jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

Merged update from upstream sources

Browse Source 
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/openssl.git#3413ff9700373616a74dcf14fe75868d046e22e2
This commit is contained in:
DistroBaker 2020-11-09 15:40:36 +00:00
parent 16459847f1
commit a99ab8f40a
11 changed files with 216 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -48,3 +48,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1e-hobbled.tar.xz /openssl-1.1.1e-hobbled.tar.xz
/openssl-1.1.1f-hobbled.tar.xz /openssl-1.1.1f-hobbled.tar.xz
/openssl-1.1.1g-hobbled.tar.xz /openssl-1.1.1g-hobbled.tar.xz
/openssl-1.1.1h-hobbled.tar.xz

84
ectest.c
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
@ -1425,6 +1425,87 @@ static int ec_point_hex2point_test(int id)
return ret; return ret;
} }
/*
* check the EC_METHOD respects the supplied EC_GROUP_set_generator G
*/
static int custom_generator_test(int id)
{
int ret = 0, nid, bsize;
EC_GROUP *group = NULL;
EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
BN_CTX *ctx = NULL;
BIGNUM *k = NULL;
unsigned char *b1 = NULL, *b2 = NULL;
/* Do some setup */
nid = curves[id].nid;
TEST_note("Curve %s", OBJ_nid2sn(nid));
if (!TEST_ptr(ctx = BN_CTX_new()))
return 0;
BN_CTX_start(ctx);
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
goto err;
/* expected byte length of encoded points */
bsize = (EC_GROUP_get_degree(group) + 7) / 8;
bsize = 2 * bsize + 1;
if (!TEST_ptr(k = BN_CTX_get(ctx))
/* fetch a testing scalar k != 0,1 */
|| !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
/* make k even */
|| !TEST_true(BN_clear_bit(k, 0))
|| !TEST_ptr(G2 = EC_POINT_new(group))
|| !TEST_ptr(Q1 = EC_POINT_new(group))
/* Q1 := kG */
|| !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
/* pull out the bytes of that */
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
POINT_CONVERSION_UNCOMPRESSED, NULL,
0, ctx), bsize)
|| !TEST_ptr(b1 = OPENSSL_malloc(bsize))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
POINT_CONVERSION_UNCOMPRESSED, b1,
bsize, ctx), bsize)
/* new generator is G2 := 2G */
|| !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
ctx))
|| !TEST_true(EC_GROUP_set_generator(group, G2,
EC_GROUP_get0_order(group),
EC_GROUP_get0_cofactor(group)))
|| !TEST_ptr(Q2 = EC_POINT_new(group))
|| !TEST_true(BN_rshift1(k, k))
/* Q2 := k/2 G2 */
|| !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
POINT_CONVERSION_UNCOMPRESSED, NULL,
0, ctx), bsize)
|| !TEST_ptr(b2 = OPENSSL_malloc(bsize))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
POINT_CONVERSION_UNCOMPRESSED, b2,
bsize, ctx), bsize)
/* Q1 = kG = k/2 G2 = Q2 should hold */
|| !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
EC_POINT_free(Q1);
EC_POINT_free(Q2);
EC_POINT_free(G2);
EC_GROUP_free(group);
BN_CTX_free(ctx);
OPENSSL_free(b1);
OPENSSL_free(b2);
return ret;
}
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
int setup_tests(void) int setup_tests(void)
@ -1452,6 +1533,7 @@ int setup_tests(void)
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
ADD_ALL_TESTS(custom_generator_test, crv_len);
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
return 1; return 1;
} }

