rpms / openssl

Clone
Source Code
GIT

#10 Upgrade to version 1.1.1h
Merged 3 years ago by tmraz. Opened 3 years ago by saprasad.
rpms/ saprasad/openssl master  into  master

file modified
+1 
@@ -48,3 +48,4 @@ 
 

  /openssl-1.1.1e-hobbled.tar.xz
 

  /openssl-1.1.1f-hobbled.tar.xz
 

  /openssl-1.1.1g-hobbled.tar.xz
 

+ /openssl-1.1.1h-hobbled.tar.xz

file modified
+83 -1 
@@ -1,5 +1,5 @@ 
 

  /*
 

-  * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
 

+  * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
 

   * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 

   *
 

   * Licensed under the OpenSSL license (the "License").  You may not use
 
@@ -1425,6 +1425,87 @@ 
 

      return ret;
 

  }
 

  

+ /*
 

+  * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
 

+  */
 

+ static int custom_generator_test(int id)
 

+ {
 

+     int ret = 0, nid, bsize;
 

+     EC_GROUP *group = NULL;
 

+     EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
 

+     BN_CTX *ctx = NULL;
 

+     BIGNUM *k = NULL;
 

+     unsigned char *b1 = NULL, *b2 = NULL;
 

+ 

+     /* Do some setup */
 

+     nid = curves[id].nid;
 

+     TEST_note("Curve %s", OBJ_nid2sn(nid));
 

+     if (!TEST_ptr(ctx = BN_CTX_new()))
 

+         return 0;
 

+ 

+     BN_CTX_start(ctx);
 

+ 

+     if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
 

+         goto err;
 

+ 

+     /* expected byte length of encoded points */
 

+     bsize = (EC_GROUP_get_degree(group) + 7) / 8;
 

+     bsize = 2 * bsize + 1;
 

+ 

+     if (!TEST_ptr(k = BN_CTX_get(ctx))
 

+         /* fetch a testing scalar k != 0,1 */
 

+         || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
 

+                               BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
 

+         /* make k even */
 

+         || !TEST_true(BN_clear_bit(k, 0))
 

+         || !TEST_ptr(G2 = EC_POINT_new(group))
 

+         || !TEST_ptr(Q1 = EC_POINT_new(group))
 

+         /* Q1 := kG */
 

+         || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
 

+         /* pull out the bytes of that */
 

+         || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
 

+                                            POINT_CONVERSION_UNCOMPRESSED, NULL,
 

+                                            0, ctx), bsize)
 

+         || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
 

+         || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
 

+                                            POINT_CONVERSION_UNCOMPRESSED, b1,
 

+                                            bsize, ctx), bsize)
 

+         /* new generator is G2 := 2G */
 

+         || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
 

+                                    ctx))
 

+         || !TEST_true(EC_GROUP_set_generator(group, G2,
 

+                                              EC_GROUP_get0_order(group),
 

+                                              EC_GROUP_get0_cofactor(group)))
 

+         || !TEST_ptr(Q2 = EC_POINT_new(group))
 

+         || !TEST_true(BN_rshift1(k, k))
 

+         /* Q2 := k/2 G2 */
 

+         || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
 

+         || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
 

+                                            POINT_CONVERSION_UNCOMPRESSED, NULL,
 

+                                            0, ctx), bsize)
 

+         || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
 

+         || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
 

+                                            POINT_CONVERSION_UNCOMPRESSED, b2,
 

+                                            bsize, ctx), bsize)
 

+         /* Q1 = kG = k/2 G2 = Q2 should hold */
 

+         || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
 

+         goto err;
 

+ 

+     ret = 1;
 

+ 

+  err:
 

+     BN_CTX_end(ctx);
 

+     EC_POINT_free(Q1);
 

+     EC_POINT_free(Q2);
 

+     EC_POINT_free(G2);
 

+     EC_GROUP_free(group);
 

+     BN_CTX_free(ctx);
 

+     OPENSSL_free(b1);
 

+     OPENSSL_free(b2);
 

+ 

+     return ret;
 

+ }
 

+ 

  #endif /* OPENSSL_NO_EC */
 

  

  int setup_tests(void)
 
@@ -1452,6 +1533,7 @@ 
 

  

      ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
 

      ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
 

+     ADD_ALL_TESTS(custom_generator_test, crv_len);
 

  #endif /* OPENSSL_NO_EC */
 

      return 1;
 

  }

file modified
+70 -14 
@@ -1,6 +1,6 @@ 
 

- diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
 

- --- openssl-1.1.1c/apps/speed.c.curves	2019-05-28 15:12:21.000000000 +0200
 

- +++ openssl-1.1.1c/apps/speed.c	2019-05-29 15:36:53.332224470 +0200
 

+ diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
 

+ --- openssl-1.1.1h/apps/speed.c.curves	2020-09-22 14:55:07.000000000 +0200
 

+ +++ openssl-1.1.1h/apps/speed.c	2020-11-06 13:27:15.659288431 +0100
 

  @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
 

   #endif /* OPENSSL_NO_RSA */
 

   
@@ -92,7 +92,7 @@ 
 

       {"ecdhx25519", R_EC_X25519},
 

       {"ecdhx448", R_EC_X448}
 

   };
 

- @@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
 

+ @@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
 

           unsigned int bits;
 

       } test_curves[] = {
 

           /* Prime Curves */
 
@@ -124,7 +124,7 @@ 
 

           /* Other and ECDH only ones */
 

           {"X25519", NID_X25519, 253},
 

           {"X448", NID_X448, 448}
 

- @@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
 

+ @@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
 

   #  endif
 

   

   #  ifndef OPENSSL_NO_EC
 
@@ -137,7 +137,7 @@ 
 

           ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
 

           ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
 

           if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
 

- @@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
 

+ @@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
 

               }
 

           }
 

       }
 
@@ -146,7 +146,7 @@ 
 

       ecdsa_c[R_EC_K163][0] = count / 1000;
 

       ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
 

       for (i = R_EC_K233; i <= R_EC_K571; i++) {
 

- @@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
 

+ @@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
 

       }
 

   #   endif
 

   
@@ -157,7 +157,7 @@ 
 

           ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
 

           if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
 

               ecdh_doit[i] = 0;
 

- @@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
 

+ @@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
 

               }
 

           }
 

       }
 
@@ -166,9 +166,9 @@ 
 

       ecdh_c[R_EC_K163][0] = count / 1000;
 

       for (i = R_EC_K233; i <= R_EC_K571; i++) {
 

           ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
 

- diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
 

- --- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves	2019-05-28 15:12:21.000000000 +0200
 

- +++ openssl-1.1.1c/crypto/ec/ecp_smpl.c	2019-05-29 15:30:09.071349520 +0200
 

+ diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
 

+ --- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves	2020-09-22 14:55:07.000000000 +0200
 

+ +++ openssl-1.1.1h/crypto/ec/ecp_smpl.c	2020-11-06 13:27:15.659288431 +0100
 

  @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
 

           return 0;
 

       }
 
@@ -181,9 +181,9 @@ 
 

       if (ctx == NULL) {
 

           ctx = new_ctx = BN_CTX_new();
 

           if (ctx == NULL)
 

- diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
 

- --- openssl-1.1.1c/test/ecdsatest.h.curves	2019-05-29 15:30:09.010350595 +0200
 

- +++ openssl-1.1.1c/test/ecdsatest.h	2019-05-29 15:41:24.586444294 +0200
 

+ diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
 

+ --- openssl-1.1.1h/test/ecdsatest.h.curves	2020-11-06 13:27:15.627288114 +0100
 

+ +++ openssl-1.1.1h/test/ecdsatest.h	2020-11-06 13:27:15.660288441 +0100
 

  @@ -32,23 +32,6 @@ typedef struct {
 

   } ecdsa_cavs_kat_t;
 

   
@@ -208,3 +208,59 @@ 
 

       /* prime KATs from NIST CAVP */
 

       {NID_secp224r1, NID_sha224,
 

        "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
 

+ --- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves	2020-11-06 13:58:36.402895540 +0100
 

+ +++ openssl-1.1.1h/test/recipes/15-test_genec.t	2020-11-06 13:59:38.508484498 +0100
 

+ @@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
 

+      if disabled("ec");
 

