update to upstream version 1.1.0e

add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
2017-02-16 16:59:27 +01:00 · 2017-02-16 16:59:27 +01:00 · c676ac32d5
parent f6b0040c3e
commit c676ac32d5
8 changed files with 413 additions and 565 deletions
--- a/.gitignore
+++ b/.gitignore
@ -34,3 +34,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.0b-hobbled.tar.xz
 /openssl-1.1.0c-hobbled.tar.xz
 /openssl-1.1.0d-hobbled.tar.xz
+/openssl-1.1.0e-hobbled.tar.xz
--- a/openssl-1.1.0-backports.patch
+++ b/openssl-1.1.0-backports.patch
@ -1,147 +0,0 @@
-From 3f60b8fbdc9b17572a86457fe5b11437c0d3fbc2 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Thu, 26 Jan 2017 17:11:14 +0000
-Subject: [PATCH] Use correct signature algorithm list when sending or
- checking.
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/2297)
---
- ssl/ssl_locl.h           |  2 +-
- ssl/statem/statem_srvr.c |  2 +-
- ssl/t1_lib.c             | 12 ++++++------
- 3 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 4079b31..9a997cf 100644
--- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -2062,7 +2062,7 @@ __owur size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
-                                  const unsigned char *psig, size_t psiglen);
- __owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
- __owur int tls1_process_sigalgs(SSL *s);
-__owur size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
-+__owur size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
- __owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
-                                    const unsigned char *sig, EVP_PKEY *pkey);
- void ssl_set_client_disabled(SSL *s);
-diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index d36d194..ad89e93 100644
--- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2002,7 +2002,7 @@ int tls_construct_certificate_request(SSL *s)
-     if (SSL_USE_SIGALGS(s)) {
-         const unsigned char *psigs;
-         unsigned char *etmp = p;
-        nl = tls12_get_psigalgs(s, &psigs);
-+        nl = tls12_get_psigalgs(s, 1, &psigs);
-         /* Skip over length for now */
-         p += 2;
-         nl = tls12_copy_sigalgs(s, p, psigs, nl);
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 1205f99..b75e568 100644
--- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -711,7 +711,7 @@ static const unsigned char suiteb_sigalgs[] = {
-         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
- };
- #endif
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
-+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
- {
-     /*
-      * If Suite B mode use Suite B sigalgs only, ignore any other
-@@ -733,7 +733,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
-     }
- #endif
-     /* If server use client authentication sigalgs if not NULL */
-    if (s->server && s->cert->client_sigalgs) {
-+    if (s->server == sent && s->cert->client_sigalgs) {
-         *psigs = s->cert->client_sigalgs;
-         return s->cert->client_sigalgslen;
-     } else if (s->cert->conf_sigalgs) {
-@@ -797,7 +797,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
- #endif
- 
-     /* Check signature matches a type we sent */
-    sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
-+    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
-     for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
-         if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
-             break;
-@@ -1189,7 +1189,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
-         size_t salglen;
-         const unsigned char *salg;
-         unsigned char *etmp;
-        salglen = tls12_get_psigalgs(s, &salg);
-+        salglen = tls12_get_psigalgs(s, 1, &salg);
- 
-         /*-
-          * check for enough space.
-@@ -3396,7 +3396,7 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
-      * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
-      * down calls to security callback only check if we have to.
-      */
-    sigalgslen = tls12_get_psigalgs(s, &sigalgs);
-+    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
-     for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
-         switch (sigalgs[1]) {
- #ifndef OPENSSL_NO_RSA
-@@ -3491,7 +3491,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
-         conf = c->conf_sigalgs;
-         conflen = c->conf_sigalgslen;
-     } else
-        conflen = tls12_get_psigalgs(s, &conf);
-+        conflen = tls12_get_psigalgs(s, 0, &conf);
-     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
-         pref = conf;
-         preflen = conflen;
-- 
-2.9.3
-
-From b431b094330da3e54805c49fb262192e34bc3864 Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Sat, 28 Jan 2017 17:43:17 +0100
-Subject: [PATCH] X509_CRL_digest() - ensure precomputed sha1 hash before
- returning it
-
-X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
-present.  This also makes sure there's an appropriate flag to check.
-
-Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/2314)
-(cherry picked from commit 6195848b2eea627c47f74b63eb2ba3dc3d5b6436)
---
- crypto/x509/x_all.c | 2 +-
- crypto/x509/x_crl.c | 2 ++
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
-index 59f96a5..124dd2d 100644
--- a/crypto/x509/x_all.c
-+++ b/crypto/x509/x_all.c
-@@ -377,7 +377,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
- int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
-                     unsigned char *md, unsigned int *len)
- {
-    if (type == EVP_sha1()) {
-+    if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) {
-         /* Asking for SHA1; always computed in CRL d2i. */
-         if (len != NULL)