84
openssl-1.1.1-ec-curves.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
--- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200 --- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200 +++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2]; @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
#endif /* OPENSSL_NO_RSA */ #endif /* OPENSSL_NO_RSA */
@ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
{"ecdhx25519", R_EC_X25519}, {"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448} {"ecdhx448", R_EC_X448}
}; };
@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv) @@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
unsigned int bits; unsigned int bits;
} test_curves[] = { } test_curves[] = {
/* Prime Curves */ /* Prime Curves */
@ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
/* Other and ECDH only ones */ /* Other and ECDH only ones */
{"X25519", NID_X25519, 253}, {"X25519", NID_X25519, 253},
{"X448", NID_X448, 448} {"X448", NID_X448, 448}
@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv) @@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
# endif # endif
# ifndef OPENSSL_NO_EC # ifndef OPENSSL_NO_EC
@ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv) @@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
} }
} }
} }
@ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdsa_c[R_EC_K163][0] = count / 1000; ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2; ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) { for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv) @@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
} }
# endif # endif
@ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0; ecdh_doit[i] = 0;
@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv) @@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
} }
} }
} }
@ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
ecdh_c[R_EC_K163][0] = count / 1000; ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) { for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
--- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200 --- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200 +++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0; return 0;
} }
@ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp
if (ctx == NULL) { if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new(); ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
--- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200 --- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100
+++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200 +++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100
@@ -32,23 +32,6 @@ typedef struct { @@ -32,23 +32,6 @@ typedef struct {
} ecdsa_cavs_kat_t; } ecdsa_cavs_kat_t;
@ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
/* prime KATs from NIST CAVP */ /* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224, {NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
if disabled("ec");
my @prime_curves = qw(
- secp112r1
- secp112r2
- secp128r1
- secp128r2
- secp160k1
- secp160r1
- secp160r2
- secp192k1
- secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
- prime192v1
- prime192v2
- prime192v3
- prime239v1
- prime239v2
- prime239v3
prime256v1
- wap-wsg-idm-ecid-wtls6
- wap-wsg-idm-ecid-wtls7
- wap-wsg-idm-ecid-wtls8
- wap-wsg-idm-ecid-wtls9
- wap-wsg-idm-ecid-wtls12
- brainpoolP160r1
- brainpoolP160t1
- brainpoolP192r1
- brainpoolP192t1
- brainpoolP224r1
- brainpoolP224t1
- brainpoolP256r1
- brainpoolP256t1
- brainpoolP320r1
- brainpoolP320t1
- brainpoolP384r1
- brainpoolP384t1
- brainpoolP512r1
- brainpoolP512t1
);
my @binary_curves = qw(
@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
if !disabled("sm2");
my @curve_aliases = qw(
- P-192
P-224
P-256
P-384

97
openssl-1.1.1-fips-dh.patch
View File

@ -2716,91 +2716,16 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
return ret; return ret;
} }
#endif #endif
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-07-17 10:36:29.243788425 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-07-17 10:36:29.249788474 +0200
@@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
#ifndef OPENSSL_NO_DH
DH *ssl_get_auto_dh(SSL *s)
{
+ DH *dhp = NULL;
+ BIGNUM *p = NULL, *g = NULL;
int dh_secbits = 80;
- if (s->cert->dh_tmp_auto == 2)
- return DH_get_1024_160();
- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
- if (s->s3->tmp.new_cipher->strength_bits == 256)
- dh_secbits = 128;
- else
- dh_secbits = 80;
- } else {
- if (s->s3->tmp.cert == NULL)
- return NULL;
- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ if (s->cert->dh_tmp_auto != 2) {
+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
+ if (s->s3->tmp.new_cipher->strength_bits == 256)
+ dh_secbits = 128;
+ else
+ dh_secbits = 80;
+ } else {
+ if (s->s3->tmp.cert == NULL)
+ return NULL;
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ }
}
- if (dh_secbits >= 128) { diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c
- DH *dhp = DH_new(); --- openssl-1.1.1h/ssl/t1_lib.c.fips-dh 2020-11-04 14:04:41.851711629 +0100
- BIGNUM *p, *g; +++ openssl-1.1.1h/ssl/t1_lib.c 2020-11-04 14:06:06.506431652 +0100
- if (dhp == NULL) @@ -2470,7 +2470,7 @@
- return NULL; p = BN_get_rfc3526_prime_4096(NULL);
- g = BN_new(); else if (dh_secbits >= 128)
- if (g == NULL || !BN_set_word(g, 2)) { p = BN_get_rfc3526_prime_3072(NULL);
- DH_free(dhp); - else if (dh_secbits >= 112)
- BN_free(g);
- return NULL;
- }
- if (dh_secbits >= 192)
- p = BN_get_rfc3526_prime_8192(NULL);
- else
- p = BN_get_rfc3526_prime_3072(NULL);
- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
- DH_free(dhp);
- BN_free(p);
- BN_free(g);
- return NULL;
- }
- return dhp;
+ dhp = DH_new();
+ if (dhp == NULL)
+ return NULL;
+ g = BN_new();
+ if (g == NULL || !BN_set_word(g, 2)) {
+ DH_free(dhp);
+ BN_free(g);
+ return NULL;
+ }
+ if (dh_secbits >= 192)
+ p = BN_get_rfc3526_prime_8192(NULL);
+ else if (dh_secbits >= 152)
+ p = BN_get_rfc3526_prime_4096(NULL);
+ else if (dh_secbits >= 128)
+ p = BN_get_rfc3526_prime_3072(NULL);
+ else if (dh_secbits >= 112 || FIPS_mode()) + else if (dh_secbits >= 112 || FIPS_mode())
+ p = BN_get_rfc3526_prime_2048(NULL); p = BN_get_rfc3526_prime_2048(NULL);
+ else else
+ p = BN_get_rfc2409_prime_1024(NULL); p = BN_get_rfc2409_prime_1024(NULL);
+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+ DH_free(dhp);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
}
- if (dh_secbits >= 112)
- return DH_get_2048_224();
- return DH_get_1024_160();
+ return dhp;
}
#endif

