#10 Upgrade to version 1.1.1h
Merged 2 years ago by tmraz. Opened 2 years ago by saprasad.
rpms/ saprasad/openssl master  into  master

file modified
+1
@@ -48,3 +48,4 @@ 

  /openssl-1.1.1e-hobbled.tar.xz

  /openssl-1.1.1f-hobbled.tar.xz

  /openssl-1.1.1g-hobbled.tar.xz

+ /openssl-1.1.1h-hobbled.tar.xz

file modified
+83 -1
@@ -1,5 +1,5 @@ 

  /*

-  * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.

+  * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.

   * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved

   *

   * Licensed under the OpenSSL license (the "License").  You may not use
@@ -1425,6 +1425,87 @@ 

      return ret;

  }

  

+ /*

+  * check the EC_METHOD respects the supplied EC_GROUP_set_generator G

+  */

+ static int custom_generator_test(int id)

+ {

+     int ret = 0, nid, bsize;

+     EC_GROUP *group = NULL;

+     EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;

+     BN_CTX *ctx = NULL;

+     BIGNUM *k = NULL;

+     unsigned char *b1 = NULL, *b2 = NULL;

+ 

+     /* Do some setup */

+     nid = curves[id].nid;

+     TEST_note("Curve %s", OBJ_nid2sn(nid));

+     if (!TEST_ptr(ctx = BN_CTX_new()))

+         return 0;

+ 

+     BN_CTX_start(ctx);

+ 

+     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))

+         goto err;

+ 

+     /* expected byte length of encoded points */

+     bsize = (EC_GROUP_get_degree(group) + 7) / 8;

+     bsize = 2 * bsize + 1;

+ 

+     if (!TEST_ptr(k = BN_CTX_get(ctx))

+         /* fetch a testing scalar k != 0,1 */

+         || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,

+                               BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))

+         /* make k even */

+         || !TEST_true(BN_clear_bit(k, 0))

+         || !TEST_ptr(G2 = EC_POINT_new(group))

+         || !TEST_ptr(Q1 = EC_POINT_new(group))

+         /* Q1 := kG */

+         || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))

+         /* pull out the bytes of that */

+         || !TEST_int_eq(EC_POINT_point2oct(group, Q1,

+                                            POINT_CONVERSION_UNCOMPRESSED, NULL,

+                                            0, ctx), bsize)

+         || !TEST_ptr(b1 = OPENSSL_malloc(bsize))

+         || !TEST_int_eq(EC_POINT_point2oct(group, Q1,

+                                            POINT_CONVERSION_UNCOMPRESSED, b1,

+                                            bsize, ctx), bsize)

+         /* new generator is G2 := 2G */

+         || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),

+                                    ctx))

+         || !TEST_true(EC_GROUP_set_generator(group, G2,

+                                              EC_GROUP_get0_order(group),

+                                              EC_GROUP_get0_cofactor(group)))

+         || !TEST_ptr(Q2 = EC_POINT_new(group))

+         || !TEST_true(BN_rshift1(k, k))

+         /* Q2 := k/2 G2 */

+         || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))

+         || !TEST_int_eq(EC_POINT_point2oct(group, Q2,

+                                            POINT_CONVERSION_UNCOMPRESSED, NULL,

+                                            0, ctx), bsize)

+         || !TEST_ptr(b2 = OPENSSL_malloc(bsize))

+         || !TEST_int_eq(EC_POINT_point2oct(group, Q2,

+                                            POINT_CONVERSION_UNCOMPRESSED, b2,

+                                            bsize, ctx), bsize)

+         /* Q1 = kG = k/2 G2 = Q2 should hold */

+         || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))

+         goto err;

+ 

+     ret = 1;

+ 

+  err:

+     BN_CTX_end(ctx);

+     EC_POINT_free(Q1);

+     EC_POINT_free(Q2);

+     EC_POINT_free(G2);

