# For the curious:

# 0.9.5a soversion = 0

# 0.9.6  soversion = 1

# 0.9.6a soversion = 2

# 0.9.6c soversion = 3

# 0.9.7a soversion = 4

# 0.9.7ef soversion = 5

# 0.9.8ab soversion = 6

# 0.9.8g soversion = 7

# 0.9.8jk + EAP-FAST soversion = 8

# 1.0.0 soversion = 10

# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols

#                        depends on build configuration options)

%define soversion 1.1

# Arches on which we need to prevent arch conflicts on opensslconf.h, must

# also be handled in opensslconf-new.h.

%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64

%global _performance_build 1

Summary: Utilities from the general purpose cryptography library with TLS implementation

Name: openssl

Version: 1.1.1g

Release: 9%{?dist}

Epoch: 1

# We have to remove certain patented algorithms from the openssl source

# tarball with the hobble-openssl script which is included below.

# The original openssl upstream tarball cannot be shipped in the .src.rpm.

Source: openssl-%{version}-hobbled.tar.xz

Source1: hobble-openssl

Source2: Makefile.certificate

Source6: make-dummy-cert

Source7: renew-dummy-cert

Source9: opensslconf-new.h

Source10: opensslconf-new-warning.h

Source11: README.FIPS

Source12: ec_curve.c

Source13: ectest.c

# Build changes

Patch1: openssl-1.1.1-build.patch

Patch2: openssl-1.1.1-defaults.patch

Patch3: openssl-1.1.1-no-html.patch

Patch4: openssl-1.1.1-man-rename.patch

# Bug fixes

Patch21: openssl-1.1.0-issuer-hash.patch

# Functionality changes

Patch31: openssl-1.1.1-conf-paths.patch

Patch32: openssl-1.1.1-version-add-engines.patch

Patch33: openssl-1.1.1-apps-dgst.patch

Patch36: openssl-1.1.1-no-brainpool.patch

Patch37: openssl-1.1.1-ec-curves.patch

Patch38: openssl-1.1.1-no-weak-verify.patch

Patch40: openssl-1.1.1-sslv3-keep-abi.patch

Patch41: openssl-1.1.1-system-cipherlist.patch

Patch42: openssl-1.1.1-fips.patch

Patch43: openssl-1.1.1-ignore-bound.patch

Patch44: openssl-1.1.1-version-override.patch

Patch45: openssl-1.1.1-weak-ciphers.patch

Patch46: openssl-1.1.1-seclevel.patch

Patch47: openssl-1.1.1-ts-sha256-default.patch

Patch48: openssl-1.1.1-fips-post-rand.patch

Patch49: openssl-1.1.1-evp-kdf.patch

Patch50: openssl-1.1.1-ssh-kdf.patch

Patch51: openssl-1.1.1-intel-cet.patch

Patch60: openssl-1.1.1-krb5-kdf.patch

Patch61: openssl-1.1.1-edk2-build.patch

Patch62: openssl-1.1.1-fips-curves.patch

Patch65: openssl-1.1.1-fips-drbg-selftest.patch

Patch66: openssl-1.1.1-fips-dh.patch

Patch67: openssl-1.1.1-kdf-selftest.patch

Patch68: openssl-1.1.1-reneg-no-extms.patch

Patch69: openssl-1.1.1-alpn-cb.patch

Patch70: openssl-1.1.1-rewire-fips-drbg.patch

# Backported fixes including security fixes

Patch52: openssl-1.1.1-s390x-update.patch

Patch53: openssl-1.1.1-fips-crng-test.patch

Patch55: openssl-1.1.1-arm-update.patch

Patch56: openssl-1.1.1-s390x-ecc.patch

License: OpenSSL and ASL 2.0

URL: http://www.openssl.org/

BuildRequires: gcc

BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp

BuildRequires: lksctp-tools-devel

BuildRequires: /usr/bin/rename

BuildRequires: /usr/bin/pod2man

BuildRequires: /usr/sbin/sysctl

BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)

BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)

BuildRequires: perl(Time::HiRes)

BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)

Requires: coreutils

Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}

%description

The OpenSSL toolkit provides support for secure communications between

machines. OpenSSL includes a certificate management tool and shared

libraries which provide various cryptographic algorithms and

protocols.

