From 3413ff9700373616a74dcf14fe75868d046e22e2 Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sahana@redhat.com>
Date: Nov 09 2020 09:41:15 +0000
Subject: Upgrade to version 1.1.1h


Signed-off-by: Sahana Prasad <sahana@redhat.com>

---

diff --git a/.gitignore b/.gitignore
index c6aba1d..3305a0f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1e-hobbled.tar.xz
 /openssl-1.1.1f-hobbled.tar.xz
 /openssl-1.1.1g-hobbled.tar.xz
+/openssl-1.1.1h-hobbled.tar.xz
diff --git a/ectest.c b/ectest.c
index c16642e..e4fd45b 100644
--- a/ectest.c
+++ b/ectest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -1425,6 +1425,87 @@ static int ec_point_hex2point_test(int id)
     return ret;
 }
 
+/*
+ * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
+ */
+static int custom_generator_test(int id)
+{
+    int ret = 0, nid, bsize;
+    EC_GROUP *group = NULL;
+    EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
+    BN_CTX *ctx = NULL;
+    BIGNUM *k = NULL;
+    unsigned char *b1 = NULL, *b2 = NULL;
+
+    /* Do some setup */
+    nid = curves[id].nid;
+    TEST_note("Curve %s", OBJ_nid2sn(nid));
+    if (!TEST_ptr(ctx = BN_CTX_new()))
+        return 0;
+
+    BN_CTX_start(ctx);
+
+    if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
+        goto err;
+
+    /* expected byte length of encoded points */
+    bsize = (EC_GROUP_get_degree(group) + 7) / 8;
+    bsize = 2 * bsize + 1;
+
+    if (!TEST_ptr(k = BN_CTX_get(ctx))
+        /* fetch a testing scalar k != 0,1 */
+        || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
+                              BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+        /* make k even */
+        || !TEST_true(BN_clear_bit(k, 0))
+        || !TEST_ptr(G2 = EC_POINT_new(group))
+        || !TEST_ptr(Q1 = EC_POINT_new(group))
+        /* Q1 := kG */
+        || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
+        /* pull out the bytes of that */
+        || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
+                                           POINT_CONVERSION_UNCOMPRESSED, NULL,
+                                           0, ctx), bsize)
+        || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
+        || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
+                                           POINT_CONVERSION_UNCOMPRESSED, b1,
+                                           bsize, ctx), bsize)
+        /* new generator is G2 := 2G */
+        || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
+                                   ctx))
+        || !TEST_true(EC_GROUP_set_generator(group, G2,
+                                             EC_GROUP_get0_order(group),
+                                             EC_GROUP_get0_cofactor(group)))
+        || !TEST_ptr(Q2 = EC_POINT_new(group))
+        || !TEST_true(BN_rshift1(k, k))
+        /* Q2 := k/2 G2 */
+        || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
+        || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
+                                           POINT_CONVERSION_UNCOMPRESSED, NULL,
+                                           0, ctx), bsize)
+        || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
+        || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
+                                           POINT_CONVERSION_UNCOMPRESSED, b2,
+                                           bsize, ctx), bsize)
+        /* Q1 = kG = k/2 G2 = Q2 should hold */
+        || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
+        goto err;
+
+    ret = 1;
+
+ err:
+    BN_CTX_end(ctx);
+    EC_POINT_free(Q1);
+    EC_POINT_free(Q2);
+    EC_POINT_free(G2);
+    EC_GROUP_free(group);
+    BN_CTX_free(ctx);
+    OPENSSL_free(b1);
+    OPENSSL_free(b2);
+
+    return ret;
+}
+
 #endif /* OPENSSL_NO_EC */
 
 int setup_tests(void)
@@ -1452,6 +1533,7 @@ int setup_tests(void)
 
     ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
     ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
+    ADD_ALL_TESTS(custom_generator_test, crv_len);
 #endif /* OPENSSL_NO_EC */
     return 1;
 }
diff --git a/openssl-1.1.1-ec-curves.patch b/openssl-1.1.1-ec-curves.patch
index a83a331..27f23ca 100644
--- a/openssl-1.1.1-ec-curves.patch
+++ b/openssl-1.1.1-ec-curves.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
---- openssl-1.1.1c/apps/speed.c.curves	2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/apps/speed.c	2019-05-29 15:36:53.332224470 +0200
+diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
+--- openssl-1.1.1h/apps/speed.c.curves	2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/apps/speed.c	2020-11-06 13:27:15.659288431 +0100
 @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
  #endif /* OPENSSL_NO_RSA */
  