+     EC_GROUP_free(group);

+     BN_CTX_free(ctx);

+     OPENSSL_free(b1);

+     OPENSSL_free(b2);

+ 

+     return ret;

+ }

+ 

  #endif /* OPENSSL_NO_EC */

  

  int setup_tests(void)
@@ -1452,6 +1533,7 @@ 

  

      ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);

      ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);

+     ADD_ALL_TESTS(custom_generator_test, crv_len);

  #endif /* OPENSSL_NO_EC */

      return 1;

  }

file modified
+70 -14
@@ -1,6 +1,6 @@ 

- diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c

- --- openssl-1.1.1c/apps/speed.c.curves	2019-05-28 15:12:21.000000000 +0200

- +++ openssl-1.1.1c/apps/speed.c	2019-05-29 15:36:53.332224470 +0200

+ diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c

+ --- openssl-1.1.1h/apps/speed.c.curves	2020-09-22 14:55:07.000000000 +0200

+ +++ openssl-1.1.1h/apps/speed.c	2020-11-06 13:27:15.659288431 +0100

  @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];

   #endif /* OPENSSL_NO_RSA */

   
@@ -92,7 +92,7 @@ 

       {"ecdhx25519", R_EC_X25519},

       {"ecdhx448", R_EC_X448}

   };

- @@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)

+ @@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)

           unsigned int bits;

       } test_curves[] = {

           /* Prime Curves */
@@ -124,7 +124,7 @@ 

           /* Other and ECDH only ones */

           {"X25519", NID_X25519, 253},

           {"X448", NID_X448, 448}

- @@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)

+ @@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)

   #  endif

   

   #  ifndef OPENSSL_NO_EC
@@ -137,7 +137,7 @@ 

           ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;

           ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;

           if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)

- @@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)

+ @@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)

               }

           }

       }
@@ -146,7 +146,7 @@ 

       ecdsa_c[R_EC_K163][0] = count / 1000;

       ecdsa_c[R_EC_K163][1] = count / 1000 / 2;

       for (i = R_EC_K233; i <= R_EC_K571; i++) {

- @@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)

+ @@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)

       }

   #   endif

   
@@ -157,7 +157,7 @@ 

           ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;

           if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)

               ecdh_doit[i] = 0;

- @@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)

+ @@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)

               }

           }

       }
@@ -166,9 +166,9 @@ 

       ecdh_c[R_EC_K163][0] = count / 1000;

       for (i = R_EC_K233; i <= R_EC_K571; i++) {

           ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;

- diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c

- --- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves	2019-05-28 15:12:21.000000000 +0200

- +++ openssl-1.1.1c/crypto/ec/ecp_smpl.c	2019-05-29 15:30:09.071349520 +0200

+ diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c

+ --- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves	2020-09-22 14:55:07.000000000 +0200

+ +++ openssl-1.1.1h/crypto/ec/ecp_smpl.c	2020-11-06 13:27:15.659288431 +0100

  @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO

           return 0;

       }
@@ -181,9 +181,9 @@ 

       if (ctx == NULL) {

           ctx = new_ctx = BN_CTX_new();

           if (ctx == NULL)

- diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h

- --- openssl-1.1.1c/test/ecdsatest.h.curves	2019-05-29 15:30:09.010350595 +0200

- +++ openssl-1.1.1c/test/ecdsatest.h	2019-05-29 15:41:24.586444294 +0200

+ diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h

+ --- openssl-1.1.1h/test/ecdsatest.h.curves	2020-11-06 13:27:15.627288114 +0100

+ +++ openssl-1.1.1h/test/ecdsatest.h	2020-11-06 13:27:15.660288441 +0100

  @@ -32,23 +32,6 @@ typedef struct {

   } ecdsa_cavs_kat_t;

   
@@ -208,3 +208,59 @@ 

       /* prime KATs from NIST CAVP */

       {NID_secp224r1, NID_sha224,

        "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"