%package libs

Summary: A general purpose cryptography library with TLS implementation

Requires: ca-certificates >= 2008-5

Requires: crypto-policies >= 20180730

Recommends: openssl-pkcs11%{?_isa}

# Needed obsoletes due to the base/lib subpackage split

Obsoletes: openssl < 1:1.0.1-0.3.beta3

Obsoletes: openssl-fips < 1:1.0.1e-28

Provides: openssl-fips = %{epoch}:%{version}-%{release}

%description libs

OpenSSL is a toolkit for supporting cryptography. The openssl-libs

package contains the libraries that are used by various applications which

support cryptographic algorithms and protocols.

%package devel

Summary: Files for development of applications which will use OpenSSL

Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}

Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}

Requires: pkgconfig

%description devel

OpenSSL is a toolkit for supporting cryptography. The openssl-devel

package contains include files needed to develop applications which

support various cryptographic algorithms and protocols.

%package static

Summary:  Libraries for static linking of applications which will use OpenSSL

Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}

%description static

OpenSSL is a toolkit for supporting cryptography. The openssl-static

package contains static libraries needed for static linking of

applications which support various cryptographic algorithms and

protocols.

%package perl

Summary: Perl scripts provided with OpenSSL

Requires: perl-interpreter

Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}

%description perl

OpenSSL is a toolkit for supporting cryptography. The openssl-perl

package provides Perl scripts for converting certificates and keys

from other formats to the formats used by the OpenSSL toolkit.

%prep

%setup -q -n %{name}-%{version}

# The hobble_openssl is called here redundantly, just to be sure.

# The tarball has already the sources removed.

%{SOURCE1} > /dev/null

cp %{SOURCE12} crypto/ec/

cp %{SOURCE13} test/

%patch1 -p1 -b .build   %{?_rawbuild}

%patch2 -p1 -b .defaults

%patch3 -p1 -b .no-html  %{?_rawbuild}

%patch4 -p1 -b .man-rename

%patch21 -p1 -b .issuer-hash

%patch31 -p1 -b .conf-paths

%patch32 -p1 -b .version-add-engines

%patch33 -p1 -b .dgst

%patch36 -p1 -b .no-brainpool

%patch37 -p1 -b .curves

%patch38 -p1 -b .no-weak-verify

%patch40 -p1 -b .sslv3-abi

%patch41 -p1 -b .system-cipherlist

%patch42 -p1 -b .fips

%patch43 -p1 -b .ignore-bound

%patch44 -p1 -b .version-override

%patch45 -p1 -b .weak-ciphers

%patch46 -p1 -b .seclevel

%patch47 -p1 -b .ts-sha256-default

%patch48 -p1 -b .fips-post-rand

%patch49 -p1 -b .evp-kdf

%patch50 -p1 -b .ssh-kdf

%patch51 -p1 -b .intel-cet

%patch52 -p1 -b .s390x-update

%patch53 -p1 -b .crng-test

%patch55 -p1 -b .arm-update

%patch56 -p1 -b .s390x-ecc

%patch60 -p1 -b .krb5-kdf

%patch61 -p1 -b .edk2-build

%patch62 -p1 -b .fips-curves

%patch65 -p1 -b .drbg-selftest

%patch66 -p1 -b .fips-dh

%patch67 -p1 -b .kdf-selftest

%patch68 -p1 -b .reneg-no-extms

%patch69 -p1 -b .alpn-cb

%patch70 -p1 -b .rewire-fips-drbg

%build

# Figure out which flags we want to use.

# default

sslarch=%{_os}-%{_target_cpu}

%ifarch %ix86

sslarch=linux-elf

if ! echo %{_target} | grep -q i686 ; then

	sslflags="no-asm 386"

fi

%endif

%ifarch x86_64

sslflags=enable-ec_nistp_64_gcc_128

%endif

%ifarch sparcv9

sslarch=linux-sparcv9

sslflags=no-asm

%endif

%ifarch sparc64

sslarch=linux64-sparcv9

sslflags=no-asm

%endif

%ifarch alpha alphaev56 alphaev6 alphaev67

sslarch=linux-alpha-gcc

%endif

%ifarch s390 sh3eb sh4eb

sslarch="linux-generic32 -DB_ENDIAN"

%endif

%ifarch s390x

sslarch="linux64-s390x"

%endif

%ifarch %{arm}

sslarch=linux-armv4

%endif

%ifarch aarch64

sslarch=linux-aarch64

sslflags=enable-ec_nistp_64_gcc_128

%endif

%ifarch sh3 sh4

sslarch=linux-generic32

%endif

%ifarch ppc64 ppc64p7

sslarch=linux-ppc64

%endif

%ifarch ppc64le

sslarch="linux-ppc64le"

sslflags=enable-ec_nistp_64_gcc_128

%endif

%ifarch mips mipsel

sslarch="linux-mips32 -mips32r2"