-             *len = sizeof(data->sha1_hash);
-diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
-index da9c6b6..dbed850 100644
--- a/crypto/x509/x_crl.c
-+++ b/crypto/x509/x_crl.c
-@@ -226,6 +226,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
-             if (crl->meth->crl_init(crl) == 0)
-                 return 0;
-         }
-+
-+        crl->flags |= EXFLAG_SET;
-         break;
- 
-     case ASN1_OP_FREE_POST:
-- 
-2.9.3
-
--- a/openssl-1.1.0-build.patch
+++ b/openssl-1.1.0-build.patch
@ -29,99 +29,3 @@ diff -up openssl-1.1.0c/Configurations/10-main.conf.build openssl-1.1.0c/Configu
     },
     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
         inherit_from     => [ "linux-generic32", asm("aarch64_asm") ],
-diff -up openssl-1.1.0c/crypto/ec/ec_lib.c.build openssl-1.1.0c/crypto/ec/ec_lib.c
--- openssl-1.1.0c/crypto/ec/ec_lib.c.build	2016-11-10 15:03:44.000000000 +0100
-+++ openssl-1.1.0c/crypto/ec/ec_lib.c	2016-11-11 13:26:36.097400901 +0100
-@@ -74,9 +74,6 @@ void EC_pre_comp_free(EC_GROUP *group)
-         break;
- #endif
- #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-    case PCT_nistp224:
-        EC_nistp224_pre_comp_free(group->pre_comp.nistp224);
-        break;
-     case PCT_nistp256:
-         EC_nistp256_pre_comp_free(group->pre_comp.nistp256);
-         break;
-@@ -152,9 +149,6 @@ int EC_GROUP_copy(EC_GROUP *dest, const
-         break;
- #endif
- #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-    case PCT_nistp224:
-        dest->pre_comp.nistp224 = EC_nistp224_pre_comp_dup(src->pre_comp.nistp224);
-        break;
-     case PCT_nistp256:
-         dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256);
-         break;
-diff -up openssl-1.1.0c/test/ecdhtest_cavs.h.build openssl-1.1.0c/test/ecdhtest_cavs.h
--- openssl-1.1.0c/test/ecdhtest_cavs.h.build	2016-11-11 13:26:36.079400491 +0100
-+++ openssl-1.1.0c/test/ecdhtest_cavs.h	2016-11-11 13:26:36.097400901 +0100
-@@ -29,6 +29,7 @@ typedef struct {
- 
- static const ecdh_cavs_kat_t ecdh_cavs_kats[] = {
-     /* curves over prime fields go here */
-+#if 0
-     { NID_X9_62_prime192v1,
-     "42ea6dd9969dd2a61fea1aac7f8e98edcc896c6e55857cc0",
-     "dfbe5d7c61fac88b11811bde328e8a0d12bf01a9d204b523",
-@@ -379,6 +380,7 @@ static const ecdh_cavs_kat_t ecdh_cavs_k
-     "a6b29632db94da2125dc1cf80e03702687b2acc1122022fa2174765a",
-     "61723edd73e10daed73775278f1958ba56f1fc9d085ebc2b64c84fe5",
-     "71954e2261e8510be1a060733671d2e9d0a2d012eb4e09556d697d2a" },
-+#endif
-     { NID_X9_62_prime256v1,
-     "700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287",
-     "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
-diff -up openssl-1.1.0c/test/ecdhtest.c.build openssl-1.1.0c/test/ecdhtest.c
--- openssl-1.1.0c/test/ecdhtest.c.build	2016-11-10 15:03:47.000000000 +0100
-+++ openssl-1.1.0c/test/ecdhtest.c	2016-11-11 13:26:36.097400901 +0100
-@@ -252,6 +252,7 @@ typedef struct {
- 
- static const ecdh_kat_t ecdh_kats[] = {
-     /* Keys and shared secrets from RFC 5114 */
-+#if 0
-     { NID_X9_62_prime192v1,
-     "323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426",
-     "631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62",
-@@ -260,6 +261,7 @@ static const ecdh_kat_t ecdh_kats[] = {
-     "B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F",
-     "AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18",
-     "52272F50F46F4EDC9151569092F46DF2D96ECC3B6DC1714A4EA949FA" },
-+#endif
-     { NID_X9_62_prime256v1,
-     "814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF",
-     "2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41",
-@@ -303,6 +305,7 @@ static const ecdh_kat_t ecdh_kats[] = {
-     "01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04"
-     "D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3"
-     "DDEA" },
-+#if 0
-     /* Keys and shared secrets from RFC 7027 */
-     { NID_brainpoolP256r1,
-     "81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D",
-@@ -322,6 +325,7 @@ static const ecdh_kat_t ecdh_kats[] = {
-     "ABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429",
-     "A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76"
-     "D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F" }
-+#endif
- };
- 
- /* Given private value and NID, create EC_KEY structure */
-diff -up openssl-1.1.0c/test/ecdsatest.c.build openssl-1.1.0c/test/ecdsatest.c
--- openssl-1.1.0c/test/ecdsatest.c.build	2016-11-10 15:03:47.000000000 +0100
-+++ openssl-1.1.0c/test/ecdsatest.c	2016-11-11 13:26:36.097400901 +0100
-@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
-     if (!change_rand())
-         goto x962_err;
- 
-+#if 0
-     if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
-                              "3342403536405981729393488334694600415596881826869351677613",
-                              "5735822328888155254683894997897571951568553642892029982342"))
-@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
-                              "3238135532097973577080787768312505059318910517550078427819"
-                              "78505179448783"))
-         goto x962_err;
-+#endif
- # ifndef OPENSSL_NO_EC2M
-     if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
-                              "87194383164871543355722284926904419997237591535066528048",
--- a/openssl-1.1.0-ec-curves.patch
+++ b/openssl-1.1.0-ec-curves.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.1.0d/apps/speed.c.curves openssl-1.1.0d/apps/speed.c
--- openssl-1.1.0d/apps/speed.c.curves	2017-01-26 14:10:21.000000000 +0100
