public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: Update patches to make ELN build happy
@ 2026-06-09 12:45 Dmitry Belyavskiy
0 siblings, 0 replies; only message in thread
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : b5f6fd82161d63be6a8c69ca9bfca99d6feb9bad
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2022-09-12T11:39:39+02:00
Stats : +322/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/b5f6fd82161d63be6a8c69ca9bfca99d6feb9bad?branch=rebase_40beta
Log:
Update patches to make ELN build happy
Resolves: rhbz#2123755
---
diff --git a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test-eln.patch b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test-eln.patch
new file mode 100644
index 0000000..0b6a9fb
--- /dev/null
+++ b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test-eln.patch
@@ -0,0 +1,313 @@
+From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Fri, 15 Jul 2022 17:45:40 +0200
+Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test
+
+In review for FIPS 140-3, the lack of a self-test for the digest_sign
+and digest_verify provider functions was highlighted as a problem. NIST
+no longer provides ACVP tests for the RSA SigVer primitive (see
+https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3
+recommends the use of functions that compute the digest and signature
+within the module, we have been advised in our module review that the
+self tests should also use the combined digest and signature APIs, i.e.
+the digest_sign and digest_verify provider functions.
+
+Modify the signature self-test to use these instead by switching to
+EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to
+crypto/evp/m_sigver.c to make these functions usable in the FIPS module.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------
+ providers/fips/self_test_kats.c | 37 +++++++++++++++-------------
+ 2 files changed, 56 insertions(+), 24 deletions(-)
+
+diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
+index db1a1d7bc3..c94c3c53bd 100644
+--- a/crypto/evp/m_sigver.c
++++ b/crypto/evp/m_sigver.c
+@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
+ ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
+ return 0;
+ }
++#endif /* !defined(FIPS_MODULE) */
+
+ /*
+ * If we get the "NULL" md then the name comes back as "UNDEF". We want to use
+@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ reinit = 0;
+ if (e == NULL)
+ ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
++#ifndef FIPS_MODULE
+ else
+ ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
++#endif /* !defined(FIPS_MODULE) */
+ }
+ if (ctx->pctx == NULL)
+ return 0;
+@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ locpctx = ctx->pctx;
+ ERR_set_mark();
+
++#ifndef FIPS_MODULE
+ if (evp_pkey_ctx_is_legacy(locpctx))
+ goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+
+ /* do not reinitialize if pkey is set or operation is different */
+ if (reinit
+@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ signature =
+ evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
+ supported_sig, locpctx->propquery);
++#ifndef FIPS_MODULE
+ if (signature == NULL)
+ goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+ break;
+ }
+ if (signature == NULL)
+@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
+ if (ctx->fetched_digest != NULL) {
+ ctx->digest = ctx->reqdigest = ctx->fetched_digest;
++#ifndef FIPS_MODULE
+ } else {
+ /* legacy engine support : remove the mark when this is deleted */
+ ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
+@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+ goto err;
+ }
++#endif /* !defined(FIPS_MODULE) */
+ }
+ (void)ERR_pop_to_mark();
+ }
+ }
+
++#ifndef FIPS_MODULE
+ if (ctx->reqdigest != NULL
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ goto err;
+ }
+ }
++#endif /* !defined(FIPS_MODULE) */
+
+ if (ver) {
+ if (signature->digest_verify_init == NULL) {
+@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ EVP_KEYMGMT_free(tmp_keymgmt);
+ return 0;
+
++#ifndef FIPS_MODULE
+ legacy:
+ /*
+ * If we don't have the full support we need with provided methods,
+@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ ctx->pctx->flag_call_digest_custom = 1;
+
+ ret = 1;
++#endif /* !defined(FIPS_MODULE) */
+
+ end:
+ #ifndef FIPS_MODULE
+@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+ return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
+ NULL);
+ }
+-#endif /* FIPS_MDOE */
+
+ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
+ {
+@@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
+ return EVP_DigestUpdate(ctx, data, dsize);
+ }
+
+-#ifndef FIPS_MODULE
+ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+ size_t *siglen)
+ {
+- int sctx = 0, r = 0;
+- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
++ int r = 0;
++#ifndef FIPS_MODULE
++ int sctx = 0;
++ EVP_PKEY_CTX *dctx;
++#endif /* !defined(FIPS_MODULE) */
++ EVP_PKEY_CTX *pctx = ctx->pctx;
+
++#ifndef FIPS_MODULE
+ if (pctx == NULL
+ || pctx->operation != EVP_PKEY_OP_SIGNCTX
+ || pctx->op.sig.algctx == NULL
+ || pctx->op.sig.signature == NULL)
+ goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+
+ if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
+ return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
+ sigret, siglen,
+ sigret == NULL ? 0 : *siglen);
++#ifndef FIPS_MODULE
+ dctx = EVP_PKEY_CTX_dup(pctx);
+ if (dctx == NULL)
+ return 0;
+@@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+ sigret, siglen,
+ *siglen);
+ EVP_PKEY_CTX_free(dctx);
++#endif /* defined(FIPS_MODULE) */
+ return r;
+
++#ifndef FIPS_MODULE
+ legacy:
+ if (pctx == NULL || pctx->pmeth == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+ }
+ }
+ return 1;
++#endif /* !defined(FIPS_MODULE) */
+ }
+
+ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
+@@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
+ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+ size_t siglen)
+ {
+- unsigned char md[EVP_MAX_MD_SIZE];
+ int r = 0;
++#ifndef FIPS_MODULE
++ unsigned char md[EVP_MAX_MD_SIZE];
+ unsigned int mdlen = 0;
+ int vctx = 0;
+- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
++ EVP_PKEY_CTX *dctx;
++#endif /* !defined(FIPS_MODULE) */
++ EVP_PKEY_CTX *pctx = ctx->pctx;
+
++#ifndef FIPS_MODULE
+ if (pctx == NULL
+ || pctx->operation != EVP_PKEY_OP_VERIFYCTX
+ || pctx->op.sig.algctx == NULL
+ || pctx->op.sig.signature == NULL)
+ goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+
+ if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
+ return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
+ sig, siglen);
++#ifndef FIPS_MODULE
+ dctx = EVP_PKEY_CTX_dup(pctx);
+ if (dctx == NULL)
+ return 0;
+@@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+ r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx,
+ sig, siglen);
+ EVP_PKEY_CTX_free(dctx);
++#endif /* !defined(FIPS_MODULE) */
+ return r;
+
++#ifndef FIPS_MODULE
+ legacy:
+ if (pctx == NULL || pctx->pmeth == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+ if (vctx || !r)
+ return r;
+ return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
++#endif /* !defined(FIPS_MODULE) */
+ }
+
+ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
+@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
+ return -1;
+ return EVP_DigestVerifyFinal(ctx, sigret, siglen);
+ }
+-#endif /* FIPS_MODULE */
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index b6d5e8e134..77eec075e6 100644
+--- a/providers/fips/self_test_kats.c
++++ b/providers/fips/self_test_kats.c
+@@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t,
+ int ret = 0;
+ OSSL_PARAM *params = NULL, *params_sig = NULL;
+ OSSL_PARAM_BLD *bld = NULL;
++ EVP_MD *md = NULL;
++ EVP_MD_CTX *ctx = NULL;
+ EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
+ EVP_PKEY *pkey = NULL;
+- unsigned char sig[256];
+ BN_CTX *bnctx = NULL;
+ BIGNUM *K = NULL;
++ const char *msg = "Hello World!";
++ unsigned char sig[256];
+ size_t siglen = sizeof(sig);
+ static const unsigned char dgst[] = {
+ 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
+@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
+ || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err;
+
+- /* Create a EVP_PKEY_CTX to use for the signing operation */
+- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
+- if (sctx == NULL
+- || EVP_PKEY_sign_init(sctx) <= 0)
+- goto err;
+-
+- /* set signature parameters */
+- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
+- t->mdalgorithm,
+- strlen(t->mdalgorithm) + 1))
+- goto err;
++ /* Create a EVP_MD_CTX to use for the signature operation, assign signature
++ * parameters and sign */
+ params_sig = OSSL_PARAM_BLD_to_param(bld);
+- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
++ md = EVP_MD_fetch(libctx, "SHA256", NULL);
++ ctx = EVP_MD_CTX_new();
++ if (md == NULL || ctx == NULL)
++ goto err;
++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
++ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
++ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
++ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
++ || EVP_MD_CTX_reset(ctx) <= 0)
+ goto err;
+
+- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
+- || EVP_PKEY_verify_init(sctx) <= 0
++ /* sctx is not freed automatically inside the FIPS module */
++ EVP_PKEY_CTX_free(sctx);
++ sctx = NULL;
++
++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
++ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+ goto err;
+
+@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
+ goto err;
+
+ OSSL_SELF_TEST_oncorrupt_byte(st, sig);
+- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
++ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
+ goto err;
+ ret = 1;
+ err:
+ BN_CTX_free(bnctx);
+ EVP_PKEY_free(pkey);
+- EVP_PKEY_CTX_free(kctx);
++ EVP_MD_free(md);
++ EVP_MD_CTX_free(ctx);
++ /* sctx is not freed automatically inside the FIPS module */
+ EVP_PKEY_CTX_free(sctx);
++ EVP_PKEY_CTX_free(kctx);
+ OSSL_PARAM_free(params);
+ OSSL_PARAM_free(params_sig);
+ OSSL_PARAM_BLD_free(bld);
+--
+2.37.1
+
diff --git a/openssl.spec b/openssl.spec
index a3a10f9..6cb9542 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.5
-Release: 4%{?dist}
+Release: 5%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -168,7 +168,11 @@ Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+%if 0%{?rhel}
+Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test-eln.patch
+%else
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+%endif
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
@@ -517,6 +521,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
+* Mon Sep 12 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.5-5
+- Update patches to make ELN build happy
+ Resolves: rhbz#2123755
+
* Fri Sep 09 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.5-4
- Fix AES-GCM on Power 8 CPUs
Resolves: rhbz#2124845
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:45 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:45 [rpms/openssl] rebase_40beta: Update patches to make ELN build happy Dmitry Belyavskiy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox