update to the final 1.1.1 version

2018-09-13 09:43:22 +02:00 · 2018-09-13 09:43:22 +02:00 · a4bf4e1b65
parent 90121b0c9d
commit a4bf4e1b65
6 changed files with 413 additions and 333 deletions
--- a/openssl-1.1.1-ec-curves.patch
+++ b/openssl-1.1.1-ec-curves.patch
@ -1,8 +1,40 @@
-diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
--- openssl-1.1.1-pre8/apps/speed.c.curves	2018-07-17 08:48:56.106625020 +0200
-+++ openssl-1.1.1-pre8/apps/speed.c	2018-07-17 08:50:07.526521809 +0200
-@@ -511,56 +511,20 @@ static double rsa_results[RSA_NUM][2];
- #define R_EC_X448    23
+diff -up openssl-1.1.1/apps/speed.c.curves openssl-1.1.1/apps/speed.c
+--- openssl-1.1.1/apps/speed.c.curves	2018-09-11 14:48:20.000000000 +0200
+++ openssl-1.1.1/apps/speed.c	2018-09-13 09:24:24.840081023 +0200
+@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
+ static double rsa_results[RSA_NUM][2];  /* 2 ops: sign then verify */
+ #endif /* OPENSSL_NO_RSA */
+ 
+-#define R_EC_P160    0
+-#define R_EC_P192    1
+-#define R_EC_P224    2
+-#define R_EC_P256    3
+-#define R_EC_P384    4
+-#define R_EC_P521    5
+-#define R_EC_K163    6
+-#define R_EC_K233    7
+-#define R_EC_K283    8
+-#define R_EC_K409    9
+-#define R_EC_K571    10
+-#define R_EC_B163    11
+-#define R_EC_B233    12
+-#define R_EC_B283    13
+-#define R_EC_B409    14
+-#define R_EC_B571    15
+-#define R_EC_BRP256R1  16
+-#define R_EC_BRP256T1  17
+-#define R_EC_BRP384R1  18
+-#define R_EC_BRP384T1  19
+-#define R_EC_BRP512R1  20
+-#define R_EC_BRP512T1  21
+-#define R_EC_X25519  22
+-#define R_EC_X448    23
+#define R_EC_P224    0
+#define R_EC_P256    1
+#define R_EC_P384    2
+#define R_EC_P521    3
+#define R_EC_X25519  4
+#define R_EC_X448    5
 #ifndef OPENSSL_NO_EC
 static OPT_PAIR ecdsa_choices[] = {
 -    {"ecdsap160", R_EC_P160},
@ -58,10 +90,90 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
     {"ecdhx25519", R_EC_X25519},
     {"ecdhx448", R_EC_X448}
 };
-diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c
--- openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves	2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c	2018-07-17 08:48:56.107625044 +0200
-@@ -141,6 +141,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
+@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
+         unsigned int bits;
+     } test_curves[] = {
+         /* Prime Curves */
+-        {"secp160r1", NID_secp160r1, 160},
+-        {"nistp192", NID_X9_62_prime192v1, 192},
+         {"nistp224", NID_secp224r1, 224},
+         {"nistp256", NID_X9_62_prime256v1, 256},
+         {"nistp384", NID_secp384r1, 384}, 
+         {"nistp521", NID_secp521r1, 521},
+-        /* Binary Curves */
+-        {"nistk163", NID_sect163k1, 163},
+-        {"nistk233", NID_sect233k1, 233}, 
+-        {"nistk283", NID_sect283k1, 283},
+-        {"nistk409", NID_sect409k1, 409},
+-        {"nistk571", NID_sect571k1, 571},
+-        {"nistb163", NID_sect163r2, 163},
+-        {"nistb233", NID_sect233r1, 233},
+-        {"nistb283", NID_sect283r1, 283},
+-        {"nistb409", NID_sect409r1, 409},
+-        {"nistb571", NID_sect571r1, 571},
+-        {"brainpoolP256r1", NID_brainpoolP256r1, 256},
+-        {"brainpoolP256t1", NID_brainpoolP256t1, 256},
+-        {"brainpoolP384r1", NID_brainpoolP384r1, 384},
+-        {"brainpoolP384t1", NID_brainpoolP384t1, 384},
+-        {"brainpoolP512r1", NID_brainpoolP512r1, 512},
+-        {"brainpoolP512t1", NID_brainpoolP512t1, 512},
+         /* Other and ECDH only ones */
+         {"X25519", NID_X25519, 253},
+         {"X448", NID_X448, 448}
+@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv)
+ #  endif
+ 
+ #  ifndef OPENSSL_NO_EC
+-    ecdsa_c[R_EC_P160][0] = count / 1000;
+-    ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
+-    for (i = R_EC_P192; i <= R_EC_P521; i++) {
+    ecdsa_c[R_EC_P224][0] = count / 1000;
+    ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
+    for (i = R_EC_P256; i <= R_EC_P521; i++) {
+         ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
+         ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
+         if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
+@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv)
+             }
+         }
+     }
+#if 0
+     ecdsa_c[R_EC_K163][0] = count / 1000;
+     ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
+     for (i = R_EC_K233; i <= R_EC_K571; i++) {
+@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv)
+             }
+         }
+     }
+-
+-    ecdh_c[R_EC_P160][0] = count / 1000;
+-    for (i = R_EC_P192; i <= R_EC_P521; i++) {
+#endif
+    ecdh_c[R_EC_P224][0] = count / 1000;
+    for (i = R_EC_P256; i <= R_EC_P521; i++) {
+         ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
+         if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
+             ecdh_doit[i] = 0;
+@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv)
+             }
+         }
+     }
+#if 0
+     ecdh_c[R_EC_K163][0] = count / 1000;
+     for (i = R_EC_K233; i <= R_EC_K571; i++) {
+         ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
+@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv)
+             }
+         }
+     }
+#endif
+     /* default iteration count for the last two EC Curves */
+     ecdh_c[R_EC_X25519][0] = count / 1800;
+     ecdh_c[R_EC_X448][0] = count / 7200;
+diff -up openssl-1.1.1/crypto/ec/ecp_smpl.c.curves openssl-1.1.1/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1/crypto/ec/ecp_smpl.c.curves	2018-09-11 14:48:21.000000000 +0200
+++ openssl-1.1.1/crypto/ec/ecp_smpl.c	2018-09-13 09:09:26.841792619 +0200
+@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
         return 0;
     }
 
@ -73,9 +185,9 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypt
     if (ctx == NULL) {
         ctx = new_ctx = BN_CTX_new();
         if (ctx == NULL)
-diff -up openssl-1.1.1-pre8/test/ecdsatest.c.curves openssl-1.1.1-pre8/test/ecdsatest.c
--- openssl-1.1.1-pre8/test/ecdsatest.c.curves	2018-06-20 16:48:14.000000000 +0200
-+++ openssl-1.1.1-pre8/test/ecdsatest.c	2018-07-17 08:48:56.107625044 +0200
+diff -up openssl-1.1.1/test/ecdsatest.c.curves openssl-1.1.1/test/ecdsatest.c
+--- openssl-1.1.1/test/ecdsatest.c.curves	2018-09-11 14:48:24.000000000 +0200
+++ openssl-1.1.1/test/ecdsatest.c	2018-09-13 09:09:26.841792619 +0200
@@ -173,6 +173,7 @@ static int x9_62_tests(void)
     if (!change_rand())
         goto x962_err;
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
--- a/openssl-1.1.1-rand-cleanup.patch
+++ b/openssl-1.1.1-rand-cleanup.patch
@ -1,13 +0,0 @@
-diff -up openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup openssl-1.1.1-pre9/crypto/rand/rand_lib.c
--- openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup	2018-09-06 08:18:19.481566808 +0200
-+++ openssl-1.1.1-pre9/crypto/rand/rand_lib.c	2018-09-06 13:28:32.531777065 +0200
-@@ -353,7 +353,8 @@ void rand_cleanup_int(void)
-     if (meth != NULL && meth->cleanup != NULL)
-         meth->cleanup();
-     rand_pool_cleanup();
-    RAND_set_rand_method(NULL);
-+    if (meth != NULL)
-+        RAND_set_rand_method(NULL);
- #ifndef OPENSSL_NO_ENGINE
-     CRYPTO_THREAD_lock_free(rand_engine_lock);
-     rand_engine_lock = NULL;
--- a/openssl-1.1.1-seclevel-check.patch
+++ b/openssl-1.1.1-seclevel-check.patch
@ -1,14 +0,0 @@
-diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
-index df5cff79c9..e740a8c25d 100644
--- a/ssl/ssl_cert.c
-+++ b/ssl/ssl_cert.c
-@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
-             if (level >= 2 && c->algorithm_enc == SSL_RC4)
-                 return 0;
-             /* Level 3: forward secure ciphersuites only */
-            if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
-+            if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
-+                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
-                 return 0;
-             break;
-         }
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@ -1,14 +1,12 @@
-diff -up openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override openssl-1.1.1-pre9/include/openssl/opensslv.h
--- openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override	2018-08-22 12:25:31.959886929 +0200
-+++ openssl-1.1.1-pre9/include/openssl/opensslv.h	2018-08-22 12:26:17.997014595 +0200
-@@ -39,8 +39,8 @@ extern "C" {
-  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+diff -up openssl-1.1.1/include/openssl/opensslv.h.version-override openssl-1.1.1/include/openssl/opensslv.h
+--- openssl-1.1.1/include/openssl/opensslv.h.version-override	2018-09-13 08:54:38.247940128 +0200
+++ openssl-1.1.1/include/openssl/opensslv.h	2018-09-13 08:56:10.757779555 +0200
+@@ -40,7 +40,7 @@ extern "C" {
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x10101009L
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018"
-+# define OPENSSL_VERSION_NUMBER  0x1010100fL
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018"
+ # define OPENSSL_VERSION_NUMBER  0x1010100fL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1  11 Sep 2018"
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1 FIPS  11 Sep 2018"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
--- a/openssl.spec
+++ b/openssl.spec
@ -19,17 +19,15 @@