-+++ openssl-1.1.0d/apps/speed.c	2017-01-26 15:53:33.913324153 +0100
+diff -up openssl-1.1.0e/apps/speed.c.curves openssl-1.1.0e/apps/speed.c
+--- openssl-1.1.0e/apps/speed.c.curves	2017-02-16 12:58:20.000000000 +0100
+++ openssl-1.1.0e/apps/speed.c	2017-02-16 15:46:22.271504354 +0100
@@ -536,42 +536,18 @@ static OPT_PAIR rsa_choices[] = {
 #define R_EC_X25519  16
 #ifndef OPENSSL_NO_EC
@ -44,9 +44,9 @@ diff -up openssl-1.1.0d/apps/speed.c.curves openssl-1.1.0d/apps/speed.c
     {"ecdhx25519", R_EC_X25519},
     {NULL}
 };
-diff -up openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves openssl-1.1.0d/crypto/ec/ecp_smpl.c
--- openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves	2017-01-26 14:10:22.000000000 +0100
-+++ openssl-1.1.0d/crypto/ec/ecp_smpl.c	2017-01-26 15:53:33.913324153 +0100
+diff -up openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves openssl-1.1.0e/crypto/ec/ecp_smpl.c
+--- openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves	2017-02-16 12:58:21.000000000 +0100
+++ openssl-1.1.0e/crypto/ec/ecp_smpl.c	2017-02-16 15:46:22.264504188 +0100
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
         return 0;
     }
@ -59,3 +59,73 @@ diff -up openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves openssl-1.1.0d/crypto/ec/ecp
     if (ctx == NULL) {
         ctx = new_ctx = BN_CTX_new();
         if (ctx == NULL)
+diff -up openssl-1.1.0e/test/ecdhtest_cavs.h.curves openssl-1.1.0e/test/ecdhtest_cavs.h
+--- openssl-1.1.0e/test/ecdhtest_cavs.h.curves	2017-02-16 15:46:22.237503550 +0100
+++ openssl-1.1.0e/test/ecdhtest_cavs.h	2017-02-16 16:08:16.091687111 +0100
+@@ -29,6 +29,7 @@ typedef struct {
+ 
+ static const ecdh_cavs_kat_t ecdh_cavs_kats[] = {
+     /* curves over prime fields go here */
+#if 0
+     { NID_X9_62_prime192v1,
+     "42ea6dd9969dd2a61fea1aac7f8e98edcc896c6e55857cc0",
+     "dfbe5d7c61fac88b11811bde328e8a0d12bf01a9d204b523",
+@@ -204,6 +205,7 @@ static const ecdh_cavs_kat_t ecdh_cavs_k
+     "fcd345a976c720caaa97de6697226825615e1287a9eff67e",
+     "58ea42edbeeafca9ff44cfd7f29abd2cbde7626d79e422c9",
+     "72e88f3ea67d46d46dbf83926e7e2a6b85b54536741e6d2c" },
+#endif
+     { NID_secp224r1,
+     "af33cd0629bc7e996320a3f40368f74de8704fa37b8fab69abaae280",
+     "882092ccbba7930f419a8a4f9bb16978bbc3838729992559a6f2e2d7",
+diff -up openssl-1.1.0e/test/ecdhtest.c.curves openssl-1.1.0e/test/ecdhtest.c
+--- openssl-1.1.0e/test/ecdhtest.c.curves	2017-02-16 12:58:24.000000000 +0100
+++ openssl-1.1.0e/test/ecdhtest.c	2017-02-16 16:07:30.412629758 +0100
+@@ -252,10 +252,12 @@ typedef struct {
+ 
+ static const ecdh_kat_t ecdh_kats[] = {
+     /* Keys and shared secrets from RFC 5114 */
+#if 0
+     { NID_X9_62_prime192v1,
+     "323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426",
+     "631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62",
+     "AD420182633F8526BFE954ACDA376F05E5FF4F837F54FEBE" },
+#endif
+     { NID_secp224r1,
+     "B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F",
+     "AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18",
+@@ -303,6 +305,7 @@ static const ecdh_kat_t ecdh_kats[] = {
+     "01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04"
+     "D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3"
+     "DDEA" },
+#if 0
+     /* Keys and shared secrets from RFC 7027 */
+     { NID_brainpoolP256r1,
+     "81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D",
+@@ -322,6 +325,7 @@ static const ecdh_kat_t ecdh_kats[] = {
+     "ABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429",
+     "A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76"
+     "D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F" }
+#endif
+ };
+ 
+ /* Given private value and NID, create EC_KEY structure */
+diff -up openssl-1.1.0e/test/ecdsatest.c.curves openssl-1.1.0e/test/ecdsatest.c
+--- openssl-1.1.0e/test/ecdsatest.c.curves	2017-02-16 12:58:24.000000000 +0100
+++ openssl-1.1.0e/test/ecdsatest.c	2017-02-16 15:46:22.250503857 +0100
+@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
+     if (!change_rand())
+         goto x962_err;
+ 
+#if 0
+     if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
+                              "3342403536405981729393488334694600415596881826869351677613",
+                              "5735822328888155254683894997897571951568553642892029982342"))
+@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
+                              "3238135532097973577080787768312505059318910517550078427819"
+                              "78505179448783"))
+         goto x962_err;
+#endif
+ # ifndef OPENSSL_NO_EC2M
+     if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
+                              "87194383164871543355722284926904419997237591535066528048",
--- a/openssl-1.1.0-fips.patch
+++ b/openssl-1.1.0-fips.patch
--- a/openssl-1.1.0-system-cipherlist.patch
+++ b/openssl-1.1.0-system-cipherlist.patch
@ -1,7 +1,7 @@
-diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0b/Configurations/unix-Makefile.tmpl
--- openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist	2016-09-26 15:57:34.000000000 +0200
-+++ openssl-1.1.0b/Configurations/unix-Makefile.tmpl	2016-09-26 16:41:17.796148764 +0200
-@@ -157,6 +157,10 @@ MANDIR=$(INSTALLTOP)/share/man
+diff -up openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0e/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist	2017-02-16 16:15:38.658931413 +0100
+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl	2017-02-16 16:15:38.675931806 +0100
+@@ -161,6 +161,10 @@ MANDIR=$(INSTALLTOP)/share/man
 DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
 HTMLDIR=$(DOCDIR)/html
 