@@ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
      {"ecdhx25519", R_EC_X25519},
      {"ecdhx448", R_EC_X448}
  };
-@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
+@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
          unsigned int bits;
      } test_curves[] = {
          /* Prime Curves */
@@ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
          /* Other and ECDH only ones */
          {"X25519", NID_X25519, 253},
          {"X448", NID_X448, 448}
-@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
+@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
  #  endif
  
  #  ifndef OPENSSL_NO_EC
@@ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
          ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
          ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
          if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
-@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
+@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
              }
          }
      }
@@ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
      ecdsa_c[R_EC_K163][0] = count / 1000;
      ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
      for (i = R_EC_K233; i <= R_EC_K571; i++) {
-@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
+@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
      }
  #   endif
  
@@ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
          ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
          if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
              ecdh_doit[i] = 0;
-@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
+@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
              }
          }
      }
@@ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
      ecdh_c[R_EC_K163][0] = count / 1000;
      for (i = R_EC_K233; i <= R_EC_K571; i++) {
          ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
---- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves	2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c	2019-05-29 15:30:09.071349520 +0200
+diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves	2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/crypto/ec/ecp_smpl.c	2020-11-06 13:27:15.659288431 +0100
 @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
          return 0;
      }
@@ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp
      if (ctx == NULL) {
          ctx = new_ctx = BN_CTX_new();
          if (ctx == NULL)
-diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
---- openssl-1.1.1c/test/ecdsatest.h.curves	2019-05-29 15:30:09.010350595 +0200
-+++ openssl-1.1.1c/test/ecdsatest.h	2019-05-29 15:41:24.586444294 +0200
+diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
+--- openssl-1.1.1h/test/ecdsatest.h.curves	2020-11-06 13:27:15.627288114 +0100
++++ openssl-1.1.1h/test/ecdsatest.h	2020-11-06 13:27:15.660288441 +0100
 @@ -32,23 +32,6 @@ typedef struct {
  } ecdsa_cavs_kat_t;
  
@@ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
      /* prime KATs from NIST CAVP */
      {NID_secp224r1, NID_sha224,
       "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
+--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves	2020-11-06 13:58:36.402895540 +0100
++++ openssl-1.1.1h/test/recipes/15-test_genec.t	2020-11-06 13:59:38.508484498 +0100
+@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
+     if disabled("ec");
+ 
+ my @prime_curves = qw(
+-    secp112r1
+-    secp112r2
+-    secp128r1
+-    secp128r2
+-    secp160k1
+-    secp160r1
+-    secp160r2
+-    secp192k1
+-    secp224k1
+     secp224r1
+     secp256k1
+     secp384r1
+     secp521r1
+-    prime192v1
+-    prime192v2
+-    prime192v3
+-    prime239v1
+-    prime239v2
+-    prime239v3
+     prime256v1
+-    wap-wsg-idm-ecid-wtls6
+-    wap-wsg-idm-ecid-wtls7
+-    wap-wsg-idm-ecid-wtls8
+-    wap-wsg-idm-ecid-wtls9
+-    wap-wsg-idm-ecid-wtls12
+-    brainpoolP160r1
+-    brainpoolP160t1
+-    brainpoolP192r1
+-    brainpoolP192t1
+-    brainpoolP224r1
+-    brainpoolP224t1
+-    brainpoolP256r1
+-    brainpoolP256t1
+-    brainpoolP320r1
+-    brainpoolP320t1
+-    brainpoolP384r1
+-    brainpoolP384t1
+-    brainpoolP512r1
+-    brainpoolP512t1
+ );
+ 
+ my @binary_curves = qw(
+@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
+     if !disabled("sm2");
+ 
+ my @curve_aliases = qw(
+-    P-192
+     P-224
+     P-256
+     P-384
diff --git a/openssl-1.1.1-fips-dh.patch b/openssl-1.1.1-fips-dh.patch
index d98372e..ff895d5 100644
--- a/openssl-1.1.1-fips-dh.patch
+++ b/openssl-1.1.1-fips-dh.patch
@@ -2716,91 +2716,16 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
      return ret;
  }
  #endif
-diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
---- openssl-1.1.1g/ssl/t1_lib.c.fips-dh	2020-07-17 10:36:29.243788425 +0200
-+++ openssl-1.1.1g/ssl/t1_lib.c	2020-07-17 10:36:29.249788474 +0200
-@@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
- #ifndef OPENSSL_NO_DH
- DH *ssl_get_auto_dh(SSL *s)
- {
-+    DH *dhp = NULL;
-+    BIGNUM *p = NULL, *g = NULL;
-     int dh_secbits = 80;
--    if (s->cert->dh_tmp_auto == 2)
--        return DH_get_1024_160();
--    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
--        if (s->s3->tmp.new_cipher->strength_bits == 256)
--            dh_secbits = 128;
--        else
--            dh_secbits = 80;
--    } else {
--        if (s->s3->tmp.cert == NULL)
--            return NULL;
--        dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
-+    if (s->cert->dh_tmp_auto != 2) {
-+        if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
-+            if (s->s3->tmp.new_cipher->strength_bits == 256)
-+                dh_secbits = 128;
-+            else
-+                dh_secbits = 80;
-+        } else {
-+            if (s->s3->tmp.cert == NULL)
-+                return NULL;
-+            dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
-+        }
-     }
  