%endif

%ifarch mips64 mips64el

sslarch="linux64-mips64 -mips64r2"

%endif

%ifarch mips64el

sslflags=enable-ec_nistp_64_gcc_128

%endif

%ifarch riscv64

sslarch=linux-generic64

%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be

# marked as not requiring an executable stack.

# Also add -DPURIFY to make using valgrind with openssl easier as we do not

# want to depend on the uninitialized memory as a source of entropy anyway.

RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

# ia64, x86_64, ppc are OK by default

# Configure the build tree.  Override OpenSSL defaults with known-good defaults

# usable on all platforms.  The Configure script already knows to use -fPIC and

# RPM_OPT_FLAGS, so we can skip specifiying them here.

./Configure \

	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \

	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \

	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \

	enable-cms enable-md2 enable-rc5\

	enable-weak-ssl-ciphers \

	no-mdc2 no-ec2m no-sm2 no-sm4 \

	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'

# Do not run this in a production package the FIPS symbols must be patched-in

#util/mkdef.pl crypto update

make all

# Overwrite FIPS README

cp -f %{SOURCE11} .

# Clean up the .pc files

for i in libcrypto.pc libssl.pc openssl.pc ; do

  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i

done

%check

# Verify that what was compiled actually works.

# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check

(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \

(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&

 sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \

 touch -r configdata.pm configdata.pm.new && \

 mv -f configdata.pm.new configdata.pm)

# We must revert patch31 before tests otherwise they will fail

patch -p1 -R < %{PATCH31}

LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}

export LD_LIBRARY_PATH

crypto/fips/fips_standalone_hmac libcrypto.so.%{soversion} >.libcrypto.so.%{soversion}.hmac

ln -s .libcrypto.so.%{soversion}.hmac .libcrypto.so.hmac

crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}.hmac

ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac

OPENSSL_ENABLE_MD5_VERIFY=

export OPENSSL_ENABLE_MD5_VERIFY

OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file

export OPENSSL_SYSTEM_CIPHERS_OVERRIDE

make test

# Add generation of HMAC checksum of the final stripped library

%define __spec_install_post \

    %{?__debug_package:%{__debug_install_post}} \

    %{__arch_install_post} \

    %{__os_install_post} \

    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \

    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \

    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \

    ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \

%{nil}

%define __provides_exclude_from %{_libdir}/openssl

%install

[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

# Install OpenSSL.

install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}

make DESTDIR=$RPM_BUILD_ROOT install

rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}

for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do

	chmod 755 ${lib}

	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`

	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}

done

# Install a makefile for generating keys and self-signed certs, and a script

# for generating them on the fly.

mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs

install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate

install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert

install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert

# Move runable perl scripts to bindir

mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}

mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}

# Drop the SSLv3 methods from includes

sed -i '/ifndef OPENSSL_NO_SSL3_METHOD/,+4d' $RPM_BUILD_ROOT%{_includedir}/openssl/ssl.h

