Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssl.git#3413ff9700373616a74dcf14fe75868d046e22e2
This commit is contained in:
parent
16459847f1
commit
a99ab8f40a
1
.gitignore
vendored
1
.gitignore
vendored
@ -48,3 +48,4 @@ openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.1.1e-hobbled.tar.xz
|
||||
/openssl-1.1.1f-hobbled.tar.xz
|
||||
/openssl-1.1.1g-hobbled.tar.xz
|
||||
/openssl-1.1.1h-hobbled.tar.xz
|
||||
|
84
ectest.c
84
ectest.c
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -1425,6 +1425,87 @@ static int ec_point_hex2point_test(int id)
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* check the EC_METHOD respects the supplied EC_GROUP_set_generator G
|
||||
*/
|
||||
static int custom_generator_test(int id)
|
||||
{
|
||||
int ret = 0, nid, bsize;
|
||||
EC_GROUP *group = NULL;
|
||||
EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *k = NULL;
|
||||
unsigned char *b1 = NULL, *b2 = NULL;
|
||||
|
||||
/* Do some setup */
|
||||
nid = curves[id].nid;
|
||||
TEST_note("Curve %s", OBJ_nid2sn(nid));
|
||||
if (!TEST_ptr(ctx = BN_CTX_new()))
|
||||
return 0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
|
||||
goto err;
|
||||
|
||||
/* expected byte length of encoded points */
|
||||
bsize = (EC_GROUP_get_degree(group) + 7) / 8;
|
||||
bsize = 2 * bsize + 1;
|
||||
|
||||
if (!TEST_ptr(k = BN_CTX_get(ctx))
|
||||
/* fetch a testing scalar k != 0,1 */
|
||||
|| !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
|
||||
BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
|
||||
/* make k even */
|
||||
|| !TEST_true(BN_clear_bit(k, 0))
|
||||
|| !TEST_ptr(G2 = EC_POINT_new(group))
|
||||
|| !TEST_ptr(Q1 = EC_POINT_new(group))
|
||||
/* Q1 := kG */
|
||||
|| !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
|
||||
/* pull out the bytes of that */
|
||||
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
|
||||
POINT_CONVERSION_UNCOMPRESSED, NULL,
|
||||
0, ctx), bsize)
|
||||
|| !TEST_ptr(b1 = OPENSSL_malloc(bsize))
|
||||
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
|
||||
POINT_CONVERSION_UNCOMPRESSED, b1,
|
||||
bsize, ctx), bsize)
|
||||
/* new generator is G2 := 2G */
|
||||
|| !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
|
||||
ctx))
|
||||
|| !TEST_true(EC_GROUP_set_generator(group, G2,
|
||||
EC_GROUP_get0_order(group),
|
||||
EC_GROUP_get0_cofactor(group)))
|
||||
|| !TEST_ptr(Q2 = EC_POINT_new(group))
|
||||
|| !TEST_true(BN_rshift1(k, k))
|
||||
/* Q2 := k/2 G2 */
|
||||
|| !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
|
||||
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
|
||||
POINT_CONVERSION_UNCOMPRESSED, NULL,
|
||||
0, ctx), bsize)
|
||||
|| !TEST_ptr(b2 = OPENSSL_malloc(bsize))
|
||||
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
|
||||
POINT_CONVERSION_UNCOMPRESSED, b2,
|
||||
bsize, ctx), bsize)
|
||||
/* Q1 = kG = k/2 G2 = Q2 should hold */
|
||||
|| !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
|
||||
goto err;
|
||||
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
EC_POINT_free(Q1);
|
||||
EC_POINT_free(Q2);
|
||||
EC_POINT_free(G2);
|
||||
EC_GROUP_free(group);
|
||||
BN_CTX_free(ctx);
|
||||
OPENSSL_free(b1);
|
||||
OPENSSL_free(b2);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
|
||||
int setup_tests(void)
|
||||
@ -1452,6 +1533,7 @@ int setup_tests(void)
|
||||
|
||||
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
|
||||
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
|
||||
ADD_ALL_TESTS(custom_generator_test, crv_len);
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
return 1;
|
||||
}
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
||||
--- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200
|
||||
diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
|
||||
--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100
|
||||
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
|
||||
#endif /* OPENSSL_NO_RSA */
|
||||
|
||||
@ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
||||
{"ecdhx25519", R_EC_X25519},
|
||||
{"ecdhx448", R_EC_X448}
|
||||
};
|
||||
@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
|
||||
@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
|
||||
unsigned int bits;
|
||||
} test_curves[] = {
|
||||
/* Prime Curves */
|
||||
@ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
||||
/* Other and ECDH only ones */
|
||||
{"X25519", NID_X25519, 253},
|
||||
{"X448", NID_X448, 448}
|
||||
@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
|
||||
@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
|
||||
# endif
|
||||
|
||||
# ifndef OPENSSL_NO_EC
|
||||
@ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
||||
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
|
||||
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
|
||||
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
|
||||
@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
|
||||
@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
||||
ecdsa_c[R_EC_K163][0] = count / 1000;
|
||||
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
|
||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||
@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
|
||||
@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
# endif
|
||||
|
||||
@ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
|
||||
ecdh_doit[i] = 0;
|
||||
@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
|
||||
@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
||||
ecdh_c[R_EC_K163][0] = count / 1000;
|
||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||
diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200
|
||||
diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100
|
||||
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||
return 0;
|
||||
}
|
||||
@ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp
|
||||
if (ctx == NULL) {
|
||||
ctx = new_ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
|
||||
--- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200
|
||||
+++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200
|
||||
diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
|
||||
--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100
|
||||
+++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100
|
||||
@@ -32,23 +32,6 @@ typedef struct {
|
||||
} ecdsa_cavs_kat_t;
|
||||
|
||||
@ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
|
||||
/* prime KATs from NIST CAVP */
|
||||
{NID_secp224r1, NID_sha224,
|
||||
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
||||
--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
|
||||
+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
|
||||
@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
|
||||
if disabled("ec");
|
||||
|
||||
my @prime_curves = qw(
|
||||
- secp112r1
|
||||
- secp112r2
|
||||
- secp128r1
|
||||
- secp128r2
|
||||
- secp160k1
|
||||
- secp160r1
|
||||
- secp160r2
|
||||
- secp192k1
|
||||
- secp224k1
|
||||
secp224r1
|
||||
secp256k1
|
||||
secp384r1
|
||||
secp521r1
|
||||
- prime192v1
|
||||
- prime192v2
|
||||
- prime192v3
|
||||
- prime239v1
|
||||
- prime239v2
|
||||
- prime239v3
|
||||
prime256v1
|
||||
- wap-wsg-idm-ecid-wtls6
|
||||
- wap-wsg-idm-ecid-wtls7
|
||||
- wap-wsg-idm-ecid-wtls8
|
||||
- wap-wsg-idm-ecid-wtls9
|
||||
- wap-wsg-idm-ecid-wtls12
|
||||
- brainpoolP160r1
|
||||
- brainpoolP160t1
|
||||
- brainpoolP192r1
|
||||
- brainpoolP192t1
|
||||
- brainpoolP224r1
|
||||
- brainpoolP224t1
|
||||
- brainpoolP256r1
|
||||
- brainpoolP256t1
|
||||
- brainpoolP320r1
|
||||
- brainpoolP320t1
|
||||
- brainpoolP384r1
|
||||
- brainpoolP384t1
|
||||
- brainpoolP512r1
|
||||
- brainpoolP512t1
|
||||
);
|
||||
|
||||
my @binary_curves = qw(
|
||||
@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
|
||||
if !disabled("sm2");
|
||||
|
||||
my @curve_aliases = qw(
|
||||
- P-192
|
||||
P-224
|
||||
P-256
|
||||
P-384
|
||||
|
@ -2716,91 +2716,16 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
|
||||
--- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-07-17 10:36:29.243788425 +0200
|
||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-07-17 10:36:29.249788474 +0200
|
||||
@@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