+ --- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves	2020-11-06 13:58:36.402895540 +0100

+ +++ openssl-1.1.1h/test/recipes/15-test_genec.t	2020-11-06 13:59:38.508484498 +0100

+ @@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport

+      if disabled("ec");

+  

+  my @prime_curves = qw(

+ -    secp112r1

+ -    secp112r2

+ -    secp128r1

+ -    secp128r2

+ -    secp160k1

+ -    secp160r1

+ -    secp160r2

+ -    secp192k1

+ -    secp224k1

+      secp224r1

+      secp256k1

+      secp384r1

+      secp521r1

+ -    prime192v1

+ -    prime192v2

+ -    prime192v3

+ -    prime239v1

+ -    prime239v2

+ -    prime239v3

+      prime256v1

+ -    wap-wsg-idm-ecid-wtls6

+ -    wap-wsg-idm-ecid-wtls7

+ -    wap-wsg-idm-ecid-wtls8

+ -    wap-wsg-idm-ecid-wtls9

+ -    wap-wsg-idm-ecid-wtls12

+ -    brainpoolP160r1

+ -    brainpoolP160t1

+ -    brainpoolP192r1

+ -    brainpoolP192t1

+ -    brainpoolP224r1

+ -    brainpoolP224t1

+ -    brainpoolP256r1

+ -    brainpoolP256t1

+ -    brainpoolP320r1

+ -    brainpoolP320t1

+ -    brainpoolP384r1

+ -    brainpoolP384t1

+ -    brainpoolP512r1

+ -    brainpoolP512t1

+  );

+  

+  my @binary_curves = qw(

+ @@ -115,7 +81,6 @@ push(@other_curves, 'SM2')

+      if !disabled("sm2");

+  

+  my @curve_aliases = qw(

+ -    P-192

+      P-224

+      P-256

+      P-384

file modified
+11 -86
@@ -2716,91 +2716,16 @@ 

       return ret;

   }

   #endif

- diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c

- --- openssl-1.1.1g/ssl/t1_lib.c.fips-dh	2020-07-17 10:36:29.243788425 +0200

- +++ openssl-1.1.1g/ssl/t1_lib.c	2020-07-17 10:36:29.249788474 +0200

- @@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP

-  #ifndef OPENSSL_NO_DH

-  DH *ssl_get_auto_dh(SSL *s)

-  {

- +    DH *dhp = NULL;

- +    BIGNUM *p = NULL, *g = NULL;

-      int dh_secbits = 80;

- -    if (s->cert->dh_tmp_auto == 2)

- -        return DH_get_1024_160();

- -    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {

- -        if (s->s3->tmp.new_cipher->strength_bits == 256)

- -            dh_secbits = 128;

- -        else

- -            dh_secbits = 80;

- -    } else {

- -        if (s->s3->tmp.cert == NULL)

- -            return NULL;

- -        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);

- +    if (s->cert->dh_tmp_auto != 2) {

- +        if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {

- +            if (s->s3->tmp.new_cipher->strength_bits == 256)

- +                dh_secbits = 128;

- +            else

- +                dh_secbits = 80;

- +        } else {

- +            if (s->s3->tmp.cert == NULL)

- +                return NULL;

- +            dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);

- +        }

-      }

   

- -    if (dh_secbits >= 128) {

- -        DH *dhp = DH_new();

- -        BIGNUM *p, *g;

- -        if (dhp == NULL)

- -            return NULL;

- -        g = BN_new();

- -        if (g == NULL || !BN_set_word(g, 2)) {

- -            DH_free(dhp);

- -            BN_free(g);

- -            return NULL;

- -        }

- -        if (dh_secbits >= 192)

- -            p = BN_get_rfc3526_prime_8192(NULL);

- -        else

- -            p = BN_get_rfc3526_prime_3072(NULL);

- -        if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {

- -            DH_free(dhp);

- -            BN_free(p);

