update to upstream version 1.1.0f

SRP and GOST is now allowed, note that GOST support requires
  adding GOST engine which is not part of openssl anymore

.gitignore

@@ -35,3 +35,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.0c-hobbled.tar.xz
 /openssl-1.1.0d-hobbled.tar.xz
 /openssl-1.1.0e-hobbled.tar.xz
+/openssl-1.1.0f-hobbled.tar.xz

hobble-openssl

@@ -8,19 +8,11 @@ set -e
 # IDEA:  5,214,703 07/01/2012 - expired, we do not remove it anymore
 # RC5:   5,724,428 01/11/2015 - expired, we do not remove it anymore
 # EC:    ????????? ??/??/2020
-# SRP:   ????????? ??/??/20??
+# SRP:   ????????? ??/??/2017 - expired, we do not remove it anymore
 
 # Remove assembler portions of IDEA, MDC2, and RC5.
 # (find crypto/rc5/asm -type f | xargs -r rm -fv)
 
-# SRP.
-for a in srp; do
-  for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
-	echo Destroying $c
-	> $c
-  done
-done
-
 for c in `find crypto/bn -name "*gf2m.c"`; do
 	echo Destroying $c
 	> $c
@@ -37,10 +29,9 @@ for c in `find test -name "ectest.c"`; do
 done
 
 for h in `find crypto ssl apps test -name "*.h"` ; do
-	echo Removing SRP and EC2M references from $h
+	echo Removing EC2M references from $h
 	cat $h | \
 	awk    'BEGIN {ech=1;} \
-		/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
 		/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
                 /^#[ \t]*if/ {if(ech < 1) ech--;} \
 		{if(ech>0) {;print $0};} \

openssl-1.1.0-build.patch

@@ -1,19 +1,28 @@
-diff -up openssl-1.1.0c/Configurations/unix-Makefile.tmpl.build openssl-1.1.0c/Configurations/unix-Makefile.tmpl
+diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl
---- openssl-1.1.0c/Configurations/unix-Makefile.tmpl.build	2016-11-10 15:03:43.000000000 +0100
+--- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build	2017-06-02 13:51:39.621289504 +0200
-+++ openssl-1.1.0c/Configurations/unix-Makefile.tmpl	2016-11-11 13:26:36.094400833 +0100
++++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl	2017-06-02 13:54:45.298654812 +0200
-@@ -630,7 +630,7 @@ install_man_docs:
+@@ -553,7 +553,7 @@ uninstall_runtime:
- 	@\
+ install_man_docs:
- 	OUTSUFFIX='.$${SEC}$(MANSUFFIX)'; \
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- 	OUTTOP="$(DESTDIR)$(MANDIR)"; \
+ 	@echo "*** Installing manpages"
--	GENERATE='pod2man --name=$$NAME --section=$$SEC --center=OpenSSL --release=$(VERSION)'; \
+-	$(PERL) $(SRCDIR)/util/process_docs.pl \
-+	GENERATE='TZ=UTC pod2man --name=$$NAME --section=$$SEC --center=OpenSSL --release=$(VERSION)'; \
++	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- 	$(PROCESS_PODS)
+ 		--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
  
  uninstall_man_docs:
-diff -up openssl-1.1.0c/Configurations/10-main.conf.build openssl-1.1.0c/Configurations/10-main.conf
+@@ -565,7 +565,7 @@ uninstall_man_docs:
---- openssl-1.1.0c/Configurations/10-main.conf.build	2016-11-10 15:03:43.000000000 +0100
+ install_html_docs:
-+++ openssl-1.1.0c/Configurations/10-main.conf	2016-11-11 13:29:26.502289226 +0100
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
-@@ -656,6 +656,7 @@ sub vms_info {
+ 	@echo "*** Installing HTML manpages"
+-	$(PERL) $(SRCDIR)/util/process_docs.pl \
++	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ 		--destdir=$(DESTDIR)$(HTMLDIR) --type=html
+ 
+ uninstall_html_docs:
+diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf
+--- openssl-1.1.0f/Configurations/10-main.conf.build	2017-05-25 14:46:17.000000000 +0200
++++ openssl-1.1.0f/Configurations/10-main.conf	2017-06-02 13:51:39.622289528 +0200
+@@ -662,6 +662,7 @@ sub vms_info {
          cflags           => add("-m64 -DL_ENDIAN"),
          perlasm_scheme   => "linux64le",
          shared_ldflag    => add("-m64"),
@@ -21,7 +30,7 @@ diff -up openssl-1.1.0c/Configurations/10-main.conf.build openssl-1.1.0c/Configu
      },
  
