From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: fix SECLEVEL 3 support
Date: Tue, 09 Jun 2026 12:44:21 GMT	[thread overview]
Message-ID: <178100906181.1.14411165683279238448.rpms-openssl-68f387b1c4b5@fedoraproject.org> (raw)

            A new commit has been pushed.

            Repo   : rpms/openssl
            Branch : rebase_40beta
            Commit : 68f387b1c4b565556e15fc49848632b22c47d1af
            Author : Tomas Mraz <tmraz@fedoraproject.org>
            Date   : 2018-10-12T17:35:34+02:00
            Stats  : +39/-19 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/openssl/c/68f387b1c4b565556e15fc49848632b22c47d1af?branch=rebase_40beta

            Log:
            fix SECLEVEL 3 support
fix some issues found in Coverity scan

---
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index 3365a23..069cfde 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -453,11 +453,11 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge
 +    ctx = BN_CTX_new();
 +    if (ctx == NULL)
 +        return -1;
-+    BN_CTX_start(ctx);
 +    if (BN_cmp(dsa->g, BN_value_one()) <= 0)
 +        return 0;
 +    if (BN_cmp(dsa->g, dsa->p) >= 0)
 +        return 0;
++    BN_CTX_start(ctx);
 +    tmp = BN_CTX_get(ctx);
 +    if (tmp == NULL)
 +        goto err;
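Review bot: The two `return 0;` statements at the `BN_cmp()` range checks still leak the context allocated by `BN_CTX_new()` three lines earlier; moving `BN_CTX_start()` below them fixes the unbalanced start/end that Coverity reported, but the early returns still exit without `BN_CTX_free()`. Since the checks only read `dsa->g` and `dsa->p`, the simplest fix is to move both `if (BN_cmp(...)) return 0;` guards above `ctx = BN_CTX_new();`, or to route them through the existing `err` label with the return value set to 0. The enclosing function starts and ends outside this hunk, so the cleanup performed at `err` is not visible here.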
@@ -697,7 +697,7 @@ diff -up openssl-1.1.1/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1/crypto/ec/ecdsa
 +#ifdef OPENSSL_FIPS
 +    if (FIPS_selftest_failed()) {
 +        FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
-+        return NULL;
++        return -1;
 +    }
 +#endif
 +
@@ -2093,7 +2093,7 @@ diff -up openssl-1.1.1/crypto/fips/fips.c.fips openssl-1.1.1/crypto/fips/fips.c
 +    int ret = 0;
 +
 +    if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
-+        return NULL;
++        return 0;
 +
 +    fips_w_lock();
 +    fips_started = 1;
@@ -4255,7 +4255,7 @@ diff -up openssl-1.1.1/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1/crypto/fip
 diff -up openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1/crypto/fips/fips_drbg_rand.c
 --- openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips	2018-09-13 08:51:22.110520923 +0200
 +++ openssl-1.1.1/crypto/fips/fips_drbg_rand.c	2018-09-13 08:51:22.110520923 +0200
-@@ -0,0 +1,183 @@
+@@ -0,0 +1,185 @@
 +/* fips/rand/fips_drbg_rand.c */
 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 + * project.
@@ -4409,21 +4409,23 @@ diff -up openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1/crypto/fi
 +static int fips_drbg_seed(const void *seed, int seedlen)
 +{
 +    DRBG_CTX *dctx = &ossl_dctx;
++    int ret = 1;
 +    CRYPTO_THREAD_write_lock(fips_rand_lock);
 +    if (dctx->rand_seed_cb)
-+        return dctx->rand_seed_cb(dctx, seed, seedlen);
++        ret = dctx->rand_seed_cb(dctx, seed, seedlen);
 +    CRYPTO_THREAD_unlock(fips_rand_lock);
-+    return 1;
++    return ret;
 +}
 +
 +static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
 +{
 +    DRBG_CTX *dctx = &ossl_dctx;
++    int ret = 1;
 +    CRYPTO_THREAD_write_lock(fips_rand_lock);
 +    if (dctx->rand_add_cb)
-+        return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
++        ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
 +    CRYPTO_THREAD_unlock(fips_rand_lock);
-+    return 1;
++    return ret;
 +}
 +
 +static const RAND_METHOD rand_drbg_meth = {
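Review bot: With `rand_seed_cb` or `rand_add_cb` unset, both functions still return 1 after discarding the caller's seed material, so a caller cannot tell that its entropy was never delivered to the DRBG; the lock fix preserves this behaviour without saying so. If that is intended (presumably the FIPS DRBG is reseeded elsewhere), a comment on `int ret = 1;` such as `/* no callback registered: caller-supplied seed is ignored but reported as success */` would spare the next reader the question; if not, `ret` should start at 0. Separately, `CRYPTO_THREAD_write_lock()` returns an int in 1.1.1 and its result is not checked before touching `dctx`, though the failure mode on this path may be considered unrecoverable.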
@@ -9699,7 +9701,7 @@ diff -up openssl-1.1.1/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1/cry
 +        }
 +
 +        for (;;) {
-+            char buf[1024];
++            unsigned char buf[1024];
 +            size_t l = fread(buf, 1, sizeof buf, f);
 +
 +            if (l == 0) {
@@ -9856,8 +9858,12 @@ diff -up openssl-1.1.1/crypto/include/internal/fips_int.h.fips openssl-1.1.1/cry
 +#endif
 diff -up openssl-1.1.1/crypto/o_fips.c.fips openssl-1.1.1/crypto/o_fips.c
 --- openssl-1.1.1/crypto/o_fips.c.fips	2018-09-11 14:48:21.000000000 +0200
-+++ openssl-1.1.1/crypto/o_fips.c	2018-09-13 08:51:22.114520830 +0200
-@@ -11,14 +11,25 @@
++++ openssl-1.1.1/crypto/o_fips.c	2018-10-09 18:12:06.787802422 +0200
+@@ -8,17 +8,28 @@
+  */
+ 
+ #include "internal/cryptlib.h"
++#include "internal/fips_int.h"
  
  int FIPS_mode(void)
  {
@@ -9874,8 +9880,7 @@ diff -up openssl-1.1.1/crypto/o_fips.c.fips openssl-1.1.1/crypto/o_fips.c
 +#ifdef OPENSSL_FIPS
 +    if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
 +        return 1;
-+    if (!FIPS_module_mode_set(r))
-+        return 0;
++    return FIPS_module_mode_set(r);
 +#else
      if (r == 0)
          return 1;

diff --git a/openssl-1.1.1-seclevel.patch b/openssl-1.1.1-seclevel.patch
index 0871c9d..8b6a77a 100644
--- a/openssl-1.1.1-seclevel.patch
+++ b/openssl-1.1.1-seclevel.patch
@@ -1,6 +1,6 @@
 diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
 --- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel	2018-09-11 14:48:22.000000000 +0200
-+++ openssl-1.1.1/crypto/x509/x509_vfy.c	2018-09-14 11:47:39.715317617 +0200
++++ openssl-1.1.1/crypto/x509/x509_vfy.c	2018-10-01 09:52:23.535298908 +0200
 @@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
  }
  
@@ -22,7 +22,7 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509
  }
 diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
 --- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2018-09-11 14:48:22.000000000 +0200
-+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod	2018-09-14 11:47:39.715317617 +0200
++++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod	2018-10-01 09:52:23.535298908 +0200
 @@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
  
  =item B<Level 2>
@@ -38,7 +38,18 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
  
 diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
 --- openssl-1.1.1/ssl/ssl_cert.c.seclevel	2018-09-11 14:48:23.000000000 +0200
-+++ openssl-1.1.1/ssl/ssl_cert.c	2018-09-14 11:47:39.716317598 +0200
++++ openssl-1.1.1/ssl/ssl_cert.c	2018-10-12 15:29:12.673799305 +0200
+@@ -951,8 +951,8 @@ static int ssl_security_default_callback
+             if (level >= 2 && c->algorithm_enc == SSL_RC4)
+                 return 0;
+             /* Level 3: forward secure ciphersuites only */
+-            if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
+-                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
++            if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
++                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+                 return 0;
+             break;
+         }
 @@ -983,6 +983,9 @@ static int ssl_security_default_callback
              return 0;
          break;
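Review bot: The continuation line `!(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))` is still indented to where the removed opening parenthesis aligned it; with the grouping gone it should sit under `c->min_tls`, otherwise the old `||` grouping is easy to misread as still present. The comment `/* Level 3: forward secure ciphersuites only */` also no longer explains the new shape, in which any TLS 1.3 suite passes regardless of `algorithm_mkey`, presumably because 1.3 suites carry no key-exchange bits; suggest `/* TLS 1.3 suites carry no kx bits in algorithm_mkey; their key exchange is negotiated separately */`. That also means a pure-PSK (non-(EC)DHE) TLS 1.3 handshake is not rejected by this check, so if level 3 is meant to forbid it, the restriction has to be enforced where the PSK key-exchange mode is chosen. `ssl_security_default_callback` starts and ends outside this hunk.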
@@ -51,7 +62,7 @@ diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
      }
 diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
 --- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel	2018-09-11 14:48:24.000000000 +0200
-+++ openssl-1.1.1/test/recipes/25-test_verify.t	2018-09-14 12:36:40.021812399 +0200
++++ openssl-1.1.1/test/recipes/25-test_verify.t	2018-10-01 09:52:23.535298908 +0200
 @@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
  ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
      "CA with PSS signature using SHA256");

diff --git a/openssl.spec b/openssl.spec
index dfef25a..705fb24 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -227,7 +227,7 @@ sslarch=linux-generic64
 # marked as not requiring an executable stack.
 # Also add -DPURIFY to make using valgrind with openssl easier as we do not
 # want to depend on the uninitialized memory as a source of entropy anyway.
-RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
 
 export HASHBANGPERL=/usr/bin/perl
 
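Review bot: The comment block above `RPM_OPT_FLAGS` explains `--noexecstack` and `-DPURIFY` but not the newly added `-Wa,--generate-missing-build-notes=yes`, so the line no longer matches its documentation. Suggest adding `# --generate-missing-build-notes makes the assembler emit the build notes gcc would otherwise add, so hand-written .s/.S objects are not reported as lacking them` beside the existing explanation. The option also requires a binutils recent enough to know it (presumably guaranteed on this branch's target release); a comment or BuildRequires noting that would help if the spec is shared with older branches.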
@@ -449,6 +449,10 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-6
+- fix SECLEVEL 3 support
+- fix some issues found in Coverity scan
+
 * Thu Sep 27 2018 Charalampos Stratakis <cstratak@redhat.com> - 1:1.1.1-5
 - Correctly invoke sed for defining OPENSSL_NO_SSL3
 