# Rename man pages so that they don't conflict with other system man pages.

pushd $RPM_BUILD_ROOT%{_mandir}

ln -s -f config.5 man5/openssl.cnf.5

for manpage in man*/* ; do

	if [ -L ${manpage} ]; then

		TARGET=`ls -l ${manpage} | awk '{ print $NF }'`

		ln -snf ${TARGET}ssl ${manpage}ssl

		rm -f ${manpage}

	else

		mv ${manpage} ${manpage}ssl

	fi

done

for conflict in passwd rand ; do

	rename ${conflict} ssl${conflict} man*/${conflict}*

# Fix dangling symlinks

	manpage=man1/openssl-${conflict}.*

	if [ -L ${manpage} ] ; then

		ln -snf ssl${conflict}.1ssl ${manpage}

	fi

done

popd

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA

mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts

# Ensure the config file timestamps are identical across builds to avoid

# mulitlib conflicts and unnecessary renames on upgrade

touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf

touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist

# Determine which arch opensslconf.h is going to try to #include.

basearch=%{_arch}

%ifarch %{ix86}

basearch=i386

%endif

%ifarch sparcv9

basearch=sparc

%endif

%ifarch sparc64

basearch=sparc64

%endif

%ifarch %{multilib_arches}

# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you

# can have both a 32- and 64-bit version of the library, and they each need

# their own correct-but-different versions of opensslconf.h to be usable.

install -m644 %{SOURCE10} \

	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h

cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \

	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h

install -m644 %{SOURCE9} \

	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h

%endif

LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}

export LD_LIBRARY_PATH

%files

%{!?_licensedir:%global license %%doc}

%license LICENSE

%doc FAQ NEWS README README.FIPS

%{_bindir}/make-dummy-cert

%{_bindir}/renew-dummy-cert

%{_bindir}/openssl

%{_mandir}/man1*/*

%{_mandir}/man5*/*

%{_mandir}/man7*/*

%{_pkgdocdir}/Makefile.certificate

%exclude %{_mandir}/man1*/*.pl*

%exclude %{_mandir}/man1*/c_rehash*

%exclude %{_mandir}/man1*/tsget*

%exclude %{_mandir}/man1*/openssl-tsget*

%files libs

%{!?_licensedir:%global license %%doc}

%license LICENSE

%dir %{_sysconfdir}/pki/tls

%dir %{_sysconfdir}/pki/tls/certs

%dir %{_sysconfdir}/pki/tls/misc

%dir %{_sysconfdir}/pki/tls/private

%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf

%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf

%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}

%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}

%attr(0755,root,root) %{_libdir}/libssl.so.%{version}

%attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}

%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac

%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac

%attr(0755,root,root) %{_libdir}/engines-%{soversion}

%files devel

%doc CHANGES doc/dir-locals.example.el doc/openssl-c-indent.el

%{_prefix}/include/openssl

%{_libdir}/*.so

%{_mandir}/man3*/*

%{_libdir}/pkgconfig/*.pc

%files static

%{_libdir}/*.a

%files perl

%{_bindir}/c_rehash

%{_bindir}/*.pl

%{_bindir}/tsget

%{_mandir}/man1*/*.pl*

%{_mandir}/man1*/c_rehash*

%{_mandir}/man1*/tsget*

%{_mandir}/man1*/openssl-tsget*

%dir %{_sysconfdir}/pki/CA

%dir %{_sysconfdir}/pki/CA/private

%dir %{_sysconfdir}/pki/CA/certs

%dir %{_sysconfdir}/pki/CA/crl

%dir %{_sysconfdir}/pki/CA/newcerts

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%changelog

* Tue Jun 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9

- Rewire FIPS_drbg API to use the RAND_DRBG

- Use the well known DH groups in TLS even for 2048 and 1024 bit parameters

* Mon Jun  8 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7

- Disallow dropping Extended Master Secret extension

  on renegotiation

- Return alert from s_server if ALPN protocol does not match

- SHA1 is allowed in @SECLEVEL=2 only if allowed by

  TLS SigAlgs configuration

* Wed Jun  3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6

- Add FIPS selftest for PBKDF2 and KBKDF

* Wed May 27 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-5

- Allow only well known DH groups in the FIPS mode

* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1

- update to the 1.1.1g release

- FIPS module installed state definition is modified

* Thu Mar  5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-15

- add selftest of the RAND_DRBG implementation

* Wed Feb 19 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-14

- fix incorrect error return value from FIPS_selftest_dsa

- S390x: properly restore SIGILL signal handler

* Wed Dec  4 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-12

- additional fix for the edk2 build

* Tue Nov 26 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-9

- disallow use of SHA-1 signatures in TLS in FIPS mode

* Mon Nov 25 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-8

- fix CVE-2019-1547 - side-channel weak encryption vulnerability

- fix CVE-2019-1563 - padding oracle in CMS API

- fix CVE-2019-1549 - ensure fork safety of the DRBG

- fix handling of non-FIPS allowed EC curves in FIPS mode

- fix TLS compliance issues

* Thu Nov 21 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-7

- backported ARM performance fixes from master

* Wed Nov 20 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6

- backport of S390x ECC CPACF enhancements from master

- FIPS mode: properly disable 1024 bit DSA key generation

- FIPS mode: skip ED25519 and ED448 algorithms in openssl speed

- FIPS mode: allow AES-CCM ciphersuites

* Tue Nov 19 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-5

- make the code suitable for edk2 build

* Thu Nov 14 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4

- backport of SSKDF from master

* Wed Nov 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3

- backport of KBKDF and KRB5KDF from master

* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2

- do not try to use EC groups disallowed in FIPS mode

  in TLS

- fix Valgrind regression with constant-time code

* Mon Jun  3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1

- update to the 1.1.1c release

* Fri May 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-6

- adjust the default cert pbe algorithm for pkcs12 -export

  in the FIPS mode

* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-5

- Fix small regressions related to the rebase