@ -12,7 +12,7 @@ diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist open
 # MANSUFFIX is for the benefit of anyone who may want to have a suffix
 # appended after the manpage file section number.  "ssl" is popular,
 # resulting in files such as config.5ssl rather than config.5.
-@@ -167,7 +171,7 @@ HTMLSUFFIX=html
+@@ -171,7 +175,7 @@ HTMLSUFFIX=html
 
 CROSS_COMPILE= {- $config{cross_compile_prefix} -}
 CC= $(CROSS_COMPILE){- $target{cc} -}
@ -21,9 +21,9 @@ diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist open
 CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
 LDFLAGS= {- $target{lflags} -}
 PLIB_LDFLAGS= {- $target{plib_lflags} -}
-diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
--- openssl-1.1.0b/Configure.system-cipherlist	2016-09-26 15:57:34.000000000 +0200
-+++ openssl-1.1.0b/Configure	2016-09-26 16:41:45.002787753 +0200
+diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
+--- openssl-1.1.0e/Configure.system-cipherlist	2017-02-16 12:58:20.000000000 +0100
+++ openssl-1.1.0e/Configure	2017-02-16 16:15:38.679931899 +0100
@@ -18,7 +18,7 @@ use if $^O ne "VMS", 'File::Glob' => qw/
 
