From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: FIPS mode fixes for TLS
Date: Tue, 09 Jun 2026 12:43:57 GMT	[thread overview]
Message-ID: <178100903715.1.13035677370415559633.rpms-openssl-836560b32277@fedoraproject.org> (raw)

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 836560b322770ee91c04b6fe7088cc0abbe34f81
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2016-12-02T17:32:17+01:00
Stats  : +54/-1 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/836560b322770ee91c04b6fe7088cc0abbe34f81?branch=rebase_40beta

Log:
FIPS mode fixes for TLS

---
diff --git a/openssl-1.1.0-fips.patch b/openssl-1.1.0-fips.patch
index c7009ed..0a24b0d 100644
--- a/openssl-1.1.0-fips.patch
+++ b/openssl-1.1.0-fips.patch
@@ -12018,6 +12018,28 @@ diff -up openssl-1.1.0c/include/openssl/rsa.h.fips openssl-1.1.0c/include/openss
  # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   148
  # define RSA_R_PADDING_CHECK_FAILED                       114
  # define RSA_R_PKCS_DECODING_ERROR                        159
+diff -up openssl-1.1.0c/ssl/ssl_ciph.c.fips openssl-1.1.0c/ssl/ssl_ciph.c
+--- openssl-1.1.0c/ssl/ssl_ciph.c.fips	2016-11-30 15:31:14.000000000 +0100
++++ openssl-1.1.0c/ssl/ssl_ciph.c	2016-12-02 16:01:58.250067386 +0100
+@@ -404,7 +404,8 @@ void ssl_load_ciphers(void)
+         }
+     }
+     /* Make sure we can access MD5 and SHA1 */
+-    OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
++    if (!FIPS_mode())
++        OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
+     OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
+ 
+     disabled_mkey_mask = 0;
+@@ -687,7 +688,7 @@ static void ssl_cipher_collect_ciphers(c
+         /* drop those that use any of that is not available */
+         if (c == NULL || !c->valid)
+             continue;
+-        if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
++        if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))
+             continue;
+         if ((c->algorithm_mkey & disabled_mkey) ||
+             (c->algorithm_auth & disabled_auth) ||
 diff -up openssl-1.1.0c/ssl/ssl_init.c.fips openssl-1.1.0c/ssl/ssl_init.c
 --- openssl-1.1.0c/ssl/ssl_init.c.fips	2016-11-10 15:03:46.000000000 +0100
 +++ openssl-1.1.0c/ssl/ssl_init.c	2016-11-11 13:31:51.379604771 +0100
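Review bot: The new `if (!FIPS_mode())` guard in ssl_load_ciphers is unbraced and sits directly above the SHA1 `OPENSSL_assert`, which has to stay unconditional. Bracing it (`if (!FIPS_mode()) {` … `}`) keeps a later edit from pulling the SHA1 check under the guard or pushing the MD5 check out of it. The comment above is no longer accurate in FIPS mode and could read `/* Make sure we can access SHA1, and MD5 unless in FIPS mode */`. With the assert skipped, `ssl_digest_methods[SSL_MD_MD5_IDX]` may be NULL in FIPS mode, so every later reader of that slot needs a NULL check. The rest of ssl_load_ciphers lies outside the hunk, so whether those checks exist is not visible here.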
@@ -12064,6 +12086,34 @@ diff -up openssl-1.1.0c/ssl/ssl_init.c.fips openssl-1.1.0c/ssl/ssl_init.c
  #ifndef OPENSSL_NO_COMP
  # ifdef OPENSSL_INIT_DEBUG
      fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
+diff -up openssl-1.1.0c/ssl/ssl_lib.c.fips openssl-1.1.0c/ssl/ssl_lib.c
+--- openssl-1.1.0c/ssl/ssl_lib.c.fips	2016-11-30 15:31:14.000000000 +0100
++++ openssl-1.1.0c/ssl/ssl_lib.c	2016-12-02 16:31:12.108604595 +0100
+@@ -2405,13 +2405,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+     if (ret->param == NULL)
+         goto err;
+ 
+-    if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
+-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+-        goto err2;
+-    }
+-    if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
+-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+-        goto err2;
++    if (!FIPS_mode()) {
++        if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
++            SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
++            goto err2;
++        }
++        if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
++            SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
++            goto err2;
++        }
++    } else {
++        ret->min_proto_version = TLS1_VERSION;
+     }
+ 
+     if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL)
 diff -up openssl-1.1.0c/test/dsatest.c.fips openssl-1.1.0c/test/dsatest.c
 --- openssl-1.1.0c/test/dsatest.c.fips	2016-11-10 15:03:47.000000000 +0100
 +++ openssl-1.1.0c/test/dsatest.c	2016-11-11 13:31:51.380604793 +0100
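Review bot: In the FIPS branch of SSL_CTX_new, `ret->md5` and `ret->sha1` are never assigned, and the only thing keeping SSLv3 off is the default `ret->min_proto_version = TLS1_VERSION`, which a caller can presumably lower again after the context is created. If that is possible, an SSLv3 handshake could reach code that uses those digest pointers while they are unset. Clamping the floor in the min-version setter and at version negotiation whenever FIPS_mode() is set would turn the default into an enforced limit. At minimum, a comment on the else branch such as `/* FIPS: ssl3-md5/ssl3-sha1 are not loaded, so SSLv3 must stay disabled */` would record the dependency. The function starts and ends outside the hunk, so how `ret` is initialised is not visible here.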

diff --git a/openssl.spec b/openssl.spec
index bb7d0ba..ec410fc 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.0c
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -430,6 +430,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Dec  2 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-4
+- FIPS mode fixes for TLS
+
 * Wed Nov 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-3
 - revert SSL_read() behavior change - patch from upstream (#1394677)
 - fix behavior on client certificate request in renegotiation (#1393579)