* Tue May  7 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-3

- FIPS compliance fixes

* Tue May  7 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-1

- update to the 1.1.1b release

- EVP_KDF API backport from master

- SSH KDF implementation for EVP_KDF API backport from master

- add S390x chacha20-poly1305 assembler support from master branch

* Fri Dec 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-8

- make openssl ts default to using SHA256 digest

* Wed Nov 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-7

- use /dev/urandom for seeding the RNG in FIPS POST

* Mon Oct 15 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-6

- make SECLEVEL=3 work

* Tue Oct  9 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-5

- fix defects found in Coverity scan

* Mon Oct  1 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-4

- drop SSLv3 support

* Tue Sep 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3

- drop the TLS-1.3 version revert

* Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2

- disable RC4-MD5 ciphersuites completely

* Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1

- update to the final 1.1.1 version

- for consistent support of security policies we build

  RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2

- use only /dev/urandom if getrandom() is not available

- disable SM4

* Thu Aug 23 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1

- update to the latest 1.1.1 beta version

- temporarily revert TLS-1.3 to draft 28 version

* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.4

- bidirectional shutdown fixes from upstream

* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.3

- do not put error on stack when using fixed protocol version

  with the default config (#1615098)

* Fri Jul 27 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.2

- load crypto policy config file from the default config

* Wed Jul 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8

- update to the latest 1.1.1 beta version

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0h-6

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Tue Jun 19 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-5

- fix FIPS RSA key generation failure

* Mon Jun  4 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-4

- ppc64le is not multilib arch (#1584994)

* Tue Apr  3 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-3

- fix regression of c_rehash (#1562953)

* Thu Mar 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-2

- fix FIPS symbol versions

* Thu Mar 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-1

- update to upstream version 1.1.0h

- add Recommends for openssl-pkcs11

* Fri Feb 23 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-6

- one more try to apply RPM_LD_FLAGS properly (#1541033)

- dropped unneeded starttls xmpp patch (#1417017)

* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0g-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Thu Feb  1 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-4

- apply RPM_LD_FLAGS properly (#1541033)

* Thu Jan 11 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-3

- silence the .rnd write failure as that is auxiliary functionality (#1524833)

* Thu Dec 14 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-2

- put the Makefile.certificate in pkgdocdir and drop the requirement on make

* Fri Nov  3 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-1

- update to upstream version 1.1.0g

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0f-9

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0f-8

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Mon Jul 17 2017 Tomáš Mráz <tmraz@redhat.com> 1:1.1.0f-7

- make s_client and s_server work with -ssl3 option (#1471783)

* Thu Jul 13 2017 Petr Pisar <ppisar@redhat.com> - 1:1.1.0f-6

- perl dependency renamed to perl-interpreter

  <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules>

* Mon Jun 26 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-5

- disable verification of all insecure hashes

* Fri Jun 23 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-4

- make DTLS work (#1462541)

* Thu Jun 15 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-3

- enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)

* Mon Jun  5 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-2

- only release thread-local key if we created it (from upstream) (#1458775)

* Fri Jun  2 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-1

- update to upstream version 1.1.0f

- SRP and GOST is now allowed, note that GOST support requires

  adding GOST engine which is not part of openssl anymore

* Thu Feb 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0e-1

- update to upstream version 1.1.0e

- add documentation of the PROFILE=SYSTEM special cipher string (#1420232)

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0d-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Wed Feb  1 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0d-2

- applied upstream fixes (fix regression in X509_CRL_digest)

* Thu Jan 26 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0d-1

- update to upstream version 1.1.0d

* Thu Dec 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-5

- preserve new line in fd BIO BIO_gets() as other BIOs do

* Fri Dec  2 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-4

- FIPS mode fixes for TLS

* Wed Nov 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-3

- revert SSL_read() behavior change - patch from upstream (#1394677)

- fix behavior on client certificate request in renegotiation (#1393579)

* Tue Nov 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-2

- EC curve NIST P-224 is now allowed, still kept disabled in TLS due

  to less than optimal security

* Fri Nov 11 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-1

- update to upstream version 1.1.0c

* Fri Nov  4 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0b-4

- use a random seed if the supplied one did not generate valid

  parameters in dsa_builtin_paramgen2()

* Wed Oct 12 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0b-3

- do not break contract on return value when using dsa_builtin_paramgen2()

* Wed Oct 12 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0b-2

- fix afalg failure on big endian

* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0b-1

- update to upstream version 1.1.0b

* Fri Oct 07 2016 Richard W.M. Jones <rjones@redhat.com> - 1:1.0.2j-2