		
	Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssl.git#3413ff9700373616a74dcf14fe75868d046e22e2
		
							parent
							
								
									16459847f1
								
							
						
					
					
						commit
						a99ab8f40a
					
				
							
								
								
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -48,3 +48,4 @@ openssl-1.0.0a-usa.tar.bz2 | ||||
| /openssl-1.1.1e-hobbled.tar.xz | ||||
| /openssl-1.1.1f-hobbled.tar.xz | ||||
| /openssl-1.1.1g-hobbled.tar.xz | ||||
| /openssl-1.1.1h-hobbled.tar.xz | ||||
|  | ||||
							
								
								
									
										84
									
								
								ectest.c
									
									
									
									
									
								
							
							
						
						
									
										84
									
								
								ectest.c
									
									
									
									
									
								
							| @ -1,5 +1,5 @@ | ||||
| /*
 | ||||
|  * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. | ||||
|  * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. | ||||
|  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved | ||||
|  * | ||||
|  * Licensed under the OpenSSL license (the "License").  You may not use | ||||
| @ -1425,6 +1425,87 @@ static int ec_point_hex2point_test(int id) | ||||
|     return ret; | ||||
| } | ||||
| 
 | ||||
| /*
 | ||||
|  * check the EC_METHOD respects the supplied EC_GROUP_set_generator G | ||||
|  */ | ||||
| static int custom_generator_test(int id) | ||||
| { | ||||
|     int ret = 0, nid, bsize; | ||||
|     EC_GROUP *group = NULL; | ||||
|     EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; | ||||
|     BN_CTX *ctx = NULL; | ||||
|     BIGNUM *k = NULL; | ||||
|     unsigned char *b1 = NULL, *b2 = NULL; | ||||
| 
 | ||||
|     /* Do some setup */ | ||||
|     nid = curves[id].nid; | ||||
|     TEST_note("Curve %s", OBJ_nid2sn(nid)); | ||||
|     if (!TEST_ptr(ctx = BN_CTX_new())) | ||||
|         return 0; | ||||
| 
 | ||||
|     BN_CTX_start(ctx); | ||||
| 
 | ||||
|     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) | ||||
|         goto err; | ||||
| 
 | ||||
|     /* expected byte length of encoded points */ | ||||
|     bsize = (EC_GROUP_get_degree(group) + 7) / 8; | ||||
|     bsize = 2 * bsize + 1; | ||||
| 
 | ||||
|     if (!TEST_ptr(k = BN_CTX_get(ctx)) | ||||
|         /* fetch a testing scalar k != 0,1 */ | ||||
|         || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, | ||||
|                               BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) | ||||
|         /* make k even */ | ||||
|         || !TEST_true(BN_clear_bit(k, 0)) | ||||
|         || !TEST_ptr(G2 = EC_POINT_new(group)) | ||||
|         || !TEST_ptr(Q1 = EC_POINT_new(group)) | ||||
|         /* Q1 := kG */ | ||||
|         || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) | ||||
|         /* pull out the bytes of that */ | ||||
|         || !TEST_int_eq(EC_POINT_point2oct(group, Q1, | ||||
|                                            POINT_CONVERSION_UNCOMPRESSED, NULL, | ||||
|                                            0, ctx), bsize) | ||||
|         || !TEST_ptr(b1 = OPENSSL_malloc(bsize)) | ||||
|         || !TEST_int_eq(EC_POINT_point2oct(group, Q1, | ||||
|                                            POINT_CONVERSION_UNCOMPRESSED, b1, | ||||
|                                            bsize, ctx), bsize) | ||||
|         /* new generator is G2 := 2G */ | ||||
|         || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group), | ||||
|                                    ctx)) | ||||
|         || !TEST_true(EC_GROUP_set_generator(group, G2, | ||||
|                                              EC_GROUP_get0_order(group), | ||||
|                                              EC_GROUP_get0_cofactor(group))) | ||||
|         || !TEST_ptr(Q2 = EC_POINT_new(group)) | ||||
|         || !TEST_true(BN_rshift1(k, k)) | ||||
|         /* Q2 := k/2 G2 */ | ||||
|         || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx)) | ||||
|         || !TEST_int_eq(EC_POINT_point2oct(group, Q2, | ||||
|                                            POINT_CONVERSION_UNCOMPRESSED, NULL, | ||||
|                                            0, ctx), bsize) | ||||
|         || !TEST_ptr(b2 = OPENSSL_malloc(bsize)) | ||||
|         || !TEST_int_eq(EC_POINT_point2oct(group, Q2, | ||||
|                                            POINT_CONVERSION_UNCOMPRESSED, b2, | ||||
|                                            bsize, ctx), bsize) | ||||
|         /* Q1 = kG = k/2 G2 = Q2 should hold */ | ||||
|         || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0)) | ||||
|         goto err; | ||||
| 
 | ||||
|     ret = 1; | ||||
| 
 | ||||
|  err: | ||||
|     BN_CTX_end(ctx); | ||||
|     EC_POINT_free(Q1); | ||||
|     EC_POINT_free(Q2); | ||||
|     EC_POINT_free(G2); | ||||
|     EC_GROUP_free(group); | ||||
|     BN_CTX_free(ctx); | ||||
|     OPENSSL_free(b1); | ||||
|     OPENSSL_free(b2); | ||||
| 
 | ||||
|     return ret; | ||||
| } | ||||
| 
 | ||||
| #endif /* OPENSSL_NO_EC */ | ||||
| 
 | ||||
| int setup_tests(void) | ||||
| @ -1452,6 +1533,7 @@ int setup_tests(void) | ||||
| 
 | ||||
|     ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); | ||||
|     ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); | ||||
|     ADD_ALL_TESTS(custom_generator_test, crv_len); | ||||
| #endif /* OPENSSL_NO_EC */ | ||||
|     return 1; | ||||
| } | ||||
|  | ||||
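Review bot: The final check in custom_generator_test, `TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0)`, reports only a non-zero result when the two encodings differ. `TEST_mem_eq(b1, bsize, b2, bsize)` would print both buffers in the failure output, which is what someone chasing a generator regression on one curve needs. A constant-time comparison buys nothing here, since both points come from a throwaway test scalar. The `/* make k even */` comment would also be clearer with its reason, e.g. `/* make k even so that k/2 is exact and (k/2)*(2G) == kG */`.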
| @ -1,6 +1,6 @@ | ||||
| diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
 | ||||
| --- openssl-1.1.1c/apps/speed.c.curves	2019-05-28 15:12:21.000000000 +0200
 | ||||
| +++ openssl-1.1.1c/apps/speed.c	2019-05-29 15:36:53.332224470 +0200
 | ||||
| diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
 | ||||
| --- openssl-1.1.1h/apps/speed.c.curves	2020-09-22 14:55:07.000000000 +0200
 | ||||
| +++ openssl-1.1.1h/apps/speed.c	2020-11-06 13:27:15.659288431 +0100
 | ||||
| @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
 | ||||
|  #endif /* OPENSSL_NO_RSA */ | ||||
|   | ||||
| @ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c | ||||
|      {"ecdhx25519", R_EC_X25519}, | ||||
|      {"ecdhx448", R_EC_X448} | ||||
|  }; | ||||
| @@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
 | ||||
| @@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
 | ||||
|          unsigned int bits; | ||||
|      } test_curves[] = { | ||||
|          /* Prime Curves */ | ||||
| @ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c | ||||
|          /* Other and ECDH only ones */ | ||||
|          {"X25519", NID_X25519, 253}, | ||||
|          {"X448", NID_X448, 448} | ||||
| @@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
 | ||||
| @@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
 | ||||
|  #  endif | ||||
|   | ||||
|  #  ifndef OPENSSL_NO_EC | ||||
| @ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c | ||||
|          ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; | ||||
|          ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; | ||||
|          if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) | ||||
| @@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
 | ||||
| @@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
 | ||||
|              } | ||||
|          } | ||||
|      } | ||||
| @ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c | ||||
|      ecdsa_c[R_EC_K163][0] = count / 1000; | ||||
|      ecdsa_c[R_EC_K163][1] = count / 1000 / 2; | ||||
|      for (i = R_EC_K233; i <= R_EC_K571; i++) { | ||||
| @@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
 | ||||
| @@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
 | ||||
|      } | ||||
|  #   endif | ||||
|   | ||||
| @ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c | ||||
|          ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; | ||||
|          if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) | ||||
|              ecdh_doit[i] = 0; | ||||
| @@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
 | ||||
| @@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
 | ||||
|              } | ||||
|          } | ||||
|      } | ||||
| @ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c | ||||
|      ecdh_c[R_EC_K163][0] = count / 1000; | ||||
|      for (i = R_EC_K233; i <= R_EC_K571; i++) { | ||||
|          ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; | ||||
| diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
 | ||||
| --- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves	2019-05-28 15:12:21.000000000 +0200
 | ||||
| +++ openssl-1.1.1c/crypto/ec/ecp_smpl.c	2019-05-29 15:30:09.071349520 +0200
 | ||||
| diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
 | ||||
| --- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves	2020-09-22 14:55:07.000000000 +0200
 | ||||
| +++ openssl-1.1.1h/crypto/ec/ecp_smpl.c	2020-11-06 13:27:15.659288431 +0100
 | ||||
| @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
 | ||||
|          return 0; | ||||
|      } | ||||
| @ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp | ||||
|      if (ctx == NULL) { | ||||
|          ctx = new_ctx = BN_CTX_new(); | ||||
|          if (ctx == NULL) | ||||
| diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
 | ||||
| --- openssl-1.1.1c/test/ecdsatest.h.curves	2019-05-29 15:30:09.010350595 +0200
 | ||||
| +++ openssl-1.1.1c/test/ecdsatest.h	2019-05-29 15:41:24.586444294 +0200
 | ||||
| diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
 | ||||
| --- openssl-1.1.1h/test/ecdsatest.h.curves	2020-11-06 13:27:15.627288114 +0100
 | ||||
| +++ openssl-1.1.1h/test/ecdsatest.h	2020-11-06 13:27:15.660288441 +0100
 | ||||
| @@ -32,23 +32,6 @@ typedef struct {
 | ||||
|  } ecdsa_cavs_kat_t; | ||||
|   | ||||
| @ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h | ||||
|      /* prime KATs from NIST CAVP */ | ||||
|      {NID_secp224r1, NID_sha224, | ||||
|       "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" | ||||
| --- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves	2020-11-06 13:58:36.402895540 +0100
 | ||||
| +++ openssl-1.1.1h/test/recipes/15-test_genec.t	2020-11-06 13:59:38.508484498 +0100
 | ||||
| @@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
 | ||||
|      if disabled("ec"); | ||||
|   | ||||
|  my @prime_curves = qw( | ||||
| -    secp112r1
 | ||||
| -    secp112r2
 | ||||
| -    secp128r1
 | ||||
| -    secp128r2
 | ||||
| -    secp160k1
 | ||||
| -    secp160r1
 | ||||
| -    secp160r2
 | ||||
| -    secp192k1
 | ||||
| -    secp224k1
 | ||||
|      secp224r1 | ||||
|      secp256k1 | ||||
|      secp384r1 | ||||
|      secp521r1 | ||||
| -    prime192v1
 | ||||
| -    prime192v2
 | ||||
| -    prime192v3
 | ||||
| -    prime239v1
 | ||||
| -    prime239v2
 | ||||
| -    prime239v3
 | ||||
|      prime256v1 | ||||
| -    wap-wsg-idm-ecid-wtls6
 | ||||
| -    wap-wsg-idm-ecid-wtls7
 | ||||
| -    wap-wsg-idm-ecid-wtls8
 | ||||
| -    wap-wsg-idm-ecid-wtls9
 | ||||
| -    wap-wsg-idm-ecid-wtls12
 | ||||
| -    brainpoolP160r1
 | ||||
| -    brainpoolP160t1
 | ||||
| -    brainpoolP192r1
 | ||||
| -    brainpoolP192t1
 | ||||
| -    brainpoolP224r1
 | ||||
| -    brainpoolP224t1
 | ||||
| -    brainpoolP256r1
 | ||||
| -    brainpoolP256t1
 | ||||
| -    brainpoolP320r1
 | ||||
| -    brainpoolP320t1
 | ||||
| -    brainpoolP384r1
 | ||||
| -    brainpoolP384t1
 | ||||
| -    brainpoolP512r1
 | ||||
| -    brainpoolP512t1
 | ||||
|  ); | ||||
|   | ||||
|  my @binary_curves = qw( | ||||
| @@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
 | ||||
|      if !disabled("sm2"); | ||||
|   | ||||
|  my @curve_aliases = qw( | ||||
| -    P-192
 | ||||
|      P-224 | ||||
|      P-256 | ||||
|      P-384 | ||||
|  | ||||
| @ -2716,91 +2716,16 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c | ||||
|      return ret; | ||||
|  } | ||||
|  #endif | ||||
| diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
 | ||||
| --- openssl-1.1.1g/ssl/t1_lib.c.fips-dh	2020-07-17 10:36:29.243788425 +0200
 | ||||
| +++ openssl-1.1.1g/ssl/t1_lib.c	2020-07-17 10:36:29.249788474 +0200
 | ||||
| @@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
 | ||||
|  #ifndef OPENSSL_NO_DH | ||||
|  DH *ssl_get_auto_dh(SSL *s) | ||||
|  { | ||||
| +    DH *dhp = NULL;
 | ||||
| +    BIGNUM *p = NULL, *g = NULL;
 | ||||
|      int dh_secbits = 80; | ||||
| -    if (s->cert->dh_tmp_auto == 2)
 | ||||
| -        return DH_get_1024_160();
 | ||||
| -    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
 | ||||
| -        if (s->s3->tmp.new_cipher->strength_bits == 256)
 | ||||
| -            dh_secbits = 128;
 | ||||
| -        else
 | ||||
| -            dh_secbits = 80;
 | ||||
| -    } else {
 | ||||
| -        if (s->s3->tmp.cert == NULL)
 | ||||
| -            return NULL;
 | ||||
| -        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
 | ||||
| +    if (s->cert->dh_tmp_auto != 2) {
 | ||||
| +        if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
 | ||||
| +            if (s->s3->tmp.new_cipher->strength_bits == 256)
 | ||||
| +                dh_secbits = 128;
 | ||||
| +            else
 | ||||
| +                dh_secbits = 80;
 | ||||
| +        } else {
 | ||||
| +            if (s->s3->tmp.cert == NULL)
 | ||||
| +                return NULL;
 | ||||
| +            dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
 | ||||
| +        }
 | ||||
|      } | ||||
|   | ||||
| -    if (dh_secbits >= 128) {
 | ||||
| -        DH *dhp = DH_new();
 | ||||
| -        BIGNUM *p, *g;
 | ||||
| -        if (dhp == NULL)
 | ||||
| -            return NULL;
 | ||||
| -        g = BN_new();
 | ||||
| -        if (g == NULL || !BN_set_word(g, 2)) {
 | ||||
| -            DH_free(dhp);
 | ||||
| -            BN_free(g);
 | ||||
| -            return NULL;
 | ||||
| -        }
 | ||||
| -        if (dh_secbits >= 192)
 | ||||
| -            p = BN_get_rfc3526_prime_8192(NULL);
 | ||||
| -        else
 | ||||
| -            p = BN_get_rfc3526_prime_3072(NULL);
 | ||||
| -        if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
 | ||||
| -            DH_free(dhp);
 | ||||
| -            BN_free(p);
 | ||||
| -            BN_free(g);
 | ||||
| -            return NULL;
 | ||||
| -        }
 | ||||
| -        return dhp;
 | ||||
| +    dhp = DH_new();
 | ||||
| +    if (dhp == NULL)
 | ||||
| +        return NULL;
 | ||||
| +    g = BN_new();
 | ||||
| +    if (g == NULL || !BN_set_word(g, 2)) {
 | ||||
| +        DH_free(dhp);
 | ||||
| +        BN_free(g);
 | ||||
| +        return NULL;
 | ||||
| +    }
 | ||||
| +    if (dh_secbits >= 192)
 | ||||
| +        p = BN_get_rfc3526_prime_8192(NULL);
 | ||||
| +    else if (dh_secbits >= 152)
 | ||||
| +        p = BN_get_rfc3526_prime_4096(NULL);
 | ||||
| +    else if (dh_secbits >= 128)
 | ||||
| +        p = BN_get_rfc3526_prime_3072(NULL);
 | ||||
| diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c
 | ||||
| --- openssl-1.1.1h/ssl/t1_lib.c.fips-dh	2020-11-04 14:04:41.851711629 +0100
 | ||||
| +++ openssl-1.1.1h/ssl/t1_lib.c	2020-11-04 14:06:06.506431652 +0100
 | ||||
| @@ -2470,7 +2470,7 @@
 | ||||
|          p = BN_get_rfc3526_prime_4096(NULL); | ||||
|      else if (dh_secbits >= 128) | ||||
|          p = BN_get_rfc3526_prime_3072(NULL); | ||||
| -    else if (dh_secbits >= 112)
 | ||||
| +    else if (dh_secbits >= 112 || FIPS_mode())
 | ||||
| +        p = BN_get_rfc3526_prime_2048(NULL);
 | ||||
| +    else
 | ||||
| +        p = BN_get_rfc2409_prime_1024(NULL);
 | ||||
| +    if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
 | ||||
| +        DH_free(dhp);
 | ||||
| +        BN_free(p);
 | ||||
| +        BN_free(g);
 | ||||
| +        return NULL;
 | ||||
|      } | ||||
| -    if (dh_secbits >= 112)
 | ||||
| -        return DH_get_2048_224();
 | ||||
| -    return DH_get_1024_160();
 | ||||
| +    return dhp;
 | ||||
|  } | ||||
|  #endif | ||||
|   | ||||
|          p = BN_get_rfc3526_prime_2048(NULL); | ||||
|      else | ||||
|          p = BN_get_rfc2409_prime_1024(NULL); | ||||
|  | ||||
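Review bot: The added condition `else if (dh_secbits >= 112 || FIPS_mode())` has no comment saying why FIPS mode is folded into the 112-bit branch. The refreshed hunk header `@@ -2470,7 +2470,7 @@` no longer names the function either, so a reader has to infer that this is the automatic DH parameter selection. A one-line comment above the condition, such as `/* FIPS mode: never fall through to the 1024-bit RFC 2409 group */`, would record the intent. The `else` branch that picks `BN_get_rfc2409_prime_1024(NULL)` is still reachable outside FIPS mode when dh_secbits is below 112; this looks like upstream behaviour rather than something the patch introduces, but the patch description should say so. The enclosing function starts and ends outside the new hunk.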
| @ -11614,10 +11614,10 @@ diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1 | ||||
| diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num
 | ||||
| --- openssl-1.1.1e/util/libcrypto.num.fips	2020-03-17 17:31:10.744241038 +0100
 | ||||
| +++ openssl-1.1.1e/util/libcrypto.num	2020-03-17 17:32:37.851722261 +0100
 | ||||
| @@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify
 | ||||
|  EVP_PKEY_meth_get_digestverify          4541	1_1_1e	EXIST::FUNCTION: | ||||
|  EVP_PKEY_meth_get_digestsign            4542	1_1_1e	EXIST::FUNCTION: | ||||
|  RSA_get0_pss_params                     4543	1_1_1e	EXIST::FUNCTION:RSA | ||||
| @@ -4590,3 +4590,38 @@ X509_ALGOR_copy
 | ||||
|  X509_REQ_set0_signature                 4545	1_1_1h	EXIST::FUNCTION: | ||||
|  X509_REQ_set1_signature_algo            4546	1_1_1h	EXIST::FUNCTION: | ||||
|  EC_KEY_decoded_from_explicit_params     4547	1_1_1h	EXIST::FUNCTION:EC | ||||
| +FIPS_drbg_reseed                        6348	1_1_0g	EXIST::FUNCTION:
 | ||||
| +FIPS_selftest_check                     6349	1_1_0g	EXIST::FUNCTION:
 | ||||
| +FIPS_rand_set_method                    6350	1_1_0g	EXIST::FUNCTION:
 | ||||
|  | ||||
| @ -1,14 +0,0 @@ | ||||
| Do not return failure when setting version bound on fixed protocol | ||||
| version method. | ||||
| diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
 | ||||
| --- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound	2018-06-20 16:48:13.000000000 +0200
 | ||||
| +++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c	2018-08-13 11:07:52.826304045 +0200
 | ||||
| @@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
 | ||||
|           * methods are not subject to controls that disable individual protocol | ||||
|           * versions. | ||||
|           */ | ||||
| -        return 0;
 | ||||
| +        return 1;
 | ||||
|   | ||||
|      case TLS_ANY_VERSION: | ||||
|          if (version < SSL3_VERSION || version > TLS_MAX_VERSION) | ||||
| @ -1,44 +0,0 @@ | ||||
| diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
 | ||||
| --- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200
 | ||||
| +++ openssl-1.1.1g/include/openssl/ssl3.h	2020-06-05 15:20:22.090682776 +0200
 | ||||
| @@ -292,6 +292,9 @@ extern "C" {
 | ||||
|   | ||||
|  # define TLS1_FLAGS_STATELESS                    0x0800 | ||||
|   | ||||
| +/* Set if extended master secret extension required on renegotiation */
 | ||||
| +# define TLS1_FLAGS_REQUIRED_EXTMS               0x1000
 | ||||
| +
 | ||||
|  # define SSL3_MT_HELLO_REQUEST                   0 | ||||
|  # define SSL3_MT_CLIENT_HELLO                    1 | ||||
|  # define SSL3_MT_SERVER_HELLO                    2 | ||||
| diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
 | ||||
| --- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200
 | ||||
| +++ openssl-1.1.1g/ssl/statem/extensions.c	2020-06-05 15:22:19.677653437 +0200
 | ||||
| @@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
 | ||||
|   | ||||
|  static int init_ems(SSL *s, unsigned int context) | ||||
|  { | ||||
| -    if (!s->server)
 | ||||
| +    if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
 | ||||
|          s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; | ||||
| +        s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
 | ||||
| +    }
 | ||||
|   | ||||
|      return 1; | ||||
|  } | ||||
|   | ||||
|  static int final_ems(SSL *s, unsigned int context, int sent) | ||||
|  { | ||||
| +    /*
 | ||||
| +     * Check extended master secret extension is not dropped on
 | ||||
| +     * renegotiation.
 | ||||
| +     */
 | ||||
| +    if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
 | ||||
| +        && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
 | ||||
| +        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
 | ||||
| +                 SSL_R_INCONSISTENT_EXTMS);
 | ||||
| +        return 0;
 | ||||
| +    }
 | ||||
|      if (!s->server && s->hit) { | ||||
|          /* | ||||
|           * Check extended master secret extension is consistent with | ||||
| @ -1,8 +1,17 @@ | ||||
| diff --git a/apps/ts.c b/apps/ts.c
 | ||||
| index 63c5210183..4ef8a72eef 100644
 | ||||
| --- a/apps/ts.c
 | ||||
| +++ b/apps/ts.c
 | ||||
| @@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
 | ||||
| diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
 | ||||
| --- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default	2020-11-06 11:07:28.850100899 +0100
 | ||||
| +++ openssl-1.1.1h/apps/openssl.cnf	2020-11-06 11:11:28.042913791 +0100
 | ||||
| @@ -364,5 +348,5 @@ tsa_name		= yes	# Must the TSA name be i
 | ||||
|  				# (optional, default: no) | ||||
|  ess_cert_id_chain	= no	# Must the ESS cert id chain be included? | ||||
|  				# (optional, default: no) | ||||
| -ess_cert_id_alg		= sha1	# algorithm to compute certificate
 | ||||
| +ess_cert_id_alg		= sha256	# algorithm to compute certificate
 | ||||
|  				# identifier (optional, default: sha1) | ||||
| diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
 | ||||
| --- openssl-1.1.1h/apps/ts.c.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
 | ||||
| +++ openssl-1.1.1h/apps/ts.c	2020-11-06 11:07:28.883101220 +0100
 | ||||
| @@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
 | ||||
|      ASN1_OBJECT *policy_obj = NULL; | ||||
|      ASN1_INTEGER *nonce_asn1 = NULL; | ||||
|   | ||||
| @ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644 | ||||
|          goto err; | ||||
|      if ((ts_req = TS_REQ_new()) == NULL) | ||||
|          goto err; | ||||
| diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
 | ||||
| index 078905a845..83b8fe4350 100644
 | ||||
| --- a/doc/man1/ts.pod
 | ||||
| +++ b/doc/man1/ts.pod
 | ||||
| @@ -517,7 +517,7 @@ included. Default is no. (Optional)
 | ||||
| diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
 | ||||
| --- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default	2020-11-06 12:03:51.226372867 +0100
 | ||||
| +++ openssl-1.1.1h/crypto/ts/ts_conf.c	2020-11-06 12:04:01.713488990 +0100
 | ||||
| @@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
 | ||||
|      const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG); | ||||
|   | ||||
|      if (md == NULL) | ||||
| -        md = "sha1";
 | ||||
| +        md = "sha256";
 | ||||
|   | ||||
|      cert_md = EVP_get_digestbyname(md); | ||||
|      if (cert_md == NULL) { | ||||
| diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
 | ||||
| --- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
 | ||||
| +++ openssl-1.1.1h/doc/man1/ts.pod	2020-11-06 11:07:28.883101220 +0100
 | ||||
| @@ -518,7 +518,7 @@ included. Default is no. (Optional)
 | ||||
|  =item B<ess_cert_id_alg> | ||||
|   | ||||
|  This option specifies the hash function to be used to calculate the TSA's | ||||
| @ -24,21 +44,21 @@ index 078905a845..83b8fe4350 100644 | ||||
|   | ||||
|  =back | ||||
|   | ||||
| @@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
 | ||||
| @@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
 | ||||
|   | ||||
|  =head2 Time Stamp Request | ||||
|   | ||||
| -To create a time stamp request for design1.txt with SHA-1
 | ||||
| +To create a time stamp request for design1.txt with SHA-256
 | ||||
| -To create a timestamp request for design1.txt with SHA-1
 | ||||
| +To create a timestamp request for design1.txt with SHA-256
 | ||||
|  without nonce and policy and no certificate is required in the response: | ||||
|   | ||||
|    openssl ts -query -data design1.txt -no_nonce \ | ||||
| @@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
 | ||||
| @@ -546,12 +546,12 @@ To print the content of the previous req
 | ||||
|   | ||||
|    openssl ts -query -in design1.tsq -text | ||||
|   | ||||
| -To create a time stamp request which includes the MD-5 digest
 | ||||
| +To create a time stamp request which includes the SHA-512 digest
 | ||||
| -To create a timestamp request which includes the MD-5 digest
 | ||||
| +To create a timestamp request which includes the SHA-512 digest
 | ||||
|  of design2.txt, requests the signer certificate and nonce, | ||||
|  specifies a policy id (assuming the tsa_policy1 name is defined in the | ||||
|  OID section of the config file): | ||||
|  | ||||
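Review bot: The openssl.cnf hunk sets `ess_cert_id_alg` to `sha256` but keeps the continuation comment `# identifier (optional, default: sha1)` as unchanged context. The ts_conf.c hunk in the same patch changes the built-in fallback to `md = "sha256";`, so the sample config now documents a default the patched library no longer has. The comment line should change in the same hunk to `# identifier (optional, default: sha256)`. The changed lines of the ts.pod hunk at `@@ -518,7 +518,7 @@` are not shown on this page, so it cannot be confirmed here whether the man page's stated default was updated too.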
| @ -4,9 +4,9 @@ diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1. | ||||
| @@ -40,7 +40,7 @@ extern "C" {
 | ||||
|   *  major minor fix final patch/beta) | ||||
|   */ | ||||
|  # define OPENSSL_VERSION_NUMBER  0x1010107fL | ||||
| -# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1g  21 Apr 2020"
 | ||||
| +# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1g FIPS  21 Apr 2020"
 | ||||
|  # define OPENSSL_VERSION_NUMBER  0x1010108fL | ||||
| -# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h  22 Sep 2020"
 | ||||
| +# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h FIPS 22 Sep 2020"
 | ||||
|   | ||||
|  /*- | ||||
|   * The macros below are to be used for shared library (.so, .dll, ...) | ||||
|  | ||||
							
								
								
									
										13
									
								
								openssl.spec
									
									
									
									
									
								
							
							
						
						
									
										13
									
								
								openssl.spec
									
									
									
									
									
								
							| @ -21,8 +21,8 @@ | ||||
| 
 | ||||
| Summary: Utilities from the general purpose cryptography library with TLS implementation | ||||
| Name: openssl | ||||
| Version: 1.1.1g | ||||
| Release: 15%{?dist} | ||||
| Version: 1.1.1h | ||||
| Release: 1%{?dist} | ||||
| Epoch: 1 | ||||
| # We have to remove certain patented algorithms from the openssl source | ||||
| # tarball with the hobble-openssl script which is included below. | ||||
| @ -54,7 +54,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch | ||||
| Patch40: openssl-1.1.1-disable-ssl3.patch | ||||
| Patch41: openssl-1.1.1-system-cipherlist.patch | ||||
| Patch42: openssl-1.1.1-fips.patch | ||||
| Patch43: openssl-1.1.1-ignore-bound.patch | ||||
| Patch44: openssl-1.1.1-version-override.patch | ||||
| Patch45: openssl-1.1.1-weak-ciphers.patch | ||||
| Patch46: openssl-1.1.1-seclevel.patch | ||||
| @ -69,7 +68,6 @@ Patch62: openssl-1.1.1-fips-curves.patch | ||||
| Patch65: openssl-1.1.1-fips-drbg-selftest.patch | ||||
| Patch66: openssl-1.1.1-fips-dh.patch | ||||
| Patch67: openssl-1.1.1-kdf-selftest.patch | ||||
| Patch68: openssl-1.1.1-reneg-no-extms.patch | ||||
| Patch69: openssl-1.1.1-alpn-cb.patch | ||||
| Patch70: openssl-1.1.1-rewire-fips-drbg.patch | ||||
| # Backported fixes including security fixes | ||||
| @ -167,7 +165,6 @@ cp %{SOURCE13} test/ | ||||
| %patch40 -p1 -b .disable-ssl3 | ||||
| %patch41 -p1 -b .system-cipherlist | ||||
| %patch42 -p1 -b .fips | ||||
| %patch43 -p1 -b .ignore-bound | ||||
| %patch44 -p1 -b .version-override | ||||
| %patch45 -p1 -b .weak-ciphers | ||||
| %patch46 -p1 -b .seclevel | ||||
| @ -186,7 +183,6 @@ cp %{SOURCE13} test/ | ||||
| %patch65 -p1 -b .drbg-selftest | ||||
| %patch66 -p1 -b .fips-dh | ||||
| %patch67 -p1 -b .kdf-selftest | ||||
| %patch68 -p1 -b .reneg-no-extms | ||||
| %patch69 -p1 -b .alpn-cb | ||||
| %patch70 -p1 -b .rewire-fips-drbg | ||||
| 
 | ||||
| @ -428,6 +424,7 @@ export LD_LIBRARY_PATH | ||||
| %{_pkgdocdir}/Makefile.certificate | ||||
| %exclude %{_mandir}/man1*/*.pl* | ||||
| %exclude %{_mandir}/man1*/c_rehash* | ||||
| %exclude %{_mandir}/man1*/openssl-c_rehash* | ||||
| %exclude %{_mandir}/man1*/tsget* | ||||
| %exclude %{_mandir}/man1*/openssl-tsget* | ||||
| 
 | ||||
| @ -464,6 +461,7 @@ export LD_LIBRARY_PATH | ||||
| %{_bindir}/tsget | ||||
| %{_mandir}/man1*/*.pl* | ||||
| %{_mandir}/man1*/c_rehash* | ||||
| %{_mandir}/man1*/openssl-c_rehash* | ||||
| %{_mandir}/man1*/tsget* | ||||
| %{_mandir}/man1*/openssl-tsget* | ||||
| %dir %{_sysconfdir}/pki/CA | ||||
| @ -475,6 +473,9 @@ export LD_LIBRARY_PATH | ||||
| %ldconfig_scriptlets libs | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1 | ||||
| - Upgrade to version 1.1.1.h | ||||
| 
 | ||||
| * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15 | ||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild | ||||
| 
 | ||||
|  | ||||
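Review bot: The new %changelog entry says only `- Upgrade to version 1.1.1.h`, while this section also drops `Patch43: openssl-1.1.1-ignore-bound.patch` and `Patch68: openssl-1.1.1-reneg-no-extms.patch`. Both patches change libssl behaviour (the version-bound return value and the extended-master-secret check on renegotiation), so the entry should record why they were removed. Presumably the changes are carried upstream in 1.1.1h, which should be confirmed; an entry such as `- Drop ignore-bound and reneg-no-extms patches, merged upstream` would cover it. The version is also written `1.1.1.h` with a stray dot, and the `1.1.1h-1` tag omits the `1:` epoch that the previous entry (`1:1.1.1g-15`) carries.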
							
								
								
									
										2
									
								
								sources
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								sources
									
									
									
									
									
								
							| @ -1 +1 @@ | ||||
| SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971 | ||||
| SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908 | ||||
|  | ||||