8
openssl-1.1.1-fips.patch
View File

@ -11614,10 +11614,10 @@ diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1
diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num
--- openssl-1.1.1e/util/libcrypto.num.fips 2020-03-17 17:31:10.744241038 +0100 --- openssl-1.1.1e/util/libcrypto.num.fips 2020-03-17 17:31:10.744241038 +0100
+++ openssl-1.1.1e/util/libcrypto.num 2020-03-17 17:32:37.851722261 +0100 +++ openssl-1.1.1e/util/libcrypto.num 2020-03-17 17:32:37.851722261 +0100
@@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify @@ -4590,3 +4590,38 @@ X509_ALGOR_copy
EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION: X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:
EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION: X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:
RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: +FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: +FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: +FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:

14
openssl-1.1.1-ignore-bound.patch
View File

@ -1,14 +0,0 @@
Do not return failure when setting version bound on fixed protocol
version method.
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
* methods are not subject to controls that disable individual protocol
* versions.
*/
- return 0;
+ return 1;
case TLS_ANY_VERSION:
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)

44
openssl-1.1.1-reneg-no-extms.patch
View File

@ -1,44 +0,0 @@
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
@@ -292,6 +292,9 @@ extern "C" {
# define TLS1_FLAGS_STATELESS 0x0800
+/* Set if extended master secret extension required on renegotiation */
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
+
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1
# define SSL3_MT_SERVER_HELLO 2
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
static int init_ems(SSL *s, unsigned int context)
{
- if (!s->server)
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+ }
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
+ /*
+ * Check extended master secret extension is not dropped on
+ * renegotiation.
+ */
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+ SSL_R_INCONSISTENT_EXTMS);
+ return 0;
+ }
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with

44
openssl-1.1.1-ts-sha256-default.patch
View File

@ -1,8 +1,17 @@
diff --git a/apps/ts.c b/apps/ts.c diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
index 63c5210183..4ef8a72eef 100644 --- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100
--- a/apps/ts.c +++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100
+++ b/apps/ts.c @@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i
@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md, # (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
-ess_cert_id_alg = sha1 # algorithm to compute certificate
+ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha1)
diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100
@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
ASN1_OBJECT *policy_obj = NULL; ASN1_OBJECT *policy_obj = NULL;
ASN1_INTEGER *nonce_asn1 = NULL; ASN1_INTEGER *nonce_asn1 = NULL;
@ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644
goto err; goto err;
if ((ts_req = TS_REQ_new()) == NULL) if ((ts_req = TS_REQ_new()) == NULL)
goto err; goto err;
diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
index 078905a845..83b8fe4350 100644 --- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100
--- a/doc/man1/ts.pod +++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100
+++ b/doc/man1/ts.pod @@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
@@ -517,7 +517,7 @@ included. Default is no. (Optional) const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
if (md == NULL)
- md = "sha1";
+ md = "sha256";
cert_md = EVP_get_digestbyname(md);
if (cert_md == NULL) {
diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100
@@ -518,7 +518,7 @@ included. Default is no. (Optional)
=item B<ess_cert_id_alg> =item B<ess_cert_id_alg>
This option specifies the hash function to be used to calculate the TSA's This option specifies the hash function to be used to calculate the TSA's
@ -24,7 +44,7 @@ index 078905a845..83b8fe4350 100644
=back =back
@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do. @@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
=head2 Time Stamp Request =head2 Time Stamp Request
@ -33,7 +53,7 @@ index 078905a845..83b8fe4350 100644
without nonce and policy and no certificate is required in the response: without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \ openssl ts -query -data design1.txt -no_nonce \
@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format: @@ -546,12 +546,12 @@ To print the content of the previous req
openssl ts -query -in design1.tsq -text openssl ts -query -in design1.tsq -text

