public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: - Rebase to upstream version 3.0.7
Date: Tue, 09 Jun 2026 12:45:06 GMT [thread overview]
Message-ID: <178100910643.1.8380090513174848736.rpms-openssl-106fe8964c34@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 106fe8964c342cc3c6699abf64f6ce70a478f505
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2022-12-23T11:53:21+01:00
Stats : +90/-484 in 10 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/106fe8964c342cc3c6699abf64f6ce70a478f505?branch=rebase_40beta
Log:
- Rebase to upstream version 3.0.7
Rebased to openssl-3.0.7 with corresponding minor bugfixes
- C99 compatibility in downstream-only 0032-Force-fips.patch
Resolves: rhbz#2152504
- Adjusting include for the FIPS_mode macro
Resolves: rhbz#2083876
---
diff --git a/.gitignore b/.gitignore
index 57006f1..54863fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -55,3 +55,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.0.2-hobbled.tar.gz
/openssl-3.0.3-hobbled.tar.gz
/openssl-3.0.5-hobbled.tar.xz
+/openssl-3.0.7-hobbled.tar.gz
diff --git a/0008-Add-FIPS_mode-compatibility-macro.patch b/0008-Add-FIPS_mode-compatibility-macro.patch
index 0fac4eb..2e72999 100644
--- a/0008-Add-FIPS_mode-compatibility-macro.patch
+++ b/0008-Add-FIPS_mode-compatibility-macro.patch
@@ -12,24 +12,12 @@ default context.
3 files changed, 39 insertions(+)
create mode 100644 include/openssl/fips.h
-diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
-index 1036da9a2b..9d4896fcaf 100644
---- a/include/openssl/crypto.h.in
-+++ b/include/openssl/crypto.h.in
-@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack_macros);
- # include <openssl/opensslconf.h>
- # include <openssl/cryptoerr.h>
- # include <openssl/core.h>
-+# include <openssl/fips.h>
-
- # ifdef CHARSET_EBCDIC
- # include <openssl/ebcdic.h>
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
new file mode 100644
index 0000000000..c64f0f8e8f
--- /dev/null
+++ b/include/openssl/fips.h
-@@ -0,0 +1,25 @@
+@@ -0,0 +1,26 @@
+/*
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
@@ -43,6 +31,7 @@ index 0000000000..c64f0f8e8f
+# define OPENSSL_FIPS_H
+# pragma once
+
++# include <openssl/evp.h>
+# include <openssl/macros.h>
+
+# ifdef __cplusplus
@@ -58,10 +47,11 @@ index 0000000000..c64f0f8e8f
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
-@@ -488,6 +488,18 @@ static int test_property_list_to_string(
+@@ -488,6 +488,19 @@ static int test_property_list_to_string(
return ret;
}
-
+
++#include <openssl/fips.h>
+static int test_downstream_FIPS_mode(void)
+{
+ int ret = 0;
diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch
index 51c9d23..10e200c 100644
--- a/0011-Remove-EC-curves.patch
+++ b/0011-Remove-EC-curves.patch
@@ -5011,3 +5011,15 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov
Title=prime256v1 curve tests
PrivateKey=ALICE_cf_prime256v1
+diff -up openssl-3.0.7/test/recipes/15-test_ec.t.skipshort openssl-3.0.7/test/recipes/15-test_ec.t
+--- openssl-3.0.7/test/recipes/15-test_ec.t.skipshort 2022-11-23 12:40:55.324395782 +0100
++++ openssl-3.0.7/test/recipes/15-test_ec.t 2022-11-23 12:42:12.478094387 +0100
+@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
+
+ subtest 'Check loading of fips and non-fips keys' => sub {
+ plan skip_all => "FIPS is disabled"
+- if $no_fips;
++ if 1; #Red Hat specific, original value is $no_fips;
+
+ plan tests => 2;
+
diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch
index 1a4ea0d..514ab67 100644
--- a/0032-Force-fips.patch
+++ b/0032-Force-fips.patch
@@ -7,6 +7,14 @@
diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
--- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200
+++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200
+@@ -10,6 +10,7 @@