|
||||
#ifndef OPENSSL_NO_DH
|
||||
DH *ssl_get_auto_dh(SSL *s)
|
||||
{
|
||||
+ DH *dhp = NULL;
|
||||
+ BIGNUM *p = NULL, *g = NULL;
|
||||
int dh_secbits = 80;
|
||||
- if (s->cert->dh_tmp_auto == 2)
|
||||
- return DH_get_1024_160();
|
||||
- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
|
||||
- if (s->s3->tmp.new_cipher->strength_bits == 256)
|
||||
- dh_secbits = 128;
|
||||
- else
|
||||
- dh_secbits = 80;
|
||||
- } else {
|
||||
- if (s->s3->tmp.cert == NULL)
|
||||
- return NULL;
|
||||
- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
|
||||
+ if (s->cert->dh_tmp_auto != 2) {
|
||||
+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
|
||||
+ if (s->s3->tmp.new_cipher->strength_bits == 256)
|
||||
+ dh_secbits = 128;
|
||||
+ else
|
||||
+ dh_secbits = 80;
|
||||
+ } else {
|
||||
+ if (s->s3->tmp.cert == NULL)
|
||||
+ return NULL;
|
||||
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
|
||||
+ }
|
||||
}
|
||||
|
||||
- if (dh_secbits >= 128) {
|
||||
- DH *dhp = DH_new();
|
||||
- BIGNUM *p, *g;
|
||||
- if (dhp == NULL)
|
||||
- return NULL;
|
||||
- g = BN_new();
|
||||
- if (g == NULL || !BN_set_word(g, 2)) {
|
||||
- DH_free(dhp);
|
||||
- BN_free(g);
|
||||
- return NULL;
|
||||
- }
|
||||
- if (dh_secbits >= 192)
|
||||
- p = BN_get_rfc3526_prime_8192(NULL);
|
||||
- else
|
||||
- p = BN_get_rfc3526_prime_3072(NULL);
|
||||
- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
|
||||
- DH_free(dhp);
|
||||
- BN_free(p);
|
||||
- BN_free(g);
|
||||
- return NULL;
|
||||
- }
|
||||
- return dhp;
|
||||
+ dhp = DH_new();
|
||||
+ if (dhp == NULL)
|
||||
+ return NULL;
|
||||
+ g = BN_new();
|
||||
+ if (g == NULL || !BN_set_word(g, 2)) {
|
||||
+ DH_free(dhp);
|
||||
+ BN_free(g);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ if (dh_secbits >= 192)
|
||||
+ p = BN_get_rfc3526_prime_8192(NULL);
|
||||
+ else if (dh_secbits >= 152)
|
||||
+ p = BN_get_rfc3526_prime_4096(NULL);
|
||||
+ else if (dh_secbits >= 128)
|
||||
+ p = BN_get_rfc3526_prime_3072(NULL);
|
||||
diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c
|
||||
--- openssl-1.1.1h/ssl/t1_lib.c.fips-dh 2020-11-04 14:04:41.851711629 +0100
|
||||
+++ openssl-1.1.1h/ssl/t1_lib.c 2020-11-04 14:06:06.506431652 +0100
|
||||
@@ -2470,7 +2470,7 @@
|
||||
p = BN_get_rfc3526_prime_4096(NULL);
|
||||
else if (dh_secbits >= 128)
|
||||
p = BN_get_rfc3526_prime_3072(NULL);
|
||||
- else if (dh_secbits >= 112)
|
||||
+ else if (dh_secbits >= 112 || FIPS_mode())
|
||||
+ p = BN_get_rfc3526_prime_2048(NULL);
|
||||
+ else
|
||||
+ p = BN_get_rfc2409_prime_1024(NULL);
|
||||
+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
|
||||
+ DH_free(dhp);
|
||||
+ BN_free(p);
|
||||
+ BN_free(g);
|
||||
+ return NULL;
|
||||
}
|
||||
- if (dh_secbits >= 112)
|
||||
- return DH_get_2048_224();
|
||||
- return DH_get_1024_160();
|
||||
+ return dhp;
|
||||
}
|
||||
#endif
|
||||
|
||||
p = BN_get_rfc3526_prime_2048(NULL);
|
||||
else
|
||||
p = BN_get_rfc2409_prime_1024(NULL);
|
||||
|
@ -11614,10 +11614,10 @@ diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1
|
||||
diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num
|
||||
--- openssl-1.1.1e/util/libcrypto.num.fips 2020-03-17 17:31:10.744241038 +0100
|
||||
+++ openssl-1.1.1e/util/libcrypto.num 2020-03-17 17:32:37.851722261 +0100
|
||||
@@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify
|
||||
EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION:
|
||||
EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION:
|
||||
RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA
|
||||
@@ -4590,3 +4590,38 @@ X509_ALGOR_copy
|
||||
X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:
|
||||
X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:
|
||||
EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
|
||||
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
|
||||
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
|
||||
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:
|
||||
|
@ -1,14 +0,0 @@
|
||||
Do not return failure when setting version bound on fixed protocol
|
||||
version method.
|
||||
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
|
||||
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
|
||||
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
|
||||
* methods are not subject to controls that disable individual protocol
|
||||
* versions.
|
||||
*/
|
||||
- return 0;
|
||||
+ return 1;
|
||||
|
||||
case TLS_ANY_VERSION:
|
||||
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
|
@ -1,44 +0,0 @@
|
||||
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
|
||||
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
|
||||
@@ -292,6 +292,9 @@ extern "C" {
|
||||
|
||||
# define TLS1_FLAGS_STATELESS 0x0800
|
||||
|
||||
+/* Set if extended master secret extension required on renegotiation */
|
||||
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
|
||||
+
|
||||
# define SSL3_MT_HELLO_REQUEST 0
|
||||
# define SSL3_MT_CLIENT_HELLO 1
|
||||
# define SSL3_MT_SERVER_HELLO 2
|
||||
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
|
||||
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
|
||||
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
|
||||
|
||||
static int init_ems(SSL *s, unsigned int context)
|
||||
{
|
||||
- if (!s->server)
|
||||
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
|
||||
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
|
||||
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
|
||||
+ }
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int final_ems(SSL *s, unsigned int context, int sent)
|
||||
{
|
||||
+ /*
|
||||
+ * Check extended master secret extension is not dropped on
|
||||
+ * renegotiation.
|
||||
+ */
|
||||
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
|
||||
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
|
||||
+ SSL_R_INCONSISTENT_EXTMS);
|
||||
+ return 0;
|
||||
+ }
|
||||
if (!s->server && s->hit) {
|
||||
/*
|
||||
* Check extended master secret extension is consistent with
|
@ -1,8 +1,17 @@
|
||||
diff --git a/apps/ts.c b/apps/ts.c
|
||||
index 63c5210183..4ef8a72eef 100644
|
||||
--- a/apps/ts.c
|
||||
+++ b/apps/ts.c
|
||||
@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
|
||||
diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
|
||||
--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100
|
||||
+++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100
|
||||
@@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i
|
||||
# (optional, default: no)
|
||||
ess_cert_id_chain = no # Must the ESS cert id chain be included?
|
||||
# (optional, default: no)
|
||||
-ess_cert_id_alg = sha1 # algorithm to compute certificate
|
||||
+ess_cert_id_alg = sha256 # algorithm to compute certificate
|
||||
# identifier (optional, default: sha1)
|
||||
diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
|
||||
--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100
|
||||
@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
|
||||
ASN1_OBJECT *policy_obj = NULL;
|
||||
ASN1_INTEGER *nonce_asn1 = NULL;
|
||||
|
||||
@ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644
|
||||
goto err;
|
||||
if ((ts_req = TS_REQ_new()) == NULL)
|
||||
goto err;
|
||||
diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
|
||||
index 078905a845..83b8fe4350 100644
|
||||
--- a/doc/man1/ts.pod
|
||||
+++ b/doc/man1/ts.pod
|
||||
@@ -517,7 +517,7 @@ included. Default is no. (Optional)
|
||||
diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
|
||||
--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100
|
||||
+++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100
|
||||
@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
|
||||
const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
|
||||
|
||||
if (md == NULL)
|
||||
- md = "sha1";
|
||||
+ md = "sha256";
|
||||
|
||||
cert_md = EVP_get_digestbyname(md);
|
||||
if (cert_md == NULL) {
|
||||
diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
|
||||
--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100
|
||||
@@ -518,7 +518,7 @@ included. Default is no. (Optional)
|
||||
=item B<ess_cert_id_alg>
|
||||
|
||||
This option specifies the hash function to be used to calculate the TSA's
|
||||
@ -24,21 +44,21 @@ index 078905a845..83b8fe4350 100644
|
||||
|
||||
=back
|
||||
|
||||
@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
|
||||
@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
|
||||
|
||||
=head2 Time Stamp Request
|
||||
|
||||
-To create a time stamp request for design1.txt with SHA-1
|
||||
+To create a time stamp request for design1.txt with SHA-256
|
||||
-To create a timestamp request for design1.txt with SHA-1
|
||||
+To create a timestamp request for design1.txt with SHA-256
|
||||
without nonce and policy and no certificate is required in the response:
|
||||
|
||||
openssl ts -query -data design1.txt -no_nonce \
|
||||
@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
|
||||
@@ -546,12 +546,12 @@ To print the content of the previous req
|
||||
|
||||
openssl ts -query -in design1.tsq -text
|
||||
|
||||
-To create a time stamp request which includes the MD-5 digest
|
||||
+To create a time stamp request which includes the SHA-512 digest
|
||||
-To create a timestamp request which includes the MD-5 digest
|
||||
+To create a timestamp request which includes the SHA-512 digest
|
||||
of design2.txt, requests the signer certificate and nonce,
|
||||
specifies a policy id (assuming the tsa_policy1 name is defined in the
|
||||
OID section of the config file):
|
||||
|
@ -4,9 +4,9 @@ diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.
