update to upstream version 1.1.0h

Add Recommends for openssl-pkcs11

.gitignore

@@ -37,3 +37,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.0e-hobbled.tar.xz
 /openssl-1.1.0f-hobbled.tar.xz
 /openssl-1.1.0g-hobbled.tar.xz
+/openssl-1.1.0h-hobbled.tar.xz

ectest.c

@@ -962,7 +962,7 @@ int main(int argc, char *argv[])
         CRYPTO_set_mem_debug(1);
     CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
-    RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
+    RAND_seed(rnd_seed, sizeof(rnd_seed)); /* or BN_generate_prime may fail */
 
     prime_field_tests();
     puts("");

openssl-1.1.0-cc-reqs.patch

@@ -1,7 +1,7 @@
-diff -up openssl-1.1.0f/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0f/crypto/rsa/rsa_gen.c
---- openssl-1.1.0f/crypto/rsa/rsa_gen.c.cc-reqs	2017-05-25 14:46:19.000000000 +0200
-+++ openssl-1.1.0f/crypto/rsa/rsa_gen.c	2017-06-02 14:13:45.352475862 +0200
-@@ -85,6 +85,12 @@ static int rsa_builtin_keygen(RSA *rsa,
+diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0h/crypto/rsa/rsa_gen.c
+--- openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs	2018-03-27 15:50:39.000000000 +0200
++++ openssl-1.1.0h/crypto/rsa/rsa_gen.c	2018-03-29 14:37:53.405048562 +0200
+@@ -86,6 +86,12 @@ static int rsa_builtin_keygen(RSA *rsa,
      if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
          goto err;
  
@@ -14,7 +14,7 @@ diff -up openssl-1.1.0f/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0f/crypto/rsa/r
      if (BN_copy(rsa->e, e_value) == NULL)
          goto err;
  
-@@ -107,7 +113,9 @@ static int rsa_builtin_keygen(RSA *rsa,
+@@ -118,7 +124,9 @@ static int rsa_builtin_keygen(RSA *rsa,
          do {
              if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
                  goto err;
@@ -24,4 +24,4 @@ diff -up openssl-1.1.0f/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0f/crypto/rsa/r
 +        } while (BN_ucmp(r2, r3) <= 0);
          if (!BN_sub(r2, rsa->q, BN_value_one()))
              goto err;
-         if (!BN_gcd(r1, r2, rsa->e, ctx))
+         ERR_set_mark();

openssl-1.1.0-disable-ssl3.patch

@@ -1,9 +1,9 @@
-diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
---- openssl-1.1.0f/apps/s_client.c.disable-ssl3	2017-06-05 15:42:44.838853312 +0200
-+++ openssl-1.1.0f/apps/s_client.c	2017-07-17 14:50:06.468821871 +0200
-@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
+diff -up openssl-1.1.0h/apps/s_client.c.disable-ssl3 openssl-1.1.0h/apps/s_client.c
+--- openssl-1.1.0h/apps/s_client.c.disable-ssl3	2018-03-29 14:38:39.612133765 +0200
++++ openssl-1.1.0h/apps/s_client.c	2018-03-29 14:41:51.309635904 +0200
+@@ -1489,6 +1489,9 @@ int s_client_main(int argc, char **argv)
+     if (!config_ctx(cctx, ssl_args, ctx))
+         goto end;
  