+ #include <string.h>
+ #include <openssl/trace.h>
+ #include <openssl/err.h>
++#include <openssl/evp.h>
+ #include <openssl/conf.h>
+ #include <openssl/safestack.h>
+ #include <openssl/provider.h>
@@ -136,58 +136,18 @@ static int prov_already_activated(const
return 0;
}
diff --git a/0035-speed-skip-unavailable-dgst.patch b/0035-speed-skip-unavailable-dgst.patch
index 6d948dd..9256f7f 100644
--- a/0035-speed-skip-unavailable-dgst.patch
+++ b/0035-speed-skip-unavailable-dgst.patch
@@ -11,16 +11,3 @@ diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c
if (!EVP_MAC_init(mctx, NULL, 0, NULL)
|| !EVP_MAC_update(mctx, buf, lengths[testnum])
|| !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
-@@ -1922,8 +1925,10 @@ int speed_main(int argc, char **argv)
- if (loopargs[i].mctx == NULL)
- goto end;
-
-- if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params))
-- goto end;
-+ if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) {
-+ EVP_MAC_CTX_free(loopargs[i].mctx);
-+ loopargs[i].mctx = NULL;
-+ }
- }
- for (testnum = 0; testnum < size_num; testnum++) {
- print_message(names[D_HMAC], c[D_HMAC][testnum], lengths[testnum],
diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch
index 5c33a76..8a005e6 100644
--- a/0056-strcasecmp.patch
+++ b/0056-strcasecmp.patch
@@ -1,14 +1,54 @@
diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
-@@ -5425,8 +5425,8 @@ ASN1_item_d2i_ex
- ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
- EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
+@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
--OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
--OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
-+OPENSSL_strcasecmp 5556 3_0_1 EXIST::FUNCTION:
-+OPENSSL_strncasecmp 5557 3_0_1 EXIST::FUNCTION:
+ OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
+ OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
++OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
++OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
+diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
+--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
++++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
+@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
+ #endif
+ }
+
+-int OPENSSL_strcasecmp(const char *s1, const char *s2)
++int
++#ifndef FIPS_MODULE
++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
++ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strcasecmp(const char *s1, const char *s2)
+ {
+ int t;
+
+@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
+ return t;
+ }
+
+-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
++int
++#ifndef FIPS_MODULE
++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
++ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
+ {
+ int t;
+ size_t i;
+diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
+--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
++++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
+@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
+ s| .*||;
+ # Drop OpenSSL dynamic version information if there is any
+ s|\@\@.+$||;
++ s|\@.+$||;
+ # Return the result
+ $_
+ }
diff --git a/0080-CVE-2022-3602.patch b/0080-CVE-2022-3602.patch
deleted file mode 100644
index 4f935e4..0000000
--- a/0080-CVE-2022-3602.patch
+++ /dev/null
@@ -1,399 +0,0 @@
-diff --git a/crypto/punycode.c b/crypto/punycode.c
-index 385b4b1df4..b9b4e3d785 100644
---- a/crypto/punycode.c
-+++ b/crypto/punycode.c
-@@ -123,7 +123,6 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
- unsigned int bias = initial_bias;
- size_t processed_in = 0, written_out = 0;
- unsigned int max_out = *pout_length;
--
- unsigned int basic_count = 0;
- unsigned int loop;
-