- -            BN_free(g);

- -            return NULL;

- -        }

- -        return dhp;

- +    dhp = DH_new();

- +    if (dhp == NULL)

- +        return NULL;

- +    g = BN_new();

- +    if (g == NULL || !BN_set_word(g, 2)) {

- +        DH_free(dhp);

- +        BN_free(g);

- +        return NULL;

- +    }

- +    if (dh_secbits >= 192)

- +        p = BN_get_rfc3526_prime_8192(NULL);

- +    else if (dh_secbits >= 152)

- +        p = BN_get_rfc3526_prime_4096(NULL);

- +    else if (dh_secbits >= 128)

- +        p = BN_get_rfc3526_prime_3072(NULL);

+ diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c

+ --- openssl-1.1.1h/ssl/t1_lib.c.fips-dh	2020-11-04 14:04:41.851711629 +0100

+ +++ openssl-1.1.1h/ssl/t1_lib.c	2020-11-04 14:06:06.506431652 +0100

+ @@ -2470,7 +2470,7 @@

+          p = BN_get_rfc3526_prime_4096(NULL);

+      else if (dh_secbits >= 128)

+          p = BN_get_rfc3526_prime_3072(NULL);

+ -    else if (dh_secbits >= 112)

  +    else if (dh_secbits >= 112 || FIPS_mode())

- +        p = BN_get_rfc3526_prime_2048(NULL);

- +    else

- +        p = BN_get_rfc2409_prime_1024(NULL);

- +    if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {

- +        DH_free(dhp);

- +        BN_free(p);

- +        BN_free(g);

- +        return NULL;

-      }

- -    if (dh_secbits >= 112)

- -        return DH_get_2048_224();

- -    return DH_get_1024_160();

- +    return dhp;

-  }

-  #endif

-  

+          p = BN_get_rfc3526_prime_2048(NULL);

+      else

+          p = BN_get_rfc2409_prime_1024(NULL);

file modified
+4 -4
@@ -11614,10 +11614,10 @@ 

  diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num

  --- openssl-1.1.1e/util/libcrypto.num.fips	2020-03-17 17:31:10.744241038 +0100

  +++ openssl-1.1.1e/util/libcrypto.num	2020-03-17 17:32:37.851722261 +0100

- @@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify

-  EVP_PKEY_meth_get_digestverify          4541	1_1_1e	EXIST::FUNCTION:

-  EVP_PKEY_meth_get_digestsign            4542	1_1_1e	EXIST::FUNCTION:

-  RSA_get0_pss_params                     4543	1_1_1e	EXIST::FUNCTION:RSA

+ @@ -4590,3 +4590,38 @@ X509_ALGOR_copy

+  X509_REQ_set0_signature                 4545	1_1_1h	EXIST::FUNCTION:

+  X509_REQ_set1_signature_algo            4546	1_1_1h	EXIST::FUNCTION:

+  EC_KEY_decoded_from_explicit_params     4547	1_1_1h	EXIST::FUNCTION:EC

  +FIPS_drbg_reseed                        6348	1_1_0g	EXIST::FUNCTION:

  +FIPS_selftest_check                     6349	1_1_0g	EXIST::FUNCTION:

  +FIPS_rand_set_method                    6350	1_1_0g	EXIST::FUNCTION:

@@ -1,14 +0,0 @@ 

- Do not return failure when setting version bound on fixed protocol

- version method.

- diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c

- --- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound	2018-06-20 16:48:13.000000000 +0200

- +++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c	2018-08-13 11:07:52.826304045 +0200

- @@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver

-           * methods are not subject to controls that disable individual protocol

-           * versions.

-           */

- -        return 0;

- +        return 1;

-  

-      case TLS_ANY_VERSION:

-          if (version < SSL3_VERSION || version > TLS_MAX_VERSION)

@@ -1,44 +0,0 @@ 

- diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h

- --- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200

- +++ openssl-1.1.1g/include/openssl/ssl3.h	2020-06-05 15:20:22.090682776 +0200

- @@ -292,6 +292,9 @@ extern "C" {

-  

-  # define TLS1_FLAGS_STATELESS                    0x0800

-  

- +/* Set if extended master secret extension required on renegotiation */

- +# define TLS1_FLAGS_REQUIRED_EXTMS               0x1000

- +

-  # define SSL3_MT_HELLO_REQUEST                   0

-  # define SSL3_MT_CLIENT_HELLO                    1

-  # define SSL3_MT_SERVER_HELLO                    2

- diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c

- --- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200

- +++ openssl-1.1.1g/ssl/statem/extensions.c	2020-06-05 15:22:19.677653437 +0200

- @@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int

-  

-  static int init_ems(SSL *s, unsigned int context)

-  {

- -    if (!s->server)

- +    if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {

-          s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;

- +        s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;

- +    }

-  

-      return 1;

-  }

-  

-  static int final_ems(SSL *s, unsigned int context, int sent)

-  {

- +    /*

- +     * Check extended master secret extension is not dropped on

- +     * renegotiation.

- +     */

- +    if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)

- +        && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {

- +        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,

- +                 SSL_R_INCONSISTENT_EXTMS);

- +        return 0;

- +    }

-      if (!s->server && s->hit) {

-          /*

-           * Check extended master secret extension is consistent with

@@ -1,8 +1,17 @@ 

- diff --git a/apps/ts.c b/apps/ts.c

- index 63c5210183..4ef8a72eef 100644

- --- a/apps/ts.c

- +++ b/apps/ts.c

- @@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,

+ diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf

+ --- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default	2020-11-06 11:07:28.850100899 +0100

+ +++ openssl-1.1.1h/apps/openssl.cnf	2020-11-06 11:11:28.042913791 +0100

+ @@ -364,5 +348,5 @@ tsa_name		= yes	# Must the TSA name be i

+  				# (optional, default: no)

+  ess_cert_id_chain	= no	# Must the ESS cert id chain be included?

+  				# (optional, default: no)

+ -ess_cert_id_alg		= sha1	# algorithm to compute certificate

+ +ess_cert_id_alg		= sha256	# algorithm to compute certificate

+  				# identifier (optional, default: sha1)

+ diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c

+ --- openssl-1.1.1h/apps/ts.c.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200

+ +++ openssl-1.1.1h/apps/ts.c	2020-11-06 11:07:28.883101220 +0100

+ @@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi

       ASN1_OBJECT *policy_obj = NULL;

       ASN1_INTEGER *nonce_asn1 = NULL;

   
@@ -11,11 +20,22 @@ 

           goto err;

       if ((ts_req = TS_REQ_new()) == NULL)

           goto err;

- diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod

- index 078905a845..83b8fe4350 100644

- --- a/doc/man1/ts.pod

- +++ b/doc/man1/ts.pod

- @@ -517,7 +517,7 @@ included. Default is no. (Optional)

+ diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c

+ --- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default	2020-11-06 12:03:51.226372867 +0100

+ +++ openssl-1.1.1h/crypto/ts/ts_conf.c	2020-11-06 12:04:01.713488990 +0100

+ @@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF

+      const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);

+  

+      if (md == NULL)

+ -        md = "sha1";

+ +        md = "sha256";

+  

+      cert_md = EVP_get_digestbyname(md);

+      if (cert_md == NULL) {

+ diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod

+ --- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200

+ +++ openssl-1.1.1h/doc/man1/ts.pod	2020-11-06 11:07:28.883101220 +0100

+ @@ -518,7 +518,7 @@ included. Default is no. (Optional)

   =item B<ess_cert_id_alg>

   

   This option specifies the hash function to be used to calculate the TSA's
@@ -24,21 +44,21 @@ 

   

   =back

   

- @@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.

+ @@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.