 +    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
 +        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
@@ -11,24 +11,23 @@ diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_clien
      if (ssl_config) {
          if (SSL_CTX_config(ctx, ssl_config) == 0) {
              BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
---- openssl-1.1.0f/apps/s_server.c.disable-ssl3	2017-05-25 14:46:18.000000000 +0200
-+++ openssl-1.1.0f/apps/s_server.c	2017-07-17 14:49:50.434447583 +0200
-@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
-     }
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
-+
+diff -up openssl-1.1.0h/apps/s_server.c.disable-ssl3 openssl-1.1.0h/apps/s_server.c
+--- openssl-1.1.0h/apps/s_server.c.disable-ssl3	2018-03-29 14:38:39.613133788 +0200
++++ openssl-1.1.0h/apps/s_server.c	2018-03-29 14:42:27.313481477 +0200
+@@ -1619,6 +1619,9 @@ int s_server_main(int argc, char *argv[]
+     if (!config_ctx(cctx, ssl_args, ctx))
+         goto end;
+ 
 +    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
 +        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
 +
      if (ssl_config) {
          if (SSL_CTX_config(ctx, ssl_config) == 0) {
              BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3	2016-08-25 17:29:22.000000000 +0200
-+++ openssl-1.1.0/ssl/ssl_lib.c	2016-09-08 11:08:05.252082263 +0200
-@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+diff -up openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0h/ssl/ssl_lib.c
+--- openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3	2018-03-27 15:50:40.000000000 +0200
++++ openssl-1.1.0h/ssl/ssl_lib.c	2018-03-29 14:38:39.614133811 +0200
+@@ -2653,6 +2653,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
       * or by using the SSL_CONF library.
       */
      ret->options |= SSL_OP_NO_COMPRESSION;
@@ -42,19 +41,19 @@ diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
  
      ret->tlsext_status_type = -1;
  
-diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
---- openssl-1.1.0/test/ssl_test.c.disable-ssl3	2016-09-08 11:08:05.252082263 +0200
-+++ openssl-1.1.0/test/ssl_test.c	2016-09-08 11:11:44.802005886 +0200
-@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
+diff -up openssl-1.1.0h/test/ssl_test.c.disable-ssl3 openssl-1.1.0h/test/ssl_test.c
+--- openssl-1.1.0h/test/ssl_test.c.disable-ssl3	2018-03-29 14:38:39.615133835 +0200
++++ openssl-1.1.0h/test/ssl_test.c	2018-03-29 14:43:37.893139086 +0200
+@@ -277,6 +277,7 @@ static int execute_test(SSL_TEST_FIXTURE
              SSL_TEST_SERVERNAME_CB_NONE) {
              server2_ctx = SSL_CTX_new(TLS_server_method());
              TEST_check(server2_ctx != NULL);
 +            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
          }
          client_ctx = SSL_CTX_new(TLS_client_method());
- 
-@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
-             resume_client_ctx = SSL_CTX_new(TLS_client_method());
+         TEST_check(SSL_CTX_set_max_proto_version(client_ctx, TLS_MAX_VERSION));
+@@ -290,11 +291,15 @@ static int execute_test(SSL_TEST_FIXTURE
+                                                      TLS_MAX_VERSION));
              TEST_check(resume_server_ctx != NULL);
              TEST_check(resume_client_ctx != NULL);
 +            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
@@ -69,10 +68,10 @@ diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.
  
      TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
  
-diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3	2016-08-25 17:29:23.000000000 +0200
-+++ openssl-1.1.0/test/ssltest_old.c	2016-09-08 11:08:05.253082286 +0200
-@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
+diff -up openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 openssl-1.1.0h/test/ssltest_old.c
+--- openssl-1.1.0h/test/ssltest_old.c.disable-ssl3	2018-03-27 15:50:41.000000000 +0200
++++ openssl-1.1.0h/test/ssltest_old.c	2018-03-29 14:38:39.615133835 +0200
+@@ -1460,6 +1460,11 @@ int main(int argc, char *argv[])
          ERR_print_errors(bio_err);
          goto end;
      }

openssl-1.1.0-silent-rnd-write.patch

@@ -1,6 +1,6 @@
-diff -up openssl-1.1.0g/apps/app_rand.c.silent-rnd-write openssl-1.1.0g/apps/app_rand.c
---- openssl-1.1.0g/apps/app_rand.c.silent-rnd-write	2017-05-25 14:46:17.000000000 +0200
-+++ openssl-1.1.0g/apps/app_rand.c	2018-01-11 18:05:32.332703425 +0100
+diff -up openssl-1.1.0h/apps/app_rand.c.silent-rnd-write openssl-1.1.0h/apps/app_rand.c
+--- openssl-1.1.0h/apps/app_rand.c.silent-rnd-write	2018-03-27 15:50:37.000000000 +0200
++++ openssl-1.1.0h/apps/app_rand.c	2018-03-29 15:27:24.597891091 +0200
 @@ -91,6 +91,7 @@ long app_RAND_load_files(char *name)
  int app_RAND_write_file(const char *file)
  {
@@ -11,7 +11,7 @@ diff -up openssl-1.1.0g/apps/app_rand.c.silent-rnd-write openssl-1.1.0g/apps/app
          /*
 @@ -103,8 +104,10 @@ int app_RAND_write_file(const char *file
      if (file == NULL)
-         file = RAND_file_name(buffer, sizeof buffer);
+         file = RAND_file_name(buffer, sizeof(buffer));
      if (file == NULL || !RAND_write_file(file)) {
 -        BIO_printf(bio_err, "unable to write 'random state'\n");
 -        return 0;

openssl-1.1.0-version-add-engines.patch

@@ -1,7 +1,7 @@
-diff -up openssl-1.1.0-pre5/apps/version.c.version-add-engines openssl-1.1.0-pre5/apps/version.c
---- openssl-1.1.0-pre5/apps/version.c.version-add-engines	2016-07-18 15:25:52.694531409 +0200
-+++ openssl-1.1.0-pre5/apps/version.c	2016-07-18 15:32:53.943062181 +0200
-@@ -153,7 +153,7 @@ int version_main(int argc, char **argv)
+diff -up openssl-1.1.0h/apps/version.c.version-add-engines openssl-1.1.0h/apps/version.c
+--- openssl-1.1.0h/apps/version.c.version-add-engines	2018-03-27 15:50:37.000000000 +0200
++++ openssl-1.1.0h/apps/version.c	2018-03-29 14:33:30.732879537 +0200
+@@ -52,7 +52,7 @@ int version_main(int argc, char **argv)
  {
      int ret = 1, dirty = 0;
      int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
@@ -10,16 +10,16 @@ diff -up openssl-1.1.0-pre5/apps/version.c.version-add-engines openssl-1.1.0-pre
      char *prog;
      OPTION_CHOICE o;
  
-@@ -190,7 +190,7 @@ int version_main(int argc, char **argv)
+@@ -90,7 +90,7 @@ opthelp:
              dirty = version = 1;
              break;
          case OPT_A:
--            cflags = version = date = platform = dir = engdir = 1;
-+            cflags = version = date = platform = dir = engdir = engines = 1;
+-            options = cflags = version = date = platform = dir = engdir = 1;
++            options = cflags = version = date = platform = dir = engdir = engines = 1;
              break;
          }
      }
-@@ -235,6 +235,16 @@ int version_main(int argc, char **argv)
+@@ -139,6 +139,16 @@ opthelp:
          printf("%s\n", OpenSSL_version(OPENSSL_DIR));
      if (engdir)
          printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR));

openssl.spec

@@ -21,8 +21,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.0g
-Release: 6%{?dist}
+Version: 1.1.0h
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -86,6 +86,7 @@ Summary: A general purpose cryptography library with TLS implementation
 Group: System Environment/Libraries
 Requires: ca-certificates >= 2008-5
 Requires: crypto-policies
+Recommends: openssl-pkcs11%{?_isa}
 # Needed obsoletes due to the base/lib subpackage split
 Obsoletes: openssl < 1:1.0.1-0.3.beta3
 Obsoletes: openssl-fips < 1:1.0.1e-28
@@ -429,6 +430,10 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Mar 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-1
+- update to upstream version 1.1.0h
+- add Recommends for openssl-pkcs11
+
 * Fri Feb 23 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-6
 - one more try to apply RPM_LD_FLAGS properly (#1541033)
 - dropped unneeded starttls xmpp patch (#1417017)

sources

@@ -1 +1 @@
-SHA512 (openssl-1.1.0g-hobbled.tar.xz) = 6020086f57a115b7024a0ce320d3a8c95b172c85b8f9825c6190c9974a77be39e2f3c69006f975c466ad419b2217118f887d5973fa6ed4db8254d402cde1d70b
+SHA512 (openssl-1.1.0h-hobbled.tar.xz) = cba4641956d6593f5cf5164bed12fb3acfaa9c24a69d5642cc0267d0918555450a12ddeac6e02b246afa64e7019f35baa0d9302d1f06e3be5555d8340319c5e4