--    if (dh_secbits >= 128) {
--        DH *dhp = DH_new();
--        BIGNUM *p, *g;
--        if (dhp == NULL)
--            return NULL;
--        g = BN_new();
--        if (g == NULL || !BN_set_word(g, 2)) {
--            DH_free(dhp);
--            BN_free(g);
--            return NULL;
--        }
--        if (dh_secbits >= 192)
--            p = BN_get_rfc3526_prime_8192(NULL);
--        else
--            p = BN_get_rfc3526_prime_3072(NULL);
--        if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
--            DH_free(dhp);
--            BN_free(p);
--            BN_free(g);
--            return NULL;
--        }
--        return dhp;
-+    dhp = DH_new();
-+    if (dhp == NULL)
-+        return NULL;
-+    g = BN_new();
-+    if (g == NULL || !BN_set_word(g, 2)) {
-+        DH_free(dhp);
-+        BN_free(g);
-+        return NULL;
-+    }
-+    if (dh_secbits >= 192)
-+        p = BN_get_rfc3526_prime_8192(NULL);
-+    else if (dh_secbits >= 152)
-+        p = BN_get_rfc3526_prime_4096(NULL);
-+    else if (dh_secbits >= 128)
-+        p = BN_get_rfc3526_prime_3072(NULL);
+diff -up openssl-1.1.1h/ssl/t1_lib.c.fips-dh openssl-1.1.1h/ssl/t1_lib.c
+--- openssl-1.1.1h/ssl/t1_lib.c.fips-dh	2020-11-04 14:04:41.851711629 +0100
++++ openssl-1.1.1h/ssl/t1_lib.c	2020-11-04 14:06:06.506431652 +0100
+@@ -2470,7 +2470,7 @@
+         p = BN_get_rfc3526_prime_4096(NULL);
+     else if (dh_secbits >= 128)
+         p = BN_get_rfc3526_prime_3072(NULL);
+-    else if (dh_secbits >= 112)
 +    else if (dh_secbits >= 112 || FIPS_mode())
-+        p = BN_get_rfc3526_prime_2048(NULL);
-+    else
-+        p = BN_get_rfc2409_prime_1024(NULL);
-+    if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
-+        DH_free(dhp);
-+        BN_free(p);
-+        BN_free(g);
-+        return NULL;
-     }
--    if (dh_secbits >= 112)
--        return DH_get_2048_224();
--    return DH_get_1024_160();
-+    return dhp;
- }
- #endif
- 
+         p = BN_get_rfc3526_prime_2048(NULL);
+     else
+         p = BN_get_rfc2409_prime_1024(NULL);
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index ad295a4..c9137ca 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -11614,10 +11614,10 @@ diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1
 diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num
 --- openssl-1.1.1e/util/libcrypto.num.fips	2020-03-17 17:31:10.744241038 +0100
 +++ openssl-1.1.1e/util/libcrypto.num	2020-03-17 17:32:37.851722261 +0100
-@@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify
- EVP_PKEY_meth_get_digestverify          4541	1_1_1e	EXIST::FUNCTION:
- EVP_PKEY_meth_get_digestsign            4542	1_1_1e	EXIST::FUNCTION:
- RSA_get0_pss_params                     4543	1_1_1e	EXIST::FUNCTION:RSA
+@@ -4590,3 +4590,38 @@ X509_ALGOR_copy
+ X509_REQ_set0_signature                 4545	1_1_1h	EXIST::FUNCTION:
+ X509_REQ_set1_signature_algo            4546	1_1_1h	EXIST::FUNCTION:
+ EC_KEY_decoded_from_explicit_params     4547	1_1_1h	EXIST::FUNCTION:EC
 +FIPS_drbg_reseed                        6348	1_1_0g	EXIST::FUNCTION:
 +FIPS_selftest_check                     6349	1_1_0g	EXIST::FUNCTION:
 +FIPS_rand_set_method                    6350	1_1_0g	EXIST::FUNCTION:
diff --git a/openssl-1.1.1-ignore-bound.patch b/openssl-1.1.1-ignore-bound.patch
deleted file mode 100644
index 4838f3d..0000000
--- a/openssl-1.1.1-ignore-bound.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Do not return failure when setting version bound on fixed protocol
-version method.
-diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
---- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound	2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c	2018-08-13 11:07:52.826304045 +0200
-@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
-          * methods are not subject to controls that disable individual protocol
-          * versions.
-          */
--        return 0;
-+        return 1;
- 
-     case TLS_ANY_VERSION:
-         if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
diff --git a/openssl-1.1.1-reneg-no-extms.patch b/openssl-1.1.1-reneg-no-extms.patch
deleted file mode 100644
index 76adef7..0000000
--- a/openssl-1.1.1-reneg-no-extms.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
---- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/include/openssl/ssl3.h	2020-06-05 15:20:22.090682776 +0200
-@@ -292,6 +292,9 @@ extern "C" {
- 
- # define TLS1_FLAGS_STATELESS                    0x0800
- 
-+/* Set if extended master secret extension required on renegotiation */
-+# define TLS1_FLAGS_REQUIRED_EXTMS               0x1000
-+
- # define SSL3_MT_HELLO_REQUEST                   0
- # define SSL3_MT_CLIENT_HELLO                    1
- # define SSL3_MT_SERVER_HELLO                    2
-diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
---- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/ssl/statem/extensions.c	2020-06-05 15:22:19.677653437 +0200
-@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
- 
- static int init_ems(SSL *s, unsigned int context)
- {
--    if (!s->server)
-+    if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
-         s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
-+        s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
-+    }
- 
-     return 1;
- }
- 
- static int final_ems(SSL *s, unsigned int context, int sent)
- {
-+    /*
-+     * Check extended master secret extension is not dropped on
-+     * renegotiation.
-+     */
-+    if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
-+        && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
-+        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
-+                 SSL_R_INCONSISTENT_EXTMS);
-+        return 0;
-+    }
-     if (!s->server && s->hit) {
-         /*
-          * Check extended master secret extension is consistent with
diff --git a/openssl-1.1.1-ts-sha256-default.patch b/openssl-1.1.1-ts-sha256-default.patch
index d99dc47..2a1dd6c 100644
--- a/openssl-1.1.1-ts-sha256-default.patch
+++ b/openssl-1.1.1-ts-sha256-default.patch
@@ -1,8 +1,17 @@
-diff --git a/apps/ts.c b/apps/ts.c
-index 63c5210183..4ef8a72eef 100644
---- a/apps/ts.c
-+++ b/apps/ts.c
-@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
+diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
+--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default	2020-11-06 11:07:28.850100899 +0100
++++ openssl-1.1.1h/apps/openssl.cnf	2020-11-06 11:11:28.042913791 +0100
+@@ -364,5 +348,5 @@ tsa_name		= yes	# Must the TSA name be i
+ 				# (optional, default: no)
+ ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+ 				# (optional, default: no)
+-ess_cert_id_alg		= sha1	# algorithm to compute certificate
++ess_cert_id_alg		= sha256	# algorithm to compute certificate
+ 				# identifier (optional, default: sha1)
+diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
+--- openssl-1.1.1h/apps/ts.c.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/apps/ts.c	2020-11-06 11:07:28.883101220 +0100
+@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
      ASN1_OBJECT *policy_obj = NULL;
      ASN1_INTEGER *nonce_asn1 = NULL;
  