   

   =head2 Time Stamp Request

   

- -To create a time stamp request for design1.txt with SHA-1

- +To create a time stamp request for design1.txt with SHA-256

+ -To create a timestamp request for design1.txt with SHA-1

+ +To create a timestamp request for design1.txt with SHA-256

   without nonce and policy and no certificate is required in the response:

   

     openssl ts -query -data design1.txt -no_nonce \

- @@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:

+ @@ -546,12 +546,12 @@ To print the content of the previous req

   

     openssl ts -query -in design1.tsq -text

   

- -To create a time stamp request which includes the MD-5 digest

- +To create a time stamp request which includes the SHA-512 digest

+ -To create a timestamp request which includes the MD-5 digest

+ +To create a timestamp request which includes the SHA-512 digest

   of design2.txt, requests the signer certificate and nonce,

   specifies a policy id (assuming the tsa_policy1 name is defined in the

   OID section of the config file):

@@ -4,9 +4,9 @@ 

  @@ -40,7 +40,7 @@ extern "C" {

    *  major minor fix final patch/beta)

    */

-  # define OPENSSL_VERSION_NUMBER  0x1010107fL

- -# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1g  21 Apr 2020"

- +# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1g FIPS  21 Apr 2020"

+  # define OPENSSL_VERSION_NUMBER  0x1010108fL

+ -# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h  22 Sep 2020"

+ +# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h FIPS 22 Sep 2020"

   

   /*-

    * The macros below are to be used for shared library (.so, .dll, ...)

file modified
+5 -6
@@ -21,8 +21,8 @@ 

  

  Summary: Utilities from the general purpose cryptography library with TLS implementation

  Name: openssl

- Version: 1.1.1g

- Release: 15%{?dist}

+ Version: 1.1.1h

+ Release: 1%{?dist}

  Epoch: 1

  # We have to remove certain patented algorithms from the openssl source

  # tarball with the hobble-openssl script which is included below.
@@ -54,7 +54,6 @@ 

  Patch40: openssl-1.1.1-disable-ssl3.patch

  Patch41: openssl-1.1.1-system-cipherlist.patch

  Patch42: openssl-1.1.1-fips.patch

- Patch43: openssl-1.1.1-ignore-bound.patch

  Patch44: openssl-1.1.1-version-override.patch

  Patch45: openssl-1.1.1-weak-ciphers.patch

  Patch46: openssl-1.1.1-seclevel.patch
@@ -69,7 +68,6 @@ 

  Patch65: openssl-1.1.1-fips-drbg-selftest.patch

  Patch66: openssl-1.1.1-fips-dh.patch

  Patch67: openssl-1.1.1-kdf-selftest.patch

- Patch68: openssl-1.1.1-reneg-no-extms.patch

  Patch69: openssl-1.1.1-alpn-cb.patch

  Patch70: openssl-1.1.1-rewire-fips-drbg.patch

  # Backported fixes including security fixes
@@ -167,7 +165,6 @@ 

  %patch40 -p1 -b .disable-ssl3

  %patch41 -p1 -b .system-cipherlist

  %patch42 -p1 -b .fips

- %patch43 -p1 -b .ignore-bound

  %patch44 -p1 -b .version-override

  %patch45 -p1 -b .weak-ciphers

  %patch46 -p1 -b .seclevel
@@ -186,7 +183,6 @@ 

  %patch65 -p1 -b .drbg-selftest

  %patch66 -p1 -b .fips-dh

  %patch67 -p1 -b .kdf-selftest

- %patch68 -p1 -b .reneg-no-extms

  %patch69 -p1 -b .alpn-cb

  %patch70 -p1 -b .rewire-fips-drbg

  
@@ -477,6 +473,9 @@ 

  %ldconfig_scriptlets libs

  

  %changelog

+ * Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1

+ - Upgrade to version 1.1.1.h

+ 

  * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

  

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971

+ SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908