+  

+  my @prime_curves = qw(
 

+ -    secp112r1
 

+ -    secp112r2
 

+ -    secp128r1
 

+ -    secp128r2
 

+ -    secp160k1
 

+ -    secp160r1
 

+ -    secp160r2
 

+ -    secp192k1
 

+ -    secp224k1
 

+      secp224r1
 

+      secp256k1
 

+      secp384r1
 

+      secp521r1
 

+ -    prime192v1
 

+ -    prime192v2
 

+ -    prime192v3
 

+ -    prime239v1
 

+ -    prime239v2
 

+ -    prime239v3
 

+      prime256v1
 

+ -    wap-wsg-idm-ecid-wtls6
 

+ -    wap-wsg-idm-ecid-wtls7
 

+ -    wap-wsg-idm-ecid-wtls8
 

+ -    wap-wsg-idm-ecid-wtls9
 

+ -    wap-wsg-idm-ecid-wtls12
 

+ -    brainpoolP160r1
 

+ -    brainpoolP160t1
 

+ -    brainpoolP192r1
 

+ -    brainpoolP192t1
 

+ -    brainpoolP224r1
 

+ -    brainpoolP224t1
 

+ -    brainpoolP256r1
 

+ -    brainpoolP256t1
 

+ -    brainpoolP320r1
 

+ -    brainpoolP320t1
 

+ -    brainpoolP384r1
 

+ -    brainpoolP384t1
 

+ -    brainpoolP512r1
 

+ -    brainpoolP512t1
 

+  );
 

+  

+  my @binary_curves = qw(
 

+ @@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
 

+      if !disabled("sm2");
 

+  

+  my @curve_aliases = qw(
 

+ -    P-192
 

+      P-224
 

+      P-256
 

+      P-384

file modified
+11 -86 
@@ -2716,91 +2716,16 @@ 
 

       return ret;
 

   }
 

   #endif
 

- diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
 

- --- openssl-1.1.1g/ssl/t1_lib.c.fips-dh	2020-07-17 10:36:29.243788425 +0200
 

- +++ openssl-1.1.1g/ssl/t1_lib.c	2020-07-17 10:36:29.249788474 +0200
 

- @@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
 

-  #ifndef OPENSSL_NO_DH
 

-  DH *ssl_get_auto_dh(SSL *s)
 

-  {
 

- +    DH *dhp = NULL;
 

- +    BIGNUM *p = NULL, *g = NULL;
 

-      int dh_secbits = 80;
 

- -    if (s->cert->dh_tmp_auto == 2)
 

- -        return DH_get_1024_160();
 

- -    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
 

- -        if (s->s3->tmp.new_cipher->strength_bits == 256)
 

- -            dh_secbits = 128;
 

- -        else
 

- -            dh_secbits = 80;
 

- -    } else {
 

- -        if (s->s3->tmp.cert == NULL)
 

- -            return NULL;
 

- -        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
 

- +    if (s->cert->dh_tmp_auto != 2) {
 

- +        if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
 

- +            if (s->s3->tmp.new_cipher->strength_bits == 256)
 

- +                dh_secbits = 128;
 

- +            else
 

- +                dh_secbits = 80;
 

- +        } else {
 

- +            if (s->s3->tmp.cert == NULL)
 

- +                return NULL;
 

- +            dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
 

- +        }
 

-      }
 

   

- -    if (dh_secbits >= 128) {
 

- -        DH *dhp = DH_new();
 

- -        BIGNUM *p, *g;
 

- -        if (dhp == NULL)
 

- -            return NULL;
 

- -        g = BN_new();
 

- -        if (g == NULL || !BN_set_word(g, 2)) {
 

- -            DH_free(dhp);
 

- -            BN_free(g);
 

- -            return NULL;
 

- -        }
 

- -        if (dh_secbits >= 192)
 

- -            p = BN_get_rfc3526_prime_8192(NULL);
 

- -        else
 

- -            p = BN_get_rfc3526_prime_3072(NULL);
 

- -        if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
 

- -            DH_free(dhp);
 

- -            BN_free(p);
 

- -            BN_free(g);
 

- -            return NULL;
 

- -        }
 

- -        return dhp;
 

- +    dhp = DH_new();
 

- +    if (dhp == NULL)
 

- +        return NULL;
 

- +    g = BN_new();
 