@@ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644
          goto err;
      if ((ts_req = TS_REQ_new()) == NULL)
          goto err;
-diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
-index 078905a845..83b8fe4350 100644
---- a/doc/man1/ts.pod
-+++ b/doc/man1/ts.pod
-@@ -517,7 +517,7 @@ included. Default is no. (Optional)
+diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
+--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default	2020-11-06 12:03:51.226372867 +0100
++++ openssl-1.1.1h/crypto/ts/ts_conf.c	2020-11-06 12:04:01.713488990 +0100
+@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
+     const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
+ 
+     if (md == NULL)
+-        md = "sha1";
++        md = "sha256";
+ 
+     cert_md = EVP_get_digestbyname(md);
+     if (cert_md == NULL) {
+diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
+--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
++++ openssl-1.1.1h/doc/man1/ts.pod	2020-11-06 11:07:28.883101220 +0100
+@@ -518,7 +518,7 @@ included. Default is no. (Optional)
  =item B<ess_cert_id_alg>
  
  This option specifies the hash function to be used to calculate the TSA's
@@ -24,21 +44,21 @@ index 078905a845..83b8fe4350 100644
  
  =back
  
-@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
+@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
  
  =head2 Time Stamp Request
  
--To create a time stamp request for design1.txt with SHA-1
-+To create a time stamp request for design1.txt with SHA-256
+-To create a timestamp request for design1.txt with SHA-1
++To create a timestamp request for design1.txt with SHA-256
  without nonce and policy and no certificate is required in the response:
  
    openssl ts -query -data design1.txt -no_nonce \
-@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
+@@ -546,12 +546,12 @@ To print the content of the previous req
  
    openssl ts -query -in design1.tsq -text
  
--To create a time stamp request which includes the MD-5 digest
-+To create a time stamp request which includes the SHA-512 digest
+-To create a timestamp request which includes the MD-5 digest
++To create a timestamp request which includes the SHA-512 digest
  of design2.txt, requests the signer certificate and nonce,
  specifies a policy id (assuming the tsa_policy1 name is defined in the
  OID section of the config file):
diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch
index a6975fa..ff69bdb 100644
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@@ -4,9 +4,9 @@ diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.
 @@ -40,7 +40,7 @@ extern "C" {
   *  major minor fix final patch/beta)
   */
- # define OPENSSL_VERSION_NUMBER  0x1010107fL
--# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1g  21 Apr 2020"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1g FIPS  21 Apr 2020"
+ # define OPENSSL_VERSION_NUMBER  0x1010108fL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h  22 Sep 2020"
++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h FIPS 22 Sep 2020"
  
  /*-
   * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/openssl.spec b/openssl.spec
index 619a16c..3f6403c 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,8 +21,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.1g
-Release: 15%{?dist}
+Version: 1.1.1h
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -54,7 +54,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
 Patch41: openssl-1.1.1-system-cipherlist.patch
 Patch42: openssl-1.1.1-fips.patch
-Patch43: openssl-1.1.1-ignore-bound.patch
 Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.1-weak-ciphers.patch
 Patch46: openssl-1.1.1-seclevel.patch
@@ -69,7 +68,6 @@ Patch62: openssl-1.1.1-fips-curves.patch
 Patch65: openssl-1.1.1-fips-drbg-selftest.patch
 Patch66: openssl-1.1.1-fips-dh.patch
 Patch67: openssl-1.1.1-kdf-selftest.patch
-Patch68: openssl-1.1.1-reneg-no-extms.patch
 Patch69: openssl-1.1.1-alpn-cb.patch
 Patch70: openssl-1.1.1-rewire-fips-drbg.patch
 # Backported fixes including security fixes
@@ -167,7 +165,6 @@ cp %{SOURCE13} test/
 %patch40 -p1 -b .disable-ssl3
 %patch41 -p1 -b .system-cipherlist
 %patch42 -p1 -b .fips
-%patch43 -p1 -b .ignore-bound
 %patch44 -p1 -b .version-override
 %patch45 -p1 -b .weak-ciphers
 %patch46 -p1 -b .seclevel
@@ -186,7 +183,6 @@ cp %{SOURCE13} test/
 %patch65 -p1 -b .drbg-selftest
 %patch66 -p1 -b .fips-dh
 %patch67 -p1 -b .kdf-selftest
-%patch68 -p1 -b .reneg-no-extms
 %patch69 -p1 -b .alpn-cb
 %patch70 -p1 -b .rewire-fips-drbg
 
@@ -477,6 +473,9 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs
 
 %changelog
+* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
+- Upgrade to version 1.1.1.h
+
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
diff --git a/sources b/sources
index 50e115e..2bae151 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971
+SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908