6
openssl-1.1.1-version-override.patch
View File

@ -4,9 +4,9 @@ diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.
@@ -40,7 +40,7 @@ extern "C" { @@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x1010107fL # define OPENSSL_VERSION_NUMBER 0x1010108fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020" -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h FIPS 22 Sep 2020"
/*- /*-
* The macros below are to be used for shared library (.so, .dll, ...) * The macros below are to be used for shared library (.so, .dll, ...)

13
openssl.spec
View File

@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1g Version: 1.1.1h
Release: 15%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -54,7 +54,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
Patch40: openssl-1.1.1-disable-ssl3.patch Patch40: openssl-1.1.1-disable-ssl3.patch
Patch41: openssl-1.1.1-system-cipherlist.patch Patch41: openssl-1.1.1-system-cipherlist.patch
Patch42: openssl-1.1.1-fips.patch Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.1-weak-ciphers.patch Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch Patch46: openssl-1.1.1-seclevel.patch
@ -69,7 +68,6 @@ Patch62: openssl-1.1.1-fips-curves.patch
Patch65: openssl-1.1.1-fips-drbg-selftest.patch Patch65: openssl-1.1.1-fips-drbg-selftest.patch
Patch66: openssl-1.1.1-fips-dh.patch Patch66: openssl-1.1.1-fips-dh.patch
Patch67: openssl-1.1.1-kdf-selftest.patch Patch67: openssl-1.1.1-kdf-selftest.patch
Patch68: openssl-1.1.1-reneg-no-extms.patch
Patch69: openssl-1.1.1-alpn-cb.patch Patch69: openssl-1.1.1-alpn-cb.patch
Patch70: openssl-1.1.1-rewire-fips-drbg.patch Patch70: openssl-1.1.1-rewire-fips-drbg.patch
# Backported fixes including security fixes # Backported fixes including security fixes
@ -167,7 +165,6 @@ cp %{SOURCE13} test/
%patch40 -p1 -b .disable-ssl3 %patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist %patch41 -p1 -b .system-cipherlist
%patch42 -p1 -b .fips %patch42 -p1 -b .fips
%patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override %patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers %patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel %patch46 -p1 -b .seclevel
@ -186,7 +183,6 @@ cp %{SOURCE13} test/
%patch65 -p1 -b .drbg-selftest %patch65 -p1 -b .drbg-selftest
%patch66 -p1 -b .fips-dh %patch66 -p1 -b .fips-dh
%patch67 -p1 -b .kdf-selftest %patch67 -p1 -b .kdf-selftest
%patch68 -p1 -b .reneg-no-extms
%patch69 -p1 -b .alpn-cb %patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg %patch70 -p1 -b .rewire-fips-drbg
@ -428,6 +424,7 @@ export LD_LIBRARY_PATH
%{_pkgdocdir}/Makefile.certificate %{_pkgdocdir}/Makefile.certificate
%exclude %{_mandir}/man1*/*.pl* %exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/c_rehash* %exclude %{_mandir}/man1*/c_rehash*
%exclude %{_mandir}/man1*/openssl-c_rehash*
%exclude %{_mandir}/man1*/tsget* %exclude %{_mandir}/man1*/tsget*
%exclude %{_mandir}/man1*/openssl-tsget* %exclude %{_mandir}/man1*/openssl-tsget*
@ -464,6 +461,7 @@ export LD_LIBRARY_PATH
%{_bindir}/tsget %{_bindir}/tsget
%{_mandir}/man1*/*.pl* %{_mandir}/man1*/*.pl*
%{_mandir}/man1*/c_rehash* %{_mandir}/man1*/c_rehash*
%{_mandir}/man1*/openssl-c_rehash*
%{_mandir}/man1*/tsget* %{_mandir}/man1*/tsget*
%{_mandir}/man1*/openssl-tsget* %{_mandir}/man1*/openssl-tsget*
%dir %{_sysconfdir}/pki/CA %dir %{_sysconfdir}/pki/CA
@ -475,6 +473,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
- Upgrade to version 1.1.1.h
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971 SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908