public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: Multiple fixes
@ 2026-06-09 12:44 Tomas Mraz
0 siblings, 0 replies; 2+ messages in thread
From: Tomas Mraz @ 2026-06-09 12:44 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : f1c4ba61a3c49079c62cb3cdfbac660d46012b6f
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2019-10-03T17:43:23+02:00
Stats : +178/-8 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/f1c4ba61a3c49079c62cb3cdfbac660d46012b6f?branch=rebase_40beta
Log:
Multiple fixes
re-enable the stitched AES-CBC-SHA implementations
make AES-GCM work in FIPS mode again
enable TLS-1.2 AES-CCM ciphers in FIPS mode
fix openssl speed errors in FIPS mode
---
diff --git a/openssl-1.1.1-aes-asm.patch b/openssl-1.1.1-aes-asm.patch
new file mode 100644
index 0000000..65b8213
--- /dev/null
+++ b/openssl-1.1.1-aes-asm.patch
@@ -0,0 +1,58 @@
+commit 61cc715240d2d3f9511ca88043a3e9797c11482f
+Author: Richard Levitte <levitte@openssl.org>
+Date: Thu Oct 3 08:28:31 2019 +0200
+
+ Define AESNI_ASM if AESNI assembler is included, and use it
+
+ Because we have cases where basic assembler support isn't present, but
+ AESNI asssembler support is, we need a separate macro that indicates
+ that, and use it.
+
+ Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
+ Reviewed-by: Paul Dale <paul.dale@oracle.com>
+ (Merged from https://github.com/openssl/openssl/pull/10080)
+
+diff --git a/Configure b/Configure
+index 811bee81f5..f498ac2f81 100755
+--- a/Configure
++++ b/Configure
+@@ -1376,6 +1376,7 @@ unless ($disabled{asm}) {
+ }
+ if ($target{aes_asm_src}) {
+ push @{$config{lib_defines}}, "AES_ASM" if ($target{aes_asm_src} =~ m/\baes-/);;
++ push @{$config{lib_defines}}, "AESNI_ASM" if ($target{aes_asm_src} =~ m/\baesni-/);;
+ # aes-ctr.fake is not a real file, only indication that assembler
+ # module implements AES_ctr32_encrypt...
+ push @{$config{lib_defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//);
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index c9f5969162..27c36b46e7 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -33,7 +33,7 @@ typedef struct {
+
+ #define NO_PAYLOAD_LENGTH ((size_t)-1)
+
+-#if defined(AES_ASM) && ( \
++#if defined(AESNI_ASM) && ( \
+ defined(__x86_64) || defined(__x86_64__) || \
+ defined(_M_AMD64) || defined(_M_X64) )
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c
+index d5178313ae..cc622b6faa 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha256.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha256.c
+@@ -34,7 +34,7 @@ typedef struct {
+
+ # define NO_PAYLOAD_LENGTH ((size_t)-1)
+
+-#if defined(AES_ASM) && ( \
++#if defined(AESNI_ASM) && ( \
+ defined(__x86_64) || defined(__x86_64__) || \
+ defined(_M_AMD64) || defined(_M_X64) )
+
+@@ -947,4 +947,4 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha256(void)
+ {
+ return NULL;
+ }
+-#endif
++#endif /* AESNI_ASM */
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index fd6633d..9063069 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -11,8 +11,8 @@ diff -up openssl-1.1.1d/apps/pkcs12.c.fips openssl-1.1.1d/apps/pkcs12.c
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
# endif
diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c
---- openssl-1.1.1d/apps/speed.c.fips 2019-09-13 15:13:11.008525884 +0200
-+++ openssl-1.1.1d/apps/speed.c 2019-09-13 15:13:11.022525640 +0200
+--- openssl-1.1.1d/apps/speed.c.fips 2019-10-03 16:51:22.019915908 +0200
++++ openssl-1.1.1d/apps/speed.c 2019-10-03 17:40:09.909994582 +0200
@@ -1595,7 +1595,8 @@ int speed_main(int argc, char **argv)
continue;
if (strcmp(*argv, "rsa") == 0) {
@@ -60,7 +60,7 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c
eddsa_doit[i] = 2;
continue;
}
-@@ -1737,23 +1742,30 @@ int speed_main(int argc, char **argv)
+@@ -1737,23 +1742,31 @@ int speed_main(int argc, char **argv)
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
@@ -87,16 +87,18 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
ecdsa_doit[loop] = 1;
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
- ecdh_doit[loop] = 1;
+- ecdh_doit[loop] = 1;
- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
- eddsa_doit[loop] = 1;
++ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
++ ecdh_doit[loop] = 1;
+ if (!FIPS_mode())
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
+ eddsa_doit[loop] = 1;
#endif
}
for (i = 0; i < ALGOR_NUM; i++)
-@@ -1801,30 +1813,46 @@ int speed_main(int argc, char **argv)
+@@ -1801,30 +1814,46 @@ int speed_main(int argc, char **argv)
AES_set_encrypt_key(key24, 192, &aes_ks2);
AES_set_encrypt_key(key32, 256, &aes_ks3);
#ifndef OPENSSL_NO_CAMELLIA
@@ -153,7 +155,7 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c
#endif
#ifndef SIGALRM
# ifndef OPENSSL_NO_DES
-@@ -2122,6 +2150,7 @@ int speed_main(int argc, char **argv)
+@@ -2122,6 +2151,7 @@ int speed_main(int argc, char **argv)
for (i = 0; i < loopargs_len; i++) {
loopargs[i].hctx = HMAC_CTX_new();
@@ -461,7 +463,7 @@ diff -up openssl-1.1.1d/crypto/dsa/dsa_gen.c.fips openssl-1.1.1d/crypto/dsa/dsa_
+ goto err;
+ }
+
-+ if (FIPS_mode() && (L != 1024 || N != 160) &&
++ if (FIPS_mode() &&
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
+ (L != 3072 || N != 256)) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