- +    if (g == NULL || !BN_set_word(g, 2)) {
 

- +        DH_free(dhp);
 

- +        BN_free(g);
 

- +        return NULL;
 

- +    }
 

- +    if (dh_secbits >= 192)
 

- +        p = BN_get_rfc3526_prime_8192(NULL);
 

- +    else if (dh_secbits >= 152)
 

- +        p = BN_get_rfc3526_prime_4096(NULL);
 

- +    else if (dh_secbits >= 128)
 

- +        p = BN_get_rfc3526_prime_3072(NULL);
 

+ diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c
 

+ --- openssl-1.1.1h/ssl/t1_lib.c.fips-dh	2020-11-04 14:04:41.851711629 +0100
 

+ +++ openssl-1.1.1h/ssl/t1_lib.c	2020-11-04 14:06:06.506431652 +0100
 

+ @@ -2470,7 +2470,7 @@
 

+          p = BN_get_rfc3526_prime_4096(NULL);
 

+      else if (dh_secbits >= 128)
 

+          p = BN_get_rfc3526_prime_3072(NULL);
 

+ -    else if (dh_secbits >= 112)
 

  +    else if (dh_secbits >= 112 || FIPS_mode())
 

- +        p = BN_get_rfc3526_prime_2048(NULL);
 

- +    else
 

- +        p = BN_get_rfc2409_prime_1024(NULL);
 

- +    if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
 

- +        DH_free(dhp);
 

- +        BN_free(p);
 

- +        BN_free(g);
 

- +        return NULL;
 

-      }
 

- -    if (dh_secbits >= 112)
 

- -        return DH_get_2048_224();
 

- -    return DH_get_1024_160();
 

- +    return dhp;
 

-  }
 

-  #endif
 

-  

+          p = BN_get_rfc3526_prime_2048(NULL);
 

+      else
 

+          p = BN_get_rfc2409_prime_1024(NULL);

file modified
+4 -4 
@@ -11614,10 +11614,10 @@ 
 

  diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num
 

  --- openssl-1.1.1e/util/libcrypto.num.fips	2020-03-17 17:31:10.744241038 +0100
 

  +++ openssl-1.1.1e/util/libcrypto.num	2020-03-17 17:32:37.851722261 +0100
 

- @@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify
 

-  EVP_PKEY_meth_get_digestverify          4541	1_1_1e	EXIST::FUNCTION:
 

-  EVP_PKEY_meth_get_digestsign            4542	1_1_1e	EXIST::FUNCTION:
 

-  RSA_get0_pss_params                     4543	1_1_1e	EXIST::FUNCTION:RSA
 

+ @@ -4590,3 +4590,38 @@ X509_ALGOR_copy
 

+  X509_REQ_set0_signature                 4545	1_1_1h	EXIST::FUNCTION:
 

+  X509_REQ_set1_signature_algo            4546	1_1_1h	EXIST::FUNCTION:
 

+  EC_KEY_decoded_from_explicit_params     4547	1_1_1h	EXIST::FUNCTION:EC
 

  +FIPS_drbg_reseed                        6348	1_1_0g	EXIST::FUNCTION:
 

  +FIPS_selftest_check                     6349	1_1_0g	EXIST::FUNCTION:
 

  +FIPS_rand_set_method                    6350	1_1_0g	EXIST::FUNCTION:

file removed
-14 
@@ -1,14 +0,0 @@ 
 

- Do not return failure when setting version bound on fixed protocol
 

- version method.
 

- diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
 

- --- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound	2018-06-20 16:48:13.000000000 +0200
 

- +++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c	2018-08-13 11:07:52.826304045 +0200
 

- @@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
 

-           * methods are not subject to controls that disable individual protocol
 

-           * versions.
 

-           */
 

- -        return 0;
 

- +        return 1;
 

-  

-      case TLS_ANY_VERSION:
 

-          if (version < SSL3_VERSION || version > TLS_MAX_VERSION)

file removed
-44 
@@ -1,44 +0,0 @@ 
 

- diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
 

- --- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200
 

- +++ openssl-1.1.1g/include/openssl/ssl3.h	2020-06-05 15:20:22.090682776 +0200
 

- @@ -292,6 +292,9 @@ extern "C" {
 

-  

-  # define TLS1_FLAGS_STATELESS                    0x0800
 

-  

- +/* Set if extended master secret extension required on renegotiation */
 

- +# define TLS1_FLAGS_REQUIRED_EXTMS               0x1000
 

- +
 

-  # define SSL3_MT_HELLO_REQUEST                   0
 

-  # define SSL3_MT_CLIENT_HELLO                    1
 

-  # define SSL3_MT_SERVER_HELLO                    2
 

- diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
 

- --- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200
 

- +++ openssl-1.1.1g/ssl/statem/extensions.c	2020-06-05 15:22:19.677653437 +0200
 

- @@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
 

-  

-  static int init_ems(SSL *s, unsigned int context)
 

-  {
 

- -    if (!s->server)
 

- +    if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
 

-          s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
 

- +        s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
 

- +    }
 

-  

-      return 1;
 

-  }
 

-  

-  static int final_ems(SSL *s, unsigned int context, int sent)
 

-  {
 

- +    /*
 

- +     * Check extended master secret extension is not dropped on
 

- +     * renegotiation.
 

- +     */
 

- +    if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
 

- +        && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
 

- +        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
 

- +                 SSL_R_INCONSISTENT_EXTMS);
 

- +        return 0;
 

- +    }
 

-      if (!s->server && s->hit) {
 

-          /*
 

-           * Check extended master secret extension is consistent with

file modified
+36 -16 
@@ -1,8 +1,17 @@ 
 

- diff --git a/apps/ts.c b/apps/ts.c
 

- index 63c5210183..4ef8a72eef 100644
 

- --- a/apps/ts.c
 

- +++ b/apps/ts.c
 

- @@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
 

+ diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
 

+ --- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default	2020-11-06 11:07:28.850100899 +0100
 

+ +++ openssl-1.1.1h/apps/openssl.cnf	2020-11-06 11:11:28.042913791 +0100
 

+ @@ -364,5 +348,5 @@ tsa_name		= yes	# Must the TSA name be i
 

+  				# (optional, default: no)
 

+  ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 

+  				# (optional, default: no)
 

+ -ess_cert_id_alg		= sha1	# algorithm to compute certificate
 

+ +ess_cert_id_alg		= sha256	# algorithm to compute certificate
 

+  				# identifier (optional, default: sha1)
 

+ diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
 

+ --- openssl-1.1.1h/apps/ts.c.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
 

+ +++ openssl-1.1.1h/apps/ts.c	2020-11-06 11:07:28.883101220 +0100
 

+ @@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
 

       ASN1_OBJECT *policy_obj = NULL;
 

       ASN1_INTEGER *nonce_asn1 = NULL;
 

   
@@ -11,11 +20,22 @@ 
 

           goto err;
 

       if ((ts_req = TS_REQ_new()) == NULL)
 

           goto err;
 

- diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
 

- index 078905a845..83b8fe4350 100644
 

- --- a/doc/man1/ts.pod
 

- +++ b/doc/man1/ts.pod
 

- @@ -517,7 +517,7 @@ included. Default is no. (Optional)
 

+ diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
 

+ --- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default	2020-11-06 12:03:51.226372867 +0100
 

+ +++ openssl-1.1.1h/crypto/ts/ts_conf.c	2020-11-06 12:04:01.713488990 +0100
 

+ @@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
 

+      const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
 

+  

+      if (md == NULL)
 

+ -        md = "sha1";
 

+ +        md = "sha256";
 

+  

+      cert_md = EVP_get_digestbyname(md);
 

+      if (cert_md == NULL) {
 

+ diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
 

+ --- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
 

+ +++ openssl-1.1.1h/doc/man1/ts.pod	2020-11-06 11:07:28.883101220 +0100
 

+ @@ -518,7 +518,7 @@ included. Default is no. (Optional)
 

   =item B<ess_cert_id_alg>
 

   

   This option specifies the hash function to be used to calculate the TSA's
 
@@ -24,21 +44,21 @@ 
 

   

   =back
 

   

- @@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
 

+ @@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
 

   

   =head2 Time Stamp Request
 

   