-@@ -181,11 +180,11 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
- n = n + i / (written_out + 1);
- i %= (written_out + 1);
-
-- if (written_out > max_out)
-+ if (written_out >= max_out)
- return 0;
-
- memmove(pDecoded + i + 1, pDecoded + i,
-- (written_out - i) * sizeof *pDecoded);
-+ (written_out - i) * sizeof(*pDecoded));
- pDecoded[i] = n;
- i++;
- written_out++;
-@@ -255,30 +254,35 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
- */
- char *outptr = out;
- const char *inptr = in;
-- size_t size = 0;
-+ size_t size = 0, maxsize;
- int result = 1;
--
-+ unsigned int i, j;
- unsigned int buf[LABEL_BUF_SIZE]; /* It's a hostname */
-- if (out == NULL)
-+
-+ if (out == NULL) {
- result = 0;
-+ maxsize = 0;
-+ } else {
-+ maxsize = *outlen;
-+ }
-+
-+#define PUSHC(c) \
-+ do \
-+ if (size++ < maxsize) \
-+ *outptr++ = c; \
-+ else \
-+ result = 0; \
-+ while (0)
-
- while (1) {
- char *tmpptr = strchr(inptr, '.');
-- size_t delta = (tmpptr) ? (size_t)(tmpptr - inptr) : strlen(inptr);
-+ size_t delta = tmpptr != NULL ? (size_t)(tmpptr - inptr) : strlen(inptr);
-
- if (strncmp(inptr, "xn--", 4) != 0) {
-- size += delta + 1;
--
-- if (size >= *outlen - 1)
-- result = 0;
--
-- if (result > 0) {
-- memcpy(outptr, inptr, delta + 1);
-- outptr += delta + 1;
-- }
-+ for (i = 0; i < delta + 1; i++)
-+ PUSHC(inptr[i]);
- } else {
- unsigned int bufsize = LABEL_BUF_SIZE;
-- unsigned int i;
-
- if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0)
- return -1;
-@@ -286,26 +290,15 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
- for (i = 0; i < bufsize; i++) {
- unsigned char seed[6];
- size_t utfsize = codepoint2utf8(seed, buf[i]);
-+
- if (utfsize == 0)
- return -1;
-
-- size += utfsize;
-- if (size >= *outlen - 1)
-- result = 0;
--
-- if (result > 0) {
-- memcpy(outptr, seed, utfsize);
-- outptr += utfsize;
-- }
-+ for (j = 0; j < utfsize; j++)
-+ PUSHC(seed[j]);
- }
-
-- if (tmpptr != NULL) {
-- *outptr = '.';
-- outptr++;
-- size++;
-- if (size >= *outlen - 1)
-- result = 0;
-- }
-+ PUSHC(tmpptr != NULL ? '.' : '\0');
- }
-
- if (tmpptr == NULL)
-@@ -313,7 +306,9 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
-
- inptr = tmpptr + 1;
- }
-+#undef PUSHC
-
-+ *outlen = size;
- return result;
- }
-
-@@ -327,12 +322,11 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
-
- int ossl_a2ucompare(const char *a, const char *u)
- {
-- char a_ulabel[LABEL_BUF_SIZE];
-+ char a_ulabel[LABEL_BUF_SIZE + 1];
- size_t a_size = sizeof(a_ulabel);
-
-- if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) {
-+ if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0)
- return -1;
-- }
-
-- return (strcmp(a_ulabel, u) == 0) ? 0 : 1;
-+ return strcmp(a_ulabel, u) != 0;
- }
-diff --git a/test/build.info b/test/build.info
-index 9d2d41e417..638f215da6 100644
---- a/test/build.info
-+++ b/test/build.info
-@@ -40,7 +40,7 @@ IF[{- !$disabled{tests} -}]
- exptest pbetest localetest evp_pkey_ctx_new_from_name\
- evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
- evp_fetch_prov_test evp_libctx_test ossl_store_test \
-- v3nametest v3ext \
-+ v3nametest v3ext punycode_test \
- evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
- evp_fetch_prov_test v3nametest v3ext \
- crltest danetest bad_dtls_test lhash_test sparse_array_test \
-@@ -290,6 +290,10 @@ IF[{- !$disabled{tests} -}]
- INCLUDE[pkcs7_test]=../include ../apps/include
- DEPEND[pkcs7_test]=../libcrypto libtestutil.a
-
-+ SOURCE[punycode_test]=punycode_test.c
-+ INCLUDE[punycode_test]=../include ../apps/include
-+ DEPEND[punycode_test]=../libcrypto.a libtestutil.a
-+
- SOURCE[stack_test]=stack_test.c
- INCLUDE[stack_test]=../include ../apps/include
- DEPEND[stack_test]=../libcrypto libtestutil.a
-diff --git a/test/punycode_test.c b/test/punycode_test.c