@@ -11368,6 +11370,108 @@ diff -up openssl-1.1.1d/include/openssl/rsaerr.h.fips openssl-1.1.1d/include/ope
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
# define RSA_R_VALUE_MISSING 147
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
+diff -up openssl-1.1.1d/ssl/s3_lib.c.fips openssl-1.1.1d/ssl/s3_lib.c
+--- openssl-1.1.1d/ssl/s3_lib.c.fips 2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/ssl/s3_lib.c 2019-10-03 16:53:51.140362311 +0200
+@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+- SSL_HIGH,
++ SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+- SSL_HIGH,
++ SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA384,
+ 256,
+ 256,
+@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+- SSL_NOT_DEFAULT | SSL_HIGH,
++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
diff -up openssl-1.1.1d/ssl/ssl_ciph.c.fips openssl-1.1.1d/ssl/ssl_ciph.c
--- openssl-1.1.1d/ssl/ssl_ciph.c.fips 2019-09-13 15:13:11.019525692 +0200
+++ openssl-1.1.1d/ssl/ssl_ciph.c 2019-09-13 15:13:11.068524836 +0200
diff --git a/openssl.spec b/openssl.spec
index 2f6fdfc..859f4ea 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1d
-Release: 1%{?dist}
+Release: 2%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -67,6 +67,7 @@ Patch51: openssl-1.1.1-upstream-sync.patch
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
Patch54: openssl-1.1.1-regression-fixes.patch
+Patch55: openssl-1.1.1-aes-asm.patch
License: OpenSSL
URL: http://www.openssl.org/
@@ -168,6 +169,7 @@ cp %{SOURCE13} test/
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
%patch54 -p1 -b .regression
+%patch55 -p1 -b .aes-asm
%build
@@ -454,6 +456,12 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Thu Oct 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-2
+- re-enable the stitched AES-CBC-SHA implementations
+- make AES-GCM work in FIPS mode again
+- enable TLS-1.2 AES-CCM ciphers in FIPS mode
+- fix openssl speed errors in FIPS mode
+
* Fri Sep 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-1
- update to the 1.1.1d release
^ permalink raw reply related [flat|nested] 2+ messages in thread* [rpms/openssl] rebase_40beta: Multiple fixes
@ 2026-06-09 12:44 Tomas Mraz
0 siblings, 0 replies; 2+ messages in thread
From: Tomas Mraz @ 2026-06-09 12:44 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 90121b0c9d9f2dd632533e6e51bc7bc3e2550e3c
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2018-09-06T13:48:54+02:00
Stats : +24/-3 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/90121b0c9d9f2dd632533e6e51bc7bc3e2550e3c?branch=rebase_40beta
Log:
Multiple fixes
do not try to initialize RNG in cleanup if it was not initialized
before (#1624554)
use only /dev/urandom if getrandom() is not available
disable SM4
---
diff --git a/openssl-1.1.1-rand-cleanup.patch b/openssl-1.1.1-rand-cleanup.patch
new file mode 100644
index 0000000..5f886c5
--- /dev/null
+++ b/openssl-1.1.1-rand-cleanup.patch
@@ -0,0 +1,13 @@
+diff -up openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup openssl-1.1.1-pre9/crypto/rand/rand_lib.c
+--- openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup 2018-09-06 08:18:19.481566808 +0200
++++ openssl-1.1.1-pre9/crypto/rand/rand_lib.c 2018-09-06 13:28:32.531777065 +0200
+@@ -353,7 +353,8 @@ void rand_cleanup_int(void)
+ if (meth != NULL && meth->cleanup != NULL)
+ meth->cleanup();
+ rand_pool_cleanup();
+- RAND_set_rand_method(NULL);
++ if (meth != NULL)
++ RAND_set_rand_method(NULL);
+ #ifndef OPENSSL_NO_ENGINE
+ CRYPTO_THREAD_lock_free(rand_engine_lock);
+ rand_engine_lock = NULL;
diff --git a/openssl.spec b/openssl.spec
index f3fdd2a..b20e505 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -24,7 +24,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1
-Release: 0.%{prerelease}.2%{?dist}
+Release: 0.%{prerelease}.3%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -59,6 +59,7 @@ Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.0-weak-ciphers.patch
+Patch46: openssl-1.1.1-rand-cleanup.patch
# Backported fixes including security fixes
Patch70: openssl-1.1.1-seclevel-check.patch
@@ -162,6 +163,7 @@ cp %{SOURCE13} test/
%patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
+%patch46 -p1 -b .rand-cleanup
%patch70 -p1 -b .seclevel-check
@@ -243,8 +245,8 @@ export HASHBANGPERL=/usr/bin/perl
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
enable-weak-ssl-ciphers \
- no-mdc2 no-ec2m no-sm2 \
- shared ${sslarch} $RPM_OPT_FLAGS
+ no-mdc2 no-ec2m no-sm2 no-sm4 \
+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update
@@ -451,6 +453,12 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
+* Thu Sep 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3
+- do not try to initialize RNG in cleanup if it was not initialized
+ before (#1624554)
+- use only /dev/urandom if getrandom() is not available
+- disable SM4
+
* Wed Aug 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.2
- fix dangling symlinks to manual pages
- make SSLv3_method work
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-09 12:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:44 [rpms/openssl] rebase_40beta: Multiple fixes Tomas Mraz
-- strict thread matches above, loose matches on Subject: below --
2026-06-09 12:44 Tomas Mraz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox