From a99ab8f40a6b24fcc63bd4f1b63a0fbd4375747a Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Mon, 9 Nov 2020 15:40:36 +0000 Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssl.git#3413ff9700373616a74dcf14fe75868d046e22e2 --- .gitignore | 1 + ectest.c | 84 ++++++++++++++++++++++- openssl-1.1.1-ec-curves.patch | 84 +++++++++++++++++++---- openssl-1.1.1-fips-dh.patch | 97 +++------------------------ openssl-1.1.1-fips.patch | 8 +-- openssl-1.1.1-ignore-bound.patch | 14 ---- openssl-1.1.1-reneg-no-extms.patch | 44 ------------ openssl-1.1.1-ts-sha256-default.patch | 52 +++++++++----- openssl-1.1.1-version-override.patch | 6 +- openssl.spec | 13 ++-- sources | 2 +- 11 files changed, 216 insertions(+), 189 deletions(-) delete mode 100644 openssl-1.1.1-ignore-bound.patch delete mode 100644 openssl-1.1.1-reneg-no-extms.patch diff --git a/.gitignore b/.gitignore index c6aba1d..3305a0f 100644 --- a/.gitignore +++ b/.gitignore @@ -48,3 +48,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.1.1e-hobbled.tar.xz /openssl-1.1.1f-hobbled.tar.xz /openssl-1.1.1g-hobbled.tar.xz +/openssl-1.1.1h-hobbled.tar.xz diff --git a/ectest.c b/ectest.c index c16642e..e4fd45b 100644 --- a/ectest.c +++ b/ectest.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -1425,6 +1425,87 @@ static int ec_point_hex2point_test(int id) return ret; } +/* + * check the EC_METHOD respects the supplied EC_GROUP_set_generator G + */ +static int custom_generator_test(int id) +{ + int ret = 0, nid, bsize; + EC_GROUP *group = NULL; + EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + unsigned char *b1 = NULL, *b2 = NULL; + + /* Do some setup */ + nid = curves[id].nid; + TEST_note("Curve %s", OBJ_nid2sn(nid)); + if (!TEST_ptr(ctx = BN_CTX_new())) + return 0; + + BN_CTX_start(ctx); + + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) + goto err; + + /* expected byte length of encoded points */ + bsize = (EC_GROUP_get_degree(group) + 7) / 8; + bsize = 2 * bsize + 1; + + if (!TEST_ptr(k = BN_CTX_get(ctx)) + /* fetch a testing scalar k != 0,1 */ + || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, + BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + /* make k even */ + || !TEST_true(BN_clear_bit(k, 0)) + || !TEST_ptr(G2 = EC_POINT_new(group)) + || !TEST_ptr(Q1 = EC_POINT_new(group)) + /* Q1 := kG */ + || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) + /* pull out the bytes of that */ + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, NULL, + 0, ctx), bsize) + || !TEST_ptr(b1 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, b1, + bsize, ctx), bsize) + /* new generator is G2 := 2G */ + || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group), + ctx)) + || !TEST_true(EC_GROUP_set_generator(group, G2, + EC_GROUP_get0_order(group), + EC_GROUP_get0_cofactor(group))) + || !TEST_ptr(Q2 = EC_POINT_new(group)) + || !TEST_true(BN_rshift1(k, k)) + /* Q2 := k/2 G2 */ + || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q2, + POINT_CONVERSION_UNCOMPRESSED, NULL, + 0, ctx), bsize) + || !TEST_ptr(b2 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q2, + POINT_CONVERSION_UNCOMPRESSED, b2, + bsize, ctx), bsize) + /* Q1 = kG = k/2 G2 = Q2 should hold */ + || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0)) + goto err; + + ret = 1; + + err: + BN_CTX_end(ctx); + EC_POINT_free(Q1); + EC_POINT_free(Q2); + EC_POINT_free(G2); + EC_GROUP_free(group); + BN_CTX_free(ctx); + OPENSSL_free(b1); + OPENSSL_free(b2); + + return ret; +} + #endif /* OPENSSL_NO_EC */ int setup_tests(void) @@ -1452,6 +1533,7 @@ int setup_tests(void) ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); + ADD_ALL_TESTS(custom_generator_test, crv_len); #endif /* OPENSSL_NO_EC */ return 1; } diff --git a/openssl-1.1.1-ec-curves.patch b/openssl-1.1.1-ec-curves.patch index a83a331..27f23ca 100644 --- a/openssl-1.1.1-ec-curves.patch +++ b/openssl-1.1.1-ec-curves.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ---- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200 +diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c +--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200 ++++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100 @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2]; #endif /* OPENSSL_NO_RSA */ @@ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c {"ecdhx25519", R_EC_X25519}, {"ecdhx448", R_EC_X448} }; -@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv) +@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv) unsigned int bits; } test_curves[] = { /* Prime Curves */ @@ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c /* Other and ECDH only ones */ {"X25519", NID_X25519, 253}, {"X448", NID_X448, 448} -@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv) +@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv) # endif # ifndef OPENSSL_NO_EC @@ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) -@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv) +@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv) } } } @@ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ecdsa_c[R_EC_K163][0] = count / 1000; ecdsa_c[R_EC_K163][1] = count / 1000 / 2; for (i = R_EC_K233; i <= R_EC_K571; i++) { -@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv) +@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv) } # endif @@ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) ecdh_doit[i] = 0; -@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv) +@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv) } } } @@ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ecdh_c[R_EC_K163][0] = count / 1000; for (i = R_EC_K233; i <= R_EC_K571; i++) { ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; -diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c ---- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200 +diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c +--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200 ++++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100 @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO return 0; } @@ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) -diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h ---- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200 -+++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200 +diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h +--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100 ++++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100 @@ -32,23 +32,6 @@ typedef struct { } ecdsa_cavs_kat_t; @@ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h /* prime KATs from NIST CAVP */ {NID_secp224r1, NID_sha224, "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" +--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100 ++++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100 +@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport + if disabled("ec"); + + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 +- brainpoolP256r1 +- brainpoolP256t1 +- brainpoolP320r1 +- brainpoolP320t1 +- brainpoolP384r1 +- brainpoolP384t1 +- brainpoolP512r1 +- brainpoolP512t1 + ); + + my @binary_curves = qw( +@@ -115,7 +81,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); + + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 diff --git a/openssl-1.1.1-fips-dh.patch b/openssl-1.1.1-fips-dh.patch index d98372e..ff895d5 100644 --- a/openssl-1.1.1-fips-dh.patch +++ b/openssl-1.1.1-fips-dh.patch @@ -2716,91 +2716,16 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c return ret; } #endif -diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c ---- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-07-17 10:36:29.243788425 +0200 -+++ openssl-1.1.1g/ssl/t1_lib.c 2020-07-17 10:36:29.249788474 +0200 -@@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP - #ifndef OPENSSL_NO_DH - DH *ssl_get_auto_dh(SSL *s) - { -+ DH *dhp = NULL; -+ BIGNUM *p = NULL, *g = NULL; - int dh_secbits = 80; -- if (s->cert->dh_tmp_auto == 2) -- return DH_get_1024_160(); -- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { -- if (s->s3->tmp.new_cipher->strength_bits == 256) -- dh_secbits = 128; -- else -- dh_secbits = 80; -- } else { -- if (s->s3->tmp.cert == NULL) -- return NULL; -- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey); -+ if (s->cert->dh_tmp_auto != 2) { -+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { -+ if (s->s3->tmp.new_cipher->strength_bits == 256) -+ dh_secbits = 128; -+ else -+ dh_secbits = 80; -+ } else { -+ if (s->s3->tmp.cert == NULL) -+ return NULL; -+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey); -+ } - } -- if (dh_secbits >= 128) { -- DH *dhp = DH_new(); -- BIGNUM *p, *g; -- if (dhp == NULL) -- return NULL; -- g = BN_new(); -- if (g == NULL || !BN_set_word(g, 2)) { -- DH_free(dhp); -- BN_free(g); -- return NULL; -- } -- if (dh_secbits >= 192) -- p = BN_get_rfc3526_prime_8192(NULL); -- else -- p = BN_get_rfc3526_prime_3072(NULL); -- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { -- DH_free(dhp); -- BN_free(p); -- BN_free(g); -- return NULL; -- } -- return dhp; -+ dhp = DH_new(); -+ if (dhp == NULL) -+ return NULL; -+ g = BN_new(); -+ if (g == NULL || !BN_set_word(g, 2)) { -+ DH_free(dhp); -+ BN_free(g); -+ return NULL; -+ } -+ if (dh_secbits >= 192) -+ p = BN_get_rfc3526_prime_8192(NULL); -+ else if (dh_secbits >= 152) -+ p = BN_get_rfc3526_prime_4096(NULL); -+ else if (dh_secbits >= 128) -+ p = BN_get_rfc3526_prime_3072(NULL); +diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c +--- openssl-1.1.1h/ssl/t1_lib.c.fips-dh 2020-11-04 14:04:41.851711629 +0100 ++++ openssl-1.1.1h/ssl/t1_lib.c 2020-11-04 14:06:06.506431652 +0100 +@@ -2470,7 +2470,7 @@ + p = BN_get_rfc3526_prime_4096(NULL); + else if (dh_secbits >= 128) + p = BN_get_rfc3526_prime_3072(NULL); +- else if (dh_secbits >= 112) + else if (dh_secbits >= 112 || FIPS_mode()) -+ p = BN_get_rfc3526_prime_2048(NULL); -+ else -+ p = BN_get_rfc2409_prime_1024(NULL); -+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { -+ DH_free(dhp); -+ BN_free(p); -+ BN_free(g); -+ return NULL; - } -- if (dh_secbits >= 112) -- return DH_get_2048_224(); -- return DH_get_1024_160(); -+ return dhp; - } - #endif - + p = BN_get_rfc3526_prime_2048(NULL); + else + p = BN_get_rfc2409_prime_1024(NULL); diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index ad295a4..c9137ca 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -11614,10 +11614,10 @@ diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1 diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num --- openssl-1.1.1e/util/libcrypto.num.fips 2020-03-17 17:31:10.744241038 +0100 +++ openssl-1.1.1e/util/libcrypto.num 2020-03-17 17:32:37.851722261 +0100 -@@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify - EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION: - EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION: - RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA +@@ -4590,3 +4590,38 @@ X509_ALGOR_copy + X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION: + X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION: + EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC +FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: +FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: +FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: diff --git a/openssl-1.1.1-ignore-bound.patch b/openssl-1.1.1-ignore-bound.patch deleted file mode 100644 index 4838f3d..0000000 --- a/openssl-1.1.1-ignore-bound.patch +++ /dev/null @@ -1,14 +0,0 @@ -Do not return failure when setting version bound on fixed protocol -version method. -diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c ---- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200 -+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200 -@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver - * methods are not subject to controls that disable individual protocol - * versions. - */ -- return 0; -+ return 1; - - case TLS_ANY_VERSION: - if (version < SSL3_VERSION || version > TLS_MAX_VERSION) diff --git a/openssl-1.1.1-reneg-no-extms.patch b/openssl-1.1.1-reneg-no-extms.patch deleted file mode 100644 index 76adef7..0000000 --- a/openssl-1.1.1-reneg-no-extms.patch +++ /dev/null @@ -1,44 +0,0 @@ -diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h ---- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200 -@@ -292,6 +292,9 @@ extern "C" { - - # define TLS1_FLAGS_STATELESS 0x0800 - -+/* Set if extended master secret extension required on renegotiation */ -+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000 -+ - # define SSL3_MT_HELLO_REQUEST 0 - # define SSL3_MT_CLIENT_HELLO 1 - # define SSL3_MT_SERVER_HELLO 2 -diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c ---- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200 -@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int - - static int init_ems(SSL *s, unsigned int context) - { -- if (!s->server) -+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { - s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; -+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS; -+ } - - return 1; - } - - static int final_ems(SSL *s, unsigned int context, int sent) - { -+ /* -+ * Check extended master secret extension is not dropped on -+ * renegotiation. -+ */ -+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) -+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) { -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, -+ SSL_R_INCONSISTENT_EXTMS); -+ return 0; -+ } - if (!s->server && s->hit) { - /* - * Check extended master secret extension is consistent with diff --git a/openssl-1.1.1-ts-sha256-default.patch b/openssl-1.1.1-ts-sha256-default.patch index d99dc47..2a1dd6c 100644 --- a/openssl-1.1.1-ts-sha256-default.patch +++ b/openssl-1.1.1-ts-sha256-default.patch @@ -1,8 +1,17 @@ -diff --git a/apps/ts.c b/apps/ts.c -index 63c5210183..4ef8a72eef 100644 ---- a/apps/ts.c -+++ b/apps/ts.c -@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md, +diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf +--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100 ++++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100 +@@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i + # (optional, default: no) + ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) +-ess_cert_id_alg = sha1 # algorithm to compute certificate ++ess_cert_id_alg = sha256 # algorithm to compute certificate + # identifier (optional, default: sha1) +diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c +--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200 ++++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100 +@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi ASN1_OBJECT *policy_obj = NULL; ASN1_INTEGER *nonce_asn1 = NULL; @@ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644 goto err; if ((ts_req = TS_REQ_new()) == NULL) goto err; -diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod -index 078905a845..83b8fe4350 100644 ---- a/doc/man1/ts.pod -+++ b/doc/man1/ts.pod -@@ -517,7 +517,7 @@ included. Default is no. (Optional) +diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c +--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100 ++++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100 +@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF + const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG); + + if (md == NULL) +- md = "sha1"; ++ md = "sha256"; + + cert_md = EVP_get_digestbyname(md); + if (cert_md == NULL) { +diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod +--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200 ++++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100 +@@ -518,7 +518,7 @@ included. Default is no. (Optional) =item B This option specifies the hash function to be used to calculate the TSA's @@ -24,21 +44,21 @@ index 078905a845..83b8fe4350 100644 =back -@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do. +@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do. =head2 Time Stamp Request --To create a time stamp request for design1.txt with SHA-1 -+To create a time stamp request for design1.txt with SHA-256 +-To create a timestamp request for design1.txt with SHA-1 ++To create a timestamp request for design1.txt with SHA-256 without nonce and policy and no certificate is required in the response: openssl ts -query -data design1.txt -no_nonce \ -@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format: +@@ -546,12 +546,12 @@ To print the content of the previous req openssl ts -query -in design1.tsq -text --To create a time stamp request which includes the MD-5 digest -+To create a time stamp request which includes the SHA-512 digest +-To create a timestamp request which includes the MD-5 digest ++To create a timestamp request which includes the SHA-512 digest of design2.txt, requests the signer certificate and nonce, specifies a policy id (assuming the tsa_policy1 name is defined in the OID section of the config file): diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch index a6975fa..ff69bdb 100644 --- a/openssl-1.1.1-version-override.patch +++ b/openssl-1.1.1-version-override.patch @@ -4,9 +4,9 @@ diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1. @@ -40,7 +40,7 @@ extern "C" { * major minor fix final patch/beta) */ - # define OPENSSL_VERSION_NUMBER 0x1010107fL --# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020" + # define OPENSSL_VERSION_NUMBER 0x1010108fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h FIPS 22 Sep 2020" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl.spec b/openssl.spec index 40a7d8a..3f6403c 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,8 +21,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.1.1g -Release: 15%{?dist} +Version: 1.1.1h +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -54,7 +54,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch Patch40: openssl-1.1.1-disable-ssl3.patch Patch41: openssl-1.1.1-system-cipherlist.patch Patch42: openssl-1.1.1-fips.patch -Patch43: openssl-1.1.1-ignore-bound.patch Patch44: openssl-1.1.1-version-override.patch Patch45: openssl-1.1.1-weak-ciphers.patch Patch46: openssl-1.1.1-seclevel.patch @@ -69,7 +68,6 @@ Patch62: openssl-1.1.1-fips-curves.patch Patch65: openssl-1.1.1-fips-drbg-selftest.patch Patch66: openssl-1.1.1-fips-dh.patch Patch67: openssl-1.1.1-kdf-selftest.patch -Patch68: openssl-1.1.1-reneg-no-extms.patch Patch69: openssl-1.1.1-alpn-cb.patch Patch70: openssl-1.1.1-rewire-fips-drbg.patch # Backported fixes including security fixes @@ -167,7 +165,6 @@ cp %{SOURCE13} test/ %patch40 -p1 -b .disable-ssl3 %patch41 -p1 -b .system-cipherlist %patch42 -p1 -b .fips -%patch43 -p1 -b .ignore-bound %patch44 -p1 -b .version-override %patch45 -p1 -b .weak-ciphers %patch46 -p1 -b .seclevel @@ -186,7 +183,6 @@ cp %{SOURCE13} test/ %patch65 -p1 -b .drbg-selftest %patch66 -p1 -b .fips-dh %patch67 -p1 -b .kdf-selftest -%patch68 -p1 -b .reneg-no-extms %patch69 -p1 -b .alpn-cb %patch70 -p1 -b .rewire-fips-drbg @@ -428,6 +424,7 @@ export LD_LIBRARY_PATH %{_pkgdocdir}/Makefile.certificate %exclude %{_mandir}/man1*/*.pl* %exclude %{_mandir}/man1*/c_rehash* +%exclude %{_mandir}/man1*/openssl-c_rehash* %exclude %{_mandir}/man1*/tsget* %exclude %{_mandir}/man1*/openssl-tsget* @@ -464,6 +461,7 @@ export LD_LIBRARY_PATH %{_bindir}/tsget %{_mandir}/man1*/*.pl* %{_mandir}/man1*/c_rehash* +%{_mandir}/man1*/openssl-c_rehash* %{_mandir}/man1*/tsget* %{_mandir}/man1*/openssl-tsget* %dir %{_sysconfdir}/pki/CA @@ -475,6 +473,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Mon Nov 9 2020 Sahana Prasad - 1.1.1h-1 +- Upgrade to version 1.1.1.h + * Tue Jul 28 2020 Fedora Release Engineering - 1:1.1.1g-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/sources b/sources index 50e115e..2bae151 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971 +SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908