- -To create a time stamp request for design1.txt with SHA-1
 

- +To create a time stamp request for design1.txt with SHA-256
 

+ -To create a timestamp request for design1.txt with SHA-1
 

+ +To create a timestamp request for design1.txt with SHA-256
 

   without nonce and policy and no certificate is required in the response:
 

   

     openssl ts -query -data design1.txt -no_nonce \
 

- @@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
 

+ @@ -546,12 +546,12 @@ To print the content of the previous req
 

   

     openssl ts -query -in design1.tsq -text
 

   

- -To create a time stamp request which includes the MD-5 digest
 

- +To create a time stamp request which includes the SHA-512 digest
 

+ -To create a timestamp request which includes the MD-5 digest
 

+ +To create a timestamp request which includes the SHA-512 digest
 

   of design2.txt, requests the signer certificate and nonce,
 

   specifies a policy id (assuming the tsa_policy1 name is defined in the
 

   OID section of the config file):

file modified
+3 -3 
@@ -4,9 +4,9 @@ 
 

  @@ -40,7 +40,7 @@ extern "C" {
 

    *  major minor fix final patch/beta)
 

    */
 

-  # define OPENSSL_VERSION_NUMBER  0x1010107fL
 

- -# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1g  21 Apr 2020"
 

- +# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1g FIPS  21 Apr 2020"
 

+  # define OPENSSL_VERSION_NUMBER  0x1010108fL
 

+ -# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h  22 Sep 2020"
 

+ +# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h FIPS 22 Sep 2020"
 

   

   /*-
 

    * The macros below are to be used for shared library (.so, .dll, ...)

file modified
+5 -6 
@@ -21,8 +21,8 @@ 
 

  

  Summary: Utilities from the general purpose cryptography library with TLS implementation
 

  Name: openssl
 

- Version: 1.1.1g
 

- Release: 15%{?dist}
 

+ Version: 1.1.1h
 

+ Release: 1%{?dist}
 

  Epoch: 1
 

  # We have to remove certain patented algorithms from the openssl source
 

  # tarball with the hobble-openssl script which is included below.
 
@@ -54,7 +54,6 @@ 
 

  Patch40: openssl-1.1.1-disable-ssl3.patch
 

  Patch41: openssl-1.1.1-system-cipherlist.patch
 

  Patch42: openssl-1.1.1-fips.patch
 

- Patch43: openssl-1.1.1-ignore-bound.patch
 

  Patch44: openssl-1.1.1-version-override.patch
 

  Patch45: openssl-1.1.1-weak-ciphers.patch
 

  Patch46: openssl-1.1.1-seclevel.patch
 
@@ -69,7 +68,6 @@ 
 

  Patch65: openssl-1.1.1-fips-drbg-selftest.patch
 

  Patch66: openssl-1.1.1-fips-dh.patch
 

  Patch67: openssl-1.1.1-kdf-selftest.patch
 

- Patch68: openssl-1.1.1-reneg-no-extms.patch
 

  Patch69: openssl-1.1.1-alpn-cb.patch
 

  Patch70: openssl-1.1.1-rewire-fips-drbg.patch
 

  # Backported fixes including security fixes
 
@@ -167,7 +165,6 @@ 
 

  %patch40 -p1 -b .disable-ssl3
 

  %patch41 -p1 -b .system-cipherlist
 

  %patch42 -p1 -b .fips
 

- %patch43 -p1 -b .ignore-bound
 

  %patch44 -p1 -b .version-override
 

  %patch45 -p1 -b .weak-ciphers
 

  %patch46 -p1 -b .seclevel
 
@@ -186,7 +183,6 @@ 
 

  %patch65 -p1 -b .drbg-selftest
 

  %patch66 -p1 -b .fips-dh
 

  %patch67 -p1 -b .kdf-selftest
 

- %patch68 -p1 -b .reneg-no-extms
 

  %patch69 -p1 -b .alpn-cb
 

  %patch70 -p1 -b .rewire-fips-drbg
 

  
@@ -477,6 +473,9 @@ 
 

  %ldconfig_scriptlets libs
 

  

  %changelog
 

+ * Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
 

+ - Upgrade to version 1.1.1.h
 

+ 

  * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15
 

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

file modified
+1 -1 
@@ -1,1 +1,1 @@ 
 

- SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971
 

+ SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908

Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.