Upgrade to OpenSSL 1.1.1n

Related: rhbz#2064911 (cherry picked from commit 41079c8a15e65033775ffe3e998ed32d411df388)
2022-03-18 17:42:01 +01:00 · 2022-03-18 17:42:01 +01:00 · 46eb8fcc17
parent 2fc4e025c7
commit 46eb8fcc17
7 changed files with 17 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@ -53,3 +53,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1j-hobbled.tar.xz
 /openssl-1.1.1k-hobbled.tar.xz
 /openssl-1.1.1l-hobbled.tar.xz
+/openssl-1.1.1n-hobbled.tar.xz
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@ -4474,13 +4474,6 @@ diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pk
 diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
 --- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf	2021-02-16 16:24:01.000000000 +0100
 +++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt	2021-03-03 14:08:02.494294874 +0100
-@@ -1,5 +1,5 @@
- #
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
-+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the OpenSSL license (the "License").  You may not use
- # this file except in compliance with the License.  You can obtain a copy
@@ -15,7 +15,7 @@
 Title = TLS1 PRF tests (from NIST test vectors)
 
@ -4740,7 +4733,7 @@ diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl
 Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
@@ -303,3 +303,133 @@ Ctrl.r = r:8
 Ctrl.p = p:1
- Result = INTERNAL_ERROR
+ Result = KDF_DERIVE_ERROR
 
 +Title = PBKDF2 tests
 +
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@ -870,8 +870,8 @@ diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/diges
 +# include <openssl/fips.h>
 +#endif
 
- /* This call frees resources associated with the context */
- int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
+ 
+ static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force)
@@ -66,6 +69,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 {
@ -898,9 +898,9 @@ diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/diges
 +            }
 +        }
 +#endif
-         if (ctx->digest && ctx->digest->ctx_size) {
-             OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
-             ctx->md_data = NULL;
+         cleanup_old_md_data(ctx, 1);
+ 
+         ctx->digest = type;
@@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
 
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
--- a/openssl-1.1.1-system-cipherlist.patch
+++ b/openssl-1.1.1-system-cipherlist.patch
@ -238,7 +238,7 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
     }
 
     /*
-@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1592,10 +1648,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      * if we cannot get one.
      */
     if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -254,11 +254,6 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
         if (!sk_SSL_CIPHER_push(cipherstack,
-                                 sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
-+            OPENSSL_free(co_list);
-             sk_SSL_CIPHER_free(cipherstack);
-             return NULL;
-         }
@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     *cipher_list = cipherstack;
 
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@ -4,9 +4,9 @@ diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.
@@ -40,7 +40,7 @@ extern "C" {
  *  major minor fix final patch/beta)
  */
- # define OPENSSL_VERSION_NUMBER  0x101010cfL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l  24 Aug 2021"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l  FIPS 24 Aug 2021"
+ # define OPENSSL_VERSION_NUMBER  0x101010efL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1n  15 Mar 2022"
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1n  FIPS 15 Mar 2022"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
--- a/openssl.spec
+++ b/openssl.spec
@ -21,8 +21,8 @@

 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.1l
-Release: 2%{?dist}
+Version: 1.1.1n
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -479,6 +479,9 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs

 %changelog
+* Fri Mar 18 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1n-1
+- Upgrade to version 1.1.1n
+
 * Wed Sep 15 2021 Miro Hrončok <mhroncok@redhat.com> - 1:1.1.1l-2
 - Provide and obsolete openssl1.1 to allow using openssl1.1-devel on Fedora < 36

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (openssl-1.1.1l-hobbled.tar.xz) = f0dfe3d3f4d1165173a0aeb50949792fef37069fc2b29de4845851fe0dbae8254f1d892b0ab8b23b75efc994742f3a57c30c78efa0702f6408d3a80442053d6f
+SHA512 (openssl-1.1.1n-hobbled.tar.xz) = e76b367218394279a1f34afcb747c2fdac6fc25fc933a70cdf85d1fd0eb6a4418b3bab985e8082b563df4f98dd6bac34464d143a8532bb78530235aaef988c4b