 %global _performance_build 1

-%global prerelease pre9
-
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1
-Release: 0.%{prerelease}.3%{?dist}
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
 # The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-%{prerelease}-hobbled.tar.xz
+Source: openssl-%{version}-hobbled.tar.xz
 Source1: hobble-openssl
 Source2: Makefile.certificate
 Source6: make-dummy-cert
@ -59,9 +57,7 @@ Patch42: openssl-1.1.1-fips.patch
 Patch43: openssl-1.1.1-ignore-bound.patch
 Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.0-weak-ciphers.patch
-Patch46: openssl-1.1.1-rand-cleanup.patch
 # Backported fixes including security fixes
-Patch70: openssl-1.1.1-seclevel-check.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -135,7 +131,7 @@ package provides Perl scripts for converting certificates and keys
 from other formats to the formats used by the OpenSSL toolkit.

 %prep
-%setup -q -n %{name}-%{version}-%{prerelease}
+%setup -q -n %{name}-%{version}

 # The hobble_openssl is called here redundantly, just to be sure.
 # The tarball has already the sources removed.
@ -163,9 +159,7 @@ cp %{SOURCE13} test/
 %patch43 -p1 -b .ignore-bound
 %patch44 -p1 -b .version-override
 %patch45 -p1 -b .weak-ciphers
-%patch46 -p1 -b .rand-cleanup

-%patch70 -p1 -b .seclevel-check

 %build
 # Figure out which flags we want to use.
@ -453,6 +447,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig

 %changelog
+* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
+- update to the final 1.1.1 version
+
 * Thu Sep  6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3
 - do not try to initialize RNG in cleanup if it was not initialized
  before (#1624554)