|
||||
@@ -40,7 +40,7 @@ extern "C" {
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
# define OPENSSL_VERSION_NUMBER 0x1010107fL
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020"
|
||||
# define OPENSSL_VERSION_NUMBER 0x1010108fL
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h FIPS 22 Sep 2020"
|
||||
|
||||
/*-
|
||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
||||
|
13
openssl.spec
13
openssl.spec
@ -21,8 +21,8 @@
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1g
|
||||
Release: 15%{?dist}
|
||||
Version: 1.1.1h
|
||||
Release: 1%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -54,7 +54,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
|
||||
Patch40: openssl-1.1.1-disable-ssl3.patch
|
||||
Patch41: openssl-1.1.1-system-cipherlist.patch
|
||||
Patch42: openssl-1.1.1-fips.patch
|
||||
Patch43: openssl-1.1.1-ignore-bound.patch
|
||||
Patch44: openssl-1.1.1-version-override.patch
|
||||
Patch45: openssl-1.1.1-weak-ciphers.patch
|
||||
Patch46: openssl-1.1.1-seclevel.patch
|
||||
@ -69,7 +68,6 @@ Patch62: openssl-1.1.1-fips-curves.patch
|
||||
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
|
||||
Patch66: openssl-1.1.1-fips-dh.patch
|
||||
Patch67: openssl-1.1.1-kdf-selftest.patch
|
||||
Patch68: openssl-1.1.1-reneg-no-extms.patch
|
||||
Patch69: openssl-1.1.1-alpn-cb.patch
|
||||
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
|
||||
# Backported fixes including security fixes
|
||||
@ -167,7 +165,6 @@ cp %{SOURCE13} test/
|
||||
%patch40 -p1 -b .disable-ssl3
|
||||
%patch41 -p1 -b .system-cipherlist
|
||||
%patch42 -p1 -b .fips
|
||||
%patch43 -p1 -b .ignore-bound
|
||||
%patch44 -p1 -b .version-override
|
||||
%patch45 -p1 -b .weak-ciphers
|
||||
%patch46 -p1 -b .seclevel
|
||||
@ -186,7 +183,6 @@ cp %{SOURCE13} test/
|
||||
%patch65 -p1 -b .drbg-selftest
|
||||
%patch66 -p1 -b .fips-dh
|
||||
%patch67 -p1 -b .kdf-selftest
|
||||
%patch68 -p1 -b .reneg-no-extms
|
||||
%patch69 -p1 -b .alpn-cb
|
||||
%patch70 -p1 -b .rewire-fips-drbg
|
||||
|
||||
@ -428,6 +424,7 @@ export LD_LIBRARY_PATH
|
||||
%{_pkgdocdir}/Makefile.certificate
|
||||
%exclude %{_mandir}/man1*/*.pl*
|
||||
%exclude %{_mandir}/man1*/c_rehash*
|
||||
%exclude %{_mandir}/man1*/openssl-c_rehash*
|
||||
%exclude %{_mandir}/man1*/tsget*
|
||||
%exclude %{_mandir}/man1*/openssl-tsget*
|
||||
|
||||
@ -464,6 +461,7 @@ export LD_LIBRARY_PATH
|
||||
%{_bindir}/tsget
|
||||
%{_mandir}/man1*/*.pl*
|
||||
%{_mandir}/man1*/c_rehash*
|
||||
%{_mandir}/man1*/openssl-c_rehash*
|
||||
%{_mandir}/man1*/tsget*
|
||||
%{_mandir}/man1*/openssl-tsget*
|
||||
%dir %{_sysconfdir}/pki/CA
|
||||
@ -475,6 +473,9 @@ export LD_LIBRARY_PATH
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
|
||||
- Upgrade to version 1.1.1.h
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971
|
||||
SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908
|
||||
|
Loading…
Reference in New Issue
Block a user