 # see INSTALL for instructions.
@ -43,7 +43,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
 # --cross-compile-prefix Add specified prefix to binutils components.
 #
 # --api         One of 0.9.8, 1.0.0 or 1.1.0.  Do not compile support for
-@@ -292,6 +295,7 @@ $config{openssldir}="";
+@@ -293,6 +296,7 @@ $config{openssldir}="";
 $config{processor}="";
 $config{libdir}="";
 $config{cross_compile_prefix}="";
@ -51,7 +51,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
 $config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/";
 my $nofipscanistercheck=0;
 $config{baseaddr}="0xFB00000";
-@@ -716,6 +720,10 @@ foreach (@argvcopy)
+@@ -718,6 +722,10 @@ while (@argvcopy)
 			{
 			$config{baseaddr}="$1";
 			}
@ -62,7 +62,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
 		elsif (/^--cross-compile-prefix=(.*)$/)
 			{
 			$config{cross_compile_prefix}=$1;
-@@ -841,6 +849,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
+@@ -851,6 +859,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
     $target = "Cygwin".$1;
 }
 
@ -71,9 +71,28 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
 foreach (sort (keys %disabled))
 	{
 	$config{options} .= " no-$_";
-diff -up openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist openssl-1.1.0b/include/openssl/ssl.h
--- openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist	2016-09-26 11:46:07.000000000 +0200
-+++ openssl-1.1.0b/include/openssl/ssl.h	2016-09-26 16:58:03.752760070 +0200
+diff -up openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist openssl-1.1.0e/doc/apps/ciphers.pod
+--- openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist	2017-02-16 12:58:22.000000000 +0100
+++ openssl-1.1.0e/doc/apps/ciphers.pod	2017-02-16 16:37:14.043219953 +0100
+@@ -181,6 +181,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
+ 
+ The cipher suites not enabled by B<ALL>, currently B<eNULL>.
+ 
+=item B<PROFILE=SYSTEM>
+
+The list of enabled cipher suites will be loaded from the system crypto policy
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
+See also L<update-crypto-policies(8)>.
+This is the default behavior unless an application explicitly sets a cipher
+list. If used in a cipher list configuration value this string must be at the
+beginning of the cipher list, otherwise it will not be recognized.
+
+ =item B<HIGH>
+ 
+ "high" encryption cipher suites. This currently means those with key lengths
+diff -up openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist openssl-1.1.0e/include/openssl/ssl.h
+--- openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist	2017-02-16 12:58:23.000000000 +0100
+++ openssl-1.1.0e/include/openssl/ssl.h	2017-02-16 16:15:38.676931830 +0100
@@ -201,6 +201,11 @@ extern "C" {
  * throwing out anonymous and unencrypted ciphersuites! (The latter are not
  * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@ -86,9 +105,9 @@ diff -up openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist openssl-1.1.0b/i
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 # define SSL_SENT_SHUTDOWN       1
-diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_ciph.c
--- openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist	2016-09-26 11:46:07.000000000 +0200
-+++ openssl-1.1.0b/ssl/ssl_ciph.c	2016-09-26 16:51:33.056591689 +0200
+diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_ciph.c
+--- openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist	2017-02-16 12:58:23.000000000 +0100
+++ openssl-1.1.0e/ssl/ssl_ciph.c	2017-02-16 16:15:38.691932177 +0100
@@ -1289,6 +1289,50 @@ static int check_suiteb_cipher_list(cons
 }
 #endif
@ -140,7 +159,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
                                              **cipher_list, STACK_OF(SSL_CIPHER)
                                              **cipher_list_by_id,
-@@ -1296,19 +1340,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1296,19 +1341,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
 {
     int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
     uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
@ -173,7 +192,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
 #endif
 
     /*
-@@ -1331,7 +1385,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1331,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
     if (co_list == NULL) {
         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
@ -182,7 +201,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
     }
 
     ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1401,8 +1455,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1401,8 +1456,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      * in force within each class
      */
     if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -192,7 +211,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
     }
 
     /*
-@@ -1447,9 +1500,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1447,9 +1501,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
     ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
     if (ca_list == NULL) {
@ -203,7 +222,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
     }
     ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
                                disabled_mkey, disabled_auth, disabled_enc,
-@@ -1475,8 +1527,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1475,8 +1528,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     OPENSSL_free(ca_list);      /* Not needed anymore */
 
     if (!ok) {                  /* Rule processing failure */
@ -213,7 +232,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
     }
 
     /*
-@@ -1484,8 +1535,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1484,8 +1536,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      * if we cannot get one.
      */
     if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -223,7 +242,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
     }
 
     /*
-@@ -1496,21 +1546,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1496,21 +1547,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
         if (curr->active
             && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
             if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
@ -249,7 +268,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
     }
     sk_SSL_CIPHER_free(*cipher_list);
     *cipher_list = cipherstack;
-@@ -1520,6 +1570,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1520,6 +1571,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
 
     sk_SSL_CIPHER_sort(*cipher_list_by_id);
@ -262,9 +281,9 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
     return (cipherstack);
 }
 
-diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_lib.c
--- openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist	2016-09-26 15:57:34.000000000 +0200
-+++ openssl-1.1.0b/ssl/ssl_lib.c	2016-09-26 16:55:23.668003396 +0200
+diff -up openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0e/ssl/ssl_lib.c
+--- openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist	2017-02-16 16:15:38.673931760 +0100
+++ openssl-1.1.0e/ssl/ssl_lib.c	2017-02-16 16:15:38.692932200 +0100
@@ -509,7 +509,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
 
     sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
@ -274,7 +293,7 @@ diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_l
     if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
         SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
         return (0);
-@@ -2395,7 +2395,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+@@ -2403,7 +2403,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
 #endif
     if (!ssl_create_cipher_list(ret->method,
                                 &ret->cipher_list, &ret->cipher_list_by_id,
@ -283,9 +302,9 @@ diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_l
         || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
         goto err2;
-diff -up openssl-1.1.0b/test/cipherlist_test.c.system-cipherlist openssl-1.1.0b/test/cipherlist_test.c
--- openssl-1.1.0b/test/cipherlist_test.c.system-cipherlist	2016-09-26 11:46:08.000000000 +0200
-+++ openssl-1.1.0b/test/cipherlist_test.c	2016-09-26 17:18:29.380513853 +0200
+diff -up openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist openssl-1.1.0e/test/cipherlist_test.c
+--- openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist	2017-02-16 12:58:24.000000000 +0100
+++ openssl-1.1.0e/test/cipherlist_test.c	2017-02-16 16:15:38.677931853 +0100
@@ -190,7 +190,9 @@ int main(int argc, char **argv)
 {
     int result = 0;
--- a/openssl.spec
+++ b/openssl.spec
@ -21,8 +21,8 @@

 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.1.0d
-Release: 3%{?dist}
+Version: 1.1.0e
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -61,7 +61,6 @@ Patch42: openssl-1.1.0-fips.patch
 Patch43: openssl-1.1.0-afalg-eventfd2.patch
 Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
 # Backported fixes including security fixes
-Patch60: openssl-1.1.0-backports.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -162,8 +161,6 @@ cp %{SOURCE13} test/
 %patch43 -p1 -b .eventfd2
 %patch44 -p1 -b .preserve-nl

-%patch60 -p1 -b .backports
-
 %build
 # Figure out which flags we want to use.
 # default
@ -430,6 +427,10 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig

 %changelog
+* Thu Feb 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0e-1
+- update to upstream version 1.1.0e
+- add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
+
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0d-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (openssl-1.1.0d-hobbled.tar.xz) = 375cecff07762593606d5e3ea145cf3dfad8ab5ce2fa2b696ffa2fbff9b45b929259f481c44d1db475183030e70eb443ae8c73ee9257fb766597032b27654349
+SHA512 (openssl-1.1.0e-hobbled.tar.xz) = 7db753907c211427ed494d92915c255d05faf9b47f22febfffbfe2be602777b6b82d7c71793003c2ebbbf7f67708c80a72aacde2582501ae63761b1090523974