      "linux-armv4" => {
-@@ -696,6 +697,7 @@ sub vms_info {
+@@ -702,6 +703,7 @@ sub vms_info {
      "linux-aarch64" => {
          inherit_from     => [ "linux-generic64", asm("aarch64_asm") ],
          perlasm_scheme   => "linux64",
@@ -29,3 +38,36 @@ diff -up openssl-1.1.0c/Configurations/10-main.conf.build openssl-1.1.0c/Configu
      },
      "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
          inherit_from     => [ "linux-generic32", asm("aarch64_asm") ],
+diff -up openssl-1.1.0f/test/evptests.txt.build openssl-1.1.0f/test/evptests.txt
+--- openssl-1.1.0f/test/evptests.txt.build	2017-05-25 14:46:21.000000000 +0200
++++ openssl-1.1.0f/test/evptests.txt	2017-06-02 15:05:49.422161136 +0200
+@@ -3690,14 +3690,6 @@ PublicKey=Bob-25519-PUBLIC
+ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+DQ8hbeGdNrfx+FG+IK08=
+ -----END PUBLIC KEY-----
+ 
+-Derive=Alice-25519
+-PeerKey=Bob-25519-PUBLIC
+-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
+-
+-Derive=Bob-25519
+-PeerKey=Alice-25519-PUBLIC
+-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
+-
+ # Illegal sign/verify operations with X25519 key
+ 
+ Sign=Alice-25519
+@@ -3710,6 +3702,14 @@ Result = KEYOP_INIT_ERROR
+ Function = EVP_PKEY_verify_init
+ Reason = operation not supported for this keytype
+ 
++Derive=Alice-25519
++PeerKey=Bob-25519-PUBLIC
++SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
++
++Derive=Bob-25519
++PeerKey=Alice-25519-PUBLIC
++SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
++
+ ## ECDH Tests: test with randomly generated keys for all the listed curves
+ 
+ 

openssl-1.1.0-cc-reqs.patch

@@ -1,7 +1,7 @@
-diff -up openssl-1.1.0d/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0d/crypto/rsa/rsa_gen.c
+diff -up openssl-1.1.0f/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0f/crypto/rsa/rsa_gen.c
---- openssl-1.1.0d/crypto/rsa/rsa_gen.c.cc-reqs	2017-01-26 14:10:23.000000000 +0100
+--- openssl-1.1.0f/crypto/rsa/rsa_gen.c.cc-reqs	2017-05-25 14:46:19.000000000 +0200
-+++ openssl-1.1.0d/crypto/rsa/rsa_gen.c	2017-01-26 16:01:52.622308528 +0100
++++ openssl-1.1.0f/crypto/rsa/rsa_gen.c	2017-06-02 14:13:45.352475862 +0200
-@@ -75,6 +75,12 @@ static int rsa_builtin_keygen(RSA *rsa,
+@@ -85,6 +85,12 @@ static int rsa_builtin_keygen(RSA *rsa,
      if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
          goto err;
  
@@ -14,14 +14,14 @@ diff -up openssl-1.1.0d/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0d/crypto/rsa/r
      if (BN_copy(rsa->e, e_value) == NULL)
          goto err;
  
-@@ -103,7 +109,9 @@ static int rsa_builtin_keygen(RSA *rsa,
+@@ -107,7 +113,9 @@ static int rsa_builtin_keygen(RSA *rsa,
          do {
              if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
                  goto err;
--        } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
+-        } while (BN_cmp(rsa->p, rsa->q) == 0);
 +            if (!BN_sub(r2, rsa->q, rsa->p))
 +                goto err;
-+        } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
++        } while (BN_ucmp(r2, r3) <= 0);
-         if (degenerate == 3) {
+         if (!BN_sub(r2, rsa->q, BN_value_one()))
-             ok = 0;             /* we set our own err */
+             goto err;
-             RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
+         if (!BN_gcd(r1, r2, rsa->e, ctx))

openssl-1.1.0-ec-curves.patch

@@ -59,57 +59,6 @@ diff -up openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves openssl-1.1.0e/crypto/ec/ecp
      if (ctx == NULL) {
          ctx = new_ctx = BN_CTX_new();
          if (ctx == NULL)
-diff -up openssl-1.1.0e/test/ecdhtest_cavs.h.curves openssl-1.1.0e/test/ecdhtest_cavs.h
---- openssl-1.1.0e/test/ecdhtest_cavs.h.curves	2017-02-16 15:46:22.237503550 +0100
-+++ openssl-1.1.0e/test/ecdhtest_cavs.h	2017-02-16 16:08:16.091687111 +0100
-@@ -29,6 +29,7 @@ typedef struct {
- 
- static const ecdh_cavs_kat_t ecdh_cavs_kats[] = {
-     /* curves over prime fields go here */
-+#if 0
-     { NID_X9_62_prime192v1,
-     "42ea6dd9969dd2a61fea1aac7f8e98edcc896c6e55857cc0",
-     "dfbe5d7c61fac88b11811bde328e8a0d12bf01a9d204b523",
-@@ -204,6 +205,7 @@ static const ecdh_cavs_kat_t ecdh_cavs_k
-     "fcd345a976c720caaa97de6697226825615e1287a9eff67e",
-     "58ea42edbeeafca9ff44cfd7f29abd2cbde7626d79e422c9",
-     "72e88f3ea67d46d46dbf83926e7e2a6b85b54536741e6d2c" },
-+#endif
-     { NID_secp224r1,
-     "af33cd0629bc7e996320a3f40368f74de8704fa37b8fab69abaae280",
-     "882092ccbba7930f419a8a4f9bb16978bbc3838729992559a6f2e2d7",
-diff -up openssl-1.1.0e/test/ecdhtest.c.curves openssl-1.1.0e/test/ecdhtest.c
---- openssl-1.1.0e/test/ecdhtest.c.curves	2017-02-16 12:58:24.000000000 +0100
-+++ openssl-1.1.0e/test/ecdhtest.c	2017-02-16 16:07:30.412629758 +0100
-@@ -252,10 +252,12 @@ typedef struct {
- 
- static const ecdh_kat_t ecdh_kats[] = {
-     /* Keys and shared secrets from RFC 5114 */
-+#if 0
-     { NID_X9_62_prime192v1,
-     "323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426",
-     "631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62",
-     "AD420182633F8526BFE954ACDA376F05E5FF4F837F54FEBE" },
-+#endif
-     { NID_secp224r1,
-     "B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F",
-     "AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18",
-@@ -303,6 +305,7 @@ static const ecdh_kat_t ecdh_kats[] = {
-     "01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04"
-     "D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3"
-     "DDEA" },
-+#if 0
-     /* Keys and shared secrets from RFC 7027 */
-     { NID_brainpoolP256r1,
-     "81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D",
-@@ -322,6 +325,7 @@ static const ecdh_kat_t ecdh_kats[] = {
-     "ABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429",
-     "A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76"
-     "D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F" }
-+#endif
- };
- 
- /* Given private value and NID, create EC_KEY structure */
 diff -up openssl-1.1.0e/test/ecdsatest.c.curves openssl-1.1.0e/test/ecdsatest.c
 --- openssl-1.1.0e/test/ecdsatest.c.curves	2017-02-16 12:58:24.000000000 +0100
 +++ openssl-1.1.0e/test/ecdsatest.c	2017-02-16 15:46:22.250503857 +0100

openssl.spec

@@ -21,7 +21,7 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.0e
+Version: 1.1.0f
 Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
@@ -70,6 +70,7 @@ BuildRequires: lksctp-tools-devel
 BuildRequires: /usr/bin/rename
 BuildRequires: /usr/bin/pod2man
 BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
+BuildRequires: perl(Module::Load::Conditional)
 Requires: coreutils, make
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 
@@ -236,7 +237,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"
 	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
 	enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
-	no-mdc2 no-ec2m no-gost no-srp \
+	no-mdc2 no-ec2m \
 	shared  ${sslarch} $RPM_OPT_FLAGS
 
 util/mkdef.pl crypto update
@@ -427,6 +428,11 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Jun  2 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-1
+- update to upstream version 1.1.0f
+- SRP and GOST is now allowed, note that GOST support requires
+  adding GOST engine which is not part of openssl anymore
+
 * Thu Feb 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0e-1
 - update to upstream version 1.1.0e
 - add documentation of the PROFILE=SYSTEM special cipher string (#1420232)

sources

@@ -1 +1 @@
-SHA512 (openssl-1.1.0e-hobbled.tar.xz) = 7db753907c211427ed494d92915c255d05faf9b47f22febfffbfe2be602777b6b82d7c71793003c2ebbbf7f67708c80a72aacde2582501ae63761b1090523974
+SHA512 (openssl-1.1.0f-hobbled.tar.xz) = 4357ec7e2bebbf26e6f218bd4dbb7b1b836af16007a7e5f70e552409036de4dc080365cf0647c30e246c4f2ab3b521cf4b4941e2c4168821aaad049adc4421bb