-new file mode 100644
-index 0000000000..285ead6966
---- /dev/null
-+++ b/test/punycode_test.c
-@@ -0,0 +1,219 @@
-+/*
-+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include <openssl/crypto.h>
-+
-+#include "crypto/punycode.h"
-+#include "internal/nelem.h"
-+#include "testutil.h"
-+
-+
-+static const struct puny_test {
-+ unsigned int raw[50];
-+ const char *encoded;
-+} puny_cases[] = {
-+ /* Test cases from RFC 3492 */
-+ { /* Arabic (Egyptian) */
-+ { 0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644,
-+ 0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F
-+ },
-+ "egbpdaj6bu4bxfgehfvwxn"
-+ },
-+ { /* Chinese (simplified) */
-+ { 0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587
-+ },
-+ "ihqwcrb4cv8a8dqg056pqjye"
-+ },
-+ { /* Chinese (traditional) */
-+ { 0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587
-+ },
-+ "ihqwctvzc91f659drss3x8bo0yb"
-+ },
-+ { /* Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky */
-+ { 0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074,
-+ 0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D,
-+ 0x0065, 0x0073, 0x006B, 0x0079
-+ },
-+ "Proprostnemluvesky-uyb24dma41a"
-+ },
-+ { /* Hebrew */
-+ { 0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8,
-+ 0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2,
-+ 0x05D1, 0x05E8, 0x05D9, 0x05EA
-+ },
-+ "4dbcagdahymbxekheh6e0a7fei0b"
-+ },
-+ { /* Hindi (Devanagari) */
-+ { 0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D,
-+ 0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939,
-+ 0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947,
-+ 0x0939, 0x0948, 0x0902
-+ },
-+ "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd"
-+ },
-+ { /* Japanese (kanji and hiragana) */
-+ { 0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092,
-+ 0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B
-+ },
-+ "n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa"
-+ },
-+ { /* Korean (Hangul syllables) */
-+ { 0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774,
-+ 0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74,
-+ 0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C
-+ },
-+ "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c"
-+ },
-+ { /* Russian (Cyrillic) */
-+ { 0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 0x0435, 0x043E,
-+ 0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440,
-+ 0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A,
-+ 0x0438
-+ },
-+ "b1abfaaepdrnnbgefbaDotcwatmq2g4l"
-+ },
-+ { /* Spanish */
-+ { 0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070,
-+ 0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070,
-+ 0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061,
-+ 0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070,
-+ 0x0061, 0x00F1, 0x006F, 0x006C
-+ },
-+ "PorqunopuedensimplementehablarenEspaol-fmd56a"
-+ },
-+ { /* Vietnamese */
-+ { 0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B,
-+ 0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068,
-+ 0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067,
-+ 0x0056, 0x0069, 0x1EC7, 0x0074
-+ },
-+ "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g"
-+ },
-+ { /* Japanese: 3<nen>B<gumi><kinpachi><sensei> */
-+ { 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
-+ },
-+ "3B-ww4c5e180e575a65lsy2b"
-+ },
-+ { /* Japanese: <amuro><namie>-with-SUPER-MONKEYS */
-+ { 0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074,
-+ 0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D,
-+ 0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053
-+ },
-+ "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n"
-+ },
-+ { /* Japanese: Hello-Another-Way-<sorezore><no><basho> */
-+ { 0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 0x006F,
-+ 0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D,
-+ 0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240
-+ },
-+ "Hello-Another-Way--fc4qua05auwb3674vfr0b"
-+ },
-+ { /* Japanese: <hitotsu><yane><no><shita>2 */
-+ { 0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032
-+ },
-+ "2-u9tlzr9756bt3uc0v"
-+ },
-+ { /* Japanese: Maji<de>Koi<suru>5<byou><mae> */
-+ { 0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059,
-+ 0x308B, 0x0035, 0x79D2, 0x524D
-+ },
-+ "MajiKoi5-783gue6qz075azm5e"
-+ },
-+ { /* Japanese: <pafii>de<runba> */
-+ { 0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0
-+ },
-+ "de-jg4avhby1noc0d"
-+ },
-+ { /* Japanese: <sono><supiido><de> */
-+ { 0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067
-+ },
-+ "d9juau41awczczp"
-+ },
-+ { /* -> $1.00 <- */
-+ { 0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020,
-+ 0x003C, 0x002D
-+ },
-+ "-> $1.00 <--"
-+ }
-+};
-+
-+static int test_punycode(int n)
-+{
-+ const struct puny_test *tc = puny_cases + n;
-+ unsigned int buffer[50];
-+ unsigned int bsize = OSSL_NELEM(buffer);
-+ size_t i;
-+
-+ if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded),
-+ buffer, &bsize)))
-+ return 0;
-+ for (i = 0; i < sizeof(tc->raw); i++)
-+ if (tc->raw[i] == 0)
-+ break;
-+ if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer),
-+ tc->raw, i * sizeof(*tc->raw)))
-+ return 0;
-+ return 1;
-+}
-+
-+static int test_a2ulabel(void)
-+{
-+ char out[50];
-+ size_t outlen;
-+
-+ /*
-+ * Test that no buffer correctly returns the true length.
-+ * The punycode being passed in and parsed is malformed but we're not
-+ * verifying that behaviour here.
-+ */
-+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0)
-+ || !TEST_size_t_eq(outlen, 7)
-+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1))
-+ return 0;
-+ /* Test that a short input length returns the true length */
-+ outlen = 1;
-+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0)
-+ || !TEST_size_t_eq(outlen, 7)
-+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)
-+ || !TEST_str_eq(out,"\xc2\x80.b.c"))
-+ return 0;
-+ /* Test for an off by one on the buffer size works */
-+ outlen = 6;
-+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0)
-+ || !TEST_size_t_eq(outlen, 7)
-+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)
-+ || !TEST_str_eq(out,"\xc2\x80.b.c"))
-+ return 0;
-+ return 1;
-+}
-+
-+static int test_puny_overrun(void)
-+{
-+ static const unsigned int out[] = {
-+ 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
-+ };
-+ static const char *in = "3B-ww4c5e180e575a65lsy2b";
-+ unsigned int buf[OSSL_NELEM(out)];
-+ unsigned int bsize = OSSL_NELEM(buf) - 1;
-+
-+ if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) {
-+ if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out)))
-+ TEST_error("CRITICAL: buffer overrun detected!");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+int setup_tests(void)
-+{
-+ ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases));
-+ ADD_TEST(test_a2ulabel);
-+ ADD_TEST(test_puny_overrun);
-+ return 1;
-+}
-diff --git a/test/recipes/04-test_punycode.t b/test/recipes/04-test_punycode.t
-new file mode 100644
-index 0000000000..de213c7e15
---- /dev/null
-+++ b/test/recipes/04-test_punycode.t
-@@ -0,0 +1,11 @@
-+#! /usr/bin/env perl
-+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use OpenSSL::Test::Simple;
-+
-+simple_test("test_punycode", "punycode_test");
diff --git a/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch b/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
deleted file mode 100644
index 660b237..0000000
--- a/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From c342004e07fd2c03a672f79353d13554fe0ffdaf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= <tomas@openssl.org>
