update to the final 1.1.1 version

Tomas Mraz 2018-09-13 09:43:22 +02:00
parent 90121b0c9d
commit a4bf4e1b65
6 changed files with 413 additions and 333 deletions


@ -1,8 +1,40 @@
diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
--- openssl-1.1.1-pre8/apps/speed.c.curves 2018-07-17 08:48:56.106625020 +0200 --- openssl-1.1.1/apps/speed.c.curves 2018-09-11 14:48:20.000000000 +0200
+++ openssl-1.1.1-pre8/apps/speed.c 2018-07-17 08:50:07.526521809 +0200 +++ openssl-1.1.1/apps/speed.c 2018-09-13 09:24:24.840081023 +0200
@@ -511,56 +511,20 @@ static double rsa_results[RSA_NUM][2]; @@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
#define R_EC_X448 23 static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
#endif /* OPENSSL_NO_RSA */
-#define R_EC_P160 0
-#define R_EC_P192 1
-#define R_EC_P224 2
-#define R_EC_P256 3
-#define R_EC_P384 4
-#define R_EC_P521 5
-#define R_EC_K163 6
-#define R_EC_K233 7
-#define R_EC_K283 8
-#define R_EC_K409 9
-#define R_EC_K571 10
-#define R_EC_B163 11
-#define R_EC_B233 12
-#define R_EC_B283 13
-#define R_EC_B409 14
-#define R_EC_B571 15
-#define R_EC_BRP256R1 16
-#define R_EC_BRP256T1 17
-#define R_EC_BRP384R1 18
-#define R_EC_BRP384T1 19
-#define R_EC_BRP512R1 20
-#define R_EC_BRP512T1 21
-#define R_EC_X25519 22
-#define R_EC_X448 23
+#define R_EC_P224 0
+#define R_EC_P256 1
+#define R_EC_P384 2
+#define R_EC_P521 3
+#define R_EC_X25519 4
+#define R_EC_X448 5
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
static OPT_PAIR ecdsa_choices[] = { static OPT_PAIR ecdsa_choices[] = {
- {"ecdsap160", R_EC_P160}, - {"ecdsap160", R_EC_P160},
@ -58,10 +90,90 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
{"ecdhx25519", R_EC_X25519}, {"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448} {"ecdhx448", R_EC_X448}
}; };
diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c @@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
--- openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves 2018-06-20 16:48:10.000000000 +0200 unsigned int bits;
+++ openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c 2018-07-17 08:48:56.107625044 +0200 } test_curves[] = {
@@ -141,6 +141,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO /* Prime Curves */
- {"secp160r1", NID_secp160r1, 160},
- {"nistp192", NID_X9_62_prime192v1, 192},
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
{"nistp521", NID_secp521r1, 521},
- /* Binary Curves */
- {"nistk163", NID_sect163k1, 163},
- {"nistk233", NID_sect233k1, 233},
- {"nistk283", NID_sect283k1, 283},
- {"nistk409", NID_sect409k1, 409},
- {"nistk571", NID_sect571k1, 571},
- {"nistb163", NID_sect163r2, 163},
- {"nistb233", NID_sect233r1, 233},
- {"nistb283", NID_sect283r1, 283},
- {"nistb409", NID_sect409r1, 409},
- {"nistb571", NID_sect571r1, 571},
- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
- {"brainpoolP384t1", NID_brainpoolP384t1, 384},
- {"brainpoolP512r1", NID_brainpoolP512r1, 512},
- {"brainpoolP512t1", NID_brainpoolP512t1, 512},
/* Other and ECDH only ones */
{"X25519", NID_X25519, 253},
{"X448", NID_X448, 448}
@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
# endif
# ifndef OPENSSL_NO_EC
- ecdsa_c[R_EC_P160][0] = count / 1000;
- ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
+ ecdsa_c[R_EC_P224][0] = count / 1000;
+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#if 0
ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
}
}
}
-
- ecdh_c[R_EC_P160][0] = count / 1000;
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
+#endif
+ ecdh_c[R_EC_P224][0] = count / 1000;
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0;
@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#if 0
ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
}
}
}
+#endif
/* default iteration count for the last two EC Curves */
ecdh_c[R_EC_X25519][0] = count / 1800;
ecdh_c[R_EC_X448][0] = count / 7200;
diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_smpl.c
--- openssl-1.1.1/crypto/ec/ecp_smpl.c.curves 2018-09-11 14:48:21.000000000 +0200
+++ openssl-1.1.1/crypto/ec/ecp_smpl.c 2018-09-13 09:09:26.841792619 +0200
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0; return 0;
} }
@ -73,9 +185,9 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypt
if (ctx == NULL) { if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new(); ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
diff -up openssl-1.1.1-pre8/test/ecdsatest.c.curves openssl-1.1.1-pre8/test/ecdsatest.c diff -up openssl-1.1.1/test/ecdsatest.c.curves openssl-1.1.1/test/ecdsatest.c
--- openssl-1.1.1-pre8/test/ecdsatest.c.curves 2018-06-20 16:48:14.000000000 +0200 --- openssl-1.1.1/test/ecdsatest.c.curves 2018-09-11 14:48:24.000000000 +0200
+++ openssl-1.1.1-pre8/test/ecdsatest.c 2018-07-17 08:48:56.107625044 +0200 +++ openssl-1.1.1/test/ecdsatest.c 2018-09-13 09:09:26.841792619 +0200
@@ -173,6 +173,7 @@ static int x9_62_tests(void) @@ -173,6 +173,7 @@ static int x9_62_tests(void)
if (!change_rand()) if (!change_rand())
goto x962_err; goto x962_err;
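Review bot: The two `#if 0` / `#endif` pairs this patch now adds inside speed_main (before `ecdsa_c[R_EC_K163][0] = count / 1000;` and before `ecdh_c[R_EC_K163][0] = count / 1000;`) carry no comment explaining why the iteration-count setup is disabled. The same patch removes the `R_EC_K163` … `R_EC_BRP512T1` defines, so the disabled blocks reference macros that no longer exist and would not compile if someone re-enabled them. I would either annotate the guard, e.g. `#if 0 /* curves dropped from this build; their R_EC_* indices are not defined */`, or delete those lines in the patch the way the defines and the `test_curves[]` entries are deleted. The reason is presumably that these curves are not built in this package, but that should be confirmed and stated in the patch. The body of speed_main continues outside the visible hunks, so the full extent of each disabled region cannot be checked from here.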



@ -1,13 +0,0 @@
diff -up openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup openssl-1.1.1-pre9/crypto/rand/rand_lib.c
--- openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup 2018-09-06 08:18:19.481566808 +0200
+++ openssl-1.1.1-pre9/crypto/rand/rand_lib.c 2018-09-06 13:28:32.531777065 +0200
@@ -353,7 +353,8 @@ void rand_cleanup_int(void)
if (meth != NULL && meth->cleanup != NULL)
meth->cleanup();
rand_pool_cleanup();
- RAND_set_rand_method(NULL);
+ if (meth != NULL)
+ RAND_set_rand_method(NULL);
#ifndef OPENSSL_NO_ENGINE
CRYPTO_THREAD_lock_free(rand_engine_lock);
rand_engine_lock = NULL;


@ -1,14 +0,0 @@
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index df5cff79c9..e740a8c25d 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
if (level >= 2 && c->algorithm_enc == SSL_RC4)
return 0;
/* Level 3: forward secure ciphersuites only */
- if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+ if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
+ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
return 0;
break;
}


@ -1,14 +1,12 @@
diff -up openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override openssl-1.1.1-pre9/include/openssl/opensslv.h diff -up openssl-1.1.1/include/openssl/opensslv.h.version-override openssl-1.1.1/include/openssl/opensslv.h
--- openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override 2018-08-22 12:25:31.959886929 +0200 --- openssl-1.1.1/include/openssl/opensslv.h.version-override 2018-09-13 08:54:38.247940128 +0200
+++ openssl-1.1.1-pre9/include/openssl/opensslv.h 2018-08-22 12:26:17.997014595 +0200 +++ openssl-1.1.1/include/openssl/opensslv.h 2018-09-13 08:56:10.757779555 +0200
@@ -39,8 +39,8 @@ extern "C" { @@ -40,7 +40,7 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
-# define OPENSSL_VERSION_NUMBER 0x10101009L # define OPENSSL_VERSION_NUMBER 0x1010100fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018" -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 11 Sep 2018"
+# define OPENSSL_VERSION_NUMBER 0x1010100fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 FIPS 11 Sep 2018"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018"
/*- /*-
* The macros below are to be used for shared library (.so, .dll, ...) * The macros below are to be used for shared library (.so, .dll, ...)


@ -19,17 +19,15 @@
%global _performance_build 1 %global _performance_build 1
%global prerelease pre9
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1 Version: 1.1.1
Release: 0.%{prerelease}.3%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm. # The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: openssl-%{version}-%{prerelease}-hobbled.tar.xz Source: openssl-%{version}-hobbled.tar.xz
Source1: hobble-openssl Source1: hobble-openssl
Source2: Makefile.certificate Source2: Makefile.certificate
Source6: make-dummy-cert Source6: make-dummy-cert
@ -59,9 +57,7 @@ Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.0-weak-ciphers.patch Patch45: openssl-1.1.0-weak-ciphers.patch
Patch46: openssl-1.1.1-rand-cleanup.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch70: openssl-1.1.1-seclevel-check.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -135,7 +131,7 @@ package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit. from other formats to the formats used by the OpenSSL toolkit.
%prep %prep
%setup -q -n %{name}-%{version}-%{prerelease} %setup -q -n %{name}-%{version}
# The hobble_openssl is called here redundantly, just to be sure. # The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed. # The tarball has already the sources removed.
@ -163,9 +159,7 @@ cp %{SOURCE13} test/
%patch43 -p1 -b .ignore-bound %patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override %patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers %patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .rand-cleanup
%patch70 -p1 -b .seclevel-check
%build %build
# Figure out which flags we want to use. # Figure out which flags we want to use.
@ -453,6 +447,9 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
- update to the final 1.1.1 version
* Thu Sep 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3 * Thu Sep 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3
- do not try to initialize RNG in cleanup if it was not initialized - do not try to initialize RNG in cleanup if it was not initialized
before (#1624554) before (#1624554)