfc2409_prime_1024(NULL);

8
openssl-1.1.1-fips.patch
View File

@ -11614,10 +11614,10 @@ diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1
diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num
--- openssl-1.1.1e/util/libcrypto.num.fips 2020-03-17 17:31:10.744241038 +0100
+++ openssl-1.1.1e/util/libcrypto.num 2020-03-17 17:32:37.851722261 +0100
@@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify
EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION:
EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION:
RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA
@@ -4590,3 +4590,38 @@ X509_ALGOR_copy
X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:
X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:
EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:

14
openssl-1.1.1-ignore-bound.patch
View File

@ -1,14 +0,0 @@
Do not return failure when setting version bound on fixed protocol
version method.
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
* methods are not subject to controls that disable individual protocol
* versions.
*/
- return 0;
+ return 1;
case TLS_ANY_VERSION:
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)

44
openssl-1.1.1-reneg-no-extms.patch
View File

@ -1,44 +0,0 @@
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
@@ -292,6 +292,9 @@ extern "C" {
# define TLS1_FLAGS_STATELESS 0x0800
+/* Set if extended master secret extension required on renegotiation */
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
+
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1
# define SSL3_MT_SERVER_HELLO 2
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
static int init_ems(SSL *s, unsigned int context)
{
- if (!s->server)
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+ }
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
+ /*
+ * Check extended master secret extension is not dropped on
+ * renegotiation.
+ */
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+ SSL_R_INCONSISTENT_EXTMS);
+ return 0;
+ }
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with

52
openssl-1.1.1-ts-sha256-default.patch
View File

@ -1,8 +1,17 @@
diff --git a/apps/ts.c b/apps/ts.c
index 63c5210183..4ef8a72eef 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100
+++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100
@@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
-ess_cert_id_alg = sha1 # algorithm to compute certificate
+ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha1)
diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100
@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
ASN1_OBJECT *policy_obj = NULL;
ASN1_INTEGER *nonce_asn1 = NULL;
@ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644
goto err;
if ((ts_req = TS_REQ_new()) == NULL)
goto err;
diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
index 078905a845..83b8fe4350 100644
--- a/doc/man1/ts.pod
+++ b/doc/man1/ts.pod
@@ -517,7 +517,7 @@ included. Default is no. (Optional)
diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100
+++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100
@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
if (md == NULL)
- md = "sha1";
+ md = "sha256";
cert_md = EVP_get_digestbyname(md);
if (cert_md == NULL) {
diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100
@@ -518,7 +518,7 @@ included. Default is no. (Optional)
=item B<ess_cert_id_alg>
This option specifies the hash function to be used to calculate the TSA's
@ -24,21 +44,21 @@ index 078905a845..83b8fe4350 100644
=back
@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
=head2 Time Stamp Request
-To create a time stamp request for design1.txt with SHA-1
+To create a time stamp request for design1.txt with SHA-256
-To create a timestamp request for design1.txt with SHA-1
+To create a timestamp request for design1.txt with SHA-256
without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \
@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
@@ -546,12 +546,12 @@ To print the content of the previous req
openssl ts -query -in design1.tsq -text
-To create a time stamp request which includes the MD-5 digest
+To create a time stamp request which includes the SHA-512 digest
-To create a timestamp request which includes the MD-5 digest
+To create a timestamp request which includes the SHA-512 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):

6
openssl-1.1.1-version-override.patch
View File

@ -4,9 +4,9 @@ diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.
@@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1010107fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020"
# define OPENSSL_VERSION_NUMBER 0x1010108fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h FIPS 22 Sep 2020"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)

11
openssl.spec
View File

@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1g
Release: 15%{?dist}
Version: 1.1.1h
Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -54,7 +54,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
Patch40: openssl-1.1.1-disable-ssl3.patch
Patch41: openssl-1.1.1-system-cipherlist.patch
Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch
@ -69,7 +68,6 @@ Patch62: openssl-1.1.1-fips-curves.patch
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
Patch66: openssl-1.1.1-fips-dh.patch
Patch67: openssl-1.1.1-kdf-selftest.patch
Patch68: openssl-1.1.1-reneg-no-extms.patch
Patch69: openssl-1.1.1-alpn-cb.patch
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
# Backported fixes including security fixes
@ -167,7 +165,6 @@ cp %{SOURCE13} test/
%patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist
%patch42 -p1 -b .fips
%patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
@ -186,7 +183,6 @@ cp %{SOURCE13} test/
%patch65 -p1 -b .drbg-selftest
%patch66 -p1 -b .fips-dh
%patch67 -p1 -b .kdf-selftest
%patch68 -p1 -b .reneg-no-extms
%patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg
@ -477,6 +473,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
- Upgrade to version 1.1.1.h
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971
SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908