update to the 1.1.1b release

EVP_KDF API backport from master
SSH KDF implementation for EVP_KDF API backport from master

.gitignore

@@ -42,3 +42,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1-pre9-hobbled.tar.xz
 /openssl-1.1.1-hobbled.tar.xz
 /openssl-1.1.1a-hobbled.tar.xz
+/openssl-1.1.1b-hobbled.tar.xz

openssl-1.1.1-ec-curves.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
---- openssl-1.1.1/apps/speed.c.curves	2018-09-11 14:48:20.000000000 +0200
-+++ openssl-1.1.1/apps/speed.c	2018-09-13 09:24:24.840081023 +0200
+diff -up openssl-1.1.1b/apps/speed.c.curves openssl-1.1.1b/apps/speed.c
+--- openssl-1.1.1b/apps/speed.c.curves	2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/apps/speed.c	2019-02-28 11:20:42.347170167 +0100
 @@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
  static double rsa_results[RSA_NUM][2];  /* 2 ops: sign then verify */
  #endif /* OPENSSL_NO_RSA */
@@ -98,11 +98,11 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
 -        {"nistp192", NID_X9_62_prime192v1, 192},
          {"nistp224", NID_secp224r1, 224},
          {"nistp256", NID_X9_62_prime256v1, 256},
-         {"nistp384", NID_secp384r1, 384}, 
+         {"nistp384", NID_secp384r1, 384},
          {"nistp521", NID_secp521r1, 521},
 -        /* Binary Curves */
 -        {"nistk163", NID_sect163k1, 163},
--        {"nistk233", NID_sect233k1, 233}, 
+-        {"nistk233", NID_sect233k1, 233},
 -        {"nistk283", NID_sect283k1, 283},
 -        {"nistk409", NID_sect409k1, 409},
 -        {"nistk571", NID_sect571k1, 571},
@@ -170,10 +170,10 @@ diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
      /* default iteration count for the last two EC Curves */
      ecdh_c[R_EC_X25519][0] = count / 1800;
      ecdh_c[R_EC_X448][0] = count / 7200;
-diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_smpl.c
---- openssl-1.1.1/crypto/ec/ecp_smpl.c.curves	2018-09-11 14:48:21.000000000 +0200
-+++ openssl-1.1.1/crypto/ec/ecp_smpl.c	2018-09-13 09:09:26.841792619 +0200
-@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
+diff -up openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves openssl-1.1.1b/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1b/crypto/ec/ecp_smpl.c.curves	2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/ec/ecp_smpl.c	2019-02-28 11:19:30.628479300 +0100
+@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
          return 0;
      }
  
@@ -185,10 +185,10 @@ diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_s
      if (ctx == NULL) {
          ctx = new_ctx = BN_CTX_new();
          if (ctx == NULL)
-diff -up openssl-1.1.1/test/ecdsatest.c.curves openssl-1.1.1/test/ecdsatest.c
---- openssl-1.1.1/test/ecdsatest.c.curves	2018-09-11 14:48:24.000000000 +0200
-+++ openssl-1.1.1/test/ecdsatest.c	2018-09-13 09:09:26.841792619 +0200
-@@ -173,6 +173,7 @@ static int x9_62_tests(void)
+diff -up openssl-1.1.1b/test/ecdsatest.c.curves openssl-1.1.1b/test/ecdsatest.c
+--- openssl-1.1.1b/test/ecdsatest.c.curves	2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/test/ecdsatest.c	2019-02-28 11:19:30.628479300 +0100
+@@ -176,6 +176,7 @@ static int x9_62_tests(void)
      if (!change_rand())
          goto x962_err;
  
@@ -196,7 +196,7 @@ diff -up openssl-1.1.1/test/ecdsatest.c.curves openssl-1.1.1/test/ecdsatest.c
      if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1,
                   "3342403536405981729393488334694600415596881826869351677613",
                   "5735822328888155254683894997897571951568553642892029982342")))
-@@ -183,6 +184,7 @@ static int x9_62_tests(void)
+@@ -186,6 +187,7 @@ static int x9_62_tests(void)
                   "3238135532097973577080787768312505059318910517550078427819"
                               "78505179448783")))
          goto x962_err;

openssl-1.1.1-no-weak-verify.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/crypto/asn1/a_verify.c
---- openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify	2017-11-02 15:29:02.000000000 +0100
-+++ openssl-1.1.0g/crypto/asn1/a_verify.c	2017-11-03 16:15:46.125801341 +0100
+diff -up openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.1b/crypto/asn1/a_verify.c
+--- openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify	2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/asn1/a_verify.c	2019-02-28 11:25:31.531862873 +0100
 @@ -7,6 +7,9 @@
   * https://www.openssl.org/source/license.html
   */
@@ -11,7 +11,7 @@ diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/cryp
  #include <stdio.h>
  #include <time.h>
  #include <sys/types.h>
-@@ -126,6 +129,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
+@@ -130,6 +133,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
          if (ret != 2)
              goto err;
          ret = -1;
@@ -22,5 +22,5 @@ diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/cryp
 +                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
 +        goto err;
      } else {
-         const EVP_MD *type;
-         type = EVP_get_digestbynid(mdnid);
+         const EVP_MD *type = EVP_get_digestbynid(mdnid);
+ 

openssl-1.1.1-system-cipherlist.patch

@@ -295,10 +295,10 @@ diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/s
          || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
          SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
          goto err2;
-diff -up openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre9/test/cipherlist_test.c
---- openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist	2018-08-21 14:14:15.000000000 +0200
-+++ openssl-1.1.1-pre9/test/cipherlist_test.c	2018-08-22 12:15:54.558743609 +0200
-@@ -217,7 +217,9 @@ static int test_default_cipherlist_expli
+diff -up openssl-1.1.1b/test/cipherlist_test.c.system-cipherlist openssl-1.1.1b/test/cipherlist_test.c
+--- openssl-1.1.1b/test/cipherlist_test.c.system-cipherlist	2019-02-28 11:27:15.181936081 +0100
++++ openssl-1.1.1b/test/cipherlist_test.c	2019-02-28 11:28:53.357111055 +0100
+@@ -251,7 +251,9 @@ end:
  
  int setup_tests(void)
  {
@@ -306,5 +306,5 @@ diff -up openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist openssl-1.1
      ADD_TEST(test_default_cipherlist_implicit);
 +#endif
      ADD_TEST(test_default_cipherlist_explicit);
+     ADD_TEST(test_default_cipherlist_clear);
      return 1;
- }

openssl-1.1.1-version-override.patch

@@ -1,12 +1,12 @@
-diff -up openssl-1.1.1a/include/openssl/opensslv.h.version-override openssl-1.1.1a/include/openssl/opensslv.h
---- openssl-1.1.1a/include/openssl/opensslv.h.version-override	2019-01-15 14:09:04.591995174 +0100
-+++ openssl-1.1.1a/include/openssl/opensslv.h	2019-01-15 14:11:31.976256442 +0100
+diff -up openssl-1.1.1b/include/openssl/opensslv.h.version-override openssl-1.1.1b/include/openssl/opensslv.h
+--- openssl-1.1.1b/include/openssl/opensslv.h.version-override	2019-02-28 11:34:56.427361796 +0100
++++ openssl-1.1.1b/include/openssl/opensslv.h	2019-02-28 11:35:40.487542747 +0100
 @@ -40,7 +40,7 @@ extern "C" {
   *  major minor fix final patch/beta)
   */
- # define OPENSSL_VERSION_NUMBER  0x1010101fL
--# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1a  20 Nov 2018"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1a FIPS  20 Nov 2018"
+ # define OPENSSL_VERSION_NUMBER  0x1010102fL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1b  26 Feb 2019"
++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1b FIPS  26 Feb 2019"
  
  /*-
   * The macros below are to be used for shared library (.so, .dll, ...)

openssl.spec

@@ -21,8 +21,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.1a
-Release: 2%{?dist}
+Version: 1.1.1b
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -50,7 +50,7 @@ Patch32: openssl-1.1.1-version-add-engines.patch
 Patch33: openssl-1.1.0-apps-dgst.patch
 Patch36: openssl-1.1.1-no-brainpool.patch
 Patch37: openssl-1.1.1-ec-curves.patch
-Patch38: openssl-1.1.0-no-weak-verify.patch
+Patch38: openssl-1.1.1-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
 Patch41: openssl-1.1.1-system-cipherlist.patch
 Patch42: openssl-1.1.1-fips.patch
@@ -59,6 +59,8 @@ Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.1-weak-ciphers.patch
 Patch46: openssl-1.1.1-seclevel.patch
 Patch48: openssl-1.1.1-fips-post-rand.patch
+Patch49: openssl-1.1.1-evp-kdf.patch
+Patch50: openssl-1.1.1-ssh-kdf.patch
 # Backported fixes including security fixes
 
 License: OpenSSL
@@ -158,6 +160,8 @@ cp %{SOURCE13} test/
 %patch45 -p1 -b .weak-ciphers
 %patch46 -p1 -b .seclevel
 %patch48 -p1 -b .fips-post-rand
+%patch49 -p1 -b .evp-kdf
+%patch50 -p1 -b .ssh-kdf
 
 
 %build
@@ -444,6 +448,11 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Feb 28 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-1
+- update to the 1.1.1b release
+- EVP_KDF API backport from master
+- SSH KDF implementation for EVP_KDF API backport from master
+
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1a-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (openssl-1.1.1a-hobbled.tar.xz) = 17d2703b2169f36b2ecd50d014103f31e22bbd42807b4688a3cd6140911e0aa9a2fa2bb1d4dda4eae000913a1551d85ac9c441a69c053a8ad10b593ec2a588b5
+SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1