-Date: Tue, 13 Sep 2022 14:37:05 +1000
-Subject: [PATCH] EVP_PKEY_eq: regain compatibility with the 3.0.0 FIPS
- provider
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19201)
----
- crypto/evp/p_lib.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
-index 170cb89cb0..c8c342b3e9 100644
---- a/crypto/evp/p_lib.c
-+++ b/crypto/evp/p_lib.c
-@@ -339,9 +339,16 @@ int EVP_PKEY_eq(const EVP_PKEY *a, const EVP_PKEY *b)
- if (a == NULL || b == NULL)
- return 0;
-
-- if (a->keymgmt != NULL || b->keymgmt != NULL)
-- return evp_pkey_cmp_any(a, b, (SELECT_PARAMETERS
-- | OSSL_KEYMGMT_SELECT_KEYPAIR));
-+ if (a->keymgmt != NULL || b->keymgmt != NULL) {
-+ int selection = SELECT_PARAMETERS;
-+
-+ if (evp_keymgmt_util_has((EVP_PKEY *)a, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
-+ && evp_keymgmt_util_has((EVP_PKEY *)b, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
-+ selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
-+ else
-+ selection |= OSSL_KEYMGMT_SELECT_KEYPAIR;
-+ return evp_pkey_cmp_any(a, b, selection);
-+ }
-
- /* All legacy keys */
- if (a->type != b->type)
---
-2.38.1
-
diff --git a/openssl.spec b/openssl.spec
index 287ab80..bc11f21 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -28,13 +28,13 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 3.0.5
-Release: 7%{?dist}
+Version: 3.0.7
+Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-hobbled.tar.xz
+Source: openssl-%{version}-hobbled.tar.gz
Source1: hobble-openssl
Source2: Makefile.certificate
Source3: genpatches
@@ -184,10 +184,10 @@ Patch77: 0077-FIPS-140-3-zeroization.patch
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2124845, https://github.com/openssl/openssl/pull/19182
Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
-#CVE-2022-3602
-Patch80: 0080-CVE-2022-3602.patch
-#Provider interface fixes
-Patch81: 0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
+# #CVE-2022-3602
+# Patch80: 0080-CVE-2022-3602.patch
+# #Provider interface fixes
+# Patch81: 0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
Patch82: 0082-Propagate-selection-all-the-way-on-key-export.patch
Patch83: 0083-Update-documentation-for-keymgmt-export-utils.patch
Patch84: 0084-Add-test-for-EVP_PKEY_eq.patch
@@ -340,7 +340,8 @@ export HASHBANGPERL=/usr/bin/perl
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
- shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'
+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
+ -Wl,--allow-multiple-definition
# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update
@@ -529,6 +530,13 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
+* Fri Dec 23 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-1
+- Rebase to upstream version 3.0.7
+- C99 compatibility in downstream-only 0032-Force-fips.patch
+ Resolves: rhbz#2152504
+- Adjusting include for the FIPS_mode macro
+ Resolves: rhbz#2083876
+
* Wed Nov 16 2022 Simo sorce <simo@redhat.com> - 1:3.0.5-7
- Backport patches to fix external providers compatibility issues
diff --git a/sources b/sources
index 98fbb23..32e6de8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.0.5-hobbled.tar.xz) = 2f5531d46a905af8d36bf81c18fa34ccc86f5bd66e6e4227bb17e2f926ef14f78057ab60cd9d55bb9d1bad3d5b56a71170e4a86708fd8352324db2e0747142cf
+SHA512 (openssl-3.0.7-hobbled.tar.gz) = 3580f7c2f4b9f2fb0997ddaac31034a9ce2ee288ec1cc58dc48704f43a9116733d0b07c1b262ff55ce58ac89af4abb9bfd559e746338c7b497eb223c473f6751
reply other threads:[~2026-06-09 12:45 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100910643.1.8380090513174848736.rpms-openssl-106fe8964c34@fedoraproject.org \
--to=dbelyavs@redhat.com \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox